Monday, 2014-10-13

openstackgerrit	A change was merged to openstack/keystone: Address some late comments for memcache clients https://review.openstack.org/124443	00:08
openstackgerrit	Brant Knudson proposed a change to openstack/python-keystoneclient: Docstring cleanup for return type https://review.openstack.org/127857	00:13
*** ncoghlan has joined #openstack-keystone		00:22
openstackgerrit	Brant Knudson proposed a change to openstack/python-keystoneclient: Cleanup docs - raises class https://review.openstack.org/127858	00:43
*** mitz_ has joined #openstack-keystone		00:44
*** diegows has joined #openstack-keystone		00:58
*** r1chardj0n3s is now known as r1chardj0n3s_afk		01:19
*** alex_xu has joined #openstack-keystone		01:19
*** bknudson has quit IRC		01:33
*** lhcheng has joined #openstack-keystone		01:37
*** shikui_ has joined #openstack-keystone		01:38
*** Kui has quit IRC		01:38
*** lhcheng has quit IRC		01:39
*** lhcheng has joined #openstack-keystone		01:40
*** r1chardj0n3s_afk is now known as r1chardj0n3s		01:48
*** ncoghlan is now known as ncoghlan_afk		01:54
*** dims has quit IRC		02:22
*** jacer_huawei has quit IRC		02:22
*** zhiyan\|afk is now known as zhiyan		02:28
*** alex_xu has quit IRC		02:31
*** jacer_huawei has joined #openstack-keystone		02:35
*** alex_xu has joined #openstack-keystone		02:40
*** ncoghlan_afk is now known as ncoghlan		02:46
*** david-lyle has joined #openstack-keystone		02:51
openstackgerrit	wanghong proposed a change to openstack/keystonemiddleware: choose api version when IdentityServer init https://review.openstack.org/127866	02:58
*** lhcheng has quit IRC		03:27
*** r1chardj0n3s is now known as r1chardj0n3s_afk		03:36
*** lhcheng has joined #openstack-keystone		03:36
*** diegows has quit IRC		03:56
*** lhcheng has quit IRC		04:04
*** lhcheng has joined #openstack-keystone		04:10
*** r1chardj0n3s_afk is now known as r1chardj0n3s		04:12
*** swamireddy has joined #openstack-keystone		04:26
*** alex_xu has quit IRC		05:03
*** alex_xu has joined #openstack-keystone		05:18
*** david-lyle has quit IRC		05:21
*** remote_morgan_ has quit IRC		05:24
*** afazekas has quit IRC		05:28
*** alex_xu has quit IRC		05:33
*** alex_xu has joined #openstack-keystone		05:45
*** ncoghlan is now known as ncoghlan_afk		06:00
*** afazekas has joined #openstack-keystone		06:09
*** k4n0 has joined #openstack-keystone		06:16
*** ukalifon1 has joined #openstack-keystone		06:21
*** ncoghlan_afk is now known as ncoghlan		06:26
*** lhcheng has quit IRC		06:27
*** lufix has joined #openstack-keystone		06:47
*** rkofman has quit IRC		06:49
*** dtantsur\|afk is now known as dtantsur		07:23
*** htruta has quit IRC		07:27
*** thiagop has quit IRC		07:28
*** raildo has quit IRC		07:28
*** afaranha has quit IRC		07:28
*** tellesnobrega has quit IRC		07:28
openstackgerrit	wanghong proposed a change to openstack/keystonemiddleware: choose api version when IdentityServer init https://review.openstack.org/127866	07:35
*** jistr has joined #openstack-keystone		07:54
dtantsur	hi folks! on every request to keystoneclient I get keystoneclient.openstack.common.apiclient.exceptions.EndpointNotFound without any explanation. What does it mean?	08:11
*** jistr has quit IRC		08:14
dtantsur	not actually every: tenants.list() works, endpoints.list() or smth with roles - does not. any ideas?	08:16
*** jistr has joined #openstack-keystone		08:18
dtantsur	so, despite the examples in keystoneclient docs, 'endpoint' argument is required. now I get Unauthorized (authentication token is provided) on /endpoints.	08:22
*** ncoghlan has quit IRC		08:34
*** f13o has joined #openstack-keystone		08:50
*** k4n0 has quit IRC		08:50
*** swamireddy1 has joined #openstack-keystone		08:54
*** k4n0 has joined #openstack-keystone		08:55
*** swamireddy has quit IRC		08:55
*** mitz_ has quit IRC		08:57
*** mitz_ has joined #openstack-keystone		08:59
*** aix_ has joined #openstack-keystone		09:11
marekd	mhu: o/	09:17
mhu	marekd: o/	09:17
marekd	mhu: just a question: with the current verion of openstackclient (pulled from master), is it capable of federated authn?	09:17
mhu	marekd: it should be, provided you use a recent enough version of python-keystoneclient	09:18
marekd	0.11	09:18
mhu	the latest tag, 0.11.1, should have the v3unscopedsaml and v3scopedsaml plugins	09:18
marekd	mhu: exactly. I am using keystoneclient with success, but...	09:19
marekd	i have a fres osc installed in a new virtualenv sandbox	09:20
marekd	and for instance available plugins listed are: --os-auth-plugin <OS_AUTH_PLUGIN> The authentication method to use. If this option is not set, openstackclient will attempt to guess the authentication method to use based on the other options. If this option is set, the --os-identity-api- version argument must be consistent with the version of the method. Available methods are v2token, v2password, v3password, token, v3token, password	09:20
marekd	mhu: ^^	09:23
mhu	marekd, odd ... when you check the help, do you see any arguments used by v3unscopedsaml ? like os_identity_provider_url	09:25
marekd	mhu: nope	09:26
marekd	mhu: (osc)marek@cerntop:/srv/openstack/python-openstackclient$ openstack -h \| grep identity	09:27
marekd	[--os-identity-api-version <identity-api-version>]	09:27
marekd	--os-identity-api-version <identity-api-version>	09:27
marekd	options. If this option is set, the --os-identity-api-	09:27
marekd	identity provider create Create new identity provider	09:27
marekd	identity provider delete Delete an identity provider	09:27
marekd	identity provider list List identity providers	09:27
marekd	identity provider set Set identity provider properties	09:27
marekd	identity provider show Show identity provider details	09:27
marekd	(osc)marek@cerntop:/srv/openstack/python-openstackclient$	09:27
marekd	mhu: did you have a chance to try out openstackclient with saml?	09:29
mhu	marekd, no not yet, I had to rebuild my test bed and I have some trouble with activating ECP on the Service Provider, but I had to work on something else in the meantime	09:30
mhu	I hope to address this today actually	09:30
mhu	marekd, what do you get when running this in your venv: python -c 'import openstackclient.api.auth as a;print [i.name for i in a.PLUGIN_LIST]'	09:31
marekd	mhu: ['v2token', 'v2password', 'v3password', 'token', 'v3token', 'password']	09:32
mhu	marekd, this is odd, if you have ksc 0.11 you should have way more: https://github.com/openstack/python-keystoneclient/blob/0.11.0/setup.cfg#L37	09:34
marekd	mhu: i know, cause I am using my own wrappers for federated auth at the moment.	09:34
marekd	mhu: ok, i will investigate it later, I thought there is a step that i unintentionally skipped.	09:34
mhu	marekd, you said it worked with ksc, have you tried in your venv ?	09:34
mhu	try to run pip install -r /path/to/python-keystoneclient/test-requirements.txt	09:35
*** k4n0 has quit IRC		09:35
mhu	I wonder if the saml specific plugins aren't loaded because you're missing dependencies that are declared in test-requirements only (seeing as the federation stuff is considered optional)	09:36
*** alex_xu has quit IRC		09:36
marekd	mhu: i am missing lxml, just nitected. maybe osc is somehow covering this (and hiding error from me)	09:36
marekd	mhu: yeah	09:37
marekd	pip install lxml solved it.	09:37
mhu	marekd, not osc, the endpoint management library which name eludes me at the moment	09:37
*** Dafna has joined #openstack-keystone		09:37
mhu	marekd: \o/ nice	09:37
marekd	mhu: ok, thanks for your assistance	09:37
mhu	marekd, you're welcome, it's a problem likely to occur again so it's good we know about it. I think it should be documented somewhere, maybe in osc	09:38
marekd	mhu: for sure.	09:38
*** dims has joined #openstack-keystone		09:50
*** k4n0 has joined #openstack-keystone		09:54
*** dims has quit IRC		09:55
*** k4n0 has quit IRC		09:55
*** k4n0 has joined #openstack-keystone		09:56
*** amakarov_away has quit IRC		09:56
*** amakarov has joined #openstack-keystone		09:57
*** aix_ has quit IRC		10:35
*** swamireddy1 has quit IRC		11:03
*** samuelmz has joined #openstack-keystone		11:23
*** samuelmz is now known as samuelms		11:23
*** tellesnobrega has joined #openstack-keystone		11:24
*** aix_ has joined #openstack-keystone		11:30
*** diegows has joined #openstack-keystone		11:38
*** jistr has quit IRC		11:49
*** diegows has quit IRC		11:49
*** dims has joined #openstack-keystone		12:01
*** jistr has joined #openstack-keystone		12:12
*** packet has joined #openstack-keystone		12:14
*** k4n0 has quit IRC		12:21
*** ByteSore has quit IRC		12:23
*** ByteSore has joined #openstack-keystone		12:24
*** htruta has joined #openstack-keystone		12:27
*** radez_g0n3 is now known as radez		12:27
*** bknudson has joined #openstack-keystone		12:39
rodrigods	bknudson, just answered your comments in the add parent_id patch =)	12:44
bknudson	rodrigods: is there a change proposed to the identity-api spec? https://github.com/openstack/identity-api/blob/master/v3/src/markdown/identity-api-v3.md	12:44
bknudson	for the new field in project	12:45
rodrigods	bknudson, yes... let me find it	12:59
rodrigods	bknudson, https://review.openstack.org/#/c/111355/	12:59
*** ukalifon1 has quit IRC		13:00
bknudson	rodrigods: if this is an extension then I don't think it can add a required field to projects	13:01
*** ukalifon has joined #openstack-keystone		13:01
*** NM has joined #openstack-keystone		13:01
openstackgerrit	Sergey Kraynev proposed a change to openstack/python-keystoneclient: Using correct keyword for region in v3 https://review.openstack.org/118383	13:02
bknudson	makes me wonder why this is implemented as an extension	13:02
rodrigods	bknudson, no... just the inherited roles part is an extension	13:03
bknudson	rodrigods: ok, so where's the change to the identity api to describe the parent_id field?	13:03
rodrigods	bknudson, the same file, the additions at Modified APIs section	13:06
rodrigods	bknudson, it needs update, we changed the field from parent_project_id to parent_id. Will ask raildo to fix it	13:06
*** raildo has joined #openstack-keystone		13:09
*** nkinder has quit IRC		13:10
bknudson	rodrigods: a change to how the server returns projects all the time is going to need to be in the core api and not in an extension	13:10
*** afaranha has joined #openstack-keystone		13:11
rodrigods	bknudson, here: https://github.com/openstack/identity-api/blob/master/v3/src/markdown/identity-api-v3.md#projects-v3projects . Right?	13:12
bknudson	rodrigods: yes	13:13
rodrigods	bknudson, great, will submit . Also, is still needed the part of Modified APIs?	13:13
rodrigods	bknudson, (at the extension)	13:14
*** nellysmitt has joined #openstack-keystone		13:14
*** dims has quit IRC		13:14
bknudson	rodrigods: if the extension modifies APIs then that part is still needed.	13:14
*** dims has joined #openstack-keystone		13:15
*** shikui_ has quit IRC		13:18
openstackgerrit	Samuel de Medeiros Queiroz proposed a change to openstack/keystone: Improve list role assignments filters performance https://review.openstack.org/116682	13:24
samuelms	dolphm, ping	13:25
rodrigods	bknudson, seems that we need a 3.4 version, should I add directly there?	13:26
bknudson	rodrigods: yes	13:26
rodrigods	bknudson, great	13:26
*** jaosorior has joined #openstack-keystone		13:26
*** swamireddy has joined #openstack-keystone		13:30
*** swamireddy1 has joined #openstack-keystone		13:31
openstackgerrit	Thiago Paiva Brito proposed a change to openstack/python-keystoneclient: Implementing hierarchical calls on keystoneclient v3 (python only) https://review.openstack.org/115770	13:31
*** swamireddy has quit IRC		13:35
*** nellysmitt has quit IRC		13:44
*** nellysmitt has joined #openstack-keystone		13:45
openstackgerrit	Andre Aranha proposed a change to openstack/keystone: Creating a policy sample https://review.openstack.org/123509	13:45
*** ukalifon has quit IRC		13:47
*** nellysmitt has quit IRC		13:49
*** ukalifon1 has joined #openstack-keystone		13:51
*** vhoward has joined #openstack-keystone		13:51
*** sigmavirus24_awa is now known as sigmavirus24		13:54
*** nkinder has joined #openstack-keystone		13:59
*** saipandi has joined #openstack-keystone		14:04
*** Guest20248 is now known as redrobot		14:06
*** nellysmitt has joined #openstack-keystone		14:12
ukalifon1	nkinder: ping. I can list users with LDAP but can't get a token. Can you help?	14:13
nkinder	ukalifon1: I'm in meetings for the next hour or so, but let me know what release you are using and what LDAP server it is	14:18
ukalifon1	nkinder: I have 2 havana installations set up, both have the same problem. One is working against AD and the other with IPA. I will mail you the details so you can log into them in case I won't be here already. Thanks a lot	14:20
*** thedodd has joined #openstack-keystone		14:20
*** rwsu has joined #openstack-keystone		14:22
*** nellysmitt has quit IRC		14:23
nkinder	Sure, I can log in and take a look a bit later today	14:23
*** nellysmitt has joined #openstack-keystone		14:23
nkinder	ukalifon1: ^^^	14:23
*** david-lyle has joined #openstack-keystone		14:26
*** nellysmitt has quit IRC		14:28
*** nellysmitt has joined #openstack-keystone		14:31
*** jorge_munoz has joined #openstack-keystone		14:35
*** packet has quit IRC		14:36
dolphm	samuelms: o/	14:37
openstackgerrit	Samuel de Medeiros Queiroz proposed a change to openstack/keystone: Improve list role assignments filters performance https://review.openstack.org/116682	14:43
samuelms	dolphm, hi :-)	14:44
samuelms	dolphm, it would be nice if we could get a couple of reviews on this ^	14:44
samuelms	dolphm, it has been waiting for review since we're closed for kilo dev	14:44
dolphm	samuelms: i'll put it on my list for today	14:44
samuelms	dobson, yes thanks	14:45
samuelms	dobson, oops, sorry	14:45
samuelms	dolphm, ok thanks :)	14:45
*** swamireddy1 has quit IRC		14:47
*** nellysmitt has quit IRC		14:47
*** rwsu has quit IRC		14:47
*** nellysmitt has joined #openstack-keystone		14:48
*** thedodd has quit IRC		14:49
*** packet has joined #openstack-keystone		14:52
*** nellysmitt has quit IRC		14:52
*** thedodd has joined #openstack-keystone		14:56
openstackgerrit	Rodrigo Duarte proposed a change to openstack/identity-api: API documentation for Hierarchical Multitenancy https://review.openstack.org/111355	14:57
*** nellysmitt has joined #openstack-keystone		14:58
*** zzzeek has joined #openstack-keystone		15:00
*** thedodd has quit IRC		15:05
openstackgerrit	Rodrigo Duarte proposed a change to openstack/identity-api: API documentation for Hierarchical Multitenancy https://review.openstack.org/111355	15:05
*** thedodd has joined #openstack-keystone		15:05
rodrigods	bknudson, ^	15:06
*** thedodd has quit IRC		15:10
*** richm has joined #openstack-keystone		15:23
openstackgerrit	Terry Howe proposed a change to openstack/keystone-specs: Keystone Client Auth Plugin for token or user/pass https://review.openstack.org/127993	15:24
*** ayoung has joined #openstack-keystone		15:26
*** nellysmitt has quit IRC		15:26
*** nellysmitt has joined #openstack-keystone		15:27
*** thedodd has joined #openstack-keystone		15:27
*** thedodd has quit IRC		15:27
*** thedodd has joined #openstack-keystone		15:27
openstackgerrit	Terry Howe proposed a change to openstack/keystone-specs: Keystone Client Auth Plugin for token or user/pass https://review.openstack.org/127993	15:31
openstackgerrit	Terry Howe proposed a change to openstack/keystone-specs: Keystone Client Auth Plugin for token or user/pass https://review.openstack.org/127993	15:31
*** nellysmitt has quit IRC		15:31
openstackgerrit	Terry Howe proposed a change to openstack/python-keystoneclient: Identity plugin that manages passwords and tokens https://review.openstack.org/124830	15:34
*** lufix has quit IRC		15:34
*** ukalifon1 has quit IRC		15:39
ayoung	nkinder, jdennis any familiarity with pyasn1? Trying to extract the signer info out of a keystone token in der format.	15:39
jdennis	ayoung: rcrit has used pyasn1 in the past and there was a recent thread on the openstack list on using it and a patch, let me see if I can dig that up	15:40
ayoung	jdennis, thanls	15:40
ayoung	thanks	15:41
ayoung	jdennis, suspect the mailing list conversation you were remembering was that I fat findered ASN1 to ANS1 and it made it through code review and lived uncaught for about a year	15:42
ayoung	those fat finders are in dull eddect tofay	15:42
jdennis	ayoung: no this was something else, it was how to get some info out of a cert, something related to barbican if I recall	15:43
ayoung	jdennis, cool. The pyasn1 docs don't really explain how to work with the library for parsing arbitraty data. I suspect that the right solution would be to build a CMS based model and parse to that.	15:44
*** dtantsur is now known as dtantsur\|afk		15:44
jdennis	ayoung: the discussion was started by Carlos Garza of RackSpace with a title of "Extracting SubjectCommonName and/or SubjectAlternativeNames from X509"	15:51
jdennis	the discussion started in June and I think ended in August, I believe somewhere along the way Carlos submitted a patch using pyasn1 to extract that info, hope that helps	15:52
morganfainberg	ayoung, starting some discussions to get more push (and resources) to make Keystone + LDAP/IPA/Etc much better. I'll keep you in the loop as things progres.	15:52
ayoung	morganfainberg, happy!	15:52
ayoung	jdennis, a Barbican patch? /me searching through the discussion	15:53
jdennis	ayoung: not sure if it was a barbican patch or not, memory is fuzzy	15:53
jdennis	ayoung: I believe there are also examples in IPA, code authored by rcrit	15:54
ayoung	jdennis, coo;l	15:54
ayoung	jdennis, I got as far as decoding the der to a tuple	15:54
jdennis	ayoung: personally I'd avoid trying to parse asn.1, in favor of using a crypto library that already knows how to extract the data, likely to be more robust and less painful, asn.1 is not easy	15:55
ayoung	jdennis, just that I don;t really have a crypto library I can use	15:56
ayoung	the whole popen thing with openssl.	15:56
ayoung	can't make nss a req yet, and not sure it does the "extract the signer info from CMS when you don't have a certificate" function I need anyway	15:56
jdennis	ayoung: too bad, fwiw pynss can trivially return detailed info on the signer.	15:57
ayoung	so far the best I got was derdumping it and parsing	15:57
*** swamireddy has joined #openstack-keystone		15:57
*** marcoemorais has joined #openstack-keystone		15:57
ayoung	jdennis, code snippet for me?	15:57
jdennis	ayoung: I may have missed the fact you don't have a cert, at the moment pynss needs a cert, I don't think we've added code to pynss yet to parse CMS S/MIME	15:59
ayoung	jdennis, yeah	15:59
ayoung	jdennis, I have the cert, its just external to the message, and I have a set of certs, not a single one. I want to select the right one	16:00
*** marcoemorais has quit IRC		16:01
ayoung	jdennis, I still would love an excuse to make the PKI infrastructure work with NSS	16:01
ayoung	PKI Keystone that is	16:01
*** marcoemorais has joined #openstack-keystone		16:01
*** gyee has joined #openstack-keystone		16:03
morganfainberg	ayoung, doesn't it mostly work with NSS already?	16:05
ayoung	jdennis, https://code.google.com/p/cmstng/source/browse/trunk/python/x509.py?r=67 looks like it is how pyasn1 expects things to work	16:05
ayoung	morganfainberg, not for tokens	16:05
morganfainberg	ahh	16:05
ayoung	morganfainberg, the popen is an openssl call	16:05
morganfainberg	right	16:05
morganfainberg	right	16:05
ayoung	morganfainberg, the https stuff will work with mod_nss	16:05
ayoung	morganfainberg, the barbican approach to trying to "standardize" the crypto libraray falls down on a basic assumption. NSS insists on an external container (representing hardware devices) that keeps the Keys out of the current process space, so a coredump does'nt spew your keys to the disk unencrypted	16:07
morganfainberg	right	16:07
morganfainberg	which is smart	16:07
ayoung	morganfainberg, we could swap in a different popen call,	16:08
morganfainberg	i mean, smart people have been working on that for quite a while, i guess	16:08
ayoung	it would probably require treating the paths for the ca cert and signing certs as "nicknames"	16:08
ayoung	but we still would need some other param for saying "here is the NSS database	16:08
ayoung	morganfainberg, you have a Firefox install on your machine right now?	16:08
morganfainberg	yes. but i need to run off to breakfast	16:09
morganfainberg	or i wont get it	16:09
ayoung	morganfainberg, OK.	16:09
*** wwriverrat has joined #openstack-keystone		16:09
morganfainberg	be back in ~30-60min	16:09
ayoung	morganfainberg, when you get back, I can show you were the NSS DB is	16:09
morganfainberg	cool	16:09
ayoung	it helps to make the whole thing comprehensible	16:09
morganfainberg	I also no longer have an alternate identity for irc when mobile. :)	16:10
morganfainberg	Waaaay better (but multi-tierd zinc was strange to setup)	16:10
morganfainberg	Znc *	16:10
jdennis	ayoung: what info do you want from the signature?	16:15
*** stevemar has joined #openstack-keystone		16:15
ayoung	jdennis, I need to be able to select a certificate from a list of certifcates based on the signing info, not the signature itself	16:16
jdennis	ayoung: but what data in the signing info are you trying to access?	16:16
ayoung	jdennis, token comes in, and middleware will de-base64, uncompress, and then parse the data to extract signing info. Match the CA and serial number against a set of certificates, and then call the --verify code with that certificate	16:17
ayoung	jdennis, all of it...sincre the signing info can be in a couple different forms, I need to extract the whole thing, see which form it is in , and then compare that with the same data extractd from a set of X509 certs	16:17
*** lhcheng has joined #openstack-keystone		16:19
jdennis	ayoung: I thought you said you already had the cert used to sign the data, yes or no?	16:22
*** jaosorior has quit IRC		16:23
jdennis	ayoung: if so then with pythonnss it's just cert.issuer and cert.serial_number	16:24
ayoung	jdennis, this is on the validating side. So, yea, I can parse the cert using cert.issuer etc, but not the cms data from the token	16:27
*** jistr has quit IRC		16:29
ayoung	print parsed[0].getComponentByPosition(1).getComponentByPosition(2).getComponentByPosition(1) gets me the token data...	16:37
*** rwsu has joined #openstack-keystone		16:42
*** gyee has quit IRC		16:52
mhu	marekd, I'd suggest abandoning your patch on saml2.ADFSUnscopedToken method signature for now and re-push this one without the dependency: https://review.openstack.org/#/c/106751/	16:56
mhu	this is a pity to see better SAML support postponed because of argument ordering :)	16:56
*** stevemar has quit IRC		16:57
*** NM has quit IRC		16:59
*** marcoemorais has quit IRC		17:02
*** marcoemorais has joined #openstack-keystone		17:02
openstackgerrit	David Stanek proposed a change to openstack/keystone-specs: Enable tests on non-SQLite databases https://review.openstack.org/126370	17:02
*** marcoemorais has quit IRC		17:02
*** marcoemorais has joined #openstack-keystone		17:03
*** marcoemorais has quit IRC		17:03
*** harlowja_away is now known as harlowja		17:03
*** marcoemorais has joined #openstack-keystone		17:04
morganfainberg	ayoung: ABAC. I want to revisit this.	17:05
*** ayoung has quit IRC		17:05
morganfainberg	I think it solves a lot of the pain points with the RBAC policy stuff.	17:05
*** wwriverrat has quit IRC		17:06
*** thedodd has quit IRC		17:07
*** nellysmitt has joined #openstack-keystone		17:08
*** nellysmitt has quit IRC		17:20
*** nellysmitt has joined #openstack-keystone		17:21
*** swamireddy has quit IRC		17:21
*** ayoung has joined #openstack-keystone		17:21
*** swamireddy has joined #openstack-keystone		17:22
*** nellysmitt has quit IRC		17:25
ayoung	morganfainberg, https://www.dragonsreach.it/2014/10/07/the-gnome-infrastructure-is-now-powered-by-freeipa/	17:26
morganfainberg	ayoung, nice	17:26
morganfainberg	ayoung, so, i want to revisit ABAC	17:26
*** nellysmitt has joined #openstack-keystone		17:27
morganfainberg	i think it's time to consider alternatives to the simple RBAC and the painpoints we have with it	17:27
ayoung	morganfainberg, Heh. More than willing to do so as soon as someone gives me some attribute other than "location" a	17:27
morganfainberg	LOL	17:27
*** jaosorior has joined #openstack-keystone		17:30
*** swamireddy1 has joined #openstack-keystone		17:35
morganfainberg	ayoung, i think we discussed the idea of making each interface (e.g. get_user) an attribute at one point	17:37
morganfainberg	ayoung, maybe we should revisit that	17:38
*** swamireddy has quit IRC		17:39
*** gyee has joined #openstack-keystone		17:47
*** wwriverrat has joined #openstack-keystone		17:55
*** amakarov is now known as amakarov_away		17:57
*** david-lyle has quit IRC		17:58
*** marcoemorais has quit IRC		17:58
*** thedodd has joined #openstack-keystone		17:58
*** david-lyle has joined #openstack-keystone		17:58
*** marcoemorais has joined #openstack-keystone		17:59
*** swamireddy1 has quit IRC		18:01
*** swamireddy has joined #openstack-keystone		18:01
*** marcoemorais1 has joined #openstack-keystone		18:02
dstanek	morganfainberg: i don't follow. what do you mean by each interface?	18:03
*** marcoemorais has quit IRC		18:03
morganfainberg	dstanek, what we currently list in policy.json today	18:03
morganfainberg	get_user, update_user, etc	18:03
dstanek	those would be the attributes?	18:04
morganfainberg	dstanek, it was one concept we started with	18:04
morganfainberg	a couple summits ago iirc	18:04
dstanek	i'm not sure how that would work - usually you use user attributes, resource attributes, etc in ABAC	18:05
*** swamireddy has quit IRC		18:06
morganfainberg	Yeah. We might need something else.	18:07
*** marcoemorais1 has quit IRC		18:07
*** marcoemorais has joined #openstack-keystone		18:07
dstanek	morganfainberg: are there use cases for this or is it a acedemic project?	18:07
*** marcoemorais has quit IRC		18:07
*** marcoemorais has joined #openstack-keystone		18:08
dstanek	morganfainberg: i wouldn't want to deviate too much from how ABAC is normally implemented	18:08
morganfainberg	This would solve the horizon needs to know the policy files. And you could always tell from the token what you can do	18:08
*** NM has joined #openstack-keystone		18:08
morganfainberg	Vs who knows what your capabilities are	18:08
dstanek	what keystone process the ABAC rules instead of distributed policy files?	18:09
*** aix_ has quit IRC		18:10
morganfainberg	Easier to describe when I get back to my desk.	18:10
dstanek	morganfainberg: k, i also don't get how you permissions would be clearer - ABAC, i thought, promited the use of an access control mechanism that is usually a central service	18:11
*** wwriverrat has quit IRC		18:11
openstackgerrit	A change was merged to openstack/keystone: Fix fakeldap search_s documentation https://review.openstack.org/121378	18:11
*** swamireddy has joined #openstack-keystone		18:12
morganfainberg	dstanek, well, keystone would need to "know" each of the interfaces of the different projects so it would require something like an IANA registry	18:12
openstackgerrit	OpenStack Proposal Bot proposed a change to openstack/keystone: Updated from global requirements https://review.openstack.org/127765	18:13
morganfainberg	dstanek, and in theory then you could ask keystone for a list of the attributes. The issue i'm looking at trying to solve is roles as they are are opaque, unless you try something against Nova (for example) you can't know if it'll succeed... unless you inspect / process the policy.json file	18:13
morganfainberg	now you'd probably still need roles or something similar to add capabilities to the grant/user	18:14
morganfainberg	because otherwise it becomes very unwieldy to say "give person X get_user, update_user, delete_user, boot_instance, terminate_instance, read_glance, write_glance ..."	18:15
morganfainberg	dstanek, it would instead of "looking for a role" when enforcing policy, just check to see if the user "can" interact (has_attr) the API call, so to speak.	18:16
morganfainberg	very very rough concept	18:16
dstanek	that's not ABAC that could be nothing more that a better API on top of RBAC	18:16
dstanek	the biggest problem for me in this area is not the roles but the list of things you can do "create an image" and the mapping between them (to do A the service does B under the hood)	18:17
morganfainberg	dstanek, right. well we can't do "true" ABAC because the IDPs don't know the keystone mapping	18:18
morganfainberg	dstanek, it is somewhere between ABAC and RBAC in this case.	18:18
dstanek	morganfainberg: what would process the policy file (or equivalent) in this new way?	18:19
morganfainberg	dstanek, something akin to the decorators we have in keystone, @enforce('attr_name')	18:20
samuelms	morganfainberg, a workaround for this currently would be like having a 'head' call for each operation a user can perform .. thus horizon would be able to ask each available operation .. and then it would know what shows on its interface	18:20
samuelms	morganfainberg, makes sense?	18:20
morganfainberg	samuelms, i don't know if that really scales, it's requiring a lot of extra requests.	18:20
dstanek	morganfainberg: but under the hood enforce would parse the policy file?	18:20
morganfainberg	dstanek, no, policy file could disappear.	18:21
dstanek	where would that info be stored or processed then?	18:21
morganfainberg	for compatibility, we'd still support policy file enforcement obviously	18:21
morganfainberg	the policy file, might become just a "REST URL MAP" -> attr?	18:22
morganfainberg	so it could be 100% enforced in middleware	18:22
morganfainberg	alternatively, instead of using the rules engine you'd just enforce on the user context having the attribute you want.	18:22
morganfainberg	or attributes*	18:23
morganfainberg	thought the rest_url -> attr is no better than what we have now :(	18:23
morganfainberg	except that it doesn't get changed by $deployer_choice	18:24
dstanek	it seems to me that the Horizon problem could be solved by having a standard service interface implemented by each serivce that could take a token and return a list of capabilities	18:24
samuelms	dstanek, ++	18:25
morganfainberg	dstanek, which means any interaction with horizon needs to ask each service what can be done	18:25
morganfainberg	dstanek, i don't think it's going to scale / be performant	18:25
dstanek	morganfainberg: yes, i don't know how else you can do it - glace is the best place to say what a use can do with glance	18:26
samuelms	morganfainberg, it is almost as I had proposed .. but it could be a single request per service I guess	18:26
dstanek	samuelms: yeah, exactly	18:26
morganfainberg	samuelms, still doesn't really scale.	18:26
dstanek	morganfainberg: i think that depends on the impl, caching mechansims and other things	18:27
morganfainberg	dstanek, i think it needs to be more centralized.	18:27
samuelms	morganfainberg, thus we should have something like a 'capabilities' service ?	18:28
dstanek	then you have the oppsite problem of services having to go to a central place for each operation, right?	18:28
morganfainberg	dstanek, the thought I was having is you get a definitve list of interfaces (API calls) for a service and each one is applied to the token like a role today. [in lieu of the roles]	18:29
morganfainberg	so you don't need to ask an external service	18:29
morganfainberg	you get the definitive list of capabilities in the token (probably broken down by service)	18:30
morganfainberg	or whatever AuthZ mechanism we end up with long term	18:30
dstanek	morganfainberg: so you get information to say you can create compute instances in X region, you can create on SSD block storage, etc?	18:31
*** nkinder has quit IRC		18:31
dstanek	that sounds almost like shipping a policy file for each token	18:32
dstanek	or you lose the dynamic nature of the policy file itself	18:32
samuelms	dstanek, yeah, that's the point	18:32
morganfainberg	dstanek, that would be specifically solved by the endpoint filtering	18:33
morganfainberg	dstanek, and constraints	18:33
*** swamireddy has quit IRC		18:33
dstanek	from what i understand the people driving ABAC are trying to extend what you can do with policy not decrease it	18:34
morganfainberg	dstanek, let me start a ML topic on this instead	18:37
morganfainberg	i think the way policy works now, it's not really as flexible as people like to think it is	18:37
*** amcrn has joined #openstack-keystone		18:40
dstanek	cool, right now the part i'm most fuzzy with is the problem being solved	18:42
dstanek	endpoint filtering implies that horizon would needs to know the filtering rules to provide an accurate interface	18:42
dstanek	i think the best thing to do is come up with exactly what information horizon needs to create the desired experience and work backword from there	18:43
openstackgerrit	OpenStack Proposal Bot proposed a change to openstack/keystone: Updated from global requirements https://review.openstack.org/127765	18:45
samuelms	when talk about flexibility .. I agree that ABAC give us more granularity when defining permissions ..	18:46
samuelms	getting a token capabilities is independent of RBAC/ABAC ... those mechanisms tell how capabilities are 'calculated' ..	18:47
samuelms	for getting token capabilities we just want the result, doesnt matter how we got the result	18:48
dstanek	samuelms: right, that's why i don't understand how you could bundle that in the token and not have to have a service call or policy file	18:48
samuelms	dstanek, so we share the same thoughts .. :)	18:49
*** gabriel-bezerra has joined #openstack-keystone		18:52
*** wwriverrat has joined #openstack-keystone		18:53
*** dtantsur\|afk is now known as dtantsur		18:56
*** wwriverrat has quit IRC		18:57
*** dtantsur has left #openstack-keystone		18:57
*** marcoemorais has quit IRC		19:00
*** marcoemorais has joined #openstack-keystone		19:00
*** marcoemorais has quit IRC		19:01
*** marcoemorais has joined #openstack-keystone		19:01
*** marcoemorais has quit IRC		19:01
*** marcoemorais has joined #openstack-keystone		19:02
*** thedodd has quit IRC		19:04
morganfainberg	dstanek, the endpoints are part of the catalog,	19:05
*** spligak has joined #openstack-keystone		19:06
samuelms	dstanek, one possible solution would be to get resources that a token has access to ... not operations .. like this a client (such horizon) can show a dashboard for those resources (like instances)	19:07
samuelms	morganfainberg, ^	19:07
samuelms	and the dynamic thing 'would be specifically solved by the endpoint filtering and constraints', as morgan said	19:08
morganfainberg	samuelms, my view on this is trying to solve the	19:08
dstanek	samuelms: you wouldn't bundle that with the token though - you would ask nova for the computes, etc	19:09
*** afazekas has quit IRC		19:09
morganfainberg	"what can I do with this token" question, we are already talking about adding in contstaints that indicate what your endpoints you are allowed to interact with will be	19:09
dstanek	yeah, that's what i'm afraid of right now. i think as a group we need to have a cohesive view of everything and then start picking at it for implementation	19:10
morganfainberg	dstanek, which is why i'm starting the conversation (not implementation)	19:11
morganfainberg	:)	19:11
dstanek	maybe not a complete view, but one to help define a general direction	19:11
*** shakamunyi has joined #openstack-keystone		19:12
morganfainberg	maybe we just need a consistent view to work from	19:13
morganfainberg	and that is the issue at hand. inconsistency.	19:14
dstanek	morganfainberg: no, i'm not saying you're doing anything wrong :-) this just tends to happen in open source as everyone tries to scratch their own itch	19:15
morganfainberg	dstanek, right.	19:15
morganfainberg	like i said, let me start a ML topic on it. i think thats the next step to get more conversation vs. just some irc back and forth	19:16
*** shakayumi has joined #openstack-keystone		19:17
*** nellysmitt has quit IRC		19:17
*** nellysmitt has joined #openstack-keystone		19:18
gyee	bknudson, ping	19:18
*** shakamunyi has quit IRC		19:21
bknudson	gyee: what's up?	19:21
*** nellysmitt has quit IRC		19:23
gyee	bknudson, you mentioned awhile back that nova to glance interaction is still backed on keystone v2 auth	19:24
gyee	that still true?	19:24
bknudson	gyee: I don't think nova to glance does any authentication so it doesn't use v2 or v3	19:25
bknudson	gyee: nova to neutron does v2 auth	19:25
gyee	bknudson, you have a patch to fix that? if not, I can work on it	19:26
bknudson	gyee: for nova to glance I think it just reuses the token that it was given originally and doesn't get a new one	19:26
bknudson	gyee: there are a couple of patches... it's probably not worth looking at mine.	19:26
bknudson	gyee: jamielennox had one... let me fine it.	19:26
bknudson	gyee: https://review.openstack.org/#/c/113735/	19:27
gyee	bknudson, I am trying to figure out if we turned of v2 right now, who will break	19:27
gyee	bknudson, should I amend your patch?	19:28
bknudson	gyee: jamielennox commented in 113735 with his suggestion	19:29
bknudson	gyee: jamie's used load_from_conf_options	19:30
gyee	that's fine	19:30
bknudson	which is what I should have used	19:30
bknudson	gyee: you can amend my patch. I don't have time to work on it for a while.	19:30
gyee	bknudson, k, will work on it, just want to make sure we don't collide	19:31
openstackgerrit	Lance Bragstad proposed a change to openstack/keystone: Remove XML support https://review.openstack.org/125738	19:35
*** thedodd has joined #openstack-keystone		19:36
*** NM has quit IRC		19:37
*** nkinder has joined #openstack-keystone		19:39
*** shakayumi has quit IRC		19:48
*** nellysmitt has joined #openstack-keystone		19:51
openstackgerrit	Andre Aranha proposed a change to openstack/keystone: Creating a policy sample https://review.openstack.org/123509	19:57
ayoung	lbragstad, so on the XML removal, I fully concur. Do we have a follow on plan for XML support?	20:04
ayoung	Or are we just saying "Buh bye"	20:04
lbragstad	ayoung: I think we'll be supporting xml for juno and icehouse, which is why I'm working on these here:	20:04
lbragstad	https://review.openstack.org/#/c/126564/	20:04
lbragstad	https://review.openstack.org/#/c/126672/	20:05
ayoung	lbragstad, OK, so I want to change how we do marshalling	20:05
lbragstad	https://review.openstack.org/#/c/127641/	20:05
ayoung	lbragstad, the old way way	20:05
ayoung	python->json->xml	20:05
ayoung	instead, we should determine the final marshalling format and do python_>json or python->xml	20:05
ayoung	and that means changing out the middleware	20:05
* ayoung had an abandonded review...		20:06
lbragstad	so, how would that work if we're not going to support xml in Kilo?	20:07
ayoung	lbragstad, https://review.openstack.org/#/c/29105/9/keystone/contrib/html/middleware.py,cm	20:07
ayoung	ah, misread what you wrote	20:07
*** shakamunyi has joined #openstack-keystone		20:07
*** Kui has joined #openstack-keystone		20:08
ayoung	lbragstad, if the only content type we are supporting is JSON from here on out, its not needed	20:08
lbragstad	ayoung: ok, sounds good	20:08
lbragstad	I was trying understand the workflow	20:08
ayoung	lbragstad, its my view that marshalling really is not a Keystone specific action, and we should be consuming external marshalling code. THat means that if someone wants XML, they get XML. But we should honor the "Accepts" header	20:09
*** david-lyle has quit IRC		20:09
ayoung	to be celar	20:10
ayoung	clear	20:10
ayoung	they "get" XML if they have their own marshaller, or if the framework provides one	20:10
lbragstad	gotcha	20:10
ayoung	not that we sould	20:10
ayoung	should	20:10
* ayoung worse than usual typing today		20:10
lbragstad	I was just playing with that.. I sent a request with 'Content-Type: application/xml' after ripping out all the middleware for xml and it spits back JSON.	20:11
dolphm	ayoung: but there's no generic way to map from any given format to another, which makes all of the alternatives formats proprietary and broken	20:17
mfisch	are the new defaults listed here accurate: http://docs.openstack.org/trunk/config-reference/content/keystone-conf-changes-master.html	20:17
dolphm	lbragstad: Accept or Content-Type?	20:17
dolphm	lbragstad: Accept indicates what you want back	20:17
mfisch	the example config has a default revocation_cache_time of 3600, not 10	20:17
morganfainberg	dstanek, ML topic sent	20:17
mfisch	the code also says 3600	20:18
morganfainberg	mfisch, that is correct the revocation list in keystone is highly cacheable	20:18
mfisch	is the default 3600? the docs say it should be 300 and is now going to be 10	20:19
ayoung	dolphm depends on if Keystone is stating support for a given format. If we say "we support XML" then we would have to support what the XML looks like that we support. I was just against the JSON->XML approach we were using	20:19
morganfainberg	mfisch, 3600 should be the cache time for the revocation list	20:19
mfisch	so the docs are wrong	20:19
morganfainberg	ugh. did someone change that?	20:19
mfisch	checkout that link	20:19
mfisch	pretty much at the bottom	20:19
morganfainberg	mfisch, yeah docs look wrong	20:20
mfisch	I'll file a doc bug if you confirm it	20:20
mfisch	ok	20:20
morganfainberg	mfisch, cfg.IntOpt('revocation_cache_time', default=3600,	20:20
mfisch	I'm trying to update puppet-keystone to have the right defaults	20:20
ayoung	dolphm, we just currently use the existing JSON marshaller as the starting point. I'm not aware of any real need for an XML tool, but I suspect that, once we rip out XML support, someone will come crying.	20:20
lbragstad	dolphm: did it with both	20:20
mfisch	thx morganfainberg	20:20
mfisch	filed and cited the new PTL so they have to fix it I think ;)	20:21
morganfainberg	lol	20:21
openstackgerrit	Terry Howe proposed a change to openstack/keystone-specs: Keystone Client Auth Plugin for token or user/pass https://review.openstack.org/127993	20:21
lbragstad	so, if someone is expecting XML from Keystone, do we bomb out and say that it is no longer supported? Or do we just do everything in JSON and if they happen to have some sort of middleware in place they have to expect JSON because that's what we do support?	20:36
morganfainberg	lbragstad, i'd expect if someone only accepts XML / content-type application/xml we need to say 400	20:36
morganfainberg	bad request.	20:37
morganfainberg	they are asking for something we don't support, but a change in the request would make it valid. (difference from NotImplemented)	20:37
lbragstad	so what if they have their own xml middleware inplace?	20:38
openstackgerrit	Terry Howe proposed a change to openstack/keystone-specs: Keystone Client Auth Plugin for token or user/pass https://review.openstack.org/127993	20:39
openstackgerrit	Matthieu Huin proposed a change to openstack/keystone: SAML-related protocols must be named 'saml2' https://review.openstack.org/128093	20:43
morganfainberg	lbragstad, they'd need to convert to json before it hit keystone, since we expect json	20:49
morganfainberg	unfortunately.	20:49
lbragstad	ok	20:49
lbragstad	makes sense	20:49
*** radez is now known as radez_g0n3		20:49
morganfainberg	so XML Request -> XML Middleware (convert to JSON) -> Keystone -> XML Midldeware (from JSON) -> XML Response	20:49
lbragstad	so I'll build a check into wsgi.py somewhere to check for that and bomb out	20:49
ayoung	jdennis, I think I cracked the code on pyasn1. I'm using this code here and it seems to work: http://pyasn1.cvs.sourceforge.net/viewvc/pyasn1/pyasn1-modules/tools/pkcs7dump.py?view=markup	20:53
*** david-lyle has joined #openstack-keystone		20:53
*** david-lyle has quit IRC		20:59
*** arunkant has joined #openstack-keystone		21:02
openstackgerrit	Terry Howe proposed a change to openstack/keystone-specs: Keystone Client Auth Plugin for token or user/pass https://review.openstack.org/127993	21:15
openstackgerrit	Morgan Fainberg proposed a change to openstack/keystone: Remove unused ec2 driver option https://review.openstack.org/124810	21:16
openstackgerrit	Kui Shi proposed a change to openstack/keystone: Add memcached_backend configuration https://review.openstack.org/122037	21:18
*** wwriverrat has joined #openstack-keystone		21:19
openstackgerrit	Matthieu Huin proposed a change to openstack/python-keystoneclient: Add protocol as an argument when using unscoped SAML-based plugins https://review.openstack.org/128103	21:25
openstackgerrit	Matthieu Huin proposed a change to openstack/python-keystoneclient: Add protocol as an argument for unscoped SAML-based plugins https://review.openstack.org/128103	21:25
*** arif-ali has joined #openstack-keystone		21:31
morganfainberg	dstanek, ping	21:33
*** saipandi has quit IRC		21:40
*** shakayumi has joined #openstack-keystone		21:49
*** dims has quit IRC		21:50
*** jraim has quit IRC		21:52
*** shakamunyi has quit IRC		21:53
*** jraim has joined #openstack-keystone		21:53
*** shakayumi has quit IRC		21:54
*** david-lyle has joined #openstack-keystone		21:55
*** nellysmitt has quit IRC		21:58
*** jorge_munoz has quit IRC		22:03
*** bknudson has quit IRC		22:04
*** david-lyle_ has joined #openstack-keystone		22:12
*** david-lyle has quit IRC		22:15
openstackgerrit	Matthieu Huin proposed a change to openstack/keystone: SAML-related protocols must be named 'saml2' https://review.openstack.org/128093	22:23
*** packet has quit IRC		22:28
*** thedodd has quit IRC		22:32
*** david-lyle_ is now known as david-lyle		22:40
*** dims_ has joined #openstack-keystone		22:41
*** shakayumi has joined #openstack-keystone		22:47
*** sigmavirus24 is now known as sigmavirus24_awa		22:53
*** david-lyle has quit IRC		22:58
*** zzzeek has quit IRC		22:59
*** shakayumi has quit IRC		23:01
*** zzzeek has joined #openstack-keystone		23:02
*** openstackgerrit has quit IRC		23:03
*** openstackgerrit has joined #openstack-keystone		23:03
openstackgerrit	OpenStack Proposal Bot proposed a change to openstack/identity-api: Updated from global requirements https://review.openstack.org/128121	23:05
*** david-lyle has joined #openstack-keystone		23:08
morganfainberg	david-lyle, ping	23:11
*** jorge_munoz has joined #openstack-keystone		23:11
morganfainberg	david-lyle, re: https://etherpad.openstack.org/p/kilo-keystone-summit-topics the first session there.	23:11
morganfainberg	david-lyle, on wed. 0900, as a tentative session topic.	23:11
*** david-lyle has quit IRC		23:14
morganfainberg	ayoung, ping	23:15
*** shakayumi has joined #openstack-keystone		23:18
*** openstackgerrit has quit IRC		23:33
*** openstackgerrit has joined #openstack-keystone		23:33
*** samuelmz__ has joined #openstack-keystone		23:34
ayoung	morganfainberg, I'm in Dad mode. Type your question and I'll answer in spurts...	23:38
morganfainberg	ayoung, https://etherpad.openstack.org/p/kilo-keystone-summit-topics first session there	23:39
nkinder	morganfainberg: is there any chance to move the federation one to a different time-slot?	23:39
morganfainberg	nkinder, all slots are open for moving	23:39
nkinder	morganfainberg: I'm giving a talk at that time, and I really wanted to be there for the federation one	23:39
morganfainberg	nkinder, the only one i likely wont move is the ops on	23:39
morganfainberg	e	23:39
morganfainberg	nkinder, yeah sure we cna move that one	23:39
nkinder	morganfainberg: awesome, thanks	23:40
morganfainberg	limited on options since i don't want it to overlap w/ horizon	23:41
morganfainberg	oh nvm, hah horizon sessions are off-set	23:42
nkinder	Scheduling is always fun. I'm sure we can't make everyone happy	23:43
morganfainberg	nkinder, ok shuffled some stuff around	23:46
morganfainberg	nkinder, the three i'm hoping you can make it to are SSO/Federation, Hierarchical multitenancy, and authorization	23:46
morganfainberg	nkinder, obv wont be upset if you made it to more of them	23:47
nkinder	morganfainberg: I plan to make it to as many keystone sessions as possible. My only real commitment is the keystone talk I'm giving at 9am on wednesday	23:47
morganfainberg	ah	23:48
ayoung	morganfainberg, looks good. BTW, what do you think of the idea of putting the token in the payload of the requests and saying that everyone just needs to make room for keystone?	23:48
morganfainberg	nkinder, also when you have a sec, if you have anything to add to this thread: http://lists.openstack.org/pipermail/openstack-dev/2014-October/048335.html I'd appreciate it.	23:48
morganfainberg	ayoung, you mean in the body?	23:49
nkinder	morganfainberg: yeah, I read that a few minutes ago and plan on chiming in	23:49
morganfainberg	ayoung, it's definitely an alternative. might solve the token size issue.	23:49
morganfainberg	ayoung, i think worth voicing that as option for the authorization/token session	23:49
morganfainberg	token size + header	23:50
morganfainberg	not that the token size would get smaller	23:50
gyee	we need token diet	23:55
*** bknudson has joined #openstack-keystone		23:55

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!