Tuesday, 2015-05-05

*** emagana_ has quit IRC		00:06
*** stevemar has joined #openstack-keystone		00:06
*** ChanServ sets mode: +v stevemar		00:06
*** Raildo_ has joined #openstack-keystone		00:06
*** emagana has joined #openstack-keystone		00:06
*** emagana has quit IRC		00:10
*** Raildo has quit IRC		00:11
*** _cjones_ has joined #openstack-keystone		00:13
*** Raildo_ has quit IRC		00:13
*** edmondsw has quit IRC		00:20
*** lhcheng has joined #openstack-keystone		00:25
*** ChanServ sets mode: +v lhcheng		00:25
*** stevemar has quit IRC		00:32
*** ankita_wagh has quit IRC		00:36
*** _cjones_ has quit IRC		00:43
*** zzzeek has quit IRC		00:56
*** ankita_wagh has joined #openstack-keystone		00:58
*** henrynash has quit IRC		00:59
*** henrynash has joined #openstack-keystone		00:59
*** ChanServ sets mode: +v henrynash		00:59
openstackgerrit	Ankita Wagh proposed openstack/keystonemiddleware: Handling endpoints with missing URL types https://review.openstack.org/179624	01:02
openstackgerrit	Jamie Lennox proposed openstack/python-keystoneclient: Ensure that failing responses are logged https://review.openstack.org/179984	01:02
*** alexsyip has quit IRC		01:08
samueldmq	jamielennox, hi you around ?	01:11
jamielennox	samueldmq: yep	01:11
samueldmq	jamielennox, https://review.openstack.org/#/q/status:open+topic:identity-v3-only-jobs,n,z	01:11
samueldmq	jamielennox, after this get merged, morganfainberg will have the changes in devstack to make it use v3 to create its resources, etc	01:12
samueldmq	jamielennox, and then tempest will starting showing up the errors	01:12
samueldmq	jamielennox, we then add this job to projects as needed and submit the fixes	01:13
jamielennox	samueldmq: cool i saw that link you posted earlier - one has apparently already merged	01:14
samueldmq	jamielennox, no, in fact I removed the devstack-gate flag and then I set the flag IDENTITY_V3_ONLY directly in devstack	01:15
jamielennox	oh - ok	01:15
samueldmq	jamielennox, without needing to change d-g, so I abandoned that one	01:15
jamielennox	samueldmq: cool - i will keep an eye on it	01:16
samueldmq	jamielennox, nice	01:17
samueldmq	jamielennox, among your patches, you have something with higher priority ?	01:17
samueldmq	I am entering in review mode now	01:17
*** henrynash_ has joined #openstack-keystone		01:17
*** ChanServ sets mode: +v henrynash_		01:17
jamielennox	umm, i had a chat with the glance people this morning so i'm hoping that will start moving again	01:17
jamielennox	and i need to circle back to the heat guys, you can look into any of those	01:18
jamielennox	beyond that we are not in a super urgent phase between release and summit	01:18
samueldmq	jamielennox, ++	01:20
*** henrynash has quit IRC		01:20
*** henrynash_ is now known as henrynash		01:20
openstackgerrit	Merged openstack/keystone: Pass-in domain when testing saml signing https://review.openstack.org/179846	01:24
*** _cjones_ has joined #openstack-keystone		01:39
*** darrenc is now known as darrenc_afk		01:40
*** _cjones_ has quit IRC		01:44
*** Ephur has joined #openstack-keystone		01:47
*** ncoghlan has joined #openstack-keystone		01:52
*** darrenc_afk is now known as darrenc		01:52
openstackgerrit	Dave Chen proposed openstack/keystone: Refactor: Join multiple criteria together https://review.openstack.org/133135	01:58
*** ankita_wagh has quit IRC		01:59
*** davechen has joined #openstack-keystone		01:59
*** ankita_wagh has joined #openstack-keystone		02:00
*** browne has quit IRC		02:00
*** ankita_wagh has quit IRC		02:05
*** davechen1 has joined #openstack-keystone		02:25
*** davechen has quit IRC		02:25
openstackgerrit	Dave Chen proposed openstack/keystone: Minor change in the docstring https://review.openstack.org/172329	02:27
*** samueldmq has quit IRC		02:27
*** sigmavirus24 is now known as sigmavirus24_awa		02:33
*** browne has joined #openstack-keystone		02:36
*** ankita_wagh has joined #openstack-keystone		02:43
*** dobson has quit IRC		02:48
*** richm has quit IRC		02:55
*** dobson has joined #openstack-keystone		03:01
*** lhcheng has quit IRC		03:08
*** lhcheng has joined #openstack-keystone		03:09
*** ChanServ sets mode: +v lhcheng		03:09
*** spandhe has quit IRC		03:10
*** dobson has quit IRC		03:18
*** dobson has joined #openstack-keystone		03:22
*** dims_ has quit IRC		03:23
*** davechen1 has quit IRC		03:27
*** _cjones_ has joined #openstack-keystone		03:28
*** davechen has joined #openstack-keystone		03:29
*** links has joined #openstack-keystone		03:31
*** _cjones_ has quit IRC		03:32
*** stevemar has joined #openstack-keystone		03:43
*** ChanServ sets mode: +v stevemar		03:43
*** mabrams has joined #openstack-keystone		03:53
*** ayoung-dadmode has quit IRC		04:05
*** henrynash has quit IRC		04:14
*** henrynash has joined #openstack-keystone		04:14
*** ChanServ sets mode: +v henrynash		04:14
*** gokrokve has joined #openstack-keystone		04:16
*** gokrokve has quit IRC		04:20
*** dims has joined #openstack-keystone		04:23
*** _cjones_ has joined #openstack-keystone		04:28
*** dims has quit IRC		04:28
*** ankita_wagh has quit IRC		04:32
*** ankita_wagh has joined #openstack-keystone		04:32
*** _cjones_ has quit IRC		04:33
*** gokrokve has joined #openstack-keystone		04:45
*** henrynash has quit IRC		05:16
*** emagana has joined #openstack-keystone		05:16
*** henrynash has joined #openstack-keystone		05:16
*** ChanServ sets mode: +v henrynash		05:16
*** haneef_ has quit IRC		05:17
openstackgerrit	Merged openstack/keystone: Fixes test nits from a previous review https://review.openstack.org/179796	05:26
*** mabrams has left #openstack-keystone		05:46
*** ajayaa has joined #openstack-keystone		05:46
*** spandhe has joined #openstack-keystone		05:54
*** spandhe_ has joined #openstack-keystone		05:57
*** gokrokve_ has joined #openstack-keystone		05:58
*** spandhe has quit IRC		05:58
*** spandhe_ is now known as spandhe		05:58
*** gokrokve has quit IRC		06:01
*** gokrokve_ has quit IRC		06:02
openstackgerrit	OpenStack Proposal Bot proposed openstack/keystone: Imported Translations from Transifex https://review.openstack.org/179331	06:03
*** _cjones_ has joined #openstack-keystone		06:17
*** _cjones_ has quit IRC		06:22
*** openstackgerrit has quit IRC		06:23
*** openstackgerrit has joined #openstack-keystone		06:24
*** svasheka has quit IRC		06:25
*** emagana has quit IRC		06:32
*** lhcheng has quit IRC		06:32
*** emagana has joined #openstack-keystone		06:33
*** svasheka has joined #openstack-keystone		06:37
*** emagana has quit IRC		06:38
*** lhcheng has joined #openstack-keystone		06:50
*** ChanServ sets mode: +v lhcheng		06:50
*** e0ne has joined #openstack-keystone		06:51
*** e0ne has quit IRC		07:06
*** rlt has joined #openstack-keystone		07:19
*** stevemar has quit IRC		07:22
*** chlong has quit IRC		07:44
*** davechen has left #openstack-keystone		07:53
*** lhcheng has quit IRC		08:03
*** henrynash has quit IRC		08:04
*** henrynash has joined #openstack-keystone		08:04
*** ChanServ sets mode: +v henrynash		08:04
*** _cjones_ has joined #openstack-keystone		08:06
*** _cjones_ has quit IRC		08:12
*** ankita_wagh has quit IRC		08:14
*** fhubik has joined #openstack-keystone		08:14
*** fhubik is now known as fhubik_afk		08:24
*** e0ne has joined #openstack-keystone		08:28
*** e0ne is now known as e0ne_		08:28
*** fhubik_afk is now known as fhubik		08:28
*** e0ne_ is now known as e0ne		08:44
*** e0ne is now known as e0ne_		08:45
*** e0ne_ is now known as e0ne		08:46
*** pnavarro has joined #openstack-keystone		08:53
*** jistr has joined #openstack-keystone		08:56
*** aix has quit IRC		08:59
*** fhubik is now known as fhubik_afk		09:02
openstackgerrit	Victor Sergeyev proposed openstack/keystone: Run SQL migration tests on PostgreSQL and MySQL https://review.openstack.org/171115	09:10
*** dobson has quit IRC		09:11
*** fhubik_afk is now known as fhubik		09:18
*** ncoghlan has quit IRC		09:22
*** samueldmq has joined #openstack-keystone		09:25
*** aix has joined #openstack-keystone		09:26
*** henrynash has quit IRC		09:47
*** markvoelker has quit IRC		09:48
*** dobson has joined #openstack-keystone		09:51
*** fhubik is now known as fhubik_afk		09:52
*** _cjones_ has joined #openstack-keystone		09:56
*** samueldmq has quit IRC		09:58
*** f13o has joined #openstack-keystone		09:58
*** _cjones_ has quit IRC		10:01
*** bdossant has joined #openstack-keystone		10:01
*** dobson has quit IRC		10:03
*** aix has quit IRC		10:12
*** fhubik_afk is now known as fhubik		10:12
*** dobson has joined #openstack-keystone		10:13
*** henrynash has joined #openstack-keystone		10:14
*** ChanServ sets mode: +v henrynash		10:14
*** f13o has quit IRC		10:15
*** dims has joined #openstack-keystone		10:20
*** dims_ has joined #openstack-keystone		10:22
openstackgerrit	David Charles Kennedy proposed openstack/keystone-specs: Updated endpoint enforcement spec https://review.openstack.org/174799	10:23
*** samueldmq has joined #openstack-keystone		10:23
samueldmq	morning	10:24
*** henrynash has quit IRC		10:24
*** kiran-r has joined #openstack-keystone		10:24
*** henrynash has joined #openstack-keystone		10:25
*** ChanServ sets mode: +v henrynash		10:25
*** aix has joined #openstack-keystone		10:25
*** dims has quit IRC		10:26
samueldmq	henrynash, hello	10:27
henrynash	samueldmq: hi	10:27
samueldmq	henrynash, morning :) I'd like to talk a little bit about dynamic policies with you	10:28
henrynash	samueldmq: ok….I’m actualy just finishing off a long email on that very subject!	10:28
samueldmq	henrynash, cool, let me know when you available thanks	10:28
henrynash	samueldmq: ok…should be done in a bit	10:29
samueldmq	henrynash, k np	10:29
*** bigjools has quit IRC		10:34
*** bigjools has joined #openstack-keystone		10:34
*** bigjools has joined #openstack-keystone		10:34
*** e0ne is now known as e0ne_		10:35
*** e0ne_ is now known as e0ne		10:36
*** e0ne is now known as e0ne_		10:56
*** fhubik has quit IRC		11:01
*** fhubik has joined #openstack-keystone		11:02
*** henrynash_ has joined #openstack-keystone		11:02
*** ChanServ sets mode: +v henrynash_		11:02
*** lhcheng has joined #openstack-keystone		11:04
*** ChanServ sets mode: +v lhcheng		11:04
*** dobson has quit IRC		11:04
*** henrynash has quit IRC		11:04
*** henrynash_ is now known as henrynash		11:04
henrynash	samueldmq: hi	11:07
samueldmq	henrynash, reading your email, talk to you in a minute :)	11:07
henrynash	ok :-)	11:07
*** lhcheng has quit IRC		11:08
*** dobson has joined #openstack-keystone		11:19
*** henrynash has quit IRC		11:27
*** dobson has quit IRC		11:36
*** dobson has joined #openstack-keystone		11:37
*** ajayaa has quit IRC		11:40
*** ctina_ has joined #openstack-keystone		11:44
*** _cjones_ has joined #openstack-keystone		11:45
*** _cjones_ has quit IRC		11:50
*** markvoelker has joined #openstack-keystone		11:51
*** e0ne_ is now known as e0ne		11:51
openstackgerrit	Samuel de Medeiros Queiroz proposed openstack/keystone-specs: Enforce policy from keystonemiddleware https://review.openstack.org/133480	11:52
*** henrynash has joined #openstack-keystone		11:58
*** ChanServ sets mode: +v henrynash		11:58
samueldmq	henrynash, hi	11:59
henrynash	hi	11:59
samueldmq	henrynash, so basically I agree with you on all those	11:59
henrynash	:-)	11:59
samueldmq	henrynash, we have talked about capibilities, etc early in K	12:00
henrynash	most of it was not controversial…but (almost for my own sake) needed to kind of put it all down in one go	12:00
samueldmq	henrynash, ++	12:00
samueldmq	henrynash, I think we should provide a CRUD for capabilities	12:00
samueldmq	henrynash, which would contains all the capabilities loaded from the unified policy	12:01
samueldmq	initially	12:01
*** ajayaa has joined #openstack-keystone		12:01
henrynash	samueldmq: nad capablities would be indexed by what….service type/id and capability name or something like that?	12:01
samueldmq	henrynash, yeah	12:02
henrynash	++	12:02
samueldmq	henrynash, and you should be able to list_capabilities based on the namespace (service name, etc) or	12:02
samueldmq	henrynash, based on the token	12:02
samueldmq	henrynash, based on the token will be amazing for horizon, for g	12:02
samueldmq	eg	12:02
henrynash	samueldmq: ooh…yes, that would be nice	12:03
samueldmq	henrynash, nice	12:03
samueldmq	henrynash, in addition, regarding the approach, I like the way you propose	12:03
samueldmq	henrynash, step-by-step, incrementally	12:03
samueldmq	henrynash, dynamic policy as it is today looks like a bunch of things not necessarily well connected (at least not well described)	12:04
henrynash	samueldmq: …and that’s kind of what I mean by lets concentrate on geting the API right…even if the implementaion underneath takes time to morph into the right places (or indeed may not be fully functional…e.g. we might not let you create capabilities via an API yet)	12:04
samueldmq	henrynash, yes, just load it from the existing policies for now	12:04
henrynash	agreed	12:04
samueldmq	henrynash, and we implement further as we go/need	12:05
*** fhubik has quit IRC		12:05
samueldmq	henrynash, I tried to clarify the dynmaic policy overview spec	12:05
samueldmq	henrynash, I described the change in terms of the problems we are trying to solve	12:05
henrynash	saw you updated that…I’llreview later today	12:05
*** fhubik has joined #openstack-keystone		12:06
samueldmq	henrynash, we then would have roles containing capabilities, and contraints (scope for now)	12:06
samueldmq	henrynash, this makes the rules (loaded from the existing rules in the policy)	12:06
samueldmq	henrynash, note : roles CONTAIN capabilities, this is true RBAC	12:07
*** raildo has joined #openstack-keystone		12:07
henrynash	I agree…roles caontain capabiliies…and that was my comment in my email…that’s really what we have….it’s just implemented in an odd way!	12:07
henrynash	and not one that you can obvious list the capabilities a given role gives you!	12:08
samueldmq	we implement the opposite I think, capabilities -> roles :/	12:08
samueldmq	henrynash, ++	12:08
samueldmq	henrynash, we can do that if we go thorugh all the policy and analyze capability per capability, because we do capability ->role	12:09
samueldmq	instead of role -> capability	12:09
henrynash	yes, our implementation is kind of back to front…..although the result is the same eventually…..you end of turning a role into a set of capabilities that is checked to see if you can execute aan API….	12:09
samueldmq	henrynash, ++	12:09
samueldmq	henrynash, btw thanks for helping on this front	12:10
samueldmq	henrynash, we will end up with a great API, I am sure :)	12:10
henrynash	np…I’ve been struggling with it all myself!	12:10
samueldmq	henrynash, let's struggle to get there	12:10
henrynash	:-)	12:10
samueldmq	yeah : )	12:11
samueldmq	henrynash, should we discuss something about this in the meeting today ?	12:11
samueldmq	henrynash, so people keep it in mind for further discussion at the summit	12:11
*** ajayaa has quit IRC		12:13
henrynash	samueldmq: I think this is really a summit discussion…not that that works in an IRC meeting so well…there are sjust so many threads….I sent the email since I wanted to kind of put some stakes inthe ground as sadly I won’t be in Vancouver	12:13
samueldmq	henrynash, oh really ? I am sad you won't be there :/	12:15
henrynash	samueldmq: yeah, I’m moving house the week of the summit…and just no way I could get a on a plane at that time!	12:16
samueldmq	henrynash, you was on my checklist of people to talk in the summit, and discuss lots of things :/	12:16
henrynash	samueldmq: just lousy timing	12:16
samueldmq	henrynash, k good luck	12:16
samueldmq	henrynash, hopefully we will meet at midcycle	12:17
henrynash	thx	12:17
samueldmq	henrynash, I am sure yet I will be attending it, I don't know if I will get sponsored	12:17
henrynash	samueldmq: I bl**dy hope so!	12:17
samueldmq	henrynash, :-)	12:18
samueldmq	henrynash, my goals in L are policies + identity v3 everywhere	12:18
samueldmq	henrynash, I am focusing on them wiht other people to get them by L	12:19
henrynash	v3 everywhere is a must	12:19
samueldmq	henrynash, ++ I already created a experimental job for devstack	12:20
samueldmq	henrynash, which is under review https://review.openstack.org/#/q/status:open+topic:identity-v3-only-jobs,n,z	12:20
samueldmq	henrynash, I am working with morganfainberg and jamielennox on that front	12:21
henrynash	yeah, nice!!!	12:21
samueldmq	henrynash, regarding role-sets ... what if we re-use the existing role api ?	12:24
samueldmq	henrynash, just extending it to support grouping	12:24
henrynash	samueldmq: yes, that’s a debate I was having with gyee	12:24
samueldmq	henrynash, it would be easier to deployers to manage all together	12:24
samueldmq	++	12:24
marekd	samueldmq: henrynash: sory to interrupt - are you discussing a concept of a hash identifying a container of roles (easier to keep in fernet tokens for example) ?	12:25
henrynash	samueldmq: we jdut ahve to think through how this works with domain specific role sets….since if the name goies in the token, how do we suppoer namedspaces role sets	12:25
*** lmtaylor has joined #openstack-keystone		12:25
*** fhubik is now known as fhubik_afk		12:25
samueldmq	henrynash, right ,I will mull it a bit	12:26
henrynash	ok	12:26
samueldmq	marekd, no, we are discussing how to define container of roles, etc ... hashing or anything else related on how to represent in the token is to be discussed	12:27
*** fhubik_afk is now known as fhubik		12:27
samueldmq	marekd, expanding in token generation (keystone) vs expanding at token evalutaion (services)	12:27
samueldmq	marekd, also, we were discussing the changes in the policy implementation we have today	12:28
marekd	samueldmq: ok, end user gain would be a hash-like value instead of list of roles the uses has.	12:28
marekd	am i right?	12:28
samueldmq	marekd, yeah, kindof .. you can assign the user a role-set	12:29
samueldmq	marekd, which is a group of roles, or other role-sets	12:29
marekd	do you have something on paper (like spec, review) or it's just here on irc so far? that would be interesting.	12:29
samueldmq	marekd, and yes, the cloud admin will be able to define role-sets that are meaningful to their cloud	12:29
samueldmq	marekd, and assign them to their users	12:30
marekd	samueldmq: ah ok, this explains one of my question.	12:30
samueldmq	marekd, : )	12:30
samueldmq	marekd, see henrynash's email on the ml, he has some links there	12:30
marekd	samueldmq: re: dynamic policy - i am curious whether the http response body of GET /policy would change or it'd be a blob like today?	12:31
marekd	samueldmq: ok, i see it. quite fresh e-mail, i was on lunch at that time.	12:32
marekd	:-)	12:32
samueldmq	marekd, yeah	12:32
samueldmq	marekd, the existing api won't change I guess, we must maintain the compatibility	12:32
marekd	samueldmq: you are proposing much enough to simpy use other endpoints.	12:32
samueldmq	marekd, what I was discussing with henrynash was to have a CRUD for capabilities, and roles have a set of capabilities	12:32
marekd	samueldmq: no no, i kind of changed the topic.	12:33
samueldmq	marekd, under certain constraints (scope constraints)	12:33
samueldmq	marekd, hehe k	12:33
marekd	switched to your spec on dynamic policy.	12:33
samueldmq	marekd, yes, on the spec we still didnt define how the API will be more powerful	12:34
marekd	kind of interesing topic, and since i am not policy master i am trying to also learn something here. Looks like there are some dangling bits today in Keystone (like already implemented /policy API)	12:34
*** gordc has joined #openstack-keystone		12:34
samueldmq	marekd, we will need a spec for this , and what I was talking just above will probably be there	12:34
marekd	which was confusing for me at the beginning.	12:34
samueldmq	(capability management, etc)	12:34
marekd	that would be nice, esp. for tokens size problem.	12:34
samueldmq	marekd, that spec comprises a lot of things	12:34
samueldmq	marekd, sorry I need to go afk for a bit	12:34
marekd	i alredy saw lots of references	12:35
marekd	samueldmq: sure.	12:35
marekd	cu	12:35
dstanek	i'm very interested in the policy discussion as well - i haven't ready henrynash's email yet	12:35
marekd	dstanek: spec on dynamic policy may interst you then.	12:35
samueldmq	dstanek, sure, we can talk about it later once I am back (I am not here)	12:35
samueldmq	:-)	12:35
*** gyee has joined #openstack-keystone		12:39
*** ChanServ sets mode: +v gyee		12:39
dstanek	marekd: yeah, it's on my list of pre-summit reading	12:39
*** dobson has quit IRC		12:39
marekd	dstanek: ++	12:40
dstanek	i don't know anything about it, but my impression based on the name is that it's not a good thing due to auditing	12:40
marekd	nothing about policy ?	12:40
*** dims_ has quit IRC		12:41
marekd	dstanek: my undestating of that is Keystone would become kind of global policy master, instead of multiple policy rules defined independently and locally at every service.	12:41
*** dims has joined #openstack-keystone		12:41
dstanek	so what is dynamic?	12:41
marekd	dunno	12:42
marekd	maybe full api access that makes it more 'dynamic'	12:42
dstanek	as long as the actual rules aren't changing then i'm not as worried	12:43
marekd	i still have few questions to the authors, but i think samueldmq said the ksm would fetch and cache rules on some interval basis.	12:44
marekd	but i don't know more details (not specified)	12:44
*** dobson has joined #openstack-keystone		12:46
*** links has quit IRC		12:52
*** vhoward has quit IRC		13:00
*** vhoward has joined #openstack-keystone		13:01
*** openstack-kid has joined #openstack-keystone		13:02
*** openstack-kid has left #openstack-keystone		13:03
*** ctina_ has quit IRC		13:03
*** rlt has quit IRC		13:04
*** openstack-kid has joined #openstack-keystone		13:05
samueldmq	dstanek, marekd hey what's up	13:05
samueldmq	I am back :)	13:05
samueldmq	dstanek, so dynamic is the way we manage the policy (via api)	13:06
samueldmq	dstanek, and the changes automatically impact the enforcement in individual services	13:07
gordc	dhellmann: just an fyi, i'm planning on releasing a stable/juno pycadf 0.6.1	13:07
samueldmq	dstanek, you may want to change either the organization of roles (role-sets, etc) and the policy rules	13:07
gordc	it is to address: http://lists.openstack.org/pipermail/openstack-dev/2015-April/061920.html	13:07
samueldmq	dstanek, both will affect enforcement	13:07
*** ajayaa has joined #openstack-keystone		13:08
*** richm has joined #openstack-keystone		13:10
marekd	dstanek: samueldmq so that's what i thought - dynamic because it is accessible via resful api	13:11
dstanek	samueldmq: do you have a link to the spec?	13:11
openstack-kid	is keystone auth plugins are always need to be a single file?	13:11
samueldmq	dstanek, sure, let me find it	13:12
samueldmq	dstanek, https://review.openstack.org/#/c/147651/	13:12
marekd	dstanek: https://review.openstack.org/#/c/147651/4/specs/backlog/dynamic-policy.rst	13:12
marekd	samueldmq: why most of this stuff is still in backlog?	13:12
dstanek	samueldmq: marekd: thanks	13:12
samueldmq	marekd, because they're not approved ?	13:12
dstanek	marekd: it's in the backlog until we approved it and schedule it for a release	13:12
samueldmq	dstanek, ++	13:12
marekd	....why not propose in the libery dir like last release?	13:13
*** Ctina has joined #openstack-keystone		13:13
marekd	i thought backlog was just for something postponed for next release	13:13
samueldmq	marekd, backlog is for things we still haven't targeted yet	13:14
samueldmq	marekd, if we target them to L we can move them, even if not approved yet (I think)	13:14
marekd	isn't dynamic-policy a goal for l ?	13:14
samueldmq	marekd, yeah it is, but we have to approve the specs to make sure what we will get in L	13:15
samueldmq	marekd, and them move the specs	13:15
dstanek	yeah, we are going for a sort of agile process here. just about everything hits the backlog until it's approved and targeted.	13:15
*** afaranha has quit IRC		13:16
marekd	when was decided? i am pretty sure last cycle everybody was proposing against 'kilo' directory (and unltil merged it didn't appear either way)	13:16
marekd	i think i missed something (maybe when i was away past few weeks)	13:16
* marekd is ashamed		13:16
samueldmq	marekd, don't be :p	13:17
samueldmq	marekd, we decided to keep everything in the backlog (the directory already existed but we wasn't using it)	13:17
samueldmq	marekd, so we keep things in the backlog till we approve and target them	13:17
marekd	ok ok	13:17
openstack-kid	quit	13:17
*** openstack-kid has left #openstack-keystone		13:17
marekd	^^ oups	13:18
samueldmq	heheh	13:18
samueldmq	think he's kidding :p	13:18
*** amakarov_away is now known as amakarov		13:20
*** lmtaylor has quit IRC		13:20
marekd	samueldmq: so you are going to be in Vancouver, right?	13:20
*** gyee has quit IRC		13:22
dstanek	marekd: i actually don't remember when we decided that	13:22
*** annasort has quit IRC		13:23
*** annasort has joined #openstack-keystone		13:23
*** bknudson has joined #openstack-keystone		13:26
*** ChanServ sets mode: +v bknudson		13:26
*** gyee has joined #openstack-keystone		13:27
*** ChanServ sets mode: +v gyee		13:27
samueldmq	marekd, yes I will :)	13:29
marekd	samueldmq: who else from your uni is coming ?	13:30
marekd	rodrigo	13:30
marekd	for sure	13:30
samueldmq	marekd, tons of people	13:30
marekd	lol	13:30
*** afaranha has joined #openstack-keystone		13:30
*** annasort has quit IRC		13:30
*** afaranha has left #openstack-keystone		13:31
marekd	good	13:31
samueldmq	marekd, me, raildo, rodrigods, htruta, abrito, afaranha, gabriel-bezerra and others	13:31
samueldmq	marekd, the last ones from our ironic team	13:31
marekd	get it	13:31
samueldmq	marekd, hehe I need to prepare myself to the discussions, start the pre-reading on other things than policy and v3 everywhere	13:32
*** ajayaa has quit IRC		13:32
raildo	\o/ let's go invade Vancouver #BrazilTeam	13:32
samueldmq	raildo, o/	13:32
samueldmq	btw today is raildo's bday :)	13:32
* marekd happy bday, raildo!		13:33
raildo	samueldmq, marekd thanks!	13:33
*** _cjones_ has joined #openstack-keystone		13:34
samueldmq	henrynash, so roles should be namespace, for the existing ones, we put a global namespace (maybe none value) to indicate it's visible everywhere	13:35
samueldmq	henrynash, domain specific roles have their namespaces set to domain's name/id	13:35
samueldmq	henrynash, that's easy to implement/migrate	13:35
*** jaosorior has joined #openstack-keystone		13:35
samueldmq	gyee, talking about domain specific roles^	13:36
samueldmq	gyee, and how we should implement them (usign the existing role api (extending it), so it would be easier to deployers/cloud admins)	13:36
*** _cjones_ has quit IRC		13:39
gyee	samueldmq, still trying to digest henrynash's email	13:40
samueldmq	gyee, k I am available to discuss anything about dynamic policies, etc	13:41
samueldmq	gyee, let me know if you have concerns	13:41
gyee	samueldmq, I think we maybe attempting to solve too many problems in one shot	13:43
gyee	we already have the policy CRUD APIs in v3, making them usable take some thinking	13:44
openstackgerrit	Merged openstack/python-keystoneclient-kerberos: Updated from global requirements https://review.openstack.org/179867	13:44
gyee	also, we if are going to support role groups/hierarchy, I can 't see how we can avoid increasing the token size	13:47
*** zzzeek has joined #openstack-keystone		13:48
raildo	gyee, today we already have the list of roles, I don't think this will increase (so much) the token size.	13:49
gyee	raildo, so with role groups/hierarchies, we are either going to put the "effective roles" or the hierarchies in the token	13:50
gyee	either way, token size will grow	13:51
*** lmtaylor1 has joined #openstack-keystone		13:51
raildo	gyee, in the fernet token we don't have the roles inside the token, right?	13:52
raildo	(just curious)	13:52
gyee	no	13:52
gyee	with fernet, roles lookup on token validation	13:52
raildo	fernet may be the default kind of token in liberty?	13:53
gyee	I hope so	13:53
bknudson	do we have devstack set up so that it can configure for fernet?	13:53
raildo	gyee, ok.. thanks :)	13:53
*** annasort has joined #openstack-keystone		13:53
gyee	bknudson, I am not aware	13:54
samueldmq	gyee, yep, that spec cover a lot of changes	13:54
samueldmq	gyee, there are individual specs for individual changes	13:54
samueldmq	gyee, I am still improving/clarifying the overview spec	13:54
samueldmq	gyee, which is https://review.openstack.org/#/c/147651/	13:54
gyee	samueldmq, I think we need to do this in phases	13:55
gyee	1. policy management	13:55
samueldmq	gyee, ++	13:55
gyee	2. policy enforcement	13:55
gyee	3. role groups/hierarchy	13:56
samueldmq	gyee, I tried to show these phases by splitting the whole solution into problems	13:56
marekd	gyee: explain 1,2, please. policy management would be accessing policy rules from central endpoint via some APIs?	13:56
samueldmq	gyee, problems we are going to solve with dynmaic policies	13:56
samueldmq	gyee, in that spec	13:56
gyee	for policy management, how do we make the existing policy CRUD usable	13:56
*** e0ne is now known as e0ne_		13:56
gyee	i.e. how do I enable nova manage their policies in Keystone with having them "accidentially" mess up swift's policy	13:57
*** dobson has quit IRC		13:57
gyee	that needs granular access control, which we don't have today	13:57
gyee	we don't have the concept of policy ownership in Keystone today	13:58
samueldmq	gyee, I and henry were thinking about introducing a capabilities CRUD on keystone	13:58
gyee	we generally lacking service user "self-service" features	13:58
samueldmq	gyee, so that roles would contain a set of capabilities and constraints (scope constraints)	13:58
samueldmq	gyee, it should be loaded from the existing policies initially	13:58
*** e0ne_ is now known as e0ne		13:59
raildo	I think that we need a design session for this... so samueldmq can explain for everyone in just one time, and we can define better this feature.	13:59
*** e0ne is now known as e0ne_		13:59
*** e0ne_ is now known as e0ne		14:00
*** e0ne is now known as e0ne_		14:00
*** e0ne_ is now known as e0ne		14:00
samueldmq	raildo, sure, we will be discussing all this at the summit, I think ayoung has a session for dynamic policy	14:01
gyee	so what is a "role"? don't think we even have a common understanding on that one, let a lone role groups	14:01
samueldmq	gyee, role is a set of capabilities	14:01
*** ajayaa has joined #openstack-keystone		14:01
gyee	what does that mean at the atomic level? :)	14:01
samueldmq	gyee, capabilities	14:01
gyee	what is a capability?	14:02
gyee	API?	14:02
samueldmq	gyee, yes	14:02
samueldmq	gyee, loaded from the current policies	14:02
samueldmq	gyee, capabilities are namespaced to services	14:02
gyee	which is to perform a set of action and a set of resource	14:02
samueldmq	gyee, yes	14:02
*** ayoung has joined #openstack-keystone		14:03
*** ChanServ sets mode: +v ayoung		14:03
*** sigmavirus24_awa is now known as sigmavirus24		14:03
gyee	action = CURD, resource = arguments	14:03
gyee	that much we know	14:03
*** joesavak has joined #openstack-keystone		14:04
samueldmq	gyee, by resource you mean the scope the action is constrained to right ?	14:04
gyee	resource, in oslo policy lango, would be targets	14:04
gyee	which are essentially args to the API	14:04
*** dobson has joined #openstack-keystone		14:04
*** blewis has joined #openstack-keystone		14:05
samueldmq	gyee, I will write up an etherpad to clarify things, without the need of a long motivation problem description as we need in a spec	14:07
samueldmq	gyee, need to go afk for a bit, sorry	14:07
gyee	samueldmq, no problem, I still haven't think it through yet, this is not an easy problem by any means	14:09
*** gokrokve has joined #openstack-keystone		14:10
*** bdossant_ has joined #openstack-keystone		14:14
*** bdossant has quit IRC		14:15
*** fhubik is now known as fhubik_afk		14:16
*** bdossant_ has quit IRC		14:19
*** ajayaa has quit IRC		14:19
*** lifeless has quit IRC		14:20
*** lifeless has joined #openstack-keystone		14:27
*** fhubik_afk is now known as fhubik		14:35
openstackgerrit	Lauren Taylor proposed openstack/keystonemiddleware: Add keystone v3 API to fetch revocation list https://review.openstack.org/180172	14:35
*** kiran-r has quit IRC		14:36
*** mattfarina has joined #openstack-keystone		14:36
morganfainberg	gyee: I like my curd interfaces.	14:37
morganfainberg	gyee: :p. Ok I know... Silly typo. That implies milk instead of api :P	14:38
*** emagana has joined #openstack-keystone		14:40
*** iurygregory has quit IRC		14:42
gyee	heh	14:42
*** gokrokve_ has joined #openstack-keystone		14:43
*** blewis has quit IRC		14:46
*** gokrokve has quit IRC		14:46
*** pnavarro has quit IRC		14:49
*** blewis has joined #openstack-keystone		14:49
*** mattfarina has quit IRC		14:55
*** mattfarina has joined #openstack-keystone		14:55
*** fhubik has quit IRC		14:56
*** vhoward has left #openstack-keystone		15:03
*** _cjones_ has joined #openstack-keystone		15:05
*** _cjones_ has quit IRC		15:09
*** gyee has quit IRC		15:13
*** gyee has joined #openstack-keystone		15:14
*** ChanServ sets mode: +v gyee		15:14
*** davidckennedy has joined #openstack-keystone		15:15
lbragstad	spec proposal freeze for liberty is l-1 right?	15:22
*** esp_ has joined #openstack-keystone		15:23
lbragstad	and feature freeze for liberty is l-2?	15:23
*** esp_ has quit IRC		15:24
*** lhcheng has joined #openstack-keystone		15:26
*** ChanServ sets mode: +v lhcheng		15:26
gyee	lbragstad, that's what I heard from the street :)	15:27
lbragstad	gyee: cool, thanks!	15:27
openstackgerrit	Alexander Makarov proposed openstack/keystone: Add redelegation columns to Trust SQL model https://review.openstack.org/172090	15:27
*** dims_ has joined #openstack-keystone		15:32
*** dims has quit IRC		15:34
*** Ctina is now known as ctina		15:43
*** spandhe has quit IRC		15:51
*** lhcheng has quit IRC		15:52
openstackgerrit	Lauren Taylor proposed openstack/keystonemiddleware: Add keystone v3 API to fetch revocation list https://review.openstack.org/180172	15:59
*** chlong has joined #openstack-keystone		16:00
*** _cjones_ has joined #openstack-keystone		16:04
*** josecastroleon has quit IRC		16:06
*** ankita_wagh has joined #openstack-keystone		16:07
*** josecastroleon has joined #openstack-keystone		16:07
*** henrynash has quit IRC		16:07
openstackgerrit	Cyril Roelandt proposed openstack/keystonemiddleware: Prevent a UnicodeDecodeError in the s3token middleware https://review.openstack.org/179777	16:08
*** henrynash has joined #openstack-keystone		16:08
*** ChanServ sets mode: +v henrynash		16:08
*** josecastroleon has quit IRC		16:09
dstanek	morganfainberg: not much on the meeting agenda for today	16:10
*** josecastroleon has joined #openstack-keystone		16:10
*** josecastroleon has quit IRC		16:12
*** josecastroleon has joined #openstack-keystone		16:13
morganfainberg	dstanek: yeah. I expect it to be light with summit soon	16:14
*** bknudson has quit IRC		16:14
*** josecastroleon has quit IRC		16:15
openstackgerrit	Cyril Roelandt proposed openstack/keystonemiddleware: Prevent a UnicodeDecodeError in the s3token middleware https://review.openstack.org/179777	16:16
*** josecastroleon has joined #openstack-keystone		16:16
*** henrynash has quit IRC		16:16
*** Bjoern__ has joined #openstack-keystone		16:17
*** chlong has quit IRC		16:18
*** josecastroleon has quit IRC		16:18
*** Bjoern__ is now known as BjoernT		16:18
*** josecastroleon has joined #openstack-keystone		16:20
*** _cjones_ has quit IRC		16:20
*** josecastroleon has quit IRC		16:21
*** josecastroleon has joined #openstack-keystone		16:23
*** josecastroleon has quit IRC		16:24
*** _cjones_ has joined #openstack-keystone		16:25
*** josecastroleon has joined #openstack-keystone		16:26
*** jistr has quit IRC		16:26
*** josecastroleon has quit IRC		16:27
*** davidckennedy has quit IRC		16:28
*** josecastroleon has joined #openstack-keystone		16:29
*** lhcheng has joined #openstack-keystone		16:29
*** ChanServ sets mode: +v lhcheng		16:29
*** alexsyip has joined #openstack-keystone		16:31
*** josecastroleon has quit IRC		16:31
*** ctina has quit IRC		16:32
*** josecastroleon has joined #openstack-keystone		16:32
*** ctina has joined #openstack-keystone		16:32
*** josecastroleon has quit IRC		16:34
*** josecastroleon has joined #openstack-keystone		16:35
*** josecastroleon has quit IRC		16:37
*** ankita_wagh has quit IRC		16:37
*** josecastroleon has joined #openstack-keystone		16:38
*** gokrokve_ has quit IRC		16:39
*** josecastroleon has quit IRC		16:40
*** joesavak has quit IRC		16:40
*** josecastroleon has joined #openstack-keystone		16:41
openstackgerrit	Lauren Taylor proposed openstack/keystonemiddleware: Add keystone v3 API to fetch revocation list https://review.openstack.org/180172	16:42
*** josecastroleon has quit IRC		16:43
*** josecastroleon has joined #openstack-keystone		16:45
*** josecastroleon has quit IRC		16:46
*** ajayaa has joined #openstack-keystone		16:48
*** josecastroleon has joined #openstack-keystone		16:48
*** josecastroleon has quit IRC		16:49
*** josecastroleon has joined #openstack-keystone		16:51
*** josecastroleon has quit IRC		16:52
*** josecastroleon has joined #openstack-keystone		16:54
*** mattfarina has quit IRC		16:57
*** browne has quit IRC		16:57
*** mattfarina has joined #openstack-keystone		16:57
*** joesavak has joined #openstack-keystone		17:03
-openstackstatus- NOTICE: zuul has been restarted to troubleshoot an issue, gerrit events between 15:00-17:00 utc were lost and changes updated or approved during that time will need to be rechecked or have their approval votes readded to trigger testing		17:04
*** e0ne has quit IRC		17:05
*** gokrokve has joined #openstack-keystone		17:07
*** gokrokve has quit IRC		17:07
*** harlowja has quit IRC		17:08
*** ankita_wagh has joined #openstack-keystone		17:08
*** harlowja has joined #openstack-keystone		17:09
*** gokrokve has joined #openstack-keystone		17:12
*** gokrokve has quit IRC		17:12
*** gyee has quit IRC		17:14
*** topol has joined #openstack-keystone		17:16
*** ChanServ sets mode: +v topol		17:16
*** gyee has joined #openstack-keystone		17:21
*** ChanServ sets mode: +v gyee		17:21
*** josecastroleon has quit IRC		17:23
*** josecastroleon has joined #openstack-keystone		17:25
*** josecastroleon has quit IRC		17:26
*** josecastroleon has joined #openstack-keystone		17:28
*** josecastroleon has quit IRC		17:29
*** josecastroleon has joined #openstack-keystone		17:31
*** josecastroleon has quit IRC		17:32
*** dims_ has quit IRC		17:33
openstackgerrit	Min Song proposed openstack/keystone: Use single connection in get_all function for getting "enabled" values for all ldap users. https://review.openstack.org/180247	17:33
*** browne has joined #openstack-keystone		17:33
*** josecastroleon has joined #openstack-keystone		17:34
*** dims has joined #openstack-keystone		17:34
*** josecastroleon has quit IRC		17:36
*** josecastroleon has joined #openstack-keystone		17:37
*** josecastroleon has quit IRC		17:39
*** henrynash has joined #openstack-keystone		17:39
*** ChanServ sets mode: +v henrynash		17:39
*** josecastroleon has joined #openstack-keystone		17:40
*** Zanatoz has quit IRC		17:41
*** josecastroleon has quit IRC		17:42
*** jsavak has joined #openstack-keystone		17:43
*** josecastroleon has joined #openstack-keystone		17:43
*** edmondsw has joined #openstack-keystone		17:44
*** josecastroleon has quit IRC		17:45
openstackgerrit	henry-nash proposed openstack/keystone: Use correct LOG translation indicator for errors https://review.openstack.org/167141	17:45
*** joesavak has quit IRC		17:46
*** josecastroleon has joined #openstack-keystone		17:46
openstackgerrit	henry-nash proposed openstack/keystone: Use correct LOG translation indicator for errors https://review.openstack.org/167141	17:48
*** josecastroleon has quit IRC		17:48
*** rdo has quit IRC		17:49
openstackgerrit	henry-nash proposed openstack/keystone: Use correct LOG translation indicator for errors https://review.openstack.org/167141	17:49
*** e0ne has joined #openstack-keystone		17:50
*** josecastroleon has joined #openstack-keystone		17:50
*** e0ne is now known as e0ne_		17:50
*** e0ne_ is now known as e0ne		17:51
*** packet has joined #openstack-keystone		17:51
*** josecastroleon has quit IRC		17:51
*** josecastroleon has joined #openstack-keystone		17:53
openstackgerrit	Raildo Mascena de Sousa Filho proposed openstack/keystone: Change project name constraint https://review.openstack.org/158372	17:54
openstackgerrit	Min Song proposed openstack/keystone: Use single connection in get_all function for getting "enabled" values for all ldap users. https://review.openstack.org/180247	17:54
*** josecastroleon has quit IRC		17:54
*** ajayaa has quit IRC		17:55
*** josecastroleon has joined #openstack-keystone		17:56
*** josecastroleon has quit IRC		17:57
david8hu	samueldmq, gyee, The current v3 policies lack of who can change what policy. It is kind of like free for all if you are a admin. It leaves room for improvement :)	17:58
gyee	david8hu, yes sir indeed	17:59
*** josecastroleon has joined #openstack-keystone		17:59
*** joesavak has joined #openstack-keystone		18:00
*** bknudson has joined #openstack-keystone		18:00
*** ChanServ sets mode: +v bknudson		18:00
*** jsavak has quit IRC		18:02
*** josecastroleon has quit IRC		18:03
*** samleon has quit IRC		18:04
*** josecastroleon has joined #openstack-keystone		18:04
*** josecastroleon has quit IRC		18:06
*** josecastroleon has joined #openstack-keystone		18:07
openstackgerrit	Sam Leong proposed openstack/keystone: Tokenless authz with X.509 SSL client certificate https://review.openstack.org/156870	18:08
*** gokrokve has joined #openstack-keystone		18:09
*** josecastroleon has quit IRC		18:09
*** josecastroleon has joined #openstack-keystone		18:10
*** josecastroleon has quit IRC		18:12
*** gokrokve has quit IRC		18:12
*** josecastroleon has joined #openstack-keystone		18:13
*** packet has quit IRC		18:14
*** josecastroleon has quit IRC		18:15
openstackgerrit	Min Song proposed openstack/keystone: Use single connection in get_all function for getting "enabled" values for all ldap users. https://review.openstack.org/180247	18:17
*** josecastroleon has joined #openstack-keystone		18:17
openstackgerrit	Min Song proposed openstack/keystone: Use single connection in get_all function for getting "enabled" values for all ldap users. https://review.openstack.org/180247	18:17
*** josecastroleon has quit IRC		18:18
openstackgerrit	Sam Leong proposed openstack/keystone: Tokenless authz with X.509 SSL client certificate https://review.openstack.org/156870	18:19
*** josecastroleon has joined #openstack-keystone		18:20
*** josecastroleon has quit IRC		18:22
*** josecastroleon has joined #openstack-keystone		18:23
*** kiran-r has joined #openstack-keystone		18:24
*** gokrokve has joined #openstack-keystone		18:24
*** josecastroleon has quit IRC		18:25
*** josecastroleon has joined #openstack-keystone		18:26
*** josecastroleon has quit IRC		18:28
*** jsavak has joined #openstack-keystone		18:29
*** gokrokve has quit IRC		18:29
*** josecastroleon has joined #openstack-keystone		18:29
*** josecastroleon has quit IRC		18:31
*** joesavak has quit IRC		18:32
*** josecastroleon has joined #openstack-keystone		18:32
*** rdo has joined #openstack-keystone		18:33
*** gokrokve has joined #openstack-keystone		18:34
*** josecastroleon has quit IRC		18:34
*** josecastroleon has joined #openstack-keystone		18:35
*** josecastroleon has quit IRC		18:37
*** josecastroleon has joined #openstack-keystone		18:38
*** packet has joined #openstack-keystone		18:39
*** j_king has quit IRC		18:40
*** j_king has joined #openstack-keystone		18:40
*** josecastroleon has quit IRC		18:41
bknudson	dstanek: https://bugs.launchpad.net/pbr/+bug/1260495 !	18:41
openstack	Launchpad bug 1260495 in python-keystoneclient "Setting autodoc_tree_index_modules makes documentation builds fail" [Low,Confirmed] - Assigned to David Stanek (dstanek)	18:41
*** josecastroleon has joined #openstack-keystone		18:42
*** josecastroleon has quit IRC		18:44
dstanek	bknudson: yeah, i just saw that email come across	18:44
*** josecastroleon has joined #openstack-keystone		18:45
*** josecastroleon has quit IRC		18:47
*** josecastroleon has joined #openstack-keystone		18:48
*** josecastroleon has quit IRC		18:50
*** josecastroleon has joined #openstack-keystone		18:51
*** BjoernT has quit IRC		18:53
*** josecastroleon has quit IRC		18:53
*** josecastroleon has joined #openstack-keystone		18:54
*** josecastroleon has quit IRC		18:56
*** josecastroleon has joined #openstack-keystone		18:57
*** josecastroleon has quit IRC		18:59
*** bknudson has quit IRC		19:00
*** henrynash has quit IRC		19:00
*** kiran-r has quit IRC		19:00
*** josecastroleon has joined #openstack-keystone		19:00
*** gokrokve has quit IRC		19:01
*** gokrokve has joined #openstack-keystone		19:01
*** josecastroleon has quit IRC		19:03
gyee	ayoung, morganfainberg, endpoint constraint and dynamic policy are two different thing	19:03
gyee	don't confuse the two	19:03
ayoung	gyee, enpoind contraint is one form of policy	19:04
ayoung	there are details there you have missed	19:04
*** josecastroleon has joined #openstack-keystone		19:04
gyee	but they don't manage the same way	19:04
ayoung	for example, we want to let some operations go by without a token at all	19:04
ayoung	also, endpoibnt, service, region...we filter on them today	19:04
ayoung	there might be other things	19:04
gyee	ayoung, no, this is strictly endpoint checking	19:04
gyee	ayoung, this is a concentrated task, not trying to boil the ocean	19:05
ayoung	gyee, we are close on this.	19:05
ayoung	It might be endpoint in once case, and service in another	19:05
ayoung	it might be region as well	19:05
ayoung	we don't want separate mechanisms for each	19:06
*** josecastroleon has quit IRC		19:06
gyee	yes, its a filter, specified in the form of a rule	19:06
ayoung	we want a service catalog filter applied on all API calls	19:06
gyee	ayoung, we can expend it to include other policies later	19:06
gyee	but lets do this in stages	19:06
ayoung	make it so it accepts the policy format and we get that now	19:06
ayoung	it does not need to be in the core policy file, although it probably should be	19:06
gyee	ayoung, you mean make it configurable where to pull the rules?	19:06
ayoung	we could have it as a standard rule	19:07
ayoung	something like global:catalog	19:07
ayoung	or you know, something that doesn;t suck	19:07
gyee	oh	19:07
*** josecastroleon has joined #openstack-keystone		19:07
gyee	you mean tagging the config?	19:07
gyee	it's a configurable rule right now	19:08
*** jistr has joined #openstack-keystone		19:08
gyee	it doesn't suck	19:08
ayoung	gyee, I mean make it something that works in the same namespace as compute: identity: and so on	19:09
*** josecastroleon has quit IRC		19:09
ayoung	so it can be in the global policy file or we can do the policy directory thing	19:09
gyee	ayoung, no need for namespace as the operation is internal	19:09
ayoung	gyee, NO	19:10
ayoung	you are missing the point	19:10
ayoung	this is part of what we want operators to manage	19:10
ayoung	we provide a reasonable default	19:10
*** josecastroleon has joined #openstack-keystone		19:10
ayoung	it is not internal	19:10
ayoung	just make the default do the sane thing	19:10
lhcheng	dstanek: wanted to circle back on this, are you okay with the current validation on the trusted_dashboard or make it a little more restrictive. https://bugs.launchpad.net/keystone/+bug/1440958	19:11
openstack	Launchpad bug 1440958 in Keystone "loosen validation on matching trusted dashboard" [Medium,Fix committed] - Assigned to Lin Hua Cheng (lin-hua-cheng)	19:11
gyee	like	19:11
ayoung	BTW, endpoint binding is going to be one of my examples in the Dynamic policy talk	19:11
gyee	nova:endpoint_constraint: endpoint_id:12345	19:11
ayoung	exactly	19:11
gyee	k, that's an easy change	19:11
*** josecastroleon has quit IRC		19:12
gyee	ayoung, will roll a patch with your suggestion, thanks	19:12
ayoung	gyee and we use the existing policy mechanism to enforce. There is support for a directory, so it will be one file with one rule in it	19:12
*** spandhe has joined #openstack-keystone		19:12
ayoung	gyee, you rock thanks so much	19:12
ayoung	and with that...gotta fly	19:12
dstanek	lhcheng: it's definitely not secure as designed	19:13
*** gyee has quit IRC		19:13
mordred	question about domains	19:13
*** josecastroleon has joined #openstack-keystone		19:13
mordred	if I don't know what's up - but the cloud has told me that my user_domain_name is "foo" - should I assume in the absence of other information that the project is in that domain too?	19:13
dstanek	lhcheng: i think the check itself is useless if we just accept a querystring param of host header and check it against a keystone controlled string since those are too easy to spoof	19:14
*** ayoung has quit IRC		19:14
*** josecastroleon has quit IRC		19:15
*** EmilienM is now known as EmilienM\|afk		19:15
*** gyee has joined #openstack-keystone		19:15
*** ChanServ sets mode: +v gyee		19:15
*** raminoid has joined #openstack-keystone		19:16
*** josecastroleon has joined #openstack-keystone		19:16
gyee	ayoung, one problem	19:17
dstanek	mordred: unfortunately i don't know the answer to that question	19:17
*** ankita_wagh has quit IRC		19:17
gyee	the name of the operations has to be known	19:17
mordred	dstanek: awesome	19:17
gyee	that means we'll have to add a third config option	19:17
dstanek	someone else in here should though....hopefully you don't have to wait too long	19:18
*** jdennis has quit IRC		19:18
david-lyle	mordred what type of token did you get?	19:18
*** josecastroleon has quit IRC		19:18
lhcheng	dstanek: would making the suggested change in the ticket (comment #9) make it better?	19:19
*** josecastroleon has joined #openstack-keystone		19:19
dstanek	lhcheng: the problem isn't just what to match, but what you are matching against - we're taking user defined input to match against right?	19:21
*** josecastroleon has quit IRC		19:21
gyee	dstanek, what's up with the Cavs?!	19:22
dstanek	lhcheng: it's possible that there is not risk to this attack (i don't know the entire flow), but generally speaking we can't trust user controlled inputs	19:22
mordred	david-lyle: no idea - I'm trying to both help a problem someone else and also learn things	19:22
dstanek	gyee: La Failure sucks, always has and alway will	19:22
*** josecastroleon has joined #openstack-keystone		19:23
mordred	david-lyle: what should I know about this:	19:23
gyee	no Love	19:23
mordred	echo "Please enter the OpenStack domain name of your project: "	19:23
lhcheng	dstanek: yes, the host in the query param is user defined. Which means any dashboard (like horizon) can define what the redirect_url would be.	19:23
mordred	read OS_PROJECT_DOMAIN_NAME_INPUT	19:23
mordred	export OS_PROJECT_DOMAIN_NAME=$OS_PROJECT_DOMAIN_NAME_INPUT	19:23
mordred	david-lyle: from horizon	19:23
mordred	david-lyle: why would a project_domain_name not be in that file	19:23
mordred	?	19:23
dstanek	lhcheng: that's the problem to me... while i couldn't find the issue in horizon another dashboard may be vulnerable to unvalidated redirects	19:24
dstanek	lhcheng: and then if there were would that be an issue?	19:24
*** josecastroleon has quit IRC		19:24
david-lyle	mordred: should just be the name of the containing domain	19:25
*** josecastroleon has joined #openstack-keystone		19:26
mordred	david-lyle: how does someone know that?	19:26
david-lyle	not sure why it wouldn't be in the openrc file	19:26
david-lyle	is that the file you're talking about?	19:26
mordred	yup	19:26
mordred	that was a paste from one	19:26
mordred	but I'm trying to use it to try to understand domains more :)	19:27
*** josecastroleon has quit IRC		19:27
*** amakarov is now known as amakarov_away		19:27
lhcheng	dstanek: so the value in the trusted_dashboard config is validated against the redirect url provided by the dashboard initiating the request	19:27
lhcheng	dstanek: would that be a sufficient validation?	19:28
dstanek	lhcheng: an exact match or a startswith?	19:28
*** josecastroleon has joined #openstack-keystone		19:28
david-lyle	mordred: the user's domain name should match, the project domain name in most cases	19:29
david-lyle	trying to remember if cross-domain role assignment is supported in keystone	19:29
gyee	david-lyle, yes	19:29
lhcheng	dstanek: we used exact match before, then replaced it matching just <scheme>://<netloc> to make it easier for deployer to setup	19:29
david-lyle	gyee: boom	19:30
lhcheng	dstanek: we could replace it with startswith	19:30
david-lyle	mordred, ok so most cases	19:30
david-lyle	99.5%	19:30
lhcheng	dstanek: so it would be up to deployer how restrictive they want it to be	19:30
dstanek	lhcheng: so exact match should be safe, but a startswith would open the security hole	19:30
gyee	99.14159%	19:30
david-lyle	the other fraction gets messy	19:30
*** josecastroleon has quit IRC		19:31
*** Bjoern__ has joined #openstack-keystone		19:32
lhcheng	dstanek: so let's just revert the change? I have no problem reverting the change.	19:32
*** josecastroleon has joined #openstack-keystone		19:32
mordred	david-lyle: ok. I'll start with that	19:32
*** josecastroleon has quit IRC		19:34
dstanek	lhcheng: probably. i cant' think of an attack for exact matching. maybe stevemar or marekd could shed some light on what info the dashboard gets that could be stolen.	19:34
lhcheng	dstanek: would appreciate if you can add your feedback to https://bugs.launchpad.net/keystone/+bug/1440958	19:35
openstack	Launchpad bug 1440958 in Keystone "loosen validation on matching trusted dashboard" [Medium,Fix committed] - Assigned to Lin Hua Cheng (lin-hua-cheng)	19:35
*** josecastroleon has joined #openstack-keystone		19:35
lhcheng	dstanek: I can follow-up with marekd and stevemar when they get online later.	19:35
dstanek	lhcheng: just added a comment; take a look and let me know if my worry isn't clear	19:37
*** josecastroleon has quit IRC		19:37
*** josecastroleon has joined #openstack-keystone		19:38
*** josecastroleon has quit IRC		19:40
*** josecastroleon has joined #openstack-keystone		19:41
*** emagana has quit IRC		19:42
*** emagana has joined #openstack-keystone		19:42
*** josecastroleon has quit IRC		19:43
*** josecastroleon has joined #openstack-keystone		19:45
*** josecastroleon has quit IRC		19:46
*** ankita_wagh has joined #openstack-keystone		19:47
*** mestery has quit IRC		19:48
*** josecastroleon has joined #openstack-keystone		19:48
*** vhoward has joined #openstack-keystone		19:48
samueldmq	mordred, what's up ? you're trying to use the CLI ?	19:48
*** jistr has quit IRC		19:49
*** josecastroleon has quit IRC		19:49
*** josecastroleon has joined #openstack-keystone		19:54
samueldmq	mordred, in a multi-domain env, when you want to get a token to a project, if you don't specify the project_id directly (want to specify the project name instead)	19:54
samueldmq	mordred, you then need to specify the domain owns that project	19:55
samueldmq	mordred, since project names are unique inside domains, not globally	19:56
samueldmq	mordred, https://github.com/openstack/keystone/blob/master/keystone/resource/backends/sql.py#L259	19:56
*** josecastroleon has quit IRC		19:56
*** josecastroleon has joined #openstack-keystone		19:58
*** Rockyg has joined #openstack-keystone		19:59
*** josecastroleon has quit IRC		19:59
mordred	samueldmq: yah - but what I don't know is - how do I learn the domain that owns the project	19:59
*** josecastroleon has joined #openstack-keystone		20:01
samueldmq	mordred, domains are usually created to separate different customers, in which you would be able to delegate users, groups and proejct management	20:02
samueldmq	mordred, if you have a domain for your org, it shouldn't be hard to know what that domain is	20:02
*** josecastroleon has quit IRC		20:02
samueldmq	mordred, and in most cases it will be the same domain as you're in (as said above by david)	20:03
samueldmq	mordred, you are supposed to at least know where the project you are trying to use comes from	20:03
*** josecastroleon has joined #openstack-keystone		20:04
*** josecastroleon has quit IRC		20:05
*** josecastroleon has joined #openstack-keystone		20:07
morganfainberg	Which change is the issue ^^	20:08
openstackgerrit	Ankita Wagh proposed openstack/keystonemiddleware: Handling endpoints with missing URL types https://review.openstack.org/179624	20:08
*** josecastroleon has quit IRC		20:08
*** josecastroleon has joined #openstack-keystone		20:10
samueldmq	morganfainberg, there is no project outside a domain, so I can't use a domain-less project :p	20:11
samueldmq	morganfainberg, unless we get back to tenants	20:11
*** josecastroleon has quit IRC		20:11
*** rushiagr_away is now known as rushiagr		20:12
morganfainberg	samueldmq: uhh. Correct.	20:12
morganfainberg	Domain less project shouldn't exist.	20:12
morganfainberg	I mean... That would be a broken project afaik.	20:12
samueldmq	morganfainberg, ++ that's why we need to specify the project + containing domain (its namespace)	20:12
*** josecastroleon has joined #openstack-keystone		20:13
morganfainberg	Yep	20:13
richm	mordred: openstack project list --long # will show the domain id of the project	20:13
richm	er, openstack --os-identity-api-version 3 project list --long	20:13
samueldmq	richm, you should already have token to make this call	20:13
richm	right	20:14
samueldmq	richm, how did you get it ? what if you have no rights to list all projects ?	20:14
*** ctina_ has joined #openstack-keystone		20:14
*** josecastroleon has quit IRC		20:14
richm	samueldmq: I don't know - if you don't rights to list projects, then some admin with those rights should tell you, or grant you access to find out for yourself	20:15
samueldmq	richm, why do you know the project you want to use without know the domain which contains it ?	20:15
samueldmq	richm, it's the project namespace	20:16
*** josecastroleon has joined #openstack-keystone		20:16
richm	because you are used to the old v2 style of user+project?	20:16
richm	and you're not used to having to deal with domains yet?	20:16
samueldmq	richm, so it's the domain default if you haven't a multi-domain cloud	20:16
richm	right	20:16
richm	grep default_domain_id /etc/keystone/keystone.conf	20:17
richm	or just 'default' if that's not set	20:17
samueldmq	richm, I guess you can specify the domain name	20:17
richm	yes	20:17
richm	I think openstack allows you to specify the domain name or id for users, projects, etc.	20:17
*** josecastroleon has quit IRC		20:17
richm	--os-user-domain-id or --os-user-domain-name, etc.	20:18
*** ctina has quit IRC		20:18
*** josecastroleon has joined #openstack-keystone		20:19
*** ctina_ has quit IRC		20:19
mordred	well, I don't run a cloud	20:19
mordred	so I can't ever grep in keystone	20:19
mordred	so I can't ever grep in keystone.conf	20:19
richm	mordred: if your keystone is v3 enabled, who is the admin? Can they either tell you which domain to use, or grant you access to list projects?	20:20
mordred	richm: well, right now I don't have a keystonev3 cloud - but I'm trying to make sure that the ansible modules do the right hting	20:21
*** josecastroleon has quit IRC		20:21
mordred	but part of this is that a user figuring out their auth information for a cloud is always a terrible experience	20:21
mordred	so I'm trying to learn as much as I can to point people who know nothing about openstack to being able to put the right values into thier config files	20:21
richm	mordred: then we are probably solving the same problems - I'm working on implementing v3 support in puppet	20:22
mordred	richm: woot!	20:22
*** josecastroleon has joined #openstack-keystone		20:22
mordred	richm: my work is all in the shade library (openstack-infra/shade) which is also being consumed in ansible, fwiw	20:22
richm	I don't know if it is kosher for an ansible person to ask questions in puppet-openstack, but you might get answers	20:23
*** spandhe has quit IRC		20:23
mordred	well, I'm a puppet person too	20:23
mordred	we do use ansible to run puppet over in openstack-infra after all	20:23
*** josecastroleon has quit IRC		20:24
richm	ok	20:24
richm	mordred: You may have seen the recent os-dev email thread about Keystone v3 and puppet	20:25
*** josecastroleon has joined #openstack-keystone		20:25
*** josecastroleon has quit IRC		20:27
*** gyee has quit IRC		20:28
*** josecastroleon has joined #openstack-keystone		20:28
*** josecastroleon has quit IRC		20:30
*** josecastroleon has joined #openstack-keystone		20:31
*** lhcheng has quit IRC		20:33
*** josecastroleon has quit IRC		20:34
*** lhcheng_ has joined #openstack-keystone		20:34
*** josecastroleon has joined #openstack-keystone		20:35
*** josecastroleon has quit IRC		20:36
*** e0ne has quit IRC		20:38
*** josecastroleon has joined #openstack-keystone		20:38
*** aix has quit IRC		20:38
*** Trozz has quit IRC		20:39
*** Trozz has joined #openstack-keystone		20:39
*** josecastroleon has quit IRC		20:39
*** rushiagr is now known as rushiagr_away		20:40
*** d34dh0r53 has quit IRC		20:41
*** josecastroleon has joined #openstack-keystone		20:41
*** josecastroleon has quit IRC		20:42
*** josecastroleon has joined #openstack-keystone		20:44
*** d34dh0r53 has joined #openstack-keystone		20:45
*** josecastroleon has quit IRC		20:46
*** r-daneel has joined #openstack-keystone		20:47
*** josecastroleon has joined #openstack-keystone		20:47
*** josecastroleon has quit IRC		20:49
*** raildo is now known as raildo_away		20:50
*** josecastroleon has joined #openstack-keystone		20:50
*** josecastroleon has quit IRC		20:52
*** josecastroleon has joined #openstack-keystone		20:53
*** gyee has joined #openstack-keystone		20:54
*** ChanServ sets mode: +v gyee		20:54
*** annasort has quit IRC		20:54
openstackgerrit	guang-yee proposed openstack/keystone-specs: Updated endpoint enforcement spec https://review.openstack.org/174799	20:55
*** josecastroleon has quit IRC		20:55
*** josecastroleon has joined #openstack-keystone		20:57
*** josecastroleon has quit IRC		20:59
*** spandhe has joined #openstack-keystone		20:59
*** josecastroleon has joined #openstack-keystone		21:00
*** ankita_w_ has joined #openstack-keystone		21:00
*** ankita_wagh has quit IRC		21:02
*** josecastroleon has quit IRC		21:03
*** josecastroleon has joined #openstack-keystone		21:04
*** josecastroleon has quit IRC		21:06
*** jsavak has quit IRC		21:06
*** josecastroleon has joined #openstack-keystone		21:07
*** josecastroleon has quit IRC		21:09
openstackgerrit	Min Song proposed openstack/keystone: Use single connection in get_all function https://review.openstack.org/180247	21:09
*** josecastroleon has joined #openstack-keystone		21:10
*** josecastroleon has quit IRC		21:12
*** josecastroleon has joined #openstack-keystone		21:13
*** josecastroleon has quit IRC		21:15
*** josecastroleon has joined #openstack-keystone		21:16
*** josecastroleon has quit IRC		21:18
*** josecastroleon has joined #openstack-keystone		21:19
*** josecastroleon has quit IRC		21:21
*** josecastroleon has joined #openstack-keystone		21:22
*** josecastroleon has quit IRC		21:24
*** Bjoern__ has left #openstack-keystone		21:25
*** josecastroleon has joined #openstack-keystone		21:25
*** josecastroleon has quit IRC		21:27
*** gyee has quit IRC		21:27
*** boris-42 has quit IRC		21:28
*** josecastroleon has joined #openstack-keystone		21:28
*** lmtaylor1 has left #openstack-keystone		21:30
*** josecastroleon has quit IRC		21:30
*** josecastroleon has joined #openstack-keystone		21:31
*** dguerri is now known as _dguerri		21:33
*** josecastroleon has quit IRC		21:33
*** _dguerri is now known as dguerri		21:33
*** josecastroleon has joined #openstack-keystone		21:34
*** topol has quit IRC		21:36
*** josecastroleon has quit IRC		21:37
*** josecastroleon has joined #openstack-keystone		21:38
*** dguerri is now known as _dguerri		21:38
*** _dguerri is now known as dguerri		21:38
*** lhcheng_ is now known as lhcheng		21:39
*** ChanServ sets mode: +v lhcheng		21:39
*** josecastroleon has quit IRC		21:40
*** josecastroleon has joined #openstack-keystone		21:41
*** josecastroleon has quit IRC		21:43
marekd	dstanek: lhcheng: Hi what's up?	21:43
*** josecastroleon has joined #openstack-keystone		21:44
*** josecastroleon has quit IRC		21:46
*** stevemar has joined #openstack-keystone		21:47
*** ChanServ sets mode: +v stevemar		21:47
*** josecastroleon has joined #openstack-keystone		21:47
*** edmondsw has quit IRC		21:49
richm	stevemar: is there a way to tell the openstack command to use auth settings from the [keystone_authtoken] section of a config file? There is a common idiom in puppet openstack modules where you put the auth parameters in your component config file in the [keystone_authtoken] section - then to use openstack, you read them out and format them in the form of arguments like --os-user-name, etc.	21:49
*** josecastroleon has quit IRC		21:49
richm	stevemar: I would rather just say openstack --os-auth-file /etc/glance/glance-api.conf image list	21:50
*** blewis has quit IRC		21:50
stevemar	richm, not yet, that wasn't really a use case, since that's for keystonemiddleware	21:50
stevemar	richm, did you look @ the new cloud-config stuff?	21:50
*** josecastroleon has joined #openstack-keystone		21:51
richm	stevemar: cloud-config?	21:51
marekd	dstanek: lhcheng honesly, i think not checking the exact url is already wrong.	21:51
stevemar	richm, yeah, trying to find you some docs	21:52
*** josecastroleon has quit IRC		21:52
*** annasort has joined #openstack-keystone		21:53
marekd	dstanek: lhcheng i might have my dashboard stored at the public provider, say https://public.provider.com/marek and somebody may make my users to enter https://public.provider.com/.marek and afar netlock would match, as it would be public.provider.com	21:53
lhcheng	marekd: you're working late now too? :p	21:53
stevemar	richm, http://docs.openstack.org/developer/python-openstackclient/configuration.html#configuration-files	21:53
*** josecastroleon has joined #openstack-keystone		21:54
marekd	lhcheng: i just opened the terminal and saw that somebody called my irc handle...	21:54
marekd	:-)	21:54
marekd	need to get up in 6h so i will not stay long.	21:54
marekd	lhcheng: anyway, what's the issue btw now?	21:54
marekd	lhcheng: btw, i never got the answer why the validation got loosen?	21:54
marekd	lhcheng: who asked/complained about that?	21:55
lhcheng	marekd: it is about the validation of the trusted dashboard	21:55
marekd	lhcheng: yep, which now checks scheme and netloc	21:55
stevemar	marekd, cause at one point we failed validation due to a missing slash	21:55
*** ptoohill is now known as pothole		21:55
lhcheng	marekd: we loosened it to just match <scheme>://<netloc>	21:55
*** josecastroleon has quit IRC		21:55
marekd	lhcheng: yep, saw the patchset.	21:56
lhcheng	marekd: dstanek raised a concern that it is a security hole, a malicious user could put an unvalidated redirects	21:56
*** josecastroleon has joined #openstack-keystone		21:57
marekd	lhcheng: like?	21:57
marekd	say https://public.provider.com/marek and https://public.provider.com/.marek ?	21:57
lhcheng	marekd: redirect_url=http://dashboard/redirect?url=http://hacked_site	21:57
marekd	(mind dot at the latter .marek)	21:57
marekd	lhcheng: oh, that's nice, actually i have the same concern.	21:58
lhcheng	after dashboard login the user, it will redirect to hacked site	21:58
marekd	just came up with different example	21:58
*** josecastroleon has quit IRC		21:58
marekd	lhcheng: if you really need to loosen the validation i'd go with startswith() like you proposed.	21:58
lhcheng	marekd: dstanek provided that example, much easier to visualize the attack	21:58
marekd	if the problem is the configuration and slashes I think we should improve logs/erros to quickly catch such errors.	21:59
marekd	not loosen validation.	21:59
lhcheng	marekd: even with that, there is potential for the same attack above.	21:59
*** josecastroleon has joined #openstack-keystone		22:00
*** esp_ has joined #openstack-keystone		22:00
lhcheng	marekd: with something like redirect_url=http://dashboard/identity/?next=http://hacked_site	22:00
marekd	lhcheng: ah, with startswith() you mean?	22:00
lhcheng	marekd: yes!	22:01
lhcheng	I guess, we'll just revert it back. And have a patch to improve logging	22:01
richm	stevemar: https://bugs.launchpad.net/python-openstackclient/+bug/1452045	22:01
openstack	Launchpad bug 1452045 in python-openstackclient "read auth parameters from a config file" [Undecided,New]	22:01
marekd	lhcheng: so i'd revert to the initial concept and mak it very strict	22:01
lhcheng	marekd: it is already strict :P we just have to make it more easier to troubleshoot I guess	22:02
marekd	and again - if the problem is that configuration is error prone because every slash matters - let's improve logs/error msg	22:02
lhcheng	stevemar: ^	22:02
lhcheng	marekd: agree	22:02
*** josecastroleon has quit IRC		22:02
*** ankita_w_ has quit IRC		22:03
*** josecastroleon has joined #openstack-keystone		22:04
*** ankita_wagh has joined #openstack-keystone		22:04
*** josecastroleon has quit IRC		22:05
marekd	lhcheng: i don't see the strict check.	22:06
marekd	lhcheng: i see https://github.com/openstack/keystone/blob/master/keystone/contrib/federation/controllers.py#L269-L283	22:06
*** josecastroleon has joined #openstack-keystone		22:07
stevemar	richm, hmm, i'm not sure how much traction that bug will get -- especially since we just added cloud config support and it's so similar	22:08
lhcheng	marekd: used to be exact match here: https://github.com/openstack/keystone/blob/9b11d13856034e3a2cf6ab1f6ca80a6965818d17/keystone/contrib/federation/controllers.py#L286	22:08
*** josecastroleon has quit IRC		22:08
lhcheng	marekd: the redirect_url must exactly match an entry in trusted_dashboards	22:09
marekd	lhcheng: used to be, but it's not anymore in master.	22:10
*** josecastroleon has joined #openstack-keystone		22:10
richm	stevemar: understood - it would just save a considerable amount of puppet code + resources	22:10
lhcheng	marekd: yeah, so that's the concern of dstanek. I'll revert it back :)	22:10
marekd	:-)	22:11
stevemar	richm, and we're already having a tough time handling the priorities if: occ properties + env vars + in-line options are all passed in	22:11
stevemar	a fourth... oy vei	22:11
marekd	lhcheng: what redirect_url did you have to specify?	22:11
*** josecastroleon has quit IRC		22:11
marekd	was is simply https://my-horizon.company.com or with some razy suffixes?	22:12
*** packet has quit IRC		22:12
marekd	s/razy/crazy/	22:12
richm	stevemar: understood - it's really just a convenience to save the puppet code from having to read the ini and convert to --os- arguments or yaml or env - just a few more lines of ruby . . .	22:12
lhcheng	marekd: including the suffixes	22:13
*** josecastroleon has joined #openstack-keystone		22:13
lhcheng	marekd: something like: http://localhost:8020/auth/websso/	22:14
lhcheng	marekd: the redirect_url for horizon dashboard is something like that.	22:14
*** josecastroleon has quit IRC		22:15
marekd	in the public providers versions ports would be probably skipped, and i personally consider suffixes like /auth/websso/ nice :-)	22:15
marekd	i was worrying that would be http://localhost:8020/auth/websso/?param=sdjfnksfuysbjhbsfsdf&auth=lksjndfksefkhsbdfhsdf&cookie=jsndfklhsfouayrjhfbgdfgdfg	22:15
*** josecastroleon has joined #openstack-keystone		22:16
lhcheng	marekd: cool, nice that we're on the same side on that :D	22:16
marekd	:-)	22:17
marekd	yep	22:17
lhcheng	but that settings could be possible too, if the deployer wants it :P	22:17
marekd	so he will have a guy who will take care of carefull url copy/pasting	22:18
marekd	:-)	22:19
lhcheng	yeah, copy/paste expert	22:19
lhcheng	:)	22:19
*** josecastroleon has quit IRC		22:19
marekd	anyway, i think the concept with the websso design was that we only allow trusted and defined apriori dashboards to use it, and unless we decide to loosen this constraint we shouldnt loosen mechanisms to enfore that. this is my opinion.	22:20
marekd	dstanek: ^^	22:20
marekd	and let me end with that :-)	22:20
marekd	good night everybody	22:20
lhcheng	marekd: thanks for checking in	22:21
lhcheng	marekd: have a good night	22:21
*** josecastroleon has joined #openstack-keystone		22:21
marekd	no worries! you too!	22:21
*** jdennis has joined #openstack-keystone		22:21
lhcheng	dstanek: thanks for raising the issue too!	22:21
*** gordc has quit IRC		22:22
*** josecastroleon has quit IRC		22:22
*** josecastroleon has joined #openstack-keystone		22:24
*** stevemar has quit IRC		22:24
*** josecastroleon has quit IRC		22:25
*** josecastroleon has joined #openstack-keystone		22:27
*** Ephur has quit IRC		22:28
*** josecastroleon has quit IRC		22:28
*** rwsu_ has quit IRC		22:30
*** josecastroleon has joined #openstack-keystone		22:30
*** Rockyg has quit IRC		22:30
*** rwsu_ has joined #openstack-keystone		22:30
*** josecastroleon has quit IRC		22:31
*** josecastroleon has joined #openstack-keystone		22:33
openstackgerrit	Lin Hua Cheng proposed openstack/keystone: Revert "Loosen validation on matching trusted dashboard" https://review.openstack.org/180343	22:33
*** josecastroleon has quit IRC		22:34
*** josecastroleon has joined #openstack-keystone		22:36
*** josecastroleon has quit IRC		22:38
*** josecastroleon has joined #openstack-keystone		22:39
*** josecastroleon has quit IRC		22:41
*** josecastroleon has joined #openstack-keystone		22:42
*** josecastroleon has quit IRC		22:44
*** josecastroleon has joined #openstack-keystone		22:45
*** josecastroleon has quit IRC		22:47
*** josecastroleon has joined #openstack-keystone		22:48
*** alex_xu has quit IRC		22:49
*** josecastroleon has quit IRC		22:50
*** alex_xu has joined #openstack-keystone		22:51
*** EmilienM\|afk is now known as EmilienM		22:52
*** josecastroleon has joined #openstack-keystone		22:52
*** josecastroleon has quit IRC		22:53
dstanek	marekd: lhcheng: i just skimmed, but i agree about making sure there are no holes	22:54
dstanek	lhcheng: yw	22:54
*** josecastroleon has joined #openstack-keystone		22:55
*** josecastroleon has quit IRC		22:56
*** emagana has quit IRC		22:57
*** josecastroleon has joined #openstack-keystone		22:58
*** emagana has joined #openstack-keystone		22:58
*** josecastroleon has quit IRC		22:59
*** esp_ has quit IRC		23:01
*** josecastroleon has joined #openstack-keystone		23:01
*** emagana has quit IRC		23:02
*** josecastroleon has quit IRC		23:03
*** josecastroleon has joined #openstack-keystone		23:04
*** topol has joined #openstack-keystone		23:05
*** ChanServ sets mode: +v topol		23:05
*** josecastroleon has quit IRC		23:06
*** josecastroleon has joined #openstack-keystone		23:07
*** josecastroleon has quit IRC		23:09
*** emagana has joined #openstack-keystone		23:09
*** alex_xu has quit IRC		23:10
*** josecastroleon has joined #openstack-keystone		23:10
*** alex_xu has joined #openstack-keystone		23:11
*** josecastroleon has quit IRC		23:12
*** josecastroleon has joined #openstack-keystone		23:13
*** emagana has quit IRC		23:14
*** josecastroleon has quit IRC		23:15
*** josecastroleon has joined #openstack-keystone		23:17
*** josecastroleon has quit IRC		23:18
*** josecastroleon has joined #openstack-keystone		23:20
*** josecastroleon has quit IRC		23:21
*** josecastroleon has joined #openstack-keystone		23:23
*** josecastroleon has quit IRC		23:25
*** josecastroleon has joined #openstack-keystone		23:26
*** josecastroleon has quit IRC		23:28
*** josecastroleon has joined #openstack-keystone		23:29
*** josecastroleon has quit IRC		23:31
*** jaosorior has quit IRC		23:32
*** josecastroleon has joined #openstack-keystone		23:32
*** josecastroleon has quit IRC		23:34
*** josecastroleon has joined #openstack-keystone		23:35
*** josecastroleon has quit IRC		23:37
*** josecastroleon has joined #openstack-keystone		23:38
*** josecastroleon has quit IRC		23:41
*** josecastroleon has joined #openstack-keystone		23:42
*** josecastroleon has quit IRC		23:44
*** josecastroleon has joined #openstack-keystone		23:45
*** josecastroleon has quit IRC		23:47
*** josecastroleon has joined #openstack-keystone		23:48
*** josecastroleon has quit IRC		23:50
*** josecastroleon has joined #openstack-keystone		23:51
*** josecastroleon has quit IRC		23:53
*** josecastroleon has joined #openstack-keystone		23:54
*** josecastroleon has quit IRC		23:56
*** josecastroleon has joined #openstack-keystone		23:57
*** josecastroleon has quit IRC		23:59

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!