Friday, 2014-10-24

*** oomichi__ has quit IRC00:02
*** dims_ has joined #openstack-keystone00:03
*** dims_ has quit IRC00:06
*** dims_ has joined #openstack-keystone00:06
*** thiagop has quit IRC00:07
*** dims has quit IRC00:07
*** _cjones_ has joined #openstack-keystone00:09
*** diegows has joined #openstack-keystone00:10
*** _cjones_ has quit IRC00:10
*** _cjones_ has joined #openstack-keystone00:11
*** _cjones_ has quit IRC00:15
*** tellesnobrega_ has joined #openstack-keystone00:16
*** HenryG has quit IRC00:18
*** cjellick has quit IRC00:21
*** gyee has quit IRC00:22
openstackgerritDavid Stanek proposed a change to openstack/keystone: Adds missing log hints for level E/I/W
openstackgerritDavid Stanek proposed a change to openstack/keystone: Extends hacking check for logging to verify i18n hints
openstackgerritDavid Stanek proposed a change to openstack/keystone: Fixes aggressive use of translation hints
*** alee_on_way_home has joined #openstack-keystone00:27
*** tellesnobrega_ has quit IRC00:27
openstackgerritBrant Knudson proposed a change to openstack/keystone: Remove nonexistant param from docstring
*** raildo_ has joined #openstack-keystone00:32
*** tellesnobrega_ has joined #openstack-keystone00:38
*** jacer_huawei has quit IRC00:42
openstackgerritBrant Knudson proposed a change to openstack/keystone: Move check_output and git() to test utils
*** tellesnobrega_ has quit IRC00:47
openstackgerritBrant Knudson proposed a change to openstack/keystonemiddleware: Remove netaddr package requirement
*** marcoemorais has quit IRC00:52
*** tellesnobrega_ has joined #openstack-keystone00:58
*** jacer_huawei has joined #openstack-keystone00:59
openstackgerritBrant Knudson proposed a change to openstack/keystone: Add fileutils module
*** alex_xu has quit IRC01:01
*** oomichi has quit IRC01:02
openstackgerritA change was merged to openstack/keystone: PKI and PKIZ tokens unnecessary whitespace removed
openstackgerritA change was merged to openstack/keystone: Move unit tests from test_backend_ldap
*** alee_on_way_home is now known as alee01:13
*** k-kosaka has joined #openstack-keystone01:21
openstackgerritwanghong proposed a change to openstack/keystone: remove assignments for foreign actors when deleting domain
*** topol has joined #openstack-keystone01:24
*** david-lyle has joined #openstack-keystone01:28
*** david-lyle has quit IRC01:32
*** diegows has quit IRC01:40
openstackgerritKenjiro Kosaka proposed a change to openstack/keystone: Identity endpoint in tools/ changed versioned url to unversioned url
openstackgerritBrant Knudson proposed a change to openstack/keystone: Add fileutils module
openstackgerritBrant Knudson proposed a change to openstack/keystone: Sync modules from oslo-incubator
openstackgerritBrant Knudson proposed a change to openstack/keystone: Sync modules from oslo-incubator
*** lhcheng has quit IRC02:08
openstackgerritBrant Knudson proposed a change to openstack/keystone: Sync modules from oslo-incubator
openstackgerritBrant Knudson proposed a change to openstack/keystone: test_utils use jsonutils from oslo.serialization
*** harlowja is now known as harlowja_away02:23
openstackgerritBrant Knudson proposed a change to openstack/keystone: Sync modules from oslo-incubator
openstackgerritBrant Knudson proposed a change to openstack/keystone: test_utils use jsonutils from oslo.serialization
*** david-lyle has joined #openstack-keystone02:29
*** NM has joined #openstack-keystone02:33
*** david-lyle has quit IRC02:33
*** raildo_ has quit IRC02:37
openstackgerritBrant Knudson proposed a change to openstack/keystone: Sync modules from oslo-incubator
*** richm has quit IRC02:47
*** mrmoje has quit IRC02:49
*** dims_ has quit IRC02:56
*** dims has joined #openstack-keystone02:57
*** dims has quit IRC03:01
*** esp has left #openstack-keystone03:08
*** tellesnobrega_ has quit IRC03:10
*** NM has quit IRC03:12
*** afazekas has quit IRC03:19
*** _afazekas has quit IRC03:19
*** david-lyle has joined #openstack-keystone03:19
*** sigmavirus24 is now known as sigmavirus24_awa03:20
*** topol has quit IRC03:21
*** jacer_huawei has quit IRC03:23
*** breton_ is now known as breton03:28
*** alex_xu has joined #openstack-keystone03:28
*** jacer_huawei has joined #openstack-keystone03:36
*** david-lyle has quit IRC03:36
*** afazekas has joined #openstack-keystone03:39
*** marcoemorais has joined #openstack-keystone03:49
*** marcoemorais has quit IRC03:56
*** lhcheng has joined #openstack-keystone04:05
*** david-lyle has joined #openstack-keystone04:07
*** HenryG has joined #openstack-keystone04:10
*** david-lyle has quit IRC04:13
*** oomichi has joined #openstack-keystone04:24
openstackgerritSteve Martinelli proposed a change to openstack/keystone: try removing oslo.config
*** lhcheng_ has joined #openstack-keystone05:04
*** lhcheng has quit IRC05:07
*** lhcheng_ is now known as lhcheng05:07
*** vsilva is now known as victsou05:09
*** victsou is now known as vsilva05:11
openstackgerritSteve Martinelli proposed a change to openstack/keystone: Use new oslo.config generator
*** vsilva is now known as victsou05:22
*** victsou is now known as vsilva05:22
*** vsilva is now known as victsou05:23
*** victsou is now known as vsilva05:24
openstackgerritSteve Martinelli proposed a change to openstack/keystone: Use new oslo.config generator
*** gokrokve has joined #openstack-keystone05:28
*** gokrokve has quit IRC05:28
*** gokrokve has joined #openstack-keystone05:29
*** amcrn has quit IRC05:34
*** gokrokve has quit IRC05:41
*** gokrokve has joined #openstack-keystone05:42
*** vsilva is now known as victsou05:51
*** victsou is now known as vsilva05:52
*** gokrokve has quit IRC06:02
*** gokrokve has joined #openstack-keystone06:02
*** r1chardj0n3s is now known as r1chardj0n3s_afk06:06
*** gokrokve has quit IRC06:23
*** mrmoje has joined #openstack-keystone06:28
*** gokrokve_ has joined #openstack-keystone06:32
*** gokrokve_ has quit IRC06:32
*** harlowja_away has quit IRC06:47
*** raildo has quit IRC06:47
*** f13o has quit IRC06:47
*** vsilva has quit IRC06:47
*** DavidHu__ has quit IRC06:47
*** jorge_munoz has quit IRC06:47
*** anteaya has quit IRC06:47
*** dhellmann has quit IRC06:47
*** oomichi has quit IRC06:47
*** aix has quit IRC06:47
*** mitz_ has quit IRC06:47
*** Guest28430 has quit IRC06:47
*** morganfainberg has quit IRC06:47
*** d0ugal has quit IRC06:47
*** marekd|away is now known as marekd06:48
*** rwsu_ has quit IRC06:48
*** rwsu_ has joined #openstack-keystone06:49
*** oomichi has joined #openstack-keystone07:00
*** aix has joined #openstack-keystone07:00
*** jorge_munoz has joined #openstack-keystone07:00
*** mitz_ has joined #openstack-keystone07:00
*** Guest28430 has joined #openstack-keystone07:00
*** morganfainberg has joined #openstack-keystone07:00
*** anteaya has joined #openstack-keystone07:00
*** d0ugal has joined #openstack-keystone07:00
*** dhellmann has joined #openstack-keystone07:00
*** vb has quit IRC07:07
*** vb has joined #openstack-keystone07:07
*** mrmoje has quit IRC07:09
openstackgerritMarek Denis proposed a change to openstack/python-keystoneclient: Create a framework for federation plugins
*** nellysmitt has joined #openstack-keystone07:15
*** andreaf has quit IRC07:16
*** harlowja_away has joined #openstack-keystone07:16
*** raildo has joined #openstack-keystone07:16
*** f13o has joined #openstack-keystone07:16
*** vsilva has joined #openstack-keystone07:16
*** DavidHu__ has joined #openstack-keystone07:16
*** andreaf has joined #openstack-keystone07:16
*** andreaf has quit IRC07:28
*** harlowja_away has quit IRC07:28
*** raildo has quit IRC07:28
*** f13o has quit IRC07:28
*** vsilva has quit IRC07:28
*** DavidHu__ has quit IRC07:29
*** jorge_munoz has quit IRC07:29
*** anteaya has quit IRC07:29
*** dhellmann has quit IRC07:29
*** oomichi has quit IRC07:29
*** aix has quit IRC07:29
*** mitz_ has quit IRC07:29
*** Guest28430 has quit IRC07:29
*** morganfainberg has quit IRC07:29
*** d0ugal has quit IRC07:29
*** andreaf has joined #openstack-keystone07:32
*** d0ugal has joined #openstack-keystone07:32
*** morganfainberg has joined #openstack-keystone07:32
*** Guest28430 has joined #openstack-keystone07:32
*** mitz_ has joined #openstack-keystone07:32
*** aix has joined #openstack-keystone07:32
*** oomichi has joined #openstack-keystone07:32
*** harlowja_away has joined #openstack-keystone07:32
*** raildo has joined #openstack-keystone07:32
*** f13o has joined #openstack-keystone07:32
*** vsilva has joined #openstack-keystone07:32
*** DavidHu__ has joined #openstack-keystone07:32
*** lbragstad has quit IRC07:36
*** lbragstad has joined #openstack-keystone07:36
*** oomichi has quit IRC07:36
*** aix has quit IRC07:36
*** mitz_ has quit IRC07:36
*** Guest28430 has quit IRC07:36
*** morganfainberg has quit IRC07:36
*** d0ugal has quit IRC07:36
*** jorge_munoz has joined #openstack-keystone07:37
*** anteaya has joined #openstack-keystone07:37
*** dhellmann has joined #openstack-keystone07:37
*** Guest351 has joined #openstack-keystone07:39
*** Guest351 has quit IRC07:39
*** oomichi has joined #openstack-keystone07:40
*** aix has joined #openstack-keystone07:40
*** mitz_ has joined #openstack-keystone07:40
*** Guest28430 has joined #openstack-keystone07:40
*** morganfainberg has joined #openstack-keystone07:40
*** mitz_ has quit IRC07:40
*** dmatthews__ has joined #openstack-keystone07:40
*** mitz_ has joined #openstack-keystone07:42
*** dmatthews__ is now known as d0ugal07:46
*** d0ugal has quit IRC07:46
*** d0ugal has joined #openstack-keystone07:46
*** lhcheng has quit IRC08:15
*** jistr has joined #openstack-keystone08:21
*** oomichi has quit IRC08:26
*** andreaf has quit IRC08:32
*** andreaf has joined #openstack-keystone08:32
openstackgerritJamie Lennox proposed a change to openstack/python-keystoneclient: Prevent AttributeError if no authorization
*** andreaf has quit IRC08:55
*** andreaf has joined #openstack-keystone08:55
*** alex_xu has quit IRC08:58
*** k-kosaka has quit IRC09:04
marekdmhu: U on Twitter?09:23
mhumarekd, no, I don't check it enough to justify an account :)09:24
openstackgerritwanghong proposed a change to openstack/keystone: unnecessary checks in assignment/
openstackgerritwanghong proposed a change to openstack/keystone: remove unnecessary checks in assignment/
marekdhmmm, i remember there was something09:50
marekdwhere osc was not recognizing09:50
marekdall auth plugins09:50
marekddo you remember how it was fixed?09:50
*** lsmola has quit IRC09:53
*** arunkant has quit IRC09:53
*** htruta has quit IRC09:53
*** wpf has quit IRC09:53
*** gsilvis has quit IRC09:53
*** lsmola has joined #openstack-keystone09:53
*** arunkant has joined #openstack-keystone09:53
*** htruta has joined #openstack-keystone09:53
*** wpf has joined #openstack-keystone09:53
*** gsilvis has joined #openstack-keystone09:53
mhumarekd, IIRC it was because lxml wasn't installed09:54
mhuthe *saml auth plugins are in contrib so dependencies are not in requirements.txt09:55
*** andreaf has quit IRC09:55
*** aix has quit IRC09:55
*** Guest28430 has quit IRC09:55
*** morganfainberg has quit IRC09:55
*** andreaf has joined #openstack-keystone09:56
*** aix has joined #openstack-keystone09:56
*** Guest28430 has joined #openstack-keystone09:56
*** morganfainberg has joined #openstack-keystone09:56
*** samuelms has quit IRC09:58
*** xianghui has quit IRC09:58
*** jamiec has quit IRC09:58
*** csd has quit IRC09:58
*** ekarlso has quit IRC09:58
*** rharwood has quit IRC09:58
*** rodrigods has quit IRC09:58
*** palendae has quit IRC09:58
*** rodrigods has joined #openstack-keystone09:59
*** samuelms has joined #openstack-keystone09:59
*** xianghui has joined #openstack-keystone09:59
*** jamiec has joined #openstack-keystone09:59
*** csd has joined #openstack-keystone09:59
*** ekarlso has joined #openstack-keystone09:59
*** rharwood has joined #openstack-keystone09:59
*** palendae has joined #openstack-keystone09:59
marekdmhu: yes yes yes yes :D09:59
mhumarked: this is going to be documented in OSC man page, this sounds like a problem that's going to be recurring :)10:00
*** andreaf has quit IRC10:11
*** andreaf has joined #openstack-keystone10:11
openstackgerritJamie Lennox proposed a change to openstack/python-keystoneclient-kerberos: kerberos client plugin
jamielennoxayoung: ^10:21
*** aix has quit IRC10:42
*** dims has joined #openstack-keystone10:47
*** andreaf has quit IRC10:48
*** andreaf has joined #openstack-keystone10:48
*** spligak has quit IRC11:10
*** aix has joined #openstack-keystone11:13
*** amakarov_away is now known as amakarov11:13
*** vb has quit IRC11:21
*** raildo_ has joined #openstack-keystone11:27
*** andreaf has quit IRC11:27
*** andreaf has joined #openstack-keystone11:28
openstackgerritJamie Lennox proposed a change to openstack/python-keystoneclient: Log the CA cert with the debug statement
*** NM has joined #openstack-keystone11:33
*** raildo_ has quit IRC11:34
ekarlsojamielennox: you ever got to the CLI plugin btw ?11:35
jamielennoxekarlso: no, not as yet. i want to have a chat to the OSC guys at the summit and figure out what they want in it11:35
jamielennoxcause i think they will be one of the primary users11:36
jamielennoxbecause from what i can tell i think we could probably just use generic.Password and everyone would be fairly happy11:36
*** diegows has joined #openstack-keystone11:50
*** radez_g0n3 is now known as radez12:30
*** andreaf_ has joined #openstack-keystone12:33
*** andreaf has quit IRC12:36
openstackgerritJamie Lennox proposed a change to openstack/python-keystoneclient: Log the CA cert with the debug statement
*** dims has quit IRC12:51
*** dims has joined #openstack-keystone12:52
*** gokrokve has joined #openstack-keystone12:58
ayoungjamielennox, found a fun one out last night.  You know how the updated cloudsample policy file does the smart thing and says that in order to list projects in a domain you have to be admin on that domain?  Turns out that breaks Horizon13:00
jamielennoxayoung: why is horizon dealing with domains13:01
rodrigodsayoung, exactly... a teammate is working on a patch to fix that13:01
jamielennoxoh -13:01
*** gokrokve has quit IRC13:08
ayoungjamielennox, because Horizon only fetches project scoped tokens13:11
*** afaranha has joined #openstack-keystone13:11
*** afaranha has quit IRC13:11
*** afaranha has joined #openstack-keystone13:11
ayoungrodrigods, I think that anything we do there is going to be problematic13:11
ayoungrodrigods, thing is, we are working with the cloudsample policy file, which radically changes the rules13:11
ayoungrodrigods, in this case, the rule is_admin means13:12
ayoungwell, this rule13:12
ayoung"identity:list_projects": "rule:admin_required and domain_id:%(domain_id)s",13:12
ayoungSo:  user must have the admin role, and the domain_id needs to match.13:13
rodrigodsayoung,  yeah...13:13
ayoungBut if you are using a default project, then the domain_id is probably for the wrong domain13:13
ayoungit is messy, and I think we need to sit down with the horizon folks to figure out a path forward13:14
ayoungrodrigods, but....13:14
ayoungI want to collapse IdPs, Domains, and Projects all into one supertype13:14
ayoungIdps will have no parents13:14
ayoungdomains will live under idp13:14
ayoungproject under domain13:14
ayoungbut we'll treat them all as roughly the same thing13:14
rodrigodsayoung, ++13:15
rodrigodsthis would simplify A LOT13:15
rodrigodsthis domain vs project scoping stuff13:16
*** thiagop has joined #openstack-keystone13:16
rodrigodsayoung, about the list_projects issue, shouldn't horizon use the list_projects_for_user() instead of listing the projects in a domain?13:17
ayoungrodrigods, nope13:18
ayoungthis is on the admin panel13:18
thiagopayoung: why?13:18
ayoungnot on the users lists of projects13:18
*** bknudson has quit IRC13:18
ayoungfor the list of projects, it does use list_projects_for_user13:18
ayoungthiagop, ^^ make sense?13:19
thiagopayoung: you mean the project picker?13:19
ayoungin the project picker it uses list_projects_for_user13:19
ayoungbut there is the admin panel, for administering projects (add new, etc)13:20
thiagopIdentity/projects, right?13:20
jamielennoxlol never say tenants13:20
jamielennoxand domains shouldn't live under idps, they should be different things13:21
ayoungdomains should live under idps13:22
ayoungidps Own things13:22
jamielennoxi thought that was one of the goals of hierarchical multitenancy13:22
ayoungdomains should probably go away13:22
jamielennoxayoung: why13:22
ayoungcuz they are just projects13:22
ayoungif Idps own users13:22
jamielennoxwhy does an idp own things13:22
thiagopI've always find it strange that I, as a user, could see projects that I don't have a role in13:23
ayoungreally, these things are all namespaces13:23
ayoungthiagop, A general can see all of the Bridages in his Division.  He doesn't have a role in those Brigades, he has a role in the organization that containes those brigades13:24
ayoungbut..with Hierarchical Multitenancy they want to do information hiding13:24
ayoungso  if Cloud provider sells to reseller who then sells to me, cloud provider should not see "me"13:24
jamielennoxayoung: right, but we collapse a domain into a project then13:25
jamielennoxwhich is great13:25
ayoungdomain is a project13:25
ayoungdomains are projects who have no parent13:25
jamielennoxright, still not sure why an idp should live in that tree13:25
ayoungexcept when it comes to users13:25
ayoungin which case domains are projects13:25
ayoungand their parents are IdPs13:25
ayoungjamielennox, so we just make idps, projects, and domains all subclasses of one thing.13:27
ayoungcall it tenants, and make everyone go away13:27
jamielennoxa domains parent is not an idp13:29
jamielennoxbecause i can map a user into multiple domains13:29
jamielennoxand a user is owned by an idp13:30
ayoung"i can map a user into multiple domains" NONONONONONONO13:30
ayoungA user is owned by exactly one domain13:30
ayoungthey can have roles in many13:30
*** gordc has joined #openstack-keystone13:30
ayoungwe can't break that now13:30
ayoungdomains are part of the literature13:30
jamielennoxhierarchical gives us that a domain is essentially just a project without a parent13:30
jamielennoxa user can have roles in multiple unrelated projects13:31
ayoungI';d argue that the parent of a domain is the IdP, with the implied IdP being Keystone itself13:31
jamielennoxtherefor a user can have roles in multiple domains13:31
jamielennoxtherefore you shouldn't have it owned13:31
jamielennoxright - and the mistake there was ever assuming that the user was owned by a domain13:31
ayoungunless we drop the user_domain abstraction, which is codified into the APIs, and thus we are stuck with it13:31
ayoungusers used to be owned by projects13:32
jamielennoxuser_domain_id should become user_idp_id13:32
jamielennoxand i don't see how to handle all this with v3 :)13:32
ayoungwell, we could merge domains and IdPs13:33
ayoungbut then we are one to one with Idps and domains, which might not be right13:33
ayoungI always suspected that it should be one to at-least-one13:34
*** radez is now known as radez_g0n313:34
amakarovayoung, hi! Steve Hardy wants redelegation enabled by default :)13:34
ayoungamakarov, OK13:34
ayoungI'm cool with that13:35
ayoungask morganfainberg when he is around amakarov13:35
ayoungamakarov, it is backwards compatible.  Its just a risk13:35
ayoungwe tend to disable a new feature like that until its somewhat hardened13:35
amakarovayoung, I understand13:36
ayoungHe wants to know that it is something he can rely on13:36
*** sigmavirus24_awa is now known as sigmavirus2413:36
ayoungamakarov, so, not in the first patch13:36
ayoungbut we can have the goal to have them enabled at release13:36
*** bknudson has joined #openstack-keystone13:36
amakarovayoung, so I stick to current implementation for now?13:37
amakarovayoung, thanks )13:37
*** afazekas_ has joined #openstack-keystone13:39
ayoungjamielennox, so we make  a subclass for all of these things:  Idps, projects, domains, and make sure that the Ids are unique across all of them13:41
jamielennoxayoung: ids are uuids now - with some fudging we assume that already13:41
ayoungit might be our saving grace here13:41
*** bknudson has quit IRC13:42
*** vhoward has left #openstack-keystone13:43
openstackgerritLance Bragstad proposed a change to openstack/keystone: Use mask_password from oslo.utils.strutils
rodrigodsmarekd, just commented in the ECP/POST review, we can discuss it here =)13:44
marekdrodrigods: one main diference between websso and ecp is how you authenticate with idp13:46
rodrigodsmarekd, hm...13:46
rodrigodstrade offs?13:46
marekdwebsso assumes it browser and human being usin it13:47
marekdit will give him a webpage13:47
*** vejdmn has joined #openstack-keystone13:47
marekdusually with user/pass form.13:47
marekdsuper hard to parse and make sure python-requests will know how to use it, right?13:47
marekdthat's why ECP comes into13:47
marekdit assumes that pure http client is used there, and it's aall XML/SOAP13:48
marekdmore cli firnedly, right?13:48
marekdin k2k we break whole stuff13:48
marekdyou authenticate with your idp actually by passing your openstack token13:49
ayoungECP is pretty much required for SAML in a CLI use13:49
*** bknudson has joined #openstack-keystone13:49
marekdayoung: ++13:50
marekdayoung: but only because websso will present you a webpage for authN13:50
rodrigodsmarekd, once we already have the SAML assertion in k2k, the webpage isn't required, right?13:51
ayoungjamielennox, for Horizon...should it attempt to get a domain scoped token for Admin panels?13:51
ayoungk2k should do ECP13:51
rodrigodsbut... since we are getting in the middle for both13:51
rodrigodsi don't see how websso can be better than ECP for our case13:52
jamielennoxayoung: i guess the theory was always that you needed a domain scoped token to list users etc13:52
ayoungand list  projects for a domain...13:52
jamielennoxayoung: we don't have the best 'admin token' story - so i think domain scoped token is the best we can do13:52
marekdnot all sps can talk ecp13:52
ayoungHorizon just assumes a global project list, I think13:52
rodrigodsmarekd, good point13:52
ayoungjamielennox, or we do it all with an unscoped, and check permissions inside Keystone13:53
marekdsaml2 was designed for browsers13:53
rodrigodsmarekd, but we need excellent support for both than13:53
marekdecp is an extension.13:53
ayoungsaml2 wasn';t designed.  It crawled out of the primordial soup13:53
jamielennoxayoung: i'd be ok with that, i think we expect more from our policy layer that it can handle13:54
ayoungpolicy could handle it in Keystone13:54
ayoungjust only in Keystone, since Keystone has all of the Roles assignments13:54
marekdrodrigods: it's something we cannot control.13:55
marekdyou are supposed to federate your keystone along with non openstack products13:55
marekdit's not something you can's not openstack ecosystem.13:55
ayoungjamielennox, of course, if we split the Identity part from the Assignment part....I thiin we'd still be good.  It would all be managed from the Assignment part13:56
marekdrodrigods: joesavak was business suporter for k2k13:56
marekdso he may have some insignht on whether it should be websso or ecp13:57
rodrigodsmarekd, ++13:57
rodrigodsI vote for both13:57
jamielennoxayoung: if we roll domains into projects, do you think instead of going to api v4 next we can go to api v2.1 ?13:59
marekdayoung: what was the initial concept of the domains, btw?13:59
ayoungjamielennox, yeah, sure!13:59
ayoungjamielennox, I say we go asymptotic to Pi14:00
ayoungmarekd, namespaces for users14:01
ayoungmarekd, I'd have to git log to find the to the blueprint that way, I think14:01
*** marekd has quit IRC14:04
*** marekd has joined #openstack-keystone14:09
*** richm has joined #openstack-keystone14:11
*** radez_g0n3 is now known as radez14:18
lbragstadmarekd: rodrigods re: k2k stuff with jsavak. I believe he is on ETO today but he said to go ahead and email him if you have questions.14:21
jamielennoxayoung: if we roll domains into projects, do you think instead of going to api v4 next we can go to api v2.1 ?14:25
jamielennoxwoops, sorry up + enter14:25
*** andreaf_ has quit IRC14:25
ayoungI still think it is a great idea14:25
*** andreaf_ has joined #openstack-keystone14:26
jamielennoxit's a horrible idea14:27
gabriel-bezerraayoung, jamielennox: how is that change related to domain-specific drivers?14:28
ayounggabriel-bezerra, we are not really planning on moving back to 2.114:28
gabriel-bezerraI mean.. it seems to me that a domain-specific identity backend would be an IdP, but how would domains fit there then?14:29
gabriel-bezerraayoung: my question is about the (idp, domain, project) change14:30
ayounggabriel-bezerra, just problem solving for now:  I think that the solution lies in there.14:30
ayounggabriel-bezerra, Don't take this as done-deal, rather as brainstorming,  feel free to contribute14:31
gabriel-bezerraok :)14:31
marekdlbragstad: ETO ?14:31
ayoungI agree that domain specific identity backend should be for an IdP14:31
lbragstadmarekd: Earned Time Off14:31
ayoungI would think that Idp should have a one-to-one with a domain, but we could make them the same thing and have the same solution14:32
jamielennoxlbragstad: ... is that a thing, or did i miss a joke there somewhere14:32
ayoungif we forces A ONE-TO-ONE between IdP and domains, it would probably work, too14:32
ayoungjamielennox, probably an accounting acronym for time off htat is accrued14:33
jamielennoxayoung: not always going to be on IRC so please assume I'm always going to say NO when you suggest that14:33
ayoungjamielennox, meaning IDP->domains?14:33
ayoungone to one?14:33
gabriel-bezerraI see domains as a user repository/namespace, so it would map directly to an idp14:34
ayoungmeaning you want to drop the whole domain-around-users concept?14:34
gabriel-bezerraas domain-specific backends do14:34
jamielennoxwhilst ever domains own projects i think it's a bad idea14:34
ayoungwe've already dug this ditch, we are just trying to climb out of it14:35
jamielennoxin which case we should kill the term and move to idps own users projects own projects and only roles map from one to the other14:35
ayoungthe  decision was made back before we split Identity and Assignment14:35
ayoungyeah, that is the cleaner language14:35
jamielennoxyea - also i'm not doing any work in that space to actually get in and influence it14:35
ayoungI'm just looking for a transition plan14:35
lbragstadjamielennox: it's a thing14:36
jamielennoxsame with some of my federation concerns that i found a week before RC14:36
ayoungSo for now, we say one-to-one Idp to domain, and IdP/domains (not ones backed by keystone) can't own projects?14:36
gabriel-bezerrawould a project own an IdP?14:36
jamielennoxlbragstad: is it as ayoung suggested an accrued thing? or can your manager just award you time off for doing something?14:36
ayounggabriel-bezerra, projects don't own IdPs14:37
lbragstadETO is usually accrued14:37
ayoungIdPs are top of the tree14:37
gabriel-bezerraI liked jamielennox's suggestion, my question is in that context14:37
lbragstadjamielennox: so you get ETO over time14:38
rodrigodslbragstad, I'd enjoy some ETO ;)14:38
jamielennoxlbragstad: ok - just never heard the term and though 'earned' was a weird way to phrase it14:38
lbragstadjamielennox: it's a type of 'time off' policy offered by employers14:39
gabriel-bezerraI'm asking about the case of a customer of a public cloud being able to configure his/her idp as a way for his/her employees to sign in14:40
marekdlbragstad: jamielennox i thought 'earned' was used by Lance here to indicate, that joe was working supre hard so he took a day off and he really deserves it :P14:40
gabriel-bezerraayoung jamielennox ^14:40
lbragstadmarekd: well.. that *could* be the case, I'm just the proxy :)14:40
ayounggabriel-bezerra, ability to manage an IdP should be based on a role assigned to a user14:40
openstackgerritAlexander Makarov proposed a change to openstack/keystone: Trust redelegation the hierarchy needs to have a root:  we've typically called that the Default domains14:41
openstackgerritA change was merged to openstack/keystone: Add fileutils module
marekdlbragstad: btw, how many paid days off (or day offs?) do you have in USA?14:41
ayounger default domain14:41
gabriel-bezerraayoung: you mean the project hierarchy, right?14:41
ayoungyeah....all this stuff14:41
ayoungreally, we are just reinventing a hierarchical database here14:42
ayoungthese are all collections14:42
jamielennoxyea, i think you would make idp management a role based check14:42
lbragstadmarekd: it depends on a lot of different things (i.e. experience and employer)14:42
ayoungSo at the root of the tree you have the keystone server itself14:42
marekdlbragstad: say, somebody with 2-5 years of experience14:42
marekdso probably somebody like you or me.14:42
ayoungunder that you have IdPs on the identity side.  jamielennox 's suggestion is that domains are on the assignment side14:42
jamielennoxi don't think it's worth complicating it more than that, and you can always use groups if you want to pick up multiple useres14:42
rodrigodsmarekd, thinking of moving to US?14:43
marekdjust curious14:43
ayoungso, first layer down is "modules"  with identity, assignemnt, and service catalog in them14:43
ayoungunder identity we have IdPs14:43
ayoungunder assignement we have projects14:43
ayoungand under service catalog we have services14:43
rodrigodsmarekd, I now that for Microsoft, (with such experience) you have 15 days off14:43
ayoungnext level down should be clear, but to be explicit14:43
jamielennoxayoung: my concern is that we should never re-use a term, we can't transition domain from one thing to another, and i've always considered domains more about multitenancy rather than user grouping14:43
ayoungunser Idps we have users and groups14:43
lbragstadmarekd: that's a tough one, it depend a lot on employer.. I think when I graduated college most of the people I graduated with ended up with around 14 days at their first job?14:44
ayoungunder domains we have projects (or tenants in oldspeak)14:44
lbragstadmarekd: depending on their start date14:44
gabriel-bezerraayoung: I guess jamielennox's suggestion doesn't involve domains.14:44
lbragstadwrt the first of the year14:44
ayoungunder services we have endpoints...crud,  service catalog has regions14:44
ayoungand endpoints are kindof under both14:44
jamielennoxmarekd: i assume this is real simple and legally mandated for you too?14:44
ayoungok,  endpoints are under  services14:44
ayoungthe relationship between endpoints and regions is an assignment one14:45
ayoungsymlink:  an endpoint can be in more than one region14:45
marekdjamielennox: is it for you?14:45
jamielennoxmarekd: yea, 20days per year is law, and i really don't know any employers that offer more - it's just not something people mess with14:45
ayoungEPO/PTO terms  came out of merging vacation and sick days14:45
marekdjamielennox: i work for cern so it's a different story, but for the normal company - in Europe, at least in European Union it's rather decided by law14:46
marekdjamielennox: exactly14:46
ayoungI used to get 10 vacation and 5 sick days a year.  Somehow that got collapsed into 10 days  PTO14:46
ayoungEurope closes down for August14:46
jamielennoxyea, i think our 20 is supposed to be split 10/1014:46
ayoungwe also get like 3 floating hoidays or something14:47
marekdjamielennox: and our's 20 is 20 for vacation. If you get sick, you go to the doctor, get a paper and you get paid 80% of your salary. for that time.14:47
ayoungcuz not everyone celebrates the Feast of the Assumption or Tu B'Shvat14:47
bknudsonI'd be in pretty bad shape if I was sick 10 days a year.14:47
bknudsonat least, too sick to sit at a computer.14:48
ayoungbknudson, if your kids get sick, they don't go to school or daycare14:48
ayoungand someone needs to stay home with them14:48
ayoungand that is more and more a reason for PTO, in two-income families14:48
jamielennoxbknudson: it's not sick - they call it personal, can be used for sick, kids, things like family funerals14:48
ayoungjob interviews14:48
bknudsonI thought that's what the summit was for?14:49
*** radez is now known as radez_g0n314:51
marekdbknudson: heh14:52
openstackgerritA change was merged to openstack/keystone: test_utils use jsonutils from oslo.serialization
*** thedodd has joined #openstack-keystone14:52
nkindermhu: I'm seeing problems with the OSC code from git that might be related to the auth plugin stuff14:53
gabriel-bezerraayoung: I cannot delete a domain that is backed by a populated read-only LDAP database. It is a bug, right? (just asking before filing)14:53
nkinderayoung: you might be interested too since I was talking with you about this problem...14:53
nkindermhu, ayoung:
mhunkinder, I'll have a look14:54
nkinderThat's the same OSC user-list command with the released OSC (that works) and the new one.14:54
nkinderthe domain info is missing, which results in a 400 from keystone14:54
ayoungName versus ID14:54
ayoungso git one is broken?14:55
nkinderayoung: no, it's a missing domain14:55
nkinderayoung: yes, the git one is broken14:55
ayounggit blame?14:55
nkinderayoung: about to file a bug and start tracing that down14:55
ayounggabriel-bezerra, multi-backend?14:56
*** topol has joined #openstack-keystone14:56
gabriel-bezerraayoung: yes, domain-specific14:56
mhunkinder, what's the context ? how is osc user-list called ?14:56
*** comstud is now known as bearhands14:57
ayounggabriel-bezerra, what error do you get?  I'm not certain its a bug or not.  Suspect a foreign key constraint14:57
nkindermhu: openstack --debug --os-identity-api-version 3 --os-auth-url http://rhos.rhosdom.test:35357/v3 --os-username admin --os-password XXXXXXXX --os-project-name admin user list14:57
ayoungbut you need to disable a domain before deleting no matter what14:57
vsilvapretty late at the discussion, marekd, but at Facebook you get 21 days PTO a year14:57
nkindermhu: This is from some automation that I've been using for about a month, but breaks if I install OSC from git14:57
marekdvsilva: so it's not regulated by law.14:58
gabriel-bezerraayoung: {"error": {"message": "You are not authorized to perform the requested action: LDAP group delete (Disable debug mode to suppress these details.)", "code": 403, "title": "Forbidden"}14:58
nkindermhu: 0.4.0 works fine14:58
ayounggabriel-bezerra, cuz deleting the domain trys to delete all of the objects inside it14:58
vsilvaI don´t believe it is, marekd, but I´d say it´s somewhere between 10-20 for most companies14:58
gabriel-bezerraayoung: it is being disabled14:58
ayoungYou'd have to unmap the domain specific backend part first14:59
nkindermhu: I don't mean to blame your patch, it could be something else. :)14:59
mhunkinder, no offense taken, don't worry :)14:59
nkindermhu: just seems in a similar area and wanted to give a heads up14:59
ayoungso remove the file, restart the server,and I bet it works...and I think that is as it should be under current ways of thinking14:59
mhunkinder, it's probably because os_domain_id must be set to default by default in 0.4.014:59
gabriel-bezerraayoung: ok. no bug then. thank you.15:00
ayoungyeah...but maybe something to document15:00
nkindermhu: yeah, let me explicitly add the option15:00
ayounggabriel-bezerra, until we make the configuration something that can be done on the fly and without restarting the server, I'd say it "works as designed"15:00
mhunkinder, in the meantime I'll have a quick look at the code on master and 0.4.015:01
nkindermhu: related to this most likely
uvirtbotLaunchpad bug 1272451 in python-keystoneclient "hardcoded references to 'default' domain id" [Undecided,Opinion]15:01
nkindermhu: ...or similar at least15:02
*** cjellick has joined #openstack-keystone15:05
openstackgerritA change was merged to openstack/keystone: Sync modules from oslo-incubator
*** cjellick has quit IRC15:06
*** cjellick has joined #openstack-keystone15:07
gabriel-bezerraayoung: I'll file the bug then, just to keep track of the issue.15:07
ayoungnkinder, I'm kindof stumped about what to do with the policy thing for Horizon in the short term15:08
ayoungI mean, dropping the domain requirement would be pretty bad.15:08
ayoungbut Horizon won't work with it.  And I don't think I can fix in time for the summit15:08
*** joesavak has joined #openstack-keystone15:09
*** andreaf_ has quit IRC15:10
ayoung"list projects"  in the abstract doesn't make sense in any sort of nested arraingment anyway:  it should be list_projects under X where X is the parent15:11
*** andreaf_ has joined #openstack-keystone15:11
ayoungkeystone admin operations should not require a scoped token15:11
*** thedodd has quit IRC15:12
nkinderayoung: it would have to be aware of domain scoped tokens I think15:12
*** jsavak has joined #openstack-keystone15:13
*** thedodd has joined #openstack-keystone15:14
thiagopayoung: what kind of error are you seeing in horizon?15:14
*** __TheDodd__ has joined #openstack-keystone15:15
ayoungthiagop, OK, so we are using the cloudsample policy file, and with that, to list projects you need a domain scoped token15:15
ayoungdoesn't matter what privs the user has, Horizon only knows about project scoped tokens15:16
*** dims is now known as dimsum_15:16
thiagopayoung: I believe the problem there is that Horizon doesn't give you access if you're not in a project15:16
*** joesavak has quit IRC15:18
thiagopayoung: e.g.:
*** david-lyle has joined #openstack-keystone15:18
ayoungthiagop, yea, that too15:18
thiagophere we have an operation using domain scope when you do have access to list_projects15:18
ayoungand the solution is to redefine the problem:  everything is a projects!15:18
*** thedodd has quit IRC15:19
ayoungthiagop, domain_scope?  Meaning requesting a domains scoped token?  How?15:19
nkinderthiagop: the v3 cloud policy sample also only allows listing projects for domain scoped tokens15:19
nkinderthiagop: ...which makes sense, as it's something that the domain admin is responsible for managing (not a project admin)15:20
ayoungand there is no way that Horizon today knows how to request a domain scoped token15:20
thiagopI didn't test it on my setup though15:21
david-lyleayoung, not with the code checked in15:21
nkinderdtroyer: fyi, I've noticed a regression in the current OSC code that may or may not be important -
uvirtbotLaunchpad bug 1385338 in python-openstackclient "Keystone v3 authentication request is malformed with latest OSC code" [Undecided,New]15:21
nkinderdtroyer: I'm not sure if it was an intentional change or not, but commands that worked in 0.4.0 will no longer work without adding additional options to specify the domain15:22
david-lyleit's a trivial modification really to get a domain scoped token, the problem is that the rest of horizon is expecting a project scoped token15:22
openstackgerritJamie Lennox proposed a change to openstack/keystonemiddleware: Use connection retrying from keystoneclient
openstackgerritJamie Lennox proposed a change to openstack/keystonemiddleware: Add versions to requests
openstackgerritJamie Lennox proposed a change to openstack/keystonemiddleware: Use an adapter in IdentityServer
openstackgerritJamie Lennox proposed a change to openstack/keystonemiddleware: Allow loading other auth methods in auth_token
openstackgerritJamie Lennox proposed a change to openstack/keystonemiddleware: Use Discovery fixtures for auth token tests
openstackgerritJamie Lennox proposed a change to openstack/keystonemiddleware: Convert authentication into a plugin
openstackgerritJamie Lennox proposed a change to openstack/keystonemiddleware: Split identity server into v2 and v3
openstackgerritJamie Lennox proposed a change to openstack/keystonemiddleware: Additional discovery changes
openstackgerritJamie Lennox proposed a change to openstack/keystonemiddleware: Use real discovery object in auth_token middleware.
*** tellesnobrega_ has joined #openstack-keystone15:22
*** marekd is now known as marekd|away15:23
openstackgerritAbhishek Kekane proposed a change to openstack/keystone: Eventlet green threads not released back to pool
*** afazekas_ has quit IRC15:24
nkinderdolphm: I'm interested in getting your take on the above OSC bug too, as you had some conversations around a similar issue with KSC earlier in the year.15:25
david-lyleayoung the other consideration is how the user determines if they want a domain scoped token or a project scoped token15:25
ayoungdavid-lyle, users don't really make that decision.  All they can do is select a project15:26
ayoungcan they even select a domain?15:26
nkinderdavid-lyle: it's almost like the domain should be listed in the project list15:26
david-lylethey have to enter it15:26
ayoungwe just show the set of projects for which the user has roles15:26
dtroyernkinder: that isn't intentional, but we did strip the auth option handling down to rely on the plugins for checking, setting the default probably went away with that15:26
nkinder...but we don't know if the user has a role on their domain15:26
jamielennoxbknudson and anyone else interested: with those ^ and devstack deploys with v3 auth15:26
ayoungNo,  that is the namespace for the user themsef, not as the target of their operations15:27
david-lylebreaking out the domain administration actions into a separate token type seems wrong to me15:27
david-lylebut i missed the argument on that one originally15:27
ayoungdavid-lyle, that is what we were discussing before:  unifying projects, IdPs, and domains into a single coherent structure15:27
david-lyleayoung: that would be much better15:27
david-lylenot just from a GUI perspective15:27
ayoungdavid-lyle, domains are really an unnecessary abstraction15:27
david-lylethe CLI handling is confusing as well15:27
ayoungwith HTM,  everything could be project on the assignment side15:28
ayoungand on the user side, users would be owned by IdPs15:28
david-lyleHTM? HMT?15:28
ayounghierarchical multi tenancy15:29
david-lylemaking sure15:29
david-lyleI'm easily confused15:29
ayoungnot to be confused with hierarchical temporal memory15:29
bknudsonjamielennox: I had updated devstack to use the change that was reverted... so can also revert that change15:29
jamielennoxoh, was that one submitted to devstack?15:30
jamielennoxanyway, that one uses the straight password plugin, which will use v315:30
bknudsonjamielennox: yes, I wanted to test it.15:30
jamielennoxit should be replacable with any plugin15:30
bknudson(locally, not in tempest)15:30
jamielennoxkeeping backwards compatability there is a nightmare, so most of the changes are as small as possible - sometimes stupidly so15:31
david-lylenkinder: the problem with adding it to the project list is it doesn't behave like a project15:31
bknudsonjamielennox: ah, it didn't merge yet:
nkinderdavid-lyle: yeah, I know.  I can't think of an easy answer.15:32
david-lylewe've made recent changes to show the domain, in the context information, perhaps we could let the user rescope their token there, but that requires some fairly advanced understanding of the identity model in OpenStack by general users15:32
jamielennoxok, with that i'm out for the night - have a good weekend everybody15:33
nkinderjamielennox: later15:33
david-lylethe other idea was to just grab a domain scoped token and project scoped token (if a project role exists) and have Horizon hide the internal decisions as to which token to use15:33
*** lsmola has quit IRC15:34
david-lylewe need more session space to do that, hence the ML thread15:34
david-lyleregarding session stores in horizon15:34
*** lsmola has joined #openstack-keystone15:35
ayoungdavid-lyle, I want to go the other direction for Keystone:  if you have an unscoped token, you should be able to perform operations inside of Keystone.15:36
ayoungGetting a scoped token buys us nothing.15:36
ayoungNow, honoring a scoped token is something different15:36
ayoungbut for Horizon -> keystone those operations should be performed unscoped, and the RBAC should be dynamic15:37
david-lylethat's how HP did it actually15:37
bknudsonyou don't have any roles in an unscoped token15:38
*** cjellick has quit IRC15:39
david-lylereally keystone should be telling me what actions I can do, regardless of token scope15:40
david-lyleI don't it requires passing back the roles to me the user15:40
david-lylebut that gets very complicated quickly15:41
david-lyle*I don't think15:41
*** jsavak has quit IRC15:47
*** vejdmn has quit IRC15:53
*** amerine has quit IRC15:57
*** miqui has quit IRC15:59
*** palendae has quit IRC15:59
*** miqui has joined #openstack-keystone15:59
openstackgerritAlexander Makarov proposed a change to openstack/keystone: Trust redelegation
*** nkinder has quit IRC16:00
*** jimbaker has quit IRC16:01
ayoungbknudson, you don't need roles in an unscoped token if the operations i performed against Keystone itself.  Keystone can look up the roles itself16:01
*** palendae has joined #openstack-keystone16:01
bknudsonayoung: the roles on the project?16:02
ayoungdavid-lyle, keystone doensn't know the complete set of operations on other services yet.  We need to work on the policy interface a little better16:02
*** vhoward has joined #openstack-keystone16:02
ayoungbknudson, If a user does list_projects,  what should happen?16:02
david-lyleayoung: I fully agree16:02
*** amerine has joined #openstack-keystone16:02
bknudsonayoung: if the user doesn't have authority to list_projects then they should get a 403.16:02
ayoungbknudson, right now, it is implied that either they can globally list projects or get nothing16:02
ayounginstead, it should be list_projects_for_scope16:03
ayoungand then...keystone should looks to see if the user has access to enumerate projects in that scope16:03
ayoungits a tough question how, though16:03
*** jimbaker has joined #openstack-keystone16:03
*** jimbaker has quit IRC16:03
*** jimbaker has joined #openstack-keystone16:03
ayoungwe don't tend to make it easy to work backwards from operations to roles16:03
ayoungtoday we assume that the user will pass in a token with the scope pre-populated16:04
*** nkinder has joined #openstack-keystone16:04
ayoungI'd argue that if I do list_projects_for_scope keystone should attempt to make a temporary-project-scoped token for me...just for the span of this request16:04
*** chrisshattuck has joined #openstack-keystone16:05
ayoungunless an explicit token comes in,  let keystone make a best effort based on the scope of the request to list roles for scope16:05
*** chrisshattuck has left #openstack-keystone16:05
ayoungwhat did I do for the basic-auth patch?16:05
*** vejdmn has joined #openstack-keystone16:06
*** tellesnobrega_ has quit IRC16:06
ayoungI punted16:10
ayoungyou'd bascially get an unscoped token's data in the context16:10
*** thiagop has quit IRC16:11
ayoungactually just set REMOTE_USER...16:11
ayoungI had something more in the HTML patch16:11
ayounglost in history now...maybe an earlier review16:13
*** _cjones_ has joined #openstack-keystone16:15
*** _cjones_ has quit IRC16:16
*** _cjones_ has joined #openstack-keystone16:16
ayoungdavid-lyle, this is the problem with us not having thought about this from both the CLI and WebUI at the same time.  Discoverability is broken16:18
ayoungIf I log in to Horizon, the first thing Horizon should do is go to Keystone and say "what should Adam see"16:18
ayoungthis is "unscoped" so I should see a list of top level things that I can do with my token16:19
ayoungnone of them "select scope"16:19
ayoungnow..."something" could remember the scope and jump directly to that level on second and subsequent visits16:20
ayounglets just call it a cookie for now, and say that it is the users' clients responsibility for storing and handing it over16:21
ayoungso if I do "list projects"  that should be done as a link with some starting point, and I should be put at that starting point by the cookie16:21
ayoungnot just have it magically assumed into existence16:22
david-lyleayoung: we essentially do that now, but pick the first project to scope to16:22
david-lylewe're planning on storing the last project scope in a cookie and reference that on subsequent log ins16:23
ayoungdavid-lyle, only if it is an uscoped token16:23
ayoungotherwise, we have magic16:23
ayoung"default project"16:23
ayoungwhich the user can';t even set themselves16:23
david-lylewe get the project_list with an unscoped token then rescope16:24
david-lylewe're creating our own default project implementation16:24
david-lylemore of a sticky project implementation16:24
david-lylelast one scoped to is what you're scoped to on next login16:25
ayoungdavid-lyle, so I have a spec that might interest you16:27
ayoung  david-lyle16:27
ayoungwe need to implement that in Keystone, and then make Horizon use it16:27
ayoungthe follow up is to force unscoped->scoped rescoping only16:27
ayoungdavid-lyle, and...based on a conversation with jamielennox what we are going to persist in the users session is the auth plugin16:28
ayoungso rescoping means:  start with a password auth plugin, get a  token, use that token to create another auth plugin.16:28
ayoungTHe httpsession object should actually be global to Horizon,16:28
ayoungwhich is counter intuitive of course16:29
ayoungI was thinking that I want to make the request be something like:16:29
ayoungscope : "unscoped"16:29
david-lyleayoung, what do you mean by global16:31
*** lhcheng has joined #openstack-keystone16:33
*** vhoward has left #openstack-keystone16:37
ayoungdavid-lyle, heh16:38
ayoungdavid-lyle, global as in one per process16:38
ayoungthe session object will not maintain a relationship with the auth plugin16:38
ayoungthe keystoneclient, and other clients, will maintain that16:39
*** aix has quit IRC16:41
david-lylethe only difficulty there is horizon and openstack_auth make separate use of keystoneclient16:41
ayoungthat is OK, as horizon gets its client from openstack_auth, right?16:42
ayoungso the session should be maintained by openstack_auth16:42
*** andreaf_ has quit IRC16:42
david-lylehorizon gets the session from openstack_auth16:42
*** andreaf_ has joined #openstack-keystone16:43
david-lyleif the client is attached to the session somehow we could, but right now the handling of keystoneclient is separated16:43
ayoungnah, I think we're good16:51
ayoungdavid-lyle, so the session would be global to openstack-auth.16:51
david-lylejust for token scoping operations16:53
david-lylethen horizon would use another instance of the client to interact with keystone for other operations16:53
*** rwsu_ has quit IRC16:53
ayoungdavid-lyle, yep16:54
david-lyleayoung: that works16:54
ayoungdavid-lyle, of course, if we do the whole "Keystone don't need no stinken tokens" approach, it simplifies horizon16:55
*** rwsu has joined #openstack-keystone16:56
david-lyleayoung: true, simplifies but requires some significant code removal/rework16:56
david-lylelong term simpler16:56
ayoungdavid-lyle, yeah16:57
ayoungwe need to iron this out at the summit, and it is Keystone-Horizon specific discussions16:57
david-lylewon't eliminating tokens affect everyone? i.e. all services?16:58
*** jistr has quit IRC16:58
ayoungdavid-lyle, this is just for Keystone-specific operations16:59
ayoungwhy go to Keystone, get a token, just to hand it back to keystone?17:00
ayoungand most servcies don't do thjat17:00
david-lyleah, ok17:00
ayoungdavid-lyle, for something like executing a trust, sure, no token should be required for that, but that should be the extent of most keystone operations from services17:01
ayoungactually, If I made it that you could only create a trust when authenticated as the original user, it would probably  break Heat, but it would be more secure17:01
*** _cjones_ has quit IRC17:05
*** _cjones_ has joined #openstack-keystone17:06
*** cjellick has joined #openstack-keystone17:08
*** cjellick has quit IRC17:09
*** cjellick has joined #openstack-keystone17:09
*** _cjones_ has quit IRC17:11
*** _cjones_ has joined #openstack-keystone17:11
rodrigodshey, we really need reviews in the HM API changes:
openstackgerritAbhishek Kekane proposed a change to openstack/keystone: Eventlet green threads not released back to pool
*** __TheDodd__ has quit IRC17:41
*** harlowja_away is now known as harlowja17:55
*** harlowja is now known as harlowja_away17:56
*** harlowja_away is now known as harlowja17:58
*** alee has quit IRC18:02
ayoungmorganfainberg, so...thinking about access control, delegation, and capabilities.  Lets say you have a rule where you need to be cleared Top Secret to access a particular piece of data.  That Data is in an encrypted volume in Cinder.  When creating a trust,  you would want to make sure that the trustee was already cleared top secret.  Or, more correctly, when checking the trust scoped token, you would want to make sure that18:04
ayoungthe users clearance was still active.18:04
ayoungnot everything can be delegated18:05
morganfainbergRight. Makes sense18:05
ayoungmorganfainberg, I thought we had code in Keystone that said "fetch the object, and then evaluate the policy based on both the request context and the actual object"  but I can't find it18:06
ayoungI thought it was one of the decorators that did that18:07
morganfainbergWe do. It's done via the callback in the @protected decorator18:07
morganfainbergOr filter protected.18:07
morganfainbergYou can do a lot with the callback18:08
ayoungthat is on the controll object?18:09
morganfainbergI believe so. It is an attribute that points to the method that should be called18:10
ayoungmorganfainberg, that means it would have to execute that call for every policy check, not just on some.  And it could only fetch one type of object18:11
ayoungfor example role_v3 has  self.get_member_from_driver = self.assignment_api.get_role18:12
*** gyee_ has joined #openstack-keystone18:12
morganfainbergThat's the standard filter stuff right. ?18:13
morganfainbergSorry walking to internet.18:13
morganfainbergOn phone.18:13
morganfainbergHard to look at code.18:13
ayoungNo problem18:14
morganfainbergWill be at the coffee shop in 5or so18:14
morganfainbergJust ordered new internet today. So should be installed tomorrow. Just in time to go to Paris :P18:15
*** tellesnobrega_ has joined #openstack-keystone18:15
*** thedodd has joined #openstack-keystone18:20
*** raildo_ has joined #openstack-keystone18:24
*** lihkin has joined #openstack-keystone18:25
*** lihkin_ has joined #openstack-keystone18:26
morganfainbergayoung, yeah i think we need smarter policy enforcement then18:27
morganfainbergfor special usecases we could use the callback which supplants the normal enforcement, but that is not generic - it's specific for each call18:27
*** mitz_ has quit IRC18:28
*** lihkin_ has quit IRC18:28
ayoungmorganfainberg, yeah.  If you don't enforce it right down at the database level, you can always do an end run around enforcement18:28
ayoungits one of the reasons that LDAP and hiererachical database survived the fallout of their battle with Relational Databases18:28
morganfainbergi've long been a fan of LDAP for the right scenarios18:30
*** saipandi_ has joined #openstack-keystone18:30
morganfainbergexample: what we used it for at blizzard.18:30
*** marcoemorais has joined #openstack-keystone18:32
*** ks-untriaged-bot has joined #openstack-keystone18:34
ks-untriaged-botUntriaged bugs for project keystone:18:34
uvirtbotLaunchpad bug 1384789 in keystone "XmlBodyMiddleware driver is deprecated, probably shouldn't still be the default" [Undecided,New]18:34
uvirtbotLaunchpad bug 1384112 in keystone "endpoint, service, region can not be updated when using kvs driver" [Undecided,In progress]18:34
uvirtbotLaunchpad bug 1384775 in keystone "revoke driver default should be the non-deprecated driver" [Undecided,New]18:34
uvirtbotLaunchpad bug 1361360 in cinder "Eventlet green threads not released back to the pool leading to choking of new requests" [High,In progress]18:34
uvirtbotLaunchpad bug 1384382 in keystone "GET /OS-FEDERATION/saml2/metadata does not work" [Undecided,In progress]18:34
uvirtbotLaunchpad bug 1381365 in ossa "SSL Version and cipher selection not possible" [Undecided,Won't fix]18:34
uvirtbotLaunchpad bug 1385405 in keystone "Domain backed by a populated read-only domain-specific LDAP identity backend cannot be deleted" [Undecided,New]18:34
uvirtbotLaunchpad bug 1384457 in keystone "Self value in Link  is wrong in  GET /OS-REVOKE/events" [Undecided,In progress]18:34
uvirtbotLaunchpad bug 1384377 in keystone "Policy rule position errors" [Undecided,New]18:34
uvirtbotLaunchpad bug 1384365 in keystone "Domain admin should be allowed to show their domain" [Undecided,In progress]18:35
ks-untriaged-botUntriaged bugs for project python-keystoneclient:18:35
uvirtbotLaunchpad bug 1377080 in python-keystoneclient "Stale endpoint selection logic in keystone client" [Undecided,In progress]18:35
uvirtbotLaunchpad bug 1372710 in python-keystoneclient "cfn-push-stats fails to authenticate" [Undecided,Incomplete]18:35
ks-untriaged-botUntriaged bugs for project keystonemiddleware:18:35
uvirtbotLaunchpad bug 1357567 in python-keystoneclient "auth_ref caching/retrieving is failing - user needs to provide password for every command" [Undecided,New]18:35
uvirtbotLaunchpad bug 1384898 in keystonemiddleware "auth_token middleware should not require OS-SIMPLE-CERT extension for v3" [Undecided,Confirmed]18:35
*** ks-untriaged-bot has quit IRC18:35
*** saipandi has quit IRC18:36
ayoungmorganfainberg, you used LDAP for untriaged Keystone bugs?  You have been holding out on us.18:38
lbragstadhi ks-untriaged-bot!18:38
morganfainbergayoung, hah, no.18:39
morganfainbergayoung, but i did use LDAP extensively at Blizzard, even supported global replication18:39
morganfainberga lot of C/C++ and Python integration18:39
morganfainbergi just keep my head down most of time time when people talk about LDAP.18:39
lhchengrodrigods: ping18:39
ayoungmorganfainberg, the thing is, even LDAP in a hierarchical database doesn't really support the type of ABAC we are discussing here18:40
ayoungit really would be something at the SQLAlchemy level anyway18:40
morganfainbergayoung, are we keeping revoke? KVS18:41
uvirtbotLaunchpad bug 1384775 in keystone "revoke driver default should be the non-deprecated driver" [Undecided,New]18:41
rodrigodslhcheng, pong18:42
*** gyee_ has quit IRC18:43
lhchengrodrigos: Question about HM, when it is implemented on keystone.  Are there more work needed to allow  admin from top-level project to administer quota for sub-level projects?  Or would the inherited roles in HM take care of that?18:44
*** tellesnobrega_ has quit IRC18:45
morganfainbergrodrigods, ping:
uvirtbotLaunchpad bug 1384382 in keystone "GET /OS-FEDERATION/saml2/metadata does not work" [Undecided,In progress]18:45
morganfainbergrodrigods, so, your patch is needed or a fixed config solved it?18:46
morganfainbergrodrigods, not clear by the comments in the bug18:46
*** raildo_ has quit IRC18:47
morganfainbergbknudson, so for are we providing a fix as described in the bug? just to eliminate sslv3 ?18:47
uvirtbotLaunchpad bug 1381365 in ossa "SSL Version and cipher selection not possible" [Undecided,Won't fix]18:47
bknudsonmorganfainberg: the fix that I proposed is to allow picking the ssl version and cipher selection...18:48
bknudsonbut note that it's incorrect.18:48
morganfainbergbknudson, ok18:48
bknudsonit allows you to select TLS1 but not to pick SSLv23 - SSLv3 - SSLv2.18:48
bknudsonso it needs to be updated.18:49
bknudsonI didn't understand how it worked. It's pretty goofy.18:49
rodrigodsmorganfainberg, the lbragstad patch fixed it18:49
morganfainbergbknudson, right ok, will classify this as medium then, based on the exposure (and that please please please don't use eventlet to run SSL) it's not super crazy critical18:49
bknudsonI agree. It's not really a bug.18:50
morganfainbergactually then, wishlist?18:50
bknudsonwishlist makes more sense18:50
bknudsonthink we should move the eventlet server options into their own section of the config?18:51
morganfainbergbknudson, thats a damn goot idea18:51
bknudsonit might confuse someone to think they disabled sslv3 when they're running in httpd18:52
dolphmmorganfainberg: why is there not a backend_argument option in [kvs]?18:55
morganfainbergdolphm, hm. sec. i think this relates to "morganfainberg forgot important options"18:56
morganfainbergbut let me 2x check that before i take all the blame18:56
dolphmmorganfainberg: (or, how else do you configure the dogpile backend?)19:01
dolphmmorganfainberg: does it share config with [cache] or something? :-/19:01
morganfainbergthere is a way19:01
dolphmmorganfainberg: we're not testing that config in devstack or anything, right?19:01
morganfainbergnot directly19:02
morganfainbergwe have unit tests for most of that, but it's not functionally tested19:02
morganfainbergthere is no direct way to set that value atm19:04
dolphmmorganfainberg: then how do configure19:05
morganfainbergthe way we do it for memcached is the class sets it for you19:05
dolphmmorganfainberg: so for non-memcached we need a custom class?19:05
morganfainbergit's passed through to the constructor for the KVS region (common) class.19:05
morganfainbergbasically yes, there is no "generic" way to configure the token KVS backend to use something19:06
morganfainbergeach one would need a custom class.19:06
dolphmmorganfainberg: so do we want to support other kvs backends out of the box, in tree?19:07
morganfainbergi thought i had a way to make it work.19:07
* morganfainberg looks again19:07
ayoungI want to be able to git clone
*** amakarov is now known as amakarov_away19:07
morganfainbergi'd be happy with an HTML version that let me link to a specific timestamp19:07
morganfainbergdolphm, oooh19:08
*** lhcheng_ has joined #openstack-keystone19:08
morganfainbergi think i found a bug looking into this19:08
morganfainbergoh nvm19:08
*** lhcheng_ has quit IRC19:08
morganfainbergdolphm, i think we should move to making the KVS backend "generically" configurable19:08
morganfainbergdolphm, if we're keeping it (we have memcache, we have a dogpile mongo driver we could support mongo [excluding license questions])19:09
morganfainbergmoving to a single "KVS" backend would make a lot of sense instead of needing mongo, memcache, redis, etc all specificaly called out - unless we want deployer experience better whichc ase each of those could have a clearer set of options19:10
* morganfainberg needs to revisit oslo.cache19:10
morganfainbergi think we can make this *way* better if we make a generic lib like that and convert over to it19:11
dolphmmorganfainberg: we were looking at backing to redis at the moment19:11
morganfainbergi like redis a lot19:11
morganfainbergit has issues with clustering (or did last i looked)19:11
morganfainbergi think it is a MUCH better target than memcached, and should be the recommendation for persisting tokens tbh19:11
morganfainbergunless you *need* the SQL backend.19:12
dolphmmorganfainberg: so for juno, we have to extend token.persistence.backends.kvs.Token with a redis.Token -- worth upstreaming that for kilo? or would you rather pursue improving the configuration flexibility of the base kvs.Token class?19:12
morganfainbergdolphm, so, lets take a look at deployer experience.19:12
* morganfainberg takes off developer hat19:12
dolphmmorganfainberg: i am having the deployer experience right now19:13
* morganfainberg dusts off deployer hat19:13
morganfainbergdoes configuring [kvs]/backend=redis (+ all the specific options)19:13
morganfainbergmake life better? or would it make sense to make  a token driver that worked like19:13
morganfainbergor make "smart" choices in [token] based on driver=token.persistence.backend.redis.Token (omg we're fixing this with stevedore this cycle)19:14
morganfainbergi lean towards just assigning [token]/driver= and having redis "smart" options rather than saying [token]driver=kvs + needing to no arcane ways to getting redis and redis options selected19:16
morganfainbergthe problem is it is more to maintain in-tree.19:16
openstackgerritLance Bragstad proposed a change to openstack/keystone: Remove XML support
dolphmmorganfainberg: do we really need anything more than backend_arguments (key/value pairs?)19:16
dolphmto support like
morganfainbergdolphm, sadly a lot of the arguments aren't straight key/string_Value19:16
morganfainbergin redis i think they are all string values19:17
morganfainbergwow. redis has grown some neat features.19:18
lbragstadbknudson: I had to update the commit message here:
morganfainbergtoo bad dogpile has to cater to lowest common feature set (read: memcached)19:18
bknudsonlbragstad: how's the tempest change going?19:19
lbragstadfwiw, mtreinish has +2'd both of the devstack changes for XML removal19:19
morganfainbergdolphm, the only concern i really have *wearing deployer hat* is that with kvs + key-value configs, we don't explciitly document the options, it's a bit arcane to know what to pass to the backend to make redis behave19:19
lbragstadso, we're going to merge the devstack changes first19:19
lbragstadwe still need to test XML support for icehouse and juno releases19:19
lbragstadonce those two merge, we will merge the tempest change19:20
morganfainbergdolphm, i think the reason KVS doesn't have these options is because the original idea was those options would be per-subsystem (e.g. Identity would have it's own KVS options, so it didn't need to share a backend with token)19:20
ayoungmorganfainberg, lets use that as an example for
lbragstadbknudson: after that, we can merge the Keystone change19:21
lbragstadlot of moving parts19:21
bknudsonthere should be a git repo for tracking.19:21
morganfainbergayoung, ++ that is a good example, similar to "SQL backends might differ between Identity and Assignment" or "LDap <same as previous statement>"19:21
morganfainbergbknudson, i want cross-project depenedencies in Zuul19:22
*** _cjones_ has quit IRC19:22
ayoungyeah,  #1 issue for using IofC/DI  is naming of remote resources19:22
bknudsonthat would do it.19:22
morganfainbergDependsOn: XXXX19:22
morganfainbergbknudson, iirc there has been some work on it19:22
morganfainbergjust not sure where it stands19:22
*** _cjones_ has joined #openstack-keystone19:22
lbragstadyeah, that would be cool19:22
ayoungso I fetched all of evesdrop logs for this channel19:22
ayoung grep ayoung *.log | wc -l19:23
ayoungwget -r -l 1 -w 1 -t 1 -T 5 -nd -k -e "robots=off"
bknudsonhow many lines in keystone?19:23
ayoungI need a way to do that incrementally19:23
ayoung  181978 total19:23
morganfainbergayoung, i bet you could make infra changes to make it a git repo.19:23
morganfainbergand have it commit changes once a <interval>19:23
morganfainbergayoung, you could also use RSYNC19:24
morganfainbergfor incremental19:24
bknudsonI don't want to have to review all those logs.19:24
ayoungrsync and wget?19:24
morganfainbergbknudson, LOL19:24
morganfainbergi kinda want all the IRC logs in elasticsearch19:25
ayoungI know that you are making a joke, but what really has me laughing is knowing that, for one fraction of an instant, you actually had that thought for real19:25
*** _cjones_ has quit IRC19:25
* morganfainberg ponders what volume of nodes would be needed for that.19:25
morganfainbergit really isn't *that* much data.19:25
ayoung17 M19:26
morganfainbergthe question is how do you group conversations...19:26
morganfainbergi don't think elsaticsearch does that well19:27
*** vejdmn has quit IRC19:27
ayoungmorganfainberg, It discounts all of the openstack-dev discussions from before we moved to our own channel.  THat used to be defacto #openstack-keystone19:27
morganfainbergayoung, gthats fine19:27
morganfainbergayoung, i ignore those dark days now >.>19:27
morganfainbergdolphm, so i think short term, i'd upstream the dedicated Redis driver.19:29
morganfainbergdolphm, mostly so we can say "stop using memcached, here is a good alternative"19:29
morganfainbergdolphm, long term we should make KVS backend waaaaaaay more capable so the "smart" choices we make as sane defaults can be mucked with if someone really has a need. (doing really crazy dogpile things)19:30
morganfainbergayoung, *random thought* wonder if we could come up with a fusion-drive (hard disk concept) like construct in python that used in-memory data structures, auto cleanup and kept hot data localized (read faster than even memcached) creating a smart tiered caching system.19:32
ayoungisn't that what you are writing with dogpile?19:32
morganfainbergayoung, e.g. <hot content> | dogpile/Kvs/Memcached | Stable Slow Storage19:32
morganfainbergnot exactly, dogpile is pretty limited memoization19:32
ayoungwell, what makes sense depends on the threading model of the web server19:33
morganfainbergi mean, really build in for openstack the async runners that dogpile uses and layer dogpile via a proxy to keep common content really really fresh19:33
morganfainbergand in local process mem19:33
morganfainbergdogpile supports the concept of using an async runner for refreshing content/data.19:33
morganfainbergin eventlet it's easy to figure that bit out, in apache more difficult.19:34
* morganfainberg goes back to things we can actually accomplish before the summit :)19:34
morganfainbergayoung, and
ayoungmorganfainberg, sounds good19:39
ayoungmorganfainberg, I would not have labeled either of those sessions that way...19:39
* ayoung needs to read up on congress19:40
* ayoung needs to refrain from using that term in conjunction with unlawful19:40
*** gyee_ has joined #openstack-keystone19:48
ayoungmorganfainberg, so  just saw this in #freeipa:19:55
ayoung<tjaalton> now the first milestone is accomplished19:55
ayoung<tjaalton> as in, first ipa release with both server and client working on debian19:55
*** pc-m has quit IRC19:56
morganfainbergi'm .. i'm really stoked19:57
ayoungmorganfainberg, Timo is on my "I owe a beer" list20:00
dstanekmorganfainberg: i'd love to talk about your in memory cache ideas at the summit20:00
morganfainbergayoung, s/owe beer/owe a case of beer or whiskey/20:00
morganfainbergdstanek, ++20:00
*** lhcheng has quit IRC20:00
*** marcoemorais has quit IRC20:01
*** lhcheng has joined #openstack-keystone20:01
*** marcoemorais has joined #openstack-keystone20:01
*** lihkin has quit IRC20:05
lbragstadayoung: are we doing beer floats in Paris?20:06
ayounglbragstad, Nope...Something with Wine20:06
nkinderwine floats?  Not sure how well that would work out...20:07
ayoungI'm more thinking Jam session20:08
*** _cjones_ has joined #openstack-keystone20:09
ayoungNkinder pair the FreeIPA thing with
* morganfainberg kicks internet20:12
nkinderayoung: yeah, I saw that20:12
*** vejdmn has joined #openstack-keystone20:12
ayoungnkinder, sometimes you need to lead the target by a couple years20:13
*** _cjones_ has quit IRC20:13
ayoungNow we need to get launchpad ported over to FreeIPA20:13
ayoungsuspect that will require Ipsilon thogh20:14
ayoungneed to support openid etc.20:15
dstanekI'll bring my IV bag for all the beer20:16
*** marcoemorais has quit IRC20:16
ayoungnkinder, does 389 have any way to plugin in an external policy check for ACL enforcement?20:16
nkinderayoung: not trivially.  What are you trying to do?20:17
ayoungnkinder, ABAC20:17
ayoungnkinder, specificially...20:17
dstaneki'm super paranoid about bring my Macbook to Paris and was thinking about buying a Chromebook to tote along. am i too paranoid?20:18
ayoungthere was a request to be able to provide access control all the way down to individula attributes20:18
rodrigodsdstanek, super20:18
ayoungnkinder, and I was wondering if the answer to the ultra paranoid was to use 389 ACLs for that kind of thing20:19
ayoungnkinder, something like  applying RBAC ontop  of the 389 ACLs20:19
ayoungwith the roles come from Keystone20:19
ayoungI know that row level access control in SQL is messy, was wondering if maybe for the super sensitive stuff 389 might make more sense20:20
ayoungtrying to avoid reinventing things20:20
nkinderayoung: not sure.  The 389 ACLs are powerful, but pretty hairy20:21
ayoungnkinder, I wrote this a while ago:
ayoungso it would work for Designate20:21
ayoungusers and groups too,  so we could cover the Identity side of Keystone.20:21
ayoungIf we put assignment in LDAP, it would work for that too.20:22
*** andreaf_ has quit IRC20:22
ayoungnkinder, it would be hideously inapproriate use of the technology, but what if....20:22
ayoungwe used the FreeIPA role management for Keystone roles?20:23
*** marcoemorais has joined #openstack-keystone20:23
ayoung2012.  Prehistory20:24
*** r1chardj0n3s_afk is now known as r1chardj0n3s20:24
*** raildo has quit IRC20:25
ayoungr1chardj0n3s, do you have a public demo of angboard?20:26
r1chardj0n3sayoung: no public demo, but I did put to gether a little demo vid20:26
ayoungr1chardj0n3s, I have a keystone server up on the dreamhost demo machine20:27
ayoungwhat do I need:  keystone, nova?20:27
ayoungr1chardj0n3s, OK if I share that?20:27
nkinderayoung: using to install OSC is not at all happy with the auth plugin stuff.  Guess I'll have to go back to pip install -e20:27
ayoungnkinder, too bad20:28
r1chardj0n3sayoung: sure20:28
ayoungnkinder, ^^ is the Horizon replacement in Javascript.20:29
nkinderayoung: yeah, I get "'Namespace' object has no attribute 'os_auth_type'" when it loops through the available plugins20:29
ayoungnkinder, that sounds like a mismatch oin the CLI param20:29
ayoungos_auth_type  vs os-auth-plugin20:30
ayoungr1chardj0n3s, you going to Paris?20:30
nkinderayoung: it might be some weirdness between the RPMs on the system and the OSC install from git20:30
nkinderayoung: just not sure why it would work when doing an editable install via pip20:31
r1chardj0n3sayoung: yes, I am20:31
ayoungyou sure you don't have the old OSC again?20:31
ayoungr1chardj0n3s, Awesome20:31
*** jorge_munoz has quit IRC20:31
r1chardj0n3sayoung: I assume you'll be there? :)20:32
ayoungr1chardj0n3s, yes20:32
r1chardj0n3sayoung: cool20:32
ayoungand lots of people interested in this20:32
ayoungr1chardj0n3s, need you involved on the "how do web apps interact with keystone" type discussions20:32
ayoungr1chardj0n3s, like SAML20:33
r1chardj0n3sayoung: that sounds scary :)20:33
ayoungDon't fear the Penguin20:33
r1chardj0n3sayoung: but yes, I think that's one of many discussions I'm going to be having20:33
ayoungof corse20:33
r1chardj0n3sayoung: my primary goal is to try to promote angboard ;)20:33
r1chardj0n3sayoung: or if not it, then something very much like it20:33
ayoungr1chardj0n3s, "You've got my sword!"20:33
ayoungnow give it back20:34
ayoungr1chardj0n3s, I assume everything there is working through the service catalog that you get back from Keystone?20:35
ayoungLike, determining which Nova server to call and so on?20:35
r1chardj0n3sayoung: yes20:36
ayoungr1chardj0n3s, OK, I have a server that I can put this up on internally.  Let me check it out there,  and I might do a devstack on  the dreamhost demo site to make it publically available.  Unless you want to do that?20:36
r1chardj0n3splease, go for it20:37
ayoungr1chardj0n3s, I was hoping you would say "nah I've got it covered"20:37
*** _cjones_ has joined #openstack-keystone20:37
ayounga demo is worth a 1000 meetings20:37
ayounga prototype that is20:37
r1chardj0n3sayoung: hahah, yeah, I should try to get it up and running, yeah20:38
r1chardj0n3sayoung: I'll put it on my TODO. shouldn't be difficult20:38
ayoungr1chardj0n3s, I'd offer to provide space, but it looks like your employer should make that available20:38
ayoungnkinder, I think I need to go rework the horizon patches to be in line with jamielennox 's latest change20:39
r1chardj0n3sayoung: indeed :)20:39
ayoungr1chardj0n3s, what I would like to have is angboard working with a kerberized web server.20:40
ayoungYou are using something for dev, but I assume it would work in Apache HTTPD?20:40
nkinderayoung: ok, so installing via ends up leaving some of the older OSC .py files form the RPM in site-packages20:41
nkinderayoung: so it's some frankenstein setup20:41
ayoungwe'll get there20:41
ayoungnkinder, I had hacked out the PBR stuff in an earlier version of my patch,  I think jamie replaced it (or maybe I did )  but I wonder if that would solve the problem20:42
nkinderayoung: ok, if I uninstall the OSC RPM, it works20:42
r1chardj0n3sayoung: I know very little about kerberos :/20:42
ayoungr1chardj0n3s, its OK, I know Kerberos20:43
nkinderayoung: I think assumes some of it is already installed and leaves old files in place20:43
ayoungnkinder, ah, probably20:43
nkinderayoung: let me try a new setup that doesn't use the RPM at all...20:43
ayoungnkinder, and I take it packstack installs OSC, so probably rpm -e and then git20:43
nkinderayoung: nope, I do it explicitly20:43
nkinderayoung: I may still want to install, then remove it to satisfy deps20:43
ayoungso, like I said, rpm -e and then git20:44
*** vejdmn has quit IRC20:44
r1chardj0n3sayoung: I would like to help you get kerberos PR against angboard :)20:45
nkinderayoung: I WILL have a fully-automated kerberized keystone today.  I'm determined. :)20:46
ayoungr1chardj0n3s, I have a public Kerberos setup we can use20:46
morganfainbergnkinder, ^_^20:46
morganfainbergnkinder, if i can help at all, let me know.20:46
ayoungmorganfainberg, he already has it.  Its just the OSC bit that is taking tweaking20:46
morganfainbergeven if it's just "hey look how cool this is"20:46
ayoungmorganfainberg, the issue is PBR and entrypoints20:46
r1chardj0n3sayoung: cool20:46
ayoungmorganfainberg, if you review
ayoungtry using epi (entry point inspector)20:47
ayoungand ... well, see for yourself20:47
ayoungr1chardj0n3s, let me see what my current setup looks like20:47
nkindermorganfainberg: I can mannually get it working, but it's just automation hassles since I'm installing patches from gerrit and cobbling it all together20:48
ayoungnkinder, how hard would it be for your script to run against an existing FreeIPA server?20:48
nkinderayoung: not too hard20:48
nkinderayoung: you'd just need to pass in some details about the IPA server20:48
ayoungnkinder, once we get this working, I'd like to try to have it up for younglogic.net20:48
nkinderayoung: we should be able to extract what you need20:49
nkinderayoung: my scripts actually create VMs from scratch and set up everything20:49
nkinderayoung: I think you probably just want the configuration part of it20:49
ayoungnkinder, yeah, not VMs,20:50
ayoungI could probably start with just packstack20:50
nkinderayoung: I also avoided using curl for anything, so it's entirely using OSC for the operations against keystone20:50
ayoungactually, I have a kerberized Keystone already, I need nova and glance20:50
nkindergood testing of OSC with domains that way20:50
ayoungr1chardj0n3s, we can work on the rest next week. I'll work with nkinder in getting the rest of the OpenStack stuff up and running.  I might be able  to get as far as angboard.20:52
r1chardj0n3sayoung: \o/20:53
*** gyee_ has quit IRC21:00
*** NM has quit IRC21:01
*** gyee_ has joined #openstack-keystone21:05
*** gyee_ has left #openstack-keystone21:07
*** topol has quit IRC21:10
*** marcoemorais has quit IRC21:23
richmWould updating a user to change the tenant cause any updates in the identity backend?21:24
*** marcoemorais has joined #openstack-keystone21:24
richmI'm trying to setup keystone with puppet to use an ldap identity backend with users already created in ldap21:24
*** lhcheng has quit IRC21:24
*** fifieldt_ has joined #openstack-keystone21:26
*** nellysmitt has quit IRC21:28
*** nellysmitt has joined #openstack-keystone21:29
*** marcoemorais has quit IRC21:29
*** lhcheng has joined #openstack-keystone21:29
*** marcoemorais has joined #openstack-keystone21:29
*** fifieldt has quit IRC21:30
ayoungrichm, ?21:32
ayoungupdating a user to change the tenant?21:32
ayoungyou mean default tenant?21:32
ayoungwhat call21:32
*** nellysmitt has quit IRC21:33
*** lhcheng has quit IRC21:35
*** r1chardj0n3s is now known as r1chardj0n3s_afk21:36
*** lhcheng has joined #openstack-keystone21:38
*** marcoemorais has quit IRC21:40
*** thedodd has quit IRC21:40
nkinderayoung, morganfainberg:
morganfainberganyone know how to define named anchors in markdown that is more friendly than <a name="THING">&nbsp;</a> ?21:43
ayoungmorganfainberg, not it21:43
ayoungmorganfainberg, don't you get them with <h> tags?21:44
morganfainbergayoung, trying to get anchors to work in that blog post21:44
ayoungmorganfainberg, one sec21:44
morganfainbergmarkdown, the goal is to be able to do <url>#Policy21:44
ayoungwe get them in the markdown for identity-api21:44
nkinderayoung: Those are the only commands I ran after '' that built all of the VMs from scratch.21:44
ayoungnkinder, So, I changed my mind:  I do want to create the virtual machines21:45
nkinderayoung: ok, I'll check my automation in somewhere you can get at it.21:45
nkinderayoung: I just need to switch it over to use centos repos so it can be useful to everyone21:45
ayoungnkinder, I can do a complete packstack install, but want to use an existing IPA server21:46
nkinderayoung: I use some internal repos for RHEL out of convenience right now21:46
ayoungFmily just invaded21:46
morganfainbergayoung, nope, doesn't work with jeykll21:46
*** marcoemorais has joined #openstack-keystone21:48
*** mrmoje has joined #openstack-keystone21:48
*** ayoung has quit IRC21:51
*** nellysmitt has joined #openstack-keystone21:55
*** nellysmitt has quit IRC21:55
*** sigmavirus24 is now known as sigmavirus24_awa21:58
*** saipandi_ has quit IRC22:02
*** saipandi has joined #openstack-keystone22:03
*** dims_ has joined #openstack-keystone22:03
openstackgerritgordon chung proposed a change to openstack/keystonemiddleware: documentation for audit middleware
*** marcoemorais has quit IRC22:03
*** marcoemorais has joined #openstack-keystone22:04
*** dims__ has joined #openstack-keystone22:05
*** dimsum_ has quit IRC22:06
*** marcoemorais has quit IRC22:06
*** marcoemorais has joined #openstack-keystone22:07
*** marcoemorais1 has joined #openstack-keystone22:07
*** dims_ has quit IRC22:08
*** marcoemorais1 has quit IRC22:08
*** david-lyle has quit IRC22:08
*** marcoemorais1 has joined #openstack-keystone22:08
*** marcoemorais1 has quit IRC22:08
*** marcoemorais1 has joined #openstack-keystone22:09
*** marcoemorais has quit IRC22:11
*** rwsu has quit IRC22:14
*** david-lyle has joined #openstack-keystone22:17
morganfainbergdstanek, dolphm, lbragstad, nkinder, how does this read:
*** gordc has quit IRC22:18
morganfainbergdolphm, dolphm, lbragstad, nkinder. I'm adding it to my blog post, and i'm going to link each of the summit design sessions to these sub sections as a way to help provide more detail [e.g. "pre-session reading"] on the topics. hopefully it'll help cut down on the "lets spend the first XXXX minute syncing up with the state of the world"22:19
morganfainbergthis is an idea based on Nova's "required reading" per session.. but since we don't have a ton of specs; that is to say we have summit sessions to help define the specs, we can't link to a specific spec.22:20
*** amcrn has joined #openstack-keystone22:22
*** gyee has joined #openstack-keystone22:29
*** marcoemorais1 has quit IRC22:31
openstackgerritOpenStack Proposal Bot proposed a change to openstack/keystone: Updated from global requirements
nkindermorganfainberg: looks good aside form the fact that you misspelled 'truly' :P22:37
*** bknudson has quit IRC22:37
nkinderbah, and I misspelled/typod 'from'22:37
morganfainbergnkinder, so i added it to the session:
morganfainberg"pre-session reading" or should a change that to "recommended pre-session reading"?22:38
morganfainbergi don't think i can make it a link though :(22:39
morganfainbergor should i not put it in the schedule like that?22:39
morganfainbergi guess i could just put it in the etherpad(s)22:40
*** arunkant has quit IRC22:43
*** htruta has quit IRC22:43
*** wpf has quit IRC22:43
*** gsilvis has quit IRC22:43
*** gsilvis has joined #openstack-keystone22:43
*** htruta has joined #openstack-keystone22:44
*** arunkant has joined #openstack-keystone22:44
*** wpf has joined #openstack-keystone22:44
*** marcoemorais has joined #openstack-keystone22:45
morganfainbergoh crud...22:57
*** harlowja is now known as harlowja_away23:00
*** marcoemorais has quit IRC23:04
*** joesavak has joined #openstack-keystone23:10
*** raildo has joined #openstack-keystone23:11
nkindermorganfainberg: bummer it won't let you create a link in the sched page :(23:12
morganfainbergI might put it there anyway.23:13
*** jsavak has joined #openstack-keystone23:15
*** alex_xu has joined #openstack-keystone23:17
raildomorganfainberg, what do you think?
*** joesavak has quit IRC23:19
*** harlowja_away is now known as harlowja23:24
*** jsavak has quit IRC23:25
*** packet has joined #openstack-keystone23:33
*** david-lyle has quit IRC23:34
morganfainbergraildo, we definitely need to look at the reseller use case23:36
morganfainbergas well23:36
raildoi agree23:36
raildothe other alternative that I can see is project come to be the container of users23:38
raildobut I believe we have much to discuss about it23:38
morganfainbergi added / fixed a couple of lines on the etherpad23:38
morganfainbergalso added the link
raildook, thanks23:39
morganfainbergthat link sums up what I think the HM session should be covering / sets the stage for where we currently are23:40
raildoDo you agree that the policy v3 needs to be the default?23:41
*** chrisshattuck has joined #openstack-keystone23:41
raildoI will complement the document with the issues of your link.23:42
morganfainbergi think the v3cloud policy needs to be the default regardless of HM support23:42
*** david-lyle has joined #openstack-keystone23:44
raildoabsoluty, HM is just another use case for v3cloud policy23:44
raildoDo you have seen something about the implementation of hierarchical quotas in Nova?23:46
morganfainbergtalked with jogo on that topic actually not too long ago23:46
raildogreat :)23:47
raildoits a good solution for expand HM for Nova and  to improve the HM concept for other services.23:48
*** david-lyle has quit IRC23:49
raildoI have some concern about a possible removal of domains, it would not be a big impact on other features as Federation, domain-specific backend?23:53
morganfainbergdomains would stay in23:58
morganfainbergthe difference would be what we "call a domain"23:58
morganfainbergbasically a domain would be a top-level project (no parent)23:58
morganfainbergbut projects would accquire all other domain capabilities23:59
morganfainbergwe can't "remove" domains without breaking API compatibility, but we can make projects way way more featureful23:59
gyeemorganfainberg, raildo, I'll add the rule ownership & visibility stuff later, stilling thinking it through23:59

Generated by 2.14.0 by Marius Gedminas - find it at!