Monday, 2015-04-27

00:14 <stevemar> bknudson, dstanek when y'all get a chance.. https://review.openstack.org/#/c/177620/
00:14 <bknudson> stevemar: not passing jenkins.
00:15 <bknudson> seems like we should pick a standard name for the config file gen tox env.
00:15 <stevemar> it's a requirement failing to download, don't think it's related to the change
00:15 <bknudson> e.g., I think nova uses genconfig
00:15 <stevemar> bknudson, yeah. i noticed that last week
00:15 <stevemar> ML topic?
00:15 <bknudson> sure
00:16 <bknudson> it doesn't matter to me which is used, just should be consistent.
00:21 <stevemar> y, i'm of the same opinion
00:25 <stevemar> bknudson, jenkins is failing cause of HTTP error 404 while getting http://pypi.DFW.openstack.org/packages/2.7/s/sphinxcontrib-blockdiag
00:34 *** dims_ has quit IRC
00:34 *** samueldmq has quit IRC
00:57 *** stevemar has quit IRC
01:06 <openstackgerrit> Merged openstack/keystone: pep8 whitespace changes https://review.openstack.org/177402
01:08 <openstackgerrit> Merged openstack/keystone: Fixes order of imports for pep8 https://review.openstack.org/177403
01:16 *** sigmavirus24_awa has quit IRC
01:16 *** Trozz_ has quit IRC
01:17 *** Trozz has joined #openstack-keystone
01:20 *** ctracey has quit IRC
01:20 <openstackgerrit> Merged openstack/keystone: Ignore multiple imports per line for six.moves https://review.openstack.org/177404
01:22 *** sigmavirus24_awa has joined #openstack-keystone
01:22 *** ctracey has joined #openstack-keystone
01:23 <breton> that feel when I open a book about blue gene/p and see Brant Knudson
01:23 <breton> in authors
01:32 <openstackgerrit> Merged openstack/keystone: Replaced filter with a list comprehension https://review.openstack.org/177405
01:32 *** erkules_ has joined #openstack-keystone
01:35 *** erkules has quit IRC
01:53 *** stevemar has joined #openstack-keystone
01:53 *** ChanServ sets mode: +v stevemar
01:58 *** lhcheng has joined #openstack-keystone
01:58 *** ChanServ sets mode: +v lhcheng
02:12 *** lhcheng has quit IRC
02:13 <morganfainberg> hm.
02:18 <stevemar> morganfainberg, ?
02:18 <morganfainberg> was checking my connection
02:18 <morganfainberg> typing from ~35k ft sometimes means icky connection
02:29 *** davechen has joined #openstack-keystone
02:31 <morganfainberg> stevemar: do you happen to have the etherpad for liberty priorities?
02:31 <morganfainberg> stevemar: my history seems to have disappeared. i can hunt through logs if you don't have it ready
02:32 <stevemar> let me see if it's in my history
02:35 <morganfainberg> stevemar, found it
02:35 <morganfainberg> stevemar: https://etherpad.openstack.org/p/keystone-liberty-priority-specs
02:35 <stevemar> morganfainberg, oops, sorry - got distracted by twitter
02:35 <morganfainberg> nice
02:38 <morganfainberg> stevemar: i see how it is...
02:38 <morganfainberg> stevemar: :P
02:39 <stevemar> morganfainberg, blame sigmavirus24_awa he's the one distracting me
02:48 *** lhcheng has joined #openstack-keystone
02:48 *** ChanServ sets mode: +v lhcheng
02:53 *** spandhe has quit IRC
02:55 *** lhcheng has quit IRC
03:48 *** sudorando has quit IRC
03:50 *** sudorandom has joined #openstack-keystone
03:56 *** henrynash has quit IRC
03:56 *** henrynash has joined #openstack-keystone
03:56 *** ChanServ sets mode: +v henrynash
03:58 *** arif-ali has quit IRC
04:01 <morganfainberg> stevemar: suuuuure
04:05 <stevemar> morganfainberg, landed yet?
04:05 <morganfainberg> yeah
04:05 <morganfainberg> all checked in and in my hotel room
04:30 *** ChanServ changes topic to "Liberty Development Open | RC2 For Kilo has been tagged, please look for any new RC blockers | Review Liberty Specs | Provide feedback on Liberty Priorities: https://etherpad.openstack.org/p/keystone-liberty-priority-specs"
04:30 *** ChanServ changes topic to "Liberty Development Open | Review Liberty Specs | Provide feedback on Liberty Priorities: https://etherpad.openstack.org/p/keystone-liberty-priority-specs"
04:51 *** lhcheng has joined #openstack-keystone
04:51 *** ChanServ sets mode: +v lhcheng
05:09 *** browne has joined #openstack-keystone
05:11 *** Trozz has quit IRC
05:12 *** Trozz has joined #openstack-keystone
05:13 *** ncoghlan has joined #openstack-keystone
05:33 *** wolsen_ is now known as wolsen
05:37 *** lhcheng has quit IRC
05:41 *** lhcheng has joined #openstack-keystone
05:41 *** ChanServ sets mode: +v lhcheng
05:46 *** lhcheng has quit IRC
06:03 *** kiran-r has joined #openstack-keystone
06:11 *** mflobo has joined #openstack-keystone
06:16 *** mabrams has joined #openstack-keystone
06:21 *** afazekas has joined #openstack-keystone
06:24 *** e0ne has joined #openstack-keystone
06:27 *** stevemar has quit IRC
06:28 *** e0ne has quit IRC
06:30 *** mabrams1 has joined #openstack-keystone
06:30 *** mabrams1 has left #openstack-keystone
06:34 <marekd> Good morning.
06:40 <jamielennox> marekd: hey
06:40 <marekd> jamielennox: hi!
06:41 <jamielennox> marekd: i was away for the end of last week - however those saml2 review
06:41 <jamielennox> s
06:41 <marekd> jamielennox: heh, i messed up a little bit.
06:42 <marekd> jamielennox: there is an 'interface' like class in ksc already, and i'd like it to stay there.
06:42 <jamielennox> marekd: ok, so you've seen v2/auth/federated? that's pretty much what i was going to point you to
06:42 *** lhcheng has joined #openstack-keystone
06:42 *** ChanServ sets mode: +v lhcheng
06:42 <marekd> jamielennox: unless you are super-against it.
06:42 <marekd> jamielennox: yes, i noticed it on Friday 6pm.
06:43 <jamielennox> heh, yea that happens
06:43 <marekd> jamielennox: anyway, are we ok to remove saml2.py from ksc, simply move to ksc-saml2 and cut new version of ksc?
06:43 <marekd> saying "from now on, download another repo" ?
06:43 <jamielennox> i don't know if we're allowed to remove it from ksc
06:43 <jamielennox> it might be that we have to deprecate it
06:44 <jamielennox> however with the creation of ks auth repo that's another nail in the coffin
06:44 <marekd> jamielennox: uh.
06:45 <marekd> jamielennox: ok, i will fix the reviews, leave both plugins (in ksc and ksc-saml2).
06:46 <jamielennox> the existing one in ksc will just stay there for a while and go into maintenance mode like the auth_token middleware that is still in keystoneclient
06:46 <jamielennox> i'm not sure how we'll handle the stevedore entry points yet, but we're going to have to deal with that for ksa anyway
06:47 <marekd> ksa repo doesn't exist yet, does it?
06:47 <jamielennox> i think it's still waiting for infra
06:47 <jamielennox> normally they process those things on a friday so i was hoping it would be done by now
06:48 <marekd> jamielennox: unless it's not called https://github.com/openstack/python-keystoneclient-auth, it's not there.
06:48 <jamielennox> even once infra creates the repos it will still take a while before we're ready to do a release
06:49 <marekd> jamielennox: so, eventually ksc-saml2 should have ksa as dependency, right?
06:50 <jamielennox> right
06:50 <jamielennox> for ksc-saml2 (though we might need to rename again to ksa-saml2) it won't make much difference
06:50 <marekd> right
06:51 <jamielennox> the change to ksa means we get to change some interfaces and drop some old code, but the stuff around session/auth will move more or less as is
06:51 <marekd> OK
06:56 *** Bsony has joined #openstack-keystone
07:02 *** lhcheng has quit IRC
07:12 <marekd> jamielennox: still here?
07:12 <marekd> jamielennox: I just wanted to ask what's the plan for deprecation method in ksc ?
07:13 <marekd> jamielennox: are you going to pursue https://review.openstack.org/#/c/147026/ ?
07:16 *** Nakato has quit IRC
07:16 *** Nakato has joined #openstack-keystone
07:16 <jamielennox> marekd: yea, i think it should just go in as is
07:17 <marekd> w/o debtcollector ?
07:17 <jamielennox> i'll bring it up with dolphm when i see him, but i don't want to add a new dependency
07:17 <jamielennox> yea
07:17 <jamielennox> debtcollector is pretty simple, it'd give much the same functionality
07:18 <jamielennox> if we ever need it we'll add it but we've had trouble with having so many dependencies i think it's easiest just to wait on that
07:18 <marekd> hm, i will put this patch as a dependency and deprecate the auth plugins then.
07:18 <jamielennox> deprecation is relatively easy - removal almost impossible
07:18 <marekd> which makes some mess in the code (lots of code that is not used and simply must sit in the codebase)
07:19 <jamielennox> right
07:19 <jamielennox> hopefully breaking out ksa will mean a lot less people actually rely on ksc
07:19 <marekd> think so.
07:19 <jamielennox> because there aren't many consumers of the actual CRUD
07:20 <marekd> jamielennox: one more thing - k2k auth plugin - i'd put it in ksc-saml2 just because it's saml2 specific plugin, some ppl argue it's ok to leave it in ksc as it doesn't have any heavy deps (like lxml).
07:20 <marekd> What's your opinion on that?
07:20 *** browne has quit IRC
07:22 <jamielennox> marekd: i want to say that saml2 is an implementation detail of something we do actually want in ksc and that if we don't actually do any xml stuff then it should be fine in ksc
07:22 <jamielennox> my problem at the moment is that i don't know how it's supposed to work
07:23 <jamielennox> the plugin that is up for review - i cannot imagine how you are supposed to use that with like OSC
07:23 <marekd> jamielennox: oh, that one....OSC would need to combine two plugins
07:23 <jamielennox> or if that's even something we would want to do in the k2k case
07:23 <jamielennox> marekd: right - so given the ksa/ksc split - would k2k live in ksa or ksc?
07:24 <marekd> ksa
07:24 <jamielennox> it's a plugin so ksa, but it involves talking to CRUD so it's ksc
07:24 *** krykowski has joined #openstack-keystone
07:24 <jamielennox> unless they are defining that you fetch the K2K saml packet on the AUTH_INTERFACE - which makes sense but i haven't seen
07:25 <jamielennox> because you have to scope to a project before you can fetch the saml
07:25 <marekd> jamielennox: i think it's okay to expect user to know some information prior to auth
07:25 <marekd> like SP
07:25 <jamielennox> sure, i don't mind that
07:26 *** markvoelker has joined #openstack-keystone
07:26 <jamielennox> i mean, i don't like the redundancy and if the server knows that information i'd prefer it provide it than have the client specify each time
07:26 <jamielennox> but i think we want K2K to be as close to a standard ECP exchange as possible
07:26 <marekd> which information do you mean?
07:27 <jamielennox> in one of the plugins we were discussing as to whether one of the urls (i thought maybe sp) could be returned as a header along with the saml data
07:27 <jamielennox> but i can't remember what came of that discussion
07:28 <marekd> jamielennox: oh, yes. and the urls are returned.
07:28 <marekd> but you still need to know the *name* (defined in the Keystone) of the SP
07:28 <jamielennox> cool - so for example i want to use that rather than have the user supply something that keystone already knows
07:28 <jamielennox> that's all i meant
07:28 <marekd> allright.
07:29 <jamielennox> so what do you think the K2K plugin would look like?
07:30 <jamielennox> --os-auth-plugin=k2k --os-inner-plugin-password --os-username XXX --os-auth_url XXXX --os-sp-url XXX ?
07:30 <jamielennox> --os-auth-plugin=k2k --os-inner-plugin=password --os-username XXX --os-auth_url XXXX --os-sp-url XXX ?
07:30 <marekd> i was about to write that we need design implementing something like --os-inner-plugin
07:30 *** markvoelker has quit IRC
07:31 <marekd> and maybe not --os-sp-url but --os-sp
07:31 <jamielennox> so the way that get_options() work we might be able to do some sort of prefix like --os-inner-username
07:31 <jamielennox> (need something better than inner obviously)
07:33 <jamielennox> marekd: is there any collision between the local keystone and remote keystone params?
07:34 <jamielennox> i haven't looked for a while - but do you respecify a project_id on remote or is that handled via mapping?
07:35 <marekd> jamielennox: you gen unscoped token and need to scope it again.
07:35 <marekd> projects will not have much in common
07:35 <jamielennox> right - of course, everything that goes through OS-FEDERATED must be unscoped initially
07:36 <jamielennox> it just leads to an interesting situation where you have to provide 2 different project ids or other scoping data
07:37 <marekd> which is very uncomfortable for me.
07:37 <marekd> because this is slowly going away from "request-response" model
07:38 <marekd> and becomes kind of "transactional workflow, with many queries and parameters specified in the runtime"
07:38 <jamielennox> oh yea - particularly in the CLI case we're up to like 5 or 6 requests just to do the initial auth - and OSC doesn't cache it
07:39 <jamielennox> it makes me think i made a mistake in combining unscoped and scoped tokens in ksc - but i don't think there is anything i can do about it
07:39 <marekd> in OS-FEDERATION or generally ?
07:39 <jamielennox> generally
07:39 <jamielennox> well we did it generally which impacted the design for OS-FEDERATION
07:40 <jamielennox> to make federated plugins look like regular plugins
07:40 <marekd> hm, scoping the token internally is quite easy, the problem is that you still need to put local-project-id, remote-project-id and so on.
07:40 <jamielennox> right - yep let's ignore that design problem - i don't see any way to change it now
07:41 <jamielennox> so we can handle prefixes
07:41 <marekd> I predict soon we will need to design something for "multi token" clients.
07:41 <jamielennox> each plugin has its register_conf_options or whatever and we could make some way that they could handle it for an inner plugin
07:42 <jamielennox> marekd: i was thinking about multi token a while ago
07:42 <marekd> jamielennox: and what was the conclusion ?
07:42 <jamielennox> marekd: what i have for now is that session and auth plugin are the only thing with any state, creating a client with that is cheap
07:43 <jamielennox> so what i have for now is create a session standalone, create 3 plugins that you need, create 3 clients that share a session and have a unique auth plugin
07:43 <marekd> where auth plugin keeps the token
07:43 <jamielennox> it's not great but it actually solves a lot of problems for us in not having to have a client juggle auth
07:44 <jamielennox> because otherwise you have to find some way to specify a plugin when making a request, and for all clients - it's a mess
07:44 <jamielennox> marekd: right - auth plugins always hold the token data
07:44 <jamielennox> so 1 client object per token
07:45 <jamielennox> make the users have multiple clients and hope that the SDK comes along with something that can operate at a higher level
07:46 *** pnavarro has joined #openstack-keystone
07:46 *** Bsony has quit IRC
07:46 <marekd> makes sense.
07:49 *** marekd has left #openstack-keystone
07:49 *** marekd has joined #openstack-keystone
07:50 <marekd> jamielennox: FYI, I am also starting to think about some usecases like "inter cloud image sharing"
07:50 <marekd> jamielennox: (well, that's something management wants me to do, not my "because i am bored" idea)
07:51 <marekd> jamielennox: ideally you would command glance-a to fetch available image from glance-b (federated clouds), and the identity part is somewhat non obvious
07:52 <jamielennox> hmm, that'll be interesting because you need to do permissions across clouds right?
07:52 <marekd> jamielennox: i'd reuse k2k
07:52 <jamielennox> marekd: right, i mean you can download from one cloud and upload to another using k2k
07:52 <marekd> as an identity layer across the clouds, and the mapping on the remote cloud
07:53 <jamielennox> but to get glance to talk directly to another glance you'd need some sort of permissions?
07:53 <marekd> jamielennox: exactly
07:53 <jamielennox> or nova in one cloud to glance in another
07:53 <jamielennox> that's.... going to be interesting
07:53 <marekd> the way you say that means "you are doomed, good luck"
07:54 <marekd> :-)
07:54 <marekd> or "that's interesting, but i am happy i am not the one who is going to do that"
07:55 <marekd> anyway, i'd like to two glances connect directly
07:56 <marekd> not push it through poor client
07:57 <jamielennox> heh, i'm happy throw advice from the sidelines
07:57 <marekd> do you have any right now? :-)
07:57 *** jistr has joined #openstack-keystone
07:58 <jamielennox> new employment?
07:58 <marekd> i am afraid i didn't understand.
07:58 <jamielennox> heh, i don't know, i haven't got that far yet
07:58 <jamielennox> i don't know how much of a client issue it will be
07:58 <jamielennox> i think more likely it will be a signalling issue
07:59 *** rm_work has quit IRC
07:59 <marekd> so, ksm is built on top of ksc, right?
07:59 *** rm_work|away has joined #openstack-keystone
07:59 *** rm_work|away is now known as rm_work
07:59 *** rm_work has joined #openstack-keystone
08:01 <jamielennox> if you have the remote points (or a way to find them) in your catalog, you need a way to tell nova to go to the other cloud to get images rather than the local one
08:01 <jamielennox> we might be able to build that in to discover
08:01 <jamielennox> but you'd need a way to name the remote endpoints that uniquely identified them
08:01 <jamielennox> like via regions or something
08:01 <jamielennox> and then a way to tell nova that
08:01 <jamielennox> none of which i think exists
08:01 <jamielennox> i have to run - but interesting problem and i'll have more of a think
08:01 <marekd> jamielennox: ok.
08:02 <marekd> cheers
08:04 *** henrynash has quit IRC
08:04 *** fhubik has joined #openstack-keystone
08:05 *** lhcheng has joined #openstack-keystone
08:05 *** ChanServ sets mode: +v lhcheng
08:06 *** openstackstatus has joined #openstack-keystone
08:06 *** ChanServ sets mode: +v openstackstatus
08:10 -openstackstatus- NOTICE: Restarting gerrit because it stopped sending events (ETA 15 mins)
08:13 *** openstackgerrit has quit IRC
08:16 *** openstackgerrit has joined #openstack-keystone
08:17 *** ncoghlan has quit IRC
08:27 *** markvoelker has joined #openstack-keystone
08:32 *** markvoelker has quit IRC
08:39 *** fhubik is now known as fhubik_afk
08:39 *** jaosorior has joined #openstack-keystone
08:42 *** lhcheng has quit IRC
08:45 *** erkules_ is now known as erkules
08:45 *** erkules has quit IRC
08:45 *** erkules has joined #openstack-keystone
08:54 *** fhubik_afk is now known as fhubik
08:58 *** aix has joined #openstack-keystone
08:59 *** e0ne has joined #openstack-keystone
09:10 *** ajayaa has joined #openstack-keystone
09:10 *** e0ne has quit IRC
09:13 *** e0ne has joined #openstack-keystone
09:22 *** davechen has left #openstack-keystone
09:25 *** fhubik is now known as fhubik_afk
09:27 <openstackgerrit> Victor Stinner proposed openstack/python-keystoneclient: Remove discover, iso8601 and oslotest dependencies https://review.openstack.org/177687
09:27 *** markvoelker has joined #openstack-keystone
09:29 *** fhubik_afk is now known as fhubik
09:31 *** henrynash has joined #openstack-keystone
09:31 *** ChanServ sets mode: +v henrynash
09:34 <openstackgerrit> Victor Stinner proposed openstack/python-keystoneclient: Remove keystoneclient.middleware https://review.openstack.org/177694
09:36 *** markvoelker has quit IRC
09:44 *** fhubik is now known as fhubik_afk
09:46 *** fhubik_afk is now known as fhubik
09:58 <openstackgerrit> Victor Stinner proposed openstack/keystonemiddleware: Port keystonemiddleware to Python 3 https://review.openstack.org/177701
10:06 <openstackgerrit> Marek Denis proposed openstack/python-keystoneclient: Rename v3/federated.py to federation.py https://review.openstack.org/177704
10:12 <openstackgerrit> Marek Denis proposed openstack/python-keystoneclient: Add docstrings for ``protocol`` parameter https://review.openstack.org/177303
10:14 *** dims has joined #openstack-keystone
10:28 *** markvoelker has joined #openstack-keystone
10:32 *** samueldmq has joined #openstack-keystone
10:32 <samueldmq> morning
10:33 *** markvoelker has quit IRC
10:33 <morganfainberg> Zzzzz
10:33 <morganfainberg> I think I hate waking up at 0600
10:33 *** jsheeren has joined #openstack-keystone
10:34 <morganfainberg> samueldmq: mornin.
10:36 <samueldmq> morganfainberg, haha I thought it was earlier there where you are :) it's 7 36 am here
10:38 *** henrynash has quit IRC
10:49 <morganfainberg> I'm on the east coast of the U.S. This week.
10:50 <samueldmq> ah, so closer to us from Brazil, in terms of tz
10:51 <samueldmq> and maybe the reason you woke up earlier, tz always messing things up :p
10:59 *** fhubik is now known as fhubik_afk
11:05 *** afazekas has quit IRC
11:05 *** henrynash has joined #openstack-keystone
11:05 *** ChanServ sets mode: +v henrynash
11:06 *** josecastroleon has quit IRC
11:06 *** josecastroleon has joined #openstack-keystone
11:07 *** e0ne is now known as e0ne_
11:07 *** e0ne_ is now known as e0ne
11:08 *** josecastroleon has quit IRC
11:19 *** e0ne is now known as e0ne_
11:20 <morganfainberg> samueldmq: I wake up at 0600ish every day.
11:20 <morganfainberg> Sometimes I go back to sleep. ;)
11:21 *** afazekas has joined #openstack-keystone
11:22 <samueldmq> morganfainberg, hahaha :-) for me the same, but don't go back to sleep :p
11:23 <samueldmq> morganfainberg, have to take my kid to school hehe
11:26 <samueldmq> henrynash, hello, you around ?
11:29 <breton> good day, folks
11:29 *** e0ne_ has quit IRC
11:29 *** markvoelker has joined #openstack-keystone
11:30 <samueldmq> breton, hey morning :)
11:32 <marekd> hi
11:33 *** markvoelker has quit IRC
11:38 *** markvoelker has joined #openstack-keystone
11:48 <openstackgerrit> Marek Denis proposed openstack/python-keystoneclient-saml2: Refactor SAML2 auth plugins https://review.openstack.org/176746
11:48 <samueldmq> henrynash, I was taking a look at dynamic policies and would like to talk about hierarchical roles ...
11:48 *** chmouel has quit IRC
11:48 <openstackgerrit> Marek Denis proposed openstack/python-keystoneclient-saml2: Standardize federated auth token scoping https://review.openstack.org/177227
11:50 *** chmouel has joined #openstack-keystone
11:52 *** fhubik_afk is now known as fhubik
11:53 *** fhubik is now known as fhubik_afk
11:54 *** afazekas has quit IRC
11:57 *** chmouel_ has joined #openstack-keystone
11:57 *** chmouel has quit IRC
11:59 *** e0ne has joined #openstack-keystone
12:00 <openstackgerrit> Marek Denis proposed openstack/python-keystoneclient: Rename v3/federated.py to v3/federation.py https://review.openstack.org/177704
12:01 <openstackgerrit> Marek Denis proposed openstack/python-keystoneclient: Add docstrings for ``protocol`` parameter https://review.openstack.org/177303
12:02 *** krykowski has quit IRC
12:03 *** krykowski has joined #openstack-keystone
12:05 *** krykowski has quit IRC
12:05 *** krykowski has joined #openstack-keystone
12:06 *** openstackgerrit has quit IRC
12:06 *** openstackgerrit has joined #openstack-keystone
12:07 *** afazekas has joined #openstack-keystone
12:14 *** htruta has joined #openstack-keystone
12:18 *** Ctina_ has joined #openstack-keystone
12:19 <henrynash> samueldmq: hi
12:20 *** fhubik_afk is now known as fhubik
12:22 *** jsheeren has quit IRC
12:23 <samueldmq> morganfainberg, dolphm <andreaf> samueldmq, kiran-r: there are n-net and neutron identity v3 jobs defined in tempest experimental queue, you can also check the generated tempest.conf for them, e.g. http://logs.openstack.org/81/153681/40/experimental/check-tempest-dsvm-keystonev3-full/a7526e2/logs/tempest_conf.txt.gz
12:23 <samueldmq> henrynash, hi :)
12:24 <henrynash> samueldmq: dynamic policy….
12:24 <samueldmq> henrynash, so basically I think the hierarchical roles could be split from dynamic policies
12:24 <samueldmq> henrynash, since they're about the granularity we give to users (as well as domain-roles)
12:24 <henrynash> samueldmq: how do you define “dynamic policy”….ones that can be fine grained read/set in the DB?
12:25 *** fhubik is now known as fhubik_afk
12:25 <samueldmq> henrynash, hmm.. I was thinking more about read/set in the db, and retrieving from the api
12:25 <henrynash> samueldmq: so yes, I mean via an API…..
12:26 <samueldmq> henrynash, the fine grained support could be discussed out of that
12:26 <samueldmq> henrynash, since we need to discuss the domain-roles as well
12:26 <henrynash> samueldmq: so agreed - no reasons why hierarchical roles should be tied to that
12:26 <samueldmq> henrynash, nice so we agreed on this
12:26 *** jsheeren has joined #openstack-keystone
12:26 <henrynash> samueldmq: getting to the state where services get their policy from Keystone (rather than a file) will be a major first step
12:27 <samueldmq> henrynash, probably I will be helping ayoung on that front as well (my managers want me to) ... most specs need update
12:27 <samueldmq> henrynash, ++
12:27 <henrynash> samueldmq: then making the access to those more fine-grained is step 2
12:27 *** fhubik_afk is now known as fhubik
12:27 <samueldmq> henrynash, and at a glance I see we could split that from the dynamic-policy thing
12:28 <samueldmq> henrynash, agree, but step 1 and 2 can be parallelized, they're independent
12:28 <henrynash> samueldmq: hierarchical roles, imho, is a totally separate thing (and as most people know, I’m still to be convinced on them)
12:28 <samueldmq> henrynash, we could still implement them with domain-roles
12:28 <henrynash> samueldmq: well maybe, but if a service isn’t getting their policy file from keystone…how do we make it more granular?
12:29 <henrynash> (that’s to your point about step 1 and 2 being parallel)
12:29 <henrynash> (agree domain-roles are independent)
12:29 <samueldmq> henrynash, hmmn.. we were about to implement domain-roles without dynamic-policies right ?
12:29 <samueldmq> henrynash, this makes more granular, and has no dependency on it
12:30 <samueldmq> henrynash, actually it depends on how we are going to implement the more fine-grained access ...
12:30 <andreaf> samueldmq: I think it would be nice to re-use the existing DEVSTACK_GATE_KEYSTONE_V3 flag (http://git.openstack.org/cgit/openstack-infra/project-config/tree/jenkins/jobs/devstack-gate.yaml#n1283) to switch not only tempest configuration - but every service configuration - to use identity v3 only - so we can use a single flag
12:30 *** gordc has joined #openstack-keystone
12:31 *** bknudson has quit IRC
12:32 <henrynash> samueldmq: so i see “granularity” as being able to not having to treat the policy file as a blob as far as the API is concerned
12:32 <samueldmq> andreaf, great, I plan to have more jobs on this soon ... me, morganfainberg, dolphm are working on that front
12:32 <samueldmq> andreaf, we want a identity v3 only cloud running, and all the jobs being v3 only for L
12:32 <henrynash> samueldmq: domain-roles doesn’t change that
12:33 <samueldmq> andreaf, I have no experience on the gate jobs, will need to bug you more on that later
12:33 *** chmouel_ is now known as chmouel
12:33 <andreaf> samueldmq: let me know if you need anything
12:34 <samueldmq> henrynash, k I agree, I was thinking about fine-grained as more power on the role definitions, as you can re-use domain-roles etc ..
12:34 <samueldmq> henrynash, I need to go afk for a bit, have a meeting now, will be back in a bit
12:35 <henrynash> samueldmq: yes, I think that is a separate thing (good, but separate)...
12:35 <henrynash> ok
12:35 <samueldmq> andreaf, nice thx
12:35 *** raildo has joined #openstack-keystone
12:36 *** josecastroleon has joined #openstack-keystone
12:37 *** openstackgerrit has quit IRC
12:37 *** openstackgerrit has joined #openstack-keystone
12:40 <marekd> Can I ask for a review here: https://review.openstack.org/#/c/175980/ ?
12:42 <henrynash> marekd: lookinh
12:42 <henrynash> looking
12:42 <marekd> henrynash: thanks
12:43 *** ayoung has joined #openstack-keystone
12:43 *** ChanServ sets mode: +v ayoung
12:48 *** fhubik is now known as fhubik_afk
12:50 *** Ctina_ has quit IRC
12:54 <samueldmq> henrynash, I am back
12:54 <samueldmq> henrynash, I think we could have domain-roles constrained to domains or not (so let's step back and call it role-groups)
12:55 <samueldmq> henrynash, we then can essentially implement the hierarchical roles with this
12:55 <samueldmq> henrynash, where they can be global (not tied to a domain), or domain specific (the domain-roles)
12:56 *** bknudson has joined #openstack-keystone
12:56 *** ChanServ sets mode: +v bknudson
13:03 <morganfainberg> how is everyone today?
13:03 <morganfainberg> ayoung: so this is what it's like when i'm on east coast time
13:03 <marekd> morganfainberg: greatish
13:03 <ayoung> morganfainberg, are you on the East Coast?
13:03 <lbragstad> dolphm: o/ I attempted building the Fernet branch of keystone-deploy into the master branch. I added it as a dependency of the convert to Cent commit. https://github.com/dolph/keystone-deploy/pull/7
13:03 <morganfainberg> ayoung: yeah in D.C. this week
13:03 *** fhubik_afk is now known as fhubik
13:04 <ayoung> morganfainberg, Hope you found your coffee already. It's about 6 hours before you usually get breakfast, too
13:04 <lbragstad> dolphm: once that's merged, I'm going to attempt converting the galera branch for centos support as well.
13:04 <lbragstad> ayoung: fyi ^
13:05 <ayoung> lbragstad, branch?
13:05 <ayoung> Ah, this is the Deployment via Ansible?
13:05 <morganfainberg> ayoung: already had coffee and breakfast
13:05 <ayoung> lbragstad, you guys are doing that via git based code, right?
13:05 <lbragstad> ayoung: yep, I was able to verify the centos commit
13:05 <morganfainberg> ayoung: this is what happens when i'm on the road for conference/meetings.
13:06 <lbragstad> ayoung: it pulls the branches from gerrit
13:06 <ayoung> lbragstad, do you get systemd support any way?
13:06 <lbragstad> https://github.com/dolph/keystone-deploy/blob/master/playbooks/roles/http/tasks/main.yaml#L27-L29
13:06 <morganfainberg> ayoung: can I has a distro that just says no to systemd?
13:06 <lbragstad> ^ that's cool because you can deploy wip changes that are up for review to a Keystone cluster
13:06 <ayoung> morganfainberg, you can have docker.
13:07 <morganfainberg> ayoung: that doesn't remove the need for systemd
13:07 <ayoung> morganfainberg, systemd is just different
13:07 <morganfainberg> ayoung: what was wrong with sysv init?
13:07 <morganfainberg> :P
13:07 * morganfainberg slides a soapbox back under the desk.
13:07 <ayoung> and after you've lived with the boot speedup for a while, you don't really want to go back
13:07 <ayoung> um.. alo tactually
13:09 <ayoung> morganfainberg, systemd, SELinux...all the things that people complain about from the Fedora side of the house, they are all addressing real issues. It's like X.org. Yeah, as the app user you don't want to have to know about these things, but you are feeling the pain
13:09 <morganfainberg> SELinux i don't complain about
13:09 <ayoung> morganfainberg, do you run with SELinux enabled?
13:09 <morganfainberg> systemd is, imo the wrong approach
13:10 <morganfainberg> ayoung: when I run RH-based linux, yes - provided i don't have a simple dev environment that doesn't need to care [e.g. devstack testing a keystone change]
13:10 <morganfainberg> ayoung: but my throwaway devstacks tend to be ubuntu
13:10 <ayoung> morganfainberg, work with systemd for a while. It is just different, but, really, it is just a codification of what people have developed as best practices in shell scripting systemV init, ported to a native library to speed up boot and to enforce the interface. All the issues we have with API stability in Keystone? The OS has that at the App layer.
13:11 <morganfainberg> ayoung: I don't like that systemd has started consuming everything.
*** jsheeren has quit IRC13:11
morganfainbergayoung: I am fine with the signaling and other benefits it brings. but it shou;dn't be a massive monolithic-do-everything process [the way it's headed]13:11
ayoungmorganfainberg, one thing that reading about systemd has me itching to do is to make a custome Socket factory for Java, that can open a socket as root on port 80 and pass it to a Systemd activated Tomcat instance13:11
ayoungI'm actually wondering if sssd should be rolled into systemd13:12
morganfainbergayoung: god no13:12
ayoungmorganfainberg, so you think customer process monitoring, once per problem domain is good?13:12
ayoungnot the plugins...those stay as separate repos...systemd is the activation layer, with dbus the commo between them13:13
morganfainbergayoung: I am of the view you should focus on doing something and doing it well especially at the OS level. not try to be everything for everyone13:13
*** jsheeren has joined #openstack-keystone13:13
ayoungmorganfainberg, what are the aspects that you think systemd addresses that it should not?13:14
morganfainbergayoung: right now, udev.13:14
morganfainbergayoung: well udev + hard dep on kbus13:14
morganfainbergor headed that way13:14
ayoungthat is Kernel, though.  Systemd just consumes it13:14
morganfainbergayoung: udev was moved into systemd, so now you're going to need systemd to use it.13:15
morganfainbergit's grabbing too much into a single space that is hard to work with13:15
morganfainberganyway13:15
ayoungUm..I thought udevd was a separate process, monitored by systemd?  Is it not?13:15
morganfainbergayoung: my concern is more that if we're not careful systemd turns issues with the system level into "only recourse is reboot" to address issues13:15
ayoung/usr/lib/systemd/systemd-udevd13:15
morganfainbergayoung: systemd is going to be required in the near(ish) future from what i can tell to run udevd at all13:16
ayoungmorganfainberg, looks like that is the case in Fedora13:16
morganfainbergayoung: I also don't like that systemd and kernel are meant to be upgraded in lockstep13:16
ayoung]$ rpmquery -f /usr/lib/systemd/systemd-udevd13:16
ayoungsystemd-216-17.fc21.x86_6413:16
ayoungAndy Tanenbaum is gloating13:16
morganfainberganyway13:17
* morganfainberg is not a fan of the direction systemd is headed.13:17
*** dims has quit IRC13:17
ayoungI picture him sitting in front of a monitor, watching the Linux change sets, wearing a monocle and stroking a Persian Cat.13:17
morganfainbergprobably13:17
*** dims has joined #openstack-keystone13:18
ayounglbragstad, it is amazing how much that yaml file looks like the spec for an RPM13:21
*** openstackgerrit has quit IRC13:21
*** openstackgerrit has joined #openstack-keystone13:22
samueldmqmorganfainberg, hi, in the case you didn't see yet, we already have n-net and neutron identity v3 jobs defined in tempest experimental queue13:22
ayoungmarekd, I was trying the ecp code against Ipsilon late last week.  Last thing I got was, when hitting (internal URL) http://ecp.cloudlab.freeipa.org:5000/v3/OS-FEDERATION/identity_providers/ipsilon/protocols/saml2/auth13:23
samueldmqmorganfainberg, my approach now is to have such experimental job for devstack project, and then we can run it against your changes in devstack13:23
ayoung gets back13:23
ayoung<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">13:23
ayoung<html><head>13:23
ayoung<title>303 See Other</title>13:23
ayoungetc13:23
ayoungmarekd, jdennis was looking at it.  His last communique was: I just took a look at the Keystone ECP coded and it doesn't look like they are doing full ECP, rather it appears they are doing IdP initiated responses and only doing 1 step of the ECP process, returning a PAOS response.13:24
marekdayoung: so it made a round trip: sp->idp->sp and with the 3rd step you got 303 ?13:24
ayoungmarekd, I'm still trying to figure out how to get logging from the script.  Not sure how many round trips...13:24
marekdayoung: maybe log every http req/resp...13:25
ayoungmarekd, can we do that by setting a config value in the script?  Where was your code again, anyway?13:25
marekdayoung: did jdennis look at https://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/contrib/auth/v3/saml2.py#L88 ?13:26
ayoungmarekd, I think he did. He was asking where the saml2 code is.  We need to rpm package it still.13:26
marekdayoung: i was using pdb and pure requests lib when i was debugging such flows13:26
ayoungah13:27
marekdayoung: the code was here https://gist.github.com/zaccone/9ff1f240b3d26eb0dcb713:28
marekdwhere can i talk with jdennis (channel e.g).13:28
ayoungmarekd, ok,  nothing different.13:28
ayoungmarekd, he'll be here off and on...he's moving (Houses) and might still be getting his new setup finished13:29
*** krykowski has quit IRC13:29
ayounghe was a rock star last week...taking breaks at lunch and what not between the movers to keep me pointed in the right direction.  I have a shell script he adapted from the shib code that shows that ECP works against Ipsilon, but now we need to close the gaps in assumptions between that and what the KC code does13:30
openstackgerritRodrigo Duarte proposed openstack/keystone-specs: API changes for Reseller  https://review.openstack.org/15300713:31
openstackgerritRodrigo Duarte proposed openstack/keystone-specs: Recursive deletion  https://review.openstack.org/14873013:31
*** ajayaa has quit IRC13:32
*** mestery_ is now known as mestery13:32
*** pnavarro has quit IRC13:34
marekdayoung: nice. I will wait for him to appear here.13:38
*** krykowski has joined #openstack-keystone13:38
marekdI would like to know what he meant what's up with the KC code.13:38
ayoungmarekd, yeah, I'm just learning ECP, but he's spent the past several weeks/months learning it13:42
*** josecastroleon has quit IRC13:43
*** josecastroleon has joined #openstack-keystone13:44
*** morganfainberg has quit IRC13:44
*** xianghui has quit IRC13:45
*** fhubik is now known as fhubik_afk13:46
*** xianghui has joined #openstack-keystone13:46
-openstackstatus- NOTICE: gerrit has been restarted to clear a problem with its event stream. change events between 13:09 and 13:36 utc should be rechecked or have approval votes reapplied as needed to trigger jobs13:47
*** morganfainberg has joined #openstack-keystone13:47
*** ChanServ sets mode: +v morganfainberg13:47
*** henrynash has quit IRC13:47
marekdayoung: i found specs a little bit blurry. Like..you read tons of specs, profiles, parameters and end up with "okkkay, so how do I run this?".13:50
ayoungmarekd, heh13:50
*** fhubik_afk is now known as fhubik13:51
ayoungmarekd, I'll fpaste his spec temporarily.  I don't think there is much issue with that, as it comes from the Shib repo, but he doesn13:51
ayoung't want it posted for posterity13:51
ayoungthere is a better version coming in straight python13:51
marekdayoung: so wait, you claim that KC ECP code doesn't work with Ipsilon, whereas you have a working version of it?13:52
* marekd just got confused13:53
ayoungmarekd, I have A shell script that tests the ECP workflow against ipsilon,  not keystone13:55
*** mkoderer has quit IRC13:55
ayoungI have used the script to get a Keystone token13:55
ayoungso the issue is with the KC code, not Ipsilon, in my case13:55
*** vishy has quit IRC13:55
marekdayoung: this is what i am asking about.13:55
ayoungit might be that Ipsilon 's ECP support is too stringent, or making a different assumption, than SHib was13:56
ayoungmarekd, the shell script does command line curl13:56
ayoungmarekd, easier for me to mail it to you.13:56
marekdayoung: sure13:56
marekdmarek.denis at cern . ch13:57
ayoungmarekd, sent13:57
*** mkoderer has joined #openstack-keystone13:57
*** vishy has joined #openstack-keystone13:58
ayoungmarekd, I don't yet have a public Ipsilon with ECP.  I think I can update my younglogic one, though13:59
*** joesavak has joined #openstack-keystone13:59
marekdayoung: i'd be happy to play with it14:00
marekdas long as i don't need to configure it :-)14:00
*** edmondsw has joined #openstack-keystone14:02
ayoungmarekd, ok...RPMs are updated, but I think I need to make a change to the httpd config file...let14:02
ayoung's see14:02
*** richm has joined #openstack-keystone14:04
*** sigmavirus24_awa is now known as sigmavirus2414:05
sigmavirus24morganfainberg: to be fair, I was distracting stevemar14:06
marekdayoung: this script..it was written by jdennis? I think i'd seen something similar before.14:06
openstackgerritRaildo Mascena de Sousa Filho proposed openstack/keystone: Prohibit invalid ids in subtree and parents list  https://review.openstack.org/15872014:07
*** Ephur has joined #openstack-keystone14:07
ayoungmarekd, nah, he adapted it from the shob code14:07
ayoungshib14:07
marekdah, that you mean by saying shib code.....14:08
ayoungmarekd, OK,  I have it sort of running ...need to set up ca cert14:08
*** fhubik is now known as fhubik_afk14:08
*** stevemar has joined #openstack-keystone14:10
*** ChanServ sets mode: +v stevemar14:10
marekdayoung: i don't say what sits in KC repo is perfect, but I was also kind of relying on what's provided in the shib reference.14:10
marekdayoung: probably the best way is to talk with jdennis once he is online.14:11
ayoungmarekd, yes.  But let me try to get a public demo, so we can all confirm what works etc14:11
marekdayoung: yep, happy to help14:12
*** fhubik_afk is now known as fhubik14:13
*** davechen has joined #openstack-keystone14:13
davechendstanek: ping?14:15
dstanekdavechen: pong14:16
*** rushil has joined #openstack-keystone14:16
davechendstanek: just a quick question, will we support to run functional testing on the py27?14:16
davechendstanek: I saw basepython is set to python3.4 in tox.ini, does that means only py3.4 will be supported?14:17
dstanekdavechen: no, you must have py3.4 to run the functional tests14:18
davechendstanek: any reason, I am curious about that :)14:18
dstanekdavechen: we eventually want to move to py3 anyway - no reason to make it support py2 if developers should already have py314:18
marekddstanek: with the advent of dropping eventlet (or eventlet supporting py3 now) is it happening in L cycle?14:19
dstanekmarekd: nope, this has nothing to do with what we have to support on the server side14:20
dstanekthe functional tests will run in py3.4, but will hit what ever service you point to14:20
davechendstanek: An, make sense.14:20
dstanekso you can run keystone in py2.7 or whatever and point the functional tests at it14:20
marekddstanek: is it happening in next 6 months, then? ;)14:21
dstanekmarekd: functional tests?14:21
marekdyes14:21
dstanekhopefully more of the patches will be merged in the next few weeks - some have already been merged14:21
marekdand py314:22
davecheneventually, we will drop py27 supporting even for unit test?14:22
dstanekmarekd: i have a huge stream of work to get py3 going - probably 30 commits total - half of them were pushed on Friday and several merged over the weekend14:23
dstanekdavechen: only when OpenStack stop supporting it - maybe 5+ years14:24
dstanekdavechen: actually, probably longer14:24
davechen:-D hope openstack is still alive then.14:24
dstanekwe only recently dropped 2.6 and that was released more than a decade ago14:24
dstanekjust remember that functional tests and unit tests are completely separate14:25
dstanekunit tests have to run in the versions of Python we officially support, whereas functional tests do not14:25
davechenbut seems Keystoneclient still want to support py2.614:25
davechenI saw some comments told me about that. some patches is on the way.14:26
dstaneki wonder if the classifiers need to be updated - i thought that i removed some of the old 2.6 stuff from it14:26
dstanekdavechen: yeah they don't test in 2.6 anymore14:27
dstanekmorganfainberg: ^ see above about ksc and 2.614:27
dstanekjamielennox: ^14:28
davechen+1, formal announcement maybe.14:28
morganfainbergKsc needs to support 2.6. Keystone likely needs to update classifieds.14:29
dstanekmorganfainberg: the classifiers say 2.6 so they're fine - we should be testing against 2.6 then right?14:29
*** mattfarina has joined #openstack-keystone14:29
morganfainbergFor ksc, don't we still test 2.6?14:29
openstackgerritMerged openstack/keystone-specs: Add spec for python-3 compatibility  https://review.openstack.org/17738014:30
morganfainbergFor keystone, we don't need to test 2.6. It is no longer supported for the server.14:30
marekddstanek: just in time regarding my question: https://review.openstack.org/#/c/177380/3/specs/liberty/python3.rst14:30
morganfainbergdstanek/davechen: looks like ksc still tests 2.614:32
*** nkinder has joined #openstack-keystone14:33
*** ajayaa has joined #openstack-keystone14:33
marekdmorganfainberg: a question for you.  In the KSC there is a stub class merged, yet our auth plugins (saml2 in particular) is not using. I would like to rename that class from federated to federation. Is it safe to do this without any mess with deprecations/warnings/ and all this stuff? Link : https://review.openstack.org/#/c/177704/14:34
morganfainbergi'll need to think about that14:34
davechenmorganfainberg: yeah, I saw gerrit still do that.14:34
morganfainbergmarekd: it maaaaaaaaayyyy be ok14:35
marekdmorganfainberg: it's not a super big deal, but since we all use federation module why not use federation also in ksc - and if i want to unify it i'd say the moment when we split repos, move modules, is the best one.14:35
morganfainbergit's probably ok14:35
marekdmorganfainberg: if that's ok, please comment/vote. One thing I must already warn: all the modules in the ksc-saml2 will fail, because the new class is not in the codebase, so I think we would need to wait for the new ksc cut and only then ksc-saml2 modules will start passing Jenkins.14:36
morganfainbergright14:37
openstackgerritVictor Stinner proposed openstack/python-keystoneclient: Remove discover and iso8601 dependencies  https://review.openstack.org/17768714:37
dstanekmorganfainberg: yes, just looked - we do have a 26 gate test :-)14:38
*** browne has joined #openstack-keystone14:38
openstackgerritVictor Stinner proposed openstack/python-keystoneclient: Remove keystoneclient.middleware  https://review.openstack.org/17769414:42
*** davechen has left #openstack-keystone14:43
*** krykowski has quit IRC14:48
*** ajayaa has quit IRC14:50
marekdayoung: why don't you give a try with Ipsilon/lasso ECP setup with that Python script: https://wiki.shibboleth.net/confluence/download/attachments/4358416/ecp.py?api=v2 ?14:52
ayoungmarekd, I think that is what he started with.  Not sure why it ended up as a bash script14:54
ayoungmarekd, my Horizon setup is not behaving right now.  Its a devstack, and my test env is RDO, so I suspect some wonkyness...not sure what14:55
marekdayoung: i doubt you need horizon for ecp.14:56
marekdayoung: you *don't want* horizon for ecp :P14:57
ayoungmarekd, heh...I don't just it checks SAML, as a prereq...also I have both Horizon and Keystone on the same machine14:57
ayoungso when I say Horizon, I really mean the whole WebSSS14:57
ayoungSSo14:57
*** mabrams has quit IRC15:00
*** zzzeek has joined #openstack-keystone15:00
*** henrynash has joined #openstack-keystone15:02
*** ChanServ sets mode: +v henrynash15:02
*** fhubik has quit IRC15:06
*** ajayaa has joined #openstack-keystone15:06
*** aix has quit IRC15:09
*** afazekas has quit IRC15:15
*** joesavak has quit IRC15:23
marekdhenrynash: I responded to the comment. But I'd value dstanek 's opinion on that as well: https://review.openstack.org/#/c/175980/2/keystone/contrib/federation/utils.py15:25
marekdhenrynash: the rest of your comments is about right and I am going to fix it.15:25
henrynashmarekd: sounds good….fyi, on that other patch to the protocol docstring15:26
henrynashmarekd: is the “keystone service provider” the same as the “identity provider” or are they different?15:26
stevemardifferent15:27
marekdhenrynash: they are different15:27
marekdkeystone is the service provider15:27
dstanekmarekd: is that error message happening when evaluating a user or when it's being added?15:27
marekddstanek: it's part of the Mapping engine15:28
henrynashmarekd: ok, so that protocol config option, is the thing that the IDP and the keystone server must agree on….15:28
marekdand mapping values from saml assertion into token data15:28
marekdhenrynash: not in the 'protocol' case. Essentially, protocol is the parameter that will be used in the auth url: /OS-FEDERATION/identity_providers/{idp}/protocols/{protocol-values-from-parameter/auth15:29
marekdthis bit is also configured at the keystone, so you, the client must provide one that is also configured at the remote keystone (service provider) of your choice15:30
marekdhenrynash: so, if Keystone had protocol configured via our APIs called say...'some_proto', your clients will need to specify --os-federation-protocol='some_proto'15:31
henrynashok, right got it15:31
marekdif that's not super clear from the help/docstring i'd be happy to see advices on how it should look like.15:32
*** joesavak has joined #openstack-keystone15:32
henrynashmarekd: yeah, I still think that help text could be clearer…perhaps only because it seems a bit repetitive….let me try a suggestion15:33
henrynashi’ll respond to the patch in a little while15:34
henrynasht15:34
marekdhenrynash: please do15:34
marekddstanek: re: https://review.openstack.org/#/c/175980/2/keystone/contrib/federation/utils.py : v.format() is used for filling {0}, {1} in the mapping rules.15:34
marekdso it's not when anything is added but it executes when user is authorizing.15:34
marekdsadly it's so deep in the Mapping Engine that I cannot even freely raise parameters like mapping_id or something like that. Yet, I am not so sure if exposing any values is acceptable and will not pose any security risks.15:36
bknudsonmorganfainberg: keystoneclient and keystonemiddleware stable/kilo release today?15:36
morganfainbergbknudson: that is the plan.15:37
bknudsongreat!15:37
bknudsonneed any help?15:37
marekdany chances that this would be merged and included in the release? https://review.openstack.org/#/c/177704/15:37
marekdit'd make my life with ksc-saml2 easier15:38
bknudsonmarekd: the stable/kilo release?15:38
marekdif that's even possible15:38
marekdbut i guess it's not.15:39
marekd:P15:39
marekd(always worth trying)15:39
morganfainbergbknudson: I just need to tag and push the tags. Will be done post lunch.15:40
bknudsonI think the stable clients only get security fixes15:40
morganfainbergbknudson: it's about as much work as setting up someone else to do it.15:40
morganfainbergbknudson: security fixes or other critical bugs.15:40
*** browne has quit IRC15:41
marekdgot it15:41
bknudsonit sounds like they're not worried about keystonemiddleware not having the requirements update.15:42
openstackgerritVictor Stinner proposed openstack/keystonemiddleware: Remove unused iso8601 dependency  https://review.openstack.org/17783115:43
*** josecastroleon has quit IRC15:48
morganfainbergbknudson: let me ping ttx on that.15:50
openstackgerritMarek Denis proposed openstack/keystone: Correctly handle direct mapping with keywords  https://review.openstack.org/17598015:50
*** e0ne is now known as e0ne_15:53
*** e0ne_ is now known as e0ne15:54
*** gyee has joined #openstack-keystone15:55
*** ChanServ sets mode: +v gyee15:55
*** henrynash has quit IRC15:58
*** browne has joined #openstack-keystone15:58
*** afazekas has joined #openstack-keystone16:00
*** david-ly_ is now known as david-lyle16:01
*** SpamapS has quit IRC16:12
*** tqtran has joined #openstack-keystone16:12
morganfainbergbknudson: yep not a worry16:14
morganfainbergbknudson: spinning up everything for the release now.16:14
*** alexsyip has joined #openstack-keystone16:18
*** lhcheng has joined #openstack-keystone16:18
*** ChanServ sets mode: +v lhcheng16:18
*** jsheeren has quit IRC16:19
*** lhcheng has quit IRC16:19
*** lhcheng has joined #openstack-keystone16:19
*** ChanServ sets mode: +v lhcheng16:19
morganfainbergoh boy, have to rework all the tools for this release process now.16:19
*** joesavak has quit IRC16:19
morganfainbergbknudson: can you help me find the bugs for ksc that made it into stable/kilo, make sure they are targeted to kilo (as well as where they are) and the 1.3.1 milestone?16:20
bknudsonmorganfainberg: will do.16:20
morganfainbergthanks. i'm standing up the milestone(s) for middleware now16:20
*** jistr has quit IRC16:21
*** esp has left #openstack-keystone16:23
bknudsonmorganfainberg: there's only a couple of commits since the last tag, and only one fixes a bug: https://bugs.launchpad.net/keystonemiddleware/+bug/141106316:23
openstackLaunchpad bug 1411063 in keystonemiddleware kilo "[OSSA 2015-007] S3token incorrect condition expression for ssl_insecure (CVE-2015-1852)" [Critical,Fix committed] - Assigned to Brant Knudson (blk-u)16:23
bknudsonI marked it as fix committed.16:23
morganfainbergyeah i expect there to be very very few16:23
bknudsonand, set target for keystoneclient - kilo to 1.3.116:23
morganfainbergyep. 1.5.1 for ksm should now be in LP16:24
bknudsonit's the same for keystonemiddleware kilo, only the fix for that bug.16:25
morganfainbergok cool16:25
morganfainbergjust wasn't 100% sure16:25
morganfainbergbknudson: thnx for the help16:25
*** _cjones_ has joined #openstack-keystone16:27
*** esp has joined #openstack-keystone16:28
*** gordc is now known as gordc_afk16:35
*** afazekas has quit IRC16:35
*** afazekas has joined #openstack-keystone16:36
openstackgerritDavid Charles Kennedy proposed openstack/keystonemiddleware: enforce endpoint constraint  https://review.openstack.org/17766116:41
morganfainbergayoung: ping re- midcycle16:47
morganfainbergayoung: status update tomorrow at the meeting but i'd like to get the venue pinned down so we can send out the midcycle email16:48
*** afazekas has quit IRC16:52
openstackgerritMerged openstack/python-keystoneclient: Remove keystoneclient.middleware  https://review.openstack.org/17769416:54
samueldmqayoung, hi, need me to update all those dynamic policy specs ?16:55
samueldmqayoung, actually I am officially allocated to work on this with you :)16:56
*** vhoward has joined #openstack-keystone16:58
dstanekhmmm...devstack master seems broken16:58
samueldmqdstanek, what's happening ?16:59
samueldmqdstanek, I ran into issues this weekend with it ..16:59
samueldmqdstanek, after deploying it, if I did 'sudo service apache2 restart', I got 500 from keystone oO16:59
dstanek500 from keystone and it's log files are useless17:00
samueldmqdstanek, yeah, see ^17:00
*** afazekas has joined #openstack-keystone17:00
ayoungmorganfainberg, last week was April vacation in Mass,, and the person from BU that needed to do things was out.  I'll check right now17:00
samueldmqdstanek, did you restart apache2?17:00
ayoungsamueldmq, yes please17:00
samueldmqayoung, nice, will do, starting on the Overview one now17:01
ayoungsamueldmq, I'll work on the Hierarchical ones17:01
samueldmqayoung, hierarchical roles, right ?17:01
ayoungfeel free to touch up any of the others samueldmq17:01
ayoungsamueldmq, yeah, Henrynash has some fundamental questions on that one17:01
dstaneksamueldmq: no. i ran ./stack.sh and it failed17:01
ayoungsamueldmq, the others are mostly details I think17:01
samueldmqdstanek, even worse than what I got17:01
samueldmqayoung, yes I think too .. + the thing on fetching the policy on kc vs middleware17:02
ayoungsamueldmq, yeah...some gremlins there.  I would love to code up a proof-of-concept for that for Nova17:02
ayoungI think actually coding something there and showin the details would clarify a lot17:02
samueldmqayoung, actually I was thinking hierarchical roles could be split from dynamic policies17:03
ayoungwe can use the same cache directory approach as the certs for the first go-round17:03
samueldmqayoung, I think dynamic comes from handling the policy via api right ?17:03
ayoungsamueldmq, we need to address the scope of it.  Let's have that on the agenda for tomorrow17:03
samueldmqayoung, nice, I also had such discussion with henrynash17:04
samueldmqayoung, perfect, let's discuss it tomorrow17:04
ayoung++17:04
dstaneksamueldmq: i see the 500 in the access log, but nothing in the key.log17:04
samueldmqayoung, I am going to add the point17:04
samueldmqdstanek, import controllers ?17:04
samueldmqdstanek, for me, it couldn't import keystone.assignment.controllers from keystone.assignment.__init__17:04
samueldmqdstanek, something like this ...17:05
samueldmqiirc17:05
samueldmqdstanek, oh! I was seeing on the keystone one, let me retrieve it for you17:05
dstaneksamueldmq: i can import assignment ok17:06
dstanekit seems that most of the keystone requests were fine - there were just a few PUTs that failed and devstack didn't start17:07
samueldmqdstanek, http://paste.openstack.org/show/208618/17:07
samueldmqdstanek, I was getting this ^ and I did no change on the keystone code17:08
samueldmqI got scared17:08
mfischanyone seen this before?17:08
mfisch2015-04-27 17:06:52.104 31328 TRACE sqlalchemy.pool.QueuePool ProgrammingError: (2014, "Commands out of sync; you can't run this command now")17:08
mfischseems scary17:08
mfischand I know that tokens are 2x slower here than in my other region17:08
*** ericksonsantos has joined #openstack-keystone17:09
*** joesavak has joined #openstack-keystone17:09
*** spandhe has joined #openstack-keystone17:09
*** samleon has joined #openstack-keystone17:14
*** EmilienM is now known as EmilienM|afk17:17
*** afazekas has quit IRC17:18
*** kiran-r has quit IRC17:19
*** e0ne has quit IRC17:21
*** henrynash has joined #openstack-keystone17:30
*** ChanServ sets mode: +v henrynash17:30
openstackgerritRaildo Mascena de Sousa Filho proposed openstack/keystone-specs: API changes for Reseller  https://review.openstack.org/15300717:34
*** mattfarina has quit IRC17:34
openstackgerritRaildo Mascena de Sousa Filho proposed openstack/keystone-specs: Dual Scoped Token  https://review.openstack.org/17605417:35
openstackgerritRaildo Mascena de Sousa Filho proposed openstack/keystone-specs: API changes for Reseller  https://review.openstack.org/15300717:36
openstackgerritRaildo Mascena de Sousa Filho proposed openstack/keystone-specs: Recursive deletion  https://review.openstack.org/14873017:36
*** joesavak has quit IRC17:41
ericksonsantosdstanek, lhcheng, ping about that: https://review.openstack.org/#/c/158372/17:41
samueldmqlhcheng, ping - you around ? need to talk about your comment on the 'dynamic policy' spec17:41
samueldmqlhcheng, https://review.openstack.org/#/c/147651/3/specs/backlog/dynamic-policy.rst17:41
ericksonsantosI've just replied your comments.17:42
*** henrynash has quit IRC17:46
samueldmqayoung, just to confirm, we want all this dynamic policy stuff for L, right ?17:49
ayoungsamueldmq, as much as possible, yes17:50
ayoungsamueldmq, but lets focus on getting it approved in backlog17:50
samueldmqayoung, ++17:50
*** joesavak has joined #openstack-keystone17:50
ayoungmoving from backlog to L is easy once it is approved17:50
samueldmqnie17:50
samueldmqnice*17:50
samueldmqayoung, I have some questions on the spec ....  https://review.openstack.org/#/c/147651/3/specs/backlog/dynamic-policy.rst17:51
ayoungsamueldmq, fire away17:51
samueldmqayoung, great! so first the Other End User Impact section17:52
*** harlowja_away is now known as harlowja_17:52
samueldmqayoung, you want to add apis to, based on a token, return a list of operations that token can perform ?17:52
ayoungsamueldmq, did you see my policy CLI?17:52
samueldmqayoung, not yet ... sorry17:53
ayoung1sec I'll link17:53
samueldmqayoung, where can I find it ?17:53
samueldmqk17:53
ayoungsamueldmq, https://review.openstack.org/#/c/170978/17:53
ayoungso,  think in terms of "we have this policy, what can we do with it"17:53
ayounghorizon already has some of this, as Lin points out.  Perhaps we move that code to the policy library17:54
samueldmqayoung, nice it tests the token ...17:54
ayoungsamueldmq, yeah, that rule is essential for refactoring a policy file:  make sure I have not broken anything17:54
ayoungsamueldmq, the Kent folks have the database stuff working, but it needs Python3.  We just chatted, and maybe we push to make policy its own endpoint17:55
samueldmqayoung, k .. what if we stored *role X* can do *actions i,j,k* instead of *actions i,j,k*: *role X etc*17:56
samueldmqayoung, we could get the list of actions for a given role more directly17:57
ayoungsamueldmq, I've thought that several times.  It would be cleaner17:58
samueldmqayoung, instead of going through all APIs and asking if a role can do that, we index by the role17:58
samueldmqayoung, ++17:58
ayoungsamueldmq, it would be easier, I think, for people to maintain that way..but the database can do that.  Maybe what we do is have an alternative policy format that reverses things, once we have the DB support17:59
samueldmqayoung, yes and we would have the right answer for 'what this role can do ?' , and would help to get a true RBAC17:59
samueldmqayoung, ++ great I agree, just would like to sync things with u17:59
openstackgerritRaildo Mascena de Sousa Filho proposed openstack/keystone: Prohibit invalid ids in subtree and parents list  https://review.openstack.org/15872018:00
samueldmqayoung, hmm .. btw, this way we described above, it's like having 'capabilities' as an attribute of a 'role' right ?18:01
ayoungsamueldmq, yes...I think that is accurate18:01
samueldmqayoung, and could be /roles/xpto?capabilities18:01
samueldmqayoung, and we could add capabilities to a role by the API, as we do for grouping18:01
ayoungsamueldmq, I know that Kent folks are coming up with a fine grained API.18:02
*** gordc_afk is now known as gordc18:02
ayoungI suspect it is along those lines, lets catch up with them tomorrow as well18:02
samueldmqayoung, ++18:02
samueldmqayoung, I will make a new patch set of the overview spec and will ping you to have a look at18:03
samueldmqayoung, I also see the introduction needs to be clearer ... anyway will do and you review it18:03
ayoungsamueldmq, thanks a lot18:04
samueldmqayoung, np18:04
*** kiran-r has joined #openstack-keystone18:04
*** EmilienM|afk is now known as EmilienM18:06
*** josecastroleon has joined #openstack-keystone18:18
*** ajayaa has quit IRC18:20
dstanekmfisch: i know i've seen people in here talk about it, but i'm not sure what it is18:26
*** kiran-r has quit IRC18:29
samueldmqwhen was the current policy mechanism introduced ?18:31
samueldmqthe beginning of openstack a few years ago ?18:31
marekdayoung: specs currently sitting in backlog are  should be reviewed now?18:38
marekdayoung: like https://review.openstack.org/#/c/134656/5/specs/backlog/policy-unified.rst18:38
openstackgerritRaildo Mascena de Sousa Filho proposed openstack/keystone: Add is_domain field in Project Table  https://review.openstack.org/15742718:38
ayoungmarekd, yes.  one advantage of using backlog is the specs don't need to be -2ed to be frozen when we hit spec freeze18:42
*** e0ne has joined #openstack-keystone18:46
*** josecastroleon has quit IRC18:48
*** ajayaa has joined #openstack-keystone18:54
*** arif-ali has joined #openstack-keystone18:57
ayoungmorganfainberg,from Orran Krieger:   "I think its fine to say planning on BU.  From my chat with Cheryl, it shouldn’t be a problem. "18:57
morganfainbergayoung: ok19:01
*** Ephur has quit IRC19:01
*** ajayaa has quit IRC19:02
*** dguerri is now known as _dguerri19:11
*** _cjones_ has quit IRC19:17
*** _dguerri is now known as dguerri19:17
*** amakarov is now known as amakarov_away19:19
dstaneksamueldmq: so, what's weird is that if i start devstack with key,mysql services it's fine - add my usual list and it's broken, add just glance and it's broken19:24
*** joesavak has quit IRC19:28
samueldmqdstanek, hmm, any thought why that's happening ?19:28
samueldmqdstanek, did you ask people on #qa if there is any known issue19:28
dstaneki'm trying again with just key,mysql to see if i can replicate success again - this i'll know if this issue is real19:31
morganfainbergdstanek: dependency resolution?19:31
morganfainbergdstanek: also are the upstream gate jobs failing?19:31
*** dguerri is now known as _dguerri19:32
dstaneki don't think it's that because i get a few 500s from keystone and devstack fails to start19:33
morganfainbergdstanek: weird19:33
morganfainbergdstanek: are we seeing this in the upstream devstack setup?19:34
morganfainbergdstanek: also 14.04?19:34
morganfainbergor cent? or fedora?19:34
dstanekmorganfainberg: i was on 14.04 - starting a fedora20 vm right now to test19:36
morganfainberghm19:36
samueldmqayoung, ping - on the policy overview, I need to make something clearer19:37
samueldmqayoung, For example, we could distinguish between actions that can only read state from those that can change it: "Observer" and "Editor" Member would inherit editor, and editor would inherit observer.19:37
samueldmqayoung, what would be the right inheritance logic ?19:38
samueldmqayoung, just editor inherit observer ?19:38
ayoungsamueldmq, what you have there:   if -> means inherits all operations then19:38
ayoungmember->editor->observer19:38
ayoungsamueldmq, I hate the term inherits19:39
ayoungI like to think in terms of sets19:39
samueldmqayoung, yeah, so lets implement sets of roles :p19:39
ayoungthe editor set contains all elements of the observer set19:39
samueldmqayoung, I am tossing role groups on you :p19:39
ayoungsamueldmq, I said I would take that one19:40
samueldmqayoung, great, I will wait for tomorrow's meeting, when we will agree on all this :)19:40
ayoungheh19:40
samueldmqo/19:40
stevemardstanek, o/19:40
dstanekstevemar: o/19:41
stevemardstanek, can you take a look at: https://review.openstack.org/#/c/177620/19:41
samueldmqdstanek, will try to reproduce the issue on my pc19:41
dstanekstevemar: sure19:42
samueldmqdstanek, ubuntu 14.04.219:42
*** _cjones_ has joined #openstack-keystone19:43
dstanekstevemar: neat19:43
dstaneksamueldmq: something like that19:44
samueldmqayoung, also, we will need a tool for migrating the existing policies to the new mechanism right ?19:44
samueldmqayoung, I will add a point for this19:44
stevemardstanek, i just need someone to make sure i'm not thinking crazy things here19:45
ayoungsamueldmq, possibly. I think the Kent mechanism might cover that19:45
samueldmqayoung, great, I will add a point to this ... making sure we are caring about the existing deployments19:46
ayoungsamueldmq, rock on19:46
dstanekstevemar: that doesn't look crazy19:48
dstanekstevemar: jenkins doesn't seem to love you19:48
stevemar\o/19:48
stevemari just rechecked, there was a 404 error in downloading a requirement19:48
stevemarmaybe i should add another argument? one for tox -e <arg> ?19:49
stevemari'm assuming sample_config, but i think nova uses tox -e genconf or something19:50
samueldmqstevemar, btw, nice patch! I will take a deeper look on it later, so I can learn how to introduce a completely new job :)19:51
stevemardstanek, it's passing now19:53
openstackgerritErickson Filipe Guedes dos Santos proposed openstack/keystone: Change project name constraint  https://review.openstack.org/15837219:54
stevemarsamueldmq, just throw some stuff up and hope it works19:55
samueldmqstevemar, yeah it will o/19:58
*** joesavak has joined #openstack-keystone20:04
samueldmqdstanek, mine is failing randomly20:07
samueldmqdstanek, wget localhost:5000/v2.020:07
samueldmqdstanek, alternating from 500 and 20020:07
samueldmqlol20:07
samueldmqdstanek, just deployed and ran wget20:07
dstaneksamueldmq: nice20:10
ayounglbragstad, if you look here: https://github.com/nkinder/rdo-vm-factory/blob/master/rdo-federation-setup/vm-post-cloud-init-rdo.sh#L58  you can see what to add to your deployment in order to get WebSSO and Federation20:13
lbragstadayoung: sweet!20:13
samueldmqdstanek, not nice hehe20:16
samueldmq:p20:16
openstackgerritRaildo Mascena de Sousa Filho proposed openstack/keystone: Honor domain operations in project table  https://review.openstack.org/14376320:19
*** _dguerri is now known as dguerri20:20
samueldmqmorganfainberg, so it should be openstack-infra/devstack-gate who should deploy devstack and then disable it after that ?20:24
openstackgerritMerged openstack/keystone: Updated from global requirements  https://review.openstack.org/17723220:25
openstackgerritDavid J Hu proposed openstack/keystone: Version independent token issuance pipeline  https://review.openstack.org/15062920:27
morganfainbergsamueldmq: devstack needs to learn how to disable v220:27
morganfainbergsamueldmq: then it should be signaled from ds-gate to do that20:27
samueldmqmorganfainberg, yeah we define a flag on the job definition20:28
samueldmqmorganfainberg, and the flag is read at devstack-gate, which will deploy devstack and then disable v2 (since we cannot disable v2 by default on devstack, right) ?20:28
morganfainbergsamueldmq: yep20:28
morganfainbergsamueldmq: so ds-gate takes the flag and makes sure the ENV is passed down to devstack20:29
samueldmqmorganfainberg, ah20:29
samueldmqmorganfainberg, so devstack reads on what ds-gate tells it, and decide to deploy v2 or not based on that20:29
morganfainbergyeah20:29
samueldmqmorganfainberg, ah sorry for not getting this earlier, I am still getting familiar with all this :)20:30
morganfainbergsamueldmq: don't be sorry :) most of us only know this cause we have dealt with it20:30
samueldmqmorganfainberg, hehe o/20:31
samueldmqmorganfainberg, do you have a patch for your devstack changes already?20:31
morganfainbergsamueldmq: I do have a partial one20:32
morganfainbergsamueldmq: just at a conference atm20:32
morganfainbergsamueldmq: so that is somewhat on hold for today/tomorrow/wed20:32
samueldmqmorganfainberg, great, I will be taking a look on how things happen on infra more deeply20:33
samueldmqmorganfainberg, and working with ayoung on the dynamic policy specs while you get that20:33
samueldmqmorganfainberg, thanks20:33
morganfainberg:)20:33
* morganfainberg is looking at SCIM20:35
morganfainbergit's very interesting20:35
*** samleon has quit IRC20:37
*** dguerri is now known as _dguerri20:39
*** _dguerri is now known as dguerri20:39
marekdmorganfainberg: SCIM: System for Cross-domain Identity Management ?20:45
morganfainbergmarekd: yeah20:45
marekdmorganfainberg: a promising SAML replacement?20:46
morganfainbergmarekd: looks more like managing the actual identity data20:47
marekdmorganfainberg: pity20:47
*** tqtran has quit IRC20:48
*** turul has joined #openstack-keystone20:51
*** turul is now known as afazekas20:52
stevemarmorganfainberg, which conference you at?20:58
morganfainbergstevemar: Internet220:59
stevemarah20:59
*** jimbaker has joined #openstack-keystone21:04
*** thinrichs has joined #openstack-keystone21:07
thinrichsAnyone have 2 minutes to answer a question about the keystone python client?21:09
*** stevemar has quit IRC21:10
morganfainbergdstanek: ping21:15
morganfainberglhcheng: ping21:16
lhchengmorganfainberg: pong21:16
*** joesavak has quit IRC21:17
*** gyee has quit IRC21:20
lhchengsamueldmq: ping21:21
*** thinrichs has left #openstack-keystone21:26
*** alexsyip has quit IRC21:28
*** alexsyip has joined #openstack-keystone21:31
*** vhoward has quit IRC21:41
*** vhoward has joined #openstack-keystone21:42
*** rushil has quit IRC21:53
*** gordc has quit IRC21:56
*** bknudson has quit IRC22:03
*** e0ne has quit IRC22:05
*** alexsyip has quit IRC22:06
*** vhoward has quit IRC22:09
*** vhoward has joined #openstack-keystone22:10
*** vishy has quit IRC22:17
*** cyeoh has quit IRC22:17
*** cyeoh has joined #openstack-keystone22:19
*** vishy has joined #openstack-keystone22:20
*** Ephur has joined #openstack-keystone22:22
dstanekmorganfainberg: pong22:31
morganfainbergdstanek: hmm had a question. Now I spaced on it.22:31
dstanekmorganfainberg: haha, ok. i just got back from dinner so i'll be around for a while22:31
morganfainbergI'm about to head out for dinner :P22:32
*** jaosorior has quit IRC22:32
*** sigmavirus24 is now known as sigmavirus24_awa22:33
*** _cjones_ has quit IRC22:42
*** _cjones_ has joined #openstack-keystone22:48
openstackgerritDavid J Hu proposed openstack/python-keystoneclient: Access Info Formatter  https://review.openstack.org/17799722:50
*** spandhe has quit IRC22:56
*** _cjones_ has quit IRC23:00
*** drjones has joined #openstack-keystone23:01
*** spandhe has joined #openstack-keystone23:04
*** drjones has quit IRC23:06
*** spandhe has quit IRC23:09
*** _cjones_ has joined #openstack-keystone23:18
*** zzzeek has quit IRC23:19
*** zzzeek has joined #openstack-keystone23:19
*** _cjones_ has quit IRC23:23
*** _cjones_ has joined #openstack-keystone23:25
*** Ephur has quit IRC23:41
*** dims has quit IRC23:46
*** alexsyip has joined #openstack-keystone23:47
*** _cjones_ has quit IRC23:54
*** rushil has joined #openstack-keystone23:56
