Wednesday, 2014-11-12

*** shakamunyi has joined #openstack-keystone		00:02
henrynash	gyee: hmm, that’s a good point….ahev to think about that	00:02
*** amcrn has joined #openstack-keystone		00:02
*** david-lyle is now known as david-lyle_afk		00:03
morganfainberg	henrynash, gyee, as long as we have one mechanism in the end and not two distinct mechanisms that do functionally the same thing, i'm happy	00:04
gyee	morganfainberg, conceptually, role groups and hierarchical roles are the same thing	00:05
morganfainberg	gyee, right	00:05
gyee	especially if we support nested groups	00:05
morganfainberg	gyee, hence the "lets not make 2 different systems"	00:05
morganfainberg	:)	00:05
gyee	++	00:05
rodrigods	morganfainberg, for a feature be in Kilo, its spec needs to be accepted until Kilo-1, right?	00:06
morganfainberg	rodrigods, specs can be accepted until Kilo2	00:07
morganfainberg	rodrigods, but the sooner the better!	00:07
rodrigods	morganfainberg, working with kilo 1 here (HM evolution)	00:07
rodrigods	(the spec)	00:07
morganfainberg	right	00:07
morganfainberg	if you can land it by kilo1 even btter.	00:08
rodrigods	we really appreciate the confidence in our work, thank you all =)	00:08
morganfainberg	rodrigods, seriously, you guys have been doing good work. I honestly can't ask for more.	00:08
*** shakamunyi has quit IRC		00:09
rodrigods	morganfainberg, thanks! really enjoying implementing this stuff	00:09
*** shakamunyi has joined #openstack-keystone		00:10
*** henrynash has quit IRC		00:10
*** shakamunyi has quit IRC		00:15
gyee	morganfainberg, https://review.openstack.org/#/c/131575/	00:20
gyee	we've got to do something to help performance, either reuse or AE token	00:21
morganfainberg	gyee, AE is more in line, reuse i'm wholly against	00:21
morganfainberg	gyee, look at my comment, it was implied AE was the direction i just didn't call it out	00:21
gyee	I am totally fine with AE, just need ayoung to unblock	00:21
morganfainberg	gyee, that isn't going to happen until after we do the cleanup [ the battle on AE at that point is "we should do it cause it makes life better" not massive re-implementation we throw out tons of code for ]	00:22
morganfainberg	gyee, discussed this a lot w/ dstanek @ the summit	00:22
morganfainberg	you were part of those convos	00:22
morganfainberg	iirc	00:22
gyee	exactly	00:23
morganfainberg	so, yes and yes :)	00:23
morganfainberg	i'd much rather make uuid tokens way friendlier (even if they're not uuid anymore)	00:23
gyee	but this is not a massive reimpl	00:24
morganfainberg	this will be because of the way the providers work	00:24
morganfainberg	let me split my non-persistence spec - talk tomorrow about this?	00:24
gyee	k	00:24
morganfainberg	gyee, you'll see where AE fits once that is done	00:24
gyee	k	00:24
*** Viswanath has joined #openstack-keystone		00:25
morganfainberg	but the short is: fix token issuance pipeline, layer non-persistence on top of that [PKI] AE works the same (needs basically 3 methods: 1) issue, 2) validate, 3) get ID	00:25
morganfainberg	not issue v2, issue v3, etc etc etc	00:25
gyee	amen!	00:25
morganfainberg	if we add AE it's going to add a lot more refactoring to get the cleanup done.	00:25
morganfainberg	so AE comes post cleanup	00:25
* morganfainberg grumbles... sigh I have packet loss.		00:26
gyee	and we are going to freeze the interface this time?	00:26
morganfainberg	gyee, the interface for the token provider will be a hard-contract	00:26
morganfainberg	same as the REST API	00:26
gyee	w00t!!!!	00:26
morganfainberg	if we change it we need an adapter layer to handle the change (for transition period)	00:27
gyee	or version it	00:27
morganfainberg	how many people did we have lass midcycle? dolphm, dstanek?	00:27
morganfainberg	gyee, same net effect	00:27
gyee	we are having it in Sunnyvale this time?	00:27
morganfainberg	gyee, that is my general hope.	00:28
morganfainberg	might be mountain view.	00:28
morganfainberg	i'm trying to pin down space.	00:28
*** Viswanath has quit IRC		00:29
*** dims has quit IRC		00:30
*** dims has joined #openstack-keystone		00:30
rodrigods	morganfainberg, gyee, dates?	00:31
morganfainberg	rodrigods, I'm aiming for January 20-22	00:31
openstackgerrit	Jamie Lennox proposed a change to openstack/python-keystoneclient: Fix token_endpoint options https://review.openstack.org/133865	00:31
openstackgerrit	Jamie Lennox proposed a change to openstack/python-keystoneclient: Fix importing config module https://review.openstack.org/133866	00:31
*** shakamunyi has joined #openstack-keystone		00:31
jamielennox	simple 2 line fixes ^	00:31
morganfainberg	rodrigods, let me send out a survey on the ML so we can get real numbers.	00:31
rodrigods	morganfainberg, would love to be there, will try get my visa asap	00:32
morganfainberg	rodrigods, you should likely only need whatever visa would be required for a conference (fyi(	00:32
*** henrynash has joined #openstack-keystone		00:32
morganfainberg	rodrigods, since thats effectively what this is.	00:32
rodrigods	morganfainberg, yep, here the tourism/conference visa are issued together	00:33
rodrigods	just have to schedule a date and really depends on the demand	00:33
*** henrynash has quit IRC		00:41
*** lhcheng_ has quit IRC		00:46
*** nkinder has joined #openstack-keystone		00:47
*** zzzeek has joined #openstack-keystone		00:49
*** dims has quit IRC		00:52
*** dims has joined #openstack-keystone		00:52
*** amerine has quit IRC		00:58
*** zzzeek has quit IRC		01:13
*** amerine has joined #openstack-keystone		01:14
*** amerine has quit IRC		01:15
*** amerine has joined #openstack-keystone		01:15
*** amcrn has quit IRC		01:17
*** ChanServ sets mode: +o morganfainberg		01:18
*** morganfainberg changes topic to "Blocking reviews: https://gist.github.com/dolph/651c6a1748f69637abd0 \| Keystone Mid-Cycle survey: http://goo.gl/forms/4W7xVM9x49"		01:19
*** gokrokve has quit IRC		01:19
*** dims has quit IRC		01:21
htruta_	morganfainberg: I would really like having an option on the survey like "I hope to" :(	01:21
*** dims has joined #openstack-keystone		01:22
morganfainberg	htruta_, well I understand this is all tentative. I'd rather assume you are going if there is a good chance.	01:22
morganfainberg	or even medium chance	01:22
morganfainberg	htruta_, added an option for you	01:24
htruta_	morganfainberg: hahaha. just saw it. cool	01:25
*** gyee has quit IRC		01:27
*** jacorob has joined #openstack-keystone		01:34
*** wwriverrat has joined #openstack-keystone		01:36
*** sigmavirus24_awa is now known as sigmavirus24		01:38
*** amerine has quit IRC		01:40
*** Viswanath has joined #openstack-keystone		01:47
*** samuelms has quit IRC		01:50
*** Viswanath has quit IRC		01:51
*** htruta_ has quit IRC		01:52
*** dims has quit IRC		02:02
*** dims has joined #openstack-keystone		02:02
*** amerine has joined #openstack-keystone		02:06
*** diegows has quit IRC		02:07
*** amerine has quit IRC		02:11
*** marcoemorais has quit IRC		02:21
*** ayoung has joined #openstack-keystone		02:29
*** openstackgerrit has quit IRC		02:34
*** sluo_laptop has joined #openstack-keystone		02:45
*** tellesnobrega_ has joined #openstack-keystone		02:46
*** dims has quit IRC		02:50
*** dims has joined #openstack-keystone		02:50
stevemar	morganfainberg, getting some good feedback already :)	03:02
*** Viswanath has joined #openstack-keystone		03:22
*** Viswanath has quit IRC		03:25
*** marg7175 has joined #openstack-keystone		03:27
*** esp has joined #openstack-keystone		03:31
*** shakamunyi has quit IRC		03:32
*** boris-42 has quit IRC		03:37
*** alex_xu has joined #openstack-keystone		04:15
*** sigmavirus24 is now known as sigmavirus24_awa		04:19
*** stevemar has quit IRC		05:14
*** tellesnobrega_ has quit IRC		05:23
*** veena has joined #openstack-keystone		05:29
veena	Anybody, please help me in understanding how tenant creation happens and what happens in background when we run the command "keystone tenant-create". Who is responsible for tenant and user creation	05:30
*** marg7175 has quit IRC		05:34
*** richm has quit IRC		05:35
*** ajayaa has joined #openstack-keystone		05:44
*** boris-42 has joined #openstack-keystone		06:21
*** stevemar has joined #openstack-keystone		06:27
*** stevemar has quit IRC		06:28
*** stevemar has joined #openstack-keystone		06:28
*** k4n0 has joined #openstack-keystone		06:37
*** ukalifon1 has joined #openstack-keystone		06:54
*** nellysmitt has joined #openstack-keystone		06:56
*** amirosh has joined #openstack-keystone		07:12
*** nellysmitt has quit IRC		07:14
*** chmouel has quit IRC		07:17
*** chmouel has joined #openstack-keystone		07:19
*** nellysmitt has joined #openstack-keystone		07:36
*** marekd\|away is now known as marekd		07:38
*** chmouel has quit IRC		07:43
stevemar	marekd, ping	07:51
*** chmouel has joined #openstack-keystone		07:54
*** veena has quit IRC		07:57
*** veena has joined #openstack-keystone		07:59
*** jistr has joined #openstack-keystone		08:08
*** amerine has joined #openstack-keystone		08:12
*** nellysmitt has quit IRC		08:13
*** amerine has quit IRC		08:17
*** henrynash has joined #openstack-keystone		08:32
*** nellysmitt has joined #openstack-keystone		08:32
*** ajayaa has quit IRC		08:33
*** stevemar has quit IRC		08:34
*** ukalifon1 has quit IRC		08:36
*** veena has quit IRC		08:45
marekd	stevemar, sorry, missed your msg	08:48
*** afazekas has joined #openstack-keystone		08:59
ekarlso	jamielennox: https://review.openstack.org/#/c/130159/ wanna take a look at that ?	09:00
*** navid__ has quit IRC		09:03
marekd	rodrigods: ping	09:05
*** ukalifon has joined #openstack-keystone		09:06
*** jistr has quit IRC		09:06
*** amerine has joined #openstack-keystone		09:13
*** navid__ has joined #openstack-keystone		09:15
*** nellysmitt has quit IRC		09:17
*** amerine has quit IRC		09:18
*** nellysmitt has joined #openstack-keystone		09:19
*** ajayaa has joined #openstack-keystone		09:22
*** nellysmitt has quit IRC		09:22
*** alex_xu has quit IRC		09:23
*** jistr has joined #openstack-keystone		09:26
*** marekd has quit IRC		09:30
*** bdossant has joined #openstack-keystone		09:31
*** marekd has joined #openstack-keystone		09:34
*** samuelms has joined #openstack-keystone		10:04
*** jacorob has quit IRC		10:05
*** tellesnobrega_ has joined #openstack-keystone		10:11
*** ajayaa has quit IRC		10:16
*** aix has joined #openstack-keystone		10:18
*** tellesnobrega_ has quit IRC		10:23
*** tellesnobrega_ has joined #openstack-keystone		10:29
*** ajayaa has joined #openstack-keystone		10:38
*** diegows has joined #openstack-keystone		10:47
*** tellesnobrega_ has quit IRC		10:50
*** dims has quit IRC		10:54
*** dims has joined #openstack-keystone		10:55
*** Dafna has joined #openstack-keystone		11:02
marekd	morganfainberg: ayoung: so for the https://review.openstack.org/#/c/133037/ i feel this can be landed much faster rather then redoing mapping engine.	11:11
*** aix has quit IRC		11:14
*** amerine has joined #openstack-keystone		11:14
*** amerine has quit IRC		11:15
*** amerine has joined #openstack-keystone		11:15
*** amerine has quit IRC		11:19
*** tellesnobrega_ has joined #openstack-keystone		11:20
*** aix has joined #openstack-keystone		11:28
*** alex_xu has joined #openstack-keystone		11:39
ekarlso	jamielennox: is the session stuff supposed to do a discover if a token + endpoint is used ?	11:46
*** mflobo has quit IRC		11:51
*** nellysmitt has joined #openstack-keystone		11:53
ekarlso	jamielennox: I dont get it why when using the new auth plugin stuff with a token it requires a auth_url to be set ?!	11:59
ekarlso	does ksclient need for some weirdo reason to validate the token before heading the to service ?	11:59
*** lhcheng has joined #openstack-keystone		12:01
*** alex_xu has quit IRC		12:05
rodrigods	marekd, ping	12:11
ekarlso	australian seems to have gone to bed _,,-	12:13
*** jaosorior has joined #openstack-keystone		12:15
*** henrynash has quit IRC		12:53
*** tellesnobrega_ has quit IRC		12:56
*** tellesnobrega_ has joined #openstack-keystone		13:03
*** afazekas has quit IRC		13:06
*** thiagop has joined #openstack-keystone		13:10
*** richm has joined #openstack-keystone		13:11
marekd	rodrigods: nvm :-)	13:14
rodrigods	marekd, hey... checking the next steps list you've presented in the summit at the k2k presentation. what do you think we here give a hand at the mappings issues	13:20
*** amakarov_away is now known as amakarov		13:22
marekd	rodrigods: why not, however i am starting to feel we are trying to many things at the same moment.	13:31
rodrigods	marekd, that's true, where are efforts going on right now?	13:31
marekd	rodrigods: there was a ml thread from jdennis where he shared his experience with a mapping engine he wrote for opendaylight	13:32
marekd	you may find it interesting, good meritoric mails.	13:32
rodrigods	marekd, saw that, didn't have time to read through, though	13:32
marekd	rodrigods: maybe it's a good way to start	13:33
marekd	i admit i didn't read it either.	13:33
rodrigods	marekd, great	13:33
rodrigods	hehe	13:33
marekd	rodrigods: on the other hand	13:33
marekd	one thing thay is quite painful is ensuring the user_id is globally unique.	13:33
rodrigods	marekd, but if you think that we should help to polish something else...	13:33
marekd	rodrigods: https://review.openstack.org/#/c/133037/	13:34
marekd	review!	13:34
marekd	think if this change imply some security issues	13:34
marekd	one thing i would start thinking is also regulations for making user_id unique.	13:35
rodrigods	marekd, will review, I'm asking for your opinion in a big topic though (so we can keep busy here for some days/weeks) =)	13:35
rodrigods	hmm	13:35
marekd	so if you want to keep yourself busy i'd go and read jdennis'es doc and think what could be useful for us.	13:36
marekd	rodrigods: nkinder and ayoung were also talking about dynamic groups	13:37
*** ajayaa has quit IRC		13:37
marekd	i don't have any specific task in mind like 'impement this or that' - it's rather big picture thinking which probably can keep you busy for days :-)	13:37
marekd	and i am serious	13:37
rodrigods	marekd, great =)	13:38
marekd	rodrigods: oh	13:38
marekd	i just recalled one business usecase	13:38
rodrigods	trying to multitask here: HM, federation and policies =)	13:39
rodrigods	marekd, hmm	13:39
marekd	what with policies?	13:39
marekd	what exactly	13:39
marekd	rodrigods: so, imagine you have same set of groups in your idp and keystone	13:40
marekd	now, user should map idp groups to keystone groups	13:40
marekd	this is not possible today with current mapping engine	13:40
*** nellysmitt has quit IRC		13:41
rodrigods	marekd, hmm, group <-> group mapping?	13:41
marekd	kind of, but without explicit destination group specifying.	13:42
marekd	i want my epheremral federated user to become a member of keystone groups A,B,C as he is a member of groups A,B,C in my corporate LDAP	13:43
marekd	thanks to that i will be able to manage access by adding/reming users in my ldap	13:43
rodrigods	marekd, got it	13:43
marekd	not by chaning mapping rules	13:43
*** amaurymedeiros is now known as amaurymederos		13:43
rodrigods	that's a nice one	13:43
marekd	i think so too :-)	13:44
rodrigods	marekd, added to my list: read mappings email, same idp groups to keystone mapping	13:45
rodrigods	thanks!	13:45
marekd	rodrigods: read mapping email ?	13:45
marekd	rodrigods: you might have misunderstood me ;-)	13:45
rodrigods	marekd, "marekd> rodrigods: there was a ml thread from jdennis where he shared his experience with a mapping engine he wrote for opendaylight"	13:45
marekd	aaaaa	13:45
marekd	ok	13:45
marekd	sorry i misunderstood you todo bullet	13:45
rodrigods	haha	13:46
rodrigods	np	13:46
*** k4n0 has quit IRC		13:46
marekd	HP guy didn's respond me yet, but if he didn't setup k2k with proper crypto i'd try that one.	13:46
marekd	hopefully he will today, once he's awake.	13:47
rodrigods	marekd, it worked	13:47
rodrigods	=)	13:47
*** tellesnobrega_ has quit IRC		13:47
marekd	did he reply you ?	13:47
rodrigods	yep	13:47
rodrigods	regarding the certificates issue	13:47
rodrigods	he had an interesting idea: issue both SP and IdP certs with the same issuer	13:48
rodrigods	was going to try it quickly here	13:48
marekd	rodrigods: go ahead	13:48
rodrigods	marekd, not sure if will have the time, though	13:48
rodrigods	=/	13:49
marekd	rodrigods: so you are asking me for ideas to work to keep you busy and at the same time you are super busy? :P	13:49
rodrigods	marekd, haha no... today is a "special" day, full of meetings =P	13:50
marekd	aha	13:50
*** sigmavirus24_awa is now known as sigmavirus24		13:54
*** dims has quit IRC		13:56
*** dims has joined #openstack-keystone		13:56
*** jacorob has joined #openstack-keystone		13:59
*** spligak has quit IRC		14:00
*** afazekas has joined #openstack-keystone		14:01
*** amaurymederos is now known as amaurymedeiros		14:03
*** afazekas has quit IRC		14:06
*** joesavak has joined #openstack-keystone		14:07
*** spligak has joined #openstack-keystone		14:13
*** nkinder has quit IRC		14:18
*** afazekas has joined #openstack-keystone		14:19
*** gokrokve has joined #openstack-keystone		14:20
*** lhcheng_ has joined #openstack-keystone		14:22
*** kobtea has joined #openstack-keystone		14:24
*** lhcheng has quit IRC		14:24
*** shakamunyi has joined #openstack-keystone		14:31
*** stevemar has joined #openstack-keystone		14:35
*** zzzeek has joined #openstack-keystone		14:35
*** adam_g` is now known as adam_g		14:37
*** adam_g has quit IRC		14:37
*** adam_g has joined #openstack-keystone		14:37
*** openstackgerrit has joined #openstack-keystone		14:40
*** thedodd has joined #openstack-keystone		14:44
*** vhoward has joined #openstack-keystone		14:46
*** henrynash has joined #openstack-keystone		14:48
*** ajayaa has joined #openstack-keystone		14:52
*** topol_ has joined #openstack-keystone		14:52
*** topol_ is now known as topol		14:52
openstackgerrit	Lance Bragstad proposed openstack/keystone: Move notification unit tests to unit test dir https://review.openstack.org/133834	14:52
henrynash	lbragstad: thx for all your reviewing recently…any chance you could give a quick squint to: https://review.openstack.org/#/c/132826/ …If we can get that in, we can kick start the whole sequence of patch fixes	14:57
lbragstad	henrynash: looking	14:57
henrynash	lbragstad: thx	14:57
lbragstad	henrynash: btw, I saw the bug you opened (https://bugs.launchpad.net/keystone/+bug/1391682)	14:57
uvirtbot	Launchpad bug 1391682 in keystone "V2.0 Parameter validation for projects crud should not happen in drivers" [Low,New]	14:57
lbragstad	I have a patch that addresses some of it	14:58
*** afazekas_ has joined #openstack-keystone		14:58
henrynash	lbragstad: yeah..and saw your comemnts….I’ll take a look at yours	14:58
lbragstad	it's WIP at the moment but I can try dust it off today	14:58
*** ukalifon has quit IRC		14:58
*** afazekas has quit IRC		15:00
samuelms	henrynash, a couple of minutes to discuss about the 'list role assignments performance' patch ? :)	15:06
henrynash	samuelms: sure	15:06
rodrigods	henrynash, ^ run!	15:06
rodrigods	hehe	15:07
ekarlso	jamielennox: u up ? :D	15:07
henrynash	rodigods: :-)	15:07
samuelms	henrynash, https://review.openstack.org/#/c/116682/12/keystone/assignment/controllers.py	15:07
samuelms	henrynash, everything (except for parameters validation) shoudl be placed at the manager, right?	15:08
henrynash	samuelms: I remember :-)	15:08
samuelms	henrynash, so the methods like _build_project_equivalent_of_group_domain_role should be at the manager	15:08
samuelms	henrynash, right?	15:08
henrynash	samuelms: welll...	15:09
*** nkinder has joined #openstack-keystone		15:10
henrynash	samuelms: I would ahve thought we want the formatting of the chosen response to the API to still be in the controller	15:10
henrynash	samuelms: i.e. let’s say we changed the stucture of teh json we spit return from the API call….	15:11
samuelms	henrynash, but in those methods, as well as for _format_entity, they're based on driver results	15:11
henrynash	samuelms: you would want that to ONLY affect the controller	15:11
henrynash	samuelms: agreed….I think we need to look at what the manager should return to the controller	15:13
samuelms	henrynash, that s the point	15:13
*** gokrokve has quit IRC		15:13
samuelms	henrynash, so the manager should return an intermediate representation of the assignment to the controller ?	15:14
rodrigods	samuelms, henrynash, we should make clear what is the info that the manager can return	15:14
samuelms	henrynash, and we need to use this representation when creating new assignments (when expanding) at the manager level	15:14
rodrigods	and let the controller do the hard part: expand stuff	15:14
rodrigods	right?	15:15
samuelms	rodrigods, no	15:15
samuelms	rodrigods, the expansion of assignments will be placed at manager level	15:15
rodrigods	samuelms, ahh manager vs driver	15:15
rodrigods	was meaning driver	15:15
rodrigods	=P	15:15
samuelms	rodrigods, yep, makes sense now	15:15
*** henrynash has quit IRC		15:15
*** lhcheng_ has quit IRC		15:18
*** samuelms is now known as samuelms-afk		15:18
ayoung	stevemar, I should be doing my expense reports and also out Benefits enrollment, but instead I am +2ing you patches	15:22
stevemar	ayoung, woo hoo, i did those things other things on monday	15:23
ayoung	stevemar, these are simple enough. I want to talk with you about the token pipeline, though. marekd too	15:23
marekd	ayoung: what's yp	15:24
marekd	up	15:24
ayoung	OK...I've been going on about the token provider as a pipeline for a couple years now	15:25
ayoung	and we sketched it out in the mid cycle last January	15:25
marekd	ayoung: what's the general topic? REMOTE_USER and federation ?	15:25
ayoung	the issues you are seeing with REMOTE_USER starts to get in to them	15:25
ayoung	and the openid change that I +2ed as well	15:25
ayoung	the question, then, is what should it look like.	15:26
morganfainberg	Expense reports ugh.	15:26
ayoung	Ideally, it would be a config file that end users could change, but that is risky, in that they could remove essential pieces	15:26
ayoung	alternatively, we could do "plugin ins" at specific points in the pipeline, but then the pipeline gets rigid. That is what we have now	15:27
morganfainberg	Also good morning	15:27
ayoung	we can swap the auth plugins, and we can swap the whole token provider	15:27
ayoung	morganfainberg, good morning to you, too	15:27
ayoung	so...the first step would be, I think, to make use of dstanek 's new mechanism for wiring together the pipeline as a way to break apart the token provider	15:28
marekd	ayoung: any links, reviews?	15:28
ayoung	marekd, sure....	15:28
ayoung	let me get the diagram up from the discussion first...	15:28
marekd	ayoung: cause i was thinking about refactoring auth.controller authenticate() and simply put higher priority on auth methods where JSON input is provided	15:29
ayoung	https://twitter.com/admiyoung	15:29
ayoung	ah...not there yet.	15:29
marekd	ayoung: then, if there is no such thing and REMOTE_USER is not None fire exernal auth method	15:29
ayoung	hold off, that is not sufficient	15:29
marekd	well, some tests started to fail when i was doing so, but didn't investigate too deep.	15:30
ayoung	Damnit twitter, I want a link to my image!	15:30
ayoung	data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAABAAAAAMACAYAAAC6uhUNAAAgAElEQVR4nOy9V5Mj1523qW+wN+ti3x2nkRkNJVKiSFESPUXRm6YTvZHo2b67TJcBCkDB2wQSmchEIpHwpnxVu2pv2N6bqvZNpzHx7l5sbOwHePYCldlA2aYojThvzMUTWXlOJoBCRUf07zn/88/vaAEfeihANhzEiITIhoOk/V4Udz+S04Hm86L5vOh+H9mAH93vI+PzknG7Ud1OVK8LxedA8fSRcttJu+yoThuqoxfV0YvmsqO57CiOXmRnL6q7cV2oez225R/S9eH7KF4vpWSSrBDDiAtkxThaPEYmIaDFYw2EKJoQJRuNYsRiFASBgiBgxASMQIh8l5P0x6uRXnmb+LMvkHxqGfqTz1	15:32
ayoung	F98Ck23vs0W378Wzb+8EG23PEUYw8+T+mZ16m8+RED76xm4KMOau12Sk4PuXAIPRkjp4oU0xIjaZUd2RyHSzVOVYc4XRvm9OAop0bGuTg8ztH+KPvbnOzscnEkInKpVOO/b93Ov49tZiqVZTqmMuVPctGX5Hosw+dqkcuZIqc1g4N6lj2FCscntzN9+DDnDx/m3JHDXDpxgmtHj3Nl30GO1kY5VRnlXGGEs8YgJ7Uqx7Uqp7IDnCsOc1TMcVLKcTSZZW9EZrMzyrAtwLAtxIgrxoQ3xYhHYqhfou6WqLlSGL0CibVu/B92o9ujVHwphqNZxuJ5xhMFNiZLTIhFRmIGRXcSpStAdHUfwlonuj3KUERnY7LEmFKmppUoZQtzKOp5inqeSq5E2ShaNM8V9Twlo2xRzJYo6EXymQJGOoeRzr	15:32
ayoung	XMm9fMR0EvWhSzJUpGmXKuQjFbIp8pkNPy5LQ8+UyBgl4kp+Ux0jlrvHmu+XXzmQL5TMF6zdnkjZJFIVemkCtTzFco5iuUCtUlqRYqFrVilXqpRr1UY6BcZ6BcZ7g2xEh9mJH6MKMDI4wNjjI+NMbE8DgTw+NMTmxhcuNWtm2aZHJyO5PbdrB11y4md+9m69497Dh4gJ2HDrL78CH2HDnMgSNHOXTsOEePneDYsRMcOXSY44ePcOLIUU4dO86ZEyc5d+o050+fYerMWc6dOt1yPn32HBfOnefCufNcPD/FhbPTXDg7zfSZKaZOn2fq9HnOnzrH+VPnOHfyLCcOH+fYwaMc2neQT3fvZ9/OvezetosdW7YzuXErk6Ob2Da2mc1D4wwVa+QVnXRcRhUktESKdFy2UAUJVZBQYkmUWBJZSC	15:32
ayoung	ALAlI8uiBJIbIgkhAhFYugRBdGDocspFCQZDBgIQb8LfPzkYqEF0WKhJAiIeRomFRs5vMIUdR4DDUeQ46GF0WMxBYlGRUWRYwmEaNJkpFW5HADJSK2oIZvoERE5FAMKbwwqWh8QaRYDDEaQhRCJONhpERkzt9OiguzSLSQEOIWYjyBGE+QTIg3jSQmF+XPeb85JiclC0VOkZLklvPmseZ7U5I8BzmZWhRJlBdlqftTkrIoC12ryKqFmkqjptKkFY20olnnzXN/Kub3pcgp1JSCmlJIK6qFOdY8rqlpi+b5r40ioypJlFSClBxHSSVIq0m0tERaTaIqImk1uQSpRdHSyjcio6k3jZ5Jo2fSZHXNYr7XMq8zMcfnu+7rvP98zPe+N+ZkMlqKjCYviPn30NKSNaZnUuiZFFldwUjLN01OS5	15:32
ayoung	HTUuQzikU5k6KcSVHSUxRmyGdTGEaDQiFNPq+Sz6YoGArVXJp6IcNgQWewoDNQ1KnlNcpZhYqhUivqDFZyDJQN6qUslWKGSjFDqTQ/mUwSTRNRFAFJihCPB4hGvYRC/QSDLvr7eyxcrm5crm6czi4LR0/7ovR0rKG3c62FbcO6G3StoW/DKhzdq+i3rcXraCPQ30nY203U30ssYEOMOElGXcQCNhzdq1jxwWu88bsnePGZh3jhqYd45dknuO+O2/nH/+N/4W/+5/+Jn3z3b7nnZz/h/jtu5de3/Yin7v8V//w3/xu/vOUfeeDnt3Dfbf/Ew3feykuP3I+/ax	15:32
morganfainberg	Hah	15:32
ayoung	You have to be Fing kidding me	15:32
*** gokrokve has joined #openstack-keystone		15:32
*** ajayaa has quit IRC		15:33
ayoung	https://twitter.com/admiyoung/status/429060448462577664	15:33
stevemar	ayoung, click on the hour/date of the tweet	15:33
ayoung	OK, looks like I need to link to the post	15:33
stevemar	there ya go	15:33
marekd	o, i remember that pic	15:34
ayoung	mutter mutter	15:34
ayoung	OK, so there are some optional pieces in there, which were put in for the discussion. Don;t let them distract for now	15:34
ayoung	OK, so let me throw out an early approach the morganfainberg has already nacked: we do it all as a paste pipeline.	15:35
ayoung	it would look like this:	15:35
ayoung	[pipeline:auth]	15:35
* ayoung just to start the conversation...		15:36
ayoung	pipeline = sizelimit url_normalize authenticate token_scope delegation catalog format compress signature persist	15:37
ayoung	delegation would, I think, include role assignments, trusts, and oauth in one integrated piece	15:38
* ayoung missed groups		15:38
ayoung	pipeline = sizelimit url_normalize authenticate mapping virtual_orgs token_scope delegation catalog format compress signature persist	15:39
stevemar	ayoung, would this new proposed pipeline remove token_auth and admin_token_auth from the v3/admin/public pipelines?	15:39
ayoung	stevemar, that is the thing, they don't belong in the auth pipeline	15:39
ayoung	token_auth would instead be an auth-plugin only	15:39
stevemar	hmm	15:40
marekd	auth pipe	15:40
ayoung	stevemar, ok...let me go a little further	15:40
ayoung	paste has a shortcoming that we need to work around	15:40
*** henrynash has joined #openstack-keystone		15:40
ayoung	we can define a filter, or a pipeline, but we can't define a reusable series of filters to use in multiple pipelines	15:40
ayoung	lets assume, though, that we can do that	15:40
ayoung	so something like	15:41
ayoung	[filter-list: token_pipeline]	15:41
ayoung	filters = mapping virtual_orgs token_scope delegation catalog format compress signature persist	15:41
ayoung	then we want to do two different auth_urls, say one for SAML, and one for Kerberos	15:41
ayoung	it would be	15:41
henrynash	samuelms, rodigods: sorry, was offline for a bit…yes, agree with your points	15:42
ayoung	pipeline = sizelimit url_normalize saml_auth token_pipeline issue_token	15:42
ayoung	with issue_token being the "service" there as required by paste	15:42
ayoung	we'd pull apart the v3 pipeline to have auth in its own pipeline	15:43
ayoung	for issuing SAML assertions in the K2K case we would vary up the pipeline	15:43
morganfainberg	So. Let me ask a question. Why are we trying to split everything up at once? The isolation of the "bits" that are token provider specific seem like a small optimization and not a big win (especially if they are blockers for the other work this cycle)	15:44
ayoung	so where I have format in the pipeline, it would probably be token_format versus saml_format	15:44
marekd	ayoung: what would be that saml_auth?	15:44
*** baffle has joined #openstack-keystone		15:44
marekd	scoping federated token?	15:44
ayoung	marekd, to me, keystone PKIZ tokens and Keystone SAML docs are two different marshalling formats for the same data	15:45
morganfainberg	Token providers are largely workable as they are (cleanup needed) without needing the fine grained breakdown you're proposing. I'm not saying don't do a pipeline. I'm saying don't try and break it down too far off the bat. Small steps	15:45
ayoung	that was why it was /auth/tokens. We should have /auth/saml	15:45
ayoung	morganfainberg, lets get the vision before we do task breakdown	15:45
ayoung	what I really need is the ability to specify kerberos, x509, and basic/password auth in their own pipelines	15:46
morganfainberg	I think you're off in the weeds of implementation	15:46
morganfainberg	Honestly	15:46
morganfainberg	This isn't vision, this is "what are we going to do".	15:46
ayoung	morganfainberg, I'm using the paste as an example, not as the end implementation	15:47
ayoung	for example, each time I changed the token format, I needed to subclass token-provider	15:47
ayoung	that is not really what we want	15:47
ayoung	we could do it all in Python code, using dstanek 's DI mechanism	15:47
ayoung	I still would need to do paste work, though	15:48
morganfainberg	Yes and we decided that is already largely where we wanted to head. The paste part -- that is details following. You don't need paste to do this.	15:48
baffle	Is there any available policy.json example that implements RBAC with roles and also supports the notion of a "superadmin" like v3cloudsample?	15:49
ayoung	right....as I said you had already nacked it. I was showing a practical example. But regardless of how we implement the token pipeline, we've identified we want to actually have one.	15:49
morganfainberg	Any token provider would be 4 things: issue, validate , validat_middleware, token I'd	15:49
ayoung	I don't care if it is paste or some other format	15:49
ayoung	we need to be able to swap format.	15:50
ayoung	we need to be able to swap auth mechanism	15:50
ayoung	and, we don't want to force all token pipelines to use the same auth mechanism, we do that today	15:50
morganfainberg	The provider is the format the way I see it	15:51
ayoung	we want to be able to reuse the mapping across multiple pipelines, I think. But even there, I am not 100%. The REMOTE_USER issue comes up repeatedly in Kerberos	15:51
ayoung	morganfainberg, then we need to make it cleaner to define new token providers.	15:52
ayoung	and all of the delegation stuff does not need to be swapped out	15:52
*** afazekas_ is now known as afazekas		15:52
*** david-lyle_afk is now known as david-lyle		15:52
morganfainberg	Yes. Already working on the spec for that. Talked a lot with dstanek about this and largely we are headed exactly that way.	15:52
ayoung	I think that is going to be common	15:53
* morganfainberg is on phone so harder to type it all out.		15:53
ayoung	morganfainberg, gotta run myself.	15:53
morganfainberg	Delegation is independent of format, agreed.	15:53
ayoung	Will get back on line shortly	15:53
morganfainberg	K	15:53
*** ayoung is now known as ayoung-afk		15:53
marekd	morganfainberg: ok, so, speaking more...short term....any opinions on that? https://review.openstack.org/#/c/133037/	15:55
*** diegows has quit IRC		15:55
*** ajayaa has joined #openstack-keystone		15:55
*** wwriverrat has joined #openstack-keystone		15:56
marekd	because this is cause of all this convo	15:56
morganfainberg	At a glance that makes a lot of sense.	15:56
marekd	so, feel free to add a score once you read it.	15:57
morganfainberg	Yeah. Putting it on my short list for today.	15:57
marekd	thanks	15:57
*** amirosh has quit IRC		15:59
*** amirosh has joined #openstack-keystone		16:00
openstackgerrit	Lance Bragstad proposed openstack/keystone: Move test_utils to keystone/tests/unit/ https://review.openstack.org/133989	16:01
*** thedodd has quit IRC		16:02
*** wwriverrat1 has joined #openstack-keystone		16:04
*** lhcheng has joined #openstack-keystone		16:04
*** amirosh has quit IRC		16:04
*** lhcheng_ has joined #openstack-keystone		16:06
*** wwriverrat has quit IRC		16:06
*** wwriverrat1 has left #openstack-keystone		16:07
*** lhcheng has quit IRC		16:09
*** saipandi has joined #openstack-keystone		16:15
*** saipandi has quit IRC		16:17
*** kobtea has quit IRC		16:18
*** kobtea has joined #openstack-keystone		16:19
*** kobtea has quit IRC		16:24
*** sigmavirus24 is now known as sigmavirus24_awa		16:32
*** amerine has joined #openstack-keystone		16:33
*** gokrokve_ has joined #openstack-keystone		16:33
*** _cjones_ has joined #openstack-keystone		16:34
*** sigmavirus24_awa is now known as sigmavirus24		16:34
*** Viswanath has joined #openstack-keystone		16:36
*** gokrokve has quit IRC		16:36
*** gokrokve_ has quit IRC		16:37
*** ajayaa has quit IRC		16:38
*** Viswanath has quit IRC		16:39
*** lhcheng_ has quit IRC		16:40
*** lhcheng has joined #openstack-keystone		16:44
*** gyee has joined #openstack-keystone		16:45
openstackgerrit	Lance Bragstad proposed openstack/keystone: Move test_utils to keystone/tests/unit/ https://review.openstack.org/133989	16:47
*** lhcheng_ has joined #openstack-keystone		16:49
*** amerine has quit IRC		16:51
*** afazekas has quit IRC		16:51
*** lhcheng has quit IRC		16:51
*** shakamunyi has quit IRC		16:53
*** samuelms-afk is now known as samuelms		16:54
*** ayoung-afk is now known as ayoung		16:57
openstackgerrit	Merged openstack/keystone: Add openid connect support https://review.openstack.org/132706	16:58
openstackgerrit	Merged openstack/keystone: Additional debug logs for federation flows https://review.openstack.org/132995	16:58
*** joesavak has quit IRC		17:03
*** joesavak has joined #openstack-keystone		17:04
openstackgerrit	Lance Bragstad proposed openstack/keystone: Move injection unit tests to keystone/tests/unit https://review.openstack.org/134010	17:10
*** amirosh has joined #openstack-keystone		17:10
*** amerine has joined #openstack-keystone		17:10
*** gokrokve has joined #openstack-keystone		17:12
*** marcoemorais has joined #openstack-keystone		17:14
*** amirosh has quit IRC		17:15
*** nellysmitt has joined #openstack-keystone		17:17
*** thedodd has joined #openstack-keystone		17:19
*** henrynash has quit IRC		17:30
*** amcrn has joined #openstack-keystone		17:31
openstackgerrit	Marek Denis proposed openstack/keystone: Adds dynamic checking for mapped tokens https://review.openstack.org/133130	17:32
openstackgerrit	Marek Denis proposed openstack/keystone: Rename openid to oidc in test_auth_plugins.conf https://review.openstack.org/133494	17:33
*** ukalifon1 has joined #openstack-keystone		17:37
*** jistr has quit IRC		17:38
ukalifon1	Hi. I am trying to test CADF in keystone in Juno. I am creating users and granting them roles in different projects/domains - and no messages are emitted to the log at all. Do I need to configure CADF somehow to get it to work? Is it logging to the file or a message queue?	17:41
*** amcrn has quit IRC		17:41
morganfainberg	ukalifon1, CADF notifications should go out on the notification bus.	17:42
morganfainberg	ukalifon1, but you'll need to configure notifications to be on.	17:42
ukalifon1	morganfainberg: how can I configure notifications?	17:43
morganfainberg	ukalifon1, looking for the link for you	17:43
*** amirosh has joined #openstack-keystone		17:43
morganfainberg	so here are the docs on notifications: http://docs.openstack.org/developer/keystone/event_notifications.html looking for the exact option to turn them on for you	17:45
morganfainberg	stevemar, hah, i think we have a documentation gap	17:46
morganfainberg	ukalifon1, enabling notifications for keystone works the same as any other project using the oslo.messaging library	17:48
*** afaranha has joined #openstack-keystone		17:52
morganfainberg	ukalifon1, http://docs.openstack.org/trunk/config-reference/content/orchestration-configuring-rpc.html here is the doc you're looking for	17:52
morganfainberg	ukalifon1, once the RPC / notification system is enabled, CADF notifications for Keystone will be emitted to the bus.	17:52
ukalifon1	morganfainberg: Thanks a lot, I'll try it now	17:54
*** shakamunyi has joined #openstack-keystone		17:56
*** thedodd has quit IRC		17:56
*** shakamunyi has quit IRC		17:56
*** bdossant has quit IRC		17:57
*** henrynash has joined #openstack-keystone		17:59
*** amcrn has joined #openstack-keystone		18:00
*** shakamunyi has joined #openstack-keystone		18:01
*** gokrokve has quit IRC		18:03
*** gokrokve has joined #openstack-keystone		18:03
*** thedodd has joined #openstack-keystone		18:05
stevemar	morganfainberg, ah okay... ukalifon1 did that work for you? are you seeing the notifications / what did you have to change?	18:13
morganfainberg	marekd, stevemar, +1 on the REMOTE_USER change for mapped	18:17
morganfainberg	but no +2 until API doc change merges.	18:17
stevemar	morganfainberg, fair enough	18:18
marekd	morganfainberg: thank yoy, just replied to your comment.	18:18
morganfainberg	marekd, thanks. also +2 on the API change	18:18
openstackgerrit	Alexander Makarov proposed openstack/keystone-specs: Trust redelegation documentation https://review.openstack.org/131541	18:19
amakarov	morganfainberg, greetings! I made some changes to trust specs,can you please take a look? https://review.openstack.org/#/c/131541/	18:19
*** aix has quit IRC		18:19
morganfainberg	marekd, but user_name isn't used anywhere if it came from REMOTE_USER with that code.	18:20
morganfainberg	we only have user_id at that point, and not in any mapped properties, so... do we need to return out "user_name" in that case from _setup_username ?	18:20
morganfainberg	we only return user_id from _handle_unscoped_token	18:21
henrynash	looking for someone to start +A the first in the chain of assignment fixes: https://review.openstack.org/#/c/132826/2	18:21
morganfainberg	henrynash, let me take a gander, then i need to go off and do paperwork (more specifically write up an official summary of the summit)	18:22
morganfainberg	omg it's only 10am :P	18:22
marekd	morganfainberg: we start with getting user_name either from mapped_properties or REMOTE_USER and urlencode it to user_id	18:22
henrynash	there’s a whole bunch stacked up behind this that I think we want to backport to Juno…so want to get them in before we changed anything too radical in Kilo	18:22
marekd	according to the spec token should have both user_id and _user_name	18:22
marekd	and the code returns user_id only.	18:22
morganfainberg	marekd, right. but _setup_username user_name return isn't used anywhere	18:22
morganfainberg	that was my only point, we have it just ... not doing any7thing with it	18:23
*** amcrn has quit IRC		18:23
morganfainberg	and i was wondering if we needed to in that case.	18:23
marekd	morganfainberg: and my point is: there should be new bug that will put user_name in line 136	18:23
morganfainberg	ahhhh	18:23
morganfainberg	now i get it	18:23
*** browne has joined #openstack-keystone		18:23
marekd	...or change the documentation and erase user_name from the token.	18:23
marekd	(gerrit reviews are sometimes tricky to read)	18:24
morganfainberg	i'd like to drop username from the token tbh, it is mutable	18:24
morganfainberg	not in this case, but in other cases	18:24
marekd	so, drop user_name and update docs, right?	18:24
morganfainberg	i think that falls into API contract break though	18:24
*** thedodd has quit IRC		18:24
morganfainberg	so, no :(	18:24
marekd	we had that split forever as i recall	18:25
marekd	so docs would catch up with code.	18:25
marekd	cannot do it?	18:25
morganfainberg	yeah, we likely need to add user_name	18:25
*** thedodd has joined #openstack-keystone		18:25
marekd	let me propose it	18:25
morganfainberg	marekd, sure.	18:25
marekd	i wonder if it will break anything :D	18:26
morganfainberg	probably :P	18:26
*** amakarov is now known as amakarov_away		18:27
openstackgerrit	Marek Denis proposed openstack/keystone: Return ``user_name`` in federated tokens. https://review.openstack.org/134027	18:28
henrynash	morganfainberg: thx	18:28
henrynash	morganfainberg: if you get a chance to follow the chain up…teh first few already have two +2s…so a quick coup-de-grace might be easy	18:31
morganfainberg	i am reading them	18:31
morganfainberg	some comments but nothing blocking +A	18:31
rodrigods	we need https://review.openstack.org/#/c/117786/ merged so we don't have a bug in the API =)	18:32
morganfainberg	like... don't skip tests, actually verify the "broken" behavior	18:32
henrynash	morganfainberg: I’ll be doing some follow-up cleanup patches, so will collect any comments and batch them in	18:32
morganfainberg	but largely no major issues.	18:32
rodrigods	morganfainberg, about don't skipping tests, you are making samuelms a happier person	18:32
morganfainberg	henrynash, ok i pushed go on the first couple patches there	18:34
morganfainberg	henrynash, i stopped where there wasn't 2x+2	18:34
henrynash	morganfainberg: thx	18:34
morganfainberg	henrynash, https://review.openstack.org/#/c/133299/ is where i stopped for now	18:34
henrynash	morganfainberg: ok…a godo start	18:34
morganfainberg	if i didn't have a ton to write up from the summit i'd keep going right now	18:34
morganfainberg	rodrigods, yes we do need to merge that.	18:35
morganfainberg	rodrigods, it's on my list to review once i'm done writing things up	18:35
morganfainberg	henrynash, also commented on the expirimental vs stable spec yesterday	18:35
morganfainberg	henrynash, thanks for writing that up btw.	18:35
henrynash	morganfainberg: yep, updating that…will post another version later today	18:35
morganfainberg	awesome	18:35
morganfainberg	largely i think it will have almost no impact on anything besides code structure / communication to the deployers.	18:36
morganfainberg	and the code structure changes should be minimal. it's just changing how we handle things and make things a little more explicit.	18:36
*** thedodd has quit IRC		18:37
morganfainberg	hmm.	18:39
morganfainberg	so far most people can make san antonio for mid-cycle	18:39
morganfainberg	and only 1 person can't make it	18:40
openstackgerrit	Merged openstack/keystone-specs: Add REMOTE_USER mapping info in federation docs. https://review.openstack.org/133674	18:40
*** htruta has left #openstack-keystone		18:40
samuelms	henrynash, ping	18:40
*** htruta has joined #openstack-keystone		18:40
samuelms	https://etherpad.openstack.org/p/role-assignment-backend-language	18:41
samuelms	henrynash, please take a look at this ^	18:41
samuelms	henrynash, my idea is to have a consistent representation of role assignments at Manager and Driver levels	18:41
*** thedodd has joined #openstack-keystone		18:41
samuelms	henrynash, and then Controller format them as it needs to	18:41
rodrigods	samuelms, henrynash ++	18:42
morganfainberg	nkinder, ping re: getting RH space [looks like we might also have space from Rackspace available, same event location for Barbican so it might make sense to just use that space)	18:48
nkinder	morganfainberg: that's in SF?	18:49
morganfainberg	nkinder, the rackspace location is SF	18:50
morganfainberg	will be if anything the same space barbican is using.	18:50
morganfainberg	so same as last time just bay area event space vs. geekdom in SAT	18:50
morganfainberg	but i wont know details on that space. HP doesn't have space in sunnyvale, and i think we can't get the PA office auditorium	18:51
morganfainberg	well HP has space, but it'd be less friendly to a group of ~20	18:51
morganfainberg	assuming roughly the same turnout	18:51
*** arborism has joined #openstack-keystone		18:52
*** arborism is now known as amcrn		18:53
*** jsavak has joined #openstack-keystone		18:58
*** diegows has joined #openstack-keystone		18:59
*** joesavak has quit IRC		19:02
*** gokrokve has quit IRC		19:02
*** gokrokve has joined #openstack-keystone		19:02
*** radez_g0` is now known as radez		19:06
*** gokrokve has quit IRC		19:07
samuelms	nkinder, ping	19:09
*** gokrokve has joined #openstack-keystone		19:10
*** shakamunyi has quit IRC		19:12
*** shakamunyi has joined #openstack-keystone		19:13
*** gokrokve has quit IRC		19:21
*** gokrokve has joined #openstack-keystone		19:21
*** gokrokve has quit IRC		19:22
*** gokrokve has joined #openstack-keystone		19:22
*** sbasam has joined #openstack-keystone		19:27
vhoward	gyee: sri basam and i would love some input on our blueprint for catalog filtering by region if you or anyone else has time….a bit confused on if we need to document a spec or not	19:28
vhoward	https://blueprints.launchpad.net/keystone/+spec/catalog-filtering-by-region	19:28
gyee	morganfainberg, SF is better if the guys are staying in SF. Believe me, ya don't want to deal with the (*&@#$ traffic in 101.	19:28
morganfainberg	gyee, i agree	19:29
samuelms	Hi guys, I've pointed out a potential security issue on our Hierarchical Projects patch #117786	19:29
samuelms	It would be great if you could take a look at .. so that we could work on this if necessary	19:29
samuelms	gyee, morganfainberg ^	19:29
gyee	vhoward, looking ...	19:29
vhoward	thank you very much	19:29
sbasam	gyee: Thanks	19:30
morganfainberg	yay for feature branch!	19:30
morganfainberg	no CVE!	19:30
morganfainberg	:)	19:30
samuelms	morganfainberg, but we'll get this merged soon on our master right? :-)	19:31
morganfainberg	samuelms, we will, there will be a bit of work to do it, but we will.	19:31
nkinder	samuelms: pong	19:32
morganfainberg	samuelms, so we will merge to the feature branch, fast-forward the feature branch (resolve conflicts) and then merge to master from feature branch	19:32
morganfainberg	and this may not actually be a security issue	19:32
*** esp has left #openstack-keystone		19:32
morganfainberg	however, when we add the reseller-type break case, it would need to have the hierarchy traversal stop	19:33
samuelms	morganfainberg, cool .. just would like to get some opinions over there ..	19:33
samuelms	morganfainberg, not sure that we could expose ids like that	19:33
morganfainberg	ids largely (except in the case of tokens) are not "secure" data.	19:34
morganfainberg	this may be ok	19:34
morganfainberg	but nkinder might have a clearer view on it	19:34
samuelms	nkinder, last Friday you said me I could ping you if we need some patch reviews :)	19:34
samuelms	nkinder, morganfainberg exactly	19:34
samuelms	nkinder, it'd be great if you could take a look at patch #117786	19:35
nkinder	samuelms: yep, I remember :)	19:35
samuelms	https://review.openstack.org/#/c/117786/31	19:35
gyee	vhoward, sbasam, you want to filter on token auth right?	19:35
sbasam	We want to filter on the os_region_name so that the catalog size can be limited to just a region	19:35
gyee	like POST /v3/auth/tokens?catalog_filter=???	19:35
gyee	because with endpoint groups, you can group them by region if you want	19:36
samuelms	nkinder, I've left a couple of comments on that patch (where I think there is a potential security issue)	19:37
samuelms	nkinder, will wait for your opinion over there :-)	19:37
nkinder	samuelms: yeah, reading that now.	19:37
samuelms	morganfainberg, thanks for clarifying (-:	19:37
nkinder	So the concern is that the parent ID is viewable for someone with a role on a child	19:37
sbasam	gyee: You mean to say we can limit the catalog with endpoint grouping?	19:37
samuelms	nkinder, exactly	19:38
nkinder	samuelms: so the ID is just a UUID, which isn't useful in and of itself	19:39
nkinder	For a reseller case, you are going to know who you are buying service from	19:39
gyee	sbasam, yes	19:39
gyee	you can create a group with the region filter	19:40
gyee	and assign it to a project	19:40
samuelms	nkinder, yes .. for the reseller we'll have to stop going up and down on the tree at some point (when a new domain starts)	19:40
nkinder	So I'm not sure if knowing the parent ID is really a problem. You can't use to get a token at that scope without a role.	19:40
*** dtturner has joined #openstack-keystone		19:40
gyee	samuelms may have a point there	19:40
gyee	we should be able to have ACLs at any point in the tree	19:41
gyee	like LDAP	19:41
samuelms	nkinder, yes makes sense .. ids by themselves are useless	19:41
gyee	nkinder, but you can retrieve the whole chain though	19:42
nkinder	gyee: how?	19:42
gyee	the entire hierarchy	19:42
gyee	of IDs	19:43
nkinder	gyee: yeah, how can I read up past my parent without a role on that parent?	19:43
nkinder	gyee: or is it all parents?	19:44
gyee	I think so	19:44
*** marcoemorais has quit IRC		19:44
*** marcoemorais has joined #openstack-keystone		19:44
gyee	?parent_as_list should get you everything	19:45
gyee	and subtree as a list	19:45
sbasam	gyee: Need to read up on how endpoint grouping works. We have tenants/projects which have access to lots of regions. When a tenant is working in a region, we want the catalog size to be limited to just endpoints in that region so that we aren't passing around lots of data.	19:45
gyee	I don't think we filter resource based on access	19:45
nkinder	as a list of IDs, which are just UUIDs	19:45
rodrigods	nkinder, the project object is returned	19:46
gyee	not just IDs	19:46
gyee	see line 425	19:46
gyee	list of refs	19:46
rodrigods	gyee, ++	19:46
raildo	gyee, nkinder what do you think about to create new options in the policy, to control this options?	19:46
raildo	so, i can control if a user can list the subtree, or parent, or the full hierarchy	19:47
gyee	raildo, problem is oslo policy can't filter resource to be returned	19:47
*** amirosh has quit IRC		19:47
nkinder	Ok, so returning the whole project for all parents doesn't seem good. That exposes too much info	19:47
*** amirosh has joined #openstack-keystone		19:48
raildo	i know, that is not control resource, that is control the action, the user can't use the API call	19:48
gyee	nkinder, like really like LDAP ACLs, they work nicely for tree structures	19:48
gyee	I mean I really like	19:48
nkinder	Just the IDs sounds OK at first thought, but names could give away info about resellers up the tree	19:48
samuelms	makes sense	19:49
morganfainberg	dstanek, i know you're on vacation but ping: re DI	19:49
nkinder	If you think about it, that's sort of how LDAP works	19:49
nkinder	You know the DN of all parents by nature of the DN structure	19:49
gyee	yeah man, no industrial espionage :)	19:49
nkinder	That doesn't mean you can see any of the contents of parent entries though	19:49
nkinder	A DN is just the unique reference to an LDAP entry, and an ID is the unique reference to a project	19:50
gyee	yep	19:50
nkinder	An ID does not convey the hierarchy by itself, but that's OK I think	19:50
gyee	how about we change it to just return the IDs?	19:51
gyee	I don't think there's a use case for everything else	19:51
raildo	but this control via the new role visibility, right? if the user can access a "subdomain", i will list the whole hierarhcy	19:52
rodrigods	gyee, change to return only the ID for the current impl?	19:52
*** amirosh has quit IRC		19:52
raildo	if a user can't access a subdomain, the subprojects inside this subdomain, don't will be returned	19:52
raildo	but for now, we don't have this visibility control, so i can't do this implementation	19:53
samuelms	nkinder, did you get raildo's point?	19:53
nkinder	samuelms: I think so. That's for breaking visibility down the tree, right?	19:54
samuelms	nkinder, basically, for reseller we won't get projects from another domain, right?	19:54
raildo	nkinder, yes	19:54
samuelms	nkinder, yes	19:54
*** ukalifon1 has quit IRC		19:54
samuelms	nkinder, if seeing whole information of projects inside the same domain is not a problem	19:54
samuelms	nkinder, maybe we can keep this, right?	19:55
*** dnalezyt has joined #openstack-keystone		19:55
gyee	sbasam, endpoint filter should solve your problem, let me know if you have issue with the doc, I'll fix	19:55
nkinder	It just gives away name, ID, and description for the projects, right?	19:55
rodrigods	nkinder, right	19:55
nkinder	If we're not covering the reseller case right now, that's not a big deal	19:56
rodrigods	++	19:56
raildo	nkinder, sure	19:56
nkinder	It should just be made clear that one has full visibility into the hierarchy I think	19:56
nkinder	Let me see if we lock down list_projects though....	19:56
gyee	we do	19:56
rodrigods	nkinder, I think we do, and get projects info as well	19:57
rodrigods	might be a good argument agains returning the full ref	19:57
nkinder	So we lock it down to domain admins right now in the v3 policy	19:57
nkinder	...for list_projects	19:57
samuelms	nkinder, yes	19:57
gyee	s/domain/project with special properties/	19:58
gyee	:D	19:58
nkinder	get_project is locked down to the admin of a project	19:58
rodrigods	yeah, but returning only the ID is a bit useless, since there is no way to know about the hierarchy	19:59
rodrigods	only if we return them already in a structured fashion	19:59
openstackgerrit	Merged openstack/keystone: Improve testing of domain federation tokens for inherited roles. https://review.openstack.org/132826	20:00
*** jsavak has quit IRC		20:01
samuelms	nkinder, I think we can keep showing the subtree because we'll stop once we get a new domain (for reseller), right?	20:02
samuelms	nkinder, but showing up the projects (even inside the same domain) may be an issue	20:02
openstackgerrit	Lance Bragstad proposed openstack/keystone: Move base64 unit tests to keystone/tests/unit dir https://review.openstack.org/134043	20:02
openstackgerrit	Lance Bragstad proposed openstack/keystone: Increase test coverage of test_base64utils.py https://review.openstack.org/134044	20:02
*** joesavak has joined #openstack-keystone		20:03
*** jaosorior has quit IRC		20:03
openstackgerrit	Lance Bragstad proposed openstack/keystone: Move functional tests to keystone/tests/functional https://review.openstack.org/133556	20:13
samuelms	nkinder, what about showing only the ids of parents and subtree of projects that the user has not access to	20:14
samuelms	nkinder, but if he has access to any projects in that hierarchy we want to show, then we can show the full info of that project	20:14
samuelms	makes sense?	20:14
*** wwriverrat has joined #openstack-keystone		20:15
samuelms	I mean, If he could do a 'get project' on that project .. so put the whole info, because he'd be able to do that by himself	20:15
*** wwriverrat has left #openstack-keystone		20:15
*** edmondsw has joined #openstack-keystone		20:21
samuelms	morganfainberg, nkinder, gyee we'll have to get back on this discussion later ^	20:48
samuelms	rodrigods and raildo too :-)	20:48
gyee	samuelms, sure	20:56
gyee	lunch time for the left coast ppl right now it seems :)	20:57
*** gyee has quit IRC		20:58
*** kobtea has joined #openstack-keystone		20:58
*** amirosh has joined #openstack-keystone		20:58
*** marg7175 has joined #openstack-keystone		21:00
*** amirosh has quit IRC		21:03
*** kobtea has quit IRC		21:03
dtturner	Hi Folks- Running into a strange one today. I just setup Mistral in order to kick the tires and notice that calls meant for Heat are ending up on the Mistral endpoint. This is obviously wreaking havoc on Heat consumers, with 404's and timeouts.	21:06
dtturner	The service endpoints are completely different. Anyone seen this?	21:06
openstackgerrit	Lance Bragstad proposed openstack/keystone: Move test_utils to keystone/tests/unit/ https://review.openstack.org/133989	21:08
openstackgerrit	Rodrigo Duarte proposed openstack/keystone-specs: API doc for Inherited Role Assignments to Projects https://review.openstack.org/130277	21:09
raildo	dtturner, which port you are using ?	21:10
*** shakamun_ has joined #openstack-keystone		21:10
*** shakamunyi has quit IRC		21:10
dtturner	raildo: Hi. For Mistral? 8989.	21:12
openstackgerrit	Rodrigo Duarte proposed openstack/keystone-specs: API doc for Inherited Role Assignments to Projects https://review.openstack.org/130277	21:12
dtturner	raildo: 8000 and 8004 for heat endpoints. Different IP for heat and mistral endpoints.	21:13
raildo	dtturner, but that is the same in the endpoint?	21:13
*** gyee has joined #openstack-keystone		21:14
dtturner	raildo, yes.	21:14
dtturner	raildo: Looking at output of keystone endpoint-list now.	21:15
*** lhcheng_ has quit IRC		21:16
raildo	can you paste the output?	21:17
dtturner	raildo, sure: http://paste.openstack.org/show/132546/	21:23
raildo	tks	21:23
*** shakamun_ has quit IRC		21:26
*** marg7175 has quit IRC		21:27
raildo	dtturner, this is very weird, maybe you can find the error in the configuration files	21:29
raildo	keystone stored correctly the endpoints	21:29
*** shakamunyi has joined #openstack-keystone		21:30
dtturner	raildo, this started upon adding the Mistral service. Users reported issues with Heat at the same time. If I stop Mistral, the issues with Heat go away. I've been banging my hang trying to see how this is happening.	21:30
*** samuelms-home has joined #openstack-keystone		21:31
raildo	Maybe someone has changed any global variable, or something like that	21:32
*** lhcheng has joined #openstack-keystone		21:33
*** raildo has quit IRC		21:36
*** Viswanath has joined #openstack-keystone		21:36
rodrigods	ayoung, ping	21:36
ayoung	$ ping ayoung	21:37
ayoung	ping: unknown host ayoung	21:37
rodrigods	haha	21:37
gyee	/join ayoung	21:37
rodrigods	ayoung, just saw the "kilo graduation plans" ml thread for oslo	21:37
rodrigods	policy was supposed to be there?	21:38
ayoung	and I just realized I did none of the things I needed to do today	21:38
ayoung	yes, policy is supposed to be there	21:38
gyee	what's up with the common SDK?	21:38
gyee	are we deprecating all the python-*clients?	21:39
rodrigods	ayoung, but it isn't =/	21:39
rodrigods	gyee, thought the SDK intention was to be used by other systems, besides openstack services	21:40
*** Viswanath has quit IRC		21:40
rodrigods	so you would't need to import separate clients	21:40
*** Viswanath has joined #openstack-keystone		21:41
gyee	we already have to common CLI	21:42
gyee	s/to/the	21:42
*** thiagop has quit IRC		21:43
samuelms-home	morganfainberg, just to keep you updated of the things of exposing the ids of parents / subtree	21:43
samuelms-home	morganfainberg, in fact we're exposing all project info (name, description) :p	21:43
*** sbasam has quit IRC		21:43
samuelms-home	morganfainberg, and then nkinder pointed out that this may be a problem	21:43
morganfainberg	that sound like an issue	21:44
morganfainberg	ids, not as much	21:44
*** marg7175 has joined #openstack-keystone		21:44
samuelms-home	morganfainberg, we'll get back on this discussion soon :-)	21:44
*** Viswanath has quit IRC		21:44
rodrigods	morganfainberg, samuelms, we have put some thoughts on it here, we have a bit ugly solution	21:46
rodrigods	we can discuss later, when they are back	21:46
*** zzzeek has quit IRC		21:54
*** zzzeek has joined #openstack-keystone		21:54
*** marg7175_ has joined #openstack-keystone		21:56
morganfainberg	rodrigods, sounds good	21:58
*** marg7175 has quit IRC		21:59
*** amcrn has quit IRC		22:04
*** samuelms-home has quit IRC		22:04
*** joesavak has quit IRC		22:16
openstackgerrit	Merged openstack/pycadf: Add classifiers for Python 3 https://review.openstack.org/133088	22:17
*** gokrokve has quit IRC		22:18
*** patrickeast has joined #openstack-keystone		22:21
*** nellysmitt has quit IRC		22:22
*** edmondsw has quit IRC		22:22
*** marg7175_ has quit IRC		22:23
*** topol has quit IRC		22:25
openstackgerrit	Lance Bragstad proposed openstack/keystone: Move functional tests to keystone/tests/functional https://review.openstack.org/133556	22:26
*** marg7175 has joined #openstack-keystone		22:27
openstackgerrit	Lance Bragstad proposed openstack/keystone: Move test_utils to keystone/tests/unit/ https://review.openstack.org/133989	22:31
*** patrickeast has quit IRC		22:34
rodrigods	ayoung, the oslo.policy lib spec is this one: https://review.openstack.org/#/c/133480/2/specs/keystoneclient/policy-enforce.rst, right?	22:35
*** patrickeast has joined #openstack-keystone		22:35
ayoung	rodrigods, partially, but not completely	22:35
ayoung	rodrigods, it means pulling in a bit more code...let me show what nova does	22:36
ayoung	Well, what Keystone does, but I like nova's approach as a starting point for other reasons...	22:36
ayoung	rodrigods, http://git.openstack.org/cgit/openstack/keystone/tree/keystone/common/controller.py#n85 is the decorator	22:36
rodrigods	ayoung, cool, managed to put some tasks regarding those policies, will split them	22:36
ayoung	and then a lot of the work is done in http://git.openstack.org/cgit/openstack/keystone/tree/keystone/common/authorization.py	22:37
ayoung	rodrigods, in nova it is a deliberate call, not a decorator, but the general work is the same:	22:37
ayoung	get the token and other data into a format that we can then use to check and enforce policy	22:38
ayoung	rodrigods, http://git.openstack.org/cgit/openstack/nova/tree/nova/policy.py is the most of it	22:39
rodrigods	ayoung, cool, so in the ml thread, dhellmann asked for a spec and I thought that one would be the right place	22:40
ayoung	rodrigods, actually, we are doing a lot more in Keystone than most of the other projects, because we sometimes have to build up the auth data directly from the database. However, a library based approach would not need that; getting the auth data would either done from middleware or would be service specific	22:40
ayoung	You kjnow what, yeah, use that spec	22:41
ayoung	its close enough, and we can always expand on what we need to do beyond just the oslo work	22:41
rodrigods	ayoung, great	22:41
rodrigods	thanks for the quick explanation	22:41
*** tellesnobrega_ has joined #openstack-keystone		22:44
*** marekd is now known as marekd\|away		22:57
*** thedodd has quit IRC		22:58
*** marg7175 has quit IRC		22:58
*** marg7175 has joined #openstack-keystone		23:02
*** browne has quit IRC		23:04
*** browne has joined #openstack-keystone		23:04
*** marcoemorais1 has joined #openstack-keystone		23:05
*** _cjones_ has quit IRC		23:06
*** _cjones_ has joined #openstack-keystone		23:09
*** marcoemorais has quit IRC		23:09
*** amcrn has joined #openstack-keystone		23:12
*** david-lyle is now known as david-lyle_afk		23:12
*** nkinder has quit IRC		23:18
*** tellesnobrega_ has quit IRC		23:20
*** marcoemorais1 has quit IRC		23:30
*** marcoemorais has joined #openstack-keystone		23:31
*** marg7175 has quit IRC		23:32
*** patrickeast has quit IRC		23:32
*** patrickeast has joined #openstack-keystone		23:33
*** tellesnobrega_ has joined #openstack-keystone		23:35
*** nkinder has joined #openstack-keystone		23:43
*** tellesnobrega_ has quit IRC		23:45
*** kobtea has joined #openstack-keystone		23:47
*** kobtea has quit IRC		23:52
*** dims_ has joined #openstack-keystone		23:54
*** gokrokve has joined #openstack-keystone		23:56
*** dims has quit IRC		23:57
*** shakamunyi has quit IRC		23:58
*** shakamunyi has joined #openstack-keystone		23:58
*** nkinder has quit IRC		23:59

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!