openstackgerrit | A change was merged to openstack/keystone: Address some late comments for memcache clients https://review.openstack.org/124443 | 00:08 |
---|---|---|
openstackgerrit | Brant Knudson proposed a change to openstack/python-keystoneclient: Docstring cleanup for return type https://review.openstack.org/127857 | 00:13 |
*** ncoghlan has joined #openstack-keystone | 00:22 | |
openstackgerrit | Brant Knudson proposed a change to openstack/python-keystoneclient: Cleanup docs - raises class https://review.openstack.org/127858 | 00:43 |
*** mitz_ has joined #openstack-keystone | 00:44 | |
*** diegows has joined #openstack-keystone | 00:58 | |
*** r1chardj0n3s is now known as r1chardj0n3s_afk | 01:19 | |
*** alex_xu has joined #openstack-keystone | 01:19 | |
*** bknudson has quit IRC | 01:33 | |
*** lhcheng has joined #openstack-keystone | 01:37 | |
*** shikui_ has joined #openstack-keystone | 01:38 | |
*** Kui has quit IRC | 01:38 | |
*** lhcheng has quit IRC | 01:39 | |
*** lhcheng has joined #openstack-keystone | 01:40 | |
*** r1chardj0n3s_afk is now known as r1chardj0n3s | 01:48 | |
*** ncoghlan is now known as ncoghlan_afk | 01:54 | |
*** dims has quit IRC | 02:22 | |
*** jacer_huawei has quit IRC | 02:22 | |
*** zhiyan|afk is now known as zhiyan | 02:28 | |
*** alex_xu has quit IRC | 02:31 | |
*** jacer_huawei has joined #openstack-keystone | 02:35 | |
*** alex_xu has joined #openstack-keystone | 02:40 | |
*** ncoghlan_afk is now known as ncoghlan | 02:46 | |
*** david-lyle has joined #openstack-keystone | 02:51 | |
openstackgerrit | wanghong proposed a change to openstack/keystonemiddleware: choose api version when IdentityServer init https://review.openstack.org/127866 | 02:58 |
*** lhcheng has quit IRC | 03:27 | |
*** r1chardj0n3s is now known as r1chardj0n3s_afk | 03:36 | |
*** lhcheng has joined #openstack-keystone | 03:36 | |
*** diegows has quit IRC | 03:56 | |
*** lhcheng has quit IRC | 04:04 | |
*** lhcheng has joined #openstack-keystone | 04:10 | |
*** r1chardj0n3s_afk is now known as r1chardj0n3s | 04:12 | |
*** swamireddy has joined #openstack-keystone | 04:26 | |
*** alex_xu has quit IRC | 05:03 | |
*** alex_xu has joined #openstack-keystone | 05:18 | |
*** david-lyle has quit IRC | 05:21 | |
*** remote_morgan_ has quit IRC | 05:24 | |
*** afazekas has quit IRC | 05:28 | |
*** alex_xu has quit IRC | 05:33 | |
*** alex_xu has joined #openstack-keystone | 05:45 | |
*** ncoghlan is now known as ncoghlan_afk | 06:00 | |
*** afazekas has joined #openstack-keystone | 06:09 | |
*** k4n0 has joined #openstack-keystone | 06:16 | |
*** ukalifon1 has joined #openstack-keystone | 06:21 | |
*** ncoghlan_afk is now known as ncoghlan | 06:26 | |
*** lhcheng has quit IRC | 06:27 | |
*** lufix has joined #openstack-keystone | 06:47 | |
*** rkofman has quit IRC | 06:49 | |
*** dtantsur|afk is now known as dtantsur | 07:23 | |
*** htruta has quit IRC | 07:27 | |
*** thiagop has quit IRC | 07:28 | |
*** raildo has quit IRC | 07:28 | |
*** afaranha has quit IRC | 07:28 | |
*** tellesnobrega has quit IRC | 07:28 | |
openstackgerrit | wanghong proposed a change to openstack/keystonemiddleware: choose api version when IdentityServer init https://review.openstack.org/127866 | 07:35 |
*** jistr has joined #openstack-keystone | 07:54 | |
dtantsur | hi folks! on every request to keystoneclient I get keystoneclient.openstack.common.apiclient.exceptions.EndpointNotFound without any explanation. What does it mean? | 08:11 |
*** jistr has quit IRC | 08:14 | |
dtantsur | not actually every: tenants.list() works, endpoints.list() or smth with roles - does not. any ideas? | 08:16 |
*** jistr has joined #openstack-keystone | 08:18 | |
dtantsur | so, despite the examples in keystoneclient docs, 'endpoint' argument is required. now I get Unauthorized (authentication token is provided) on /endpoints. | 08:22 |
*** ncoghlan has quit IRC | 08:34 | |
*** f13o has joined #openstack-keystone | 08:50 | |
*** k4n0 has quit IRC | 08:50 | |
*** swamireddy1 has joined #openstack-keystone | 08:54 | |
*** k4n0 has joined #openstack-keystone | 08:55 | |
*** swamireddy has quit IRC | 08:55 | |
*** mitz_ has quit IRC | 08:57 | |
*** mitz_ has joined #openstack-keystone | 08:59 | |
*** aix_ has joined #openstack-keystone | 09:11 | |
marekd | mhu: o/ | 09:17 |
mhu | marekd: o/ | 09:17 |
marekd | mhu: just a question: with the current version of openstackclient (pulled from master), is it capable of federated authn? | 09:17 |
mhu | marekd: it should be, provided you use a recent enough version of python-keystoneclient | 09:18 |
marekd | 0.11 | 09:18 |
mhu | the latest tag, 0.11.1, should have the v3unscopedsaml and v3scopedsaml plugins | 09:18 |
marekd | mhu: exactly. I am using keystoneclient with success, but... | 09:19 |
marekd | i have a fresh osc installed in a new virtualenv sandbox | 09:20 |
marekd | and for instance available plugins listed are: --os-auth-plugin <OS_AUTH_PLUGIN> The authentication method to use. If this option is not set, openstackclient will attempt to guess the authentication method to use based on the other options. If this option is set, the --os-identity-api- version argument must be consistent with the version of the method. Available methods are v2token, v2password, v3password, token, v3token, password | 09:20 |
marekd | mhu: ^^ | 09:23 |
mhu | marekd, odd ... when you check the help, do you see any arguments used by v3unscopedsaml ? like os_identity_provider_url | 09:25 |
marekd | mhu: nope | 09:26 |
marekd | mhu: (osc)marek@cerntop:/srv/openstack/python-openstackclient$ openstack -h | grep identity | 09:27 |
marekd | [--os-identity-api-version <identity-api-version>] | 09:27 |
marekd | --os-identity-api-version <identity-api-version> | 09:27 |
marekd | options. If this option is set, the --os-identity-api- | 09:27 |
marekd | identity provider create Create new identity provider | 09:27 |
marekd | identity provider delete Delete an identity provider | 09:27 |
marekd | identity provider list List identity providers | 09:27 |
marekd | identity provider set Set identity provider properties | 09:27 |
marekd | identity provider show Show identity provider details | 09:27 |
marekd | (osc)marek@cerntop:/srv/openstack/python-openstackclient$ | 09:27 |
marekd | mhu: did you have a chance to try out openstackclient with saml? | 09:29 |
mhu | marekd, no not yet, I had to rebuild my test bed and I have some trouble with activating ECP on the Service Provider, but I had to work on something else in the meantime | 09:30 |
mhu | I hope to address this today actually | 09:30 |
mhu | marekd, what do you get when running this in your venv: python -c 'import openstackclient.api.auth as a;print [i.name for i in a.PLUGIN_LIST]' | 09:31 |
marekd | mhu: ['v2token', 'v2password', 'v3password', 'token', 'v3token', 'password'] | 09:32 |
mhu | marekd, this is odd, if you have ksc 0.11 you should have way more: https://github.com/openstack/python-keystoneclient/blob/0.11.0/setup.cfg#L37 | 09:34 |
marekd | mhu: i know, cause I am using my own wrappers for federated auth at the moment. | 09:34 |
marekd | mhu: ok, i will investigate it later, I thought there is a step that i unintentionally skipped. | 09:34 |
mhu | marekd, you said it worked with ksc, have you tried in your venv ? | 09:34 |
mhu | try to run pip install -r /path/to/python-keystoneclient/test-requirements.txt | 09:35 |
*** k4n0 has quit IRC | 09:35 | |
mhu | I wonder if the saml specific plugins aren't loaded because you're missing dependencies that are declared in test-requirements only (seeing as the federation stuff is considered optional) | 09:36 |
*** alex_xu has quit IRC | 09:36 | |
marekd | mhu: i am missing lxml, just noticed. maybe osc is somehow covering this (and hiding error from me) | 09:36 |
marekd | mhu: yeah | 09:37 |
marekd | pip install lxml solved it. | 09:37 |
mhu | marekd, not osc, the endpoint management library which name eludes me at the moment | 09:37 |
*** Dafna has joined #openstack-keystone | 09:37 | |
mhu | marekd: \o/ nice | 09:37 |
marekd | mhu: ok, thanks for your assistance | 09:37 |
mhu | marekd, you're welcome, it's a problem likely to occur again so it's good we know about it. I think it should be documented somewhere, maybe in osc | 09:38 |
marekd | mhu: for sure. | 09:38 |
*** dims has joined #openstack-keystone | 09:50 | |
*** k4n0 has joined #openstack-keystone | 09:54 | |
*** dims has quit IRC | 09:55 | |
*** k4n0 has quit IRC | 09:55 | |
*** k4n0 has joined #openstack-keystone | 09:56 | |
*** amakarov_away has quit IRC | 09:56 | |
*** amakarov has joined #openstack-keystone | 09:57 | |
*** aix_ has quit IRC | 10:35 | |
*** swamireddy1 has quit IRC | 11:03 | |
*** samuelmz has joined #openstack-keystone | 11:23 | |
*** samuelmz is now known as samuelms | 11:23 | |
*** tellesnobrega has joined #openstack-keystone | 11:24 | |
*** aix_ has joined #openstack-keystone | 11:30 | |
*** diegows has joined #openstack-keystone | 11:38 | |
*** jistr has quit IRC | 11:49 | |
*** diegows has quit IRC | 11:49 | |
*** dims has joined #openstack-keystone | 12:01 | |
*** jistr has joined #openstack-keystone | 12:12 | |
*** packet has joined #openstack-keystone | 12:14 | |
*** k4n0 has quit IRC | 12:21 | |
*** ByteSore has quit IRC | 12:23 | |
*** ByteSore has joined #openstack-keystone | 12:24 | |
*** htruta has joined #openstack-keystone | 12:27 | |
*** radez_g0n3 is now known as radez | 12:27 | |
*** bknudson has joined #openstack-keystone | 12:39 | |
rodrigods | bknudson, just answered your comments in the add parent_id patch =) | 12:44 |
bknudson | rodrigods: is there a change proposed to the identity-api spec? https://github.com/openstack/identity-api/blob/master/v3/src/markdown/identity-api-v3.md | 12:44 |
bknudson | for the new field in project | 12:45 |
rodrigods | bknudson, yes... let me find it | 12:59 |
rodrigods | bknudson, https://review.openstack.org/#/c/111355/ | 12:59 |
*** ukalifon1 has quit IRC | 13:00 | |
bknudson | rodrigods: if this is an extension then I don't think it can add a required field to projects | 13:01 |
*** ukalifon has joined #openstack-keystone | 13:01 | |
*** NM has joined #openstack-keystone | 13:01 | |
openstackgerrit | Sergey Kraynev proposed a change to openstack/python-keystoneclient: Using correct keyword for region in v3 https://review.openstack.org/118383 | 13:02 |
bknudson | makes me wonder why this is implemented as an extension | 13:02 |
rodrigods | bknudson, no... just the inherited roles part is an extension | 13:03 |
bknudson | rodrigods: ok, so where's the change to the identity api to describe the parent_id field? | 13:03 |
rodrigods | bknudson, the same file, the additions at Modified APIs section | 13:06 |
rodrigods | bknudson, it needs update, we changed the field from parent_project_id to parent_id. Will ask raildo to fix it | 13:06 |
*** raildo has joined #openstack-keystone | 13:09 | |
*** nkinder has quit IRC | 13:10 | |
bknudson | rodrigods: a change to how the server returns projects all the time is going to need to be in the core api and not in an extension | 13:10 |
*** afaranha has joined #openstack-keystone | 13:11 | |
rodrigods | bknudson, here: https://github.com/openstack/identity-api/blob/master/v3/src/markdown/identity-api-v3.md#projects-v3projects . Right? | 13:12 |
bknudson | rodrigods: yes | 13:13 |
rodrigods | bknudson, great, will submit. Also, is the Modified APIs part still needed? | 13:13 |
rodrigods | bknudson, (at the extension) | 13:14 |
*** nellysmitt has joined #openstack-keystone | 13:14 | |
*** dims has quit IRC | 13:14 | |
bknudson | rodrigods: if the extension modifies APIs then that part is still needed. | 13:14 |
*** dims has joined #openstack-keystone | 13:15 | |
*** shikui_ has quit IRC | 13:18 | |
openstackgerrit | Samuel de Medeiros Queiroz proposed a change to openstack/keystone: Improve list role assignments filters performance https://review.openstack.org/116682 | 13:24 |
samuelms | dolphm, ping | 13:25 |
rodrigods | bknudson, seems that we need a 3.4 version, should I add directly there? | 13:26 |
bknudson | rodrigods: yes | 13:26 |
rodrigods | bknudson, great | 13:26 |
*** jaosorior has joined #openstack-keystone | 13:26 | |
*** swamireddy has joined #openstack-keystone | 13:30 | |
*** swamireddy1 has joined #openstack-keystone | 13:31 | |
openstackgerrit | Thiago Paiva Brito proposed a change to openstack/python-keystoneclient: Implementing hierarchical calls on keystoneclient v3 (python only) https://review.openstack.org/115770 | 13:31 |
*** swamireddy has quit IRC | 13:35 | |
*** nellysmitt has quit IRC | 13:44 | |
*** nellysmitt has joined #openstack-keystone | 13:45 | |
openstackgerrit | Andre Aranha proposed a change to openstack/keystone: Creating a policy sample https://review.openstack.org/123509 | 13:45 |
*** ukalifon has quit IRC | 13:47 | |
*** nellysmitt has quit IRC | 13:49 | |
*** ukalifon1 has joined #openstack-keystone | 13:51 | |
*** vhoward has joined #openstack-keystone | 13:51 | |
*** sigmavirus24_awa is now known as sigmavirus24 | 13:54 | |
*** nkinder has joined #openstack-keystone | 13:59 | |
*** saipandi has joined #openstack-keystone | 14:04 | |
*** Guest20248 is now known as redrobot | 14:06 | |
*** nellysmitt has joined #openstack-keystone | 14:12 | |
ukalifon1 | nkinder: ping. I can list users with LDAP but can't get a token. Can you help? | 14:13 |
nkinder | ukalifon1: I'm in meetings for the next hour or so, but let me know what release you are using and what LDAP server it is | 14:18 |
ukalifon1 | nkinder: I have 2 havana installations set up, both have the same problem. One is working against AD and the other with IPA. I will mail you the details so you can log into them in case I won't be here already. Thanks a lot | 14:20 |
*** thedodd has joined #openstack-keystone | 14:20 | |
*** rwsu has joined #openstack-keystone | 14:22 | |
*** nellysmitt has quit IRC | 14:23 | |
nkinder | Sure, I can log in and take a look a bit later today | 14:23 |
*** nellysmitt has joined #openstack-keystone | 14:23 | |
nkinder | ukalifon1: ^^^ | 14:23 |
*** david-lyle has joined #openstack-keystone | 14:26 | |
*** nellysmitt has quit IRC | 14:28 | |
*** nellysmitt has joined #openstack-keystone | 14:31 | |
*** jorge_munoz has joined #openstack-keystone | 14:35 | |
*** packet has quit IRC | 14:36 | |
dolphm | samuelms: o/ | 14:37 |
openstackgerrit | Samuel de Medeiros Queiroz proposed a change to openstack/keystone: Improve list role assignments filters performance https://review.openstack.org/116682 | 14:43 |
samuelms | dolphm, hi :-) | 14:44 |
samuelms | dolphm, it would be nice if we could get a couple of reviews on this ^ | 14:44 |
samuelms | dolphm, it has been waiting for review since we're closed for kilo dev | 14:44 |
dolphm | samuelms: i'll put it on my list for today | 14:44 |
samuelms | dobson, yes thanks | 14:45 |
samuelms | dobson, oops, sorry | 14:45 |
samuelms | dolphm, ok thanks :) | 14:45 |
*** swamireddy1 has quit IRC | 14:47 | |
*** nellysmitt has quit IRC | 14:47 | |
*** rwsu has quit IRC | 14:47 | |
*** nellysmitt has joined #openstack-keystone | 14:48 | |
*** thedodd has quit IRC | 14:49 | |
*** packet has joined #openstack-keystone | 14:52 | |
*** nellysmitt has quit IRC | 14:52 | |
*** thedodd has joined #openstack-keystone | 14:56 | |
openstackgerrit | Rodrigo Duarte proposed a change to openstack/identity-api: API documentation for Hierarchical Multitenancy https://review.openstack.org/111355 | 14:57 |
*** nellysmitt has joined #openstack-keystone | 14:58 | |
*** zzzeek has joined #openstack-keystone | 15:00 | |
*** thedodd has quit IRC | 15:05 | |
openstackgerrit | Rodrigo Duarte proposed a change to openstack/identity-api: API documentation for Hierarchical Multitenancy https://review.openstack.org/111355 | 15:05 |
*** thedodd has joined #openstack-keystone | 15:05 | |
rodrigods | bknudson, ^ | 15:06 |
*** thedodd has quit IRC | 15:10 | |
*** richm has joined #openstack-keystone | 15:23 | |
openstackgerrit | Terry Howe proposed a change to openstack/keystone-specs: Keystone Client Auth Plugin for token or user/pass https://review.openstack.org/127993 | 15:24 |
*** ayoung has joined #openstack-keystone | 15:26 | |
*** nellysmitt has quit IRC | 15:26 | |
*** nellysmitt has joined #openstack-keystone | 15:27 | |
*** thedodd has joined #openstack-keystone | 15:27 | |
*** thedodd has quit IRC | 15:27 | |
*** thedodd has joined #openstack-keystone | 15:27 | |
openstackgerrit | Terry Howe proposed a change to openstack/keystone-specs: Keystone Client Auth Plugin for token or user/pass https://review.openstack.org/127993 | 15:31 |
openstackgerrit | Terry Howe proposed a change to openstack/keystone-specs: Keystone Client Auth Plugin for token or user/pass https://review.openstack.org/127993 | 15:31 |
*** nellysmitt has quit IRC | 15:31 | |
openstackgerrit | Terry Howe proposed a change to openstack/python-keystoneclient: Identity plugin that manages passwords and tokens https://review.openstack.org/124830 | 15:34 |
*** lufix has quit IRC | 15:34 | |
*** ukalifon1 has quit IRC | 15:39 | |
ayoung | nkinder, jdennis any familiarity with pyasn1? Trying to extract the signer info out of a keystone token in der format. | 15:39 |
jdennis | ayoung: rcrit has used pyasn1 in the past and there was a recent thread on the openstack list on using it and a patch, let me see if I can dig that up | 15:40 |
ayoung | jdennis, thanks | 15:40 |
ayoung | thanks | 15:41 |
ayoung | jdennis, suspect the mailing list conversation you were remembering was that I fat fingered ASN1 to ANS1 and it made it through code review and lived uncaught for about a year | 15:42 |
ayoung | those fat finders are in dull eddect tofay | 15:42 |
jdennis | ayoung: no this was something else, it was how to get some info out of a cert, something related to barbican if I recall | 15:43 |
ayoung | jdennis, cool. The pyasn1 docs don't really explain how to work with the library for parsing arbitrary data. I suspect that the right solution would be to build a CMS based model and parse to that. | 15:44 |
*** dtantsur is now known as dtantsur|afk | 15:44 | |
jdennis | ayoung: the discussion was started by Carlos Garza of RackSpace with a title of "Extracting SubjectCommonName and/or SubjectAlternativeNames from X509" | 15:51 |
jdennis | the discussion started in June and I think ended in August, I believe somewhere along the way Carlos submitted a patch using pyasn1 to extract that info, hope that helps | 15:52 |
morganfainberg | ayoung, starting some discussions to get more push (and resources) to make Keystone + LDAP/IPA/Etc much better. I'll keep you in the loop as things progress. | 15:52 |
ayoung | morganfainberg, happy! | 15:52 |
ayoung | jdennis, a Barbican patch? /me searching through the discussion | 15:53 |
jdennis | ayoung: not sure if it was a barbican patch or not, memory is fuzzy | 15:53 |
jdennis | ayoung: I believe there are also examples in IPA, code authored by rcrit | 15:54 |
ayoung | jdennis, cool | 15:54 |
ayoung | jdennis, I got as far as decoding the der to a tuple | 15:54 |
jdennis | ayoung: personally I'd avoid trying to parse asn.1, in favor of using a crypto library that already knows how to extract the data, likely to be more robust and less painful, asn.1 is not easy | 15:55 |
ayoung | jdennis, just that I don't really have a crypto library I can use | 15:56 |
ayoung | the whole popen thing with openssl. | 15:56 |
ayoung | can't make nss a req yet, and not sure it does the "extract the signer info from CMS when you don't have a certificate" function I need anyway | 15:56 |
jdennis | ayoung: too bad, fwiw pynss can trivially return detailed info on the signer. | 15:57 |
ayoung | so far the best I got was derdumping it and parsing | 15:57 |
*** swamireddy has joined #openstack-keystone | 15:57 | |
*** marcoemorais has joined #openstack-keystone | 15:57 | |
ayoung | jdennis, code snippet for me? | 15:57 |
jdennis | ayoung: I may have missed the fact you don't have a cert, at the moment pynss needs a cert, I don't think we've added code to pynss yet to parse CMS S/MIME | 15:59 |
ayoung | jdennis, yeah | 15:59 |
ayoung | jdennis, I have the cert, it's just external to the message, and I have a set of certs, not a single one. I want to select the right one | 16:00 |
*** marcoemorais has quit IRC | 16:01 | |
ayoung | jdennis, I still would love an excuse to make the PKI infrastructure work with NSS | 16:01 |
ayoung | PKI Keystone that is | 16:01 |
*** marcoemorais has joined #openstack-keystone | 16:01 | |
*** gyee has joined #openstack-keystone | 16:03 | |
morganfainberg | ayoung, doesn't it mostly work with NSS already? | 16:05 |
ayoung | jdennis, https://code.google.com/p/cmstng/source/browse/trunk/python/x509.py?r=67 looks like it is how pyasn1 expects things to work | 16:05 |
ayoung | morganfainberg, not for tokens | 16:05 |
morganfainberg | ahh | 16:05 |
ayoung | morganfainberg, the popen is an openssl call | 16:05 |
morganfainberg | right | 16:05 |
morganfainberg | right | 16:05 |
ayoung | morganfainberg, the https stuff will work with mod_nss | 16:05 |
ayoung | morganfainberg, the barbican approach to trying to "standardize" the crypto library falls down on a basic assumption. NSS insists on an external container (representing hardware devices) that keeps the Keys out of the current process space, so a coredump doesn't spew your keys to the disk unencrypted | 16:07 |
morganfainberg | right | 16:07 |
morganfainberg | which is *smart* | 16:07 |
ayoung | morganfainberg, we could swap in a different popen call, | 16:08 |
morganfainberg | i mean, smart people have been working on that for quite a while, i guess | 16:08 |
ayoung | it would probably require treating the paths for the ca cert and signing certs as "nicknames" | 16:08 |
ayoung | but we still would need some other param for saying "here is the NSS database" | 16:08 |
ayoung | morganfainberg, you have a Firefox install on your machine right now? | 16:08 |
morganfainberg | yes. but i need to run off to breakfast | 16:09 |
morganfainberg | or i wont get it | 16:09 |
ayoung | morganfainberg, OK. | 16:09 |
*** wwriverrat has joined #openstack-keystone | 16:09 | |
morganfainberg | be back in ~30-60min | 16:09 |
ayoung | morganfainberg, when you get back, I can show you where the NSS DB is | 16:09 |
morganfainberg | cool | 16:09 |
ayoung | it helps to make the whole thing comprehensible | 16:09 |
morganfainberg | I also no longer have an alternate identity for irc when mobile. :) | 16:10 |
morganfainberg | Waaaay better (but multi-tiered zinc was strange to setup) | 16:10 |
morganfainberg | Znc * | 16:10 |
jdennis | ayoung: what info do you want from the signature? | 16:15 |
*** stevemar has joined #openstack-keystone | 16:15 | |
ayoung | jdennis, I need to be able to select a certificate from a list of certificates based on the signing info, not the signature itself | 16:16 |
jdennis | ayoung: but what data in the signing info are you trying to access? | 16:16 |
ayoung | jdennis, token comes in, and middleware will de-base64, uncompress, and then parse the data to extract signing info. Match the CA and serial number against a set of certificates, and then call the --verify code with that certificate | 16:17 |
ayoung | jdennis, all of it...since the signing info can be in a couple different forms, I need to extract the whole thing, see which form it is in, and then compare that with the same data extracted from a set of X509 certs | 16:17 |
*** lhcheng has joined #openstack-keystone | 16:19 | |
jdennis | ayoung: I thought you said you already had the cert used to sign the data, yes or no? | 16:22 |
*** jaosorior has quit IRC | 16:23 | |
jdennis | ayoung: if so then with pythonnss it's just cert.issuer and cert.serial_number | 16:24 |
ayoung | jdennis, this is on the validating side. So, yea, I can parse the cert using cert.issuer etc, but not the cms data from the token | 16:27 |
*** jistr has quit IRC | 16:29 | |
ayoung | print parsed[0].getComponentByPosition(1).getComponentByPosition(2).getComponentByPosition(1) gets me the token data... | 16:37 |
*** rwsu has joined #openstack-keystone | 16:42 | |
*** gyee has quit IRC | 16:52 | |
mhu | marekd, I'd suggest abandoning your patch on saml2.ADFSUnscopedToken method signature for now and re-push this one without the dependency: https://review.openstack.org/#/c/106751/ | 16:56 |
mhu | this is a pity to see better SAML support postponed because of argument ordering :) | 16:56 |
*** stevemar has quit IRC | 16:57 | |
*** NM has quit IRC | 16:59 | |
*** marcoemorais has quit IRC | 17:02 | |
*** marcoemorais has joined #openstack-keystone | 17:02 | |
openstackgerrit | David Stanek proposed a change to openstack/keystone-specs: Enable tests on non-SQLite databases https://review.openstack.org/126370 | 17:02 |
*** marcoemorais has quit IRC | 17:02 | |
*** marcoemorais has joined #openstack-keystone | 17:03 | |
*** marcoemorais has quit IRC | 17:03 | |
*** harlowja_away is now known as harlowja | 17:03 | |
*** marcoemorais has joined #openstack-keystone | 17:04 | |
morganfainberg | ayoung: ABAC. I want to revisit this. | 17:05 |
*** ayoung has quit IRC | 17:05 | |
morganfainberg | I think it solves a lot of the pain points with the RBAC policy stuff. | 17:05 |
*** wwriverrat has quit IRC | 17:06 | |
*** thedodd has quit IRC | 17:07 | |
*** nellysmitt has joined #openstack-keystone | 17:08 | |
*** nellysmitt has quit IRC | 17:20 | |
*** nellysmitt has joined #openstack-keystone | 17:21 | |
*** swamireddy has quit IRC | 17:21 | |
*** ayoung has joined #openstack-keystone | 17:21 | |
*** swamireddy has joined #openstack-keystone | 17:22 | |
*** nellysmitt has quit IRC | 17:25 | |
ayoung | morganfainberg, https://www.dragonsreach.it/2014/10/07/the-gnome-infrastructure-is-now-powered-by-freeipa/ | 17:26 |
morganfainberg | ayoung, nice | 17:26 |
morganfainberg | ayoung, so, i want to revisit ABAC | 17:26 |
*** nellysmitt has joined #openstack-keystone | 17:27 | |
morganfainberg | i think it's time to consider alternatives to the simple RBAC and the painpoints we have with it | 17:27 |
ayoung | morganfainberg, Heh. More than willing to do so as soon as someone gives me some attribute other than "location" a | 17:27 |
morganfainberg | LOL | 17:27 |
*** jaosorior has joined #openstack-keystone | 17:30 | |
*** swamireddy1 has joined #openstack-keystone | 17:35 | |
morganfainberg | ayoung, i think we discussed the idea of making each interface (e.g. get_user) an attribute at one point | 17:37 |
morganfainberg | ayoung, maybe we should revisit that | 17:38 |
*** swamireddy has quit IRC | 17:39 | |
*** gyee has joined #openstack-keystone | 17:47 | |
*** wwriverrat has joined #openstack-keystone | 17:55 | |
*** amakarov is now known as amakarov_away | 17:57 | |
*** david-lyle has quit IRC | 17:58 | |
*** marcoemorais has quit IRC | 17:58 | |
*** thedodd has joined #openstack-keystone | 17:58 | |
*** david-lyle has joined #openstack-keystone | 17:58 | |
*** marcoemorais has joined #openstack-keystone | 17:59 | |
*** swamireddy1 has quit IRC | 18:01 | |
*** swamireddy has joined #openstack-keystone | 18:01 | |
*** marcoemorais1 has joined #openstack-keystone | 18:02 | |
dstanek | morganfainberg: i don't follow. what do you mean by each interface? | 18:03 |
*** marcoemorais has quit IRC | 18:03 | |
morganfainberg | dstanek, what we currently list in policy.json today | 18:03 |
morganfainberg | get_user, update_user, etc | 18:03 |
dstanek | those would be the attributes? | 18:04 |
morganfainberg | dstanek, it was one concept we started with | 18:04 |
morganfainberg | a couple summits ago iirc | 18:04 |
dstanek | i'm not sure how that would work - usually you use user attributes, resource attributes, etc in ABAC | 18:05 |
*** swamireddy has quit IRC | 18:06 | |
morganfainberg | Yeah. We might need something else. | 18:07 |
*** marcoemorais1 has quit IRC | 18:07 | |
*** marcoemorais has joined #openstack-keystone | 18:07 | |
dstanek | morganfainberg: are there use cases for this or is it an academic project? | 18:07 |
*** marcoemorais has quit IRC | 18:07 | |
*** marcoemorais has joined #openstack-keystone | 18:08 | |
dstanek | morganfainberg: i wouldn't want to deviate too much from how ABAC is normally implemented | 18:08 |
morganfainberg | This would solve the horizon needs to know the policy files. And you could always tell from the token what you can do | 18:08 |
*** NM has joined #openstack-keystone | 18:08 | |
morganfainberg | Vs who knows what your capabilities are | 18:08 |
dstanek | what keystone process the ABAC rules instead of distributed policy files? | 18:09 |
*** aix_ has quit IRC | 18:10 | |
morganfainberg | Easier to describe when I get back to my desk. | 18:10 |
dstanek | morganfainberg: k, i also don't get how your permissions would be clearer - ABAC, i thought, promoted the use of an access control mechanism that is usually a central service | 18:11 |
*** wwriverrat has quit IRC | 18:11 | |
openstackgerrit | A change was merged to openstack/keystone: Fix fakeldap search_s documentation https://review.openstack.org/121378 | 18:11 |
*** swamireddy has joined #openstack-keystone | 18:12 | |
morganfainberg | dstanek, well, keystone would need to "know" each of the interfaces of the different projects so it would require something like an IANA registry | 18:12 |
openstackgerrit | OpenStack Proposal Bot proposed a change to openstack/keystone: Updated from global requirements https://review.openstack.org/127765 | 18:13 |
morganfainberg | dstanek, and in theory then you could *ask* keystone for a list of the attributes. The issue i'm looking at trying to solve is roles as they are are opaque, unless you try something against Nova (for example) you can't know if it'll succeed... unless you inspect / process the policy.json file | 18:13 |
morganfainberg | now you'd probably still need roles or something similar to add capabilities to the grant/user | 18:14 |
morganfainberg | because otherwise it becomes very unwieldy to say "give person X get_user, update_user, delete_user, boot_instance, terminate_instance, read_glance, write_glance ..." | 18:15 |
morganfainberg | dstanek, it would instead of "looking for a role" when enforcing policy, just check to see if the user "can" interact (has_attr) the API call, so to speak. | 18:16 |
morganfainberg | very very rough concept | 18:16 |
dstanek | that's not ABAC that could be nothing more than a better API on top of RBAC | 18:16 |
dstanek | the biggest problem for me in this area is not the roles but the list of things you can do "create an image" and the mapping between them (to do A the service does B under the hood) | 18:17 |
morganfainberg | dstanek, right. well we can't do "true" ABAC because the IDPs don't know the keystone mapping | 18:18 |
morganfainberg | dstanek, it is somewhere between ABAC and RBAC in this case. | 18:18 |
dstanek | morganfainberg: what would process the policy file (or equivalent) in this new way? | 18:19 |
morganfainberg | dstanek, something akin to the decorators we have in keystone, @enforce('attr_name') | 18:20 |
samuelms | morganfainberg, a workaround for this currently would be like having a 'head' call for each operation a user can perform .. thus horizon would be able to ask each available operation .. and then it would know what shows on its interface | 18:20 |
samuelms | morganfainberg, makes sense? | 18:20 |
morganfainberg | samuelms, i don't know if that really scales, it's requiring a *lot* of extra requests. | 18:20 |
dstanek | morganfainberg: but under the hood enforce would parse the policy file? | 18:20 |
morganfainberg | dstanek, no, policy file could disappear. | 18:21 |
dstanek | where would that info be stored or processed then? | 18:21 |
morganfainberg | for compatibility, we'd still support policy file enforcement obviously | 18:21 |
morganfainberg | the policy file, might become just a "REST URL MAP" -> attr? | 18:22 |
morganfainberg | so it could be 100% enforced in middleware | 18:22 |
morganfainberg | alternatively, instead of using the rules engine you'd just enforce on the user context having the attribute you want. | 18:22 |
morganfainberg | or attributes* | 18:23 |
morganfainberg | though the rest_url -> attr is no better than what we have now :( | 18:23 |
morganfainberg | except that it doesn't get changed by $deployer_choice | 18:24 |
dstanek | it seems to me that the Horizon problem could be solved by having a standard service interface implemented by each service that could take a token and return a list of capabilities | 18:24 |
samuelms | dstanek, ++ | 18:25 |
morganfainberg | dstanek, which means any interaction with horizon needs to ask each service what can be done | 18:25 |
morganfainberg | dstanek, i don't think it's going to scale / be performant | 18:25 |
dstanek | morganfainberg: yes, i don't know how else you can do it - glance is the best place to say what a user can do with glance | 18:26 |
samuelms | morganfainberg, it is almost as I had proposed .. but it could be a single request per service I guess | 18:26 |
dstanek | samuelms: yeah, exactly | 18:26 |
morganfainberg | samuelms, still doesn't really scale. | 18:26 |
dstanek | morganfainberg: i think that depends on the impl, caching mechanisms and other things | 18:27 |
morganfainberg | dstanek, i think it needs to be more centralized. | 18:27 |
samuelms | morganfainberg, thus we should have something like a 'capabilities' service ? | 18:28 |
dstanek | then you have the opposite problem of services having to go to a central place for each operation, right? | 18:28 |
morganfainberg | dstanek, the thought I was having is you get a definitive list of interfaces (API calls) for a service and each one is applied to the token like a role today. [in lieu of the roles] | 18:29 |
morganfainberg | so you don't need to ask an external service | 18:29 |
morganfainberg | you get the definitive list of capabilities in the token (probably broken down by service) | 18:30 |
morganfainberg | or whatever AuthZ mechanism we end up with long term | 18:30 |
dstanek | morganfainberg: so you get information to say you can create compute instances in X region, you can create on SSD block storage, etc? | 18:31 |
*** nkinder has quit IRC | 18:31 | |
dstanek | that sounds almost like shipping a policy file for each token | 18:32 |
dstanek | or you lose the dynamic nature of the policy file itself | 18:32 |
samuelms | dstanek, yeah, that's the point | 18:32 |
morganfainberg | dstanek, that would be specifically solved by the endpoint filtering | 18:33 |
morganfainberg | dstanek, and constraints | 18:33 |
*** swamireddy has quit IRC | 18:33 | |
dstanek | from what i understand the people driving ABAC are trying to extend what you can do with policy not decrease it | 18:34 |
morganfainberg | dstanek, let me start a ML topic on this instead | 18:37 |
morganfainberg | i *think* the way policy works now, it's not really as flexible as people like to think it is | 18:37 |
*** amcrn has joined #openstack-keystone | 18:40 | |
dstanek | cool, right now the part i'm most fuzzy with is the problem being solved | 18:42 |
dstanek | endpoint filtering implies that horizon would need to know the filtering rules to provide an accurate interface | 18:42 |
dstanek | i think the best thing to do is come up with exactly what information horizon needs to create the desired experience and work backward from there | 18:43 |
openstackgerrit | OpenStack Proposal Bot proposed a change to openstack/keystone: Updated from global requirements https://review.openstack.org/127765 | 18:45 |
samuelms | when talking about flexibility .. I agree that ABAC gives us more granularity when defining permissions .. | 18:46 |
samuelms | getting a token capabilities is independent of RBAC/ABAC ... those mechanisms tell how capabilities are 'calculated' .. | 18:47 |
samuelms | for getting token capabilities we just want the result, doesn't matter how we got the result | 18:48 |
dstanek | samuelms: right, that's why i don't understand how you could bundle that in the token and not have to have a service call or policy file | 18:48 |
samuelms | dstanek, so we share the same thoughts .. :) | 18:49 |
*** gabriel-bezerra has joined #openstack-keystone | 18:52 | |
*** wwriverrat has joined #openstack-keystone | 18:53 | |
*** dtantsur|afk is now known as dtantsur | 18:56 | |
*** wwriverrat has quit IRC | 18:57 | |
*** dtantsur has left #openstack-keystone | 18:57 | |
*** marcoemorais has quit IRC | 19:00 | |
*** marcoemorais has joined #openstack-keystone | 19:00 | |
*** marcoemorais has quit IRC | 19:01 | |
*** marcoemorais has joined #openstack-keystone | 19:01 | |
*** marcoemorais has quit IRC | 19:01 | |
*** marcoemorais has joined #openstack-keystone | 19:02 | |
*** thedodd has quit IRC | 19:04 | |
morganfainberg | dstanek, the endpoints are part of the catalog, | 19:05 |
*** spligak has joined #openstack-keystone | 19:06 | |
samuelms | dstanek, one possible solution would be to get *resources* that a token has access to ... *not operations* .. like this a client (such as horizon) can show a dashboard for those resources (like instances) | 19:07 |
samuelms | morganfainberg, ^ | 19:07 |
samuelms | and the dynamic thing 'would be specifically solved by the endpoint filtering and constraints', as morgan said | 19:08 |
morganfainberg | samuelms, my view on this is trying to solve the | 19:08 |
dstanek | samuelms: you wouldn't bundle that with the token though - you would ask nova for the computes, etc | 19:09 |
*** afazekas has quit IRC | 19:09 | |
morganfainberg | "what can I do with this token" question, we are already talking about adding in constraints that indicate what endpoints you are allowed to interact with will be | 19:09 |
dstanek | yeah, that's what i'm afraid of right now. i think as a group we need to have a cohesive view of everything and then start picking at it for implementation | 19:10 |
morganfainberg | dstanek, which is why i'm starting the conversation (not implementation) | 19:11 |
morganfainberg | :) | 19:11 |
dstanek | maybe not a complete view, but one to help define a general direction | 19:11 |
*** shakamunyi has joined #openstack-keystone | 19:12 | |
morganfainberg | maybe we just need a consistent view to work from | 19:13 |
morganfainberg | and that is the issue at hand. inconsistency. | 19:14 |
dstanek | morganfainberg: no, i'm not saying you're doing anything wrong :-) this just tends to happen in open source as everyone tries to scratch their own itch | 19:15 |
morganfainberg | dstanek, right. | 19:15 |
morganfainberg | like i said, let me start a ML topic on it. i think that's the next step to get more conversation vs. just some irc back and forth | 19:16 |
*** shakayumi has joined #openstack-keystone | 19:17 | |
*** nellysmitt has quit IRC | 19:17 | |
*** nellysmitt has joined #openstack-keystone | 19:18 | |
gyee | bknudson, ping | 19:18 |
*** shakamunyi has quit IRC | 19:21 | |
bknudson | gyee: what's up? | 19:21 |
*** nellysmitt has quit IRC | 19:23 | |
gyee | bknudson, you mentioned a while back that nova to glance interaction is still backed on keystone v2 auth | 19:24 |
gyee | that still true? | 19:24 |
bknudson | gyee: I don't think nova to glance does any authentication so it doesn't use v2 or v3 | 19:25 |
bknudson | gyee: nova to neutron does v2 auth | 19:25 |
gyee | bknudson, you have a patch to fix that? if not, I can work on it | 19:26 |
bknudson | gyee: for nova to glance I think it just reuses the token that it was given originally and doesn't get a new one | 19:26 |
bknudson | gyee: there are a couple of patches... it's probably not worth looking at mine. | 19:26 |
bknudson | gyee: jamielennox had one... let me find it. | 19:26 |
bknudson | gyee: https://review.openstack.org/#/c/113735/ | 19:27 |
gyee | bknudson, I am trying to figure out if we turned off v2 right now, who will break | 19:27 |
gyee | bknudson, should I amend your patch? | 19:28 |
bknudson | gyee: jamielennox commented in 113735 with his suggestion | 19:29 |
bknudson | gyee: jamie's used load_from_conf_options | 19:30 |
gyee | that's fine | 19:30 |
bknudson | which is what I should have used | 19:30 |
bknudson | gyee: you can amend my patch. I don't have time to work on it for a while. | 19:30 |
gyee | bknudson, k, will work on it, just want to make sure we don't collide | 19:31 |
openstackgerrit | Lance Bragstad proposed a change to openstack/keystone: Remove XML support https://review.openstack.org/125738 | 19:35 |
*** thedodd has joined #openstack-keystone | 19:36 | |
*** NM has quit IRC | 19:37 | |
*** nkinder has joined #openstack-keystone | 19:39 | |
*** shakayumi has quit IRC | 19:48 | |
*** nellysmitt has joined #openstack-keystone | 19:51 | |
openstackgerrit | Andre Aranha proposed a change to openstack/keystone: Creating a policy sample https://review.openstack.org/123509 | 19:57 |
ayoung | lbragstad, so on the XML removal, I fully concur. Do we have a follow on plan for XML support? | 20:04 |
ayoung | Or are we just saying "Buh bye" | 20:04 |
lbragstad | ayoung: I think we'll be supporting xml for juno and icehouse, which is why I'm working on these here: | 20:04 |
lbragstad | https://review.openstack.org/#/c/126564/ | 20:04 |
lbragstad | https://review.openstack.org/#/c/126672/ | 20:05 |
ayoung | lbragstad, OK, so I want to change how we do marshalling | 20:05 |
lbragstad | https://review.openstack.org/#/c/127641/ | 20:05 |
ayoung | lbragstad, the old way was | 20:05 |
ayoung | python->json->xml | 20:05 |
ayoung | instead, we should determine the final marshalling format and do python->json or python->xml | 20:05 |
ayoung | and that means changing out the middleware | 20:05 |
* ayoung had an abandoned review... | 20:06 | |
lbragstad | so, how would that work if we're not going to support xml in Kilo? | 20:07 |
ayoung | lbragstad, https://review.openstack.org/#/c/29105/9/keystone/contrib/html/middleware.py,cm | 20:07 |
ayoung | ah, misread what you wrote | 20:07 |
*** shakamunyi has joined #openstack-keystone | 20:07 | |
*** Kui has joined #openstack-keystone | 20:08 | |
ayoung | lbragstad, if the only content type we are supporting is JSON from here on out, it's not needed | 20:08 |
lbragstad | ayoung: ok, sounds good | 20:08 |
lbragstad | I was trying to understand the workflow | 20:08 |
ayoung | lbragstad, it's my view that marshalling really is not a Keystone specific action, and we should be consuming external marshalling code. That means that if someone wants XML, they get XML. But we should honor the "Accepts" header | 20:09 |
*** david-lyle has quit IRC | 20:09 | |
ayoung | to be celar | 20:10 |
ayoung | clear | 20:10 |
ayoung | they "get" XML if they have their own marshaller, or if the framework provides one | 20:10 |
lbragstad | gotcha | 20:10 |
ayoung | not that we sould | 20:10 |
ayoung | should | 20:10 |
* ayoung worse than usual typing today | 20:10 | |
lbragstad | I was just playing with that.. I sent a request with 'Content-Type: application/xml' after ripping out all the middleware for xml and it spits back JSON. | 20:11 |
dolphm | ayoung: but there's no generic way to map from any given format to another, which makes all of the alternative formats proprietary and broken | 20:17 |
mfisch | are the new defaults listed here accurate: http://docs.openstack.org/trunk/config-reference/content/keystone-conf-changes-master.html | 20:17 |
dolphm | lbragstad: Accept or Content-Type? | 20:17 |
dolphm | lbragstad: Accept indicates what you want back | 20:17 |
mfisch | the example config has a default revocation_cache_time of 3600, not 10 | 20:17 |
morganfainberg | dstanek, ML topic sent | 20:17 |
mfisch | the code also says 3600 | 20:18 |
morganfainberg | mfisch, that is correct, the revocation list in keystone is highly cacheable | 20:18 |
mfisch | is the default 3600? the docs say it should be 300 and is now going to be 10 | 20:19 |
ayoung | dolphm depends on if Keystone is stating support for a given format. If we say "we support XML" then we would have to support what the XML looks like that we support. I was just against the JSON->XML approach we were using | 20:19 |
morganfainberg | mfisch, 3600 should be the cache time for the revocation list | 20:19 |
mfisch | so the docs are wrong | 20:19 |
morganfainberg | ugh. did someone change that? | 20:19 |
mfisch | check out that link | 20:19 |
mfisch | pretty much at the bottom | 20:19 |
morganfainberg | mfisch, yeah docs look wrong | 20:20 |
mfisch | I'll file a doc bug if you confirm it | 20:20 |
mfisch | ok | 20:20 |
morganfainberg | mfisch, cfg.IntOpt('revocation_cache_time', default=3600, | 20:20 |
mfisch | I'm trying to update puppet-keystone to have the right defaults | 20:20 |
ayoung | dolphm, we just currently use the existing JSON marshaller as the starting point. I'm not aware of any real need for an XML tool, but I suspect that, once we rip out XML support, someone will come crying. | 20:20 |
lbragstad | dolphm: did it with both | 20:20 |
mfisch | thx morganfainberg | 20:20 |
mfisch | filed and cited the new PTL so they have to fix it I think ;) | 20:21 |
morganfainberg | lol | 20:21 |
openstackgerrit | Terry Howe proposed a change to openstack/keystone-specs: Keystone Client Auth Plugin for token or user/pass https://review.openstack.org/127993 | 20:21 |
lbragstad | so, if someone is expecting XML *from* Keystone, do we bomb out and say that it is no longer supported? Or do we just do everything in JSON and if they happen to have some sort of middleware in place they have to expect JSON because that's what we do support? | 20:36 |
morganfainberg | lbragstad, i'd expect if someone only accepts XML / content-type application/xml we need to say 400 | 20:36 |
morganfainberg | bad request. | 20:37 |
morganfainberg | they are asking for something we don't support, but a change in the request would make it valid. (difference from NotImplemented) | 20:37 |
lbragstad | so what if they have their own xml middleware in place? | 20:38 |
openstackgerrit | Terry Howe proposed a change to openstack/keystone-specs: Keystone Client Auth Plugin for token or user/pass https://review.openstack.org/127993 | 20:39 |
openstackgerrit | Matthieu Huin proposed a change to openstack/keystone: SAML-related protocols must be named 'saml2' https://review.openstack.org/128093 | 20:43 |
morganfainberg | lbragstad, they'd need to convert to json before it hit keystone, since we expect json | 20:49 |
morganfainberg | unfortunately. | 20:49 |
lbragstad | ok | 20:49 |
lbragstad | makes sense | 20:49 |
*** radez is now known as radez_g0n3 | 20:49 | |
morganfainberg | so XML Request -> XML Middleware (convert to JSON) -> Keystone -> XML Middleware (from JSON) -> XML Response | 20:49 |
lbragstad | so I'll build a check into wsgi.py somewhere to check for that and bomb out | 20:49 |
ayoung | jdennis, I think I cracked the code on pyasn1. I'm using this code here and it seems to work: http://pyasn1.cvs.sourceforge.net/viewvc/pyasn1/pyasn1-modules/tools/pkcs7dump.py?view=markup | 20:53 |
*** david-lyle has joined #openstack-keystone | 20:53 | |
*** david-lyle has quit IRC | 20:59 | |
*** arunkant has joined #openstack-keystone | 21:02 | |
openstackgerrit | Terry Howe proposed a change to openstack/keystone-specs: Keystone Client Auth Plugin for token or user/pass https://review.openstack.org/127993 | 21:15 |
openstackgerrit | Morgan Fainberg proposed a change to openstack/keystone: Remove unused ec2 driver option https://review.openstack.org/124810 | 21:16 |
openstackgerrit | Kui Shi proposed a change to openstack/keystone: Add memcached_backend configuration https://review.openstack.org/122037 | 21:18 |
*** wwriverrat has joined #openstack-keystone | 21:19 | |
openstackgerrit | Matthieu Huin proposed a change to openstack/python-keystoneclient: Add protocol as an argument when using unscoped SAML-based plugins https://review.openstack.org/128103 | 21:25 |
openstackgerrit | Matthieu Huin proposed a change to openstack/python-keystoneclient: Add protocol as an argument for unscoped SAML-based plugins https://review.openstack.org/128103 | 21:25 |
*** arif-ali has joined #openstack-keystone | 21:31 | |
morganfainberg | dstanek, ping | 21:33 |
*** saipandi has quit IRC | 21:40 | |
*** shakayumi has joined #openstack-keystone | 21:49 | |
*** dims has quit IRC | 21:50 | |
*** jraim has quit IRC | 21:52 | |
*** shakamunyi has quit IRC | 21:53 | |
*** jraim has joined #openstack-keystone | 21:53 | |
*** shakayumi has quit IRC | 21:54 | |
*** david-lyle has joined #openstack-keystone | 21:55 | |
*** nellysmitt has quit IRC | 21:58 | |
*** jorge_munoz has quit IRC | 22:03 | |
*** bknudson has quit IRC | 22:04 | |
*** david-lyle_ has joined #openstack-keystone | 22:12 | |
*** david-lyle has quit IRC | 22:15 | |
openstackgerrit | Matthieu Huin proposed a change to openstack/keystone: SAML-related protocols must be named 'saml2' https://review.openstack.org/128093 | 22:23 |
*** packet has quit IRC | 22:28 | |
*** thedodd has quit IRC | 22:32 | |
*** david-lyle_ is now known as david-lyle | 22:40 | |
*** dims_ has joined #openstack-keystone | 22:41 | |
*** shakayumi has joined #openstack-keystone | 22:47 | |
*** sigmavirus24 is now known as sigmavirus24_awa | 22:53 | |
*** david-lyle has quit IRC | 22:58 | |
*** zzzeek has quit IRC | 22:59 | |
*** shakayumi has quit IRC | 23:01 | |
*** zzzeek has joined #openstack-keystone | 23:02 | |
*** openstackgerrit has quit IRC | 23:03 | |
*** openstackgerrit has joined #openstack-keystone | 23:03 | |
openstackgerrit | OpenStack Proposal Bot proposed a change to openstack/identity-api: Updated from global requirements https://review.openstack.org/128121 | 23:05 |
*** david-lyle has joined #openstack-keystone | 23:08 | |
morganfainberg | david-lyle, ping | 23:11 |
*** jorge_munoz has joined #openstack-keystone | 23:11 | |
morganfainberg | david-lyle, re: https://etherpad.openstack.org/p/kilo-keystone-summit-topics the first session there. | 23:11 |
morganfainberg | david-lyle, on wed. 0900, as a tentative session topic. | 23:11 |
*** david-lyle has quit IRC | 23:14 | |
morganfainberg | ayoung, ping | 23:15 |
*** shakayumi has joined #openstack-keystone | 23:18 | |
*** openstackgerrit has quit IRC | 23:33 | |
*** openstackgerrit has joined #openstack-keystone | 23:33 | |
*** samuelmz__ has joined #openstack-keystone | 23:34 | |
ayoung | morganfainberg, I'm in Dad mode. Type your question and I'll answer in spurts... | 23:38 |
morganfainberg | ayoung, https://etherpad.openstack.org/p/kilo-keystone-summit-topics first session there | 23:39 |
nkinder | morganfainberg: is there any chance to move the federation one to a different time-slot? | 23:39 |
morganfainberg | nkinder, all slots are open for moving | 23:39 |
nkinder | morganfainberg: I'm giving a talk at that time, and I really wanted to be there for the federation one | 23:39 |
morganfainberg | nkinder, the only one i likely *won't* move is the ops on | 23:39 |
morganfainberg | e | 23:39 |
morganfainberg | nkinder, yeah sure we can move that one | 23:39 |
nkinder | morganfainberg: awesome, thanks | 23:40 |
morganfainberg | limited on options since i don't want it to overlap w/ horizon | 23:41 |
morganfainberg | oh nvm, hah horizon sessions are off-set | 23:42 |
nkinder | Scheduling is always fun. I'm sure we can't make everyone happy | 23:43 |
morganfainberg | nkinder, ok shuffled some stuff around | 23:46 |
morganfainberg | nkinder, the three i'm hoping you can make it to are SSO/Federation, Hierarchical multitenancy, and authorization | 23:46 |
morganfainberg | nkinder, obv won't be upset if you made it to more of them | 23:47 |
nkinder | morganfainberg: I plan to make it to as many keystone sessions as possible. My only real commitment is the keystone talk I'm giving at 9am on wednesday | 23:47 |
morganfainberg | ah | 23:48 |
ayoung | morganfainberg, looks good. BTW, what do you think of the idea of putting the token in the payload of the requests and saying that everyone just needs to make room for keystone? | 23:48 |
morganfainberg | nkinder, also when you have a sec, if you have anything to add to this thread: http://lists.openstack.org/pipermail/openstack-dev/2014-October/048335.html I'd appreciate it. | 23:48 |
morganfainberg | ayoung, you mean in the body? | 23:49 |
nkinder | morganfainberg: yeah, I read that a few minutes ago and plan on chiming in | 23:49 |
morganfainberg | ayoung, it's definitely an alternative. might solve the token size issue. | 23:49 |
morganfainberg | ayoung, i think worth voicing that as option for the authorization/token session | 23:49 |
morganfainberg | token size + header | 23:50 |
morganfainberg | not that the token size would get smaller | 23:50 |
gyee | we need token diet | 23:55 |
*** bknudson has joined #openstack-keystone | 23:55 | |
Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!