Monday, 2015-03-16

*** aix has quit IRC		00:26
*** aix has joined #openstack-keystone		00:30
*** iamjarvo has joined #openstack-keystone		00:53
*** bknudson has quit IRC		01:53
*** dims_ has quit IRC		02:13
*** erkules_ has joined #openstack-keystone		02:23
*** erkules has quit IRC		02:26
*** chrisshattuck has joined #openstack-keystone		02:33
openstackgerrit	Jorge Munoz proposed openstack/keystone: Implement Fernet tokens for v2.0 tokens https://review.openstack.org/159229	02:42
*** hogepodge has joined #openstack-keystone		02:43
*** erkules_ is now known as erkules		02:54
*** erkules has quit IRC		02:55
*** erkules has joined #openstack-keystone		02:55
*** browne has joined #openstack-keystone		02:56
*** chrisshattuck has quit IRC		03:05
*** iamjarvo has quit IRC		03:12
*** dimsum__ has joined #openstack-keystone		03:14
*** stevemar has joined #openstack-keystone		03:19
*** ChanServ sets mode: +v stevemar		03:19
*** dimsum__ has quit IRC		03:19
openstackgerrit	Jamie Lennox proposed openstack/keystonemiddleware: Rename requests mock object in testing https://review.openstack.org/164565	03:26
*** chrisshattuck has joined #openstack-keystone		03:30
*** achudnovets_ has quit IRC		03:37
*** iamjarvo has joined #openstack-keystone		03:46
*** iamjarvo has quit IRC		03:46
*** iamjarvo has joined #openstack-keystone		03:47
openstackgerrit	Jamie Lennox proposed openstack/python-keystoneclient: Rename requests mock object in testing https://review.openstack.org/164568	03:59
*** iamjarvo has quit IRC		04:03
openstackgerrit	Jamie Lennox proposed openstack/python-keystoneclient: Allow passing logger object to request https://review.openstack.org/157647	04:16
*** lhcheng has quit IRC		04:25
openstackgerrit	Jamie Lennox proposed openstack/keystonemiddleware: Add Request ID to outbound calls when set https://review.openstack.org/155672	04:31
openstackgerrit	Jamie Lennox proposed openstack/keystonemiddleware: Add service token to user token plugin https://review.openstack.org/141614	04:31
*** gokrokve has joined #openstack-keystone		04:40
*** Akshik has joined #openstack-keystone		04:45
*** gokrokve has quit IRC		04:45
*** gokrokve has joined #openstack-keystone		04:46
*** gokrokve has quit IRC		04:50
*** gokrokve has joined #openstack-keystone		05:16
*** gokrokve has quit IRC		05:18
*** gokrokve has joined #openstack-keystone		05:18
*** gokrokve has quit IRC		05:23
openstackgerrit	Steve Martinelli proposed openstack/keystone: Adds test for federation mapping list order issues https://review.openstack.org/163172	05:25
*** lhcheng has joined #openstack-keystone		05:25
*** chrisshattuck has quit IRC		05:27
*** lhcheng has quit IRC		05:30
*** lhcheng has joined #openstack-keystone		05:36
*** sluo_wfh has joined #openstack-keystone		05:46
*** sluo_wfh has quit IRC		05:55
*** stevemar has quit IRC		05:55
openstackgerrit	Jamie Lennox proposed openstack/python-keystoneclient: Extract the Loadable interface from a plugin https://review.openstack.org/138575	05:56
openstackgerrit	Jamie Lennox proposed openstack/python-keystoneclient: Provide a generic auth plugin loader https://review.openstack.org/162529	05:56
*** sluo_wfh has joined #openstack-keystone		06:08
davechen	morganfainberg, steve, hi,	06:11
davechen	morganfainberg, steve, I just drafted a blueprint here (https://blueprints.launchpad.net/keystone/+spec/ondelete-cascade) to follow some comments and discussion in the mailing list regarding to ondelete cascade/ondelete restrict.	06:12
davechen	morganfainberg, steve, since the impact is a little bigger than expected, one or two bugs seems cannot hold the changes.	06:14
davechen	would you pls take mins to look at that pages? I am not quite sure whether it's worthwhile to do that in 'L'? and is there any mistake or break something in the Keystone which I cann't see.	06:17
*** gokrokve has joined #openstack-keystone		06:18
davechen	lurking... talk to you when you online, thx.	06:21
*** gokrokve has quit IRC		06:23
*** afazekas has joined #openstack-keystone		06:23
openstackgerrit	Jamie Lennox proposed openstack/keystone-specs: Add spec for request-helpers https://review.openstack.org/164582	06:26
*** topol has quit IRC		06:41
*** pcaruana has quit IRC		07:14
*** gokrokve has joined #openstack-keystone		07:18
*** gokrokve has quit IRC		07:20
*** gokrokve has joined #openstack-keystone		07:20
*** browne has quit IRC		07:22
*** gokrokve has quit IRC		07:24
*** mflobo has quit IRC		07:43
*** rwsu has joined #openstack-keystone		07:43
*** mflobo has joined #openstack-keystone		07:45
*** ajayaa has joined #openstack-keystone		07:48
*** ncoghlan has quit IRC		07:51
*** ParsectiX has joined #openstack-keystone		08:13
*** gokrokve has joined #openstack-keystone		08:18
*** gokrokve has quit IRC		08:23
*** jorge_munoz has quit IRC		08:28
*** jorge_munoz has joined #openstack-keystone		08:29
*** nellysmitt has joined #openstack-keystone		08:40
openstackgerrit	henry-nash proposed openstack/keystone: Enable sensitive substitutions into whitelisted domain configs https://review.openstack.org/159928	08:54
openstackgerrit	henry-nash proposed openstack/keystone: Enable sensitive substitutions into whitelisted domain configs https://review.openstack.org/159928	08:56
*** henrynash has quit IRC		08:59
openstackgerrit	Marek Denis proposed openstack/python-keystoneclient: Federation Service Providers CRUD operations https://review.openstack.org/159018	09:00
*** Akshik has quit IRC		09:10
openstackgerrit	Marek Denis proposed openstack/python-keystoneclient: Clean arguments in test_federation.*.test_create() https://review.openstack.org/164605	09:11
*** jistr has joined #openstack-keystone		09:11
*** gokrokve has joined #openstack-keystone		09:18
*** gokrokve has quit IRC		09:22
*** amakarov_away is now known as amakarov		09:37
*** dimsum__ has joined #openstack-keystone		09:46
*** lhcheng has quit IRC		09:50
*** gokrokve has joined #openstack-keystone		10:18
*** gokrokve has quit IRC		10:23
*** Akshik has joined #openstack-keystone		11:02
*** dims_ has joined #openstack-keystone		11:02
*** dimsum__ has quit IRC		11:04
*** dims_ has quit IRC		11:07
samueldmq	morning	11:09
amakarov	hi!	11:11
*** dimsum__ has joined #openstack-keystone		11:13
*** gokrokve has joined #openstack-keystone		11:18
*** aix has quit IRC		11:21
*** Akshik has quit IRC		11:22
*** gokrokve has quit IRC		11:23
*** ajayaa has quit IRC		11:24
*** fmarco76 has joined #openstack-keystone		11:32
*** ajayaa has joined #openstack-keystone		11:37
*** rushiagr_away is now known as rushiagr		11:39
*** tsufiev_ is now known as tsufiev		11:42
openstackgerrit	Merged openstack/keystonemiddleware: Update auth_token config docs https://review.openstack.org/164441	11:42
*** rushiagr is now known as rushiagr_away		11:55
openstackgerrit	Merged openstack/python-keystoneclient: Crosslink to other sites that are owned by Keystone https://review.openstack.org/163266	11:55
openstackgerrit	Merged openstack/keystonemiddleware: Crosslink to other sites that are owned by Keystone https://review.openstack.org/163263	11:57
*** rushiagr_away is now known as rushiagr		12:01
*** henrique_ has joined #openstack-keystone		12:04
*** rm_work is now known as rm_work\|away		12:14
openstackgerrit	Merged openstack/keystonemiddleware: Move _memcache_pool into auth_token https://review.openstack.org/162480	12:14
openstackgerrit	Rodrigo Duarte proposed openstack/keystone: Fix nullable constraints in service provider table https://review.openstack.org/164189	12:17
*** gokrokve has joined #openstack-keystone		12:18
*** raildo has joined #openstack-keystone		12:21
*** gokrokve has quit IRC		12:23
*** dimsum__ has quit IRC		12:32
*** dimsum__ has joined #openstack-keystone		12:32
openstackgerrit	Marco Fargetta proposed openstack/keystone: IdP ID registration and validation https://review.openstack.org/152156	12:37
*** radez_g0n3 is now known as radez		12:38
*** ajayaa has quit IRC		12:41
*** mattamizer has joined #openstack-keystone		12:47
*** carlosmarin has joined #openstack-keystone		12:49
*** openstackgerrit has quit IRC		12:50
*** openstackgerrit has joined #openstack-keystone		12:50
*** fifieldt has joined #openstack-keystone		12:51
*** mattamizer has quit IRC		13:01
*** ayoung has joined #openstack-keystone		13:02
*** ChanServ sets mode: +v ayoung		13:02
openstackgerrit	Rodrigo Duarte proposed openstack/python-keystoneclient: Federation Service Providers CRUD operations https://review.openstack.org/159018	13:09
*** henrynash has joined #openstack-keystone		13:10
*** ChanServ sets mode: +v henrynash		13:10
*** aix has joined #openstack-keystone		13:10
*** henrynash has quit IRC		13:15
*** gokrokve has joined #openstack-keystone		13:18
*** gokrokve has quit IRC		13:22
*** bknudson has joined #openstack-keystone		13:30
*** ChanServ sets mode: +v bknudson		13:30
*** jdennis has quit IRC		13:33
*** dimsum__ is now known as dims		13:33
*** Ctina_ has joined #openstack-keystone		13:35
*** henrynash has joined #openstack-keystone		13:35
*** ChanServ sets mode: +v henrynash		13:35
*** jdennis has joined #openstack-keystone		13:39
*** Ctina_ is now known as ctina		13:39
henrynash	having an issue mocking out the LOG.warn as part of a test for invalid domain configs: https://review.openstack.org/#/c/159928/27/keystone/tests/unit/backend/domain_config/core.py	13:41
henrynash	doesn’t seem to catch it….anyone have expereince of trying this?	13:41
*** jaosorior has joined #openstack-keystone		13:43
*** ajayaa has joined #openstack-keystone		13:47
rodrigods	henrynash, hey... fixed here	13:49
henrynash	rodigods:….really?	13:49
rodrigods	henrynash, the error is because you are mocking with the create_config call, not with get_config_with_sensitive_info	13:49
rodrigods	henrynash, should I submit the changes here?	13:50
henrynash	rodigods: duuuuhhhhhhhh	13:50
henrynash	rodigods: no, I get it!!!!!	13:50
henrynash	rodigods: thanks….one of those things I stared at…and couldn’t see the problem!	13:50
rodrigods	henrynash, great! reviewed some nits there	13:50
rodrigods	henrynash, np :)	13:50
henrynash	rodigods: yep, saw those, thanks!	13:50
*** richm has joined #openstack-keystone		13:51
*** gokrokve has joined #openstack-keystone		13:56
*** radez is now known as radez_g0n3		13:58
*** samueldmq has quit IRC		14:00
*** gokrokve_ has joined #openstack-keystone		14:00
*** ctina has quit IRC		14:01
openstackgerrit	henry-nash proposed openstack/keystone: Enable sensitive substitutions into whitelisted domain configs https://review.openstack.org/159928	14:04
*** gokrokve has quit IRC		14:04
openstackgerrit	henry-nash proposed openstack/keystone: Enable sensitive substitutions into whitelisted domain configs https://review.openstack.org/159928	14:05
openstackgerrit	Brant Knudson proposed openstack/keystone: Update sample httpd config file https://review.openstack.org/164510	14:05
*** mattfarina has joined #openstack-keystone		14:08
*** henrynash has quit IRC		14:08
ParsectiX	I'm trying to get this test = keystone_admin.roles.get("heat_stack_owner") but I'm getting Could not find role: heat_stack_owner (HTTP 404)	14:12
ParsectiX	when I put the UUID in () it returns the user	14:12
ParsectiX	why I can't search with name ?	14:12
*** Akshik has joined #openstack-keystone		14:15
*** ljfisher has joined #openstack-keystone		14:19
*** timcline has joined #openstack-keystone		14:23
*** krykowski has joined #openstack-keystone		14:23
*** amerine has quit IRC		14:24
*** sigmavirus24_awa is now known as sigmavirus24		14:25
*** Akshik has quit IRC		14:32
*** stevemar has joined #openstack-keystone		14:40
*** ChanServ sets mode: +v stevemar		14:40
*** angular_mike has joined #openstack-keystone		14:42
*** topol has joined #openstack-keystone		14:47
*** ChanServ sets mode: +v topol		14:47
*** iamjarvo has joined #openstack-keystone		14:49
*** atiwari has joined #openstack-keystone		14:54
*** krykowski has quit IRC		14:55
*** browne has joined #openstack-keystone		14:56
*** gordc has joined #openstack-keystone		14:59
dstanek	FYI - I'm in training this week so I won't be very responsive to requests	15:00
dstanek	morganfainberg: lbragstad: dolphm: ayoung: marekd: bknudson: stevemar: marekd: ^	15:00
*** zzzeek has joined #openstack-keystone		15:01
lbragstad	dstanek: sounds good	15:01
bknudson	dstanek: training for what?	15:01
marekd	dstanek: sure :-)	15:01
dstanek	bknudson: OpenStack!	15:01
bknudson	(can't imagine how dstanek could get any better)	15:01
stevemar	sales training?	15:01
dstanek	lbragstad: where do you sit at Castle?	15:01
lbragstad	dstanek: you're here?!	15:01
dstanek	bknudson: <3	15:01
marekd	dstanek is going to sell what we all do here.	15:01
bknudson	dstanek should be training them.	15:02
lbragstad	dstanek: in the back dark corner by the bookstore	15:02
*** rushiagr is now known as rushiagr_away		15:02
stevemar	dstanek, thanks for letting us know	15:02
dstanek	bknudson: i am learning to set up my own cloud!	15:02
zigo_	It's looking like to me that current trunk of Keystone needs a higher version of python-cryptography than just 0.4.	15:02
dstanek	lbragstad: i'm up on floor 3 right now, but i'll be here all week	15:02
* zigo_ is currently trying to build with cryptography 0.8.		15:03
lbragstad	dstanek: nice! let me know if they let you out for food	15:03
lbragstad	cc dolphm ^	15:03
bknudson	global-requirements only has 0.4 for now	15:03
bknudson	latest is 0.8	15:04
bknudson	zigo: AttributeError: 'module' object has no attribute 'MultiFernet'	15:08
bknudson	that's with cryptography==0.4	15:08
bknudson	zigo: 0.7 worked, 0.6.1 didn't	15:12
bknudson	I'll post a change to g-r.	15:12
*** chrisshattuck has joined #openstack-keystone		15:13
bknudson	zigo: https://review.openstack.org/#/c/164731/	15:15
*** david-lyle_afk is now known as david-lyle		15:15
zigo_	bknudson: Cheers!	15:17
zigo_	bknudson: Indeed, I just tried the unit tests with 0.6, it failed, but 0.8 worked.	15:17
* zigo_ is trying to package everything from trunk this week, to get ahead of beta3 release ...		15:17
bknudson	I could update to 0.8? probably doesn't matter to anyone if 0.7 or 0.8 is used.	15:17
zigo_	bknudson: I currently can't rebuild 0.8 in Jessie, because of unit tests failing with the SSLv3 stuff in Debian. Though since 0.8 is in Experimental, I guess it doesn't change much for me.	15:19
*** thedodd has joined #openstack-keystone		15:21
*** rm_work\|away is now known as rm_work		15:30
*** rushiagr_away is now known as rushiagr		15:30
*** _cjones_ has joined #openstack-keystone		15:31
*** arunkant has quit IRC		15:35
*** Akshik has joined #openstack-keystone		15:36
*** krykowski has joined #openstack-keystone		15:36
*** lhcheng has joined #openstack-keystone		15:45
*** iamjarvo has quit IRC		15:46
*** _cjones_ has quit IRC		15:48
*** tqtran has joined #openstack-keystone		15:51
*** rushiagr is now known as rushiagr_away		15:53
*** gokrokve_ has quit IRC		15:53
*** arunkant has joined #openstack-keystone		15:54
*** ljfisher has quit IRC		15:56
*** gokrokve has joined #openstack-keystone		15:57
*** gyee has joined #openstack-keystone		15:59
*** ChanServ sets mode: +v gyee		15:59
*** ljfisher has joined #openstack-keystone		16:00
*** rushiagr_away is now known as rushiagr		16:02
dolphm	lbragstad: one test is fixed since friday, but i'm still getting a bunch of 401's when sending fernet tokens to auth_token? https://travis-ci.org/dolph/keystone-deploy/builds/53202078	16:04
lbragstad	dolphm: do you get anything logged from the echo service?	16:09
lbragstad	wrt AuthProtocol?	16:09
*** Akshik has quit IRC		16:10
*** Akshik has joined #openstack-keystone		16:10
*** openstackgerrit has quit IRC		16:11
*** openstackgerrit has joined #openstack-keystone		16:11
*** iamjarvo has joined #openstack-keystone		16:12
*** Akshik has quit IRC		16:12
*** samueldmq has joined #openstack-keystone		16:13
*** Akshik has joined #openstack-keystone		16:13
*** Akshik has quit IRC		16:14
*** vhoward has left #openstack-keystone		16:14
*** aix has quit IRC		16:16
*** Akshik has joined #openstack-keystone		16:16
*** fmarco76 has left #openstack-keystone		16:16
*** radez_g0n3 is now known as radez		16:16
dolphm	lbragstad: not that travis logs - but i could change that	16:17
lbragstad	dolphm: just curious since there looks to be a bit of logging in AuthProtocol that could help narrow down what's happening	16:18
*** browne has quit IRC		16:18
lbragstad	dolphm: might be hitting? https://github.com/openstack/keystonemiddleware/blob/8e1bba14235c7860a39dff8f4cf0358d184bad9c/keystonemiddleware/auth_token/__init__.py#L617	16:20
*** ljfisher has quit IRC		16:26
*** iamjarvo has quit IRC		16:29
*** nellysmitt has quit IRC		16:30
*** ljfisher has joined #openstack-keystone		16:30
*** iamjarvo has joined #openstack-keystone		16:32
lbragstad	dolphm: I'm working on a patch for the rest of the methods stuff.	16:32
lbragstad	dolphm: I'm wondering if that is related?	16:32
lbragstad	https://review.openstack.org/#/c/164348/	16:32
*** gokrokve has quit IRC		16:34
dolphm	lbragstad: i sort of doubt it - i'm not aware of anything that cares about methods yet	16:34
*** gokrokve has joined #openstack-keystone		16:36
*** iamjarvo has quit IRC		16:36
*** krykowski has quit IRC		16:37
*** haneef has joined #openstack-keystone		16:40
*** samueldmq has quit IRC		16:40
haneef	bknudson: Regarding defect that is merged , https://bugs.launchpad.net/keystone/+bug/1421825	16:41
openstack	Launchpad bug 1421825 in Keystone "Sample policy should allow user to validate and revoke own token" [Undecided,In progress] - Assigned to Brant Knudson (blk-u)	16:41
uvirtbot	Launchpad bug 1421825 in keystone "Sample policy should allow user to validate and revoke own token" [Undecided,In progress]	16:41
uvirtbot	Launchpad bug 1421825 in keystone "Sample policy should allow user to validate and revoke own token" [Undecided,In progress] https://launchpad.net/bugs/1421825	16:41
morganfainberg	hm..	16:41
haneef	I'm not sure about validation. I think it was done intentionally. If some one gets your token, by doing validation they can get more information about the user from that token. To avoid this token validation was intentionally restricted to service and admin	16:41
morganfainberg	oh uvirtbot is back.	16:41
bknudson	haneef: it's not merged.	16:41
haneef	Do we really want user to validate his token? -	16:42
bknudson	I'll have to think about it.	16:42
morganfainberg	haneef, i think we need to allow it	16:42
morganfainberg	there are things that people, unfortunate, need to figure out based on their token	16:42
morganfainberg	e.g. scope	16:42
bknudson	if I had a token I'd just try stuff and see what worked.	16:43
haneef	why, it will cause security implications. if some one gets a token from log, they can do find out more information about th caller	16:43
morganfainberg	haneef, the PII leaking into tokens should not be the reason why we don't allow it	16:43
morganfainberg	haneef, from a security perspective, it's at best security through obscurity to not allow someone to get other information about what they can do with a token	16:44
bknudson	haneef: is there any issue with revoke? only validate?	16:44
haneef	It is not about PII, you can get the roles associated with the user from that tokek, then can you can more harm	16:44
bknudson	I can split up the patch.	16:44
haneef	Only validate	16:44
morganfainberg	haneef, security through obscurity is not security	16:44
bknudson	if I got the token from a log then I've probably got a good idea of what I can do with it.	16:45
bknudson	e.g., whatever the log says they were trying to do.	16:45
morganfainberg	bknudson, ++	16:45
haneef	It need not be from log, -- since our token are bearer tokens	16:45
*** henrynash has joined #openstack-keystone		16:46
*** ChanServ sets mode: +v henrynash		16:46
haneef	I beleive dolph may know this. It was done intentionally	16:46
morganfainberg	haneef, again, i have a token i got from smewhere, i can just keep doing things until i find something that works. it's not really security.	16:46
morganfainberg	haneef, bad UX for false sense of security isn't good.	16:46
haneef	Agreed, But I can validate now and figure out what it can do in a second which I want to avoid	16:46
*** henrynash has quit IRC		16:47
bknudson	well, anyone can avoid it just edit your policy.json to disallow.	16:47
bknudson	these policies are actually a little weird... since if I've got the token I can use it on itself.	16:48
haneef	bknudson: Agree, but in reality many don't do that	16:48
morganfainberg	haneef, so nothing in a token should be considered sensitive data ever.	16:48
morganfainberg	haneef, the token id should be considered sensitive	16:48
morganfainberg	haneef, if we can't make that assertion we are in the wrong. with PKI tokens, you can decode them w/o the keys since ASN1 is just signing. this adds no level of security above obscurity	16:49
*** Akshik has quit IRC		16:50
ayoung	stevemar, so making the blacklist check "is None" SHOULD BE PART OF THIS PATCH? yOU SURE IT IS NOT SCOPE CREEP? i'M WILLING TO DO IT, but not retype this after realizing my caps lock was on	16:51
* ayoung needs to rip caps lock off this keyboard		16:51
morganfainberg	ayoung, linux, can't you just make capslock do nothing?	16:52
morganfainberg	;)	16:52
haneef	My questions was, if some one gets the token, do we want to make it easier ( even for lay man) to gets token capability . Easier --> as simple as rest call	16:52
ayoung	Technically, it would be X, I suspect	16:52
ayoung	haneef, basic-auth?	16:52
ayoung	or you talking validation?	16:53
*** angular_mike has quit IRC		16:53
morganfainberg	haneef, https://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/common/cms.py#L332	16:53
morganfainberg	ayoung, he's arguing it is a security risk to let someone self validate their token to get information.	16:54
*** openstackgerrit has quit IRC		16:54
*** openstackgerrit has joined #openstack-keystone		16:54
haneef	ayoung: https://review.openstack.org/#/c/155916/6/etc/policy.json	16:54
*** browne has joined #openstack-keystone		16:54
bknudson	I'm actually fine with not changing the sample policy to not allow validating a token... I can see haneef's point.	16:54
* bknudson sometimes proposes changes to see what others think.		16:56
morganfainberg	bknudson, eh i think we're focusing on the wrong place here. but i'm not willing to really argue it.	16:56
morganfainberg	bknudson, just keep in mind we only use -sign for cms, meaning we haven't encrypted anything in PKI tokens.	16:56
ayoung	haneef, you are probably right. Let me look	16:57
morganfainberg	haneef, i think admin only validate wasn't intentional on a security front, i think it was a hold-over from v2.0 where we didn't have a strong policy language fwiw	16:58
ayoung	haneef, the user can swap one token for another anyway. All that would happen here is they can validate the token to get the data in it, but a user can do that anyway	16:58
*** nellysmitt has joined #openstack-keystone		16:58
ayoung	haneef, a user can list projects for themself...essential workflow	16:58
haneef	Actually, it was supposed to be admin and service and all services accounts are supposed to have "service" role. But unfortunately every one used "admin" role, Even our config field names are called "admin tenant" instead of service tenant	16:59
ayoung	now...knowin that a token is good for a specific project....hmmm.	16:59
ayoung	morganfainberg, actually, he has a point	16:59
ayoung	a token should never be validatable using itself	16:59
bknudson	haneef: I had a change to change "admin" to "service" in middleware... abandoned it because we've got auth plugins now.	16:59
ayoung	I would argue that only an unscoped token should be used to validate a users own token	16:59
bknudson	we'd need a special rule for unscoped token.	17:00
bknudson	(I think)	17:00
morganfainberg	bknudson, maybe.	17:00
*** iamjarvo has joined #openstack-keystone		17:01
morganfainberg	ayoung, why should i not be able to get info about the token? I can already do a ton of things with the token. maybe we should disallow any keystone-operations (all) for non-keystone-service-scoped tokens?	17:01
*** iamjarvo has quit IRC		17:01
*** wpf has quit IRC		17:01
*** henrique_ has quit IRC		17:02
*** wpf has joined #openstack-keystone		17:02
*** htruta has quit IRC		17:02
*** iamjarvo has joined #openstack-keystone		17:02
*** iamjarvo has quit IRC		17:02
*** htruta has joined #openstack-keystone		17:03
*** iamjarvo has joined #openstack-keystone		17:03
*** iamjarvo has quit IRC		17:04
*** iamjarvo has joined #openstack-keystone		17:05
ayoung	morganfainberg, agreed; unscoped are for keystone only, and only unscoped.	17:07
ayoung	And they are not validatable	17:08
morganfainberg	ayoung, so lets get out of the weeds, we can't do the unscoped only today	17:10
morganfainberg	ayoung, is there any real benefit to not allowing a user to use both x-auth and x-subject tokens being the same. they can aloready do a ton of things with a token	17:11
*** gokrokve has quit IRC		17:11
ayoung	morganfainberg, Considering how close we are to K3, I consider all design discussions to be about L	17:11
morganfainberg	ayoung, this is a patch that is proposed today.	17:11
morganfainberg	to let a user self-validate their token	17:11
ayoung	morganfainberg, So, lets styart by assuming the token is sniffed	17:11
ayoung	if it is a scoped token, keystone should provide no more information to the sniffer	17:12
*** zzzeek has quit IRC		17:12
ayoung	it should be, for all intensive porposes, useless against Keystone	17:12
ayoung	So Keystone can't say "here is the project you should try to hack over on glance	17:12
ayoung	The problem is that the token carries the information about who the user is. With only the token, we can give up a lot more information	17:13
openstackgerrit	Henrique Truta proposed openstack/keystone: Honor domain operations in project table https://review.openstack.org/143763	17:13
morganfainberg	ayoung, i'm going to hurt you because "intensive purposes"	17:14
morganfainberg	ayoung, :P	17:14
morganfainberg	porposes*	17:14
morganfainberg	stupid autocorrect	17:14
morganfainberg	ayoung, i don't think we should ever assume anything in the token should be priviledged info	17:14
morganfainberg	in fact we've done a remarkably good job of not letting priv. info leak into the token	17:16
ayoung	morganfainberg, in a PKI token, there is a lot of data, but in a UUID, there is none. In Ferent, there is probably a comparable amoput to PKI	17:16
*** leonchio_ has joined #openstack-keystone		17:16
openstackgerrit	Raildo Mascena de Sousa Filho proposed openstack/keystone: [WIP]Update inherited role assignments behavior https://review.openstack.org/164180	17:19
openstackgerrit	Raildo Mascena de Sousa Filho proposed openstack/keystone: Creating domain and filtering by parent_id https://review.openstack.org/161378	17:20
dstanek	do we still need public_endpoint and admin_endpoint set in config?	17:21
dstanek	morganfainberg: dolphm: ^	17:21
stevemar	ayoung, the blacklist check can wait til another patch	17:24
ayoung	stevemar, k	17:24
ayoung	stevemar, I'll queu it up behind this one, started doing it a lready	17:25
ayoung	I think the only test that would break if I did this is mine...	17:25
morganfainberg	ayoung, fernet is actually encrypted	17:26
morganfainberg	ayoung, fernet is opaque like uuid, pki is not	17:26
ayoung	morganfainberg, I thought that was optional	17:26
morganfainberg	ayoung, nope, fernet payload is always encrypted	17:26
ayoung	I thought we were going with HMAC due to size issues	17:26
morganfainberg	ayoung, using fernet means that	17:26
morganfainberg	ayoung, it is HMAC(creation_time, AES(payload)) [roughly]	17:26
morganfainberg	fernet is HMAC(AES())	17:27
ayoung	Ah.	17:27
morganfainberg	we looked at HMAC only if we were implementing it	17:27
morganfainberg	but since fernet gave us both w/o implementing it ourselves, why not?	17:27
*** harlowja has joined #openstack-keystone		17:28
morganfainberg	and size issues seem to be mostly addressed	17:28
*** leonchio_ has quit IRC		17:30
openstackgerrit	Merged openstack/python-keystoneclient: Federation Service Providers CRUD operations https://review.openstack.org/159018	17:30
*** rushiagr is now known as rushiagr_away		17:36
openstackgerrit	Merged openstack/keystone: Mark the domain config API as experimental https://review.openstack.org/160032	17:37
openstackgerrit	ayoung proposed openstack/keystone: Distinguish between unset and empty blac and white lists https://review.openstack.org/164798	17:37
morganfainberg	ayoung, 'blac'!	17:37
morganfainberg	:)	17:37
openstackgerrit	ayoung proposed openstack/keystone: Distinguish between unset and empty black and white lists https://review.openstack.org/164798	17:38
ayoung	morganfainberg, was already on it.	17:38
*** gokrokve has joined #openstack-keystone		17:39
morganfainberg	ayoung, i like that typo :P	17:40
ayoung	blac and whyt?	17:40
openstackgerrit	Lin Hua Cheng proposed openstack/keystone: Validate user exist when assigning roles in V2 https://review.openstack.org/93982	17:40
*** trey has quit IRC		17:43
morganfainberg	ayoung, hahaha	17:43
openstackgerrit	Lin Hua Cheng proposed openstack/keystone: Validate user exist when assigning roles in V2 https://review.openstack.org/93982	17:44
ayoung	stevemar, does update_mapping wipe out the old mapping, and replace it with the new one, or does it add the rules?	17:44
*** afazekas has quit IRC		17:44
ayoung	I did delete/create to make sure I wasn't fooling myself	17:44
*** trey has joined #openstack-keystone		17:45
openstackgerrit	ayoung proposed openstack/keystone: Ignore unknown groups in lists for Federation https://review.openstack.org/162788	17:47
openstackgerrit	Ioram Schechtman Sette proposed openstack/keystone-specs: Policy rules mangaged from a database https://review.openstack.org/133814	17:47
stevemar	ayoung, it wipes out the old mapping	17:47
morganfainberg	marekd, ping: https://review.openstack.org/#/c/113586/15 i just responded to your question.	17:48
morganfainberg	marekd, let me know if you have any other questions.	17:48
ayoung	stevemar, OK, I'll test it out	17:48
*** jistr has quit IRC		17:51
*** sigmavirus24 is now known as sigmavirus24_awa		17:51
openstackgerrit	ayoung proposed openstack/keystone: Ignore unknown groups in lists for Federation https://review.openstack.org/162788	17:53
*** ajayaa has quit IRC		17:57
ayoung	morganfainberg, when is cut off for K3 changes?	17:57
morganfainberg	ayoung, thursday is k3	17:57
morganfainberg	so.. gating today	17:57
morganfainberg	because gate is going to be icky	17:58
ayoung	morganfainberg, OK...so mapping update looks good. The only change for that BP is to tests. https://review.openstack.org/#/c/163172/	17:59
morganfainberg	so, https://review.openstack.org/#/c/159229/34 is the #1 priority to review, and whatever else we can trickle in.	17:59
morganfainberg	ayoung, ++ yeah and test expansions can land post k3	17:59
morganfainberg	if needed.	17:59
ayoung	Remove manager-driver assignment metadata construct seems almost liek a purely internal work	18:00
ayoung	https://review.openstack.org/#/c/148995/	18:00
morganfainberg	ayoung, reseller is probably going to be our FFE	18:00
ayoung	I'll review, but if it misses, it can got in post k3, maybe?	18:00
*** amerine has joined #openstack-keystone		18:01
morganfainberg	ayoung, remove-role-metadata can probably just land post k3, it looks to be tech-debt paydown	18:01
ayoung	reseller not on the k3 list	18:01
morganfainberg	ayoung, reseller is not going to be k3.	18:01
ayoung	OK...so Fernet	18:01
morganfainberg	ayoung, fernet has 2 outstanding patches, 1: v2.0, 2: use current token tests	18:02
morganfainberg	the v2.0 bit is the realllllllly important part to land	18:02
ayoung	what about Federation? I saw a bug on that	18:02
ayoung	fernet + federation works?	18:02
morganfainberg	ayoung, the formatter for it is there.	18:03
*** amerine has quit IRC		18:03
morganfainberg	ayoung, it looks to work, but i've been holding on some end-to-end because v2.0 is needed as well.	18:03
ayoung	morganfainberg, I'm guessing jorge_munoz has a new patch incipient, but I'll look through what he has there	18:04
*** amakarov is now known as amakarov_away		18:04
ayoung	would be so much easier with my builder code...oh well	18:04
morganfainberg	ayoung, the v2.0 looks complete based on no more TODOs etc	18:05
morganfainberg	the testing is the followup patch which i think is the new patchset if anything jorge_munoz is working on	18:05
ayoung	I meant converting from 3 to 2 would be easier...	18:05
morganfainberg	ayoung, oh yes it would	18:06
morganfainberg	ayoung, but alas,	18:06
ayoung	a lass a lass is what I lack, alas a alack I lack a lass alas alack	18:06
ayoung	or summat like that	18:07
*** iamjarvo has quit IRC		18:08
openstackgerrit	Steve Martinelli proposed openstack/keystone: Distinguish between unset and empty black and white lists https://review.openstack.org/164798	18:14
stevemar	just a rebase ^	18:14
*** rushiagr_away is now known as rushiagr		18:17
ayoung	morganfainberg, can you bless: https://review.openstack.org/#/c/162788/ or explicitly tell me it is too big a change for K3? I think it i an under-the-threshold type changes	18:18
*** iamjarvo has joined #openstack-keystone		18:18
morganfainberg	ayoung, this looks like a bug. meaning it can land either now or later, but more important i'd like marek's +2 on it.	18:20
ayoung	morganfainberg, thanks	18:20
ayoung	I'm fine waiting for Marek so long as it is OK for Kilo	18:20
morganfainberg	ayoung, not a crazy change to land in k3, just want marek bless it.	18:20
ayoung	Fine by me	18:20
ayoung	morganfainberg, the follow on one is probably the right approach: distinguish between bnlacklist = [] and no explicitly set blacklist	18:21
* morganfainberg knows enough about the federation to review it... but sometimes it's better to defer to the smart guys who wrote this stuff. (stevemar and marekd being the best matches in this case)		18:21
ayoung	but that to me is a behaviro change, and also sometjhing I'd want to test better	18:21
*** packet has joined #openstack-keystone		18:21
ayoung	and..we can work around it	18:21
morganfainberg	ayoung, yeah please test that further	18:21
ayoung	wilco	18:21
stevemar	who in the what	18:22
ayoung	Me, in the library, with the lead pipe	18:22
ayoung	damnit, I have the library card	18:22
stevemar	that's solid evidence	18:23
ayoung	Must have been in the Billiards room	18:23
ayoung	Clue is one game you can solidly loose without there being an obvious winner	18:23
stevemar	morganfainberg, yeah i'm not sure what the protocol is for a change in behaviour	18:24
stevemar	ayoung, i really want this in, rather than make a deployer define blacklist = ['made up group']	18:24
ayoung	stevemar, really it should be whitelist='*'	18:25
ayoung	welll...meh	18:25
stevemar	yeah, i'm meh on that	18:25
morganfainberg	ayoung, it's far more amusing when you mess clue up and end up with soemthing like: the lead pipe, with the candlestick in the study	18:25
stevemar	its the `group not found` issue	18:25
morganfainberg	ayoung, oh look, no murder happened in this game.	18:26
ayoung	morganfainberg, maybe in that Castle from Disney's version of Beauty and the Beast. That Candlestick with the Lead pipe actually would make more sense. I'd argue it was likely, and he even had the motive. That clock had it coming.	18:27
morganfainberg	ayoung, or "mr. green with ms. scarlet in the lounge" hey wait... that isn't a murder.	18:28
ayoung	The Adult version of Clue?	18:28
morganfainberg	ayoung, must be	18:28
ayoung	It was Col Musteard with Mr. Gree ..."Hey, don't ask don't tell!"	18:28
morganfainberg	ayoung, i think i'd still go with "hey that isn't a murder"	18:29
ayoung	Technically, it is not even a crime in today's Army.	18:29
morganfainberg	there we go.	18:30
openstackgerrit	Ioram Schechtman Sette proposed openstack/keystone-specs: Policy rules mangaged from a database https://review.openstack.org/133814	18:32
openstackgerrit	Brant Knudson proposed openstack/keystone: Create a fixture for key repository https://review.openstack.org/164817	18:33
stevemar	every project needs a bknudson of their own	18:44
stevemar	or maybe bknudson can work on cleaning up every project	18:44
openstackgerrit	Matthew Edmonds proposed openstack/keystonemiddleware: v3 to v2 catalog conversion missing id https://review.openstack.org/164826	18:54
*** afazekas has joined #openstack-keystone		18:57
*** sigmavirus24_awa is now known as sigmavirus24		19:04
*** samueldmq has joined #openstack-keystone		19:05
*** iamjarvo has quit IRC		19:08
*** atiwari has quit IRC		19:12
*** afazekas has quit IRC		19:13
openstackgerrit	ayoung proposed openstack/keystone-specs: Policy rules mangaged from a database https://review.openstack.org/133814	19:16
openstackgerrit	ayoung proposed openstack/keystone-specs: Policy rules mangaged from a database https://review.openstack.org/133814	19:17
openstackgerrit	ayoung proposed openstack/keystone-specs: Policy rules managed from a database https://review.openstack.org/133814	19:17
*** afazekas has joined #openstack-keystone		19:21
*** ayoung has quit IRC		19:29
*** afazekas has quit IRC		19:30
*** iamjarvo has joined #openstack-keystone		19:30
*** jimbaker has joined #openstack-keystone		19:33
dolphm	lbragstad: so, it looks like a bunch of changes to auth_token (to use plugins) caused my v3 credentials to be passed to v2	19:35
dolphm	lbragstad: even though i was explicitly setting api_version to 3	19:35
lbragstad	dolphm: really?	19:36
lbragstad	dolphm: do you have it narrowed down to a commit?	19:37
dolphm	lbragstad: anyway, switching to auth_plugin = password, etc, eliminated the 501's	19:37
*** packet has quit IRC		19:37
lbragstad	oh	19:37
dolphm	lbragstad: now i'm getting 401's on the same tests, without 501's to blame	19:37
dolphm	lbragstad: also, the unscoped test passed once, and is now failing...	19:37
lbragstad	dolphm: logs?	19:38
lbragstad	echo logs?	19:38
lbragstad	er, echo service logs	19:38
dolphm	lbragstad: i'm getting a Could not find project: {id} in echo's error logs	19:38
lbragstad	dolphm: from AuthProtocol?	19:40
dolphm	lbragstad: yes, which is logging teh response body from keystone	19:40
lbragstad	dolphm: ok, so it is getting to the online validation part	19:41
dolphm	lbragstad: yes, and getting a 404 in response	19:41
lbragstad	dolphm: what did you use to set it up?	19:41
*** rushiagr is now known as rushiagr_away		19:42
lbragstad	dolphm: I can't remember if keystone-deploy sets stuff up	19:42
dolphm	lbragstad: [16/Mar/2015:19:41:58 +0000] "GET /v3/auth/tokens HTTP/1.1" 404 341 "-" "python-keystoneclient"	19:42
dolphm	lbragstad: keystone-deploy fernet-tokens	19:42
dolphm	lbragstad: with this patch http://cdn.pasteraw.com/77bmg54kuw9zxwkifgh4ar8rup8kcmh	19:43
*** packet has joined #openstack-keystone		19:43
dolphm	lbragstad: the first bit is not relevant	19:43
dolphm	of the diff	19:43
lbragstad	dolphm: ok, makes sense. I have it pulled down locally	19:43
lbragstad	dolphm: I think my old keystone-deploy vagrant was in a bad state, so I'm rebuilding it	19:44
*** Akshik has joined #openstack-keystone		19:46
lbragstad	dolphm: you ever get this? http://cdn.pasteraw.com/h6alx36xcdkxk3l2cpygwuda4w4isej	19:46
*** uvirtbot has quit IRC		19:50
stevemar	morganfainberg, your input is required for the abfab bp	19:53
morganfainberg	stevemar: on what part?	19:54
stevemar	morganfainberg, if it's going in kilo or not...	19:54
morganfainberg	If it is doc only it can land anytime.	19:54
*** nellysmitt has quit IRC		19:54
stevemar	morganfainberg, that's what the claim is	19:54
stevemar	its only a config issue	19:55
morganfainberg	And I'd say yes, but post k3.	19:55
morganfainberg	If it is doc only. :)	19:55
morganfainberg	Cause the gate is going to be rough till k3 at this point.	19:55
stevemar	morganfainberg, thats the problem, we don't know if it's doc only; thats whats being claimed	19:55
morganfainberg	So we go with "doc only = yes, if it works" otherwise liberty.	19:56
morganfainberg	Very simple. We can revert the docs prior to rc if needed if it is more than docs.	19:56
morganfainberg	But it won't go in if t is more than docs due to timing	19:56
dolphm	lbragstad: oh, yes	19:57
dolphm	lbragstad: ansible-galaxy install -r ansible-requirements.txt	19:57
*** afazekas has joined #openstack-keystone		19:57
dolphm	lbragstad: i stopped testing with vagrant, but that's in the README now ^	19:57
dolphm	lbragstad: that should be a pre-req to 'vagrant up' now	19:57
lbragstad	dolphm: do you have to sudo that?	19:58
*** r-daneel has joined #openstack-keystone		19:58
lbragstad	I'm assuming so?	19:58
dolphm	lbragstad: you can, but instead ...	19:58
stevemar	morganfainberg, okay, the uKent folks have a patch up for config docs, i think it's good to go, but i haven't verified the steps	19:58
openstackgerrit	Brant Knudson proposed openstack/keystone: Fix sample policy to allow user to revoke own token https://review.openstack.org/155916	19:58
openstackgerrit	Brant Knudson proposed openstack/keystone: Fix sample policy to allow user to check own token https://review.openstack.org/164848	19:58
dolphm	lbragstad: add --roles-path=playbooks/roles/	19:58
dolphm	lbragstad: so it installs the new role locally to the project, instead of system-wide	19:59
openstackgerrit	Eric Brown proposed openstack/keystonemiddleware: Use oslo_config choices support https://review.openstack.org/160031	20:00
dolphm	lbragstad: just updated all branches on keystone-deploy with more robust tests	20:01
lbragstad	dolphm: cool, is add an ansible command?	20:01
lbragstad	nm	20:01
lbragstad	i'm dumb	20:01
openstackgerrit	Eric Brown proposed openstack/keystonemiddleware: Use oslo_config choices support https://review.openstack.org/160031	20:01
lbragstad	it's monday	20:01
dolphm	lbragstad: D) all of the above	20:02
dolphm	lbragstad: https://travis-ci.org/dolph/keystone-deploy/branches	20:02
dolphm	lbragstad: new tests are running on non-master branches now ^	20:02
lbragstad	dolphm: nice	20:02
dolphm	lbragstad: the best part is that v3-only is passing with auth_plugin support (thanks jamielennox!!)	20:03
*** timcline has quit IRC		20:04
*** rushiagr_away is now known as rushiagr		20:07
*** tsufiev is now known as tsufiev_		20:10
*** afazekas has quit IRC		20:15
*** afazekas has joined #openstack-keystone		20:16
*** timcline has joined #openstack-keystone		20:18
browne	bknudson, stevemar: I'm here (Eric Brown)	20:18
bknudson	browne: we were all excited about the cryptography patch.	20:19
browne	bknudson: thanks! I like to do more of the same work all over where exec of openssl command line is used. Only issue is that it gets much harder with some of the commands because the cryptography lib doesn't have as many convenient functions.	20:21
bknudson	openssl has too many options.	20:22
*** afazekas has quit IRC		20:23
openstackgerrit	Lin Hua Cheng proposed openstack/keystone: WIP - Validate user exist when assigning roles in V2 https://review.openstack.org/93982	20:24
dolphm	lbragstad: pkiz-tokens branch just failed the same way fernet is -- i'm thinking something might be wrong with auth_token	20:25
*** gokrokve has quit IRC		20:27
*** gokrokve has joined #openstack-keystone		20:27
*** rushiagr is now known as rushiagr_away		20:27
dolphm	lbragstad: PKI, PKIZ & fernet all failing with 401's	20:28
lbragstad	dolphm: yeah, I'm getting the same thing	20:29
lbragstad	http://cdn.pasteraw.com/ro2bjn8cnimtdc0oga4nidz64eot4jv	20:29
lbragstad	dolphm: I get one to pass	20:29
dolphm	lbragstad: exactly	20:29
*** Akshik has quit IRC		20:30
lbragstad	dolphm: I'm not seeing the 404s though	20:33
*** afazekas has joined #openstack-keystone		20:38
dolphm	lbragstad: for projects?	20:38
lbragstad	dolphm: right	20:38
*** lhcheng is now known as lhcheng_afk		20:41
stevemar	browne, ah, the ol' lastname first irc handle	20:43
openstackgerrit	OpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements https://review.openstack.org/162350	20:44
*** thedodd has quit IRC		20:44
stevemar	browne, nice to have you helping us out :) great job reviewing and pushing new code	20:44
morganfainberg	samueldmq, btw, what you sent me in a direct message on IRC regarding those tests - feel free to add yourself as co-author and push those changes up	20:45
dolphm	lbragstad: (i'm trying to repro again, i've been messing with other branches)	20:47
*** afazekas has quit IRC		20:47
lbragstad	dolphm: I can consistently get 3 failures (project-scoped, domain-scoped, and unscoped-token test)	20:47
browne	stevemar: thanks, no problem	20:48
*** afazekas has joined #openstack-keystone		20:49
*** packet has quit IRC		20:50
openstackgerrit	OpenStack Proposal Bot proposed openstack/python-keystoneclient: Updated from global requirements https://review.openstack.org/162355	20:50
morganfainberg	lbragstad, for all forms of token?	20:50
lbragstad	morganfainberg: I've been testing strictly keystone-deploy against fernet, but dolphm's been able to recreate with everything except uuid	20:51
lbragstad	I think	20:51
morganfainberg	hm.	20:51
* morganfainberg goes back to reviewing v2.0 for fernet.		20:51
lbragstad	morganfainberg: ++	20:52
morganfainberg	fwiw, it looks pretty damn good.	20:52
lbragstad	morganfainberg: agreed, I like the test	20:52
lbragstad	tests*	20:52
morganfainberg	i need to actually compare the v2 output(s) so... but otherwise i'm not seeing anything crazy	20:52
dolphm	lbragstad: in /var/log/apache2/echo.error.log: [Mon Mar 16 20:50:02 2015] [error] WARNING:keystonemiddleware.auth_token:Identity response: {"error": {"message": "Could not find project: 76fd9194a52c4d9ba3592fa2d08f838b", "code": 404, "title": "Not Found"}}	20:52
dolphm	lbragstad: and then running tests again, i get even more 404's	20:54
jamielennox	bknudson: what tests do you think are required for https://review.openstack.org/#/c/163259/ , it's purely a split of a file into a module	20:54
dolphm	lbragstad: something about the tests is passing when auth_token first starts up, and then failing later on	20:54
bknudson	jamielennox: it's creating new public symbols, so have a test that asserts that those symbols are there.	20:54
bknudson	so that we don't lose them and break everybody	20:55
*** thedodd has joined #openstack-keystone		20:55
jamielennox	bknudson: ok, will re-look - i didn't think i added anything new in that	20:55
bknudson	I can do keystoneclient.auth.identity.v3.password.PasswordMethod now?	20:56
jamielennox	bknudson: that was always available	20:56
bknudson	password is a new module?	20:57
lbragstad	dolphm: strange... I get failures, but i can't seem to find 404s	20:57
jamielennox	oh, right - ksc.auth.identity.v3.PasswordMethod was always available and still is, but you want to test the new locations as well	20:57
jamielennox	np	20:57
bknudson	right, if they're public	20:57
bknudson	or keep them private	20:58
*** harlowja is now known as harlowja_away		20:58
*** packet has joined #openstack-keystone		21:00
*** sigmavirus24 is now known as sigmavirus24_awa		21:00
morganfainberg	dolphm, caching	21:02
morganfainberg	dolphm, in ATM	21:02
morganfainberg	dolphm, set cache time to 0	21:02
morganfainberg	dolphm, does it start behaving more consistently	21:03
dolphm	lbragstad: http://cdn.pasteraw.com/nq487tgvag9wynjxrjejmbtkozoun23	21:04
dolphm	morganfainberg: let me try	21:04
dolphm	lbragstad: ignore the random spaces inserted in there	21:05
dolphm	lbragstad: line wrapping gone awry	21:05
* lbragstad shakes head		21:05
dolphm	lbragstad: (those look totally fine to me, just sharing in case you spot something)	21:05
lbragstad	dolphm: those look fine	21:05
openstackgerrit	Henrique Truta proposed openstack/keystone: Restrict inherited role assignments to subdomains https://review.openstack.org/164180	21:05
samueldmq	morganfainberg, k will do in a few hours (the tests)	21:06
lbragstad	dolphm: you got those directly from keystone-deploy's keystone?	21:06
dolphm	lbragstad: yes	21:06
samueldmq	morganfainberg, I wasn't sure you would like to work on that by yourself :)	21:06
samueldmq	morganfainberg, thnaks	21:06
dolphm	lbragstad: like this http://cdn.pasteraw.com/kvwuect3e5uyiq3asx3hkt0zsl9a9vp	21:06
*** htruta has quit IRC		21:06
*** iamjarvo has quit IRC		21:06
jamielennox	bknudson, morganfainberg: any opinion on https://bugs.launchpad.net/python-keystoneclient/+bug/1425345 ?	21:08
openstack	Launchpad bug 1425345 in python-keystoneclient "Can't load auth_plugin by full-class-name of plugin class" [Wishlist,In progress] - Assigned to Yuki Nishiwaki (uckey-1067)	21:09
lbragstad	morganfainberg: I don't get any behavior difference setting token_cache_time = 0	21:09
lbragstad	dolphm: ^	21:09
bknudson	jamielennox: I assumed you needed the qualified class name?	21:09
bknudson	how does it find it if it's not qualified?	21:09
*** ayoung has joined #openstack-keystone		21:09
*** ChanServ sets mode: +v ayoung		21:09
jamielennox	bknudson: it uses entry points	21:09
jamielennox	it all loads via stevedore	21:09
bknudson	jamielennox: is that a bug in stevedore then?	21:10
jamielennox	I'm not sure why you would want to use keystoneclient.auth.identity.generic.Password instead of just password	21:10
jamielennox	bknudson: no, he's wanting to specify full class names in config for like auth_plugin = keystoneclient.auth.identity.generic.Password	21:10
bknudson	right, why doesn't stevedore support that?	21:10
jamielennox	stevedore has always been about endpoints, i don't think it falls back to full classnames	21:11
dolphm	lbragstad: only with a new deployment do i see 2 tests fail; with subsequent test runs, 3 tests always fail	21:11
jamielennox	s/endpoints/entry points	21:11
lbragstad	dolphm: hmm, that does sound like a cache problem	21:11
bknudson	stevedore should use the service catalog!	21:11
jamielennox	lol, leads to catalog bloat	21:12
bknudson	jamielennox: I think we're using stevedore correctly, so if they want that support add it to stevedore.	21:12
*** tellesnobrega has quit IRC		21:13
jamielennox	i'm pretty sure stevedore won't take it, it's not really its job - i'm just not sure if i have good reason to say no besides why would i want that?	21:13
jamielennox	and 'being done in neutron' is not a great reason	21:13
bknudson	jamielennox: I don't want to see us copy-paste code from neutron.	21:14
dolphm	lbragstad: added a sort-of negative test btw https://travis-ci.org/dolph/keystone-deploy/builds/54626167	21:14
lbragstad	dolphm: you mean test_unauthorized_request	21:15
*** ljfisher has quit IRC		21:16
bknudson	we should use stevedore to load all our backends.	21:16
*** lhcheng_afk is now known as lhcheng		21:16
*** afazekas has quit IRC		21:16
*** browne has quit IRC		21:16
*** radez is now known as radez_g0n3		21:16
*** tellesnobrega has joined #openstack-keystone		21:18
bknudson	jamielennox: I asked in -oslo... this is more of a question for stevedore, I think.	21:18
*** iamjarvo has joined #openstack-keystone		21:20
*** iamjarvo has quit IRC		21:21
*** iamjarvo has joined #openstack-keystone		21:21
*** browne has joined #openstack-keystone		21:22
*** browne has quit IRC		21:23
*** afazekas has joined #openstack-keystone		21:23
*** packet has quit IRC		21:27
openstackgerrit	James Page proposed openstack/keystone: Deal with PEP-0476 certificate chaining checking https://review.openstack.org/144988	21:28
*** browne has joined #openstack-keystone		21:28
*** afazekas has quit IRC		21:29
bknudson	jamielennox: weren't we going to provide auth plugins in different repos? (e.g., federation)	21:31
jamielennox	bknudson: that was and generally still is the plan	21:32
bknudson	https://etherpad.openstack.org/p/GHG6Kl8hCD	21:32
jamielennox	bknudson: issue is that federation is a really broad term that kind of just means 'use the mapping' which is useful for x509 and kerberos and other things as well	21:32
jamielennox	bknudson: so we killed ksc-federation, am going to add a base plugin in ksc, and then we can pull out ksc-saml2 specifically	21:32
bknudson	jamielennox: so turns out you can have [entry_points] in the other repo's setup.cfg...	21:33
jamielennox	bknudson: yep	21:33
*** mattfarina has quit IRC		21:33
jamielennox	bknudson: kind of the point of entry points, let these plugins be named but exist out of tree	21:34
bknudson	so you'd have keystoneclient.auth.plugin =	21:34
bknudson	myplugin = myplugin:MyPlugin	21:34
bknudson	or whatever	21:34
jamielennox	https://github.com/openstack/python-openstackclient/blob/master/setup.cfg#L30	21:34
jamielennox	i don't believe OSC should be doing this but they are and it works	21:34
bknudson	y, no need to register plugins when you can change the code...	21:35
*** iamjarvo has quit IRC		21:35
bknudson	if these are so great put them in keystoneclient.	21:35
jamielennox	right, OSC is exporting things into the public pool - and particularly token_endpoint i wanted to export that from ksc - cause there's is specific to OSC use case	21:35
jamielennox	but particularly for -kerberos and such we will do thta	21:36
jamielennox	https://github.com/openstack/python-keystoneclient-kerberos/blob/master/setup.cfg#L25	21:36
bknudson	should have called it keystoneclient_kerberos.v3 rather than v3kerberos, then can have best of both worlds.	21:37
bknudson	or keystoneclient_kerberos.v3.Kerberos ?	21:38
jamielennox	so that's what that bug wanted, the full path to the class	21:38
jamielennox	but the case for stevedore should always be when you don't know what class will be used	21:39
bknudson	it's neutron that should get rid of their crappy workaround code... apparently it's just there for backwards-compat.	21:39
jamielennox	if you are ever in your code writing stevedore.load('password') (not real code) you are wrong because you already know what plugin you want and the path to it	21:39
jamielennox	it's really for the case of people using --os-auth-plugin password or auth_plugin = password in CONF that we want these short names	21:40
bknudson	we could have the long names, too.	21:40
jamielennox	bknudson: well we still have that in keystone, you have to specify all the backends by full class name, hopefully we will move that to stevedore entry points one day	21:40
jamielennox	backend = ldap # yay!	21:40
morganfainberg	jamielennox, sooner [think liberty]	21:41
bknudson	now that I have some understanding how it works I'll dig up that old review.	21:41
morganfainberg	jamielennox, but it'll need to support old-style loading	21:41
morganfainberg	jamielennox, as well	21:41
bknudson	I didn't trust it.	21:41
morganfainberg	jamielennox, maybe the answer is new options and deprecate the old options	21:41
morganfainberg	jamielennox, /me hasn't thought about it much	21:41
jamielennox	morganfainberg: the way i've seen it done in others is to specify the full class name as an entrypoing	21:42
morganfainberg	oh hm.	21:42
morganfainberg	except we have people using custom drivers	21:42
jamielennox	[entry_points] keystone.x.y.z = keystone.x.y.z	21:42
morganfainberg	which would massively break	21:42
bknudson	they can provide their own entry_points.	21:42
jamielennox	sure - it's easy to do a fallback, but we expect them to need to do some work between cycles	21:42
jamielennox	that's what neutron is doing with the fallback and why i'm not wanting to copy it	21:42
morganfainberg	jamielennox, yeah i've not thought too much about the best experience for changing it over	21:42
morganfainberg	jamielennox, entry points might be sufficient	21:43
morganfainberg	might	21:43
jamielennox	i looked at it a while ago, i can't remember there was something that prevented me from doing the stevedore rewrite	21:43
jamielennox	i'm guessing it was all the dependency loading stuff	21:43
morganfainberg	the other option is to do stevedore load, if it fails try old load warn if that succeeds, then re-raise exception if it still failed	21:44
*** browne_ has joined #openstack-keystone		21:44
*** browne_ has quit IRC		21:44
ayoung	jamielennox, So...I suspect SOA will evolve like this: It will know about how to create plugins, and create them based on the stevedore plugin name passed from horizon. It will always do federation, and we make the existing authentication mechanism be a subset of Federation	21:44
*** browne1 has joined #openstack-keystone		21:44
*** browne1 has quit IRC		21:44
bknudson	morganfainberg: that's what neutron does.	21:45
bknudson	https://github.com/openstack/neutron/blob/master/neutron/manager.py#L130-L143	21:45
morganfainberg	bknudson, then thats prob. what we should do.	21:45
bknudson	as long as it's deprecated.	21:45
morganfainberg	bknudson, cool.	21:45
morganfainberg	bknudson, ++ i don't want to keep loading w/ old import logic.	21:45
morganfainberg	bknudson, i expect this to be a 1 cycle deprecation.	21:46
jamielennox	ayoung: you referring to my -dev email?	21:46
ayoung	jamielennox, nah, just the comments above. Let me see the mail...	21:46
*** topol has quit IRC		21:47
*** browne_ has joined #openstack-keystone		21:47
*** sigmavirus24_awa is now known as sigmavirus24		21:47
jamielennox	ayoung: i wrote two reviews for DOA, the one i had originally which was creating DOA specific plugins, one where i subclassed DOA and made a kerberos specific django auth backend and used the django loading	21:47
ayoung	jamielennox, I was actually referring to our earlier exchange about kerberos using standard mechinsm, and you saying "use Federation" though	21:47
ayoung	let me seee....	21:47
jamielennox	i put a mail on the list but i wont be able to make the meeting	21:47
*** browne has quit IRC		21:47
ayoung	https://review.openstack.org/#/c/164071/	21:48
ayoung	jamielennox, that was the reusable...	21:48
lbragstad	dolphm: I'm running out of ideas. I generated tokens from Keystone and again, they look fine.	21:48
morganfainberg	lbragstad, if you validate the token yourself, what do you get?	21:49
lbragstad	morganfainberg: checking	21:49
morganfainberg	lbragstad, and is the system somewherre i could poke at it? i can set it up myself, but i don't have working vagrant atm.	21:49
jamielennox	ayoung: http://lists.openstack.org/pipermail/openstack-dev/2015-March/059139.html	21:49
morganfainberg	so it'd be more time to replicate the environment	21:50
jamielennox	also stevemar, lhcheng david-lyle ^	21:50
*** zzzeek has joined #openstack-keystone		21:50
david-lyle	jamielennox: so originally backend was the pluggable part, but it's evolved to be less clean	21:51
david-lyle	err, very dirty	21:51
jamielennox	david-lyle: yea, there is a pretty tight coupling between DOA and dashboard	21:51
jamielennox	also we can do this in #horizon if you like	21:51
david-lyle	personally I don't see much benefit to having a separate project any longer	21:52
david-lyle	it wasn't really written in a reusable way	21:52
david-lyle	unless you want a django UI for openstack that is backed by keystone	21:53
david-lyle	very broad	21:53
jamielennox	david-lyle: well what i'd like is to not see DOA start having dependencies on kerberos and SSO libs	21:53
jamielennox	and to not have those things in the regular DOA library	21:54
david-lyle	but I'm probably not reintegrating DOA into horizon very soon	21:54
david-lyle	yes, as we discussed before I would like to have some form of plugin mechanism	21:55
jamielennox	david-lyle: so i did two forms of plugins that i mentioned in the email, and two horizon patches that i think are required regardless	21:56
jamielennox	david-lyle: the subclass DOA feels a little bit cleaner - but i really struggle to say why other than it's reusing Django concepts	21:57
jamielennox	i guess it seems like it'll be easier to extend, for example i can see the k2k patch is already adding data to the User model but you could make that a public function either way..	21:59
*** timcline has quit IRC		22:00
lbragstad	morganfainberg: I'll see if I can get one setup	22:00
morganfainberg	lbragstad, no problem if it's a lot of work	22:01
morganfainberg	i can just spin up some stuff here locally. just will take longer	22:01
morganfainberg	if the vm was already just out there i'd have just said "oh let me jump on it"	22:01
*** iamjarvo has joined #openstack-keystone		22:10
*** harlowja_away is now known as harlowja		22:11
ayoung	jamielennox, so, no responses to that	22:12
*** gordc has quit IRC		22:12
*** stevemar has quit IRC		22:13
jamielennox	ayoung: i'll be honest i think there's like 3 people who know anything about this on the horizon team	22:14
ayoung	jamielennox, it would be nice if we could take this out of DOA. Ir really feels like that should be split	22:14
jamielennox	david-lyle, lhcheng, and doug-fish, and stevemar is poking around for sso as well	22:14
ayoung	there is some UX portion that should be DOA, and some library portion that should not be Django specific at all	22:15
ayoung	TBH, I would think the authentication should be done by Apache. Which means mod_keystone might not be such a terrible idea after all	22:15
david-lyle	very little of DOA is authentication	22:16
morganfainberg	ayoung, staying out of this conversation due to trauma due to bucketbridgade code in apache mods from a past job.	22:16
david-lyle	if we want to pull that out, I don't care	22:16
*** browne_ has quit IRC		22:16
ayoung	david-lyle, I know. And that is the part we want to be able to swap out	22:16
david-lyle	but most of that just builds on django provide	22:16
ayoung	david-lyle, so if an org wants to use Kerberso or SAML, Horizon will need to be fronted by the appropriate apache module anyway	22:17
*** browne has joined #openstack-keystone		22:18
*** mattfarina has joined #openstack-keystone		22:18
david-lyle	jamielennox: in all honestly I try to stay off the mailing list as much as possible. I read all of it, but prefer to have more real time conversations	22:18
*** mattfarina has quit IRC		22:18
david-lyle	ayoung: sure, and once we expanded beyond simple credential auth, I think we've left the scope of DOA	22:18
jamielennox	david-lyle: no problem, i just wanted to make sure it got some attention and i could point at it rather than explain it to everyone	22:18
jamielennox	ayoung: the problem is the amount of stuff that DOA sets up on the request	22:19
david-lyle	jamielennox: session?	22:19
jamielennox	that 'contract' seems to have been established very hap hazard	22:19
jamielennox	david-lyle: probably - i don't know my django terms	22:19
ayoung	session is standard web thing. It is a secure cookie that maps to the data passed back and forth on each request	22:20
david-lyle	just trying to clarify	22:20
david-lyle	request to keystone vs session data	22:21
*** bknudson has quit IRC		22:22
jamielennox	ok, so on session it's not too bad, the UserModel is a bit big, but i don't want to maintain compatibility with all the recent_project stuff, just have it in one place	22:23
david-lyle	jamielennox: I would say I hope to move that to the client side, but I have too much django content left	22:24
david-lyle	but yes, the session data is too large	22:25
jamielennox	david-lyle: i won't be able to make the horizon meeting, if you could just make people aware of the email i can make either scheme work	22:26
jamielennox	i don't see that we'll honestly have that many auth mechanisms anyway	22:26
jamielennox	if we have a decision i can work on getting it ready before landing the SSO patches	22:27
david-lyle	I'd prefer that, because the SSO patches are a bit of a hack	22:29
david-lyle	let me dig a little more	22:31
david-lyle	but, I'm happy to raise it in the horizon meeting	22:31
jamielennox	david-lyle: cheers	22:32
david-lyle	and thanks for raising the issue	22:32
openstackgerrit	Merged openstack/keystone: Make the default cache time more explicit in code https://review.openstack.org/113586	22:36
*** dims has quit IRC		22:43
*** sigmavirus24 is now known as sigmavirus24_awa		22:43
*** dims has joined #openstack-keystone		22:46
openstackgerrit	Merged openstack/keystone: Address nits for default cache time more explicit https://review.openstack.org/162815	22:46
*** dims has quit IRC		22:47
*** dims has joined #openstack-keystone		22:47
openstackgerrit	Jamie Lennox proposed openstack/python-keystoneclient: Extract BaseAuth out of Auth Plugin https://review.openstack.org/163270	22:54
openstackgerrit	Jamie Lennox proposed openstack/python-keystoneclient: Add a FederatedBase v3 plugin https://review.openstack.org/163271	22:54
openstackgerrit	Jamie Lennox proposed openstack/python-keystoneclient: Split v3 authentication file into module https://review.openstack.org/163259	22:54
*** chrisshattuck has quit IRC		23:00
*** iamjarvo has quit IRC		23:07
*** jaosorior has quit IRC		23:12
*** samueldmq_ has joined #openstack-keystone		23:13
*** thedodd has quit IRC		23:14
*** gyee has quit IRC		23:16
*** dims has quit IRC		23:18
*** dims has joined #openstack-keystone		23:18
*** r-daneel has quit IRC		23:19
openstackgerrit	Morgan Fainberg proposed openstack/keystone: Implement Fernet tokens for v2.0 tokens https://review.openstack.org/159229	23:22
morganfainberg	dstanek, ^ addressed your comments.	23:22
*** lnr has joined #openstack-keystone		23:32
*** lnr has left #openstack-keystone		23:32
*** atiwari has joined #openstack-keystone		23:33
morganfainberg	lbragstad, https://review.openstack.org/#/c/164348/ just commented here	23:37
morganfainberg	lbragstad, please keep the scope super small here. i'd like to see that gating today if at all possible.	23:38
*** r-daneel has joined #openstack-keystone		23:42
*** r-daneel has quit IRC		23:47
atiwari	all, I am trying to setup a custom auth middleware as per instruction given in http://docs.openstack.org/developer/keystone/external-auth.html. seem it is not triggering. any idea?	23:48
atiwari	thanks for the help in advance	23:48
*** gokrokve has quit IRC		23:49
*** henrynash has joined #openstack-keystone		23:54
*** ChanServ sets mode: +v henrynash		23:54
morganfainberg	atiwari, you're writing your own middleware or you're trying to use external auth?	23:54
atiwari	I am writing my own	23:54
atiwari	morganfainberg, ^	23:54
morganfainberg	atiwari, did you add it to the paste pipeline for the service it is protecting?	23:54
atiwari	yes	23:55
*** bknudson has joined #openstack-keystone		23:55
*** ChanServ sets mode: +v bknudson		23:55
morganfainberg	atiwari, i think it needs a __call__ function	23:55
morganfainberg	atiwari, s/function/method	23:55
morganfainberg	atiwari, what behavior are you seeing?	23:55
morganfainberg	atiwari, not trggering at all?	23:56
atiwari	1 sec	23:56
morganfainberg	atiwari, is it after the normal auth_token middleware? and is the normal auth_token rejeciting. because a reject anywhere in the pipeline beforee your filter will cause it to fail	23:56
morganfainberg	also your new filter needs to be in the pipeline where the normal auth_token is, remember requests go through the filters serially	23:57
atiwari	morganfainberg, yes it is after that	23:57
atiwari	as per the link I am adding it after "url_normalize token_auth admin_token_auth json_body"	23:58
atiwari	is that not correct?	23:58
morganfainberg	wait	23:58
morganfainberg	oh this is for keystone not to replace auth_token middleware	23:58
atiwari	http://docs.openstack.org/developer/keystone/external-auth.html is the link	23:58

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!