Tuesday, 2015-03-03

[00:00] *** david-lyle has quit IRC
[00:03] *** markvoelker has quit IRC
[00:05] <lbragstad> morganfainberg: ^ thanks to jorge_munoz
[00:06] <lbragstad> dolphm: ++, thanks for fixing up the rename
[00:06] <morganfainberg> so i hope we can get the 4 patches moving through the gate today
[00:06] *** samueldmq_ has quit IRC
[00:07] * lbragstad high-fives the dogs
[00:07] *** ljfisher has joined #openstack-keystone
[00:08] <morganfainberg> lbragstad, so.. https://review.openstack.org/#/c/159865/ https://review.openstack.org/#/c/152156/ and https://review.openstack.org/#/c/142573/ those are next following KLWT
[00:08] <morganfainberg> and then into Henry's
[00:08] <openstackgerrit> Merged openstack/keystone: Refactor and provide scaffolding for domain specific loading  https://review.openstack.org/157701
[00:08] <lbragstad> sweet
[00:11] <morganfainberg> lbragstad, https://review.openstack.org/#/c/159865/ should be an easy one
[00:15] *** chlong has quit IRC
[00:15] <openstackgerrit> OpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements  https://review.openstack.org/160567
[00:16] <openstackgerrit> henry-nash proposed openstack/keystone: Add support for whitelisting and partial domain configs  https://review.openstack.org/158679
[00:17] <openstackgerrit> henry-nash proposed openstack/keystone: Add API support for domain config  https://review.openstack.org/158752
[00:18] *** stevemar has joined #openstack-keystone
[00:18] *** ChanServ sets mode: +v stevemar
[00:24] *** karimb has quit IRC
[00:24] *** raildo_ has quit IRC
[00:27] *** dims has quit IRC
[00:29] <stevemar> morganfainberg, quickly check my comments here? https://review.openstack.org/#/c/159865/
[00:31] <morganfainberg> stevemar, yeah all comments make sense
[00:31] <morganfainberg> stevemar, nothing i see should block that up
[00:31] <stevemar> morganfainberg, okay
[00:31] <jamielennox> i should know this, but how can i load a dependency without the controller?
[00:31] <morganfainberg> the manager can be removed as a cleanup patch
[00:32] <morganfainberg> jamielennox, load a dependency? as in the API?
[00:32] <morganfainberg> jamielennox, <api_thing>.Manager() ?
[00:32] <stevemar> i'll pull the trigger and fix the manager thing
[00:32] <jamielennox> morganfainberg: as in our non-functional, useless @dependency.provides() PITA
[00:33] <morganfainberg> jamielennox, so we load the things in service.py every time, the decorator just sticks them as properties
[00:33] <jamielennox> morganfainberg: remove /v3 from the pipeline from keystone-paste.ini and keystone fails to boot
[00:33] <stevemar> morganfainberg, bah lbragstad ruined our fun
[00:33] <morganfainberg> jamielennox, oh
[00:33] <jamielennox> UnresolvableDependencyException: Unregistered dependency: revoke_api
[00:33] <morganfainberg> jamielennox, uh.
[00:33] * lbragstad fun-hater \o/
[00:33] <morganfainberg> jamielennox, wait what?!
[00:33] <jamielennox> and there is no v2 version of revoke_api
[00:33] <morganfainberg> jamielennox, uhm... that should be handled via the service loading
[00:33] <morganfainberg> it shouldn't be controller based.
[00:34] <morganfainberg> stevemar, ^ we might have missed another *thing* in loading services non-optionally
[00:34] <stevemar> lbragstad, i can't really fix the sp_url thing, it's what's in the spec
[00:34] <jamielennox> morganfainberg: dependency injection is pointless when the first thing we do is resolve them all
[00:34] <lbragstad> stevemar: ok, that was a minor suggestion
[00:34] <lbragstad> stevemar: more of a question really.
[00:34] <stevemar> lbragstad, ah okay
[00:35] <stevemar> morganfainberg, uh oh
[00:35] <morganfainberg> jamielennox, remember we want that "injection" stuff to go away
[00:35] <morganfainberg> jamielennox, i think for now we should just be resolving them . if we're not we are doing something wrong
[00:35] <jamielennox> morganfainberg: right, should do pecan
[00:35] <dstanek> jamielennox: morganfainberg: i have some patches for that, but they need love; henry moved all the things around
[00:35] <jamielennox> anyway, any idea why revoke_api is not being loaded
[00:35] <stevemar> morganfainberg, jamielennox a patch recently went in that removed a bunch of checks for if revoke_api
[00:35] <morganfainberg> jamielennox sure! lets do it!
[00:35] <jamielennox> morganfainberg: waiting for things to calm down
[00:35] <morganfainberg> jamielennox, my guess is it is missing from service
[00:36] <morganfainberg> jamielennox, or similar
[00:36] <stevemar> morganfainberg, jamielennox it's in the load_backends code for keystone as a whole
[00:36] <morganfainberg> it probably just needs an import instantiation
[00:36] <dstanek> i really wish they didn't pick pecan; we'll be the only people i've ever seen using it :-(
[00:36] <stevemar> ah crud
[00:36] <morganfainberg> dstanek, wellllllll
[00:37] <stevemar> jamielennox, morganfainberg shouldn't revoke manager be here: https://github.com/openstack/keystone/blob/d1b707c5686a61cc888b96d915dd1f36fac74527/keystone/backends.py
[00:37] *** bknudson has joined #openstack-keystone
[00:37] *** ChanServ sets mode: +v bknudson
[00:37] <morganfainberg> stevemar, yep
[00:37] <morganfainberg> that would be it
[00:37] <morganfainberg> dstanek, didn't we write a bunch of pecan? :P
[00:37] <stevemar> grumble grumble
[00:38] <stevemar> okieeee 2 more patches coming up!
[00:38] <jamielennox> stevemar: you on it?
[00:38] *** karimb has joined #openstack-keystone
[00:39] <stevemar> jamielennox, yeah
[00:39] <openstackgerrit> Dolph Mathews proposed openstack/keystone: move token version into fernet payload  https://review.openstack.org/160579
[00:39] <morganfainberg> stevemar, jamielennox, make sure to file a bog on that.
[00:39] <morganfainberg> bug*
[00:39] <dstanek> morganfainberg: i'll clean up one or two of those "remove di" patches for you to take a look at
[00:39] <stevemar> jamielennox, file the bug would ya?
[00:39] <morganfainberg> dstanek, thanks :)
[00:39] * morganfainberg is going to go for dinner now
[00:39] <morganfainberg> be back later on
[00:40] <dolphm> lbragstad: ^ https://review.openstack.org/#/c/160579/1/keystone/token/providers/fernet/token_formatters.py
[00:40] <dstanek> jamielennox: does pecan give us anything more than a different way to do routing?
[00:40] <jamielennox> dstanek: not hugely
[00:40] <jamielennox> we can't use wsme because of our weird APIs
[00:40] <dolphm> lbragstad: so, BaseTokenFormatter has a generic pack/unpack that handles messagepack and fernet both
[00:40] <dstanek> morganfainberg: i think pecan was all dreamhost
[00:40] <jamielennox> it'd be a nice cleanup though
[00:40] <morganfainberg> jamielennox, i want to get rid of our weird apis :P
[00:41] <bknudson> our APIs are broken then
[00:41] <dolphm> lbragstad: convenient since it also owns the crypto @property
[00:41] <jamielennox> morganfainberg: i know
[00:41] <morganfainberg> bknudson, it's the extra field stuff
[00:41] <jamielennox> there's no way to handle the 'extra' stuff
[00:41] <jamielennox> i filed a bug ages ago, tried to fix it
[00:41] <lbragstad> dolphm: makes sense
[00:41] <morganfainberg> bknudson, you know... keystone is a badly implemented key-value-store
[00:41] <morganfainberg> over rest api
[00:41] <jamielennox> this was around the original jsonschema stuff and i got distracted over that
[00:41] <lbragstad> dolphm: but you'd need to know the format before unpacking the rest since the Standard format and the Trust format contain different values,
[00:41] <lbragstad> right?
[00:41] <dolphm> lbragstad: yep
[00:42] <dolphm> lbragstad: before calling the last two classes, i suppose
[00:42] <lbragstad> dolphm: yeah, that's tough
[00:42] <lbragstad> dolphm: I know jacorob thought about that a lot too.
[00:42] <lbragstad> dolphm: what we could do
[00:43] <lbragstad> dolphm: is to carry the token version externally (same as before) and use that to verify, and once we do, we can ensure the external token version and the internal token version match?
[00:43] <lbragstad> dolphm: but that doesn't really make the token version completely internal
[00:44] <dolphm> lbragstad: the advantage to internal is integrity checking
[00:44] <dolphm> lbragstad: the advantage to external is just convenience
[00:44] <openstackgerrit> Steve Martinelli proposed openstack/keystone: Always load revocation manager  https://review.openstack.org/160582
[00:44] <dolphm> lbragstad: so i'd rather ditch convenience in favor of adding more lightness
[00:44] <stevemar> jamielennox, ^
[00:44] <dolphm> stevemar: does that mean you agree with me?
[00:45] <jamielennox> stevemar: bug 1427440
[00:45] <openstack> bug 1427440 in Keystone "V2 only keystone wont start - revoke not in loaded backends" [Undecided,New] https://launchpad.net/bugs/1427440
[00:45] <stevemar> dolphm, uh
[00:45] <dolphm> stevemar: just nod your head, yes
[00:45] * stevemar nods
[00:45] <dolphm> lbragstad: so we're agreed then
[00:46] <lbragstad> dolphm: so, in that case
[00:46] <lbragstad> we still need a way to pass the token string to the right formatter for validation
[00:47] <lbragstad> dolphm: that's if we want to be smart about it,
[00:47] <dolphm> lbragstad: something somewhere needs to know how to handle an ambiguous token and parse it correctly
[00:47] <openstackgerrit> Lin Hua Cheng proposed openstack/keystone: Implement validation on the Identity V3 API  https://review.openstack.org/132122
[00:47] <lhcheng> lbragstad: fixed pep8 ^
[00:47] <lbragstad> dolphm: which we've always done with the external token version
[00:48] <lbragstad> lhcheng: ++ thanks!
[00:48] <lbragstad> dolphm: unless you just pass the token string to every format validator until one works, but I think that'd be ugly
[00:48] <openstackgerrit> Steve Martinelli proposed openstack/keystone: Cleanup comments from 159865  https://review.openstack.org/160584
[00:49] <stevemar> lbragstad, for you bud ^
[00:49] <dolphm> lbragstad: also more than one might "work"
[00:49] <openstackgerrit> Steve Martinelli proposed openstack/keystone: Always load revocation manager  https://review.openstack.org/160582
[00:50] <lbragstad> stevemar: thank you sir
[00:50] <lbragstad> dolphm: yeah, exactly
[00:50] <stevemar> weee it's gating!
[00:50] <lbragstad> dolphm: what if
[00:51] <lbragstad> you hash/encrypt the token data, right?
[00:51] <lbragstad> and at that point you know the token format
[00:51] <lbragstad> so, you take the token format and hash that as well and tack that on to the encrypted token string
[00:51] <lbragstad> so, everything is still opaque
[00:51] <stevemar> lbragstad, could you do this patch quickly? https://review.openstack.org/#/c/151867/
[00:52] <stevemar> it's already 2x +2'ed
[00:52] <lbragstad> dolphm: and then on validate, fernet.core always decrypts the beginning of the token,
[00:52] <lbragstad> which maintains the integrity check of the token format/version
[00:53] <lbragstad> which means you could determine the proper token format and still pass it to the correct token formatter
[00:53] <lbragstad> If the token format/version integrity check fails, then bomb out early saying it's an unsupported fernet token
[00:53] <dolphm> lbragstad: i don't know if i follow all that without a whiteboard lol
[00:54] <lbragstad> dolphm: ok, so when we are in fernet.core we call to create_token, which lives in token_formatters.py, right?
[00:55] <dolphm> alrighty
[00:55] <lbragstad> at that point, we know if we are dealing with a StandardTokenFormat or a TrustTokenFormat
[00:55] <lbragstad> i.e. F00 or F01
[00:56] <lbragstad> on the way out, we could call some encrypt_sign_token_format(self, token_format) method that takes the token format we know we are dealing with, and encrypt/signs that string (F00 or F01)
[00:57] <lbragstad> so, at this point we have two strings, one is an encrypted version of the token format and one is an encrypted version of the token data
[00:57] <lbragstad> the token could then turn into {encrypted_token_format}{encrypted_token_data}
[00:58] <dolphm> lbragstad: but why not just put it into plaintext? how is that different than version + encrypt(version + payload)?
[00:58] <dolphm> s/different/better/
[00:58] <lbragstad> dolphm: it depends on why you want to put the token version in the token payload,
[00:59] <lbragstad> are you doing it to make it opaque to the user?
[00:59] <lbragstad> s/want/why/
[01:00] <dolphm> lbragstad: to include it in the integrity check, for hardening
[01:01] <dolphm> i don't think we have an attack vector today, but it would be easy to accidentally introduce one in the future
[01:01] <lbragstad> encrypting the token version and tacking it to the encrypted token data would still require it to be integrity checked on validate
[01:01] <lbragstad> but, we'd have to do it in two separate steps if we want to know where to pass the rest of the token data to
[01:03] <dolphm> lbragstad: something about that statement makes me think we need to move a bunch of logic closer to the versioned payload code
[01:04] <dolphm> lbragstad: like fernet.core shouldn't care about versioning at all
[01:04] <dolphm> lbragstad: i also don't see these as "versions," they're more like variants
[01:04] <lbragstad> like various token formats..
[01:04] <lbragstad> right?
[01:04] <dolphm> you either have vanilla or trust, not 0.0 or 0.1
[01:04] <dolphm> lbragstad: yeah
[01:04] *** markvoelker has joined #openstack-keystone
[01:04] <lbragstad> yeah, we could do that
[01:05] <lbragstad> s/do that/move all token specific logic to fernet.core/
[01:05] <dolphm> lbragstad: i'm going to go get food and ponder
[01:05] <stevemar> jamielennox, dstanek lbragstad dolphm https://review.openstack.org/#/c/160582/
[01:06] <lbragstad> dolphm: ok, ping me if you have any other ideas.. I'll keep thinking about it
[01:06] <openstackgerrit> Victor Silva proposed openstack/keystone: bp/mapping-enhancements  https://review.openstack.org/142573
[01:07] <jamielennox> stevemar: ugh - that's a pain
[01:07] <jamielennox> stevemar: extra backends
[01:07] <stevemar> jamielennox, why is it a pain?
[01:07] <jamielennox> this needs to die
[01:07] <dstanek> jamielennox: what do you mean?
[01:07] <stevemar> ya, i'm confused
[01:08] <jamielennox> dstanek: let's just import all that stuff on load
[01:08] <jamielennox> ditch the dependency management entirely for all that stuff
[01:08] *** dimsum__ has joined #openstack-keystone
[01:08] <dstanek> jamielennox: yes, i am building the graph without DI right now
[01:08] <jamielennox> dstanek: excellent
[01:09] *** david-lyle has joined #openstack-keystone
[01:09] <dstanek> jamielennox: i stashed stuff away when henry was moving stuff around, but now that that's all over i'll start fixing and posting those
[01:12] <openstackgerrit> Steve Martinelli proposed openstack/keystone: Implements whitelist and blacklist mapping rules  https://review.openstack.org/142573
[01:13] *** markvoelker has quit IRC
[01:14] <stevemar> jamielennox, that's what the 'replace extensions' bp was starting to do
[01:14] <stevemar> just load the things, and claim it's either experimental or stable
[01:14] <stevemar> rather than dealing with dependency weirdness
[01:15] <jamielennox> stevemar: well that was more, that was about URIs and discovery etc
[01:15] *** henrynash has quit IRC
[01:20] *** krtaylor has quit IRC
[01:25] *** ljfisher has quit IRC
[01:25] *** nellysmitt has joined #openstack-keystone
[01:26] <openstackgerrit> Merged openstack/keystone: Keystone Lightweight Tokens (KLWT)  https://review.openstack.org/145317
[01:27] * lbragstad \o/
[01:29] *** karimb has quit IRC
[01:30] *** nellysmitt has quit IRC
[01:31] <dstanek> what was the verdict about stopping downgrades for us?
[01:33] *** krtaylor has joined #openstack-keystone
[01:34] *** _cjones_ has quit IRC
[01:40] <stevemar> dstanek, no official word
[01:40] <stevemar> maybe we will officially say something next release
[01:40] <stevemar> but it's something that should be openstack wide
[01:40] <stevemar> not just us
[01:49] <openstackgerrit> Merged openstack/keystone: Populate token with service providers  https://review.openstack.org/159865
[01:49] <openstackgerrit> Merged openstack/keystone: Add CADF notifications for trusts  https://review.openstack.org/151867
[01:52] *** david-lyle has quit IRC
[01:53] *** david-lyle has joined #openstack-keystone
[01:53] <dstanek> stevemar: yeah, downgrades are dumb
[01:54] <dstanek> for instance, i just reviewed https://review.openstack.org/#/c/152156/ which is a broken downgrade because it's impossible to represent the new data in the old schema
[01:56] <stevemar> dstanek, thanks for reviewing the multiple remote id patch
[01:56] <stevemar> it still feels wonky to me
[01:59] <stevemar> dstanek / jamielennox https://review.openstack.org/#/c/159671 (really quick ones)
[02:00] <dstanek> stevemar: don't need that test anymore?
[02:01] <stevemar> dstanek, nope, the test sets oauth_api to None
[02:01] <stevemar> self.token_provider_api.driver.oauth_api = None
[02:01] <jamielennox> stevemar: can you still disable oauth
[02:01] <stevemar> jamielennox, how?
[02:02] <stevemar> from the pipeline, yea, but the manager always loads
[02:02] <dstanek> i think you just don't add it to the list of accepted methods, but the manager is still created
[02:03] <stevemar> list of accepted methods?
[02:03] <dstanek> http://git.openstack.org/cgit/openstack/keystone/tree/etc/keystone.conf.sample#n391 right?
[02:04] <dstanek> or does it not actually have to go in there?
[02:06] *** rwsu is now known as rwsu-afk
[02:07] <stevemar> dstanek, it should now that you mention it
[02:07] <stevemar> but that is only checked at authN time
[02:07] <stevemar> the manager itself should be loaded once keystone starts, either through eventlet or apache
[02:08] *** sigmavirus24 is now known as sigmavirus24_awa
[02:09] *** ayoung-lunx is now known as ayoung
[02:09] *** tqtran has quit IRC
[02:10] *** zzzeek has quit IRC
[02:11] *** erkules_ has joined #openstack-keystone
[02:14] *** erkules has quit IRC
[02:14] <mfisch> is there anything I need to know about switching my revoke provider to the non-deprecated token driver, keystone.contrib.revoke.backends.sql?
[02:14] <mfisch> Any chants or incense required?
[02:14] <mfisch> seems to just be a drop-in from my testing
[02:15] <stevemar> mfisch, it *should* be just that
[02:15] <stevemar> mfisch, also, we are not going to deprecate it for another cycle
[02:15] <stevemar> thats the story at the moment anyway
[02:15] <mfisch> deprecate that one or the one thats already deprecated
[02:15] <mfisch> kvs
[02:16] <mfisch> kvs is already showing deprecated for me
[02:16] *** lhcheng has quit IRC
[02:16] <stevemar> mfisch, the kvs backend for revoke was slated to be removed in Kilo, but it probably won't be
[02:16] *** lhcheng has joined #openstack-keystone
[02:17] <mfisch> ok
[02:17] <stevemar> kvs, yeah morganfainberg and ayoung changed their minds about that, today in fact :)
[02:17] <mfisch> deprecation warnings are scary because I never look for them and they tend to become broken without me knowing
[02:17] <stevemar> you're getting the news hot off the presses
[02:17] <mfisch> so when I find, I fix
[02:17] <mfisch> I feel so privileged
[02:17] <stevemar> its still a good move to go to the sql backend
[02:17] <stevemar> thats the default now anyway
[02:17] <mfisch> what is kvs?
[02:17] <mfisch> I mean its still an SQL revoke at some level
[02:18] <stevemar> mfisch, gonna have to bug ayoung about the diffs
[02:18] <mfisch> no worries
[02:19] <mfisch> it was just FYI
[02:19] <ayoung> we will certainly have SQL
[02:19] <mfisch> I'm switching the puppet default
[02:19] <ayoung> kvs is something that I think will come up, and I don't want to yank just to have to put it back
[02:20] <ayoung> I don't think Keystone has a puppet backend for anything
[02:20] <ayoung> we did discuss a DNS backend for the service catalog at one point
[02:20] <mfisch> not sure if that was a joke...
[02:20] <ayoung> mfisch, a lame one to be sure
[02:20] <ayoung> I misread what you said, and just went with it
[02:20] <mfisch> I was very confused...
[02:21] <ayoung> yeah, the default should be mysql
[02:21] <mfisch> wait until you see my proposal for keystone
[02:21] *** panbalag has quit IRC
[02:21] <mfisch> https://review.openstack.org/#/c/160402/
[02:21] <ayoung> mfisch, deprecate all of keystone?
[02:21] <ayoung> mfisch, thanks
[02:22] <ayoung> why does puppet require you to repeat yourself?
[02:22] <mfisch> where?
[02:22] <mfisch> I need a change in there
[02:22] <ayoung> both files have the line:   $revoke_driver          = 'keystone.contrib.revoke.backends.sql',
[02:22] <mfisch> oh thats just tests
[02:23] <ayoung> its in there like 34 times, twice commented out
[02:23] <ayoung> heh
[02:23] <ayoung> 4 times
[02:23] <mfisch> I get paid by LoC
[02:23] *** david-lyle has quit IRC
[02:24] <ayoung> override_params = is that going to break if we change the default?
[02:24] <ayoung> 'revoke_driver'         => 'keystone.contrib.revoke.backends.kvs',
[02:24] <mfisch> no
[02:24] <ayoung> I read that as:  change from this default.  Is my puppetese correct?
[02:24] <mfisch> thats just rspec, unit tests
[02:24] <mfisch> yeah
[02:24] <mfisch> from the puppet default
[02:24] <mfisch> not the keystone or ubuntu/redhat default
[02:25] <mfisch> its a unit test
[02:25] <mfisch> like if you had a unit test for a different driver, I could say "revoke_driver => 'adam' if I wanted to test puppet
[02:25] <dstanek> another easy one https://review.openstack.org/#/c/158411/
[02:26] *** markvoelker has joined #openstack-keystone
[02:32] <openstackgerrit> Merged openstack/keystone: Rename "Keystone LightWeight Tokens" (KLWT) to "Fernet" tokens  https://review.openstack.org/160040
[02:32] *** mancdaz has quit IRC
[02:33] <stevemar> \o/
[02:34] *** mancdaz has joined #openstack-keystone
[02:36] <stevemar> dstanek, done
[02:36] <mfisch> I saw Keystone Light and got all excited before I kept reading
[02:37] <stevemar> it'll be renamed for just that reason
[02:37] <dstanek> stevemar: thx
[02:37] <stevemar> so much code being merged today!
[02:39] <stevemar> now to review henrys stuff
[02:41] *** mancdaz has quit IRC
[02:47] <dolphm> stevemar: 22 reviews in last 24 hours by my count
[02:47] <stevemar> 22 patches?
[02:49] <dolphm> mfisch: not sure if your question was ever answered regarding "what is kvs?" -- it's just an in-memory python dict. not for production, and especially not for a multi node deploy!
[02:49] <dolphm> stevemar: yessir
[02:50] <mfisch> dolphm: it seemed to be working to revoke tokens in mysql
[02:50] <dolphm> mfisch: ah, so we have two revocation mechanisms at the moment
[02:50] <dolphm> mfisch: one persists a list of revoked tokens to the token backend: the token revocation list
[02:51] *** toddnni_ has joined #openstack-keystone
[02:51] <dstanek> stevemar: you still here?
[02:51] <dolphm> mfisch: as of kilo (maybe icehouse?) we also have token revocation *events*: which is actually the discrete driver you're changing
[02:51] <dolphm> mfisch: revocation events describe the revoked tokens instead of enumerating them all
[02:52] <dolphm> mfisch: the end goal is not to persist any tokens ever
[02:52] <mfisch> some mechanism is setting the "valid" flag to 0 in mysql
[02:52] <dolphm> mfisch: the ones with "0" that are otherwise not expired make up the token revocation list
[02:52] *** toddnni has quit IRC
[02:52] *** toddnni_ is now known as toddnni
[02:53] <mfisch> not separate table which is good for easy cleanup
[02:54] <dolphm> mfisch: either way, it's a lot of tokens that shouldn't be persisted in the first place :( -- unless you're using UUID, in which case, that's by design
[02:54] <dolphm> mfisch: the fact that PKI tokens end up in the DB is basically broken
[02:54] <mfisch> UUID, waiting for AE
[02:54] <dolphm> mfisch: AE is shipping in kilo as "Fernet tokens"
[02:55] <mfisch> yep saw that convo here 10 mins ago
[02:55] <dolphm> mfisch: cool
[02:55] <mfisch> Proof of concept in Kilo or fully working?
[02:56] <dolphm> mfisch: PoC has been around since december. an implementation merged today along with docs, and we've got a stream of patches to improve them further
[02:57] <mfisch> sounds like it should be pretty solid by may then
[02:57] <dolphm> mfisch: so, AE has been renamed twice. once to KLWT, and then to Fernet. anyway, read here about "KLWT" soon-to-be-renamed-to-Fernet: http://docs.openstack.org/developer/keystone/configuration.html#uuid-pki-pkiz-or-klwt
[02:58] <dolphm> mfisch: the PKI paragraph also talks about revocations lists vs events
[02:59] <mfisch> thx for the docs
[02:59] <mfisch> I'm excited for frenets
[02:59] <mfisch> err fernets?
[02:59] *** toddnni has quit IRC
[02:59] *** browne has quit IRC
[03:00] *** toddnni has joined #openstack-keystone
[03:00] <dolphm> mfisch: good question.
[03:00] <dolphm> mfisch: https://github.com/fernet
[03:01] <openstackgerrit> Merged openstack/keystone: Updated from global requirements  https://review.openstack.org/160567
[03:02] <dolphm> mfisch: did you see the token format benchmarks?
[03:02] <dolphm> mfisch: s/the/my/
[03:03] <mfisch> yeah thats what made me think about this
[03:03] <mfisch> thats how I found out
[03:03] <openstackgerrit> Rodrigo Duarte proposed openstack/keystone: Add domain_id checking in create_project  https://review.openstack.org/159944
[03:03] <openstackgerrit> Rodrigo Duarte proposed openstack/keystone: Add is_domain field in Project Table  https://review.openstack.org/157427
[03:03] <openstackgerrit> Rodrigo Duarte proposed openstack/keystone: Expose create project with invalid domain_id  https://review.openstack.org/160446
[03:03] <openstackgerrit> Rodrigo Duarte proposed openstack/keystone: Prohibit invalid ids in subtree and parents list  https://review.openstack.org/158720
[03:03] <openstackgerrit> Rodrigo Duarte proposed openstack/keystone: Change project name constraint  https://review.openstack.org/158372
[03:05] *** richm has quit IRC
[03:07] * dolphm just realized the rename already landed
[03:07] <dolphm> mfisch: ^ http://docs.openstack.org/developer/keystone/configuration.html#uuid-pki-pkiz-or-fernet
[03:07] <openstackgerrit> Merged openstack/keystone: Cleanup comments from 159865  https://review.openstack.org/160584
[03:13] <stevemar> dstanek, yep i'm here
[03:13] *** lhcheng has quit IRC
[03:16] *** lhcheng has joined #openstack-keystone
[03:16] *** spandhe has quit IRC
[03:17] <openstackgerrit> Merged openstack/keystone: Always load revocation manager  https://review.openstack.org/160582
[03:21] *** lhcheng has quit IRC
[03:25] *** ncoghlan has joined #openstack-keystone
[03:26] *** nellysmitt has joined #openstack-keystone
[03:26] <openstackgerrit> Steve Martinelli proposed openstack/keystone: Avoid multiple instances for a provider  https://review.openstack.org/124599
[03:27] <stevemar> dstanek, can you take another look @ this guy: https://review.openstack.org/#/c/124599/
[03:28] <openstackgerrit> Merged openstack/keystone: Fixes test_multiple_filters filters definition  https://review.openstack.org/158411
[03:30] <openstackgerrit> Steve Martinelli proposed openstack/keystone: Use oslo.policy instead of incubated version  https://review.openstack.org/148624
[03:31] *** nellysmitt has quit IRC
[03:31] <openstackgerrit> Steve Martinelli proposed openstack/keystone: Remove policy parsing exception  https://review.openstack.org/158562
[03:31] <openstackgerrit> Steve Martinelli proposed openstack/keystone: Remove incubated version of oslo policy  https://review.openstack.org/157158
[03:31] <openstackgerrit> Steve Martinelli proposed openstack/keystone: Cleanup policy related tests  https://review.openstack.org/158561
[03:31] *** ccard__ has joined #openstack-keystone
[03:34] *** ccard_ has quit IRC
[03:39] <lbragstad> dolphm: nice work on the rename, happy to see it merged!
[03:39] *** browne has joined #openstack-keystone
[03:42] <openstackgerrit> Rodrigo Duarte proposed openstack/keystone: Add domain_id checking in create_project  https://review.openstack.org/159944
[03:42] <openstackgerrit> Rodrigo Duarte proposed openstack/keystone: Add is_domain field in Project Table  https://review.openstack.org/157427
[03:42] <openstackgerrit> Rodrigo Duarte proposed openstack/keystone: Expose create project with invalid domain_id  https://review.openstack.org/160446
[03:42] <openstackgerrit> Rodrigo Duarte proposed openstack/keystone: Prohibit invalid ids in subtree and parents list  https://review.openstack.org/158720
[03:42] <openstackgerrit> Rodrigo Duarte proposed openstack/keystone: Change project name constraint  https://review.openstack.org/158372
[03:43] <rodrigods> ^ there are some bug fixes as base for the reseller code, some of them might not make sense but we need them to be triaged or invalidated
[03:45] *** dimsum__ has quit IRC
[03:50] *** ayoung has quit IRC
[03:50] *** ccard__ has quit IRC
[03:51] *** ccard__ has joined #openstack-keystone
[03:58] *** ccard_ has joined #openstack-keystone
[03:58] *** ccard__ has quit IRC
[04:06] *** wanghong has quit IRC
[04:07] *** wanghong has joined #openstack-keystone
[04:08] *** thedodd has joined #openstack-keystone
[04:09] *** wanghong has joined #openstack-keystone
[04:13] *** harlowja_ is now known as harlowja_away
[04:18] *** lhcheng has joined #openstack-keystone
[04:20] *** ccard__ has joined #openstack-keystone
[04:21] *** ccard_ has quit IRC
[04:22] *** lhcheng has quit IRC
[04:34] <openstackgerrit> Lance Bragstad proposed openstack/keystone: Use revocation events for lightweight tokens  https://review.openstack.org/158414
[04:34] <openstackgerrit> Lance Bragstad proposed openstack/keystone: Implement KLWT for v2.0 tokens  https://review.openstack.org/159229
[04:46] *** dimsum__ has joined #openstack-keystone
[04:51] *** dimsum__ has quit IRC
[04:59] *** markvoelker has quit IRC
[05:00] *** markvoelker has joined #openstack-keystone
[05:00] <openstackgerrit> Eric Brown proposed openstack/keystonemiddleware: Use oslo_config choices support  https://review.openstack.org/160031
[05:04] *** markvoelker has quit IRC
[05:06] *** david-lyle_afk has joined #openstack-keystone
[05:08] *** ajayaa has joined #openstack-keystone
[05:09] *** ChristyF has quit IRC
[05:10] *** ChristyF has joined #openstack-keystone
[05:24] *** lhcheng has joined #openstack-keystone
[05:27] *** nellysmitt has joined #openstack-keystone
[05:30] *** haneef has joined #openstack-keystone
[05:30] *** markvoelker has joined #openstack-keystone
[05:31] <haneef> stevemar:  What happened to this page?  After your last commit, it shows old doc using keystoneclient instead of openstackclient :   https://github.com/openstack/keystone/blob/master/doc/source/cli_examples.rst
[05:31] *** nellysmitt has quit IRC
[05:32] <stevemar> haneef, as it says: 'with full examples are located at OpenStackClient's Command List page'
[05:32] <stevemar> http://docs.openstack.org/developer/python-openstackclient/command-list.html
[05:34] <haneef> ok, got it.
[05:34] *** thedodd has quit IRC
[05:35] *** markvoelker has quit IRC
[05:37] *** thedodd has joined #openstack-keystone
[05:44] *** david-lyle_afk has quit IRC
[05:44] *** lhcheng has quit IRC
[06:06] *** lhcheng has joined #openstack-keystone
[06:08] *** lhcheng has quit IRC
[06:12] <stevemar> hmm, i think this bug was incorrectly marked as fixed
[06:12] <stevemar> https://bugs.launchpad.net/keystone/+bug/1384382
[06:12] <openstack> Launchpad bug 1384382 in Keystone "GET /OS-FEDERATION/saml2/metadata does not work" [High,Fix released] - Assigned to Lance Bragstad (lbragstad)
[06:18] *** ChristyF has quit IRC
[06:19] *** lhcheng has joined #openstack-keystone
[06:21] *** redrobot has quit IRC
[06:21] <stevemar> nevermind, looks fixed :)
[06:22] *** gyee has quit IRC
[06:25] *** redrobot has joined #openstack-keystone
[06:25] *** redrobot is now known as Guest32544
[06:27] <openstackgerrit> Merged openstack/keystone: Imported Translations from Transifex  https://review.openstack.org/160233
[06:30] *** jaosorior has joined #openstack-keystone
[06:31] *** thedodd has quit IRC
[06:31] *** markvoelker has joined #openstack-keystone
[06:36] *** markvoelker has quit IRC
[06:38] *** pnavarro has joined #openstack-keystone
[06:42] *** nellysmitt has joined #openstack-keystone
[06:44] *** david-lyle_afk has joined #openstack-keystone
[06:53] *** pnavarro has quit IRC
[07:01] *** lhcheng has quit IRC
[07:22] *** openstackgerrit has quit IRC
[07:22] *** openstackgerrit has joined #openstack-keystone
[07:26] *** AnxiousGarlic has joined #openstack-keystone
[07:27] *** AnxiousGarlic has left #openstack-keystone
[07:32] *** markvoelker has joined #openstack-keystone
[07:34] *** lhcheng has joined #openstack-keystone
[07:37] *** markvoelker has quit IRC
[07:41] *** lhcheng has quit IRC
[07:42] *** lhcheng has joined #openstack-keystone
[07:56] *** ogzy has joined #openstack-keystone
[07:57] <ogzy> where can i find details about keystone's policy.json file, i want to write my own rules and roles
[07:58] <stevemar> ogzy, keystones policy.json is based off of oslo's policy, their docs are here: http://docs.openstack.org/developer/oslo.policy/api.html#module-oslo_policy.policy
[07:58] *** krtaylor has quit IRC
[07:59] <ogzy> stevemar: thank you
[08:05] *** erkules_ is now known as erkules
[08:07] *** browne has quit IRC
[08:08] *** krtaylor has joined #openstack-keystone
[08:15] *** stevemar has quit IRC
[08:16] *** ncoghlan has quit IRC
[08:16] *** lsmola has joined #openstack-keystone
[08:17] *** lhcheng has quit IRC
[08:24] *** dimsum__ has joined #openstack-keystone
[08:26] *** sigmavirus24_awa has quit IRC
[08:27] *** dolphm has quit IRC
[08:27] *** d34dh0r53 has quit IRC
[08:29] *** dimsum__ has quit IRC
[08:30] *** d34dh0r53 has joined #openstack-keystone
[08:31] *** dolphm has joined #openstack-keystone
[08:32] <ogzy> what does identity:get_endpoint mean in the policy.json, i didn't get the idea behind using identity:, can someone tell it?
[08:32] *** pnavarro has joined #openstack-keystone
[08:33] *** markvoelker has joined #openstack-keystone
[08:39] *** markvoelker has quit IRC
[08:44] *** mancdaz has joined #openstack-keystone
[08:46] *** jistr has joined #openstack-keystone
[08:46] *** davechen_ has joined #openstack-keystone
[08:57] <openstackgerrit> Marek Denis proposed openstack/keystone: IdP ID registration and validation  https://review.openstack.org/152156
[09:16] *** karimb has joined #openstack-keystone
[09:19] <openstackgerrit> Merged openstack/keystone: Use revocation events for lightweight tokens  https://review.openstack.org/158414
[09:35] *** markvoelker has joined #openstack-keystone
[09:38] *** ajayaa has quit IRC
[09:39] *** markvoelker has quit IRC
[09:40] *** ajayaa has joined #openstack-keystone
[09:50] *** ajayaa has quit IRC
[09:55] *** davechen_ has quit IRC
[10:04] <openstackgerrit> Elena Ezhova proposed openstack/keystone: [WIP] Prevent calling waitall() inside a GreenPool's greenthread  https://review.openstack.org/160720
[10:05] *** afazekas has joined #openstack-keystone
[10:09] *** ajayaa has joined #openstack-keystone
[10:16] *** henrynash has joined #openstack-keystone
[10:16] *** ChanServ sets mode: +v henrynash
[10:35] *** markvoelker has joined #openstack-keystone
[10:40] *** markvoelker has quit IRC
[10:43] *** trey has quit IRC
[10:45] *** trey has joined #openstack-keystone
[10:45] *** henrynash has quit IRC
[10:46] *** henrynash has joined #openstack-keystone
[10:46] *** ChanServ sets mode: +v henrynash
[10:50] *** henrynash has quit IRC
[11:16] *** dimsum__ has joined #openstack-keystone
[11:20] *** ajayaa has quit IRC
[11:23] *** fmarco76 has joined #openstack-keystone
[11:25] *** fmarco76 has left #openstack-keystone
[11:27] *** tellesnobrega has quit IRC
[11:31] *** ajayaa has joined #openstack-keystone
[11:33] *** tellesnobrega has joined #openstack-keystone
[11:36] *** markvoelker has joined #openstack-keystone
[11:41] *** markvoelker has quit IRC
[11:42] *** fmarco76 has joined #openstack-keystone
[11:44] <openstackgerrit> Marco Fargetta proposed openstack/keystone: IdP ID registration and validation  https://review.openstack.org/152156
[11:53] *** ajayaa has quit IRC
[11:58] <fmarco76> https://review.openstack.org/#/c/159803/
[11:58] <fmarco76> sorry, wrong chat
[12:05] *** EmilienM|afk is now known as EmilienM
[12:10] <openstackgerrit> Sean Dague proposed openstack/oslo.policy: provide more descriptive exception  https://review.openstack.org/160761
[12:31] *** amakarov_away is now known as amakarov
[12:38] *** markvoelker has joined #openstack-keystone
[12:42] *** markvoelker has quit IRC
*** aix has quit IRC12:44
*** dimsum__ is now known as dims12:46
*** oguz has joined #openstack-keystone13:00
*** ogzy has quit IRC13:03
*** oguz_ has joined #openstack-keystone13:04
*** markvoelker has joined #openstack-keystone13:04
*** oguz has quit IRC13:07
*** Bsony has joined #openstack-keystone13:09
ekarlsojamielennox: did you ever come up with a solution for the allow stuff in the client ?13:11
openstackgerritEndre Karlson proposed openstack/python-keystoneclient: Allow for other then STABLE api version  https://review.openstack.org/13015913:11
openstackgerritIhar Hrachyshka proposed openstack/oslo.policy: Expose register and Check as part of public API  https://review.openstack.org/15952513:14
*** dims has quit IRC13:14
openstackgerritElena Ezhova proposed openstack/keystone: Prevent calling waitall() inside a GreenPool's greenthread  https://review.openstack.org/16072013:14
openstackgerritIhar Hrachyshka proposed openstack/oslo.policy: Expose register and Check as part of public API  https://review.openstack.org/15952513:15
*** dims has joined #openstack-keystone13:15
*** henrynash has joined #openstack-keystone13:19
*** ChanServ sets mode: +v henrynash13:19
*** Bsony has quit IRC13:22
openstackgerritRodrigo Duarte proposed openstack/keystone: Add domain_id checking in create_project  https://review.openstack.org/15994413:22
openstackgerritRodrigo Duarte proposed openstack/keystone: Add is_domain field in Project Table  https://review.openstack.org/15742713:22
openstackgerritRodrigo Duarte proposed openstack/keystone: Expose create project with invalid domain_id  https://review.openstack.org/16044613:22
openstackgerritRodrigo Duarte proposed openstack/keystone: Prohibit invalid ids in subtree and parents list  https://review.openstack.org/15872013:22
openstackgerritRodrigo Duarte proposed openstack/keystone: Change project name constraint  https://review.openstack.org/15837213:22
*** aix has joined #openstack-keystone13:23
*** Bsony has joined #openstack-keystone13:23
openstackgerritAlexander Makarov proposed openstack/keystone: Redis token backend  https://review.openstack.org/15084413:27
*** panbalag has joined #openstack-keystone13:28
openstackgerritAlexander Makarov proposed openstack/keystone: Redis token backend  https://review.openstack.org/15084413:29
*** gordc has joined #openstack-keystone13:37
*** aix has quit IRC13:44
*** aix has joined #openstack-keystone13:44
*** jbonjean has quit IRC13:46
*** jbonjean has joined #openstack-keystone13:46
*** jbonjean has quit IRC13:47
*** jbonjean has joined #openstack-keystone13:48
*** jbonjean has quit IRC13:48
*** jbonjean has joined #openstack-keystone13:48
*** oguz_ is now known as ogzy13:48
*** ogzy has joined #openstack-keystone13:48
*** radez_g0n3 is now known as radez13:57
*** grantbow has quit IRC14:00
amakarovdstanek, hi! About that testing question: is there any suggestion how we can test real backends (Redis in particular)14:12
*** ljfisher has joined #openstack-keystone14:17
*** mattfarina has joined #openstack-keystone14:18
*** richm has joined #openstack-keystone14:19
*** nkinder has quit IRC14:24
*** chlong has joined #openstack-keystone14:27
*** joesavak has joined #openstack-keystone14:28
openstackgerrithenry-nash proposed openstack/keystone: Implement backend driver support for domain config  https://review.openstack.org/15805114:29
openstackgerritMerged openstack/keystone: Avoid multiple instances for a provider  https://review.openstack.org/12459914:29
*** david-lyle has joined #openstack-keystone14:31
*** diegows has joined #openstack-keystone14:35
*** ayoung has joined #openstack-keystone14:43
*** ChanServ sets mode: +v ayoung14:43
*** topol has joined #openstack-keystone14:50
*** ChanServ sets mode: +v topol14:50
openstackgerritRodrigo Duarte proposed openstack/keystone: Add is_domain field in Project Table  https://review.openstack.org/15742714:56
openstackgerritRodrigo Duarte proposed openstack/keystone: Change project name constraint  https://review.openstack.org/15837214:56
openstackgerritRodrigo Duarte proposed openstack/keystone: Prohibit invalid ids in subtree and parents list  https://review.openstack.org/15872014:56
*** nkinder has joined #openstack-keystone15:08
*** thedodd has joined #openstack-keystone15:12
*** jasondotstar has joined #openstack-keystone15:16
openstackgerritMarcos Fermín Lobo proposed openstack/keystone: Implement group related methods for LDAP backend  https://review.openstack.org/15732715:22
openstackgerrithenry-nash proposed openstack/keystone: Add support for whitelisting and partial domain configs  https://review.openstack.org/15867915:22
*** henrynash has quit IRC15:23
*** sigmavirus24 has joined #openstack-keystone15:35
*** henrynash has joined #openstack-keystone15:51
*** ChanServ sets mode: +v henrynash15:51
*** stevemar has joined #openstack-keystone15:53
*** ChanServ sets mode: +v stevemar15:53
doug-fishhello again keystone friends.  I'm still working on k2k federation for Horizon and struggling with getting it to work with the keystone client.  In order to facilitate discussion, I've put together a script that makes the same calls I'm making in django_openstack_auth but hopefully in a form that's easier to read15:54
doug-fishhttps://review.openstack.org/#/c/160851/15:54
*** zzzeek has joined #openstack-keystone15:54
openstackgerritElena Ezhova proposed openstack/keystone: Prevent calling waitall() inside a GreenPool's greenthread  https://review.openstack.org/16072015:55
openstackgerritLance Bragstad proposed openstack/keystone: Use choices in config.py  https://review.openstack.org/15789015:57
*** pnavarro has quit IRC15:57
*** eezhova has joined #openstack-keystone15:59
*** crinkle has quit IRC16:01
*** crinkle has joined #openstack-keystone16:01
openstackgerrithenry-nash proposed openstack/keystone: Add API support for domain config  https://review.openstack.org/15875216:02
*** ekarlso has quit IRC16:03
*** ekarlso has joined #openstack-keystone16:07
*** atiwari has joined #openstack-keystone16:14
*** browne has joined #openstack-keystone16:14
openstackgerrithenry-nash proposed openstack/keystone: Enable use of database domain config  https://review.openstack.org/15967516:17
openstackgerrithenry-nash proposed openstack/keystone: Enable sensitive substitutions into whitelisted domain configs  https://review.openstack.org/15992816:22
*** ChanServ sets mode: +o dolphm16:25
openstackgerrithenry-nash proposed openstack/keystone: Mark the domain config API as experimental  https://review.openstack.org/16003216:26
openstackgerrithenry-nash proposed openstack/keystone: Support upload domain config files to database  https://review.openstack.org/16036416:27
*** spandhe has joined #openstack-keystone16:30
*** diegows has quit IRC16:31
openstackgerrithenry-nash proposed openstack/keystone: Stop debug logging of Ldap while running unit tests  https://review.openstack.org/16087216:34
openstackgerrithenry-nash proposed openstack/keystone: Enable use of database domain config  https://review.openstack.org/15967516:35
*** spandhe has quit IRC16:35
openstackgerrithenry-nash proposed openstack/keystone: Enable sensitive substitutions into whitelisted domain configs  https://review.openstack.org/15992816:35
*** Bsony has quit IRC16:36
*** david-lyle_afk has quit IRC16:37
*** david-lyle has quit IRC16:37
openstackgerritLance Bragstad proposed openstack/keystone: Implement Fernet tokens for v2.0 tokens  https://review.openstack.org/15922916:38
openstackgerrithenry-nash proposed openstack/keystone: Implement backend driver support for domain config  https://review.openstack.org/15805116:40
openstackgerrithenry-nash proposed openstack/keystone: Add support for whitelisting and partial domain configs  https://review.openstack.org/15867916:40
openstackgerrithenry-nash proposed openstack/keystone: Add API support for domain config  https://review.openstack.org/15875216:42
openstackgerrithenry-nash proposed openstack/keystone: Stop debug logging of Ldap while running unit tests  https://review.openstack.org/16087216:43
openstackgerrithenry-nash proposed openstack/keystone: Enable use of database domain config  https://review.openstack.org/15967516:43
openstackgerrithenry-nash proposed openstack/keystone: Enable sensitive substitutions into whitelisted domain configs  https://review.openstack.org/15992816:44
lbragstaddstanek: on the v2 token stuff16:44
openstackgerrithenry-nash proposed openstack/keystone: Mark the domain config API as experimental  https://review.openstack.org/16003216:44
lbragstaddstanek: the current commit that is up still needs some work for building the token context on the way out of authenticate and validate calls.16:45
lbragstaddstanek: similar to how v3 does it with V3DataHelper.get_token_data()16:45
openstackgerrithenry-nash proposed openstack/keystone: Support upload domain config files to database  https://review.openstack.org/16036416:45
lbragstaddstanek: currently jorge_munoz is working on it,16:45
samueldmqhenrynash, ping - I've a question regarding domain-specific configs :)16:46
henrynashsamueldmq: sure16:46
samueldmqhenrynash, maybe I missed/forgot something from the spec ..16:46
openstackgerrithenry-nash proposed openstack/keystone: Add API support for domain config  https://review.openstack.org/15875216:47
samueldmqhenrynash, ok, so ... when we create a config that has some sensitive options, those options go to the sensitive_configs database, right?16:47
samueldmqhenrynash, while the others go to the whitelisted_one ..16:47
henrynashyes16:47
samueldmqhenrynash, how are we protecting that data?16:47
henrynashjust a different table…but also the public API cannot read the sensitive table16:48
samueldmqhenrynash, k got it.. and that is just used by the manger16:48
samueldmqmanager*16:48
openstackgerrithenry-nash proposed openstack/keystone: Stop debug logging of Ldap while running unit tests  https://review.openstack.org/16087216:48
henrynashyes16:48
samueldmqhenrynash, ack, thx16:49
openstackgerrithenry-nash proposed openstack/keystone: Enable use of database domain config  https://review.openstack.org/15967516:49
openstackgerrithenry-nash proposed openstack/keystone: Enable sensitive substitutions into whitelisted domain configs  https://review.openstack.org/15992816:50
*** jistr has quit IRC16:50
openstackgerrithenry-nash proposed openstack/keystone: Mark the domain config API as experimental  https://review.openstack.org/16003216:50
samueldmqhenrynash, this test (https://review.openstack.org/#/c/159928/9/keystone/tests/unit/backend/domain_config/core.py) described the whole thing :)16:51
*** thedodd has quit IRC16:51
*** Guest32544 is now known as redrobot16:51
henrynash:-)16:51
*** diegows has joined #openstack-keystone16:52
openstackgerrithenry-nash proposed openstack/keystone: Support upload domain config files to database  https://review.openstack.org/16036416:52
*** henrynash has quit IRC16:53
dstaneklbragstad: nice, i'm going to make a comment in the review so i don't forget16:54
lbragstadok16:54
dstaneklbragstad: i'm sure you've seen it, but the patch is broken now that the fernet naming change has merged16:54
lbragstadyeah, I did a rebase, but two of the tests are still failing,16:55
dstaneklbragstad: just an import problem from what i saw16:55
openstackgerritRodrigo Duarte proposed openstack/keystone: Add domain_id checking in create_project  https://review.openstack.org/15994416:58
openstackgerritRodrigo Duarte proposed openstack/keystone: Add is_domain field in Project Table  https://review.openstack.org/15742716:58
openstackgerritRodrigo Duarte proposed openstack/keystone: Change project name constraint  https://review.openstack.org/15837216:58
*** gyee has joined #openstack-keystone16:58
*** ChanServ sets mode: +v gyee16:58
openstackgerritRodrigo Duarte proposed openstack/keystone: Expose create project with invalid domain_id  https://review.openstack.org/16044616:59
*** nellysmitt has quit IRC17:03
*** ljfisher has quit IRC17:05
*** david-lyle has joined #openstack-keystone17:05
*** _cjones_ has joined #openstack-keystone17:05
amakarovlbragstad, greetings! Is there any roadmap for Fernet tokens? I'd like to try to replace uuid with them :)17:07
lbragstadamakarov: roadmap?17:08
lbragstadas in a migration guide?17:08
amakarovlbragstad, let me put it this way: when will any pre-pre-pre-alpha be ready for testing?17:09
openstackgerritMarco Fargetta proposed openstack/keystone: Adding utf8 to federations tables  https://review.openstack.org/15980317:09
lbragstadamakarov: what kind of testing?17:10
lbragstadare you looking to do?17:10
amakarovlbragstad, I want to deploy an env with several controllers, switch to Fernet tokens and see how fast Keystone has become :)17:11
lbragstadamakarov: so you want to do some performance testing? You should be able to do some of that now, with the commits that merged recently17:12
amakarovlbragstad, I have a full set of rally tests17:12
amakarovlbragstad, cool! Then the last issue will be revocation engine: how do I sync revocations across several controllers/datacenters/databases?17:13
lbragstadamakarov: that work is probably going to come with a new release of keystonemiddleware17:14
*** Bsony has joined #openstack-keystone17:14
lbragstadamakarov: the keystone server works with Fernet tokens and revocation events, we just need a way for keystonemiddleware (auth_token.py Middleware) to grab those events17:15
amakarovlbragstad, middleware? I'm a little lost: how middleware will help with multiple Keystone servers?17:15
amakarovlbragstad, ok, the user story: as a cloud admin I want to revoke user's X role Y on project Z17:16
lbragstadamakarov: sorry, the middleware will help with the service side,17:16
openstackgerritMerged openstack/oslo.policy: provide more descriptive exception  https://review.openstack.org/16076117:16
*** chlong has quit IRC17:17
*** fmarco76 has quit IRC17:17
amakarovlbragstad, well, don't mention it now - I'll try postgres with BDR as a backend. I need an rw LDAP replacement for assignments anyway17:18
amakarovlbragstad, so can I just take master branch and there are Fernet tokens operational?17:19
openstackgerritayoung proposed openstack/keystone-specs: Service Catalog Subsets by ID  https://review.openstack.org/16090917:20
*** lhcheng has joined #openstack-keystone17:22
morganfainbergamakarov: we need to land 1 more patch for fernet to be fully implemented.17:24
morganfainbergamakarov: but it is close.17:24
*** lhcheng_ has joined #openstack-keystone17:24
amakarovmorganfainberg, thanks, eager to try )17:26
*** lhcheng has quit IRC17:27
morganfainberglbragstad: how are v2 tokens text_string and v3 bytes (or vice versa)?17:28
morganfainbergOh wait I know. Header vs url bit17:28
morganfainbergDamn :(17:28
amakarovmorganfainberg, can you take a look please? https://review.openstack.org/#/c/141854/17:29
dstanekmorganfainberg: what's the point of having config values for field lengths? (read max_param_size)17:30
dstanekmorganfainberg: the only reason i can think of is that our specifications are weak and backends can do what they please17:30
morganfainbergdstanek, where?17:32
dstanekmorganfainberg: i was looking at why we would want to do this: https://review.openstack.org/#/c/128504/17:32
openstackgerritMarco Fargetta proposed openstack/keystone: Adding utf8 to federations tables  https://review.openstack.org/15980317:32
dstanekmorganfainberg: max_param_size is something only used in keystone/token/controllers.py so maybe that's already broken17:33
dstanekour schema could conflict with it17:33
morganfainberglikely is.17:34
morganfainbergso i wonder how much is broken today by that.17:34
morganfainbergthe schema and API spec should be the canonical source of truth17:35
morganfainbergnot the backend17:35
morganfainbergi think this is a legacy hold-over fix17:35
* morganfainberg looks again17:35
morganfainbergoh17:36
morganfainbergx509 things17:36
morganfainberguhm.17:36
morganfainbergdstanek, hm. so we should not have config options for that. we should just enforce in schema [json schema] and document in API. if it would break v2 to increase that length / v3, we stick with 6417:38
openstackgerritRodrigo Duarte proposed openstack/keystone: Change project name constraint  https://review.openstack.org/15837217:39
dstanekmorganfainberg: perfect, that's what i was hoping to hear. making too many config options would suck for a variety of reasons17:39
openstackgerritMarco Fargetta proposed openstack/keystone: Adding utf8 to federations tables  https://review.openstack.org/15980317:41
openstackgerritMerged openstack/oslo.policy: Expose register and Check as part of public API  https://review.openstack.org/15952517:42
*** tellesnobrega has quit IRC17:43
openstackgerritMarco Fargetta proposed openstack/keystone: IdP ID registration and validation  https://review.openstack.org/15215617:44
morganfainbergmtreinish, ping - i can't get debtcollector to emit the warning. i can get direct calls to warnings.warn to work, etc.17:45
morganfainbergmtreinish, i have no idea why debtcollector isn't working. so i'm going to have to propose not using it - and revisit.17:45
morganfainbergmtreinish, i've tried a ton of different incarnations for calling it and it always seems to boil down to just not calling things in clearly expected manners.17:46
morganfainbergmtreinish, when it hits warnings.warn, i'll poke at it more after k317:46
*** ljfisher has joined #openstack-keystone17:47
openstackgerritMarco Fargetta proposed openstack/keystone: Adding utf8 to federations tables  https://review.openstack.org/15980317:47
*** jorge_munoz has joined #openstack-keystone17:49
*** jorge_munoz has left #openstack-keystone17:49
*** jorge_munoz has joined #openstack-keystone17:49
openstackgerritMorgan Fainberg proposed openstack/keystone: Deprecate Eventlet Deployment in favor of wsgi containers  https://review.openstack.org/15749517:50
*** htruta has quit IRC17:50
morganfainbergstevemar, dstanek, dolphm, lbragstad, ayoung, https://review.openstack.org/157495 should be an easy review.17:52
*** pnavarro has joined #openstack-keystone17:54
*** spandhe has joined #openstack-keystone17:56
openstackgerritMorgan Fainberg proposed openstack/keystone: Deprecate Eventlet Deployment in favor of wsgi containers  https://review.openstack.org/15749517:57
*** lhcheng_ is now known as lhcheng17:59
*** htruta has joined #openstack-keystone18:00
*** henrynash has joined #openstack-keystone18:00
*** ChanServ sets mode: +v henrynash18:00
*** tqtran has joined #openstack-keystone18:00
*** lhcheng_ has joined #openstack-keystone18:01
*** browne has quit IRC18:02
bretonwell18:03
bretonwe killed eventlet.18:04
*** lhcheng has quit IRC18:04
mtreinishmorganfainberg: ok sure, it worked when I tested it, I'll try to dive into it whenever18:04
*** timcline has joined #openstack-keystone18:04
mtreinishbut as long as you guys have something that works18:04
*** tellesnobrega has joined #openstack-keystone18:04
mtreinishthere's no real rush18:04
*** _cjones_ has quit IRC18:05
*** diegows has quit IRC18:06
*** Bsony has quit IRC18:10
*** Bsony has joined #openstack-keystone18:10
openstackgerritRodrigo Duarte proposed openstack/keystone: Fix nits from 157495  https://review.openstack.org/16092518:11
rodrigodsmorganfainberg, ^ fixed some nits in the eventlet deprecation patch18:11
openstackgerrithenry-nash proposed openstack/keystone: Enable use of database domain config  https://review.openstack.org/15967518:12
openstackgerrithenry-nash proposed openstack/keystone: Enable use of database domain config  https://review.openstack.org/15967518:12
*** harlowja_away is now known as harlowja_18:12
openstackgerrithenry-nash proposed openstack/keystone: Enable sensitive substitutions into whitelisted domain configs  https://review.openstack.org/15992818:14
*** _cjones_ has joined #openstack-keystone18:15
*** lhcheng has joined #openstack-keystone18:16
openstackgerrithenry-nash proposed openstack/keystone: Mark the domain config API as experimental  https://review.openstack.org/16003218:16
openstackgerrithenry-nash proposed openstack/keystone: Support upload domain config files to database  https://review.openstack.org/16036418:16
*** lhcheng_ has quit IRC18:19
morganfainbergrodrigods sure18:21
morganfainbergrodrigods, thanks18:21
morganfainbergmtreinish, yeah it's something odd - i'm sure it's just something called in the wrong order18:22
*** karimb has quit IRC18:24
*** radez is now known as radez_g0n318:27
openstackgerritDolph Mathews proposed openstack/keystone: remove old docstr referring to keyczar  https://review.openstack.org/16093018:35
*** dnalezyt has joined #openstack-keystone18:36
mtreinishmorganfainberg: I just looked at the most recent patch for the deprecation, I think it'll bounce off pep8. You left the debtcollector import in there18:36
morganfainbergdang it.18:37
morganfainbergi thought i pulled that out18:37
jamielennoxmtreinish: /join #openstack-meeting18:37
jamielennoxdamnit18:37
jamielennoxmtreinish: sorry - that must have been there from yesterday18:37
mtreinishjamielennox: I'm always in there :)18:37
openstackgerritMorgan Fainberg proposed openstack/keystone: Deprecate Eventlet Deployment in favor of wsgi containers  https://review.openstack.org/15749518:37
openstackgerritRodrigo Duarte proposed openstack/keystone: Fix nits from 157495  https://review.openstack.org/16092518:38
openstackgerritRodrigo Duarte proposed openstack/keystone: Fix nits from 157495  https://review.openstack.org/16092518:38
openstackgerritDolph Mathews proposed openstack/keystone: refactor: extract fernet packing & unpacking methods  https://review.openstack.org/16093218:43
jamielennoxdstanek: you had the last -1 on https://review.openstack.org/#/c/157282/ can you look again - then i can rebase all my other stuff18:51
dstanekjamielennox: sure18:51
morganfainbergayoung, want to re +2 https://review.openstack.org/#/c/157495/ had to remove an erroneous import18:51
dstanekjamielennox: that was a trivial -1 :-)18:52
jamielennoxdstanek: yea, but if i'm going to bug someone about it at least you've seen it before18:53
dstanekjamielennox: yeah, going through it again now18:53
openstackgerritDolph Mathews proposed openstack/keystone: refactor: consistently refer to "unpacked tokens" as the token's "payload"  https://review.openstack.org/16094018:55
ayoungmorganfainberg, happy to18:55
henrynashstevemar, bknudson: all the early patches for domain-config have been updated from your comments and the new versions have passed jenkins (starts at: https://review.openstack.org/#/c/158051/14)….if we can get a few +2’s I’ll try and line up a +A from someone…18:55
ayounghenrynash, looking18:56
henrynashayoung: thx18:57
marekddstanek: re: https://review.openstack.org/#/c/142573/15/keystone/contrib/federation/utils.py i am not sure if you are suggesting that some tests are actually missing ?18:57
*** jeffDeville has joined #openstack-keystone18:58
*** amakarov is now known as amakarov_away18:58
dstanekmarekd: yes, all of the tests expect empty list instead of a list with stuff18:58
dstanekmarekd: the append vs. extend looks broken to me18:59
dstanekmarekd: is that the way it's supposed to work?18:59
marekddstanek: i don't follow what you mean by saying tests expect empty lists...empty lists of user input (params from assertion) or empty white/black lists ?19:01
jeffDevillehey everyone, I just started using Keystone (Juno) and I'm trying to use openidconnect as the auth provider, but use the sql assignments to manage the roles. a) Is that possible? I've seen ldap references that suggest it might be. b) I seem to need to provide a mapping, but I've yet to find any docs on the syntax. Any suggestions on where to look? c) I don't want to deal w/ mapping OIDC roles to19:01
jeffDeville Keystone ones. I want to manage those from Keystone exclusively. Any pointers on where to look?19:01
dstanekmarekd: all these tests seem to compare against [], what about a case where something is returned?19:02
morganfainbergjeffDeville, it should be doable, that is the design. however, you need to map the OIDC users to a group, and assign the role to the group [not to the user directly]19:02
morganfainbergstevemar, ^ jeffDeville's question19:02
dstanekmarekd: for example, you have 3 things in the input and 1 is blacklisted; the result should be a list of two things19:02
jeffDevilleso we could have a 'user' group and an 'admin' group, and map things to those groups correct?19:03
dstanekmarekd: i'm just trying to figure out if .append is right and if so why the tests didn't catch it19:03
morganfainbergjeffDeville, yes. the groups are defined in keystone still.19:03
morganfainbergjeffDeville, you use the federation mapping rules to take the OIDC attributes and put users into those groups. you can use [i think] any attr to map the user to the group.19:04
morganfainbergjeffDeville, i know stevemar has a bit more experience with this directly than I do.19:04
morganfainbergjeffDeville, so he can expand some [he wrote a chunk of the oidc stuff in keystone along w/ marekd for the federation core code]19:04
jeffDevillemorganfainberg: Ok, we also need to use domain-based authorization. So we're going to have a LOT of groups here that would correspond to the various sets of permissions we'd need. Is that an accurate statement?19:05
*** browne has joined #openstack-keystone19:05
morganfainbergjeffDeville, explain what you mean by domain authorization please.19:05
morganfainbergi don't want to guess wrong ;)19:06
jeffDevillemorganfainberg: stevemar: - Keystone v3 lets you assign roles by domain.  We're offering openstack to multiple companies, and so will need to be isolated from one another. We were going to do that w/ domains.19:07
*** joesavak has quit IRC19:07
bknudsonhenrynash: I had a couple of minor comments on https://review.openstack.org/#/c/158051/ that should be cleaned up.19:07
*** joesavak has joined #openstack-keystone19:07
morganfainbergjeffDeville, you can [with the v3 policy] use groups per domain and map users into those groups19:07
stevemarjeffDeville, catching up...19:08
morganfainbergso yes, you'd need groups that provide the right permissions to the right users.19:08
*** ccard__ has quit IRC19:08
*** jsavak has joined #openstack-keystone19:09
stevemarjeffDeville yeah so morganfainberg explained it perfect19:09
*** ccard__ has joined #openstack-keystone19:09
jeffDevillemorganfainberg: stevemar: - So example: if we have 10 users across 2 companies, where each company has 3 roles, we'd need to create 3*2 = 6 groups, and then map each of the 10 users to the appropriate set of group memberships.  Correct?19:10
henrynashbknudson: would you be Ok with cleaning that up in a (for Kilo) follow up bug fix?19:10
stevemarit'll behave the same way we do SAML based federation now19:10
jeffDevilleSo the mapping will basically include a list of all of the relevant userids (I don't know the mapping syntax yet), and anytime a new user comes in, we'll need to rebuild the mapping doc?19:10
jeffDevillemorganfainberg: stevemar: ^ (sorry)19:11
stevemarjeffDeville, so yes, i think that's what you would want to do19:11
*** aix has quit IRC19:11
stevemar2 domains, one per company, and 3 groups per domain19:11
stevemarthen assign them roles19:11
stevemarthat'll make sure they never collide or have access to each others roles19:12
bknudsonhenrynash: as long as the commit message summary isn't "Fix comments in review https://review.openstack.org/#/c/158051/".19:12
jeffDevilleThanks morganfainberg: stevemar: - Is there any reference for the mapping syntax, or should I peruse the source?19:12
stevemarjeffDeville, there are definitely some examples in the API, but they might be dated now, we have since made some improvements19:13
*** joesavak has quit IRC19:13
morganfainbergstevemar he's using juno19:13
stevemarjeffDeville, how much do you know about openid connect :D19:13
henrynashbknudson: you mean, make the defect/commit message explicit….sure19:13
morganfainbergand all syntax should be backwards compatible19:13
bknudsonhenrynash: yes.19:13
*** ChristyF has joined #openstack-keystone19:13
jeffDevillestevemar: morganfainberg: http://specs.openstack.org/openstack/keystone-specs/api/v3/identity-api-v3-os-federation-ext.html#create-a-mapping This?19:14
henrynashbknudson: I’ll raise explicit defect(s)19:14
jeffDevillestevemar: Enough to have configured our Forgerock sso provider for it, and connect it successfully using the apache mod.  We've registered the identity provider, mapping, and protocol, but the mapping doesn't work because I just copied something from an example.19:15
*** topol has quit IRC19:15
stevemarjeffDeville, excellent, you know everything then :D19:16
jeffDevillestevemar: I've found examples of mapping, but nothing that explains how it works yet, and it's tough to know what's going on because it's taking input -> mapping_it -> output.  And the examples don't have much to say on what the input and output looks like.19:16
samueldmqstevemar, ping - have something to discuss about cadf notif initiators .. :)19:16
stevemarjeffDeville, and those examples are more SAML friendly, let me check what i used for oidc19:17
stevemarsamueldmq, one sec19:17
ayoungdevstack's handling of Horizon is painful.  Defining a virtualhost :80  needs to die19:17
samueldmqstevemar, k19:17
stevemarjeffDeville, this is what I was using: https://gist.github.com/stevemart/e1c07cf4df50f621282f#file-oidc_steps-L65-L8319:17
*** mattamizer has joined #openstack-keystone19:18
stevemarjeffDeville, the apache vhost file is there too19:18
stevemarjeffDeville, oh i used one that had 'groups' at one point19:19
jeffDevilleThanks a ton stevemar:!  I'll go digest for awhile and see what I can do on my own.19:20
*** radez_g0n3 is now known as radez19:20
bknudsonhenrynash: if you want to open a bug that's fine but I don't think that's necessary.19:20
henrynashbknudson: ok19:20
stevemarjeffDeville, PM'ed you a bit more info19:21
henrynashbknudson: I’ll follow up with two separate explicit patches that fix those two issues, tied to this bp19:21
*** Bsony has quit IRC19:21
marekddstanek: ok, so the reason why it's .append() in white and blacklisting cases19:22
marekdare that local rules expect lists19:22
marekdnot strings.19:22
marekddstanek: see line 603 here https://review.openstack.org/#/c/142573/15/keystone/tests/unit/mapping_fixtures.py19:22
marekdit expects all the groups whitelisted by given dict.19:23
openstackgerritDavid Stanek proposed openstack/keystone: WIP: Force SQLite to properly deal with foreign keys  https://review.openstack.org/12603019:23
marekdwhereas in the 'else' case it is 'extend' cause before we only added single strings, usually it was username19:23
marekdmapped directly from some parameter19:24
morganfainbergmarekd, that confused me alot19:24
openstackgerritMerged openstack/keystone-specs: Alembic for SQL migrations  https://review.openstack.org/13153119:24
*** mattamizer has quit IRC19:24
*** Bsony has joined #openstack-keystone19:24
*** Bsony has quit IRC19:25
marekdmorganfainberg: :(19:25
*** Bsony has joined #openstack-keystone19:25
marekdmorganfainberg: append vs extend ?19:26
morganfainbergmarekd, yeah i clearly did not/do not grok the whitelist/blacklist stuff19:27
morganfainbergit wasn't clear why sometimes append was right and sometimes extend was19:27
marekdmorganfainberg: look at the test rule here: https://review.openstack.org/#/c/142573/15/keystone/tests/unit/mapping_fixtures.py line 82119:28
* morganfainberg has a meeting to jump into19:28
marekdit says, take all the values from assertion:ordPersonType and put every value except those blacklisted in the groups attribute19:28
marekdso groups must be a list effectively, hence we need to direct_maps.append(input - blacklisted_values)19:29
stevemarsamueldmq, whats up with the notifier?19:29
stevemarerr initiator19:30
marekdso later local rule will take 0'th element ({0} keyword) from direct_maps and put it19:30
marekdmorganfainberg: ^^19:30
marekddstanek: ^^19:31
marekdand the tests, yes they expect empty group lists, but here mapping engine effectively outputs group names + domains and we check it here https://review.openstack.org/#/c/142573/15/keystone/tests/unit/test_v3_federation.py line 931 for instance19:33
marekdwhat I can add is a length comparison19:33
*** lsmola has quit IRC19:36
*** jeffDeville has quit IRC19:37
dstanekmarekd: i'm going to have to dig into this again.19:39
marekdi left you a comment.19:43
*** kfox1111 has joined #openstack-keystone19:46
dstanekmarekd: i think i get it, but i have a few questions19:46
dstanekmarekd: if multiple things are whitelisted does the first always get applied to the local rule?19:47
kfox1111so is the 'internal' endpoint url ever used? Can I use it to have a private to the physical network compute nodes and have the public addresses unreachable from those nodes?19:48
*** jeffDeville has joined #openstack-keystone19:48
samueldmqstevemar, hi .. does the initiator have some coupling to the resource_type?19:48
marekddstanek: example?19:49
henrynashstevemar, ayoung: sorry to bug…if you’re OK with at least the first couple of the domain-config patches….it would be great to start them gating….(starting at: https://review.openstack.org/#/c/158051/)19:49
samueldmqstevemar, if so, maybe I can't use a project_initiator to report a domain notification ...19:49
*** lsmola has joined #openstack-keystone19:49
larskskfox1111: most services let you configure them to use a specific endpoint type (public/admin/internal).19:49
henrynashgyee: if you are about, see above too19:49
stevemarhenrynash, on it dude19:49
marekddstanek: so, you have input: a,b,c and whitelist: b = > mapped groups for instance will be [a,c]19:49
henrynashstevemar: thx…..19:49
larskskfox1111: or at least, some services do.19:49
marekddstanek: uh, sorry, mapped groups will be [b]19:50
dstanekmarekd: what would be in {0}?19:50
stevemarsamueldmq, the initiator is just the person who created the request, if he fails the policy check it'll be stopped there19:50
marekd0'th element from direct_map list19:50
openstackgerritDolph Mathews proposed openstack/keystone: log query string instead of openstack.params and request args  https://review.openstack.org/16095519:50
dstanekmarekd: but won't that be a list if there are multiple whitelisted things?19:50
marekddstanek: or, output of the 0'th remote rule19:50
marekddstanek: it will be a list19:51
dolphmbknudson: i marked the corresponding bug as critical- https://review.openstack.org/#/c/160955/19:51
samueldmqstevemar, ok ... I'll dig it a bit more19:51
marekdand that's why append() is there19:51
samueldmqthx19:51
marekddstanek: ^^19:51
bknudsondolphm: let me try it.19:52
marekddstanek: from the UX, {0}, {1} means: take 0th, 1st output from the remote rule and put it in the local attribute19:52
dstanekmarekd: what code takes that list (that may contain another list) and does stuff with it?19:52
*** dnalezyt has quit IRC19:52
marekddstanek: looking.19:52
marekddstanek: https://github.com/openstack/keystone/blob/master/keystone/contrib/federation/utils.py#L392 and https://github.com/openstack/keystone/blob/master/keystone/contrib/federation/utils.py#L471 which transforms {0} into real mapped values19:54
openstackgerritMerged openstack/keystonemiddleware: Extract IdentityServer into file  https://review.openstack.org/15728219:54
openstackgerritMerged openstack/keystonemiddleware: Move UserAuthPlugin into its own file  https://review.openstack.org/15728319:55
*** ccard_ has joined #openstack-keystone19:55
bknudsondevstack didn't work ... AttributeError: 'module' object has no attribute 'SECURITY_TRUST'19:56
marekddstanek: https://github.com/openstack/keystone/blob/master/keystone/contrib/federation/utils.py#L485 uh, docstring could be updated here so the direct_map include also a list inside19:56
*** ccard__ has quit IRC19:56
ayounghenrynash, so far so good19:56
dstanekmarekd: so the output of that will be a str(list)?19:56
ayoungI'm about 1/2 through that patch19:56
gyeehenrynash, sure, looking19:57
bknudsonmaybe we're requiring a newer version of pycadf?19:57
henrynashgyee: thx19:57
ayounghenrynash, would love to see that code eventually moving to oslo.config19:57
*** jorge_munoz_ has joined #openstack-keystone19:57
henrynashayoung: yeah, understand that desire!19:58
marekddstanek: apparently yes19:59
marekddstanek: and later will be transformed to list again with ast.literal_eval()19:59
ayounghenrynash, +2A19:59
dstanekmarekd: ah, interesting19:59
ayounghenrynash, get brant's -1 on the next ...19:59
openstackgerritLance Bragstad proposed openstack/keystone: Cleanup docstrings in test_v3_federation.py  https://review.openstack.org/16095919:59
henrynashayoung: thx you sir..yeah, just saw that…fixing now20:00
gyeeI call ayoung's +2A and raise another +220:00
ayounghenrynash, he made a lot of comments, not sure which are responsible for the -120:00
marekddstanek: it was not my idea to do the rules substitution using .format() :(20:00
ayoungOK..so it is the API that scares me....20:00
*** ccard_ has quit IRC20:01
ayoungthat is going to be disabled by default, right?20:01
*** jorge_munoz_ has quit IRC20:01
*** browne has quit IRC20:01
henrynashayoung: yes, the config switch is set to False by default20:01
ayoungOK20:01
marekddstanek: honestly, i would like to get rid of the way we do substitution today (with .format() )20:02
*** browne has joined #openstack-keystone20:02
ayounghenrynash, you have a test that confirms that?20:02
henrynashayoung: hmm, now that’s probably a fair point :-)20:02
henrynashayoung: I’ll add one20:02
ayounghenrynash, that would be a deal breaker for me.  I can't accidentally enable an API that can change configs....20:03
*** ccard_ has joined #openstack-keystone20:03
ayoungthanks20:03
ayounghenrynash, +2 A on the ldap logging.  If you rebase that or something, feel free to re-apply my +2A20:03
henrynashayoung: thx20:04
*** joesavak has joined #openstack-keystone20:04
marekddstanek: makes more sense now?20:05
dstanekmarekd: yes, fairly complicated though :-) mostly due to the distributed nature of the logic.20:06
*** jsavak has quit IRC20:06
dstanekmarekd: for example i would say the str-ing is wrong because i don't see the ast.literal_eval20:07
openstackgerritLance Bragstad proposed openstack/keystone: Use choices in config.py  https://review.openstack.org/15789020:07
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Honor domain operations in project table  https://review.openstack.org/14376320:07
*** jorge_munoz has quit IRC20:07
marekddstanek: well, i am not the original author, but read the code and added many fixes there and yes...now i also had to 'rethink' what's going on. So i can imagine it is not super straightforward.20:07
openstackgerritMarek Denis proposed openstack/keystone: Implements whitelist and blacklist mapping rules  https://review.openstack.org/14257320:08
*** ccard__ has joined #openstack-keystone20:08
marekddstanek: dtr'ing is done from the beginning20:08
marekdstr'ing20:08
*** _cjones_ has quit IRC20:09
kfox1111larsks: ok. thanks.20:10
*** ccard_ has quit IRC20:10
*** _cjones_ has joined #openstack-keystone20:13
*** jsavak has joined #openstack-keystone20:15
*** _cjones_ has quit IRC20:18
*** joesavak has quit IRC20:18
dstanekmarekd: i think it just needs a little refactoring20:19
*** topol has joined #openstack-keystone20:20
*** ChanServ sets mode: +v topol20:20
*** _cjones_ has joined #openstack-keystone20:21
lbragstadmarekd: so _is_mapped_token is what determines if we're dealing with a federated token in the token provider api, correct? https://github.com/openstack/keystone/blob/ec8f6070abf7576d37837bdf5aec45bc7a055f15/keystone/token/providers/common.py#L430-L43220:23
*** radez is now known as radez_g0n320:26
openstackgerritBrant Knudson proposed openstack/keystone: Update sample config file  https://review.openstack.org/16097020:27
marekdlbragstad: yes20:27
lbragstadmarekd: cool20:27
marekddstanek: uh....20:27
*** gyee has quit IRC20:28
bknudsonlbragstad: now there's more places to use choices...20:28
bknudsonnotification_format20:28
lbragstadbknudson: awesome!20:28
lbragstadbknudson: I'll rebase on your sample config update when it merges20:29
bknudsonlbragstad: btw -- looks like oslo config generator doesn't list the allowed values.20:32
bknudsonin the generated help text.20:32
stevemarthanks bknudson20:32
lbragstadbknudson: I wonder if they plan to build that in?20:32
bknudsonstevemar: for what??20:32
stevemarfor updating sample config20:32
stevemarit was getting pretty out of date20:32
lbragstadbknudson: I feel like that would be helpful if you're going to have choices in there20:33
stevemarlbragstad, totally20:33
stevemarlbragstad, i feel that's an error on oslo.config's part20:33
bknudsonlbragstad: I'll ask in oslo.20:33
*** jorge_munoz has joined #openstack-keystone20:34
openstackgerritDavid Stanek proposed openstack/keystone: Remove extra semicolon from mapping fixtures  https://review.openstack.org/14808020:35
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Honor domain operations in project table  https://review.openstack.org/14376320:35
*** timcline has quit IRC20:39
lbragstaddolphm: from our conversation earlier about audit_id info https://github.com/openstack/keystone/blob/ec8f6070abf7576d37837bdf5aec45bc7a055f15/keystone/token/provider.py#L8320:53
dolphmlbragstad: ... why?!20:53
lbragstaddolphm: I was wrong. they are uuid420:53
lbragstaddolphm: i'm not entirely sure why they are base64 encoded.20:54
*** timcline has joined #openstack-keystone20:54
dolphmlbragstad: but why the fsck are they b64 encoded and then mutilated?20:54
lbragstaddolphm: I think they only live in the token_data dict20:54
lbragstaddolphm: morganfainberg might have an answer?20:55
lbragstaddolphm: looks like there was a specific commit made for making them b64 safe20:55
lbragstadhttps://github.com/openstack/keystone/commit/db6869d616c1315fff8cb93771f59cb961887c1820:56
dolphmlbragstad: i assume that's just to make them shorter?20:56
dolphmmorganfainberg: why do audit ID's need to be url safe?20:56
lbragstaddolphm: we can do that with uuid.bytes?20:57
morganfainbergUhmmmmmmmm. I don't remember.20:57
morganfainbergThere was a reason for it.20:57
morganfainbergThey were b64 since bytes sucked to work with in json, and the :-2 was because we didn't need the padding that was the same every time.20:58
*** raildo_ has joined #openstack-keystone20:58
morganfainbergUrl safe... I don't remember why. But there was a definitive reason.20:59
*** jeffDeville has quit IRC20:59
*** samueldmq is now known as samueldmq-away20:59
morganfainbergUuid -> b64 also was shorter than .hex in string form fwiw.20:59
dolphmmorganfainberg: that's it?21:01
morganfainbergYep.21:01
morganfainberg20 characters vs 32.21:01
dolphmmorganfainberg: do audit IDs ever appear in URLs or something?21:01
morganfainbergNot today. I think we wanted to at one point.21:01
morganfainbergBut that derailed21:02
*** jeffDeville has joined #openstack-keystone21:02
lbragstadwhat if we do something like https://github.com/openstack/keystone/blob/master/keystone/token/providers/fernet/token_formatters.py#L77-L7821:03
lbragstad?21:03
lbragstad>>> len(uuid.UUID(uuid.uuid4().hex).bytes)21:04
lbragstad1621:04
morganfainberglbragstad: as long as the audit ids end up conforming to the spec of a "short string" in the exploded token body returned by validate.21:04
lbragstadso is 16 too long?21:04
morganfainberglbragstad: bytes is really awful to work with in the string repr.21:04
morganfainbergSo you need to make it a string before representing it in json / logging / etc21:04
openstackgerrithenry-nash proposed openstack/keystone: Add support for whitelisting and partial domain configs  https://review.openstack.org/15867921:05
morganfainbergIt should always be printable characters. Bytes does not guarantee that.21:05
morganfainbergI don't care what goes in the msgpacked token id21:05
dolphmlbragstad: i don't quite know how you'd reliably go from base64.urlsafe_b64encode(uuid.uuid4().bytes)[:-2] to a hex-encoded string for input to uuid.UUID() ?21:05
morganfainbergI care what is represented outside of that.21:05
morganfainbergIn json / to services / from validate.21:06
*** radez_g0n3 is now known as radez21:06
dolphmlbragstad: can you just pass bytes to msgpack?21:07
openstackgerrithenry-nash proposed openstack/keystone: Add API support for domain config  https://review.openstack.org/15875221:07
lbragstaddolphm: I think so21:07
lbragstaddolphm: that's what we do with uuid21:07
dolphmlbragstad: oh, then put the audit IDs in as bytes21:07
dolphmlbragstad: bah, that's right21:07
lbragstadmsgpack takes care of it21:07
dolphmlbragstad: let me put up a refactor...21:08
lbragstadcool,21:08
henrynashbknudson: thanks for detailed review of https://review.openstack.org/#/c/158679/ - all items fixed up21:08
lbragstaddolphm: working on a federated token formatter that will probably need to be rebased if we decided to move the token schema logic into token_formatters21:08
morganfainbergYeah. It doesn't matter what is in the packed data. Just what results on the other end(s)21:08
henrynashayoung, stevemar: see above21:08
ayounghenrynash, tooo much above.  see what?21:09
henrynashayoung, stevemar: bknudson: thanks for detailed review of https://review.openstack.org/#/c/158679/ - all items fixed up21:09
openstackgerrithenry-nash proposed openstack/keystone: Stop debug logging of Ldap while running unit tests  https://review.openstack.org/16087221:10
lbragstadmorganfainberg: I *think* it should be good since the only time a uuid.bytes representation exists is in the token_formatter and before sending things to msgpack21:10
morganfainbergThat's fine.21:11
morganfainbergNo concerns with that.21:11
ayounghenrynash, you can drop about 90% of the LDAP options there.21:11
ayoungJust saying21:11
henrynashayoung: meaning that most of them are unlikely to be used?  They are the ones that *could* have an effect on the identity driver21:12
*** Bsony has quit IRC21:12
henrynashayoung: btw, regarding the check to make sure all this is disabled by default…I’ll add that further up the chain at the point anything in the domain config sql tables is actually wired up21:13
openstackgerritDolph Mathews proposed openstack/keystone: refactor: extract and document audit ID generation  https://review.openstack.org/16098021:13
henrynashayoung: i.e. here: https://review.openstack.org/#/c/159675/21:14
dolphmmorganfainberg: ^ lbragstad: now you can use that to "safely" decode the audit ID into bytes21:14
openstackgerrithenry-nash proposed openstack/keystone: Enable use of database domain config  https://review.openstack.org/15967521:15
morganfainbergdolphm: sure. Or we could just make audit id a provider owned thing and fernet can handle that however it wants.21:17
dolphmmorganfainberg: this seems simpler :)21:17
morganfainbergSo move audit id generation down to the base driver and override however you want.21:18
morganfainbergDoesn't bother me either way. This just feels like needless to/from strings for fernet.21:18
morganfainbergBut again not a huge impact.21:18
*** thedodd has joined #openstack-keystone21:20
*** browne has quit IRC21:22
openstackgerritDolph Mathews proposed openstack/keystone: refactor: extract and document audit ID generation  https://review.openstack.org/16098021:23
morganfainbergnotmyname: I'd like to get your take on the fernet tokens as they sit for swift (now that they merged). Post meetings of course.21:23
*** browne has joined #openstack-keystone21:23
notmynamemorganfainberg: ack21:23
openstackgerritMerged openstack/keystone: Remove conditional check (and test) for oauth_api  https://review.openstack.org/15967121:24
*** Tahmina has joined #openstack-keystone21:26
notmynamemorganfainberg: I think I win the "disrupt openstack meetings" badge ;-)21:29
notmynamemorganfainberg: got a doc for me to look at to know what fernet tokens are?21:30
openstackgerritMerged openstack/keystone: Implement backend driver support for domain config  https://review.openstack.org/15805121:31
morganfainbergnotmyname: will get you some info post meeting. Or lbragstad and dolphm can as well.21:31
*** jsavak has quit IRC21:31
*** samueldmq_ has joined #openstack-keystone21:31
*** pnavarro has quit IRC21:34
*** samueldmq_ is now known as samueldmq21:34
dolphmnotmyname: https://github.com/fernet/spec21:35
*** Tahmina has quit IRC21:35
dolphmnotmyname: verify.json has an example of one21:35
*** remote_morgan_ has quit IRC21:36
lbragstaddolphm: you can roll this into your patch if you want to http://cdn.pasteraw.com/gwystlxhrflbg0xhkk25nw2yot9cd9h21:36
dolphmlbragstad: put it up as a dependent patch21:37
dolphmlbragstad: are you just handling it differently if it's one to save space?21:39
dolphmone element*21:39
*** browne has quit IRC21:39
*** browne has joined #openstack-keystone21:39
lbragstaddolphm: I was handling the case where it might be a list,21:39
lbragstadmorganfainberg: are audit_ids always in a list?21:40
lbragstadmorganfainberg: even if it's just one?21:40
morganfainberglbragstad: yes.21:40
lbragstadoh21:40
morganfainbergOr should be.21:40
lbragstaddolphm: in that case, I'll fix better21:40
dolphmmorganfainberg: and it's always either one or two, never an unbounded list?21:40
morganfainbergdolphm: correct21:40
morganfainbergIt is either 1: the original token issued or 2: a token that was rescoped21:41
morganfainbergBut never more than 2.21:41
dolphmmorganfainberg: what if it's a rescoped rescoped token?21:41
morganfainbergYou always maintain the original token if and current token Id21:41
*** stevemar has quit IRC21:41
morganfainbergYou don't care about the intermediary ids.21:41
dolphmmorganfainberg: hmm, alright21:42
morganfainbergS/if/id21:42
dolphmmorganfainberg: remind me to ask you why in vancouver21:42
morganfainbergThe idea being that we want to drive towards no rescoping a scoped token21:42
morganfainbergAnd the important part is being able to invalidate a whole session. But not needing to chase a chain to figure that out.21:43
morganfainbergHow often do you revoke this token and subordinate tokens? It's not common.21:44
morganfainbergOr not doable :P21:44
*** EmilienM has quit IRC21:44
*** EmilienM has joined #openstack-keystone21:44
*** jeffDeville has quit IRC21:44
*** gyee has joined #openstack-keystone21:44
*** ChanServ sets mode: +v gyee21:44
morganfainbergSo we opted for either "this token" or the more nuclear option of "all tokens in a chain"21:44
morganfainbergBut not needing to revoke all tokens for a user.21:45
dolphmcool21:45
openstackgerritLance Bragstad proposed openstack/keystone: Convert audit_ids to bytes before msgpacking  https://review.openstack.org/16099321:46
lbragstaddolphm: ^21:46
dolphmlbragstad: you need to decode the bytes back to strings21:47
dolphmlbragstad: in validate21:48
dolphmlbragstad: right?21:48
lbragstaddolphm: yeah, pushing up another revision21:50
morganfainbergIt just seems silly to do bytes -> str -> bytes -> pack -> unpack -> str21:52
*** trey has quit IRC21:52
morganfainbergYou could do bytes -> pack -> unpack -> str21:52
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Add Request ID to outbound calls when set  https://review.openstack.org/15567221:53
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Add service token to user token plugin  https://review.openstack.org/14161421:53
*** jeffDeville has joined #openstack-keystone21:54
*** trey has joined #openstack-keystone21:54
*** jeffDeville has quit IRC21:57
*** mattfarina has quit IRC21:59
notmynamedolphm: thanks. got any python examples on what a client needs to do? any way I can use this with curl?22:00
morganfainbergnotmyname: works the same as uuid tokens, just a little larger (255 bytes max)22:03
dolphmnotmyname: set keystone's token provider to .fernet. instead of .uuid. and authenticate against v322:03
dolphmnotmyname: ooh, and run keystone-manage fernet_setup :)22:03
morganfainbergYeah v3 is needed atm. V2 patch is pending.22:03
morganfainbergdolphm: ++22:03
*** pmath has joined #openstack-keystone22:04
dolphmmorganfainberg: next thing to document ^^22:04
morganfainbergdolphm: hehe.22:04
morganfainbergHow close are we to getting v2 happy?22:04
morganfainbergI'd like to get the last of these things gating today (and related: federated tokens)22:04
dolphmmorganfainberg: jorge_munoz and lbragstad are looking for the best way to do something analogous to the v3 token data "helper"22:05
*** topol has quit IRC22:05
*** edmondsw has joined #openstack-keystone22:05
lbragstadsince we have to reconstruct the token data22:05
morganfainbergThat's hard cause the bad "take crap data and shove it into the token" that v2 does now.22:05
morganfainbergThis was part of the fix the provider cleanup. You may just want to make everything v3 then do a v3 -> v2 converter.22:06
morganfainbergJust mangle v3 data to v2 when asked.22:06
morganfainbergFor fernet that is.22:07
morganfainbergV3 has all the data needed to construct a v2 token. So should be easy to do so.22:08
openstackgerrithenry-nash proposed openstack/keystone: Enable use of database domain config  https://review.openstack.org/15967522:11
*** gyee has quit IRC22:13
*** devlaps has joined #openstack-keystone22:13
*** devlaps has quit IRC22:13
openstackgerrithenry-nash proposed openstack/keystone: Enable use of database domain config  https://review.openstack.org/15967522:13
openstackgerrithenry-nash proposed openstack/keystone: Enable sensitive substitutions into whitelisted domain configs  https://review.openstack.org/15992822:14
openstackgerrithenry-nash proposed openstack/keystone: Mark the domain config API as experimental  https://review.openstack.org/16003222:15
openstackgerritLance Bragstad proposed openstack/keystone: Convert audit_ids to bytes before msgpacking  https://review.openstack.org/16099322:18
*** Bsony has joined #openstack-keystone22:19
*** Bsony has quit IRC22:23
pmathkeystone ImportError: No module named access22:27
pmathis this a known issue or a bad upgrade on my part?22:27
openstackgerritRodrigo Duarte proposed openstack/keystone: Add domain_id checking in create_project  https://review.openstack.org/15994422:27
openstackgerritRodrigo Duarte proposed openstack/keystone: Add is_domain field in Project Table  https://review.openstack.org/15742722:27
openstackgerritRodrigo Duarte proposed openstack/keystone: Change project name constraint  https://review.openstack.org/15837222:27
morganfainbergpmath, haven't seen that before22:27
morganfainbergso not a known issue as far as i am aware22:28
pmathk thanks22:28
*** gyee has joined #openstack-keystone22:33
*** ChanServ sets mode: +v gyee22:33
*** timcline has quit IRC22:42
dolphm /sigh vancouver comes up in our expense report system as "Vancouver, United States of America"22:42
bknudsonvancouver washington?22:43
dstanekdolphm: isn't Canada a US territory?22:43
morganfainbergyeah don't forget there is a vancouver WA22:43
*** stevemar has joined #openstack-keystone22:44
*** ChanServ sets mode: +v stevemar22:44
openstackgerritMerged openstack/keystone: remove old docstr referring to keyczar  https://review.openstack.org/16093022:44
dolphmdstanek: morganfainberg: Canada isn't even listed in "Travel Cities by Country"22:44
*** ayoung has quit IRC22:45
dstanekdolphm: "other" maybe?22:45
dstaneki guess we don't like our neighbors22:45
dolphmdstanek: there actually is an "Other" if you search for "Other" -- no idea how to find that in the UI though22:46
dolphmlbragstad: i love that this merged with you as the blamer https://github.com/openstack/keystone/blame/master/keystone/tests/unit/token/test_fernet_provider.py#L207-L210 sorry22:50
dstanekdolphm: lbragstad: ouch22:51
*** openstackgerrit has quit IRC22:51
*** openstackgerrit has joined #openstack-keystone22:51
morganfainbergdolphm, wheeee: http://www.macrumors.com/2015/03/03/apple-freak-security-flaw/23:02
*** nkinder has quit IRC23:04
*** spandhe has quit IRC23:05
dstanekwhy does gerrit spit out )]}' before the opening { when using the rest API?23:08
henrynashbknudson: thanks for the further review…working on fixes now23:10
openstackgerritMerged openstack/keystone: Deprecate Eventlet Deployment in favor of wsgi containers  https://review.openstack.org/15749523:12
openstackgerritMerged openstack/keystone: refactor: extract fernet packing & unpacking methods  https://review.openstack.org/16093223:12
openstackgerritMerged openstack/keystone: refactor: consistently refer to "unpacked tokens" as the token's "payload"  https://review.openstack.org/16094023:13
*** raildo_ has quit IRC23:13
*** Ephur has joined #openstack-keystone23:16
*** CF_ has joined #openstack-keystone23:16
*** ChristyF has quit IRC23:17
doug-fishwhere do the unit tests for auth plugins reside?23:21
jamielennoxhey, someone want to approve: https://review.openstack.org/#/c/158503/ ? moving functional tests from tempest to ksc23:24
jamielennoxdoug-fish: ksc/tests/auth23:24
*** spandhe has joined #openstack-keystone23:24
doug-fishthx!23:25
*** stevemar has quit IRC23:29
*** chlong has joined #openstack-keystone23:31
openstackgerritMerged openstack/keystone: log query string instead of openstack.params and request args  https://review.openstack.org/16095523:34
*** sigmavirus24 is now known as sigmavirus24_awa23:36
*** jorge_munoz has left #openstack-keystone23:39
*** edmondsw has quit IRC23:49
*** gordc has quit IRC23:57

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!