*** david-lyle is now known as david-lyle_afk | 00:01 | |
openstackgerrit | Marek Denis proposed openstack/keystone-specs: Standardize federated scoping process. https://review.openstack.org/145204 | 00:26 |
*** zzzeek has quit IRC | 00:28 | |
*** dgonzalez has joined #openstack-keystone | 00:30 | |
*** ayoung has joined #openstack-keystone | 00:31 | |
*** ChanServ sets mode: +v ayoung | 00:31 | |
*** dgonzalez has quit IRC | 00:35 | |
openstackgerrit | guang-yee proposed openstack/keystone: make sure the namespace prefixes are explicit for the signed SAML2 assertion https://review.openstack.org/145159 | 00:50 |
openstackgerrit | guang-yee proposed openstack/keystone: make sure the namespace prefixes are explicit for the signed SAML2 assertion https://review.openstack.org/145159 | 00:54 |
*** ksavich has quit IRC | 00:55 | |
*** mattfarina has joined #openstack-keystone | 00:58 | |
*** avozza is now known as zz_avozza | 01:06 | |
*** zz_avozza is now known as avozza | 01:10 | |
*** _cjones_ has quit IRC | 01:25 | |
*** dgonzalez has joined #openstack-keystone | 01:31 | |
*** atiwari has quit IRC | 01:33 | |
*** dgonzalez has quit IRC | 01:36 | |
*** henrynash has joined #openstack-keystone | 01:52 | |
*** ChanServ sets mode: +v henrynash | 01:52 | |
openstackgerrit | henry-nash proposed openstack/keystone: Split roles into their own backend within assignments. https://review.openstack.org/144239 | 02:00 |
openstackgerrit | henry-nash proposed openstack/keystone: Correct doc string for grant driver methods. https://review.openstack.org/144403 | 02:02 |
openstackgerrit | henry-nash proposed openstack/keystone: Make controllers call the new, split out, role manager. https://review.openstack.org/144494 | 02:03 |
openstackgerrit | henry-nash proposed openstack/keystone: Make unit tests call the new, split out, role manager. https://review.openstack.org/144548 | 02:03 |
openstackgerrit | henry-nash proposed openstack/keystone: Refactor assignment manager/driver methods https://review.openstack.org/144650 | 02:04 |
openstackgerrit | henry-nash proposed openstack/keystone: Correct comment about circular dependency. https://review.openstack.org/144850 | 02:05 |
openstackgerrit | henry-nash proposed openstack/keystone: Move projects and domains to their own backend. https://review.openstack.org/144824 | 02:07 |
openstackgerrit | henry-nash proposed openstack/keystone: Remove unused pointer to assignment in identity driver. https://review.openstack.org/145022 | 02:07 |
openstackgerrit | henry-nash proposed openstack/keystone: Make controllers and managers reference new resource manager. https://review.openstack.org/133525 | 02:09 |
openstackgerrit | henry-nash proposed openstack/keystone: Make unit tests call the new reource manager. https://review.openstack.org/130954 | 02:11 |
*** nkinder has joined #openstack-keystone | 02:14 | |
*** packet has joined #openstack-keystone | 02:19 | |
openstackgerrit | ayoung proposed openstack/keystone: member for assignment policy https://review.openstack.org/142162 | 02:21 |
*** dgonzalez has joined #openstack-keystone | 02:32 | |
*** dgonzalez has quit IRC | 02:36 | |
wanghong | ayoung: ping | 02:40 |
ayoung | wanghong, I'm here. In the future, it is better to just ask your question than to say "ping" | 02:44 |
openstackgerrit | guang-yee proposed openstack/keystone: explicit namespace prefixes for SAML2 assertion https://review.openstack.org/145159 | 02:45 |
wanghong | ayoung: OK, what are "Micro versions and multiple versions"? I am not very clear. | 02:48 |
ayoung | 3.0 vs 3.1 | 02:48 |
ayoung | if it was looking for 3* before it would only match 3.0, not 3.1 | 02:49 |
wanghong | Do you mean I should add tests for 3.2, 3.3? | 02:51 |
*** erkules has quit IRC | 02:53 | |
ayoung | wanghong, it doesn't have to be exhaustive, but some versions like that are necessary, yes | 03:01 |
*** avozza is now known as zz_avozza | 03:02 | |
wanghong | ayoung: OK, thanks | 03:07 |
*** erkules has joined #openstack-keystone | 03:21 | |
*** richm has quit IRC | 03:23 | |
*** dgonzalez has joined #openstack-keystone | 03:33 | |
*** dgonzalez has quit IRC | 03:37 | |
*** chlong has quit IRC | 03:41 | |
*** chlong has joined #openstack-keystone | 03:42 | |
*** chlong has quit IRC | 03:42 | |
*** chlong has joined #openstack-keystone | 03:44 | |
*** chlong has quit IRC | 03:48 | |
*** chlong has joined #openstack-keystone | 03:48 | |
*** packet has quit IRC | 03:51 | |
*** lhcheng has quit IRC | 03:55 | |
*** mattfarina has quit IRC | 04:09 | |
*** Nakato has quit IRC | 04:16 | |
*** Nakato has joined #openstack-keystone | 04:16 | |
*** Nakato has quit IRC | 04:18 | |
*** rm_work|away is now known as rm_work | 04:18 | |
*** Nakato has joined #openstack-keystone | 04:19 | |
*** rm_work is now known as rm_work|away | 04:24 | |
*** gyee has quit IRC | 04:31 | |
*** dgonzalez has joined #openstack-keystone | 04:33 | |
*** dgonzalez has quit IRC | 04:38 | |
*** lhcheng has joined #openstack-keystone | 04:42 | |
*** lhcheng_ has joined #openstack-keystone | 04:44 | |
*** lhcheng has quit IRC | 04:47 | |
*** packet has joined #openstack-keystone | 04:53 | |
*** radez is now known as radez_g0n3 | 04:54 | |
*** mattfarina has joined #openstack-keystone | 05:10 | |
*** rubii has joined #openstack-keystone | 05:16 | |
*** packet has quit IRC | 05:23 | |
*** henrynash has quit IRC | 05:27 | |
*** dgonzalez has joined #openstack-keystone | 05:34 | |
*** dgonzalez has quit IRC | 05:39 | |
*** lhcheng_ has quit IRC | 05:40 | |
*** dims__ has quit IRC | 05:50 | |
*** dims__ has joined #openstack-keystone | 05:50 | |
*** ajayaa has joined #openstack-keystone | 05:53 | |
*** dims__ has quit IRC | 05:54 | |
*** lhcheng has joined #openstack-keystone | 06:00 | |
*** zz_avozza is now known as avozza | 06:01 | |
*** htruta has quit IRC | 06:09 | |
openstackgerrit | OpenStack Proposal Bot proposed openstack/keystone: Imported Translations from Transifex https://review.openstack.org/145135 | 06:10 |
*** avozza is now known as zz_avozza | 06:11 | |
*** dgonzalez has joined #openstack-keystone | 06:35 | |
*** dgonzalez has quit IRC | 06:39 | |
*** stevemar has quit IRC | 07:01 | |
openstackgerrit | Abhishek Kekane proposed openstack/keystone: Eventlet green threads not released back to pool https://review.openstack.org/130824 | 07:07 |
*** afazekas_ has joined #openstack-keystone | 07:07 | |
openstackgerrit | Abhishek Kekane proposed openstack/keystone: Eventlet green threads not released back to pool https://review.openstack.org/130824 | 07:08 |
*** dgonzalez has joined #openstack-keystone | 07:36 | |
*** dgonzalez has quit IRC | 07:41 | |
*** zz_avozza is now known as avozza | 07:55 | |
openstackgerrit | wanghong proposed openstack/keystonemiddleware: support micro version if sent https://review.openstack.org/130916 | 07:56 |
*** dgonzalez has joined #openstack-keystone | 08:00 | |
*** pcaruana|afk| is now known as pcaruana | 08:04 | |
*** jamielennox is now known as jamielennox|away | 08:06 | |
*** chlong has quit IRC | 08:07 | |
openstackgerrit | Andrey Pavlov proposed openstack/keystone: Handle SSL termination proxies for version list https://review.openstack.org/132235 | 08:22 |
*** dgonzalez has quit IRC | 08:25 | |
*** avozza is now known as zz_avozza | 08:28 | |
openstackgerrit | Andrey Pavlov proposed openstack/keystone: Handle SSL termination proxies for version list https://review.openstack.org/132235 | 08:34 |
*** pcaruana has quit IRC | 08:59 | |
*** lhcheng has quit IRC | 09:10 | |
*** mfisch has quit IRC | 09:12 | |
*** mfisch has joined #openstack-keystone | 09:12 | |
*** mfisch is now known as Guest12671 | 09:12 | |
*** pcaruana has joined #openstack-keystone | 09:13 | |
*** jistr has joined #openstack-keystone | 09:14 | |
*** ajayaa has quit IRC | 09:17 | |
*** Guest38742 is now known as jell | 09:23 | |
*** nellysmitt has joined #openstack-keystone | 09:23 | |
*** jamielennox|away is now known as jamielennox | 09:33 | |
*** ajayaa has joined #openstack-keystone | 09:38 | |
openstackgerrit | Marek Denis proposed openstack/python-keystoneclient: Standardize token scoping workflow. https://review.openstack.org/142376 | 09:51 |
*** boris-42 has quit IRC | 09:53 | |
*** esmute has quit IRC | 10:03 | |
*** esmute has joined #openstack-keystone | 10:06 | |
*** jamielennox is now known as jamielennox|away | 10:09 | |
*** lhcheng has joined #openstack-keystone | 10:10 | |
*** lhcheng has quit IRC | 10:15 | |
*** chlong has joined #openstack-keystone | 10:38 | |
*** zz_avozza is now known as avozza | 10:50 | |
*** avozza is now known as zz_avozza | 10:56 | |
*** boris-42 has joined #openstack-keystone | 11:06 | |
*** jamielennox|away is now known as jamielennox | 11:08 | |
*** chlong has quit IRC | 11:08 | |
*** zz_avozza is now known as avozza | 11:09 | |
*** lhcheng has joined #openstack-keystone | 11:09 | |
*** lhcheng has quit IRC | 11:14 | |
*** dims__ has joined #openstack-keystone | 11:30 | |
*** andreaf has joined #openstack-keystone | 11:40 | |
*** dgonzalez has joined #openstack-keystone | 11:47 | |
*** dgonzalez has quit IRC | 11:47 | |
*** dgonzalez has joined #openstack-keystone | 11:48 | |
*** mattfarina has quit IRC | 11:49 | |
*** david-lyle_afk is now known as david-lyle | 11:58 | |
*** mattfarina has joined #openstack-keystone | 11:58 | |
breton | morganfainberg: how long is that form going to live? | 11:59 |
openstackgerrit | Marco Fargetta proposed openstack/keystone: Multiple IdP authentication URL https://review.openstack.org/142743 | 12:03 |
*** avozza is now known as zz_avozza | 12:08 | |
*** jaosorior has joined #openstack-keystone | 12:10 | |
*** lhcheng has joined #openstack-keystone | 12:11 | |
*** lhcheng has quit IRC | 12:15 | |
*** Zemeio has joined #openstack-keystone | 12:18 | |
*** Zemeio has left #openstack-keystone | 12:19 | |
*** jamielennox is now known as jamielennox|away | 12:19 | |
*** Zemeio has joined #openstack-keystone | 12:33 | |
Zemeio | Guys, I'm trying to run keystone but it is running into an error. I'm currently on fedora 21, this is what i found on the error: http://pastebin.com/u4gprUtN | 12:33 |
Zemeio | The file exists, I don't know what is happening. I installed the keystone through packstack and then upgraded with pip (wasn't working before, same error). The command to start the keystone is: /sbin/service openstack-keystone start | 12:34 |
*** rushiagr_away is now known as rushiagr | 12:51 | |
*** david-lyle is now known as david-lyle_afk | 13:08 | |
*** rushiagr is now known as rushiagr_away | 13:09 | |
*** topol has joined #openstack-keystone | 13:10 | |
*** ChanServ sets mode: +v topol | 13:10 | |
*** mattfarina has quit IRC | 13:13 | |
*** mattfarina has joined #openstack-keystone | 13:14 | |
*** bknudson has joined #openstack-keystone | 13:14 | |
*** ChanServ sets mode: +v bknudson | 13:14 | |
*** mattfarina has quit IRC | 13:21 | |
*** samueldmq has joined #openstack-keystone | 13:21 | |
*** mattfarina has joined #openstack-keystone | 13:22 | |
*** topol has quit IRC | 13:24 | |
*** radez_g0n3 is now known as radez | 13:26 | |
ayoung | Zemeio, sounds like /etc/keystone/keystone.paste is not where expected. The value is in the /etc/keystone/keystone.conf file in [paste_deploy] | 13:27 |
ayoung | config_file = /etc/keystone/keystone-paste.ini | 13:27 |
*** mattfarina has quit IRC | 13:27 | |
ayoung | packstack probably puts it under /usr/share since RDO considers it code, not a config file (IIRC) | 13:27 |
*** vhoward- has joined #openstack-keystone | 13:40 | |
*** bdossant has joined #openstack-keystone | 13:47 | |
openstackgerrit | Brant Knudson proposed openstack/keystone: Change the default digest for pki/ssl_setup to sha256 https://review.openstack.org/117367 | 13:47 |
openstackgerrit | Alistair Coles proposed openstack/keystonemiddleware: Fix environ keys missing HTTP_ prefix https://review.openstack.org/145505 | 14:01 |
*** sriram has joined #openstack-keystone | 14:13 | |
*** richm has joined #openstack-keystone | 14:14 | |
openstackgerrit | Marco Fargetta proposed openstack/keystone: Multiple IdP authentication URL https://review.openstack.org/142743 | 14:24 |
*** nkinder has quit IRC | 14:25 | |
*** joesavak has joined #openstack-keystone | 14:26 | |
*** joesavak has quit IRC | 14:32 | |
*** joesavak has joined #openstack-keystone | 14:32 | |
*** samueldmq has quit IRC | 14:34 | |
*** Guest12671 is now known as mfisch | 14:44 | |
*** mfisch has quit IRC | 14:44 | |
*** mfisch has joined #openstack-keystone | 14:44 | |
*** htruta has joined #openstack-keystone | 14:45 | |
*** topol has joined #openstack-keystone | 14:48 | |
*** ChanServ sets mode: +v topol | 14:48 | |
*** rubii has quit IRC | 14:49 | |
*** mattfarina has joined #openstack-keystone | 14:53 | |
*** gordc has joined #openstack-keystone | 14:54 | |
*** jistr has quit IRC | 14:57 | |
*** ajayaa has quit IRC | 14:57 | |
*** jistr has joined #openstack-keystone | 14:59 | |
*** dgonzale_ has joined #openstack-keystone | 15:00 | |
*** dgonzalez has quit IRC | 15:04 | |
openstackgerrit | Marco Fargetta proposed openstack/keystone: Multiple IdP authentication URL https://review.openstack.org/142743 | 15:07 |
*** fmarco76 has joined #openstack-keystone | 15:07 | |
*** timcline has joined #openstack-keystone | 15:14 | |
openstackgerrit | Alistair Coles proposed openstack/keystonemiddleware: Fix environ keys missing HTTP_ prefix https://review.openstack.org/145505 | 15:15 |
*** nkinder has joined #openstack-keystone | 15:15 | |
topol | morganfainberg which was the revocation spec that you wanted folks to review? | 15:19 |
openstackgerrit | Brant Knudson proposed openstack/keystonemiddleware: Refactor extract class for signing directory https://review.openstack.org/122281 | 15:23 |
openstackgerrit | Brant Knudson proposed openstack/keystonemiddleware: Refactor auth_token revocation list members to new class https://review.openstack.org/102403 | 15:23 |
openstackgerrit | Marco Fargetta proposed openstack/keystone: Multiple IdP authentication URL https://review.openstack.org/142743 | 15:29 |
*** dkingshott has joined #openstack-keystone | 15:35 | |
openstackgerrit | Brant Knudson proposed openstack/keystone: Move eventlet server options to a config section https://review.openstack.org/130962 | 15:42 |
*** ajayaa has joined #openstack-keystone | 15:45 | |
openstackgerrit | Marek Denis proposed openstack/keystone-specs: Standardize federated scoping process. https://review.openstack.org/145204 | 15:56 |
*** stevemar has joined #openstack-keystone | 16:00 | |
*** ChanServ sets mode: +v stevemar | 16:00 | |
openstackgerrit | Merged openstack/pycadf: Updated from global requirements https://review.openstack.org/142714 | 16:02 |
openstackgerrit | Sean Dague proposed openstack/python-keystoneclient: don't log service catalog in every token response https://review.openstack.org/145532 | 16:02 |
*** flwang has quit IRC | 16:06 | |
*** jistr has quit IRC | 16:18 | |
*** flwang has joined #openstack-keystone | 16:18 | |
*** nellysmitt has quit IRC | 16:21 | |
*** jistr has joined #openstack-keystone | 16:34 | |
*** _cjones_ has joined #openstack-keystone | 16:34 | |
*** henrynash has joined #openstack-keystone | 16:35 | |
*** ChanServ sets mode: +v henrynash | 16:35 | |
*** gyee has joined #openstack-keystone | 16:40 | |
*** ChanServ sets mode: +v gyee | 16:40 | |
*** bdossant has quit IRC | 16:43 | |
stevemar | morganfainberg, nice presentation on keystone overview :) | 16:52 |
*** rm_work|away is now known as rm_work | 17:00 | |
*** joesavak has quit IRC | 17:03 | |
*** joesavak has joined #openstack-keystone | 17:05 | |
*** jsavak has joined #openstack-keystone | 17:07 | |
*** rm_work is now known as rm_work|away | 17:09 | |
*** lhcheng has joined #openstack-keystone | 17:11 | |
*** joesavak has quit IRC | 17:11 | |
openstackgerrit | henry-nash proposed openstack/keystone-specs: Replace the concept of extensions in Keystone. https://review.openstack.org/133809 | 17:12 |
*** timcline has quit IRC | 17:12 | |
*** timcline has joined #openstack-keystone | 17:12 | |
*** vhoward- has left #openstack-keystone | 17:13 | |
*** fmarco76 has left #openstack-keystone | 17:14 | |
*** afazekas_ has quit IRC | 17:15 | |
*** gordc has quit IRC | 17:15 | |
*** gordc has joined #openstack-keystone | 17:16 | |
*** jistr has quit IRC | 17:26 | |
*** vhoward- has joined #openstack-keystone | 17:30 | |
openstackgerrit | henry-nash proposed openstack/keystone: Split roles into their own backend within assignments. https://review.openstack.org/144239 | 17:40 |
*** dims__ has quit IRC | 17:43 | |
*** dims__ has joined #openstack-keystone | 17:44 | |
*** dims__ has quit IRC | 17:45 | |
*** EmilienM is now known as EmilienM|afk | 17:45 | |
*** dims__ has joined #openstack-keystone | 17:46 | |
*** david-lyle_afk is now known as david-lyle | 17:47 | |
*** timcline_ has joined #openstack-keystone | 17:50 | |
*** timcline has quit IRC | 17:53 | |
*** zzzeek has joined #openstack-keystone | 17:54 | |
*** zz_avozza is now known as avozza | 17:55 | |
*** _cjones_ has quit IRC | 17:58 | |
*** _cjones_ has joined #openstack-keystone | 17:59 | |
stevemar | morganfainberg, ping | 18:00 |
morganfainberg | stevemar: pong | 18:00 |
stevemar | which patch were you referring to: ACTION: *EVERYONE* review revocation events - help to get it in place as the default to replace the revocation list (morganfainberg, 18:45:35) | 18:01 |
morganfainberg | stevemar: no specific patch. | 18:01 |
morganfainberg | ayoung: has been working on it. But we need to put effort into making rev events the default. | 18:02 |
ayoung | I can link | 18:02 |
morganfainberg | ayoung: cool | 18:02 |
stevemar | morganfainberg, oh so just start pounding away at using it so we iron out the bugs? | 18:03 |
ayoung | morganfainberg, ah...I was thinking client patch | 18:03 |
morganfainberg | I thought there was more than one. | 18:03 |
ayoung | but for AE, we don't need ... yes we do? | 18:03 |
morganfainberg | So not specific :) | 18:03 |
morganfainberg | We need it for ae, we need it for non persist | 18:03 |
morganfainberg | We also need it cause rev list is bad :P | 18:03 |
ayoung | https://review.openstack.org/#/c/81166/ | 18:03 |
ayoung | morganfainberg, client side, too? | 18:03 |
ayoung | OK so 81166 is the client review | 18:03 |
morganfainberg | ayoung: well full support in middleware. However we get there | 18:04 |
ayoung | right | 18:04 |
*** _cjones_ has quit IRC | 18:05 | |
ayoung | morganfainberg, the server side of revocation events should work today for AE, but it won't allow client/middleware checking | 18:05 |
ayoung | I really want to get the main code out of the server and into the client, then have the server consume the client code | 18:05 |
*** thedodd has joined #openstack-keystone | 18:08 | |
stevemar | whoops, forgot to actually change the linked address, thanks ayoung | 18:09 |
stevemar | re: mailing list | 18:09 |
ayoung | stevemar, yep | 18:09 |
*** samueldmq has joined #openstack-keystone | 18:09 | |
openstackgerrit | Brant Knudson proposed openstack/keystone: Fix tests using extension drivers https://review.openstack.org/124603 | 18:11 |
openstackgerrit | Brant Knudson proposed openstack/keystone: Avoid multiple instances for a provider https://review.openstack.org/124599 | 18:12 |
*** stevemar has quit IRC | 18:16 | |
*** stevemar has joined #openstack-keystone | 18:16 | |
*** ChanServ sets mode: +v stevemar | 18:16 | |
*** jsavak has quit IRC | 18:17 | |
*** thedodd has quit IRC | 18:20 | |
*** joesavak has joined #openstack-keystone | 18:22 | |
*** thedodd has joined #openstack-keystone | 18:23 | |
*** ajayaa has quit IRC | 18:24 | |
*** thedodd has quit IRC | 18:24 | |
*** thedodd has joined #openstack-keystone | 18:25 | |
*** jsavak has joined #openstack-keystone | 18:28 | |
*** joesavak has quit IRC | 18:30 | |
*** _cjones_ has joined #openstack-keystone | 18:30 | |
*** joesavak has joined #openstack-keystone | 18:37 | |
*** jsavak has quit IRC | 18:40 | |
*** LinstatSDR has joined #openstack-keystone | 18:46 | |
*** joesavak has quit IRC | 19:19 | |
*** lihkin1 has joined #openstack-keystone | 19:24 | |
*** raildo has joined #openstack-keystone | 19:25 | |
*** joesavak has joined #openstack-keystone | 19:36 | |
*** dank has joined #openstack-keystone | 19:37 | |
*** dkingshott has quit IRC | 19:41 | |
*** thedodd has quit IRC | 19:43 | |
morganfainberg | gyee, responded to your comments on extensions spec | 19:44 |
gyee | looking | 19:44 |
openstackgerrit | Brant Knudson proposed openstack/python-keystoneclient: Docstring usability improvements https://review.openstack.org/127856 | 19:45 |
gyee | morganfainberg, but what's the relationship between say experimental and OS-FOO? Are they orthogonal? | 19:49 |
morganfainberg | gyee, orthogonal | 19:49 |
morganfainberg | gyee, naming has no bearing on experimental or stable or anything else | 19:49 |
gyee | but there's no distinction with "extension" | 19:49 |
morganfainberg | and there isn't a distinction here - it's strictly "naming" | 19:50 |
morganfainberg | gyee, this is treading closely into bikeshed | 19:50 |
morganfainberg | gyee, an experimental feature / API is marked as such - we don't need to change the name | 19:51 |
gyee | but aren't we trying to solve the "extension" mess or this is something else? | 19:51 |
morganfainberg | the idea is extensions are no more. | 19:51 |
gyee | right | 19:51 |
morganfainberg | we could have standard APIs called OS-<blah> if we want | 19:51 |
morganfainberg | do we *really* care what the API is called? | 19:51 |
morganfainberg | does this spec need to say that? | 19:51 |
morganfainberg | i think that is something we can address with new features/apis as they are proposed | 19:52 |
gyee | well, I thought the spec is meant to address the "process" aspect | 19:52 |
morganfainberg | also we can't change the APIs for current features. | 19:52 |
morganfainberg | gyee, i really really don't want to get into quibbling over naming | 19:53 |
morganfainberg | gyee, not in this spec. | 19:53 |
morganfainberg | gyee, this spec says: all new features / apis are experimental | 19:53 |
morganfainberg | then once they are considered stable, moved to stable | 19:53 |
morganfainberg | and we stop making things "optional" | 19:53 |
morganfainberg | current "extensions" are classified as stable or experimental | 19:54 |
morganfainberg | and finally anything not fitting those categories is not in our tree | 19:54 |
openstackgerrit | Brant Knudson proposed openstack/keystone: Cleanup test-requirements for keystoneclient https://review.openstack.org/136939 | 19:55 |
openstackgerrit | Brant Knudson proposed openstack/keystone: Remove unused testscenarios requirement https://review.openstack.org/136940 | 19:57 |
openstackgerrit | Brant Knudson proposed openstack/keystone: Remove requirements not needed by oslo-incubator modules anymore https://review.openstack.org/136941 | 19:57 |
openstackgerrit | Brant Knudson proposed openstack/keystone: Remove unused requirements https://review.openstack.org/145110 | 19:58 |
*** thedodd has joined #openstack-keystone | 20:00 | |
*** rm_work|away is now known as rm_work | 20:01 | |
openstackgerrit | Brant Knudson proposed openstack/python-keystoneclient-federation: Fix pep8 issue https://review.openstack.org/144511 | 20:08 |
openstackgerrit | henry-nash proposed openstack/keystone: Correct doc string for grant driver methods. https://review.openstack.org/144403 | 20:08 |
stevemar | bknudson, merge those 2 patches! | 20:09 |
openstackgerrit | henry-nash proposed openstack/keystone: Make controllers call the new, split out, role manager. https://review.openstack.org/144494 | 20:09 |
bknudson | stevemar: which 2? | 20:11 |
stevemar | https://review.openstack.org/#/c/145110/ and https://review.openstack.org/#/c/136941/ | 20:11 |
bknudson | will do. | 20:11 |
stevemar | they are both artifacts of removing oslo-incubator code | 20:12 |
openstackgerrit | henry-nash proposed openstack/keystone: Make unit tests call the new, split out, role manager. https://review.openstack.org/144548 | 20:14 |
morganfainberg | ayoung, ok so i am going to go get lunch then i'm looking at the accessinfo review to toss a comment in. | 20:16 |
*** chrisshattuck has joined #openstack-keystone | 20:16 | |
morganfainberg | ayoung, i *think* it's the way i'd like to see us go - if at all possible, but i see jamielennox|away's perspective | 20:17 |
morganfainberg | ayoung, so i want to re-read his comments as well. | 20:17 |
morganfainberg | ayoung, i'm also going to send the r/w LDAP identity survey out today | 20:19 |
morganfainberg | ayoung, will ping you on the form before sending | 20:19 |
ayoung | morganfainberg, I think jamielennox|away just doesn't want duplication | 20:19 |
ayoung | I think I can make mine backwards compat with the existing | 20:20 |
morganfainberg | ayoung, right. thats why i want to re-read the comments. if that is the case we work... yep | 20:20 |
morganfainberg | ayoung, exactly | 20:20 |
ayoung | ++ | 20:20 |
*** nkinder has quit IRC | 20:20 | |
morganfainberg | annnd people don't read the questions/survey | 20:21 |
morganfainberg | so far i see multiple responses about identity | 20:21 |
morganfainberg | "users and groups" | 20:21 |
morganfainberg | hmm. | 20:21 |
morganfainberg | how do i resolve this. | 20:21 |
ayoung | ignore them | 20:22 |
morganfainberg | lhcheng, ping | 20:22 |
ayoung | or do a second survey that explicitly asks about the users and groups so people can feel they have answered, then ignore them | 20:22 |
lhcheng | morganfainberg, pong | 20:22 |
morganfainberg | lhcheng, so you said you're looking for something to work on within keystone | 20:22 |
lhcheng | morganfainberg, yes.. (would I regret this?) | 20:23 |
morganfainberg | nah | 20:23 |
morganfainberg | just better to ask here | 20:23 |
morganfainberg | everyone is here :) so it's not just me trying to figure out where to point you | 20:23 |
morganfainberg | we can always use help squashing bugs | 20:23 |
lhcheng | I did look up the bugs at some point, most are already assigned | 20:24 |
morganfainberg | but if you're looking at feature work, we have a lot of things in flight - and ayoung , stevemar, henrynash, gyee, dstanek, dolphm, lbragstad, etc all usually can use help with something at the very least | 20:24 |
morganfainberg | jamielennox|away, as well | 20:24 |
morganfainberg | it comes down to what are you looking for and what are you interested in? | 20:25 |
gyee | just take some bugs from ayoung :) | 20:25 |
*** dgonzalez has joined #openstack-keystone | 20:25 | |
morganfainberg | keystone does a lot of things at the moment | 20:25 |
stevemar | lhcheng, one of us, one of us | 20:25 |
morganfainberg | lhcheng, see :) we're happy to have you join us! :) | 20:25 |
*** EmilienM|afk is now known as EmilienM | 20:25 | |
lhcheng | ha | 20:25 |
lbragstad | lhcheng: another thing that helps a *lot* is to triage new bugs, and verify them | 20:26 |
morganfainberg | lbragstad, ++ | 20:26 |
lbragstad | http://keystone-weekly-bug-report.tempusfrangit.org/weekly-bug-reports/keystone-weekly-bug-report.html | 20:26 |
lbragstad | lhcheng: ^ | 20:26 |
morganfainberg | lhcheng, if you want to come to the mid-cycle i, of course, would encourage it. however, it is not required for anyone. we will mostly be discussing specs, blueprints, doing secondary design work (e.g. followup now that we're into the cycle), and then a hackathon-type day | 20:27 |
lbragstad | lhcheng: thats a never ending efforts and helps a lot towards the end of the release when we build the release candidate bug list | 20:27 |
lbragstad | s/efforts/effort/ | 20:27 |
morganfainberg | lhcheng, it's short notice to get travel approval etc now. and tbh i'd say it's more important to make it to the summit. | 20:27 |
lhcheng | morganfainberg, not exactly sure yet what feature. Yahoo would be using the hierarchical projects, but it sounds like it is already worked on. | 20:27 |
morganfainberg | lhcheng, well, rodrigods, raildo, are the two to talk about that | 20:28 |
lbragstad | lhcheng: reviews are helpful too :) | 20:28 |
morganfainberg | and i'm sure they will welcome more eyes on the code as well as can help you contribute on that front | 20:28 |
openstackgerrit | Brant Knudson proposed openstack/keystone: Remove requirements not needed by oslo-incubator modules anymore https://review.openstack.org/136941 | 20:28 |
*** dgonzale_ has quit IRC | 20:28 | |
lhcheng | lbragstad, been doing some reviews too. But will probably need to fix some bugs to get familiar more with the code structure. | 20:29 |
samueldmq | morganfainberg, I'm also here, would be glad if I could help with hierarchical projects :) | 20:29 |
morganfainberg | samueldmq, ack | 20:29 |
*** dgonzalez has quit IRC | 20:29 | |
bknudson | stevemar: squashed those 2 reviews into https://review.openstack.org/#/c/136941/ | 20:30 |
morganfainberg | bknudson, ++ that looks like it makes sense | 20:30 |
lhcheng | morganfainberg, who's working on federation? Would like to understand how to use that, and figure out if that is something we could use. | 20:31 |
morganfainberg | lhcheng, stevemar, marekd, and gyee are the people who know the most about federation | 20:31 |
morganfainberg | and samueldmq | 20:31 |
morganfainberg | iirc | 20:32 |
morganfainberg | lhcheng, i've got to run and get lunch, but i'll be back | 20:32 |
morganfainberg | i'm leaving you in good hands here. | 20:32 |
morganfainberg | :) | 20:32 |
lhcheng | morganfainberg, cool. I might start with that. It is something that I am not that familiar in keystone. | 20:32 |
lhcheng | morganfainberg, thanks! | 20:32 |
lhcheng | stevemar, is there a good article to get started with federation or how to set that up? | 20:33 |
lhcheng | gyee ^ | 20:33 |
openstackgerrit | henry-nash proposed openstack/keystone: Refactor assignment manager/driver methods https://review.openstack.org/144650 | 20:33 |
stevemar | lhcheng, hmm, i have a few resources, lemme find them | 20:33 |
stevemar | i think this one is the most informative http://docs.openstack.org/developer/keystone/configure_federation.html | 20:34 |
*** rm_work is now known as rm_work|away | 20:34 | |
stevemar | lhcheng, its basically getting user ids from an idp, in case you don't have ldap access | 20:34 |
openstackgerrit | henry-nash proposed openstack/keystone: Correct comment about circular dependency. https://review.openstack.org/144850 | 20:35 |
lhcheng | stevemar: I have some sort of high level idea of federation, probably just need to try to set that up via keystone to have a deeper understanding. | 20:36 |
lhcheng | stevemar: so the link is perfect | 20:36 |
morganfainberg | stevemar, ping - so trystack is going to probably move to OIDC | 20:37 |
morganfainberg | stevemar, meaning keystone master stuff | 20:37 |
morganfainberg | stevemar, just a heads up, in case we need to produce any fixes for it | 20:37 |
stevemar | morganfainberg, whats a trystack | 20:37 |
morganfainberg | http://trystack.org | 20:37 |
stevemar | hmm | 20:37 |
stevemar | i better get to work on the client side support then | 20:38 |
morganfainberg | yep! | 20:38 |
stevemar | who works on trystack? | 20:38 |
morganfainberg | there is a ML thread for it | 20:38 |
morganfainberg | it's a foundation run thing | 20:38 |
morganfainberg | so the usual suspects w/ an @openstack.org email | 20:38 |
morganfainberg | they were also considering oauth2, i said they should stick with OIDC for now | 20:39 |
morganfainberg | since well... we support that | 20:39 |
stevemar | i've never used this before, i want to play with it | 20:39 |
stevemar | oidc is basically oauth2 with user introspection | 20:39 |
morganfainberg | yeah | 20:39 |
morganfainberg | but we don't have oauth2 officially supported afaik | 20:40 |
morganfainberg | in keystone | 20:40 |
morganfainberg | oidc you did work on | 20:40 |
morganfainberg | so - stick with what we officially support, right? :) | 20:40 |
stevemar | is facebook the only way to get an account? :( | 20:40 |
morganfainberg | right now | 20:40 |
morganfainberg | hold on thogh | 20:40 |
gyee | lhcheng, for 2k2, this one may help http://blog.rodrigods.com/playing-with-keystone-to-keystone-federation/ | 20:40 |
morganfainberg | though* | 20:40 |
lhcheng | lbragstad: Added response for https://review.openstack.org/#/c/135808/ , can you check when you get the chance. | 20:40 |
stevemar | thanks bknudson | 20:41 |
lhcheng | gyee, thanks! | 20:42 |
*** rm_work|away is now known as rm_work | 20:42 | |
lhcheng | morganfainberg, is there going to be discussion on hierarchical projects on mid-cycle? I think there are gaps that need to be resolved to make it usable for us. | 20:44 |
morganfainberg | lhcheng, likely but raildo and rodrigods won't be there. hopefully i can get a google hangout setup for one of the days | 20:45 |
morganfainberg | mostly we'll be looking at the spec(s) for that, less about in-depth design | 20:45 |
lbragstad | lhcheng: will do, thanks for the reminder | 20:45 |
lhcheng | morganfainberg, I think we need to figure out how will it interact with the nestedquota driver. Like when a project is deleted, how to release the quota. | 20:46 |
*** toddnni has quit IRC | 20:47 | |
lhcheng | morganfainberg, sounds good. | 20:47 |
morganfainberg | lhcheng most of that (interaction) will be handled via notifications. | 20:47 |
morganfainberg | lhcheng, which is *mostly* supported today | 20:48 |
morganfainberg | ok i am going to lunch | 20:48 |
* lhcheng needs to read up on notifications | 20:49 | |
stevemar | lhcheng, oh we can work on that if you'd like :) | 20:50 |
stevemar | lhcheng, the spec is here http://specs.openstack.org/openstack/keystone-specs/specs/kilo/cadf-everywhere.html | 20:51 |
lhcheng | stevemar, that would be great. my boss will love that. :) | 20:52 |
lhcheng | ok I am going to lunch too | 20:54 |
stevemar | have fun, we can chat about it later | 20:54 |
*** toddnni has joined #openstack-keystone | 20:55 | |
*** hogepodge has joined #openstack-keystone | 20:55 | |
hogepodge | morganfainberg you rang? | 20:56 |
morganfainberg | hogepodge, hehe look in -infra :) | 20:56 |
dstanek | how's everyone doing? | 20:56 |
lbragstad | dstanek: !! | 20:57 |
lbragstad | how was the conference? | 20:57 |
dstanek | lbragstad: it's alright - the talks start tomorrow - yesterday and today were tutorial days | 20:57 |
lbragstad | dstanek: nice | 20:58 |
marekd | stevemar: did you sort out problems with OIDC and keystoneclient...well in general browserless approach? | 20:58 |
stevemar | marekd, nope :( | 20:59 |
dstanek | lbragstad: the hard part is over so now i can sit back and relax at the waterpark and maybe hit up a few talks | 20:59 |
lbragstad | dstanek: sounds fun! | 20:59 |
marekd | stevemar: but i guess it's the problem with the protocol itself, right? | 21:00 |
dstanek | lbragstad: yes. except for the overwhelming amount of .net and java talk it'll be great | 21:00 |
lbragstad | dstanek: what conference was this? | 21:01 |
openstackgerrit | Brant Knudson proposed openstack/keystone: Use RequestBodySizeLimiter from oslo.middleware https://review.openstack.org/144697 | 21:01 |
dstanek | lbragstad: codemash.org - it's supposed to be a mashup of technologies, but this area is really "enterprise" heavy | 21:02 |
lbragstad | dstanek: interesting | 21:02 |
stevemar | marekd, i'm not sure, maybe i'm doing something messed up | 21:02 |
marekd | :( | 21:03 |
*** openstackgerrit has quit IRC | 21:05 | |
*** openstackgerrit has joined #openstack-keystone | 21:05 | |
dolphm | dstanek: wb | 21:08 |
*** dolphm sets mode: +v lbragstad | 21:10 | |
dstanek | dolphm: :-) | 21:11 |
dolphm | dstanek: are you actually back, or still in the middle of conferencing? | 21:11 |
* stevemar gives voice to dolphm | 21:12 | |
* dolphm takes stevemar's voice | 21:12 | |
* stevemar *murmur murmur murmur* | 21:12 | |
dstanek | dolphm: i'm in between evens | 21:13 |
dstanek | events | 21:13 |
dolphm | dstanek: could just say you're odd | 21:13 |
morganfainberg | dolphm, ++ | 21:13 |
*** timcline_ has quit IRC | 21:14 | |
*** timcline has joined #openstack-keystone | 21:15 | |
bknudson | you could play buzzword bingo at that conference. | 21:16 |
openstackgerrit | Brant Knudson proposed openstack/keystone: Use RequestBodySizeLimiter from oslo.middleware https://review.openstack.org/144697 | 21:17 |
openstackgerrit | Brant Knudson proposed openstack/keystone: Use RequestBodySizeLimiter from oslo.middleware https://review.openstack.org/144697 | 21:17 |
*** timcline_ has joined #openstack-keystone | 21:19 | |
lbragstad | bknudson: ++ buzzword bingo is the best at OpenStack conferences... | 21:19 |
*** timcline has quit IRC | 21:22 | |
bknudson | I think haskell is the new buzzword... we should switch keystone to it. | 21:28 |
morganfainberg | bknudson: darn but I was already 5% through writing keystone in erlang | 21:36 |
dstanek | dolphm: you should know that by now | 21:36 |
*** jungleboyj has quit IRC | 21:39 | |
*** nkinder has joined #openstack-keystone | 21:43 | |
*** samueldmq has quit IRC | 21:52 | |
*** chlong has joined #openstack-keystone | 21:56 | |
*** topol has quit IRC | 21:56 | |
*** chlong has quit IRC | 22:03 | |
openstackgerrit | Brant Knudson proposed openstack/keystone: Use subunit-trace from tempest-lib https://review.openstack.org/145607 | 22:07 |
*** sriram has quit IRC | 22:11 | |
*** mattfarina has quit IRC | 22:15 | |
*** samueldmq has joined #openstack-keystone | 22:22 | |
*** timcline_ has quit IRC | 22:25 | |
*** timcline has joined #openstack-keystone | 22:28 | |
*** stevemar has quit IRC | 22:37 | |
*** samueldmq has quit IRC | 22:41 | |
morganfainberg | ayoung: re: basic auth, feel free to give me more details but eventlet fixes like that seem incorrect. (Happy to change the -2 if we really need that support, but I'd rather push people towards httpd deployment) | 22:45 |
openstackgerrit | Brant Knudson proposed openstack/keystone: Use subunit-trace from tempest-lib https://review.openstack.org/145607 | 22:47 |
*** davidHu_ has quit IRC | 22:49 | |
ayoung | morganfainberg, while I almost abandoned it due to that reasoning myself, I realized that it might fill a role if we want to go towards basic-auth in that it gives people doing eventlet deployments a way to use it as well | 22:50 |
ayoung | basic auth allows things that are currently done as posts to be done as gets | 22:50 |
ayoung | I wrote it a long time ago, when eventlet was still the default. | 22:51 |
morganfainberg | Sure. So let's look closely at it and talk @midcycle. We'll either push it through or abandon there. | 22:52 |
*** dgonzalez has joined #openstack-keystone | 22:52 | |
morganfainberg | Should be a short convo and easy to work out with everyone in the room. | 22:53 |
morganfainberg | Ideally I'd like to drop eventlet support completely. Don't know how feasible that really is. | 22:55 |
*** timcline has quit IRC | 23:03 | |
*** timcline has joined #openstack-keystone | 23:04 | |
*** dgonzalez has quit IRC | 23:06 | |
*** gordc has quit IRC | 23:08 | |
*** dgonzalez has joined #openstack-keystone | 23:12 | |
*** jamielennox|away is now known as jamielennox | 23:13 | |
openstackgerrit | guang-yee proposed openstack/keystone: explicit namespace prefixes for SAML2 assertion https://review.openstack.org/145159 | 23:15 |
jamielennox | morganfainberg: what am i supposed to comment on? | 23:15 |
morganfainberg | jamielennox, hm? | 23:15 |
morganfainberg | jamielennox, uhhhmmmmmmmmm | 23:15 |
jamielennox | looks like the AccessInfo thing | 23:16 |
morganfainberg | jamielennox, oh yeah that. | 23:16 |
morganfainberg | jamielennox, wanted to get your views clear - i think having a unified object would be nice. | 23:16 |
jamielennox | ... unless its changed recently i don't see the need, from a client perspective we have AccessInfo which is somewhat ugly but has a reasonable interface | 23:17 |
morganfainberg | if it means ayoung's new thing needs to be backwards compat, maybe that is how we get there. | 23:17 |
morganfainberg | jamielennox, if the new AccessInfo object dropped in replaced the ugly one, would it be a big concern? | 23:17 |
morganfainberg | jamielennox, i'd like all token handling the same if at all possible. | 23:17 |
jamielennox | from a middleware perspective i would prefer to see https://review.openstack.org/#/c/137268/ | 23:18 |
jamielennox | which we'd want regardless i guess | 23:18 |
jamielennox | the only people that should actually be building a token object is keystone and thats what the model was for | 23:18 |
morganfainberg | jamielennox, so i'd like the form of the token used in middleware, passed down, in client and in keystone to be the same - so we don't need to update 2,3,4,5 places anytime something is changed/added | 23:19 |
morganfainberg | also, it makes sure we're not inadvertently breaking something by changing how a token is issued | 23:19 |
morganfainberg | or such | 23:19 |
jamielennox | morganfainberg: my opinion there is that we should use the interface in that review i linked above | 23:19 |
morganfainberg | ayoung, ^ | 23:20 |
jamielennox | we need more than just accessinfo to do policy enforcement properly | 23:20 |
morganfainberg | sure. | 23:20 |
morganfainberg | but you see my point | 23:20 |
morganfainberg | i don't want keystone to be doing something wildly different than everything else when it comes to representation of the token (outside of the wire) | 23:20 |
jamielennox | most of the information services need to save data are coming through the headers, and what they don't i'm passing down a fully formed plugin, just drop that into the client and go wild | 23:20 |
jamielennox | i feel the service should never have to deal with the specifics of the token at all | 23:21 |
morganfainberg | sure. so if we had a well defined object with a clear interface... (public interface) that would solve it. | 23:21 |
morganfainberg | you get XXX look here for <anything> you need | 23:21 |
*** dgonzalez has quit IRC | 23:21 | |
morganfainberg | when keystone consumes a token for interacting on it's API it should be the same as any other service | 23:22 |
jamielennox | so from a middleware perspective i want that to be https://review.openstack.org/#/c/137268/ because we want to treat the service token as part of a request | 23:22 |
*** chlong has joined #openstack-keystone | 23:22 | |
jamielennox | morganfainberg: that means keystone using auth_token though | 23:22 |
jamielennox | not redefining all the interfaces | 23:22 |
morganfainberg | jamielennox, well it means we break up auth_token to something useful. | 23:23 |
morganfainberg | where keystone *can* use the parts it needs and skip the "ask keystone for data" parts | 23:23 |
*** timcline has quit IRC | 23:23 | |
jamielennox | so essentially i recognize accessinfo is ugly, however it's a core part of how auth plugins work, it's passed down from auth_token as the token_info env variable and relied upon by a number of services - both as a dictionary and as an interface | 23:23 |
morganfainberg | jamielennox, so in short I want an interface that defines what we pass to services [all services] and what the client can access. | 23:24 |
*** stevemar has joined #openstack-keystone | 23:24 | |
*** ChanServ sets mode: +v stevemar | 23:24 | |
jamielennox | heat for example does some nasty manipulations where it clones the dict and messes with fields directly (working on that) | 23:24 |
morganfainberg | it's what we present from the context (token) to anything that is consuming it | 23:24 |
morganfainberg | jamielennox, that is important from a perspective of having a single issuance/validation pipeline | 23:24 |
jamielennox | morganfainberg: i want that to be the review i linked | 23:25 |
jamielennox | because i want that object to be an auth plugin | 23:25 |
morganfainberg | jamielennox, sure, but i don't think it's an auth_plugin | 23:25 |
jamielennox | or at least some way to easily derive an auth plugin from it | 23:25 |
morganfainberg | i think it's something an auth_plugin uses | 23:25 |
jamielennox | why? | 23:25 |
jamielennox | that would be https://review.openstack.org/#/c/143338/ with AccessInfoPlugin(env['keystone.token_info']) | 23:26 |
morganfainberg | again, i want to start seeing a clear definition of what we present to anything consuming a token (including keystone server). an auth plugin can use it. | 23:26 |
openstackgerrit | Merged openstack/python-keystoneclient: add clear definition of service list https://review.openstack.org/144870 | 23:26 |
jamielennox | i agree | 23:26 |
morganfainberg | ok so we're mostly on the same page | 23:27 |
jamielennox | i just don't see the need to make that a new AccessInfo object, we can just build something better that uses the existing | 23:27 |
morganfainberg | i also want to get out of the habit of having magic @property to needing to look up in an auth_ref | 23:27 |
jamielennox | not following? | 23:27 |
morganfainberg | having to have logic to reach into a dict for all the information | 23:28 |
morganfainberg | like accessinfo does today | 23:28 |
jamielennox | ok - don't care so much either way on that one | 23:28 |
morganfainberg | that is something i'd like to get away from. you shouldn't need to store the token_ref. | 23:28 |
jamielennox | i'd prefer it was a userdict or whatever rather than inherit from dict but meh | 23:28 |
jamielennox | we've used that pattern a number of times in various clients | 23:28 |
morganfainberg | i want to get away from dicts so people don't shove random crap into it/expect to be able to pull things out of it | 23:29 |
jamielennox | using [] gives you raw data using attributes gives you curated information | 23:29 |
morganfainberg | if it's not part of the public interface we present it shouldn't be accessible | 23:29 |
morganfainberg | i'm pushing for us to be *very* strict on what we pass down from the token | 23:29 |
morganfainberg | part of the mess we're in re tokens is because we have tons of things people can just grab that got left in | 23:30 |
morganfainberg | if the data was there but not part of the public interface it could be cleaned up/removed/added to the interface if required. | 23:30 |
jamielennox | i understand everybody's concerns with python, but its python and people can do weird stuff and we're fighting the language to try and stop people from doing that | 23:30 |
*** dims__ has quit IRC | 23:30 | |
morganfainberg | but i want the interface to be well defined when it comes to accessing token data | 23:31 |
morganfainberg | it's more of a stop assuming it's a bag of crap we toss out there and more of a "here is the interface" | 23:31 |
morganfainberg | if people go around that interface we can yell at them | 23:31 |
morganfainberg | if they break | 23:31 |
jamielennox | i think that maybe that's an education or documentation thing | 23:31 |
jamielennox | if you look at the access.py file the interface is very clear | 23:32 |
morganfainberg | if it is a dict it isn't a defined interface | 23:32 |
jamielennox | the problem is that people seem to ignore that and use it as a dict instead | 23:32 |
morganfainberg | this is something we can fix by forcing the issue | 23:32 |
jamielennox | let's just put a big deprecated sign on __getitem__ | 23:32 |
morganfainberg | don't make it a dict for them to go around | 23:32 |
morganfainberg | sure, and then move away from even allowing it. | 23:32 |
jamielennox | (i'm not sure if that works when it's a built in type) | 23:32 |
morganfainberg | eh, it's easy. | 23:33 |
morganfainberg | but it gets wonky - but i'd rather move to an object vs a dict. | 23:33 |
jamielennox | ok, i'm fine with all that in principle | 23:33 |
morganfainberg | at some point __getitem__ goes away | 23:33 |
morganfainberg | and it breaks anyone who didn't pay attention to the deprecation warning | 23:33 |
*** lihkin1 has quit IRC | 23:33 | |
jamielennox | problems are current AccessInfo object is in use in a lot of places, and we'd need to maintain compat | 23:33 |
morganfainberg | jamielennox, so lets make accessinfo better - something a bit more universal | 23:34 |
jamielennox | i think no-one should be accessing that information directly | 23:34 |
morganfainberg | s/universal/ugly | 23:34 |
jamielennox | morganfainberg: so is there an issue with https://review.openstack.org/#/c/137268/ being the interface? | 23:34 |
morganfainberg | jamielennox, no - i just want to go with a public interface on it - which means likely in keystoneclient | 23:35 |
jamielennox | i made sure it's an object not a dict, and it's got read only properties | 23:35 |
jamielennox | morganfainberg: why? what's the assumption that people will need to deal with a token that they didn't get from auth_token? | 23:35 |
morganfainberg | i also want to use it in keystone | 23:36 |
morganfainberg | and i also want to let people write tests around it. i want this to be *the* token definition | 23:36 |
morganfainberg | if that makes sense? | 23:36 |
jamielennox | why isn't that object token model? | 23:36 |
morganfainberg | token model should move towards this | 23:37 |
morganfainberg | token model was a stepping stone. | 23:37 |
morganfainberg | my goal was token model fixes issues in keystone, then we move everything towards using it. | 23:38 |
jamielennox | so i think there are two parts to that | 23:38 |
morganfainberg | ideally i wanted to use something like a protobuf that could be supported in any language w/ logic to go keystone -> wire -> token model | 23:38 |
*** andreaf has quit IRC | 23:38 | |
morganfainberg | but leaving that last bit out, in python we can be uniform | 23:38 |
jamielennox | 1. This is a token that keystone received. We should figure out how to use auth_token within keystone and use the standard there | 23:38 |
jamielennox | 2. This is a token that keystone created. in which case there is a whole lot more information required that what should be in an interface in auth_token middleware | 23:39 |
morganfainberg | jamielennox, auth_context needs to consume parts of middleware. | 23:39 |
jamielennox | sure | 23:39 |
morganfainberg | so right now validate pipeline is almost identical to issue pipeline | 23:40 |
jamielennox | is that a positive thing? | 23:40 |
morganfainberg | no | 23:41 |
morganfainberg | so, my thought is validate can probably be lighter weight in most cases. | 23:42 |
jamielennox | I'd be interested to see what we can share between auth_token and auth_context | 23:42 |
morganfainberg | i think the token object is going to be a public interface - regardless | 23:43 |
jamielennox | agreed but token interface != auth context | 23:43 |
morganfainberg | the token interface is presented in auth_context | 23:44 |
morganfainberg | hiding the object that is the token in a private object doesn't feel like the right design | 23:44 |
jamielennox | sure, but for a glaring difference we have an X-Service-Token which we need to start treating as a first class citizen | 23:44 |
morganfainberg | it's well defined, should be public. if this is accessinfo + less ugly, that's fine | 23:44 |
morganfainberg | all tokens need to be handled with the same interface (inc. service tokens) | 23:45 |
morganfainberg | so my thought was we make accessinfo (or a replacement for it) the canonical interface that is presented. | 23:46 |
jamielennox | ok - how's this, i don't think it's worth the effort to design a whole new interface, people move too slowly and there are too many compatibility issues | 23:46 |
morganfainberg | auth_context.service_token.<item> or whatever it looks like | 23:46 |
jamielennox | let's remove the dict component of the current accessinfo | 23:46 |
jamielennox | convert it to a user dict or whatever the python is | 23:46 |
morganfainberg | yeah | 23:46 |
morganfainberg | however that works | 23:46 |
jamielennox | slap big deprecations over __getitem__ | 23:46 |
morganfainberg | so far sounds right | 23:47 |
jamielennox | and see what breaks in devstack as we simply remove __getitem__ | 23:47 |
jamielennox | there is nothing about auth plugins that rely on the dict interface | 23:47 |
morganfainberg | perfect | 23:47 |
jamielennox | there will be big heat issues, but i'm playing with that independently | 23:47 |
*** zzzeek has quit IRC | 23:47 | |
morganfainberg | and if we can make accessinfo less magical (doesn't ask keystone for stuff, is a plain interface) | 23:47 |
morganfainberg | we can convert the token_model in keystone over to it | 23:47 |
morganfainberg | at least on in-bound token acceptance | 23:48 |
jamielennox | sure - the base object that is subclassed by v2 and v3 is essentially an ABC | 23:48 |
*** alex_xu has quit IRC | 23:48 | |
morganfainberg | as the first step towards making auth_context better than it is | 23:48 |
morganfainberg | once we get there we get middleware broken up in a way that lets auth_context consume the needed bits | 23:48 |
morganfainberg | or split those out into a lib that auth_context can use. | 23:49 |
jamielennox | the interface i used in that review is almost exactly the same as accessinfo i just needed to modify some return values | 23:49 |
morganfainberg | ++ | 23:49 |
morganfainberg | ayoung, CC ^^ re: accessinfo review | 23:49 |
*** alex_xu has joined #openstack-keystone | 23:50 | |
* morganfainberg needs to go put together a slide deck | 23:51 | |
morganfainberg | or two. | 23:51 |
jamielennox | ayoung: i saw someone mention https://pypi.python.org/pypi/characteristic/0.1.0 and thought you'd love it | 23:52 |
jamielennox | morganfainberg: you too ^ handles controlling what people can do with a python object | 23:52 |
morganfainberg | neat | 23:53 |
*** gordc has joined #openstack-keystone | 23:53 | |
morganfainberg | stevemar, gonna have the guys at LCA steal most of the content from the bootstrapping hour | 23:54 |
morganfainberg | stevemar, ;) | 23:54 |
jamielennox | they're still doing a keystone thing at LCA? | 23:55 |
morganfainberg | stevemar, just going to shuffle a couple things more targeting deployment. | 23:55 |
morganfainberg | jamielennox, yah, someone is going to present some slides | 23:55 |
morganfainberg | jamielennox, but i dunno who. | 23:55 |
morganfainberg | jamielennox, at least thats the plan | 23:55 |
stevemar | morganfainberg, thats cool, glad i could help | 23:55 |
morganfainberg | jamielennox, would have been better if you could have made it :P | 23:55 |
stevemar | morganfainberg, let me know who presents :) | 23:55 |
jamielennox | morganfainberg: yea - would have been good | 23:55 |
morganfainberg | stevemar, yeah gotta cut it down to 30min and focus on some choices like "why PKI vs UUID, why SQL" | 23:56 |
morganfainberg | stevemar so ripping some of the more indepth slides out. but mostly it's going to be the same. | 23:56 |
morganfainberg | stevemar, really appreciate you letting me use this deck as the basis | 23:57 |
*** marg7175 has joined #openstack-keystone | 23:58 | |
stevemar | np at all | 23:59 |