Thursday, 2015-04-23

00:00 <dstanek> besides a few 'if' statements in migrations, do we actually maintain sqlite specific code?
00:00 *** browne has quit IRC
00:00 <morganfainberg> dstanek: i'm hoping to ditch pysqlite
00:01 <morganfainberg> dstanek: if we have another option, maybe since we do SQL-A, we can do something that mocks up what SQL-A does for "Test backend"
00:01 <dstanek> do we need that now that we don't support 2.6?
00:01 *** markvoelker has joined #openstack-keystone
00:01 <morganfainberg> dstanek: oh was that a 2-6 specific thing?
00:01 *** browne has joined #openstack-keystone
00:01 <morganfainberg> dstanek: dude if it is kill it from our requirements
00:01 <dstanek> actually...it may have been 2.5 specific
00:01 <dstanek> python has had that builtin for a long time
00:01 <morganfainberg> dstanek, then we literally are "migrate from python-ldap to ldap3" from being 3.4 compatible
00:01 <morganfainberg> at least from a "does this install"
00:02 <morganfainberg> not making any guarantees we didn't do 3.4 incompatible things in our codebase
00:02 <morganfainberg> but we can actually work on fixing it all.
00:02 <dstanek> we have to delete eventlet and fix python-memcache
00:02 <morganfainberg> dstanek, python-memcache installs on 3.4 now
00:02 <morganfainberg> and eventlet is 3 compatible
00:02 <dstanek> i have a ton of py3 patches to push
00:03 <morganfainberg> dstanek, and we could move to pymemcache
00:03 <morganfainberg> it's less work than migrating from python-ldap to ldap3
00:03 <dstanek> i don't know much about pymemcache, but i don't see why not
00:04 <morganfainberg> dstanek, it's not a hard switch
00:04 <morganfainberg> it is a *way* better library
00:04 *** roxanaghe has joined #openstack-keystone
00:04 <morganfainberg> amazingly so
00:05 <morganfainberg> dstanek but if python-memcache works and we can ditch pysqlite
00:05 <morganfainberg> i'm quite happy
00:06 <dstanek> morganfainberg: i'll put a little effort into python-memcache if you think we may stay on it, otherwise i'll leave it be
00:06 <dstanek> it's pretty close, but there are still a few issues
00:07 <morganfainberg> dstanek: i'd rather move to the other library
00:07 <dstanek> then i'll ignore the github thread :-)
00:07 <morganfainberg> dstanek: tbh. pymemcache just has less baggage and is a much better design
00:07 <morganfainberg> dstanek: we need to convert middleware over to it as well.
00:08 *** zzzeek has quit IRC
00:08 <morganfainberg> also ldap3 would mean we could support OS X (hahahahahahahahahaha) again for keystone >.>
00:09 <dstanek> :-( just as i'm ditching it
00:09 <morganfainberg> dstanek, i won't change course on it being "use at your own risk"
00:10 <morganfainberg> because i don't want to guess what will break again
00:10 * morganfainberg sticks w/ VMs for testing even if it'll work.
00:10 <morganfainberg> mostly cause then if i have to test for juno etc i'm already in that mode
00:23 *** gyee has quit IRC
00:24 *** stevemar has quit IRC
00:26 <openstackgerrit> Morgan Fainberg proposed openstack/keystone: Remove pysqlite test-requirement dependency  https://review.openstack.org/176557
00:26 <morganfainberg> dstanek: ^^
00:31 <dstanek> morganfainberg: neat, running the tests now
00:38 *** _cjones_ has quit IRC
00:39 *** _cjones_ has joined #openstack-keystone
00:44 *** sdake has joined #openstack-keystone
00:45 *** bknudson has quit IRC
00:46 *** dramakri has quit IRC
00:50 *** sdake has quit IRC
01:11 *** roxanaghe has quit IRC
01:15 *** _cjones_ has quit IRC
01:16 <ayoung> samleon, I think that we should support basic auth, but it is something that I think we will get by default with your existing patch.
01:20 *** bknudson has joined #openstack-keystone
01:20 *** ChanServ sets mode: +v bknudson
01:31 *** sdake has joined #openstack-keystone
01:33 *** markvoelker has quit IRC
01:37 *** erkules_ has joined #openstack-keystone
01:38 *** tqtran has quit IRC
01:40 *** erkules has quit IRC
01:49 <morganfainberg> ayoung, is there a legitimate case we would have a python interpreter that can't do SSL?
01:50 <ayoung> morganfainberg, HMMM
01:50 <ayoung> morganfainberg, as a client or as a server?
01:50 <morganfainberg> ayoung, in keystone
01:50 <ayoung> you mean eventlet?
01:50 <morganfainberg> ayoung, no i mean python itself.
01:50 <morganfainberg> python
01:50 <morganfainberg> import ssl
01:51 * morganfainberg is working to provide a patch that converts keystone from python-ldap to ldap3
01:51 <ayoung> morganfainberg, ah
01:51 <dstanek> morganfainberg: i think only if Python was compiled on the machine
01:51 <morganfainberg> which is pure python, and py2/3 compat
01:51 <morganfainberg> but it doesn't have the nice pretty compat stuff built
01:51 <dstanek> pretty sure all major packages will have it included
01:52 <morganfainberg> dstanek, my thought is... we require a python interpreter that can do ssl
01:52 <morganfainberg> dstanek, waaaaaaaay less magic import testing
01:52 *** browne has quit IRC
01:52 <ayoung> morganfainberg, my kneejerk reaction is please don't...I want to get us out of that world.  But I know you must have a reason for wanting ldap3.  I'd ask richm or rcrit or simo myself
01:52 <ayoung> nkinder is at a conf this week
01:52 <morganfainberg> ayoung, because python-ldap is awful
01:53 <morganfainberg> and we can't get rid of ldap support
01:53 <ayoung> yeah, but is ldap3 going to fix it?
01:53 <morganfainberg> ayoung, well ldap3 does 1 major thing for us
01:53 <morganfainberg> py34 compat
01:53 <morganfainberg> it and python-memcache (to be replaced with pymemcache) are the blockers
01:53 <ayoung> do we now have that possibility?  That alone is a deal-maker
01:54 <ayoung> ah...ok...so, to answer your question, I think we are OK
01:54 <ayoung> if a platform can't make an ssl call, it shouldn't be supported
01:54 <morganfainberg> ayoung, it looks like (key: LOOKS) like we need to fix 2 libraries and we can run in py34
01:54 <morganfainberg> and probably a bunch of "fix our bad py27 assumptions"
01:54 <morganfainberg> but doable in liberty
01:55 <morganfainberg> ayoung, also ldap3 has some nice interfaces that *might* help to make it easier to cleanup our code
01:56 <ayoung> that would be nice
01:56 <morganfainberg> ayoung, since we can't be rid of LDAP in any definitive timeframe (anything beyond 2-3 cycles is too far out to see)
01:56 *** davechen1 has joined #openstack-keystone
01:56 <morganfainberg> ayoung, it has an orm-ish like abstraction
01:56 <morganfainberg> so you have less digging into the lists of tuples of list of ick
01:57 <ayoung> so, I would move ahead with the assumption that we can do ssl anywhere we need to.  Post to the mailing list to cover us, but if there are any real issues, I think the answer is "tough luck"
01:57 <morganfainberg> ayoung, first will be the POC change so we can get you/nkinder/brant to run through the uses
01:57 <ayoung> ++
01:57 <morganfainberg> make sure we aren't massively missing things.
01:57 <morganfainberg> thankfully the ldap core code has been mostly static
01:57 <ayoung> yeah
01:58 <morganfainberg> means less rebase hell issues.
01:58 <morganfainberg> also... we can support server pools
01:58 <morganfainberg> as in "server X, Y and Z" nicely with this new lib
01:58 <ayoung> part of me is contrite for having written it, but then I realize I just copied what was in the pre-KSL wholesale, and I become a whole lot more contrite...
01:59 <morganfainberg> the python-ldap version does bad things.
01:59 *** sigmavirus24_awa is now known as sigmavirus24
01:59 <morganfainberg> when you try that.
01:59 <morganfainberg> while this new lib is not even remotely drop in compat...
01:59 *** david-lyle has quit IRC
01:59 <dstanek> so is the plan to have no ldap backends at all?
01:59 <ayoung> we need to deprecate a whole slew of LDAP config options that no one should be using
01:59 <morganfainberg> it looks to be good.
01:59 <ayoung> dstanek, I'd like to replace it with an SSSD and mod_lookup_identity based approach
01:59 <morganfainberg> dstanek, i'd like to push people towards federated identity or SSSD
02:00 <morganfainberg> dstanek, but that is a long long way out
02:00 <ayoung> dstanek, combine that with Kerberos and Federation and it works very nicely
02:00 <morganfainberg> dstanek, and i don't think we can say people won't still want direct ldap support
02:00 <morganfainberg> dstanek, direct ldap support is unlikely to be deprecated in the next 3 cycles at least
02:00 <ayoung> we need to firmly deprecate the assignment backend in Liberty
02:00 <bknudson> anybody got a hint as to what might be going wrong here: https://review.openstack.org/#/c/176576/1/tests/unit/test_service.py
02:00 <morganfainberg> ayoung, uh.
02:01 <morganfainberg> ayoung, ldap assignment is deprecated in kilo
02:01 <ayoung> morganfainberg, I thought we backed off...I am happy to hear we did not
02:01 <morganfainberg> ayoung, i sure as hell haven't backed off
02:01 <bknudson> the app creates a subprocess, which writes to stdout, but there's nothing on out_q, only err_q.
02:01 <dstanek> bknudson: still not working?
02:01 <bknudson> dstanek: I'm trying to write a test for it now.
02:01 <morganfainberg> ayoung, we had 1 person crop up saying "We use this" besides cern and wikimedia
02:01 <bknudson> the test is harder to write than the fix.
02:01 <ayoung> so we need to support it until Mike?
02:02 <morganfainberg> ayoung, not sure when we slated it. probably M
02:02 <dstanek> bknudson: you are trying to use a queue across processes?
02:02 <morganfainberg>     @versionutils.deprecated(
02:02 <morganfainberg>         versionutils.deprecated.KILO,
02:02 <morganfainberg>         remove_in=+2,
02:02 <morganfainberg>         what='keystone.assignment.backends.ldap.Assignment')
02:02 <morganfainberg> yeah in M release
02:02 <ayoung> nice
02:02 <bknudson> dstanek: no, the queue is just to enqueue the output of the subprocess.
02:03 <morganfainberg> ayoung, in all seriousness if we had a clear "we really use this" from more than 1 deployer and 2 shops committed to moving to sql
02:03 <ayoung> morganfainberg, so...wanna see what Amazon does with Federation?  http://docs.aws.amazon.com/STS/latest/UsingSTS/STSMgmtConsole-SAML.html#cconfiguring-IdP
02:03 <morganfainberg> ayoung, and the 1 deployer was "this is a bug".
02:03 <morganfainberg> ayoung, yeah i need to read up on that
02:03 <ayoung> note where their flow starts.  Hint, it is not with "go to amazon and try to log in"
02:03 <dstanek> bknudson: what about iter(f.readline, ...) does that actually call readline()?
02:03 <morganfainberg> ayoung, i was asked if I wanted to represent Keystone and OpenStack at Cloud Identity Summit (or find someone else)
02:03 <bknudson> that does look fishy.
02:04 <dstanek> i wouldn't expect that to work
02:04 <morganfainberg> ayoung, so need to read up on AWS IAM, google identity, MSFT identity etc for the IaaS track
02:04 <bknudson> dstanek: shouldn't it just be for line in f?
02:04 <ayoung> it has at least one person in #ipsilon scratching their head
02:04 <dstanek> bknudson: i would think so
02:04 <morganfainberg> ayoung, if your entire product is predicated on "you're logged into Amazon"
02:04 <morganfainberg> ayoung, ...
02:05 <ayoung> but this is to log in to Amazon
02:05 <morganfainberg> ayoung, we have a similar requirement
02:05 <morganfainberg> ayoung, create an IDP
02:05 <ayoung> yeah, I know
02:05 <morganfainberg> ayoung, it's a chicken-egg issue
02:05 <ayoung> I don't have an answer for it.  I'll try to figure out how people do it when using Amazon
02:05 <morganfainberg> ayoung, they use a "local" account to IAM
02:06 <ayoung> I think that the best we can do is host a weblogin in the users project
02:06 <morganfainberg> ayoung, same as we would
02:06 <morganfainberg> ayoung, then they setup the SAML Federation
02:06 <ayoung> nah, that is not what I am talking about
02:06 <ayoung> look at their SAML flow
02:06 <ayoung> in the diagram, step one is browser to IdP
02:07 <ayoung> For us step one is browser to horizon
02:07 <morganfainberg> oh
02:07 <morganfainberg> ayoung, i think they just omitted the "go to SP and redirect to IDP"
02:07 <ayoung> right, if the service provider does not start the workflow, SAML assertions are bearer tokens
02:07 <ayoung> No, they didn't
02:07 <ayoung> its the same issue we have
02:08 <morganfainberg> The user browses to your organization's portal and selects the option to go to the AWS Management Console. In your organization, the portal functions as a identity provider (IdP) that handles the exchange of trust between your organization and AWS.
02:08 <ayoung> Horizon can't enumerate all of the IdPs
02:08 <bknudson> dstanek: I tried regular f.readline(), and still don't get the stdout... https://review.openstack.org/#/c/176576/2/tests/unit/test_service.py
02:08 <morganfainberg> portal i think is AWS portal
02:08 <morganfainberg> in this case
02:08 <ayoung> morganfainberg, are you looking at the diagram in the link I posted?
02:08 <morganfainberg> yes
02:08 <morganfainberg> i am looking at the text below it
02:09 <ayoung> step one is to a box in "your organization"
02:09 <morganfainberg> step 1 is what i pasted to you
02:09 <morganfainberg> look right below the diagram
02:09 <morganfainberg> someone sucked at making a diagram
02:09 <morganfainberg> this is a "portal" that does that redirect stuff
02:09 <morganfainberg> not your orgs "IDP" like ipsilon
02:10 <morganfainberg> notice they also use a LDAP store
02:10 <ayoung> "portal"  is on the diagram inside the users organization, not in Amazon.  I think they expect you to host something that kicks off the workflow
02:10 <morganfainberg> this is an AWS "portal"
02:10 <morganfainberg> not "ipsilon" portal
02:10 <morganfainberg> or generic portal
02:10 <ayoung> not according to the rest of the document
02:11 <morganfainberg> ah so it is bearer:
02:11 <morganfainberg> You also configure your organization's portal to route user requests for the AWS Management Console to the AWS SAML endpoint for authentication using SAML assertions.
02:11 <morganfainberg> this is a "put a link on sharepoint"
02:11 <morganfainberg> or similar
02:12 <ayoung> yep, but it has to have the same magic we have "here is a generated page that posts to the web portal"  just posting SAML, not A token
02:12 *** samueldmq has quit IRC
02:12 <morganfainberg> oooor it's the AWS portal
02:12 <morganfainberg> that does the initial redirect
02:12 *** samueldmq has joined #openstack-keystone
02:12 *** harlowja is now known as harlowja_away
02:12 *** TommyTheKid has joined #openstack-keystone
02:13 <morganfainberg> i think portal is: http://aws.amazon.com/partners/apn-portal/
02:13 <morganfainberg> ayoung, i *think* this really is just bad documentation
02:13 <ayoung> TommyTheKid, http://eavesdrop.openstack.org/irclogs/%23openstack-keystone/%23openstack-keystone.2015-04-23.log
02:13 <TommyTheKid> heh, thanks
02:13 <ayoung> morganfainberg, TommyTheKid here is the one that pointed it out to me...
02:13 <morganfainberg> TommyTheKid, allo
02:13 <bknudson> dstanek: I'm going to try not using pipes... write to a file instead.
02:14 <TommyTheKid> hello
02:14 <TommyTheKid> I used to work with OpenSSO when I worked at Sun and later HPES, but today I am doing Ipsilon ... :)
02:14 <ayoung> morganfainberg, how would that know to kick you over to the right IdP?
02:14 <ayoung> its just form auth
02:15 <ayoung> and nothing on their Knowledge Base about SAML
02:15 <TommyTheKid> So, that is where the Amazon docs seem to indicate that your "portal" (part of the M$ Federation thing?) should have a link to Amazon and know its supposed to send a SAMLv2 assertion with the redirect?
02:15 <morganfainberg> ayoung, you configure the portal: You also configure your organization's portal to route user requests for the AWS Management Console to the AWS SAML endpoint for authentication using SAML assertions.
02:15 <morganfainberg> ayoung, i think this is very poor docs
02:15 *** _cjones_ has joined #openstack-keystone
02:16 <morganfainberg> and probably written by someone who hasn't been living SAML2 or SSO
02:16 <morganfainberg> just was told "put these things in a doc and make a diagram like X"
02:16 <morganfainberg> smart tech writer, but may not be eating/breathing/sleeping SSO like we have
02:16 <ayoung> Maybe, but I don't parse it that way
02:16 <morganfainberg> ayoung, i'm reading this and the *only* way this makes sense is the APN portal
02:16 <ayoung> there is too much technical content for that big of an error to slip through
02:17 <morganfainberg> and *that* is configured for the IDP
02:17 <ayoung> it needs to be an organization specific url
02:17 <TommyTheKid> so, how do I bounce a request through IdP to Amazon from my portal? (that I don't have) .. but lets just say I have a link in a wiki ... what would that link point to?
02:17 <morganfainberg> it is.
02:17 <morganfainberg> each partner gets a portal
02:17 <morganfainberg> TommyTheKid, you'd go to the APN portal and select "login with IDP" or whatever it is.
02:18 <TommyTheKid> hmmm
02:18 <morganfainberg> TommyTheKid, then you'd do the SAML/Federation dance for credentials
02:18 <TommyTheKid> right
02:18 <TommyTheKid> APN Portal.. looking...
02:18 <morganfainberg> TommyTheKid, http://aws.amazon.com/partners/apn-portal/
02:18 * ayoung takes a perverse pleasure in being able to type his full state name correctly
02:19 <morganfainberg> TommyTheKid or it's http://aws.amazon.com just the org-specific login page
02:19 <TommyTheKid> but I am not a "P"
02:19 *** sigmavirus24 is now known as sigmavirus24_awa
02:19 <morganfainberg> any org with AWS can have their own login page
02:19 <TommyTheKid> something like accountid.signin.aws.amazon.com
02:19 <TommyTheKid> *https://
02:19 <morganfainberg> we used Google Auth at my last job to access amazon at one point
02:19 <morganfainberg> because we used gapps for stuff
02:20 <morganfainberg> TommyTheKid, yeah but i think it's aws.amazon.com/<account>
02:20 <TommyTheKid> oh, thats actually our IAM login screen
02:20 <morganfainberg> TommyTheKid, Yeh.
02:20 <TommyTheKid> Google auth would work too
02:20 <morganfainberg> TommyTheKid, so the IAM login bounces you to the IDP
02:20 <morganfainberg> like an SP would.
02:20 <morganfainberg> since it is the SP effectively
02:20 <morganfainberg> for the console
02:20 <TommyTheKid> my IAM login prompts for user/pass/MFA
02:21 <morganfainberg> it's a configuration afaik
02:21 <morganfainberg> all i can say is these docs are not good.
02:21 <TommyTheKid> and that might be the key
02:21 <morganfainberg> worse than some of our bitrotting ones
02:22 <morganfainberg> it's mixing "federation" verbiage with aws verbiage and it isn't clear what is what
02:22 *** browne has joined #openstack-keystone
02:22 *** markvoelker has joined #openstack-keystone
02:24 <TommyTheKid> http://docs.aws.amazon.com/STS/latest/UsingSTS/STSMgmtConsole-manualURL.html
02:25 <TommyTheKid> I (think) that is what I am looking for?
02:26 <ayoung> morganfainberg, I've been doing OpenStack for how long now and I've just now signed up for an Amazon account.  Scary
02:26 <TommyTheKid> but I have a meeting now, sorry I can't continue this fun :)
02:26 <ayoung> OK  morganfainberg more serious question
02:26 <morganfainberg> ayoung, my guess is you need an org account not the free one fwiw
02:26 <ayoung> is it ok to use a lime to make a hot Toddy?
02:26 <morganfainberg> just a hunch
02:26 <morganfainberg> ayoung, uh
02:26 <morganfainberg> ayoung, sounds like the wrong citrus to me
02:27 <ayoung> touch of a sore throat...but we have a fresh lime we used earlier and I'd hate to waste it
02:27 <morganfainberg> but people do it w/ lime
02:27 <morganfainberg> looks like
02:27 <ayoung> OK...whew
02:27 <morganfainberg> hot toddy + ginger + lime
02:27 <morganfainberg> etc
02:27 <ayoung> oooh, ginger
02:27 <morganfainberg> yeah
02:27 <morganfainberg> sounds good
02:27 <ayoung> hadn't thought of that...going to add that in
02:28 <ayoung> export OS_AUTH_URL=https://us-west-2.console.aws.amazon.com/console/home
02:28 <ayoung> heh
02:28 <morganfainberg> HAH
02:28 <morganfainberg> keystone get-token
02:28 <morganfainberg> or is that token-get
02:28 * morganfainberg uses that command line *never*
02:28 <ayoung> the latter...I see you've moved on to using OSC
02:28 <morganfainberg> yeah
02:28 <ayoung> I think we actually need to add support for it in OSC
02:29 <morganfainberg> well been fighting OSC
02:29 <ayoung> it is a key debugging tool
02:29 <morganfainberg> to get devstack to build with V3 only
02:29 <morganfainberg> i think i'm down to maybe 10 functions to fix
02:29 <morganfainberg> that use osc
02:29 <morganfainberg> but it's almost working
02:30 <morganfainberg> doesn't mean it'll work for tempest
02:31 <ayoung> IAM users sign-in link:
02:31 <ayoung> https://979316197786.signin.aws.amazon.com/console
02:31 <ayoung> |
02:31 <ayoung> I wonder if that is it
02:33 <ayoung> I should read up on this before Vancouver https://docs.aws.amazon.com/IAM/latest/UserGuide/policies-managed-vs-inline.html
02:34 <bknudson> subprocess.Popen behavior is non-obvious.
02:37 <ayoung> bknudson, I could have told you that
02:40 <morganfainberg> bknudson, oh haha
02:40 <bknudson> I guess you can't do .stdout.readline()
02:40 <morganfainberg> why can't we have nice things?
02:41 * morganfainberg wants SSLContext instead of crummy Tls() wrapper object
02:41 <ayoung> morganfainberg, P2 vs p3 with popen is painful
02:41 <morganfainberg> ayoung, yesh
02:41 <morganfainberg> solution: ditch popen
02:41 <morganfainberg> ayoung, :P
02:41 <morganfainberg> running in apache the benefit of popen yielding is minimized
02:41 <ayoung> morganfainberg, especially when you are trying to popen, something that returns binary data instead of a string...say cuz you need to compress it before base64 encoding it
02:42 <morganfainberg> so we *could* potentially move to pyasn1 or something similar
02:42 <ayoung> I think python cryptography has all we need..or its on the way
02:42 <morganfainberg> and just consume process/stack space vs needing to fork out
02:42 <morganfainberg> ayoung, yeah it does
02:42 <morganfainberg> ayoung, just would be a *bad* choice until eventlet dies
02:42 <morganfainberg> since it would lockup the worker
02:42 <ayoung> I'm ok with that
02:42 <ayoung> :)
02:43 <morganfainberg> ayoung, actually we could just say "if eventlet: popen
02:43 <morganfainberg> for another cycle
02:43 <morganfainberg> then watch that all go away
02:43 <morganfainberg> the eventlet flush is coming.
02:44 <ayoung> so, I think the issue would be PKIZ + eventlet + python3 if I pushed to not to the PEM format...I have no plans to touch any of that
02:44 <ayoung> so..yeah
02:44 * morganfainberg glares
02:45 <morganfainberg> the hardest thing to replicate in this new ldap module: paged searches
02:47 <ayoung> cuz they are dumb
02:48 <morganfainberg> how many bloody ldap handlers do we need.
02:49 <ayoung> morganfainberg, two
02:49 <ayoung> users and groups
02:50 <ayoung> or do you mean something else?
02:50 <morganfainberg> ayoung, PooledLDAPHandler, LDAPHandler, PythonLDAPHandler, KeystoneLDAPHandler
02:50 <morganfainberg> this is all in common ldap core
02:50 * morganfainberg is trying to figure out which ones of these are even used.
02:51 <morganfainberg> oh gah
02:51 <morganfainberg> there is black magic in here
02:53 <morganfainberg> oh look we instantiate a handler every time
02:55 <morganfainberg> ayoung, i think i'm staring at the abyss
02:56 <morganfainberg> ayoung, i'm going to back away slowly and just duplicate our current mechanisms. but i think i see some reasons ldap is bloody awful performance
02:56 <ayoung> link?
02:57 <morganfainberg> https://github.com/openstack/keystone/blob/master/keystone/common/ldap/core.py#L1252-L1257
02:57 <morganfainberg> if you chase the _get_connection we instantiate a handler every time
02:58 <morganfainberg> oh we have a static pool dict
02:58 <morganfainberg> on the ldappool handler
02:58 <morganfainberg> but this is so many layers of indirection
02:58 <morganfainberg> it's painful.
02:59 <ayoung> it really is bad code
03:00 <ayoung> morganfainberg, OTOH, I just ran into the fact that Ipsilon requires a version of sssd so recent no one has built it for EPEL yet
03:01 <morganfainberg> oh cool
03:01 <morganfainberg> can specify at the connection level read_only=False,
03:01 <morganfainberg> thats nice. extra safety net if we want
03:03 <ayoung> OK...with that, I am officially giving up and stopping work for the evening
03:04 *** _cjones_ has quit IRC
03:09 <morganfainberg> hm
03:10 * morganfainberg is wondering if we want connections to auto_bind or lazy bind
03:12 <bknudson> I think you have to import threading early.
03:14 <bknudson> oh, and I guess you have to have a bunch of print statements too.
03:15 *** stevemar has joined #openstack-keystone
03:15 *** ChanServ sets mode: +v stevemar
03:15 <bknudson> no, must be a timing issue...
03:20 <stevemar> bknudson, *you* are a timing issue
03:26 *** samueldmq has quit IRC
03:28 *** lhcheng_ has joined #openstack-keystone
03:28 *** lhcheng has quit IRC
03:49 <openstackgerrit> Merged openstack/keystone: Sync oslo-incubator Ie51669bd278288b768311ddf56ad31a2f28cc7ab  https://review.openstack.org/176391
03:53 *** spandhe has quit IRC
04:03 *** tqtran has joined #openstack-keystone
04:06 *** rm_work is now known as rm_work|away
04:06 *** ayoung has quit IRC
04:07 *** tqtran has quit IRC
04:38 *** richm has quit IRC
04:41 *** sdake has quit IRC
04:46 *** sdake has joined #openstack-keystone
04:49 *** sdake_ has joined #openstack-keystone
04:50 *** sdake has quit IRC
04:59 *** david-lyle has joined #openstack-keystone
05:05 *** sdake has joined #openstack-keystone
05:10 *** sdake_ has quit IRC
05:21 *** markvoelker_ has joined #openstack-keystone
05:21 *** markvoelker has quit IRC
05:21 *** rwsu has quit IRC
05:27 <openstackgerrit> Pengtao Huang proposed openstack/keystone: Please enter the commit message for your changes. Lines starting  https://review.openstack.org/176620
05:27 <openstackgerrit> Pengtao Huang proposed openstack/keystone: dddd  https://review.openstack.org/176621
05:29 <stevemar> pengtao seems to be having some difficulties
05:31 *** ajayaa has joined #openstack-keystone
05:38 *** josecastroleon has joined #openstack-keystone
05:48 *** _cjones_ has joined #openstack-keystone
05:53 *** _cjones_ has quit IRC
05:53 *** kiran-r has joined #openstack-keystone
06:06 *** lhcheng_ is now known as lhcheng
06:06 *** ChanServ sets mode: +v lhcheng
06:11 *** sdake has left #openstack-keystone
06:11 *** afazekas_ has joined #openstack-keystone
06:32 *** stevemar has quit IRC
06:39 <openstackgerrit> Dave Chen proposed openstack/keystone: Remove local conf information from paste-ini  https://review.openstack.org/134124
06:50 *** erkules_ is now known as erkules
06:50 *** erkules has joined #openstack-keystone
07:12 *** rushiagr_away is now known as rushiagr
07:14 *** davechen has joined #openstack-keystone
07:15 *** alex_xu has quit IRC
07:15 *** alex_xu_ has joined #openstack-keystone
07:16 *** davechen1 has quit IRC
07:17 <kiran-r> Hello! Why am I seeing this warning while using keystone clients. /usr/lib/python2.7/site-packages/keystoneclient/shell.py:65: DeprecationWarning: The keystone CLI is deprecated in favor of python-openstackclient. For a Python library, continue using python-keystoneclient.
07:17 <kiran-r>   'python-keystoneclient.', DeprecationWarning)
07:21 <lhcheng> kiran-r: it is going to be deprecated in favor of openstackclient
07:21 <marekd> kiran-r: because we now recommend using unified CLI which is python-openstackclient
07:22 <openstackgerrit> Dave Chen proposed openstack/keystone: Misuse `versionutils.deprecated`  https://review.openstack.org/176646
07:22 <marekd> kiran-r: try typing
07:22 <marekd> # openstack
07:22 <marekd> (shell cmd)
07:22 *** davechen1 has joined #openstack-keystone
07:23 <davechen1> kiran-r: why are you thinking it's incorrect? :)
07:24 *** davechen has quit IRC
07:26 <davechen1> kiran-r: It's deprecated in favor of OSC, and it's only supported in OSC for Keystone V3 APIs
07:26 <kiran-r> davechen1: Thanks! :)
07:27 *** browne has quit IRC
07:29 <davechen1> kiran-r: This link may help, link: http://docs.openstack.org/developer/keystone/cli_examples.html
07:30 <kiran-r> davechen1: I was not aware of the new python client.
07:30 <lhcheng> actually OSC supports both Keystone V2 and V3 API. :)
07:32 *** henrynash has quit IRC
07:33 <kiran-r> lhcheng: cool!
07:37 *** toddnni has quit IRC
07:37 *** _cjones_ has joined #openstack-keystone
07:38 *** jistr has joined #openstack-keystone
07:41 *** e0ne has joined #openstack-keystone
07:42 *** _cjones_ has quit IRC
07:53 *** e0ne is now known as e0ne_
07:56 *** lhcheng has quit IRC
08:14 *** e0ne_ is now known as e0ne
08:14 *** davidckennedy has joined #openstack-keystone
08:17 *** fhubik has joined #openstack-keystone
08:25 *** e0ne is now known as e0ne_
08:26 *** e0ne_ is now known as e0ne
08:32 *** e0ne has quit IRC
08:50 *** fhubik is now known as fhubik_afk
08:56 *** pnavarro has joined #openstack-keystone
09:04 *** fhubik_afk is now known as fhubik
09:13 *** e0ne has joined #openstack-keystone
09:14 <openstackgerrit> Dave Chen proposed openstack/keystone: Fix the misuse of `versionutils.deprecated`  https://review.openstack.org/176646
09:29 *** d0ugal has quit IRC
09:29 *** d0ugal has joined #openstack-keystone
09:29 *** d0ugal is now known as Guest81472
09:31 *** e0ne is now known as e0ne_
09:34 *** fhubik is now known as fhubik_afk
09:35 *** aix has joined #openstack-keystone
09:35 *** e0ne_ is now known as e0ne
09:37 *** fhubik_afk is now known as fhubik
09:40 *** Guest81472 is now known as d0ugal2
09:47 *** d0ugal2 is now known as d0ugal
09:47 *** d0ugal has quit IRC
09:47 *** d0ugal has joined #openstack-keystone
09:51 *** josecastroleon has quit IRC
09:53 *** e0ne is now known as e0ne_
09:59 *** davechen1 has quit IRC
10:02 *** fhubik has quit IRC
10:02 *** fhubik has joined #openstack-keystone
10:03 <openstackgerrit> Ihar Hrachyshka proposed openstack/oslo.policy: Expose base check classes as part of public API  https://review.openstack.org/176683
10:03 *** e0ne_ has quit IRC
10:09 *** e0ne has joined #openstack-keystone
10:14 *** afazekas_ has quit IRC
10:19 *** samueldmq has joined #openstack-keystone
10:21 *** fhubik is now known as fhubik_afk
10:21 <samueldmq> morning
10:25 *** fhubik_afk is now known as fhubik
10:32 *** afazekas has joined #openstack-keystone
10:40 *** rushiagr is now known as rushiagr_away
10:50 *** fhubik is now known as fhubik_afk
10:51 <openstackgerrit> David Charles Kennedy proposed openstack/keystone-specs: Updated endpoint enforcement spec  https://review.openstack.org/174799
11:11 *** fhubik_afk is now known as fhubik
11:14 *** _cjones_ has joined #openstack-keystone
11:15 <openstackgerrit> David Charles Kennedy proposed openstack/keystone-specs: Updated endpoint enforcement spec  https://review.openstack.org/174799
11:19 *** _cjones_ has quit IRC
11:22 *** aix has quit IRC
11:22 *** fhubik is now known as fhubik_afk
11:26 *** jaosorior has joined #openstack-keystone
11:29 *** david-lyle has quit IRC
11:34 *** fhubik_afk is now known as fhubik
11:38 *** alex_xu_ has quit IRC
11:41 *** alex_xu has joined #openstack-keystone
11:43 *** josecastroleon has joined #openstack-keystone
11:57 *** bknudson has quit IRC
12:00 *** aix has joined #openstack-keystone
12:00 *** aix has quit IRC
12:00 *** aix has joined #openstack-keystone
12:04 *** e0ne is now known as e0ne_
12:05 *** david-lyle has joined #openstack-keystone
12:05 *** raildo has joined #openstack-keystone
12:09 *** tqtran has joined #openstack-keystone
12:14 *** tqtran has quit IRC
12:16 *** richm has joined #openstack-keystone
12:24 *** e0ne_ is now known as e0ne
12:27 *** gordc has joined #openstack-keystone
12:27 <openstackgerrit> Rodrigo Duarte proposed openstack/keystone-specs: New attributes for SAML assertion  https://review.openstack.org/174462
12:28 *** josecastroleon has quit IRC
12:31 *** david-lyle has quit IRC
12:34 *** fhubik is now known as fhubik_afk
12:38 *** fhubik_afk is now known as fhubik
12:39 *** ajayaa has quit IRC
12:49 *** krykowski has joined #openstack-keystone
12:50 <openstackgerrit> Marek Denis proposed openstack/python-keystoneclient: Refactor federation plugins.  https://review.openstack.org/176727
13:00 *** rushil has joined #openstack-keystone
13:00 *** bknudson has joined #openstack-keystone
13:00 *** ChanServ sets mode: +v bknudson
13:02 *** edmondsw has joined #openstack-keystone
13:03 *** _cjones_ has joined #openstack-keystone
13:05 *** davechen has joined #openstack-keystone
13:09 *** _cjones_ has quit IRC
13:10 <openstackgerrit> Marek Denis proposed openstack/python-keystoneclient: Refactor federation plugins.  https://review.openstack.org/176727
13:13 *** josecastroleon has joined #openstack-keystone
13:14 *** ayoung has joined #openstack-keystone
13:14 *** ChanServ sets mode: +v ayoung
13:16 *** davechen1 has joined #openstack-keystone
13:16 *** mattfarina has joined #openstack-keystone
13:19 *** davechen has quit IRC
13:23 *** joesavak has joined #openstack-keystone
13:25 *** e0ne has quit IRC
13:26 *** amakarov_away is now known as amakarov
13:26 *** davechen1 has left #openstack-keystone
13:27 *** e0ne has joined #openstack-keystone
13:28 <openstackgerrit> Ihar Hrachyshka proposed openstack/oslo.policy: Expose base check classes as part of public API  https://review.openstack.org/176683
13:29 *** fhubik has quit IRC
13:32 *** kiran-r has quit IRC
13:33 *** pnavarro has quit IRC
13:36 *** ihrachyshka has joined #openstack-keystone
13:36 *** kiran-r has joined #openstack-keystone
13:37 <ihrachyshka> hey all. can anyone clear up my confusion (and it seems, other teams too) on which term is blessed one - project or tenant?
13:44 <breton> ihrachyshka: project
13:46 <ihrachyshka> breton, ok. I am considering adding a new attribute to oslo.context, and it already has .tenant, so I choose between project_name and tenant_name: https://review.openstack.org/176333
13:46 <ihrachyshka> breton, should we plan for .tenant deprecation?
13:47 <breton> ihrachyshka: i'm not really sure, I was not around yet when the decision was done :) Maybe US folks will answer you in a couple of hours
13:48 <breton> *decision was made
13:56 <openstackgerrit> Marek Denis proposed openstack/python-keystoneclient-saml2: Refactor SAML2 auth plugins  https://review.openstack.org/176746
13:58 *** rdo has quit IRC
13:59 *** BAKfr has quit IRC
13:59 <openstackgerrit> Marek Denis proposed openstack/python-keystoneclient-saml2: Refactor SAML2 auth plugins  https://review.openstack.org/176746
14:00 *** rdo has joined #openstack-keystone
14:01 *** BAKfr has joined #openstack-keystone
14:08 *** ajayaa has joined #openstack-keystone
14:18 *** browne has joined #openstack-keystone
14:22 <openstackgerrit> Marek Denis proposed openstack/python-keystoneclient: Standardize federated auth token scoping  https://review.openstack.org/176759
14:24 *** rwsu has joined #openstack-keystone
14:29 *** rdo has quit IRC
14:32 *** stevemar has joined #openstack-keystone
14:32 *** ChanServ sets mode: +v stevemar
14:35 *** jistr is now known as jistr|mtg
14:42 *** rdo has joined #openstack-keystone
14:42 *** pnavarro has joined #openstack-keystone
14:43 *** davidckennedy has quit IRC
14:44 <openstackgerrit> Victor Stinner proposed openstack/python-keystoneclient: Enable test_auth_token_middleware() on Python 2  https://review.openstack.org/176778
14:48 <openstackgerrit> Marek Denis proposed openstack/python-keystoneclient-saml2: Refactor SAML2 auth plugins  https://review.openstack.org/176746
marekdstevemar: Hi Boss. Any idea how to solve my issue from the comment here: https://review.openstack.org/#/c/176746/3/keystoneclient_federation/v3/saml2.py ?14:50
*** josecastroleon has quit IRC14:57
dstanekmarekd: about the deprecation?14:58
marekddstanek: that's what i am basically asking about :-) Just a comment somewhere around is enough or some more actions need to be done ?14:59
*** ajayaa has quit IRC14:59
dstanekmarekd: if you want to eventually remove that default value and force one to be specified you'll have to issue a deprecation warning14:59
dstaneki would think you would go to where the DEFAULT_PROTOCOL is used and if it's the default then issue a warning15:00
marekddstanek: uh, that might be hard as i would imagine many people would like to use value which is now equal in DEFAULT_PROTOCOL15:01
openstackgerritMarek Denis proposed openstack/python-keystoneclient-saml2: Refactor SAML2 auth plugins  https://review.openstack.org/17674615:02
dstanekmarekd: you could change the value to be nonsense, issue the warning and then use the real default15:02
marekddstanek: hacky, but may work in fact. Ok, let me go that way.15:02
*** gordc has quit IRC15:03
*** gordc has joined #openstack-keystone15:03
dstanekhacky is my middle name!15:03
*** ihrachyshka has quit IRC15:03
marekdlet's see how others like this workaround. anyway, how do i add deprecation warning? :( I think i've never done in the past.15:04
*** zzzeek has joined #openstack-keystone15:05
*** csoukup has joined #openstack-keystone15:09
*** ajayaa has joined #openstack-keystone15:12
*** henrynash has joined #openstack-keystone15:13
*** ChanServ sets mode: +v henrynash15:13
stevemarmarekd, use @versionutils.deprecated ?15:14
marekdstevemar: all right15:14
marekdstevemar: i think ksc is more manual in that way15:16
marekdjust a comment is the way to do that...15:16
stevemarmarekd, no LOG.warning?15:17
dstanekmarekd: do we actually remove code without a warning and only a comment?15:17
marekdstevemar: LOG.warning() but not via versionutils.deprecated15:17
marekddstanek: ^^15:17
dstanekah15:18
dstanekthat's all versionutils.deprecated does - just give you a standard language for the message15:18
stevemaryep15:19
stevemardstanek, i think it uses the class / method name15:19
stevemarand other goodness15:19
stevemaryou added stuff to that i think... so why am i explaining it to you15:19
* dstanek wrote it! :-P15:20
*** bdossant has joined #openstack-keystone15:20
marekdhah15:20
*** vhoward- has quit IRC15:24
*** vhoward has joined #openstack-keystone15:24
*** david-lyle has joined #openstack-keystone15:29
*** rm_work|away is now known as rm_work15:29
openstackgerritMarek Denis proposed openstack/python-keystoneclient-saml2: Refactor SAML2 auth plugins  https://review.openstack.org/17674615:29
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements  https://review.openstack.org/17683315:30
stevemar:)15:30
stevemardstanek, didn't know you wrote it, i thought you added stuff... but good to know15:30
stevemardstanek, speaking of... https://review.openstack.org/#/c/176646/2/keystone/token/providers/common.py15:36
ayoungstevemar, morganfainberg, https://review.openstack.org/#/c/138519/  (Access info) passed check, but doesn't have the +1 from CI on it.  but it is ready for review, with a lot waiting on it15:37
morganfainberg.15:40
morganfainbergayoung, cool.15:41
morganfainbergayoung, thanks.15:41
dstanekstevemar: looking15:45
*** _cjones_ has joined #openstack-keystone15:53
dstanekmarekd: i just dug up https://review.openstack.org/#/c/130013/2/keystone/catalog/backends/sql.py for another review - i just deprecated in a unique way there15:53
*** gabrielbezerra is now known as gabriel-bezerra15:55
marekddstanek: what i ended up doing is something like that: https://review.openstack.org/#/c/176746/5/keystoneclient_federation/v3/saml2.py lines ~8015:56
*** david-lyle has quit IRC15:56
dstanekmarekd: deprecated as of when? when will it go away?15:56
marekddstanek: yeah, so this is where i need some help from more experienced colleagues.15:57
marekddstanek: usually there are 2 cycles in keystone15:57
*** _cjones_ has quit IRC15:57
marekddstanek: in ksc case that would be what...two releases too ?15:57
morganfainbergksc is harder to deprecate things15:58
morganfainbergbecause the general contract is "it works with any version of keystone"15:58
marekdmorganfainberg: it will in my case.15:58
marekdmorganfainberg: what i want to do is to make users specify one parameter and not rely on something default15:58
dstanekmorganfainberg: he's really deprecating something that affects plugin devs and should work regardless of keystone version15:59
marekddstanek: ++15:59
morganfainbergdstanek, hm15:59
morganfainbergi'll need to look at it.15:59
marekdhttps://review.openstack.org/#/c/176746/5/keystoneclient_federation/v3/saml2.py15:59
marekdmorganfainberg: ^^15:59
*** bdossant has quit IRC16:00
*** _cjones_ has joined #openstack-keystone16:01
*** gyee has joined #openstack-keystone16:03
*** ChanServ sets mode: +v gyee16:03
*** jsavak has joined #openstack-keystone16:04
*** joesavak has quit IRC16:06
*** pnavarro has quit IRC16:10
*** rm_work is now known as rm_work|away16:11
openstackgerritBaldemar Silva proposed openstack/pycadf: Add test to cover mask value for utils.mask_value  https://review.openstack.org/17647916:12
*** arunkant_ has joined #openstack-keystone16:16
*** aix has quit IRC16:17
*** jistr|mtg is now known as jistr16:18
*** lhcheng has joined #openstack-keystone16:19
*** ChanServ sets mode: +v lhcheng16:19
*** lhcheng_ has joined #openstack-keystone16:21
*** pnavarro has joined #openstack-keystone16:23
*** lhcheng has quit IRC16:23
*** kiran-r has quit IRC16:28
openstackgerritFernando Diaz proposed openstack/pycadf: Added a testcase to cover ValueError in tag.py  https://review.openstack.org/17690116:29
*** _cjones_ has quit IRC16:29
*** _cjones_ has joined #openstack-keystone16:31
morganfainbergmarekd, oh16:34
morganfainbergmarekd, this is fine we never did a release of this project16:34
morganfainbergmarekd, saml2/federation plugin can be mucked with at any point right now16:35
morganfainbergsince it's in its own repo16:35
*** e0ne has quit IRC16:36
*** jsavak has quit IRC16:36
*** jaosorior has quit IRC16:42
*** spandhe has joined #openstack-keystone16:42
*** jistr has quit IRC16:43
*** dramakri has joined #openstack-keystone16:46
*** alexsyip has joined #openstack-keystone16:47
*** dramakri has left #openstack-keystone16:47
*** sigmavirus24_awa is now known as sigmavirus2416:49
samueldmqmorganfainberg, ping - given that to have v3 auth on all services will require changes in clients, etc, I have a different plan to get there16:49
samueldmqmorganfainberg, starting by simply testing the services REST APIs directly (curl)16:50
morganfainbergsamueldmq, most clients use session16:50
morganfainbergthis should be a non issue really16:50
morganfainbergjust need the right endpoints passed.16:50
samueldmqmorganfainberg, see http://paste.openstack.org/show/205246/16:50
samueldmqmorganfainberg, hmm, nice ... will ease things16:50
morganfainbergyeah all clients should support v3 already16:50
morganfainbergfor auth16:50
samueldmqmorganfainberg, nice, and we're talking about v3 auth for L right ?16:51
morganfainbergyes.16:51
samueldmqmorganfainberg, or do you want further ?16:51
samueldmqah k16:51
morganfainbergwe should be able to run openstack w/ keystone v2 disabled in liberty16:51
samueldmqmorganfainberg, I was thinking if we could actually do this16:51
morganfainbergalmost everything should work with just v3 already16:52
samueldmqmorganfainberg, if we disable v2 completely, we'll be disabling auth + the other APIs16:52
samueldmqmorganfainberg, if someone did /tenants/xpto will need to do /projects/xpto , and I dunno if services are all prepared to fully support all the keystone v3 api16:53
samueldmqmorganfainberg, besides auth16:53
morganfainbergsamueldmq, correct16:53
morganfainbergsamueldmq, everything should work with v316:53
morganfainbergmost clients/services [except heat]16:53
morganfainbergdon't care about talking to keystojne16:53
morganfainbergkeystone*16:53
morganfainbergthey only care what is in the token16:53
samueldmqmorganfainberg, that's what I was suspecting, they just need a project id, and store resources bound to it16:54
samueldmqmorganfainberg, ++16:54
samueldmqmorganfainberg, did you see http://paste.openstack.org/show/205246/ ?16:55
samueldmqmorganfainberg, I think this bottom-up approach works well (starting at the rest apis and make sure incompatibilities instead of starting at the tempest/osclient)16:56
samueldmqmorganfainberg, let me know if you disagree/have any suggestion16:56
morganfainbergi think heat will break16:57
morganfainbergfwiw16:57
morganfainbergbut yes. that works16:58
samueldmqmorganfainberg, nice ! I am just bugging you more to make sure we will always be on right path16:58
morganfainbergme personally, i'm only focused on the "make devstack spin everything up using v3 apis only"16:58
morganfainberg:)16:58
samueldmqmorganfainberg, yeah, I know, that's the final goal anyway16:58
samueldmqmorganfainberg, just having a plan to get there incrementally16:59
samueldmqmorganfainberg, and have a way to delegate work :)16:59
morganfainbergoh no no. i'm a step below that16:59
morganfainbergthis is make it so if you tell devstack to use v3, it actually uses v3 to do the install17:00
morganfainbergnot some v2 some v3 and some other stuff randomly17:00
morganfainbergnot even to the point of "fix things to work with the v3 things"17:00
morganfainbergyour stuff is all spot on17:00
*** rushil has quit IRC17:02
samueldmqmorganfainberg, so 2 things: i) devstack deploys a full v3 auth working cloud so gate jobs can rely on it17:02
samueldmqmorganfainberg, ii) devstack uses v3 auth (I think it uses osclient) to setup everything17:02
morganfainbergyeah17:03
samueldmqmorganfainberg, and we want both, am I right ?17:03
morganfainbergyes. and we also want devstack to use v3 crud for bootstrapping the data in17:03
morganfainbergnot some v2 some v317:03
morganfainbergthat last bit is what i'm working on. so when you type ./stack.sh it doesn't rely on keystone v217:04
samueldmqmorganfainberg, ++ sure17:04
morganfainbergor some weird mix of v2/v317:04
samueldmqmorganfainberg, in my plan, after having tests/get all clients working on v3, we go to osclient17:04
*** rushil has joined #openstack-keystone17:04
samueldmqmorganfainberg, and after that, we'll have a fully v3 devstack cloud, and we can get i) and ii)17:04
morganfainbergosclient is just a cli btw17:05
samueldmqmorganfainberg, since devstack will just need to configure/use the v3 auth on clients17:05
morganfainbergand devstack uses osc for stuff17:05
samueldmqmorganfainberg, for everything ? not mixing other clients ?17:05
morganfainbergafaik it uses osc for its work17:05
morganfainbergremember osc uses all the other client libs17:06
*** gyee has quit IRC17:07
samueldmqmorganfainberg, yeah, that's why I am making sure all the clients work with v3 auth first17:07
*** rushiagr_away is now known as rushiagr17:07
morganfainbergthey should17:07
samueldmqI am not saying they wouldn't as we have today, but we need to make sure17:07
*** krykowski has quit IRC17:07
samueldmq:)17:07
morganfainbergjamielennox|away has done a ton of work for them to17:07
morganfainbergif they use session it should work.17:07
samueldmqyeah, I was thinking we will need him when looking at the clients17:08
samueldmqmorganfainberg, I will bug him to talk a bit more about it later, thx17:08
morganfainbergmy guess is everything will actually work with v317:08
samueldmqmorganfainberg, I hope too, and it makes sense to work17:09
samueldmqmorganfainberg, since middleware supports v3 and clients use sessions17:09
samueldmqmorganfainberg, sorry I need to go afk for a bit17:10
morganfainbergno worried17:10
morganfainbergworries*17:10
samueldmqo/17:10
*** tqtran has joined #openstack-keystone17:11
samleonayoung, hey17:13
ayoungsamleon !17:13
*** harlowja_away is now known as harlowja17:13
ayoungsamleon, get your patch to pass check!17:13
ayoungI! am! speak! ing! with! BANGS!17:13
samleonayoung, that's great!, sure, let me do that and appreciate for another review!17:14
*** openstackgerrit_ has joined #openstack-keystone17:14
*** openstackgerrit_ has quit IRC17:14
*** tqtran has quit IRC17:17
*** tqtran has joined #openstack-keystone17:18
*** browne has quit IRC17:20
*** kiran-r has joined #openstack-keystone17:34
*** jaosorior has joined #openstack-keystone17:36
dolphmayoung: o/ you left me hanging yesterday with an ellipsis on ldap identity vs heat in juno, do you remember your line of thinking?17:37
*** rm_work|away is now known as rm_work17:37
ayoungdolphm, I was trying to mine the email trail17:39
ayoungthe issue is with how usable multiple domains are, and for Juno...we couldn't have service users in non-default domains, right?17:40
ayoungwhich meant that non-service users (LDAP users) had to be in non-default domains...which Horizon can support17:40
dolphmayoung: right17:40
openstackgerritAlexander Makarov proposed openstack/keystone-specs: Materialized path for project hierarchy  https://review.openstack.org/17342417:41
ayoungand Keystone can support...not sure about the other services in the Juno time frame17:41
ayoungdolphm, but...assuming that you can put service users in LDAP, you could make the LDAP domain the default domain, and still have a SQL Identity backend17:41
ayoungthen heat could put temporary users in a non-default domain17:41
dolphmayoung: but not in juno, right?17:41
dolphmayoung: actually, that does make sense to me, if it works in juno17:43
*** cloudnull has joined #openstack-keystone17:44
*** claco has joined #openstack-keystone17:44
*** alextrcitiy has joined #openstack-keystone17:44
*** miguelgrinberg has joined #openstack-keystone17:45
ayoungdolphm, that should work in Juno...let's assume your installer is smart enough to set up LDAP with service users in an LDAP backend, you could then reconfig Keystone to make SQL the backend, but domain specific config for the LDAP backed domain be the default17:45
dolphmayoung: interesting; i hadn't thought about domain-specific config being used for the default domain at all...17:46
amakarovhenrynash, greetings! I've described the concept of moving sub-trees and eager to present it :) https://review.openstack.org/#/c/17342417:46
ayoungdolphm, the one part I have not tested is making a domain specific config the default domain ex-post-facto, but I think henrynash tried it17:46
dolphmmiguelgrinberg: did you just join, or do you have backlog?17:48
miguelgrinbergI don't have the backlog unfortunately17:48
dolphmmiguelgrinberg: copy pasta of the last few minutes w/ ayoung http://cdn.pasteraw.com/s7rharjaxlhco3x4dq3a93ug3d500e817:48
dolphmmiguelgrinberg: what i'm not familiar with at all is how heat ended up managing temporary users with v3. is heat creating temporary domains? or it just needs one domain to create temporary users in?17:50
*** BjoernT has joined #openstack-keystone17:50
miguelgrinbergdolphm: there is one domain, heat puts all its temp users in it17:50
dolphmBjoernT: o/17:50
dolphmBjoernT: backlog http://cdn.pasteraw.com/s7rharjaxlhco3x4dq3a93ug3d500e817:50
BjoernThey17:50
dolphmmiguelgrinberg: and its expected to be a non-default domain, correct?17:51
BjoernTit's right, we have no users outside of the default domain17:51
miguelgrinbergyes, it is expected. Not sure what happens if you set the config entry for that domain to "default" though17:51
BjoernTbut there is also a customer requirement to enable multi domain support in horizon which would mean we have users separated by domains17:52
dolphmmiguelgrinberg: so you configure heat with a domain ID to use, or something?17:52
miguelgrinbergyes, a domain name17:52
BjoernTbut I doubt this is working with ldap anyway17:52
miguelgrinbergusing anything other than keystone will require changes in heat17:52
BjoernTwe were configuring heat to use the domain id, not the name17:53
dolphmmiguelgrinberg: so as long as heat has free rein to manage users & projects in a single, arbitrary domain, it shouldn't have any issues17:53
dolphmthe best way to guarantee that is with a non-default SQL-backed domain17:53
dolphmBjoernT: good to know that it supports both17:53
*** e0ne has joined #openstack-keystone17:53
miguelgrinbergfor the creation of these temp users it should be fine, but there are other problems. You can't use auth plugins right now17:53
dolphmBjoernT: and using the domain ID would be slightly more efficient17:53
dolphmand more reliable!17:54
BjoernTyepp, no additional lookup17:54
dolphmmiguelgrinberg: the temp users can't use auth plugins? or?17:54
miguelgrinbergdolphm: heat can't17:54
*** saltsa has left #openstack-keystone17:54
miguelgrinberglet me find the launchpad bug17:54
dolphmi'd be curious what that's blocking17:55
miguelgrinbergdolphm: https://bugs.launchpad.net/heat/+bug/144691817:56
openstackLaunchpad bug 1446918 in heat "Heat uses keystone_authtoken for trustee user -can't do v3 auth" [Undecided,New]17:56
miguelgrinbergheat goes in the [keystone_authtoken] section and uses settings from there, it does not entirely rely on keystone to manage that17:56
dolphmah, so instead of owning its own config, it's just hijacking ours17:57
miguelgrinbergright17:57
*** amakarov is now known as amakarov_away17:59
dolphm... if we left config in paste pipelines, i don't think that would be possible ...17:59
bknudsonheat should stop doing that18:00
bknudsonnot a public interface18:00
*** e0ne is now known as e0ne_18:01
dolphmagree18:01
miguelgrinbergI think we all agree, there's consensus on the heat side as well18:01
bknudsonwe have all sorts of client configs in other server config files, so do something like what they do...18:02
bknudsone.g., nova for neutron, etc., and neutron for nova notifications18:02
dolphmmiguelgrinberg: cool. but i'm lost on how / if that poses an issue vs ldap identity?18:02
bknudsonseems like heat is going to require that keystone has a r/w domain.18:02
miguelgrinbergdolphm: so maybe this is my own lack of knowledge. I assumed you would use an auth plugin, which will require different set of args in [keystone_authtoken]18:03
bknudsonluckily keystone supports domain-specific backends.18:03
bknudsonheat should have a separate section for its own comm with keystone.18:03
BjoernTwasn't that  domain-specific backend support only in kilo?18:04
*** browne has joined #openstack-keystone18:04
bknudsonit should also be a different role that heat uses and we configure the policy to allow only whatever operations heat needs.18:04
*** kiran-r has quit IRC18:04
bknudsondon't make the mistake that nova and neutron made and require your user to have admin.18:05
BjoernTyes, currently we do use admin for heat...18:05
bknudsonBjoernT: domain-specific backends are in juno, also.18:05
dolphmmiguelgrinberg: that's correct18:06
bknudsonthe new feature in kilo is that you can create domain-specific backends using the REST API.18:06
*** e0ne_ has quit IRC18:06
BjoernTso all that means we can use a sqldb backend for heat only, already in Juno ?18:07
dolphmbknudson: but is the domain-specific backend support in juno sufficiently mature to have LDAP as the default domain, while backing all other domains to SQL?18:07
*** david-lyle has joined #openstack-keystone18:07
ayoungdolphm, Heat using temporary users in their own domain is yet another thing that I am somewhat responsible for suggesting.18:07
bknudsonwell, you really need SQL as the default domain18:07
dolphmayoung: i don't have an opinion on that behavior :P18:07
*** david-lyle_ has joined #openstack-keystone18:07
dolphmbknudson: why?18:08
BjoernTDebugging that issue left me with the impression that the missing domain id from the heat user causes this issue18:08
ayoungdolphm, it was the only way I could see to solve their problem18:08
bknudsonsince in juno and kilo the services don't really support v3 auth18:08
BjoernTit was reporting heat inside the default domain18:08
bknudsonso the service users need to be in the default domain18:08
dolphmBjoernT: the ldap driver *should* be returning a domain ID with all its users -- it's just not getting that attribute from LDAP18:08
BjoernTso mixing it with LDAP as the default domain might not work unless we get the domain id correctly reported for the heat user18:08
dolphmbknudson: right, that makes sense18:09
bknudsonif we had v3 everywhere then you could use any domain.18:09
ayoungWith V2, you will not get a domain, with V3, you will, even for something in the default domain18:09
BjoernTdolphm : Right, that's why heat was reported as default domain as well so how should it work for heat, if ldap does not support it and keystone won't lookup the heat specific configuration because all users are inside the default domain?18:10
ayoungthere may be a bug, but I know the code that does domain specific backends adds it in.  LDAP ID backend also reads the values out of the config file to fill in domain data18:10
bknudsonyour default domain is typically SQL, since you typically can't put service users in LDAP18:10
ayoungis the problem in token or list users?18:10
BjoernTIn our case we added the service users to ldap, just FYI18:11
dolphmBjoernT: oh awesome, that solves a constraint here18:12
bknudsonyou have more permissive ldap admins than most.18:12
morganfainbergi *think* heat is the last of the services doing something really wonky w/ auth that prevents v3 use18:12
morganfainbergi *think*18:12
BjoernTdolphm: we manually created them inside the AD18:12
richmI think Jamie Lennox was looking at heat and how it uses v3 auth18:13
*** e0ne has joined #openstack-keystone18:13
dolphmBjoernT: so then it sounds like you need to set [identity] domain_specific_drivers_enabled = True in keystone.conf and move the ldap configuration into /etc/keystone/domains/keystone.Default.conf18:14
bknudsonmorganfainberg: are keystoneclient stable/kilo releases open now? https://review.openstack.org/#/q/project:openstack/python-keystoneclient+branch:stable/kilo,n,z18:14
dolphmBjoernT: then create an arbitrary domain in keystone for use by heat, and then configure heat to use that domain you just created, which will be backed by sql18:14
bknudsonI heard that other clients were being released.18:14
morganfainbergbknudson, need to check w/ ttx on it but probably18:15
morganfainbergbknudson, there was a blocker18:15
*** gyee has joined #openstack-keystone18:15
*** ChanServ sets mode: +v gyee18:15
dolphmayoung: bknudson: does that sound right? ^ (keystone will default to the sql backend for domains without a domain-specific conf)18:15
ayoung1 sec18:15
morganfainbergdolphm, correct18:15
dolphmrichm: he definitely was, but i figure he's asleep at the moment :)18:15
morganfainbergdolphm, if you don't override a specific domain, it goes into the SQL backend18:15
morganfainbergdolphm, provided the driver is SQL not LDAP18:16
richmyeah, Jamie should be online in a few hours18:16
bknudsondolphm: if you create a domain it's going to be whatever's in your keystone.conf. Which I think should be SQL.18:16
morganfainbergif you have LDAP as the base driver... well don't ever expect domains18:16
bknudsonI also think if you're not using SQL as the driver in keystone.conf you won't be able to create domains?18:16
bknudsonsince LDAP only has one domain.18:16
morganfainbergbknudson, well domains are a resource/assignment thing18:17
morganfainbergand you can still create per-domain backends18:17
morganfainbergbut you can only ever have 1 SQL backed domain. so best bet is make the driver SQL and override specific domains for LDAP18:17
bknudsony, I agree with that.18:17
morganfainbergwith a per-domain identity store config18:17
morganfainbergand the default domain should be 100% workable with LDAP as a per-domain backend... *if* all the relevant users are loaded into that LDAP store for things that only do v218:18
bknudsonif we get tokenless auth you won't need service users.18:19
dolphm++18:19
morganfainbergbknudson, and we should get tokenless in Liberty :)18:19
bknudsonmaybe heat could take advantage of that.18:19
bknudsonheat should be its own idp18:19
bknudsonplug in that way18:20
morganfainbergbknudson, heat would need to work w/ normal tokens too. but tokenless would be way better.18:20
miguelgrinbergguys where can I find info on the tokenless auth? Sounds interesting, but know nothing about it18:20
gyee++tokenless :)18:21
gyeethere's a spec18:21
miguelgrinbergso it's work in progress18:21
gyeemiguelgrinberg, https://review.openstack.org/#/c/156870/18:22
miguelgrinberggyee: thanks18:23
gyeeis miguelgrinberg a reflection of morganfainberg?18:23
gyeejust curious18:23
miguelgrinberg:)18:23
bknudsonhe he18:23
miguelgrinbergyou know I always have to read his nick twice to make sure it's not me18:23
*** morganfainberg is now known as grebniafnagrom18:24
grebniafnagrombetter?18:24
gyeehah18:24
*** grebniafnagrom is now known as morganfainberg18:24
gyeeword scrambling18:24
clacoɯıƃnǝlƃɹıuqǝɹƃ18:24
dstanekhow quickly we get off topic in here :-)18:25
morganfainbergclaco, too bad can't use multi-byte chars for nicks18:25
*** csoukup has quit IRC18:25
gyeemiguelgrinberg, https://github.com/openstack/keystone-specs/blob/master/specs/backlog/keystone-tokenless-authz-with-x509-ssl-client-cert.rst18:25
morganfainberggyee, someone needs to move that to liberty18:25
gyeeI think we need to move it to Liberty once the patch gets in18:25
morganfainbergno before the patch goes in18:25
gyeek18:26
gyeelet me do18:26
*** e0ne is now known as e0ne_18:28
gyeethough tokenless auth does not support ephemeral users right now, but we can make it configurable18:28
*** jlk has left #openstack-keystone18:28
*** ashishjain has joined #openstack-keystone18:28
gyeeshould be trivial18:28
ashishjainHello.18:28
ashishjainI am stuck for quite sometime in a problem, need just one simple clue18:29
*** e0ne_ is now known as e0ne18:29
ashishjainIs it possible to get the tokens for all the users using admin token18:29
*** gyee has quit IRC18:30
*** david-lyle_ has quit IRC18:30
*** esp has left #openstack-keystone18:30
bknudsonthere wasn't a backport to stable/kilo keystonemiddleware for this CVE, so I posted one: https://review.openstack.org/#/q/Id674f40532215788675c97a8fdfa91d4420347b3,n,z18:30
ashishjainMy problem is to get all the instances for all the users and I do not want to give credential details for all the user18:30
morganfainbergoh hm.18:31
morganfainbergyeah18:31
*** BjoernT has left #openstack-keystone18:37
*** e0ne is now known as e0ne_18:40
dolphmashishjain: with regard to fetching other user's tokens: no, and that wouldn't be reliable anyway because there might not be active tokens for all users18:41
dolphmashishjain: nova client has an --all-tenants option (IIRC, someone can correct me on that) to do that if you have admin authorization18:42
dolphmashishjain: at least, in openstackclient it's exposed as "openstack server list --all-projects"18:43
*** e0ne_ is now known as e0ne18:44
ashishjaindolphm: So it means once I get an admin token I can always get details of all the instances using http://<host>:8774/v2/<tenant_id>/servers for all the tenants18:45
dolphmashishjain: i don't know what nova's HTTP API call is for that, but yes, any token with the "admin" role assignment included should work18:45
ashishjainand I just use X-Auth-Token as admin token18:45
ashishjainhttp://developer.openstack.org/api-ref-compute-v2.html#listServers18:45
ashishjaindolphm: The problem I am facing is I cannot list instance lists for another tenant using admin token18:49
dolphmashishjain: what do you mean by "admin token"?18:50
ashishjainSo this means for each username/password combination I need to first generate the auth token and then use that token for finding out instances under that tenant or user18:51
ashishjainadmin token is basically a user which has got admin privileges18:51
dolphmashishjain: one admin token should be able to list all instances in all tenants / projects in a single API call19:00
dolphmashishjain: i just wanted to make sure you weren't referring to keystone.conf's admin_token which is a different concept19:00
ashishjaindolphm: I am using passwordCredentials for admin user and generating a token19:02
ashishjainthen I am using it to list instances as pointed out earlier http://<host>:8774/v2/<tenant_id>/servers19:03
ashishjainI know the keystone.conf concept is for initially creating users etc19:03
dolphmashishjain: then your authorization should be correct, but i can't speak as to whether or not that's the correct HTTP API call or not. i use the client bindings to talk to nova myself19:03
ashishjainmy policy.json is default and which says "admin_required": "role:admin or is_admin:1"19:04
ashishjainI have created an admin role and added admin user to it19:04
ashishjainso that means the user is admin19:04
ashishjainBut I keep getting 401 unauthorised19:05
ashishjainbecause I am using a different tenant_id other than admin19:05
*** ayoung has quit IRC19:05
ashishjainand the token has been generated for user admin19:06
*** claco has left #openstack-keystone19:06
ashishjainand the moment I generate another set of token for the said tenant I am able to get all what I want19:06
ashishjainSo that means my admin user auth token is good for itself19:06
ashishjainand not for any other tenants19:07
ashishjainI have used the following guide to configure all the users19:10
ashishjainhttp://docs.openstack.org/juno/install-guide/install/apt/content/keystone-users.html19:10
*** _cjones_ has quit IRC19:12
dolphmashishjain: i suspect you're making the wrong api call to nova19:12
dolphmashishjain: but you do need to specify a tenant / project when authenticating with keystone in order to consume the admin role assignment19:13
*** rushiagr is now known as rushiagr_away19:14
ashishjaindolphm: Here is the payload I pass when authenticating to keystone19:15
ashishjainhttp://paste.openstack.org/show/205368/19:15
ashishjainand url used is http://192.168.56.57:5000/v2.0/tokens19:15
dolphmashishjain: looks good19:15
ashishjainnow I get a token19:15
ashishjainwhich is basically my X-Auth-Token19:15
ashishjainhttp://192.168.56.57:8774/v2/d8e084688c154c84b10afe0bccc2e406/servers19:16
ashishjainthis is the call to nova to list all the servers19:16
ashishjainthe token_id here is for a user called demo19:16
ashishjainI get 40119:16
ashishjainsorry tenant_id19:16
ashishjainnot token_id19:17
ashishjainWhat I try next is to include X-Auth-Token as a header I still get 40119:17
ashishjainthis is the tenant id for my admin tenant 9e1d18ac5e3b47e1b87c305c2d1a94ef19:18
*** browne has quit IRC19:18
ashishjainonce I use this all is well and no longer 20119:18
ashishjain*40119:18
*** browne has joined #openstack-keystone19:19
*** _cjones_ has joined #openstack-keystone19:19
dolphmashishjain: what does nova client do when you get an instance list with --all-tenants?19:19
ashishjainit lists me the instances19:21
ashishjainOS_AUTH_URL=http://openstackcontroller:35357/v2.019:21
ashishjainOS_USERNAME=admin19:21
ashishjainOS_TENANT_NAME=admin19:21
ashishjainif u see I am using all admin but still I am able to get instance list for demo tenant too19:21
ashishjainwhen I use --all-tenants option19:22
ashishjainCould this be a bug19:22
ashishjain?19:22
ashishjainThis is the response I get http://paste.openstack.org/show/205369/19:25
19:26 *** esp has joined #openstack-keystone
19:40 *** _cjones_ has quit IRC
19:44 <openstackgerrit> Merged openstack/pycadf: Add test to cover mask value for utils.mask_value  https://review.openstack.org/176479
19:50 *** tqtran has quit IRC
19:52 <openstackgerrit> Merged openstack/keystone: Updated from global requirements  https://review.openstack.org/176833
19:52 *** jaosorior has quit IRC
19:58 *** ajayaa has quit IRC
19:59 *** ashishjain has quit IRC
20:09 *** _cjones_ has joined #openstack-keystone
20:15 *** Ephur has quit IRC
20:19 *** ayoung has joined #openstack-keystone
20:19 *** ChanServ sets mode: +v ayoung
20:24 <openstackgerrit> gordon chung proposed openstack/pycadf: drop audit middleware  https://review.openstack.org/176969
20:26 *** e0ne is now known as e0ne_
20:27 *** e0ne has joined #openstack-keystone
20:30 <morganfainberg> RC2 should be tagged and released
20:37 *** tqtran has joined #openstack-keystone
20:43 <openstackgerrit> Dolph Mathews proposed openstack/keystone: Refactor: remove unused arguments from method signature  https://review.openstack.org/176976
20:44 *** ayoung has quit IRC
20:45 *** ayoung has joined #openstack-keystone
20:45 *** ChanServ sets mode: +v ayoung
20:45 <dolphm> morganfainberg: just approved this then noticed you had outstanding concerns from a previous patchset https://review.openstack.org/#/c/141854/
20:45 *** raildo has quit IRC
20:45 <morganfainberg> dolphm, will look in a moment..
20:46 <morganfainberg> fighting expense report system for the next couple minutes
20:46 <dolphm> morganfainberg: be strong, i believe in you
20:46 <morganfainberg> i think my concerns might have been addressed. but i'll +A it once i look.
20:46 <morganfainberg> dolphm, hah.
20:46 <morganfainberg> dolphm, expense reports... always painful
20:47 *** e0ne has quit IRC
20:48 <samueldmq> dolphm, morganfainberg I also had concerns on that change back in patch set 13 ... my concerns still apply
20:48 <samueldmq> I put a comment in there, will let morgan decide what way to go
20:48 <samueldmq> thanks
20:51 *** samueldmq has quit IRC
21:01 *** mattfarina has quit IRC
21:12 *** pnavarro has quit IRC
21:12 *** vhoward has quit IRC
21:13 *** vhoward has joined #openstack-keystone
21:17 <openstackgerrit> gordon chung proposed openstack/pycadf: drop audit middleware  https://review.openstack.org/176969
21:19 <openstackgerrit> Steve Martinelli proposed openstack/pycadf: Add trove conf file to setup.cfg  https://review.openstack.org/176988
21:20 *** tqtran_ has joined #openstack-keystone
21:21 *** tqtran has quit IRC
21:23 *** vhoward has quit IRC
21:24 *** vhoward has joined #openstack-keystone
21:24 *** pnavarro has joined #openstack-keystone
21:26 *** mwhahaha has joined #openstack-keystone
21:33 <ayoung> dolphm, sorry, I've been in SAML/ECP-land all day.  I just read what you wrote and it looks right
21:35 <ayoung> anyone know how to get debugging output from a sample python script using KC and auth plugins?
21:35 <ayoung> actually, I am not even creating a client, just doing:
21:35 <ayoung> response = self.saml2plugin.get_auth_ref(self.session)
21:38 <morganfainberg> dolphm, yah, my concerns are not addressed
21:39 <morganfainberg> dolphm, unless we're getting rid of TRL support (don't think we can) this isn't a compatible change
21:39 * morganfainberg goes back to fighting travel and expense systems.
21:48 *** gyee has joined #openstack-keystone
21:48 *** ChanServ sets mode: +v gyee
21:50 *** samueldmq has joined #openstack-keystone
21:54 *** mwhahaha has left #openstack-keystone
21:54 *** lhcheng_ is now known as lhcheng
21:54 *** ChanServ sets mode: +v lhcheng
21:55 *** rm_work is now known as rm_work|away
22:02 *** rushil has quit IRC
22:09 *** openstackstatus has quit IRC
22:10 *** pnavarro has quit IRC
22:19 *** sigmavirus24 is now known as sigmavirus24_awa
22:25 *** browne has quit IRC
22:26 <openstackgerrit> gordon chung proposed openstack/pycadf: drop audit middleware  https://review.openstack.org/176969
22:27 *** arunkant_ has quit IRC
22:31 <openstackgerrit> guang-yee proposed openstack/keystone-specs: Tokenless authz with X.509 SSL client cert  https://review.openstack.org/177019
22:33 *** bknudson has quit IRC
22:33 *** browne has joined #openstack-keystone
22:33 <openstackgerrit> Merged openstack/pycadf: Added a testcase to cover ValueError in tag.py  https://review.openstack.org/176901
22:36 *** gordc has quit IRC
22:41 *** edmondsw has quit IRC
22:44 *** tqtran_ has quit IRC
22:48 *** tqtran has joined #openstack-keystone
22:55 *** arunkant_ has joined #openstack-keystone
23:14 *** tqtran_ has joined #openstack-keystone
23:15 *** tqtran has quit IRC
23:17 *** tqtran has joined #openstack-keystone
23:18 *** arunkant_ has quit IRC
23:20 *** browne has quit IRC
23:22 *** tqtran has quit IRC
23:34 *** tqtran_ has quit IRC
23:42 *** ncoghlan has joined #openstack-keystone
23:47 *** tqtran has joined #openstack-keystone
23:55 *** tqtran_ has joined #openstack-keystone
23:57 *** tqtran has quit IRC
