Saturday, 2015-02-28

« Friday, 2015-02-27 Index Sunday, 2015-03-01 »
bknudsonso if you're willing to carry the wrapper then all you need from us is the token prefixing in keystone... that's like a 20 line change.00:00
*** henrynash has quit IRC00:00
notmynameinteresting. ok, thanks!00:01
notmynamebknudson: morganfainberg: thanks. I'll think on it and see what we come up with00:02
bknudsonjust don't use a prefix of MII00:04
bknudsonor whatever the prefix is for fernet tokens now.00:04
*** bknudson has quit IRC00:05
*** markvoelker has quit IRC00:07
*** markvoelker has joined #openstack-keystone00:08
*** markvoelker has quit IRC00:10
*** markvoelker_ has joined #openstack-keystone00:10
*** csoukup has quit IRC00:12
*** spandhe has quit IRC00:12
*** sigmavirus24 is now known as sigmavirus24_awa00:13
*** markvoelker_ has quit IRC00:13
*** browne has quit IRC00:15
*** spandhe has joined #openstack-keystone00:15
*** david-lyle is now known as david-lyle_afk00:16
*** _cjones_ has quit IRC00:17
*** raildo has joined #openstack-keystone00:20
*** abhirc has joined #openstack-keystone00:34
*** _cjones_ has joined #openstack-keystone00:37
*** spandhe has quit IRC00:37
*** abhirc has quit IRC00:40
*** diegows has quit IRC00:40
*** spandhe has joined #openstack-keystone00:43
notmynamebknudson isn't here00:53
notmynamelooks like for now, we're going for the "wrap auth token middleware" approach. seems fairly small in scope and works for many use cases00:54
*** raildo has quit IRC00:55
*** nellysmitt has joined #openstack-keystone01:01
*** csoukup has joined #openstack-keystone01:04
*** nellysmitt has quit IRC01:06
*** davechen has joined #openstack-keystone01:08
*** spandhe has quit IRC01:11
*** abhirc has joined #openstack-keystone01:12
*** _cjones_ has quit IRC01:12
*** abhirc has quit IRC01:13
*** hichtakk has quit IRC01:13
*** hichtakk has joined #openstack-keystone01:13
*** diegows has joined #openstack-keystone01:13
*** _cjones_ has joined #openstack-keystone01:16
*** flashgordon is now known as jogo01:18
*** _cjones_ has quit IRC01:38
*** abhirc has joined #openstack-keystone01:46
openstackgerritMorgan Fainberg proposed openstack/keystone: Add in non-decorator notifiers  https://review.openstack.org/15860002:02
openstackgerritMorgan Fainberg proposed openstack/keystone: Get initiator from manager and send to controller  https://review.openstack.org/15566002:02
openstackgerritMorgan Fainberg proposed openstack/keystone: Add CADF notifications for trusts  https://review.openstack.org/15186702:03
openstackgerritMorgan Fainberg proposed openstack/keystone: WIP - add cadf notifications for oauth  https://review.openstack.org/15904502:03
*** stevemar has joined #openstack-keystone02:08
*** ChanServ sets mode: +v stevemar02:08
*** gyee has quit IRC02:09
stevemarmorganfainberg, yay for k3 coming up02:10
morganfainbergstevemar, =/02:11
morganfainbergstill a ton to land02:11
stevemaryup02:11
morganfainbergi honestly don't know if henry's thing or x509 will land02:11
morganfainbergjust looking at issues with them02:11
morganfainbergand we still need to get the SP fix in02:12
morganfainbergstevemar, https://review.openstack.org/#/c/159922/02:12
morganfainbergand honestly i am worried about reseller landing02:13
stevemarmorganfainberg, yeah, reseller for sure02:15
stevemarand henrys thing02:15
*** erkules_ has joined #openstack-keystone02:16
*** csoukup has quit IRC02:16
stevemarthe x509 one isn't too bad, it has benefited by being up earlier02:16
morganfainbergoh that one also just got all cleaned up02:16
stevemarthe list performance improvements is just too much to review as well02:16
morganfainbergpassing gate02:16
morganfainbergthats a plus02:17
stevemar\o/02:17
morganfainbergerm check02:17
stevemarfound a few nits02:17
stevemaron the spec one02:17
morganfainbergmarek's?02:17
morganfainbergthings that are worth blocking it?02:17
*** erkules has quit IRC02:19
stevemarmorganfainberg, maybe? i wouldn't mind pushing a new patch of his and +2'ing it. But if you want to be faster, we can do a follow on patch02:19
morganfainbergi'd rather it land if it's nits02:20
morganfainbergnits should be cleanup after not justification to hold a patch up.02:20
stevemarmorganfainberg, take a look @ the comments tell me if you think they are nits, i think so02:20
morganfainbergif it would hold the patch up, it's not a nit ;)02:20
morganfainbergSAML2 is a nit, the o.o is a nit02:22
morganfainbergthe other one is probably not.02:22
morganfainbergoh wait02:22
morganfainbergyeah it probably is.02:22
stevemaryeah, they are, i can submit a follow on patch02:22
morganfainbergyeah lets do that02:22
openstackgerritMerged openstack/keystone-specs: Add service_providers to the documentation  https://review.openstack.org/15992202:28
morganfainbergstevemar, if we land https://review.openstack.org/#/c/151381/ then we can close another bp out02:31
morganfainbergactually https://review.openstack.org/#/c/151381/ and the eventlet one.02:31
morganfainbergoh no nvm eventlet one doesn't apply here02:31
morganfainbergyeah just that one.02:32
morganfainbergalso it's -150 lines ;)02:32
morganfainberg+002:32
*** flaviof has quit IRC02:33
openstackgerritSteve Martinelli proposed openstack/keystone-specs: Fix nits from 159922  https://review.openstack.org/16006502:34
morganfainbergactually02:34
morganfainbergi tthink the 3rd nit was wrong there stevemar02:35
morganfainbergsince the SP would reference *your* IDP02:35
morganfainbergwhich is ACME02:35
morganfainbergfor the auth_url, right?02:35
* morganfainberg 's brain sudeenly hurts.02:36
stevemarmorganfainberg, oh man, now my brain hurts...02:36
morganfainbergright?02:36
stevemarno, it's where you would send your saml assertion02:36
stevemaroh yeah02:36
stevemaryou are right02:36
morganfainbergright but.. i02:36
morganfainbergyeah it's not.. ouch :(02:36
* morganfainberg 's brain explodes02:36
stevemarthe "idp" is still the original dude, acme02:37
morganfainbergyeah02:37
morganfainbergthough the ID could be beta02:37
stevemar(it's actually not acme, but whatever"02:37
stevemaryes02:37
*** rwsu is now known as rwsu-afk02:38
openstackgerritSteve Martinelli proposed openstack/keystone-specs: Fix nits from 159922  https://review.openstack.org/16006502:38
stevemar^02:38
morganfainbergbetter02:38
stevemarthat made more sense in my head02:38
stevemarthe 'acme' & 'ACME' was a bad move02:39
stevemarlooks like a few other things that need to be removed02:43
*** alex_xu has quit IRC02:48
*** alex_xu has joined #openstack-keystone02:48
*** Akshik has joined #openstack-keystone02:49
*** alex_xu has quit IRC02:54
*** hichtakk has quit IRC02:54
stevemarmorganfainberg, i'm pushing a few more patches for removing deprecation stuff02:55
morganfainbergstevemar, oh we have more? i thought i caught them.02:55
morganfainbergyes please02:56
stevemarnah, 2 more02:56
morganfainbergcool. lets kill them02:56
morganfainbergburn it with fire :)02:56
morganfainbergno lingering deprecation junk02:56
openstackgerritSteve Martinelli proposed openstack/keystone: Remove KVS backend for revocation api  https://review.openstack.org/16006702:57
stevemarmorganfainberg, ^02:57
morganfainbergoh uhm02:58
morganfainbergi think we undeprecated that >.< or were supposed to02:58
morganfainbergi *think*02:58
*** diegows has quit IRC02:59
*** richm has quit IRC03:00
stevemaroh?03:00
morganfainbergyeah poke ayoung on that one03:02
*** nellysmitt has joined #openstack-keystone03:02
morganfainbergplz03:02
stevemarsure03:02
stevemarmorganfainberg, what about the 'revoke_by_expiration' bit?03:02
stevemar-    @versionutils.deprecated(as_of=versionutils.deprecated.JUNO,03:03
stevemar-                             remove_in=0)03:03
stevemar-    def revoke_by_expiration(self, user_id, expires_at,03:03
morganfainbergremove_in=0 means never remove03:03
stevemarwelp03:03
stevemarpfft03:03
stevemarFINE03:03
stevemar:P03:03
morganfainbergNO PADDING YOUR STATS THIS TIME *muahahahah*!03:04
morganfainberg;)03:04
*** alex_xu has joined #openstack-keystone03:04
*** alex_xu has quit IRC03:05
*** alex_xu has joined #openstack-keystone03:07
*** alex_xu has quit IRC03:07
*** nellysmitt has quit IRC03:07
*** tqtran_afk has quit IRC03:07
*** Akshik has quit IRC03:08
stevemarbut it was a legit patch :(03:09
stevemari followed the comments in the code03:09
stevemarmorganfainberg, btw - https://review.openstack.org/#/c/142573/ i think is ready03:09
stevemarmarek addressed the comments i had made03:10
stevemarmorganfainberg, err there is also https://review.openstack.org/#/c/159347/4 and it's follow on patches03:12
morganfainbergok re-reading it again03:13
morganfainbergactually i need food.03:13
morganfainbergi'll re-read post füd03:13
stevemarsounds good03:14
stevemari need to review other stuff and things03:14
morganfainberggreat.. cinder bug is blocking things up looks like03:15
morganfainberghttp://logs.openstack.org/17/145317/31/check/check-tempest-dsvm-neutron-full/aa35d56/console.html#_2015-02-28_03_09_29_56203:15
*** alex_xu has joined #openstack-keystone03:16
*** alex_xu has quit IRC03:17
*** alex_xu has joined #openstack-keystone03:21
*** alex_xu has quit IRC03:23
*** alex_xu has joined #openstack-keystone03:24
*** Krast has quit IRC03:44
stevemarlhcheng is having some trouble with osc patches03:48
lhchengstevemar: I got the  change-Id switched on my two patches lol03:51
lhchengstevemar: easy one for you: https://review.openstack.org/#/c/159207/03:53
stevemarlhcheng, easy you say03:54
stevemari thought i reviewed this one03:54
lhcheng0 line change03:54
stevemari *think* it's okay to review03:54
stevemarerr to delete03:54
lhchengthis beats my old record of one-character change patch03:55
stevemarlhcheng, hmm actually03:56
dolphmthere's a lot of references to tmp in tests03:57
stevemaryeah03:57
stevemari am seeing that03:57
stevemarand .gitkeep marks it as 'don't delete me bro'03:57
lhchengweird, how come the test passes03:57
dolphmbecause we have more than one now :) this is probably redundant03:58
lhchenglol03:58
dolphmstevemar: ^ keystone/tests/unit/tmp/03:59
stevemaryep03:59
stevemardolphm, commented on it03:59
stevemardolphm, qq for ya03:59
dolphmstevemar: yeah but then i kicked the gate03:59
stevemarwhats the policy on mucking around with old migration scripts? https://review.openstack.org/#/c/159803/04:00
dolphmstevemar: do you want to +2 or should i remove the +A?04:00
stevemardolphm, ha04:01
stevemari'll +204:01
dolphmstevemar: the preferred approach is to add a new migration because people would have already run the broken ones04:01
stevemarif it bites us in the ass, we can revert04:01
dolphmstevemar: unless a migration is truly broken04:01
dolphmstevemar: in this case, there's probably also a default we should be setting somewhere so the *new* (unwritten) migration wouldn't have any effect on new deploys04:02
morganfainbergstevemar: what dolphm said04:04
morganfainbergFor cd environments "fixing" a migration might break them horribly.04:04
morganfainbergS/might/probably will.04:05
morganfainbergstevemar: fwiw, id -2 that as it sits.04:06
dolphmmorganfainberg: i think that "fix" is fine though - we just need another migration to supplement04:06
dolphmmorganfainberg: really?04:06
morganfainbergWithout the follow up migration.04:06
stevemar-2 is the right call04:06
dolphmmorganfainberg: as ayoung would say: necessary but not sufficient04:06
stevemarbut he didn't know any better04:06
stevemarthis patch needs eyes: -204:06
stevemarerr04:06
stevemarhttps://review.openstack.org/#/c/152156/1604:06
morganfainbergdolphm: and ++ for follow up migration landing at the same time.04:07
stevemarugh it's not targeted04:07
morganfainbergAnyway.04:09
morganfainbergdolphm: I'd minus 2 if it had had a +2. Sorry wasn't clear.04:10
morganfainbergTo make sure it got eyes. Since t has lots of -1 and no +2 it's fine.04:10
* morganfainberg is looking forward to Friday of next week.04:13
morganfainbergNo more milestone3 hell. ;)04:14
lhchengdolphm: I don't see the tmp directory in https://github.com/openstack/keystone/tree/master/keystone/tests/unit04:24
lhchengbut I do see it in my local04:24
lhchengmaybe it is created if it doesn't exists04:25
stevemarmorganfainberg, ha, you think that'll make a difference04:31
morganfainbergWait wut?!04:32
stevemaryou think all those things are going to go in by friday?!04:32
morganfainbergNo.04:32
morganfainbergBut k3 will be cut by then.04:33
morganfainbergSo, people will cry, but things will be fairly set for kilo.04:33
morganfainbergAlso. I'm in NYC next week. So looking for a place.  Maybe I'll have a move to the east coast day by then.04:34
stevemarmorganfainberg, bump this guy to keystone-next?04:34
stevemar* morganfainberg is looking forward to Friday of next week.04:34
stevemar<morganfainberg> No more milestone3 hell. ;)04:34
stevemar<lhcheng> dolphm: I don't see the tmp directory in https://github.com/openstack/keystone/tree/master/keystone/tests/unit04:34
stevemar<lhcheng> but I do see it in my local04:34
stevemar<lhcheng> maybe it is created if it doesn't exists04:34
stevemar<stevemar> morganfainberg, ha, you think that'll make a difference04:34
stevemar<morganfainberg> Wait wut?!04:34
stevemar<stevemar> you think all those things are going to go in by friday?!04:34
stevemar<morganfainberg> No.04:34
stevemar<morganfainberg> But k3 will be cut by then.04:34
stevemarffs04:34
morganfainbergstevemar: really?04:34
stevemari am copy/paste/failing today04:34
stevemarsorry04:34
morganfainberg:P04:34
stevemari meant, bump this guy? https://blueprints.launchpad.net/keystone/+spec/tests-on-rdbmses04:34
morganfainbergI'm two glasses of chianti in.04:35
morganfainbergOh yeah kilo next.04:35
morganfainbergThat's test things. It lands when it lands.04:35
stevemarjust double checking04:35
stevemarmorganfainberg, here for meeting on tuesday?04:37
morganfainbergYep will be.04:37
morganfainbergGoing to the board meeting in NYC while I'm there.04:37
morganfainbergBut I expect to be around for our normal meeting things.04:38
openstackgerritMerged openstack/keystone: Remove unused tmp directory in tests  https://review.openstack.org/15920704:52
*** dimsum__ has quit IRC04:58
morganfainbergstevemar: fwiw, Nutella, banana and strawberries on a pizza. If this is wrong, I don't want to be right.04:59
*** hockeynut has quit IRC05:03
*** nellysmitt has joined #openstack-keystone05:03
*** hockeynut has joined #openstack-keystone05:06
*** nellysmitt has quit IRC05:08
stevemarmordred, that is very wrong05:10
morganfainbergstevemar, no it's *very* right05:14
morganfainbergstevemar also mo<tab> fail ;)05:14
stevemarmorganfainberg, oh yep05:20
stevemartotes05:20
morganfainbergi keep wondering if i should permanently move to "needscoffee" as my nick to solve this issue05:20
stevemarmorganfainberg, theres another 'mor'<tab> too05:21
stevemari suspect stevemar isn't any better05:21
morganfainbergyeah mor<tab> doesn't work either05:21
morganfainbergst<tab> works05:21
morganfainbergat least here05:21
*** fifieldt_ has quit IRC05:23
*** stevemar has quit IRC05:42
*** tqtran_afk has joined #openstack-keystone05:56
*** dimsum__ has joined #openstack-keystone05:59
*** dimsum__ has quit IRC06:04
*** himangi has joined #openstack-keystone06:28
*** stevemar has joined #openstack-keystone06:58
*** ChanServ sets mode: +v stevemar06:58
*** nellysmitt has joined #openstack-keystone07:04
*** nellysmitt has quit IRC07:08
*** tqtran_afk has quit IRC07:23
*** himangi has quit IRC07:47
*** pnavarro_ has joined #openstack-keystone07:49
*** himangi has joined #openstack-keystone07:53
*** pnavarro_ has quit IRC08:08
*** nellysmitt has joined #openstack-keystone09:01
*** lhcheng_ has joined #openstack-keystone09:04
*** lhcheng_ has quit IRC09:06
*** lhcheng_ has joined #openstack-keystone09:07
*** lhcheng has quit IRC09:07
*** lhcheng_ has quit IRC09:12
*** stevemar has quit IRC09:18
*** davechen has quit IRC09:52
*** himangi has quit IRC09:57
*** nellysmitt has quit IRC10:15
*** henrynash has joined #openstack-keystone11:00
*** ChanServ sets mode: +v henrynash11:00
openstackgerrithenry-nash proposed openstack/keystone: Implement backend driver support for domain config  https://review.openstack.org/15805111:27
openstackgerrithenry-nash proposed openstack/keystone: Add support for whitelisting and partial domain configs  https://review.openstack.org/15867911:29
openstackgerrithenry-nash proposed openstack/keystone: Add API support for domain config  https://review.openstack.org/15875211:30
openstackgerrithenry-nash proposed openstack/keystone: Enable use of database domain config  https://review.openstack.org/15967511:30
openstackgerrithenry-nash proposed openstack/keystone: Mark the domain config API as experimental  https://review.openstack.org/16003211:32
openstackgerrithenry-nash proposed openstack/keystone: Enable sensitive substitutions into whitelisted domain configs  https://review.openstack.org/15992811:32
*** henrynash has quit IRC11:36
*** henrynash has joined #openstack-keystone11:48
*** ChanServ sets mode: +v henrynash11:48
*** henrynash has quit IRC12:36
*** dimsum__ has joined #openstack-keystone13:16
*** jaosorior has quit IRC14:22
*** krtaylor has quit IRC14:41
*** krtaylor has joined #openstack-keystone14:53
*** pnavarro_ has joined #openstack-keystone15:03
mordredif I'm applying roles to user/projects - is there _Any_ situation in which I'd have a different domain value for the user and the project?15:07
mordredI mean, I know that users and projects each have a domain15:07
mordredbut for sanity, I should be able to assume for a transaction that they are the same, yeah?15:07
*** david-lyle_afk has quit IRC15:20
*** david-lyle_afk has joined #openstack-keystone15:20
*** karimb has joined #openstack-keystone15:23
*** david-lyle_afk has quit IRC15:25
*** alex_xu has quit IRC15:35
*** alex_xu has joined #openstack-keystone15:36
*** fifieldt has joined #openstack-keystone15:39
*** alex_xu has quit IRC15:53
*** Akshik has joined #openstack-keystone15:57
*** joesavak has joined #openstack-keystone16:03
*** alex_xu has joined #openstack-keystone16:03
*** jsavak has joined #openstack-keystone16:04
*** joesavak has quit IRC16:08
*** himangi has joined #openstack-keystone16:12
ayoungAkshik, ask questions like that in here.  I'm not really working this morning, but others can help you, too16:20
ayoungyou posted http://chunk.io/f/a22345d8a4874839bf85812f95f4df9016:21
Akshikayoung, Thanks16:22
ayoungAkshik, But I don't see anything Keystone specific in there16:22
ayoungyou are trying to do a Federated setup? Akshik16:23
*** Akshik has quit IRC16:23
ayoungtestshib  ... I assume that is the public test Shibboleth instance ?16:23
* ayoung has left the shibbolth stuff to others16:23
*** Akshik has joined #openstack-keystone16:26
*** jsavak has quit IRC16:50
*** joesavak has joined #openstack-keystone17:18
*** karimb has quit IRC17:20
*** henrynash has joined #openstack-keystone17:30
*** ChanServ sets mode: +v henrynash17:30
*** fifieldt has quit IRC17:46
*** nellysmitt has joined #openstack-keystone17:53
*** nellysmitt has quit IRC17:54
*** nkinder has joined #openstack-keystone18:00
*** dimsum__ has quit IRC18:03
*** Akshik has quit IRC18:11
*** Akshik has joined #openstack-keystone18:11
*** Akshik has quit IRC18:12
*** samueldmq has joined #openstack-keystone18:24
*** jorge_munoz has joined #openstack-keystone18:33
*** pnavarro_ has quit IRC18:39
*** stevemar has joined #openstack-keystone18:43
*** ChanServ sets mode: +v stevemar18:43
*** lhcheng has joined #openstack-keystone18:46
*** lhcheng has quit IRC18:56
*** dimsum__ has joined #openstack-keystone19:04
*** ayoung has quit IRC19:07
*** dimsum__ has quit IRC19:08
*** jorge_munoz has quit IRC19:36
*** lhcheng has joined #openstack-keystone19:48
*** samueldmq has quit IRC19:54
*** himangi has quit IRC19:56
*** bknudson has joined #openstack-keystone20:05
*** ChanServ sets mode: +v bknudson20:05
*** tqtran_afk has joined #openstack-keystone20:19
*** stevemar has quit IRC20:27
*** lhcheng has quit IRC20:33
openstackgerritayoung proposed openstack/python-keystoneclient: Access Info  https://review.openstack.org/13851920:43
*** lhcheng has joined #openstack-keystone20:44
openstackgerritayoung proposed openstack/python-keystoneclient: Access Info  https://review.openstack.org/16013120:51
openstackgerritayoung proposed openstack/python-keystoneclient: pep8 fix for CMS  https://review.openstack.org/16013220:51
openstackgerritayoung proposed openstack/python-keystoneclient: Test updates to prep for unified access info  https://review.openstack.org/16013320:51
openstackgerritayoung proposed openstack/python-keystoneclient: Use Model for access_info  https://review.openstack.org/16013420:51
*** lhcheng has quit IRC20:57
*** lhcheng has joined #openstack-keystone21:03
openstackgerritayoung proposed openstack/python-keystoneclient: Use Model for access_info  https://review.openstack.org/16013421:10
openstackgerritayoung proposed openstack/python-keystoneclient: pep8 fix for CMS  https://review.openstack.org/16013221:10
openstackgerritayoung proposed openstack/python-keystoneclient: Test updates to prep for unified access info  https://review.openstack.org/16013321:10
openstackgerritayoung proposed openstack/python-keystoneclient: Access Info  https://review.openstack.org/13851921:10
morganfainbergmordred, users can be in one domain easily and projects in  another21:11
*** ayoung has joined #openstack-keystone21:11
*** ChanServ sets mode: +v ayoung21:11
morganfainbergmordred, the assumption that a user belongs to the same domain as the project isn't a good one to make21:12
bknudsonif you're using domains with different backends (e.g., ldap) then you probably have users in a different domain then projects21:12
mordredmorganfainberg: I'm glad I asked21:17
mordredmorganfainberg: it's possible that while I thought I understood these concepts, I do not, in fact, understand them21:18
morganfainbergmordred, the easiest way to think about is that domains are containers of things (users, groups, projects, domains)21:19
mordredthat's how I was thinking of it21:19
morganfainbergmordred, assignments are a mapping of identity resources (users, groups) to (project, domains)21:19
mordredbut if a domain is a container, then wouldn't the user and the project be contained within the domain?21:19
morganfainbergand that is as far as it is enforced.21:20
mordredand wait- what is a group?21:20
morganfainbergyou can assign any role to any user on any project21:20
morganfainberggroup is like LDAP group, a grouping of users21:20
*** richm1 has joined #openstack-keystone21:20
mordredso I have a group, a project and a domain21:20
*** lhcheng has quit IRC21:20
mordredwhat does a project actually model21:20
mordredlike, what is the conceptual resource21:20
bknudsonprojects are used by nova, etc.21:21
morganfainbergproject is what is utilized by other services (e.g. nova) to relate ownership of that services thing21:21
morganfainberglike a vm21:21
bknudsonkeystone doesn't really care about them.21:21
mordredgotcha21:21
mordredso a thing lives inside ofa  project21:21
mordredand via roles, a user can be associated with one or more projects21:21
morganfainbergyep.21:21
bknudsonlet's forget about roles on domains.21:22
morganfainbergwhich is where the token scope comes in, your token is scoped to the project you're working on, how nova knows what project a VM you said "boot" goes into21:22
*** richm1 has quit IRC21:22
openstackgerritBrant Knudson proposed openstack/keystone: Document mapping of policy action to operation  https://review.openstack.org/15591921:23
*** richm1 has joined #openstack-keystone21:23
morganfainbergor what project owns a glance image [for example]21:23
mordredmorganfainberg: I don't suppose the domain value for operations defaults to the domain the user is auth'd to does it?21:23
morganfainbergdomain operations are more of a keystone only thing21:24
mordredright - for keystone operations21:24
morganfainbergnope, still token scope21:24
mordredif I'm creating roles or assigning roles to user/project21:24
morganfainbergroles are global [today]21:24
mordredhang on21:24
morganfainbergso cloud admin is the only one who could create a role definition21:24
mordredI will have authed and received a token and part of that auth transaction will have been me specifying a domain and a project domain21:24
mordredmorganfainberg: I don't actually care about what's finished implemented - I care about the intent design21:25
mordredbecause I'm trying to get some ansible modules right and I don't want their UI to change once I do21:25
bknudsonyou can get a token scoped to a domain or a project.21:25
bknudsonif you scope a token to a project then the project is in a domain.21:25
mordredwhat i'm trying to figure out is whether I need to explicitly pass in a domain and a project domain for role operations, or if there will be a default value if I don't pass  one in21:26
bknudsonnote that the user has a default project... so if no project is specified when getting a token it'll be scoped to that project.21:27
morganfainbergyou would need to pass a scope that grants you cloud admin priviledges,21:27
morganfainbergs/pass/request21:27
mordredtoken=auth(user, password, project, domain, project_domain)21:27
morganfainbergusernames are unique only to their namespace, so when you auth with a username that username needs to have a domain to know how to look it up21:27
*** tqtran_afk has quit IRC21:28
bknudsonshould be like token=auth(user, user_domain password, (project, project_domain) or domain)21:28
morganfainbergbknudson, ++21:28
bknudsonyou can get a token scoped to a project or a domain21:28
mordredok. let me start over21:28
mordredbecause I believe I'm not asking this question right21:28
mordredif I did token=auth(user, user_domain, password, project, project_domain)21:29
*** dimsum__ has joined #openstack-keystone21:29
mordredthen I do map_role(token, role, user, project) ... do I need to pass in a user domain and a project domain?21:30
bknudsonthat looks good... wouldn't allow for domain-scoped tokens though.21:30
mordredbknudson: the generality is still lost on me, so I'm walking through a couple of specific choices to grok the impact21:30
morganfainbergmordred, i belive you can only use user_ids and project_ids for role mapping21:31
mordredmorganfainberg: assume that I'm doing the right thing with names and ids21:31
morganfainbergat the rest api level21:31
mordredI'm really just trying to understand the concept21:31
morganfainbergsure.21:31
bknudsonright, note that if you're using user IDs and project IDs then no need to specify the domain.21:31
mordredbecause it's batshit-crazy-confusing21:31
morganfainbergmordred, yes it is :(21:31
bknudsonIDs are unique whereas names are not (for projects and users)21:31
mordredbknudson: awesome - so this breaks it down to a more simple question then21:32
bknudsonsince names aren't unique you need to specify the domain.21:32
mordredif I did that token as before21:32
mordredif I did token=auth(user, user_domain, password, project, project_domain)21:32
*** richm1 is now known as richm21:32
mordredand then I did "keystone.projects.list()"21:32
mordredam I going to see the projects outside of the domain I auth'd to21:32
bknudsonI believe GET /v3/projects gives you back all projects (since that's what you're requesting)21:33
bknudsonthere should be a GET /v3/project?domain_id=<id>...21:33
mordredok. great. I believe that answers my question21:33
mordredthe act of authenticating to a domain does not affect default visibility of a resource21:34
*** dimsum__ has quit IRC21:35
bknudsonright, although I think it's possible to set the policy so that only the projects in your domain are returned.... not sure. It's not the default policy.21:35
mordredhave I mentioned that I HATE the policy system?21:35
bknudsonyou're not the only one.21:35
mordredit makes answering any questions completely impossible21:35
mordred"how does this work?" - depends on the policy21:36
mordred*STAB*21:36
morganfainbergmordred, yep.21:36
mordredmorganfainberg: I'm trying to write CRUD ansible modules for roles, projects and users21:37
morganfainbergbknudson, no asking what projects a user can see is a different request, not defined by policy21:37
morganfainbergbknudson, that is a ... role_Assignments api thing i think.21:37
mordredit is AMAZING how much I'm having to learn to do that21:37
morganfainbergbknudson, and it's a brutal query.21:37
bknudsonoh, is that what was asked? you're trying to figure out what projects a user has a role in?21:37
mordrednope21:38
morganfainbergbknudson, no just was confirming that it was something else21:38
mordredI'm trying to figure out what information I need to require my users to pass in21:38
morganfainberg\that v3/projects always returns all projects21:38
mordredand what information can be inferred from other information21:38
morganfainbergif you have access to the API call21:38
morganfainbergyou can always filter21:38
mordredwhich is especially hard, because I want to be able to throw input data validation errors21:38
bknudsonhttp://git.openstack.org/cgit/openstack/keystone/tree/keystone/resource/controllers.py#n16021:38
bknudsonwe've got this "filterprotected" wrapper....21:39
bknudsonwhat does that do?21:39
mordredbut I can't, because apparently many things can't be known without just trying and seeing if it fails21:39
morganfainbergbknudson, applies policy and allows for explicit filtering21:39
mordredso, my user _might_ need to pass in a domain, or they might not21:39
morganfainbergmordred, this is the whole reason we started conversations on moving policy to less insane-ness21:39
mordredI have no way of giving them a hint21:39
bknudsonalways pass in the domain.21:39
mordredexcept v2 clouds21:39
mordredbknudson: users have no idea if they are v2 or v321:40
mordredand don't care21:40
morganfainbergmordred, you can tell if you're v2 from keystoneclient, that is versioning stuff21:40
bknudsonare there clouds that only support v2?21:40
mordredso I can't make the domain param _required_21:40
mordredYES!!!!!!21:40
morganfainbergbknudson, RAX i think.21:40
bknudsonmust be old.21:40
morganfainbergnot keystone21:40
mordredalso, I don't do anything with domains on HP21:41
mordredbasically, I've never used domains in my life21:41
mordredin production21:41
morganfainbergyeah hp doesn't support v3 really either21:41
mordredbecause none of my clouds support them21:41
mordredso, I'd say21:41
morganfainbergwell not publically..21:41
mordredno clouds21:41
bknudsonthere is a default domain.21:41
morganfainbergit's weird.21:41
mordredmeh21:41
mordredit's not a real thing21:41
mordredI don't use it21:41
mordredwhich means that the ansible modules MUST support that sanely21:41
mordredwhich means I cannot require a domain parameter21:41
bknudsonif you're stuck with v2 then all users and projects are in the default domain.21:41
mordredhowever, if the user needs one and doesn't pass one in21:41
mordredthen the error they are going to get when they search for a project may be that they get a matching project in another domain?21:42
mordred*sigh*21:42
mordredI'll figure it out21:42
mordredthank you - this has been very helpful21:42
morganfainbergmordred, sorry it just piles more insanity on21:42
mordredmorganfainberg: my frustration level with opensatck's complete and utter lack of usability only grows with every passing second21:43
bknudsonit might be handy to have the GET /v3/domains API return an indicator which one is the default.21:44
bknudsonthen clients would at least know what domain all v2 users are in.21:44
morganfainbergmordred, so - if you only had to deal with V3 and not V2, a lot of the insanity becomes more managable - i know it's not an answer, but it's why we're trying so hard to make v2 go away.21:44
bknudsonif the user doesn't provide domain info, then use the v2 API.21:45
morganfainbergbknudson, the only concern then is if they use a "name" and that name could be v3 somewhere not default domain, and is also in default domain21:45
bknudsonalthough I think it would be better to use a default domain if the user doesn't provide domain info.21:45
* morganfainberg wonders how close we really are to being able to ditch v2.21:46
bknudsonto clarigy: although I think it would be better to use the v3 API with a default domain if the user doesn't provide domain info.21:46
bknudsonclarify21:46
morganfainbergbknudson, oh ++ yes21:46
morganfainbergbknudson, 10000% yes21:46
mordredmorganfainberg: so - the problem is21:47
mordreddomain is part of the auth info, right?21:47
mordredwhich means it might not have been provided in a context I'm working with21:47
morganfainbergmordred, if you're authing against v3 [only required if user is not in default domain]21:47
mordredbecause the user might have authenticated with a pre-existing token or with a cert or something21:47
mordredwhat I mean it, I may not know the user's domain21:47
morganfainbergmordred, any auth requests that exist via v2 are default domain, or would fail21:48
mordredbut21:48
morganfainbergyou can always validate the token which contains a user construct21:48
morganfainbergthat will indicate the user's domain21:48
bknudsonI might have mentioned this before... not sure... but seems like it should be possible to do v3 auth with a username and no domain, then keystone uses default domain.21:48
mordredok21:48
bknudsonthat would make it easier to transition from v2 -> v3.21:48
morganfainbergif you have a token you *can* get info about the user/scope21:48
mordredso I can pull the current domain info from keystone21:48
morganfainbergbknudson, i think that was something we discussed21:48
morganfainbergbknudson, making v2 auth a middleware that translated to v321:48
bknudsonalso, we could put the user's domain in the token if they auth using v2 API.21:49
morganfainbergmordred, yes, via a token validate.21:49
morganfainbergbknudson, sure. i mean i wonder how many peopple we'd break if we stopped issuing V2 tokens.21:50
bknudsonoh, right, could validate the v2 token using v3 and you'd get the domain.21:50
morganfainbergbknudson, it wouldn't be hard to wire up v3 tokens to v221:50
bknudsonmorganfainberg: good question... not sure why anyone would be affected if v2 auth returned a v3 token.21:51
morganfainbergbknudson, because they use repose and inspect the token directly instead of having keystone middleware do it for them.21:51
morganfainbergbknudson, not to put too fine a point on it21:51
bknudsony, the catalog.21:51
morganfainbergnot just the catalog21:52
morganfainbergroles, etc21:52
morganfainbergmordred, https://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/v3/tokens.py#L55 is the call you'd be looking for to validate the token [you can validate a v2 token via v3 and get all the info such as domains]21:52
morganfainbergmordred, if you *can't* use v3, you know the domain is "default" and the v2 client object has a similar method21:53
morganfainbergif you need token information21:53
bknudsonluckily I just added that API21:53
morganfainbergmordred, you'll get an accessinfo item back which lets you use attribute references for lots of things via magic @property stuff21:54
morganfainbergmordred, so you don't need to know the token structure to extract information21:54
morganfainbergbknudson, y! def good!21:54
morganfainbergwe should bug lbragstad and ask if RAX can consume v3 tokens.21:55
*** rwsu-afk has quit IRC21:55
morganfainbergbecause if so... maybe we put an option in that makes v2 token issuance go away21:55
* morganfainberg doesn't see lots of stuff in openstack that would *require* v2 [except maybe some horizon-isms] now.21:56
morganfainbergfor the API that is21:56
bknudsonsurprising anyone would want to stick with the v2 api considering the known security issues.21:56
bknudsondon't validate a token using the v2 api.21:56
morganfainbergever ;)21:57
*** rwsu-afk has joined #openstack-keystone21:57
morganfainbergbknudson, can i ask you a favor?21:58
bknudsonmorganfainberg: sure...21:58
morganfainbergbknudson, can i ask you to prioritise the ae token review [if you aren't too deep in other stuff] - you can absolutely say no :)21:58
morganfainbergi'd like to [if possible] make sure we're close to winding that down or identify what is needed to make it go before we need a FFE.21:58
bknudsonmorganfainberg: already prioritized... wasn't going to work on it today though.21:59
morganfainbergno no not a today thing21:59
morganfainbergdude, weekend21:59
morganfainberg:)21:59
morganfainbergi expect people to not be working on weekend tbh21:59
bknudsonwhat's a weekend?21:59
morganfainberghah21:59
morganfainbergok so, while you *may* be working on saturday or sunday, I wouldn't expect you to be :P22:00
bknudsonhttp://www.fanforum.com/f387/downton-abbey-quotes-1-what-weekend-63050759/22:00
*** joesavak has quit IRC22:00
morganfainberghahah22:01
bknudsonAE tokens would also make my life easier.22:02
bknudsonif they work.22:02
morganfainbergi also heard from a very large PKI token deployer ... they are also having issues with PKI and are very interested in AE22:02
morganfainbergs/AE/fernet-or-whatever-they-are-called-now22:03
bknudsonhaven't seen any middleware reviews for it.22:03
morganfainbergbknudson, no, there hasn't been any middleware for it yet afaik22:03
morganfainbergwe've been focusing on getting the stuff that needed to land for FF in keystone22:04
morganfainbergthough i *think* the middleware stuff is relatively low amounts of wiring up the revocation event code.22:04
morganfainbergayoung, re: https://review.openstack.org/#/c/160067/ [kvs revoke backend going away] cool - i'm happy to see that go away, but remember we had a convo about it and i didn't want it removed if it needed to stay22:06
morganfainbergayoung, thanks for the +1 on thart22:06
mfischmorganfainberg: I'm trying to remove admin_token_auth from my public pipeline, but it seems to also break the admin one22:07
mfischunless I've made a large puppet fail... which is also a possibility22:08
openstackgerritBrant Knudson proposed openstack/keystone: Document mapping of policy action to operation  https://review.openstack.org/15591922:08
morganfainbergmfisch: you shouldn't need admin_token_auth anywhere in production.22:08
morganfainbergPost bootstrap if you use the api to bootstrap.22:08
mfischyeah I agree22:08
mfischpuppet does bootstrap with it22:09
mfischat a minimum I want it out of the public pipeline22:09
morganfainbergI wonder if we can make bootstrap something keystone manage can do instead. So you don't ever need it in the pipeline.22:09
mfischah I see I broke something22:09
morganfainbergmfisch: got rid of the filter too in the past-ini?22:10
mfischno I had a variable wrrong and put the v3 pipeline in for v2 admin22:10
morganfainbergOh hah ouch. Yeah that'd do it.22:10
ayoungmorganfainberg, so...the only case where I could see us wanting it is some distributed way of doing  revocations and sync  was best on something lioke mongo22:10
ayoungbut revocations need to be transactional...I think?22:11
*** lhcheng has joined #openstack-keystone22:11
ayoungI don't really see it as something desperately needing removal22:11
ayoungmorganfainberg, BTW, did you see my Opus:  http://adam.younglogic.com/2015/02/three-types-of-tokens/22:11
morganfainbergThen let's not remove it.22:11
morganfainbergayoung: I laughed, I cried, I wanted an encore22:12
mfischthat was good ayoung22:12
ayoungdoes it help?22:12
morganfainbergAlas the usher kicked us all out before we could rush the stage.22:12
morganfainbergI think it's an entertaining alternative description of things.22:12
mfischmorganfainberg: is removing admin_token_auth from the public_api pipeline but not the admin_api one a valid config?22:13
morganfainbergIt definitely doesn't hurt.22:13
morganfainbergHelp, I think that depends on the reader.22:13
mfischokay it seems to have broken the service token even on 3535722:13
mfischI am told I have to go buy fish for the kids so I will look later thx22:13
morganfainbergmfisch: I never tried that. With v3 they are the same thing.22:13
mfischwe have public endpoints but not for the admin so since puppet uses that I thought I'd leave it and be "safer"22:14
mfischremoving it 100% is a longer project22:14
morganfainbergLike I said, I haven't tried that.22:14
mfischI'll let you know what I find22:14
mfischyep thx22:14
*** lhcheng_ has joined #openstack-keystone22:14
*** lhcheng has quit IRC22:17
ayoungand with that...I'm off to go see Gogol Bordello!22:23
*** ayoung is now known as ayoung-out22:23
*** karimb has joined #openstack-keystone22:39
*** lhcheng_ has quit IRC22:55
*** karimb has quit IRC22:55
*** lhcheng has joined #openstack-keystone23:03
*** david-lyle_afk has joined #openstack-keystone23:08
*** stevemar has joined #openstack-keystone23:09
*** ChanServ sets mode: +v stevemar23:09
*** stevemar has quit IRC23:11
*** lhcheng has quit IRC23:13
*** lhcheng has joined #openstack-keystone23:28
*** lhcheng_ has joined #openstack-keystone23:37
*** lhcheng has quit IRC23:38
« Friday, 2015-02-27 Index Sunday, 2015-03-01 »

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!