Tuesday, 2014-10-21

[00:01] *** gokrokve_ has quit IRC
[00:07] *** zigo has quit IRC
[00:12] *** david-lyle has quit IRC
[00:13] *** zigo has joined #openstack-keystone
[00:15] *** david-lyle has joined #openstack-keystone
[00:21] *** dimsum_ has joined #openstack-keystone
[00:22] <nkinder> morganfainberg, dolphm: I was just looking into the bug that bknudson referenced in https://review.openstack.org/#/c/118590/
[00:22] <nkinder> morganfainberg, dolphm: I think that we implemented something that we shouldn't have in https://bugs.launchpad.net/keystone/+bug/1293698
[00:22] <uvirtbot> Launchpad bug 1293698 in keystone/icehouse "Can't map user description using LDAP" [Wishlist,Fix released]
[00:23] <nkinder> morganfainberg, dolphm: see my reasoning in my comment in https://review.openstack.org/#/c/118590/18/keystone/tests/test_backend_ldap.py
[00:24] <nkinder> We need to come to an agreement on the right direction for this given that we introduced a new behavior for the additional mapping code with the bug that bknudson fixed some time back
[00:29] *** drjones has quit IRC
[00:30] *** _cjones_ has joined #openstack-keystone
[00:34] *** _cjones_ has quit IRC
[00:37] <stevemar> man, there's a ton of unused libraries in pycadf
[00:37] *** andreaf has quit IRC
[00:38] *** andreaf has joined #openstack-keystone
[00:38] <rodrigods> stevemar some time to check https://review.openstack.org/#/c/129338/ again?
[00:39] <stevemar> rodrigods, nope :P
[00:39] <stevemar> rodrigods, jk +A'ed
[00:40] <rodrigods> stevemar, hehe =P
[00:40] <nkinder> amakarov_away: you should probably hold off on https://review.openstack.org/#/c/118590/ until we reach consensus on the right way forward
[00:42] *** gokrokve has joined #openstack-keystone
[00:42] *** samuelms_home has joined #openstack-keystone
[00:45] *** zzzeek has quit IRC
[00:47] <openstackgerrit> Steve Martinelli proposed a change to openstack/pycadf: Remove unused dependencies from pycadf  https://review.openstack.org/129765
[00:48] *** marcoemorais has quit IRC
[00:48] <openstackgerrit> Brant Knudson proposed a change to openstack/keystone: sys.exit mock cleanup  https://review.openstack.org/124240
[00:48] <openstackgerrit> Brant Knudson proposed a change to openstack/keystone: Tests raise exception if logging problem  https://review.openstack.org/119946
[00:57] *** _cjones_ has joined #openstack-keystone
[01:00] *** _cjones_ has quit IRC
[01:00] *** _cjones_ has joined #openstack-keystone
[01:01] <samuelms_home> dstanek, ping
[01:02] *** gokrokve has quit IRC
[01:02] <dstanek> samuelms_home: hi
[01:02] *** r1chardj0n3s_afk is now known as r1chardj0n3s
[01:03] *** gokrokve has joined #openstack-keystone
[01:03] <samuelms_home> dstanek, I've created that etherpad to discuss test improvements ..
[01:04] <samuelms_home> dstanek, but we don't have people's eyes up there :/
[01:04] <samuelms_home> dstanek, is an etherpad a good place to put such ideas? or should I put them in a spec?
[01:04] *** _cjones_ has quit IRC
[01:05] <dstanek> samuelms: the etherpad is probably good for now - i think most people are probably getting ready for the summit
[01:06] <samuelms_home> dstanek, hmm... yeah so we should get some review after that ..
[01:06] <samuelms_home> dstanek, do you plan to discuss some points about tests there?
[01:07] *** gokrokve has quit IRC
[01:11] <dstanek> samuelms_home: probably - my biggest thing is that i don't like that we have different tests between the different backends - it shows that the tests are too coupled to the implementation
[01:12] <samuelms_home> dstanek, ++
[01:20] *** gordc has joined #openstack-keystone
[01:21] *** topol has joined #openstack-keystone
[01:22] <stevemar> samuelms_home, what do you want to update for tests?
[01:24] <samuelms_home> stevemar, I've described some ideas on an etherpad (https://etherpad.openstack.org/p/Keystone_Tests_Improvement)
[01:24] *** radez_g0n3 is now known as radez
[01:24] <samuelms_home> stevemar, basically better organization, stop skipping tests, better reuse
[01:25] <samuelms_home> stevemar, create a consistent unit test suite :)
[01:27] *** andreaf has quit IRC
[01:27] *** andreaf has joined #openstack-keystone
[01:28] *** zzzeek has joined #openstack-keystone
[01:29] <stevemar> samuelms_home, ah i was hoping for more focus on functional tests
[01:29] *** gokrokve has joined #openstack-keystone
[01:30] <samuelms_home> stevemar, what's your point on functional tests? better coverage? organization?
[01:31] *** gokrokve has quit IRC
[01:31] <stevemar> samuelms_home, create any of them lol
[01:31] *** gokrokve has joined #openstack-keystone
[01:31] <stevemar> samuelms_home, currently we have none
[01:31] <stevemar> and there is a huge gap in the way we test
[01:32] <stevemar> 1) no real federation tests, 2) no real notification tests, 3) the tests don't run against apache, just eventlet
[01:33] <samuelms_home> stevemar, hmm.. interesting points
[01:33] <samuelms_home> stevemar, where should they be placed? tempest?
[01:34] *** zzzeek has quit IRC
[01:48] <samuelms_home> stevemar, I'm confused on how we could set up a real federation env inside keystone tests .. :/
[01:48] <stevemar> samuelms_home, well that's part of the fun of figuring it out :)
[01:48] <openstackgerrit> Rodrigo Duarte proposed a change to openstack/python-keystoneclient: Improves feedback message in SSL error  https://review.openstack.org/129769
[01:49] <stevemar> samuelms_home, i think we should have our own functional tests, tempest is something that should work against all openstack clouds, so that might be too generic
[01:50] <samuelms_home> stevemar, ++
[01:51] <rodrigods> stevemar, samuelms_home, a good start would be some scripts that set up federation in devstack, right? And I think we can start the contribution from there
[01:52] <stevemar> rodrigods, right, devstack has the ability to enable extensions, so if you add KEYSTONE_EXTENSION=federation to localrc, it should do the changes
[01:52] <stevemar> sry, KEYSTONE_EXTENSIONS (with an S)
[01:53] <rodrigods> stevemar, didn't know about that! =O
[01:53] <stevemar> but that is only really the SP part of the equation
[01:53] <samuelms_home> stevemar, rodrigods: cool
[01:53] <stevemar> not the idp part :P
[01:53] *** richm has quit IRC
[01:53] <samuelms_home> stevemar, oh wow ... so the fun doesn't stop there :p
[01:55] *** alex_xu has joined #openstack-keystone
[01:56] <stevemar> samuelms_home, correct, the hard part is setting up something that stores user ids, and spits out SAML
[01:56] <rodrigods> stevemar, this shouldn't be that hard...
[01:56] <stevemar> which tbh, i don't know what can do that, i was hoping nkinder had an idea there with his ipsilon stuff :)
[01:57] *** diegows has quit IRC
[01:58] <rodrigods> stevemar, btw, right now I'm trying to modify the code in keystone client that handles ECP so I can trade a SAML token for an OS token in k2k, right path?
[02:00] <openstackgerrit> gordon chung proposed a change to openstack/keystonemiddleware: Adding audit middleware to keystonemiddleware  https://review.openstack.org/102958
[02:18] *** yasu_ has joined #openstack-keystone
[02:21] *** samuelms_home has quit IRC
[02:25] *** stevemar has quit IRC
[02:25] *** stevemar has joined #openstack-keystone
[02:34] *** alex_xu has quit IRC
[02:40] <nkinder> stevemar, rodrigods: Yeah, we would still need to set up an IdP for testing.  Ipsilon on top of an LDAP server could do that, but it will require packaging Ipsilon for Debian/Ubuntu.
[02:40] <nkinder> That's definitely possible of course
[02:40] * rodrigods googling Ipsilon
[02:40] <nkinder> rodrigods: I'll get you a link
[02:41] <nkinder> rodrigods: https://fedorahosted.org/ipsilon/
[02:42] <nkinder> rodrigods: It's under pretty heavy development to merge with the FedOAuth project right now
[02:42] *** david-lyle_ has joined #openstack-keystone
[02:42] <nkinder> rodrigods: I know the developer who started the project, and he's pretty familiar with Keystone too.
[02:42] <rodrigods> nkinder, hmm looks great
[02:42] <nkinder> rodrigods: There's an #ipsilon channel on freenode too
[02:43] <rodrigods> will read through it
[02:43] *** alex_xu has joined #openstack-keystone
[02:43] <nkinder> rodrigods: I've set it up with Keystone's federation (using mod_auth_mellon).  I need to clean up my notes and get them into our docs.
[02:44] <rodrigods> nkinder, Icehouse federation or k2k?
[02:44] *** david-lyle has quit IRC
[02:44] <nkinder> rodrigods: not k2k
[02:44] <nkinder> just regular federation in Juno
[02:44] <rodrigods> nkinder, hmm
[02:44] <stevemar> i like how it's referred to as regular federation
[02:44] <nkinder> for k2k, isn't keystone the IdM technically?
[02:45] <stevemar> nkinder, yep
[02:45] <rodrigods> yes it is
[02:45] <nkinder> err, IdP
[02:45] <rodrigods> just stuck in the SAML <-> token step
[02:45] * rodrigods deploying a k2k env
[02:45] <stevemar> nkinder, what are the odds we can get ipsilon packaged for debian/ubuntu?
[02:45] <nkinder> so Ipsilon or Shibboleth isn't even really needed for k2k
[02:45] <stevemar> nkinder, correct
[02:45] <stevemar> nkinder, what we need are 2 vms
[02:46] <nkinder> stevemar: should be pretty doable.  I haven't looked to see if any requirements need to be packaged (like lasso or cherry-py)
[02:46] <stevemar> shib is still required i think
[02:46] <nkinder> stevemar: but I know the devs would be interested in getting it packaged, and we have had an Ubuntu dev working on porting all of FreeIPA over lately
[02:47] <nkinder> mod_shib you mean
[02:47] <nkinder> but not a shibboleth IdP, right?
[02:47] <stevemar> nkinder, yes, it gets a little ambiguous huh :)
[02:47] <nkinder> One VM would be acting as a SP with mod_shib or similar, and the other VM would have Keystone acting as the IdP
[02:48] <rodrigods> yes
[02:48] <rodrigods> that's exactly what I'm trying to accomplish
[02:48] <nkinder> rodrigods: are any particular areas proving to be difficult?
[02:49] <rodrigods> nkinder, the keystone IdP generates a SAML assertion that needs to be traded for an OpenStack token
[02:49] <rodrigods> I have the SAML assertion
[02:50] <rodrigods> but not being able to figure out how to trade it for a token, using ECP
[02:51] <rodrigods> nkinder, (off: ipsilon is how we pronounce Y in portuguese hehe =)
[02:52] <nkinder> rodrigods: hence the 'Y' logo
[02:52] <nkinder> rodrigods: the developer who wrote it is Italian, and I believe they use ipsilon for Y too
[02:53] <rodrigods> nkinder, ++
[02:53] <rodrigods> about k2k, any suggestions?
[02:53] <rodrigods> right now I'm trying to modify keystone client code that handles ECP
[02:54] <nkinder> rodrigods: not sure since I haven't played with it (also haven't tried the ECP side of things in the client)
[02:54] <rodrigods> ok =(
[02:54] <nkinder> I think marekd might be your best bet
[02:55] <rodrigods> yeah, I usually ping him =)
[02:55] <rodrigods> thanks, anyway
[02:55] <rodrigods> about the IdP with ipsilon, looking forward to helping with it
[02:57] <nkinder> rodrigods: so one of the big things ipsilon (and mod_mellon) needs is ECP support.
[02:57] <nkinder> rodrigods: The underlying library that does all of the real SAML work (lasso) has ECP AFAIK.
[02:58] <nkinder> rodrigods: So hopefully that's not a ton of work
[02:58] *** dimsum_ has quit IRC
[02:58] <nkinder> rodrigods: One of our devs plans to work on that to make it usable for Keystone once he wraps up some other work.
[02:59] *** dimsum_ has joined #openstack-keystone
[02:59] <rodrigods> nkinder, I can definitely help with it
[02:59] <rodrigods> my nights are becoming longer, anyway
[03:00] <nkinder> rodrigods: Ok, I'll point him (jdennis) your way.  Maybe tomorrow we can chat on #ipsilon with Simo about it too.
[03:00] <rodrigods> nkinder, just need to figure out how to make k2k work, though, a couple days already on this road
[03:00] <nkinder> rodrigods: what timezone/utc offset are you in?
[03:00] <rodrigods> nkinder, utc -3
[03:00] <rodrigods> midnight right now
[03:01] *** radez is now known as radez_g0n3
[03:02] <nkinder> yeah, late for you.  I'm utc-7 right now
[03:02] *** jacer_huawei has quit IRC
[03:02] <rodrigods> nkinder, you can ping me anytime
[03:03] <rodrigods> and if I'm not out sleeping, we can definitely chat
[03:03] <nkinder> rodrigods: sounds good
[03:03] *** dimsum_ has quit IRC
[03:13] *** r1chardj0n3s is now known as r1chardj0n3s_afk
[03:14] *** KanagarajM has joined #openstack-keystone
[03:15] *** jacer_huawei has joined #openstack-keystone
[03:19] *** gordc has quit IRC
[03:35] *** ayoung has quit IRC
[03:53] *** r1chardj0n3s_afk is now known as r1chardj0n3s
[03:56] *** yasu_ has quit IRC
[03:59] *** yasu_ has joined #openstack-keystone
[04:02] <openstackgerrit> A change was merged to openstack/keystone: Extract Assignment tests from IdentityTestCase  https://review.openstack.org/121653
[04:02] *** gokrokve_ has joined #openstack-keystone
[04:02] <openstackgerrit> A change was merged to openstack/keystone: Fixes docstrings to be more accurate.  https://review.openstack.org/126730
[04:03] <openstackgerrit> A change was merged to openstack/keystone: Add xmlsec1 dependency comments  https://review.openstack.org/129338
[04:06] *** gokrokve has quit IRC
[04:07] *** gokrokve_ has quit IRC
[04:13] <openstackgerrit> Steve Martinelli proposed a change to openstack/pycadf: Remove unused dependencies from pycadf  https://review.openstack.org/129765
[04:28] *** lhcheng has quit IRC
[04:30] <openstackgerrit> wanghong proposed a change to openstack/keystone: remove assignments for foreign actors when deleting domain  https://review.openstack.org/127433
[04:32] <openstackgerrit> wanghong proposed a change to openstack/keystone: fix the wrong order of assertEqual args in test_v3  https://review.openstack.org/127110
[04:54] <openstackgerrit> wanghong proposed a change to openstack/keystone: use expected_length parameter to assert expected length  https://review.openstack.org/128197
[04:56] *** _cjones_ has joined #openstack-keystone
[05:04] *** topol has quit IRC
[05:10] *** yasu_ has quit IRC
[05:25] *** gokrokve has joined #openstack-keystone
[05:30] *** harlowja is now known as harlowja_away
[05:34] *** gokrokve has quit IRC
[05:34] *** gokrokve has joined #openstack-keystone
[05:35] *** yasu_ has joined #openstack-keystone
[05:48] *** david-lyle_ has quit IRC
[05:50] *** k4n0 has joined #openstack-keystone
[05:52] *** navid_ has joined #openstack-keystone
[05:53] <navid_> hi
[05:54] <navid_> when i use tox -epy27, i get this error
[05:54] <navid_> ERROR: InvocationError: '/opt/stack/python-keystoneclient/.tox/py27/bin/python setup.py testr --testr-args='
[05:57] *** gokrokve has quit IRC
[05:58] *** gokrokve has joined #openstack-keystone
[05:58] *** andreaf has quit IRC
[05:58] *** andreaf has joined #openstack-keystone
[06:02] *** gokrokve has quit IRC
[06:06] *** alex_xu has quit IRC
[06:14] *** r1chardj0n3s is now known as r1chardj0n3s_afk
[06:18] *** ukalifon has joined #openstack-keystone
[06:20] *** alex_xu has joined #openstack-keystone
[06:25] *** drjones has joined #openstack-keystone
[06:28] *** _cjones_ has quit IRC
[06:28] *** gokrokve has joined #openstack-keystone
[06:29] *** drjones has quit IRC
[06:30] *** hockeynut has quit IRC
[06:32] *** hockeynut has joined #openstack-keystone
[06:33] *** gokrokve has quit IRC
[06:36] *** alex_xu has quit IRC
[06:48] *** rm_work has quit IRC
[06:48] *** alex_xu has joined #openstack-keystone
[06:49] *** rm_work has joined #openstack-keystone
[07:05] *** lhcheng has joined #openstack-keystone
[07:11] <marekd> navid_: try tox -repy27
[07:11] <marekd> -r rebuilds the virtual environment
[07:17] *** lhcheng has quit IRC
[07:17] <openstackgerrit> wanghong proposed a change to openstack/keystone: remove implemented TODO in catalog/backends/sql.py  https://review.openstack.org/129830
[07:20] *** amcrn has quit IRC
[07:24] *** jamielennox has joined #openstack-keystone
[07:26] <marekd> rodrigods: hello
[07:28] <marekd> rodrigods: i had somewhere a code which transports the saml assertion to mod_shib, but seriously you will help us much more if you sniff the whole traffic and look into avoiding ecp :-) We talked about it once.
[07:28] *** gokrokve has joined #openstack-keystone
[07:33] *** gokrokve has quit IRC
[07:36] <jamielennox> marekd: how are the client federation plugins going? is there stuff i need to look at?
[07:37] *** dimsum_ has joined #openstack-keystone
[07:38] *** afazekas has joined #openstack-keystone
[07:38] *** andreaf has quit IRC
[07:41] *** dimsum_ has quit IRC
[07:42] <marekd> jamielennox: hey, the plugins are merged, osc can even use them. One thing i wanted to get merged is: https://review.openstack.org/#/c/106751/
[07:44] <jamielennox> marekd: ok, cool so this is the wrapper around the unscoped and scoping process
[07:45] <marekd> jamielennox: exactly. it's better to handle it in keystoneclient than in openstackclient.
[07:45] <jamielennox> marekd: yea, absolutely
[07:49] <marekd> jamielennox: btw, do you have any plans for storing sessions or at least tokens so they can be used for multiple calls (separate openstackclient calls for instance)?
[07:49] <jamielennox> marekd: yes and no
[07:49] <marekd> jamielennox: ..uh
[07:50] <jamielennox> i have https://review.openstack.org/#/c/113163/
[07:50] <jamielennox> which i put as WIP whilst i was away
[07:50] *** stevemar has quit IRC
[07:50] <jamielennox> it's not really "complete" because it doesn't serialize the discovery cache which i think will be important for clients like that
[07:51] <jamielennox> however something like OSC could easily build upon that to provide cross instance calls
[07:51] <jamielennox> i just expect to provide the serialization tools and leave the how up to OSC
[07:52] *** mitz has quit IRC
[07:52] <jamielennox> it needs some more work and testing with CLIs, i was looking at it for serializing a plugin across RPC calls, so that like nova could send the whole plugin off to a worker
[07:53] <marekd> i am scanning the code - so it would serialize the token for instance?
[07:53] <jamielennox> yes, it would essentially allow you to reconstruct an auth plugin with the token in it
[07:53] <jamielennox> it doesn't serialize the password or sensitive data though
[07:53] <marekd> the use case i am thinking about is caching the unscoped token and using it to scope multiple times.
[07:54] <jamielennox> hmm
[07:54] <marekd> which could be useful in saml2 as we could avoid slightly expensive authentication every time.
[07:54] <jamielennox> is it more useful than just serializing the scoped token?
[07:55] <jamielennox> one of the things missing from auth plugins in general is a good story about how to rescope a token/plugin
[07:55] *** mitz has joined #openstack-keystone
[07:56] <marekd> but rescope is scoped token -> scoped token, right?
[07:56] <marekd> in saml2 you have an unscoped token that in theory should be able to scope multiple times.
[07:56] <marekd> brb
[07:59] <marekd> im back
[08:02] *** jistr has joined #openstack-keystone
[08:07] <jamielennox> marekd: rescope is most likely unscoped -> scoped
[08:08] <jamielennox> but there is nothing that (currently) prevents you using a scoped token to get a new scoped token
[08:09] <marekd> jamielennox: even for changing the projects you scope to?
[08:10] <jamielennox> marekd: yea, it's bad and we've hated it for a while, but because of default_project_id you might not even be able to get a proper unscoped token so we have to allow scoped to scoped exchange
[08:11] <openstackgerrit> Andreas Jaeger proposed a change to openstack/keystonemiddleware: Improve help strings  https://review.openstack.org/118048
[08:12] <marekd> jamielennox: a) is the rescoping procedure somewhat standard, will it work also for federated tokens? b) is it already implemented in ksc?
[08:13] <jamielennox> marekd: somewhat - and this is kind of what i was trying to ask you about a while ago, was there a reason that federation needed its own scoping process and couldn't just treat an unscoped token like a non-federated unscoped token
[08:13] <jamielennox> i can't remember your response but there was a reason you had to subclass v3.Token rather than just use v3.Token
[08:14] <jamielennox> and it's possible rather than implemented well
[08:14] <jamielennox> so you can take an unscoped plugin and do scoped = v3.Token(auth_url, unscoped.get_token(session))
[08:15] <jamielennox> scoped = v3.Token(auth_url, unscoped.get_token(session), project_id=project_id, ...)
[08:15] <jamielennox> but i need to find a way of doing that "nicely"
[08:15] <marekd> https://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/contrib/auth/v3/saml2.py#L865 i think i was subclassing it due to a different authentication method (saml2 instead of token)
[08:15] <jamielennox> the pieces are there i think, it's just a bad user interface
[08:16] <jamielennox> marekd: yep, because something on the server side means that you have to treat federated unscoped tokens differently
[08:16] <jamielennox> that sounds like it
[08:16] <marekd> jamielennox: yes yes.
[08:17] * jamielennox is trying to get my head back in the game
[08:17] <marekd> jamielennox: we are listing projects/domains from groups, not the user.
[08:17] <marekd> jamielennox: hm, one thing.
[08:17] <jamielennox> marekd: which i am hoping i solved by GET /auth/projects
[08:17] <marekd> jamielennox: is your serialization plugin also storing the http headers and cookies stored in the session object?
[08:18] <marekd> jamielennox: review link?
[08:18] <jamielennox> marekd: for GET /auth/projects?
[08:18] *** aix has joined #openstack-keystone
[08:18] <marekd> btw it was super funny that we started deprecating api calls before somebody used them in a prod environment
[08:18] <marekd> jamielennox: yes
[08:18] <jamielennox> marekd: so at the moment the serialization is just of the auth plugin, not the session
[08:19] <jamielennox> marekd: better i think
[08:19] <marekd> jamielennox: ok
[08:19] <jamielennox> um, let me look - it was merged before release
[08:20] <jamielennox> marekd: https://review.openstack.org/#/c/114903/
[08:26] <marekd> jamielennox: so until today a user listing his projects was calling something like GET /<user>/projects and now they are supposed to switch to GET /auth/projects
[08:26] <jamielennox> marekd: yep
[08:27] *** nellysmitt has joined #openstack-keystone
[08:27] <marekd> ok
[08:27] <jamielennox> marekd: which means that you don't need to know user_id and so the federated tokens can also call GET /auth/projects rather than OS-FEDERATED/projects or whatever it was
[08:28] <marekd> jamielennox: yes yes
[08:28] *** gokrokve has joined #openstack-keystone
[08:28] <marekd> jamielennox: and the /OS-FEDERATION/projects should stay for how long? One, two releases?
[08:28] <marekd> jamielennox: i guess one day you will want to remove it, also from keystoneclient.
[08:29] <jamielennox> marekd: i don't know, i don't think we've managed to successfully remove an API yet, just deprecate it
[08:32] <marekd> hm, i am wondering if this change needs any keystoneclient changes.
[08:32] <marekd> i think not really
[08:33] *** gokrokve has quit IRC
[08:33] <marekd> jamielennox: or the client side is not yet implemented?
[08:33] <jamielennox> client side for /auth/projects etc?
[08:33] *** lsmola has quit IRC
[08:33] <jamielennox> it's not really implemented
[08:33] <marekd> yes
[08:34] *** openstackgerrit has quit IRC
[08:34] *** openstackgerrit has joined #openstack-keystone
[08:34] <jamielennox> i started it, i don't know if i ever submitted it
[08:34] <jamielennox> there are some issues with how discovery works i think
[08:35] *** Tahmina has joined #openstack-keystone
[08:36] <marekd> namely?
[08:42] <jamielennox> um, so it requires API version 3.3 so i had a thing that if discovery doesn't report version 3.3 it should fall back to using the existing methods, and something about the way it worked meant i couldn't distinguish between v3.3 not being available and something else
[08:42] <jamielennox> it's been a little while
[08:42] <jamielennox> but it meant that you were always doing two requests where you should only have had to do one
[08:43] <jamielennox> https://review.openstack.org/#/c/118531/
[08:45] <jamielennox> looking at it now i probably don't want to allow the fallback case at all because then it will fail for the federated case
[08:45] <jamielennox> s/fail/do the wrong thing
[08:46] *** lsmola has joined #openstack-keystone
[08:52] <openstackgerrit> Jamie Lennox proposed a change to openstack/keystonemiddleware: Updated from global requirements  https://review.openstack.org/126631
[08:56] *** Tahmina has quit IRC
[09:05] *** henrynash has joined #openstack-keystone
[09:05] *** lsmola has quit IRC
[09:10] *** alex_xu has quit IRC
[09:10] *** andreaf_ is now known as andreaf
[09:19] *** aix has quit IRC
[09:20] *** lsmola has joined #openstack-keystone
[09:22] *** aix has joined #openstack-keystone
[09:28] *** gokrokve has joined #openstack-keystone
[09:33] *** gokrokve has quit IRC
[09:38] *** KanagarajM has quit IRC
[09:39] <marekd> jamielennox: so, do you think you will find some time for reviewing this: https://review.openstack.org/#/c/106751/12 ?
[10:15] <jamielennox> marekd: i'm going to have a look, again i don't really have anything i can test it with so it's just a style thing really
[10:17] <marekd> jamielennox: better than nothing.
[10:28] *** gokrokve has joined #openstack-keystone
[10:29] *** gokrokve has quit IRC
[10:30] *** gokrokve has joined #openstack-keystone
[10:35] *** gokrokve has quit IRC
[10:37] <openstackgerrit> Jamie Lennox proposed a change to openstack/keystonemiddleware: Use connection retrying from keystoneclient  https://review.openstack.org/129868
[11:06] *** jamielennox_ has joined #openstack-keystone
[11:06] *** jamielennox has quit IRC
[11:06] *** jamielennox_ is now known as jamielennox
[11:13] *** samuelms_home has joined #openstack-keystone
[11:14] *** ukalifon has quit IRC
[11:15] *** amakarov_away is now known as amakarov
[11:21] *** dimsum_ has joined #openstack-keystone
[11:24] *** miqui has quit IRC
[11:27] *** jistr is now known as jistr|english
[11:28] *** gokrokve has joined #openstack-keystone
[11:32] *** gokrokve has quit IRC
[11:37] *** afazekas has quit IRC
[11:37] *** k4n0 has quit IRC
[11:37] *** rwsu has quit IRC
[11:37] *** larsks has quit IRC
[11:37] *** larsks has joined #openstack-keystone
[11:37] *** afazekas has joined #openstack-keystone
[11:37] *** rwsu has joined #openstack-keystone
[11:38] *** k4n0 has joined #openstack-keystone
[11:44] *** diegows has joined #openstack-keystone
[11:46] *** afazekas has quit IRC
[11:46] *** afazekas has joined #openstack-keystone
[11:46] *** k4n0 has quit IRC
[11:46] *** k4n0 has joined #openstack-keystone
[11:47] *** samuelms__ has joined #openstack-keystone
[11:48] *** aix has quit IRC
[11:49] *** aix has joined #openstack-keystone
[11:50] *** samuelms_home has quit IRC
[11:52] *** vb has quit IRC
[11:53] *** vb has joined #openstack-keystone
[12:10] <openstackgerrit> OpenStack Proposal Bot proposed a change to openstack/keystone: Updated from global requirements  https://review.openstack.org/127765
[12:10] <openstackgerrit> OpenStack Proposal Bot proposed a change to openstack/keystonemiddleware: Updated from global requirements  https://review.openstack.org/126631
[12:15] <openstackgerrit> OpenStack Proposal Bot proposed a change to openstack/python-keystoneclient: Updated from global requirements  https://review.openstack.org/126679
[12:28] *** k4n0 has quit IRC
[12:28] *** gokrokve has joined #openstack-keystone
[12:30] *** htruta has joined #openstack-keystone
[12:33] *** gokrokve has quit IRC
[12:35] *** topol has joined #openstack-keystone
[12:38] *** diegows has quit IRC
[12:38] *** dimsum_ has quit IRC
[12:38] *** alee has quit IRC
[12:39] *** dimsum_ has joined #openstack-keystone
[12:45] *** yasu_ has quit IRC
[12:49] *** topol has quit IRC
[12:52] *** gordc has joined #openstack-keystone
[12:54] *** diegows has joined #openstack-keystone
[12:57] *** jistr|english is now known as jistr
[13:05] <marekd> http://openstack-in-production.blogspot.ch/2014/10/kerberos-and-single-sign-on-with.html
[13:05] * marekd http://openstack-in-production.blogspot.ch/2014/10/kerberos-and-single-sign-on-with.html
[13:06] *** richm has joined #openstack-keystone
[13:07] *** sigmavirus24_awa is now known as sigmavirus24
[13:12] *** NM has joined #openstack-keystone
[13:12] *** NM has quit IRC
[13:14] *** NM has joined #openstack-keystone
[13:15] <openstackgerrit> Jamie Lennox proposed a change to openstack/python-keystoneclient: Make keystoneclient use an adapter  https://review.openstack.org/97681
[13:17] *** flaviamissi has joined #openstack-keystone
[13:17] *** radez_g0n3 is now known as radez
[13:20] *** jistr has quit IRC
[13:21] <openstackgerrit> Jamie Lennox proposed a change to openstack/keystonemiddleware: Use connection retrying from keystoneclient  https://review.openstack.org/129868
[13:23] *** jistr has joined #openstack-keystone
[13:25] <openstackgerrit> Jamie Lennox proposed a change to openstack/keystone-specs: Add a catalog to an unscoped token  https://review.openstack.org/107333
[13:29] *** bknudson has joined #openstack-keystone
[13:33] *** joesavak has joined #openstack-keystone
[13:34] *** r-daneel has joined #openstack-keystone
[13:40] *** alee has joined #openstack-keystone
[13:41] *** radez is now known as radez_g0n3
[13:43] *** topol has joined #openstack-keystone
[13:57] *** samuelms_home has joined #openstack-keystone
[13:57] *** stevemar has joined #openstack-keystone
[13:57] *** vejdmn has joined #openstack-keystone
[13:59] *** ayoung has joined #openstack-keystone
[13:59] *** gabriel-bezerra has quit IRC
[14:01] *** gokrokve has joined #openstack-keystone
[14:01] *** samuelms__ has quit IRC
[14:11] <ayoung> stevemar, https://review.openstack.org/#/c/128780/  that should have been called "CADF everywhere", not "create a spec for CADF everywhere"  Go terse in your title!
[14:11] <stevemar> ayoung, my bad :)
[14:12] <ayoung> stevemar, I just went to edit the commit message, but saw it merged
[14:12] <stevemar> ayoung, were you OK with the changes? i think the only concern was to make it configurable?
[14:12] <ayoung> Not a huge deal, just a touch of polish
[14:12] <ayoung> I think the change itself is good
[14:13] <ayoung> stevemar, BTW, I think you can still submit changes to the spec even though it is approved:  bknudson has some spelling and word suggestions that look like they should be adopted
[14:15] <ayoung> stevemar, I think that someday the 'Audit' aspect of it will be far overshadowed by the other uses of these notifications.  Getting a decent format, light, and easy to work with, will have huge benefits.  This is a good approach
[14:15] <ayoung> and it makes it easier to treat the notifications as a contract
[14:18] <jamielennox> i saw a thing from the opendaylight people where they were also using the "triple A" acronym, however the third A was accounting - not sure about better but maybe a bit more of a generic term
[14:23] <stevemar> ayoung, i'll push a new patch, just tweaking my VM a bit, just updated from 12.04 to 14.04
[14:24] <bknudson> stevemar: how did the upgrade go?
[14:24] <bknudson> I need to do that sometime.
[14:25] <openstackgerrit> Rodrigo Duarte proposed a change to openstack/identity-api: API documentation for Hierarchical Multitenancy  https://review.openstack.org/111355
[14:28] *** gokrokve has quit IRC
[14:29] *** gokrokve has joined #openstack-keystone
[14:30] <stevemar> bknudson, not bad, slapd gave me some issues
[14:31] <stevemar> bknudson, not bad otherwise, if you're using a VM with the unity desktop better switch to gnome
[14:31] <bknudson> no desktop for me... ssh
[14:32] <marekd> stevemar: gnome isn't unity?
[14:32] <marekd> stevemar: that new gnome is bleeeeh :(
[14:32] <bknudson> that's what kubuntu is for
[14:32] <marekd> kubuntu is with kde?
[14:33] <stevemar> marekd, nope it ain't and unity has some requirements for 2d/3d acceleration i think (from what i can tell)
[14:33] *** andreaf has quit IRC
[14:33] <marekd> hm, i'd be super happy with gnome2
[14:33] *** henrynash has quit IRC
[14:34] <marekd> but upgrades are inevitable :(
[14:34] <bknudson> y kubuntu has kde
[14:34] <marekd> i simply need gnome-settings-daemon which will handle my multimedia, network etc.
[14:34] *** samuelms_home has quit IRC
[14:34] <marekd> i can manage my windows with the help of other WMs
[14:35] <rodrigods> gnome 3 >> unity
[14:35] <rodrigods> =)
[14:35] <marekd> bknudson: so i'd rather go http://xubuntu.org/
[14:35] <bknudson> I haven't tried xubuntu since I like KDE for whatever reason.
[14:36] <marekd> bknudson: sure
[14:36] <stevemar> bknudson, i would not have thought you like KDE at all
[14:36] * rodrigods googling to see how KDE looks nowadays
[14:36] <bknudson> it's better than unity
[14:36] <stevemar> true
[14:37] <rodrigods> continues similar to windows
[14:38] *** samuelms_home has joined #openstack-keystone
[14:40] *** _cjones_ has joined #openstack-keystone
[14:40] <dstanek> rodrigods: the new KDE looks really nice, but i stick to the simple window managers
[14:42] <jamielennox> marekd: gnome 3 took some getting used to, but i preferred it once i did
[14:42] <rodrigods> dstanek, once i almost did a gsoc for gnome, so i became its advocate hehe
[14:43] <dstanek> my favorites were always fluxbox or ratpoison, but a friend of mine had me using awesome for quite a while
[14:44] <marekd> jamielennox: http://www.gambaru.de/blog/wp-content/uploads/2011/11/20111108_Gnome3_Debian_Shell.jpg this?
[14:45] <rodrigods> dstanek, so you like the "underdogs"
[14:45] *** _cjones_ has quit IRC
[14:45] <marekd> jamielennox: see, the problem is i use this: http://i3wm.org/ and i like some of gnome (like gnome-settings-daemon), but the newest versions of it basically are not really working well with i3. At least after upgrades.
[14:45] <rodrigods> never tried them
[14:45] <jamielennox> marekd: pretty much
[14:45] <dstanek> rodrigods: i just don't value the flash and like to maximize productivity
[14:45] <marekd> dstanek: did you know that awesome's author works on openstack at the moment?
[14:46] <dstanek> i've had this mac for like 3 years and still can't make it as productive as my old linux machines
[14:46] <dstanek> marekd: really? i didn't know that
[14:46] <marekd> dstanek: https://julien.danjou.info/blog/
[14:46] <marekd> dstanek: he works on ceilometer
[14:47] <jamielennox> ah, yea - if you're used to one of the really cut down window managers then i don't know what to offer
[14:47] <jamielennox> i tried them for a while, dwm and awesome i think
[14:47] <jamielennox> i don't need them to be pretty but it just felt really clunky
[14:47] <rodrigods> dstanek, hmm will check awesome, at least for my workstation
[14:47] <ayoung> alee, So, been thinking over the Barbican Vault and IPA question.  In a pure IPA driven model, what would be used today to determine if a user should be granted access to a key?
[14:48] <marekd> jamielennox: it's a matter of getting used to.
[14:48] <marekd> jamielennox: just like with vim.
[14:48] <dstanek> rodrigods: it's a tiled window manager so the experience is very different
[14:48] <alee> ayoung, well let's take the simplest case first.  a secret that is for the project.
[14:48] <marekd> jamielennox: however i find vim quite clunky and sometimes switch to sublime
[14:48] <ayoung> alee, outside of Keystone and Openstack
[14:48] <rodrigods> marekd, will send my vim screen to you
[14:49] *** ukalifon1 has joined #openstack-keystone
[14:49] <marekd> rodrigods: yes, please
[14:49] <alee> ayoung, you mean barbican outside of openstack?
[14:49] <ayoung> no
[14:49] <ayoung> alee, I mean IPA and vault only
[14:49] <marekd> rodrigods: along with your vimrc
[14:49] <dstanek> jamielennox: yeah, awesome feels old and limited until you get used to the keyboard shortcuts
[14:50] <ayoung> alee, If I install freeipa from git master, I can install KRA, right?
[14:50] <alee> ayoung, yes you can install a KRA
[14:50] <rodrigods> marekd, https://www.dropbox.com/s/pn0omijznxtvs7e/vim.png?dl=0
[14:50] <vsilva> I'm trying to run one single test (function) within keystone but can't get the syntax right - that is possible, isn't it?
[14:51] <alee> ayoung, right now, IPA communicates with KRA through a trusted agent.
rodrigodsmarekd, almost sublime =P14:51
aleeso its really what gets put in on the IPA side14:51
vsilvamy last attempt: ./run_tests.sh keystone.tests.test_backend_ldap.BaseLDAPIdentity.test_get_and_remove_role_grant_by_group_and_domain runs 0 tests :|14:51
aleeie. the code that endi is writing14:51
ayoungalee, so for a key retrieval, if IPA says it is OK,  KRA will pack up the key and return it?14:52
aleecorrect14:52
aleejust like we do with certs14:52
jamielennoxalso there was the assumption that you wanted to customize everything, in general i want fairly stock at least until i get used to something14:52
jamielennoxloading lua scripts for clocks and other stuff not my first concern14:52
aleeayoung, so its whatever policy is in place for IPA14:52
marekdrodrigods: does it give you variable hints?14:53
ayoungalee, So, I would think that Barbican should represent the IPA agent in this case:  Barbican is responsible for the Role check.  Since the request coming in is not expected to be Kerberized, you would need to do a transform anyway14:53
rodrigodsmarekd, https://github.com/rodrigods/dotfiles/blob/master/vimrc14:53
marekdrodrigods: not only from the current file?14:53
rodrigodsmarekd, it doesn't, i was learning the shortcuts for that14:53
ayoungalee, the request is going to be handled by Barbican, not directly by IPA, correct?14:54
rodrigodsmarekd, i know that for auto-completing from the file system you use C-x + f14:54
aleeayoung, sure -- you could do that -- that is - you could say "secrets stored by Barbican would need to be retrieved by Barbican"14:54
ayoungYes14:54
aleeayoung, but then, whats the point of involving IPA vault at all?14:54
*** david-lyle_ has joined #openstack-keystone14:54
*** zzzeek has joined #openstack-keystone14:54
aleeayoung, right now - barbican can talk directly through its own agent to the KTA14:54
ayoungalee, well, I would not have done it that way. IPA and Dogtag have always been uneasy bedfellows14:55
aleeKRA14:55
aleeayoung, that is precisely the point of my email :)14:55
ayoungbut...you could try to do a reverse mappping14:55
ayoungright now we map groups to roles-in-projects14:55
*** stevemar has quit IRC14:55
marekdrodrigods: see, the problem is sometimes if you need to navigate and reorganize your buffers/splits14:55
ayoungBarbican could perform a reverse mapping:  roles-in-projects to groups14:55
*** stevemar has joined #openstack-keystone14:56
ayoungits really not a reversable mapping14:56
aleethe question is more what happens when someone tries to retrieve a secret from IPA directly14:57
vsilvaoops, found the problem, nvm14:57
ayoungalee, it falls back on the IPA level permissions14:57
ayoungif only Barbican has access, and that some is not Barbican, it fails14:57
ayoungalee, I would not expect IPA to manage the identiies of the end users anyway,  those are going to come from AD, and a trust arraingement is not a given14:58
aleeyeah - but if I can't access the secret as a user from IPA directly, then I see no reason to involve vault at all.14:58
14:58 <alee> just let Barbican go to the KRA directly
14:59 <ayoung> as much as we would like to require a trust set up, I think the common use case is a smallish lab, using IPA for host management, and end users coming out of corporate Kerberos, or maybe via SAML
14:59 <ayoung> alee, I think Barbican getting access to all of Dogtag would make me very happty
14:59 <ayoung> happity even
15:00 <ayoung> I want user certs
15:00 *** david-lyle_ has quit IRC
15:00 <ayoung> but...IPA has a role to play here, too.
15:00 <rodrigods> marekd, yeah, I think that I got used to the auto-completion style (from the same file) =)
15:00 <alee> ayoung, barbican -> kra and ca already works
15:01 *** zzzeek has quit IRC
15:01 <alee> ayoung, ipa has either user/host store .. and provides dogtag
15:01 <ayoung> so I would think that you would want Barbican to talk to the KRA via the IPA identity, and have all service users in IPA as a separate domain
15:01 *** stevemar has quit IRC
15:01 <ayoung> remember that Delegation in OpenStack really requires a Keystone user
15:01 *** stevemar has joined #openstack-keystone
15:01 <marekd> rodrigods: aha
15:02 <alee> ayoung, ok - you've lost me. what do you mean by those last two statements?
15:02 <ayoung> alee, for example, the realistic but messy case of Solum talking to Heat on behalf of an end user that needs to stick a key in the KRA so you have a double delegated trust.
15:03 *** zzzeek has joined #openstack-keystone
15:03 <ayoung> alee, keystone trusts are user to user
15:03 <ayoung> and they were written primarily to support heat
15:03 <ayoung> Heat needs to do something on your behalf say a week from now
15:03 <marekd> rodrigods: do you have working icehouse federation?
15:03 *** zzzeek has quit IRC
15:03 <ayoung> let's say that something involved fetching my Key out of the KRA
15:04 <ayoung> So I create a trust that says "the heat user can get a token as me with the role needed to fetch a key"
15:05 <ayoung> the heat user is in the service domain...those users could be either in FreeIPA or in SQL. They are not going to be in corporate AD, and Corporate is not going to want to treat them as real users, and is unlikely to want to create a Kerberos trust with my lab anyway
15:06 <ayoung> alee, think of Keystone as being a tool that pulls together disparate Identity sources
15:06 *** david-lyle has joined #openstack-keystone
15:06 <alee> sure -- I'm following -- go on.
15:06 <ayoung> and provides a common schmear of authorization over those layers. Like a bagel
15:06 <ayoung> mmmm
15:07 <ayoung> so the users from Keystone's perspective get commonized
15:07 <ayoung> IPA is just one of those sources, but we want to use it to secure the infrastructure
15:07 <ayoung> so users like Barbican, Keystone, Nova, they all become IPA users
15:07 <morganfainberg> mornin
15:08 <ayoung> then those service users can do Kerberos/SASL protected operations
15:08 <ayoung> alee, it doesn't preclude having the human users in IPA
15:09 <ayoung> if we want to provide an additional mechanism for the human users in IPA getting a better degree of access control from a Barbican/KRA instance, I would treat that as an upgrade
15:09 *** thedodd has joined #openstack-keystone
15:09 <ayoung> not the default approach
15:09 <ayoung> alee, but you could do something like that with S4U2
15:10 <ayoung> It doesn't really make sense with the Keystone RBAC model.
15:11 <ayoung> But it really is no different than going direct to LDAP with your Kerberos credentials if you backed Keystone with FreeIPA...with the same ability to bypass the Application-level constraints
15:11 *** zzzeek has joined #openstack-keystone
15:12 *** jsavak has joined #openstack-keystone
15:12 <ayoung> alee, make sense?
15:13 <alee> so right now, heat would go to keystone and get a token, and present that token to barbican
15:14 <ayoung> yep
15:14 <alee> barbican would decide whether or not a user is permitted to get to the secret based on the contents of the token
15:14 *** joesavak has quit IRC
15:14 <ayoung> heat would go to keystone with its own identity and a trustid, and execute that trust, to get a token where the heatuser was the trustee and the originaluser was the trustor
15:14 *** jistr has quit IRC
15:14 <alee> and if so, would instruct kra through its trusted agent to go and get it.
15:15 <ayoung> barbican would look at the roles in the token
15:15 <ayoung> yep
15:15 <alee> so sure -- I still don't see how all this changes how things are happening now ..
15:15 <alee> other than ipa having a role in storing some service users
15:15 <ayoung> it doesn't. It's how things should work.
15:16 <alee> and is how things work right now ..
15:16 <alee> well from the barbican side of things in any case.
15:16 <ayoung> cool. my work here is done
15:17 <alee> the difficulty is when you try to inject ipa vault between barbican and kra
15:18 <ayoung> cuz that expects to operate on the IPA user, not the Barbican Agent
15:18 <alee> ayoung, right - we could do all this as a barbican agent -- but again - Why bother?
15:19 <ayoung> you could make a fine degree of control...
15:19 <ayoung> let's say that, for every project, one person owned the keys
15:19 <ayoung> but that would still not be the user making the request
15:20 <ayoung> alee, I suspect that you could make use of the IPA layer if you did something with s4u2
15:20 <ayoung> but you can't ignore the Keystone RBAC.
15:20 <openstackgerrit> Jamie Lennox proposed a change to openstack/python-keystoneclient: Expose version matching functions to the public  https://review.openstack.org/129935
15:20 <alee> ayoung, my point is that any policy related to getting the secrets is enforced at the barbican layer
15:21 <ayoung> Barbican should do whatever Keystone work is necessary. The protections should be additive
15:21 <ayoung> you could have multiple Barbicans
15:21 <ayoung> so each would have a separate IPA user
15:21 <ayoung> and B1 would not have access to secrets stored by B2
15:22 *** radez_g0n3 is now known as radez
15:22 <ayoung> Keystone would know about both endpoints, but they could be assigned via the endpoint filtering to separate projects, or even one project could know about both, but have reasons for putting things into different vaults
15:23 <ayoung> maybe one is considered "read only" from the keystone side, used just for escrow
15:25 <alee> so a single ipa with a single kra behind it for multiple barbicans ..
15:25 <alee> you could accomplish the same with multiple barbicans each with their own trusted agent in kra
15:26 <alee> and different domains in the kra
15:32 *** vb has quit IRC
15:34 *** samuelms__ has joined #openstack-keystone
15:36 <openstackgerrit> Alexander Makarov proposed a change to openstack/keystone: Trust redelegation  https://review.openstack.org/126897
15:37 *** samuelms_home has quit IRC
15:39 *** gyee has joined #openstack-keystone
15:40 *** marcoemorais has joined #openstack-keystone
15:43 *** jistr has joined #openstack-keystone
15:43 <amakarov> ayoung, hello! Can you please review my patch about redelegation? I've found a way to move delete logic to manager and wrote tests with chained trust. Any ideas about more test cases would be welcome!
15:45 *** nonameentername has joined #openstack-keystone
15:48 <ayoung> amakarov, looking now
15:49 <amakarov> ayoung, small fix on the way :) pep8 mostly
15:50 <openstackgerrit> Alexander Makarov proposed a change to openstack/keystone: Trust redelegation  https://review.openstack.org/126897
15:51 <amakarov> ayoung, done
15:52 *** gokrokve has quit IRC
15:55 *** NM has quit IRC
15:57 *** samuelms__ has quit IRC
15:58 <gyee> jamielennox, https://review.openstack.org/#/c/113735/, can you check to see if I have all your changes?
15:58 *** henrynash has joined #openstack-keystone
15:59 <jamielennox> gyee: that one's going to take a little looking into
15:59 *** lhcheng has joined #openstack-keystone
16:02 <gyee> jamielennox, I am afraid so, I can continue to work on it
16:02 *** Kieleth has joined #openstack-keystone
16:02 <gyee> but there are a bunch of test failures so far
16:02 *** cjellick has joined #openstack-keystone
16:03 <jamielennox> i only had it working in a fairly limited way
16:03 <jamielennox> and honestly there were probably some client changes that were made to get it there
16:04 <amakarov> bknudson, greetings! You asked for tests in https://review.openstack.org/#/c/125923/ I've just updated the existing fixture so it represents one more caveat now and tests fail without the proposed fix.
16:04 <bknudson> amakarov: I'm not a fan of it... maybe somebody else will think it's the right approach.
16:06 <bknudson> amakarov: a test for the specific situation would make it more obvious why the code is there and also why the test failed if the problem comes back.
16:08 <amakarov> bknudson, well, thank you for the point, anyway the fixture was incomplete... I'll add a specific test for this particular issue
16:08 <jamielennox> amakarov: hmm, it's a little change but it's a big assumption
16:10 <amakarov> jamielennox, we actually test installation over dozens of nodes now and it shows a couple of interesting effects :) Including the spoken issue
16:13 *** afazekas has quit IRC
16:14 *** NM has joined #openstack-keystone
16:14 <jamielennox> amakarov: i'm not sure your fixture change is correct either
16:14 <jamielennox> in the service catalog we don't group by region, but we do group by service_type
16:15 <jamielennox> you would expect only one 'compute' entry in the service catalog
16:15 <jamielennox> actually i would go so far as to say you must only have one entry per service_type in the catalog
16:16 <jamielennox> your change to the service_catalog and to the fixture are related, but if we assume the fixture is correct then i think the service_catalog is also correct
16:16 <amakarov> jamielennox, so there has to be some validation of the service_catalog structure?
16:17 <ayoung> amakarov, OK, so thought experiment: I need solum to do something for me. I create a trust where trustor is ayoung, trustee is solum. Later solum redelegates this to heat. Who is the trustor, and who is the trustee in this last trust? ayoung and heat?
16:18 <Kieleth> Hi keystonians, quick question: shouldn't "$ keystone tenant-get PROJECT_ID" provide information on the users who are members of this PROJECT_ID? Horizon provides this info nicely, but I cannot find similar in the cli.
16:18 <jamielennox> amakarov: i'm not sure where that validation would happen
16:18 <ayoung> amakarov, because I think that needs to be the case:
16:18 <jamielennox> maybe on keystone service-create
16:18 <ayoung> amakarov, tell you what, finish up with jamielennox then we can discuss
16:18 <jamielennox> so that service_type is unique
16:19 <amakarov> jamielennox, so it's to be decided I presume?
16:20 *** cjellick has quit IRC
16:20 <amakarov> ayoung, trustor is ayoung, trustee is heat, redelegated is trust ayoung -> solum
16:21 <jamielennox> i *think* you could put a unique constraint on service_type - though i'm not sure, the project endpoint binding is per endpoint not per service but i don't know what having multiple services in the catalog would mean
16:21 <ayoung> amakarov, heh, I think you reversed my example, but you are saying that the trustor stays the same in a redelegation?
16:21 <amakarov> ayoung, chain may be extracted in a single request
16:21 <amakarov> ayoung, yes
16:21 <jamielennox> i know it would break pretty much everything
16:22 <ayoung> amakarov, OK, that should work. All that needs to be valid for the intermediate users is the trust be valid. I am not certain, however, if we are checking that the intermediate users are still enabled.
16:23 <jamielennox> Kieleth: from memory getting users is keystone user-list --tenant-id PROJECT_ID
16:23 *** _cjones_ has joined #openstack-keystone
16:23 <amakarov> jamielennox, thank you, I've got the point. Let's return to it when I have the use case details, ok? :)
16:23 <ayoung> jamielennox, so, the MOC folks have been working on a proposal along the lines of clarifying which endpoint you mean when you do an operation and there are multiple endpoints for the service in the catalog:
16:23 <ayoung> instead of a uuid, you pass the URL. It's like RESTful and stuff
16:23 <jamielennox> ayoung: i'd be really interested to see a good proposal for the service catalog
16:24 <ayoung> jamielennox, it's not a service catalog change. It is basically a Nova change
16:24 <ayoung> since really, only Nova is responsible for working as a middleman talking to other services
16:24 <ayoung> I'd expect HEAT and Solum to follow suit, though
16:25 *** cjellick has joined #openstack-keystone
16:25 <amakarov> ayoung, thanks for the point about disabled intermediate users, I'll double-check if it's covered by tests
16:25 *** gokrokve has joined #openstack-keystone
16:26 <ayoung> it means that when you do a nova boot, instead of passing, say, the image id, you would pass the URL as returned by Glance. Then Nova would look at the image_id field and have to determine how to parse it
16:26 <jamielennox> ayoung: at some point quite a lot of flexibility was built into the catalog, and then there was never really consensus on the standard way to use it
16:26 <ayoung> amakarov, yeah, get_trust is on the right track, but you need an additional check. I think that the valid user check is done only in the token provider
16:27 <ayoung> jamielennox, I'm sure it makes sense to someone.
16:27 <jamielennox> sure, but if it's a change to how the service catalog works across multiple projects i'd expect/hope it came through keystoneclient
16:27 <ayoung> in this case, it was for a single project with ambiguous endpoints for the same service.
16:28 <jamielennox> i'm not sure why that would happen - if you've got a URL then you don't need a catalog
16:28 <ayoung> nova boot being the obvious starting point, but mounting from cinder a close second. And then there is a project that might need to talk to multiple neutrons
16:28 <jamielennox> anything that involves parsing data out of URLs is wrong
16:28 <ayoung> Correct
16:28 <ayoung> if you have a URL, you don't need a catalog
16:29 <ayoung> jamielennox, well, ideally, nova wouldn't parse, but would be able to make use of the URL as is:
16:29 <ayoung> in the case of glance, it would be GET {image_id}
16:30 *** aix has quit IRC
16:30 <ayoung> the only reason to parse is to determine if the value was a URL or a simple identifier
16:30 <ayoung> but you could also rename the attribute, and say either pass image_id or pass image_url
16:30 <ayoung> and then no parsing would be required
16:31 *** thedodd has quit IRC
16:31 *** lhcheng_ has joined #openstack-keystone
16:31 *** Dafna has quit IRC
16:32 <Kieleth> jamielennox, bingo! thanks
16:32 <ayoung> I could see a substring match for access control: if you have the image endpoint URL in the catalog, make sure that image_url.startswith(endpoint)
16:32 *** thedodd has joined #openstack-keystone
16:33 *** lhcheng has quit IRC
16:34 *** packet has joined #openstack-keystone
16:34 *** packet has quit IRC
16:34 *** packet has joined #openstack-keystone
16:38 <navid_> hi there
16:38 <navid_> i have an error for tox -epy27
16:38 <ayoung> jamielennox, what do you think of the idea that "get_projects" should be the Horizon authenticate call? Just always make that call.
16:38 <navid_> ERROR: InvocationError: '/opt/stack/python-keystoneclient/.tox/py27/bin/python setup.py testr --testr-args='
16:40 <ayoung> navid_, did you try recreating the venv in .tox?
16:40 <ayoung> it would be in .tox/py27
16:42 <jamielennox> ayoung: so you want to put a project list as part of the unscoped token?
16:45 *** dimsum_ is now known as dims
16:45 <ayoung> jamielennox, you know how you defer getting a token until the first call? Horizon always needs a project list, so do the project list right up front, and use that to force the authenticate; it will use the userid and password in the password plugin
16:46 <ayoung> jamielennox, here is the current logic: http://git.openstack.org/cgit/openstack/django_openstack_auth/tree/openstack_auth/backend.py#n115
16:46 <ayoung> I've rewritten it to use auth plugins, but the logic is unchanged, and I have the force_reauthenticate call in there
16:47 <jamielennox> oh, yea that's fine
16:47 <ayoung> jamielennox, it should make it easier to throw in the "always unscoped" flag in the future
16:51 <jamielennox> well it looks like even if it has a default project id you're going to fetch the list anyway so you may as well just do it there
16:54 <jamielennox> ugh, auth_token is just written so differently from everything else, can't figure out how to make the plugin work
16:55 <ayoung> jamielennox, dadgumit...we have no way of getting the user_id to do the project list
16:55 <jamielennox> i'm re-remembering all these fun things
16:56 <ayoung> jamielennox, need the semantics list_project?user=self
16:56 <jamielennox> yep, that's GET /auth/project
16:56 <navid_> ayoung, no i did not, will do, thanks
16:56 <ayoung> navid_, just a suggestion, no promise it will work
16:57 <ayoung> navid_, you working on the revocation events?
16:57 <navid_> ayoung, ok, yes the errors i got from the patch
16:57 <ayoung> navid_, so I got as far as realizing the issue was httpretty,
16:58 <ayoung> navid_, I was running individual tests like this:
16:58 <ayoung> . .tox/py27/bin/activate
16:58 <ayoung> then
16:59 <ayoung> testr run
16:59 <ayoung> and then adding additional args to bypass the test enumeration
16:59 *** cjellick has quit IRC
17:00 <ayoung> navid_, but that got me http://paste.openstack.org/show/122780/
17:00 *** cjellick has joined #openstack-keystone
17:00 <ayoung> navid_, so do a git show b487f946cd60a907174f550e08372d5907ca319f to see the commit where we yanked out httpretty
17:01 *** lhcheng_ has quit IRC
17:01 *** lhcheng has joined #openstack-keystone
17:01 <ayoung> mostly it is changes like
17:01 <ayoung> -        self.stub_url(httpretty.GET, [],
17:01 <ayoung> +        self.stub_url('GET', [],
17:01 <ayoung> navid_, but it should be pretty straightforward replacement.
17:01 *** packet has quit IRC
17:02 <ayoung> navid_, however, I think I want to dump the "tree" approach to revocation checking. No one understands that code except yoriksar
17:02 <ayoung> I think I want to go back to a recursive approach like I had in earlier iterations of my original server side patch
17:03 <ayoung> I think that code might still live in the tests...
17:04 <ayoung> navid_, here is one of the latest versions of the pre-tree approach: https://review.openstack.org/#/c/55908/60/keystone/contrib/revoke/model.py,cm
17:05 <ayoung> look at the "matches" method, and I think you will agree it is somewhat more comprehensible than the current "tree" based approach
17:05 <navid_> ayoung, so what would be the future of the bugs for deleting idp
17:06 <navid_> ayoung, is in your weblog
17:06 <ayoung> navid_, ah...I need to register a new spec, for linking from IdP to domains
17:06 <ayoung> but...ugh, it's a mess.
17:07 <ayoung> morganfainberg, dagnabit, you should have listened to me about IdPs always getting a domain
17:07 <ayoung> the current set up is such that we lose the originator IdP when we create a token
17:08 <morganfainberg> ayoung, :(
17:08 *** zigo has quit IRC
17:08 <ayoung> and right now, all IdPs go into the same domain. Which is the default
17:08 <morganfainberg> ayoung, yeah.
17:08 <morganfainberg> wait, when we rescope you mean?
17:08 <morganfainberg> or whenever we create a token?
17:08 *** zigo has joined #openstack-keystone
17:08 <ayoung> morganfainberg, mapping has no way to specify domain
17:08 <morganfainberg> because the latter *should* have IDP info in it
17:08 <morganfainberg> oh
17:08 <ayoung> so all federation has to go into the default domain
17:08 <morganfainberg> right
17:09 <ayoung> So if we disable an IdP...we are stuck
17:09 <ayoung> cuz we can't disable the default domain
17:09 <morganfainberg> uh, but don't we have the IDP info in the token?
17:09 <morganfainberg> so we revoke on IDP info
17:09 <ayoung> No
17:09 <morganfainberg> not domain
17:09 <morganfainberg> i thought we added that
17:09 <ayoung> it's not part of the token format
17:10 <ayoung> hmmm, is it in the federation extension?
17:10 <morganfainberg> https://github.com/openstack/keystone/blob/master/keystone/token/providers/common.py#L464-L475
17:11 <ayoung> saml2
17:11 <ayoung> morganfainberg, isn't that just for K2K?
17:11 <ayoung> if 'saml2' in method_names:
17:11 <morganfainberg> https://github.com/openstack/keystone/commit/986c3eb08aa019a5793074fd7bade83972135271
17:11 <ayoung> so we are ignoring all the other mechanisms?
17:12 <morganfainberg> i'm going to say that is supposed to be for all federation
17:12 <ayoung> Feh
17:12 <ayoung> yep
17:12 <morganfainberg> i still think IDPs should have had a domain each - but that ship may have sailed for the current conversation (would have made things easier)
17:12 <ayoung> yes
17:13 <ayoung> but if we get the IdP into the token, we can revoke on IdP id
17:13 <ayoung> and since it is there for SAML, we can move support for it into the mapping plugin
17:14 <morganfainberg> but we can revoke on IDP info (we really need to make revocation events work, even if they are only ever used internal to keystone, because the revocation list is icky and deletes are ... expensive since we keep having to add support for new first order columns to avoid table scans)
17:14 <morganfainberg> ayoung, ++
17:14 <ayoung> morganfainberg, I could see a case where one IdP has multiple domains, and we should be able to disable them all at once
17:14 <ayoung> morganfainberg, navid_ is working on that for us right now.
17:14 <morganfainberg> ayoung, well in the current model there are no domain constructs for "idps" so, not relevant
17:15 <morganfainberg> disabling the idp covers everything important
17:15 <ayoung> morganfainberg, we could hardcode a check into the token provider for just that filed
17:15 *** harlowja_away is now known as harlowja
17:15 <ayoung> field
17:15 <ayoung> if there is an IdP field in the token, look to make sure the IdP is not disabled or deleted
17:16 <morganfainberg> or we could finish revocation event support and use that instead of the delete/revoke-by-id thing we have.
17:16 <ayoung> <gonzo>oh sure, if you want to do things the easy way</gonzo>
17:16 <morganfainberg> ;)
17:16 <morganfainberg> ok, so i'm going to run and try and get breakfast.
17:17 <morganfainberg> if i'm running a bit late, feel free to start the meeting w/o me, skip the Blueprint review (we can circle up next week or at the end of the meeting) [ ayoung, dolphm ]
17:17 <ayoung> navid_, OK, so here's the steps:
17:17 <dolphm> morganfainberg: ack
17:17 <ayoung> get revocation events into the client
17:17 <ayoung> make the code readable
17:17 <morganfainberg> i *should* be back in time, but. you know how things go.
17:18 <ayoung> add in support for revoke by IdP as an optional field in the token
17:21 *** thedodd has quit IRC
17:24 *** radez is now known as radez_g0n3
17:24 <jamielennox> do we think that anyone would be purposefully forcing auth_token middleware to use v2.0 even when v3 is available?
17:25 <jamielennox> via the auth_version flag
17:25 <rodrigods> marekd, sorry, was afk. Yep, we have an icehouse federation deployment here
17:26 <jamielennox> and can i disable support for that using auth_plugins?
17:26 *** radez_g0n3 is now known as radez
17:27 *** amcrn has joined #openstack-keystone
17:34 <bknudson> jamielennox: if they had a problem with v3 for some reason then they'd want a way to use v2.
17:35 <ekarlso> jamielennox: u around ? :)
17:35 *** thedodd has joined #openstack-keystone
17:36 <jamielennox> bknudson: yea - but from my initial guess it seems broken
17:36 <jamielennox> ekarlso: yep
17:36 <ekarlso> jamielennox: when using an adapter towards an experimental api version
17:37 <ekarlso> it's not enough to LegacyJsonAdapter(version=(2)) ?
17:38 <jamielennox> ekarlso: you are already breaking new ground i think
17:38 <ekarlso> jamielennox: ?
17:38 <ekarlso> this is for designate
17:40 <jamielennox> ekarlso: why not?
17:40 <jamielennox> so version is based on the version reported by discovery so it does GET / and looks for what API versions are available
17:41 <jamielennox> if the status is marked as unstable in some way then it is ignored by default
17:41 <jamielennox> there is a flag somewhere...
17:41 *** zigo has quit IRC
17:41 *** zigo has joined #openstack-keystone
17:42 <ekarlso> jamielennox: yeah, you can specify version when creating the session
17:42 <ekarlso> but you can not pass that it's unstable :(
17:43 *** vejdmn has quit IRC
17:43 <jamielennox> sorry just thinking and you might be right
17:43 <jamielennox> actually i'm almost sure you are
17:43 <jamielennox> so there are a couple of flags when doing discovery
17:43 *** jistr has quit IRC
17:44 <jamielennox> yea
17:44 <jamielennox> https://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/_discover.py#L142
17:44 <jamielennox> has the flags you want
17:44 <ekarlso> yah
17:44 <ekarlso> but
17:44 <ekarlso> https://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/adapter.py#L29-L32
17:44 <ekarlso> does not :D
17:45 <openstackgerrit> Andreas Jaeger proposed a change to openstack/keystonemiddleware: Improve help strings  https://review.openstack.org/118048
17:45 <jamielennox> you would need to pass them through here: https://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/auth/identity/base.py#L212
17:46 <ekarlso> sounds a bit awkward jamielennox
17:46 <jamielennox> yuk - i don't know what that does to the cache
17:47 *** vejdmn has joined #openstack-keystone
17:47 <ekarlso> jamielennox: wouldn't the best thing be if there was a thing in the version= that allowed it to be marked as unstable ?
17:48 <jamielennox> yea, the best thing would be if the discovery object had all the values in it
17:48 <stevemar> can i get another +2/+A here: https://review.openstack.org/#/c/118048/ tis a simple change to help strings for our doc folks
17:48 <jamielennox> then when you did a url_for you could specify unstable=True
17:48 <ekarlso> uh, jamielennox url_for ?
17:49 <ekarlso> I am just taking a session, wrapping in an adapter where version etc is specified
17:49 *** david-lyle has quit IRC
17:49 <ekarlso> seems to be that version=() should be able to take unstable or not ?
17:49 <ekarlso> or an unstable=True to adapter
17:49 <jamielennox> then we could just add those parameters to the adapter or to the auth plugin itself
17:49 <jamielennox> however it doesn't work that way i think
17:49 <jamielennox> ekarlso: oh - wait
17:49 *** david-lyle has joined #openstack-keystone
17:50 <jamielennox> ekarlso: yea i'm looking deeper than that to where the discovery is happening
17:50 <jamielennox> if we add unstable= to the endpoint_filter will it work
17:51 <jamielennox> stevemar: done
17:52 <marekd> rodrigods: ok, nevermind, i solved my issue.
17:54 <jamielennox> ekarlso: good news, it shouldn't be hard to do
17:54 <jamielennox> but there's nothing that allows it yet
17:54 <openstackgerrit> Lance Bragstad proposed a change to openstack/keystone: Remove XML support  https://review.openstack.org/125738
17:55 <jamielennox> umm, i guess it can be added fairly easily to the adapter and hence the client - that would seem to be the place that makes the most sense
17:56 <jamielennox> ekarlso: so, add the allow_experimental etc flags to https://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/auth/identity/base.py#L151
17:56 <jamielennox> pass them through here: https://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/auth/identity/base.py#L222
17:56 *** jistr has joined #openstack-keystone
17:56 <ekarlso> jamielennox: pass through where ?
17:57 <jamielennox> then add them to the adapter here: https://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/adapter.py#L72
17:57 <jamielennox> to the url_for function
17:58 <stevemar> jamielennox, you are up too early
17:58 <stevemar> or up too late
17:59 *** bobt has joined #openstack-keystone
17:59 <jamielennox> it's the default arguments to url_for that are blocking you
17:59 *** bobt has quit IRC
17:59 <jamielennox> i'm hanging out in Brno till summit
17:59 <jamielennox> so up too late, but not that bad
18:00 <jamielennox> this is how i've been here all day :)
18:00 <dolphm> morganfainberg: back?
18:00 <marekd> jamielennox: you are in Europe?
18:00 <morganfainberg> Almost start the meeting
18:00 <jamielennox> yea
18:01 <morganfainberg> Be at my desk in a few but I'm listening.
18:01 <marekd> jamielennox: working "remotely" or still holiday?
18:01 *** marcoemorais has quit IRC
18:01 <marekd> jamielennox: i thought you wanted to catch up and worked 24/24 for last few days :P
18:01 *** marcoemorais has joined #openstack-keystone
18:02 *** marcoemorais has quit IRC
18:02 *** marcoemorais has joined #openstack-keystone
18:03 *** marcoemorais has quit IRC
18:04 *** marcoemorais has joined #openstack-keystone
18:07 *** vejdmn has quit IRC
18:07 *** vejdmn has joined #openstack-keystone
18:10 *** afaranha has left #openstack-keystone
18:10 *** marcoemorais has quit IRC
18:14 *** radez is now known as radez_g0n3
18:15 *** radez_g0n3 is now known as radez
18:18 *** marcoemorais has joined #openstack-keystone
18:21 <ekarlso> jamielennox: grrr, why so hard :(
18:22 <ekarlso> jamielennox: that means there's no way to use discovery towards unstable then in released versions of keystoneclient ?
18:23 *** thedodd has quit IRC
18:24 <morganfainberg> jamielennox, post meeting need to sync up on some client stuff with you
18:24 <morganfainberg> jamielennox, if you have time
18:25 *** jamielennox_ has joined #openstack-keystone
18:26 <ekarlso> jamielennox: shouldn't all the allow_* stuff be passable all the way down ?
18:26 <jamielennox_> ekarlso: yep
18:27 <jamielennox_> there's 3
18:31 *** jistr has quit IRC
18:33 *** marcoemorais has quit IRC
18:33 *** marcoemorais has joined #openstack-keystone
18:33 <alee> ayoung, can I have comments on https://review.openstack.org/#/c/127353/1/specs/kilo/add-per-secret-policy.rst,cm ?
ayoungalee, will look right after keystone meeting18:33
aleeayoung, thanks18:34
*** meker12 has joined #openstack-keystone18:35
*** marcoemorais has quit IRC18:36
*** marcoemorais has joined #openstack-keystone18:36
*** jamielennox has quit IRC18:38
jamielennox_ekarlso: allow_* should probably be passed through: https://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/auth/identity/generic/base.py#L143 as well18:41
18:43 *** radez is now known as radez_g0n3
18:44 *** marcoemorais has quit IRC
18:44 *** marcoemorais has joined #openstack-keystone
18:44 <openstackgerrit> Steve Martinelli proposed a change to openstack/pycadf: Use correct name of oslo debugger script  https://review.openstack.org/130000
18:51 *** sigmavirus24 is now known as sigmavirus24_awa
18:52 *** sigmavirus24_awa is now known as sigmavirus24
18:55 <ekarlso> jamielennox_: have your generic changes gone in btw ? :)
18:55 <jamielennox_> ekarlso: yep
18:56 <ekarlso> jamielennox_: but not released yet ?
18:56 <jamielennox_> ekarlso: yea, i think they were in the last release
18:57 <jamielennox_> 0.11
18:57 *** thedodd has joined #openstack-keystone
18:58 *** ks-untriaged-bot has joined #openstack-keystone
18:58 <ks-untriaged-bot> Untriaged bugs for project keystone:
18:58 <ks-untriaged-bot> https://bugs.launchpad.net/keystone/+bug/1381961
18:58 <uvirtbot> Launchpad bug 1381961 in keystone "Keystone API GET 5000/v3 returns wrong endpoint URL in response body" [Low,Confirmed]
18:58 <ks-untriaged-bot> https://bugs.launchpad.net/keystone/+bug/1383676
18:58 <uvirtbot> Launchpad bug 1383676 in keystone "endless loop when deleting region" [High,New]
18:58 <ks-untriaged-bot> Untriaged bugs for project keystonemiddleware:
18:58 <ks-untriaged-bot> https://bugs.launchpad.net/keystonemiddleware/+bug/1383853
18:58 <uvirtbot> Launchpad bug 1383853 in keystonemiddleware "auth_token middleware hard coded to check for version 3.0" [Undecided,New]
18:58 <ks-untriaged-bot> Untriaged bugs for project python-keystoneclient:
18:58 <ks-untriaged-bot> https://bugs.launchpad.net/python-keystoneclient/+bug/1377080
18:58 <ks-untriaged-bot> https://bugs.launchpad.net/python-keystoneclient/+bug/1372710
18:58 <uvirtbot> Launchpad bug 1377080 in python-keystoneclient "Stale endpoint selection logic in keystone client" [Undecided,In progress]
18:58 <uvirtbot> Launchpad bug 1372710 in python-keystoneclient "cfn-push-stats fails to authenticate" [Undecided,Incomplete]
18:58 <ks-untriaged-bot> https://bugs.launchpad.net/python-keystoneclient/+bug/1334382
18:58 <uvirtbot> Launchpad bug 1334382 in horizon "API endpoint service names are not translated" [Low,Confirmed]
18:58 <ks-untriaged-bot> https://bugs.launchpad.net/python-keystoneclient/+bug/1357567
18:58 <uvirtbot> Launchpad bug 1357567 in python-keystoneclient "auth_ref caching/retrieving is failing - user needs to provide password for every command" [Undecided,New]
18:58 *** ks-untriaged-bot has quit IRC
18:59 <openstackgerrit> henry-nash proposed a change to openstack/keystone-specs: Make assignments pluggable.  https://review.openstack.org/129397
18:59 <ayoung> alee, I want to make trusts less heavy handed, but I need something like this: https://review.openstack.org/#/c/123726/
19:00 <henrynash> morganfainberg: fyi, here's hopefully a trivial bp for next time we review: https://blueprints.launchpad.net/keystone/+spec/remove-role-metadata
19:00 <morganfainberg> henrynash, next week
19:00 <henrynash> morganfainberg: ok
19:00 <morganfainberg> henrynash, i should have everything cleaned up so we can review untargeted/new/etc
19:00 <jamielennox_> ayoung: that's essentially the policy based tokens i've been talking about - just in selective situations
19:02 <ayoung> jamielennox_, yeah.  I think the net effect would be very similar.  Mine would essentially leave RBAC in place.  I also have the inherited roles Spec that would make it possible to go more granular as well.
19:03 <jamielennox_> ayoung: it wouldn't kill RBAC, it would just change it around and make it resolved by the server rather than fetched
19:05 <jamielennox_> i was catching up on the ML and it seems a fairly similar idea to morganfainberg's
19:05 <jamielennox_> i ran something like this by him ages ago, but i still think it's doable and the right way forward - i just don't know what it does to PKI
19:07 *** jamielenz has joined #openstack-keystone
19:07 *** jamielenz is now known as jamielennox
19:08 <ayoung> jamielennox_, well, one thing that we currently do is split up the token population from the policy rules. Putting it all in the token would essentially make the policy kind of irrelevant
19:09 <ayoung> I'd almost see it as a two step process:  check 1 can this user do this? check 2 can this token do this?
19:10 *** jistr has joined #openstack-keystone
19:10 <ayoung> if in effect it does mean that any non-enumerated operation would be denied
19:10 <ayoung> so you do want to be able to say "allow any operation" but have that constrained by the service still to not mean Admin operations
19:14 *** radez_g0n3 is now known as radez
19:15 *** _cjones_ has quit IRC
19:15 *** ayoung has quit IRC
19:15 *** _cjones_ has joined #openstack-keystone
19:16 <morganfainberg> jamielennox, unrelated to Keystone stuff, you convinced me, octopress + github = win
19:17 <openstackgerrit> David Stanek proposed a change to openstack/keystone: Deprecates catalog substitution from config files  https://review.openstack.org/130013
19:17 <jamielennox_> morganfainberg: :) - i'd look at pelican as well as my ruby is a bit rusty but yea
19:17 <jamielennox_> i like doing blogs in vim
19:17 <jamielennox_> and git
19:17 <morganfainberg> jamielennox, nah, i'm a fan of the git model
19:18 <morganfainberg> jamielennox, or is it jamielennox_
19:18 <morganfainberg> :P
19:18 <morganfainberg> one of them is an imposter!
19:18 <jamielennox_> the bouncer i have set up is really unreliable and laggy, not sure if it's location based or something went wrong
19:19 <ekarlso> jamielennox_: why not just turn allow into a dict ?
19:20 <ekarlso> instead of the 3 diff opts
19:20 *** _cjones_ has quit IRC
19:22 <jamielennox_> ekarlso: you could, i don't know if it's better - it's already in the endpoint_filter dict so it is separated from the normal options
19:22 <ekarlso> jamielennox_: what do you think is best ?
19:23 <jamielennox_> ekarlso: i'd be inclined to keep the 3 options, the setdefault flow we've got will continue to work that way and we don't need to worry about cloning input dictionaries or anything
19:24 <jamielennox_> (ie we're not supposed to modify provided dictionaries so we'd have to clone the dict before we made changes to it)
19:24 <gyee> jamielennox_, can you chime in on https://review.openstack.org/#/c/128786/ whenever you have a chance?
19:24 <gyee> David's trying to add the timing functionality back to Nova since session does not support it
19:24 <jamielennox_> gyee: ah - how's that going - did he merge the CLI stuff?
19:25 <jamielennox_> it should be easy to add with a subclass, it's the keyring stuff which will be really hard
19:25 <gyee> jamielennox_, not yet, still working through the nova folks
19:26 <ekarlso> which cli stuff ?
19:27 *** thedodd has quit IRC
19:30 *** thedodd has joined #openstack-keystone
19:30 <jamielennox_> gyee: that's taking a while (largely my fault)
19:31 <jamielennox_> ekarlso: this is trying to convert the nova cli to use all the new plugins and still be compatible with all the old options
19:31 <jamielennox_> designate shouldn't be too bad there
19:31 <jamielennox_> and actually i was helping arosen with the congress client before i left - it's really quite pretty when you get to start from scratch
19:32 <jamielennox_> ^ /cc gyee
19:33 *** packet has joined #openstack-keystone
19:35 *** packet has quit IRC
19:36 <openstackgerrit> Alexander Makarov proposed a change to openstack/keystone: PKI and PKIZ tokens unnecessary whitespace removed  https://review.openstack.org/120043
19:36 <jamielennox_> night all
19:37 *** jamielennox_ has quit IRC
19:38 *** jamielennox has quit IRC
19:42 *** gyee has quit IRC
19:42 <openstackgerrit> Alexander Makarov proposed a change to openstack/python-keystoneclient: Endpoint selection logic fix  https://review.openstack.org/125923
19:45 *** _cjones_ has joined #openstack-keystone
19:46 *** amakarov is now known as amakarov_away
19:48 *** afaranha has joined #openstack-keystone
19:54 *** amcrn has quit IRC
19:59 *** boris-42 has quit IRC
20:01 *** jistr has quit IRC
20:03 *** joesavak has joined #openstack-keystone
20:04 *** david-lyle has quit IRC
20:06 *** jsavak has quit IRC
20:08 *** topol has quit IRC
20:15 *** david-lyle has joined #openstack-keystone
20:16 *** ayoung has joined #openstack-keystone
20:18 *** jamielennox has joined #openstack-keystone
20:20 *** r1chardj0n3s_afk is now known as r1chardj0n3s
20:24 *** meker12 has quit IRC
20:27 *** meker12 has joined #openstack-keystone
20:28 <openstackgerrit> Steve Martinelli proposed a change to openstack/python-keystoneclient: Use oslo_debug_helper and remove our own version  https://review.openstack.org/120104
20:28 *** nellysmitt has quit IRC
20:30 *** ayoung has quit IRC
20:32 *** boris-42 has joined #openstack-keystone
20:34 <ekarlso> jamielennox: u up still ? :D
20:36 *** flaviamissi has quit IRC
20:41 *** jamielennox has quit IRC
20:42 *** ukalifon1 has quit IRC
20:45 *** ayoung has joined #openstack-keystone
20:46 *** radez is now known as radez_g0n3
20:47 *** ayoung has quit IRC
20:47 *** ayoung has joined #openstack-keystone
20:54 <ekarlso> morganfainberg: you know the change about the new plugins stuff on clients ?
20:54 <morganfainberg> which change?
20:55 *** gyee has joined #openstack-keystone
20:58 *** NM has quit IRC
21:01 <ekarlso> gyee: you know what changes jamie was talking about wrt novaclient or so and the new plugins ?
21:02 <gyee> ekarlso, it's the nova to neutron part
21:03 <gyee> ekarlso, https://review.openstack.org/#/c/113735/
21:03 <gyee> that patch still needs quite a bit of work
21:15 *** packet has joined #openstack-keystone
21:15 *** packet has quit IRC
21:15 *** packet has joined #openstack-keystone
21:16 *** packet has quit IRC
21:16 *** packet has joined #openstack-keystone
21:17 <openstackgerrit> A change was merged to openstack/keystonemiddleware: Revert "Support service user and project in non-default domain"  https://review.openstack.org/129551
21:44 *** henrynash has quit IRC
21:50 <openstackgerrit> Steve Martinelli proposed a change to openstack/keystone-specs: Clean up the comments in CADF everywhere spec  https://review.openstack.org/130043
21:53 <openstackgerrit> Steve Martinelli proposed a change to openstack/keystone: Use correct name of oslo debugger script  https://review.openstack.org/130045
21:54 *** amcrn has joined #openstack-keystone
21:54 <openstackgerrit> Steve Martinelli proposed a change to openstack/keystonemiddleware: Use correct name of oslo debugger script  https://review.openstack.org/130046
22:01 <openstackgerrit> Lance Bragstad proposed a change to openstack/keystone-specs: Add blueprint for Authenticated Encryption Tokens  https://review.openstack.org/130050
22:02 <rodrigods> marekd, it worked!!! \o/
22:03 <rodrigods> stevemar, k2k ^
22:03 <stevemar> bknudson, question about requirements for oslotest
22:03 <stevemar> rodrigods, holy crap, that's awesome
22:03 <stevemar> rodrigods, give us screen shots, logs, everything!
22:03 <rodrigods> stevemar, ++ blog post with a tutorial as well
22:04 *** vejdmn has quit IRC
22:04 <stevemar> bknudson, since it was a minor version change 1.1.0 -> 1.2.0 tox will automatically install 1.2.0, so there isn't really a *need* to update it right?
22:05 <bknudson> stevemar: yes, since somebody might use 1.1.0 and it would fail
22:05 <openstackgerrit> Lance Bragstad proposed a change to openstack/keystone: Remove XML support  https://review.openstack.org/125738
22:05 <stevemar> bknudson, rm -rf .tox/debug and re-run :P
22:05 <bknudson> stevemar: not everybody is using tox
22:05 *** gokrokve has quit IRC
22:05 <stevemar> bknudson, they should be!
22:06 <stevemar> alright, i propose to requirements
22:06 <stevemar> they are just so slow
22:06 <bknudson> stevemar: packagers like us don't use tox.
22:06 <bknudson> since we want to test with the packages that we ship
22:08 *** gordc has quit IRC
22:12 *** bknudson has quit IRC
22:13 *** david-lyle has quit IRC
22:15 *** david-lyle has joined #openstack-keystone
22:17 *** mrmoje has joined #openstack-keystone
22:18 *** alee has quit IRC
22:19 *** wwriverrat has joined #openstack-keystone
22:21 *** wwriverrat2 has joined #openstack-keystone
22:21 *** wwriverrat2 has left #openstack-keystone
22:24 *** wwriverrat has quit IRC
22:35 *** dims_ has joined #openstack-keystone
22:36 *** dims_ has quit IRC
22:36 *** dims_ has joined #openstack-keystone
22:38 *** dims has quit IRC
22:45 *** soren has joined #openstack-keystone
22:46 *** thedodd has quit IRC
22:47 <soren> I'm trying to debug a permissions problem in Nova. The policy.json allows a particular operation to users who match "is_admin:True". I'm trying to understand when that might be met.
22:47 *** mrmoje has quit IRC
22:47 <soren> As far as I can tell, is_admin is only True when I've authenticated with the special admin token. Is that accurate?
22:48 *** gokrokve has joined #openstack-keystone
22:49 <stevemar> soren, i think it's also true when the user has a role of 'admin'
22:49 <soren> stevemar: Is the "admin" role name special?
22:50 <soren> I don't think so.
22:50 <soren> Lots of policy.json rules specify things like: ./etc/policy.json:    "admin_required": [["role:admin"], ["is_admin:1"]],
22:50 <soren> If they were equivalent, there'd be no need to specify both?
22:53 <stevemar> soren, oh yeah, you are right, it's admin required that has the role condition
22:53 <stevemar> i think is_admin is only set if using the admin token
22:55 <soren> That's my feeling, too.
22:56 <soren> That's very confusing, though.
22:56 <soren> Nova has a *lot* of operations that are restricted to is_admin:True.
22:56 <stevemar> soren, it's keystone, it wouldn't be right if it wasn't confusing
22:56 <stevemar> soren, sounds like a bug in Nova's default policy then
22:56 <soren> Are people seriously using the admin token for anything other than backdoors to create the initial users?
22:57 <soren> Good grief.
22:57 <morganfainberg> well that wasn't nearly as painful as it could have been.
23:05 *** joesavak has quit IRC
23:07 *** alee has joined #openstack-keystone
23:09 *** huats_ has quit IRC
23:12 *** _cjones_ has quit IRC
23:12 *** _cjones_ has joined #openstack-keystone
23:12 *** huats_ has joined #openstack-keystone
23:12 *** huats_ has quit IRC
23:12 *** huats_ has joined #openstack-keystone
23:17 *** _cjones_ has quit IRC
23:22 *** _cjones_ has joined #openstack-keystone
23:30 *** david-lyle has quit IRC
23:47 *** zzzeek has quit IRC
23:47 *** NM has joined #openstack-keystone
23:52 *** sigmavirus24 is now known as sigmavirus24_awa
23:53 *** jamielennox has joined #openstack-keystone

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!