Friday, 2015-02-27

*** rodrigods is now known as rodrigod`00:08
*** rodrigod` is now known as rodrigods00:08
*** henrynash_ has joined #openstack-keystone00:09
*** ChanServ sets mode: +v henrynash_00:09
*** rodrigods has quit IRC00:09
*** henrynash has quit IRC00:09
*** henrynash_ is now known as henrynash00:09
*** karimb has quit IRC00:10
dstanekmorganfainberg: that's a good catch by the automation00:11
morganfainbergdstanek, yep00:11
morganfainbergthough i had to run it locally, devstack error didn't show the problem as clearly00:11
*** browne has quit IRC00:12
*** browne has joined #openstack-keystone00:12
*** rodrigods has joined #openstack-keystone00:12
dstanekmorganfainberg: so my only issue with that review now is the _convert_to_integers because it can be simplified, but that can be a follow up00:12
morganfainbergdstanek, sounds good. i'm happy to see a cleanup on that as a followup00:13
openstackgerrithenry-nash proposed openstack/keystone: Implement backend driver support for domain config  https://review.openstack.org/15805100:13
*** rodrigods has quit IRC00:14
*** rodrigods has joined #openstack-keystone00:14
openstackgerrithenry-nash proposed openstack/keystone: Add support for whitelisting and partial domain configs  https://review.openstack.org/15867900:15
openstackgerritMarek Denis proposed openstack/keystone: Enhance user identification in mapping engine  https://review.openstack.org/15493400:17
openstackgerrithenry-nash proposed openstack/keystone: Add API support for domain config  https://review.openstack.org/15875200:18
*** raildo_ has quit IRC00:20
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Fixes test_multiple_filters filters definition  https://review.openstack.org/15841100:21
*** david-lyle is now known as david-lyle_Afk00:22
*** david-lyle_Afk is now known as david-lyle_afk00:22
*** markvoelker has quit IRC00:24
openstackgerrithenry-nash proposed openstack/keystone: Enable use of database domain config  https://review.openstack.org/15967500:26
henrynashdstanek: hi…you still around00:27
*** cburgess has quit IRC00:28
*** cburgess has joined #openstack-keystone00:28
*** gus has quit IRC00:29
*** darrenc has quit IRC00:29
*** darrenc has joined #openstack-keystone00:29
*** mhu has quit IRC00:29
*** EmilienM|afk has quit IRC00:29
*** markvoelker has joined #openstack-keystone00:29
*** EmilienM has joined #openstack-keystone00:30
*** mhu has joined #openstack-keystone00:30
*** gus has joined #openstack-keystone00:31
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Exposes bug in SQL when honoring driver_hints  https://review.openstack.org/15841200:32
*** arunkant_ has quit IRC00:35
openstackgerrithenry-nash proposed openstack/keystone: Enable use of database domain config  https://review.openstack.org/15967500:37
henrynashI need some python-super-guru help…..00:40
samueldmqthrow your question in, maybe someone is able to answer :)00:41
samueldmqwe have some good guys with python here :-)00:41
samueldmqI'm just curious to see your question, and the response you'll find00:42
henrynashI need some help in working out what’s going on with my domainConfigOpts wrapper class in https://review.openstack.org/#/c/159675/2/keystone/identity/core.py00:42
openstackgerritLin Hua Cheng proposed openstack/keystone: Validate user exist when assigning roles in V2  https://review.openstack.org/9398200:43
henrynashIt works in the simple tests (see: https://review.openstack.org/#/c/159675/2/keystone/tests/unit/identity/test_core.py)00:43
henrynashbut blows up when used in earnest (see: https://review.openstack.org/#/c/159675/2/keystone/tests/unit/test_backend_ldap.py)00:44
samueldmqhenrynash, going to download and try something :)00:45
henrynashthis is what happens in that last test: http://paste.openstack.org/show/182757/00:45
henrynashbasically I get caught in an infinite loop doing __getattr__   … but I can’t work out why (and why on that particular access to conf)00:46
samueldmqinfinite loop00:46
samueldmqyep ... going to see the code00:47
henrynashI’m trying to be pretty sneaky here…..probably too sneaky00:47
henrynashthx00:49
openstackgerrithenry-nash proposed openstack/keystone: Add API support for domain config  https://review.openstack.org/15875200:49
openstackgerrithenry-nash proposed openstack/keystone: Enable use of database domain config  https://review.openstack.org/15967500:50
henrynashsamueldmq: I wonder if I have to be careful not to re-patch the same class over and over again…maybe I’m blowing some kind of recursion limit00:55
jamielennoxso member_role_name is almost completely ignored? member_role_id seems to be all that matters00:55
*** dims has joined #openstack-keystone01:01
*** sigmavirus24_awa is now known as sigmavirus2401:06
samueldmqhenrynash, well ... that's pretty hard :p01:06
samueldmqI need to understand the patches to figure out the logic in there01:07
henrynashyeah, it’s pretty funky…not sure if I have it right…do you get WHAT I’m trying to do and why?01:07
*** bknudson has joined #openstack-keystone01:10
*** ChanServ sets mode: +v bknudson01:10
samueldmqnot really I think .. need to recap starting from the spec01:10
henrynashok, so quick summary:01:11
henrynash1) Overall goal is to allow domain configs to be specified in sql (instead of files)01:11
henrynash2) Question is…once you have a bunch of configs set for a given domain…how do you try and get all the modules that just get a config value by saying conf.group.option  to pick up the new values....01:13
henrynash3) we already create a separate oslo  cfg.ConfigOpts object for each domain01:13
henrynash4) what I’m doing is creating an inherited class for this that we will pass around instead…and whenever someone reads an attribute (i.e. does __getattr__ ) then we get to intercept it01:14
samueldmqso at the end you would be able to do domain1.conf.ldap.url ?01:15
samueldmqor something like this?01:16
henrynash5) ..but the problem is that our options are actually in groups…and that class (ConfigOpts.GroupAttr) is instantiated inside oslo and passed back to us to pass back to the caller….so we somehow need to intercept the __getattr__ to that class, as well as our own01:16
henrynash…essentially, yes - we already create an array of domains, each one has its own conf….and each domain has its own ldap driver, initialized with the conf for that domain01:17
morganfainberghenrynash, that sounds kindof hack-y01:17
henrynashall that comes from the file-based support already there01:17
henrynashmorganfainberg: probably true….it was kind of what doug was suggesting, to have a wrapper around ConfigOpts….01:18
samueldmqhenrynash, hmm... so yes, I see we are consistent with the way we do today (with files)01:18
samueldmqhenrynash, e.g we have file domain1.conf , and inside it we have identity.driver -> domain1.conf.identity.driver01:19
henrynashthe alternative approach is that I manually call the override method for all domain specific configs…01:20
henrynashhmm, that might be a lot easier01:20
samueldmqhenrynash, why not then ? :)01:20
henrynashI think I’ll see if that works better…..it might be cleaner too….have used the manual overriding before….01:21
henrynash(haven’t used the..)01:21
henrynashtry that in the morning…01:22
henrynashok, thx01:22
henrynashtime for bed, me thinks....01:22
*** henrynash has quit IRC01:22
samueldmq:)01:23
*** diegows has quit IRC01:24
openstackgerritwanghong proposed openstack/keystone: apply endpoint_group filters on token catalog  https://review.openstack.org/14418701:27
openstackgerritSam Leong proposed openstack/keystone: Tokenless authz with X.509 SSL client certificate  https://review.openstack.org/15687001:28
*** markvoelker has quit IRC01:32
openstackgerritSam Leong proposed openstack/keystone: Tokenless authz with X.509 SSL client certificate  https://review.openstack.org/15687001:32
*** _cjones_ has quit IRC01:33
openstackgerritMorgan Fainberg proposed openstack/keystone: Use revocation events for lightweight tokens  https://review.openstack.org/15841401:38
*** davechen has joined #openstack-keystone01:41
*** rm_work is now known as rm_work|away01:46
openstackgerritLin Hua Cheng proposed openstack/keystone: Make RuleProcessor._UserType class public  https://review.openstack.org/15771101:53
*** erkules_ has joined #openstack-keystone02:16
*** sigmavirus24 is now known as sigmavirus24_awa02:17
*** erkules has quit IRC02:19
*** rwsu is now known as rwsu-afk02:26
*** gyee has quit IRC02:31
*** tqtran_ has quit IRC02:31
*** browne has quit IRC02:33
*** browne has joined #openstack-keystone02:34
*** spandhe has quit IRC02:44
openstackgerritSam Leong proposed openstack/keystone: Tokenless authz with X.509 SSL client certificate  https://review.openstack.org/15687002:48
*** leonchio_ has quit IRC02:54
*** samueldmq has quit IRC02:54
ayoungfailures=1703:07
*** stevemar has joined #openstack-keystone03:18
*** ChanServ sets mode: +v stevemar03:18
openstackgerritSteve Martinelli proposed openstack/keystone: Remove conditional check (and test) for oauth_api  https://review.openstack.org/15967103:23
openstackgerritwanghong proposed openstack/keystone: move region and service exist checks into manager layer  https://review.openstack.org/14197703:29
*** browne has quit IRC03:36
*** csoukup has joined #openstack-keystone03:40
*** dims has quit IRC03:41
ayoungmorganfainberg, these service and endpoint defs are wrong, cuz they have no ids.  Am I right?  http://git.openstack.org/cgit/openstack/python-keystoneclient/tree/keystoneclient/tests/unit/v3/utils.py#n5204:06
morganfainbergayoung, i think you are right04:06
ayoungmorganfainberg, checking the spec now04:06
morganfainbergayoung, this is an issue with having fixtures in two places.04:07
ayoungmorganfainberg, we have so many different fixtures in the client04:07
morganfainbergyeah04:07
morganfainberg:(04:07
ayounghttp://developer.openstack.org/api-ref-identity-v3.html#service-catalog-v3  morganfainberg04:07
ayoungadding Ids now04:08
ayoungmorganfainberg, I have , for the moment, punted on how to marshal the new objects via JSON.  I've got lower hanging fruit to knock down first.  I like the idea of named tuples, but it doesn't map cleanly to a dict interface04:10
morganfainbergno it doesn't04:11
ayoungmight need some more power python knowhow to finish that off04:11
ayoungI guess I could inherit from dict04:11
ayoungwouldn't be the worst thing.  The objects would still be immutable04:11
* ayoung thinks about that04:11
ayoungwould be treating dict like an interface, which is really what we want here04:12
morganfainbergayoung, right.04:13
ayoungmorganfainberg,  failures=704:17
*** richm has quit IRC04:20
*** lhcheng has quit IRC04:34
*** dims has joined #openstack-keystone04:42
ayoung failures=504:42
*** spandhe has joined #openstack-keystone04:46
*** dims has quit IRC04:47
*** markvoelker has joined #openstack-keystone05:01
ayoung failures=305:01
*** lhcheng has joined #openstack-keystone05:12
*** lhcheng_ has joined #openstack-keystone05:15
*** lhcheng has quit IRC05:18
*** rushiagr_away is now known as rushiagr05:18
*** browne has joined #openstack-keystone05:24
*** markvoelker has quit IRC05:33
*** markvoelker has joined #openstack-keystone05:33
ayoungfailures=205:37
*** markvoelker has quit IRC05:37
*** csoukup has quit IRC05:39
*** spandhe has quit IRC05:44
*** Krast has joined #openstack-keystone05:52
*** abhirc has quit IRC05:55
*** rushiagr is now known as rushiagr_away05:57
*** markvoelker has joined #openstack-keystone06:04
*** rushiagr_away is now known as rushiagr06:05
*** markvoelker has quit IRC06:09
*** MaikZ has quit IRC06:18
*** dims has joined #openstack-keystone06:31
*** dims has quit IRC06:36
*** MasterPiece has joined #openstack-keystone06:41
*** lhcheng_ has quit IRC06:44
*** markvoelker has joined #openstack-keystone07:05
*** markvoelker has quit IRC07:09
*** spandhe has joined #openstack-keystone07:10
bretoninheritance from dict?07:10
bretonwhy not from Mapping or MutableMapping?07:14
*** ajayaa has joined #openstack-keystone07:23
*** ncoghlan has quit IRC07:34
*** stevemar has quit IRC07:43
*** browne has quit IRC08:06
*** spandhe has quit IRC08:18
*** jaosorior has joined #openstack-keystone08:27
*** nellysmitt has joined #openstack-keystone08:29
*** himangi has joined #openstack-keystone08:36
*** pnavarro__ has joined #openstack-keystone08:42
*** chlong has quit IRC08:44
*** MasterPiece has quit IRC08:51
*** jistr has joined #openstack-keystone08:56
*** markvoelker has joined #openstack-keystone09:07
*** henrynash has joined #openstack-keystone09:08
*** ChanServ sets mode: +v henrynash09:08
*** markvoelker has quit IRC09:13
*** davechen has quit IRC09:53
*** svasheka has quit IRC09:55
*** henrynash has quit IRC09:56
*** henrynash has joined #openstack-keystone10:04
*** ChanServ sets mode: +v henrynash10:04
*** fmarco76 has joined #openstack-keystone10:08
*** aix has joined #openstack-keystone10:52
*** jaosorior has quit IRC11:02
*** markvoelker has joined #openstack-keystone11:10
*** markvoelker has quit IRC11:17
openstackgerritMarek Denis proposed openstack/keystone: Enhance user identification in mapping engine  https://review.openstack.org/15493411:26
openstackgerrithenry-nash proposed openstack/keystone: Enable use of database domain config  https://review.openstack.org/15967511:27
openstackgerritMarek Denis proposed openstack/keystone: Make RuleProcessor._UserType class public  https://review.openstack.org/15771111:28
openstackgerritMarek Denis proposed openstack/keystone: Move UserAuthInfo to a separate file  https://review.openstack.org/15771711:28
openstackgerritMarek Denis proposed openstack/keystone: Authenticate local users via federated workflow  https://review.openstack.org/15630811:28
*** amakarov_away is now known as amakarov11:30
openstackgerritAlexander Makarov proposed openstack/keystone: Redis token backend  https://review.openstack.org/15084411:35
amakarovdolphm, hi! ^^ Can you please explain to me how I can test a new token backend? iirc there are no tests for backends at all...11:37
amakarovCan somebody review my revocation bug fix? https://review.openstack.org/#/c/141854/11:39
openstackgerritMarco Fargetta proposed openstack/keystone: Adding utf8 to federations tables  https://review.openstack.org/15980311:48
*** henrynash has quit IRC11:49
bretondolphm: could you please remove your -2 on https://review.openstack.org/#/c/155292/ since master patch has landed?11:52
*** diegows has joined #openstack-keystone11:54
*** krykowski has joined #openstack-keystone11:56
openstackgerritMarek Denis proposed openstack/keystone: Add ``service_providers`` in Service Catalog  https://review.openstack.org/15265911:59
*** aix has quit IRC12:00
*** pnavarro_ has joined #openstack-keystone12:02
*** erkules_ is now known as erkules12:04
*** afazekas has joined #openstack-keystone12:04
*** dims has joined #openstack-keystone12:04
*** himangi has quit IRC12:05
*** pnavarro__ has quit IRC12:06
*** pnavarro_ has quit IRC12:07
*** obutenko has joined #openstack-keystone12:11
*** markvoelker has joined #openstack-keystone12:13
*** flaviof has joined #openstack-keystone12:15
*** markvoelker has quit IRC12:17
*** ajayaa has quit IRC12:32
*** krykowski has quit IRC12:33
*** rushiagr is now known as rushiagr_away12:35
*** jaosorior has joined #openstack-keystone12:38
*** henrynash has joined #openstack-keystone12:45
*** ChanServ sets mode: +v henrynash12:45
*** himangi has joined #openstack-keystone12:49
*** aix has joined #openstack-keystone12:55
*** himangi has quit IRC13:01
openstackgerrithenry-nash proposed openstack/keystone: Add support for whitelisting and partial domain configs  https://review.openstack.org/15867913:05
openstackgerrithenry-nash proposed openstack/keystone: Add API support for domain config  https://review.openstack.org/15875213:06
*** krykowski has joined #openstack-keystone13:11
*** markvoelker has joined #openstack-keystone13:14
*** abhirc has joined #openstack-keystone13:15
*** markvoelker has quit IRC13:19
*** dims is now known as dimsum__13:27
*** gordc has joined #openstack-keystone13:37
openstackgerrithenry-nash proposed openstack/keystone: Enable use of database domain config  https://review.openstack.org/15967513:39
*** henrynash has quit IRC13:39
*** abhirc has quit IRC13:53
*** radez_g0n3 is now known as radez13:58
*** henrynash has joined #openstack-keystone14:00
*** ChanServ sets mode: +v henrynash14:00
*** henrynash has quit IRC14:01
*** abhirc has joined #openstack-keystone14:02
*** abhirc has quit IRC14:04
*** mattfarina has joined #openstack-keystone14:08
*** samueldmq has joined #openstack-keystone14:08
*** samueldmq has quit IRC14:13
*** markvoelker has joined #openstack-keystone14:15
*** ljfisher has joined #openstack-keystone14:17
*** rushiagr_away is now known as rushiagr14:18
*** markvoelker has quit IRC14:20
*** ljfisher has quit IRC14:21
*** richm has joined #openstack-keystone14:21
*** markvoelker has joined #openstack-keystone14:22
*** joesavak has joined #openstack-keystone14:22
*** mestery has quit IRC14:25
*** ljfisher has joined #openstack-keystone14:25
openstackgerritRodrigo Duarte proposed openstack/keystone: Honor domain operations in project table  https://review.openstack.org/14376314:29
*** csoukup has joined #openstack-keystone14:30
*** dimsum__ has quit IRC14:36
*** himangi has joined #openstack-keystone14:37
*** dims_ has joined #openstack-keystone14:38
*** rushiagr is now known as rushiagr_away14:40
*** mestery has joined #openstack-keystone14:41
*** bknudson has quit IRC14:42
openstackgerritMarek Denis proposed openstack/keystone: Populate token with service providers  https://review.openstack.org/15986514:42
*** jsavak has joined #openstack-keystone14:44
openstackgerritMarco Fargetta proposed openstack/keystone: IdP ID registration and validation  https://review.openstack.org/15215614:46
*** joesavak has quit IRC14:47
*** ogzy has joined #openstack-keystone14:48
*** sigmavirus24_awa is now known as sigmavirus2414:50
openstackgerritMarek Denis proposed openstack/keystone: Populate token with service providers  https://review.openstack.org/15986514:50
marekdmorganfainberg: shit, forgot what was decided: so, service providers are added to the token, we also need to add /auth/service_providers call. Is that true ?14:53
openstackgerritMarek Denis proposed openstack/keystone: Enhance user identification in mapping engine  https://review.openstack.org/15493415:08
openstackgerritMarek Denis proposed openstack/keystone: Make RuleProcessor._UserType class public  https://review.openstack.org/15771115:09
openstackgerritMarek Denis proposed openstack/keystone: Make RuleProcessor._UserType class public  https://review.openstack.org/15771115:13
*** samueldmq-away has quit IRC15:14
openstackgerritMarek Denis proposed openstack/keystone: Move UserAuthInfo to a separate file  https://review.openstack.org/15771715:15
openstackgerritMarek Denis proposed openstack/keystone: Authenticate local users via federated workflow  https://review.openstack.org/15630815:17
ayoungdhellmann,  I think our timeutils is leading us astray.  I have a string like this:   "2013-02-27T18:30:59.999999Z"  generated by the token provider:  this meets the spec.  I convert it to a string using oslo_utils.timeutils.parse_isotime(timestr)  and then...I have no way of getting it back to the original string? All the functions seem to be missing the timezone.15:21
ayounghttp://docs.openstack.org/developer/oslo.utils/api/timeutils.html15:21
*** markvoelker has quit IRC15:32
*** emily_ has joined #openstack-keystone15:32
*** himangi has quit IRC15:38
*** carlosmarin has joined #openstack-keystone15:39
*** abhirc has joined #openstack-keystone15:39
*** abhirc has quit IRC15:40
*** stevemar has joined #openstack-keystone15:44
*** ChanServ sets mode: +v stevemar15:44
*** emily_ has quit IRC15:46
amakarovstevemar, hi! A question to you: the main purpose of CADF notifications is monitoring, right?15:47
*** stevemar2 has joined #openstack-keystone15:47
*** ChanServ sets mode: +v stevemar215:47
*** stevemar has quit IRC15:47
dstanekamakarov: i would guess auditing15:47
*** rushiagr_away is now known as rushiagr15:48
*** ogzy has quit IRC15:48
*** jsavak has quit IRC15:48
*** himangi has joined #openstack-keystone15:48
amakarovdstanek, thanks! The next question is: can these notifications be used for cross-datacenter assignment replication?15:49
*** abhirc has joined #openstack-keystone15:49
*** afazekas has quit IRC15:50
dstanekamakarov: instead of database replication?15:52
*** bknudson has joined #openstack-keystone15:52
*** ChanServ sets mode: +v bknudson15:52
amakarovdstanek, yes15:52
*** bknudson has quit IRC15:53
dstanekamakarov: i'm not sure if it would have enough info15:53
amakarovdstanek, I've filed a use-case https://blueprints.launchpad.net/keystone/+spec/cross-env-delegations-synchronization15:53
dstanekamakarov: why not sure database replication?15:53
amakarovdstanek, multi-master?15:54
amakarovdstanek, not sure if there is any15:54
amakarovhttp://en.wikipedia.org/wiki/Multi-master_replication15:54
amakarovWe used LDAP for this, but it will soon be deprecated without reliable alternative15:55
*** jorge_munoz has joined #openstack-keystone15:55
dstanekamakarov: yes, exactly15:55
dstanekamakarov: do you need to have write in each cloud?15:56
amakarovdstanek, I asked Henry Nash about it and he suggested me to start researching it15:56
amakarovdstanek, ++15:56
*** joesavak has joined #openstack-keystone15:57
amakarovFor now I have some options what to do - all ugly15:57
dstaneki don't think keystone itself would ever implement replication - that's more of a backend issue15:58
*** krykowski has quit IRC15:58
*** markvoelker has joined #openstack-keystone15:58
*** browne has joined #openstack-keystone15:58
amakarovdstanek, I agree though it seems there is no such backend available now15:59
amakarovand this doesn't go as an excuse :)15:59
dstanekamakarov: why not use the SQL backend with Postgres?16:00
dstanekin a past life we did multi master with it and an open source addon - not across data centers though16:00
amakarovdstanek, postgres is good at master->[slaves]16:00
amakarovdstanek, can you please share this knowledge?16:01
dstanekamakarov: share what? the open source project name?16:01
amakarovdstanek, no :) How did you do multi-master on postgres16:02
amakarovlast time I read postgres docs, there were no recipes for multi-master16:03
dstanekamakarov: we used an open source project with Postgres to do it; i can ask what it was when my friend gets online16:03
dstanekamakarov: https://wiki.postgresql.org/wiki/Replication,_Clustering,_and_Connection_Pooling#Replication <- it was probably one of these16:03
amakarovdstanek, I'd appreciate it! And thanks for the link :)16:05
*** csoukup has quit IRC16:06
*** bknudson has joined #openstack-keystone16:06
*** ChanServ sets mode: +v bknudson16:06
amakarovdstanek, btw can you please review revocation fix? https://review.openstack.org/#/c/141854/16:07
*** justincampbell has joined #openstack-keystone16:07
dstanekamakarov: assuming that cadf messages do contain enough info to recreate the changes you have all sorts of queuing issues to contend with16:08
lbragstaddolphm: there are a few comments related to the file status stuff in keystone/token/providers/klwt/utils.py that bknudson had,16:08
dstanekamakarov: sure, added to my list16:08
amakarovdstanek, I agree about queuing, I'll most probably fail this option, but for now I'm gathering all I can get )16:10
*** csoukup has joined #openstack-keystone16:15
*** justincampbell has left #openstack-keystone16:18
*** david-lyle_afk is now known as david-lyle16:19
*** panbalag has joined #openstack-keystone16:20
*** henrynash has joined #openstack-keystone16:24
*** ChanServ sets mode: +v henrynash16:24
*** markvoelker has quit IRC16:25
panbalagHi... is there a command to find out the keystone API version in use on a devstack installation?16:26
amakarovpanbalag, version depends on components' configurations - so look there16:27
openstackgerrithenry-nash proposed openstack/keystone: Enable use of database domain config  https://review.openstack.org/15967516:28
amakarovpanbalag, Keystone can handle both v2.0 and v3 simultaneously so it can be different from one component to another16:29
panbalagamakarov, oh ok. Thanks.16:30
*** markvoelker has joined #openstack-keystone16:32
*** stevemar3 has joined #openstack-keystone16:32
*** ChanServ sets mode: +v stevemar316:32
*** stevemar2 has quit IRC16:33
panbalagamakarov, I'm looking at the config files for swift under /etc/swift/.. any idea where the version will be defined?16:34
openstackgerrithenry-nash proposed openstack/keystone-specs: Remove email from examples in Identity API  https://review.openstack.org/15991416:35
*** david-lyle is now known as david-lyle_Afk16:35
*** david-lyle_Afk is now known as david-lyle_afk16:35
amakarovpanbalag, look for something like http://....:5000/v(2.0|3)16:35
amakarovor just grep config files with | grep ":5000/"16:36
*** henrynash has quit IRC16:36
*** henrynash_ has joined #openstack-keystone16:36
*** ChanServ sets mode: +v henrynash_16:36
*** rwsu-afk is now known as rwsu16:39
*** fmarco76 has left #openstack-keystone16:40
richmWhen setting up multiple domains, is it required to have a separate config file in /etc/keystone/domains?  Could /etc/keystone/keystone.conf be used, with separate sections for each domain?16:42
stevemar3richm, the prior, separate files, directory doesn't matter16:42
stevemar3but definitely not a single file with separate sections16:43
richmstevemar3: thanks16:43
*** stevemar3 is now known as stevemar16:43
*** stevemar is now known as not-stevemar16:43
openstackgerrithenry-nash proposed openstack/keystone-specs: Correct the use of POST for domain configs  https://review.openstack.org/15991916:44
*** not-stevemar has quit IRC16:46
*** stevemar has joined #openstack-keystone16:46
*** ChanServ sets mode: +v stevemar16:46
marekdstevemar: hi16:46
stevemarmarekd, heading out now16:47
stevemarmarekd, have my jacket on :)16:47
marekdstevemar:  :( ok16:47
stevemaremail or pm?16:47
marekdstevemar: sure.16:47
marekdemail16:47
stevemark16:47
*** AndroUser has joined #openstack-keystone16:49
*** justincampbell has joined #openstack-keystone16:49
*** justincampbell has left #openstack-keystone16:50
*** doug-fish has joined #openstack-keystone16:50
*** stevedroid has joined #openstack-keystone16:52
doug-fishhi keystone friends.  I'm working on code to support K2K federation in Horizon and my initial code is failing with a 401 error that confuses me ....16:52
stevedroidTest16:52
doug-fish(very) WIP code is out for review.  Problem code is  https://review.openstack.org/#/c/159910/1/openstack_auth/backend.py around line 15416:53
doug-fishI've seen prototype code that can do this series of calls, but it bypasses the keystone client to do so16:53
openstackgerritMarek Denis proposed openstack/keystone-specs: Add service_providers to the documentation  https://review.openstack.org/15992216:54
doug-fishI'm wondering if there is anything obviously wrong with my keystone client usage or other debug tips?  (keystone log wasn't helpful)16:54
lbragstadstevedroid: getting IRC working on your phone?16:54
*** gyee has joined #openstack-keystone16:55
*** ChanServ sets mode: +v gyee16:55
*** AndroUser has quit IRC16:55
*** browne has quit IRC16:55
doug-fishjamielennox: I've heard you are quite familiar with the auth plugins - I suspect that could be where I'm having problems16:58
dolphmdoug-fish: he's probably asleep (4am ish in australia now)16:58
doug-fishdolphm: yeah understood.  Of course I'm open to input from others as well.16:59
doug-fish:-D16:59
bretonfmarco76:17:00
marekddoug-fish: hi. What's your scenario with K2K and Horizon?17:04
doug-fishmarekd: Basically it's a small number of keystones defined + I want to hide that fact in Horizon so users can choose regions without regard to which keystone is managing them17:05
marekdbreton: you are probably talking https://review.openstack.org/#/c/152156/ ?17:06
marekddoug-fish: so, first of all we have rolled back idea of using regions as 'remote Keystones'. Does it change anything in that case?17:07
doug-fishI'm not quite sure what you mean by "we have rolled back idea of using regions as 'remote Keystones'"17:07
doug-fishmarekd: I understand each keystone is used to access one or more regions17:08
marekddoug-fish: yes, but not necessarily through K2K.17:09
marekdright?17:09
*** samueldmq-away has joined #openstack-keystone17:09
doug-fishnot necessarily, but desirable in order to hide separate authentication when switching between keystones17:09
openstackgerrithenry-nash proposed openstack/keystone: Enable sensitive substitutions into whitelisted domain configs  https://review.openstack.org/15992817:10
bretonmarekd: yep17:10
marekdwell, never mind, please finish your use case.17:10
marekddoug-fish: ^^17:10
bretonmarekd: I could reproduce the failures17:10
marekddropping utf8 helps ?17:11
bretonmarekd: but now I don't understand why they didn't happen before17:11
marekdbreton: heh, we triggered hidden bug17:11
marekdand the beast is now awake.17:11
bretonand my "show create table identity_provider" now shows that I have latin1 too17:11
doug-fishmarekd: use case is for hybrid environments to allow separate user, role, region management between private + public clouds, yet show all resources in Horizon without re-authenticating17:12
*** himangi has quit IRC17:13
*** himangi has joined #openstack-keystone17:14
marekddoug-fish: ok17:14
marekddoug-fish: so you probably need something to handle multiple tokens at once17:15
marekdor you managed to do it in a different way  ?17:15
doug-fishmarekd: my patch will manage multiple tokens17:15
doug-fishmarekd: but right now it's only as far along as trying to obtain the multiple tokens17:15
doug-fishmarekd: I can obtain unscoped tokens from the remote keystones, but can't list projects in order to get scoped tokens17:16
*** _cjones_ has joined #openstack-keystone17:17
marekddoug-fish: ok, some logs, tokens anything ?17:17
doug-fishmarekd: I'm willing to share whatever might be helpful!  You can see my code is pretty marked up with print statements - shall I collect a set of those and share?17:18
marekddoug-fish: yes, why not.17:18
henrynash_stevemar, bknudson, gyee, ayoung: would be great to get some eyes on the series of domain config patches - they start at: https://review.openstack.org/#/c/157701/17:21
*** joesavak has quit IRC17:21
bknudsonhenrynash_: if they're not in the list of high priority reviews then I'm probably going to look at those first.17:21
doug-fishmarekd: http://pastebin.com/MZsTPxfX17:21
henrynash_bknudson: what defines high priority?  If it is for Kilo, then these are indeed for Kilo17:22
bknudsonhenrynash_: I don't know where the list came from or why some reviews are in it and others aren't.17:23
marekddoug-fish: and what happens when you try to list projects with that token ?17:23
doug-fishmarekd: I don't get that far - on this line r_unscoped_auth_ref = r_unscoped_auth.get_access(r_session) I get a 401 error17:24
*** jogo is now known as flashgordon17:25
*** jistr has quit IRC17:25
*** joesavak has joined #openstack-keystone17:25
marekddoug-fish: i guess there is some error17:26
marekdsome links17:26
marekdor the reason17:26
marekd(ok, we have a reason)17:26
marekdprinted while 401 is raised17:26
haneef_henrynash: is domain specific conf  only for root domain or is it for projects with is_domain true too?17:27
ayounghenrynash_, would be great if our JSON marshalling of Dates wasn't driving me to drink17:27
*** lhcheng has joined #openstack-keystone17:27
*** rushiagr is now known as rushiagr_away17:28
doug-fishmarekd: not much to go on here ... let me see if there is more info I can sort out:   http://pastebin.com/v8GZgTdr17:28
openstackgerritMarek Denis proposed openstack/keystone: Populate token with service providers  https://review.openstack.org/15986517:31
marekddoug-fish: maybe apache logs on the Service Provider side will tell us more ?17:35
*** pdesai has joined #openstack-keystone17:35
*** pdesai has quit IRC17:37
doug-fishmarekd: I looked at them myself and asked bknudson to take a look as well.  Nothing was obvious to either of us ... is there anything specific I should look for?  or a socially acceptable way to share a large log file?17:37
marekddoug-fish: maybe grep for "Couldn't map user"17:38
marekddoug-fish: but, huh, no.17:38
marekdthat would happen earlier.17:38
doug-fishmarekd: as you theorized, it is not there.  Also - I do have some working prototype code that doesn't use keystoneclient that is able to successfully get through this.17:39
*** pdesai has joined #openstack-keystone17:39
doug-fishmarekd: that says to me it's either a keystone client problem, or a problem in the way I'm using it17:39
openstackgerritLance Bragstad proposed openstack/keystone: Keystone Lightweight Tokens (KLWT)  https://review.openstack.org/14531717:39
openstackgerritLance Bragstad proposed openstack/keystone: Use revocation events for lightweight tokens  https://review.openstack.org/15841417:39
openstackgerritLance Bragstad proposed openstack/keystone: Implement KLWT for v2.0 tokens  https://review.openstack.org/15922917:39
dolphmlbragstad: i'm working on a couple patches to the base klwt implementation for utils / key rotation stuff -- do you have any changes going in parallel?17:40
lbragstaddolphm: rebase on those ^17:40
dolphmlbragstad: oh lol k17:40
lbragstadI just addressed a bunch of comments from Brant17:40
lbragstadand wanted to push, there are some comments bknudson left on coverage17:40
lbragstadthat will still need to be addressed17:40
dolphmlbragstad: the biggest change i'm making is removing _convert_to_integers() in favor of some defensive logic17:41
lbragstaddolphm: sounds good to me17:41
lbragstadI'll check it out when I sign back on17:41
*** markvoelker has quit IRC17:51
*** lhcheng has quit IRC17:51
*** stevedroid has quit IRC17:53
*** joesavak has quit IRC17:54
*** lhcheng has joined #openstack-keystone17:55
*** lhcheng_ has joined #openstack-keystone17:56
*** lhcheng has quit IRC17:56
doug-fishmarekd: I've added some print statements inside of keystone-client - I'd assume this isn't a proper header value for X-Auth-Token  http://pastebin.com/1VGwMS9v17:58
doug-fishnow to figure out why17:58
*** browne has joined #openstack-keystone17:58
*** chlong has joined #openstack-keystone18:04
*** markvoelker has joined #openstack-keystone18:05
doug-fishmarekd: I can't quite sort out the issue, but it seems like the Token auth plugin can't be told about both the token id and the token body, and as far as I can tell there is no way to pass that (I can pass one or the other, but not both)18:09
doug-fishcould I be using the wrong plugin?18:09
*** chlong has quit IRC18:11
doug-fishmarekd: wouldn't external/3rd party idp have the same need?18:11
*** spandhe has joined #openstack-keystone18:11
*** spandhe has quit IRC18:11
*** krtaylor has quit IRC18:16
*** lhcheng_ is now known as lhcheng18:21
*** spandhe has joined #openstack-keystone18:23
*** Akshik has joined #openstack-keystone18:25
Akshikusing ubuntu 12.04 icehouse trying to integrate openstack keystone with shibboleth18:26
Akshikwhen i restarted shibd now stuck with error "2015-02-27 22:36:38 CRIT Shibboleth.Application : no MetadataProvider available, configuration is probably unusable", not sure if I'm missing something18:26
Akshikpls. guide me18:26
doug-fishmarekd: some related keystone log info http://pastebin.com/v0yqLt6k18:26
morganfainbergmarekd, rodrigods, gyee, ^ since you've looked at shibboleth a little more recently than I have [I'd need to context switch]18:27
Akshiki've even raised it in http://lists.openstack.org/pipermail/openstack-dev/2015-February/057956.html18:28
*** chlong has joined #openstack-keystone18:28
*** tqtran has joined #openstack-keystone18:28
*** krtaylor has joined #openstack-keystone18:28
morganfainbergAkshik, did you load in the metadata from your IDP?18:31
*** pdesai1 has joined #openstack-keystone18:31
Akshikyes i did register my metadata to testshib, and when i tried calling https://myserver:5000/v3/OS-FEDERATION/identity_providers/idp_2/protocols/saml2/auth i got redirected to testshib login page18:32
Akshikwhen i gave username and password18:33
dstanekAkshik: did you add the metadata provider to your shib config?18:34
Akshik*shibsp::ConfigurationException at (https://MYSERVER:5000/Shibboleth.sso/...18:34
Akshik <https://myserver:5000/Shibboleth.sso/SAML2/POST> ) No MetadataProvider available.*18:34
*** pdesai has quit IRC18:34
openstackgerritRodrigo Duarte proposed openstack/keystone: Add domain_id checking in create_project  https://review.openstack.org/15994418:34
dstanekAkshik: what is your metadata provider set to?18:34
rodrigodsmorganfainberg, bug in create_project ^18:35
rodrigodsmorganfainberg, looking the logs18:35
*** david-lyle_afk is now known as david-lyle18:35
Akshikdstanek, http://chunk.io/f/a1186c3366ee4d118daf6db9dba6017e18:36
Akshikthis is my shibboleth2.xml18:36
dstanekAkshik: what is http://federation.org/federation-metadata.xml? i think this is your problem18:37
dstanekyou have to tell shib about the IdP and tell the IdP about shib18:38
*** chlong has quit IRC18:38
amakarovdstanek, thank you for review, I understand that design with decorator looks weird, I don't like it too. What do you suggest?18:39
dstanekAkshik: my example of a mostly working config https://review.openstack.org/#/c/151311/7/dsvm/federation/devstack/files/shibboleth2.xml18:39
gyeemorganfainberg, yeah, like dstanek said, meta data file config is not right18:39
morganfainberggyee, i hadn't looked at it, yet, still pre-coffee ;)18:39
Akshikdstanek, Thanks, will try removing the federation.org portion of it, is everything else in the file fine?18:40
*** henrynash_ has quit IRC18:40
gyeeAkshik, if you have the file locally, you can do this as well18:40
*** henrynash has joined #openstack-keystone18:40
*** ChanServ sets mode: +v henrynash18:40
dstanekamakarov: no idea, you should walk through the shib docs as they tell you what to do18:40
gyee<MetadataProvider type="XML" file="/etc/keystone/saml2_idp_metadata.xml"/>18:41
dstanekamakarov: does everything need to be called as a decorator?18:41
amakarovdstanek, shib docs?18:41
dstanekthis is what i get for whining about decorators :=-(18:41
dstanekamakarov: oops, not for you18:41
dstanekAkshik: : no idea, you should walk through the shib docs as they tell you what to do18:41
Akshikgyee, thanks, i will first try to remove the federation in the config file and give it a try18:41
dstanekAkshik: do you know what metadata file to use?18:42
amakarovdstanek, the other option is to expose _send_notification18:43
Akshikdstanek, the federation portion is already commented out18:43
dstanekAkshik: you need to have a metadata provider defined18:43
Akshikgyee, i have deleted the file backingFilePath="/tmp/testshib.xml" and when i restarted shibd18:44
Akshikthat file got generated, which means it's fetching it from the testshib right?18:44
Akshikdstanek, i have them below <MetadataProvider type="XML" uri="https://idp.testshib.org/idp/shibboleth"18:45
AkshikbackingFilePath="/tmp/testshib.xml" reloadInterval="180000"/>18:45
gyeeAkshik, you can tell from the file itself18:53
gyeeit has the IdP ID in it18:53
*** pdesai2 has joined #openstack-keystone18:53
Akshikgyee, this is the generated xml http://chunk.io/f/0d32318def5842149292623f2cdad5bf18:55
gyeeAkshik, see if the entityID matches your IdP endpoint18:55
gyeelooks fine18:56
gyeewhat error are you getting now?18:56
*** pdesai1 has quit IRC18:56
*** pdesai2 has quit IRC18:56
*** markvoelker has quit IRC18:58
*** pdesai has joined #openstack-keystone19:01
*** markvoelker has joined #openstack-keystone19:01
Akshikgyee, http://chunk.io/f/9f4a9a8758e94d48a7c944be1e0cbc5d19:04
Akshikthis is the error i get after restarting the shibd service19:04
openstackgerritMorgan Fainberg proposed openstack/keystone: Remove deprecated methods and functions in token subsystem  https://review.openstack.org/15138119:04
Akshikgyee, shibsp::ConfigurationException at (https://115.112.68.53:5000/Shibboleth.sso/SAML2/POST)19:11
AkshikNo MetadataProvider available.19:11
*** radez has quit IRC19:11
Akshikis my keystone error log http://chunk.io/f/a22345d8a4874839bf85812f95f4df9019:11
*** aix has quit IRC19:13
*** samueldmq-away has quit IRC19:14
*** stevemar has quit IRC19:15
gyeeAkshik, are you setting up K2K Federation or Keystone as SP?19:16
Akshiknot sure about K2K,19:16
*** stevemar has joined #openstack-keystone19:17
*** ChanServ sets mode: +v stevemar19:17
AkshikI'm trying to set up keystone with saml19:17
*** Akshik has quit IRC19:17
*** stevemar has quit IRC19:18
*** stevemar has joined #openstack-keystone19:18
*** ChanServ sets mode: +v stevemar19:18
*** _cjones_ has quit IRC19:20
mfischAnyone seen these odd db rollback failures? I think this is just when people are trying to get tokens (randomly)19:21
mfisch2015-02-27 12:01:00.153 13988 TRACE sqlalchemy.pool.QueuePool     dbapi_connection.rollback()19:21
mfisch2015-02-27 12:01:00.153 13988 TRACE sqlalchemy.pool.QueuePool OperationalError: (1047, 'Unknown command')19:21
*** csoukup has quit IRC19:22
mfischseems to happen in large batches and then quiet down19:22
*** amakarov is now known as amakarov_away19:22
*** nellysmitt has quit IRC19:23
*** _cjones_ has joined #openstack-keystone19:23
*** openstackgerrit has quit IRC19:24
*** openstackgerrit has joined #openstack-keystone19:24
*** csoukup has joined #openstack-keystone19:26
*** radez has joined #openstack-keystone19:35
*** fifieldt_ has joined #openstack-keystone19:36
*** gyee has quit IRC19:38
*** fifieldt has quit IRC19:40
*** pdesai has quit IRC19:44
*** mattamizer has joined #openstack-keystone19:45
morganfainbergmfisch, haven't seen that one before19:45
mfischthx morganfainberg19:46
*** samueldmq has joined #openstack-keystone19:48
*** mattamizer has quit IRC19:50
*** tqtran is now known as tqtran_afk19:50
*** barra204 has joined #openstack-keystone19:50
*** joesavak has joined #openstack-keystone19:50
*** himangi has quit IRC19:51
*** rm_work|away is now known as rm_work19:52
openstackgerritRodrigo Duarte proposed openstack/keystone: Add domain_id checking in create_project  https://review.openstack.org/15994419:55
*** barra204 is now known as shakamunyi19:56
openstackgerritRodrigo Duarte proposed openstack/keystone: Fixes the SQL model tests  https://review.openstack.org/15952120:01
*** samueldmq has quit IRC20:01
*** gordc has quit IRC20:07
*** markvoelker has quit IRC20:08
*** markvoelker_ has joined #openstack-keystone20:12
*** markvoelker_ has quit IRC20:16
*** joesavak has quit IRC20:29
*** csoukup has quit IRC20:30
*** _cjones_ has quit IRC20:34
*** csoukup has joined #openstack-keystone20:34
*** _cjones_ has joined #openstack-keystone20:34
*** _cjones_ has quit IRC20:36
*** _cjones_ has joined #openstack-keystone20:36
*** markvoelker has joined #openstack-keystone20:39
openstackgerritRodrigo Duarte proposed openstack/keystone: Add is_domain field in Project Table  https://review.openstack.org/15742720:40
openstackgerritRodrigo Duarte proposed openstack/keystone: Honor domain operations in project table  https://review.openstack.org/14376320:40
openstackgerritRodrigo Duarte proposed openstack/keystone: Change project name constraint  https://review.openstack.org/15837220:40
*** markvoelker has quit IRC20:45
morganfainberglbragstad: dolphm anything I can do to help token stuff along?20:47
morganfainbergstevemar: going to go through and address comments on cadf shortly.20:47
*** gordc has joined #openstack-keystone20:48
dolphmmorganfainberg: i'm working on 3 putting things into review today: docs, key rotation improvements, and the fernet rename20:49
dolphmmorganfainberg: i'd like to have functional tests for key rotation if you're interested in that20:49
dolphmmorganfainberg: current implementation has a subtle bug that dstanek caught :)20:49
morganfainbergdolphm: great. I'll look for them. I'll stage the devstack changes to let us get this into gate testing.20:49
dolphms/3 putting/putting 3/20:50
morganfainbergAs well.20:50
dolphmmorganfainberg: care if i jam that all into the one review, including the rename? or should that still be separate?20:50
dolphmi haven't started the rename yet20:50
morganfainbergThe rename I'd like separate. The rest can go in 120:50
dstanekdolphm: it may take a little longer to review if it's squashed20:50
morganfainbergJust so we aren't trying to track rename + stuff. But what dstanek said.20:51
dolphmmorganfainberg: ack20:51
morganfainbergActually docs and rename could be 1. The other improvements might want to be separate. But I'll review it in either case and not complain too much.20:51
*** markvoelker has joined #openstack-keystone20:52
dstanekmorganfainberg: don't worry i'll complain enough for the both of us!20:52
morganfainbergdstanek: oh cool let me just +2 it now without review then!:P20:53
*** karimb has joined #openstack-keystone20:57
*** joesavak has joined #openstack-keystone20:57
*** karimb has quit IRC20:59
stevemarmorganfainberg, trying to help with k2k for horizon :)20:59
*** karimb has joined #openstack-keystone20:59
*** lhcheng is now known as lhcheng_afk20:59
*** lhcheng_afk has quit IRC21:00
*** gyee has joined #openstack-keystone21:02
*** ChanServ sets mode: +v gyee21:02
morganfainbergstevemar, sounds good.21:03
*** raildo has quit IRC21:11
*** abhirc has quit IRC21:13
mfischmorganfainberg: someone was running hourly backups, the tables are getting locked and keystone gets angry21:14
mfischthe issue occurs at like 4:00, 5:01, 7, 10, 14, etc21:14
morganfainbergmfisch, sounds about right.21:14
*** thedodd has joined #openstack-keystone21:14
morganfainberglocking tables = icky21:14
morganfainbergthough i'd recommend they exclude the token table21:14
mfischI've reassigned the ticket, I keep telling everyone KS is flawless21:15
morganfainbergi bet that'll make things way faster21:15
morganfainberg;)21:15
morganfainbergmfisch, HAH21:15
morganfainbergwait... HAHAHAHA21:15
morganfainbergmfisch, also skip_lock on a mysqldump >.>21:15
morganfainbergor single transaction dumps..21:15
morganfainbergor do a dump from a read-only replica21:15
* mfisch assigns ticket to Morgan21:19
stevemarmfisch, good call21:19
mfischI say we should live on the edge, no backups21:23
mfischfail fast!21:23
mfischdb goes down just update linkedin21:24
*** nellysmitt has joined #openstack-keystone21:24
*** stevemar has quit IRC21:26
marekddoug-fish: hey, sorry, needed to head out immediately. So, looks like you are trying to scope the token not via federated workflow21:27
marekddoug-fish: today, with federation Keystone would never lookup user in database.21:27
doug-fishmarekd: okay that kind of makes sense ... I don't know the federated workflow - do you know offhand where I can find out more?21:28
marekdwell, there is everything in the code, but i am aware that is not super straightforward.21:29
*** nellysmitt has quit IRC21:29
marekddoug-fish: anyway, i'd track down what exactly is being sent to remote keystone21:30
marekdthat it treats user as a local one.21:31
*** joesavak has quit IRC21:31
marekddoug-fish: also, i don't fully remember - why are you calling get_access() ?21:31
doug-fishcopying related code that already exists for making the initial connection to keystone without a deep understanding21:32
doug-fishmarekd: your question makes me think it might be a mistake to call it?21:33
marekddoug-fish: :-)21:34
marekddoug-fish: essentially you want to find out accessible domains/projects, am I right?21:34
doug-fishyes - as a step toward getting a scoped token to one of the projects/domains21:34
doug-fishmarekd: my first expectation was that I'd be using some different auth plugin21:36
doug-fishmarekd: but I couldn't sort out one that was relevant for getting an unscoped token for an SP keystone after authenticating to the first keystone21:37
marekddoug-fish: i don't fully understand.21:40
marekddoug-fish: so, you authN with your local Keystone, where you user exists and has some roles21:40
*** lhcheng_afk has joined #openstack-keystone21:41
marekdlater, you exchange the token for SAML assertion21:41
marekdand use this saml assertion to get unscoped federated token issued by one of your remote Keystones.21:41
marekdthis is how you should do according to K2K workflow.21:41
doug-fishat a high level that makes sense and is what I intended21:41
*** sigmavirus24 is now known as sigmavirus24_awa21:42
doug-fishbut I couldn't sort out how to exchange the token for a SAML assertion without using new code to do it - hence the k2k.py file21:42
doug-fishbut that didn't seem right to me - shouldn't that be implemented in python-keystoneclient somehow?21:42
*** sigmavirus24_awa is now known as sigmavirus2421:43
doug-fishmarekd: also you use the terminology "exchange the token for SAML assertion", but that implies I can't use the token anymore - is that true?21:44
doug-fishI can use the token to create a saml assertion, but keep the token around too, right?21:44
marekddoug-fish: it should be implemented, but we're short on manpower :( And K2K was "under construction" until more or less now.21:45
flashgordonif any keystone folks have a moment, got a nova patch I would like some feedback on21:45
flashgordonhttps://review.openstack.org/#/c/147042/1121:45
morganfainbergflashgordon, ah that has been on my list to look at for a bit21:45
doug-fishmarekd: ah - this makes sense.  Maybe I can't find it because it isn't there?21:45
marekddoug-fish: true, but initially I think we were talking about something different, that's why I didn't tell you that.21:46
flashgordonmorganfainberg: if you want the short version see the bug https://bugs.launchpad.net/nova/+bug/140886521:47
openstackLaunchpad bug 1408865 in OpenStack Compute (nova) ""Ignoring EndpointNotFound: The service catalog is empty" error when init_host" [Low,In progress] - Assigned to wanghao (wanghao749)21:47
flashgordonbug explains the issue pretty well21:47
morganfainbergyeah looking at the bug first21:47
morganfainbergbecause the code didn't make sense right away21:47
flashgordonthe solution makes me cringe though21:47
marekddoug-fish: oh, i just recalled: http://blog.rodrigods.com/playing-with-keystone-to-keystone-federation/21:47
morganfainbergoh god21:47
morganfainbergreally?!21:47
flashgordonright21:47
*** arunkant has joined #openstack-keystone21:47
*** joesavak has joined #openstack-keystone21:47
morganfainbergi mean.. sure this looks like a stop gap21:48
doug-fishmarekd: yes - I think you've shared that link with me before -- I think the k2k.py code was based indirectly on that article21:48
marekddoug-fish: from your initial desc it looked like you had problems with tokens from *remote* Keystone21:48
morganfainbergflashgordon, we should probably make it so compute can get a catalog in a sane way... but that has other implications...21:48
morganfainbergflashgordon, because $scope$21:49
flashgordonright, so even if we can get the catalog21:49
flashgordonhaving nova keep admin credentials for cinder on hand sounds bad21:49
morganfainbergyeah you have no idea what endpoint you should be talking to.. what if Cinder1 is not cinder2, and the users' scope helps suss that out...21:50
morganfainbergugh.21:50
doug-fishmarekd: I think the code I've written gets valid unscoped token from the remote keystone, but it bypasses keystone client and uses k2k.py ...21:50
morganfainberguhm.21:50
flashgordonI think a better solution, is have nova fail more gracefully.21:50
flashgordonSo compute restarts in middle of delete21:50
morganfainbergflashgordon, i would support that21:50
flashgordondelete fails21:50
flashgordonand user has to retry21:50
flashgordonand leave it at that21:50
*** radez is now known as radez_g0n321:51
doug-fishmarekd: but I'm not able to sort out how I should be getting the projects from the remote keystone based on that unscoped token - I can see how to extend k2k.py to do that, but that just didn't seem right to me21:51
marekddoug-fish: just hit /auth/projects on that remote keystone  with your unscoped token21:52
flashgordonmorganfainberg: so i didn't fully get the part about scoped catalogs21:52
morganfainbergflashgordon, i *think* that is how AWS basically ends up working. *delete* and if it fails in a weird way you need to retry... you just need to make sure in the nova case the instance is in an off-state and recoverable to a user [e.g. can try a delete again]21:52
flashgordonwill different users possibly have different URIs in the catalog?21:52
flashgordonmorganfainberg: agreed, commented on the patch saying so21:52
doug-fishmarekd: yeah okay - I can do that!21:52
morganfainbergflashgordon, you can filter the catalog based on user's scope, so when i am scoped to project A i may have access to only endpoint X, where when on another project x,y,z endpoints21:52
marekddoug-fish: https://github.com/openstack/keystone-specs/blob/master/api/v3/identity-api-v3-os-federation-ext.rst#listing-projects-and-domains21:52
marekddoug-fish: sorry if i misled you at first, but from your desc it looked like you were having problems completely somewhere else.21:53
*** dims_ is now known as dimsum__21:53
morganfainbergflashgordon, and we're adding support to ensure that if a user doesn't have an endpoint in their token they are prevented (if this security feature is enabled) from interacting with the endpoint. [basically what RAX does, if you don't see the endpoint, you can't use it]21:53
morganfainbergflashgordon, obviously opt-in for enforcement.21:53
doug-fishmarekd: no worries - trying to describe what is going on has helped improve my understanding, and you've shared a lot of good information21:53
flashgordonmorganfainberg: ahh  so additional regions etc21:54
doug-fishwhat I really need is this document https://github.com/openstack/keystone-specs/blob/master/api/v3/identity-api-v3-os-federation-ext.rst#listing-projects-and-domains written in terms of keystoneclient instead of direct API calls21:54
doug-fishs/need/want21:54
*** lhcheng__ has joined #openstack-keystone21:54
morganfainbergor even that you want people who pay for $SSD-fast storage to have access to the endpoint that supports that, and people who don't can't use fast storage21:54
morganfainbergfor example21:54
morganfainbergif it's a totally different cinder or something21:55
flashgordonmorganfainberg: neat21:55
morganfainbergflashgordon, just responded to the review saying i concur with your comment21:56
openstackgerritEric Brown proposed openstack/python-keystoneclient: Use oslo_config choices support  https://review.openstack.org/16001821:56
*** lhcheng_afk has quit IRC21:57
flashgordonmorganfainberg: awesome, thanks for the consult :)21:58
morganfainberganytime21:58
*** barra204_ has joined #openstack-keystone22:02
*** shakamunyi has quit IRC22:03
*** mattfarina has quit IRC22:04
*** barra204_ has quit IRC22:07
*** barra204_ has joined #openstack-keystone22:08
*** nkinder has quit IRC22:08
*** karimb has quit IRC22:15
ayoungmorganfainberg, guess what:  Ran 1032 (+1030) tests in 10.337s (+10.302s)22:16
ayoungPASSED (id=1573, skips=3)22:16
morganfainbergayoung, holy crap! awesome :)22:16
ayoungmorganfainberg, yeah.   That means that this might be able to work as a replacement for the client side of auth info, but even if we hold off on that, it means the server side is pretty much right on22:17
ayoungI still need to pep 8 and split the patch22:17
ayoungthe JSON stuff was not a problem:  oslo handled it.  The old code was not using oslo22:17
morganfainbergah22:18
morganfainbergthat makes life easier22:18
openstackgerritDolph Mathews proposed openstack/keystone: Keystone Lightweight Tokens (KLWT)  https://review.openstack.org/14531722:18
ayoungyeah.22:18
ayoungdolphm, thought we were going to name them after the transport mech?22:18
dolphmmorganfainberg: lbragstad: dstanek: updated with docs & better key rotation ^22:18
dolphmayoung: that's the next patch i'm putting up, it'll be a discrete change22:19
ayoung++22:19
morganfainbergayoung, the point being not to try and chase renames with other fixes22:19
morganfainbergayoung. should make reviewing waaaaay better22:19
ayoungjust wanted to make sure it was still the plan22:19
dolphmayoung: i wrote a bunch of docs describing things in terms of payload & transport format though: https://review.openstack.org/#/c/145317/31/doc/source/configuration.rst22:19
dstanekdolphm: nice, i'll take a look after dinner22:19
dolphmmorganfainberg: dstanek: there's also an end-user explanation of key rotation in configuration.rst (linked above)22:20
dstanekperfects, thx22:21
*** thedodd has quit IRC22:21
openstackgerritDolph Mathews proposed openstack/keystone: Use revocation events for lightweight tokens  https://review.openstack.org/15841422:21
openstackgerritDolph Mathews proposed openstack/keystone: Implement KLWT for v2.0 tokens  https://review.openstack.org/15922922:22
*** jamielennox is now known as jamielennox|away22:23
openstackgerritMorgan Fainberg proposed openstack/keystone: Add in non-decorator notifiers  https://review.openstack.org/15860022:25
ayoungGAH!  Rebase errors22:27
ayoungFAILED (id=1577, failures=2 (-1), skips=322:27
morganfainbergayoung, race to rebase!22:27
ayoungsomebody change something on the endpoint definitions?22:28
morganfainbergayoung, yes. minor change.22:28
ayoungenough to break my patch22:28
morganfainbergayoung, we collapse services that match.22:28
morganfainbergso if you define compute twice, we would collapse those endpoints22:28
morganfainbergin ksc.22:28
ayoungwonder if I broke that22:28
morganfainbergwasn't you, it was the way we did session changes22:28
ayoungOK...I'll look later.  Back to two failing tests22:28
morganfainbergthat was what caused the ksc release yesterday22:29
morganfainbergwas actually breaking real users in production22:29
ayoungyeah...I'm sure I can deal with it.  Just need to go back and look...but now I need to go be dad.  access_info will have to wait22:29
morganfainbergnovaclient used to do that, and we said "oh just take the last entry in the catalog" whoops, that doesn't work22:29
morganfainbergayoung, sure. have a good evening!22:29
morganfainbergdolphm, btw, who do we complain at within RAX to make it clear that in the catalog if compute != compute things are not cool ;)22:30
*** jamielennox|away is now known as jamielennox22:30
morganfainbergdolphm, same thing with future looking changes (e.g. if someone defines a service more than once)22:30
dolphmmorganfainberg: ?22:30
morganfainbergdolphm, so legacy compute22:30
morganfainbergit's not nova22:31
dolphmwhat is the compute service22:31
dolphmoh, no it's not22:31
dolphmlegacy is pre-openstack22:31
morganfainbergbut it's defined in the RAX catalog as a separate entry that claims it is compute22:31
dolphmmorganfainberg: i'd start by complaining to lbragstad22:31
morganfainbergso you have [ type="compute" <--- Nova, type="compute" <-- legacy]22:31
dolphmtotally his fault22:31
morganfainberghaha22:31
morganfainbergobv.22:31
morganfainbergbasically i want to hunt down the right folks and make it clear that this is *not* good for users.22:32
morganfainbergso they don't do it again22:32
morganfainbergwe papered over it in ksc by making the catalog in-memory construct collapse those two entries...but god if someone tried to use the legacy endpoint when trying to get nova or vice versa22:32
morganfainbergick22:32
morganfainbergthat's just insanity22:32
morganfainbergto be fair, novaclient *used* to do just this before we moved them to session22:33
morganfainbergthis notably broke infra22:33
morganfainbergsince they have both legacy and nova22:33
openstackgerrithenry-nash proposed openstack/keystone: Implement backend driver support for domain config  https://review.openstack.org/15805122:34
jamielennoxdoug-fish: i'm not really here, but what's up?22:34
morganfainbergjamielennox, it's the weekend isn't it? :P22:34
* morganfainberg shoos jamielennox off to do weekend things.22:34
morganfainberg;)22:35
jamielennoxmorganfainberg: and i'm being told off for being on IRC on a saturday morning22:35
jamielennoxmorganfainberg: cause you can talk22:35
openstackgerrithenry-nash proposed openstack/keystone: Add support for whitelisting and partial domain configs  https://review.openstack.org/15867922:35
morganfainbergit's only 1435 on Friday here!22:35
doug-fishjamielennox: I've been working on K2K federation for Horizon .... I think Steve and Marek have answered my immediate questions, but after I process what they've shared I may have more.22:35
doug-fishjamielennox: I appreciate you checking in on the weekend!22:35
jamielennoxmorganfainberg: right, but it's not on those afternoons where i'm leaving and you're still talking to stevemar22:35
openstackgerrithenry-nash proposed openstack/keystone: Add API support for domain config  https://review.openstack.org/15875222:36
morganfainbergjamielennox, >>22:36
morganfainbergjamielennox, <<22:36
morganfainberg^_^22:36
*** _cjones_ has quit IRC22:36
jamielennoxdoug-fish: ok, let me know what you need, i don't have a good story for how k2k will work from client side yet22:36
openstackgerrithenry-nash proposed openstack/keystone: Enable use of database domain config  https://review.openstack.org/15967522:36
openstackgerrithenry-nash proposed openstack/keystone: Enable sensitive substitutions into whitelisted domain configs  https://review.openstack.org/15992822:37
jamielennoxok, commented on monty's thing, doug-fish doesn't need me - i'm out again, i think it's a beach day22:37
doug-fishjamielennox: will do!  have fun!22:38
*** _cjones_ has joined #openstack-keystone22:38
*** jamielennox is now known as jamielennox|away22:39
*** jamielennox|away is now known as jamielennox22:40
jamielennoxmorganfainberg: oh, yuk: https://review.openstack.org/#/c/15969022:41
jamielennoxbug 142618422:41
openstackbug 1426184 in Keystone "CONF.member_role_name isn't used for lookups" [Undecided,New] https://launchpad.net/bugs/142618422:41
*** mordred has joined #openstack-keystone22:41
mordredmorganfainberg: can you explain roles to me?22:41
morganfainbergmordred, in what manner?22:41
mordredbecause what I've gotten so far is "you can create a thing called a role, and you can add a user to that thing22:42
morganfainbergmordred, creation of them? consumption of them? assignment of them?22:42
mordredwell, you can add a user/project pair to that thing22:42
morganfainbergaye22:42
mordredok. but then making them do anything is in policy.json which are static files on the disk22:42
morganfainbergyes22:42
mordredmorganfainberg: are there any people who think this makes sense?22:43
morganfainbergor crazy custom policy stuff in code. [i think a couple projects do this too]22:43
morganfainbergno, including keystone people22:43
mordredok22:43
mordredbecause, and let me just go out on a limb here ...22:43
morganfainbergwe are working on getting policy 1st step: centralized in keystone and distributed22:43
mordredroles seem to be global per service defacto22:43
morganfainbergthen something a bit more dynamic so you can map these things in a sane way22:43
morganfainbergpolicy in that case is policy.json22:43
mordredas in, a role only matters if it has a matching entry in some service's policy setup22:43
morganfainbergyes.22:44
mordredso22:44
mordredwhy would an admin create one with an api call22:44
mordredwouldn't a service just tell keystone the roles it knows about when it connects?22:44
mordredsince it necessarily knows what roles it has?22:44
morganfainbergmordred, the hard part there is knowing all the roles it cares about22:44
mordredwhy?22:44
mordredit cares about all the roles in policy.json22:44
mordredand it cares about zero more roles22:44
morganfainberghow do i know how to add a role is nova [for instance] is down22:45
morganfainbergs/is/if22:45
mordredyou don't22:45
mordredyou don't need to22:45
mordredif nova is down22:45
mordredthen roles nova needs are pointless22:45
morganfainbergright but if i'm trying to assign a user a grant on a project so they can create VMs, and nova went down22:45
mordredoh - sorry22:45
mordredI'm not suggesting that22:46
morganfainbergah.22:46
mordredI'm suggesting - when nova boots, nova should run a for loop of "keystone role-create"22:46
mordredand same for every other service22:46
mordredit shouldn't be an admin task22:46
mordredthat's silly22:46
morganfainbergwe're thinking about this the other way: keystone is authoritative for both policy and the roles22:46
mordredthere are no things an admin can do that add value here22:46
morganfainbergso you can craft the policy/etc in keystone then have the services pull that down22:46
mordredsure - that is also a thing22:46
mordredbut having it be authoritative for half is crazy22:47
morganfainbergyes it is22:47
mordredok22:47
mordredas long as we all agree22:47
morganfainbergyep22:47
mordredbecause this admin step of "now add roles"22:47
mordredI mean22:47
mordredcome on22:47
morganfainberg100% agree with you22:47
morganfainbergso the steps to get there are: 1) centralize policy.json [raw form] in keystone, have services pull that down, 2) make policy something workable in keystone so it's more dynamic (still have services pull that down), 3) ???, 4) profit22:48
morganfainbergthese are liberty targets at this point. but there is little resistance towards that as far as i've heard22:49
morganfainbergactually the first step was graduating oslo.policy ;)22:50
morganfainbergso we can make the rules engine better and/or able to handle things in better ways.22:50
openstackgerritEric Brown proposed openstack/keystonemiddleware: Use oslo_config choices support  https://review.openstack.org/16003122:50
*** abhirc has joined #openstack-keystone22:51
mordredmorganfainberg: when the policy.json file is in keystone22:52
openstackgerrithenry-nash proposed openstack/keystone: Mark the domain config API as experimental  https://review.openstack.org/16003222:52
mordredmorganfainberg: does that mean that keystone could, you know, infer the list of roles contained within?22:52
morganfainbergyep that is one of the goals.22:52
mordredawesome22:52
mordredif it had not been one of the goals I would have been sad22:52
morganfainbergso you can ask: what can i do with role X22:53
morganfainbergor the inverse: to do X what role do i need22:53
morganfainbergbased on the coarse policy.json representation in the latter22:53
mordredcan I ask a stupid question?22:53
morganfainbergsure22:53
mordredwhat defines the X in to do X what role do I need?22:53
mordredsomewhere in the service there has to be a named capability, right?22:54
morganfainbergnova would have specific capabilities. this is where we get into some chicken egg issues22:54
*** lhcheng__ is now known as lhcheng22:54
morganfainbergyeah22:54
mordredmorganfainberg: I want to stop asking questions right now don't I?22:54
morganfainbergbut, i've opted to make the experience *generally* better and work on how we register that down the line.22:54
morganfainbergnah.22:54
mordredsure!22:54
mordredbetter is better22:54
morganfainbergthese are all things i've been annoyed by for a while22:54
morganfainbergand why we tried to have policy discussions @ paris :)22:55
morganfainbergbut big tent discussions pre-empted some of them22:55
mordrednod22:55
*** mattfarina has joined #openstack-keystone22:55
morganfainbergyour questions are all 100% in line with my view on stuff for making deployer and user experiences both better22:56
morganfainbergkeep asking if there is more to ask though ;)22:56
dolphmmordred: i think the original mistake is in keystone trying to "own" the concept of a role in the first place - it should just be a string in keystone. other services' authorization code (and really their policy.json files) is what really owns a role22:57
*** hichtakk has joined #openstack-keystone22:57
*** barra204_ has quit IRC22:57
dolphmmordred: but from where we are at, populating keystone with roles out of policy.json blobs probably the best move22:58
*** abhirc has quit IRC22:58
morganfainbergdolphm, i agree, none of the changes we're proposing would be broken by that inversion of responsibility, but it could also mean something else could own both. today that is hard because we owned role to begin with22:58
dolphm++22:58
*** spandhe has quit IRC22:58
*** joesavak has quit IRC22:59
morganfainbergso.. lets make the best of it and really own it :)22:59
morganfainbergthough i kind of dig what repose does for you guys... if only it wasn't java [for $reasons]23:00
*** nellysmitt has joined #openstack-keystone23:00
morganfainbergnot because i hate java, but because i'm tired of the language holy war other people keep bringing up.23:00
*** spandhe has joined #openstack-keystone23:02
henrynashdolphm: there's one additional high priority spec (domain-configs, see: https://blueprints.launchpad.net/keystone/+spec/domain-config-ext)....could we get it added to https://gist.github.com/dolph/651c6a1748f69637abd023:04
*** nellysmitt has quit IRC23:05
mordreddolphm, morganfainberg: ++23:06
morganfainberghenrynash, whats the review for that?23:06
*** jamielennox is now known as jamielennox|away23:06
morganfainberghenrynash, i can def. add it23:06
gyeelets ask Horizon folks how they feel about roles :)23:06
henrynashmorganfainberg: the code, you mean?23:06
morganfainbergthe review you want on the gist23:06
gyeeand having to parse policy.json files to setup a good UI23:07
henrynashmorganfainberg: to put a link to the blueprint or the code patches?23:07
morganfainberguh. the gist is handled via gerrit reviews23:07
morganfainberghenrynash, so if i star a review it's there23:08
morganfainbergso if we have a spec review i need to know which spec review to star :)23:08
henrynashmorganfainberg: so the review patches start at: https://review.openstack.org/#/c/157701/23:08
henrynash(it’s a chain)23:08
morganfainbergwe might need a FFE for this btw.23:08
morganfainberghenrynash, are there API reviews as well?23:09
henrynashmorganfainberg: API already merged23:09
morganfainbergok23:09
morganfainbergcool23:09
henrynashmorganfainberg: thx23:11
openstackgerritDolph Mathews proposed openstack/keystone: Rename "Keystone LightWeight Tokens" (KLWT) to "Fernet" tokens  https://review.openstack.org/16004023:12
dolphmmorganfainberg: lbragstad: ayoung: ^23:13
morganfainbergawesome23:13
bknudsonfurby tokens23:15
bknudsonhttp://en.wikipedia.org/wiki/Fernet ??23:15
bknudson"a bitter, aromatic spirit"23:15
morganfainbergbknudson, https://cryptography.io/en/latest/fernet/23:16
*** ljfisher has quit IRC23:16
bknudsonjust like dolphm23:16
morganfainbergbut i do like that it's named after a spirit23:16
morganfainberg:)23:16
morganfainbergthough fernet is gross to drink imo23:16
bknudsonhow about MultiFernet ?23:17
bknudsonare people going to think that fernet tokens don't support key rotation?23:17
*** jorge_munoz has quit IRC23:17
morganfainbergbknudson, dolphm has some documentation around that.23:17
*** doug-fish has left #openstack-keystone23:18
dolphmbknudson: we23:18
dolphmbknudson: we're only using MultiFernet23:18
dolphmbknudson: and yes, they're named after the spirit AFAIK. github.com/fernet23:19
bknudsondo you need to use fernet.generate_key() to get a key?23:19
bknudsonoh, it's just a os.urandom(32)23:20
bknudsonlooks like there is something special about 32 chars, too.23:20
bknudsonI'd prefer the renaming was done in the base patch... no reason to start with the wrong name.23:23
morganfainbergbknudson, easier to put the rename on the end at this point - so as to not interrupt/force a re-review of the code.23:25
bknudsonhttps://review.openstack.org/#/c/145317/31 has 0 reviews.23:26
bknudsonand I think reviewers can handle a name change.23:26
morganfainbergbknudson, no but we've been reviewing that a lot and have a state of where it's at23:26
morganfainbergwhen you introduce a restructure it changes that and forces a lot more re-review time23:27
bknudsonok... it's easy to review the name change patch, too.23:27
morganfainbergthe fact that it's 31 patches means it's already had a ton of re-review. isolating the name change means you only need to review the name change to make sure it's right :)23:27
bknudsonhopefully it won't take weeks to get the name change merged.23:28
morganfainberggod, i hope not23:28
morganfainbergconsidering we're at the deadline..23:28
bknudsonI should have posted all my changes at the end of the release then I wouldn't have to rebase as much.23:28
morganfainbergnext cycle if i'm PTL we're moving back to m2 as the feature freeze. this hasn't been fun to cram everything into m323:28
morganfainbergi'd like m3 to be just features that actually slipped and making sure we don't have bugs.23:29
morganfainbergand a lot of this is because we crammed everything into m323:30
bknudsonthere's only so much time for doing reviews.23:31
morganfainbergi know.23:31
morganfainbergtoo many features and not enough reviewing.23:32
morganfainbergand everything crammed into a very short window.23:32
morganfainbergmakes m3 very very unfun23:32
bknudsonThe nova team has been trying different things... not sure if they're working or not.23:32
morganfainbergat least for me.23:32
morganfainbergdunno how much it's impacted everyone else [except rebase hell]23:32
*** gordc has quit IRC23:32
bknudsone.g., runways and requiring cores to sponsor.23:32
bknudsonit'll impact everyone who thought their bp would be in the release.23:33
morganfainbergi mean so far. obviously things punted affect people23:33
bknudsonright, they'll be affected eventually... might come as a surprise to them.23:34
morganfainbergi think we were better with the earlier deadlines, less surprise when things don't land.23:34
morganfainberghonestly i think the spec process is using the wrong tool for the job.23:35
bknudsonmorganfainberg: also, just checking if the gist link for high-priority reviews is up to date?23:35
morganfainbergbut its still better than lp23:35
morganfainbergbknudson, yeah it's up-to-date23:35
morganfainbergi removed anything that wasn't still targeted to kilo23:35
bknudsonthe spec process is lacking reviews just like the code... took too long to get approval.23:36
morganfainbergthe issue is git is a very poor tool for specs23:36
bknudsonI didn't prioritize reviews of specs because I care more about bug fixes.23:36
morganfainbergand the review process isn't good for that kind of collaboration23:36
bknudsonthe mid-cycle or the summit are likely the best place for spec discussions.23:37
morganfainbergthat's why i'm planning on [again provided i'm ptl]23:37
*** dims_ has joined #openstack-keystone23:37
morganfainbergmaking m1 the spec deadline, making the summit spec discussions23:37
*** carlosmarin has quit IRC23:37
morganfainbergopening specs to be accepted for L once k3 is cut23:37
morganfainbergand m2 is feature freeze, m2 -> m3 is bugs/smooth out the features23:38
*** dimsum__ has quit IRC23:38
morganfainbergm3 -> rc is focus on bugs/usability concerns from m1,2,323:38
bknudsonmaybe we'll get out of the integrated release then we can add features whenever we want.23:38
*** dims_ has quit IRC23:39
morganfainbergbknudson, that's another separate topic i can't plan for yet ;)23:39
*** dimsum__ has joined #openstack-keystone23:39
morganfainbergbknudson, so planning for the workflow we have until that changes.23:39
*** _cjones_ has quit IRC23:40
*** _cjones_ has joined #openstack-keystone23:41
notmynameI've got a keystone deployment question. hoping someone can help23:42
morganfainbergnotmyname, /me goes and hides :P23:42
morganfainbergnotmyname, ask away :)23:42
notmynameheh23:42
bknudsonI thought keystone was just some source code in git... people deploy it?23:43
notmynameso suppose I have multiple independent keystone deployments. and they all point to the same cloud infrastructure. how does that work? how have other people handled that?23:43
notmynamebknudson: lol23:43
morganfainbergnot sure what you're asking23:44
notmynameis there any way that multiple keystone instances can cooperate?23:44
morganfainberglike 3 different keystones [with different databases, etc] and the same nova-apis controlled by them?23:44
notmynameyes23:45
notmyname(or swift in my case, of course ;-)23:45
morganfainbergnot in the current design scope to have different keystones23:45
notmynamewhat's the barrier?23:45
notmynameor limitation?23:45
morganfainbergthe database ;)23:45
morganfainberghow tokens are validated23:45
notmynameI don't understand23:45
morganfainbergthat's the real limiting factor23:45
bknudsonwe'll have keystone-to-keystone federation.23:45
morganfainbergwe have k2k federation to help with that, but it's pretty new [not workable in juno]23:46
bknudsonso you can take a token from keystone1 and use it to get a token in keystone2.23:46
morganfainbergbknudson, but that isn't what was asked, i don't think23:46
morganfainbergtoday nova can accept tokens from 1 keystone.23:46
notmynameya, I don't think that's exactly what's needed23:46
bknudsonoh, right... auth_token middleware doesn't know the source of the token.23:47
bknudsonespecially in the case of UUID23:47
morganfainbergk2k federation allows you to use 1 keystone to get a token for another, but it doesn't allow multiple independent keystones to directly control a specific api23:47
morganfainbergso you'd need to keep the databases in sync between the keystones.23:47
bknudsonmaybe with fernet tokens you can share them?23:48
notmynamein this case, I've got a customer (actually more than one) with existing multiple independent keystones running. they want to unify a global swift deployment, but they want to keep the multiple keystone instances (they may be different departments or business units)23:48
morganfainbergbknudson, still need the assignment data shared23:48
morganfainbergbknudson, and identity data likely23:48
morganfainbergnotmyname, today not doable.23:48
morganfainbergnotmyname, without some highly custom validation middleware23:48
notmynameso that you can get creds from a keystone ("your keystone") and send it to a swift endpoint23:48
bknudsontell your customers they're high.23:48
notmynameyou're saying it's a limitation of the auth_token middleware?23:49
morganfainbergnotmyname, a "global deployment" with "whatever auth endpoints I like" is kind of a crazy request23:49
bknudsonauth_token is one place that this could be handled.23:49
morganfainbergauth_token would need to know how to determine where a token came from23:49
morganfainbergso it could ask the right endpoint to validate it23:49
notmynameok23:50
morganfainbergespecially with UUID tokens - that is almost impossible, since the token has 32 characters that are opaque to that23:50
bknudsony, that could be through a slightly longer token with a prefix or maybe with PKI tokens.23:50
notmynameone thing I've been thinking is multiple instances of middleware in the pipeline23:50
notmynameok23:50
notmynameso it (auth_token middleware) doesn't know where to validate it so it can't differentiate it23:50
morganfainbergnotmyname, it would be a lot of overhead - a lot, since now i need to potentially ask each keystone if something is valid23:50
notmynamein swift we've got the concept of23:51
*** hockeynut has quit IRC23:51
bknudsonlots of overhead, but PKI tokens might be doable.23:51
notmynamein swift we've got the concept of "reseller prefixes". that allows for multiple auth systems without having to query each one23:51
morganfainbergbknudson, pki or fernet could make this doable23:51
bknudsonof course, PKI tokens are lots of overhead.23:51
morganfainbergnotmyname, sure. you could make auth_token smarter on that kind of front, but it's not something we've designed anything for really23:51
*** hockeynut has joined #openstack-keystone23:52
notmynameso, the request coming in with a token (uuid token) has a swift account in the request. which has the reseller prefix. which means I can point to a different keystone config23:52
morganfainbergnotmyname, this sounds highly swift specific23:52
morganfainbergtrying to figure out how this would apply to a nova, and i'd be scared23:52
notmynameya, that's something that the keystonemiddleware (in swift's tree) can do23:52
morganfainbergnotmyname, it also potentially could open massive security issues23:52
morganfainbergnotmyname, because all i need to do is make my keystone validate things in a weird way [assuming it's not all controlled by 1 group]23:53
morganfainbergand now i grant access where it's not supposed to happen23:53
bknudsony, sending tokens to an untrusted server essentially gives them access to your cloud.23:53
morganfainbergbknudson, ++23:53
notmynameno, it would be the swift cluster configs that control where it's validating (ie 1:1 reseller prefix to endpoint)23:54
morganfainbergnotmyname, the reason we designed k2k federation the way we did to make you get a token local to that deployment is to ensure we trust the tokens/control the issuance23:54
notmyname(or that's why it's not a security issue for other systems)23:54
notmynameok, this has helped a lot. thanks23:54
bknudsonso you've got your swift auth_token... then you'd need an option for keystone to prefix tokens.23:54
morganfainbergbknudson, in fernet/uuid yes, in pki you could decode and extract information23:55
notmynameright. the keystone auth_token middleware doesn't know about these things and would need to differentiate somehow23:55
notmynamewhich it can't do now23:55
bknudsonmorganfainberg: you can extract fernet, right?23:55
morganfainbergbknudson, no, it's encrypted/opaque23:56
bknudsonauth_token has the secret?23:56
notmynamenow, follow-on question (and totally serious). if I (we, swiftstack) were to want to write that for keystone, is it something possible or pretty much a non-starter?23:56
bknudsonoh.23:56
morganfainbergbknudson, but the msgpack underpinnings can be leveraged with a non-opaque transport like pki23:56
bknudsonconsidering the size of the code change I don't see why not.23:56
bknudsonwe've got worse things in keystone.23:56
morganfainbergnotmyname, my biggest concern is security - as long as we walk through that in sane ways and solve issues that come up i'd be ok with it.23:57
notmynameok, good to know23:57
morganfainbergnotmyname, the concept in itself isn't bothering me. but i'd want to really spend some time making sure we don't open holes.23:57
notmynameof course23:57
notmynameI don't currently know enough about auth_token middleware to know the scope of the work23:57
morganfainbergit likely also would require some work in keystone [minimal] to provide a clear identifier on who signed/authorized things23:58
notmynamewhat do you think. assuming no huge issues uncovered. is this measured in weeks?, months? quarters? of dev time23:58
bknudsonyou could wrap auth_token.23:58
morganfainbergnotmyname, uhm. changes to middleware tend to be easy.23:58
bknudsone.g., the wrapper checks the prefix and only passes the request to the auth_token if it matches.23:58
morganfainbergbknudson, it could also just be another middleware that handles the first stage and then passes the data on to auth_token23:58
notmynamemorganfainberg: ya, but it's the tentacles into other parts that are tricky ;-)23:58
notmynamebknudson: interesting23:59

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!