*** sigmavirus24 is now known as sigmavirus24_awa | 00:09 | |
*** iamjarvo has quit IRC | 00:10 | |
jamielennox | bknudson: right, i only figured it out when i tried to restrict an operation on the client side if there wasn't a sufficient api version | 00:16 |
bknudson | you can do that? | 00:16 |
jamielennox | bknudson: yep, implemented that a while ago for exactly this reason - doesn't help if the server doesn't advertise it though :( | 00:19 |
jamielennox | .get('/auth/projects', endpoint_filter={'service_type': 'identity', 'interface': 'public', 'version': (3, 3)}) | 00:19 |
jamielennox | will raise EndpointNotFound or something similar | 00:20 |
bknudson | neat | 00:20 |
bknudson | so we can put that in the auth manager, too? | 00:20 |
bknudson | client.auth.get_projects() | 00:21 |
jamielennox | if keystone wasn't advertising 3.0 for the last 2 years | 00:21 |
*** ncoghlan has joined #openstack-keystone | 00:21 | |
bknudson | we've also got JSON Home, but there's no client support for it yet. | 00:21 |
jamielennox | yea, i think we can do that with like get(resource='jsonhomeid', ...) instead of url, just haven't implemented it yet | 00:22 |
bknudson | where does the JSON Home document live? | 00:24 |
bknudson | client, session? | 00:24 |
jamielennox | i expect we'd treat it like we do with discovery now, cache it on both the client and the session | 00:25 |
jamielennox | it's a fairly static page | 00:25 |
*** dims has joined #openstack-keystone | 00:27 | |
*** Tahmina has quit IRC | 00:27 | |
*** iamjarvo has joined #openstack-keystone | 00:30 | |
*** iamjarvo has quit IRC | 00:30 | |
*** iamjarvo has joined #openstack-keystone | 00:30 | |
openstackgerrit | Merged openstack/keystone: Bump advertised API version to 3.4 https://review.openstack.org/168771 | 00:41 |
*** zzzeek has quit IRC | 00:44 | |
*** lhcheng has quit IRC | 00:57 | |
*** spandhe has quit IRC | 01:18 | |
*** henrynash has quit IRC | 01:21 | |
*** henrynash has joined #openstack-keystone | 01:21 | |
*** ChanServ sets mode: +v henrynash | 01:21 | |
*** mitz has quit IRC | 01:26 | |
*** nkinder has joined #openstack-keystone | 01:30 | |
*** mitz has joined #openstack-keystone | 01:36 | |
*** stevemar has joined #openstack-keystone | 01:39 | |
*** ChanServ sets mode: +v stevemar | 01:39 | |
*** tqtran has quit IRC | 01:45 | |
*** erkules has quit IRC | 01:49 | |
*** erkules_ has joined #openstack-keystone | 01:49 | |
*** edmondsw has quit IRC | 01:55 | |
*** samueldmq has quit IRC | 01:56 | |
*** jacer_huawei has quit IRC | 01:59 | |
openstackgerrit | Lance Bragstad proposed openstack/keystonemiddleware: Pull echo service out of auth_token. https://review.openstack.org/165171 | 02:02 |
*** dims has quit IRC | 02:07 | |
*** dims has joined #openstack-keystone | 02:08 | |
ayoung | jamielennox, we're getting close: https://review.openstack.org/#/c/151842/35 | 02:11 |
ayoung | Need Lin to push that one in | 02:11 |
ayoung | Or Mattias | 02:12 |
jamielennox | yep, the DOA part we can handle separately, just need the horizon forms | 02:13 |
jamielennox | the breakup is kinda dumb here, why the assets are handled by horizon and the routes by DOA - but whatever | 02:13 |
*** dims has quit IRC | 02:14 | |
ayoung | Heh | 02:17 |
ayoung | jamielennox, I was all ready to start hacking on the sssd thing we were talking about yesterday, but then I showed the devstack one working to nkinder and he said "don't touch it, I need it for a demo." | 02:18 |
*** _cjones_ has joined #openstack-keystone | 02:30 | |
*** ccard_ has joined #openstack-keystone | 02:32 | |
*** _cjones_ has quit IRC | 02:33 | |
*** _cjones_ has joined #openstack-keystone | 02:33 | |
*** ccard__ has quit IRC | 02:35 | |
*** lhcheng has joined #openstack-keystone | 02:41 | |
*** jacer_huawei has joined #openstack-keystone | 02:46 | |
*** iamjarvo has quit IRC | 02:58 | |
stevemar | ayoung, hehe | 03:05 |
stevemar | that would be a funny convo | 03:05 |
stevemar | jamielennox, btw, i tossed up new versions of the saml/ecp patches | 03:06 |
jamielennox | stevemar: ok | 03:06 |
*** harlowja_ is now known as harlowja_away | 03:07 | |
ayoung | stevemar, DOA patch? | 03:07 |
*** henrynash has quit IRC | 03:07 | |
ayoung | ECP... | 03:08 |
ayoung | doi | 03:08 |
stevemar | ayoung, naw, client | 03:09 |
stevemar | https://review.openstack.org/#/c/159022/ and https://review.openstack.org/#/c/168678/ if you're interested | 03:09 |
ayoung | stevemar, I realized that as I parsed ECP | 03:09 |
ayoung | I am...looks good | 03:09 |
*** henrynash has joined #openstack-keystone | 03:09 | |
*** ChanServ sets mode: +v henrynash | 03:09 | |
stevemar | ayoung, think it's worth adding support in the client for getting saml metadata? | 03:10 |
ayoung | I've looked at it before, but the real issue is that I won't really be able to evaluate it with out a functioning ECP setup. | 03:10 |
ayoung | stevemar, no idea | 03:10 |
ayoung | what is it needed for? | 03:10 |
ayoung | I was looking at the one on my Ipsilon box, and that was where I noticed the hostname != the IPadress | 03:11 |
ayoung | but beyond that... why would we not have support for the metadata? Isn't it kindof required to know where to go to get the assertion? | 03:11 |
*** bknudson has quit IRC | 03:16 | |
*** iamjarvo has joined #openstack-keystone | 03:41 | |
*** ayoung has quit IRC | 03:48 | |
*** iamjarvo has quit IRC | 03:51 | |
*** topol has joined #openstack-keystone | 03:52 | |
*** ChanServ sets mode: +v topol | 03:53 | |
*** ajayaa has joined #openstack-keystone | 03:56 | |
*** krtaylor has quit IRC | 04:11 | |
*** jasondotstar has quit IRC | 04:12 | |
*** krtaylor has joined #openstack-keystone | 04:14 | |
*** jasondotstar has joined #openstack-keystone | 04:14 | |
*** _cjones_ has quit IRC | 04:15 | |
*** _cjones_ has joined #openstack-keystone | 04:15 | |
*** drjones has joined #openstack-keystone | 04:16 | |
*** ajayaa has quit IRC | 04:19 | |
*** _cjones_ has quit IRC | 04:20 | |
*** drjones has quit IRC | 04:21 | |
*** spandhe has joined #openstack-keystone | 04:21 | |
*** spandhe_ has joined #openstack-keystone | 04:24 | |
*** spandhe has quit IRC | 04:26 | |
*** spandhe_ is now known as spandhe | 04:26 | |
*** lhcheng_ has joined #openstack-keystone | 04:39 | |
*** _cjones_ has joined #openstack-keystone | 04:41 | |
*** lhcheng has quit IRC | 04:42 | |
*** _cjones_ has quit IRC | 04:44 | |
breton | morning, keystoneers | 05:19 |
openstackgerrit | henry-nash proposed openstack/keystone: Refactor identity driver internal clean-up method names https://review.openstack.org/169169 | 05:26 |
*** topol has quit IRC | 05:47 | |
*** markvoelker has quit IRC | 05:48 | |
stevemar | jamielennox, if you have a minute, could you look at: https://review.openstack.org/#/c/159022/6/keystoneclient/v3/contrib/federation/saml.py | 06:01 |
jamielennox | stevemar: what headers would you be wanting from that? | 06:03 |
jamielennox | cause i agree, i would expect to just get a string | 06:03 |
stevemar | jamielennox, http://specs.openstack.org/openstack/keystone-specs/api/v3/identity-api-v3-os-federation-ext.html#generate-a-saml-assertion | 06:04 |
stevemar | in the response, there are also 2 headers that are useful | 06:04 |
jamielennox | stevemar: and you expect to use those? | 06:05 |
stevemar | jamielennox, well, they are accessible via the service_provider manager | 06:05 |
stevemar | so i guess they aren't super necessary | 06:05 |
jamielennox | i just assumed that you would have provided those | 06:06 |
stevemar | yeah, when the service provider is created | 06:06 |
jamielennox | maybe provide both | 06:07 |
jamielennox | do get_saml_assertion_details or something return a named tuple with all the elements, provide another method which just returns the body | 06:07 |
jamielennox | prefer you didn't return a raw response | 06:07 |
stevemar | ++ | 06:08 |
jamielennox | i've no idea how you expect them to be used as to what information you need from the request - maybe you only want to provide the method that returns the object | 06:10 |
stevemar | jamielennox, let me mull it over | 06:11 |
jamielennox | most managers return a resource, i don't think you want a resource here, but some form of object is normal | 06:12 |
stevemar | jamielennox, the more i think about, i don't think it's necessary to return the headers (saml details as you put it) | 06:18 |
jamielennox | stevemar: whatever you think | 06:18 |
stevemar | yeah, if someone wants it, we can revisit it | 06:19 |
*** markvoelker has joined #openstack-keystone | 06:19 | |
stevemar | so you would be against returning `resp.content`, you want it in some sort of an object? | 06:19 |
openstackgerrit | henry-nash proposed openstack/keystone: Remove unnecessary .driver. references in assignment manager https://review.openstack.org/169186 | 06:20 |
openstackgerrit | henry-nash proposed openstack/keystone: Refactor assignment driver internal clean-up method names https://review.openstack.org/169169 | 06:23 |
*** markvoelker has quit IRC | 06:26 | |
*** spandhe has quit IRC | 06:36 | |
*** ParsectiX has joined #openstack-keystone | 06:38 | |
openstackgerrit | Steve Martinelli proposed openstack/python-keystoneclient: Add support to create SAML assertion based on a token https://review.openstack.org/159022 | 06:43 |
jamielennox | stevemar: not against resp.content if it makes sense | 06:46 |
stevemar | jamielennox, cool - i think it does, latest PS should be good | 06:47 |
jamielennox | resp.text probably what you want | 06:47 |
stevemar | malrigt | 06:47 |
jamielennox | cya | 06:48 |
*** lhcheng_ has quit IRC | 06:48 | |
stevemar | just rebasing the later one, i'll go back and fix up the earlier one in 2 seconds | 06:48 |
*** jamielennox is now known as jamielennox|away | 06:49 | |
openstackgerrit | Steve Martinelli proposed openstack/python-keystoneclient: Add support to create ECP assertion based on a token https://review.openstack.org/168678 | 06:49 |
*** erkules_ is now known as erkules | 06:49 | |
*** erkules has quit IRC | 06:49 | |
*** erkules has joined #openstack-keystone | 06:49 | |
openstackgerrit | Steve Martinelli proposed openstack/python-keystoneclient: Add support to create SAML assertion based on a token https://review.openstack.org/159022 | 06:56 |
openstackgerrit | Steve Martinelli proposed openstack/python-keystoneclient: Add support to create ECP assertion based on a token https://review.openstack.org/168678 | 07:00 |
*** stevemar has quit IRC | 07:16 | |
*** markvoelker has joined #openstack-keystone | 07:22 | |
*** markvoelker has quit IRC | 07:27 | |
*** jaosorior has joined #openstack-keystone | 07:28 | |
*** rushiagr_away is now known as rushiagr | 07:30 | |
*** jistr has joined #openstack-keystone | 07:43 | |
*** rushiagr is now known as rushiagr_away | 07:47 | |
*** Ephur has quit IRC | 08:01 | |
*** ncoghlan has quit IRC | 08:11 | |
*** pnavarro|off has quit IRC | 08:22 | |
*** markvoelker has joined #openstack-keystone | 08:23 | |
*** lhcheng has joined #openstack-keystone | 08:24 | |
*** markvoelker has quit IRC | 08:27 | |
*** rushiagr_away is now known as rushiagr | 08:34 | |
-openstackstatus- NOTICE: CI Check/Gate pipelines currently stuck due to a bad dependency creeping in the system. No need to recheck your patches at the moment. | 08:53 | |
*** ChanServ changes topic to "CI Check/Gate pipelines currently stuck due to a bad dependency creeping in the system. No need to recheck your patches at the moment." | 08:53 | |
*** viktors has joined #openstack-keystone | 08:56 | |
*** rushiagr is now known as rushiagr_away | 08:57 | |
*** rushiagr_away is now known as rushiagr | 08:58 | |
*** krykowski has joined #openstack-keystone | 09:05 | |
*** afazekas has joined #openstack-keystone | 09:11 | |
openstackgerrit | Victor Sergeyev proposed openstack/keystone: Migrate_repo init version helper https://review.openstack.org/137640 | 09:11 |
openstackgerrit | Victor Sergeyev proposed openstack/keystone: Share engine between migration helpers. https://review.openstack.org/137778 | 09:11 |
openstackgerrit | Victor Sergeyev proposed openstack/keystone: Add index to the revocation_event.revoked_at. https://review.openstack.org/137639 | 09:11 |
openstackgerrit | Victor Sergeyev proposed openstack/keystone: Fix index name the assignment.actor_id table. https://review.openstack.org/137637 | 09:11 |
*** markvoelker has joined #openstack-keystone | 09:23 | |
*** markvoelker has quit IRC | 09:28 | |
*** lhcheng has quit IRC | 09:36 | |
*** jamielennox|away is now known as jamielennox | 09:41 | |
*** jamielennox is now known as jamielennox|away | 09:47 | |
*** dims has joined #openstack-keystone | 10:03 | |
*** topol has joined #openstack-keystone | 10:20 | |
*** ChanServ sets mode: +v topol | 10:20 | |
*** pnavarro|off has joined #openstack-keystone | 10:21 | |
*** markvoelker has joined #openstack-keystone | 10:24 | |
*** henrynash has quit IRC | 10:27 | |
*** markvoelker has quit IRC | 10:29 | |
*** samueldmq has joined #openstack-keystone | 10:35 | |
samueldmq | morning | 10:36 |
*** lhcheng has joined #openstack-keystone | 10:37 | |
*** lhcheng has quit IRC | 10:41 | |
boris-42 | jamielennox|away: ping | 10:59 |
boris-42 | anybody knows how to check is current user admin or not? | 10:59 |
boris-42 | just checking is it in admin project with admin role doesn't sound good=) | 10:59 |
samueldmq | boris-42, well, what gives the user the ability to do something is the *role* he has and how this role is used across the services' policies :) | 11:05 |
boris-42 | samueldmq: ya that creates issues =) | 11:06 |
boris-42 | samueldmq: if you don't want allow admin user to run some code | 11:06 |
samueldmq | boris-42, so basically you may have the admin role assigned to a user on a project/domain, and what makes him able to do anything is how you configure your policy | 11:06 |
boris-42 | samueldmq: ya I know | 11:06 |
samueldmq | boris-42, k, what's the problem you're trying to solve? | 11:07 |
boris-42 | samueldmq: I am working on Rally cleanup mechanism | 11:07 |
boris-42 | samueldmq: that works in next way list() resources -> delete all listed | 11:07 |
boris-42 | samueldmq: the issue is that we would like to support benchmarking from existing users (that passed end user, and not created by Rally) | 11:08 |
samueldmq | boris-42, so list any created projects, users, etc ... | 11:08 |
boris-42 | samueldmq: if user pass admin instead of non-admin it will list everything=) | 11:08 |
boris-42 | samueldmq: and will clean whole cloud=) | 11:08 |
samueldmq | boris-42, yes so you need to make sure what operations you required for your benchmarking | 11:08 |
samueldmq | boris-42, lets say for a specific one you need to CRUD users, ok? | 11:08 |
samueldmq | boris-42, before starting your benchmarking, make sure the user being used can do every operation you need | 11:09 |
boris-42 | samueldmq: so in such case we just use special names | 11:09 |
boris-42 | samueldmq: the most important thing that I would like to cover is cleanup step | 11:09 |
boris-42 | samueldmq: if some benchmark doesn't work because of policies it's not a big deal | 11:10 |
boris-42 | samueldmq: if I delete whole cloud that's the issue=) | 11:10 |
samueldmq | boris-42, ah, you get everything inside a domain when you list projects, users, etc ... | 11:10 |
boris-42 | samueldmq: yep if I list VMs from admin I will get all VMs from all tenants | 11:10 |
samueldmq | boris-42, so I'd say you create a new domain to create resources in, and then after that you just delete the whole domain, makes sense? | 11:10 |
boris-42 | samueldmq: hm domain?) | 11:10 |
boris-42 | samueldmq: any how to?) | 11:11 |
samueldmq | boris-42, yes users/groups/projects are created in a domain | 11:11 |
samueldmq | boris-42, ah this is for keystone, that means you can list users/projects/groups for a specific domain | 11:12 |
samueldmq | boris-42, for other resources (instances, etc) I am not sure, but I think you can list instances per project | 11:12 |
samueldmq | boris-42, makes sense? | 11:12 |
boris-42 | samueldmq: ya I think this is a good step of protection | 11:14 |
samueldmq | boris-42, yeah, if you're running in an existing cloud, I think it's better to create a new domain | 11:14 |
samueldmq | boris-42, to not mess up with the existing cloud | 11:15 |
samueldmq | boris-42, so if something unexpected occurs, it will be easy to do a manual cleanup | 11:15 |
*** tsufiev_ has joined #openstack-keystone | 11:15 | |
samueldmq | boris-42, gotta to go afk for a bit, I hope this helps :) | 11:15 |
boris-42 | samueldmq: thank you | 11:15 |
samueldmq | boris-42, np | 11:16 |
*** markvoelker has joined #openstack-keystone | 11:25 | |
*** hogepodge has quit IRC | 11:27 | |
*** markvoelker has quit IRC | 11:29 | |
*** ccard__ has joined #openstack-keystone | 11:32 | |
*** jistr is now known as jistr|english | 11:32 | |
*** jistr|english is now known as jistr|class | 11:33 | |
*** ccard_ has quit IRC | 11:35 | |
*** rushiagr is now known as rushiagr_away | 11:42 | |
*** tsufiev_ is now known as tsufiev | 11:42 | |
*** ChanServ changes topic to "High Priority Reviews: https://gist.github.com/dolph/651c6a1748f69637abd0 | Review RC Blocking Reviews. | RC Milestone: https://launchpad.net/keystone/+milestone/kilo-rc1" | 11:49 | |
-openstackstatus- NOTICE: Check/Gate unstuck, feel free to recheck your abusively-failed changes. | 11:49 | |
*** rushiagr_away is now known as rushiagr | 11:54 | |
*** pnavarro|off has quit IRC | 12:01 | |
*** iamjarvo has joined #openstack-keystone | 12:08 | |
*** iamjarvo has quit IRC | 12:08 | |
*** raildo|away is now known as raildo | 12:11 | |
*** pnavarro|off has joined #openstack-keystone | 12:14 | |
*** markvoelker has joined #openstack-keystone | 12:17 | |
*** dims has quit IRC | 12:25 | |
*** dims has joined #openstack-keystone | 12:25 | |
*** lhcheng has joined #openstack-keystone | 12:26 | |
*** lhcheng has quit IRC | 12:30 | |
*** bknudson has joined #openstack-keystone | 12:42 | |
*** ChanServ sets mode: +v bknudson | 12:42 | |
*** gordc has joined #openstack-keystone | 12:50 | |
*** jistr|class is now known as jistr | 12:58 | |
*** hogepodge has joined #openstack-keystone | 13:05 | |
samueldmq | dolphm, hi - you around? | 13:08 |
samueldmq | dolphm, I am getting some sentences from http://dolphm.com/hierarchical-multitenancy/, ok? | 13:08 |
*** nkinder has quit IRC | 13:12 | |
*** ayoung has joined #openstack-keystone | 13:23 | |
*** ChanServ sets mode: +v ayoung | 13:23 | |
*** blinky_ghost_ has joined #openstack-keystone | 13:26 | |
blinky_ghost_ | hi all, I'm trying to run command "keystone-user list" and I get this error: WARNING:keystoneclient.httpclient:Failed to retrieve management_url from token. This happens If I try to use username, password and tenant. If I use token the command will work. What I'm doing wrong? Thanks | 13:28 |
*** rushiagr is now known as rushiagr_away | 13:29 | |
*** Ephur has joined #openstack-keystone | 13:29 | |
blinky_ghost_ | it's working now my mistake :) | 13:42 |
samueldmq | blinky_ghost_, keystone user-list ? | 13:43 |
*** topol has quit IRC | 13:44 | |
*** topol has joined #openstack-keystone | 13:45 | |
*** ChanServ sets mode: +v topol | 13:45 | |
*** zzzeek has joined #openstack-keystone | 13:57 | |
*** nkinder has joined #openstack-keystone | 13:58 | |
*** sigmavirus24_awa is now known as sigmavirus24 | 13:59 | |
*** rushiagr_away is now known as rushiagr | 13:59 | |
openstackgerrit | Cyril Roelandt proposed openstack/python-keystoneclient: Print an error message when no tenant is specified https://review.openstack.org/148305 | 14:02 |
*** ayoung has quit IRC | 14:05 | |
*** gokrokve has joined #openstack-keystone | 14:06 | |
*** ParsectiX has quit IRC | 14:16 | |
*** henrynash has joined #openstack-keystone | 14:18 | |
*** ChanServ sets mode: +v henrynash | 14:18 | |
*** ayoung has joined #openstack-keystone | 14:18 | |
morganfainberg | Mornin. | 14:18 |
*** ChanServ sets mode: +v ayoung | 14:18 | |
*** timcline has joined #openstack-keystone | 14:21 | |
*** henrynash has quit IRC | 14:22 | |
*** timcline has quit IRC | 14:24 | |
*** timcline has joined #openstack-keystone | 14:24 | |
*** timcline_ has joined #openstack-keystone | 14:26 | |
*** viktors has quit IRC | 14:30 | |
*** timcline has quit IRC | 14:30 | |
*** carlosmarin has joined #openstack-keystone | 14:36 | |
*** mattfarina has joined #openstack-keystone | 14:36 | |
raildo | morganfainberg, morning :) | 14:38 |
*** jeffDeville has joined #openstack-keystone | 14:38 | |
raildo | morganfainberg, hey, I have a doubt. I want to propose a feature to inherited roles assignments below subdomains, I need to create a spec for this or just a blueprint can be enough to explain this? | 14:40 |
morganfainberg | Based on what you just described, I'd say spec | 14:46 |
raildo | morganfainberg, ok :) | 14:47 |
htruta | off-topic: hey, american guys... do you know if I need a US visa to make just a stop in the US? | 14:47 |
amakarov_away | morganfainberg, hi! I wonder if anything ever uses keystone middleware at all: revocation logic there still relies on the revoked token list - it looks... ancient :) | 14:49 |
*** amakarov_away is now known as amakarov | 14:50 | |
*** openstackgerrit_ has joined #openstack-keystone | 14:50 | |
morganfainberg | htruta: as in a layover? Don't take this as legal advice from me on this, but I think you don't need one for a layover/travel through airspace of the U.S. But let me do a quick search to see if I can help. | 14:51 |
*** ayoung has quit IRC | 14:51 | |
morganfainberg | htruta: if you're doing more than a layover and having to switch terminals and/or go through customs to do so, it depends on where you're from on the visa requirement. | 14:52 |
htruta | morganfainberg: I think it's not a layover, since I won't change the airplane | 14:52 |
morganfainberg | Oh airplane is landing and you just wait on the plane? | 14:52 |
htruta | morganfainberg: yes... that's it | 14:53 |
amakarov | htruta, I'm not an american guy, although afaik if you don't leave the transit zone you don't cross the US border | 14:54 |
htruta | I know that if I was going to switch terminals, I'd need at least the transit visa | 14:54 |
morganfainberg | htruta: http://travel.stackexchange.com/questions/4859/do-i-need-a-us-visa-to-change-planes-in-an-american-airport again don't assume legal advice | 14:54 |
htruta | amakarov, morganfainberg: ok. I think I'll contact the US consular to be sure | 14:56 |
morganfainberg | amakarov: the old code in ksm is for the token revocation list (list of all tokens revoked) and it is used for pki tokens. | 14:56 |
htruta | thank you guys | 14:57 |
*** Ephur has quit IRC | 14:57 | |
morganfainberg | htruta: it'll probably be a silly short convo and they'll say what that link says. But never hurts to ask them :) | 14:57 |
morganfainberg | amakarov: you should sync with jamielennox|away on the revocation event code that needs to go in ksm | 14:58 |
amakarov | morganfainberg, does this change need a spec? | 14:58 |
morganfainberg | amakarov: I think we have an approved spec for it already. | 14:58 |
htruta | morganfainberg: I'm just trying to convince myself that I don't need one. hehe. But I think I got nowhere to run. | 14:58 |
amakarov | morganfainberg, good, thanks for direction | 14:59 |
amakarov | jamielennox|away, hi! :) ^^ Can you please point me to the spec? | 14:59 |
morganfainberg | amakarov: I'm looking for the spec now ;) | 15:00 |
amakarov | morganfainberg, me too :) | 15:00 |
bknudson | spec for using revocation events in auth_token? | 15:00 |
morganfainberg | amakarov: I thought we had one. I think I am wrong | 15:01 |
morganfainberg | bknudson: yeah | 15:01 |
bknudson | revocation events in keystone were done before we were even using specs. | 15:01 |
morganfainberg | Ah right. | 15:02 |
morganfainberg | amakarov: yep a spec is going to be needed if one hasn't been lingering in gerrit. | 15:02 |
*** joesavak has joined #openstack-keystone | 15:03 | |
*** ayoung has joined #openstack-keystone | 15:04 | |
*** ChanServ sets mode: +v ayoung | 15:04 | |
*** dims has quit IRC | 15:05 | |
morganfainberg | bknudson: for the domain configs in sql, we should probably just enforce that the sql driver can't be used in per-domain setups. I don't see a real benefit to it. Since then your default is not domain aware. You could just override the default domains' config to be ldap instead of default everything to ldap except domain X | 15:05 |
*** Ephur has joined #openstack-keystone | 15:05 | |
*** dims_ has joined #openstack-keystone | 15:08 | |
bknudson | morganfainberg: seems like if you want to use sql at all you'd want it for your "base" domains and not the per-domains... | 15:08 |
bknudson | since ldap doesn't support multiple domains and sql does | 15:08 |
morganfainberg | bknudson: exactly. | 15:09 |
morganfainberg | bknudson: that would solve the per-domain issue you highlighted in Henry's review. | 15:09 |
bknudson | morganfainberg: yes, mostly. | 15:10 |
bknudson | still think you could get parts of an update in a different thread. | 15:10 |
morganfainberg | Not the reload issue itself. But at least the weird explode-y issues n | 15:10 |
bknudson | just won't allow having 2 sql | 15:10 |
morganfainberg | Oh you totally could get updates in different threads. You need to use optimistic db locking (same thing we do for the decrement of trust consumptions) | 15:11 |
morganfainberg | bknudson: but subqueries with optimistic locking won't work afaik | 15:12 |
*** jsavak has joined #openstack-keystone | 15:18 | |
openstackgerrit | ayoung proposed openstack/keystone-specs: certmonger https://review.openstack.org/134099 | 15:19 |
*** joesavak has quit IRC | 15:21 | |
*** zigo__ is now known as zigo | 15:23 | |
lbragstad | ayoung: have you done anything with dolphm's keystone-deploy stuff on Centos/Fedora/RH? | 15:25 |
ayoung | lbragstad, no | 15:25 |
ayoung | lbragstad, What I tend to do, beyond Devstack, is RDO related | 15:26 |
ayoung | usually packstack | 15:26 |
lbragstad | ayoung: ok, well in case you want to test it out, I attempted to add support for it https://github.com/dolph/keystone-deploy/pull/7 | 15:26 |
ayoung | lbragstad, I have worked through deploying using Puppet in a manual (non installer driven approach) | 15:26 |
ayoung | very cool | 15:26 |
lbragstad | ayoung: it seems to work on Centos 7 | 15:27 |
ayoung | lbragstad, what does it use as the base? Git checkout from tag? | 15:27 |
lbragstad | ayoung: but it will need some work still if dolphm wants to incorporate the "daily" build into the README.md results | 15:27 |
ayoung | Ah | 15:27 |
lbragstad | ayoung: yes, it deploys from source | 15:27 |
lbragstad | ayoung: straight up vanilla/default | 15:28 |
ayoung | playbooks...is that Ansible? | 15:28 |
lbragstad | ayoung: yep | 15:28 |
ayoung | lbragstad, I might just have to mess around with that myself... | 15:28 |
ayoung | it will be much more stable than devstack | 15:29 |
lbragstad | ayoung: please do and feel free to leave comments | 15:29 |
*** krykowski has quit IRC | 15:29 | |
ayoung | how does this align with the Ansible OpenStack efforts? | 15:29 |
*** stevemar has joined #openstack-keystone | 15:29 | |
*** ChanServ sets mode: +v stevemar | 15:29 | |
*** spandhe has joined #openstack-keystone | 15:30 | |
lbragstad | ayoung: the os-ansible-deployment https://github.com/stackforge/os-ansible-deployment ? | 15:31 |
ayoung | yeah | 15:31 |
ayoung | lbragstad, TBH, I would love to be able to replace devstack with ansible.... | 15:31 |
lbragstad | ayoung: not real sure, I know we have a bunch of people here at Rax that work with it | 15:31 |
lbragstad | ayoung: they all hangout in #openstack-ansible | 15:32 |
*** spandhe_ has joined #openstack-keystone | 15:33 | |
ayoung | cool | 15:33 |
*** spandhe has quit IRC | 15:34 | |
*** spandhe_ is now known as spandhe | 15:34 | |
openstackgerrit | Morgan Fainberg proposed openstack/keystone: Add in further token validation in v3_auth tests https://review.openstack.org/164026 | 15:34 |
*** atiwari has joined #openstack-keystone | 15:35 | |
morganfainberg | ayoung: added comments to your policy check. | 15:37 |
ayoung | morganfainberg, thanks. I was just reading them. I'll try to make the code as clear as possible. | 15:38 |
morganfainberg | ayoung: I think it is good but I'd like one more test to clearly show an expected behavior. | 15:38 |
ayoung | Agreed | 15:38 |
morganfainberg | Some comments I think would clear the rest of the stuff up. | 15:38 |
morganfainberg | It wasn't too bad. And I think gerrit is rendering indent issues that aren't there :( | 15:39 |
*** jeffDeville has quit IRC | 15:40 | |
*** thedodd has joined #openstack-keystone | 15:40 | |
*** henrynash has joined #openstack-keystone | 15:44 | |
*** ChanServ sets mode: +v henrynash | 15:44 | |
*** mestery has quit IRC | 15:45 | |
*** jeffDeville has joined #openstack-keystone | 15:46 | |
dstanek | ayoung: lbragstad: my new dev environment used their ansible playbooks instead of devstack | 15:55 |
lbragstad | dstanek: ++ | 15:56 |
lbragstad | dstanek: I'm using dolphm's keystone-deploy stuff exclusively if I don't need any other services. | 15:56 |
bknudson | why would anybody need anything other than keystone? | 15:57 |
raildo | henrynash, hey, I answered your question in the reseller patches :) | 15:57 |
raildo | dstanek, for you too https://review.openstack.org/#/c/158720/ :) | 15:57 |
*** bdossant has joined #openstack-keystone | 15:58 | |
dstanek | raildo: responded inline | 15:59 |
*** samueldmq_ has joined #openstack-keystone | 16:03 | |
*** mestery has joined #openstack-keystone | 16:03 | |
*** lhcheng has joined #openstack-keystone | 16:03 | |
*** _cjones_ has joined #openstack-keystone | 16:05 | |
raildo | dstanek, thanks :) | 16:06 |
openstackgerrit | Alexander Makarov proposed openstack/keystone-specs: Revocation events for keystonemiddleware https://review.openstack.org/169399 | 16:07 |
*** lhcheng has quit IRC | 16:08 | |
*** jistr has quit IRC | 16:09 | |
amakarov | morganfainberg, ^^. What if spec is to implement completed blueprint? https://blueprints.launchpad.net/keystone/+spec/revocation-events | 16:09 |
amakarov | Does the blueprint need to be reopened somehow? | 16:10 |
*** bdossant has quit IRC | 16:18 | |
*** jeffDeville has quit IRC | 16:29 | |
samueldmq | morganfainberg, updated the keystone meeting page with a topic for hierarchical projects on horizon | 16:30 |
samueldmq | morganfainberg, I added a new section 3/31, since the agenda from the last meeting has not been cleaned up yet | 16:31 |
morganfainberg | Yeah sounds good. | 16:31 |
morganfainberg | Thanks. | 16:31 |
morganfainberg | amakarov: need one for keystone middleware. | 16:32 |
morganfainberg | Should be straightforward. | 16:32 |
amakarov | morganfainberg, I'll file a new blueprint with a link to completed one | 16:32 |
*** spandhe has quit IRC | 16:35 | |
openstackgerrit | Alexander Makarov proposed openstack/keystone-specs: Revocation events for keystonemiddleware https://review.openstack.org/169399 | 16:39 |
*** jeffDeville has joined #openstack-keystone | 16:41 | |
*** jeffDeville has quit IRC | 16:42 | |
*** henrynash has quit IRC | 16:42 | |
openstackgerrit | Steve Martinelli proposed openstack/python-keystoneclient: Add support to create SAML assertion based on a token https://review.openstack.org/159022 | 16:43 |
*** harlowja_away is now known as harlowja_ | 16:45 | |
*** jeffDeville has joined #openstack-keystone | 16:46 | |
openstackgerrit | Steve Martinelli proposed openstack/python-keystoneclient: Add support to create ECP assertion based on a token https://review.openstack.org/168678 | 16:47 |
*** lhcheng has joined #openstack-keystone | 16:51 | |
*** dims_ has quit IRC | 16:51 | |
*** dims_ has joined #openstack-keystone | 16:51 | |
openstackgerrit | Merged openstack/keystone: Update configuration documentation for domain config https://review.openstack.org/165754 | 17:01 |
stevemar | 12 bugs and 1 bp left! | 17:05 |
*** tqtran has joined #openstack-keystone | 17:09 | |
*** haneef has joined #openstack-keystone | 17:17 | |
openstackgerrit | ayoung proposed openstack/oslo.policy: Lists for Generic Checks https://review.openstack.org/169045 | 17:20 |
*** carlosmarin has quit IRC | 17:24 | |
dstanek | stevemar: stupid jenkins! | 17:25 |
openstackgerrit | Alexander Makarov proposed openstack/keystonemiddleware: Validate tokens against revocation events https://review.openstack.org/169438 | 17:27 |
*** carlosmarin has joined #openstack-keystone | 17:29 | |
*** henrynash has joined #openstack-keystone | 17:29 | |
*** ChanServ sets mode: +v henrynash | 17:29 | |
rodrigods | ayoung, just a couple of nits there ^ | 17:30 |
openstackgerrit | ayoung proposed openstack/oslo.policy: Lists for Generic Checks https://review.openstack.org/169045 | 17:36 |
ayoung | morganfainberg, for dynamic policy, since there are so many subordinate specs, does it make sense to have one blueprint, and then each of the pieces set as to_do items on it? Top level spec is the overview? Or do you need one BP per spec for tracking reasons? | 17:41 |
stevemar | dstanek, it should be all better now, no? | 17:42 |
dstanek | stevemar: i'm hopig | 17:42 |
*** ayoung is now known as hopig | 17:43 | |
hopig | no I'm hopig@ | 17:43 |
*** hopig is now known as ayoung | 17:43 | |
stevemar | hue hue | 17:43 |
dstanek | :-P | 17:43 |
ayoung | Pretty sure hopig is a pokemon | 17:44 |
ayoung | I'll ask my son | 17:45 |
morganfainberg | ayoung: I think we need a bp-per spec for release tracking purposes. | 17:45 |
ayoung | morganfainberg, OK. Will do | 17:45 |
morganfainberg | stevemar: we should be ready to cut rc next week. So we need to crank on the bugs. | 17:45 |
rodrigods | ayoung, there is another extra space after a dot | 17:46 |
ayoung | morganfainberg, since we graduated oslo to a library on an oslo BP, should I repurpose this one for just the "fetch from keystone" part https://blueprints.launchpad.net/keystone/+spec/policy-enforcement-library | 17:46 |
ayoung | rodrigods, ignore those please for the love of .... | 17:46 |
raildo | hahaha | 17:46 |
morganfainberg | Sure. Or create a new one and mark that superseded. | 17:46 |
morganfainberg | ayoung: whatever is easiest for you on that front. | 17:46 |
ayoung | morganfainberg, that one was trying to do too much...I repurpose. | 17:46 |
rodrigods | ayoung, I'll think about it... | 17:46 |
raildo | ayoung, for the love of rodriGODS | 17:46 |
stevemar | ha! | 17:47 |
morganfainberg | ayoung: I still see a test I'd like to see with policy. I'll post up the test in a paste and get feedback. | 17:47 |
ayoung | morganfainberg, sure. more testst gooder | 17:48 |
morganfainberg | ayoung: comments make it a lot easier to see what you are doing. I don't like the token fixture being copied in there. We might want to rely on ksc as a test-requires? And use the common fixture (or we need to get the token fixture someplace sane we don't have to remember to update everywhere) | 17:49 |
ayoung | morganfainberg, Nah. I just wanted a non-trivial fixture. In KSC, it reads from JSON etc. | 17:49 |
morganfainberg | But making oslo rely on ksc for a test would be bad. | 17:49 |
ayoung | Really, we should be working to make policy non-keystone specific. Just this shows an application of it | 17:49 |
ayoung | I'd love to get rid of the role check as a specific check, and use the generic in its place | 17:50 |
morganfainberg | ayoung: sure. Just the copy/paste token implies that is the right way to do it. | 17:50 |
morganfainberg | Oh. We could move role check to keystone. Neutron has a custom check they define. | 17:50 |
*** iamjarvo has joined #openstack-keystone | 17:50 | |
ayoung | morganfainberg, link? | 17:51 |
ayoung | I'll find it... | 17:51 |
morganfainberg | Will go hunting post meeting. | 17:51 |
ayoung | OwnerCheck | 17:52 |
ayoung | http://git.openstack.org/cgit/openstack/neutron/tree/neutron/policy.py#n230 | 17:52 |
ayoung | http://git.openstack.org/cgit/openstack/neutron/tree/neutron/policy.py#n319 | 17:52 |
ayoung | Those are good things...and it almost seems like they should go into Oslo | 17:52 |
ayoung | There are also some scary things in their policy.py | 17:53 |
bknudson | I might have asked neutron folks to try to get these things into oslo.policy. | 17:53 |
bknudson | came up in an oslo meeting | 17:54 |
ayoung | bknudson, ++ | 17:54 |
bknudson | looks like they haven't switched to oslo.policy yet. | 17:54 |
bknudson | still using from neutron.openstack.common import policy | 17:55 |
ayoung | um...wow. | 17:57 |
ayoung | Not sure I can unsee some of that | 17:57 |
bknudson | you can't un-see it. | 17:57 |
bknudson | never know what you'll see when you look into the abyss. | 17:57 |
*** spandhe has joined #openstack-keystone | 17:59 | |
*** timcline_ has quit IRC | 18:01 | |
*** timcline has joined #openstack-keystone | 18:01 | |
*** topol has quit IRC | 18:04 | |
*** jamielennox|away is now known as jamielennox | 18:04 | |
morganfainberg | bknudson: I *may* have known what I was sending ayoung to go look at *evilgrin* | 18:08 |
*** edmondsw has joined #openstack-keystone | 18:17 | |
sigmavirus24 | yeah morganfainberg I saw that previously as well | 18:18 |
morganfainberg | sigmavirus24: :P | 18:18 |
*** packet has joined #openstack-keystone | 18:24 | |
stevemar | i think they are intending to move to oslo.policy in L right? | 18:26 |
openstackgerrit | OpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements https://review.openstack.org/166437 | 18:32 |
openstackgerrit | ayoung proposed openstack/keystone: Group role revocation invalidates all user tokens https://review.openstack.org/141854 | 18:34 |
*** samueldmq_ has quit IRC | 18:40 | |
*** afazekas has quit IRC | 18:43 | |
stevemar | ayoung, if you're using devstack, DOA isn't cloned from master, it installs the latest release | 18:50 |
jamielennox | stevemar: so is the hockey still going to be running in Vancouver by summit time? | 18:51 |
ayoung | stevemar, I know, I cloned and python setup.py develop | 18:51 |
ayoung | jamielennox, it is Canada. The Hockey is everlasting | 18:51 |
jamielennox | i *think* he's joking | 18:52 |
*** jaosorior has quit IRC | 18:52 | |
bknudson | http://canucks.nhl.com/club/schedule.htm | 18:52 |
morganfainberg | . | 18:52 |
bknudson | don't start calling everyone a canuck. | 18:52 |
jamielennox | damn, finished before summit | 18:53 |
*** stevemar has quit IRC | 18:54 | |
ayoung | 'Token' object has no attribute 'is_federated' | 18:54 |
ayoung | jamielennox, that is the NHL. So, yeah, that will be over | 18:54 |
iamjarvo | so i am trying to use the authtoken based flow and I am getting an unauthorized error. http://pastie.org/private/lmzsuxopkw1ptxdt8lyw the users find is failing | 18:54 |
ayoung | iamjarvo, not TOKEN | 18:55 |
ayoung | you was Service token | 18:55 |
*** henrynash has quit IRC | 18:55 | |
ayoung | The way you are calling it, it is trying to use a keystone token issued from the server, but 'exit' is ADMIN_TOKEN from your conf file, no? | 18:55 |
iamjarvo | yea exit is the token in the conf | 18:56 |
jamielennox | ayoung: he's using endpoint= though - i think that would actually work | 18:56 |
jamielennox | but i can't remember, old options are hard | 18:56 |
iamjarvo | old options? | 18:56 |
morganfainberg | ayoung: I'm going to make bootstrap a keystone-manage thing here next cycle. Admin-token causes weird side effects. | 18:56 |
jamielennox | :) | 18:56 |
jamielennox | iamjarvo: not using session/plugin - the equivalent would be | 18:57 |
ayoung | iamjarvo, https://review.openstack.org/#/c/82687/20/examples/scripts/initialize_keystone.py,cm | 18:57 |
jamielennox | from keystoneclient.auth import token_endpoint | 18:57 |
jamielennox | from keystoneclient import session | 18:57 |
jamielennox | a = token_endpoint.Token(token=TOKEN, endpoint=ENDPOINT) | 18:57 |
ayoung | You are correct: | 18:57 |
ayoung | endpoint_plugin = token_endpoint.Token( | 18:57 |
ayoung | endpoint=OS_SERVICE_ENDPOINT, | 18:57 |
ayoung | token=OS_SERVICE_TOKEN) | 18:57 |
jamielennox | s = session.Session(auth=a) | 18:57 |
jamielennox | c = client.Client(session=s) | 18:58 |
*** amakarov is now known as amakarov_away | 18:58 | |
ayoung | morganfainberg, ++ agreed, but we can't kill it since so much automation depends on it. | 18:59 |
ayoung | Getting the EOL papers filed though would be good. | 18:59 |
*** _cjones_ has quit IRC | 19:00 | |
jamielennox | morganfainberg, bknudson: so i was trying to resurrect the pecan patch, jsonhome makes an absolute mess and i don't know if i can replicate it exactly | 19:02 |
bknudson | jamielennox: does pecan support GET /v3 ? | 19:03 |
bknudson | what's the issue? | 19:03 |
iamjarvo | ayoung jamielennox tried this and getting The request you have made requires authentication. | 19:03 |
iamjarvo | here is the pastie http://pastie.org/private/beraj210768kty2ixn6jw | 19:03 |
jamielennox | bknudson: so pecan uses thread locals for everything, i can't make the GET / issue a GET /v3 call because it trashes the local state | 19:03 |
ayoung | iamjarvo, did you modify keystone-paste.ini? There is a middleware piece in there that is enabled by default to let in the admin token. If it is removed, it disables ADMIN_TOKEN login | 19:04 |
jamielennox | there is also a test there that says "if the accept type isn't known you should just return json" which i can probably get around but is just a bug IMO | 19:04 |
*** stevemar has joined #openstack-keystone | 19:04 | |
*** ChanServ sets mode: +v stevemar | 19:04 | |
bknudson | jamielennox: probably don't need to have GET / call GET /v3... the resources all have to be registered, so maybe GET / reads the registry like GET /v3 does. | 19:04 |
jamielennox | bknudson: the problem is that middleware is expanding the references | 19:05 |
bknudson | if the accept type isn't known the server should respond with 406 Not Acceptable | 19:05 |
jamielennox | so the main controller adds the routers it knows about and then each piece of middleware expands them as it goes out | 19:05 |
jamielennox | it's ugly - but clever | 19:05 |
iamjarvo | looks like its there http://cl.ly/image/3k1i151x1d0U | 19:06 |
iamjarvo | it was working at one point | 19:06 |
bknudson | jamielennox: one of the reasons JSON home was written the way it was because of extensions, and if we don't have that anymore we can just hard-code JSON Home doc. | 19:07 |
jamielennox | bknudson: yep, i want to fix that test to be a 406 and generally make the server enforce content types better - this is one of the pecan advantages IMO | 19:07 |
jamielennox | bknudson: sure, but that involves ripping up a lot of the paste pipeline | 19:07 |
jamielennox | which i think is a great idea, just not the relatively subtle change i was hoping this first patch to be | 19:08 |
*** stevemar has quit IRC | 19:08 | |
*** stevemar has joined #openstack-keystone | 19:08 | |
*** ChanServ sets mode: +v stevemar | 19:08 | |
iamjarvo | i am using ldap if that makes a diff | 19:11 |
*** diegows has joined #openstack-keystone | 19:11 | |
bknudson | jamielennox: HTTP doc actually says servers are allowed to sent back a response that doesn't match the accept. | 19:13 |
*** spandhe has quit IRC | 19:13 | |
bknudson | so 406 is not required. | 19:13 |
jamielennox | bknudson: that's annoying, i'm sure there must be a way around that part anyway, pecan is actually fairly strict on what it will let you do in terms of http violations | 19:14 |
*** rushiagr is now known as rushiagr_away | 19:14 | |
jamielennox | bknudson: so i would like this to be a start of us moving all those extensions into config rather than paste pipeline, i just need a way around the jsonhome stuff for now | 19:15 |
jamielennox | maybe i just drop it all as a static blob with a FIXME on it for now | 19:16 |
*** jsavak has quit IRC | 19:16 | |
*** blinky_ghost_ has quit IRC | 19:19 | |
dstanek | is anyone working on https://bugs.launchpad.net/keystone/+bug/1435174 ? | 19:22 |
openstack | Launchpad bug 1435174 in Keystone "SSLTestCase errors when building Debian package" [Medium,Triaged] | 19:22 |
stevemar | dstanek, i took a look at it, not much else | 19:23 |
dstanek | i was planning on seeing if i could reproduce, but i didn't want to waste the time if someone was already working on it | 19:24 |
*** spandhe has joined #openstack-keystone | 19:28 | |
jamielennox | https://etherpad.openstack.org/p/from-zero-to-atc keystone is on the "Small and lean" project list :p | 19:29 |
iamjarvo | ayoung jamielennox any tips on debugging? | 19:29 |
jamielennox | iamjarvo: sorry, i wasn't following i though ayoung had you - where did you get up to | 19:30 |
iamjarvo | so i tried the pastie http://pastie.org/private/beraj210768kty2ixn6jw and verified the keystone.ni had the auth stuff | 19:30 |
jamielennox | iamjarvo: so the picture you posted earlier is just a pointer to where the middleware lives, you need to ensure that admin_token_auth is in the pipeline | 19:33 |
jamielennox | but it is by default so i assume that's ok | 19:33 |
jamielennox | iamjarvo: what is the keystone log telling you? | 19:34 |
*** spandhe has quit IRC | 19:35 | |
iamjarvo | bottom of log "2015-03-31 19:36:50.494388 17431 WARNING keystone.common.controller [-] Invalid token found while getting domain ID for list request | 19:37 |
iamjarvo | 2015-03-31 19:36:50.496410 17431 WARNING keystone.common.wsgi [-] Authorization failed. The request you have made requires authentication." | 19:37 |
iamjarvo | i see this 2015-03-31 19:36:50.437095 17431 WARNING keystone.common.controller [-] RBAC: Bypassing authorization | 19:37 |
stevemar | dstanek, the SSL bug seemed like an issue with an external lib | 19:38 |
dstanek | stevemar: that's what i was figuring - lot of SSL churn recently | 19:39 |
jamielennox | iamjarvo: ah, ok so off the top of my head if you list users without specifying a domain then it lists projects in the same domains as the token is in, because you are using an ADMIN token there is no domain | 19:39 |
jamielennox | (someone confirm that ^ ?) | 19:40 |
jamielennox | iamjarvo: what happens if you specify domain='default' in your list() | 19:41 |
iamjarvo | i think you are correct | 19:41 |
jamielennox | (assuming the default domain because of devstack) | 19:41 |
iamjarvo | so like this? c.users.list(domain='default') | 19:41 |
jamielennox | right | 19:41 |
jamielennox | iamjarvo: if that works (which it may not if you are using ldap) we'll see if it works with find() | 19:44 |
iamjarvo | jamielennox this passes user = c.users.list(domain='default', name='cloud_admin'); but this fails c.users.find(domain='default', name='cloud_admin') | 19:45 |
jamielennox | the CRUD commands are horrible :) | 19:45 |
iamjarvo | find raises the auth error | 19:46 |
jamielennox | if you turn on debug what URL is it actually hitting? | 19:46 |
ayoung | morganfainberg, it was your fault | 19:46 |
ayoung | self.identity_api.emit_invalidate_user_token_persistence(user_id) | 19:46 |
ayoung | the double revoke of the tokens? | 19:46 |
iamjarvo | 192.168.10.5:35357/v3 | 19:49 |
iamjarvo | jamielennox ^ | 19:49 |
jamielennox | iamjarvo: it should tell you the whole URL | 19:49 |
jamielennox | like /v3/projects?domain=xx | 19:50 |
iamjarvo | jamielennox ahh sorry how does debug get turned on? | 19:50 |
jamielennox | oh, um script | 19:50 |
jamielennox | try logging.basicConfig(level=logging.DEBUG) | 19:50 |
iamjarvo | jamielennox http://192.168.10.5:35357/v3/users?domain=default&name=cloud_admin | 19:52 |
jamielennox | iamjarvo: is find or list? i'm just wondering why they are different | 19:53 |
iamjarvo | list | 19:54 |
morganfainberg | ayoung, actually i think someone also refactored some of that too | 19:54 |
iamjarvo | the one that works | 19:54 |
jamielennox | so what does find do? | 19:54 |
iamjarvo | http://pastie.org/private/rp8cfi6mdq3gc8s0eoeldw | 19:54 |
ayoung | morganfainberg, so the issue is that we emit "revoke all tokens for this user" all over the place | 19:54 |
morganfainberg | ayoung, yep. we sure do | 19:54 |
iamjarvo | jamielennox comparison of find and list in the pastie | 19:55 |
jamielennox | iamjarvo: oh ok | 19:55 |
ayoung | morganfainberg, including places where, with the revoke API, we do explicit revokes | 19:55 |
jamielennox | iamjarvo: so list() knows how to handle domains: https://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/v3/users.py#L106 and it converts a domain object into a domain_id for you | 19:56 |
morganfainberg | ayoung, it is partly because of the compat of token revocation list | 19:56 |
ayoung | /opt/stack/keystone/keystone/assignment/controllers.py(187)remove_role_from_user() | 19:56 |
jamielennox | iamjarvo: so it will rename the domain='default' to domain_id='default' | 19:56 |
jamielennox | iamjarvo: if you use find you would need to specify domain_id='default' | 19:56 |
morganfainberg | ayoung, almost all of those were already cases we did revokes, and therefore we needed to continue to issue them :( | 19:56 |
iamjarvo | jamielennox thanks man | 19:56 |
ayoung | http://git.openstack.org/cgit/openstack/keystone/tree/keystone/assignment/core.py#n380 | 19:56 |
iamjarvo | so helpful | 19:57 |
morganfainberg | ayoung, it's all part of digging ourselves out of the TRL | 19:57 |
iamjarvo | i will have to dig into the source some more | 19:57 |
jamielennox | iamjarvo: anytime | 19:57 |
ayoung | the logic before was "if revoke_by_id" | 19:57 |
*** gokrokve_ has joined #openstack-keystone | 19:57 | |
morganfainberg | ayoung, yes. we historically did a revoke *ALL* whenever a role changed | 19:57 |
morganfainberg | because scrubbing through the token table to find any token with a given role is a non-starter | 19:57 |
morganfainberg | since it's a text search | 19:57 |
morganfainberg | those emits were a lot of consolidation. | 19:58 |
ayoung | morganfainberg, yeah, but the logic should be to only call that code if token.revoke_by_id. Which is, I am pretty sure, how I wrote it originally | 19:58 |
morganfainberg | ayoung, except we still need the revocation event. what we need is we need the rev. event to grab the role and the TRL to revoke all | 19:59 |
morganfainberg | so if you turn off one or the other you get sane behavior | 19:59 |
*** gokrokve_ has quit IRC | 19:59 | |
ayoung | If we are doing revoke_by_id, we generate the TRL. If not, we don't | 19:59 |
ayoung | but...if that is too complex, then we need to close this bug "won't fix" | 19:59 |
*** gokrokve_ has joined #openstack-keystone | 19:59 | |
ayoung | or... | 19:59 |
morganfainberg | ayoung, we still need to revoke for the role (can rev. events handle a specific role revocation?) | 20:00 |
ayoung | nah, it has to be that, I think, as there are places where we count on the emit_invalidate_user_token_persistence for revoke by user_id | 20:00 |
morganfainberg | actually i think the logic is still the same | 20:00 |
morganfainberg | revoke all tokens for that scope if the role changes | 20:00 |
morganfainberg | just not revoke *all* tokens for the user. | 20:00 |
*** gokrokve has quit IRC | 20:00 | |
*** _cjones_ has joined #openstack-keystone | 20:01 | |
ayoung | can't have it both ways | 20:01 |
ayoung | the code tells us to revoke all tokens for the user | 20:01 |
morganfainberg | ayoung, we could include scope info. | 20:01 |
ayoung | for TRL? | 20:01 |
morganfainberg | if scope info is in the emit, we revoke on scope | 20:01 |
morganfainberg | TRL *and* rev. events can handle scope | 20:01 |
ayoung | It does not take any params | 20:01 |
ayoung | although..it must somehow deduce the userid | 20:01 |
morganfainberg | ayoung, we can fix that :P | 20:01 |
ayoung | but it is in the identity_api | 20:02 |
morganfainberg | ayoung, there is a case i overloaded how we emit the information | 20:02 |
ayoung | roles don't belong there | 20:02 |
morganfainberg | not role | 20:02 |
morganfainberg | scope | 20:02 |
ayoung | aslo not in the id api | 20:02 |
morganfainberg | if you change a role, you must revoke all tokens for that scope/user/group | 20:02 |
morganfainberg | oh | 20:02 |
ayoung | we need to think this through...not comfortable doing it as a bug fix. | 20:02 |
ayoung | Defer until Liberty | 20:02 |
morganfainberg | yeah. lets plan to restructure the internal-callback thingies | 20:03 |
morganfainberg | and pass real useful information through them | 20:03 |
ayoung | morganfainberg, or, we can make the revoke API central, and have it dispatch the logic how to handle an event | 20:03 |
ayoung | so if we are doing revoke by grant, it can be smart enough to revoke by userid for persisted tokens | 20:04 |
ayoung | drop the "emit" part of it, as the revoke API already operates that way | 20:04 |
ayoung | make sense? | 20:04 |
ayoung | and...let's not do it as decorator. It's abusive. | 20:05 |
morganfainberg | ayoung, notice other notifications for cadf aren't decorators now? | 20:07 |
morganfainberg | ayoung, yeah | 20:07 |
morganfainberg | that is dying. | 20:07 |
ayoung | ++ | 20:07 |
morganfainberg | ayoung, i plan on refactoring it as a context manager so you can get success/failure info too | 20:07 |
morganfainberg | rather than if/else/try/except/finally everywhere | 20:07 |
morganfainberg | i also want to rip out our policy enforcement decorators | 20:08 |
morganfainberg | move to "call enforcement when we want to enforce" | 20:08 |
morganfainberg | have a decorator that we use that "ensure enforce was called" or similar | 20:08 |
morganfainberg | so we can be alerted if a call that is meant to be protected isn't, or we can use it as a tracepoint. but enforcement happens where enforcement should happen. it would simplify a lot of things, no more needing wonky callbacks to make enforcement sane | 20:09 |
ayoung | Ah, wait, I was looking at the grant delete | 20:09 |
ayoung | he's revoking a token. I bet the code is the same, though. | 20:09 |
ayoung | Wow the revoke_token code has gotten complicated | 20:12 |
*** ayoung has quit IRC | 20:17 | |
*** henrynash has joined #openstack-keystone | 20:18 | |
*** ChanServ sets mode: +v henrynash | 20:18 | |
*** jeffDeville has quit IRC | 20:22 | |
*** _cjones_ has quit IRC | 20:22 | |
*** henrynash has quit IRC | 20:30 | |
*** ayoung has joined #openstack-keystone | 20:33 | |
*** ChanServ sets mode: +v ayoung | 20:33 | |
*** _cjones_ has joined #openstack-keystone | 20:33 | |
*** _cjones_ has quit IRC | 20:40 | |
*** david-lyle has quit IRC | 20:40 | |
*** bernardo-silva has joined #openstack-keystone | 20:41 | |
*** _cjones_ has joined #openstack-keystone | 20:42 | |
rodrigods | ayoung, +2 (hope anyone else complain about the extra space) | 20:42 |
ayoung | +2? | 20:42 |
rodrigods | ayoung, https://review.openstack.org/#/c/169045/ | 20:43 |
ayoung | Oh, yeah, it's policy. TYVM! | 20:43 |
rodrigods | ayoung, heh np :) | 20:44 |
*** Ephur has quit IRC | 20:45 | |
dstanek | Vancouver sounds exciting - http://thefreethoughtproject.com/vancouver-police-officer-smashes-drivers-window-refusing-driver-arrest/ | 20:52 |
*** ayoung has quit IRC | 20:54 | |
openstackgerrit | Merged openstack/keystone: Rename notification for create/delete grants https://review.openstack.org/167501 | 20:54 |
*** nkinder has quit IRC | 20:57 | |
*** arif-ali has joined #openstack-keystone | 20:57 | |
*** nkinder has joined #openstack-keystone | 20:57 | |
stevemar | dstanek, yep, i heard about that | 20:58 |
stevemar | another bug down! yay | 21:02 |
dstanek | i hate that i have to do to each one to see if i've already reviewed it | 21:03 |
morganfainberg | oh my, PTL election season is upon us. | 21:05 |
morganfainberg | it's a magical time of year.. | 21:05 |
morganfainberg | or something | 21:05 |
rodrigods | are you starting the campaign, morganfainberg ? | 21:06 |
morganfainberg | nah. not until the time we have to send emails to the ML. | 21:06 |
morganfainberg | :P | 21:06 |
rodrigods | heh | 21:06 |
*** ayoung has joined #openstack-keystone | 21:07 | |
*** ChanServ sets mode: +v ayoung | 21:07 | |
*** packet has quit IRC | 21:08 | |
*** packet has joined #openstack-keystone | 21:10 | |
stevemar | morganfainberg, 4 more years! | 21:11 |
morganfainberg | i'd probably die | 21:11 |
morganfainberg | :P | 21:11 |
stevemar | die a hero though | 21:11 |
morganfainberg | i think i'll stick with 6 months more at a shot. tyvm | 21:11 |
dstanek | haha. seems like PTL is a sink hole | 21:12 |
stevemar | it's something alright | 21:13 |
stevemar | all the blame, none of the glory | 21:13 |
stevemar | and no time for code :P | 21:13 |
morganfainberg | stevemar, c.. co... code? whjat is this C-oh-duh you speak of? | 21:14 |
morganfainberg | since topol isn't here, we should make him the PTL :P | 21:15 |
morganfainberg | oh it's not April 1st yet >.> | 21:15 |
stevemar | he is traveling tomorrow, it'll be a surprise for when he lands | 21:15 |
morganfainberg | oh.. | 21:15 |
*** raildo is now known as raildo|away | 21:15 | |
morganfainberg | i know | 21:15 |
morganfainberg | talked w/ him yesterday | 21:15 |
stevemar | hehe, i could msg him tomorrow saying he is now PTL. it'll be a great april fools day joke | 21:16 |
*** david-lyle_ has joined #openstack-keystone | 21:19 | |
*** henrynash has joined #openstack-keystone | 21:21 | |
*** ChanServ sets mode: +v henrynash | 21:21 | |
*** atiwari has quit IRC | 21:22 | |
*** atiwari has joined #openstack-keystone | 21:24 | |
*** atiwari has quit IRC | 21:30 | |
*** atiwari has joined #openstack-keystone | 21:31 | |
*** samueldmq_ has joined #openstack-keystone | 21:32 | |
*** samueldmq_ has quit IRC | 21:33 | |
*** gordc has quit IRC | 21:34 | |
*** samueldmq has quit IRC | 21:34 | |
*** samueldmq has joined #openstack-keystone | 21:35 | |
*** nkinder has quit IRC | 21:42 | |
*** david-lyle_ is now known as david-lyle | 21:43 | |
*** stevemar has quit IRC | 21:51 | |
openstackgerrit | Merged openstack/keystone: Updated from global requirements https://review.openstack.org/166437 | 21:51 |
*** mattfarina has quit IRC | 21:58 | |
openstackgerrit | Merged openstack/python-keystoneclient: Allow requesting an unscoped Token https://review.openstack.org/169111 | 21:59 |
*** david-lyle has quit IRC | 22:02 | |
*** harlowja_ is now known as harlowja_away | 22:04 | |
*** harlowja_away is now known as harlowja_ | 22:07 | |
openstackgerrit | Davanum Srinivas (dims) proposed openstack/oslo.policy: Avoid reloading policy files in policy.d for every call https://review.openstack.org/169535 | 22:18 |
openstackgerrit | Davanum Srinivas (dims) proposed openstack/oslo.policy: Avoid reloading policy files in policy.d for every call https://review.openstack.org/169535 | 22:19 |
openstackgerrit | Davanum Srinivas (dims) proposed openstack/oslo.policy: Avoid reloading policy files in policy.d for every call https://review.openstack.org/169535 | 22:20 |
*** harlowja_ has quit IRC | 22:21 | |
*** bernardo-silva has quit IRC | 22:23 | |
*** bernardo-silva has joined #openstack-keystone | 22:24 | |
openstackgerrit | ayoung proposed openstack/keystone-specs: Service Catalog Subsets by ID https://review.openstack.org/160909 | 22:25 |
*** harlowja has joined #openstack-keystone | 22:26 | |
openstackgerrit | Brant Knudson proposed openstack/keystonemiddleware: Deprecate auth_token authentication https://review.openstack.org/127066 | 22:27 |
*** bernardo-silva has quit IRC | 22:28 | |
*** ayoung has quit IRC | 22:29 | |
jamielennox | wtf - there's a clippy on my gerrit review page | 22:33 |
morganfainberg | "it looks like you are trying to review some code" | 22:34 |
morganfainberg | jamielennox, let me guess it's April 1st for you... | 22:34 |
jamielennox | ah | 22:34 |
jamielennox | ergh | 22:34 |
bknudson | for april 1st I'm going to +2 every review. | 22:35 |
*** timcline has quit IRC | 22:35 | |
morganfainberg | bknudson, hah | 22:35 |
jamielennox | that would be special | 22:36 |
*** packet has quit IRC | 22:36 | |
*** nkinder has joined #openstack-keystone | 22:38 | |
*** sigmavirus24 is now known as sigmavirus24_awa | 22:42 | |
*** iamjarvo has quit IRC | 22:48 | |
*** devlaps has joined #openstack-keystone | 22:50 | |
*** packet has joined #openstack-keystone | 22:50 | |
*** henrynash has quit IRC | 22:51 | |
*** devlaps1 has joined #openstack-keystone | 22:53 | |
*** devlaps has quit IRC | 22:54 | |
*** devlaps1 has quit IRC | 22:54 | |
*** devlaps has joined #openstack-keystone | 22:55 | |
*** darrenc is now known as darrenc_afk | 22:59 | |
*** iamjarvo has joined #openstack-keystone | 23:02 | |
*** thedodd has quit IRC | 23:07 | |
*** carlosmarin has quit IRC | 23:11 | |
*** dims_ has quit IRC | 23:14 | |
morganfainberg | nkinder, ping - I'll be in the bay area the 15/16th. presenting at the meetup in sunnyvale, but will be headed out for some drinks afterwards on the 16th. | 23:14 |
morganfainberg | nkinder, if you're around that is. | 23:14 |
*** atiwari1 has joined #openstack-keystone | 23:16 | |
nkinder | morganfainberg: cool! I'll be around. | 23:17 |
*** dims_ has joined #openstack-keystone | 23:17 | |
nkinder | morganfainberg: keep me updated with the plan as it gets closer | 23:17 |
morganfainberg | sure thing. | 23:17 |
*** atiwari has quit IRC | 23:18 | |
*** darrenc_afk is now known as darrenc | 23:22 | |
*** edmondsw has quit IRC | 23:24 | |
*** bigjools has joined #openstack-keystone | 23:28 | |
*** lhcheng is now known as lhcheng_afk | 23:31 | |
*** zzzeek has quit IRC | 23:38 | |
*** raildo has joined #openstack-keystone | 23:39 | |
*** iamjarvo has quit IRC | 23:49 | |
*** iamjarvo has joined #openstack-keystone | 23:51 | |
*** ayoung has joined #openstack-keystone | 23:57 | |
*** ChanServ sets mode: +v ayoung | 23:57 |