atiwari | Developing a WSGI middleware for authentication | 00:00 |
---|---|---|
atiwari | morganfainberg, am I supposed to remove other middleware? | 00:00 |
atiwari | e.g. token_auth admin_token_auth | 00:00 |
morganfainberg | atiwari, ok so i'd look at the auth_context https://github.com/openstack/keystone/blob/master/keystone/middleware/core.py#L198 as an example | 00:00 |
morganfainberg | that is what does a lot of the heavy lifting today | 00:00 |
morganfainberg | atiwari i would also add a debug/output log to see if you're even seeing the request | 00:01 |
*** r-daneel has joined #openstack-keystone | 00:02 | |
morganfainberg | oh hm. i might be giving bad advice, sec | 00:02 |
morganfainberg | ok so, atiwari, i'd add debug info see if it's even being triggered. if it is you should be seeing it | 00:04 |
morganfainberg | i don't know your code so i can't say much else though | 00:04 |
atiwari | np morganfainberg thanks for help. I will add debug and see :) | 00:04 |
*** gokrokve has joined #openstack-keystone | 00:08 | |
lhcheng | jamielennox: just got back, missed the convo about the doa. So if we eventually moved the authn to apache module, doa just need to be able to read the keystone token out of the request? | 00:09 |
jamielennox | lhcheng: we're not going to be able to move everything to apache module - but that's pretty accurate for the websso as i understand it | 00:11 |
jamielennox | DOA will redirect to the auth provider which will redirect to keystone which redirect to horizon with a token already | 00:11 |
*** aix has joined #openstack-keystone | 00:12 | |
lhcheng | jamielennox: yup, that's how the websso is working right now. | 00:14 |
jamielennox | lhcheng: so did you see the link to the email | 00:15 |
jamielennox | or the email itself? | 00:15 |
lhcheng | jamielennox: for kerberos, will the authentication be handled in doa or an apache module? | 00:15 |
* lhcheng looking | 00:15 | |
jamielennox | lhcheng: for all of these things we need some interaction with DOA | 00:15 |
jamielennox | lhcheng: for kerberos the KRB5CCNAME env var gets passed through which then is used by the kerberos plugin | 00:16 |
jamielennox | so it's fairly similar to now, just replace password plugin with kerberos plugin | 00:16 |
jamielennox | lhcheng: http://lists.openstack.org/pipermail/openstack-dev/2015-March/059139.html | 00:17 |
atiwari | morganfainberg, have one question in the same line. do you have 1 min? | 00:18 |
morganfainberg | sure | 00:18 |
atiwari | let me explain it little bit. | 00:19 |
lhcheng | jamielennox: I suppose for the plugin model, it will eventually support plugin discovery using stevedore? | 00:19 |
jamielennox | lhcheng: let's go to #horizon | 00:19 |
atiwari | keystone is running under apache. and authentication is done by external IdP, which is setting a token_id (this is not keystone token) | 00:20 |
atiwari | I want to use external auth but the token_id has to be validated again by the external agent | 00:21 |
atiwari | in this scenario, I thought I will call the external agent from the auth middleware | 00:22 |
atiwari | does it look feasible? | 00:23 |
morganfainberg | atiwari, so... you are using an external auth [user auth] but also a token? | 00:23 |
morganfainberg | atiwari, that sounds wrong. token is a type of auth, external would be another | 00:23 |
morganfainberg | not external *and* token. | 00:23 |
atiwari | my intention is to use external auth only | 00:23 |
morganfainberg | so you could also just create an auth_plugin | 00:24 |
morganfainberg | if it doesn't need to be in middleware. | 00:24 |
atiwari | ok | 00:24 |
atiwari | so custom auth plugin? | 00:25 |
morganfainberg | but in short, you just need to set the values the external auth plugin is looking for, and make sure external auth plugin is enabled if you're using a middleware | 00:25 |
morganfainberg | either way works | 00:25 |
morganfainberg | external auth is meant to use something like mod_ldap or mod_basic_auth | 00:25 |
atiwari | something like keystone.auth.plugins.external.Domain? correct? | 00:25 |
morganfainberg | you instead could just write an auth plugin if you wanted. but someone would need to request the auth plugin | 00:25 |
openstackgerrit | Samuel de Medeiros Queiroz proposed openstack/keystone: Add in further token validation in v3_auth tests https://review.openstack.org/164026 | 00:25 |
morganfainberg | atiwari, yah. | 00:25 |
samueldmq_ | morganfainberg, ^ | 00:26 |
morganfainberg | samueldmq_, nice | 00:26 |
atiwari | morganfainberg, thanks I will test that option | 00:26 |
samueldmq_ | :-) | 00:26 |
atiwari | thanks | 00:26 |
*** samueldmq has quit IRC | 00:28 | |
*** samueldmq_ is now known as samueldmq | 00:28 | |
openstackgerrit | lifeless proposed openstack/python-keystoneclient: Make non-import packages lazy https://review.openstack.org/164066 | 00:36 |
*** r-daneel has quit IRC | 00:37 | |
*** stevemar has joined #openstack-keystone | 00:43 | |
*** ChanServ sets mode: +v stevemar | 00:43 | |
samueldmq | bknudson, thanks for your review on #164026, replied your comments | 00:53 |
*** browne has quit IRC | 00:54 | |
bknudson | we shouldn't be using the admin token... admin token should be disabled anyways. | 00:55 |
bknudson | but, we can work on that l8r | 00:55 |
samueldmq | bknudson, yes I agree, we can address that in a followup patch, thanks | 00:58 |
ayoung | "I don't think domain scoped tokens have a future and there are a ton of potential security issues if they are used." david-lyle care to expound? nkinder you asked about this, too | 00:59 |
openstackgerrit | Lin Hua Cheng proposed openstack/keystone: Validate user exist when assigning roles in V2 https://review.openstack.org/93982 | 00:59 |
bknudson | somebody else was asking me about domain-scoped tokens in horizon before... they had some weird ideas about how they're planning to use them... | 00:59 |
bknudson | like keeping both a domain-scoped token and another token and using one for some stuff and one for other stuff. | 01:00 |
nkinder | you would have to use a domain-scoped token if you want to do things like create projects or define roles from the "Identity" section of Horizon | 01:00 |
nkinder | ...with the domain-aware policy that is | 01:01 |
bknudson | kind of implies that there's a "the domain-aware policy" | 01:01 |
bknudson | you can set up your policy any way you want to. | 01:01 |
nkinder | bknudson: well, there is one (policy.v3cloudsample) | 01:02 |
bknudson | horizon shouldn't be assuming use of policy.v3cloudsample or the sample policy.json. | 01:02 |
nkinder | correct, it needs to work with either | 01:02 |
bknudson | it also needs to work with whatever a deployer might setup | 01:02 |
nkinder | domain-scoped tokens exist, and policy.v3cloudsample is actually fairly sane for a deployment that uses domains | 01:02 |
nkinder | ...otherwise you can't delegate things down to various levels (cloud-admin, domain-admin, project-admin) | 01:03 |
samueldmq | also, we should have a way to list what API calls a given token can use ... so horizon could properly show its interface | 01:03 |
bknudson | I could set up my policy so that you can delegate using a project-scoped token, too. | 01:04 |
nkinder | samueldmq: yeah, that was a topic of discussion in Paris | 01:04 |
bknudson | if I didn't want to use domain-scoped token. | 01:04 |
nkinder | samueldmq: "what can I do?" | 01:04 |
samueldmq | nkinder, yep, listing capabilities | 01:04 |
samueldmq | nkinder, I'll look for a link on this discussion ("what can I do?") | 01:05 |
nkinder | samueldmq: there was ont on openstack-dev from last october or november IIRC | 01:05 |
nkinder | s/ont/one/ | 01:05 |
nkinder | bknudson: I see the same problem in Horizon with project-scoped tokens if you have some "admin" project that is used for cloud-admin tasks | 01:07 |
nkinder | bknudson: you have to select that scope to do cloud-admin tasks (just like you would if domains shows up in the drop-down of projects) | 01:07 |
nkinder | Horizon would need to know (or be told) what token to use | 01:07 |
bknudson | Horizon has the policy.json | 01:08 |
nkinder | bknudson: yes, it needs a copy of it | 01:08 |
bknudson | seems kind of wacky to just be getting tokens from my token just so I can click on some other button? | 01:09 |
bknudson | obviously I have authority it's just I've got the wrong token. | 01:09 |
nkinder | bknudson: there are all sorts of odd cases too. What if I'm granted admin on multiple domains? | 01:10 |
nkinder | just like with multiple projects, I'd have to make some sort of selection to say where I want to perform an action | 01:11 |
nkinder | These are all low-level details though. The question is, why would domain-scoped tokens be going away? | 01:12 |
bknudson | domains are going away | 01:12 |
nkinder | ...unless domains are just going to become top-level projects | 01:12 |
bknudson | right, a domain is a special type of project (doesn't have to be top-level) | 01:12 |
nkinder | yes, so we're talking about a name change really (at least from a usage standpoint) | 01:13 |
nkinder | call it a "domain" or a "top-level" project, but the usage of the tokens is the same. | 01:13 |
bknudson | y, it doesn't fix the issue. | 01:13 |
nkinder | The implementation in Keystone might be different (putting the-projects-formerly-known-as-domains in the projects table, etc.) | 01:13 |
bknudson | is that how they want Horizon to work? you can only do what your current scope allows? | 01:16 |
bknudson | or does it want you to be able to do anything that any scope you can get allows? | 01:16 |
bknudson | because they could get a token for every scope and then use one that'll work. | 01:17 |
nkinder | if I create an instance, how does Horizon know what project it is within? | 01:17 |
bknudson | good question. | 01:18 |
nkinder | or if I create a group (assume user management is in SQL, which "top-level project" does the group belong to? | 01:18 |
bknudson | it could put a dropdown in the dialog box. | 01:18 |
nkinder | that's what we have today | 01:18 |
nkinder | the projects list | 01:18 |
nkinder | oh, in the dialog | 01:19 |
nkinder | not the main page | 01:19 |
nkinder | I guess the same applies for listing instances | 01:19 |
nkinder | you need to select the project you want, and we have that at the top of the page | 01:19 |
bknudson | y, essentially give you a list of the projects where your token is allowed to create instances. | 01:19 |
nkinder | I sort of like the way it's done now | 01:19 |
nkinder | s/token/tokens/ though | 01:20 |
bknudson | y, me too... not sure what horizon wants to do though. | 01:20 |
bknudson | I was concerned when I was told horizon was going to keep a domain-scoped and a normal token and pick which one to use? | 01:20 |
bknudson | that seems like heading towards the keep all the tokens model. | 01:20 |
bknudson | if you were keeping the way it's done now you'd switch to a domain-scoped token and then you'd essentially only see keystone ops. | 01:21 |
bknudson | pick a domain | 01:21 |
ayoung | jamielennox, for Kerberos and X509, we can deduce the protocol from the environment. Same would be true of mapping, I think. | 01:23 |
jamielennox | ayoung: sure that would work | 01:24 |
ayoung | twould take a server side change, but... | 01:24 |
jamielennox | that would just require whatever the DOA plugin is | 01:24 |
jamielennox | to setup the plugin with those env vars | 01:24 |
ayoung | AuthType GSSAPI | 01:24 |
ayoung | jamielennox, nah, I meant on the Keystone side | 01:25 |
morganfainberg | ayoung, jamielennox, bknudson, review of https://review.openstack.org/#/c/159229/ would be greatly appreciated if you have a few minutes to spare | 01:25 |
ayoung | instead of explicitly setting protocol, the Apache module sets a config variable and then that gets translated pre-mapping... | 01:25 |
jamielennox | ayoung: how would it work on the keystone side? | 01:25 |
ayoung | it would even work for SAML etc...damnit, it how it is supposed to work | 01:25 |
morganfainberg | stevemar, ^ | 01:26 |
ayoung | let me think this through.... | 01:26 |
ayoung | jamielennox, http://www.freeipa.org/page/Environment_Variables | 01:26 |
ayoung | so we could select the protocol based on a first mapping: | 01:26 |
ayoung | If X509.... | 01:26 |
*** dims has quit IRC | 01:26 | |
jamielennox | doing SET_ENV is easy on the DOA side, and we can use that to autoset them - but we need this stuff when you create the plugin initially | 01:26 |
morganfainberg | henrynash, so i think the two BPs that need FFEs are going to be the domain sql, and reseller. i know you've worked a lot on the reseller stuff; would you be interested in sponsoring it? | 01:27 |
morganfainberg | henrynash, will bug you tomorrow at the meeting as well. | 01:27 |
jamielennox | ayoung: we wouldn't be sharing routes between x509 and kerb | 01:27 |
ayoung | No specific AUTH_TYPE is set | 01:27 |
henrynash | morganfainberg: yes, happy to sponsor it | 01:27 |
ayoung | jamielennox, yeah, we could always make it an apache config to set the variable | 01:27 |
ayoung | so always assume the protocol is in the AUTH_TYPE variable | 01:28 |
morganfainberg | henrynash, awesome. thanks. most of the code is good to go there afaict. so i see it as a good candidate for FFE | 01:28 |
ayoung | probably safer than letting the client specify it | 01:28 |
ayoung | question is, then, how to choose the mapping | 01:28 |
jamielennox | ayoung: whatever, that's just config settings | 01:28 |
henrynash | morganfainberg: and the domain-config is mainly in already…but we have some of the edge pieces outstanding | 01:28 |
morganfainberg | raildo, rodrigods, ^ (see) henrynash sponsoring reseller. will bug you guys tomorrow at the meeting to make it official / get the email to the ML setup. | 01:28 |
ayoung | jamielennox, if we do this right, we can drop the body of the auth request | 01:29 |
morganfainberg | henrynash, yeah thats why it needs the FFE, the edge stuff is just finalizing things, but i don't think they can / will land this week [tomorrow] | 01:29 |
jamielennox | ummm | 01:29 |
ayoung | which is where I wanted to go with this in the first place | 01:29 |
morganfainberg | henrynash, just makes it easier since it's a minor amount of extra work to get the bits done | 01:29 |
henrynash | morganfainberg: a couple more will, but not all | 01:29 |
morganfainberg | henrynash, less stress than rushing it in. | 01:29 |
morganfainberg | henrynash, exactly | 01:29 |
henrynash | morganfainberg: yep | 01:30 |
ayoung | jamielennox, it would be a decision tree. first level is the Protocol. Then based on the protocol, select the env var that specifies which mapping to choose | 01:30 |
morganfainberg | henrynash, so i want to let it finish up as FFE | 01:30 |
jamielennox | hmm, maybe - would have to think that through, but if there's no scoping data then there really isn't much else to post | 01:30 |
henrynash | morganfainberg: sounds good to me | 01:30 |
morganfainberg | henrynash, will confirm all this at the meeting tomorrow | 01:30 |
henrynash | ok | 01:30 |
ayoung | morganfainberg, damn it, why do we always try to do work that the web server should be doing for us? | 01:30 |
ayoung | Here we are two releases into Federation, and I just realized we don' | 01:31 |
ayoung | t need the damn request body | 01:31 |
morganfainberg | ayoung, because we had to support eventlet. | 01:31 |
morganfainberg | ayoung, history made us support that stuff | 01:31 |
ayoung | Not for Federation we didn't | 01:31 |
morganfainberg | ayoung, for everything we needed it. so federation inherited it | 01:31 |
ayoung | DIE DIE EVENTLET DIE! | 01:31 |
morganfainberg | in the m-release | 01:31 |
*** henrynash has quit IRC | 01:32 | |
morganfainberg | if i could do it faster i would...but it wouldn't be fair to single cycle that | 01:32 |
ayoung | OK...so now that we are on Apache, maybe we can start doing this: | 01:32 |
ayoung | if the server sets the Auth_Type variable, use that value to select the protocol instead of the value in the body of the message | 01:33 |
ayoung | Nah, we can multi-cycle it | 01:33 |
ayoung | I realize we are reshoeing our horse in the middle of the steeplechase here | 01:33 |
jamielennox | ayoung: the protocol is part of the URI, we can do that for DOA but not in general | 01:33 |
ayoung | But you agree that inferring the protocol and mapping is safer than letting the user specify either one, right? | 01:34 |
ayoung | jamie lennox, then why is it in the unscoped token request body? | 01:35 |
jamielennox | it's not | 01:35 |
jamielennox | that hack you did for kerberos is the only time i've seen protocol in the body | 01:36 |
ayoung | jamielennox, its been part of the spec from the get go: https://github.com/openstack-attic/identity-api/blob/master/v3/src/markdown/identity-api-v3-os-federation-ext.md#authenticating | 01:38 |
ayoung | ah...mapping is inferred, it is IDP I was thinking of | 01:39 |
jamielennox | ayoung: that's the returned token - it's not a part of the request | 01:39 |
ayoung | jamielennox, ah...I see, so what I was saying was how the Federated works...just that the identity provider is explicit. But it really does not need to be | 01:42 |
ayoung | we could just do | 01:42 |
ayoung | /OS-FEDERATION/protocols/{protocol}/auth | 01:43 |
ayoung | and deduce the IdP from the env vars | 01:43 |
ayoung | OK...so | 01:43 |
ayoung | for the next rev of this, we should do | 01:44 |
ayoung | when making Federation core API /auth/protocols/{protocol}/token | 01:44 |
jamielennox | ayoung: doesn't the saml apache modules validate the server? | 01:45 |
*** Akshik has joined #openstack-keystone | 01:45 | |
ayoung | it getter | 01:45 |
ayoung | better | 01:45 |
ayoung | Ah, but maybe we need different configs for different servers? | 01:46 |
jamielennox | as in if you didn't include idp in the URI then you couldn't authenticate multiple providers at the same url | 01:46 |
ayoung | right, I was thinking Kerberos | 01:46 |
ayoung | that says "go to this IdP" not "trust the assertion came from this IdP" as that comes from validating the assumption | 01:46 |
ayoung | Kerberos and X509 don't need that | 01:46 |
*** _cjones_ has joined #openstack-keystone | 01:47 | |
ayoung | OK...I've talked myself through the design....feeling a bit slow and dense at the moment | 01:47 |
*** _cjones_ has quit IRC | 01:48 | |
*** _cjones_ has joined #openstack-keystone | 01:48 | |
*** browne has joined #openstack-keystone | 01:51 | |
*** lhcheng has quit IRC | 01:51 | |
ayoung | jamielennox, OK, so let me think through how kerberos and x509 should work today. To get an unscoped token, I got to /OS-FEDERATION/identity_providers/younglogic/protocols/gssapi/auth . Send no data, get back an unscoped token, and... | 01:52 |
jamielennox | rescope token as per normal | 01:52 |
*** dims has joined #openstack-keystone | 01:54 | |
*** tqtran has quit IRC | 01:54 | |
david-lyle | bknudson I've closed the door on domain scoped tokens | 01:55 |
david-lyle | would prefer a common token | 01:55 |
david-lyle | for horizon that is | 01:55 |
bknudson | david-lyle: so HMT isn't going to work in horizon? | 01:56 |
bknudson | that's what it was being added for, right? | 01:56 |
david-lyle | was actually for domain admin | 01:56 |
david-lyle | so things like the v3 policy file would work | 01:56 |
bknudson | ah, so no domain admin. | 01:56 |
david-lyle | but that won't work anyway | 01:56 |
bknudson | kind of important. | 01:57 |
openstackgerrit | Rodrigo Duarte proposed openstack/keystone: Fix nullable constraints in service provider table https://review.openstack.org/164189 | 01:57 |
rodrigods | stevemar, ^ removed some unused vars and fixed a possible issue in the tests | 01:58 |
*** _cjones_ has quit IRC | 01:58 | |
david-lyle | hoping with HMT keystone moves to a single token type | 01:58 |
rodrigods | david-lyle, bknudson dual scoped tokens are in the plan for L (after Reseller base code is ready) | 01:58 |
david-lyle | maybe false hope | 01:58 |
bknudson | we already have unscoped and project-scoped | 01:59 |
david-lyle | bknudson: true, but the admin role on the domain scoped token creates issues | 01:59 |
bknudson | a domain-scoped token can definitely have admin role. | 02:00 |
bknudson | I guess the way I thought it would work is if you pick a domain scope then you only see keystone operations. | 02:01 |
ayoung | david-lyle, what was the reason for saying there were security issues? | 02:01 |
*** ajayaa has joined #openstack-keystone | 02:02 | |
david-lyle | ayoung: I need to revalidate | 02:02 |
*** dims has quit IRC | 02:03 | |
david-lyle | let me validate and document, I may be incorrect | 02:03 |
*** zzzeek has quit IRC | 02:09 | |
david-lyle | My general feeling is something like domain admin will not be supported outside of keystone, which limits its usefulness, my hope is that if the basic construct is a project, the other services will at least acknowledge their existence, which makes my life easier | 02:12 |
* david-lyle goes back to dad mode for a bit | 02:14 | |
*** Akshik has quit IRC | 02:21 | |
*** erkules_ has joined #openstack-keystone | 02:22 | |
*** sigmavirus24_awa is now known as sigmavirus24 | 02:24 | |
*** erkules has quit IRC | 02:25 | |
*** richm has quit IRC | 02:26 | |
stevemar | david-lyle, btw thai's patches should be ready for review now | 02:28 |
stevemar | oops, missed the dad mode message | 02:28 |
*** iamjarvo has joined #openstack-keystone | 02:37 | |
*** krtaylor has quit IRC | 02:38 | |
*** ajayaa has quit IRC | 02:43 | |
*** krtaylor has joined #openstack-keystone | 02:50 | |
*** gokrokve has quit IRC | 02:56 | |
*** gokrokve has joined #openstack-keystone | 02:57 | |
*** gokrokve has quit IRC | 02:57 | |
*** dims has joined #openstack-keystone | 03:04 | |
*** dims has quit IRC | 03:11 | |
*** boris-42 has quit IRC | 03:12 | |
*** harlowja is now known as harlowja_away | 03:15 | |
*** ajayaa has joined #openstack-keystone | 03:17 | |
*** zzzeek has joined #openstack-keystone | 03:22 | |
*** zzzeek has quit IRC | 03:22 | |
dstanek | lbragstad: dolphm: did you guys get the keystone-deploy errors figured out? | 03:25 |
*** ajayaa has quit IRC | 03:25 | |
*** gokrokve has joined #openstack-keystone | 03:25 | |
*** gokrokve has quit IRC | 03:27 | |
*** sluo_wfh is now known as sluo_laptop | 03:28 | |
*** markvoelker has quit IRC | 03:29 | |
*** ajayaa has joined #openstack-keystone | 03:29 | |
*** gokrokve has joined #openstack-keystone | 03:31 | |
*** ccard__ has joined #openstack-keystone | 03:31 | |
*** ccard_ has quit IRC | 03:35 | |
*** david-lyle is now known as david-lyle_afk | 03:35 | |
*** rushiagr_away is now known as rushiagr | 03:39 | |
*** mitz has quit IRC | 03:40 | |
*** ncoghlan has joined #openstack-keystone | 03:55 | |
*** rushiagr is now known as rushiagr_away | 04:00 | |
*** lhcheng has joined #openstack-keystone | 04:03 | |
*** _cjones_ has joined #openstack-keystone | 04:04 | |
openstackgerrit | Lin Hua Cheng proposed openstack/keystone: Remove parent_id in v2 token response https://review.openstack.org/156867 | 04:04 |
*** _cjones_ has quit IRC | 04:04 | |
*** _cjones_ has joined #openstack-keystone | 04:05 | |
*** iamjarvo has quit IRC | 04:17 | |
*** drjones has joined #openstack-keystone | 04:19 | |
*** _cjones_ has quit IRC | 04:21 | |
*** stevemar has quit IRC | 04:22 | |
*** stevemar has joined #openstack-keystone | 04:23 | |
*** ChanServ sets mode: +v stevemar | 04:23 | |
*** sigmavirus24 is now known as sigmavirus24_awa | 04:24 | |
openstackgerrit | Merged openstack/keystone: Create a fixture for key repository https://review.openstack.org/164817 | 04:28 |
*** ajayaa has quit IRC | 04:31 | |
*** ayoung has quit IRC | 04:32 | |
*** mitz has joined #openstack-keystone | 04:34 | |
*** rushiagr_away is now known as rushiagr | 04:39 | |
*** ajayaa has joined #openstack-keystone | 04:50 | |
*** drjones has quit IRC | 05:05 | |
*** _cjones_ has joined #openstack-keystone | 05:05 | |
openstackgerrit | wanghong proposed openstack/keystone: add timestamp to project and role https://review.openstack.org/154370 | 05:14 |
*** ParsectiX has quit IRC | 05:14 | |
*** ParsectiX has joined #openstack-keystone | 05:15 | |
*** gokrokve_ has joined #openstack-keystone | 05:15 | |
*** gokrokve has quit IRC | 05:18 | |
*** gokrokve_ has quit IRC | 05:19 | |
*** ParsectiX has quit IRC | 05:19 | |
*** ParsectiX has joined #openstack-keystone | 05:20 | |
*** rushiagr is now known as rushiagr_away | 05:51 | |
*** ishant|2 has joined #openstack-keystone | 05:53 | |
*** ishant|2 has quit IRC | 05:54 | |
*** ishant has joined #openstack-keystone | 05:54 | |
*** drjones has joined #openstack-keystone | 05:56 | |
*** _cjones_ has quit IRC | 05:57 | |
*** lhcheng has quit IRC | 06:14 | |
*** lhcheng has joined #openstack-keystone | 06:25 | |
*** lhcheng has quit IRC | 06:26 | |
*** lhcheng has joined #openstack-keystone | 06:26 | |
*** drjones has quit IRC | 06:28 | |
*** lhcheng has quit IRC | 06:29 | |
openstackgerrit | OpenStack Proposal Bot proposed openstack/keystone: Imported Translations from Transifex https://review.openstack.org/164958 | 06:34 |
*** gokrokve has joined #openstack-keystone | 06:41 | |
*** stevemar has quit IRC | 06:44 | |
*** ajayaa has quit IRC | 06:46 | |
*** ajayaa has joined #openstack-keystone | 06:46 | |
*** browne has quit IRC | 06:52 | |
*** gokrokve has quit IRC | 07:02 | |
*** gokrokve has joined #openstack-keystone | 07:02 | |
*** markvoelker has joined #openstack-keystone | 07:04 | |
*** pnavarro has joined #openstack-keystone | 07:05 | |
*** gokrokve has quit IRC | 07:07 | |
*** markvoelker has quit IRC | 07:08 | |
*** ParsectiX has quit IRC | 07:19 | |
*** afazekas has joined #openstack-keystone | 07:25 | |
*** lhcheng has joined #openstack-keystone | 07:29 | |
*** lhcheng has quit IRC | 07:34 | |
*** ParsectiX has joined #openstack-keystone | 07:36 | |
*** ajayaa has quit IRC | 07:46 | |
*** erkules_ is now known as erkuls | 08:04 | |
*** markvoelker has joined #openstack-keystone | 08:05 | |
*** erkuls is now known as erkules | 08:05 | |
*** erkules has quit IRC | 08:05 | |
*** erkules has joined #openstack-keystone | 08:05 | |
*** markvoelker has quit IRC | 08:10 | |
*** ajayaa has joined #openstack-keystone | 08:28 | |
*** lhcheng has joined #openstack-keystone | 08:31 | |
*** lhcheng has quit IRC | 08:35 | |
*** dims has joined #openstack-keystone | 08:42 | |
*** ncoghlan has quit IRC | 08:43 | |
*** nkinder has quit IRC | 08:47 | |
*** dims has quit IRC | 08:48 | |
*** henrynash has joined #openstack-keystone | 08:54 | |
*** ChanServ sets mode: +v henrynash | 08:54 | |
*** nkinder has joined #openstack-keystone | 08:54 | |
*** boris-42 has joined #openstack-keystone | 08:59 | |
*** ajayaa has quit IRC | 09:01 | |
*** ajayaa has joined #openstack-keystone | 09:03 | |
*** jistr has joined #openstack-keystone | 09:04 | |
*** markvoelker has joined #openstack-keystone | 09:06 | |
*** markvoelker has quit IRC | 09:11 | |
openstackgerrit | henry-nash proposed openstack/keystone: Enable sensitive substitutions into whitelisted domain configs https://review.openstack.org/159928 | 09:17 |
*** samueldmq has quit IRC | 09:20 | |
*** angular_mike has joined #openstack-keystone | 09:30 | |
*** krykowski has joined #openstack-keystone | 09:32 | |
*** rushiagr_away is now known as rushiagr | 09:39 | |
*** samueldmq has joined #openstack-keystone | 09:40 | |
*** dims has joined #openstack-keystone | 09:50 | |
openstackgerrit | wanghong proposed openstack/keystone: add timestamp to project and role https://review.openstack.org/154370 | 09:53 |
*** samueldmq has quit IRC | 10:04 | |
*** markvoelker has joined #openstack-keystone | 10:07 | |
*** markvoelker has quit IRC | 10:12 | |
openstackgerrit | Merged openstack/keystone: Imported Translations from Transifex https://review.openstack.org/164958 | 10:13 |
openstackgerrit | Marek Denis proposed openstack/keystone: Distinguish between unset and empty black and white lists https://review.openstack.org/164798 | 10:16 |
openstackgerrit | Marek Denis proposed openstack/keystone: Distinguish between unset and empty black and white lists https://review.openstack.org/164798 | 10:21 |
openstackgerrit | henry-nash proposed openstack/keystone: Support upload domain config files to database https://review.openstack.org/160364 | 10:24 |
*** henrynash has quit IRC | 10:25 | |
*** samueldmq has joined #openstack-keystone | 10:28 | |
*** ajayaa has quit IRC | 10:51 | |
*** rushiagr is now known as rushiagr_away | 10:56 | |
*** rushiagr_away is now known as rushiagr | 10:57 | |
openstackgerrit | Marek Denis proposed openstack/keystone: IdP ID registration and validation https://review.openstack.org/152156 | 10:57 |
*** Bsony has joined #openstack-keystone | 11:00 | |
*** Bsony has quit IRC | 11:00 | |
*** Bsony has joined #openstack-keystone | 11:01 | |
*** markvoelker has joined #openstack-keystone | 11:08 | |
*** krykowski has quit IRC | 11:08 | |
openstackgerrit | Marek Denis proposed openstack/python-keystoneclient: Clean arguments in test_federation.*.test_create() https://review.openstack.org/164605 | 11:09 |
*** markvoelker has quit IRC | 11:14 | |
*** krykowski has joined #openstack-keystone | 11:17 | |
*** pnavarro has quit IRC | 11:37 | |
*** markvoelker has joined #openstack-keystone | 11:38 | |
openstackgerrit | Samuel de Medeiros Queiroz proposed openstack/keystone: Add in further token validation in v3_auth tests https://review.openstack.org/164026 | 11:56 |
*** rushiagr is now known as rushiagr_away | 12:04 | |
*** ajayaa has joined #openstack-keystone | 12:05 | |
*** stevemar has joined #openstack-keystone | 12:05 | |
*** ChanServ sets mode: +v stevemar | 12:05 | |
*** lhcheng has joined #openstack-keystone | 12:08 | |
openstackgerrit | Marco Fargetta proposed openstack/keystone: IdP ID registration and validation https://review.openstack.org/152156 | 12:09 |
*** lhcheng has quit IRC | 12:12 | |
*** htruta has joined #openstack-keystone | 12:13 | |
*** radez_g0n3 is now known as radez | 12:13 | |
*** dims has quit IRC | 12:16 | |
*** dims has joined #openstack-keystone | 12:17 | |
*** ljfisher has joined #openstack-keystone | 12:19 | |
*** ljfisher has quit IRC | 12:22 | |
*** henrynash has joined #openstack-keystone | 12:22 | |
*** ChanServ sets mode: +v henrynash | 12:22 | |
*** angular_mike has quit IRC | 12:23 | |
*** jistr is now known as jistr|class | 12:26 | |
openstackgerrit | henry-nash proposed openstack/keystone: Enable sensitive substitutions into whitelisted domain configs https://review.openstack.org/159928 | 12:28 |
raildo | henrynash, morning :) i see the message, you will sponsor the reseller implementation, thanks a lot :) | 12:29 |
henrynash | raildo: yw | 12:29 |
openstackgerrit | Rodrigo Duarte proposed openstack/keystone: Add domain_id checking in create_project https://review.openstack.org/159944 | 12:32 |
openstackgerrit | Rodrigo Duarte proposed openstack/keystone: Add is_domain field in Project Table https://review.openstack.org/157427 | 12:32 |
openstackgerrit | Rodrigo Duarte proposed openstack/keystone: Honor domain operations in project table https://review.openstack.org/143763 | 12:32 |
openstackgerrit | Rodrigo Duarte proposed openstack/keystone: Restrict inherited role assignments to subdomains https://review.openstack.org/164180 | 12:32 |
openstackgerrit | Rodrigo Duarte proposed openstack/keystone: Change project name constraint https://review.openstack.org/158372 | 12:32 |
*** gordc has joined #openstack-keystone | 12:39 | |
*** rushiagr_away is now known as rushiagr | 12:49 | |
openstackgerrit | Telles Mota Vidal Nóbrega proposed openstack/keystone: Creating domain and filtering by parent_id https://review.openstack.org/161378 | 12:50 |
openstackgerrit | Telles Mota Vidal Nóbrega proposed openstack/keystone: List projects filtering by is_domain flag https://review.openstack.org/158398 | 12:50 |
*** bknudson has quit IRC | 12:57 | |
*** obutenko_ has quit IRC | 12:58 | |
*** obutenko has quit IRC | 12:58 | |
*** bknudson has joined #openstack-keystone | 13:01 | |
*** ChanServ sets mode: +v bknudson | 13:01 | |
*** bknudson has left #openstack-keystone | 13:02 | |
*** bknudson has joined #openstack-keystone | 13:02 | |
*** ChanServ sets mode: +v bknudson | 13:02 | |
*** vhoward has joined #openstack-keystone | 13:18 | |
rodrigods | marekd, what do you think should be error raised if we try to create an assertion and sp hasn't sp_url or auth_url? | 13:19 |
marekd | rodrigods: ValidationError maybe? | 13:20 |
rodrigods | marekd, hmm sounds good | 13:20 |
marekd | breton: re: https://review.openstack.org/#/c/164798/5 "Overall patch is needed." <- what does it mean? | 13:21 |
*** ayoung has joined #openstack-keystone | 13:23 | |
*** ChanServ sets mode: +v ayoung | 13:23 | |
*** richm has joined #openstack-keystone | 13:24 | |
rodrigods | marekd, ValidationError is client side error :( | 13:26 |
openstackgerrit | henry-nash proposed openstack/keystone: Move backend LDAP role testing to the new backend testing module https://review.openstack.org/156830 | 13:26 |
openstackgerrit | Brant Knudson proposed openstack/python-keystoneclient: Make non-import packages lazy https://review.openstack.org/164066 | 13:28 |
marekd | rodrigods: ok, so imho it qualifies for HTTP 500 error (internal server error), i.e UnexpectedError, line 354 from exception.py | 13:28 |
marekd | rodrigods: what do you think? | 13:29 |
rodrigods | marekd, yeah, makes sense to me | 13:29 |
rodrigods | marekd, let me check how to provide a custom message to it | 13:29 |
marekd | probably in the constructor. | 13:29 |
rodrigods | marekd, UnexpectedError(exception=msg) | 13:30 |
rodrigods | :) | 13:30 |
marekd | yeah | 13:30 |
openstackgerrit | henry-nash proposed openstack/keystone: Refactor code supporting status in JSON Home https://review.openstack.org/165075 | 13:48 |
stevemar | marekd, o/ | 13:48 |
*** zzzeek has joined #openstack-keystone | 13:50 | |
stevemar | bknudson, apparently i can't keep track of what we test against in ksc, i thought we dropped py26 support | 13:55 |
stevemar | but the gate says otherwise | 13:55 |
bknudson | stevemar: it's just the libraries that have to maintain py26... same in oslo | 13:55 |
stevemar | bknudson, do you know why that is? | 13:55 |
bknudson | the libraries run in less-constrained environments. | 13:56 |
bknudson | the servers obviously run on the cloud servers where you have lots of control | 13:56 |
*** samueldmq is now known as samueldmq-away | 13:56 | |
bknudson | whereas the libraries are on the client systems and we want them to be able to run everywhere | 13:56 |
stevemar | fair enough i suppose | 13:56 |
bknudson | although, since we'll have stable branches for the libraries maybe that can be dropped. | 13:57 |
*** gokrokve has joined #openstack-keystone | 14:01 | |
ayoung | marekd, can you look at https://review.openstack.org/#/c/162788/ as morganfainberg specifically wanted your eyes on it. | 14:01 |
*** iamjarvo has joined #openstack-keystone | 14:02 | |
openstackgerrit | Rodrigo Duarte proposed openstack/keystone: Fix nullable constraints in service provider table https://review.openstack.org/164189 | 14:02 |
openstackgerrit | Rodrigo Duarte proposed openstack/keystone: Assert sp attributes during assertion generation https://review.openstack.org/165079 | 14:02 |
rodrigods | marekd, stevemar, ^ had to update the commit message from the db migration patch to not close the bug (the follow up change has the Closes-Bug now) | 14:03 |
*** lsmola has quit IRC | 14:03 | |
*** r-daneel has joined #openstack-keystone | 14:03 | |
*** lsmola has joined #openstack-keystone | 14:05 | |
*** jistr|class is now known as jistr | 14:05 | |
*** lsmola has quit IRC | 14:06 | |
*** lsmola has joined #openstack-keystone | 14:06 | |
*** sigmavirus24_awa is now known as sigmavirus24 | 14:07 | |
*** lsmola has quit IRC | 14:10 | |
*** lsmola has joined #openstack-keystone | 14:10 | |
breton | marekd: that -1 is only because of the comments and that I like the patch :) | 14:11 |
openstackgerrit | henry-nash proposed openstack/keystone: Refactor code supporting status in JSON Home https://review.openstack.org/165075 | 14:14 |
*** ishant has quit IRC | 14:15 | |
*** samueldmq has joined #openstack-keystone | 14:17 | |
*** mattfarina has joined #openstack-keystone | 14:18 | |
lbragstad | dstanek: not yet, | 14:27 |
lbragstad | dstanek: I'm still digging into it, I have a feeling it might be something with AuthProtocol, or caching | 14:27 |
*** topol has joined #openstack-keystone | 14:29 | |
*** ChanServ sets mode: +v topol | 14:29 | |
*** nellysmitt has joined #openstack-keystone | 14:29 | |
*** timcline has joined #openstack-keystone | 14:31 | |
*** jorge_munoz1 has joined #openstack-keystone | 14:36 | |
*** radez has left #openstack-keystone | 14:38 | |
*** ajayaa has quit IRC | 14:39 | |
*** amakarov_away is now known as amakarov | 14:42 | |
*** gokrokve_ has joined #openstack-keystone | 14:44 | |
*** gokrokve has quit IRC | 14:45 | |
*** browne has joined #openstack-keystone | 14:46 | |
*** samueldmq has quit IRC | 14:48 | |
lbragstad | dstanek: fyi, it should be recreate-able with https://github.com/dolph/keystone-deploy/commit/caa515f689392701c49db47222b20592049b72f3 | 14:51 |
stevemar | marekd, another marek https://review.openstack.org/#/c/165090/ | 14:52 |
*** gokrokve_ has quit IRC | 14:53 | |
lbragstad | dolphm: fyi, I'm able to grab tokens from keystone and validate them against keystone just fine. Digging more into middleware | 14:56 |
*** gokrokve has joined #openstack-keystone | 14:56 | |
*** david-lyle_afk is now known as david-lyle | 14:57 | |
*** ParsectiX has quit IRC | 15:07 | |
dolphm | lbragstad: me too | 15:08 |
marekd | ayoung: i added the comment | 15:12 |
marekd | and didn't want to explicitly -1 it. | 15:13 |
* marekd is logging out for 80-90 minutes :-) | 15:14 | |
*** browne has quit IRC | 15:14 | |
breton | folks, I don't quite get from the code: does the current fernet implementation encrypt the token? | 15:28 |
breton | is there a blogpost or a spec with followup about current implementation? | 15:28 |
dolphm | breton: the tokens themselves are encoded per this spec: https://github.com/fernet/spec | 15:29 |
dolphm | breton: identity and authorization attributes are both encrypted via AES-CBC with a 128-bit key | 15:30 |
dolphm | breton: all the encryption work is outside of keystone's scope | 15:30 |
dstanek | stevemar: marekd: do you guys really think having the ABFAB docs is OK if nobody has done or can verify anything? | 15:37 |
dolphm | dstanek: ? | 15:37 |
*** lhcheng has joined #openstack-keystone | 15:39 | |
dstanek | dolphm: just sent you a few emails - Chadwick sent email offlist | 15:39 |
dolphm | lbragstad: i added another test btw; it's not that more are failing https://travis-ci.org/dolph/keystone-deploy/builds/54734386 | 15:39 |
dolphm | dstanek: ack | 15:40 |
*** _cjones_ has joined #openstack-keystone | 15:42 | |
dolphm | dstanek: i agree with you, but i'd be willing to merge it if A) someone else tries out the docs and ensures that they work, B) there's sufficient interest in the use case for keystone-core to maintain the documentation moving forward | 15:44 |
dolphm | dstanek: i'll comment as much on the review though | 15:44 |
dstanek | dolphm: i asked on the review about trying it out, but i haven't had time to actually do it and i don't want to use their setup | 15:45 |
breton | dolphm: great, thanks | 15:48 |
bknudson | dstanek: I also don't think we want to carry this documentation... it's just going to get out of date. | 15:50 |
openstackgerrit | Rodrigo Duarte proposed openstack/keystone: Assert sp attributes during assertion generation https://review.openstack.org/165079 | 15:51 |
dstanek | bknudson: if we can't easily support it or we don't want to then i totally agree. we could link to it if it were published somewhere | 15:52 |
dolphm | dstanek: yeah, i'd like to do it myself as well, but definitely won't have time in the near future | 15:52 |
bknudson | dstanek: I like that idea... they can document it themselves and we put a link up. | 15:52 |
dolphm | dstanek: that'd be a weird precedent - linking to blog posts and whatnot in official docs? lol | 15:52 |
dolphm | dstanek: i'd be in favor of it living in the wiki | 15:52 |
dolphm | that way support is best effort by the community, rather than gated by keystone-core | 15:53 |
bknudson | all our docs can just be links to blogs. | 15:53 |
dolphm | bknudson: google* | 15:53 |
bknudson | let me google that for you | 15:53 |
dolphm | bknudson: was just about to say that | 15:53 |
bknudson | he he | 15:54 |
dolphm | http://lmgtfy.com/?q=OpenStack+Keystone+{your search term here} | 15:54 |
*** ajayaa has joined #openstack-keystone | 15:54 | |
dstanek | :-) | 15:55 |
dolphm | we have so many docs on federation already it's fantastic https://www.google.com/search?btnG=1&pws=0&q=OpenStack+Keystone+federation&gws_rd=ssl | 15:55 |
dolphm | 13,600 docs | 15:55 |
dolphm | lbragstad: any revelations? | 15:56 |
lbragstad | dolphm: I'm getting meeting'd | 15:56 |
*** iamjarvo has quit IRC | 16:05 | |
openstackgerrit | henry-nash proposed openstack/keystone: Refactor code supporting status in JSON Home https://review.openstack.org/165075 | 16:05 |
stevemar | dstanek, i really don't mind them existing in our docs | 16:08 |
*** samueldmq-away is now known as samueldmq | 16:14 | |
stevemar | dstanek, dolphm why not a disclaimer indicating that the support is best-effort | 16:18 |
dolphm | stevemar: that doesn't avoid the issue of those docs being owned by keystone-core | 16:19 |
dolphm | stevemar: and i'd argue that if it's owned by keystone-core, it's either fully supported or it's not. there's no room for best effort | 16:20 |
openstackgerrit | Raildo Mascena de Sousa Filho proposed openstack/keystone: WIP: Bye bye domain table https://review.openstack.org/161854 | 16:21 |
stevemar | dolphm, i feel like we're telling chadwick and his team that abfab will never be supported | 16:21 |
dolphm | stevemar: but the bigger question i left in the review comments is whether anyone is ever going to use those docs | 16:21 |
dolphm | stevemar: because no one else is interested, afaik | 16:21 |
stevemar | probably not | 16:21 |
dolphm | stevemar: so then as long as no one is interested, there's no reason to hoist their support effort onto keystone-core | 16:22 |
stevemar | dolphm, so, the docs never get merged, the bp never gets marked as completed, and can't for $reasons_above | 16:23 |
stevemar | sounds like bad karma | 16:23 |
dolphm | stevemar: what is the bp? | 16:23 |
stevemar | https://blueprints.launchpad.net/keystone/+spec/abfab | 16:23 |
stevemar | dolphm, ^ | 16:24 |
dolphm | oh, there's even a spec | 16:24 |
dstanek | stevemar: hey they already have this documented on the wiki - if they just submit a patch to point the docs to it they'd be all set | 16:25 |
dolphm | stevemar: my concern still stands - no one appears to be collaborating on the spec as a stakeholder. are there ANY other stakeholders? | 16:25 |
dolphm | morganfainberg: ^ | 16:26 |
dolphm | we should add stakeholders to specs | 16:27 |
dolphm | as a list of contacts | 16:27 |
*** sigmavirus24 is now known as sigmavirus24_awa | 16:31 | |
*** packet has joined #openstack-keystone | 16:33 | |
*** Bsony has quit IRC | 16:33 | |
morganfainberg | Not a bad idea | 16:35 |
morganfainberg | dolphm: | 16:35 |
dolphm | morganfainberg: is there more than one stakeholder for ABFAB? | 16:36 |
breton | folks, I'm reading sources now and have a question. Is there any reason why we fetch token ref in AuthContextMiddleware but don't store it in request? It could be heavily reused in https://github.com/openstack/keystone/blob/master/keystone/common/controller.py#L677 for example | 16:36 |
morganfainberg | dolphm: not sure. | 16:36 |
morganfainberg | Can't brain, has no coffee yet. | 16:37 |
dolphm | breton: agree - i was hoping that was the direction that AuthContextMiddleware was going when it was introduced, but it stalled | 16:37 |
dolphm | breton: all it really accomplished was providing a venue for eliminating redundancy, and then i think just introduced more redundancy instead | 16:38 |
dolphm | a refactor would be suuuuuper appreciated | 16:38 |
*** browne has joined #openstack-keystone | 16:40 | |
breton | will it land in kilo if it appears in, say, a week? | 16:40 |
*** gordc has quit IRC | 16:48 | |
*** harlowja_away is now known as harlowja | 16:49 | |
*** Swanson has joined #openstack-keystone | 16:51 | |
dolphm | breton: no, feature freeze is basically tomorrow | 16:52 |
dolphm | breton: refactors blur the lines though - if it's addressing an actual issue you're experiencing beyond performance, it could land later | 16:53 |
dolphm | breton: start by filing a bug! | 16:53 |
*** tqtran has joined #openstack-keystone | 16:53 | |
*** gordc has joined #openstack-keystone | 16:58 | |
lbragstad | anyone else get this when running middleware locally? http://cdn.pasteraw.com/ozla7dsw8521wwai9ghyy5cniq6ddm2 | 17:00 |
lbragstad | as referenced by the documentation? | 17:01 |
morganfainberg | breton: let's say that refactor should target liberty. | 17:01 |
lbragstad | https://github.com/openstack/keystonemiddleware/blob/master/keystonemiddleware/auth_token/__init__.py#L38 | 17:01 |
*** vhoward has left #openstack-keystone | 17:01 | |
morganfainberg | dolphm: ^^ | 17:01 |
morganfainberg | lbragstad: I've never tried to run __main__ of ksm. | 17:02 |
*** roxanag_ has joined #openstack-keystone | 17:02 | |
morganfainberg | lbragstad: that might have been broken in the module split up. | 17:03 |
*** Bsony has joined #openstack-keystone | 17:03 | |
*** _cjones_ has quit IRC | 17:05 | |
*** amerine has joined #openstack-keystone | 17:06 | |
*** _cjones_ has joined #openstack-keystone | 17:11 | |
*** _cjones_ has quit IRC | 17:12 | |
*** jistr has quit IRC | 17:14 | |
*** _cjones_ has joined #openstack-keystone | 17:15 | |
marekd | dstanek: well, they claim they tested it, so to some extent i might trust that it works....however if you feel that people more 'coupled' with Keystone team should look after it so..i personally have no interest in supporting ABFAB | 17:16 |
openstackgerrit | OpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements https://review.openstack.org/162350 | 17:18 |
dstanek | marekd: i think that having it in tree implies that we support it to some extent | 17:24 |
*** jbonjean has quit IRC | 17:26 | |
marekd | dstanek: maybe you are right. | 17:27 |
*** gokrokve has quit IRC | 17:28 | |
*** sigmavirus24_awa is now known as sigmavirus24 | 17:28 | |
ayoung | marekd, what previous patch do you refer to in your "ignore groups" review? | 17:30 |
ayoung | [federation] strict_group_mapping = {True,False} | 17:31 |
ayoung | ? | 17:31 |
*** packet has quit IRC | 17:33 | |
marekd | ayoung: yes. | 17:33 |
ayoung | marekd, so, not as a config option, but rather as something tagged on the mapping itself, sure | 17:33 |
ayoung | marekd, I would say that for the lists and matching, the assertions can change without Keystone being aware of it, and in that case, being strict will break something that worked before | 17:34 |
marekd | ayoung: is it ok if we merge what you proposed now, and we simply add another keyword in L ? | 17:35 |
ayoung | so we need to be forgiving. If the user does an explicit match, it will work. It's just the blacklist that really gets broken, or regex | 17:35 |
ayoung | marekd, I think so | 17:35 |
ayoung | Since blacklist is just merged, it is not in heavy usage... | 17:35 |
marekd | ayoung: i don't want to have a headache with 'backwards compatibility' just because we already merged something and now there is whole bunch of workarounds and deprecation warnings. | 17:35 |
ayoung | we are not going to be breaking production deployments | 17:35 |
marekd | ok, so we can extend this functionality in L | 17:36 |
ayoung | marekd, we are not opening up a security hole here. By dropping groups, we are not making use of that information. | 17:36 |
ayoung | marekd, and you see why I think it should be at the mapping level, not config for server? | 17:37 |
marekd | ayoung: true. | 17:37 |
marekd | ayoung: better flexibility for admins | 17:37 |
ayoung | yeah, the admin does have to go all one or the other | 17:37 |
*** jaosorior has joined #openstack-keystone | 17:42 | |
*** afazekas has quit IRC | 17:43 | |
*** Ephur has joined #openstack-keystone | 17:44 | |
morganfainberg | dstanek, mind updating: https://review.openstack.org/#/c/163172/4/keystone/tests/unit/test_v3_federation.py to have a real comment. i'd like to see that gate today if we want to keep the test. | 17:45 |
morganfainberg | lbragstad, jorge_munoz, dolphm, https://review.openstack.org/#/c/159229/ and https://review.openstack.org/#/c/164348/ - we need to focus on these today so we can get them gating. this is really important for fernet tokens. see my comment on the 2nd one to keep the scope really really narrow | 17:47 |
dstanek | morganfainberg: sure. i can jump on that in a few minutes | 17:48 |
*** ChanServ changes topic to "High Priority Reviews: https://gist.github.com/dolph/651c6a1748f69637abd0 | Review the last two fernet token patches so they can gate today. | Kilo3 this week." | 17:49 | |
morganfainberg | dstanek, i figure that is an easy one since it's just fix name/comment of the test as needed. | 17:49 |
*** davechen_ has joined #openstack-keystone | 17:55 | |
*** csoukup has joined #openstack-keystone | 17:55 | |
*** gyee has joined #openstack-keystone | 17:55 | |
*** ChanServ sets mode: +v gyee | 17:55 | |
dstanek | morganfainberg: what's a good name? s/_hack/_multiples/? | 17:56 |
*** jbonjean has joined #openstack-keystone | 17:57 | |
morganfainberg | dstanek, i think that works for me | 17:57 |
morganfainberg | dstanek, yeah. | 17:57 |
marekd | bknudson: dstanek morganfainberg: https://review.openstack.org/#/c/152156/ <--- do you mind taking a look (again) also on that one? I hope I addressed your comments, Marco also added some fixes here and there. | 17:58 |
bknudson | marekd: will add it to my list... I'm going to focus on the release-blocking reviews first, though. | 18:00 |
marekd | bknudson: ok | 18:00 |
morganfainberg | psssst meeting time. | 18:01 |
*** gokrokve has joined #openstack-keystone | 18:02 | |
*** aix has quit IRC | 18:06 | |
dstanek | morganfainberg: stevemar: does this make sense to you guys? | 18:06 |
dstanek | http://paste.openstack.org/show/192951/ | 18:06 |
stevemar | dstanek, thought that was in context of a meeting, gimmie a sec | 18:07 |
jorge_munoz1 | morganfainberg: Yes, addressing all of the comments on patch now. https://review.openstack.org/#/c/159229/. | 18:07 |
stevemar | dstanek, yeah, i'm okay with that | 18:07 |
openstackgerrit | David Stanek proposed openstack/keystone: Adds test for federation mapping list order issues https://review.openstack.org/163172 | 18:08 |
*** krykowski has quit IRC | 18:09 | |
openstackgerrit | Lance Bragstad proposed openstack/keystonemiddleware: Fix auth_token inline documentation. https://review.openstack.org/165171 | 18:16 |
*** ajayaa has quit IRC | 18:33 | |
*** gokrokve has quit IRC | 18:38 | |
*** packet has joined #openstack-keystone | 18:39 | |
openstackgerrit | Eric Brown proposed openstack/keystone: Replace exec calls with cryptography library https://review.openstack.org/163088 | 18:49 |
*** lsmola has quit IRC | 18:52 | |
*** gokrokve has joined #openstack-keystone | 18:53 | |
ayoung | browne, agreed: should not be in server, though, but in client | 18:53 |
ayoung | server code goes to certmonger, as it does cert lifecycle management | 18:54 |
browne | ayoung: sure, given the amount of work to port some of the other commands in openssl.py, I don't think it's worth the investment. I'll take more of a look at the keystoneclient | 18:56 |
ayoung | browne, so the code we really need to fix is here: http://git.openstack.org/cgit/openstack/python-keystoneclient/tree/keystoneclient/common/cms.py#n150 | 18:56 |
browne | exactly | 18:56 |
browne | that's where the open file handles problem i was seeing | 18:56 |
ayoung | browne, does cryptography.py have full support for CMS now? There is ASN1 encoding involved | 18:57 |
browne | ayoung: technically it has bindings to all of openssl, but lacks convenience functions for things such as CMS. that's why it's a lot more work. | 18:58 |
ayoung | right | 18:58 |
*** gordc has quit IRC | 18:58 | |
ayoung | browne, we need message signing for OpenStack in general | 18:58 |
ayoung | Keystone is just the start, but we have no way of doing secure pub sub in general without PKI of some sort | 18:58 |
browne | ayoung, like an oslo lib? | 18:58 |
browne | i know nova also uses some openssl | 18:59 |
ayoung | nah, should be in cryptography.py | 18:59 |
*** rushiagr is now known as rushiagr_away | 18:59 | |
browne | yeah, true, better place for it | 18:59 |
jamielennox | morganfainberg: missed my no spec proposals :( - but no real rush on those | 19:00 |
*** lhcheng is now known as lhcheng_afk | 19:00 | |
morganfainberg | jamielennox, next week. | 19:00 |
morganfainberg | jamielennox, because k3 | 19:00 |
morganfainberg | jamielennox, we can also discuss them here in channel | 19:00 |
morganfainberg | jamielennox, not at the meeting :) | 19:00 |
morganfainberg | (we've done that in the past) | 19:00 |
bknudson | I'm fine with both of those no-spec. | 19:01 |
jamielennox | morganfainberg, both are fairly trivial - just bknudson has started pulling me up on just implementing blueprints without going through the proper processes | 19:02 |
davechen_ | morganfainberg: Is there any need to review the BP before proposing SPEC for 'L'? | 19:03 |
morganfainberg | jamielennox, let me read them real quick | 19:03 |
jamielennox | however i did throw up one full client spec: https://review.openstack.org/#/c/164582/ - it's a little more contentious | 19:03 |
morganfainberg | davechen_, nothing really unless you want to weigh in on fernet tokens :) | 19:03 |
morganfainberg | jamielennox, quick SDK non-compat change check-in | 19:04 |
morganfainberg | jamielennox, no progress right? | 19:04 |
davechen_ | morganfainberg: yeah, i need some homework on the fernet token. | 19:04 |
jamielennox | morganfainberg: what? | 19:04 |
morganfainberg | jamielennox, when we said we want to break ksc | 19:04 |
morganfainberg | and were told "put that in SDK" | 19:04 |
morganfainberg | nothing has really been going on there, right? | 19:04 |
* morganfainberg is unaware of any real forward momentum | 19:05 | |
* morganfainberg might be in the dark too | 19:05 | |
jamielennox | oh, yep - i was trying to follow SDK but haven't for a bit - they're still going | 19:05 |
* morganfainberg is likely hiding from a grue. | 19:05 | |
jamielennox | ksc isn't going anywhere though, there is too much utility code in all these clients to just drop them in favour of SDK | 19:05 |
jamielennox | however if we breakout keystoneauth i expect they will consume it | 19:06 |
dolphm | jamielennox: is keystonemiddleware doing any special handling of uuid tokens that would break on fernet tokens? | 19:07 |
morganfainberg | dolphm, i hope not :P | 19:07 |
morganfainberg | jamielennox, ++ | 19:07 |
jamielennox | dolphm: not that i can think of, the path is purely PKI or server handled | 19:07 |
jamielennox | and it tests PKI based on that MII prefix | 19:08 |
morganfainberg | jamielennox, or "PKIZ" | 19:08 |
jamielennox | true | 19:08 |
dolphm | jamielennox: hmmm... i'm getting 401's with PKI, PKIZ, and Fernet as of a couple days ago, but not with UUID | 19:09 |
jamielennox | it's not keystone returning the 401? | 19:10 |
dolphm | jamielennox: let me reproduce it again... | 19:11 |
*** davechen_ has quit IRC | 19:14 | |
dolphm | jamielennox: so, keystone returns a 404 Project Not found, but i get a 200 if i do it myself | 19:15 |
jamielennox | dolphm: real keystone? | 19:15 |
dolphm | jamielennox: /var/log/apache2/keystone-admin.error.log: WARNING keystone.common.wsgi [-] Could not find project: 3f99c7a2bb40425489650d04dadb5bff | 19:15 |
jamielennox | i've no idea why that would be | 19:16 |
dolphm | jamielennox: /var/log/apache2/echo.error.log: [error] WARNING:keystonemiddleware.auth_token:Authorization failed for token | 19:16 |
morganfainberg | dolphm, so you curl validate and it works, and ksm gets a project not found? | 19:16 |
morganfainberg | or curl validate fails too? | 19:16 |
dolphm | jamielennox: [error] WARNING:keystonemiddleware.auth_token:Identity response: {"error": {"message": "Could not find project: 3f99c7a2bb40425489650d04dadb5bff", "code": 404, "title": "Not Found"}} | 19:16 |
*** packet has quit IRC | 19:16 | |
bknudson | is that the service project? | 19:16 |
dolphm | bknudson: there is no service project in this deployment | 19:16 |
jamielennox | dolphm: also does it change against the v2 or v3 api? | 19:16 |
bknudson | or the token? | 19:16 |
bknudson | how does auth_token get a token? | 19:17 |
dolphm | bknudson: it's not really a deployment, it's just keystone and auth_token running | 19:17 |
bknudson | if only a token could be used to validate a token then auth_token wouldn't need its own token. | 19:17 |
dolphm | bknudson: auth_token gets a token with the password plugin: https://github.com/dolph/keystone-deploy/blob/master/playbooks/roles/http/templates/echo.py#L16-L23 | 19:17 |
dolphm | bknudson: you can do that in policy :) haven't looked at the changes to keystonemiddleware to skip auth if none is required | 19:18 |
morganfainberg | dolphm, i think some minor code changes were needed too. | 19:18 |
jamielennox | well - a noop plugin would be fairly trivial | 19:19 |
*** aix has joined #openstack-keystone | 19:21 | |
lbragstad | morganfainberg: right, curl validate seems to pass fine, | 19:25 |
morganfainberg | lbragstad, hm. | 19:26 |
*** henrynash has quit IRC | 19:26 | |
morganfainberg | lbragstad, both on v2 and v3? | 19:27 |
morganfainberg | lbragstad, for curl. | 19:27 |
dolphm | jamielennox: is auth_token possibly failing to re-authenticate when it gets a 401 for its own token? | 19:28 |
lbragstad | morganfainberg: v3 for sure, and when I've had the v2 patch pulled down that works too. dolphm's auth_token config only runs with v3 though | 19:28 |
dolphm | lbragstad: my current theory is that auth_token's own token is invalid and keystone is mistakenly returning a 404 instead of a 401 | 19:29 |
lbragstad | where does that code live? | 19:29 |
morganfainberg | we had a bug like that at one point | 19:29 |
dolphm | jamielennox: what does auth_token do now if it just doesn't get any auth_ config? | 19:29 |
lbragstad | the 404 project thing doesn't make sense to me, especially given the setUp is pretty straight forward | 19:29 |
jamielennox | lbragstad: more or less here: https://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/auth/identity/base.py#L128 | 19:30 |
dolphm | lbragstad: you should come downstairs with your laptop and i'll blow your mind | 19:30 |
*** _cjones_ has quit IRC | 19:30 | |
jamielennox | dolphm: if it sees an auth plugin it'll ignore the old auth_ variables | 19:31 |
lbragstad | dolphm: sounds good, got a free desk down there? | 19:31 |
morganfainberg | dolphm, http://img.pandawhale.com/post-28553-Steve-Jobs-mind-blown-gif-HD-T-pVbd.gif | 19:31 |
dolphm | lbragstad: at the moment | 19:31 |
dolphm | lbragstad: Darren is in a meeting | 19:31 |
*** henrynash has joined #openstack-keystone | 19:32 | |
*** ChanServ sets mode: +v henrynash | 19:32 | |
dolphm | jamielennox: can i use the token plugin in auth_token? | 19:33 |
henrynash | dolphm: could you star this one for k3 (even with an FFE, I’d like to get this into k3 - and it has been extensively reviewed) | 19:33 |
henrynash | dolphm: https://review.openstack.org/#/c/159928/ | 19:34 |
jamielennox | dolphm: token gives you like token auth | 19:34 |
dolphm | henrynash: done | 19:34 |
jamielennox | ugh, damnit i never finished the admin token one because OSC camped on the entrypoint | 19:34 |
dolphm | jamielennox: yeah, i mean token + endpoint | 19:34 |
dolphm | jamielennox: that might workaround the issue i'm seeing, at least to test it | 19:35 |
henrynash | bknudson, stevemar, lbragstad: let’s get this puppy in for k3 (https://review.openstack.org/#/c/159928/) - since then the domain config is fully functional, leaving only things like migration and notification beyond k3 | 19:35 |
jamielennox | the plugin's there at ksc.auth.token_endpoint, but you might need to add an [entry_point] to it to expose it | 19:35 |
*** roxanag_ has quit IRC | 19:35 | |
henrynash | dolphm: thx | 19:35 |
morganfainberg | henrynash, as much as i'd like to say yes to that, the fernet token ones are the priority here. | 19:36 |
henrynash | morganfainberg: agree with that priority | 19:36 |
morganfainberg | henrynash, if i have to ask people to take time to review patches today, the fernet ones are the ones i'd like them to review. | 19:36 |
morganfainberg | henrynash, once those are ready then we can look at that one as well. | 19:36 |
henrynash | morganfainberg: ok, fair enough, guv | 19:37 |
dstanek | morganfainberg: lbragstad: one of them is WIP. do we need that one too? | 19:38 |
morganfainberg | dstanek, yes, we need that one as well, but just the first todo item, that one has way too much baked into it | 19:38 |
morganfainberg | dstanek, based on the commit message | 19:38 |
morganfainberg | dstanek, the basic token test should work with fernet, | 19:38 |
morganfainberg | dstanek, so "refactor parts of keystone/auth/ to work properly with both UUID and Fernet tokens" | 19:39 |
morganfainberg | the other todo items should be dropped to post k3 | 19:39 |
*** amakarov is now known as amakarov_away | 19:59 | |
openstackgerrit | Brant Knudson proposed openstack/keystone: Update sample config file. https://review.openstack.org/163654 | 20:00 |
openstackgerrit | Brant Knudson proposed openstack/keystone: Cleanup tests don't keep engine https://review.openstack.org/164340 | 20:03 |
*** samueldmq has quit IRC | 20:04 | |
*** topol has quit IRC | 20:04 | |
*** fifieldt has quit IRC | 20:08 | |
*** aix has quit IRC | 20:09 | |
*** samueldmq has joined #openstack-keystone | 20:12 | |
openstackgerrit | Brant Knudson proposed openstack/keystone: Log when no external auth plugin registered https://review.openstack.org/164439 | 20:12 |
*** diegows has joined #openstack-keystone | 20:17 | |
*** nkinder has quit IRC | 20:18 | |
*** nkinder has joined #openstack-keystone | 20:20 | |
openstackgerrit | Jorge Munoz proposed openstack/keystone: Implement Fernet tokens for v2.0 tokens https://review.openstack.org/159229 | 20:21 |
*** fifieldt has joined #openstack-keystone | 20:21 | |
*** r-daneel has quit IRC | 20:25 | |
*** aix has joined #openstack-keystone | 20:25 | |
*** _cjones_ has joined #openstack-keystone | 20:31 | |
openstackgerrit | Jorge Munoz proposed openstack/keystone: Implement Fernet tokens for v2.0 tokens https://review.openstack.org/159229 | 20:32 |
*** raildo is now known as raildo_away | 20:37 | |
*** _cjones_ has quit IRC | 20:38 | |
*** _cjones_ has joined #openstack-keystone | 20:38 | |
*** Bsony has quit IRC | 20:42 | |
*** boris-42 has quit IRC | 20:42 | |
dstanek | lots-o-FFE | 20:43 |
*** sigmavirus24 is now known as sigmavirus24_awa | 20:44 | |
openstackgerrit | Dolph Mathews proposed openstack/keystone: remove expected backtrace from logs https://review.openstack.org/165212 | 20:47 |
lhcheng_afk | just curious, who's planning to use the reseller implementation? | 20:48 |
*** lhcheng_afk is now known as lhcheng | 20:48 | |
morganfainberg | dolphm, so i can duplicate the issue with KSM now... | 20:48 |
morganfainberg | it seems like something is wonky here. | 20:48 |
morganfainberg | and i don't know what. | 20:49 |
dolphm | morganfainberg: KSM? | 20:51 |
dolphm | morganfainberg: oh, 401's? | 20:51 |
morganfainberg | keystone middleware | 20:51 |
morganfainberg | yeah | 20:51 |
morganfainberg | something is getting bound up in there. but it's not clear what | 20:52 |
dolphm | morganfainberg: on that note, the patch i just posted above eliminates a ghost i was chasing | 20:52 |
morganfainberg | hah | 20:53 |
dolphm | morganfainberg: more to the point, i'm tracing my mysterious 401's back to invalid 404's in keystone on that line | 20:53 |
dolphm | morganfainberg: basically, keystone is getting exception.ProjectNotFound there for projects that certainly exist | 20:54 |
morganfainberg | dolphm, but lbragstad was saying a direct validate (basically don't do cleanup) worked | 20:54 |
stevemar | morganfainberg, dolphm osc is officially an 'official openstack' project, under the openstack governance and all, we will be holding elections too | 20:54 |
morganfainberg | where ksm was not? | 20:54 |
morganfainberg | dolphm, i haven't gotten to the next step which is run keystone-deploy w/o cleanup | 20:54 |
morganfainberg | then try a direct validate of the tokens. | 20:55 |
*** mestery has quit IRC | 20:55 | |
*** _cjones_ has quit IRC | 20:55 | |
dolphm | morganfainberg: i think i'm seeing a project name being passed as an ID - not sure where the mixup is occurring | 20:56 |
morganfainberg | dolphm, that is what i was thinking. | 20:56 |
morganfainberg | dolphm, you know, easy way to confirm that | 20:56 |
dolphm | morganfainberg: i just did the no-cleanup thing :) | 20:56 |
dolphm | morganfainberg: no luck | 20:56 |
dolphm | morganfainberg: ? | 20:56 |
morganfainberg | project-id = non-hex string | 20:56 |
morganfainberg | see if it still comes up at pnf with a non-id, id | 20:57 |
dolphm | morganfainberg: yeah, i'm seeing 'admin' being logged in the backtrace i deleted in that patch above | 20:57 |
morganfainberg | ah | 20:57 |
dolphm | jamielennox: did anything merge into keystonemiddleware / client recently that handled project IDs / names during auth? | 20:57 |
jamielennox | dolphm: i don't think so, the actual meat of auth_token hasn't changed significantly in a long time | 20:58 |
*** mestery has joined #openstack-keystone | 20:59 | |
jamielennox | unless bknudson's validate in client has gone through | 20:59 |
morganfainberg | dolphm, it should fail the same way w/ UUID and Fernet | 20:59 |
bknudson | validate in client? | 20:59 |
dolphm | jamielennox: what about in the client's plugins? | 20:59 |
jamielennox | dolphm: are you seeing it with attempting to authenticate the user, or authenticating a token? | 21:00 |
bknudson | https://review.openstack.org/#/q/project:openstack/keystonemiddleware+status:merged,n,z | 21:00 |
bknudson | not much there other than moving stuff around... | 21:00 |
dolphm | jamielennox: actually, in attempting to validate a token | 21:01 |
jamielennox | ok - so i don't think that'll be plugin related | 21:01 |
jamielennox | is it the auth_token user whose project is missing or the project in the token? | 21:01 |
dolphm | jamielennox: i take that back, it's a POST! | 21:02 |
dolphm | "POST /v3/auth/tokens HTTP/1.1" 401 | 21:02 |
jamielennox | ah, crap | 21:02 |
*** sigmavirus24_awa is now known as sigmavirus24 | 21:03 | |
jamielennox | still no ideas, just more likely it's my side | 21:03 |
*** harlowja has quit IRC | 21:03 | |
dolphm | jamielennox: well, i'm using the same user to both bootstrap keystone in my test suite as i am to validate tokens in auth_token | 21:03 |
*** harlowja_ has joined #openstack-keystone | 21:03 | |
dolphm | jamielennox: but it's not the user's token who is being validated | 21:03 |
jamielennox | dolphm: so taking that config file can you get a valid token from keystone | 21:07 |
jamielennox | without auth_token | 21:07 |
dolphm | morganfainberg: jamielennox: okay i'm going to stab myself. the name / ID swap was a mistake in MY code that i wrote specifically to debug basically the same backtrace | 21:08 |
jamielennox | lol, excellent - i thought i'd broken something important | 21:09 |
*** _cjones_ has joined #openstack-keystone | 21:17 | |
*** iamjarvo has joined #openstack-keystone | 21:20 | |
iamjarvo | http://pastie.org/private/yisdzgex6yl9eumcqbjudq this is happening after i reset my vagrant box. i can't figure out why. any ideas? | 21:21 |
iamjarvo | tokens match | 21:21 |
*** arif-ali has quit IRC | 21:28 | |
morganfainberg | dolphm, LOL | 21:29 |
morganfainberg | dolphm, aaaaannnyway | 21:30 |
*** arif-ali has joined #openstack-keystone | 21:34 | |
*** mattfarina has quit IRC | 21:39 | |
*** _cjones_ has quit IRC | 21:40 | |
*** nellysmitt has quit IRC | 21:40 | |
openstackgerrit | Lance Bragstad proposed openstack/keystone: Use existing token test for Fernet tokens. https://review.openstack.org/164348 | 21:40 |
*** nellysmitt has joined #openstack-keystone | 21:41 | |
*** _cjones_ has joined #openstack-keystone | 21:44 | |
*** nellysmitt has quit IRC | 21:46 | |
openstackgerrit | Merged openstack/python-keystoneclient: Split v3 authentication file into module https://review.openstack.org/163259 | 21:47 |
openstackgerrit | Merged openstack/python-keystoneclient: Extract BaseAuth out of Auth Plugin https://review.openstack.org/163270 | 21:48 |
*** iamjarvo has quit IRC | 21:52 | |
*** gokrokve has quit IRC | 21:52 | |
*** chrisshattuck has joined #openstack-keystone | 21:54 | |
*** chrisshattuck has quit IRC | 21:58 | |
*** ayoung has quit IRC | 21:59 | |
*** chrisshattuck has joined #openstack-keystone | 22:04 | |
openstackgerrit | Steve Martinelli proposed openstack/pycadf: update README.rst to include additional links https://review.openstack.org/165232 | 22:08 |
*** harlowja_ has quit IRC | 22:09 | |
*** lhcheng has quit IRC | 22:09 | |
*** csoukup has quit IRC | 22:11 | |
*** harlowja has joined #openstack-keystone | 22:11 | |
*** sigmavirus24 is now known as sigmavirus24_awa | 22:14 | |
*** carlosmarin has quit IRC | 22:15 | |
*** henrynash has quit IRC | 22:19 | |
*** harlowja has quit IRC | 22:24 | |
*** harlowja_ has joined #openstack-keystone | 22:24 | |
*** pnavarro has joined #openstack-keystone | 22:26 | |
*** timcline has quit IRC | 22:30 | |
openstackgerrit | Merged openstack/keystone: Ignore unknown groups in lists for Federation https://review.openstack.org/162788 | 22:30 |
*** pnavarro has quit IRC | 22:32 | |
*** iamjarvo has joined #openstack-keystone | 22:33 | |
*** henrynash has joined #openstack-keystone | 22:42 | |
*** ChanServ sets mode: +v henrynash | 22:42 | |
*** samueldmq has quit IRC | 22:43 | |
*** lhcheng has joined #openstack-keystone | 22:45 | |
*** stevemar has quit IRC | 22:52 | |
*** zzzeek has quit IRC | 22:54 | |
*** chrisshattuck has quit IRC | 22:59 | |
*** dims has quit IRC | 23:09 | |
*** dims has joined #openstack-keystone | 23:20 | |
*** jaosorior has quit IRC | 23:22 | |
openstackgerrit | Jamie Lennox proposed openstack/python-keystoneclient: Provide a generic auth plugin loader https://review.openstack.org/162529 | 23:26 |
*** raildo has joined #openstack-keystone | 23:27 | |
*** Ephur has quit IRC | 23:29 | |
openstackgerrit | Jamie Lennox proposed openstack/python-keystoneclient: Rename requests mock object in testing https://review.openstack.org/164568 | 23:31 |
*** atiwari has quit IRC | 23:37 | |
*** nellysmitt has joined #openstack-keystone | 23:42 | |
*** chrisshattuck has joined #openstack-keystone | 23:45 | |
*** nellysmitt has quit IRC | 23:47 | |
*** david-lyle is now known as david-lyle_afk | 23:50 | |
openstackgerrit | henry-nash proposed openstack/keystone: Support upload domain config files to database https://review.openstack.org/160364 | 23:52 |
*** ayoung has joined #openstack-keystone | 23:53 | |
*** ChanServ sets mode: +v ayoung | 23:53 |