Thursday, 2014-11-20

« Wednesday, 2014-11-19 Index Friday, 2014-11-21 »
*** henrynash has quit IRC00:03
*** chrisshattuck has quit IRC00:06
*** _cjones_ has joined #openstack-keystone00:06
*** oomichi_ has joined #openstack-keystone00:09
*** marcoemorais has quit IRC00:14
*** dims has quit IRC00:15
*** htruta_ has joined #openstack-keystone00:15
*** dims has joined #openstack-keystone00:15
*** jimhoagland has quit IRC00:25
*** agireud has quit IRC00:37
*** jasondotstar has quit IRC00:48
ayoungjamielennox, I don't think we are going to have that luxury.  Bascially,   the format we publish is going to be responsible for revocation events and for policy regardless.    We can punt on it for the Token provider if he really wants to, but I don't think that will buy us much;  the server will still depend on the client code for the AccessInfo00:49
jamielennoxayoung: i'm happy for server to use AccessInfo00:49
jamielennoxjsut saying00:49
ayoungjamielennox, really, those are the two use cases I care about anyway.  The third will be from unpacking a token and using that data to create another token...but policy will need it in the AccessInfo format00:50
ayoungjamielennox, I'm more concerned that you want to change AccessInfo than anything else00:50
jamielennoxyea, i think using accessinfo there is a good thing00:51
ayoungdo you have a sense of what it should look like?00:51
jamielennoxthere are some flaws - but i'm not going to break it00:51
jamielennoxso primarily i don't think AccessInfo should inherit dict, keep the internal representation abstract00:51
*** jimhoagland has joined #openstack-keystone00:51
jamielennoxI'm not sure if from the server side you need to know what is a v2 or v3 format to handle changing between them00:52
ayoungfor policy I think we should coerce V2 into V3 form00:53
*** zzzeek has quit IRC00:53
ayoungand revocation evetns00:53
ayoungevents00:53
ayoungWhy not inherit dict?  Most things need AccessInfo in dict format00:54
*** jorge_munoz has quit IRC00:55
jamielennoxThe dict format is different between v2 and v3 and it's not 'correct' either01:06
jamielennoxit does weird additions01:06
*** jimhoagland has quit IRC01:09
*** gyee has quit IRC01:18
morganfainbergayoung, i really *dont* want to rely on accessinfo or a similar "hack"01:19
morganfainbergayoung, my big concern is i don't want an object that needs to be aware of the underlying token formats - that is the wrong direction01:19
ayoungmorganfainberg, you have to give me something concrete to work with01:19
ayoungSo a builder pattern?01:20
morganfainbergif we're changing how accessinfo works - sure01:20
morganfainbergayoung, much closer to builder pattern01:20
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Split identity server into v2 and v3  https://review.openstack.org/13053401:20
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Use real discovery object in auth_token middleware.  https://review.openstack.org/13053201:20
morganfainbergthe short is - lets not make the "format" dictate the object. the obejct should be able to get to the format.01:21
morganfainbergthe v3 dict is already wrong out the gate for this, - even if we maintain it as a dict, or dict-like-access01:21
morganfainbergbut the way accessinfo works *now* is the inverse of how it should be, if that makes sense.01:22
morganfainbergbeyond that thinking, i'm not going to really get in the way of implementation01:22
*** dims has quit IRC01:24
jamielennoxmorganfainberg: i don't think AccessInfo is a problem in that way, yes the dict format is weird but it has a factory builder and the properties are correctly abstracted01:24
*** dims has joined #openstack-keystone01:24
ayoungmorganfainberg, ok, so the disconnect as I see it is that the JSON format, which should be usable for all of the things like policy,is normalized.  Policy and the like don;t do domain { id}  they do domain_id01:24
morganfainbergjamielennox, i think accessinfo is trying to be too smart01:24
morganfainbergjamielennox, it shouldn't care - it should be the end result vs needing to know how to dig the data out01:24
ayoungthe JSON format is what, I think the policy etc should be consuming01:25
morganfainbergayoung, JSON -> Py?01:25
ayoungor rather, what you would get if you parsed the JSON into puthon01:25
morganfainbergayoung, except we already know that is not the case.01:25
ayoungmorganfainberg, yes01:25
jamielennoxmorganfainberg: not necessarily, depends what you are looking to use it for01:25
ayoungmorganfainberg, so...in the policy prep code we had the "flatten" call01:25
jamielennoxmorganfainberg: you're right it won't work as a context, it works just fine as an abstraction01:25
ayoungwhich converts the objects into a dotted notation01:26
ayoungdue to policy needing everything in key-value-pairs01:26
morganfainbergjamielennox, ok so let me rephrase, i want to prevent people from utilizing the accessinfo as a dict so we can tightly control the data added to it - accidental data inclusion doesn't become a contract or "usable"01:26
ayoungcan't you do a read only dics somehow in python?01:27
morganfainbergayoung, overload __setitem__01:27
morganfainbergayoung, but that doesn't solve a "keystone wedged data <X> in unintentionally - or we accidently carried it over"01:28
morganfainbergwe can be explicit about the serialized format and work to correct those issues, but if the servers are trying to use things that are there unintentionally - it becomes really really unhappy to fix01:29
morganfainbergi don't expect we should ever break that data in the serialized form, but what if we accidently included something a server wants to use. i'd rether have a bug saying "hey why is this data here and i can't use it" than "oops we used it and it shouldn't have been there"01:29
morganfainbergand if the data is available...someone will start using it (in a project we don't run)01:30
* morganfainberg is pessimistic about that fact.01:30
ayoungmorganfainberg, do you have an idea of how to do this?01:30
morganfainbergayoung, so my thought was AccessInfo instead of being a bunch of @properties that know how to dig into the dict form json becomes a built object01:31
jamielennoxmorganfainberg: so let me rephrase - i don't mind that AccessInfo is a dict - i mind that it's not a standard token dict01:31
morganfainbergand context can be pulled from that (flattend) even if it's magic like __getitem__01:31
morganfainbergthough i would rather not make "accessinfo" the context objectblobthing01:32
jamielennoxand i think that context should be generated seperately from AccessInfo01:32
ayoungso AccessInfoBuilder.add_user....  and when we are done .build()  returns a frozen Python object01:32
morganfainbergayoung, that is my general thought on what any model should be.01:32
morganfainbergtoken, user, etc01:32
ayoungFavor Immutable Objects01:32
jamielennoxayoung: just AccessInfo.user_id = ... then auth_ref.get_context() or Context.build(auth_ref)01:32
jamielennoxwe don't need a new builder01:33
jamielennoxi just wish that AccessInfo was done right01:33
openstackgerritLin Hua Cheng proposed openstack/keystone: Always return the service name in the catalog  https://review.openstack.org/13580801:33
ayoungI don't think it is possible to do right.  We are working in Python01:33
morganfainbergayoung, alternatively - we *could* use something like protobuf.01:33
ayoungWe could use a real language.  Since we are dreaming, I could use a new house01:34
morganfainberg[there was some chatter on the ML about using that to objectify things away from the db schema]01:34
morganfainbergprotobuf has hard-type enforcement etc and is versioned. i don't know if it's worth even considering01:34
jamielennoxi don't think that helps here01:34
ayoungjamielennox, the token provider already acts like a Builder...we need something that will let us do the same thing even when we are not producing an official token01:35
morganfainbergjamielennox, it does sortof, because there is a JSON-> protobuf formatter already01:35
jamielennoxthe problem isn't python, the problem was how it was done01:35
*** NM has joined #openstack-keystone01:35
ayoungImmutable objects don't seem to be considered Pythonic01:35
morganfainbergjamielennox, and you get a full object out of it. not immutable (that is something else we coudl easily layer on top)01:35
morganfainberganyway01:36
ayoungcan you do sometihng that leaves _setattr__ functional until you flip a switch and then it doesn't allow changes?01:36
morganfainbergayoung, sure01:36
jamielennoxi don't see how these help ys01:36
morganfainbergayoung, http://paste.openstack.org/show/135004/01:37
morganfainbergjamielennox, my big concern and i don't care if it's accessinfo or something else, is we carefully control the data in the token.01:38
morganfainbergand what can get at that data01:38
morganfainbergi want to make sure we don't have extra cruft landing in the token because it was "conviennt" to put it there (we have had this happen before)01:38
jamielennoxmorganfainberg: i actually really like extending dict with properties01:38
jamielennoxit means people can add whatever you like to the dict - we don't care we only use the properties01:39
jamielennoxi know we don't want them to01:39
morganfainbergjamielennox, i prefer real objects that have __iter__ or __getitem__ but that me01:39
jamielennoxit just that we don't care01:39
morganfainbergwell the point is i don't want them going around our interface to get to those items01:39
morganfainbergif it's a dict, people will *tend* to use the dict[<key>] interface01:40
morganfainbergi would rather force use of the properties.01:40
jamielennoxmorganfainberg: python won't help you there01:40
morganfainbergjamielennox, X.<thing> = blah01:40
jamielennoxjust let them use it as much as possible01:40
jamielennoxwe give them that01:41
jamielennoxif they go around it it's not our problem01:41
morganfainbergjamielennox, i disagree whole-heartedly with that01:41
morganfainbergbecause when we break it, they're going to complain a lot01:41
morganfainbergand we're going to have to unbreak it01:41
morganfainbergeven if it means carrying awful things forward and tech debt01:41
jamielennoxdepends on what you set as the base01:42
jamielennoxthis is what i meant earlier - i actually like that AccessInfo is a dict01:42
morganfainbergjamielennox, my expectation is "if this is a dict people will use it like a dict"01:42
jamielennoxi just hate that somewhere along the line we made it not a standard token dict01:42
morganfainbergand that is the interface we're supporting so why bother.01:42
morganfainbergi think passing things around as plain dicts within code, (even if they have @props for convenience) is really poor design. same feeling about **kwargs01:43
morganfainbergor even *args01:43
jamielennoxi think people use them poorly01:44
morganfainbergand yes this is a personal view - i wont hold up everything if everyone else disagrees with me.01:44
*** jasondotstar has joined #openstack-keystone01:44
*** jasondotstar has quit IRC01:44
morganfainbergjamielennox, the problem is they lend themselves to being used poorly01:44
jamielennoxpython is weird, you have to be really careful not to do the wrong thing01:44
morganfainbergi'd rather encourage "not the wrong thing" rather than "oh don't do that but we don't care cause we use X instead"01:45
jamielennoxit's an interesting curve - really easy to get into, the middle bit is much the same as any language, but doing things properly is not helped by the language01:45
jamielennoxi think as you get more experienced in python you realize all the things that helped you at the beginning are bad design01:45
dstanekjamielennox: very true01:46
morganfainbergso let me put away my soapbox01:46
morganfainbergif we're going to extend dict, note my dislike of it, and lets move on01:46
morganfainbergand i wont stand in the way of that design if it's really the way to go01:47
jamielennoxmorganfainberg: AccessInfo is already a standard - we can't do anything01:48
jamielennoxthe factory method sucks - REALLY BADLY01:49
morganfainbergjamielennox, we could stop using it mark it deprecated let it not get new features01:49
jamielennoxhowever as an abstraction it does an OK job and i'd prefer to have just one place to do things01:49
morganfainbergif we are changing things.01:49
jamielennoxkeystoneclient v201:49
*** NM has quit IRC01:50
*** packet has joined #openstack-keystone01:51
morganfainbergjamielennox, anyway. enough on this.01:51
morganfainbergjamielennox, my vote is we fix whatever it is we're going to use and make it not suck.01:51
morganfainbergmore than anything else01:51
jamielennoxfor a v2 my idea was that i could just fix little things like that, keep the major interfaces the same, fix stupid mistakes - then i remember that was the mantra of python 3 and i just loose all interest01:51
morganfainbergand if it means re-doing accessinfo to not suck as something else... lets do it.01:51
*** alex_xu has joined #openstack-keystone01:51
morganfainbergmark it deprecated and stop using it - no new features and in... uh... $SOMETIME$ it can go away01:52
morganfainbergor provide a better factory for it01:52
jamielennoxok, replace it with what?01:53
jamielennoxfactory is easy01:53
*** _cjones_ has quit IRC01:53
morganfainbergor whatever. you know, make it better in a non-break-everything way. even if the not-break things is a shim for the old deployments that still use it + new ksc01:53
morganfainbergif we unify things on accessinfo, lets make it not suck - whatever that means01:54
jamielennoxok, let me think about what that means01:55
morganfainbergi'd like to see tech debt and carrying sucky things forward transition away, even if it's a long ways out :)01:55
jamielennoxin the mean time i'd say just use it, because the property names won't change01:56
morganfainbergbut unifying code on an impl that has real issues, seems like a worse idea.01:56
morganfainbergand all my conversations about accessinfo seemed to revolve around "it sucks but we can't change it"01:56
*** radez_g0n3 is now known as radez01:56
morganfainbergjamielennox, and to be clear i'd support a "fix all the things in keystoneclient-2 or 1.0.0 or...whatever" release and we pivot to it, especially if "session" and the things other clients care about are compatible.01:58
morganfainbergif that is what it takes.01:58
*** lhcheng_ has quit IRC01:59
jamielennoxmorganfainberg: i'd be fine with that - however nobody has successfuly managed to transition to a new library version - i'd almost say some TC advice on how this should work would be useful02:01
morganfainbergjamielennox, ++02:01
morganfainbergjamielennox, *mostly* the big peices would need to be compatible (e.g. session)02:01
morganfainbergi think02:01
morganfainbergbut other than that, i *think* we could get away with it fairly easily.02:02
morganfainbergOSC and middleware being the big changes, and since OSC does CLI going forward new ksc needs no CLI code02:02
morganfainbergand we could drop middleware from it.02:02
jamielennoxmorganfainberg: to have any chance at a transition the old and new would need to be parallel installable02:03
morganfainbergjamielennox, totally doable.02:03
jamielennoxeither we need to create a new pip package02:03
ayoungmorganfainberg, OK, so I started with that approach on Revocation events...and also tried to do Don't Repeat Yourself.  And...ended up with a bunch of sets of Keys for dictionaries in sets02:03
jamielennoxor create a new top level folder in keystoneclient02:04
jamielennoxso keystoneclient2 got installed when you installed python-keystoneclient02:04
jamielennoxjust import keystoneclient2 instead of keystoneclient02:04
jamielennoxso we kind of need a better name02:04
ayounghttp://git.openstack.org/cgit/openstack/keystone/tree/keystone/contrib/revoke/model.py#n6302:04
morganfainbergjamielennox, that is a bad approach (trying to do 2 packages from 1 repo) pip, pbr, etc all don't play nice with it02:04
morganfainbergso new repo would be the target02:05
ayounghttp://git.openstack.org/cgit/openstack/keystone/tree/keystone/contrib/revoke/model.py#n16  started off with the common attributes, and then each extended their own way02:05
jamielennoxmorganfainberg: i didn't say 2 packages, i said two top level modules02:05
morganfainbergjamielennox, same thing iirc.02:05
morganfainbergjamielennox, it's a namespace issue then.02:06
jamielennoxpip install python-keystoneclient would install keystoneclient and keystoneclient202:06
*** NM has joined #openstack-keystone02:06
morganfainbergoh. eh...02:06
jamielennoxjust there's only 1 version02:06
morganfainbergi *think* that would break some things still02:06
jamielennoxi don't see it's an advantage to do it that way02:06
morganfainbergi'd be inclined to make it explicitly different install02:07
morganfainbergthat way we can really keep it nice and namespaced.02:07
morganfainbergbut i agree keystoneclient2 sounds ... bad?02:07
jamielennox++02:07
morganfainbergand new ksc can still use python-keystoneclient-* auth plugins if we want.02:08
morganfainberghm.02:08
jamielennoxyea, i don't know how we do that bit02:08
morganfainbergayoung, like i said a bit earlier, i've put away my soapbox, if it's the right course its the right course.02:09
morganfainbergayoung, and i wont stand in the way of it. - even though i may not like it.02:09
ayoungmorganfainberg, let me code up what I think you are talking about02:10
*** jorge_munoz has joined #openstack-keystone02:10
*** richm has joined #openstack-keystone02:12
morganfainbergayoung, sounds good. i'm reviewing henrynashes' split review before i start in on other stuff i need to get done, like code ;)02:15
morganfainbergayoung, hmm.02:19
morganfainbergayoung, i think i see a logic issue w/ henry's split review02:20
ayoung?02:20
morganfainbergi *think* role should be part of assignment02:20
morganfainbergnot part of resource02:20
morganfainbergtell me i'm wrong?02:20
ayoungthe role definition should be in resource according to how he split it up.   I'm not so sure myself.02:20
morganfainbergright it looks to me that role and role assignment should be "assignment"02:21
morganfainbergotherwise the pluggable "assignment" backend may not make sense? i have these role things over -----> here02:21
*** NM has quit IRC02:21
morganfainbergbut they don't have bearing in how i do assignment logic?02:21
morganfainbergor is assingment really just the assignment/actor-to-resource-via-role mapping?02:22
ayoungI'm not even certain that splitting this is a good idea at all02:22
ayoungI'm not 100% certain that projects and assignemtns don;t belond together02:22
ayoungbut...02:22
ayoungI could see the argument that if domains and projects are in one backend and were read out of, say, ldap02:23
ayoungthen assigning users to roles in those projects would be something done by Keystone02:23
morganfainbergthats the general view i saw in this.02:23
ayoungin which case, having roles in the resource backend would be broken02:23
ayoungso, yeah, I think I am leaning your way on this02:24
morganfainbergit also allowed things like a graph-db for assignment (interesting, but not relevant for project/domain storage)02:24
morganfainbergbut def. interesting from the RBAC and assignment of role-to-actor-on-resource construct02:24
ayoungI think I am with you on this one02:24
ayoungneed to mull it over.02:25
ayoungfrom a keystone perspective, both users and roles are external to projects02:25
morganfainbergyeah not willing to -1 this *yet* on that front, i think i'll just ask the question.02:25
ayoungthey are things you put in the buckets02:25
morganfainbergbecause other than that, this split looks quite reasonable to me02:26
ayoungI kindof want domains in their own backend02:26
morganfainbergayoung, domains == projects!02:26
ayoungand then a domain could potentially get populated from LDAP02:26
morganfainberg;)02:26
*** jacorob has quit IRC02:26
morganfainberg>.>02:26
morganfainberg<.<02:26
ayoungdomains are top level projects too02:26
ayoung*too*02:26
morganfainbergright.02:26
ayoungbut domains are organizational boundaries02:26
morganfainberganyway - i'm going to ask the question i think role needs to go with role-assignment02:27
ayoungand being able to pull the project listing for a specific domain from an external source is comparable to doing it for users02:27
ayoungI think it goes it its own backend02:27
ayoungroles are a keystone managed resource that span domains02:27
ayoungeven assignments you could see coming from an external source if you squint hard enough02:28
morganfainbergayoung, not convinced that without roles/assignment doesn't mean "resource" [being largely *just* projects going forward] isn't already there02:28
*** richm has left #openstack-keystone02:28
ayoungrichm working the late night in Westford...02:28
morganfainbergwe aren't storing extra stuff *in* the project backend that way, we're just looking at the listing of projects - a very different beast than "assignment" being everything-but-users-and-groups02:29
ayoungall our puppet people are working to untangle that mess....decided to work from home for safety and sanity reasons02:29
morganfainberghaha02:29
morganfainberganyway thanks, wanted the reality check on "am i crazy for asking this" before asking that question02:29
ayoungYeah.  You are still crazy, but not for asking *that*02:30
morganfainbergi resemble that remark02:30
*** jorge_munoz has quit IRC02:30
*** packet has quit IRC02:30
ayoungmorganfainberg, we should have nested the roles under the scope for which the roles are assigned02:35
*** erkules_ has joined #openstack-keystone02:36
ayounginstead we pull them out to their own level of the token, and we lose the ability to have one document that specifies roles for multiple scopes02:36
morganfainbergnot sure that actually makes anything better02:36
morganfainbergoh in the token?02:36
* morganfainberg was still thinking in the backends.02:36
ayounghttps://github.com/openstack/identity-api/blob/master/v3/src/markdown/identity-api-v3.md#authentication-responses02:36
ayoungscroll down a screen or two02:37
morganfainbergsure. we could tightly couple those thigns but i *thought* we made that an explicit design choice.02:37
morganfainbergback in the day02:37
morganfainberg1 scope per token02:37
ayoung "domain": {02:37
ayoung            "id": "1789d1",02:37
ayoung            "name": "example.com"02:37
ayoung        },02:37
ayoung        "roles": [02:37
morganfainberg*forsomereasonineverwassureabout*02:37
*** jorge_munoz has joined #openstack-keystone02:37
*** erkules has quit IRC02:38
ayoungit makes it easier to find the role02:38
ayoungbut it means that we would not be able to do multi-scope tokens02:38
*** jorge_munoz has quit IRC02:38
ayoungand for nesting  it means we don't have a way to represent02:38
ayoungit would be nice if we could do02:38
ayoungdomain {project {project {project } } } }02:39
ayoungthen inherited roles would be02:39
ayoungdomain { roles[],   project { roles[]   project { roles [] project{roles[] } } } } }02:39
morganfainbergyeah, but that's not what we have today02:40
ayoungI know02:40
ayoungthat is what I just said02:40
morganfainberg=/02:40
morganfainbergi'm agreeing02:40
ayoungwould give us a way to do domain roles on a project scoped token for Horizon, too02:40
*** oomichi_ has quit IRC02:41
morganfainbergit also would have been nice if we had done { 'scope': [ {...}, {...}] } instead of "{project:} or {"domain":}02:41
ayoungwell...maybe not02:41
ayoungyeah02:41
ayoungI still need to figure out how to request an unscoped token02:41
morganfainbergheh02:41
ayoung "scope": {  "none" :"True" }}02:41
ayoungto make sure that if someone requested it of a Keystone server that doesn't support it, it will break02:42
morganfainbergnah, "scope": []02:42
morganfainbergthat is implicitly unscoped02:42
morganfainbergno scope02:42
ayounglets see what happens when I pass that to an existing keystone server...02:42
morganfainbergyou'd get default project back if it exists iirc.02:43
morganfainbergas your scope02:43
morganfainbergotherwise you get a token w/o "domain" or "project"02:43
morganfainberg*i think*02:43
morganfainbergwhich is unscoped. but it's not clear that it's the case because scope is a top-level that could be in one of two places in the token02:43
* morganfainberg takes a break. so i don't go back to dislike token format convo02:44
ayoung{"error": {"message": "Expecting to find project, domain, or OS-TRUST:trust in scope - the server could not comply with the request since it is either malformed or otherwise incorrect. The client is assumed to be in error.", "code": 400, "title": "Bad Request"}}[ayoung@f20 ~]$02:44
ayoungI think you have nailed it02:44
ayounglets see what happens with scope : {}02:45
ayoungsame thing02:45
ayoungso either is acceptable to me02:46
*** yasu_ has joined #openstack-keystone02:47
*** htruta_ has quit IRC02:50
*** KanagarajM has joined #openstack-keystone02:56
*** tellesnobrega has joined #openstack-keystone03:05
*** dims has quit IRC03:08
*** dims has joined #openstack-keystone03:08
openstackgerritMerged openstack/keystone: Move base64 unit tests to keystone/tests/unit dir  https://review.openstack.org/13404303:09
*** yasu_ has quit IRC03:10
openstackgerritMerged openstack/keystone: Increase test coverage of test_base64utils.py  https://review.openstack.org/13404403:10
ayoungmorganfainberg, jamielennox http://paste.openstack.org/show/135032/03:12
openstackgerritMerged openstack/keystone: Doc about specifying domains in domains specific backends  https://review.openstack.org/13214303:12
openstackgerritMerged openstack/keystone: Increase test coverage of test_versions.py  https://review.openstack.org/13436503:12
openstackgerritMerged openstack/keystone: Move injection unit tests to keystone/tests/unit  https://review.openstack.org/13401003:13
jamielennoxayoung: i think its unecssary, we dont need to stop people shooting themselves in the fooyt03:13
*** yasu_ has joined #openstack-keystone03:14
*** HenryG has quit IRC03:15
ayoungjamielennox, that expression has two meanings.  One is someone is trying to do a quick draw, and pulls the trigger while the pistol is still in the holster.  The second is someone trying to get out of combat and puts a bullet through their own foot intentionally.03:16
jamielennoxnew a guy in primary school that actually managed to shoot himself in the foot03:16
ayoungI would argue both are due to people being in situations which are over their head03:16
jamielennoxwent on to play football professionally, so no lasting effects03:16
jamielennoxknew03:17
ayoungNu?03:17
ayoungjamielennox, anyway, I tend to code defensively, which is what I think morganfainberg is aiming for here.  If it makes it easier to document, so much the better.  I think it would be easy to make a builder using that pattern, and a single call to set immutable on all contained objects would ensure correct usage for the most part03:18
*** HenryG has joined #openstack-keystone03:18
ayoungwe'd probably have to grandfather in a few of the flattened attributes like user_id03:19
ayoungto keep policy working03:19
*** tellesnobrega has quit IRC03:45
*** yasu_ has quit IRC03:59
*** chrisshattuck has joined #openstack-keystone04:04
*** radez is now known as radez_g0n304:12
*** jdennis has quit IRC04:17
*** tellesnobrega has joined #openstack-keystone04:20
*** stevemar has joined #openstack-keystone04:29
*** ChanServ sets mode: +v stevemar04:29
*** erkules_ is now known as erkules04:35
*** jdennis has joined #openstack-keystone04:35
*** Nakato_ is now known as Nakato04:58
*** henrynash has joined #openstack-keystone05:05
*** ChanServ sets mode: +v henrynash05:05
*** tellesnobrega has quit IRC05:12
*** chrisshattuck has quit IRC05:17
*** alex_xu has quit IRC05:19
*** alex_xu has joined #openstack-keystone05:29
*** jdennis has quit IRC05:30
*** chrisshattuck has joined #openstack-keystone05:32
*** henrynash has quit IRC05:54
*** ajayaa has joined #openstack-keystone05:57
*** chrisshattuck has quit IRC06:02
*** chrisshattuck has joined #openstack-keystone06:05
*** chrisshattuck has quit IRC06:07
*** alex_xu has quit IRC06:12
*** alex_xu has joined #openstack-keystone06:19
*** oomichi has joined #openstack-keystone06:22
*** amcrn has quit IRC06:24
*** harlowja is now known as harlowja_away06:31
*** k4n0 has joined #openstack-keystone06:33
*** jimhoagland has joined #openstack-keystone06:42
*** afazekas has quit IRC06:55
marekdmorning06:56
*** oomichi__ has joined #openstack-keystone07:01
*** oomichi has quit IRC07:02
*** pc-m has quit IRC07:08
*** pc-m has joined #openstack-keystone07:08
*** ukalifon1 has joined #openstack-keystone07:19
*** afazekas has joined #openstack-keystone07:45
*** ukalifon1 has quit IRC07:47
*** stevemar has quit IRC07:47
*** redrobot has quit IRC07:52
*** abelity has joined #openstack-keystone07:52
abelityhi07:53
abelityjust wanted to check if anyone has implemented keystone CAS as the identity provider07:53
abelityw/ CAS as the identity provider07:54
abelityshould i us shibboleth or just plain mod_auth_cas??07:55
*** redrobot has joined #openstack-keystone07:55
*** redrobot is now known as Guest2787907:55
openstackgerritMarek Denis proposed openstack/keystone-specs: Service Provider for K2K  https://review.openstack.org/13560408:01
marekdabelity: what is CAS?08:02
*** links has joined #openstack-keystone08:11
*** oomichi_ has joined #openstack-keystone08:12
*** oomichi__ has quit IRC08:12
*** oomichi_ has quit IRC08:14
openstackgerritMarek Denis proposed openstack/keystone-specs: Service Provider for K2K  https://review.openstack.org/13560408:18
*** ukalifon1 has joined #openstack-keystone08:20
abelity@marekd CAS = Central Authentication Server08:22
marekdabelity: so CAS is also a protocol, right?08:25
marekdabelity: or it uses SAML as a transport layer?08:25
*** circ-user-vj7sB has joined #openstack-keystone08:28
circ-user-vj7sBwhat happen "WARNING:keystoneclient.httpclient:Failed to retrieve management_url from token"08:28
marekdbdossant: welcome!08:28
bdossantmarekd: yello08:29
circ-user-vj7sBi run keystone but WARNING:keystoneclient.httpclient:Failed to retrieve management_url from token08:30
*** circ-user-vj7sB is now known as xiaozhi08:37
xiaozhiHow to solve "WARNING:keystoneclient.httpclient:Failed to retrieve management_url from token"08:38
*** xiaozhi_ has joined #openstack-keystone08:44
*** xiaozhi has quit IRC08:46
*** uvirtbot has quit IRC09:00
ajayaaxiaozhi, Check if you have setup proper endpoints in keystone.09:07
ajayaacirc-user-vj7sB ^^09:07
xiaozhi_thanks I found a mistake09:08
*** NM has joined #openstack-keystone09:10
*** alex_xu has quit IRC09:14
*** uvirtbot has joined #openstack-keystone09:17
abelity@marekd yes CAS uses SAML as the transport layer09:20
openstackgerritAndrey Pavlov proposed openstack/keystone: Handle SSL termination proxies for version list  https://review.openstack.org/13223509:22
marekdabelity: so if shibboleth works well you can try it out :-)09:27
marekdabelity: but currently it needs to handle ECP (Enhanced client or proxy) extension09:27
*** oomichi has joined #openstack-keystone09:27
abelitybut was just checking is there is reference implementation you know of CAS backends09:31
samuelmsmorning09:35
*** lhcheng has joined #openstack-keystone09:38
*** uvirtbot has quit IRC09:53
*** NM has quit IRC10:00
*** lhcheng_ has joined #openstack-keystone10:00
marekdelo10:01
marekdabelity: i don't10:01
*** lhcheng has quit IRC10:03
*** arif-ali has quit IRC10:05
*** uvirtbot has joined #openstack-keystone10:05
*** aix has joined #openstack-keystone10:08
*** arif-ali has joined #openstack-keystone10:16
*** uvirtbot has quit IRC10:31
*** nellysmitt has joined #openstack-keystone10:36
openstackgerritMarcos Fermín Lobo proposed openstack/keystone: Split the assignments manager/driver.  https://review.openstack.org/13095410:37
openstackgerritMarcos Fermín Lobo proposed openstack/keystone: Implement group related methods for LDAP backend  https://review.openstack.org/10224410:37
*** uvirtbot has joined #openstack-keystone10:38
samuelmsmarekd, do you know Marcos Fermín Lobo from cern?10:45
*** xiaozhi has joined #openstack-keystone10:45
marekdy10:46
marekdhe sites next to me10:46
marekdwhat's up?10:46
samuelmsmarekd, just a sec10:47
*** xiaozhi_ has quit IRC10:47
*** diegows has joined #openstack-keystone10:50
samuelmsmarekd, https://review.openstack.org/#/c/130954/10:51
samuelmsmarekd, take a look at the comment I just added at the end10:52
openstackgerritLin Hua Cheng proposed openstack/keystone: Always return the service name in the catalog  https://review.openstack.org/13580810:52
*** uvirtbot has quit IRC10:52
samuelmsmarekd, wait ..10:56
samuelmsmarekd, it looks like he only rebased the patch .. let me confirm10:56
marekdok10:58
*** dims has quit IRC11:01
*** dims has joined #openstack-keystone11:01
*** uvirtbot has joined #openstack-keystone11:02
*** uvirtbot has quit IRC11:03
samuelmsmarekd, if you have a patch .. and you need to do a rebase to master ..11:03
samuelmsmarekd, the changes from master should not appear on your patch set, right?11:04
samuelmsmarekd, forget .. I'm confusing myself .. and confusing you11:05
samuelmshaha11:05
samuelmsmarekd, he just rebased .. false alarm from me11:06
marekdsamuelms: well, that's strange that henry's patch got a new version too, but i guess it's simply because of conf files being regenerated or sth11:07
*** diegows has quit IRC11:07
marekdthe juicy meat is not changed.11:07
samuelmsmarekd, exctly11:07
samuelmsmarekd, I thought it was wrong .. because Marcos came like .. arriving by parachute on that and sending a new patch set11:07
openstackgerritMarek Denis proposed openstack/keystone: Adds dynamic checking for mapped tokens  https://review.openstack.org/13313011:08
samuelmsmarekd, I was like .. lol11:08
*** aix has quit IRC11:11
openstackgerritMarek Denis proposed openstack/keystone: Rename openid to oidc in test_auth_plugins.conf  https://review.openstack.org/13349411:16
openstackgerritMarek Denis proposed openstack/keystone: Rename openid to oidc in test_auth_plugins.conf  https://review.openstack.org/13349411:17
openstackgerritMarek Denis proposed openstack/keystone: Rename openid to oidc in test_auth_plugins.conf  https://review.openstack.org/13349411:18
*** aix has joined #openstack-keystone11:42
openstackgerritRodrigo Duarte proposed openstack/keystone: Adds dynamic checking for mapped tokens  https://review.openstack.org/13313011:45
*** radez_g0n3 is now known as radez11:59
*** uvirtbot has joined #openstack-keystone12:04
*** KanagarajM has quit IRC12:18
*** uvirtbot has quit IRC12:22
*** eglynn-office is now known as eglynn-nick12:25
*** designate has joined #openstack-keystone12:26
*** designated has quit IRC12:28
*** xiaozhi has quit IRC12:28
*** oomichi has quit IRC12:31
openstackgerritDavid Stanek proposed openstack/keystone-specs: Adds a spec for fixing Keystone's DI  https://review.openstack.org/13593112:33
*** links has quit IRC12:35
*** amakarov_away is now known as amakarov12:42
openstackgerritMarek Denis proposed openstack/keystone: Rename openid to oidc in test_auth_plugins.conf  https://review.openstack.org/13349412:45
*** links has joined #openstack-keystone12:54
dstanekmarekd: morning!12:55
*** bdossant_ has joined #openstack-keystone13:07
*** bdossant has quit IRC13:10
*** bdossant_ has quit IRC13:12
*** afazekas has quit IRC13:13
*** richm has joined #openstack-keystone13:15
*** nellysmitt has quit IRC13:16
*** nellysmitt has joined #openstack-keystone13:17
*** nellysmitt has quit IRC13:28
*** afazekas has joined #openstack-keystone13:29
*** Divya has joined #openstack-keystone13:30
DivyaHi , I am trying to figure out if there are going to be any auditing enhancements in OpenStack Kilo.13:32
*** nellysmitt has joined #openstack-keystone13:32
*** k4n0 has quit IRC13:38
rodrigodsDivya, you may refer to pycadf (https://launchpad.net/pycadf)13:38
*** afazekas has quit IRC13:39
*** gordc has joined #openstack-keystone13:42
*** nellysmitt has quit IRC13:43
*** nellysmitt has joined #openstack-keystone13:46
*** miqui has joined #openstack-keystone13:46
*** jdennis has joined #openstack-keystone13:46
Divyarodrigods , thanks will take a look13:47
*** richm has quit IRC13:50
*** jdennis has quit IRC13:50
*** miqui_ has joined #openstack-keystone13:50
*** jdennis has joined #openstack-keystone13:51
*** henrynash has joined #openstack-keystone13:51
*** ChanServ sets mode: +v henrynash13:51
*** miqui__ has joined #openstack-keystone13:52
*** ajayaa has quit IRC13:53
*** miqui___ has joined #openstack-keystone13:54
zhiyanmorganfainberg: hi! would you mind give me two more mins to talk about oslo-inc policy module with you ?)13:55
*** richm has joined #openstack-keystone13:55
*** miqui____ has joined #openstack-keystone13:55
*** Divya has quit IRC13:55
*** miqui___ has quit IRC13:56
*** miqui___ has joined #openstack-keystone13:57
raildozhiyan, rodrigods are working with this, maybe he can answer your questions13:58
zhiyanraildo: good to know. thanks13:58
*** miqui__ has quit IRC13:58
*** miqui has quit IRC13:58
*** miqui____ has quit IRC13:58
*** miqui_ has quit IRC13:58
*** miqui___ has quit IRC13:58
zhiyanrodrigods: may I ..?13:58
rodrigodszhiyan, go ahead =)13:59
rodrigodsraildo, thanks13:59
zhiyanrodrigods: hey! :)13:59
*** miqui has joined #openstack-keystone13:59
raildo:)13:59
zhiyanrodrigods: this one https://review.openstack.org/#/c/128881/213:59
rodrigodszhiyan, looking14:00
zhiyanrodrigods: i'm handling glance oslo related works now. weeks ago, when i try to syncup latest oslo-inc.policy module to glance, i found there's a limitation for glance exiting ProtectProperty feature14:00
rodrigodszhiyan, can you paste the rule?14:01
zhiyanrodrigods: so I did a hurmless change for policy.py, as you seen, very small one14:01
zhiyani can paste some glance built-in rules, but operator could config it as deployment needed..14:02
*** jistr has joined #openstack-keystone14:02
zhiyanrodrigods: https://github.com/openstack/glance/blob/master/etc/property-protections-policies.conf.sample and https://github.com/openstack/glance/blob/master/etc/property-protections-roles.conf.sample14:02
*** zzzeek has joined #openstack-keystone14:03
*** jistr is now known as jistr|mtg14:04
rodrigodszhiyan, hmm, so you need those rules to not me overwritten by the ones in policy.json14:04
zhiyanrodrigods: sorry, don't followed..14:05
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements  https://review.openstack.org/13477014:06
openstackgerritOpenStack Proposal Bot proposed openstack/keystonemiddleware: Updated from global requirements  https://review.openstack.org/13596514:06
zhiyanrodrigods: actually glance build rules based on image property and these configuration in code, and set them into Enforcer object..14:06
*** nellysmitt has quit IRC14:06
*** ajayaa has joined #openstack-keystone14:06
rodrigodszhiyan, to not be overwritten*14:06
rodrigodszhiyan, good, reading the code now14:07
zhiyanrodrigods: these rule could be overwritten14:07
zhiyanrodrigods: ok..14:07
openstackgerritOpenStack Proposal Bot proposed openstack/pycadf: Updated from global requirements  https://review.openstack.org/13598214:11
openstackgerritOpenStack Proposal Bot proposed openstack/python-keystoneclient: Updated from global requirements  https://review.openstack.org/13479414:12
openstackgerritOpenStack Proposal Bot proposed openstack/python-keystoneclient-federation: Updated from global requirements  https://review.openstack.org/13357014:12
openstackgerritOpenStack Proposal Bot proposed openstack/python-keystoneclient-kerberos: Updated from global requirements  https://review.openstack.org/13598614:12
rodrigodszhiyan, I just didn't get why the "if flag" doesn't work in glance side14:13
zhiyan"if flag"?14:14
*** miqui has quit IRC14:14
rodrigodszhiyan, regarding the comments julien left14:14
*** miqui has joined #openstack-keystone14:14
zhiyanrodrigods: oh which one?14:15
*** miqui_ has joined #openstack-keystone14:15
*** afazekas has joined #openstack-keystone14:15
zhiyanrodrigods: you mean removing the "if reloaded" check?14:15
*** diegows has joined #openstack-keystone14:16
*** jimhoagland has quit IRC14:17
*** miqui_ has quit IRC14:17
rodrigodszhiyan, yep14:17
*** nellysmitt has joined #openstack-keystone14:17
zhiyanrodrigods: ok,14:17
*** david-lyle has quit IRC14:18
zhiyanrodrigods: if i remove that condition, only one left it "not self.rules", but in glance before do that code patch, self.rules may could has content14:18
zhiyanbecause glance code build some dynamic rules for protect property stuff14:19
rodrigodszhiyan, hmm14:19
zhiyanrodrigods: any details you want to know?14:20
zhiyanrodrigods: no worries, pls let me know your thoughts )14:21
*** nkinder has quit IRC14:21
rodrigodszhiyan, just a sec =)14:22
zhiyanrodrigods: no rush!14:22
*** joesavak has joined #openstack-keystone14:24
rodrigodszhiyan, yeah, makes sense to me. Since we want to make it as generic as possible once it will graduate (this is already helps in the effort). I'll +1 it14:24
zhiyanrodrigods: thanks!14:25
zhiyanrodrigods: good man14:25
zhiyanrodrigods: i just want to make it fit into glance, btw. so i'd like to make it as harmless and sample as possible.14:25
rodrigodszhiyan, ++14:27
rodrigodsayoung, ^^ can you please review it as well? https://review.openstack.org/#/c/128881/14:27
*** sigmavirus24 has joined #openstack-keystone14:30
*** bdossant has joined #openstack-keystone14:30
*** zzzeek has quit IRC14:30
zhiyanayoung: hi! look forwawrd to see your ideas on the revew, if you have any idea pls let me know it. thanks.14:43
*** r-daneel has joined #openstack-keystone14:47
*** links has quit IRC14:48
*** ukalifon3 has joined #openstack-keystone14:49
*** ukalifon1 has quit IRC14:49
*** links has joined #openstack-keystone14:51
openstackgerritMerged openstack/python-keystoneclient-kerberos: Updated from global requirements  https://review.openstack.org/13598614:51
*** Ctina has joined #openstack-keystone14:54
*** miqui has quit IRC15:00
*** miqui has joined #openstack-keystone15:05
*** topol has joined #openstack-keystone15:08
*** ChanServ sets mode: +v topol15:08
*** nkinder has joined #openstack-keystone15:10
*** nellysmitt has quit IRC15:17
*** miqui has quit IRC15:25
morganfainbergzhiyan: pong15:27
morganfainbergReading the scrollback now.15:27
zhiyanmorganfainberg: cool!15:29
*** jacorob has joined #openstack-keystone15:31
*** miqui has joined #openstack-keystone15:31
*** miqui has quit IRC15:32
*** miqui has joined #openstack-keystone15:34
*** miqui has quit IRC15:35
openstackgerritLance Bragstad proposed openstack/keystone: Move test_utils to keystone/tests/unit/  https://review.openstack.org/13398915:38
morganfainbergzhiyan: I might need coffee before I can score the patch.15:42
topolmorganfainberg, does storyboard do the bug management as well?15:42
zhiyanmorganfainberg: :) no worries/rush15:42
morganfainbergzhiyan: I'm reading it and I think I need to be more awake. Rules and enforcement is dense stuff :)15:42
morganfainbergtopol: afaik, yes15:42
topolI was poking around on it but did not see any bugs15:42
topolcool15:43
morganfainberghenrynash: commented on your split patch last night.15:43
zhiyanmorganfainberg: :))15:43
henrynashmorganfainberg: yep - saw that…replied to the general point a little earlier15:43
morganfainbergtopol: I think bugs / bps are mostly the same. But infra and Michael kroscheck (sp?) can five more info15:44
topolit looks awesome. when do we get it?15:44
*** abelity has quit IRC15:45
*** jorge_munoz has joined #openstack-keystone15:45
morganfainberghenrynash: so I'm just concerned that the role and role assignment are very tightly intertwined.15:46
morganfainbergAnd the assignment backend will be difficult to manage / develop for being that roles are external.15:47
openstackgerritLance Bragstad proposed openstack/keystone: Remove XML support  https://review.openstack.org/12573815:47
morganfainbergLike I said in my comment, I don't think your proposal is wrong, just a tough split.15:48
morganfainberglbragstad: woot. No more crummy xml support!15:48
lbragstadnote to everyone who +2 the XML removal stuff yesterday ^^. The patch was in merge conflict so I repushed a new revision15:48
morganfainbergtopol: maybe next cycle?15:48
lbragstadmorganfainberg: also, the tempest patch made it through the gate15:49
henrynashmorganfainberg: it’s a fair discussion point….although it certainly didn’t feel alien in the spli to have it in resource….in fact it felt easier that assignment is a pure mapper15:49
lbragstadso we should have an accurate run at tempest testing this patch set15:49
morganfainberghenrynash: that is the reason I didn't -115:50
morganfainbergtopol: I want to be done with LP asap.15:50
topolmorganfainberg. Me too :-).  Its horrible :-)15:51
morganfainberghenrynash: ok so let's talk through what we gain / lose moving role into assignment.15:52
morganfainbergI think that'll help me resolve any dissonance here15:52
*** henrynash has quit IRC15:52
marekddstanek: hey!15:53
morganfainbergmarekd: hello!15:53
*** bdossant has quit IRC15:55
morganfainbergdolphm: ping re: venue for mid cycle. Is it safe to make the announcement of the space were using in San Antonio?15:55
morganfainbergAnd/or hotel.15:55
dolphmmorganfainberg: not yet - i haven't received a response yet. they were *really* slow last time around too15:55
morganfainbergAhh.15:55
topolmorganfainberg, fungi just pointed out to me I didnt read the whole email and storyboard isnt yet ready for the rest of openstack15:55
morganfainbergtopol: like I said. Maybe next cycle.15:56
morganfainbergtopol: I had already asked ;)15:56
dolphmmorganfainberg: give me like a week :-/15:56
topolmorganfainberg, I bet15:56
morganfainbergdolphm: works for me. Will bug you next week. ;)15:56
*** henrynash has joined #openstack-keystone15:57
*** ChanServ sets mode: +v henrynash15:57
henrynashmorganfainberg: if were to imagine pluggin in an arbritary access control engine, I’m not sure why it owning roles wold help…imagine it’s some ABAC thing…it would, I assume, hold a bunch of other attributes tagged against existing objects, have its own rules that reference these attributes, but still result in just expressing what these mean in terms idenity_id X, project_id Y and role_id Z.15:57
morganfainbergBarbican might do SA as well now.15:57
marekdmorganfainberg: good morning!15:58
bknudsondid folks attend the barbican sessions at the summit?15:59
bknudsonthere was one for getting other projs to use barbican15:59
morganfainbergbknudson: there was an overlap every time. So I had to skip :(.15:59
bknudsonessentially they have a credentials API and keystone has one, too16:00
morganfainbergYes and I want ours to proxy to theirs16:00
bknudsonalso other projects are looking to use barbican... they said it was required for incubation16:00
morganfainbergAt least as the transition point. (Or be able to at least)16:00
bknudsonso I'd be interested to know if they're planning to be integrated16:01
morganfainberghenrynash: so whatever that engine is needs to be aware of the resource backend.16:01
*** ukalifon3 has quit IRC16:01
morganfainberghenrynash: hmm.16:02
*** bdossant has joined #openstack-keystone16:02
*** david-lyle has joined #openstack-keystone16:02
bknudsonthere was also talk about adding a certificate issuance API (so they can talk to your CA, or have an openssl-based sample CA)16:02
morganfainbergbknudson: also a good thing for them to do.16:03
henrynashmorganfainberg: it needs to know what entity types (and their IDs) between which it must externally express all relationships …but teh rules and basis for those relationships are matter for its internals16:03
bknudsonthose were the 2 sessions I got to... not sure if I missed any.16:03
ayoungzhiyan I'll have to think about it...what it implies16:03
morganfainbergayoung: that is why I am deferring until post coffee.16:04
ayoung++16:04
morganfainbergIt is actually a very interesting approach.16:04
zhiyanayoung: thanks.16:05
zhiyanmorganfainberg: ayoung btw, current change didn't change any original logic with default params16:05
morganfainberghenrynash: so, then last question, what would a custom backend look like that isn't doing the sql mapping we are doing now? (LDAP isnt different enough to show what I am asking).16:06
morganfainbergI am trying to figure out what it actually looks like.16:07
morganfainbergI am for the split for a number of reasons, but I'm trying to make sure we're not backed into a different corner than we are now. If that makes sense.16:09
*** thedodd has joined #openstack-keystone16:10
*** stevemar has joined #openstack-keystone16:13
*** ChanServ sets mode: +v stevemar16:13
rodrigodsmorganfainberg, 2 rechecks in https://review.openstack.org/#/c/117786/ -> same tests failing =(16:14
*** chrisshattuck has joined #openstack-keystone16:15
dstanekmarekd: at lunch now. I had a question about one of your reviews so it can wait16:16
henrynashmorganfainberg: so imagine one that would store a bunch for additional attributes about users and projects (it would provide its’ own API to store these attributes), and then provide an API tp enable you to create relationships between these attributes (e.g. any user over the age of 18 has the role ok_to_by_tickets on project cinema). It would then dynamically interret its rules when asked “what roles do16:17
henrynashHenry have on project cinema”. This new attribute-based mapping would wrok just fine within today’s openstack…with the rest of teh system being oblivious to that fact that we have effectively ABAC running as an assignments model16:17
dstanekmorganfainberg: the mid-cycle dates are firm right? I wasn't too get a plane ticket since they are currently cheap16:18
*** __TheDodd__ has joined #openstack-keystone16:18
marekddstanek: ok16:18
marekdi will be here another ~1hour16:18
morganfainbergdstanek: yes.16:18
morganfainbergdstanek: we are just waiting for confirm of using geekdom or Rackspace.16:18
dstanekmarekd: cool, thx16:19
morganfainbergWhich directs what hotels were recommending.16:19
*** thedodd has quit IRC16:19
*** sigmavirus24 is now known as sigmavirus24_awa16:19
dstanekmorganfainberg: works for me16:20
ayoungzhiyan, why reload in the first place?16:25
*** nellysmitt has joined #openstack-keystone16:26
zhiyanayoung: sorry more details?16:27
ayoungzhiyan, why is glance reloading policy rules?16:27
*** Ctina has quit IRC16:27
ayoungzhiyan, what is the workflow that leads to there being multiple policy files?16:28
*** Ctina has joined #openstack-keystone16:28
*** afazekas has quit IRC16:28
*** sigmavirus24_awa is now known as sigmavirus2416:29
zhiyanayoung: normally, glance only reload policy.json when it get changed.16:30
zhiyanayoung: actually in glance there's no multi-policy files16:30
zhiyanayoung: but glance has feature called ProtectProperty16:30
ayoungwhat does that do?16:31
*** _cjones_ has joined #openstack-keystone16:31
zhiyanayoung: which could gen policies in code based on configurations (which is not policies) and image properties.16:31
ayoungI need more information16:32
zhiyanayoung: ok, in glance, there are some 'layers'16:32
ayoungare they using it for something other than policy checks?  Is this a case of a singleton approach preventing the policy engine from being use for something else?16:32
zhiyanyes, finally code do checking just use only one policy enforcer object16:33
zhiyanthat enforcer including all rules: policy.json and the ones protectproperty code added16:33
ayoungOK...so we really want different enforcer objects?16:34
openstackgerritMerged openstack/pycadf: Updated from global requirements  https://review.openstack.org/13598216:34
zhiyanayoung: no, teachnically it could work, but for glance is not sensible..16:34
*** __TheDodd__ has quit IRC16:34
*** jorge_munoz has quit IRC16:34
ayoungwhat is ProtectProperty doing?16:35
zhiyanayoung: i also mentioned the glance current design on this in comments as well16:35
zhiyanprotectproperty do works in a 'layer' with in glance, it base on configurations and image properties(metadata) to gen policies16:36
zhiyan(and set these rules into one enforcer obj)16:36
*** bdossant has quit IRC16:36
ayoungare these policies enforced on api calls just like the policy.json file ?16:37
zhiyan1 sec16:38
zhiyanayoung: not so much16:39
zhiyanayoung: they controls if enduser/request could crud on image property16:40
ayoungzhiyan, ok,  so the problem is that they are autogenerating rules, but then when the API attempts to enforce policy, triggering a load_rules call, it wipes out the autogenerated rules, and both sets of rules should be evaluated together?16:47
zhiyanayoung: yes16:47
ayoungzhiyan, ok,  so the current code flushes all old rules upon load?16:48
zhiyanayoung: yes16:48
ayoungwith your code, if a new definition comes in for an existing rule, what happens?16:48
zhiyan"new definition" means?16:49
zhiyanayoung: ^16:49
ayoungzhiyan, for example, if is_admin:  "role:admin"  is currently defined, and on reload we get16:50
ayoungis_admin:  "role:admin and project_id = {%project_id}"16:50
ayoungor whatever the format16:50
zhiyanayoung: ok, it will be overwrite16:51
ayoungwhat would the end state of is_admin be?16:51
zhiyani mean new loaded 'definition' will replace existing rule.16:51
ayoungSo rules that are not explicitly states will be left untouched, but the explict rules will get their valus from the new file16:51
zhiyanjust like original logic16:51
ayoungwe have tests showing that?16:51
zhiyanyes, i think16:51
zhiyanin glance ProtectProperty feature, there's no new definition16:52
ayounghmmm, don't like how were are writing the test conditions16:52
ayoungchecking against what is in the enforcer is not specific enough16:53
ayoungzhiyan, can you do me a favor? Instead of lines likethis16:53
ayoungself.assertEqual('is_admin', self.enforcer.rules['admin'].kind)16:53
ayoungdo something more like this16:53
ayoungrules = {  ... what you have now }16:53
ayoung self.enforcer.set_rules(rules)16:54
ayoungand then16:54
ayoungrun things through the test that should pass in one instance and fail in the other?16:54
ayoungOr at least check what the active rule is set in the enforcer, and that it matches the value from rules16:55
ayoungso16:55
ayoungassertIsEqual(rules['admin'],   self.enforcer.rules['admin'])16:55
*** marcoemorais has joined #openstack-keystone16:57
ayoungzhiyan  what I would like to see is this16:57
ayoungset the rules engine  with one rule16:57
ayounguse the update mechanism16:58
ayoungsee the new version of the rule16:58
ayoungalso see that a rule that was not modified is still there in the origianl state16:58
zhiyanayoung: ok, let me try to update the testcases16:59
ayoungzhiyan, bascially, I am saying more tests...test the assumptions and make them explicit16:59
ayoungsounds good.  I'll put this feedback in the review16:59
zhiyanayoung: thanks!17:00
rodrigodsayoung, good to see that wasn't wrong in thinking that the change makes sense :P17:02
openstackgerritMarek Denis proposed openstack/keystone: Adds dynamic checking for mapped tokens  https://review.openstack.org/13313017:03
marekdstevemar: ^^17:03
*** Guest27879 is now known as redrobot17:04
*** zzzeek has joined #openstack-keystone17:07
*** henrynash has quit IRC17:08
openstackgerritMarek Denis proposed openstack/keystone-specs: Service Provider for K2K  https://review.openstack.org/13560417:09
marekdstevemar: ^^17:09
openstackgerritMarek Denis proposed openstack/keystone: Rename openid to oidc in test_auth_plugins.conf  https://review.openstack.org/13349417:09
openstackgerritMarek Denis proposed openstack/keystone: Rename openid to oidc in test_auth_plugins.conf  https://review.openstack.org/13349417:09
*** uvirtbot has joined #openstack-keystone17:13
*** uvirtbot has quit IRC17:14
*** uvirtbot has joined #openstack-keystone17:16
*** uvirtbot has quit IRC17:17
*** nellysmitt has quit IRC17:19
*** gyee has joined #openstack-keystone17:20
*** gyee has quit IRC17:24
*** gyee has joined #openstack-keystone17:24
*** Viswanath has joined #openstack-keystone17:24
*** gyee has quit IRC17:25
*** gyee has joined #openstack-keystone17:26
*** gyee has quit IRC17:26
*** gyee has joined #openstack-keystone17:26
*** ChanServ sets mode: +v gyee17:26
*** Viswanath has quit IRC17:27
*** marekd is now known as marekd|away17:30
morganfainbergayoung, zhiyan, so if i'm reading this correctly it's strictly a "user can change some aspects of permissions and therefore we need to support rloading but not replace the new custom perms"?17:34
zhiyanmorganfainberg: yes, you r correct17:36
morganfainbergzhiyan, hm. i need to mull this one over but i'm not strictly opposed to it17:37
morganfainbergi do agree w/ ayoung about the better testing17:37
ayoungmorganfainberg, It almost feels like we should be maintaining the origianl sources, and then layering them each time17:38
zhiyanmorganfainberg: ok, i will do two more cases for positive and negative versions work17:38
morganfainbergayoung: that is my feeling.17:38
ayoungmorganfainberg, if it were two files, clear and  then scanning each would make sense.  Its is only because these rules are in memory only that will not work here17:38
morganfainbergBut I was still looking over things before is made that statement more directed.17:39
ayoungI'm also a little concerned about what will happen when the base policy file is fetched from Keystone17:39
ayoungstill, I think that this mechanism as is is probably the correct local approach17:39
ayoungand we should not prevent  it from going forward just due to the future work17:39
rodrigodsmorganfainberg, did you see my message regarding the tests in the HM patch?17:44
morganfainbergrodrigods: yeah. I was trying to look at them but phone was too small17:44
zhiyanmorganfainberg: rodrigods, ayoung pls ping if you have any ideas, gtg. thanks for your support!17:44
rodrigodsmorganfainberg, ah, ok... in the laptop already?17:45
morganfainbergrodrigods: waiting for a firmware update and I'll be looking more in depth at them.17:45
rodrigodsmorganfainberg, thx17:45
ayoungmorganfainberg, if you are going to be PTL on the go I think you need a tablet17:45
morganfainbergayoung: wouldn't have helped much.17:45
openstackgerritLin Hua Cheng proposed openstack/keystone: Always return the service name in the catalog  https://review.openstack.org/13580817:45
morganfainbergLaptop rebooted automatically into firmware update mode (missed the *no dont* click).17:46
morganfainbergannnnd back to laptop17:47
morganfainbergooh pycharm 4.17:47
morganfainbergthis ought to be "fun" ;)17:47
*** aix has quit IRC17:51
openstackgerritMerged openstack/keystone: Updated from global requirements  https://review.openstack.org/13477017:53
ayoungmorganfainberg, did my quick-and-dirty version of the Token model align with what you were thinking?17:58
morganfainbergayoung, let me re-read it.17:59
morganfainbergayoung, i *think* it did.17:59
*** harlowja_away is now known as harlowja18:02
morganfainbergthe spec lines up with my thoughts18:04
ayoungmorganfainberg, how about the code sample?18:05
morganfainbergayoung, sure. i generally like that approach18:05
morganfainbergayoung, i much prefer that to a bunch of @property magic.18:06
ayoungyeah, me too18:06
*** RichardRaseley has joined #openstack-keystone18:06
ayoung I tend to favor immutable objects. I'm thinking along these lines:  1  get a good set of objects that can be made immutable.  2.  Define a builder interface to those objects.  3.  Have Directors for the common means of building the model:   From token data and from direct database calls18:07
ayoungWhen we get a new token format, it will get its own director18:07
*** marcoemorais has quit IRC18:08
*** marcoemorais has joined #openstack-keystone18:08
morganfainbergayoung, ++ i think you've extracted out waht i've been thinking18:08
morganfainbergand if you look at how the token_model in keystone is being used, that was the direction i was aiming to head18:09
ayoungI think I had to accept that I was trying too hard to think Pythonically18:09
morganfainbergi just needed a stepping stone18:09
*** amakarov is now known as amakarov_away18:09
morganfainbergin fact... i even had an immutable version of that model18:09
morganfainbergat one point18:09
morganfainbergbut it was too big a leap to do in one fell swoop18:09
morganfainbergi think the best plan is be pythonic in python... until it doesn't make sense18:10
morganfainbergthen stop.18:10
morganfainbergrodrigods, huh18:10
morganfainbergrodrigods, interesting looks like user/project creation isn't working as expected18:11
morganfainbergrodrigods, http://logs.openstack.org/87/117787/33/check/check-tempest-dsvm-full/ebe0835/logs/devstacklog.txt.gz#_2014-11-19_13_14_23_17218:11
*** links has quit IRC18:11
morganfainbergsomething specific about "create swift accounts"18:11
rodrigodsmorganfainberg, yeah... saw that18:12
ayoungmorganfainberg, OK.  So I am thinking that I should start with the code in token_models ?18:12
ayoungrework it in this fashion, and make things use that?18:12
rodrigodscouldn't figure out what we might being doing wrong, so thought about the rebase possibility18:12
morganfainbergayoung, yeah i think that is where i'd start18:12
ayoungmorganfainberg, I should probably document this approach in the spec:  will update first18:13
morganfainbergayoung, i am going to start for the provider cleanup on the needed scaffolding to handle a very strictly enforced interface (StrictABC)18:13
morganfainbergayoung, then work on the issuance code / formatters.18:13
morganfainberga lot of shell games going to happen in this refactor i think18:13
rodrigodsmorganfainberg, hmm this was a sensitive change I've made https://review.openstack.org/#/c/117786/32..33/keystone/auth/controllers.py18:14
ayoungmorganfainberg, so long as the model objects are not abstract, I think I'm good with that.18:15
morganfainbergayoung, nah.18:15
morganfainbergayoung, this is the provider interface18:15
*** amcrn has joined #openstack-keystone18:16
ayoungSo the relationship between a token and the AccessInfo is...18:16
ayoungAccessInfo is the data, token is an assertion about that data?18:16
morganfainbergayoung, the provider interface [issue, validate, etc] just needs to be very strict - down to the method signature18:16
morganfainbergayoung, hm.18:16
morganfainbergayoung, yes i think that is the right relationship18:17
*** david-lyle has quit IRC18:17
morganfainbergrodrigods, i'm trying to figure out why only the swift user creation is failing...18:17
morganfainbergrodrigods, or is swift jus tthe first one...18:18
morganfainbergah just the first one18:18
morganfainbergrodrigods, so yeah something you've introduced in the HM code has broken how swift sets up it's users (probably user creation across the board)18:18
rodrigodsmorganfainberg, hmm18:19
rodrigodsmorganfainberg, thanks, will debug it here18:19
morganfainbergand it is something between patchset 32 and 3318:19
morganfainberg32 passes18:19
rodrigodsyep18:19
morganfainberghttps://review.openstack.org/#/c/117786/32..33/keystone/auth/controllers.py this might be it.18:20
rodrigodsmorganfainberg, exactly... just put it in the base classes18:20
morganfainbergit *may* also be the create hierarchy code18:20
morganfainberghttps://review.openstack.org/#/c/117786/32..33/keystone/tests/test_backend.py18:20
morganfainbergoh wait18:21
morganfainbergno that's tests18:21
morganfainbergderp18:21
rodrigodsmorganfainberg, self.griver.get_project() -> self.get_project()? :o18:21
morganfainbergyeah looking at that as well18:21
*** jorge_munoz has joined #openstack-keystone18:22
rodrigodsmorganfainberg, was pretty sure we had a Manager call to it =(18:22
morganfainbergoh it should pass through18:22
morganfainbergeven if you do't have an explicit manager method for it18:22
rodrigodsmorganfainberg, ++18:22
morganfainbergmore magic runtime *stuff* [ugh]18:22
rodrigodsmorganfainberg, must be the get_auth_context part18:23
morganfainbergthe self.get_project *shouldn't* be an issue18:23
morganfainbergrodrigods, yep18:26
morganfainberghttp://logs.openstack.org/86/117786/33/check/check-tempest-dsvm-postgres-full/55b13ec/logs/screen-key.txt.gz#_2014-11-20_09_47_46_29518:26
morganfainbergthe auth context stuff is an issue18:26
openstackgerritLance Bragstad proposed openstack/keystone: Remove XML support  https://review.openstack.org/12573818:27
rodrigodsmorganfainberg, hmm strange, thought the user_id would always be present18:27
morganfainbergrodrigods, well there is the reason things are failing18:28
morganfainbergnot sure what change caused that.18:28
morganfainbergbut... my guess is auth_context stuff18:28
morganfainbergwithout digging in further18:28
rodrigodsmorganfainberg, yeah, I'm getting the user_id in get_project() so we can use it to list_projects_for_user() in the subtree/parents call18:28
rodrigodsmorganfainberg, getting from the context18:29
rodrigodssince it is not present in the URL18:29
morganfainbergdolphm, ayoung, anything we've landed recently in middleware/client that needs a release/18:29
morganfainberg?18:29
*** radez is now known as radez_g0n318:29
ayoungmorganfainberg, not that I know of.  I think we want jamielennox 's changes to support v3 soonest, but those are still pending18:29
dolphmmorganfainberg: doesn't work for features, but run the release script without --release and see if there are any High bugs committed18:29
dolphmfor blueprints* (works for wishlist, obviously)18:30
morganfainbergdolphm, ah right18:30
rodrigodsmorganfainberg, line 419: https://review.openstack.org/#/c/117786/33/keystone/assignment/controllers.py18:30
morganfainbergdolphm, thanks :) i forgot about that script18:30
rodrigodsmorganfainberg, I might ask if this seems the right approach, too :)18:30
rodrigodsmorganfainberg, thanks for helping debuging this, btw18:30
*** vhoward has left #openstack-keystone18:31
morganfainbergstevemar, ping re: OIDC18:31
morganfainbergstevemar, anything elft outstanding on that BP?18:31
*** vhoward has joined #openstack-keystone18:33
*** marcoemorais has quit IRC18:36
*** marcoemorais has joined #openstack-keystone18:36
dstaneklbragstad: what happened in that XML patch? just merge resolutions?18:37
lbragstaddstanek: yeah, merge conflicts18:37
dstaneklbragstad: cool. looking again then. how close is the tempest change to being accepted18:38
lbragstaddstanek: it's merged18:38
lbragstaddstanek: https://review.openstack.org/#/c/126564/18:38
dstaneknice18:38
stevemarmorganfainberg, just the client side work18:39
morganfainbergstevemar, ok marked as implemented and targeted to K118:39
stevemaryay18:39
morganfainbergthe client stuff isn't affected then.18:39
* morganfainberg does relmgmt stuff today.18:39
*** marcoemorais has quit IRC18:40
*** marcoemorais has joined #openstack-keystone18:41
*** ajayaa has quit IRC18:41
*** uvirtbot has joined #openstack-keystone18:41
stevemardstanek, ah good to know i wasn't the only one who thought that about is_* https://review.openstack.org/#/c/133130/14..15/keystone/token/providers/common.py18:41
*** uvirtbot has quit IRC18:41
dstanekstevemar: yeah :-)18:42
gyeeayoung, just occur to me, if we make AccessInfo a requirement for auth context, it would be tough to do tokenless authz18:43
ayounggyee, Hah, actually, just the opposite!18:43
ayounggyee, tokenless will have a builder that creates AccessInfo from the authentication info18:44
gyeebut it may not have all the required info18:44
gyeelike expiration date, roles, etc18:44
gyeeunless those are optional18:45
morganfainbergdstanek, http://specs.openstack.org/openstack/keystone-specs/specs/kilo/tests-on-rdbmses.html has a typo in the spec, we should fix the link18:47
dstanekmorganfainberg: i'll get that fixed up18:48
dstanekmorganfainberg: typo besides the link?18:48
morganfainbergdstanek, yeah nbd, just figured we should get that fixed.18:48
morganfainbergnah, just the link is busted18:48
morganfainberglooks like a typo in the rst probably to blame18:48
openstackgerritayoung proposed openstack/keystone-specs: Access Info  https://review.openstack.org/13577418:48
rodrigodsmorganfainberg, think this gonna work now: https://review.openstack.org/#/c/117786/34/keystone/assignment/controllers.py18:49
rodrigodsmorganfainberg, thanks again!18:49
morganfainbergrodrigods, cool.18:49
morganfainbergrodrigods, np18:49
openstackgerritDavid Stanek proposed openstack/keystone-specs: Fixes link to spec blueprint  https://review.openstack.org/13609018:54
gyeeayoung, I like they way you describe the alternatives, "Do nothing and suffer for it"18:54
ayoung:)18:54
gyeehow about "the sky will rain endlessly"?18:54
dstanekgyee: ayoung: i said something similar in the spec i submitted this morning. it's an attention grabber18:55
ayoungrodrigods, I the way my IRC client wrapped you line, I just read trollers.py18:55
gyeedstanek, nice, might as well18:55
ayoung40 years of darkness.  The dead arising from the grave18:55
ayoungdstanek, actually, I was interested in your feedback18:55
ayoungYou like the general approach I posted last night?18:56
dstanekayoung: on which one? access info?18:56
ayoungdstanek, yeah, the sample code18:56
ayoungI send in an email, but also had a paste.18:56
gyeeno issue there18:56
ayounghttp://paste.openstack.org/show/135032/  dstanek18:56
dstanekayoung: jas - looking18:56
dstanekah thx18:56
morganfainberg2014.2 = stable/juno right?18:57
ayoungmorganfainberg, that is my interpretation, yes18:57
ayoung"second stable release of 2014"18:57
dstanekayoung: why do the assert_class at all?18:57
ayoungdstanek, so you know that the contained objects meet the contract18:58
ayoungIE, you can't put junk into the domain  field18:58
ayoungit has to have domain.id and domain.name18:58
ayoungits called type safty, and I miss it terribly18:59
ayoungsniff18:59
dstanekayoung: also you want the objects to be accessible using dictionary syntax?18:59
ayoungdstanek, yeah..that is one of the main uses19:00
*** Viswanath has joined #openstack-keystone19:00
ayoungpolicy is enforced on a dictionary19:00
ayoungand a bunch of other things assume a dictionary, too19:00
ayoungdon;t want to have to rewrite every consumer, just provide the proper interface19:00
morganfainbergwe should probably backport all the inherited role stuff to juno19:00
morganfainbergthat henryfixed19:00
ayoungdstanek, I was also going to put some Date operations in there, but hadn't yet figured out what the right abstraction was19:01
dstanekayoung: to save execution speed can __setattr__ just raise an exception alway? if you don't want the object to be immutable just don't subclass it19:02
ayoungdstanek, no19:02
ayoungdstanek, it needs to support setting the properites up to a point19:02
ayoungand then lock the object19:02
ayoungdstanek, what happens if you do that, and try to set the properties in the __init__?  I thought that wouldn't work anyway19:03
dstanekayoung: the way i've done it in the past is called the super's __setattr__ from the __init__19:04
dstanekat least that's what i currently remember. that was old, old Python 1.52 code19:04
*** marcoemorais has quit IRC19:04
*** marcoemorais has joined #openstack-keystone19:05
*** Viswanath has quit IRC19:07
openstackgerritMerged openstack/keystone-specs: Fixes link to spec blueprint  https://review.openstack.org/13609019:08
ayoungdstanek, ah...19:09
ayounglet me try that out19:09
ayoungdstanek, so...anything could do that?19:09
ayounglike if I had an immutable object o, I could do19:10
ayoungs = o.super19:10
ayoungor somewierdness like that?19:10
dstaneksuper(Class, self).__setattr__('name', 'value') - should do it19:12
ayoungdstanek, so it is not possible to make an object immutable?19:12
ayoungthere is always the "appeal to the parent class" bypass?19:12
dstanekayoung: not really - you can make it not obvious19:12
*** chrisshattuck has quit IRC19:13
ayoungdstanek, is this a side effect of descending from object?19:13
dstanekayoung: Python is all about trust19:13
ayoungI'm not19:13
*** chrisshattuck has joined #openstack-keystone19:14
ayoungI'm all about the distrust19:14
*** chrisshattuck has quit IRC19:14
*** chrisshattuck has joined #openstack-keystone19:15
ayoungdstanek, what if immutable did not descend from object?  Would that prevent access to the parent __setattr__?19:16
dstanekayoung: still no dice and in Python 3 you have no choice19:16
ayoungyeah, I read that19:16
dstanekayoung: you're fighting the language and culture now19:17
ayoungdstanek, yeah, but knwoing the limits is valuable19:17
ayoungbesides, dstanek you act like I have a choice about using Python.  I don't.19:19
ayoungI'm not going to throw out all of the lessons I've learned just to conform19:20
dstanekayoung: no, i just think it would be easier to give in :-P19:20
ayoungdstanek, but you know me so much better than that19:20
dstanekayoung: the easiest way to get around the immutability would be to just access the __dict__ directly19:20
ayounghttp://www.yegor256.com/2014/06/09/objects-should-be-immutable.html19:21
ayoungok, that does it. I'm going implement in C and use FFI19:21
ayoungoh, wait..19:21
dstaneki actually agree to an extent19:22
ayoungdstanek, what happens if I do self.__slots__ == ()19:24
ayoungor something along those lines?19:24
ayoungor is that for tuples only?19:24
dstanekayoung: you can't add other properties, but you can still change the ones you list in slots19:24
dstanekayoung: it's a memory optimization19:24
ayoungdstanek, so if I remove all values from slots, is the object immutable?19:25
dstanekayoung: i'm not sure what would happen with slots and your custom setattr19:25
ayoungLet me try playing with that19:25
dstanekyes19:25
dstanekayoung: the right way to do it would be to not have any public properties19:26
ayoungdstanek, um...no. Need to have public properties.  Its like the number one thing these classes need19:27
ayoungthe only language I've seen that does this close to right is C++19:28
ayoungJava is close, but Null pointers kindof force you to have code that checks you are not setting a property to Null19:28
*** rwsu has quit IRC19:32
*** marcoemorais has quit IRC19:33
*** rwsu has joined #openstack-keystone19:33
*** marcoemorais has joined #openstack-keystone19:33
*** marcoemorais has quit IRC19:33
*** marcoemorais has joined #openstack-keystone19:33
dstanekayoung: yes, i like the null object pattern instead of ever using null19:34
ayoung++19:34
openstackgerritRodrigo Duarte proposed openstack/keystone: Adds dynamic checking for mapped tokens  https://review.openstack.org/13313019:37
rodrigodsstevemar, dstanek ^19:38
stevemarty19:38
openstackgerritRodrigo Duarte proposed openstack/keystone: Adds dynamic checking for mapped tokens  https://review.openstack.org/13313019:41
*** radez_g0n3 is now known as radez19:44
rodrigodsstevemar, the list turns to something like19:45
rodrigodsmethods=external,saml2,oidc19:45
*** chrisshattuck has quit IRC19:45
rodrigodsstevemar, without the [], didn't understand why put [] in the first place19:45
stevemarrodrigods, i'm confused, what file/line are you specifically talking about :)19:46
ayoungdstanek, setting __slots__ does not seem to be something that can be done after the object is created19:47
rodrigodsstevemar, sorry... https://review.openstack.org/#/c/133130/16/keystone/common/config.py19:47
ayoungor, at least it has no effect19:47
morganfainberghttps://launchpad.net/keystone/+milestone/kilo-1 that looks better.19:48
dstanekayoung: yes, it has to be there before the __new__ is called because it changes the way Python constructs the object19:48
ayoungrodrigods, What are you guys doing?  Why do you need to call out which are the mapped methods?19:48
bknudsonrodrigods: stevemar: if it's a listopt then in the config file it's strings separated by ,19:48
bknudsonso saml2,oidc19:49
rodrigodsbknudson, ++19:49
ayoungok,  this is for  if 'saml2' in method_names or 'oidc' in method_names19:49
ayoungand we use that to limi control to19:49
raildomorganfainberg, I can't assignee me to the HM bp :( https://blueprints.launchpad.net/keystone/+spec/hierarchical-multitenancy19:49
ayoung self._handle_federation_tokens(19:50
*** uvirtbot has joined #openstack-keystone19:50
ayoungand what does that do....19:50
rodrigodsayoung, so if we add a new mapped method, we would only need to add it to the config file, not to the "if" in the issue_v3_ part19:50
morganfainbergraildo, fixed19:50
raildomorganfainberg :D19:50
ayoungfederation.FEDERATION: {19:50
ayoung                    'identity_provider': {'id': idp},19:50
ayoung                    'protocol': {'id': protocol}19:50
ayoung                }19:50
ayoungso...this is backwards19:51
ayoungrodrigods, can you hold off on this...I think the right solution is to have the data set up front by the mapped plugin, not to make it a config option19:51
ayoungit really should not be a config option19:51
*** packet has joined #openstack-keystone19:52
rodrigodsayoung, we discussed about listing all protocols and than checking, but since we *must* add those configs, don't really see the problem here19:52
ayoungrodrigods, nope, that is wrong, too19:53
rodrigodsayoung, but that is how is done today19:53
ayoungthe mapped plugin should know what protocol it is supporting19:53
ayoungso what.  we are gods among men here19:53
ayoungwe can make it as we can imagine!19:53
ayoung:)19:54
ayoungok, that might be a bit grandiose19:54
*** chrisshattuck has joined #openstack-keystone19:54
rodrigodsayoung, haha19:54
ayoungrodrigods, http://git.openstack.org/cgit/openstack/keystone/tree/keystone/token/providers/common.py#n43119:55
rodrigodsayoung, so you're saying the protocols should be a list inside the mapping engine and I ask "can you handle X?"19:55
ayoungrodrigods, when I configure a mapped method, I should be able to extract from the context what protocol/mapping is in effect19:56
ayoungwe don't carry that forward19:56
ayoungso the toiken provider doesn't know it, but there is no reason that it could not19:56
ayoungkeying of the method names is the wrong approach, it should be something like:19:57
ayoungok..one thing you could do is : for method in method_names: if config[auth][method]  == ..mapped19:58
ayoungand get the same effect:  lookup to see if the config option points to the mapped plugin19:58
ayoungnow, that approach sucketh, as well19:58
ayoungcuz maybe you subclass the mapped auth plugin19:58
ayounginstead, the auth plugin should add the data required to the context being used to build the token....lets see19:59
*** marcoemorais has quit IRC19:59
ayoungrodrigods, why do we not just look at the value of idp = auth_context[federation.IDENTITY_PROVIDER]19:59
ayoungif there is something there, always put in the  federation.FEDERATION: {  block?20:00
rodrigodsayoung, idp and protocol20:01
rodrigodsayoung, makes sense to me20:01
ayoungright20:01
rodrigodsneed to get some input from stevemar and marekd|away though20:01
ayoungif one is missing but the other is there, it means something is wrong and broken, right?20:01
rodrigodsayoung, right20:01
rodrigodsayoung, we need both20:01
*** nkinder has quit IRC20:02
*** stevemar has quit IRC20:03
*** stevemar has joined #openstack-keystone20:03
*** ChanServ sets mode: +v stevemar20:03
ayoungrodrigods, ok...going to -1 this until sorted20:04
rodrigodsayoung, ok20:04
stevemarayoung, rodrigods if you have another solution put it in the bug, the proposed one works, nkinder and i hashed it out20:05
ayoungstevemar, posting20:06
ayoungstevemar, if  auth_context[federation.IDENTITY_PROVIDER]  is set, then it should be in the token data, no?20:07
ayoungstevemar, it should not be keyed off of the method name, and should not require an explicit config option.  What am I missing?20:08
lbragstaddstanek: looks like some of the other clients in tempest are using Keystone XML clients :(20:13
dstanekha ha, that sucks20:14
*** chrisshattuck has quit IRC20:33
*** _cjones_ has quit IRC20:39
samuelmshi, recently we have had some discussions on how we use rbac for access control on OS20:40
samuelmsrole-groups and hierarchical roles are some ideas that have appeared20:40
samuelmsI think we feel that we need to improve our access control experience20:40
samuelmsI had some ideas and I've already discussed them with henrynash, who thinks it's an interesting proposal20:40
samuelmsI'd like to share it with you all and then get your feedback20:40
samuelmshttps://etherpad.openstack.org/p/role-capabilities-policy20:41
samuelmsI'd be glad to have other core opinions on there20:42
samuelmsdolphm, morganfainberg, ayoung, bknudson, dstanek, gyee, jamielennox, lbragstad, stevemar, topol ^20:43
ayoungsamuelms, looking20:45
ayoungsamuelms, so that basically is what I proposed, modulo I want the groups to be public and shorthand for the atomic roles20:46
ayoungotherwise, we end up putting each and every capability into the token20:46
ayoungsamuelms, those capabilites are what you were basically collecting up in the git repo with the unified policy file20:47
samuelmsayoung, yes .. we could do that way .. an alternative would be having a list_capabilities on every service20:47
*** _cjones_ has joined #openstack-keystone20:47
ayoungsamuelms, what does that mean?20:48
samuelmsayoung, read Prosposed Change section 320:48
samuelmsayoung, 3.1.1 talks about list_capabilities . 3.1.2 would be reading up the policy (the unified one :))20:49
ayoungsamuelms, ok...yeah, those are the options as I see them as well20:49
ayoungSo either expand when generating the token or create a shorthand that the server pre-fetches20:49
ayoungpolicy file is the shorthand20:49
*** MasterPiece has joined #openstack-keystone20:50
ayoungsamuelms, we could do the bitmapped approach for enumerating all capabilities, but I would not advocate that.  It's fragile and hard to read20:50
samuelmsayoung, yeah .. that's interest .. but not human-readable20:51
samuelmsayoung, feel free to add comments in there :-)20:51
ayoungsamuelms, seems like something that git could solve20:51
*** _cjones_ has quit IRC20:52
samuelmsayoung, should I submit a spec review?20:52
ayoungsamuelms, no20:52
ayoungsamuelms, we have two specs, and I think they cover the range of options20:52
samuelmsayoung, ok .. in fact that are a bunch of ideas .. (that cover those 2 specs )20:53
samuelmsayoung, then it doesnt make sense to create another one20:53
ayoungsamuelms, it comes down to "expand in the token" or "expand in policy" and I think there are reasons for both20:54
samuelmsayoung, do you think the list_capabilities api call could be considered?20:57
samuelmsayoung, that should be implemented by all services ..20:57
ayoungsamuelms, yes20:57
ayoungsamuelms, but only by keystone, not the services20:58
ayoungthere should be a registered set of capabilites20:58
samuelmsayoung, if only keystone implement that .. how we would register capabilities fro mother services?20:59
samuelmsfrom other*20:59
samuelmsreading up the policy file?20:59
samuelmsayoung, think the way we do this should be the same for all services21:00
ayoungyep21:00
samuelmsayoung, yes for doing the same way for all services?21:00
samuelmsayoung, if we have that api call in all services .. they could register themselves and then keystone would get available capabilities :)21:01
ayoungnah21:01
ayoungtoo much21:01
samuelmsayoung, all on the fly21:01
samuelmsayoung, I think that is the best solution .. but not for now .. I don't believe we can convince other services and then have this quickly ..21:03
ayoungsamuelms, I think the impetus is on the services to call to keystone to register their capabilites, not for keystone to query them21:03
ayoungthat can be done statically, too21:03
*** jorge_munoz has quit IRC21:03
samuelmsayoung, how does it work for endpoints?21:04
ayoungsamuelms, ok,  here's what I would suspect21:05
samuelmsayoung, once a new endpoint for a new service appears on keystone .. keystone asks for the capabilities21:05
ayoungwhen I create a new endpoint, and I want a customer policy file, I register my rules with keystone.  Those will override the  default rules for those capabilites explicitly listed21:05
samuelmsayoung, but I don't know how that endpoint registering occurs21:05
stevemarayoung, https://review.openstack.org/#/c/133130/21:06
stevemarcommented21:06
*** edmondsw has joined #openstack-keystone21:06
ayoungstevemar, yes, that is what I was suggesting21:06
* stevemar agrees with ayoung then21:07
stevemar:)21:07
richmstevemar: ping - is "openstack token issue" the same as "keystone token-get"?21:08
stevemarrichm, should be21:08
stevemarrichm, that one has been buggy because of changes in the auth layer of keystoneclient and openstackclient, but that is the goal21:08
richmstevemar: ok - I'm writing the puppet/ruby code for this - it uses keystone token-get to see if the given password is working21:09
richmif there is an easier way to check if a password works, that would be fine too21:09
richmalso related to passwords - how do I do "keystone user-password-update"?21:10
stevemarrichm, are you using osc from master or from pypi (0.4) ?21:10
richmstevemar: let me see21:10
stevemarrichm, that should be openstack user update --password blah21:10
richmI'm using 0.4.1 from fedora package21:10
richmstevemar: ok - thanks21:10
samuelmsayoung, in that approach, IF we have list_capabilities for each service .. it's like we don't need policy FILE anymore (as it is today).. do you agree?21:10
samuelmsayoung, as henrynash replied your dynamic policy email21:11
samuelmsayoung, henrynash: Eventually (as pointed out by samuelmz) the policy "file" could even simply become the definition of the service capabilities (and whether each capability is "open", "closed" or "is a role")...maybe just registered and stored in the service entity the keystone DB (allowing dynamic service registration).21:11
ayoungsamuelms, well, each capability would need to be able to specify what rule it follows, which might be more than just "role:blah"21:11
stevemarrichm, cool, might be worth pulling down the master one and playing... we plan on cutting a 1.0 very soon (cc dtroyer)21:11
*** david-lyle has joined #openstack-keystone21:11
ayoungsamuelms, there are some rules that are more complext21:11
samuelmsayoung, ex ?21:11
richmstevemar: ok - thanks21:11
stevemardtroyer, i'm spreading the word!21:12
ayoungsamuelms, got a link to your git repo handy?21:12
*** david-lyle has quit IRC21:12
ayoungI'll show you in there21:12
dtroyerstevemar: the next unblocking review is nearing merge: https://review.openstack.org/13601821:12
dtroyerthen it's a mad rush to merge all that do stuff ;)21:12
stevemardtroyer, ugh21:12
stevemardtroyer, what do we want to do about OS_USER/PROJECT_DOMAIN_ID/NAME21:12
samuelmsayoung, why not use the ehterpad ? :p21:12
stevemarit's bad to use default, we all agree, i think we should just doc it somewhere that those are req'd for v3 and be done with it21:13
dtroyermy head is deep inside devstack and specs ATM, is the current situation livable or will we break it to fix it?21:13
ayoungsamuelms, cuz you were looking for an example and I don't know it off the top of my head and want to make you do the work21:13
*** david-lyle has joined #openstack-keystone21:13
samuelmsayoung, aaa.. you talk about the repo I created yesterday .. 1 sec21:13
ayoungyeah21:13
samuelmshttps://github.com/samuel-ms/os.unified.policy21:14
samuelmsayoung, ^21:14
stevemardtroyer, i think it's livable, just export 2 more variables, we could make devstack export the 2 to default as a starter21:15
ayoungsamuelms, https://github.com/samuel-ms/os.unified.policy/blob/master/src/policy.json#L62621:15
samuelmsayoung, what does that mean ? :p21:16
dtroyerstevemar: ok, let's leave it alone in OSC and teach devstack the Right Thing21:16
ayoungsamuelms, it means that neutron is doing unspeakable things with policy21:19
*** topol has quit IRC21:19
ayoungbest we not pry too closely21:19
openstackgerritDavid Stanek proposed openstack/keystone: Moves hacking tests to unit directory  https://review.openstack.org/13612521:20
openstackgerritDavid Stanek proposed openstack/keystone: Make the mutable default arg check very strict.  https://review.openstack.org/13612621:20
samuelmsayoung, hm ..21:21
samuelmsayoung, I think one of the best things of that approach is that : instead of defining for what roles a capability is allowed ..21:22
samuelmsayoung, we express that as : what capabilities a role has .. :)21:22
ayoungwe need the enumerations of capabilites, yes21:22
samuelmsayoung, and the domain admin has no need to touch the policy FILE21:23
ayoungsome of them require no role21:23
samuelmsayoung, and has fine grained access control21:23
*** htruta_ has joined #openstack-keystone21:23
samuelmsayoung, did you take a look at Proposed Change 4. ?21:24
ayoungis that not the current policy language?21:24
samuelmsayoung, sort of .. .just the context constraints ..21:25
samuelmsayoung, like project_id:%(project_id)s  that we have today21:25
ayoungsamuelms, maybe.  I was thinking more like this:21:26
ayoungstart with the global policy file21:26
ayoungone by one, replace the complex rules next to each capability with a rule that reflects the lowest level role21:26
ayoungso instead of admin_or_owner it would be Rule:member  and that would be21:27
ayoungautogenerated21:27
ayoungso the projects would then each be responsible for keeping up their set of rules21:28
ayoungwhich would, for the most part be consuming thingslike rule:ROLE_MEMBER21:28
ayoungand they could update what the base level role is that passes a specific policy check21:29
*** fifieldt__ has joined #openstack-keystone21:31
samuelmsayoung, so different domains what tell what rule:ROLE_MEMBER stands for ?21:32
ayoungsamuelms, that would be defined by the hierarchical roles21:33
ayoungI don't think that would be per domain21:33
*** jorge_munoz has joined #openstack-keystone21:34
samuelmsayoung, we also can implement hierarchical roles using composition of domain-roles .. u agree?21:34
ayoungnope21:34
ayoungdomain roles are different21:34
*** fifieldt_ has quit IRC21:34
ayounghierarchical ones are going to be global21:35
ayoungdomain roles will have to be expanded on the server21:35
samuelmsayoung, but the cloud admin can set default domain-roles .. that can be reused by domains21:35
samuelmsayoung, I think if a put an example showing how the whole thing would work with that proposal could help people to understand that21:37
samuelmsayoung, will add on that etherpad21:37
ayoungyeah21:37
dstaneksamuelms: ++21:37
samuelmsayoung, dstanek :-)21:37
samuelmsayoung gotta go home now (-: almost dinner time here in Brazil21:38
ayounghere, too21:38
ayoungsame time zone on the east coast21:39
samuelms18:39?21:39
samuelmsayoung, ^ in fact we have 4 timezones in Brazil lo21:40
samuelmsayoung, see you21:41
ayoungAh, only 16:40 here21:41
samuelmsayoung, and you said that it was almost dinner time there where you are .. \o/21:41
ayoungalmost...actually, my wife decided that the Slow cooker needed to be in my office today. I've been hungry for hours21:42
samuelmsayoung, looks like just coffee break time haha21:42
samuelmsayoung, haha .. see you21:43
*** samuelms is now known as samuelms-away21:43
*** nkinder has joined #openstack-keystone21:46
*** _cjones_ has joined #openstack-keystone21:49
*** _cjones_ has quit IRC21:50
*** _cjones_ has joined #openstack-keystone21:50
*** edmondsw has quit IRC21:54
openstackgerritJamie Lennox proposed openstack/python-keystoneclient: Make keystoneclient use an adapter  https://review.openstack.org/9768122:04
*** radez is now known as radez_g0n322:12
*** rwsu has quit IRC22:12
*** RichardRaseley has quit IRC22:13
*** radez_g0n3 is now known as radez22:14
*** Ctina has quit IRC22:15
*** rwsu_ has joined #openstack-keystone22:15
*** stevemar2 has joined #openstack-keystone22:17
*** ChanServ sets mode: +v stevemar222:17
*** stevemar has quit IRC22:17
*** stevemar2 has quit IRC22:18
*** stevemar2 has joined #openstack-keystone22:19
*** ChanServ sets mode: +v stevemar222:19
*** rwsu_ has quit IRC22:19
*** packet has quit IRC22:20
*** kashyap has joined #openstack-keystone22:20
*** jistr|mtg has quit IRC22:27
*** henrynash has joined #openstack-keystone22:34
*** ChanServ sets mode: +v henrynash22:34
*** NM has joined #openstack-keystone22:36
*** MasterPiece has quit IRC22:37
*** henrynash has quit IRC22:39
*** RichardRaseley has joined #openstack-keystone22:43
*** NM has quit IRC22:47
kashyapWith current DevStack git, I see stack.sh exiting saying 'keystone did not start', when I reconnect to the screen session ('key-access')22:51
kashyapI _guess_ it's because it can't access /var/log/httpd/keystone_access.log?22:52
kashyapIs it correct? It's currently owned by root:22:52
kashyapHowever, in my another working DevStack setup, I don't notice neither keystone_access.log nor keystone.log in /var/log/httpd. Am I missing something here?22:53
* kashyap tried to delete the files keystone_access.log and keystone.log and re-ran ./stack.sh to no avail - the file was recreated with root as the owner22:54
kashyapOkay, I see a slightly old commit in DevStack git that changed Keystone's access log to /var/log/httpd/keystone_acess.log and that's expected.22:57
*** chrisshattuck has joined #openstack-keystone23:01
*** vhoward has left #openstack-keystone23:03
*** RichardRaseley has quit IRC23:06
crinklestevemar2: you mentioned that openstackclient has caching capabilities to help speed things up? is that this: https://blueprints.launchpad.net/python-openstackclient/+spec/local-cache23:07
*** dtturner has joined #openstack-keystone23:08
stevemar2crinkle, that's still to-do, but if you create an interactive session it shouldn't go back to keystone everytime23:11
stevemar2so if you just type 'openstack' it'll start an interactive session23:11
stevemar2and you can either type in a bunch of commands or pass in a file (iirc... *cough* dtroyer)23:12
*** dims has quit IRC23:12
stevemar2crinkle, though marekd|away *really* wants some token caching, so we might have to do that very soon23:12
crinklehrm I don't really think we can do that programmatically23:12
dtroyercommands are read from stdin, so via output redir, pipe or here document23:12
openstackgerritLance Bragstad proposed openstack/keystone-specs: Authenticated Encryption Tokens  https://review.openstack.org/13005023:12
crinkleokay, we might be able to do that23:14
crinkleor maybe just wait till the caching is implemented23:14
richmstevemar2: dtroyer: using the openstack client, how do I list the projects given a user name/id?  e.g. the api /v3/users/$id/projects ?23:15
richmwhere $id is the user's id23:15
stevemar2richm, there is not command for that in v3 (on the server side) ayoung just said this yesterday actually23:16
stevemar2no*23:16
*** NM has joined #openstack-keystone23:16
*** joesavak has quit IRC23:16
richm?23:16
stevemar2richm, that's kinda like asking ... list all the projects that a user has at least one role for23:17
richmThat's odd - because I'm using it and it is working23:17
stevemar2for 2.0 it should23:17
richmI'm using /v3/users/$id/projects23:17
stevemar2errr, you are right, i'm forgetting the endpoints23:17
richmand it gives me a list of projects23:18
richmso does that mean, no, you can't do that with the openstack client?23:18
stevemar2richm, you are correct, thats a bug23:20
stevemar2can you file it23:20
stevemar2and i'll toss a patch now23:20
stevemar2there are too many list permutations :(23:20
richmhttps://bugs.launchpad.net/python-openstackclient/+bug/139479323:23
uvirtbotLaunchpad bug 1394793 in python-openstackclient "support the keystone api /v3/users/$userid/projects" [Undecided,New]23:23
richmno worries - I can keep using my json rpc code in the meantime23:24
openstackgerritSteve Martinelli proposed openstack/keystone: test some websso stuff  https://review.openstack.org/13617723:27
openstackgerritBrant Knudson proposed openstack/keystone: Fix tests using extension drivers  https://review.openstack.org/12460323:28
openstackgerritBrant Knudson proposed openstack/keystone: Avoid multiple instances for a provider  https://review.openstack.org/12459923:28
stevemar2richm, thanks for playing with it - this is exactly what dtroyer and i need, most folks playing around with it and finding bugs, theres only so much the two of us can do :)23:30
stevemar2crinkle, same goes for you! :)23:31
crinkle:)23:31
richmoh, just wait until we find you some really nasty bugs . . .23:32
openstackgerritRodrigo Duarte proposed openstack/keystone: Adds dynamic checking for mapped tokens  https://review.openstack.org/13313023:34
rodrigodsstevemar2, dip and protocol approach ^23:34
rodrigodsayoung, ^23:34
rodrigodsstevemar2, removed the tests, though :x ... Not sure how to test this behavior since the federated_authentication method receives both idp and protocol23:35
*** gordc has quit IRC23:35
openstackgerritRodrigo Duarte proposed openstack/keystone: Adds dynamic checking for mapped tokens  https://review.openstack.org/13313023:37
stevemar2richm, i'll be even happier when that happens23:37
openstackgerritBrant Knudson proposed openstack/python-keystoneclient: Cleanup exception logging  https://review.openstack.org/13129523:39
*** _cjones_ has quit IRC23:42
stevemar2richm, https://review.openstack.org/13618323:43
stevemar2dtroyer, you too ^23:43
*** _cjones_ has joined #openstack-keystone23:45
openstackgerritRodrigo Duarte proposed openstack/keystone: Adds dynamic checking for mapped tokens  https://review.openstack.org/13313023:49
bknudsonso it's been a while since we split out the assignment backend --23:52
bknudsoncan we get rid of the code to calculate the default assignment backend? http://git.openstack.org/cgit/openstack/keystone/tree/keystone/assignment/core.py#n6823:53
bknudsonhmm... we never seem to have documented it as deprecated.23:54
stevemar2richm, http://paste.openstack.org/show/135565/23:59
« Wednesday, 2014-11-19 Index Friday, 2014-11-21 »

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!