Monday, 2014-10-13

openstackgerritA change was merged to openstack/keystone: Address some late comments for memcache clients
openstackgerritBrant Knudson proposed a change to openstack/python-keystoneclient: Docstring cleanup for return type
*** ncoghlan has joined #openstack-keystone00:22
openstackgerritBrant Knudson proposed a change to openstack/python-keystoneclient: Cleanup docs - raises class
*** mitz_ has joined #openstack-keystone00:44
*** diegows has joined #openstack-keystone00:58
*** r1chardj0n3s is now known as r1chardj0n3s_afk01:19
*** alex_xu has joined #openstack-keystone01:19
*** bknudson has quit IRC01:33
*** lhcheng has joined #openstack-keystone01:37
*** shikui_ has joined #openstack-keystone01:38
*** Kui has quit IRC01:38
*** lhcheng has quit IRC01:39
*** lhcheng has joined #openstack-keystone01:40
*** r1chardj0n3s_afk is now known as r1chardj0n3s01:48
*** ncoghlan is now known as ncoghlan_afk01:54
*** dims has quit IRC02:22
*** jacer_huawei has quit IRC02:22
*** zhiyan|afk is now known as zhiyan02:28
*** alex_xu has quit IRC02:31
*** jacer_huawei has joined #openstack-keystone02:35
*** alex_xu has joined #openstack-keystone02:40
*** ncoghlan_afk is now known as ncoghlan02:46
*** david-lyle has joined #openstack-keystone02:51
openstackgerritwanghong proposed a change to openstack/keystonemiddleware: choose api version when IdentityServer init
*** lhcheng has quit IRC03:27
*** r1chardj0n3s is now known as r1chardj0n3s_afk03:36
*** lhcheng has joined #openstack-keystone03:36
*** diegows has quit IRC03:56
*** lhcheng has quit IRC04:04
*** lhcheng has joined #openstack-keystone04:10
*** r1chardj0n3s_afk is now known as r1chardj0n3s04:12
*** swamireddy has joined #openstack-keystone04:26
*** alex_xu has quit IRC05:03
*** alex_xu has joined #openstack-keystone05:18
*** david-lyle has quit IRC05:21
*** remote_morgan_ has quit IRC05:24
*** afazekas has quit IRC05:28
*** alex_xu has quit IRC05:33
*** alex_xu has joined #openstack-keystone05:45
*** ncoghlan is now known as ncoghlan_afk06:00
*** afazekas has joined #openstack-keystone06:09
*** k4n0 has joined #openstack-keystone06:16
*** ukalifon1 has joined #openstack-keystone06:21
*** ncoghlan_afk is now known as ncoghlan06:26
*** lhcheng has quit IRC06:27
*** lufix has joined #openstack-keystone06:47
*** rkofman has quit IRC06:49
*** dtantsur|afk is now known as dtantsur07:23
*** htruta has quit IRC07:27
*** thiagop has quit IRC07:28
*** raildo has quit IRC07:28
*** afaranha has quit IRC07:28
*** tellesnobrega has quit IRC07:28
openstackgerritwanghong proposed a change to openstack/keystonemiddleware: choose api version when IdentityServer init
*** jistr has joined #openstack-keystone07:54
dtantsurhi folks! on every request to keystoneclient I get keystoneclient.openstack.common.apiclient.exceptions.EndpointNotFound without any explanation. What does it mean?08:11
*** jistr has quit IRC08:14
dtantsurnot actually every: tenants.list() works, endpoints.list() or smth with roles - does not. any ideas?08:16
*** jistr has joined #openstack-keystone08:18
dtantsurso, despite the examples in keystoneclient docs, 'endpoint' argument is required. now I get Unauthorized (authentication token is provided) on /endpoints.08:22
*** ncoghlan has quit IRC08:34
*** f13o has joined #openstack-keystone08:50
*** k4n0 has quit IRC08:50
*** swamireddy1 has joined #openstack-keystone08:54
*** k4n0 has joined #openstack-keystone08:55
*** swamireddy has quit IRC08:55
*** mitz_ has quit IRC08:57
*** mitz_ has joined #openstack-keystone08:59
*** aix_ has joined #openstack-keystone09:11
marekdmhu: o/09:17
mhumarekd: o/09:17
marekdmhu: just a question: with the current verion of openstackclient (pulled from master), is it capable of federated authn?09:17
mhumarekd: it should be, provided you use a recent enough version of python-keystoneclient09:18
mhuthe latest tag, 0.11.1, should have the v3unscopedsaml and v3scopedsaml plugins09:18
marekdmhu: exactly. I am using keystoneclient with success, but...09:19
marekdi have a fres osc installed in a new virtualenv sandbox09:20
marekdand for instance available plugins listed are: --os-auth-plugin <OS_AUTH_PLUGIN> The authentication method to use. If this option is not set, openstackclient will attempt to guess the authentication method to use based on the other options. If this option is set, the --os-identity-api- version argument must be consistent with the version of the method. Available methods are v2token, v2password, v3password, token, v3token, password09:20
marekdmhu: ^^09:23
mhumarekd, odd ... when you check the help, do you see any arguments used by v3unscopedsaml ? like os_identity_provider_url09:25
marekdmhu: nope09:26
marekdmhu: (osc)marek@cerntop:/srv/openstack/python-openstackclient$ openstack -h | grep identity09:27
marekd                 [--os-identity-api-version <identity-api-version>]09:27
marekd  --os-identity-api-version <identity-api-version>09:27
marekd                        options. If this option is set, the --os-identity-api-09:27
marekd  identity provider create  Create new identity provider09:27
marekd  identity provider delete  Delete an identity provider09:27
marekd  identity provider list  List identity providers09:27
marekd  identity provider set  Set identity provider properties09:27
marekd  identity provider show  Show identity provider details09:27
marekdmhu: did you have a chance to try out openstackclient with saml?09:29
mhumarekd, no not yet, I had to rebuild my test bed and I have some trouble with activating ECP on the Service Provider, but I had to work on something else in the meantime09:30
mhuI hope to address this today actually09:30
mhumarekd, what do you get when running this in your venv: python -c 'import openstackclient.api.auth as a;print [ for i in a.PLUGIN_LIST]'09:31
marekdmhu: ['v2token', 'v2password', 'v3password', 'token', 'v3token', 'password']09:32
mhumarekd, this is odd, if you have ksc 0.11 you should have way more:
marekdmhu: i know, cause I am using my own wrappers for federated auth at the moment.09:34
marekdmhu: ok, i will investigate it later, I thought there is a step that i unintentionally skipped.09:34
mhumarekd, you said it worked with ksc, have you tried in your venv ?09:34
mhutry to run pip install -r /path/to/python-keystoneclient/test-requirements.txt09:35
*** k4n0 has quit IRC09:35
mhuI wonder if the saml specific plugins aren't loaded because you're missing dependencies that are declared in test-requirements only (seeing as the federation stuff is considered optional)09:36
*** alex_xu has quit IRC09:36
marekdmhu: i am missing lxml, just nitected. maybe osc is somehow covering this (and hiding error from me)09:36
marekdmhu: yeah09:37
marekdpip install lxml solved it.09:37
mhumarekd, not osc, the endpoint management library which name eludes me at the moment09:37
*** Dafna has joined #openstack-keystone09:37
mhumarekd: \o/ nice09:37
marekdmhu: ok, thanks for your assistance09:37
mhumarekd, you're welcome, it's a problem likely to occur again so it's good we know about it. I think it should be documented somewhere, maybe in osc09:38
marekdmhu: for sure.09:38
*** dims has joined #openstack-keystone09:50
*** k4n0 has joined #openstack-keystone09:54
*** dims has quit IRC09:55
*** k4n0 has quit IRC09:55
*** k4n0 has joined #openstack-keystone09:56
*** amakarov_away has quit IRC09:56
*** amakarov has joined #openstack-keystone09:57
*** aix_ has quit IRC10:35
*** swamireddy1 has quit IRC11:03
*** samuelmz has joined #openstack-keystone11:23
*** samuelmz is now known as samuelms11:23
*** tellesnobrega has joined #openstack-keystone11:24
*** aix_ has joined #openstack-keystone11:30
*** diegows has joined #openstack-keystone11:38
*** jistr has quit IRC11:49
*** diegows has quit IRC11:49
*** dims has joined #openstack-keystone12:01
*** jistr has joined #openstack-keystone12:12
*** packet has joined #openstack-keystone12:14
*** k4n0 has quit IRC12:21
*** ByteSore has quit IRC12:23
*** ByteSore has joined #openstack-keystone12:24
*** htruta has joined #openstack-keystone12:27
*** radez_g0n3 is now known as radez12:27
*** bknudson has joined #openstack-keystone12:39
rodrigodsbknudson, just answered your comments in the add parent_id patch =)12:44
bknudsonrodrigods: is there a change proposed to the identity-api spec?
bknudsonfor the new field in project12:45
rodrigodsbknudson, yes... let me find it12:59
*** ukalifon1 has quit IRC13:00
bknudsonrodrigods: if this is an extension then I don't think it can add a required field to projects13:01
*** ukalifon has joined #openstack-keystone13:01
*** NM has joined #openstack-keystone13:01
openstackgerritSergey Kraynev proposed a change to openstack/python-keystoneclient: Using correct keyword for region in v3
bknudsonmakes me wonder why this is implemented as an extension13:02
rodrigodsbknudson, no... just the inherited roles part is an extension13:03
bknudsonrodrigods: ok, so where's the change to the identity api to describe the parent_id field?13:03
rodrigodsbknudson, the same file, the additions at Modified APIs section13:06
rodrigodsbknudson, it needs update, we changed the field from parent_project_id to parent_id. Will ask raildo to fix it13:06
*** raildo has joined #openstack-keystone13:09
*** nkinder has quit IRC13:10
bknudsonrodrigods: a change to how the server returns projects all the time is going to need to be in the core api and not in an extension13:10
*** afaranha has joined #openstack-keystone13:11
rodrigodsbknudson, here: . Right?13:12
bknudsonrodrigods: yes13:13
rodrigodsbknudson, great, will submit . Also, is still needed the part of Modified APIs?13:13
rodrigodsbknudson, (at the extension)13:14
*** nellysmitt has joined #openstack-keystone13:14
*** dims has quit IRC13:14
bknudsonrodrigods: if the extension modifies APIs then that part is still needed.13:14
*** dims has joined #openstack-keystone13:15
*** shikui_ has quit IRC13:18
openstackgerritSamuel de Medeiros Queiroz proposed a change to openstack/keystone: Improve list role assignments filters performance
samuelmsdolphm, ping13:25
rodrigodsbknudson, seems that we need a 3.4 version, should I add directly there?13:26
bknudsonrodrigods: yes13:26
rodrigodsbknudson, great13:26
*** jaosorior has joined #openstack-keystone13:26
*** swamireddy has joined #openstack-keystone13:30
*** swamireddy1 has joined #openstack-keystone13:31
openstackgerritThiago Paiva Brito proposed a change to openstack/python-keystoneclient: Implementing hierarchical calls on keystoneclient v3 (python only)
*** swamireddy has quit IRC13:35
*** nellysmitt has quit IRC13:44
*** nellysmitt has joined #openstack-keystone13:45
openstackgerritAndre Aranha proposed a change to openstack/keystone: Creating a policy sample
*** ukalifon has quit IRC13:47
*** nellysmitt has quit IRC13:49
*** ukalifon1 has joined #openstack-keystone13:51
*** vhoward has joined #openstack-keystone13:51
*** sigmavirus24_awa is now known as sigmavirus2413:54
*** nkinder has joined #openstack-keystone13:59
*** saipandi has joined #openstack-keystone14:04
*** Guest20248 is now known as redrobot14:06
*** nellysmitt has joined #openstack-keystone14:12
ukalifon1nkinder: ping. I can list users with LDAP but can't get a token. Can you help?14:13
nkinderukalifon1: I'm in meetings for the next hour or so, but let me know what release you are using and what LDAP server it is14:18
ukalifon1nkinder: I have 2 havana installations set up, both have the same problem. One is working against AD and the other with IPA. I will mail you the details so you can log into them in case I won't be here already. Thanks a lot14:20
*** thedodd has joined #openstack-keystone14:20
*** rwsu has joined #openstack-keystone14:22
*** nellysmitt has quit IRC14:23
nkinderSure, I can log in and take a look a bit later today14:23
*** nellysmitt has joined #openstack-keystone14:23
nkinderukalifon1: ^^^14:23
*** david-lyle has joined #openstack-keystone14:26
*** nellysmitt has quit IRC14:28
*** nellysmitt has joined #openstack-keystone14:31
*** jorge_munoz has joined #openstack-keystone14:35
*** packet has quit IRC14:36
dolphmsamuelms: o/14:37
openstackgerritSamuel de Medeiros Queiroz proposed a change to openstack/keystone: Improve list role assignments filters performance
samuelmsdolphm, hi :-)14:44
samuelmsdolphm, it would be nice if we could get a couple of reviews on this ^14:44
samuelmsdolphm, it has been waiting for review since we're closed for kilo dev14:44
dolphmsamuelms: i'll put it on my list for today14:44
samuelmsdobson, yes thanks14:45
samuelmsdobson, oops, sorry14:45
samuelmsdolphm, ok thanks :)14:45
*** swamireddy1 has quit IRC14:47
*** nellysmitt has quit IRC14:47
*** rwsu has quit IRC14:47
*** nellysmitt has joined #openstack-keystone14:48
*** thedodd has quit IRC14:49
*** packet has joined #openstack-keystone14:52
*** nellysmitt has quit IRC14:52
*** thedodd has joined #openstack-keystone14:56
openstackgerritRodrigo Duarte proposed a change to openstack/identity-api: API documentation for Hierarchical Multitenancy
*** nellysmitt has joined #openstack-keystone14:58
*** zzzeek has joined #openstack-keystone15:00
*** thedodd has quit IRC15:05
openstackgerritRodrigo Duarte proposed a change to openstack/identity-api: API documentation for Hierarchical Multitenancy
*** thedodd has joined #openstack-keystone15:05
rodrigodsbknudson, ^15:06
*** thedodd has quit IRC15:10
*** richm has joined #openstack-keystone15:23
openstackgerritTerry Howe proposed a change to openstack/keystone-specs: Keystone Client Auth Plugin for token or user/pass
*** ayoung has joined #openstack-keystone15:26
*** nellysmitt has quit IRC15:26
*** nellysmitt has joined #openstack-keystone15:27
*** thedodd has joined #openstack-keystone15:27
*** thedodd has quit IRC15:27
*** thedodd has joined #openstack-keystone15:27
openstackgerritTerry Howe proposed a change to openstack/keystone-specs: Keystone Client Auth Plugin for token or user/pass
openstackgerritTerry Howe proposed a change to openstack/keystone-specs: Keystone Client Auth Plugin for token or user/pass
*** nellysmitt has quit IRC15:31
openstackgerritTerry Howe proposed a change to openstack/python-keystoneclient: Identity plugin that manages passwords and tokens
*** lufix has quit IRC15:34
*** ukalifon1 has quit IRC15:39
ayoungnkinder, jdennis any familiarity with pyasn1?  Trying to extract the signer info out of a keystone token in der format.15:39
jdennisayoung: rcrit has used pyasn1 in the past and there was a recent thread on the openstack list on using it and a patch, let me see if I can dig that up15:40
ayoungjdennis, thanls15:40
ayoungjdennis, suspect the mailing list conversation you were remembering was that I fat findered ASN1 to ANS1  and it made it through code review and lived uncaught for about a year15:42
ayoungthose fat finders are in dull eddect tofay15:42
jdennisayoung: no this was something else, it was how to get some info out of a cert, something related to barbican if I recall15:43
ayoungjdennis, cool.  The pyasn1 docs don't really explain how to work with the library for parsing arbitraty data.  I suspect that the right solution would be to build a CMS based model and parse to that.15:44
*** dtantsur is now known as dtantsur|afk15:44
jdennisayoung: the discussion was started by Carlos Garza of RackSpace with a title of "Extracting SubjectCommonName and/or SubjectAlternativeNames from X509"15:51
jdennisthe discussion started in June and I think ended in August, I believe somewhere along the way Carlos submitted a patch using pyasn1 to extract that info, hope that helps15:52
morganfainbergayoung, starting some discussions to get more push (and resources) to make Keystone + LDAP/IPA/Etc much better. I'll keep you in the loop as things progres.15:52
ayoungmorganfainberg, happy!15:52
ayoungjdennis, a  Barbican patch?  /me searching through the discussion15:53
jdennisayoung: not sure if it was a barbican patch or not, memory is fuzzy15:53
jdennisayoung: I believe there are also examples in IPA, code authored by rcrit15:54
ayoungjdennis, coo;l15:54
ayoungjdennis, I got as far as decoding the der to a tuple15:54
jdennisayoung: personally I'd avoid trying to parse asn.1, in favor of using a crypto library that already knows how to extract the data, likely to be more robust and less painful, asn.1 is not easy15:55
ayoungjdennis, just that I don;t really have a crypto library I can use15:56
ayoungthe whole popen thing with openssl.15:56
ayoungcan't make nss a req yet, and not sure it does the "extract the signer info from CMS when you don't have a certificate" function I need anyway15:56
jdennisayoung: too bad, fwiw pynss can trivially return detailed info on the signer.15:57
ayoungso far the best I got was derdumping it and parsing15:57
*** swamireddy has joined #openstack-keystone15:57
*** marcoemorais has joined #openstack-keystone15:57
ayoungjdennis, code snippet for me?15:57
jdennisayoung: I may have missed the fact you don't have a cert, at the moment pynss needs a cert, I don't think we've added code to pynss yet to parse CMS S/MIME15:59
ayoungjdennis, yeah15:59
ayoungjdennis, I have the cert, its just external to the message, and I have a set of certs, not a single one.  I want to select the right one16:00
*** marcoemorais has quit IRC16:01
ayoungjdennis, I still would love an excuse to make the PKI infrastructure work with NSS16:01
ayoungPKI Keystone that is16:01
*** marcoemorais has joined #openstack-keystone16:01
*** gyee has joined #openstack-keystone16:03
morganfainbergayoung, doesn't it mostly work with NSS already?16:05
ayoungjdennis,  looks like it is how pyasn1 expects things to work16:05
ayoungmorganfainberg, not for tokens16:05
ayoungmorganfainberg, the popen is an openssl call16:05
ayoungmorganfainberg, the https stuff will work with mod_nss16:05
ayoungmorganfainberg, the barbican approach to trying to "standardize" the crypto libraray falls down on a basic assumption.  NSS insists on an external container (representing hardware devices) that keeps the Keys out of the current process space, so a coredump does'nt spew your keys to the disk unencrypted16:07
morganfainbergwhich is *smart*16:07
ayoungmorganfainberg, we could swap in a different popen call,16:08
morganfainbergi mean, smart people have been working on that for quite a while, i guess16:08
ayoungit would probably require treating the paths for the ca cert and signing certs as "nicknames"16:08
ayoungbut we still would need some other param for saying "here is the NSS database16:08
ayoungmorganfainberg, you have a Firefox install on your machine right now?16:08
morganfainbergyes. but i need to run off to breakfast16:09
morganfainbergor i wont get it16:09
ayoungmorganfainberg, OK.16:09
*** wwriverrat has joined #openstack-keystone16:09
morganfainbergbe back in ~30-60min16:09
ayoungmorganfainberg, when you get back, I can show you were the NSS DB is16:09
ayoungit helps to make the whole thing comprehensible16:09
morganfainbergI also no longer have an alternate identity for irc when mobile. :)16:10
morganfainbergWaaaay better (but multi-tierd zinc was strange to setup)16:10
morganfainbergZnc *16:10
jdennisayoung: what info do you want from the signature?16:15
*** stevemar has joined #openstack-keystone16:15
ayoungjdennis, I need to be able to select a certificate from a list of certifcates based on the signing info, not the signature itself16:16
jdennisayoung: but what data in the signing info are you trying to access?16:16
ayoungjdennis,  token comes in,  and middleware will de-base64, uncompress, and then parse the data to extract signing info.  Match the CA and serial number against a set of certificates, and then call the --verify code with that certificate16:17
ayoungjdennis, all of it...sincre the signing info can be in a couple different forms, I need to extract the whole thing, see which form it is in , and then compare that with the same data extractd from a set of X509 certs16:17
*** lhcheng has joined #openstack-keystone16:19
jdennisayoung: I thought you said you already had the cert used to sign the data, yes or no?16:22
*** jaosorior has quit IRC16:23
jdennisayoung: if so then with pythonnss it's just cert.issuer and cert.serial_number16:24
ayoungjdennis, this is on the validating side.  So, yea, I can parse the cert using cert.issuer etc, but not the cms data from the token16:27
*** jistr has quit IRC16:29
ayoungprint parsed[0].getComponentByPosition(1).getComponentByPosition(2).getComponentByPosition(1)  gets me the token data...16:37
*** rwsu has joined #openstack-keystone16:42
*** gyee has quit IRC16:52
mhumarekd, I'd suggest abandoning your patch on saml2.ADFSUnscopedToken method signature for now and re-push this one without the dependency:
mhuthis is a pity to see better SAML support postponed because of argument ordering :)16:56
*** stevemar has quit IRC16:57
*** NM has quit IRC16:59
*** marcoemorais has quit IRC17:02
*** marcoemorais has joined #openstack-keystone17:02
openstackgerritDavid Stanek proposed a change to openstack/keystone-specs: Enable tests on non-SQLite databases
*** marcoemorais has quit IRC17:02
*** marcoemorais has joined #openstack-keystone17:03
*** marcoemorais has quit IRC17:03
*** harlowja_away is now known as harlowja17:03
*** marcoemorais has joined #openstack-keystone17:04
morganfainbergayoung: ABAC. I want to revisit this.17:05
*** ayoung has quit IRC17:05
morganfainbergI think it solves a lot of the pain points with the RBAC policy stuff.17:05
*** wwriverrat has quit IRC17:06
*** thedodd has quit IRC17:07
*** nellysmitt has joined #openstack-keystone17:08
*** nellysmitt has quit IRC17:20
*** nellysmitt has joined #openstack-keystone17:21
*** swamireddy has quit IRC17:21
*** ayoung has joined #openstack-keystone17:21
*** swamireddy has joined #openstack-keystone17:22
*** nellysmitt has quit IRC17:25
morganfainbergayoung, nice17:26
morganfainbergayoung, so, i want to revisit ABAC17:26
*** nellysmitt has joined #openstack-keystone17:27
morganfainbergi think it's time to consider alternatives to the simple RBAC and the painpoints we have with it17:27
ayoungmorganfainberg, Heh.  More than willing to do so as soon as someone gives me some attribute other than "location"  a17:27
*** jaosorior has joined #openstack-keystone17:30
*** swamireddy1 has joined #openstack-keystone17:35
morganfainbergayoung, i think we discussed the idea of making each interface (e.g. get_user) an attribute at one point17:37
morganfainbergayoung, maybe we should revisit that17:38
*** swamireddy has quit IRC17:39
*** gyee has joined #openstack-keystone17:47
*** wwriverrat has joined #openstack-keystone17:55
*** amakarov is now known as amakarov_away17:57
*** david-lyle has quit IRC17:58
*** marcoemorais has quit IRC17:58
*** thedodd has joined #openstack-keystone17:58
*** david-lyle has joined #openstack-keystone17:58
*** marcoemorais has joined #openstack-keystone17:59
*** swamireddy1 has quit IRC18:01
*** swamireddy has joined #openstack-keystone18:01
*** marcoemorais1 has joined #openstack-keystone18:02
dstanekmorganfainberg: i don't follow. what do you mean by each interface?18:03
*** marcoemorais has quit IRC18:03
morganfainbergdstanek, what we currently list in policy.json today18:03
morganfainbergget_user, update_user, etc18:03
dstanekthose would be the attributes?18:04
morganfainbergdstanek, it was one concept we started with18:04
morganfainberga couple summits ago iirc18:04
dstaneki'm not sure how that would work - usually you use user attributes, resource attributes, etc in ABAC18:05
*** swamireddy has quit IRC18:06
morganfainbergYeah. We might need something else.18:07
*** marcoemorais1 has quit IRC18:07
*** marcoemorais has joined #openstack-keystone18:07
dstanekmorganfainberg: are there use cases for this or is it a acedemic project?18:07
*** marcoemorais has quit IRC18:07
*** marcoemorais has joined #openstack-keystone18:08
dstanekmorganfainberg: i wouldn't want to deviate too much from how ABAC is normally implemented18:08
morganfainbergThis would solve the horizon needs to know the policy files. And you could always tell from the token what you can do18:08
*** NM has joined #openstack-keystone18:08
morganfainbergVs who knows what your capabilities are18:08
dstanekwhat keystone process the ABAC rules instead of distributed policy files?18:09
*** aix_ has quit IRC18:10
morganfainbergEasier to describe when I get back to my desk.18:10
dstanekmorganfainberg: k, i also don't get how you permissions would be clearer - ABAC, i thought, promited the use of an access control mechanism that is usually a central service18:11
*** wwriverrat has quit IRC18:11
openstackgerritA change was merged to openstack/keystone: Fix fakeldap search_s documentation
*** swamireddy has joined #openstack-keystone18:12
morganfainbergdstanek, well, keystone would need to "know" each of the interfaces of the different projects so it would require something like an IANA registry18:12
openstackgerritOpenStack Proposal Bot proposed a change to openstack/keystone: Updated from global requirements
morganfainbergdstanek, and in theory then you could *ask* keystone for a list of the attributes. The issue i'm looking at trying to solve is roles as they are are opaque, unless you try something against Nova (for example) you can't know if it'll succeed... unless you inspect / process the policy.json file18:13
morganfainbergnow you'd probably still need roles or something similar to add capabilities to the grant/user18:14
morganfainbergbecause otherwise it becomes very unwieldy to say "give person X get_user, update_user, delete_user, boot_instance, terminate_instance, read_glance, write_glance ..."18:15
morganfainbergdstanek, it would instead of "looking for a role" when enforcing policy, just check to see if the user "can" interact (has_attr) the API call, so to speak.18:16
morganfainbergvery very rough concept18:16
dstanekthat's not ABAC that could be nothing more that a better API on top of RBAC18:16
dstanekthe biggest problem for me in this area is not the roles but the list of things you can do "create an image" and the mapping between them (to do A the service does B under the hood)18:17
morganfainbergdstanek, right. well we can't do "true" ABAC because the IDPs don't know the keystone mapping18:18
morganfainbergdstanek, it is somewhere between ABAC and RBAC in this case.18:18
dstanekmorganfainberg: what would process the policy file (or equivalent) in this new way?18:19
morganfainbergdstanek, something akin to the decorators we have in keystone, @enforce('attr_name')18:20
samuelmsmorganfainberg, a workaround for this currently would be like having a 'head' call for each operation a user can perform .. thus horizon would be able to ask each available operation .. and then it would know what shows on its interface18:20
samuelmsmorganfainberg, makes sense?18:20
morganfainbergsamuelms, i don't know if that really scales, it's requiring a *lot* of extra requests.18:20
dstanekmorganfainberg: but under the hood enforce would parse the policy file?18:20
morganfainbergdstanek, no, policy file could disappear.18:21
dstanekwhere would that info be stored or processed then?18:21
morganfainbergfor compatibility, we'd still support policy file enforcement obviously18:21
morganfainbergthe policy file, might become just a "REST URL MAP" -> attr?18:22
morganfainbergso it could be 100% enforced in middleware18:22
morganfainbergalternatively, instead of using the rules engine you'd just enforce on the user context having the attribute you want.18:22
morganfainbergor attributes*18:23
morganfainbergthought the rest_url -> attr is no better than what we have now :(18:23
morganfainbergexcept that it doesn't get changed by $deployer_choice18:24
dstanekit seems to me that the Horizon problem could be solved by having a standard service interface implemented by each serivce that could take a token and return a list of capabilities18:24
samuelmsdstanek, ++18:25
morganfainbergdstanek, which means any interaction with horizon needs to ask each service what can be done18:25
morganfainbergdstanek, i don't think it's going to scale / be performant18:25
dstanekmorganfainberg: yes, i don't know how else you can do it - glace is the best place to say what a use can do with glance18:26
samuelmsmorganfainberg, it is almost as I had proposed .. but it could be a single request per service I guess18:26
dstaneksamuelms: yeah, exactly18:26
morganfainbergsamuelms, still doesn't really scale.18:26
dstanekmorganfainberg: i think that depends on the impl, caching mechansims and other things18:27
morganfainbergdstanek, i think it needs to be more centralized.18:27
samuelmsmorganfainberg, thus we should have something like a 'capabilities' service ?18:28
dstanekthen you have the oppsite problem of services having to go to a central place for each operation, right?18:28
morganfainbergdstanek, the thought I was having is you get a definitve list of interfaces (API calls) for a service and each one is applied to the token like a role today. [in lieu of the roles]18:29
morganfainbergso you don't need to ask an external service18:29
morganfainbergyou get the definitive list of capabilities in the token (probably broken down by service)18:30
morganfainbergor whatever AuthZ mechanism we end up with long term18:30
dstanekmorganfainberg: so you get information to say you can create compute instances in X region, you can create on SSD block storage, etc?18:31
*** nkinder has quit IRC18:31
dstanekthat sounds almost like shipping a policy file for each token18:32
dstanekor you lose the dynamic nature of the policy file itself18:32
samuelmsdstanek, yeah, that's the point18:32
morganfainbergdstanek, that would be specifically solved by the endpoint filtering18:33
morganfainbergdstanek, and constraints18:33
*** swamireddy has quit IRC18:33
dstanekfrom what i understand the people driving ABAC are trying to extend what you can do with policy not decrease it18:34
morganfainbergdstanek, let me start a ML topic on this instead18:37
morganfainbergi *think* the way policy works now, it's not really as flexible as people like to think it is18:37
*** amcrn has joined #openstack-keystone18:40
dstanekcool, right now the part i'm most fuzzy with is the problem being solved18:42
dstanekendpoint filtering implies that horizon would needs to know the filtering rules to provide an accurate interface18:42
dstaneki think the best thing to do is come up with exactly what information horizon needs to create the desired experience and work backword from there18:43
openstackgerritOpenStack Proposal Bot proposed a change to openstack/keystone: Updated from global requirements
samuelmswhen talk about flexibility .. I agree that ABAC give us more granularity when defining permissions ..18:46
samuelmsgetting a token capabilities is independent of RBAC/ABAC ... those mechanisms tell how capabilities are 'calculated' ..18:47
samuelmsfor getting token capabilities we just want the result, doesnt matter how we got the result18:48
dstaneksamuelms: right, that's why i don't understand how you could bundle that in the token and not have to have a service call or policy file18:48
samuelmsdstanek, so we share the same thoughts .. :)18:49
*** gabriel-bezerra has joined #openstack-keystone18:52
*** wwriverrat has joined #openstack-keystone18:53
*** dtantsur|afk is now known as dtantsur18:56
*** wwriverrat has quit IRC18:57
*** dtantsur has left #openstack-keystone18:57
*** marcoemorais has quit IRC19:00
*** marcoemorais has joined #openstack-keystone19:00
*** marcoemorais has quit IRC19:01
*** marcoemorais has joined #openstack-keystone19:01
*** marcoemorais has quit IRC19:01
*** marcoemorais has joined #openstack-keystone19:02
*** thedodd has quit IRC19:04
morganfainbergdstanek, the endpoints are part of the catalog,19:05
*** spligak has joined #openstack-keystone19:06
samuelmsdstanek, one possible solution would be to get *resources* that a token has access to ... *not operations* .. like this a client (such horizon) can show a dashboard for those resources (like instances)19:07
samuelmsmorganfainberg, ^19:07
samuelmsand the dynamic thing 'would be specifically solved by the endpoint filtering and constraints', as morgan said19:08
morganfainbergsamuelms, my view on this is trying to solve the19:08
dstaneksamuelms: you wouldn't bundle that with the token though - you would ask nova for the computes, etc19:09
*** afazekas has quit IRC19:09
morganfainberg"what can I do with this token" question, we are already talking about adding in contstaints that indicate what your endpoints you are allowed to interact with will be19:09
dstanekyeah, that's what i'm afraid of right now. i think as a group we need to have a cohesive view of everything and then start picking at it for implementation19:10
morganfainbergdstanek, which is why i'm starting the conversation (not implementation)19:11
dstanekmaybe not a complete view, but one to help define a general direction19:11
*** shakamunyi has joined #openstack-keystone19:12
morganfainbergmaybe we just need a consistent view to work from19:13
morganfainbergand that is the issue at hand. inconsistency.19:14
dstanekmorganfainberg: no, i'm not saying you're doing anything wrong :-) this just tends to happen in open source as everyone tries to scratch their own itch19:15
morganfainbergdstanek, right.19:15
morganfainberglike i said, let me start a ML topic on it. i think thats the next step to get more conversation vs. just some irc back and forth19:16
*** shakayumi has joined #openstack-keystone19:17
*** nellysmitt has quit IRC19:17
*** nellysmitt has joined #openstack-keystone19:18
gyeebknudson, ping19:18
*** shakamunyi has quit IRC19:21
bknudsongyee: what's up?19:21
*** nellysmitt has quit IRC19:23
gyeebknudson, you mentioned awhile back that nova to glance interaction is still backed on keystone v2 auth19:24
gyeethat still true?19:24
bknudsongyee: I don't think nova to glance does any authentication so it doesn't use v2 or v319:25
bknudsongyee: nova to neutron does v2 auth19:25
gyeebknudson, you have a patch to fix that? if not, I can work on it19:26
bknudsongyee: for nova to glance I think it just reuses the token that it was given originally and doesn't get a new one19:26
bknudsongyee: there are a couple of patches... it's probably not worth looking at mine.19:26
bknudsongyee: jamielennox had one... let me fine it.19:26
gyeebknudson, I am trying to figure out if we turned of v2 right now, who will break19:27
gyeebknudson, should I amend your patch?19:28
bknudsongyee: jamielennox commented in 113735 with his suggestion19:29
bknudsongyee: jamie's used load_from_conf_options19:30
gyeethat's fine19:30
bknudsonwhich is what I should have used19:30
bknudsongyee: you can amend my patch. I don't have time to work on it for a while.19:30
gyeebknudson, k, will work on it, just want to make sure we don't collide19:31
openstackgerritLance Bragstad proposed a change to openstack/keystone: Remove XML support
*** thedodd has joined #openstack-keystone19:36
*** NM has quit IRC19:37
*** nkinder has joined #openstack-keystone19:39
*** shakayumi has quit IRC19:48
*** nellysmitt has joined #openstack-keystone19:51
openstackgerritAndre Aranha proposed a change to openstack/keystone: Creating a policy sample
ayounglbragstad, so on the XML removal,  I fully concur.  Do we have a follow on plan for XML support?20:04
ayoungOr are we just saying "Buh bye"20:04
lbragstadayoung: I think we'll be supporting xml for juno and icehouse, which is why I'm working on these here:20:04
ayounglbragstad, OK,  so I want to change how we do marshalling20:05
ayounglbragstad, the old way way20:05
ayounginstead, we should determine the final marshalling format and do python_>json or python->xml20:05
ayoungand that means changing out the middleware20:05
* ayoung had an abandonded review...20:06
lbragstadso, how would that work if we're not going to support xml in Kilo?20:07
ayoungah, misread what you wrote20:07
*** shakamunyi has joined #openstack-keystone20:07
*** Kui has joined #openstack-keystone20:08
ayounglbragstad, if the only content type we are supporting is JSON from here on out, its not needed20:08
lbragstadayoung: ok, sounds good20:08
lbragstadI was trying understand the workflow20:08
ayounglbragstad, its my view that marshalling really is not a Keystone specific action, and we should be consuming external marshalling code. THat means that if someone wants XML, they get XML.  But we should honor the "Accepts" header20:09
*** david-lyle has quit IRC20:09
ayoungto be celar20:10
ayoungthey "get" XML if they have their own marshaller, or if the framework provides one20:10
ayoungnot that we sould20:10
* ayoung worse than usual typing today20:10
lbragstadI was just playing with that.. I sent a request with 'Content-Type: application/xml' after ripping out all the middleware for xml and it spits back JSON.20:11
dolphmayoung: but there's no generic way to map from any given format to another, which makes all of the alternatives formats proprietary and broken20:17
mfischare the new defaults listed here accurate:
dolphmlbragstad: Accept or Content-Type?20:17
dolphmlbragstad: Accept indicates what you want back20:17
mfischthe example config has a default revocation_cache_time of 3600, not 1020:17
morganfainbergdstanek, ML topic sent20:17
mfischthe code also says 360020:18
morganfainbergmfisch, that is correct the revocation list in keystone is highly cacheable20:18
mfischis the default 3600? the docs say it should be 300 and is now going to be 1020:19
ayoungdolphm depends on if Keystone is stating support for a given format.  If we say "we support XML" then we would have to support what the XML looks like that we support.  I was just against the JSON->XML approach we were using20:19
morganfainbergmfisch, 3600 should be the cache time for the revocation list20:19
mfischso the docs are wrong20:19
morganfainbergugh. did someone change that?20:19
mfischcheckout that link20:19
mfischpretty much at the bottom20:19
morganfainbergmfisch, yeah docs look wrong20:20
mfischI'll file a doc bug if you confirm it20:20
morganfainbergmfisch,         cfg.IntOpt('revocation_cache_time', default=3600,20:20
mfischI'm trying to update puppet-keystone to have the right defaults20:20
ayoungdolphm, we just currently use the existing JSON marshaller as the starting point.  I'm not aware of any real need for an XML tool, but I suspect that, once we rip out XML support, someone will come crying.20:20
lbragstaddolphm: did it with both20:20
mfischthx morganfainberg20:20
mfischfiled and cited the new PTL so they have to fix it I think ;)20:21
openstackgerritTerry Howe proposed a change to openstack/keystone-specs: Keystone Client Auth Plugin for token or user/pass
lbragstadso, if someone is expecting XML *from* Keystone, do we bomb out and say that it is no longer supported? Or do we just do everything in JSON and if they happen to have some sort of middleware in place they have to expect JSON because that's what we do support?20:36
morganfainberglbragstad, i'd expect if someone only accepts XML / content-type application/xml we need to say 40020:36
morganfainbergbad request.20:37
morganfainbergthey are asking for something we don't support, but a change in the request would make it valid. (difference from NotImplemented)20:37
lbragstadso what if they have their own xml middleware inplace?20:38
openstackgerritTerry Howe proposed a change to openstack/keystone-specs: Keystone Client Auth Plugin for token or user/pass
openstackgerritMatthieu Huin proposed a change to openstack/keystone: SAML-related protocols must be named 'saml2'
morganfainberglbragstad, they'd need to convert to json before it hit keystone, since we expect json20:49
lbragstadmakes sense20:49
*** radez is now known as radez_g0n320:49
morganfainbergso XML Request -> XML Middleware (convert to JSON) -> Keystone -> XML Midldeware (from JSON) -> XML Response20:49
lbragstadso I'll build a check into somewhere to check for that and bomb out20:49
ayoungjdennis, I think I cracked the code on pyasn1.  I'm using this code here and it seems to work:
*** david-lyle has joined #openstack-keystone20:53
*** david-lyle has quit IRC20:59
*** arunkant has joined #openstack-keystone21:02
openstackgerritTerry Howe proposed a change to openstack/keystone-specs: Keystone Client Auth Plugin for token or user/pass
openstackgerritMorgan Fainberg proposed a change to openstack/keystone: Remove unused ec2 driver option
openstackgerritKui Shi proposed a change to openstack/keystone: Add memcached_backend configuration
*** wwriverrat has joined #openstack-keystone21:19
openstackgerritMatthieu Huin proposed a change to openstack/python-keystoneclient: Add protocol as an argument when using unscoped SAML-based plugins
openstackgerritMatthieu Huin proposed a change to openstack/python-keystoneclient: Add protocol as an argument for unscoped SAML-based plugins
*** arif-ali has joined #openstack-keystone21:31
morganfainbergdstanek, ping21:33
*** saipandi has quit IRC21:40
*** shakayumi has joined #openstack-keystone21:49
*** dims has quit IRC21:50
*** jraim has quit IRC21:52
*** shakamunyi has quit IRC21:53
*** jraim has joined #openstack-keystone21:53
*** shakayumi has quit IRC21:54
*** david-lyle has joined #openstack-keystone21:55
*** nellysmitt has quit IRC21:58
*** jorge_munoz has quit IRC22:03
*** bknudson has quit IRC22:04
*** david-lyle_ has joined #openstack-keystone22:12
*** david-lyle has quit IRC22:15
openstackgerritMatthieu Huin proposed a change to openstack/keystone: SAML-related protocols must be named 'saml2'
*** packet has quit IRC22:28
*** thedodd has quit IRC22:32
*** david-lyle_ is now known as david-lyle22:40
*** dims_ has joined #openstack-keystone22:41
*** shakayumi has joined #openstack-keystone22:47
*** sigmavirus24 is now known as sigmavirus24_awa22:53
*** david-lyle has quit IRC22:58
*** zzzeek has quit IRC22:59
*** shakayumi has quit IRC23:01
*** zzzeek has joined #openstack-keystone23:02
*** openstackgerrit has quit IRC23:03
*** openstackgerrit has joined #openstack-keystone23:03
openstackgerritOpenStack Proposal Bot proposed a change to openstack/identity-api: Updated from global requirements
*** david-lyle has joined #openstack-keystone23:08
morganfainbergdavid-lyle, ping23:11
*** jorge_munoz has joined #openstack-keystone23:11
morganfainbergdavid-lyle, re: the first session there.23:11
morganfainbergdavid-lyle, on wed. 0900, as a tentative session topic.23:11
*** david-lyle has quit IRC23:14
morganfainbergayoung, ping23:15
*** shakayumi has joined #openstack-keystone23:18
*** openstackgerrit has quit IRC23:33
*** openstackgerrit has joined #openstack-keystone23:33
*** samuelmz__ has joined #openstack-keystone23:34
ayoungmorganfainberg, I'm in Dad mode.  Type your question and I'll answer in spurts...23:38
morganfainbergayoung, first session there23:39
nkindermorganfainberg: is there any chance to move the federation one to a different time-slot?23:39
morganfainbergnkinder, all slots are open for moving23:39
nkindermorganfainberg: I'm giving a talk at that time, and I really wanted to be there for the federation one23:39
morganfainbergnkinder, the only one i likely *wont* move is the ops on23:39
morganfainbergnkinder, yeah sure we cna move that one23:39
nkindermorganfainberg: awesome, thanks23:40
morganfainberglimited on options since i don't want it to overlap w/ horizon23:41
morganfainbergoh nvm, hah horizon sessions are off-set23:42
nkinderScheduling is always fun.  I'm sure we can't make everyone happy23:43
morganfainbergnkinder, ok shuffled some stuff around23:46
morganfainbergnkinder, the three i'm hoping you can make it to are SSO/Federation, Hierarchical multitenancy, and authorization23:46
morganfainbergnkinder, obv wont be upset if you made it to more of them23:47
nkindermorganfainberg: I plan to make it to as many keystone sessions as possible.  My only real commitment is the keystone talk I'm giving at 9am on wednesday23:47
ayoungmorganfainberg, looks good.  BTW, what do you think of the idea of putting the token in the payload of the requests and saying that everyone just needs to make room for keystone?23:48
morganfainbergnkinder, also when you have a sec, if you have anything to add to this thread: I'd appreciate it.23:48
morganfainbergayoung, you mean in the body?23:49
nkindermorganfainberg: yeah, I read that a few minutes ago and plan on chiming in23:49
morganfainbergayoung, it's definitely an alternative. might solve the token size issue.23:49
morganfainbergayoung, i think worth voicing that as option for the authorization/token session23:49
morganfainbergtoken size + header23:50
morganfainbergnot that the token size would get smaller23:50
gyeewe need token diet23:55
*** bknudson has joined #openstack-keystone23:55

Generated by 2.14.0 by Marius Gedminas - find it at!