Tuesday, 2015-03-17

atiwariDeveloping a WSGI middleware for authentication00:00
atiwarimorganfainberg, am I supposed to remove other middleware?00:00
atiwarie.g. token_auth admin_token_auth00:00
morganfainbergatiwari, ok so i'd look at the auth_context https://github.com/openstack/keystone/blob/master/keystone/middleware/core.py#L198 as an example00:00
morganfainbergthat is what does a lot of the heavy lifting today00:00
morganfainbergatiwari i would also add a debug/output log to see if you're even seeing the request00:01
*** r-daneel has joined #openstack-keystone00:02
morganfainbergoh hm. i might be giving bad advice, sec00:02
morganfainbergok so, atiwari, i'd add debug info see if it's even being triggered. if it is you should be seeing it00:04
morganfainbergi don't know your code so i can't say much else though00:04
atiwarinp morganfainberg thanks for help. I will add debug and see :)00:04
*** gokrokve has joined #openstack-keystone00:08
lhchengjamielennox: just got back, missed the convo about the doa.  So if we eventually moved the authn to apache module, doa just need to be able to read the keystone token out of the request?00:09
jamielennoxlhcheng: we're not going to be able to move everything to apache module - but that's pretty accurate for the websso as i understand it00:11
jamielennoxDOA will redirect to the auth provider which will redirect to keystone which redirect to horizon with a token already00:11
*** aix has joined #openstack-keystone00:12
lhchengjamielennox: yup, that's how the websso is working right now.00:14
jamielennoxlhcheng: so did you see the link to the email00:15
jamielennoxor the email itself?00:15
lhchengjamielennox: for kerberos, will the authentication be handled in doa or an apache module?00:15
* lhcheng looking00:15
jamielennoxlhcheng: for all of these things we need some interaction with DOA00:15
jamielennoxlhcheng: for kerberos the KRB5CCNAME env var gets passed through which then is used by the kerberos plugin00:16
jamielennoxso it's fairly similar to now, just replace password plugin with kerberos plugin00:16
jamielennoxlhcheng: http://lists.openstack.org/pipermail/openstack-dev/2015-March/059139.html00:17
atiwarimorganfainberg, have one question in the same line. do you have 1 min?00:18
morganfainbergsure00:18
atiwarilet me explain it a little bit.00:19
lhchengjamielennox: I suppose for the plugin model, it will eventually support plugin discovery using stevedore?00:19
jamielennoxlhcheng: let's go to #horizon00:19
atiwarikeystone is running under apache. and authentication is done by external IdP, which is setting a token_id (this is not keystone token)00:20
atiwariI want to use external auth but the token_id has to be validated again by the external agent00:21
atiwariin this scenario, I thought I would call the external agent from the auth middleware00:22
atiwaridoes it look feasible?00:23
morganfainbergatiwari, so... you are using an external auth [user auth] but also a token?00:23
morganfainbergatiwari, that sounds wrong. token is a type of auth, external would be another00:23
morganfainbergnot external *and* token.00:23
atiwarimy intention is to use external auth only00:23
morganfainbergso you could also just create an auth_plugin00:24
morganfainbergif it doesn't need to be in middleware.00:24
atiwariok00:24
atiwariso custom auth plugin?00:25
morganfainbergbut in short, you just need to set the values the external auth plugin is looking for, and make sure external auth plugin is enabled if you're using a middleware00:25
morganfainbergeither way works00:25
morganfainbergexternal auth is meant to use something like mod_ldap or mod_basic_auth00:25
atiwarisomething like keystone.auth.plugins.external.Domain? correct?00:25
morganfainbergyou instead could just write an auth plugin if you wanted. but someone would need to request the auth plugin00:25
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Add in further token validation in v3_auth tests  https://review.openstack.org/16402600:25
morganfainbergatiwari, yah.00:25
samueldmq_morganfainberg, ^00:26
morganfainbergsamueldmq_, nice00:26
atiwarimorganfainberg, thanks I will test that option00:26
samueldmq_:-)00:26
atiwarithanks00:26
*** samueldmq has quit IRC00:28
*** samueldmq_ is now known as samueldmq00:28
openstackgerritlifeless proposed openstack/python-keystoneclient: Make non-import packages lazy  https://review.openstack.org/16406600:36
*** r-daneel has quit IRC00:37
*** stevemar has joined #openstack-keystone00:43
*** ChanServ sets mode: +v stevemar00:43
samueldmqbknudson, thanks for your review on #164026, replied to your comments00:53
*** browne has quit IRC00:54
bknudsonwe shouldn't be using the admin token... admin token should be disabled anyways.00:55
bknudsonbut, we can work on that l8r00:55
samueldmqbknudson, yes I agree, we can address that in a followup patch, thanks00:58
ayoung"I don't think domain scoped tokens have a future and there are a ton of potential security issues if they are used."  david-lyle care to expound?  nkinder you asked about this, too00:59
openstackgerritLin Hua Cheng proposed openstack/keystone: Validate user exist when assigning roles in V2  https://review.openstack.org/9398200:59
bknudsonsomebody else was asking me about domain-scoped tokens in horizon before... they had some weird ideas about how they're planning to use them...00:59
bknudsonlike keeping both a domain-scoped token and another token and using one for some stuff and one for other stuff.01:00
nkinderyou would have to use a domain-scoped token if you want to do things like create projects or define roles from the "Identity" section of Horizon01:00
nkinder...with the domain-aware policy that is01:01
bknudsonkind of implies that there's a "the domain-aware policy"01:01
bknudsonyou can set up your policy any way you want to.01:01
nkinderbknudson: well, there is one (policy.v3cloudsample)01:02
bknudsonhorizon shouldn't be assuming use of policy.v3cloudsample or the sample policy.json.01:02
nkindercorrect, it needs to work with either01:02
bknudsonit also needs to work with whatever a deployer might setup01:02
nkinderdomain-scoped tokens exist, and policy.v3cloudsample is actually fairly sane for a deployment that uses domains01:02
nkinder...otherwise you can't delegate things down to various levels (cloud-admin, domain-admin, project-admin)01:03
samueldmqalso, we should have a way to list what API calls a given token can use ... so horizon could properly show its interface01:03
bknudsonI could set up my policy so that you can delegate using a project-scoped token, too.01:04
nkindersamueldmq: yeah, that was a topic of discussion in Paris01:04
bknudsonif I didn't want to use domain-scoped token.01:04
nkindersamueldmq: "what can I do?"01:04
samueldmqnkinder, yep, listing capabilities01:04
samueldmqnkinder, I'll look for a link on this discussion ("what can I do?")01:05
nkindersamueldmq: there was ont on openstack-dev from last october or november IIRC01:05
nkinders/ont/one/01:05
nkinderbknudson: I see the same problem in Horizon with project-scoped tokens if you have some "admin" project that is used for cloud-admin tasks01:07
nkinderbknudson: you have to select that scope to do cloud-admin tasks (just like you would if domains shows up in the drop-down of projects)01:07
nkinderHorizon would need to know (or be told) what token to use01:07
bknudsonHorizon has the policy.json01:08
nkinderbknudson: yes, it needs a copy of it01:08
bknudsonseems kind of wacky to just be getting tokens from my token just so I can click on some other button?01:09
bknudsonobviously I have authority it's just I've got the wrong token.01:09
nkinderbknudson: there are all sorts of odd cases too.  What if I'm granted admin on multiple domains?01:10
nkinderjust like with multiple projects, I'd have to make some sort of selection to say where I want to perform an action01:11
nkinderThese are all low-level details though.  The question is, why would domain-scoped tokens be going away?01:12
bknudsondomains are going away01:12
nkinder...unless domains are just going to become top-level projects01:12
bknudsonright, a domain is a special type of project (doesn't have to be top-level)01:12
nkinderyes, so we're talking about a name change really (at least from a usage standpoint)01:13
nkindercall it a "domain" or a "top-level" project, but the usage of the tokens is the same.01:13
bknudsony, it doesn't fix the issue.01:13
nkinderThe implementation in Keystone might be different (putting the-projects-formerly-known-as-domains in the projects table, etc.)01:13
bknudsonis that how they want Horizon to work? you can only do what your current scope allows?01:16
bknudsonor does it want you to be able to do anything that any scope you can get allows?01:16
bknudsonbecause they could get a token for every scope and then use one that'll work.01:17
nkinderif I create an instance, how does Horizon know what project it is within?01:17
bknudsongood question.01:18
nkinderor if I create a group (assume user management is in SQL), which "top-level project" does the group belong to?01:18
bknudsonit could put a dropdown in the dialog box.01:18
nkinderthat's what we have today01:18
nkinderthe projects list01:18
nkinderoh, in the dialog01:19
nkindernot the main page01:19
nkinderI guess the same applies for listing instances01:19
nkinderyou need to select the project you want, and we have that at the top of the page01:19
bknudsony, essentially give you a list of the projects where your token is allowed to create instances.01:19
nkinderI sort of like the way it's done now01:19
nkinders/token/tokens/ though01:20
bknudsony, me too... not sure what horizon wants to do though.01:20
bknudsonI was concerned when I was told horizon was going to keep a domain-scoped and a normal token and pick which one to use?01:20
bknudsonthat seems like heading towards the keep all the tokens model.01:20
bknudsonif you were keeping the way it's done now you'd switch to a domain-scoped token and then you'd essentially only see keystone ops.01:21
bknudsonpick a domain01:21
ayoungjamielennox, for Kerberos and X509, we can deduce the protocol from the environment.  Same would be true of mapping, I think.01:23
jamielennoxayoung: sure that would work01:24
ayoung 'twould take a server side change, but...01:24
jamielennoxthat would just require whatever the DOA plugin is01:24
jamielennoxto setup the plugin with those env vars01:24
ayoung AuthType GSSAPI01:24
ayoungjamielennox, nah, I meant on the Keystone side01:25
morganfainbergayoung, jamielennox, bknudson, review of https://review.openstack.org/#/c/159229/ would be greatly appreciated if you have a few minutes to spare01:25
ayounginstead of explicitly setting protocol, the Apache module sets a config variable and then that gets translated pre-mapping...01:25
jamielennoxayoung: how would it work on the keystone side?01:25
ayoungit would even work for SAML etc...damnit, that's how it is supposed to work01:25
morganfainbergstevemar, ^01:26
ayounglet me think this through....01:26
ayoungjamielennox, http://www.freeipa.org/page/Environment_Variables01:26
ayoungso  we could select the protocol based on a first mapping:01:26
ayoungIf X509....01:26
*** dims has quit IRC01:26
jamielennoxdoing SET_ENV is easy on the DOA side, and we can use that to autoset them - but we need this stuff when you create the plugin initially01:26
morganfainberghenrynash, so i think the two BPs that need FFEs are going to be the domain sql, and reseller. i know you've worked a lot on the reseller stuff; would you be interested in sponsoring it?01:27
morganfainberghenrynash, will bug you tomorrow at the meeting as well.01:27
jamielennoxayoung: we wouldn't be sharing routes between x509 and kerb01:27
ayoungNo specific AUTH_TYPE is set01:27
henrynashmorganfainberg: yes, happy to sponsor it01:27
ayoungjamielennox, yeah, we could always make it an apache config to set the variable01:27
ayoungso always assume the protocol is in the AUTH_TYPE variable01:28
morganfainberghenrynash, awesome. thanks. most of the code is good to go there afaict. so i see it as a good candidate for FFE01:28
ayoungprobably safer than letting the client specify it01:28
ayoungquestion is, then, how to choose the mapping01:28
jamielennoxayoung: whatever, that's just config settings01:28
henrynashmorganfainberg: and the domain-config is mainly in already…but we have some of the edge pieces outstanding01:28
morganfainbergraildo, rodrigods, ^ (see) henrynash sponsoring reseller.  will bug you guys tomorrow at the meeting to make it official / get the email to the ML setup.01:28
ayoungjamielennox, if we do this right, we can drop the body of the auth request01:29
morganfainberghenrynash, yeah thats why it needs the FFE, the edge stuff is just finalizing things, but i don't think they can / will land this week [tomorrow]01:29
jamielennoxummm01:29
ayoungwhich is where I wanted to go with this in the first place01:29
morganfainberghenrynash, just makes it easier since it's a minor amount of extra work to get the bits done01:29
henrynashmorganfainberg: a couple more will, but not all01:29
morganfainberghenrynash, less stress than rushing it in.01:29
morganfainberghenrynash, exactly01:29
henrynashmorganfainberg: yep01:30
ayoungjamielennox, it would be a decision tree.  first level is the Protocol.  Then based on the protocol, select the env var that specifies which mapping to choose01:30
morganfainberghenrynash, so i want to let it finish up as FFE01:30
jamielennoxhmm, maybe - would have to think that through, but if there's no scoping data then there really isn't much else to post01:30
henrynashmorganfainberg: sounds good to me01:30
morganfainberghenrynash, will confirm all this at the meeting tomorrow01:30
henrynashok01:30
ayoungmorganfainberg, damn it,  why do we always try to do work that the web server should be doing for us?01:30
ayoungHere we are two releases into Federation, and I just realized we don't need the damn request body01:31
morganfainbergayoung, because we had to support eventlet.01:31
morganfainbergayoung, history made us support that stuff01:31
ayoungNot for Federation we didn't01:31
morganfainbergayoung, for everything we needed it. so federation inherited it01:31
ayoungDIE DIE EVENTLET DIE!01:31
morganfainbergin the m-release01:31
*** henrynash has quit IRC01:32
morganfainbergif i could do it faster i would...but it wouldn't be fair to single cycle that01:32
ayoungOK...so now that we are on Apache, maybe we can start doing this:01:32
ayoungif the server sets the Auth_Type variable, use that value to select the protocol instead of the value in the body of the message01:33
ayoungNah,  we can multi-cycle it01:33
ayoungI realize we are reshoeing our horse in the middle of the steeplechase here01:33
jamielennoxayoung: the protocol is part of the URI, we can do that for DOA but not in general01:33
ayoungBut you agree that inferring the protocol and mapping is safer than letting the user specify either one, right?01:34
ayoungjamielennox, then why is it in the unscoped token request body?01:35
jamielennoxit's not01:35
jamielennoxthat hack you did for kerberos is the only time i've seen protocol in the body01:36
ayoungjamielennox, its been part of the spec from the get go:  https://github.com/openstack-attic/identity-api/blob/master/v3/src/markdown/identity-api-v3-os-federation-ext.md#authenticating01:38
ayoungah...mapping is inferred,  it is IDP I was thinking of01:39
jamielennoxayoung: that's the returned token - it's not a part of the request01:39
ayoungjamielennox, ah...I see, so what I was saying was how the Federated works...just that the identity provider is explicit.  But it really does not need to be01:42
ayoungwe could just do01:42
ayoung     /OS-FEDERATION/protocols/{protocol}/auth01:43
ayoungand deduce the IdP from the env vars01:43
ayoungOK...so01:43
ayoungfor the next rev of this, we should do01:44
ayoungwhen making Federation core API    /auth/protocols/{protocol}/token01:44
jamielennoxayoung: doesn't the saml apache modules validate the server?01:45
*** Akshik has joined #openstack-keystone01:45
ayoungit getter01:45
ayoungbetter01:45
ayoungAh, but maybe we need different configs for different servers?01:46
jamielennoxas in if you didn't include idp in the URI then you couldn't authenticate multiple providers at the same url01:46
ayoungright, I was thinking Kerberos01:46
ayoungthat says "go to this IdP" not "trust the assertion came from this IdP"  as that comes from validating the assumption01:46
ayoungKerberos and X509 don't need that01:46
*** _cjones_ has joined #openstack-keystone01:47
ayoungOK...I've talked myself through the design....feeling a bit slow and dense at the moment01:47
*** _cjones_ has quit IRC01:48
*** _cjones_ has joined #openstack-keystone01:48
*** browne has joined #openstack-keystone01:51
*** lhcheng has quit IRC01:51
ayoungjamielennox, OK, so let me think through how kerberos and x509 should work today.    To get an unscoped token, I go to /OS-FEDERATION/identity_providers/younglogic/protocols/gssapi/auth .  Send no data, get back an unscoped token, and...01:52
jamielennoxrescope token as per normal01:52
*** dims has joined #openstack-keystone01:54
*** tqtran has quit IRC01:54
david-lylebknudson I've closed the door on domain scoped tokens01:55
david-lylewould prefer a common token01:55
david-lylefor horizon that is01:55
bknudsondavid-lyle: so HMT isn't going to work in horizon?01:56
bknudsonthat's what it was being added for, right?01:56
david-lylewas actually for domain admin01:56
david-lyleso things like the v3 policy file would work01:56
bknudsonah, so no domain admin.01:56
david-lylebut that won't work anyway01:56
bknudsonkind of important.01:57
openstackgerritRodrigo Duarte proposed openstack/keystone: Fix nullable constraints in service provider table  https://review.openstack.org/16418901:57
rodrigodsstevemar, ^ removed some unused vars and fixed a possible issue in the tests01:58
*** _cjones_ has quit IRC01:58
david-lylehoping with HMT keystone moves to a single token type01:58
rodrigodsdavid-lyle, bknudson dual scoped tokens are in the plan for L (after Reseller base code is ready)01:58
david-lylemaybe false hope01:58
bknudsonwe already have unscoped and project-scoped01:59
david-lylebknudson: true, but the admin role on the domain scoped token creates issues01:59
bknudsona domain-scoped token can definitely have admin role.02:00
bknudsonI guess the way I thought it would work is if you pick a domain scope then you only see keystone operations.02:01
ayoungdavid-lyle, what was the reason for saying there were security issues?02:01
*** ajayaa has joined #openstack-keystone02:02
david-lyleayoung: I need to revalidate02:02
*** dims has quit IRC02:03
david-lylelet me validate and document, I may be incorrect02:03
*** zzzeek has quit IRC02:09
david-lyleMy general feeling is something like domain admin will not be supported outside of keystone, which limits its usefulness, my hope is that if the basic construct is a project, the other services will at least acknowledge their existence, which makes my life easier02:12
* david-lyle goes back to dad mode for a bit02:14
*** Akshik has quit IRC02:21
*** erkules_ has joined #openstack-keystone02:22
*** sigmavirus24_awa is now known as sigmavirus2402:24
*** erkules has quit IRC02:25
*** richm has quit IRC02:26
stevemardavid-lyle, btw thai's patches should be ready for review now02:28
stevemaroops, missed the dad mode message02:28
*** iamjarvo has joined #openstack-keystone02:37
*** krtaylor has quit IRC02:38
*** ajayaa has quit IRC02:43
*** krtaylor has joined #openstack-keystone02:50
*** gokrokve has quit IRC02:56
*** gokrokve has joined #openstack-keystone02:57
*** gokrokve has quit IRC02:57
*** dims has joined #openstack-keystone03:04
*** dims has quit IRC03:11
*** boris-42 has quit IRC03:12
*** harlowja is now known as harlowja_away03:15
*** ajayaa has joined #openstack-keystone03:17
*** zzzeek has joined #openstack-keystone03:22
*** zzzeek has quit IRC03:22
dstaneklbragstad: dolphm: did you guys get the keystone-deploy errors figured out?03:25
*** ajayaa has quit IRC03:25
*** gokrokve has joined #openstack-keystone03:25
*** gokrokve has quit IRC03:27
*** sluo_wfh is now known as sluo_laptop03:28
*** markvoelker has quit IRC03:29
*** ajayaa has joined #openstack-keystone03:29
*** gokrokve has joined #openstack-keystone03:31
*** ccard__ has joined #openstack-keystone03:31
*** ccard_ has quit IRC03:35
*** david-lyle is now known as david-lyle_afk03:35
*** rushiagr_away is now known as rushiagr03:39
*** mitz has quit IRC03:40
*** ncoghlan has joined #openstack-keystone03:55
*** rushiagr is now known as rushiagr_away04:00
*** lhcheng has joined #openstack-keystone04:03
*** _cjones_ has joined #openstack-keystone04:04
openstackgerritLin Hua Cheng proposed openstack/keystone: Remove parent_id in v2 token response  https://review.openstack.org/15686704:04
*** _cjones_ has quit IRC04:04
*** _cjones_ has joined #openstack-keystone04:05
*** iamjarvo has quit IRC04:17
*** drjones has joined #openstack-keystone04:19
*** _cjones_ has quit IRC04:21
*** stevemar has quit IRC04:22
*** stevemar has joined #openstack-keystone04:23
*** ChanServ sets mode: +v stevemar04:23
*** sigmavirus24 is now known as sigmavirus24_awa04:24
openstackgerritMerged openstack/keystone: Create a fixture for key repository  https://review.openstack.org/16481704:28
*** ajayaa has quit IRC04:31
*** ayoung has quit IRC04:32
*** mitz has joined #openstack-keystone04:34
*** rushiagr_away is now known as rushiagr04:39
*** ajayaa has joined #openstack-keystone04:50
*** drjones has quit IRC05:05
*** _cjones_ has joined #openstack-keystone05:05
openstackgerritwanghong proposed openstack/keystone: add timestamp to project and role  https://review.openstack.org/15437005:14
*** ParsectiX has quit IRC05:14
*** ParsectiX has joined #openstack-keystone05:15
*** gokrokve_ has joined #openstack-keystone05:15
*** gokrokve has quit IRC05:18
*** gokrokve_ has quit IRC05:19
*** ParsectiX has quit IRC05:19
*** ParsectiX has joined #openstack-keystone05:20
*** rushiagr is now known as rushiagr_away05:51
*** ishant|2 has joined #openstack-keystone05:53
*** ishant|2 has quit IRC05:54
*** ishant has joined #openstack-keystone05:54
*** drjones has joined #openstack-keystone05:56
*** _cjones_ has quit IRC05:57
*** lhcheng has quit IRC06:14
*** lhcheng has joined #openstack-keystone06:25
*** lhcheng has quit IRC06:26
*** lhcheng has joined #openstack-keystone06:26
*** drjones has quit IRC06:28
*** lhcheng has quit IRC06:29
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Imported Translations from Transifex  https://review.openstack.org/16495806:34
*** gokrokve has joined #openstack-keystone06:41
*** stevemar has quit IRC06:44
*** ajayaa has quit IRC06:46
*** ajayaa has joined #openstack-keystone06:46
*** browne has quit IRC06:52
*** gokrokve has quit IRC07:02
*** gokrokve has joined #openstack-keystone07:02
*** markvoelker has joined #openstack-keystone07:04
*** pnavarro has joined #openstack-keystone07:05
*** gokrokve has quit IRC07:07
*** markvoelker has quit IRC07:08
*** ParsectiX has quit IRC07:19
*** afazekas has joined #openstack-keystone07:25
*** lhcheng has joined #openstack-keystone07:29
*** lhcheng has quit IRC07:34
*** ParsectiX has joined #openstack-keystone07:36
*** ajayaa has quit IRC07:46
*** erkules_ is now known as erkuls08:04
*** markvoelker has joined #openstack-keystone08:05
*** erkuls is now known as erkules08:05
*** erkules has quit IRC08:05
*** erkules has joined #openstack-keystone08:05
*** markvoelker has quit IRC08:10
*** ajayaa has joined #openstack-keystone08:28
*** lhcheng has joined #openstack-keystone08:31
*** lhcheng has quit IRC08:35
*** dims has joined #openstack-keystone08:42
*** ncoghlan has quit IRC08:43
*** nkinder has quit IRC08:47
*** dims has quit IRC08:48
*** henrynash has joined #openstack-keystone08:54
*** ChanServ sets mode: +v henrynash08:54
*** nkinder has joined #openstack-keystone08:54
*** boris-42 has joined #openstack-keystone08:59
*** ajayaa has quit IRC09:01
*** ajayaa has joined #openstack-keystone09:03
*** jistr has joined #openstack-keystone09:04
*** markvoelker has joined #openstack-keystone09:06
*** markvoelker has quit IRC09:11
openstackgerrithenry-nash proposed openstack/keystone: Enable sensitive substitutions into whitelisted domain configs  https://review.openstack.org/15992809:17
*** samueldmq has quit IRC09:20
*** angular_mike has joined #openstack-keystone09:30
*** krykowski has joined #openstack-keystone09:32
*** rushiagr_away is now known as rushiagr09:39
*** samueldmq has joined #openstack-keystone09:40
*** dims has joined #openstack-keystone09:50
openstackgerritwanghong proposed openstack/keystone: add timestamp to project and role  https://review.openstack.org/15437009:53
*** samueldmq has quit IRC10:04
*** markvoelker has joined #openstack-keystone10:07
*** markvoelker has quit IRC10:12
openstackgerritMerged openstack/keystone: Imported Translations from Transifex  https://review.openstack.org/16495810:13
openstackgerritMarek Denis proposed openstack/keystone: Distinguish between unset and empty black and white lists  https://review.openstack.org/16479810:16
openstackgerritMarek Denis proposed openstack/keystone: Distinguish between unset and empty black and white lists  https://review.openstack.org/16479810:21
openstackgerrithenry-nash proposed openstack/keystone: Support upload domain config files to database  https://review.openstack.org/16036410:24
*** henrynash has quit IRC10:25
*** samueldmq has joined #openstack-keystone10:28
*** ajayaa has quit IRC10:51
*** rushiagr is now known as rushiagr_away10:56
*** rushiagr_away is now known as rushiagr10:57
openstackgerritMarek Denis proposed openstack/keystone: IdP ID registration and validation  https://review.openstack.org/15215610:57
*** Bsony has joined #openstack-keystone11:00
*** Bsony has quit IRC11:00
*** Bsony has joined #openstack-keystone11:01
*** markvoelker has joined #openstack-keystone11:08
*** krykowski has quit IRC11:08
openstackgerritMarek Denis proposed openstack/python-keystoneclient: Clean arguments in test_federation.*.test_create()  https://review.openstack.org/16460511:09
*** markvoelker has quit IRC11:14
*** krykowski has joined #openstack-keystone11:17
*** pnavarro has quit IRC11:37
*** markvoelker has joined #openstack-keystone11:38
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Add in further token validation in v3_auth tests  https://review.openstack.org/16402611:56
*** rushiagr is now known as rushiagr_away12:04
*** ajayaa has joined #openstack-keystone12:05
*** stevemar has joined #openstack-keystone12:05
*** ChanServ sets mode: +v stevemar12:05
*** lhcheng has joined #openstack-keystone12:08
openstackgerritMarco Fargetta proposed openstack/keystone: IdP ID registration and validation  https://review.openstack.org/15215612:09
*** lhcheng has quit IRC12:12
*** htruta has joined #openstack-keystone12:13
*** radez_g0n3 is now known as radez12:13
*** dims has quit IRC12:16
*** dims has joined #openstack-keystone12:17
*** ljfisher has joined #openstack-keystone12:19
*** ljfisher has quit IRC12:22
*** henrynash has joined #openstack-keystone12:22
*** ChanServ sets mode: +v henrynash12:22
*** angular_mike has quit IRC12:23
*** jistr is now known as jistr|class12:26
openstackgerrithenry-nash proposed openstack/keystone: Enable sensitive substitutions into whitelisted domain configs  https://review.openstack.org/15992812:28
raildohenrynash, morning :) i see the message, you will sponsor the reseller implementation, thanks a lot :)12:29
henrynashraildo: yw12:29
openstackgerritRodrigo Duarte proposed openstack/keystone: Add domain_id checking in create_project  https://review.openstack.org/15994412:32
openstackgerritRodrigo Duarte proposed openstack/keystone: Add is_domain field in Project Table  https://review.openstack.org/15742712:32
openstackgerritRodrigo Duarte proposed openstack/keystone: Honor domain operations in project table  https://review.openstack.org/14376312:32
openstackgerritRodrigo Duarte proposed openstack/keystone: Restrict inherited role assignments to subdomains  https://review.openstack.org/16418012:32
openstackgerritRodrigo Duarte proposed openstack/keystone: Change project name constraint  https://review.openstack.org/15837212:32
*** gordc has joined #openstack-keystone12:39
*** rushiagr_away is now known as rushiagr12:49
openstackgerritTelles Mota Vidal Nóbrega proposed openstack/keystone: Creating domain and filtering by parent_id  https://review.openstack.org/16137812:50
openstackgerritTelles Mota Vidal Nóbrega proposed openstack/keystone: List projects filtering by is_domain flag  https://review.openstack.org/15839812:50
*** bknudson has quit IRC12:57
*** obutenko_ has quit IRC12:58
*** obutenko has quit IRC12:58
*** bknudson has joined #openstack-keystone13:01
*** ChanServ sets mode: +v bknudson13:01
*** bknudson has left #openstack-keystone13:02
*** bknudson has joined #openstack-keystone13:02
*** ChanServ sets mode: +v bknudson13:02
*** vhoward has joined #openstack-keystone13:18
rodrigodsmarekd, what error do you think should be raised if we try to create an assertion and the sp doesn't have sp_url or auth_url?13:19
marekdrodrigods: ValidationError maybe?13:20
rodrigodsmarekd, hmm sounds good13:20
marekdbreton: re: https://review.openstack.org/#/c/164798/5 "Overall patch is needed." <- what does it mean?13:21
*** ayoung has joined #openstack-keystone13:23
*** ChanServ sets mode: +v ayoung13:23
*** richm has joined #openstack-keystone13:24
rodrigodsmarekd, ValidationError is client side error :(13:26
openstackgerrithenry-nash proposed openstack/keystone: Move backend LDAP role testing to the new backend testing module  https://review.openstack.org/15683013:26
openstackgerritBrant Knudson proposed openstack/python-keystoneclient: Make non-import packages lazy  https://review.openstack.org/16406613:28
marekdrodrigods: ok, so imho it qualifies for HTTP 500 error (internal server error), i.e. UnexpectedError, line 354 from exception.py13:28
marekdrodrigods: what do you think?13:29
rodrigodsmarekd, yeah, makes sense to me13:29
rodrigodsmarekd, let me check how to provide a custom message to it13:29
marekdprobably in the constructor.13:29
rodrigodsmarekd, UnexpectedError(exception=msg)13:30
rodrigods:)13:30
marekdyeah13:30
openstackgerrithenry-nash proposed openstack/keystone: Refactor code supporting status in JSON Home  https://review.openstack.org/16507513:48
stevemarmarekd, o/13:48
*** zzzeek has joined #openstack-keystone13:50
stevemarbknudson, apparently i can't keep track of what we test against in ksc, i thought we dropped py26 support13:55
stevemarbut the gate says otherwise13:55
bknudsonstevemar: it's just the libraries that have to maintain py26... same in oslo13:55
stevemarbknudson, do you know why that is?13:55
bknudsonthe libraries run in less-constrained environments.13:56
bknudsonthe servers obviously run on the cloud servers where you have lots of control13:56
*** samueldmq is now known as samueldmq-away13:56
bknudsonwhereas the libraries are on the client systems and we want them to be able to run everywhere13:56
stevemarfair enough i suppose13:56
bknudsonalthough, since we'll have stable branches for the libraries maybe that can be dropped.13:57
*** gokrokve has joined #openstack-keystone14:01
ayoungmarekd, can you look at https://review.openstack.org/#/c/162788/  as morganfainberg specifically wanted your eyes on it.14:01
*** iamjarvo has joined #openstack-keystone14:02
openstackgerritRodrigo Duarte proposed openstack/keystone: Fix nullable constraints in service provider table  https://review.openstack.org/16418914:02
openstackgerritRodrigo Duarte proposed openstack/keystone: Assert sp attributes during assertion generation  https://review.openstack.org/16507914:02
rodrigodsmarekd, stevemar, ^ had to update the commit message from the db migration patch to not close the bug (the follow up change has the Closes-Bug now)14:03
14:03 *** lsmola has quit IRC
14:03 *** r-daneel has joined #openstack-keystone
14:05 *** lsmola has joined #openstack-keystone
14:05 *** jistr|class is now known as jistr
14:06 *** lsmola has quit IRC
14:06 *** lsmola has joined #openstack-keystone
14:07 *** sigmavirus24_awa is now known as sigmavirus24
14:10 *** lsmola has quit IRC
14:10 *** lsmola has joined #openstack-keystone
14:11 <breton> marekd: that -1 is only because of the comments and that I like the patch :)
14:14 <openstackgerrit> henry-nash proposed openstack/keystone: Refactor code supporting status in JSON Home  https://review.openstack.org/165075
14:15 *** ishant has quit IRC
14:17 *** samueldmq has joined #openstack-keystone
14:18 *** mattfarina has joined #openstack-keystone
14:27 <lbragstad> dstanek: not yet,
14:27 <lbragstad> dstanek: I'm still digging into it, I have a feeling it might be something with AuthProtocol, or caching
14:29 *** topol has joined #openstack-keystone
14:29 *** ChanServ sets mode: +v topol
14:29 *** nellysmitt has joined #openstack-keystone
14:31 *** timcline has joined #openstack-keystone
14:36 *** jorge_munoz1 has joined #openstack-keystone
14:38 *** radez has left #openstack-keystone
14:39 *** ajayaa has quit IRC
14:42 *** amakarov_away is now known as amakarov
14:44 *** gokrokve_ has joined #openstack-keystone
14:45 *** gokrokve has quit IRC
14:46 *** browne has joined #openstack-keystone
14:48 *** samueldmq has quit IRC
14:51 <lbragstad> dstanek: fyi, it should be recreate-able with https://github.com/dolph/keystone-deploy/commit/caa515f689392701c49db47222b20592049b72f3
14:52 <stevemar> marekd, another marek https://review.openstack.org/#/c/165090/
14:53 *** gokrokve_ has quit IRC
14:56 <lbragstad> dolphm: fyi, I'm able to grab tokens from keystone and validate them against keystone just fine. Digging more into middleware
14:56 *** gokrokve has joined #openstack-keystone
14:57 *** david-lyle_afk is now known as david-lyle
15:07 *** ParsectiX has quit IRC
15:08 <dolphm> lbragstad: me too
15:12 <marekd> ayoung: i added the comment
15:13 <marekd> and didn't want to explicitly -1 it.
15:14 * marekd is logging out for 80-90 minutes :-)
15:14 *** browne has quit IRC
15:28 <breton> folks, I don't quite get from the code: does the current fernet implementation encrypt the token?
15:28 <breton> is there a blogpost or a spec with followup about the current implementation?
15:29 <dolphm> breton: the tokens themselves are encoded per this spec: https://github.com/fernet/spec
15:30 <dolphm> breton: identity and authorization attributes are both encrypted via AES-CBC with a 128-bit key
15:30 <dolphm> breton: all the encryption work is outside of keystone's scope
15:37 <dstanek> stevemar: marekd: do you guys really think having the ABFAB docs is OK if nobody has done or can verify anything?
15:37 <dolphm> dstanek: ?
15:39 *** lhcheng has joined #openstack-keystone
15:39 <dstanek> dolphm: just sent you a few emails - Chadwick sent email offlist
15:39 <dolphm> lbragstad: i added another test btw; it's not that more are failing https://travis-ci.org/dolph/keystone-deploy/builds/54734386
15:40 <dolphm> dstanek: ack
15:42 *** _cjones_ has joined #openstack-keystone
15:44 <dolphm> dstanek: i agree with you, but i'd be willing to merge it if A) someone else tries out the docs and ensures that they work, B) there's sufficient interest in the use case for keystone-core to maintain the documentation moving forward
15:44 <dolphm> dstanek: i'll comment as much on the review though
15:45 <dstanek> dolphm: i asked on the review about trying it out, but i haven't had time to actually do it and i don't want to use their setup
15:48 <breton> dolphm: great, thanks
15:50 <bknudson> dstanek: I also don't think we want to carry this documentation... it's just going to get out of date.
15:51 <openstackgerrit> Rodrigo Duarte proposed openstack/keystone: Assert sp attributes during assertion generation  https://review.openstack.org/165079
15:52 <dstanek> bknudson: if we can't easily support it or we don't want to then i totally agree. we could link to it if it were published somewhere
15:52 <dolphm> dstanek: yeah, i'd like to do it myself as well, but definitely won't have time in the near future
15:52 <bknudson> dstanek: I like that idea... they can document it themselves and we put a link up.
15:52 <dolphm> dstanek: that'd be a weird precedent - linking to blog posts and whatnot in official docs? lol
15:52 <dolphm> dstanek: i'd be in favor of it living in the wiki
15:53 <dolphm> that way support is best effort by the community, rather than gated by keystone-core
15:53 <bknudson> all our docs can just be links to blogs.
15:53 <dolphm> bknudson: google*
15:53 <bknudson> let me google that for you
15:53 <dolphm> bknudson: was just about to say that
15:54 <bknudson> he he
15:54 <dolphm> http://lmgtfy.com/?q=OpenStack+Keystone+{your search term here}
15:54 *** ajayaa has joined #openstack-keystone
15:55 <dstanek> :-)
15:55 <dolphm> we have so many docs on federation already it's fantastic https://www.google.com/search?btnG=1&pws=0&q=OpenStack+Keystone+federation&gws_rd=ssl
15:55 <dolphm> 13,600 docs
15:56 <dolphm> lbragstad: any revelations?
15:56 <lbragstad> dolphm: I'm getting meeting'd
16:05 *** iamjarvo has quit IRC
16:05 <openstackgerrit> henry-nash proposed openstack/keystone: Refactor code supporting status in JSON Home  https://review.openstack.org/165075
16:08 <stevemar> dstanek, i really don't mind them existing in our docs
16:14 *** samueldmq-away is now known as samueldmq
16:18 <stevemar> dstanek, dolphm why not a disclaimer indicating that the support is best-effort
16:19 <dolphm> stevemar: that doesn't avoid the issue of those docs being owned by keystone-core
16:20 <dolphm> stevemar: and i'd argue that if it's owned by keystone-core, it's either fully supported or it's not. there's no room for best effort
16:21 <openstackgerrit> Raildo Mascena de Sousa Filho proposed openstack/keystone: WIP: Bye bye domain table  https://review.openstack.org/161854
16:21 <stevemar> dolphm, i feel like we're telling chadwick and his team that abfab will never be supported
16:21 <dolphm> stevemar: but the bigger question i left in the review comments is whether anyone is ever going to use those docs
16:21 <dolphm> stevemar: because no one else is interested, afaik
16:21 <stevemar> probably not
16:22 <dolphm> stevemar: so then as long as no one is interested, there's no reason to hoist their support effort onto keystone-core
16:23 <stevemar> dolphm, so, the docs never get merged, the bp never gets marked as completed, and can't for $reasons_above
16:23 <stevemar> sounds like bad karma
16:23 <dolphm> stevemar: what is the bp?
16:23 <stevemar> https://blueprints.launchpad.net/keystone/+spec/abfab
16:24 <stevemar> dolphm, ^
16:24 <dolphm> oh, there's even a spec
16:25 <dstanek> stevemar: hey they already have this documented on the wiki - if they just submit a patch to point the docs to it they'd be all set
16:25 <dolphm> stevemar: my concern still stands - no one appears to be collaborating on the spec as a stakeholder. are there ANY other stakeholders?
16:26 <dolphm> morganfainberg: ^
16:27 <dolphm> we should add stakeholders to specs
16:27 <dolphm> as a list of contacts
16:31 *** sigmavirus24 is now known as sigmavirus24_awa
16:33 *** packet has joined #openstack-keystone
16:33 *** Bsony has quit IRC
16:35 <morganfainberg> Not a bad idea
16:35 <morganfainberg> dolphm:
16:36 <dolphm> morganfainberg: is there more than one stakeholder for ABFAB?
16:36 <breton> folks, I'm reading sources now and have a question. Is there any reason why we fetch token ref in AuthContextMiddleware but don't store it in request? It could be heavily reused in https://github.com/openstack/keystone/blob/master/keystone/common/controller.py#L677 for example
16:36 <morganfainberg> dolphm: not sure.
16:37 <morganfainberg> Can't brain, has no coffee yet.
16:37 <dolphm> breton: agree - i was hoping that was the direction that AuthContextMiddleware was going when it was introduced, but it stalled
16:38 <dolphm> breton: all it really accomplished was providing a venue for eliminating redundancy, and then i think just introduced more redundancy instead
16:38 <dolphm> a refactor would be suuuuuper appreciated
16:40 *** browne has joined #openstack-keystone
16:40 <breton> will it land in kilo if it appears in, say, a week?
16:48 *** gordc has quit IRC
16:49 *** harlowja_away is now known as harlowja
16:51 *** Swanson has joined #openstack-keystone
16:52 <dolphm> breton: no, feature freeze is basically tomorrow
16:53 <dolphm> breton: refactors blur the lines though - if it's addressing an actual issue you're experiencing beyond performance, it could land later
16:53 <dolphm> breton: start by filing a bug!
16:53 *** tqtran has joined #openstack-keystone
16:58 *** gordc has joined #openstack-keystone
17:00 <lbragstad> anyone else get this when running middleware locally? http://cdn.pasteraw.com/ozla7dsw8521wwai9ghyy5cniq6ddm2
17:01 <lbragstad> as referenced by the documentation?
17:01 <morganfainberg> breton: let's say that refactor should target liberty.
17:01 <lbragstad> https://github.com/openstack/keystonemiddleware/blob/master/keystonemiddleware/auth_token/__init__.py#L38
17:01 *** vhoward has left #openstack-keystone
17:01 <morganfainberg> dolphm: ^^
17:02 <morganfainberg> lbragstad: I've never tried to run __main__ of ksm.
17:02 *** roxanag_ has joined #openstack-keystone
17:03 <morganfainberg> lbragstad: that might have been broken in the module split up.
17:03 *** Bsony has joined #openstack-keystone
17:05 *** _cjones_ has quit IRC
17:06 *** amerine has joined #openstack-keystone
17:11 *** _cjones_ has joined #openstack-keystone
17:12 *** _cjones_ has quit IRC
17:14 *** jistr has quit IRC
17:15 *** _cjones_ has joined #openstack-keystone
17:16 <marekd> dstanek: well, they claim they tested it, so to some extent i might trust that it works... however if you feel that people more 'coupled' with Keystone team should look after it so.. i personally have no interest in supporting ABFAB
17:18 <openstackgerrit> OpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements  https://review.openstack.org/162350
17:24 <dstanek> marekd: i think that having it in tree implies that we support it to some extent
17:26 *** jbonjean has quit IRC
17:27 <marekd> dstanek: maybe you are right.
17:28 *** gokrokve has quit IRC
17:28 *** sigmavirus24_awa is now known as sigmavirus24
17:30 <ayoung> marekd, what previous patch do you refer to in your "ignore groups" review?
17:31 <ayoung> [federation] strict_group_mapping = {True,False}
17:31 <ayoung> ?
17:33 *** packet has quit IRC
17:33 <marekd> ayoung: yes.
17:33 <ayoung> marekd, so, not as a config option, but rather as something tagged on the mapping itself, sure
17:34 <ayoung> marekd, I would say that for the lists and matching, the assertions can change without Keystone being aware of it, and in that case, being strict will break something that worked before
17:35 <marekd> ayoung: is it ok if we merge what you proposed now, and we simply add another keyword in L?
17:35 <ayoung> so we need to be forgiving. If the user does an explicit match, it will work. It's just the blacklist that really gets broken, or regex
17:35 <ayoung> marekd, I think so
17:35 <ayoung> Since blacklist is just merged, it is not in heavy usage...
17:35 <marekd> ayoung: i don't want to have a headache with 'backwards compatibility' just because we already merged something and now there is a whole bunch of workarounds and deprecation warnings.
17:35 <ayoung> we are not going to be breaking production deployments
17:36 <marekd> ok, so we can extend this functionality in L
17:36 <ayoung> marekd, we are not opening up a security hole here. By dropping groups, we are not making use of that information.
17:37 <ayoung> marekd, and you see why I think it should be at the mapping level, not config for server?
17:37 <marekd> ayoung: true.
17:37 <marekd> ayoung: better flexibility for admins
17:37 <ayoung> yeah, the admin does have to go all one or the other
17:42 *** jaosorior has joined #openstack-keystone
17:43 *** afazekas has quit IRC
17:44 *** Ephur has joined #openstack-keystone
17:45 <morganfainberg> dstanek, mind updating: https://review.openstack.org/#/c/163172/4/keystone/tests/unit/test_v3_federation.py to have a real comment. i'd like to see that gate today if we want to keep the test.
17:47 <morganfainberg> lbragstad, jorge_munoz, dolphm, https://review.openstack.org/#/c/159229/ and https://review.openstack.org/#/c/164348/ - we need to focus on these today so we can get them gating. this is really important for fernet tokens. see my comment on the 2nd one to keep the scope really really narrow
17:48 <dstanek> morganfainberg: sure. i can jump on that in a few minutes
17:49 *** ChanServ changes topic to "High Priority Reviews: https://gist.github.com/dolph/651c6a1748f69637abd0 | Review the last two fernet token patches so they can gate today. | Kilo3 this week."
17:49 <morganfainberg> dstanek, i figure that is an easy one since it's just fix name/comment of the test as needed.
17:55 *** davechen_ has joined #openstack-keystone
17:55 *** csoukup has joined #openstack-keystone
17:55 *** gyee has joined #openstack-keystone
17:55 *** ChanServ sets mode: +v gyee
17:56 <dstanek> morganfainberg: what's a good name? s/_hack/_multiples/?
17:57 *** jbonjean has joined #openstack-keystone
17:57 <morganfainberg> dstanek, i think that works for me
17:57 <morganfainberg> dstanek, yeah.
17:58 <marekd> bknudson: dstanek morganfainberg: https://review.openstack.org/#/c/152156/ <--- do you mind taking a look (again) also on that one? I hope I addressed your comments, Marco also added some fixes here and there.
18:00 <bknudson> marekd: will add it to my list... I'm going to focus on the release-blocking reviews first, though.
18:00 <marekd> bknudson: ok
18:01 <morganfainberg> psssst meeting time.
18:02 *** gokrokve has joined #openstack-keystone
18:06 *** aix has quit IRC
18:06 <dstanek> morganfainberg: stevemar: does this make sense to you guys?
18:06 <dstanek> http://paste.openstack.org/show/192951/
18:07 <stevemar> dstanek, thought that was in context of a meeting, gimmie a sec
18:07 <jorge_munoz1> morganfainberg: Yes, addressing all of the comments on patch now. https://review.openstack.org/#/c/159229/.
18:07 <stevemar> dstanek, yeah, i'm okay with that
18:08 <openstackgerrit> David Stanek proposed openstack/keystone: Adds test for federation mapping list order issues  https://review.openstack.org/163172
18:09 *** krykowski has quit IRC
18:16 <openstackgerrit> Lance Bragstad proposed openstack/keystonemiddleware: Fix auth_token inline documentation.  https://review.openstack.org/165171
18:33 *** ajayaa has quit IRC
18:38 *** gokrokve has quit IRC
18:39 *** packet has joined #openstack-keystone
18:49 <openstackgerrit> Eric Brown proposed openstack/keystone: Replace exec calls with cryptography library  https://review.openstack.org/163088
18:52 *** lsmola has quit IRC
18:53 *** gokrokve has joined #openstack-keystone
18:53 <ayoung> browne, agreed: should not be in server, though, but in client
18:54 <ayoung> server code goes to certmonger, as it does cert lifecycle management
18:56 <browne> ayoung: sure, given the amount of work to port some of the other commands in openssl.py, I don't think it's worth the investment. I'll take more of a look at the keystoneclient
18:56 <ayoung> browne, so the code we really need to fix is here: http://git.openstack.org/cgit/openstack/python-keystoneclient/tree/keystoneclient/common/cms.py#n150
18:56 <browne> exactly
18:56 <browne> that's where the open file handles problem i was seeing
18:57 <ayoung> browne, does cryptography.py have full support for CMS now? There is ASN1 encoding involved
18:58 <browne> ayoung: technically it has bindings to all of openssl, but lacks convenience functions for things such as CMS. that's why it's a lot more work.
18:58 <ayoung> right
18:58 *** gordc has quit IRC
18:58 <ayoung> browne, we need message signing for OpenStack in general
18:58 <ayoung> Keystone is just the start, but we have no way of doing secure pub sub in general without PKI of some sort
18:58 <browne> ayoung, like an oslo lib?
18:59 <browne> i know nova also uses some openssl
18:59 <ayoung> nah, should be in cryptography.py
18:59 *** rushiagr is now known as rushiagr_away
18:59 <browne> yeah, true, better place for it
19:00 <jamielennox> morganfainberg: missed my no spec proposals :( - but no real rush on those
19:00 *** lhcheng is now known as lhcheng_afk
19:00 <morganfainberg> jamielennox, next week.
19:00 <morganfainberg> jamielennox, because k3
19:00 <morganfainberg> jamielennox, we can also discuss them here in channel
19:00 <morganfainberg> jamielennox, not at the meeting :)
19:00 <morganfainberg> (we've done that in the past)
19:01 <bknudson> I'm fine with both of those no-spec.
19:02 <jamielennox> morganfainberg, both are fairly trivial - just bknudson has started pulling me up on just implementing blueprints without going through the proper processes
19:03 <davechen_> morganfainberg: Is there any need to review the BP before proposing SPEC for 'L'?
19:03 <morganfainberg> jamielennox, let me read them real quick
19:03 <jamielennox> however i did throw up one full client spec: https://review.openstack.org/#/c/164582/ - it's a little more contentious
19:03 <morganfainberg> davechen_, nothing really unless you want to weigh in on fernet tokens :)
19:04 <morganfainberg> jamielennox, quick SDK non-compat change check-in
19:04 <morganfainberg> jamielennox, no progress right?
19:04 <davechen_> morganfainberg: yeah, i need some homework on the fernet token.
19:04 <jamielennox> morganfainberg: what?
19:04 <morganfainberg> jamielennox, when we said we want to break ksc
19:04 <morganfainberg> and were told "put that in SDK"
19:04 <morganfainberg> nothing has really been going on there, right?
19:05 * morganfainberg is unaware of any real forward momentum
19:05 * morganfainberg might be in the dark too
19:05 <jamielennox> oh, yep - i was trying to follow SDK but haven't for a bit - they're still going
19:05 * morganfainberg is likely hiding from a grue.
19:05 <jamielennox> ksc isn't going anywhere though, there is too much utility code in all these clients to just drop them in favour of SDK
19:06 <jamielennox> however if we breakout keystoneauth i expect they will consume it
19:07 <dolphm> jamielennox: is keystonemiddleware doing any special handling of uuid tokens that would break on fernet tokens?
19:07 <morganfainberg> dolphm, i hope not :P
19:07 <morganfainberg> jamielennox, ++
19:07 <jamielennox> dolphm: not that i can think of, the path is purely PKI or server handled
19:08 <jamielennox> and it tests PKI based on that MII prefix
19:08 <morganfainberg> jamielennox, or "PKIZ"
19:08 <jamielennox> true
19:09 <dolphm> jamielennox: hmmm... i'm getting 401's with PKI, PKIZ, and Fernet as of a couple days ago, but not with UUID
19:10 <jamielennox> it's not keystone returning the 401?
19:11 <dolphm> jamielennox: let me reproduce it again...
19:14 *** davechen_ has quit IRC
19:15 <dolphm> jamielennox: so, keystone returns a 404 Project Not found, but i get a 200 if i do it myself
19:15 <jamielennox> dolphm: real keystone?
19:15 <dolphm> jamielennox: /var/log/apache2/keystone-admin.error.log: WARNING keystone.common.wsgi [-] Could not find project: 3f99c7a2bb40425489650d04dadb5bff
19:16 <jamielennox> i've no idea why that would be
19:16 <dolphm> jamielennox: /var/log/apache2/echo.error.log: [error] WARNING:keystonemiddleware.auth_token:Authorization failed for token
19:16 <morganfainberg> dolphm, so you curl validate and it works, and ksm gets a project not found?
19:16 <morganfainberg> or curl validate fails too?
19:16 <dolphm> jamielennox: [error] WARNING:keystonemiddleware.auth_token:Identity response: {"error": {"message": "Could not find project: 3f99c7a2bb40425489650d04dadb5bff", "code": 404, "title": "Not Found"}}
19:16 *** packet has quit IRC
19:16 <bknudson> is that the service project?
19:16 <dolphm> bknudson: there is no service project in this deployment
19:16 <jamielennox> dolphm: also does it change against the v2 or v3 api?
19:16 <bknudson> or the token?
19:17 <bknudson> how does auth_token get a token?
19:17 <dolphm> bknudson: it's not really a deployment, it's just keystone and auth_token running
19:17 <bknudson> if only a token could be used to validate a token then auth_token wouldn't need its own token.
19:17 <dolphm> bknudson: auth_token gets a token with the password plugin: https://github.com/dolph/keystone-deploy/blob/master/playbooks/roles/http/templates/echo.py#L16-L23
19:18 <dolphm> bknudson: you can do that in policy :) haven't looked at the changes to keystonemiddleware to skip auth if none is required
19:18 <morganfainberg> dolphm, i think some minor code changes were needed too.
19:19 <jamielennox> well - a noop plugin would be fairly trivial
19:21 *** aix has joined #openstack-keystone
19:25 <lbragstad> morganfainberg: right, curl validate seems to pass fine,
19:26 <morganfainberg> lbragstad, hm.
19:26 *** henrynash has quit IRC
19:27 <morganfainberg> lbragstad, both on v2 and v3?
19:27 <morganfainberg> lbragstad, for curl.
19:28 <dolphm> jamielennox: is auth_token possibly failing to re-authenticate when it gets a 401 for its own token?
19:28 <lbragstad> morganfainberg: v3 for sure, and when I've had the v2 patch pulled down that works too. dolphm's auth_token config only runs with v3 though
19:29 <dolphm> lbragstad: my current theory is that auth_token's own token is invalid and keystone is mistakenly returning a 404 instead of a 401
19:29 <lbragstad> where does that code live?
19:29 <morganfainberg> we had a bug like that at one point
19:29 <dolphm> jamielennox: what does auth_token do now if it just doesn't get any auth_ config?
19:29 <lbragstad> the 404 project thing doesn't make sense to me, especially given the setUp is pretty straightforward
19:30 <jamielennox> lbragstad: more or less here: https://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/auth/identity/base.py#L128
19:30 <dolphm> lbragstad: you should come downstairs with your laptop and i'll blow your mind
19:30 *** _cjones_ has quit IRC
19:31 <jamielennox> dolphm: if it sees an auth plugin it'll ignore the old auth_ variables
19:31 <lbragstad> dolphm: sounds good, got a free desk down there?
19:31 <morganfainberg> dolphm, http://img.pandawhale.com/post-28553-Steve-Jobs-mind-blown-gif-HD-T-pVbd.gif
19:31 <dolphm> lbragstad: at the moment
19:31 <dolphm> lbragstad: Darren is in a meeting
19:32 *** henrynash has joined #openstack-keystone
19:32 *** ChanServ sets mode: +v henrynash
19:33 <dolphm> jamielennox: can i use the token plugin in auth_token?
19:33 <henrynash> dolphm: could you star this one for k3 (even with an FFE, I'd like to get this into k3 - and it has been extensively reviewed)
19:34 <henrynash> dolphm: https://review.openstack.org/#/c/159928/
19:34 <jamielennox> dolphm: token gives you like token auth
19:34 <dolphm> henrynash: done
19:34 <jamielennox> ugh, damnit i never finished the admin token one because OSC camped on the entrypoint
19:34 <dolphm> jamielennox: yeah, i mean token + endpoint
19:35 <dolphm> jamielennox: that might work around the issue i'm seeing, at least to test it
19:35 <henrynash> bknudson, stevemar, lbragstad: let's get this puppy in for k3 (https://review.openstack.org/#/c/159928/) - since then the domain config is fully functional, leaving only things like migration and notification beyond k3
19:35 <jamielennox> the plugin's there at ksc.auth.token_endpoint, but you might need to add an [entry_point] to it to expose it
19:35 *** roxanag_ has quit IRC
19:35 <henrynash> dolphm: thx
19:36 <morganfainberg> henrynash, as much as i'd like to say yes to that, the fernet token ones are the priority here.
19:36 <henrynash> morganfainberg: agree with that priority
19:36 <morganfainberg> henrynash, if i have to ask people to take time to review patches today, the fernet ones are the ones i'd like them to review.
19:36 <morganfainberg> henrynash, once those are ready then we can look at that one as well.
19:37 <henrynash> morganfainberg: ok, fair enough, guv
19:38 <dstanek> morganfainberg: lbragstad: one of them is WIP. do we need that one too?
19:38 <morganfainberg> dstanek, yes, we need that one as well, but just the first todo item, that one has way too much baked into it
19:38 <morganfainberg> dstanek, based on the commit message
19:38 <morganfainberg> dstanek, the basic token test should work with fernet,
19:39 <morganfainberg> dstanek, so "refactor parts of keystone/auth/ to work properly with both UUID and Fernet tokens"
19:39 <morganfainberg> the other todo items should be dropped to post k3
19:59 *** amakarov is now known as amakarov_away
20:00 <openstackgerrit> Brant Knudson proposed openstack/keystone: Update sample config file.  https://review.openstack.org/163654
20:03 <openstackgerrit> Brant Knudson proposed openstack/keystone: Cleanup tests don't keep engine  https://review.openstack.org/164340
20:04 *** samueldmq has quit IRC
20:04 *** topol has quit IRC
20:08 *** fifieldt has quit IRC
20:09 *** aix has quit IRC
20:12 *** samueldmq has joined #openstack-keystone
20:12 <openstackgerrit> Brant Knudson proposed openstack/keystone: Log when no external auth plugin registered  https://review.openstack.org/164439
20:17 *** diegows has joined #openstack-keystone
20:18 *** nkinder has quit IRC
20:20 *** nkinder has joined #openstack-keystone
20:21 <openstackgerrit> Jorge Munoz proposed openstack/keystone: Implement Fernet tokens for v2.0 tokens  https://review.openstack.org/159229
20:21 *** fifieldt has joined #openstack-keystone
20:25 *** r-daneel has quit IRC
20:25 *** aix has joined #openstack-keystone
20:31 *** _cjones_ has joined #openstack-keystone
20:32 <openstackgerrit> Jorge Munoz proposed openstack/keystone: Implement Fernet tokens for v2.0 tokens  https://review.openstack.org/159229
20:37 *** raildo is now known as raildo_away
20:38 *** _cjones_ has quit IRC
20:38 *** _cjones_ has joined #openstack-keystone
20:42 *** Bsony has quit IRC
20:42 *** boris-42 has quit IRC
20:43 <dstanek> lots-o-FFE
20:44 *** sigmavirus24 is now known as sigmavirus24_awa
20:47 <openstackgerrit> Dolph Mathews proposed openstack/keystone: remove expected backtrace from logs  https://review.openstack.org/165212
20:48 <lhcheng_afk> just curious, who's planning to use the reseller implementation?
20:48 *** lhcheng_afk is now known as lhcheng
20:48 <morganfainberg> dolphm, so i can duplicate the issue with KSM now...
20:48 <morganfainberg> it seems like something is wonky here.
20:49 <morganfainberg> and i don't know what.
20:51 <dolphm> morganfainberg: KSM?
20:51 <dolphm> morganfainberg: oh, 401's?
20:51 <morganfainberg> keystone middleware
20:51 <morganfainberg> yeah
20:52 <morganfainberg> something is getting bound up in there. but it's not clear what
20:52 <dolphm> morganfainberg: on that note, the patch i just posted above eliminates a ghost i was chasing
20:53 <morganfainberg> hah
20:53 <dolphm> morganfainberg: more to the point, i'm tracing my mysterious 401's back to invalid 404's in keystone on that line
20:54 <dolphm> morganfainberg: basically, keystone is getting exception.ProjectNotFound there for projects that certainly exist
20:54 <morganfainberg> dolphm, but lbragstad was saying a direct validate (basically don't do cleanup) worked
20:54 <stevemar> morganfainberg, dolphm osc is officially an 'official openstack' project, under the openstack governance and all, we will be holding elections too
20:54 <morganfainberg> where ksm was not?
20:54 <morganfainberg> dolphm, i haven't gotten to the next step which is run keystone-deploy w/o cleanup
20:55 <morganfainberg> then try a direct validate of the tokens.
20:55 *** mestery has quit IRC
20:55 *** _cjones_ has quit IRC
20:56 <dolphm> morganfainberg: i think i'm seeing a project name being passed as an ID - not sure where the mixup is occurring
20:56 <morganfainberg> dolphm, that is what i was thinking.
20:56 <morganfainberg> dolphm, you know, easy way to confirm that
20:56 <dolphm> morganfainberg: i just did the no-cleanup thing :)
20:56 <dolphm> morganfainberg: no luck
20:56 <dolphm> morganfainberg: ?
20:56 <morganfainberg> project-id = non-hex string
20:57 <morganfainberg> see if it still comes up at pnf with a non-id, id
20:57 <dolphm> morganfainberg: yeah, i'm seeing 'admin' being logged in the backtrace i deleted in that patch above
20:57 <morganfainberg> ah
20:57 <dolphm> jamielennox: did anything merge into keystonemiddleware / client recently that handled project IDs / names during auth?
20:58 <jamielennox> dolphm: i don't think so, the actual meat of auth_token hasn't changed significantly in a long time
20:59 *** mestery has joined #openstack-keystone
20:59 <jamielennox> unless bknudson's validate in client has gone through
20:59 <morganfainberg> dolphm, it should fail the same way w/ UUID and Fernet
20:59 <bknudson> validate in client?
20:59 <dolphm> jamielennox: what about in the client's plugins?
21:00 <jamielennox> dolphm: are you seeing it with attempting to authenticate the user, or authenticating a token?
21:00 <bknudson> https://review.openstack.org/#/q/project:openstack/keystonemiddleware+status:merged,n,z
21:00 <bknudson> not much there other than moving stuff around...
21:01 <dolphm> jamielennox: actually, in attempting to validate a token
21:01 <jamielennox> ok - so i don't think that'll be plugin related
21:01 <jamielennox> is it the auth_token user whose project is missing or the project in the token?
21:02 <dolphm> jamielennox: i take that back, it's a POST!
21:02 <dolphm> "POST /v3/auth/tokens HTTP/1.1" 401
21:02 <jamielennox> ah, crap
21:03 *** sigmavirus24_awa is now known as sigmavirus24
21:03 <jamielennox> still no ideas, just more likely it's my side
21:03 *** harlowja has quit IRC
21:03 <dolphm> jamielennox: well, i'm using the same user to both bootstrap keystone in my test suite as i am to validate tokens in auth_token
21:03 *** harlowja_ has joined #openstack-keystone
21:03 <dolphm> jamielennox: but it's not the user's token that is being validated
21:07 <jamielennox> dolphm: so taking that config file can you get a valid token from keystone
21:07 <jamielennox> without auth_token
21:08 <dolphm> morganfainberg: jamielennox: okay i'm going to stab myself. the name / ID swap was a mistake in MY code that i wrote specifically to debug basically the same backtrace
21:09 <jamielennox> lol, excellent - i thought i'd broken something important
21:17 *** _cjones_ has joined #openstack-keystone
21:20 *** iamjarvo has joined #openstack-keystone
21:21 <iamjarvo> http://pastie.org/private/yisdzgex6yl9eumcqbjudq this is happening after i reset my vagrant box. i can't figure out why. any ideas?
21:21 <iamjarvo> tokens match
21:28 *** arif-ali has quit IRC
21:29 <morganfainberg> dolphm, LOL
21:30 <morganfainberg> dolphm, aaaaannnyway
21:34 *** arif-ali has joined #openstack-keystone
21:39 *** mattfarina has quit IRC
21:40 *** _cjones_ has quit IRC
21:40 *** nellysmitt has quit IRC
21:40 <openstackgerrit> Lance Bragstad proposed openstack/keystone: Use existing token test for Fernet tokens.  https://review.openstack.org/164348
21:41 *** nellysmitt has joined #openstack-keystone
21:44 *** _cjones_ has joined #openstack-keystone
21:46 *** nellysmitt has quit IRC
21:47 <openstackgerrit> Merged openstack/python-keystoneclient: Split v3 authentication file into module  https://review.openstack.org/163259
21:48 <openstackgerrit> Merged openstack/python-keystoneclient: Extract BaseAuth out of Auth Plugin  https://review.openstack.org/163270
21:52 *** iamjarvo has quit IRC
21:52 *** gokrokve has quit IRC
21:54 *** chrisshattuck has joined #openstack-keystone
21:58 *** chrisshattuck has quit IRC
21:59 *** ayoung has quit IRC
22:04 *** chrisshattuck has joined #openstack-keystone
22:08 <openstackgerrit> Steve Martinelli proposed openstack/pycadf: update README.rst to include additional links  https://review.openstack.org/165232
22:09 *** harlowja_ has quit IRC
22:09 *** lhcheng has quit IRC
22:11 *** csoukup has quit IRC
22:11 *** harlowja has joined #openstack-keystone
22:14 *** sigmavirus24 is now known as sigmavirus24_awa
22:15 *** carlosmarin has quit IRC
22:19 *** henrynash has quit IRC
22:24 *** harlowja has quit IRC
22:24 *** harlowja_ has joined #openstack-keystone
22:26 *** pnavarro has joined #openstack-keystone
22:30 *** timcline has quit IRC
22:30 <openstackgerrit> Merged openstack/keystone: Ignore unknown groups in lists for Federation  https://review.openstack.org/162788
22:32 *** pnavarro has quit IRC
22:33 *** iamjarvo has joined #openstack-keystone
22:42 *** henrynash has joined #openstack-keystone
22:42 *** ChanServ sets mode: +v henrynash
22:43 *** samueldmq has quit IRC
22:45 *** lhcheng has joined #openstack-keystone
22:52 *** stevemar has quit IRC
22:54 *** zzzeek has quit IRC
22:59 *** chrisshattuck has quit IRC
23:09 *** dims has quit IRC
23:20 *** dims has joined #openstack-keystone
23:22 *** jaosorior has quit IRC
23:26 <openstackgerrit> Jamie Lennox proposed openstack/python-keystoneclient: Provide a generic auth plugin loader  https://review.openstack.org/162529
23:27 *** raildo has joined #openstack-keystone
23:29 *** Ephur has quit IRC
23:31 <openstackgerrit> Jamie Lennox proposed openstack/python-keystoneclient: Rename requests mock object in testing  https://review.openstack.org/164568
23:37 *** atiwari has quit IRC
23:42 *** nellysmitt has joined #openstack-keystone
23:45 *** chrisshattuck has joined #openstack-keystone
23:47 *** nellysmitt has quit IRC
23:50 *** david-lyle is now known as david-lyle_afk
23:52 <openstackgerrit> henry-nash proposed openstack/keystone: Support upload domain config files to database  https://review.openstack.org/160364
23:53 *** ayoung has joined #openstack-keystone
23:53 *** ChanServ sets mode: +v ayoung
