Thursday, 2014-12-11

00:05 *** gyee has quit IRC
<openstackgerrit> Merged openstack/python-keystoneclient: duplicate auth-url option returned by BaseGenericPlugin
<openstackgerrit> Merged openstack/python-keystoneclient: Add missing user-id option to generic.Password
<openstackgerrit> Merged openstack/keystonemiddleware: Use newer requests-mock syntax
00:18 *** shakamunyi has quit IRC
00:28 *** raildo_ has quit IRC
00:28 *** avozza is now known as zz_avozza
00:32 *** oomichi has joined #openstack-keystone
00:54 *** dims has quit IRC
01:04 *** nkinder has quit IRC
01:10 *** _cjones_ has quit IRC
01:12 *** dims has joined #openstack-keystone
01:14 *** ayoung_dad_mode has quit IRC
01:16 *** dims has quit IRC
01:23 *** yasu_ has joined #openstack-keystone
01:32 *** lhcheng has quit IRC
01:33 *** r-daneel has quit IRC
01:35 *** marcoemorais has quit IRC
01:38 *** Tahmina has quit IRC
01:39 *** marcoemorais has joined #openstack-keystone
01:43 *** shakamunyi has joined #openstack-keystone
01:45 *** ayoung has joined #openstack-keystone
01:45 *** ChanServ sets mode: +v ayoung
<openstackgerrit> Jamie Lennox proposed openstack/python-keystoneclient: Add get_headers interface to authentication plugins
01:46 *** marcoemorais has quit IRC
01:48 *** afaranha__ has quit IRC
01:49 *** r-daneel has joined #openstack-keystone
01:56 <jamielennox> bknudson or anyone: if you have any ideas on how to better handle ^ i'd be keen to hear them
01:56 *** Mario_ has quit IRC
01:56 <bknudson> jamielennox: what?
01:56 <jamielennox> that review replaces get_token in auth plugins with get_headers
01:56 <jamielennox> so that we can return things other than X-Auth-Token
01:57 <bknudson> auth might not just be headers
01:57 <bknudson> e.g., for SSL auth
01:57 <jamielennox> bknudson: right, so the blueprint i tagged in that says we also need get_connect_params
01:57 <bknudson> but being able to update any header makes sense.
01:57 <bknudson> then you could do basic auth
01:59 <jamielennox> i just feel like there might be a better way to do this, but i'm not sure what it is
<openstackgerrit> Brant Knudson proposed openstack/keystone: Add tests for enabled attribute ignored
01:59 *** tellesnobrega_ has joined #openstack-keystone
02:00 <bknudson> test_backend_ldap is a mess.
02:00 <jamielennox> all the ldap code is a mess
02:05 *** stevemar has joined #openstack-keystone
02:05 *** ChanServ sets mode: +v stevemar
02:08 *** diegows has quit IRC
02:12 *** erkules_ has joined #openstack-keystone
02:15 *** erkules has quit IRC
02:17 *** tellesnobrega_ has quit IRC
02:23 *** samuelms_ has joined #openstack-keystone
02:28 <ayoung> lbragstad, do you have your gist / paste around with your sample code for AE? I want to try throwing PKI at it and seeing the size differences
02:30 *** david-lyle is now known as david-lyle_afk
02:35 <ayoung> ldap sucks
02:46 *** radez is now known as radez_g0n3
02:58 *** tellesnobrega_ has joined #openstack-keystone
03:12 *** shakamunyi has quit IRC
03:20 *** zzzeek has quit IRC
03:21 *** thedodd has joined #openstack-keystone
03:49 *** tellesnobrega_ has quit IRC
<openstackgerrit> Jamie Lennox proposed openstack/keystonemiddleware: Fix passing parameters to log message
04:06 *** thedodd has quit IRC
04:13 *** richm has quit IRC
04:23 *** dims has joined #openstack-keystone
04:32 *** zzzeek has joined #openstack-keystone
04:33 *** zzzeek has quit IRC
04:37 *** dims_ has joined #openstack-keystone
04:40 *** nkinder has joined #openstack-keystone
04:40 *** dims has quit IRC
<openstackgerrit> Jamie Lennox proposed openstack/python-keystoneclient: Update requests-mock syntax
04:47 *** junhongl_ has joined #openstack-keystone
04:48 *** junhongl_ has quit IRC
<openstackgerrit> Jamie Lennox proposed openstack/python-keystoneclient: Add get_headers interface to authentication plugins
05:02 *** zzzeek has joined #openstack-keystone
05:07 *** samuelms__ has joined #openstack-keystone
05:08 *** samuelms_ has quit IRC
05:34 *** dims has joined #openstack-keystone
05:36 *** harlowja is now known as harlowja_away
05:37 *** dims__ has joined #openstack-keystone
05:38 *** dims_ has quit IRC
05:40 *** dims has quit IRC
05:48 *** andreaf has quit IRC
05:48 *** andreaf has joined #openstack-keystone
05:51 *** lhcheng has joined #openstack-keystone
06:00 *** rushiagr_away is now known as rushiagr
<openstackgerrit> OpenStack Proposal Bot proposed openstack/keystone: Imported Translations from Transifex
<openstackgerrit> Dave Chen proposed openstack/keystone: Refactor the code to join multiple criteria together
06:20 *** chrisshattuck has joined #openstack-keystone
06:23 *** samuelms__ has quit IRC
06:26 *** zzzeek has quit IRC
06:31 *** Shohei has quit IRC
06:33 *** ajayaa has joined #openstack-keystone
06:34 *** Shohei_ has joined #openstack-keystone
06:38 *** _cjones_ has joined #openstack-keystone
06:43 *** _cjones_ has quit IRC
06:43 *** zz_avozza is now known as avozza
06:56 <marekd> stevemar: still here?
06:56 <stevemar> marekd, yep!
06:57 <marekd> stevemar: thanks for the review
06:57 <marekd> well, it's not meant to be wip any more. docs were just failing
06:57 <marekd> maybe i should indicate that it partially implements a bp.
06:57 <stevemar> i meant it's not taking black/white list into account
06:57 <marekd> ah yes
06:57 <marekd> cause i want it to be separate (maybe depending) patches.
06:58 <marekd> do you really think group names should be transformed into ids somewhere in the ?
06:58 <marekd> i can change it there.
07:00 *** dims__ has quit IRC
07:02 <stevemar> marekd, unless there is a reason why it shouldn't be
07:04 *** andreaf has quit IRC
07:04 <marekd> there is none.
07:09 <marekd> stevemar: hm, if i try to map name/domain into group_id and there is no such group i will not be able to raise MappingGroupNotFound as I don't know what mapping id was used
07:09 <marekd> stevemar: mind that utils.validate_groups is called from mapped.py
07:09 <stevemar> then let's keep it as-is :)
07:09 <marekd> i can add a comment
07:10 <marekd> but i think this is a good reason to keep it as it is now.
07:11 *** lhcheng has quit IRC
07:13 *** andreaf has joined #openstack-keystone
<openstackgerrit> OpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements
<openstackgerrit> OpenStack Proposal Bot proposed openstack/keystonemiddleware: Updated from global requirements
07:14 <stevemar> marekd, the bug timbell raised about no availability zone list in OSC is such a pain
07:15 <stevemar> novaclient returns the crappiest collection of crap for that endpoint
07:15 <marekd> stevemar: saw the thread.
07:15 <marekd> novaclient doesn't cover this crappiness?
07:15 <marekd> (so it can be easily consumed by osc)
<stevemar> marekd, this is what it returns
<openstackgerrit> OpenStack Proposal Bot proposed openstack/python-keystoneclient: Updated from global requirements
<openstackgerrit> Yamini Sardana proposed openstack/python-keystoneclient: tenant-list updated to output Tenant Description
<openstackgerrit> wanghong proposed openstack/keystonemiddleware: remove the unused method _will_expire_soon
07:33 *** jamielennox is now known as jamielennox|away
07:35 <marekd> stevemar: did you manage to take a look at it?
07:35 <uvirtbot> Launchpad bug 1401057 in keystone "Direct mapping in mapping rules don't work with keywords" [Undecided,New]
07:35 <stevemar> marekd, not yet, i'm technically on vacation this week :)
07:36 <openstack> marekd: Error: "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!" is not a valid command.
07:36 <stevemar> marekd, i'm not sure if that's a problem with the mapping engine, or just a bad mapping
07:36 <stevemar> I got pulled into a meeting today :(
07:36 <marekd> stevemar: go to bed, have some life!
07:37 <marekd> got snow already?
07:37 <stevemar> marekd, soon soon, i've been sleeping in
07:37 <stevemar> marekd, some of the outer areas have snow, but i'm downtown, we get it the lightest
07:37 <marekd> so go skiing
07:37 <stevemar> it snowed hard about 2 weeks ago, but the weather got warmer and now it's all gone
07:37 <marekd> or cross country skiing :-)
07:37 <marekd> u :(
07:37 <marekd> same here
07:38 <stevemar> i'm an old man, my knees hurt
07:38 <stevemar> i am organizing boxes that we kept in a closet when we first moved in, almost a year ago
07:39 <marekd> moved in where?
07:39 <marekd> like new house/apartment?
07:39 <stevemar> condo, my gf and i bought a place a year ago, we both have stuff we never unpacked in a spare room, from almost a year ago
07:40 <stevemar> so i'm finally going to go through that stuff - clearly if I haven't touched it in 1 year it's going to the trash :)
07:40 <marekd> or simply stuff that's useless for you.
07:41 <stevemar> that too
07:42 <marekd> so since you live together your gf lets you work days and nights? :-)
07:42 <stevemar> marekd, yeah, but she gets annoyed - rightfully so
07:43 <stevemar> marekd, there was some movement on this btw -!topic/mod_auth_openidc/NOdYaCAkx-o if you are interested
07:43 *** mzbik has joined #openstack-keystone
07:43 <marekd> i am
<openstackgerrit> Marek Denis proposed openstack/keystone: Identify groups by name/domain in mapping rules.
07:44 *** k4n0 has joined #openstack-keystone
07:44 *** lhcheng has joined #openstack-keystone
07:45 *** chrisshattuck has quit IRC
07:47 *** lhcheng_ has joined #openstack-keystone
07:47 *** mflobo has joined #openstack-keystone
07:47 <marekd> stevemar: hm, he doesn't seem to give you an answer how to authN with cli
07:49 *** lhcheng has quit IRC
07:52 <stevemar> marekd, not really, and i didn't understand his latest response
07:52 <marekd> stevemar: he probably meant that you need to have a cookie/token from idp (means you need to be authenticated there) to get through the protected url.
07:53 <marekd> which doesn't answer a question how to get this token without a browser.
07:55 <stevemar> marekd, "let the client obtain an access token at the authorization server" are all very oauth terms
07:56 <marekd> stevemar: cause as afaik openid is simply modified oauth2
08:00 *** nellysmitt has joined #openstack-keystone
<openstackgerrit> wanghong proposed openstack/keystonemiddleware: remove the unused method _will_expire_soon
08:16 *** yasu_ has quit IRC
08:17 *** yasu_ has joined #openstack-keystone
08:20 *** lhcheng_ has quit IRC
08:20 *** nellysmitt has quit IRC
08:26 *** avozza is now known as zz_avozza
<stevemar> marekd, meh, comment if you want, also, let tim know that i have a patch for listing AZs :)
08:31 *** stevemar has quit IRC
08:40 *** stevemar has joined #openstack-keystone
08:40 *** ChanServ sets mode: +v stevemar
08:40 *** zz_avozza is now known as avozza
08:45 *** stevemar has quit IRC
08:50 *** darren-wang has joined #openstack-keystone
<openstackgerrit> Yamini Sardana proposed openstack/python-keystoneclient: tenant-list updated to output Tenant Description
08:55 <darren-wang> hey guys, why do we have to change v3 catalog to v2 catalog in keystonemiddleware?
09:06 *** jistr has joined #openstack-keystone
<openstackgerrit> wanghong proposed openstack/keystonemiddleware: _get_token_expiration should return isotime
09:13 *** andreaf has quit IRC
09:23 *** nellysmi_ has joined #openstack-keystone
<openstackgerrit> Yamini Sardana proposed openstack/python-keystoneclient: tenant-list updated to output Tenant Description
<openstackgerrit> Marek Denis proposed openstack/keystone-specs: Service Provider for K2K
10:02 *** nellysmi_ is now known as nellysmitt
10:15 *** andreaf has joined #openstack-keystone
10:18 *** boris-42 has joined #openstack-keystone
10:25 *** tellesnobrega_ has joined #openstack-keystone
10:30 *** Shohei_ has quit IRC
10:31 *** Shohei has joined #openstack-keystone
10:32 *** jamielennox|away is now known as jamielennox
10:34 *** Shohei_ has joined #openstack-keystone
10:34 *** Shohei has quit IRC
10:37 *** tellesnobrega_ has quit IRC
10:39 *** aix has joined #openstack-keystone
10:41 *** tellesnobrega_ has joined #openstack-keystone
10:50 *** remix_tj has left #openstack-keystone
10:51 *** tellesnobrega_ has quit IRC
10:53 *** tellesnobrega_ has joined #openstack-keystone
10:54 *** tellesnobrega_ has quit IRC
10:55 *** wanghong has quit IRC
10:56 *** wanghong has joined #openstack-keystone
10:56 *** mancdaz has joined #openstack-keystone
10:58 *** kashyap has joined #openstack-keystone
10:58 <marekd> rodrigods: hey, so i talked with morganfainberg 2 days ago and there is a general agreement
10:58 <marekd> that we cannot save the world.
10:59 <marekd> so, there is a reasonable effort to make Keystone work as a saml idp and a similar amount would be required for other protocols. So for now morganfainberg said "let's support SAML2 only and nothing more", hence no need to add protocols and tie them with SP objects
11:00 <kashyap> With current Keystone git (I'm at commit: 71c9bf5), DevStack is failing with:
11:00 <kashyap> "Could not find user: admin (Disable debug mode to suppress these details.) (HTTP 401)"
11:00 * kashyap still investigating, thought I'd note here first
11:00 <marekd> for the URL in the region - i believe this should be deprecated, but i don't think this should be a work item in SP spec.
11:00 <marekd> or maybe it should...?
11:11 *** eglynn-regus is now known as eglynn-office
11:12 <kashyap> Disregard me, cleaning up my env, and re-running it 'fixed' it magically :)
11:17 *** kashyap has left #openstack-keystone
11:31 <rodrigods> marekd, yeah, makes sense
11:31 <rodrigods> marekd, can always be "upgraded" if needed
11:49 *** aix has quit IRC
12:02 *** aix has joined #openstack-keystone
12:15 <mancdaz> this may be a stupid question, but if I am using "backend = dogpile.cache.memcached", and I have set my memcached servers under the [memcache] section, do I also need to set them via the backend_argument flag in the [cache] section?
12:16 *** amakarov_away is now known as amakarov
12:23 *** oomichi has quit IRC
12:31 *** sluo_afk has joined #openstack-keystone
12:34 *** sluo_laptop has quit IRC
12:38 <marekd> rodrigods: well, it's sometimes better to make a good design from the beginning, cause later upgrading may be a mess.
12:39 *** sluo_laptop has joined #openstack-keystone
<openstackgerrit> Alexander Makarov proposed openstack/keystone: Trust redelegation
12:43 *** sluo_afk has quit IRC
12:46 *** radez_g0n3 is now known as radez
<openstackgerrit> Lance Bragstad proposed openstack/keystone-specs: Authenticated Encryption Tokens
12:56 <lbragstad> ayoung: AE token demo
<amakarov> bknudson, good day to you! Can you please review my LDAP doc change again?
<amakarov> And there is an HA bug fix, can anybody look into it? :)
13:02 <marekd> vsilva: did you happen to start implementing whitelisting in mapping enhancements? :-)
13:07 *** ajaya has joined #openstack-keystone
13:08 *** ajayaa has quit IRC
13:15 *** diegows has joined #openstack-keystone
13:21 <samuelms> why does test_v3_* have a load_sample_data() method instead of using the default_fixtures?
13:37 <ayoung> lbragstad, thanks
13:37 <lbragstad> ayoung: yep
13:38 *** gordc has joined #openstack-keystone
13:39 *** bknudson has quit IRC
13:39 <lbragstad> ayoung: If you have any questions, I should be back in about 4 hours. Volunteering for the morning
13:40 <ayoung> lbragstad, NAVY!
13:40 <ayoung> Never Again Volunteer Yourself!
13:40 <ayoung> lbragstad using that to try and get a comparison.
13:41 <lbragstad> ayoung: you want to use asymmetric?
13:41 <ayoung> lbragstad, if possible, yes
13:41 <marekd> does tox -edocs work for anybody even on a fresh master?
13:41 <ayoung> lbragstad, it means we can avoid the roundtrip
13:41 <marekd> (and Debian/Ubuntu)
13:41 <ayoung> We'll talk when you get back. I'm going to do some investigations first
13:42 <ayoung> lbragstad, what are we using as our sample payload?
13:44 *** yasu_ has quit IRC
13:45 <ayoung> lbragstad, is another gist?
13:45 <lbragstad> ayoung: yes
13:45 <lbragstad> ayoung: it builds off demo.oy
13:46 <marekd> lbragstad: i am going to read your spec again (lots must have happened before I had read it last time) and will try to comment as I can see you were raising some usecases I had mentioned some time ago.
13:47 <lbragstad> marekd: ok
13:47 <lbragstad> marekd: jamielennox had a reference to federation but wasn't clear on the exact use case
13:47 <lbragstad> gotta run, back in a few hours
13:47 <marekd> lbragstad: cya
13:57 *** zzzeek has joined #openstack-keystone
13:58 *** mitz- has joined #openstack-keystone
14:00 *** mitz_ has quit IRC
<openstackgerrit> Marek Denis proposed openstack/keystone: Identify groups by name/domain in mapping rules.
14:16 *** nkinder has quit IRC
14:19 *** richm has joined #openstack-keystone
14:23 *** bknudson has joined #openstack-keystone
14:23 *** ChanServ sets mode: +v bknudson
14:24 <marekd> rodrigods: one says "an specific" ???
14:24 <marekd> dear natives: ^^^^^^^^^^^^^^^^^^^^^^^^
14:26 <bknudson> a specific
14:26 <bknudson> an is used for vowels
14:27 <marekd> bknudson: and what's correct "a specific url" or "an specific url" ?
14:27 *** mzbik has quit IRC
14:27 <bknudson> marekd: "a specific url"
14:27 <marekd> bknudson: ok, i thought so too.
14:28 <rodrigods> bknudson, but specific has a sound of "es"
14:29 <rodrigods> the an is before words which start with sound of vowel
14:29 <bknudson> rodrigods: it's not pronounced especific ...
14:29 <bknudson> not here in minnesota
14:29 <marekd> uh, i am not that into articles.
14:30 <bknudson> just change it to "the specific url"
14:30 <rodrigods> marekd, bknudson, yep, my portuguese accent makes me pronounce "espe"
14:30 <rodrigods> my fault
14:30 <marekd> rodrigods: no worries, i didn't even want to oppose, and that's why i asked here :-)
14:31 <mancdaz> this may be a stupid question, but if I am using "backend = dogpile.cache.memcached", and I have set my memcached servers under the [memcache] section, do I also need to set them via the backend_argument flag in the [cache] section?
<openstackgerrit> Marek Denis proposed openstack/keystone-specs: Service Provider for K2K
14:31 *** bdossant_ has joined #openstack-keystone
14:31 <marekd> rodrigods: ^^
14:33 *** bdossant has quit IRC
<rodrigods> ayoung, ping "policies engine": so I think I understood correctly what you and morganfainberg discussed yesterday, but I guess you would be the person to update this spec right now:
14:34 <rodrigods> marekd, great!
14:35 <marekd> rodrigods: did you catch my last responses about lack of protocols i wrote you earlier here?
14:36 <rodrigods> marekd, yes
14:37 <rodrigods> marekd, what about regions?
14:37 <rodrigods> are we going to remove the URL field?
14:37 <rodrigods> also, there is GET SAML assertion step, which is done right now by specifying a region
14:38 <marekd> rodrigods: my understanding is that regions would not be used anymore.
14:39 <marekd> rodrigods: i think jamielennox raised a point where region should be usable with a local token which would not be a case with k2k
14:40 <rodrigods> marekd, so it will still need the url field?
14:40 <marekd> morganfainberg: since url in region is no longer required should we actually deprecate it as a part of the service-providers spec?
14:40 <morganfainberg> marekd, please do
14:40 *** joesavak has joined #openstack-keystone
14:40 <marekd> rodrigods: well, i think use of regions was kind of unspecified, and url was added especially for k2k
14:41 <rodrigods> marekd, good
14:41 <morganfainberg> marekd, it probably can disappear without too much effort as it was "optional" iirc
14:41 <marekd> morganfainberg: let me check.
14:41 <rodrigods> marekd, there is the need to document the new way to retrieve a SAML assertion
14:41 <rodrigods> marekd, list in the work items?
14:42 <marekd> morganfainberg: it's not specified whether url is optional or not in the API spec :/
14:43 <morganfainberg> marekd, i think it is implicitly optional because not everything has it
14:43 <marekd> morganfainberg: ack
14:43 <morganfainberg> marekd, i'm ok with deprecating it for sure.
14:43 <marekd> rodrigods: does it fit in work item "document implemented changes"? no keystoneclient exists for k2k so we will not change anything there :-)
14:44 *** topol has joined #openstack-keystone
14:44 *** ChanServ sets mode: +v topol
14:46 <rodrigods> marekd, yes... just concerned about forgetting something
14:47 <amakarov> morganfainberg, hi! I've turned allow_redelegation from field to parameter, as we discussed, would you kindly have a look?
14:47 <morganfainberg> amakarov, will do, i am travelling today
14:47 <morganfainberg> so might be spotty getting time until i'm checked out of the hotel
14:48 <amakarov> morganfainberg, ok, just to notify )
14:48 <morganfainberg> and thanks for working hard on this
<openstackgerrit> Marek Denis proposed openstack/keystone-specs: Service Provider for K2K
14:48 <marekd> rodrigods: ^^
14:50 <marekd> morganfainberg: bknudson: Can i ask for reviews ?
14:52 *** joesavak has quit IRC
14:54 <ayoung> rodrigods, yeah, let me deal with that.
14:54 *** r-daneel has quit IRC
14:56 *** ayoung has quit IRC
14:57 *** nkinder has joined #openstack-keystone
14:57 *** nkinder is now known as nkinder_away
15:00 *** nellysmitt has left #openstack-keystone
<openstackgerrit> Merged openstack/keystonemiddleware: Updated from global requirements
15:04 *** dims has joined #openstack-keystone
15:08 *** ayoung has joined #openstack-keystone
15:08 *** ChanServ sets mode: +v ayoung
15:16 *** rushiagr is now known as rushiagr_away
15:20 *** ajaya has quit IRC
15:26 <marekd> rodrigods: thanks for the review.
15:26 *** timcline has joined #openstack-keystone
15:26 *** timcline has quit IRC
15:27 *** timcline has joined #openstack-keystone
15:31 <gabriel-bezerra> dstanek: Hi David. My lab mates have told me you are working on setting up keystone with PySaml2 example IdP for testing.
15:32 *** bdossant_ has quit IRC
15:32 *** bdossant has joined #openstack-keystone
15:32 <dstanek> gabriel-bezerra: yes, that's correct
15:32 *** boris-42 has quit IRC
15:33 <gabriel-bezerra> dstanek: I've got into a problem in the very end of the shibboleth verification. It's showing: opensaml::FatalProfileException at (http://localhost:5000/Shibboleth.sso/SAML2/POST)
15:33 <gabriel-bezerra> dstanek: and Unable to establish security of incoming assertion.
15:34 <gabriel-bezerra> dstanek: the log messages in /var/log/shibboleth/shibd.log aren't clear about what is going wrong
15:34 <gabriel-bezerra> dstanek: have you ever faced this problem?
15:35 <dstanek> gabriel-bezerra: i haven't gotten that far yet; i have mod_shib's XML configured to know about the IdP, but i don't know how to tell the IdP about the SP
15:35 <dstanek> gabriel-bezerra: what did you do to get them to know about each other?
15:35 <gabriel-bezerra> dstanek: just to make it clear: I'm setting it up here as well for us to help with the tests
15:35 *** tellesnobrega has quit IRC
15:36 <gabriel-bezerra> dstanek: I got the metadata of the sp into a file with curl http://localhost:5000/Shibboleth.sso/Metadata > shibboleth-sp-metadata.xml
15:37 <gabriel-bezerra> dstanek: then I replaced the configuration in pysaml2/example/idp2/ (something like that) in the line metadata.local
15:38 <gabriel-bezerra> dstanek: as we won't care about that idp talking to the old sp, I didn't mind removing the configuration for the old sp
15:38 <dstanek> gabriel-bezerra: let me get onto my VM and fire things back up
15:38 <gabriel-bezerra> dstanek: it is now like this:
15:38 <gabriel-bezerra> "metadata": {
15:38 <gabriel-bezerra>     #"local": [full_path("../sp-wsgi/sp.xml")],
15:38 <gabriel-bezerra>     "local": [full_path("../../../shibboleth-sp-metadata.xml")],
15:40 *** bdossant has quit IRC
15:41 *** bdossant has joined #openstack-keystone
15:45 *** boris-42 has joined #openstack-keystone
15:45 *** shakamunyi has joined #openstack-keystone
15:49 <gabriel-bezerra> dstanek: could you find that line in the configuration file?
15:50 <dstanek> gabriel-bezerra: yes, i just scripted doing that operation - now i'm restacking
15:53 <morganfainberg> marekd: that change looks good. I will score it once I'm done checking out of the hotel and taking care of car return.
15:53 <dstanek> gabriel-bezerra: so that seems to be done - what did you do to cause the error you are seeing?
15:56 <gabriel-bezerra> dstanek: I used the web browser to access http://localhost:5000/v3/OS-FEDERATION/identity_providers/pysaml2/protocols/saml2/auth
15:56 <gabriel-bezerra> dstanek: then I used babs/howes as user/pass
15:57 <gabriel-bezerra> then it redirects back to the SP and, after ~3s, that error message comes up
16:00 <gabriel-bezerra> dstanek: I've just got the same error with roland/dianakra
16:01 *** topol has quit IRC
16:01 *** topol has joined #openstack-keystone
16:01 *** ChanServ sets mode: +v topol
16:05 *** DWang has joined #openstack-keystone
16:06 *** darren-wang has quit IRC
16:06 *** bdossant has quit IRC
16:08 *** thedodd has joined #openstack-keystone
16:12 *** shakamunyi has quit IRC
16:13 *** eglynn-regus has joined #openstack-keystone
16:14 *** eglynn-office has quit IRC
<openstackgerrit> Merged openstack/keystone: Remove endpoint_substitution_whitelist config option
16:16 *** bdossant has joined #openstack-keystone
<openstackgerrit> Merged openstack/keystone: Updated from global requirements
16:16 <marekd> morganfainberg: thanks.
16:17 <marekd> dstanek: so usual way is to send SP's metadata file to the IDP
marekddstanek: where you fetch Metadata from
*** bdossant has quit IRC16:18
*** erkules_ is now known as erkules16:20
marekddstanek: did you manage to write scripts for auto config idps/protocols/mappings?16:21
dstanekmarekd: yes, i just wrote up a few curl commands16:24
*** nkinder_away has quit IRC16:29
*** rushiagr_away is now known as rushiagr16:29
samuelmsdstanek, it looks like you have a functional environment for the federation tests, is that right? o/16:33
samuelmsdstanek, I saw you posted your wip changes to
ayoungrodrigods, samuelms so....I am trying to get a standard approach to Policy  confirming  attributes about the request.  We have 3 distinct pieces:  One is the URL, which has the identifiers in it.  Second is the object fetched by the the URL (target) which will then have a domain on it, and the third is the payload of the request itself.  I think it is the third one that is most problematic16:36
ayoungLets say you are adding a user to a domain16:36
ayoungyou would post to the create URL16:36
ayoungPOST /users16:37
ayoung  "user": {"domain_id": "1789d1",16:37
ayoungand we would assume that  the user has a token scoped to that domain16:38
ayoungbut, what if the user was sneaky and added in a section like this:16:38
ayoung"group": { domain: "something"16:38
ayoungand, if the user was in domain "something" but not in domain "1789d1"16:39
ayoungright now, the policy v3  protects against those kinds of attacks via brute force rules listing:16:39
ayoung  for create user references16:40
*** chrisshattuck has joined #openstack-keystone16:40
ayoung"admin_and_matching_user_domain_id": "rule:admin_required and domain_id:%(user.domain_id)s",16:40
samuelmsayoung, domain_id:%(user.domain_id)s16:41
samuelmsayoung, the first domain_id is from the url?16:41
ayoungsamuelms, I'd like to not have to write an explicit rule for each variation, though16:41
ayoungI'd rather have something like:16:41
ayoungif  there ius a user section, makes sure the domain matches AND if there is a group section make sure the domain matches etc16:42
samuelmsayoung, instead of thinking about all the paths a domain could come from (url, body, whatever) and just request for the check16:43
samuelmsayoung, and no need to create brute force checks16:44
*** nkinder_away has joined #openstack-keystone16:44
samuelmsayoung, something like: 'create_user': 'role:domain_admin on scope:domain'16:45
samuelmsayoung, and then the engine resolves what's needed16:46
samuelmsayoung, is that what you're thinking?16:46
*** david-lyle_afk is now known as david-lyle16:46
ayoungsamuelms, yes----ish16:46
ayoungsamuelms, something like this:16:46
ayounglets say we have a creator thingy, and we pass that a domain.16:47
ayoungthe creator is used for creating all things, and before it creates the thing, it makes sure you have the role on the domain that pertains.16:47
ayoungI think my logic for domain_matches is flawed, but I can't think how to fix it inside the current structure16:48
*** andreaf is now known as andreaf_16:49
ayoungsamuelms, you know how I was pulling the "member" value out and setting it in the context?  Its something like that16:49
ayoungindicating on a specific request that the thing we care about is in a given field16:49
ayoungcreate USER is the USER field, create group is the group field, and so on16:50
samuelmsayoung, hmm .. an entry point in the code?16:50
ayoungsamuelms, so, if we were stuck with the decorator, we could put a value into the decorator that says "entity=user"16:50
ayoungand then the rule for domain matches would be:  domain_id=entity.domain_id16:51
ayoungor something16:51
samuelmsayoung, looks interesting ++16:52
bknudsonwe're not stuck with a decorator or anything.16:53
ayoungbknudson, I know...just as an example16:53
samuelmsayoung, these days I was thinking about allowing more powerful expressions into the policy16:53
samuelmsayoung, something like OCL (
samuelmsayoung, so that expressions could navigate through the models to make assertions16:53
ayoungsamuelms, I think we want less in the language, and more in the base mechanism16:53
ayoungI think policy should be as simple as:16:54
ayoungI'm more prone to making more powerful rules inside policy.py16:54
ayoungI'd rather people code in Python than in a constraints language16:55
samuelmsayoung, for nova, for example, one could define: 'create_instance': 'role:project_manager_lvl_2 and project.avalaible_quotas > 50%'16:55
ayoungdoesn't belong in policy16:56
openstackgerritBrant Knudson proposed openstack/keystone: Add tests for enabled attribute ignored
openstackgerritBrant Knudson proposed openstack/keystone: Fix disabling entities when enabled is ignored
ayoungI mean, yes we should be able to do that somewhere, but not in policy16:56
samuelmsayoung, where?16:56
samuelmsayoung, is that what congress stands for?16:57
ayoungsamuelms, lets punt on that for now16:57
ayoungI want to get the keystone policy cleaned up to the point that it can be the basis for the unified policy file16:57
ayoungwhich means sorting issues like these16:58
samuelmsayoung, ok, makes sense16:58
*** shakamunyi has joined #openstack-keystone16:59
ayoungI mean, I could make domain_match into a Python object16:59
ayoungsame with project match16:59
samuelmsayoung, yep, and project_match, user_match16:59
samuelmsayoung, and so on17:00
ayoungno, just the containers ones: doamin and project I think17:00
samuelmsayoung, well, yes17:00
samuelmsayoung, was rethinking :p17:00
ayoungkeep are spurring me on17:00
ayoungdon't let my saying "no" shut you up17:00
samuelmsayoung, so glad to see this :)17:01
samuelmsayoung, haha yep17:01
ayoungmaybe a "request_matches"  object17:01
dstaneksamuelms: almost yes - actually fighting some strange config issues right now and then back to the pysaml2 fun17:01
samuelmsdstanek, great ++17:02
ayoungthe thing is, which one matches should depend on the thing you are trying to create17:02
samuelmsdstanek, please let me know if we can try to help17:02
ayoungothers should be ignored or treated as "if this is here and it should not be, reject"17:02
dstaneksamuelms: if you guys get the IdP to work first that would be a huge help :-) that's the last thing i am stuck on17:02
dstaneksamuelms: the rest of the work is really cleaning up some of the scripts that i wrote and making them more robust17:03
samuelmsdstanek, ok .. will request this to vsilva and gabriel-bezerra :-)17:03
*** _cjones_ has joined #openstack-keystone17:03
samuelmsdstanek, great17:03
ayoungsamuelms, OK, so on a create, we maybe do want a specific rule that states what part of the request is relevant17:05
samuelmsayoung, and then we should think on api's by involved  entities to them17:05
ayoungbut it should be as simple as specifying  request_entity:user17:05
*** marcoemorais has joined #openstack-keystone17:08
*** marcoemorais1 has joined #openstack-keystone17:10
*** gyee has joined #openstack-keystone17:11
*** ChanServ sets mode: +v gyee17:11
*** aix has quit IRC17:12
samuelmsayoung, so for each api we need to define the entity that will be used to match attributes (entity.domain_id, for example)17:13
*** marcoemorais has quit IRC17:13
ayoungsamuelms, I think it is only needed for the creates.  For the others, it will all be determined by the objects out of the database.  But with a create, there is no object from the database17:14
ayoungSo, in Keystone, we have the ability to fetch a project from the database.  But In nova, they won't17:15
ayoungso, yeah, we need to match on object itself17:15
ayounger...requested object17:15
ayoungbknudson, is there any support with JSON home for saying "only these fields are valid in the request, and if it is not well formed, reject it?"17:17
bknudsonayoung: I think you're asking about JSONSchema not JSON Home.17:17
bknudsonJSON Home doesn't do any validation17:17
ayoungyes, yes I am17:17
bknudsonayoung: and yes, JSON Schema does support that.17:18
ayoungbknudson, so tell me if this rings true:17:18
bknudsonI think we set all our schema so that they allow extra parameters.17:18
*** henrynash has joined #openstack-keystone17:18
*** ChanServ sets mode: +v henrynash17:18
bknudsonit's difficult to support forwards-compat if you don't allow extra params17:18
bknudsontypically one wants to ignore unknown params so newer clients can work with old server.17:19
samuelmsayoung, I think we just need to check info from assignment's scope, and not from the objects themselves17:19
ayoungsamuelms, in this case, yes17:19
samuelmsayoung, assignment's scope + role + actor17:19
samuelmsayoung, the actor is me, trying to do something in the domain x, where I must have role y17:20
samuelmsayoung, :)17:20
ayoungsamuelms, the thing is, the assignment scope is specific to the API being called, especially if we allow data into the request that we are then going to ignore17:20
samuelmsayoung, so we're still discussing about the several sources where the info that need to be checked come from (url, body, etc)17:21
samuelmsayoung, the need to compare them with the scope is a fact17:22
ayoungsamuelms, I think the core is that if you are driving an action primarily on data from the request, you need to have some semantic interpretation of the data before you can run policy on it17:24
ayoungwith the other APIs, you have control on the server side. With the request from a remote user, you do not.17:24
ayoungI think we need a rule that says "here are a set of things to check.  One of them must return a positive, and none of them can return a negative"17:25
samuelmsayoung, but can the user modify the token by himself?17:25
ayoungwhich is what the OR rules try to do17:25
ayoungbut then, the rules themselves must do:17:25
ayoungif user exists, check that domain_id == user_id17:26
ayoungif it does not exist, don't treat it as either a success or failure17:26
ayoungI can write it in python, but not in the rules language17:26
samuelmsayoung, ++17:27
samuelmssamuelms, implement the logic evaluation in python17:28
ayoungfor entry in entries: if  entry.passes passes=True else passes = False and break;17:28
samuelmssamuelms, like real logic: a ^b ^¬c17:28
ayoungsamuelms, so some new rule type "at_least_one_of"17:28
samuelmsayoung, any(..) in python :D17:28
ayoungpython any.  exactly17:29
samuelmsayoung, any([False, False, True]) -> True17:29
ayoungAh...not quite17:30
samuelmsayoung, any([None, None, True]) -> True17:30
samuelmsayoung, ^17:30
samuelmsayoung, and we have >>> all([True, True, True]) -> True17:31
samuelmsayoung, if we need ands (but I dont think so)17:31
ayoungfor entity in ['user', 'group', 'project'] :  if request.get(entity) is None continue;17:31
samuelmsayoung, the 'ands' still lives in the .json17:31
ayoungthe JSON needs to specify the keys, but the collection needs to be created in python17:32
ayoungOK...I think I can code that up.  Let me give it a try17:32
samuelmsayoung, sure17:32
samuelmsayoung, if we could always restrict the operations on a target to someone that has a role on that17:37
morganfainbergsamuelms, so following up on graduation stuff will be today when i get home17:38
morganfainberghard to get everything done while at the airport / having to get on a plane.17:38
ayoungsamuelms, you mean as a second check beyond the API level one?  Yes, I think we should17:38
samuelmsayoung, for example, if you have a domain scope token and call list_users, that's pretty obvious you want to list users on that domain17:38
rodrigodsmorganfainberg, ^great :)17:39
samuelmsayoung, and on the policy you just need to: 'list_users': 'role:domain_admin'17:39
samuelmsmorganfainberg, ++17:39
morganfainbergsamuelms, i don't think that case is *that* obvious17:39
morganfainbergsamuelms, honestly, if i say "list_users" do i mean i want to use say a super-power and list all users i can see? just the domain users?17:40
morganfainbergsamuelms, i'd argue that the API shouldn't make those assumptions17:40
samuelmsmorganfainberg, yep makes sense17:41
ayoungmorganfainberg, list users is the sore spot:17:41
samuelmsmorganfainberg, that should be configurable17:41
morganfainbergsamuelms, the tooling around the API can be smarter about it (e.g. horizon/keystoneclient) and pass appropriate params to ensure you get the opinionated response17:41
samuelmsmorganfainberg, by the deployer (using policyc)17:41
ayoungreally the fact that we change what we show based on the context in the token is a little suspect17:41
morganfainbergsamuelms, except it *can't* be configurable at that level via policy17:41
morganfainbergayoung, that is my point17:41
morganfainbergthe API shouldn't try and outthink the user17:41
morganfainbergthe tooling can be more opinionated17:42
morganfainberglist_users probably should show everyone the requestor can see, sans filtering17:42
morganfainbergbut if keystoneclient/OSC (CLI) or horizon is a bit more opinionated about filtering, i think that is fine17:43
ayoung"everyone the requestor can see" means it is based on the token17:43
samuelmsayoung, that's what I'm thinking17:43
ayoungI'd rather say that the API should always return the same thing, but return 403 if the user can't see that17:43
ayoungso for most people list_users would 40317:44
ayoungmaybe for everyone17:44
morganfainbergayoung, so must provide a filter to your domain if you're looking for that scope?17:44
morganfainbergand aren't a super-admin-special-powered-role17:44
* morganfainberg would be ok with that.17:44
morganfainbergit really wouldn't change the current behavior17:44
ayoungmorganfainberg, it would likely break all tooling17:45
ayoungthat is the problem.  Damn users....17:45
morganfainbergnah, only if we update policy as is17:45
ayoungalways wanting us to not break things17:45
morganfainbergif we start with current policy [yes don't change the current policy at the same time you change this stuff]17:45
ayoungOK...time to go talk to my kid's teacher....17:45
morganfainbergthat shouldn't break anything17:45
*** ayoung is now known as ayoung-afk17:46
samuelmsayoung, is he messing up the school? o/17:46
*** tellesnobrega has joined #openstack-keystone17:46
morganfainbergsamuelms, and i agree with ayoung, don't make policy "python"17:47
morganfainbergthat is scary scary stuff17:47
morganfainbergpolicy should stay a DSL that we have a lot more control over.17:47
samuelmsmorganfainberg, in fact that's what he was proposing17:47
morganfainbergwell then i mis-read17:48
morganfainbergthe answer is that doesn't belong in the policy language17:48
samuelmsmorganfainberg, what I was thinking was to put more powerful expressions on that17:48
samuelmsmorganfainberg, like using Object constraint language (OCL)17:48
morganfainbergpolicy language doesn't need to be able to make arbitrary python calls - please no.17:48
* morganfainberg is sick of the wikipedia beg-a-thon17:48
morganfainbergit screws up my web browsers all the time.17:49
* morganfainberg considers adding an adblock rule for the begathon div17:49
samuelmsmorganfainberg, and then one could navigate through resources like: 'create_instance':'role:project_admin_lvl2 and project.available_quotas > 50%'17:49
morganfainbergso that explicitly requires us to ensure the PEP is lower than at the API layer (i'm leaning towards that being the right answer)17:49
samuelmsmorganfainberg, haha17:50
morganfainbergi *think* that would actually be: 'create_instance':role:project_adminlvl2 and expr(%(project).available_quotas, gt(50))17:50
samuelmsmorganfainberg, +10017:51
gabriel-bezerradstanek: sorry, I had to go for lunch and my connection has crashed before I could tell you. Did you get to make the IdP to recognize the SP with that change to the file?17:51
samuelmsmorganfainberg, :-)17:51
morganfainbergsamuelms, we might need to make it more like the SQL-partition declaration17:51
morganfainbergand expr(%(project).available_quotas, GREATER 50)17:52
morganfainbergrather than doing the functional-looking approach17:52
morganfainbergeasier from a user-consumption perspective17:52
samuelmsmorganfainberg, agreed17:52
openstackgerritRodrigo Duarte proposed openstack/keystone: Inherited role assignments to projects
morganfainbergbut in either case i think that is fine - it stays a DSL (OCL type)17:52
morganfainbergand doesn't become "omg-run this function"17:53
samuelmsmorganfainberg, perfect17:53
morganfainbergand it would use context to pull %(<kwarg>) out17:53
rodrigodshenrynash, ^ thanks for the comments, added a more complex testcase (check the replies to see if you are ok with them)17:53
morganfainbergif kwarg doesn't exist, it's a failure in the case of a required 'and'17:53
samuelmsmorganfainberg, yep17:53
morganfainbergin an *or* case that check is implicitly false17:53
*** marcoemorais1 has quit IRC17:54
morganfainbergi think we need to improve the lexical parser to be less about inspecting the string and probably move to a known/premade tokenizer17:54
morganfainbergthe "our own tokenizer" is likely not up to the OCL-type task17:55
*** amakarov is now known as amakarov_away17:55
*** gyee has quit IRC17:55
*** bknudson has quit IRC17:56
samuelmsmorganfainberg, yep .. we need to improve it17:56
samuelmsmorganfainberg, I'll write this idea up somewhere, so we keep this17:57
openstackgerritRodrigo Duarte proposed openstack/keystone: Inherited role assignments to projects
*** r-daneel has joined #openstack-keystone17:57
*** topol has quit IRC17:58
openstackgerritMerged openstack/keystone-specs: Scope federated tokens with ``token`` auth method.
*** jistr has quit IRC18:00
samuelmsmorganfainberg, have you ever thought about having 'capabilities' as a first-class citizen on Keystone ?18:01
samuelmshenrynash, hey18:02
samuelmshenrynash, followed what I was discussing with morgan ^18:03
*** harlowja_away is now known as harlowja18:03
samuelmshenrynash, ^18:03
*** thedodd has quit IRC18:04
samuelmshenrynash, we're thinking about more powerful expressions in the policy, something related to Object Constraint Language18:04
samuelmshenrynash, so we could have something like 'create_instance':'role:project_adminlvl2 and expr(%(project).available_quotas, GREATER 50)'18:04
*** lhcheng has joined #openstack-keystone18:07
morganfainbergsamuelms, capabilities? as in nova api actions?18:10
*** _cjones_ has quit IRC18:12
*** _cjones_ has joined #openstack-keystone18:13
samuelmsmorganfainberg, each api would be a capability.. I'm writing up my complete idea right now18:14
*** avozza is now known as zz_avozza18:14
samuelmsmorganfainberg, will ping you in few minutes18:15
morganfainbergi've actually discussed this with people at the summit ;)18:15
samuelmsmorganfainberg, o/18:15
samuelmsmorganfainberg, and?18:15
morganfainbergthere is a major hurdle - how do you know the capabilities for an endpoint18:15
morganfainbergso you can assign that capability into a role/etc18:15
samuelmsmorganfainberg, two options: i) each service would implement list_capabilities() ii) reading capabilities from policy file18:16
samuelmsmorganfainberg, that way roles could be what they really mean: group of capabilities18:16
samuelmsmorganfainberg, if we update what we have today: role -> capability ; domain-role -> role18:18
samuelmsmorganfainberg, we could have that model18:18
morganfainberghenrynash, ping: just commented again on the split-assignment patch, but short is i wont negatively score it - but I also wont positively score it [don't want it blocked]. If the design is correct with the extra split i'm willing to be proven wrong with the input from the -core team and non-core developers/users/reviewers.18:19
henrynashmorganfainberg: ok, will review18:19
morganfainbergbut i haven't seen a strong voice in your favor or my favor on that front. so we're (i think) equally balanced on the design view atm :)18:20
morganfainberghenrynash, please prove me wrong if this split is really buying us a big win.18:20
morganfainbergsamuelms, so you need to be running the service to know the capabilities18:21
samuelmsmorganfainberg, just for the first option18:21
morganfainbergsamuelms, this makes defining roles hard if <service> is down.18:21
dstanekgabriel-bezerra: i'm looking into a mod_shib config issue18:21
samuelmsmorganfainberg, the second would be to read api's from policy18:21
morganfainbergyes, second - i think that might be backwards, but haven't thought too much about that18:21
*** gyee has joined #openstack-keystone18:22
*** ChanServ sets mode: +v gyee18:22
morganfainbergsamuelms, will need to mull that one over some.18:22
samuelmsmorganfainberg, yep, I'm writing my complete vision on how the whole thing could be18:22
gabriel-bezerradstanek: have you had the same issue as I had?18:22
samuelmsmorganfainberg, will ping you and let you mull it :)18:22
gabriel-bezerra dstanek: the same error18:22
morganfainbergsounds good18:23
samuelmsmorganfainberg, great18:23
henrynashrodrigods: +2’d your patch18:24
rodrigodshenrynash, yay :)18:26
rodrigodsmorganfainberg, henrynash we need to approve the API spec part too:
dstanekgabriel-bezerra: current issue is
samuelmshenrynash, o/18:26
dstanekgabriel-bezerra: i'm trying to compare my config to marekd's to see if there is something obvious18:27
openstackgerritRaildo Mascena de Sousa Filho proposed openstack/keystone-specs: Reseller Use case
gabriel-bezerradstanek: ok, I didn't have that issue18:28
*** esp has quit IRC18:28
morganfainbergif you didn't see it:
morganfainbergnext week i'm going to mass-abandon lingering reviews18:29
gabriel-bezerradstanek: pysaml2-iPD?18:29
gabriel-bezerradstanek: see the URL on the error18:29
morganfainbergdstanek, i know you have a chunk of these, as does ayoung-afk.18:29
dstanekgabriel-bezerra: yes18:30
morganfainbergdstanek, hence why i didn't want to abandon w/o warning.18:30
dstanekmorganfainberg: i'll pull down the stuff i'm interested in keeping into local branches and then abandon18:30
gabriel-bezerradstanek: did you notice the swapped P and D?18:30
dstanekgabriel-bezerra: haha, fixed the curl and it still doesn't work18:31
morganfainbergdstanek, you can just pull it all down and let me abandon18:32
morganfainbergdstanek, it's fine either way make it easy for you - i need to look through all of them anyway18:32
dstanekmorganfainberg: do you know if there is anything that we'd actually want? i'd be happy to see if i can recover the reviews on top of current master18:33
*** marcoemorais has joined #openstack-keystone18:33
morganfainbergdstanek, haven't looked18:33
morganfainbergdstanek, i can ping you on any i see after i start abandoning18:33
dstanekmorganfainberg: k18:34
morganfainbergdstanek, lets plan for that - if i see something important i'll toss it over in a gist or some such18:34
morganfainbergi'd rather you grab all your reviews and help w/ K1 targets than worry about abandoning right now.18:34
dstanekthere is probably quite a few bug fixes that were more or less drive by reviews18:34
morganfainbergthis is why i'm actually going to look through each one18:35
morganfainbergnot just blindly abandon18:35
*** marcoemorais1 has joined #openstack-keystone18:35
morganfainbergalso if it just was lingering / no score - i'll not abandon18:35
morganfainbergthis is just negative score with zero updates in 60+d18:35
morganfainbergrebase != update18:36
*** esp has joined #openstack-keystone18:36
openstackgerritMerged openstack/keystone: Add missing translation marker for dependency
openstackgerritThiago Paiva Brito proposed openstack/python-keystoneclient: Implementing hierarchical calls on keystoneclient v3 (python only)
dstanekmorganfainberg: if i have time on Sunday I'll look and see if there is anything i'd like to save18:36
morganfainbergmuch appreciated18:37
*** marcoemorais has quit IRC18:38
morganfainbergzzzeek, ping - need to ask you some questions re SQLA and at least alembic migration(s)18:40
*** rushiagr is now known as rushiagr_away18:40
morganfainbergzzzeek, specifically horizontal partitioning at the RDBMS engine level - and how that's going to break things [if at all]18:41
openstackgerritMerged openstack/keystone: TestAuthPlugin doesn't use test_auth_plugin.conf
dstanekgabriel-bezerra: i think my issue is that the shibboleth.xml configuration doesn't match my apache configuration18:52
*** bknudson has joined #openstack-keystone18:55
*** ChanServ sets mode: +v bknudson18:55
*** harlowja has quit IRC19:00
*** thedodd has joined #openstack-keystone19:02
morganfainbergrodrigods, ping: HMT - commented on the inherit stuff19:07
*** nellysmitt has joined #openstack-keystone19:07
morganfainbergrodrigods, one thing that needs to be addressed before I can really +319:07
bknudsonPTL gets +3 now!19:08
morganfainbergbknudson, +3! dude +2 CR, +1 Approved19:09
morganfainbergthat is totally a +3!19:09
* morganfainberg admits to stealing that from -infra19:09
*** topol has joined #openstack-keystone19:12
*** ChanServ sets mode: +v topol19:12
openstackgerritMerged openstack/pycadf: Updated from global requirements
rodrigodsmorganfainberg, great!19:15
dstanekgabriel-bezerra: so i fixed (i think) my config issue and the curl is just hanging there19:16
openstackgerritRaildo Mascena de Sousa Filho proposed openstack/keystone-specs: Reseller Use case
*** lhcheng_ has joined #openstack-keystone19:17
*** marcoemorais1 has quit IRC19:18
marekddstanek: if you have some doubts or problems, feel free to shoot me an e-mail!19:20
marekdmaybe i have seen that in the past so why double the efforts.19:20
dstanekmarekd: nothing i can't get past so far...just one after another19:20
marekdgabriel-bezerra: so you want to setup just pysaml2 or working on functional tests?19:20
dstanekmarekd: gabriel-bezerra is setting up pysaml2 to start working on the functional tests19:21
*** ayoung-afk is now known as ayoung19:21
*** lhcheng_ has left #openstack-keystone19:22
ayoungmorganfainberg, I have a lot of irons on the fire, and try to keep up with them.  But review is a slow process, so please don't go through and mark any of mine as abandoned.  I do that myself when it really is abandoned.19:23
morganfainbergayoung, yours are not exempted here19:23
ayoungmorganfainberg, so you think I'm not involved enough?  :)19:23
morganfainbergif the review has not seen an update in 60 days and has a negative score it will be abandoned - i am going to look at them closely.19:23
morganfainbergno it's not you, it's the fact that these are lingering around and need cleanup19:24
morganfainbergi'll document all of yours marked clearly in a gist so you can bring them back as needed19:24
morganfainbergsame w/ dstanek's19:24
marekddstanek: so it's something different from your patch ?19:24
morganfainbergthese don't "go away" just drop off the active review list.19:24
openstackgerritayoung proposed openstack/python-keystoneclient: regions sample script
morganfainbergand i am not blocking them in the future.19:24
marekdgabriel-bezerra: do you have something on gerrit already?19:25
morganfainbergjust making sure people who are reviewing can see what is active.19:25
morganfainbergayoung, like i said, i'll build a gist / list of anything abandoned and who was the author with links.19:25
morganfainbergayoung, should be easy to recover them when you have time to circle back on them.19:25
*** thedodd has quit IRC19:25
morganfainberg-specs are less likely to be abandoned as a lot are actually relevant even if they haven't been touched19:25
morganfainbergayoung, but some things have really been drive-by or not going to be followed up on.19:26
morganfainbergayoung, prior to the auto-abandon disable all of these would be abandoned as is - i'm giving a lot more leeway and making it easier to recover them.19:26
morganfainbergayoung, my reviews are not exempt either - if it makes a difference.19:27
ayoungIt's ok.  I can rebase the ones that I care about.  I'll try to cull any that are really dead.19:27
morganfainbergayoung, i'm looking at the list you have almost none that meet the 60 day criteria19:28
morganfainbergmaybe 119:28
morganfainbergat a glance19:28
gabriel-bezerramarekd: no, I don't. I'm trying to have it working first and logging what I'm doing.19:29
ayoungyeah, I've been trying to keep them fresh19:29
zzzeekmorganfainberg: sup19:29
gabriel-bezerradstanek: ^19:29
marekdgabriel-bezerra: ok.19:29
morganfainbergayoung, yeah and you're doing a good job. this is just a "if it really isn't worth working on we can circle back on them later"19:29
morganfainbergzzzeek, so if i enable horizontal partitioning at the RDBMS layer19:29
morganfainbergzzzeek, how bad will i break things19:29
morganfainbergzzzeek, going to use range-based partitioning19:30
zzzeekspecifically what horizontal technique19:30
gabriel-bezerramarekd: dstanek: are you using curl to make the authentication on the IdP?19:30
morganfainbergzzzeek, i didn't see anything in SQLA that touched at that layer (it implements horizontal partitioning in python it looks like)19:30
zzzeeklike postgresql inherits partitions ?19:30
morganfainbergzzzeek, like mysql, partition by range less than YEAR(1920)19:30
gabriel-bezerramarekd: dstanek: I'm trying it first on the browser. When it works, I might try to put it into a script.19:31
openstackgerritRodrigo Duarte proposed openstack/keystone: Inherited role assignments to projects
zzzeekmorganfainberg: didnt know mysql had that ....19:31
morganfainbergzzzeek, it changes what the create table looks like.19:31
morganfainbergzzzeek, it does.19:31
morganfainbergzzzeek, it's slick19:31
rodrigodsmorganfainberg, henrynash ^ thanks for the reviews19:31
morganfainbergzzzeek, it also lets you drop a partition/truncate19:31
dstanekgabriel-bezerra: put the curl in a script?19:31
morganfainbergzzzeek, it looks like the impact to SQLA should be minimal.19:31
dstanekgabriel-bezerra: seems like that should be a part of the functional tests19:32
gabriel-bezerradstanek: put the authentication in a script, probably using curl.19:32
morganfainbergzzzeek, i was asking if you knew of any land mines going down this path19:32
zzzeekmorganfainberg: OK so two areas.  one is getting the DDL in there out of SQLAlchemy if you need it, i need to see what we support in mysql at the moment.  the other is, do the MySQL drivers explode with this.  b.c. they explode w/ everything else19:32
gabriel-bezerradstanek: I could make it when using testshib. Would just have to make some adaptations, hopefully.19:32
morganfainbergafaict mysql drivers (in python e.g. mysqldb) work with this19:33
morganfainbergsince it's quiet19:33
dstanekmarekd: gabriel-bezerra: i have to put a link to the metadata in shibboleth.xml as well as in the actual IdP?19:33
zzzeekmorganfainberg: OK I see we do have Table(…., mysql_partition_by=“whatever”)19:33
morganfainbergi'm less worried about the DDL access just that we wont explode in SQLA19:33
morganfainbergi'm fine if i need to do sql.execute() to handle the alters in this case - i do *not* expect this to be db agnostic code19:33
morganfainbergit's crazy to try and develop this type of logic for *all* dbs without knowing it.19:34
gabriel-bezerradstanek: I described what I've done: just change that metadata.local entry in the to point to the metadata file I got using curl.19:34
zzzeekmorganfainberg: there’s nothing on the SQLA side that would be impacted , except if the drivers trip over it19:34
morganfainbergzzzeek, great.19:34
*** dims has quit IRC19:34
morganfainbergzzzeek, and alembic?19:34
zzzeekmorganfainberg: have never heard any reports so it is likely OK19:34
zzzeekmorganfainberg: same thing, if the ALTER statements don’t change19:34
morganfainbergzzzeek, i assume alembic would trip up in similar-ish ways to sql-a-migrate19:34
marekddstanek: you need to configure two-way trust19:34
marekdusually it can be done by exchanging peers metadata files19:34
*** dims has joined #openstack-keystone19:35
morganfainbergzzzeek, cool. i'm hoping this all just works but this is my solution to gap-lock and token table flushing19:35
marekddstanek: so, yes..19:35
dstanekgabriel-bezerra: i have already done that but it seems that the shibboleth XML config needs it in the ApplicationOverride19:35
dstanekmarekd: ok...thx19:35
gabriel-bezerradstanek: I don't know if that's all that's needed, as I'm facing that trouble in the end of the saml2 handshake. But, so far, that's all I have changed in that configuration.19:35
marekddstanek: in case of shibboleth you can do this either by storing the file locally and adding the path or adding the url19:35
zzzeekmorganfainberg: well OK when we partition into 1, 2, 3, is there still just one “table” from a MySQL catalog point of view?19:35
morganfainbergzzzeek, if we can horizontally partition and drop/truncate expired tokens with low impact it'll make managing the cases with a lot of token issuance19:35
marekdto the metadata stored somewhere in  the internet.19:35
morganfainbergzzzeek, yeah it's still a single table19:35
zzzeekmorganfainberg: see this is actually less impactful than PG’s version in that regard19:36
morganfainbergzzzeek, as far as interactions with it, nothing should change except the storage itself is split up horizontally19:36
gabriel-bezerradstanek: in the sp, I put a new MetadataProvider node, and changed the entityID of the SSO node.19:36
zzzeekmorganfainberg: yeah then this shoudl have zero issues19:36
morganfainbergzzzeek, PG's is something i wont even take a stab at yet.19:36
morganfainbergzzzeek, fantastic.19:36
zzzeekmorganfainberg: its jut a table with special options on it19:36
zzzeekmorganfainberg: PG’s approach, there are actually multiple tables19:36
morganfainbergzzzeek, if i run into any i'll be making bugs/bugging you w/ my POC19:36
morganfainbergzzzeek, yeah it looks like SQLA sortof implements the same multiple table thing19:37
gabriel-bezerradstanek: my previous shibboleth2.xml was downloaded from testshib, so it might be somewhat different from the original/example shibboleth2.xml19:37
morganfainbergzzzeek, in code19:37
zzzeekmorganfainberg: yeah dont go near that :)19:37
morganfainbergzzzeek, i don't want anything to do with it19:37
zzzeekmorganfainberg: it was a thought experiment only and also to get certain folks to leave me alone :)19:37
morganfainbergzzzeek, haha19:37
morganfainbergzzzeek, it scared me19:38
zzzeekmorganfainberg: hibernate does it19:38
morganfainbergzzzeek, this is why i'm looking at the RDBMS layer19:38
zzzeekmorganfainberg: so there was some pressure to do “everything hibernate does"19:38
morganfainbergzzzeek if it's transparent to us, it's a real win19:38
dstanekgabriel-bezerra: i'll give that a try when i get back to my desk19:38
morganfainbergzzzeek, hah. /me shakes head19:38
morganfainbergzzzeek, but i get it.19:38
morganfainbergzzzeek, thanks i'll bug you if i run into anything major19:38
morganfainbergzzzeek, but i *think* i wont.19:38
morganfainbergzzzeek, the only scary thing is going to be migrates and i think i'm just going to make them collapse the partitions before migrate.19:39
morganfainbergand resplit-out after19:39
zzzeekmorganfainberg: OK why is that, alterations have issues ?19:39
*** dims has quit IRC19:39
morganfainbergzzzeek, well if an alter touched a partition column19:39
zzzeekmorganfainberg: the new “Batch” migration thing can be used with mysql if you want19:39
morganfainbergerm a column for partitioning19:39
zzzeekmorganfainberg: it can copy the data to a new table and drop the old one19:39
morganfainbergi'd be super worried about it.19:39
morganfainbergzzzeek, yeah thats too expensive when i'm talking about millions upon millions of rows19:40
zzzeekmorganfainberg: well it is in the background19:40
morganfainbergseeing issues with ~45k-60k rows an hour being generated19:40
morganfainbergat idle19:40
morganfainbergso mitigating the management/cleanup part of that as a stopgap19:40
morganfainbergwhile we solve the other issues.19:40
zzzeekmorganfainberg: sounds a little bit un-SQL like, is this like raw stats data19:40
morganfainbergzzzeek, it's the token table19:41
zzzeekmorganfainberg: we should use redis for that :)19:41
morganfainbergzzzeek, someone doing something bad can bloat that table awfully19:41
morganfainbergredis has other overhead issues but yes that is one option i'm going to start pushing people at19:41
morganfainbergonce we're 100% at revocation events redis becomes a better story19:41
morganfainbergzzzeek, i want to never persist a token again19:42
*** dims has joined #openstack-keystone19:42
morganfainbergzzzeek, but we have work to get there, and we need to still address the issues with token table bloat for those who can't move to persistentless tokens and use SQL as a backing store.19:42
zzzeekanytime there is “high speed, throwaway key-lookup only”, redis19:43
morganfainbergzzzeek, so - stopgap - and work on better default solutions19:43
morganfainbergzzzeek, i don't disagree.19:43
* morganfainberg double negatives it up today19:43
openstackgerritRodrigo Duarte proposed openstack/keystone-specs: Fixes HEAD return code for OS-INHERIT extension
openstackgerritRodrigo Duarte proposed openstack/keystone-specs: API doc for Inherited Role Assignments to Projects
*** dnalezyt has joined #openstack-keystone19:53
topolmorganfainberg, do I need to do anything special to get the discount room at the Hotel Valencia for the Hackathon?19:53
morganfainbergtopol, let me give you the code / info19:53
morganfainbergtopol, and book it ASAP.19:53
openstackgerritRodrigo Duarte proposed openstack/keystone-specs: Fixes HEAD return code for OS-INHERIT extension
openstackgerritRodrigo Duarte proposed openstack/keystone-specs: API doc for Inherited Role Assignments to Projects
topolmorganfainberg, will book right now19:54
morganfainbergtopol, info sent19:54
raildomorganfainberg, Is there some mid cycle  "broadcast", for those who can not go? :)20:00
morganfainbergraildo, i am unsure what I'm going to be able to cobble together. i'm hoping to do a hangout - but no guarantees20:01
morganfainbergjamielennox is likely not going to be there20:01
morganfainbergso, it would be good to have his input - but the conference phone approach didn't work really well the first mid-cycle20:01
morganfainbergso i'll see what i can come up with20:02
henrynashmorganfainberg: can I use a code for the valencia as well?  If so, could you send it to me?20:02
raildomorganfainberg, great. thank you for thinking about that!20:02
morganfainberghenrynash, absolutely20:02
morganfainberghenrynash, sending20:02
*** richm has quit IRC20:04
morganfainbergok i'm hopping on a plane soon20:10
morganfainbergwill probably be back online once we get to altitude20:10
samuelmsmorganfainberg, good trip :)20:12
*** thedodd has joined #openstack-keystone20:21
*** ayoung has quit IRC20:22
*** nellysmitt has quit IRC20:24
topolmorganfainberg I am all booked up. I chose the champagne on ice welcome gift for the Valencia. Looking fwd to it20:31
*** fifieldt_ has quit IRC20:32
topolthat option only appears available if you call direct instead of using the web site20:32
morganfainbergI opted to not do the welcome gifts. But - eh. That's cause $ spent there isn't worth it when I can spend it on whiskey with everyone else.20:32
morganfainbergGod. Drank so much wine w/ the foundation.20:33
morganfainbergPretty much the best food / drink I've had at a business trip yet.20:33
topolmorganfainberg. Excellent.  I will make sure to bring my wallet with me to buy folks drinks too20:33
morganfainbergGetting in the air. Need to jump to airplane mode for a few minutes.20:34
*** marcoemorais has joined #openstack-keystone20:34
topolsafe travels20:34
*** marcoemorais1 has joined #openstack-keystone20:38
*** marcoemorais has quit IRC20:41
topoldstanek, you around?20:41
dstanektopol: yep20:41
topoldstanek, YOU ARE AWESOME!20:41
dstanektopol: ?20:42
topoldstanek, I looked at
topoldstanek, I promise to root for the browns over the bengals if you make the Keystone DI more palatable :-)20:43
dstanektopol: haha20:43
topoldstanek, RE:
*** thedodd has quit IRC20:44
dstanektopol: your comment on my other review about Hoyer was dead on and made me laugh20:44
topoldstanek, I was hoping you would appreciate that!!!20:45
topoldstanek time for Johnny football!20:45
dstaneki'm not sure appreciate is the right word to use there20:45
topoldstanek, when I was new to python/Keystone the way Keystone did DI it was so hard to understand the code.  Looks like you have a way to do much better20:46
topoldstanek, so I'm excited!20:47
*** fifieldt_ has joined #openstack-keystone20:48
*** harlowja has joined #openstack-keystone20:53
bknudsonjohnny football.20:58
raildomaybe time for Brian Hoyer  :P21:00
dstanekgabriel-bezerra: you still here?21:03
dstanekraildo: ugg21:03
gabriel-bezerradstanek: yes, I am.21:04
dstanekit was starting to look like having season tickets was becoming worth it because we are guaranteed home playoff tickets (if we want to pay for them), but now there is no hope21:04
dstanekgabriel-bezerra: i did come across an issue where i was getting a 500 from the idp - is there were you were getting yours?21:05
gabriel-bezerradstanek: it happens when some configuration is wrong or you use a wrong user/password21:05
dstanekah, ok - i'm just starting to work on that now - i had an issue doing a GET on the IdP21:06
dstanekgabriel-bezerra: ^21:06
gabriel-bezerradstanek: can you see the log of the idp?21:07
gabriel-bezerraI could get some information from the idp when I ran: curl http://localhost:8088/metadata21:08
dstanekgabriel-bezerra: yeah, i'm not currently having any IdP issues21:08
*** marekd is now known as marekd|away21:10
gabriel-bezerradstanek: so, what are you doing and what is (not) working?21:11
*** _cjones_ has quit IRC21:12
dstanekgabriel-bezerra: for me everything is ok so far. i was just wondering if you got the 500 at the same place as me21:12
gabriel-bezerradstanek: I get an error from the sp, when the browser goes to something like localhost:5000/Shibboleth.sso/SAML/POST21:13
*** _cjones_ has joined #openstack-keystone21:16
morganfainbergsooooooooo slloooooooowwwwww21:23
*** tellesnobrega_ has joined #openstack-keystone21:24
openstackgerritJamie Lennox proposed openstack/python-keystoneclient: Update requests-mock syntax
bknudsonmorganfainberg: using gertty?21:30
jamielennoxgyee: is the last review for a middleware release, can you have a look?21:32
gyeejamielennox, k, one sec21:33
jamielennoxbknudson: isn't a blocker for ksc release but wanghong has a patch waiting for it in middleware, so it'd be good to be in this release and the middleware one can go next release21:34
dstanekgabriel-bezerra: now i'm at "UnknownSystemEntity: http://localhost:5000/shibboleth"21:34
jamielennoxyou had a -1 i cleared up21:34
gyeejamielennox, how are the plugin opts registered?21:36
jamielennoxgyee: auth.register_conf_options(CONF, _AUTHTOKEN_GROUP) line 35621:36
gyeeah, awesome21:37
dstanekgabriel-bezerra: it looks like i'm stuck on the step right before that21:39
*** EmilienM is now known as EmilienM|pto21:39
morganfainbergdstanek, +2 on the DI spec21:41
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Fix passing parameters to log message
jamielennoxgyee: thanks for that, can you have a quick look at as well? it's simple21:49
gyeejamielennox, looking21:50
*** andreaf has joined #openstack-keystone21:50
*** gordc has quit IRC21:51
jamielennoxhmm, there's two more that have the bknudson +2 but they're not urgent21:52
gyeejamielennox, with these two, we should be able to configure v3 auth for the service users for token validation I presume21:54
jamielennoxgyee: yep!21:54
gyeewhen are we cutting a release?21:55
jamielennoxneed to do some work in the plugins to allow client cert auth plugins, but that's where it'll be interesting21:55
jamielennoxgyee: morganfainberg wanted to do it last week21:55
dstanekmorganfainberg: excellent!21:55
jamielennoxgyee:  and are trivial if you want to clean up my review board21:56
gyeejamielennox, I was looking at the code, didn't seem we have the x509 binding part implemented21:56
jamielennoxgyee: no, i've been thinking about binding again in regards to x-service-token21:56
gyeealso, binding fingerprint is PITA as it is not conveyed by mod_ssl21:57
jamielennoxand how we would do that in the plugins21:57
gyeewe should bind issuer and serial number instead21:57
jamielennoxgyee: yep, that's why it wasn't done, have to use issuer serial but i much prefer fingerprint21:57
gyeesubject dn, issuer dn, and serial number should uniquely identify a cert21:57
jamielennoxthere's a few ways to do it21:57
gyeewe can optionally have fingerprint, but it would be just a straight hash of the cert blob21:58
jamielennoxgyee: yea, i guess we can have multiple options and the enforcer just does what it can21:59
gyeeyeah, I like options21:59
gyeewith hash, we still have a chance of collision22:00
*** dims has quit IRC22:00
jamielennoxso i'm wondering if we can only enforce token bind on X-Subject-Token and ignore bind on X-Auth-Token if present?22:00
gyeebut the possibility is so remote that it is inconsequential22:00
*** dims has joined #openstack-keystone22:01
jamielennoxthis would mean that nova->cinder for example we would only check the binding of the nova service token22:01
gyeesubject is not globally unique22:01
jamielennoxgyee: not cert subject, X-Subject-TOken22:01
morganfainbergjamielennox, i expect i'll be able to do release [my availability] either tonight or next week [i wont do it on a friday]22:01
*** Adam_ has joined #openstack-keystone22:01
morganfainbergjamielennox, it can wait till next week though easily22:01
*** Adam_ is now known as ayoung__22:02
*** radez is now known as radez_g0n322:02
jamielennoxmorganfainberg: sure, i need a release soon but next week is fine22:02
ayoung__so...upgrading to F21...did not go smoothly.  Due, I think, to python dependencies messed up by devstack installs22:02
jamielennoxmorganfainberg: also it's already my friday so if i need to look at things next week is better22:02
morganfainbergright. let me see how things are going when i'm settled after this flight.22:03
morganfainbergjamielennox, fair enough, if anything we can plan post meeting tuesday22:03
gyeemorganfainberg, ++22:03
gyeeI don't think we'll get the cert plugin implemented by next week anyway22:03
morganfainbergjamielennox, that'll give me a chance to do the relmanagement stuff like creating the milestones and tagging stuff to it.22:04
jamielennoxgyee: no, we need a way for the auth plugin to modify the send parameters of a request22:04
jamielennoxi haven't got that yet22:05
*** dims has quit IRC22:05
gyeeah, i c22:06
jamielennox is the headers part - which is really the difficult bit22:07
jamielennoxthe connect params bit is just another function22:07
jamielennoxbut i need to go in the same release to make it work22:08
jamielennoxactually maybe ^ needs to be in this release so that it's available before we change the interface next release22:08
morganfainbergjamielennox, there was a bug for nova on it passing a token to cinderclient22:09
morganfainbergand the token expired and there was no story to refresh the credentials22:09
gyeejamielennox, I suppose the security folks won't freak out on potential "header-injection" problem :)22:09
morganfainbergso user -> nova -> [cinderclient] -> cinder22:09
morganfainbergjamielennox, i left some comments on it, but if you have any extra thoughts it would be appreciated /me digs up the bug22:10
jamielennoxmorganfainberg: link? i just saw some people complaining about it in #openstack-cinder22:10
uvirtbotLaunchpad bug 1401437 in nova "nova passes incorrect authentication info to cinderclient" [High,Confirmed]22:10
bknudsonthis bug has been around forever.22:11
*** marcoemorais1 has quit IRC22:12
bknudsonand we tell them to use trusts or something.22:12
jamielennoxi don't see that code called at all22:12
*** andreaf has quit IRC22:13
morganfainbergmy comments are based on conversation w/ sdague22:14
morganfainbergabout what *is* going on22:14
openstackgerritBrant Knudson proposed openstack/keystone: Fix disabling entities when enabled is ignored
openstackgerritBrant Knudson proposed openstack/keystone: Add tests for enabled attribute ignored
openstackgerritBrant Knudson proposed openstack/keystone: Add test for update role without name
openstackgerritBrant Knudson proposed openstack/keystone: Fix update role without name using LDAP
bknudsonnova accepts a token and passes it to cinder. if the token expires then nova just passed a bad token to cinder.22:16
bknudsonI assume that's the problem.22:16
morganfainbergsure "trusts" are an answer.22:16
morganfainbergbknudson, basically22:16
bknudsonI think there was some discussion on the mailing list...22:16
morganfainbergbknudson, there has been a lot of discussion on this22:17
jamielennoxI don't understand that bug, the code he mentions is never called22:17
jamielennoxi got the nova->cinder code with sessions committed a week or so ago22:17
bknudsonmy suggestion was that keystone should make this easier by allowing a token expiration to be extended.22:17
morganfainbergbknudson, more and more i'm coming to the conclusion that is the only option that will be backwards compat22:18
morganfainbergbknudson, but that is a drastic departure from our previous stance(s) and I want to be very careful about allowing that kind of stuff to occur.22:18
jamielennoxwe could give some leeway that if X-Subject-Token is valid then we allow some period of expired X-Auth-Token22:18
bknudsonwe should be able to limit it to service users.22:18
morganfainbergjamielennox, that was my preferred option i *think* we can do that in policy22:19
jamielennoxbut i don't know if it's just going to be an issue of continually extending that window22:19
morganfainbergjamielennox, and the nice thing is if someone wants to lock that out, it's an easy change - deployer option. and it would be per-api not globally22:19
bknudsonproblem is we don't know how long it's going to take.22:19
jamielennoxbknudson: maybe we don't check it at all?22:19
morganfainbergbknudson, some API calls we may have a "don't check expires only revoked"?22:20
morganfainbergoh god that doesn't work.22:20
morganfainbergi'm planning on implementing a mass-cleanup that would purge any expired tokens quickly from the db22:20
jamielennoxbknudson: assume that the first person to add X-Subject-Token validated that the X-Auth-Token was not expired, then auth_token only enforces the X-Subject-Token expiry from then on22:20
morganfainbergwe could make the UX even worse. an explicit extend would be better22:20
morganfainbergthat way we can avoid "oops i purged an expired token"22:20
morganfainbergand a bunch of stuff fails22:21
jamielennoxoh - true, keystone won't return a token body if it is expired22:21
morganfainbergand in memcached or redis that wouldn't *really* work unless PKI and not using horizon22:21
morganfainbergsince memcached and redis would automatically drop the expired tokens22:21
morganfainbergfyi i might miss a couple comments here wireless in flight has been a bit flaky22:22
morganfainbergs/comments/irc messages22:22
bknudsoncomplain to the stewardess.22:22
bknudsonyou'll probably get thrown off22:23
gyeebknudson, no, you would ground the flight like Korean Airlines :)22:23
morganfainbergbknudson, so what is our exposure for allowing explicit extends of the token?22:23
morganfainbergbknudson, if you've thought about it at all22:23
bknudsonmorganfainberg: I think we need to provide limits on it... e.g., user needs to have a role.22:24
bknudsonthen they can limit it to service users22:24
morganfainbergand we'd need to extend the token *early* preferably before it's actually expired - because once expired it could be purged22:24
bknudsonand there's probably a limit on how long they can extend it.22:24
morganfainbergand then we're again in the same / worse state22:24
*** nellysmitt has joined #openstack-keystone22:24
bknudsonnova can extend it as soon as it gets the token.22:25
morganfainbergbknudson, yeah that was my thought22:25
bknudsonand also reject a token that's about to expire.22:25
morganfainbergthis is starting to sound a lot like the service composite token workflow(s) i proposed before we added the service token concept to middleware instead22:25
bknudsonmaybe auth token could reject a token that's about to expire.22:25
*** dims__ has joined #openstack-keystone22:26
bknudsonyes, maybe require service token.22:26
bknudsonbut that's in auth_token... I don't think keystone needs the concept22:26
morganfainbergbknudson, i want to get auth_token out of making those types of calls - i'd rather have services complain than auth token needing to outsmart or guess on the user's behalf22:26
bknudsonthat's the x-auth-token... x-subject-token is the one getting extended22:26
morganfainbergthat makes sense to me22:26
gyeecomposite tokens?22:26
morganfainberggyee, not really composite22:27
morganfainberggyee, this would be a service user *could* ask for a token to have a longer TTL because it knows it's going to perform an operation that will need more time22:27
morganfainbergbknudson, this really is just getting an extended life sub-token based on the user's token22:27
gyeemorganfainberg, right, service user can extend the token22:27
morganfainbergbknudson, because in PKI the token expiry would change the hash22:27
morganfainberggyee, but yeah the workflow is a *lot* like the composite token workflow, just without combining the tokens22:28
gyeeyeah, I think trust is a bit overkill as user will need to set up a ton of trusts22:29
openstackgerritMerged openstack/python-keystoneclient: Expose version matching functions to the public
morganfainbergand this circles back again to being able to ask: To perform X task, what roles do I need?22:30
jamielennoxmorganfainberg: if we allowed keystone to return expired tokens (with some sort of flag) couldn't we have the same thing handled on the client?22:30
*** nellysmitt has quit IRC22:30
jamielennoxWe need to figure out what providing an X-Subject-Token means22:30
morganfainbergjamielennox, yes we could. - we'd need to think about how we handle the token cleanup and adjust how expiry works in memcached and redis etc22:31
jamielennoxbecause i think it changes the flow of auth more than we have it now22:31
morganfainbergjamielennox, this might break anyone with a custom token provider22:31
morganfainbergsince the assumption cannot be made that a token that is expired will be returned22:31
gyee<---- it would break this guy :)22:31
jamielennoxno one cares about that guy ^22:32
morganfainbergand it *could* cause issues for folks who actually depend on that 40422:32
gyeeoh fug22:32
*** andreaf has joined #openstack-keystone22:32
morganfainbergso i think returning expired tokens ever at this point is a bad idea.22:32
morganfainbergi'd rather the sub-token workflow22:32
jamielennoxmorganfainberg: so from a REST api we would have to add a new flag or something22:32
morganfainbergjamielennox, this also is a schema change in the token table22:33
jamielennoxyou can't just change the behaviour of a 40422:33
morganfainbergsomething i've been trying very hard to limit22:33
jamielennoxschema change?22:33
morganfainbergjamielennox, right.22:33
jamielennoxgyee: a 404 is returned if auth_token tries to validate an expired UUID token22:34
morganfainbergjamielennox, get_token?expired_ok=True22:34
jamielennoxright - but that's not a schema change22:34
morganfainbergwe still would need a way to prevent tokens from being purged aggressively22:34
morganfainbergwhile they're still in use - meaning a new token issued probably is a *lot* easier.22:34
morganfainbergor... trusts...22:35
morganfainbergjamielennox, how do you prevent a token from being purged in a cleanup?22:36
morganfainbergjamielennox, yes it would be22:36
*** timcline_ has joined #openstack-keystone22:36
jamielennoxthe fact that a service can setup a trust on behalf of a user and just use that info forever always concerns me22:36
morganfainbergjamielennox, you'd need to have a way of preventing an in-use expired token from being purged22:36
gyeebut how does user know expired_ok?22:36
jamielennoxmorganfainberg: wouldn't that just be a window on the purge22:36
morganfainbergjamielennox, actually this won't work with the token cleanup thing i'm working on, because i'm looking at doing a drop partition where the partition would be something like expires(NOW() - (ttl+fudge_factor))22:37
jamielennoxDELETE * WHERE expired > NOW() + hour22:37
*** marcoemorais has joined #openstack-keystone22:37
morganfainbergjamielennox, drop/truncate won't inspect the data22:37
morganfainbergat all22:37
gyeeUX would suck right, if I have to add that flag every time I request a token to talk to nova22:37
jamielennoxgyee: no - the only thing it would affect is auth_token middleware22:37
morganfainbergeither trusts or sub-token (new token w/ extended life) would be the only options22:37
*** stevemar has joined #openstack-keystone22:38
*** ChanServ sets mode: +v stevemar22:38
morganfainberggyee, this might be a case where the token should be locked to nova somehow? constrained to come from that service user?22:38
morganfainbergjamielennox, ^22:38
morganfainbergbknudson, ^22:39
morganfainbergif we do it that way22:39
*** timcline has quit IRC22:39
gyeemorganfainberg, it may work22:39
gyeetransparent to the user22:39
bknudsonI don't think we should say how nova has to be implemented.22:39
*** marcoemorais1 has joined #openstack-keystone22:40
gyeebknudson, nova extends the life of the token on behalf of the user22:40
bknudsonright, it did that so it can pass the token to other services.22:40
bknudsonthe other service might want to extend it again and pass it off again.22:40
morganfainbergbknudson, it doesn't solve the issue(s) i was thinking - was thinking MITM - but MITM would grab anything nova has to auth itself as well (short of some krb5 type magic)22:40
*** timcline_ has quit IRC22:40
morganfainbergand tokens, even service tokens, are bearer22:40
gyeeuse x.509 then22:41
jamielennoxbknudson: right - if we allow these extensions bound to a service then anyone receiving that token to talk to another service would need to fetch another sub-token22:41
morganfainberggyee, deployer option.22:41
bknudsonif we need to solve the MITM / bearer token issue then I think that's a separate issue22:41
*** topol has quit IRC22:41
morganfainbergbknudson, right i'm fine with ignoring that22:41
bknudsonwe seem to be just trying to make things complicated22:41
morganfainbergbknudson, so back to: a) trusts22:41
*** marcoemorais has quit IRC22:41
bknudsonwhich, unfortunately, never makes things more secure22:41
morganfainbergb) nova can request an extended life token.22:42
gyeebknudson, you want secure, and usable? :)22:42
bknudsonI have no problem with trusts but seems like overkill22:43
jamielennoxmorganfainberg: the only way i can see to do that *relatively* securely is to allow policy to specify which calls are allowed to be made with those extended22:43
morganfainbergbknudson, it does - but it *does* solve the issue. it just isn't very usable22:43
jamielennoxtokens and we don't know what they will be22:43
bknudsonthings "worked" fine when we had long lived tokens (like, 2 days)22:43
morganfainbergbknudson, sort of but they did work better22:43
bknudsonand I think a lot of deployments just set the token lifetime to 2 days.22:44
gyeeit's about risk management22:44
gyeek, y'all, gotta run, be back later22:45
*** gyee has quit IRC22:45
morganfainbergbknudson, we could set the default token TTL back to 8640022:45
morganfainbergi think nothing was really broken around that point22:46
* morganfainberg doesn't like that though.22:46
morganfainbergand it does make things look questionable when we're reversing opinion on security vs usability vs <whatever we said in the past>22:46
bknudsonthe reason we went to a shorter token time is to find these issues.22:47
bknudsononce we find them we should be figuring out how to fix it22:47
morganfainbergi'd rather have a *clean* way to fix than just revert the TTL22:47
morganfainbergbut it is an option.22:47
* morganfainberg will mull on this some.22:48
*** dims__ has quit IRC22:49
*** dims__ has joined #openstack-keystone22:50
*** dims__ has quit IRC22:54
*** henrynash has quit IRC22:57
openstackgerritBrant Knudson proposed openstack/keystone: Fix disabling entities when enabled is ignored
openstackgerritBrant Knudson proposed openstack/keystone: Fix update role without name using LDAP
openstackgerritBrant Knudson proposed openstack/keystone: Add tests for enabled attribute ignored
openstackgerritBrant Knudson proposed openstack/keystone: Add test for update role without name
*** stevemar has quit IRC23:00
*** thedodd has joined #openstack-keystone23:12
*** ayoung__ has quit IRC23:12
*** andreaf has quit IRC23:14
*** dnalezyt has quit IRC23:20
openstackgerritAnne Gentle proposed openstack/identity-api: Indicate repo is frozen in README
*** tellesnobrega has quit IRC23:30
openstackgerritJorge Munoz proposed openstack/keystone-specs: Read/Write LDAP drivers
*** thedodd has quit IRC23:34
*** henrynash has joined #openstack-keystone23:37
*** ChanServ sets mode: +v henrynash23:37
*** tellesnobrega has joined #openstack-keystone23:42
*** dims__ has joined #openstack-keystone23:47
openstackgerritMerged openstack/python-keystoneclient: Log the CA cert with the debug statement
*** shakamunyi has quit IRC23:49
openstackgerritMerged openstack/keystonemiddleware: Allow loading other auth methods in auth_token
openstackgerritJamie Lennox proposed openstack/python-keystoneclient: Remove kwargs from Session.request