Wednesday, 2015-01-07

[00:01] *** david-lyle is now known as david-lyle_afk
[00:26] <openstackgerrit> Marek Denis proposed openstack/keystone-specs: Standardize federated scoping process. https://review.openstack.org/145204
[00:28] *** zzzeek has quit IRC
[00:30] *** dgonzalez has joined #openstack-keystone
[00:31] *** ayoung has joined #openstack-keystone
[00:31] *** ChanServ sets mode: +v ayoung
[00:35] *** dgonzalez has quit IRC
[00:50] <openstackgerrit> guang-yee proposed openstack/keystone: make sure the namespace prefixes are explicit for the signed SAML2 assertion https://review.openstack.org/145159
[00:54] <openstackgerrit> guang-yee proposed openstack/keystone: make sure the namespace prefixes are explicit for the signed SAML2 assertion https://review.openstack.org/145159
[00:55] *** ksavich has quit IRC
[00:58] *** mattfarina has joined #openstack-keystone
[01:06] *** avozza is now known as zz_avozza
[01:10] *** zz_avozza is now known as avozza
[01:25] *** _cjones_ has quit IRC
[01:31] *** dgonzalez has joined #openstack-keystone
[01:33] *** atiwari has quit IRC
[01:36] *** dgonzalez has quit IRC
[01:52] *** henrynash has joined #openstack-keystone
[01:52] *** ChanServ sets mode: +v henrynash
[02:00] <openstackgerrit> henry-nash proposed openstack/keystone: Split roles into their own backend within assignments. https://review.openstack.org/144239
[02:02] <openstackgerrit> henry-nash proposed openstack/keystone: Correct doc string for grant driver methods. https://review.openstack.org/144403
[02:03] <openstackgerrit> henry-nash proposed openstack/keystone: Make controllers call the new, split out, role manager. https://review.openstack.org/144494
[02:03] <openstackgerrit> henry-nash proposed openstack/keystone: Make unit tests call the new, split out, role manager. https://review.openstack.org/144548
[02:04] <openstackgerrit> henry-nash proposed openstack/keystone: Refactor assignment manager/driver methods https://review.openstack.org/144650
[02:05] <openstackgerrit> henry-nash proposed openstack/keystone: Correct comment about circular dependency. https://review.openstack.org/144850
[02:07] <openstackgerrit> henry-nash proposed openstack/keystone: Move projects and domains to their own backend. https://review.openstack.org/144824
[02:07] <openstackgerrit> henry-nash proposed openstack/keystone: Remove unused pointer to assignment in identity driver. https://review.openstack.org/145022
[02:09] <openstackgerrit> henry-nash proposed openstack/keystone: Make controllers and managers reference new resource manager. https://review.openstack.org/133525
[02:11] <openstackgerrit> henry-nash proposed openstack/keystone: Make unit tests call the new reource manager. https://review.openstack.org/130954
[02:14] *** nkinder has joined #openstack-keystone
[02:19] *** packet has joined #openstack-keystone
[02:21] <openstackgerrit> ayoung proposed openstack/keystone: member for assignment policy https://review.openstack.org/142162
[02:32] *** dgonzalez has joined #openstack-keystone
[02:36] *** dgonzalez has quit IRC
[02:40] <wanghong> ayoung: ping
[02:44] <ayoung> wanghong, I'm here.  In the future, it is better to just ask your question than to say "ping"
[02:45] <openstackgerrit> guang-yee proposed openstack/keystone: explicit namespace prefixes for SAML2 assertion https://review.openstack.org/145159
[02:48] <wanghong> ayoung: OK, what are "Micro versions and multiple versions"? I am not very clear.
[02:48] <ayoung> 3.0 vs 3.1
[02:49] <ayoung> if it was looking for 3* before it would only match 3.0, not 3.1
[02:51] <wanghong> Do you mean I should add tests for 3.2, 3.3?
[02:53] *** erkules has quit IRC
[03:01] <ayoung> wanghong, it doesn't have to be exhaustive, but some versions like that are necessary, yes
[03:02] *** avozza is now known as zz_avozza
[03:07] <wanghong> ayoung: OK, thanks
[03:21] *** erkules has joined #openstack-keystone
[03:23] *** richm has quit IRC
[03:33] *** dgonzalez has joined #openstack-keystone
[03:37] *** dgonzalez has quit IRC
[03:41] *** chlong has quit IRC
[03:42] *** chlong has joined #openstack-keystone
[03:42] *** chlong has quit IRC
[03:44] *** chlong has joined #openstack-keystone
[03:48] *** chlong has quit IRC
[03:48] *** chlong has joined #openstack-keystone
[03:51] *** packet has quit IRC
[03:55] *** lhcheng has quit IRC
[04:09] *** mattfarina has quit IRC
[04:16] *** Nakato has quit IRC
[04:16] *** Nakato has joined #openstack-keystone
[04:18] *** Nakato has quit IRC
[04:18] *** rm_work|away is now known as rm_work
[04:19] *** Nakato has joined #openstack-keystone
[04:24] *** rm_work is now known as rm_work|away
[04:31] *** gyee has quit IRC
[04:33] *** dgonzalez has joined #openstack-keystone
[04:38] *** dgonzalez has quit IRC
[04:42] *** lhcheng has joined #openstack-keystone
[04:44] *** lhcheng_ has joined #openstack-keystone
[04:47] *** lhcheng has quit IRC
[04:53] *** packet has joined #openstack-keystone
[04:54] *** radez is now known as radez_g0n3
[05:10] *** mattfarina has joined #openstack-keystone
[05:16] *** rubii has joined #openstack-keystone
[05:23] *** packet has quit IRC
[05:27] *** henrynash has quit IRC
[05:34] *** dgonzalez has joined #openstack-keystone
[05:39] *** dgonzalez has quit IRC
[05:40] *** lhcheng_ has quit IRC
[05:50] *** dims__ has quit IRC
[05:50] *** dims__ has joined #openstack-keystone
[05:53] *** ajayaa has joined #openstack-keystone
[05:54] *** dims__ has quit IRC
[06:00] *** lhcheng has joined #openstack-keystone
[06:01] *** zz_avozza is now known as avozza
[06:09] *** htruta has quit IRC
[06:10] <openstackgerrit> OpenStack Proposal Bot proposed openstack/keystone: Imported Translations from Transifex https://review.openstack.org/145135
[06:11] *** avozza is now known as zz_avozza
[06:35] *** dgonzalez has joined #openstack-keystone
[06:39] *** dgonzalez has quit IRC
[07:01] *** stevemar has quit IRC
[07:07] <openstackgerrit> Abhishek Kekane proposed openstack/keystone: Eventlet green threads not released back to pool https://review.openstack.org/130824
[07:07] *** afazekas_ has joined #openstack-keystone
[07:08] <openstackgerrit> Abhishek Kekane proposed openstack/keystone: Eventlet green threads not released back to pool https://review.openstack.org/130824
[07:36] *** dgonzalez has joined #openstack-keystone
[07:41] *** dgonzalez has quit IRC
[07:55] *** zz_avozza is now known as avozza
[07:56] <openstackgerrit> wanghong proposed openstack/keystonemiddleware: support micro version if sent https://review.openstack.org/130916
[08:00] *** dgonzalez has joined #openstack-keystone
[08:04] *** pcaruana|afk| is now known as pcaruana
[08:06] *** jamielennox is now known as jamielennox|away
[08:07] *** chlong has quit IRC
[08:22] <openstackgerrit> Andrey Pavlov proposed openstack/keystone: Handle SSL termination proxies for version list https://review.openstack.org/132235
[08:25] *** dgonzalez has quit IRC
[08:28] *** avozza is now known as zz_avozza
[08:34] <openstackgerrit> Andrey Pavlov proposed openstack/keystone: Handle SSL termination proxies for version list https://review.openstack.org/132235
[08:59] *** pcaruana has quit IRC
[09:10] *** lhcheng has quit IRC
[09:12] *** mfisch has quit IRC
[09:12] *** mfisch has joined #openstack-keystone
[09:12] *** mfisch is now known as Guest12671
[09:13] *** pcaruana has joined #openstack-keystone
[09:14] *** jistr has joined #openstack-keystone
[09:17] *** ajayaa has quit IRC
[09:23] *** Guest38742 is now known as jell
[09:23] *** nellysmitt has joined #openstack-keystone
[09:33] *** jamielennox|away is now known as jamielennox
[09:38] *** ajayaa has joined #openstack-keystone
[09:51] <openstackgerrit> Marek Denis proposed openstack/python-keystoneclient: Standardize token scoping workflow. https://review.openstack.org/142376
[09:53] *** boris-42 has quit IRC
[10:03] *** esmute has quit IRC
[10:06] *** esmute has joined #openstack-keystone
[10:09] *** jamielennox is now known as jamielennox|away
[10:10] *** lhcheng has joined #openstack-keystone
[10:15] *** lhcheng has quit IRC
[10:38] *** chlong has joined #openstack-keystone
[10:50] *** zz_avozza is now known as avozza
[10:56] *** avozza is now known as zz_avozza
[11:06] *** boris-42 has joined #openstack-keystone
[11:08] *** jamielennox|away is now known as jamielennox
[11:08] *** chlong has quit IRC
[11:09] *** zz_avozza is now known as avozza
[11:09] *** lhcheng has joined #openstack-keystone
[11:14] *** lhcheng has quit IRC
[11:30] *** dims__ has joined #openstack-keystone
[11:40] *** andreaf has joined #openstack-keystone
[11:47] *** dgonzalez has joined #openstack-keystone
[11:47] *** dgonzalez has quit IRC
[11:48] *** dgonzalez has joined #openstack-keystone
[11:49] *** mattfarina has quit IRC
[11:58] *** david-lyle_afk is now known as david-lyle
[11:58] *** mattfarina has joined #openstack-keystone
[11:59] <breton> morganfainberg: how long is that form going to live?
[12:03] <openstackgerrit> Marco Fargetta proposed openstack/keystone: Multiple IdP authentication URL https://review.openstack.org/142743
[12:08] *** avozza is now known as zz_avozza
[12:10] *** jaosorior has joined #openstack-keystone
[12:11] *** lhcheng has joined #openstack-keystone
[12:15] *** lhcheng has quit IRC
[12:18] *** Zemeio has joined #openstack-keystone
[12:19] *** Zemeio has left #openstack-keystone
[12:19] *** jamielennox is now known as jamielennox|away
[12:33] *** Zemeio has joined #openstack-keystone
[12:33] <Zemeio> Guys, I'm trying to run keystone but it is running into an error. I'm currently on Fedora 21, this is what I found on the error: http://pastebin.com/u4gprUtN
[12:34] <Zemeio> The file exists, I don't know what is happening. I installed the keystone through packstack and then upgraded with pip (wasn't working before, same error). The command to start the keystone is: /sbin/service openstack-keystone start
[12:51] *** rushiagr_away is now known as rushiagr
[13:08] *** david-lyle is now known as david-lyle_afk
[13:09] *** rushiagr is now known as rushiagr_away
[13:10] *** topol has joined #openstack-keystone
[13:10] *** ChanServ sets mode: +v topol
[13:13] *** mattfarina has quit IRC
[13:14] *** mattfarina has joined #openstack-keystone
[13:14] *** bknudson has joined #openstack-keystone
[13:14] *** ChanServ sets mode: +v bknudson
[13:21] *** mattfarina has quit IRC
[13:21] *** samueldmq has joined #openstack-keystone
[13:22] *** mattfarina has joined #openstack-keystone
[13:24] *** topol has quit IRC
[13:26] *** radez_g0n3 is now known as radez
[13:27] <ayoung> Zemeio, sounds like /etc/keystone/keystone.paste is not where expected.  The value is in the /etc/keystone/keystone.conf file in [paste_deploy]
[13:27] <ayoung> config_file = /etc/keystone/keystone-paste.ini
[13:27] *** mattfarina has quit IRC
[13:27] <ayoung> packstack probably puts it under /usr/share since RDO considers it code, not a config file (IIRC)
[13:40] *** vhoward- has joined #openstack-keystone
[13:47] *** bdossant has joined #openstack-keystone
[13:47] <openstackgerrit> Brant Knudson proposed openstack/keystone: Change the default digest for pki/ssl_setup to sha256 https://review.openstack.org/117367
[14:01] <openstackgerrit> Alistair Coles proposed openstack/keystonemiddleware: Fix environ keys missing HTTP_ prefix https://review.openstack.org/145505
[14:13] *** sriram has joined #openstack-keystone
[14:14] *** richm has joined #openstack-keystone
[14:24] <openstackgerrit> Marco Fargetta proposed openstack/keystone: Multiple IdP authentication URL https://review.openstack.org/142743
[14:25] *** nkinder has quit IRC
[14:26] *** joesavak has joined #openstack-keystone
[14:32] *** joesavak has quit IRC
[14:32] *** joesavak has joined #openstack-keystone
[14:34] *** samueldmq has quit IRC
[14:44] *** Guest12671 is now known as mfisch
[14:44] *** mfisch has quit IRC
[14:44] *** mfisch has joined #openstack-keystone
[14:45] *** htruta has joined #openstack-keystone
[14:48] *** topol has joined #openstack-keystone
[14:48] *** ChanServ sets mode: +v topol
[14:49] *** rubii has quit IRC
[14:53] *** mattfarina has joined #openstack-keystone
[14:54] *** gordc has joined #openstack-keystone
[14:57] *** jistr has quit IRC
[14:57] *** ajayaa has quit IRC
[14:59] *** jistr has joined #openstack-keystone
[15:00] *** dgonzale_ has joined #openstack-keystone
[15:04] *** dgonzalez has quit IRC
[15:07] <openstackgerrit> Marco Fargetta proposed openstack/keystone: Multiple IdP authentication URL https://review.openstack.org/142743
[15:07] *** fmarco76 has joined #openstack-keystone
[15:14] *** timcline has joined #openstack-keystone
[15:15] <openstackgerrit> Alistair Coles proposed openstack/keystonemiddleware: Fix environ keys missing HTTP_ prefix https://review.openstack.org/145505
[15:15] *** nkinder has joined #openstack-keystone
[15:19] <topol> morganfainberg which was the revocation spec that you wanted folks to review?
[15:23] <openstackgerrit> Brant Knudson proposed openstack/keystonemiddleware: Refactor extract class for signing directory https://review.openstack.org/122281
[15:23] <openstackgerrit> Brant Knudson proposed openstack/keystonemiddleware: Refactor auth_token revocation list members to new class https://review.openstack.org/102403
[15:29] <openstackgerrit> Marco Fargetta proposed openstack/keystone: Multiple IdP authentication URL https://review.openstack.org/142743
[15:35] *** dkingshott has joined #openstack-keystone
[15:42] <openstackgerrit> Brant Knudson proposed openstack/keystone: Move eventlet server options to a config section https://review.openstack.org/130962
[15:45] *** ajayaa has joined #openstack-keystone
[15:56] <openstackgerrit> Marek Denis proposed openstack/keystone-specs: Standardize federated scoping process. https://review.openstack.org/145204
[16:00] *** stevemar has joined #openstack-keystone
[16:00] *** ChanServ sets mode: +v stevemar
[16:02] <openstackgerrit> Merged openstack/pycadf: Updated from global requirements https://review.openstack.org/142714
[16:02] <openstackgerrit> Sean Dague proposed openstack/python-keystoneclient: don't log service catalog in every token response https://review.openstack.org/145532
[16:06] *** flwang has quit IRC
[16:18] *** jistr has quit IRC
[16:18] *** flwang has joined #openstack-keystone
[16:21] *** nellysmitt has quit IRC
[16:34] *** jistr has joined #openstack-keystone
[16:34] *** _cjones_ has joined #openstack-keystone
[16:35] *** henrynash has joined #openstack-keystone
[16:35] *** ChanServ sets mode: +v henrynash
[16:40] *** gyee has joined #openstack-keystone
[16:40] *** ChanServ sets mode: +v gyee
[16:43] *** bdossant has quit IRC
[16:52] <stevemar> morganfainberg, nice presentation on keystone overview :)
[17:00] *** rm_work|away is now known as rm_work
[17:03] *** joesavak has quit IRC
[17:05] *** joesavak has joined #openstack-keystone
[17:07] *** jsavak has joined #openstack-keystone
[17:09] *** rm_work is now known as rm_work|away
[17:11] *** lhcheng has joined #openstack-keystone
[17:11] *** joesavak has quit IRC
[17:12] <openstackgerrit> henry-nash proposed openstack/keystone-specs: Replace the concept of extensions in Keystone. https://review.openstack.org/133809
[17:12] *** timcline has quit IRC
[17:12] *** timcline has joined #openstack-keystone
[17:13] *** vhoward- has left #openstack-keystone
[17:14] *** fmarco76 has left #openstack-keystone
[17:15] *** afazekas_ has quit IRC
[17:15] *** gordc has quit IRC
[17:16] *** gordc has joined #openstack-keystone
[17:26] *** jistr has quit IRC
[17:30] *** vhoward- has joined #openstack-keystone
[17:40] <openstackgerrit> henry-nash proposed openstack/keystone: Split roles into their own backend within assignments. https://review.openstack.org/144239
[17:43] *** dims__ has quit IRC
[17:44] *** dims__ has joined #openstack-keystone
[17:45] *** dims__ has quit IRC
[17:45] *** EmilienM is now known as EmilienM|afk
[17:46] *** dims__ has joined #openstack-keystone
[17:47] *** david-lyle_afk is now known as david-lyle
[17:50] *** timcline_ has joined #openstack-keystone
[17:53] *** timcline has quit IRC
[17:54] *** zzzeek has joined #openstack-keystone
[17:55] *** zz_avozza is now known as avozza
[17:58] *** _cjones_ has quit IRC
[17:59] *** _cjones_ has joined #openstack-keystone
[18:00] <stevemar> morganfainberg, ping
[18:00] <morganfainberg> stevemar: pong
[18:01] <stevemar> which patch were you referring to: ACTION: *EVERYONE* review revocation events - help to get it in place as the default to replace the revocation list (morganfainberg, 18:45:35)
[18:01] <morganfainberg> stevemar: no specific patch.
[18:02] <morganfainberg> ayoung: has been working on it. But we need to put effort into making rev events the default.
[18:02] <ayoung> I can link
[18:02] <morganfainberg> ayoung: cool
[18:03] <stevemar> morganfainberg, oh so just start pounding away at using it so we iron out the bugs?
[18:03] <ayoung> morganfainberg, ah...I was thinking client patch
[18:03] <morganfainberg> I thought there was more than one.
[18:03] <ayoung> but for AE, we don't need ... yes we do?
[18:03] <morganfainberg> So not specific :)
[18:03] <morganfainberg> We need it for ae, we need it for non persist
[18:03] <morganfainberg> We also need it cause rev list is bad :P
[18:03] <ayoung> https://review.openstack.org/#/c/81166/
[18:03] <ayoung> morganfainberg, client side, too?
[18:03] <ayoung> OK so 81166 is the client review
[18:04] <morganfainberg> ayoung: well full support in middleware. However we get there
[18:04] <ayoung> right
[18:05] *** _cjones_ has quit IRC
[18:05] <ayoung> morganfainberg, the server side of revocation events should work today for AE, but it won't allow client/middleware checking
[18:05] <ayoung> I really want to get the main code out of the server and into the client, then have the server consume the client code
[18:08] *** thedodd has joined #openstack-keystone
[18:09] <stevemar> whoops, forgot to actually change the linked address, thanks ayoung
[18:09] <stevemar> re: mailing list
[18:09] <ayoung> stevemar, yep
[18:09] *** samueldmq has joined #openstack-keystone
[18:11] <openstackgerrit> Brant Knudson proposed openstack/keystone: Fix tests using extension drivers https://review.openstack.org/124603
[18:12] <openstackgerrit> Brant Knudson proposed openstack/keystone: Avoid multiple instances for a provider https://review.openstack.org/124599
[18:16] *** stevemar has quit IRC
[18:16] *** stevemar has joined #openstack-keystone
[18:16] *** ChanServ sets mode: +v stevemar
[18:17] *** jsavak has quit IRC
[18:20] *** thedodd has quit IRC
[18:22] *** joesavak has joined #openstack-keystone
[18:23] *** thedodd has joined #openstack-keystone
[18:24] *** ajayaa has quit IRC
[18:24] *** thedodd has quit IRC
[18:25] *** thedodd has joined #openstack-keystone
[18:28] *** jsavak has joined #openstack-keystone
[18:30] *** joesavak has quit IRC
[18:30] *** _cjones_ has joined #openstack-keystone
[18:37] *** joesavak has joined #openstack-keystone
[18:40] *** jsavak has quit IRC
[18:46] *** LinstatSDR has joined #openstack-keystone
[19:19] *** joesavak has quit IRC
[19:24] *** lihkin1 has joined #openstack-keystone
[19:25] *** raildo has joined #openstack-keystone
[19:36] *** joesavak has joined #openstack-keystone
[19:37] *** dank has joined #openstack-keystone
[19:41] *** dkingshott has quit IRC
[19:43] *** thedodd has quit IRC
[19:44] <morganfainberg> gyee, responded to your comments on extensions spec
[19:44] <gyee> looking
[19:45] <openstackgerrit> Brant Knudson proposed openstack/python-keystoneclient: Docstring usability improvements https://review.openstack.org/127856
[19:49] <gyee> morganfainberg, but what's the relationship between say experimental and OS-FOO? Are they orthogonal?
[19:49] <morganfainberg> gyee, orthogonal
[19:49] <morganfainberg> gyee, naming has no bearing on experimental or stable or anything else
[19:49] <gyee> but there's no distinction with "extension"
[19:50] <morganfainberg> and there isn't a distinction here - it's strictly "naming"
[19:50] <morganfainberg> gyee, this is treading closely into bikeshed
[19:51] <morganfainberg> gyee, an experimental feature / API is marked as such - we don't need to change the name
[19:51] <gyee> but aren't we trying to solve the "extension" mess or this is something else?
[19:51] <morganfainberg> the idea is extensions are no more.
[19:51] <gyee> right
[19:51] <morganfainberg> we could have standard APIs called OS-<blah> if we want
[19:51] <morganfainberg> do we *really* care what the API is called?
[19:51] <morganfainberg> does this spec need to say that?
[19:52] <morganfainberg> i think that is something we can address with new features/apis as they are proposed
[19:52] <gyee> well, I thought the spec is meant to address the "process" aspect
[19:52] <morganfainberg> also we can't change the APIs for current features.
[19:53] <morganfainberg> gyee, i really really don't want to get into quibbling over naming
[19:53] <morganfainberg> gyee, not in this spec.
[19:53] <morganfainberg> gyee, this spec says: all new features / apis are experimental
[19:53] <morganfainberg> then once they are considered stable, moved to stable
[19:53] <morganfainberg> and we stop making things "optional"
[19:54] <morganfainberg> current "extensions" are classified as stable or experimental
[19:54] <morganfainberg> and finally anything not fitting those categories is not in our tree
[19:55] <openstackgerrit> Brant Knudson proposed openstack/keystone: Cleanup test-requirements for keystoneclient https://review.openstack.org/136939
[19:57] <openstackgerrit> Brant Knudson proposed openstack/keystone: Remove unused testscenarios requirement https://review.openstack.org/136940
[19:57] <openstackgerrit> Brant Knudson proposed openstack/keystone: Remove requirements not needed by oslo-incubator modules anymore https://review.openstack.org/136941
[19:58] <openstackgerrit> Brant Knudson proposed openstack/keystone: Remove unused requirements https://review.openstack.org/145110
[20:00] *** thedodd has joined #openstack-keystone
[20:01] *** rm_work|away is now known as rm_work
[20:08] <openstackgerrit> Brant Knudson proposed openstack/python-keystoneclient-federation: Fix pep8 issue https://review.openstack.org/144511
[20:08] <openstackgerrit> henry-nash proposed openstack/keystone: Correct doc string for grant driver methods. https://review.openstack.org/144403
[20:09] <stevemar> bknudson, merge those 2 patches!
[20:09] <openstackgerrit> henry-nash proposed openstack/keystone: Make controllers call the new, split out, role manager. https://review.openstack.org/144494
[20:11] <bknudson> stevemar: which 2?
[20:11] <stevemar> https://review.openstack.org/#/c/145110/ and https://review.openstack.org/#/c/136941/
[20:11] <bknudson> will do.
[20:12] <stevemar> they are both artifacts of removing oslo-incubator code
[20:14] <openstackgerrit> henry-nash proposed openstack/keystone: Make unit tests call the new, split out, role manager. https://review.openstack.org/144548
[20:16] <morganfainberg> ayoung, ok so i am going to go get lunch then i'm looking at the accessinfo review to toss a comment in.
[20:16] *** chrisshattuck has joined #openstack-keystone
[20:17] <morganfainberg> ayoung, i *think* it's the way i'd like to see us go - if at all possible, but i see jamielennox|away's perspective
[20:17] <morganfainberg> ayoung, so i want to re-read his comments as well.
[20:19] <morganfainberg> ayoung, i'm also going to send the r/w LDAP identity survey out today
[20:19] <morganfainberg> ayoung, will ping you on the form before sending
[20:19] <ayoung> morganfainberg, I think jamielennox|away just doesn't want duplication
[20:20] <ayoung> I think I can make mine backwards compat with the existing
[20:20] <morganfainberg> ayoung, right. that's why i want to re-read the comments. if that is the case we work... yep
[20:20] <morganfainberg> ayoung, exactly
[20:20] <ayoung> ++
[20:20] *** nkinder has quit IRC
[20:21] <morganfainberg> annnd people don't read the questions/survey
[20:21] <morganfainberg> so far i see multiple responses about identity
[20:21] <morganfainberg> "users and groups"
[20:21] <morganfainberg> hmm.
[20:21] <morganfainberg> how do i resolve this.
[20:22] <ayoung> ignore them
[20:22] <morganfainberg> lhcheng, ping
[20:22] <ayoung> or do a second survey that explicitly asks about the users and groups so people can feel they have answered, then ignore them
[20:22] <lhcheng> morganfainberg, pong
[20:22] <morganfainberg> lhcheng, so you said you're looking for something to work on within keystone
[20:23] <lhcheng> morganfainberg, yes.. (would I regret this?)
[20:23] <morganfainberg> nah
[20:23] <morganfainberg> just better to ask here
[20:23] <morganfainberg> everyone is here :) so it's not just me trying to figure out where to point you
[20:23] <morganfainberg> we can always use help squashing bugs
[20:24] <lhcheng> I did look up the bugs at some point, most are already assigned
[20:24] <morganfainberg> but if you're looking at feature work, we have a lot of things in flight - and ayoung , stevemar, henrynash, gyee, dstanek, dolphm, lbragstad, etc all usually can use help with something at the very least
[20:24] <morganfainberg> jamielennox|away, as well
[20:25] <morganfainberg> it comes down to what are you looking for and what are you interested in?
[20:25] <gyee> just take some bugs from ayoung :)
[20:25] *** dgonzalez has joined #openstack-keystone
[20:25] <morganfainberg> keystone does a lot of things at the moment
[20:25] <stevemar> lhcheng, one of us, one of us
[20:25] <morganfainberg> lhcheng, see :) we're happy to have you join us! :)
[20:25] *** EmilienM|afk is now known as EmilienM
[20:25] <lhcheng> ha
[20:26] <lbragstad> lhcheng: another thing that helps a *lot* is to triage new bugs, and verify them
[20:26] <morganfainberg> lbragstad, ++
[20:26] <lbragstad> http://keystone-weekly-bug-report.tempusfrangit.org/weekly-bug-reports/keystone-weekly-bug-report.html
[20:26] <lbragstad> lhcheng: ^
[20:27] <morganfainberg> lhcheng, if you want to come to the mid-cycle i, of course, would encourage it. however, it is not required for anyone. we will mostly be discussing specs, blueprints, doing secondary design work (e.g. followup now that we're into the cycle), and then a hackathon-type day
[20:27] <lbragstad> lhcheng: that's a never ending efforts and helps a lot towards the end of the release when we build the release candidate bug list
[20:27] <lbragstad> s/efforts/effort/
[20:27] <morganfainberg> lhcheng, it's short notice to get travel approval etc now. and tbh i'd say it's more important to make it to the summit.
[20:27] <lhcheng> morganfainberg, not exactly sure yet what feature.  Yahoo would be using the hierarchical projects, but it sounds like it is already worked on.
[20:28] <morganfainberg> lhcheng, well, rodrigods, raildo, are the two to talk about that
[20:28] <lbragstad> lhcheng: reviews are helpful too :)
[20:28] <morganfainberg> and i'm sure they will welcome more eyes on the code as well as can help you contribute on that front
[20:28] <openstackgerrit> Brant Knudson proposed openstack/keystone: Remove requirements not needed by oslo-incubator modules anymore https://review.openstack.org/136941
[20:28] *** dgonzale_ has quit IRC
[20:29] <lhcheng> lbragstad, been doing some reviews too. But will probably need to fix some bugs to get familiar more with the code structure.
[20:29] <samueldmq> morganfainberg, I'm also here, would be glad if I could help with hierarchical projects :)
[20:29] <morganfainberg> samueldmq, ack
[20:29] *** dgonzalez has quit IRC
[20:30] <bknudson> stevemar: squashed those 2 reviews into https://review.openstack.org/#/c/136941/
[20:30] <morganfainberg> bknudson, ++ that looks like it makes sense
[20:31] <lhcheng> morganfainberg, who's working on federation? Would like to understand how to use that, and figure out if that is something we could use.
[20:31] <morganfainberg> lhcheng, stevemar, marekd, and gyee  are the people who know the most about federation
[20:31] <morganfainberg> and samueldmq
[20:32] <morganfainberg> iirc
[20:32] <morganfainberg> lhcheng, i've got to run and get lunch, but i'll be back
[20:32] <morganfainberg> i'm leaving you in good hands here.
[20:32] <morganfainberg> :)
[20:32] <lhcheng> morganfainberg, cool. I might start with that. It is something that I am not that familiar in keystone.
[20:32] <lhcheng> morganfainberg, thanks!
[20:33] <lhcheng> stevemar, is there a good article to get started with federation or how to set that up?
[20:33] <lhcheng> gyee ^
[20:33] <openstackgerrit> henry-nash proposed openstack/keystone: Refactor assignment manager/driver methods https://review.openstack.org/144650
[20:33] <stevemar> lhcheng, hmm, i have a few resources, lemme find them
[20:34] <stevemar> i think this one is the most informative http://docs.openstack.org/developer/keystone/configure_federation.html
[20:34] *** rm_work is now known as rm_work|away
[20:34] <stevemar> lhcheng, it's basically getting user ids from an idp, in case you don't have ldap access
[20:35] <openstackgerrit> henry-nash proposed openstack/keystone: Correct comment about circular dependency. https://review.openstack.org/144850
[20:36] <lhcheng> stevemar: I have some sort of high level idea of federation, probably just need to try to set that up via keystone to have a deeper understanding.
[20:36] <lhcheng> stevemar: so the link is perfect
[20:37] <morganfainberg> stevemar, ping - so trystack is going to probably move to OIDC
[20:37] <morganfainberg> stevemar, meaning keystone master stuff
[20:37] <morganfainberg> stevemar, just a heads up, in case we need to produce any fixes for it
[20:37] <stevemar> morganfainberg, what's a trystack
[20:37] <morganfainberg> http://trystack.org
[20:37] <stevemar> hmm
[20:38] <stevemar> i better get to work on the client side support then
[20:38] <morganfainberg> yep!
[20:38] <stevemar> who works on trystack?
[20:38] <morganfainberg> there is a ML thread for it
[20:38] <morganfainberg> it's a foundation run thing
[20:38] <morganfainberg> so the usual suspects w/ an @openstack.org email
[20:39] <morganfainberg> they were also considering oauth2, i said they should stick with OIDC for now
[20:39] <morganfainberg> since well... we support that
[20:39] <stevemar> i've never used this before, i want to play with it
[20:39] <stevemar> oidc is basically oauth2 with user introspection
[20:39] <morganfainberg> yeah
[20:40] <morganfainberg> but we don't have oauth2 officially supported afaik
[20:40] <morganfainberg> in keystone
[20:40] <morganfainberg> oidc you did work on
[20:40] <morganfainberg> so - stick with what we officially support, right? :)
[20:40] <stevemar> is facebook the only way to get an account? :(
[20:40] <morganfainberg> right now
[20:40] <morganfainberg> hold on thogh
[20:40] <gyee> lhcheng, for 2k2, this one may help http://blog.rodrigods.com/playing-with-keystone-to-keystone-federation/
[20:40] <morganfainberg> though*
[20:40] <lhcheng> lbragstad: Added response for https://review.openstack.org/#/c/135808/ , can you check when you get the chance.
[20:41] <stevemar> thanks bknudson
[20:42] <lhcheng> gyee, thanks!
[20:42] *** rm_work|away is now known as rm_work
[20:44] <lhcheng> morganfainberg, are there going to be discussion on hierarchical projects on mid-cycle? I think there are gaps that need to be resolved to make it usable for us.
[20:45] <morganfainberg> lhcheng, likely but raildo  and rodrigods won't be there. hopefully i can get a google hangout setup for one of the days
[20:45] <morganfainberg> mostly we'll be looking at the spec(s) for that, less about in-depth design
[20:45] <lbragstad> lhcheng: will do, thanks for the reminder
[20:46] <lhcheng> morganfainberg, I think we need to figure out how will it interact with the nestedquota driver. Like when a project is deleted, how to release the quota.
[20:47] *** toddnni has quit IRC
[20:47] <lhcheng> morganfainberg, sounds good.
[20:47] <morganfainberg> lhcheng most of that (interaction) will be handled via notifications.
[20:48] <morganfainberg> lhcheng, which is *mostly* supported today
[20:48] <morganfainberg> ok i am going to lunch
[20:49] * lhcheng needs to read up on notifications
[20:50] <stevemar> lhcheng, oh we can work on that if you'd like :)
[20:51] <stevemar> lhcheng, the spec is here http://specs.openstack.org/openstack/keystone-specs/specs/kilo/cadf-everywhere.html
[20:52] <lhcheng> stevemar, that would be great. my boss will love that. :)
[20:54] <lhcheng> ok I am going to lunch too
[20:54] <stevemar> have fun, we can chat about it later
[20:55] *** toddnni has joined #openstack-keystone
[20:55] *** hogepodge has joined #openstack-keystone
[20:56] <hogepodge> morganfainberg you rang?
[20:56] <morganfainberg> hogepodge, hehe look in -infra :)
dstanekhow's everyone doing?20:56
lbragstaddstanek: !!20:57
lbragstadhow was the conference?20:57
dstaneklbragstad: it's alright - the talks start tomorrow - yesterday and today were tutorial days20:57
lbragstaddstanek: nice20:58
marekdstevemar: did you sort out problems with OIDC and keystoneclient...well in general browserless approach?20:58
stevemarmarekd, nope :(20:59
dstaneklbragstad: the hard part is over so now i can sit back and relax at the waterpark and maybe hit up a few talks20:59
lbragstaddstanek: sounds fun!20:59
marekdstevemar: but i guess it;s the problem with the protocol itself, right?21:00
dstaneklbragstad: yes. except for the overwhelming about of .net and java talk it'll be great21:00
lbragstaddstanek: what conference was this?21:01
openstackgerritBrant Knudson proposed openstack/keystone: Use RequestBodySizeLimiter from oslo.middleware  https://review.openstack.org/14469721:01
dstaneklbragstad: codemash.org - it's supposed to be a mashup of technologies, but this area is really "enterprise" heavy21:02
lbragstaddstanek: interesting21:02
stevemarmarekd, i'm not sure, maybe i'm doing something messed up21:02
marekd:(21:03
*** openstackgerrit has quit IRC21:05
*** openstackgerrit has joined #openstack-keystone21:05
dolphmdstanek: wb21:08
*** dolphm sets mode: +v lbragstad21:10
dstanekdolphm: :-)21:11
dolphmdstanek: are you actually back, or still in the middle of conferencing?21:11
* stevemar gives voice to dolphm21:12
* dolphm takes stevemar's voice21:12
* stevemar *murmur murmur murmur*21:12
dstanekdolphm: i'm in between evens21:13
dstanekevents21:13
dolphmdstanek: could just say you're odd21:13
morganfainbergdolphm, ++21:13
*** timcline_ has quit IRC21:14
*** timcline has joined #openstack-keystone21:15
bknudsonyou could play buzzword bingo at that conference.21:16
openstackgerritBrant Knudson proposed openstack/keystone: Use RequestBodySizeLimiter from oslo.middleware  https://review.openstack.org/14469721:17
openstackgerritBrant Knudson proposed openstack/keystone: Use RequestBodySizeLimiter from oslo.middleware  https://review.openstack.org/14469721:17
*** timcline_ has joined #openstack-keystone21:19
lbragstadbknudson: ++ buzzword bingo is the best at OpenStack conferences...21:19
*** timcline has quit IRC21:22
bknudsonI think haskell is the new buzzword... we should switch keystone to it.21:28
morganfainbergbknudson: darn but I was already 5% through writing keystone in erlang21:36
dstanekdolphm: you should know that by now21:36
*** jungleboyj has quit IRC21:39
*** nkinder has joined #openstack-keystone21:43
*** samueldmq has quit IRC21:52
*** chlong has joined #openstack-keystone21:56
*** topol has quit IRC21:56
*** chlong has quit IRC22:03
openstackgerritBrant Knudson proposed openstack/keystone: Use subunit-trace from tempest-lib  https://review.openstack.org/14560722:07
*** sriram has quit IRC22:11
*** mattfarina has quit IRC22:15
*** samueldmq has joined #openstack-keystone22:22
*** timcline_ has quit IRC22:25
*** timcline has joined #openstack-keystone22:28
*** stevemar has quit IRC22:37
*** samueldmq has quit IRC22:41
morganfainbergayoung: re: basic auth, feel free to give me more details but eventlet fixes like that seem incorrect. (Happy to change the -2 if we really need that support, but I'd rather push people towards httpd deployment)22:45
openstackgerritBrant Knudson proposed openstack/keystone: Use subunit-trace from tempest-lib  https://review.openstack.org/14560722:47
*** davidHu_ has quit IRC22:49
ayoungmorganfainberg, while I almost abandoned it due to that reasoning myself, I realized that it might fill a role if we want to go towards basic-auth in that it gives people doing eventlet deployments a way to use it as well22:50
ayoungbasic auth allows things that are currently done as posts to be done as gets22:50
ayoungI wrote it a long time ago, when eventlet was still the default.22:51
morganfainbergSure. So let's look closely at it and talk @midcycle. We'll either push it through or abandon there.22:52
*** dgonzalez has joined #openstack-keystone22:52
morganfainbergShould be a short convo and easy to work out with everyone in the room.22:53
morganfainbergIdeally I'd like to drop eventlet support completely. Don't know how feasible that really is.22:55
*** timcline has quit IRC23:03
*** timcline has joined #openstack-keystone23:04
*** dgonzalez has quit IRC23:06
*** gordc has quit IRC23:08
*** dgonzalez has joined #openstack-keystone23:12
*** jamielennox|away is now known as jamielennox23:13
openstackgerritguang-yee proposed openstack/keystone: explicit namespace prefixes for SAML2 assertion  https://review.openstack.org/14515923:15
jamielennoxmorganfainberg: what am i supposed to comment on?23:15
morganfainbergjamielennox, hm?23:15
morganfainbergjamielennox, uhhhmmmmmmmmm23:15
jamielennoxlooks like the AccessInfo thing23:16
morganfainbergjamielennox, oh yeah that.23:16
morganfainbergjamielennox, wanted to get your views clear - i think having a unified object would be nice.23:16
jamielennox... unless its changed recently i don't see the need, from a client perspective we have AccessInfo which is somewhat ugly but has a reasonable interface23:17
morganfainbergif it means ayoung's new thing needs to be backwards compat, maybe that is how we get there.23:17
morganfainbergjamielennox, if the new AccessInfo object dropped in replaced the ugly one, would it be a big concern?23:17
morganfainbergjamielennox, i'd like all token handling the same if at all possible.23:17
jamielennoxfrom a middleware perspective i would prefer to see https://review.openstack.org/#/c/137268/23:18
jamielennoxwhich we'd want regardless i guess23:18
jamielennoxthe only people that should actually be building a token object is keystone and thats what the model was for23:18
morganfainbergjamielennox, so i'd like the form of the token used in middleware, passed down, in client and in keystone to be the same - so we don't need to update 2,3,4,5 places anytime something is changed/added23:19
morganfainbergalso, it makes sure we're not inadvertently breaking something by changing how a token is issued23:19
morganfainbergor such23:19
jamielennoxmorganfainberg: my opinion there is that we should use the interface in that review i linked above23:19
morganfainbergayoung, ^23:20
jamielennoxwe need more than just accessinfo to do policy enforcement properly23:20
morganfainbergsure.23:20
morganfainbergbut you see my point23:20
morganfainbergi don't want keystone to be doing something wildly different than everything else when it comes to representation of the token (outside of the wire)23:20
jamielennoxmost of the information services need to save data are coming through the headers, and what they don't i'm passing down a fully formed plugin, just drop that into the client and go wild23:20
jamielennoxi feel the service should never have to deal with the specifics of the token at all23:21
morganfainbergsure. so if we had a well defined object with a clear interface... (public interface) that would solve it.23:21
morganfainbergyou get XXX look here for <anything> you need23:21
*** dgonzalez has quit IRC23:21
morganfainbergwhen keystone consumes a token for interacting on its API it should be the same as any other service23:22
jamielennoxso from a middleware perspective i want that to be https://review.openstack.org/#/c/137268/ because we want to treat the service token as part of a request23:22
*** chlong has joined #openstack-keystone23:22
jamielennoxmorganfainberg: that means keystone using auth_token though23:22
jamielennoxnot redefining all the interfaces23:22
morganfainbergjamielennox, well it means we break up auth_token to something useful.23:23
morganfainbergwhere keystone *can* use the parts it needs and skip the "ask keystone for data" parts23:23
*** timcline has quit IRC23:23
jamielennoxso essentially i recognize accessinfo is ugly, however it's a core part of how auth plugins work, it's passed down from auth_token as the token_info env variable and relied upon by a number of services - both as a dictionary and as an interface23:23
morganfainbergjamielennox, so in short I want an interface that defines what we pass to services [all services] and what the client can access.23:24
*** stevemar has joined #openstack-keystone23:24
*** ChanServ sets mode: +v stevemar23:24
jamielennoxheat for example does some nasty manipulations where it clones the dict and messes with fields directly  (working on that)23:24
morganfainbergit's what we present from the context (token) to anything that is consuming it23:24
morganfainbergjamielennox, that is important from a perspective of having a single issuance/validation pipeline23:24
jamielennoxmorganfainberg: i want that to be the review i linked23:25
jamielennoxbecause i want that object to be an auth plugin23:25
morganfainbergjamielennox, sure, but i don't think it's an auth_plugin23:25
jamielennoxor at least some way to easily derive an auth plugin from it23:25
morganfainbergi think it's something an auth_plugin uses23:25
jamielennoxwhy?23:25
jamielennoxthat would be https://review.openstack.org/#/c/143338/ with  AccessInfoPlugin(env['keystone.token_info'])23:26
morganfainbergagain, i want to start seeing a clear definition of what we present to anything consuming a token (including keystone server). an auth plugin can use it.23:26
openstackgerritMerged openstack/python-keystoneclient: add clear definition of service list  https://review.openstack.org/14487023:26
jamielennoxi agree23:26
morganfainbergok so we're mostly on the same page23:27
jamielennoxi just don't see the need to make that a new AccessInfo object, we can just build something better that uses the existing23:27
morganfainbergi also want to get out of the habit of having magic @property to needing to look up in an auth_ref23:27
jamielennoxnot following?23:27
morganfainberghaving to have logic to reach into a dict for all the information23:28
morganfainberglike accessinfo does today23:28
jamielennoxok - don't care so much either way on that one23:28
morganfainbergthat is something i'd like to get away from. you shouldn't need to store the token_ref.23:28
jamielennoxi'd prefer it was a userdict or whatever rather than inherit from dict but meh23:28
jamielennoxwe've used that pattern a number of times in various clients23:28
morganfainbergi want to get away from dicts so people don't shove random crap into it/expect to be able to pull things out of it23:29
jamielennoxusing [] gives you raw data using attributes gives you curated information23:29
morganfainbergif it's not part of the public interface we present it shouldn't be accessible23:29
morganfainbergi'm pushing for us to be *very* strict on what we pass down from the token23:29
morganfainbergpart of the mess we're in re tokens is because we have tons of things people can just grab that got left in23:30
morganfainbergif the data was there but not part of the public interface it could be cleaned up/removed/added to the interface if required.23:30
jamielennoxi understand everybody's concerns with python, but its python and people can do weird stuff and we're fighting the language to try and stop people from doing that23:30
*** dims__ has quit IRC23:30
morganfainbergbut i want the interface to be well defined when it comes to accessing token data23:31
morganfainbergit's more of a stop assuming it's a bag of crap we toss out there and more of a "here is the interface"23:31
morganfainbergif people go around that interface we can yell at them23:31
morganfainbergif they break23:31
jamielennoxi think that maybe that's an education or documentation thing23:31
jamielennoxif you look at the access.py file the interface is very clear23:32
morganfainbergif it is a dict it isn't a defined interface23:32
jamielennoxthe problem is that people seem to ignore that and use it as a dict instead23:32
morganfainbergthis is something we can fix by forcing the issue23:32
jamielennoxlet's just put a big deprecated sign on __getitem__23:32
morganfainbergdon't make it a dict for them to go around23:32
morganfainbergsure, and then move away from even allowing it.23:32
jamielennox(i'm not sure if that works when it's a built in type)23:32
morganfainbergeh, it's easy.23:33
morganfainbergbut it gets wonky - but i'd rather move to an object vs a dict.23:33
jamielennoxok, i'm fine with all that in principle23:33
morganfainbergat some point __getitem__ goes away23:33
morganfainbergand it breaks anyone who didn't pay attention to the deprecation warning23:33
*** lihkin1 has quit IRC23:33
jamielennoxproblems are current AccessInfo object is in use in a lot of places, and we'd need to maintain compat23:33
morganfainbergjamielennox, so lets make accessinfo better - something a bit more universal23:34
jamielennoxi think no-one should be accessing that information directly23:34
morganfainbergs/universal/ugly23:34
jamielennoxmorganfainberg: so is there an issue with https://review.openstack.org/#/c/137268/ being the interface?23:34
morganfainbergjamielennox, no - i just want to go with a public interface on it - which means likely in keystoneclient23:35
jamielennoxi made sure it's an object not a dict, and it's got read only properties23:35
jamielennoxmorganfainberg: why? what's the assumption that people will need to deal with a token that they didn't get from auth_token?23:35
morganfainbergi also want to use it in keystone23:36
morganfainbergand i also want to let people write tests around it. i want this to be *the* token definition23:36
morganfainbergif that makes sense?23:36
jamielennoxwhy isn't that object token model?23:36
morganfainbergtoken model should move towards this23:37
morganfainbergtoken model was a stepping stone.23:37
morganfainbergmy goal was token model fixes issues in keystone, then we move everything towards using it.23:38
jamielennoxso i think there are two parts to that23:38
morganfainbergideally i wanted to use something like a protobuf that could be supported in any language w/ logic to go keystone -> wire -> token model23:38
*** andreaf has quit IRC23:38
morganfainbergbut leaving that last bit out, in python we can be uniform23:38
jamielennox1. This is a token that keystone received. We should figure out how to use auth_token within keystone and use the standard there23:38
jamielennox2. This is a token that keystone created. in which case there is a whole lot more information required than what should be in an interface in auth_token middleware23:39
morganfainbergjamielennox, auth_context needs to consume parts of middleware.23:39
jamielennoxsure23:39
morganfainbergso right now validate pipeline is almost identical to issue pipeline23:40
jamielennoxis that a positive thing?23:40
morganfainbergno23:41
morganfainbergso, my thought is validate can probably be lighter weight in most cases.23:42
jamielennoxI'd be interested to see what we can share between auth_token and auth_context23:42
morganfainbergi think the token object is going to be a public interface - regardless23:43
jamielennoxagreed but token interface != auth context23:43
morganfainbergthe token interface is presented in auth_context23:44
morganfainberghiding the object that is the token in a private object doesn't feel like the right design23:44
jamielennoxsure, but for a glaring difference we have an X-Service-Token which we need to start treating as a first class citizen23:44
morganfainbergit's well defined, should be public. if this is accessinfo + less ugly, that's fine23:44
morganfainbergall tokens need to be handled with the same interface (inc. service tokens)23:45
morganfainbergso my thought was we make accessinfo (or a replacement for it) the canonical interface that is presented.23:46
jamielennoxok - how's this, i don't think it's worth the effort to design a whole new interface, people move too slowly and there are too many compatibility issues23:46
morganfainbergauth_context.service_token.<item> or whatever it looks like23:46
jamielennoxlet's remove the dict component of the current accessinfo23:46
jamielennoxconvert it to a user dict or whatever the python is23:46
morganfainbergyeah23:46
morganfainberghowever that works23:46
jamielennoxslap big deprecations over __getitem__23:46
morganfainbergso far sounds right23:47
jamielennoxand see what breaks in devstack as we simply remove __getitem__23:47
jamielennoxthere is nothing about auth plugins that rely on the dict interface23:47
morganfainbergperfect23:47
jamielennoxthere will be big heat issues, but i'm playing with that independently23:47
*** zzzeek has quit IRC23:47
morganfainbergand if we can make accessinfo less magical (doesn't ask keystone for stuff, is a plain interface)23:47
morganfainbergwe can convert the token_model in keystone over to it23:47
morganfainbergat least on in-bound token acceptance23:48
jamielennoxsure - the base object that is subclassed by v2 and v3 is essentially an ABC23:48
*** alex_xu has quit IRC23:48
morganfainbergas the first step towards making auth_context better than it is23:48
morganfainbergonce we get there we get middleware broken up in a way that lets auth_context consume the needed bits23:48
morganfainbergor split those out into a lib that auth_context can use.23:49
jamielennoxthe interface i used in that review is almost exactly the same as accessinfo i just needed to modify some return values23:49
morganfainberg++23:49
morganfainbergayoung, CC ^^ re: accessinfo review23:49
*** alex_xu has joined #openstack-keystone23:50
* morganfainberg needs to go put together a slide deck23:51
morganfainbergor two.23:51
jamielennoxayoung: i saw someone mention https://pypi.python.org/pypi/characteristic/0.1.0 and thought you'd love it23:52
jamielennoxmorganfainberg: you too ^ handles controlling what people can do with a python object23:52
morganfainbergneat23:53
*** gordc has joined #openstack-keystone23:53
morganfainbergstevemar, gonna have the guys at LCA steal most of the content from the bootstrapping hour23:54
morganfainbergstevemar, ;)23:54
jamielennoxthey're still doing a keystone thing at LCA?23:55
morganfainbergstevemar, just going to shuffle a couple things more targeting deployment.23:55
morganfainbergjamielennox, yah, someone is going to present some slides23:55
morganfainbergjamielennox, but i dunno who.23:55
morganfainbergjamielennox, at least thats the plan23:55
stevemarmorganfainberg, thats cool, glad i could help23:55
morganfainbergjamielennox, would have been better if you could have made it :P23:55
stevemarmorganfainberg, let me know who presents :)23:55
jamielennoxmorganfainberg: yea - would have been good23:55
morganfainbergstevemar, yeah gotta cut it down to 30min and focus on some choices like "why PKI vs UUID, why SQL"23:56
morganfainbergstevemar so ripping some of the more indepth slides out. but mostly it's going to be the same.23:56
morganfainbergstevemar, really appreciate you letting me use this deck as the basis23:57
*** marg7175 has joined #openstack-keystone23:58
stevemarnp at all23:59