Wednesday, 2015-05-06

*** josecastroleon has joined #openstack-keystone		00:00
*** gokrokve has quit IRC		00:01
*** josecastroleon has quit IRC		00:02
*** ayoung has joined #openstack-keystone		00:03
*** ChanServ sets mode: +v ayoung		00:03
*** josecastroleon has joined #openstack-keystone		00:03
*** josecastroleon has quit IRC		00:06
*** josecastroleon has joined #openstack-keystone		00:07
*** gokrokve has joined #openstack-keystone		00:08
*** josecastroleon has quit IRC		00:09
*** josecastroleon has joined #openstack-keystone		00:10
*** josecastroleon has quit IRC		00:12
*** _cjones_ has quit IRC		00:12
*** _cjones_ has joined #openstack-keystone		00:12
*** josecastroleon has joined #openstack-keystone		00:13
ankita_wagh	Hi , I am working on https://review.openstack.org/179624 . Its having this error. http://logs.openstack.org/24/179624/5/check/gate-tempest-dsvm-neutron-src-keystonemiddleware/bf3fa76/logs/screen-g-api.txt.gz?level=ERROR	00:14
*** josecastroleon has quit IRC		00:15
ankita_wagh	Not sure how are they related.. Any help will be highly appreciated	00:15
*** josecastroleon has joined #openstack-keystone		00:16
*** _cjones_ has quit IRC		00:17
*** josecastroleon has quit IRC		00:18
*** josecastroleon has joined #openstack-keystone		00:19
*** zzzeek has quit IRC		00:21
*** josecastroleon has quit IRC		00:21
*** josecastroleon has joined #openstack-keystone		00:22
*** josecastroleon has quit IRC		00:24
*** josecastroleon has joined #openstack-keystone		00:25
*** josecastroleon has quit IRC		00:27
morganfainberg	dstanek: trying to cross-track http://libertydesignsummit.sched.org/event/8f871516b7d1cf8bf342ada310d91180 but it wont let me assign QA as a track	00:28
morganfainberg	possibly because QA already has a session at that time :(	00:28
*** josecastroleon has joined #openstack-keystone		00:28
*** josecastroleon has quit IRC		00:31
*** josecastroleon has joined #openstack-keystone		00:32
*** dims_ has joined #openstack-keystone		00:32
*** dims has quit IRC		00:33
*** josecastroleon has quit IRC		00:34
*** josecastroleon has joined #openstack-keystone		00:35
*** josecastroleon has quit IRC		00:37
*** josecastroleon has joined #openstack-keystone		00:38
*** josecastroleon has quit IRC		00:40
*** josecastroleon has joined #openstack-keystone		00:41
*** ankita_wagh has quit IRC		00:41
*** ankita_wagh has joined #openstack-keystone		00:42
-openstackstatus- NOTICE: Restarted gerrit due to stuck stream-events connections. Events since 23:49 were missed and changes uploaded since then will need to be rechecked.		00:42
*** josecastroleon has quit IRC		00:43
*** josecastroleon has joined #openstack-keystone		00:44
*** josecastroleon has quit IRC		00:46
*** ankita_wagh has quit IRC		00:46
*** samueldmq has quit IRC		00:47
*** josecastroleon has joined #openstack-keystone		00:47
jamielennox	174202	00:48
jamielennox	dam	00:48
*** josecastroleon has quit IRC		00:49
*** samueldmq has joined #openstack-keystone		00:50
*** josecastroleon has joined #openstack-keystone		00:51
*** lhcheng has quit IRC		00:52
*** josecastroleon has quit IRC		00:52
*** josecastroleon has joined #openstack-keystone		00:54
*** josecastroleon has quit IRC		00:56
*** josecastroleon has joined #openstack-keystone		00:57
*** josecastroleon has quit IRC		00:59
*** josecastroleon has joined #openstack-keystone		01:00
*** josecastroleon has quit IRC		01:02
*** gokrokve has quit IRC		01:02
*** josecastroleon has joined #openstack-keystone		01:03
*** josecastroleon has quit IRC		01:05
*** josecastroleon has joined #openstack-keystone		01:06
ayoung	#rdo has this in the status: Please stay in channel after asking a question - it can take a while!	01:06
*** josecastroleon has quit IRC		01:08
ayoung	jamielennox, what do you think of splitting https://review.openstack.org/#/c/174799/ endpoint constraints out into its own middleware?	01:09
*** josecastroleon has joined #openstack-keystone		01:10
jamielennox	ayoung: i much prefer that than mixing up policy into auth_token	01:10
ayoung	jamielennox, cool. gonna suggest that	01:10
ayoung	it does mean we need to update the deployment in all endpoints, but I think that is preferable	01:10
ayoung	better than adding a new config option	01:10
*** josecastroleon has quit IRC		01:11
ayoung	jamielennox, I'm thinking that the policy rule name should be hard coded; global:servicecatalog or something like that. Is there a better name than global?	01:12
*** josecastroleon has joined #openstack-keystone		01:13
jamielennox	default?	01:13
jamielennox	no default implies it only runs if nothing else matches	01:13
jamielennox	you sure you want to embed it in a standard policy file?	01:14
*** josecastroleon has quit IRC		01:14
*** josecastroleon has joined #openstack-keystone		01:16
*** josecastroleon has quit IRC		01:17
*** josecastroleon has joined #openstack-keystone		01:19
*** josecastroleon has quit IRC		01:21
*** alexsyip has quit IRC		01:22
*** lhcheng has joined #openstack-keystone		01:22
*** ChanServ sets mode: +v lhcheng		01:22
*** josecastroleon has joined #openstack-keystone		01:22
*** josecastroleon has quit IRC		01:25
*** josecastroleon has joined #openstack-keystone		01:27
*** josecastroleon has quit IRC		01:28
*** josecastroleon has joined #openstack-keystone		01:30
*** josecastroleon has quit IRC		01:31
*** davechen1 has joined #openstack-keystone		01:32
*** josecastroleon has joined #openstack-keystone		01:33
ayoung	jamielennox, I think so. I think it should be possible to mix with the other policy file, not must	01:34
*** gokrokve has joined #openstack-keystone		01:34
*** josecastroleon has quit IRC		01:34
*** josecastroleon has joined #openstack-keystone		01:36
*** josecastroleon has quit IRC		01:37
*** josecastroleon has joined #openstack-keystone		01:39
*** josecastroleon has quit IRC		01:40
*** josecastroleon has joined #openstack-keystone		01:42
*** spandhe has quit IRC		01:43
*** josecastroleon has quit IRC		01:44
*** spandhe has joined #openstack-keystone		01:45
*** josecastroleon has joined #openstack-keystone		01:45
*** josecastroleon has quit IRC		01:47
*** spandhe has quit IRC		01:47
*** josecastroleon has joined #openstack-keystone		01:48
*** josecastroleon has quit IRC		01:50
*** josecastroleon has joined #openstack-keystone		01:51
*** browne has quit IRC		01:51
*** r-daneel has quit IRC		01:52
*** josecastroleon has quit IRC		01:53
*** josecastroleon has joined #openstack-keystone		01:54
*** josecastroleon has quit IRC		01:56
*** josecastroleon has joined #openstack-keystone		01:58
*** josecastroleon has quit IRC		01:59
*** josecastroleon has joined #openstack-keystone		02:01
*** josecastroleon has quit IRC		02:02
dstanek	morganfainberg: that's unfortunate	02:03
*** josecastroleon has joined #openstack-keystone		02:04
*** josecastroleon has quit IRC		02:05
*** josecastroleon has joined #openstack-keystone		02:07
*** josecastroleon has quit IRC		02:09
*** josecastroleon has joined #openstack-keystone		02:10
*** josecastroleon has quit IRC		02:12
*** josecastroleon has joined #openstack-keystone		02:13
*** raminoid has left #openstack-keystone		02:14
*** josecastroleon has quit IRC		02:15
ayoung	jamielennox, is it possible to skip "default" for policy	02:15
jamielennox	you mean global?	02:16
jamielennox	default is if nothing else is found	02:16
jamielennox	same with {}.get('abc', default='value')	02:16
jamielennox	so default only gets executed on fall through	02:16
*** josecastroleon has joined #openstack-keystone		02:16
jamielennox	i don't know if that's the behaviour you want though	02:16
*** josecastroleon has quit IRC		02:18
*** josecastroleon has joined #openstack-keystone		02:19
*** sigmavirus24 is now known as sigmavirus24_awa		02:19
*** richm has quit IRC		02:21
*** josecastroleon has quit IRC		02:22
*** josecastroleon has joined #openstack-keystone		02:23
*** mestery has joined #openstack-keystone		02:23
*** dims_ has quit IRC		02:24
*** josecastroleon has quit IRC		02:25
*** josecastroleon has joined #openstack-keystone		02:26
*** josecastroleon has quit IRC		02:28
*** browne has joined #openstack-keystone		02:28
*** josecastroleon has joined #openstack-keystone		02:29
*** gokrokve_ has joined #openstack-keystone		02:29
*** josecastroleon has quit IRC		02:31
openstackgerrit	Jamie Lennox proposed openstack/keystonemiddleware: Fetch user token from request rather than env https://review.openstack.org/174202	02:31
openstackgerrit	Jamie Lennox proposed openstack/keystonemiddleware: Remove the _msg_format function https://review.openstack.org/174201	02:31
openstackgerrit	Jamie Lennox proposed openstack/keystonemiddleware: Base use webob https://review.openstack.org/174200	02:31
openstackgerrit	Jamie Lennox proposed openstack/keystonemiddleware: Don't rely on token_info for header building https://review.openstack.org/174199	02:31
openstackgerrit	Jamie Lennox proposed openstack/keystonemiddleware: Move project included validation https://review.openstack.org/174198	02:31
*** gokrokve_ has quit IRC		02:31
openstackgerrit	Jamie Lennox proposed openstack/keystonemiddleware: Depend on keystoneclient for expiration checking https://review.openstack.org/174197	02:31
openstackgerrit	Jamie Lennox proposed openstack/keystonemiddleware: Don't store expire into memcache https://review.openstack.org/174196	02:31
openstackgerrit	Jamie Lennox proposed openstack/keystonemiddleware: Cleanup token hashes generated by cache https://review.openstack.org/174194	02:31
*** gokrokve_ has joined #openstack-keystone		02:31
*** josecastroleon has joined #openstack-keystone		02:32
*** gokrokve has quit IRC		02:33
*** josecastroleon has quit IRC		02:34
*** josecastroleon has joined #openstack-keystone		02:35
*** josecastroleon has quit IRC		02:37
*** josecastroleon has joined #openstack-keystone		02:38
*** josecastroleon has quit IRC		02:40
*** josecastroleon has joined #openstack-keystone		02:41
*** josecastroleon has quit IRC		02:43
*** josecastroleon has joined #openstack-keystone		02:44
morganfainberg	dstanek: I'll try and bug ttx about it tomorrow.	02:45
*** josecastroleon has quit IRC		02:47
*** josecastroleon has joined #openstack-keystone		02:48
*** spandhe has joined #openstack-keystone		02:48
ayoung	morganfainberg, where do audit CADF notification go by default?	02:49
ayoung	oslo messaging? a file?	02:49
*** josecastroleon has quit IRC		02:50
openstackgerrit	Jamie Lennox proposed openstack/keystonemiddleware: Remove custom header handling https://review.openstack.org/180385	02:50
morganfainberg	ayoung: uh message bus I think.	02:51
morganfainberg	ayoung: so... If not configured, the ether.	02:51
*** josecastroleon has joined #openstack-keystone		02:51
ayoung	morganfainberg, how configured?	02:51
ayoung	I'm looking in docs..do we explain this?	02:51
*** gokrokve_ has quit IRC		02:52
ayoung	morganfainberg, we docuemnt the hell out of the format but then say nothing about how to get them or what to do with them? Really	02:52
*** josecastroleon has quit IRC		02:53
ayoung	# Driver or drivers to handle sending notifications. (multi valued)	02:54
ayoung	#notification_driver =	02:54
ayoung	# AMQP topic used for OpenStack notifications. (list value)	02:54
ayoung	# Deprecated group/name - [rpc_notifier2]/topics	02:54
ayoung	#notification_topics = notifications	02:54
*** josecastroleon has joined #openstack-keystone		02:54
*** josecastroleon has quit IRC		02:56
*** kiran-r has joined #openstack-keystone		02:57
*** josecastroleon has joined #openstack-keystone		02:57
*** gokrokve has joined #openstack-keystone		02:59
*** josecastroleon has quit IRC		02:59
*** ankita_wagh has joined #openstack-keystone		03:00
*** josecastroleon has joined #openstack-keystone		03:00
*** josecastroleon has quit IRC		03:02
*** josecastroleon has joined #openstack-keystone		03:03
*** josecastroleon has quit IRC		03:05
*** josecastroleon has joined #openstack-keystone		03:06
*** josecastroleon has quit IRC		03:08
*** josecastroleon has joined #openstack-keystone		03:09
*** markvoelker has quit IRC		03:10
*** fifieldt has joined #openstack-keystone		03:11
*** josecastroleon has quit IRC		03:12
*** josecastroleon has joined #openstack-keystone		03:13
*** _cjones_ has joined #openstack-keystone		03:13
*** josecastroleon has quit IRC		03:15
*** josecastroleon has joined #openstack-keystone		03:16
*** josecastroleon has quit IRC		03:18
*** _cjones_ has quit IRC		03:19
*** josecastroleon has joined #openstack-keystone		03:19
*** fifieldt has quit IRC		03:20
*** josecastroleon has quit IRC		03:21
*** josecastroleon has joined #openstack-keystone		03:22
openstackgerrit	liusheng proposed openstack/keystone: doc: replace GitHub by git.openstack.org https://review.openstack.org/180390	03:22
*** josecastroleon has quit IRC		03:24
*** dims has joined #openstack-keystone		03:24
*** josecastroleon has joined #openstack-keystone		03:25
*** josecastroleon has quit IRC		03:27
*** josecastroleon has joined #openstack-keystone		03:29
*** dims has quit IRC		03:30
*** josecastroleon has quit IRC		03:30
*** josecastroleon has joined #openstack-keystone		03:31
openstackgerrit	Jamie Lennox proposed openstack/keystonemiddleware: Refactor request methods onto request object https://review.openstack.org/180394	03:32
*** josecastroleon has quit IRC		03:33
jamielennox	morganfainberg, ayoung: all these auth_token refactorings get us closer to sharing it between keystone and middleware - please review	03:34
*** kiran-r has quit IRC		03:34
*** josecastroleon has joined #openstack-keystone		03:35
ayoung	jamielennox, will do..but not now...need to get to bed	03:35
ayoung	got it open in my browser, will hit it in the morning	03:35
*** josecastroleon has quit IRC		03:37
*** josecastroleon has joined #openstack-keystone		03:38
*** josecastroleon has quit IRC		03:40
*** gokrokve has quit IRC		03:40
*** gokrokve has joined #openstack-keystone		03:41
*** josecastroleon has joined #openstack-keystone		03:41
*** links has joined #openstack-keystone		03:41
*** josecastroleon has quit IRC		03:43
*** aix has joined #openstack-keystone		03:44
*** josecastroleon has joined #openstack-keystone		03:44
*** rushiagr_away is now known as rushiagr		03:44
*** josecastroleon has quit IRC		03:46
*** josecastroleon has joined #openstack-keystone		03:47
*** josecastroleon has quit IRC		03:49
*** aix has quit IRC		03:50
*** josecastroleon has joined #openstack-keystone		03:51
*** josecastroleon has quit IRC		03:52
*** josecastroleon has joined #openstack-keystone		03:54
*** josecastroleon has quit IRC		03:55
*** josecastroleon has joined #openstack-keystone		03:57
*** josecastroleon has quit IRC		03:58
*** josecastroleon has joined #openstack-keystone		04:00
*** josecastroleon has quit IRC		04:02
*** josecastroleon has joined #openstack-keystone		04:03
*** josecastroleon has quit IRC		04:05
*** josecastroleon has joined #openstack-keystone		04:06
*** josecastroleon has quit IRC		04:08
*** josecastroleon has joined #openstack-keystone		04:09
*** josecastroleon has quit IRC		04:11
*** markvoelker has joined #openstack-keystone		04:11
*** rushiagr is now known as rushiagr_away		04:12
*** josecastroleon has joined #openstack-keystone		04:12
*** josecastroleon has quit IRC		04:14
*** gokrokve has quit IRC		04:15
*** markvoelker has quit IRC		04:16
*** josecastroleon has joined #openstack-keystone		04:16
*** aix has joined #openstack-keystone		04:17
*** gokrokve has joined #openstack-keystone		04:18
*** josecastroleon has quit IRC		04:45
*** josecastroleon has joined #openstack-keystone		04:47
*** josecastroleon has quit IRC		04:48
*** josecastroleon has joined #openstack-keystone		04:50
*** josecastroleon has quit IRC		04:51
*** josecastroleon has joined #openstack-keystone		04:53
*** josecastroleon has quit IRC		04:54
*** josecastroleon has joined #openstack-keystone		04:56
*** josecastroleon has quit IRC		04:58
*** josecastroleon has joined #openstack-keystone		04:59
*** gokrokve_ has joined #openstack-keystone		05:01
*** josecastroleon has quit IRC		05:01
*** josecastroleon has joined #openstack-keystone		05:03
*** rushiagr_away is now known as rushiagr		05:03
*** gokrokve has quit IRC		05:03
*** josecastroleon has quit IRC		05:04
*** samueldmq has quit IRC		05:05
*** gokrokve_ has quit IRC		05:05
*** josecastroleon has joined #openstack-keystone		05:06
*** josecastroleon has quit IRC		05:07
*** josecastroleon has joined #openstack-keystone		05:09
*** kiran-r has joined #openstack-keystone		05:09
*** josecastroleon has quit IRC		05:10
*** josecastroleon has joined #openstack-keystone		05:12
*** markvoelker has joined #openstack-keystone		05:12
*** josecastroleon has quit IRC		05:13
*** josecastroleon has joined #openstack-keystone		05:15
*** markvoelker has quit IRC		05:16
*** josecastroleon has quit IRC		05:18
*** josecastroleon has joined #openstack-keystone		05:19
*** lhcheng has quit IRC		05:19
*** josecastroleon has quit IRC		05:21
*** josecastroleon has joined #openstack-keystone		05:22
*** lhcheng has joined #openstack-keystone		05:24
*** ChanServ sets mode: +v lhcheng		05:24
*** josecastroleon has quit IRC		05:24
*** josecastroleon has joined #openstack-keystone		05:25
*** josecastroleon has quit IRC		05:27
*** josecastroleon has joined #openstack-keystone		05:28
*** spandhe_ has joined #openstack-keystone		05:29
*** spandhe has quit IRC		05:30
*** spandhe_ is now known as spandhe		05:30
*** josecastroleon has quit IRC		05:30
*** josecastroleon has joined #openstack-keystone		05:31
*** josecastroleon has quit IRC		05:34
*** josecastroleon has joined #openstack-keystone		05:35
*** josecastroleon has quit IRC		05:37
*** josecastroleon has joined #openstack-keystone		05:38
*** josecastroleon has quit IRC		05:40
*** rushiagr is now known as rushiagr_away		05:40
*** josecastroleon has joined #openstack-keystone		05:41
*** josecastroleon has quit IRC		05:43
*** josecastroleon has joined #openstack-keystone		05:44
*** josecastroleon has quit IRC		05:46
*** lhcheng has quit IRC		05:47
*** josecastroleon has joined #openstack-keystone		05:47
*** josecastroleon has quit IRC		05:49
*** gokrokve has joined #openstack-keystone		05:49
*** josecastroleon has joined #openstack-keystone		05:50
*** markvoelker has joined #openstack-keystone		05:51
*** dobson has quit IRC		05:52
*** josecastroleon has quit IRC		05:52
*** josecastroleon has joined #openstack-keystone		05:53
*** josecastroleon has quit IRC		05:55
*** markvoelker has quit IRC		05:55
*** josecastroleon has joined #openstack-keystone		05:56
*** josecastroleon has quit IRC		05:59
*** josecastroleon has joined #openstack-keystone		06:00
*** dobson has joined #openstack-keystone		06:07
*** topol has quit IRC		06:08
*** rushiagr_away is now known as rushiagr		06:22
*** mabrams has joined #openstack-keystone		06:24
*** openstackgerrit_ has joined #openstack-keystone		06:25
*** openstackgerrit_ has quit IRC		06:25
*** gokrokve_ has joined #openstack-keystone		06:27
*** gokrokve has quit IRC		06:28
*** david8hu has quit IRC		06:32
*** david8hu has joined #openstack-keystone		06:34
*** ericksonsantos has quit IRC		06:34
*** ericksonsantos has joined #openstack-keystone		06:35
*** davechen has joined #openstack-keystone		06:37
*** davechen1 has quit IRC		06:37
*** alex_xu has quit IRC		06:38
*** henrynash has joined #openstack-keystone		06:40
*** ChanServ sets mode: +v henrynash		06:40
*** henrynash has quit IRC		06:40
*** alex_xu has joined #openstack-keystone		06:42
*** Qlawy has quit IRC		06:45
*** Qlawy has joined #openstack-keystone		06:46
*** openstackgerrit_ has joined #openstack-keystone		06:46
*** openstackgerrit_ has quit IRC		06:46
*** markvoelker has joined #openstack-keystone		06:52
bigjools	does anyone have SAML auth working? I'm stuck in a redirect loop after following the docs.	06:54
*** markvoelker has quit IRC		06:56
marekd	bigjools: we can say i do :-)	06:56
marekd	bigjools: what's up exactly?	06:57
*** ankita_wagh has quit IRC		06:59
*** openstackgerrit_ has joined #openstack-keystone		07:06
*** openstackgerrit_ has quit IRC		07:06
*** jaosorior has joined #openstack-keystone		07:23
openstackgerrit	Merged openstack/keystone: Add openstack_user_domain to assertion https://review.openstack.org/172562	07:25
openstackgerrit	liusheng proposed openstack/keystone: Replace github reference by git.openstack.org https://review.openstack.org/180390	07:40
*** rushiagr has quit IRC		07:56
*** jistr has joined #openstack-keystone		07:59
*** openstackgerrit_ has joined #openstack-keystone		08:00
*** openstackgerrit_ has quit IRC		08:00
*** browne has quit IRC		08:05
*** lsmola has joined #openstack-keystone		08:11
*** rushiagr has joined #openstack-keystone		08:12
*** e0ne has joined #openstack-keystone		08:22
*** openstackgerrit_ has joined #openstack-keystone		08:26
*** openstackgerrit_ has quit IRC		08:26
*** pnavarro has joined #openstack-keystone		08:38
openstackgerrit	David Charles Kennedy proposed openstack/keystone-specs: Updated endpoint enforcement spec https://review.openstack.org/174799	08:42
*** henrynash has joined #openstack-keystone		08:43
*** ChanServ sets mode: +v henrynash		08:43
*** e0ne has quit IRC		08:43
*** rlt_ has joined #openstack-keystone		08:45
*** lhcheng has joined #openstack-keystone		08:48
*** ChanServ sets mode: +v lhcheng		08:48
openstackgerrit	liusheng proposed openstack/keystone: Replace github reference by git.openstack.org https://review.openstack.org/180390	08:51
*** lhcheng has quit IRC		08:52
*** mabrams has quit IRC		08:52
*** mabrams has joined #openstack-keystone		08:53
*** lsmola has quit IRC		08:58
*** trey has quit IRC		08:58
*** tsufiev has quit IRC		08:58
*** fhubik has joined #openstack-keystone		09:00
*** lsmola has joined #openstack-keystone		09:00
*** trey has joined #openstack-keystone		09:00
*** tsufiev has joined #openstack-keystone		09:00
bigjools	marekd: hey there	09:04
bigjools	I'm using Shibboleth as SP and simplesamlphp as Idp, and I'm not sure if I configured either of those wrong or Keystone. I see shibd processing the SSO response OK and then it ignores the session cookie and starts a new one, and redirects back to the IdP	09:06
*** mabrams has quit IRC		09:08
marekd	bigjools: this really looks like shibboleth/simplesamlphp problem, not keystone's	09:08
marekd	bigjools: i can suggest checking the logs on both sides, if you haven't done so	09:08
bigjools	I think so, yes, I was just wondering if I could see if anyone had any experience here	09:09
bigjools	I turned debug on Shibd and I'm none the wiser :(	09:09
bigjools	traced cookies etc in browser, all looks ok	09:09
bigjools	shibd is ignoring the session cookie I think, but I cannot work out why	09:09
marekd	so what shibd is saying in logs?	09:10
marekd	i think it doesnt accounce success	09:10
marekd	let's enable debug, it's super verbose	09:10
marekd	(includes encrypted and decrypted assertions even)	09:10
marekd	and informing whether the sesson was created or not.	09:11
bigjools	I have debug on	09:11
*** rushiagr is now known as rushiagr_away		09:11
bigjools	it says it's resolving attributes, after getting sso data	09:11
bigjools	and then starts a new session	09:12
bigjools	not sure if that's intended	09:12
marekd	it is	09:12
*** henrynash has quit IRC		09:13
bigjools	might be better if I pastebin this chunk of the log	09:13
marekd	bigjools: that's fine.	09:13
bigjools	ok, so after that it redirects to the protected websso url	09:14
bigjools	and the process repeats ad infinitum	09:14
bigjools	the last thing in shibd log is "OpenSAML.MessageEncoder.SAML2Redirect [1]: message encoded, sending redirect to client"	09:15
*** henrynash has joined #openstack-keystone		09:16
*** ChanServ sets mode: +v henrynash		09:16
marekd	what if you open another browser window and try enter protected url ?	09:16
marekd	bigjools: should already have cookie ready	09:16
marekd	(i am just wondering)	09:16
bigjools	let me see	09:16
bigjools	hits redirect loop too	09:17
marekd	so you wanna paste logs?	09:18
marekd	also check apache logs.	09:18
marekd	well, you need to check all logs :-(	09:18
marekd	i have never experienced such behaviour.	09:18
bigjools	it	09:18
bigjools	it is weird indeed	09:18
bigjools	nothing in apache logs either	09:19
bigjools	I'll have to talk to shibboleth people I think	09:19
marekd	maybe this idp is broken	09:20
bigjools	there's a few inconsistencies in the openstack docs BTW	09:20
marekd	bigjools: oh.	09:21
bigjools	I'll have to submit a fix	09:21
marekd	bigjools: would you mind opening the bug? I will take care of fixing that.	09:21
bigjools	sure	09:21
bigjools	I'm new to Openstack but will be contributing a lot more soon	09:21
marekd	bigjools: or you can it too, i will review. Whatever works for you.	09:21
marekd	bigjools: cool!	09:21
bigjools	unfortunately I will miss Vancouver	09:22
bigjools	ok, this is as good a first contribution as any :)	09:22
marekd	bigjools: next is Tokyo, more exotic	09:22
bigjools	a little nearer for me	09:22
marekd	which country are you located?	09:22
bigjools	australia	09:23
marekd	ok, much closer	09:23
bigjools	:)	09:23
bigjools	the problem is on this page http://docs.openstack.org/developer/keystone/extensions/websso.html	09:23
bigjools	the apache conf snippet is wrong	09:24
*** mabrams has joined #openstack-keystone		09:24
marekd	<VirtualHost *:5000> ?	09:24
marekd	that one?	09:24
bigjools	mismatched Location closing tag, and doesn't reference the other shib config you need	09:24
*** e0ne has joined #openstack-keystone		09:25
marekd	i can see the missing </Location> not sure if i know what other config you are talking about. maybe WSGIScriptAliasMatch ?	09:27
marekd	(and stuff)	09:27
bigjools	it needs the same config as in here http://docs.openstack.org/developer/keystone/extensions/shibboleth.html	09:28
bigjools	If I am understanding it all correctly?	09:28
marekd	yes	09:28
bigjools	ShibRequestSetting applicationId and so on	09:28
bigjools	ok, filing a bug now	09:28
marekd	i think this is why ... are there	09:28
*** mabrams has quit IRC		09:29
bigjools	I found it tremendously confusing as a newcomer, so let's improve it :)	09:31
marekd	sure	09:31
marekd	let me know when the bug is filled, i will subscribe.	09:31
bigjools	marekd: https://bugs.launchpad.net/keystone/+bug/1452197	09:32
openstack	Launchpad bug 1452197 in Keystone "websso docs have incorrect/incomplete Apache config snippets" [Undecided,New]	09:32
bigjools	marekd: are you using shibboleth too?	09:34
marekd	mod_shib?	09:35
bigjools	yeah	09:35
marekd	yes	09:35
bigjools	would you be able to give me a shibd debug log of you starting a new session so I can compare it with mine?	09:35
bigjools	I'd buy you a beer in Tokyo :)	09:36
*** henrynash has quit IRC		09:37
marekd	bigjools: allright.	09:38
marekd	but i will need to spin new vm.	09:39
bigjools	you're a champ	09:39
bigjools	thanks a million	09:39
marekd	i wish :-)	09:39
marekd	so you must wait a sec	09:39
bigjools	not a problem	09:39
bigjools	been at this all day	09:39
*** fhubik is now known as fhubik_afk		09:41
*** fhubik_afk is now known as fhubik		09:41
*** fhubik is now known as fhubik_afk		09:42
*** davechen has left #openstack-keystone		09:44
*** mabrams has joined #openstack-keystone		09:44
*** mabrams has quit IRC		09:45
openstackgerrit	David Charles Kennedy proposed openstack/keystone-specs: Updated endpoint enforcement spec https://review.openstack.org/174799	09:46
*** kiran-r has quit IRC		09:47
marekd	bigjools: http://cdn.pasteraw.com/mdymmvv43amrezfc41zxjt3kzxzyiwd	09:52
bigjools	marekd: awesome, thanks!	09:52
marekd	hope this helps.	09:53
marekd	anyway, i'd try setup with testshib as IdP	09:53
marekd	it's easy, fast and will help ou eliminate one potential problem (broken idp, because testshib works for sure)	09:53
bigjools	I'll try it out tomorrow, thanks for the tip	09:54
marekd	bigjools: no worries.	09:55
bigjools	I can already see that yours is quite a bit different	09:55
*** fhubik_afk is now known as fhubik		09:56
*** e0ne is now known as e0ne_		09:59
*** henrynash has joined #openstack-keystone		10:01
*** ChanServ sets mode: +v henrynash		10:01
*** e0ne_ is now known as e0ne		10:05
*** dims has joined #openstack-keystone		10:07
marekd	bigjools: you mean?	10:08
bigjools	marekd: there's a lot more going on after the response from the idp	10:08
marekd	bigjools: seriously, try testshib.	10:09
bigjools	ok :)	10:09
marekd	and adjust your shibboleth2.xml file to fit simplesamlphp	10:10
bigjools	I thought simplesamlphp was pretty, err, simple	10:10
marekd	never used.	10:10
breton	morning, folks	10:14
marekd	o/	10:15
*** rushiagr_away is now known as rushiagr		10:15
* breton slacked in reviews during last month, but is back to them		10:16
*** topol has joined #openstack-keystone		10:16
*** ChanServ sets mode: +v topol		10:16
*** fhubik is now known as fhubik_afk		10:17
* marekd welcome home, topol!		10:17
*** henrynash has quit IRC		10:20
*** topol has quit IRC		10:22
*** davidckennedy has joined #openstack-keystone		11:04
*** afaranha has joined #openstack-keystone		11:07
openstackgerrit	Samuel de Medeiros Queiroz proposed openstack/python-keystoneclient: Fixes remaining oslo imports from namespace https://review.openstack.org/167778	11:08
*** fhubik_afk is now known as fhubik		11:08
*** afaranha has quit IRC		11:11
openstackgerrit	David Stanek proposed openstack/python-keystoneclient: Removes temporary fix for doc generation https://review.openstack.org/121667	11:18
*** boris-42 has joined #openstack-keystone		11:27
*** henrynash has joined #openstack-keystone		11:30
*** ChanServ sets mode: +v henrynash		11:30
*** samueldmq has joined #openstack-keystone		11:33
samueldmq	morning	11:33
samueldmq	henrynash, hi, you around ?	11:35
*** aix has quit IRC		11:38
samueldmq	dstanek, you around ?	11:43
dstanek	samueldmq: somewhat	11:43
samueldmq	dstanek, nice, do you need help with something to the summit ?	11:44
samueldmq	dstanek, I mean the design sessions we were talking about in yesterday's meeting	11:44
dstanek	samueldmq: what do you mean?	11:44
samueldmq	^	11:44
dstanek	samueldmq: ah, no not i. i'm not running any, so i just have to make sure i am up to date on all the specs	11:44
*** arif-ali has quit IRC		11:45
samueldmq	dstanek, k are you maintaining a checklist of specs somewhere ?	11:45
samueldmq	dstanek, I would be interested on your 'learn to the summit' approach : )	11:46
dstanek	samueldmq: i'm working something right now that will generate the checklist for me - i'll post as soon as i get it complete	11:46
samueldmq	dstanek, wow nice, why do it yourself if you can get a script to do it for you ? :p	11:48
samueldmq	hehe	11:48
*** ctina_ has joined #openstack-keystone		11:50
dstanek	samueldmq: exactly	11:51
dstanek	samueldmq: plus i don't want to have to do it again if the details change	11:51
samueldmq	dstanek, ++ let me know when you have it posted, thanks	11:52
marekd	dstanek: you query gerrit api for that?	11:55
*** markvoelker has joined #openstack-keystone		11:59
*** bknudson has joined #openstack-keystone		12:04
*** ChanServ sets mode: +v bknudson		12:04
dstanek	marekd: no, scraping the summit site	12:14
dstanek	marekd: well, mostly	12:15
*** kiran-r has joined #openstack-keystone		12:16
marekd	ouch, is it parsable even?	12:18
marekd	no JS et all ?	12:18
*** gyee has joined #openstack-keystone		12:22
*** ChanServ sets mode: +v gyee		12:22
*** e0ne is now known as e0ne_		12:22
*** mabrams has joined #openstack-keystone		12:25
gyee	ayoung, for https://review.openstack.org/#/c/174799/	12:27
gyee	so you want to rule to live in policy.json?	12:27
*** aix has joined #openstack-keystone		12:27
*** e0ne_ is now known as e0ne		12:29
*** afaranha has joined #openstack-keystone		12:29
*** afaranha has left #openstack-keystone		12:30
*** mabrams has quit IRC		12:30
*** lmtaylor has joined #openstack-keystone		12:31
*** jdennis has quit IRC		12:36
*** mabrams has joined #openstack-keystone		12:37
*** dims has quit IRC		12:52
*** openstackgerrit has quit IRC		12:53
*** dims has joined #openstack-keystone		12:53
*** openstackgerrit has joined #openstack-keystone		12:53
*** links has quit IRC		12:54
*** wpf has quit IRC		12:56
openstackgerrit	Boris Bobrov proposed openstack/keystone: Use short names for drivers in the warning https://review.openstack.org/180523	12:57
*** wpf has joined #openstack-keystone		12:57
*** gordc has joined #openstack-keystone		12:58
*** joesavak has joined #openstack-keystone		12:59
*** rushiagr is now known as rushiagr_away		13:02
*** rushiagr_away is now known as rushiagr		13:02
*** rushiagr is now known as rushiagr_away		13:06
*** Bjoern___ has joined #openstack-keystone		13:12
*** e0ne is now known as e0ne_		13:19
*** e0ne_ is now known as e0ne		13:21
*** richm has joined #openstack-keystone		13:21
*** fhubik has quit IRC		13:22
*** lmtaylor has quit IRC		13:24
*** gokrokve has joined #openstack-keystone		13:25
*** spandhe has quit IRC		13:27
*** raildo_away is now known as raildo		13:28
openstackgerrit	David Charles Kennedy proposed openstack/keystonemiddleware: Refactor: extract echo_app from enclosing class https://review.openstack.org/175489	13:29
*** gokrokve_ has quit IRC		13:29
*** sigmavirus24_awa is now known as sigmavirus24		13:35
*** openstackgerrit has quit IRC		13:38
*** openstackgerrit has joined #openstack-keystone		13:38
*** packet has joined #openstack-keystone		13:39
*** Ephur has joined #openstack-keystone		13:40
*** kiran-r has quit IRC		13:41
*** lifeless has quit IRC		13:42
*** Ephur has quit IRC		13:44
*** gyee has quit IRC		13:45
*** gyee has joined #openstack-keystone		13:46
*** ChanServ sets mode: +v gyee		13:46
*** ctina_ has quit IRC		13:56
*** ctina_ has joined #openstack-keystone		13:58
openstackgerrit	Raildo Mascena de Sousa Filho proposed openstack/keystone-specs: API changes for Reseller https://review.openstack.org/153007	14:00
*** gokrokve has quit IRC		14:03
*** jdennis has joined #openstack-keystone		14:03
*** lifeless has joined #openstack-keystone		14:10
ayoung	gyee, good question. There is one wrinkle I've come up with, which is what to do about "default"	14:10
*** lmtaylor1 has joined #openstack-keystone		14:11
ayoung	gyee, the way policy works it should not be up to the config to specify the location of the policy blob, just the name of the rule	14:11
ayoung	I think it should look like this:	14:11
ayoung	gyee, in order to activate the endpoint binding, edit the paste.ini to add the endpoint_binding middleware. THat will check against the set of policy files for a specific rule. If that rule is not there...it should skip...but that is optional, I think	14:14
gyee	ayoung, we did consider a separate middleware at the beginning	14:17
gyee	but were asked to merged into auth_token to spare the trouble for the deployers	14:17
ayoung	gyee, who asked? What was their rationale	14:17
gyee	maybe it was morganfainberg?	14:18
gyee	but I am totally fine with a new middleware as it will be doing policy enforcement in general	14:18
ayoung	gyee, policy middleware?	14:19
gyee	sure	14:19
ayoung	yeah, I think I like that	14:19
gyee	it can do generic policy enforcement	14:19
ayoung	gyee, ++	14:19
gyee	eventually anyway	14:19
ayoung	gyee, the tricky part about general policy is this	14:19
ayoung	nova and other services have APIs that operate on object ids. you need to get the object from the database and see what project it is in before enforcing the policy on it	14:19
gyee	yes :)	14:20
ayoung	if we had a standard API "get project for resource" we could standardize ....	14:20
ayoung	standardize all the standards	14:20
gyee	I was going to respond to henrynash's email, but I don't really have a good answer right now	14:20
gyee	we don't have a good mechanism to authorized on resource access	14:21
gyee	authorizing on action is easy	14:21
ayoung	I think policy middleware is the right approach, just haven't been able to figure out how to deal with the "fetch first" policy decisions	14:21
*** rushiagr_away is now known as rushiagr		14:21
ayoung	gyee, ++	14:21
gyee	correct	14:22
ayoung	gyee, and the answer is we make an API that the services can implement that puts the info into the right format	14:22
ayoung	gyee, but we don't need that for your use case	14:22
gyee	ayoung, I understand your approach about capabilities	14:22
ayoung	so..you get to break ground with the policy middleware, and then we work on the next iteration	14:22
gyee	but resource authorization need some thinking	14:22
ayoung	gyee, ++ and we can iterate...	14:22
gyee	also, our policy engine can aggregate the resource relationships	14:23
gyee	it basically does flat dict comparison	14:23
gyee	say we have obj1 -> obj2 -> obj3, if we are authorizing access to obj1 based on some attribute in obj3	14:24
gyee	we would need to fetch all three and flatten them out	14:24
gyee	that's very cumbersome	14:25
*** blewis has joined #openstack-keystone		14:25
gyee	that's normally done by some resource selector, which we don't support in oslo policy	14:26
*** e0ne is now known as e0ne_		14:27
ayoung	gyee, any examples you can point me at>	14:27
ayoung	of the selector approach?	14:27
gyee	ayoung, looking	14:28
*** jsheeren has joined #openstack-keystone		14:28
ayoung	gyee, you want something that does arbitrary levels above?	14:28
ayoung	like...say a project is nested 4 levels down from the domain	14:29
ayoung	and you want to check all of the parent projects as well as the domain for some attribute?	14:29
*** gokrokve has joined #openstack-keystone		14:32
gyee	ayoung, this bug illustrates the problem with the shortcoming: https://bugs.launchpad.net/keystone/+bug/1437407	14:33
openstack	Launchpad bug 1437407 in Keystone "With using V3 cloud admin policy, domain admin unable to list role assignment for projects in his domain" [Medium,Confirmed] - Assigned to Priti Desai (priti-desai)	14:33
gyee	domain admin can assign role, but can't list the assignments	14:34
gyee	s/problem with the shortcoming/problem/	14:34
gyee	it hard to express that kind of relationship in a rule	14:36
ayoung	gyee, that is different, I think	14:36
ayoung	that is not policy, but rather the assignment backend at fault there	14:36
*** stevemar has joined #openstack-keystone		14:37
*** ChanServ sets mode: +v stevemar		14:37
*** e0ne_ is now known as e0ne		14:37
ayoung	gyee, also, with federation, the best he'd get would be the groups.	14:37
ayoung	"domain_id:%(target.project.domain_id)s",	14:38
ayoung	gyee, so...yeah, that is the same thing I was saying.	14:38
gyee	but we don't store the relationship in the assignment table	14:38
gyee	domain.project	14:38
ayoung	gyee, I think, in oslo policy, we need a an abstract API to get the auth attributes for a resources	14:38
gyee	ayoung, exactly!	14:38
ayoung	which is, think, your selector	14:38
ayoung	gyee, can you spec that out?	14:39
gyee	ayoung, sure, I am still thinking it through	14:39
ayoung	gyee, awesome	14:39
ayoung	gyee, we want to return a dictionary, but not require any specific fields on it. But if the fields are there, they need to be flat...	14:40
gyee	ayoung, yes I agree, we need a generic way to fetch the objects and their relationships	14:41
gyee	ayoung, we sorta of do that today to some degree https://github.com/openstack/keystone/blob/master/keystone/common/controller.py#L121	14:43
gyee	but we need a figure out a generic interface for the new policy enforcement middleware	14:43
ayoung	gyee, on the outside, it is the middleware interface. On the inside, it is oslo.policy to start. Second will be the "fetch" we just atalked about	14:45
ayoung	I think we need to assume multiple passes	14:45
ayoung	one is "global policy" and one is "policy for this exact api"	14:45
gyee	yes, pre authorize and post filtering	14:45
ayoung	and, to be honest, we can't say tthat there will only be one api level policy enforce;	14:45
ayoung	there might be a code branch deep in nova, and only one of them knows what to enforce...we can do that today, although I don't think people do that today	14:46
gsilvis	ayoung: okay, finally getting to this. I can't get the rdo-federation in https://github.com/nkinder/rdo-vm-factory to work. It creates the first VM, ipa, then waits an hour, then exits. I checked in the VM, and it	14:47
gyee	but then we don't have holistic authorization checks	14:47
gsilvis	ayoung: 's finished cloudinit, and the post-install script	14:47
ayoung	gsilvis, so the IPA setup went OK, but the RDO setup is hanging?	14:47
*** browne has joined #openstack-keystone		14:48
ayoung	gyee, I think you and I are understanding this at the same level. Can you loop this back into your spec? I'll link it into the dynamic policy spec	14:48
gsilvis	ayoung: The IPA setup finishes, and then the script hangs before even starting the RDO setup. I did some bash debugging, and it's stuck "waiting for the IPA setup to complete"	14:48
gyee	ayoung, sure	14:49
gsilvis	ayoung: actually, hang on, let me try something dumb	14:49
*** blewis` has joined #openstack-keystone		14:50
*** blewis has quit IRC		14:51
*** joesavak has quit IRC		14:51
ayoung	gsilvis, so I've never run the script. I always use it as a guide but perform the steps by hand.	14:52
ayoung	nkinder made a few assumptions that work for him, but not for how I deploy	14:53
ayoung	like hostname etc	14:53
ayoung	actually, I ran it once, but my machine was so resource constrained it was hard to use with the VMs both running	14:54
gsilvis	ayoung: hmph. What granularity do you do it manually at? I'm assuming you don't look inside setupvm.sh, because that script is a monster	14:54
nkinder	gsilvis: it's supposed to write an "installcomplete" file that is polls for	14:54
nkinder	gsilvis: look at the vm-*.sh files	14:55
nkinder	gsilvis: those are the called at cloud-init user-data time	14:55
*** bknudson has quit IRC		14:55
ayoung	gsilvis, I am usually working with an exsiting IPA server. I've always set that up by hand.	14:55
ayoung	I tend to leave the ipa server in place and setup/teardown rod instances around it	14:56
gsilvis	nkinder: are the vm-*.sh files supposed to create that file, or is cloudinit? The filename 'installcomplete' doesn't even occur in the former, so it seems like it has to be the latter	14:57
ayoung	gsilvis, I thinkthat is a cloud-init thing	14:58
ayoung	gsilvis, so. Let's check if you have a working ipa server	14:59
*** mabrams has quit IRC		15:00
*** raildo has quit IRC		15:00
ayoung	this is virsh. You can get into the machine with the virt console...but I think those are cloud images. No default password...	15:01
ayoung	nkinder, how do you tend to log in to those machines? ssh using key?	15:01
gsilvis	ayoung: they have a user and password set	15:01
ayoung	ah ok so log in with that	15:02
*** gyee has quit IRC		15:03
ayoung	and lets see if the ipa server is running	15:03
*** gyee has joined #openstack-keystone		15:06
*** ChanServ sets mode: +v gyee		15:06
*** zzzeek has joined #openstack-keystone		15:06
gsilvis	ayoung: It seems to be running to me. I can kinit, and list users	15:07
ayoung	gsilvis, OK...you can run the second script by hand, I think.	15:08
ayoung	Did it create the VM for you yet?	15:08
gsilvis	ayoung: yeah, I started running the second script a few minutes ago. It looks like it's done with post-install now... let me check	15:08
ayoung	cool	15:09
*** pnavarro has quit IRC		15:09
*** aix has quit IRC		15:09
ayoung	morganfainberg, https://github.com/fedora-infra/supybot-fedora/commit/1ba62ced08487fe4dcc8b5040c8fc64ae3b8ce0f	15:09
*** Bjoern___ has quit IRC		15:10
gsilvis	ayoung: yup, it's done installing too. Okay, let me try and do the rest of the install on my own, and see if it works	15:10
morganfainberg	Id kickban a bit doing that. Btw	15:10
gsilvis	ayoung: I'm about to have some double-ssh-tunneling adventures, because I'm running this all on a machine I'm ssh'd into... fun	15:10
ayoung	morganfainberg, nah, it is a great way to break a bad habit	15:11
ayoung	gsilvis, that is the norm	15:11
morganfainberg	ayoung: nope. Admonishing with a bot is not.	15:11
morganfainberg	It ads noise to the channel imo	15:11
ayoung	morganfainberg, the naked ping culture at Red Hat is horrible. We need to break that bone and reset. Maybe that is not the norm elsewhere	15:12
morganfainberg	And is not the polite way of encouraging people to be better about it.	15:12
morganfainberg	I am also looking at it from OpenStack land. Not Redhat land :)	15:12
ayoung	morganfainberg, disagree a bout polite. It is automated, which means it is not personal at all	15:12
ayoung	hits everyone equally.	15:13
ayoung	and especially good for repeat offenders	15:13
morganfainberg	And that is why I'd kickban in my channels.	15:13
ayoung	see?	15:13
morganfainberg	I greatly dislike bots that are responding outside of a clear utility	15:13
gsilvis	ayoung: Clearly, you should make an autorespond for your IRC client that, when someone pings you, replies with "what's up"	15:13
ayoung	gsilvis, I usually respond to a nkaed ping like this	15:14
morganfainberg	If you specifically respond to a long to you that is naked - I don't mind. Even if it is a bit	15:14
ayoung	64 bytes from ayoung (127.0.0.1): icmp_seq=1 ttl=64 time=0.082 ms	15:14
morganfainberg	Bot*	15:14
morganfainberg	My view is it shouldn't be responding to everyone for a naked ping as a 3rd party	15:15
morganfainberg	But that is my view.	15:15
ayoung	morganfainberg, we also have a culture of posting bots that are fun, annoying, and just part of breaking up the day	15:16
ayoung	that is where ++ comes from	15:16
ayoung	we had a bot that if you do	15:16
ayoung	morganfainberg, ++	15:16
gsilvis	ayoung: has rharwood ever shown you his bot, lurker?	15:16
ayoung	it adds karma to you	15:16
ayoung	gsilvis, nope	15:16
rharwood	oh jeez	15:16
morganfainberg	That stuff drives me batty. I'd not like that culture	15:16
ayoung	morganfainberg, you are soaking in it	15:17
ayoung	:)	15:17
morganfainberg	The "fun" bots annoy the crap out of me	15:17
*** ayoung is now known as eliza		15:18
morganfainberg	Because they are rarely truly passive.	15:18
eliza	morganfainberg, whay do you think The "fun" bots annoy the crap out of you	15:18
*** eliza is now known as ayoung		15:18
gyee	morganfainberg, something I can't tell if I was talking to ayoung or a bot	15:19
gyee	s/something/sometimes/	15:19
ayoung	gyee, Tell me more...	15:20
gyee	ayoung, ++	15:20
gyee	oops :)	15:21
gsilvis	ayoung: I can recommend an excellent book on the subject	15:21
ayoung	gyee ok oops, please tell me more	15:21
gyee	see, see!	15:21
ayoung	gsilvis did you come to me to recommend an excellent book on the subject?	15:21
ayoung	gyee, We were discussing you, not me.	15:22
*** ayoung is now known as ayoung-eliza		15:22
gyee	lmao	15:22
ayoung-eliza	gyee, I'm not sure I understand you fully.	15:23
*** ayoung-eliza is now known as ayoung		15:23
ayoung	OK, not more Eliza responses for now.	15:23
ayoung	gsilvis, any luck?	15:23
gsilvis	ayoung: still working	15:23
ayoung	++	15:24
*** Ephur has joined #openstack-keystone		15:24
*** r-daneel has joined #openstack-keystone		15:24
ekarlso	heya guys, i'm using keystonemiddleware, pecan and paste is there any easy way u think to make a / public route without the need for auth ?	15:25
*** jsheeren has quit IRC		15:30
gyee	ekarlso, maybe setting delay_auth_decision to True? but that's assuming you have authorization logic after auth_token middleware to protect your APIs	15:31
ayoung	ekarlso, yes	15:35
ayoung	what gyee said is right	15:35
*** openstackgerrit has quit IRC		15:37
*** openstackgerrit has joined #openstack-keystone		15:37
ayoung	morganfainberg, now that we are defaulting the running keystone in HTTPD, we need a way to warn people if they try to use keystone-manage to kick it off.	15:39
ayoung	I'll open a bug	15:39
gsilvis	ayoung: I'm trying to add Keystone to Ipsilon, and it says it's already there---and there is in fact a SAML provider named Keystone already	15:39
ayoung	gsilvis, probably added by the script. Let's delete and readd	15:40
ayoung	to delete, use the admin user to log in to ipsilon	15:40
gsilvis	ayoung: okay	15:40
ayoung	gsilvis, there are a few things we found out about this recently...it won't effect you, but we wneed to update things for ecp and CLI ops.	15:40
ayoung	but...anyway...it should be on your ipa server under hostname/idp	15:41
ayoung	the...	15:41
* ayoung has to find it to walk hiumself through		15:41
ayoung	click on administation link	15:41
gsilvis	I figured that part out, eventually	15:41
ayoung	select identity providers	15:41
gsilvis	I feel like ipsilon should just bring you to the adminstration page by default	15:42
ayoung	next to saml2 click manage	15:42
ayoung	gsilvis, yes it should	15:42
ayoung	gsilvis, then next to keystone, click delete	15:42
*** rdo has quit IRC		15:42
ayoung	gsilvis, you can actually re add the provider right from here, too	15:42
ayoung	which is what I have been doing manually	15:43
*** browne has quit IRC		15:43
gsilvis	ayoung: I've done this all---the new provider is there. But now I'm getting connection refused to rdo.rdodom.test:5000 for some reason. investigating	15:43
ayoung	but you need to figure out how to find the metadata url...it is basically the protected resources in keystone plus the mellon...	15:43
ayoung	cool. I'll let you run. Let me know if you get stuck	15:44
*** lhcheng has joined #openstack-keystone		15:44
*** ChanServ sets mode: +v lhcheng		15:44
*** lhcheng has quit IRC		15:44
*** Ephur has quit IRC		15:44
*** bknudson has joined #openstack-keystone		15:46
*** ChanServ sets mode: +v bknudson		15:46
gsilvis	ayoung: hm. Apache errors parsing config... </VirtualHost> with no corresponding <VirtualHost>	15:47
*** joesavak has joined #openstack-keystone		15:48
gsilvis	ayoung: It looks like https://github.com/nkinder/rdo-vm-factory/blob/master/rdo-federation-setup/vm-post-cloud-init-rdo.sh assumes that /etc/httpd/conf.d/10-keystone_wsgi_*.conf have contents already (see lines 105-122, for instance), and that didn't happen here	15:49
nkinder	gsilvis: those contents are set up by packstack (and the underlying puppet modules)	15:49
nkinder	gsilvis: if you're not using packstack, then you will need to adjust the httpd config in a different way	15:50
ayoung	gsilvis, did packstack run?	15:52
gsilvis	ayoung: It looks like the post-install script crashed during packstack while installing dependencies	15:52
ayoung	gsilvis, yuck	15:52
ayoung	gsilvis, try running the yum commands again. Might be yum mirror type issues	15:52
nkinder	gsilvis: what errors did you receive? Could you pastebin them?	15:56
*** _cjones_ has joined #openstack-keystone		15:57
gsilvis	nkinder: http://pastebin.com/xPspBRte	15:59
nkinder	gsilvis: looks like the epel repo isn't working	16:00
gsilvis	nkinder: yup, it does	16:00
nkinder	gsilvis: you're on centos 7 or RHEL?	16:00
*** joesavak has quit IRC		16:00
gsilvis	nkinder: this is centos 7	16:01
*** _cjones_ has quit IRC		16:01
*** _cjones_ has joined #openstack-keystone		16:02
*** amakarov_away is now known as amakarov		16:02
openstackgerrit	OpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements https://review.openstack.org/179495	16:04
*** ankita_wagh has joined #openstack-keystone		16:04
gsilvis	nkinder: I reran packstack, and it looks like it's working so far	16:04
*** lhcheng has joined #openstack-keystone		16:08
*** ChanServ sets mode: +v lhcheng		16:08
*** bknudson has quit IRC		16:09
openstackgerrit	Min Song proposed openstack/keystone: Use single connection in get_all function https://review.openstack.org/180247	16:10
*** kiran-r has joined #openstack-keystone		16:11
*** gyee has quit IRC		16:13
*** bknudson has joined #openstack-keystone		16:14
*** ChanServ sets mode: +v bknudson		16:14
*** rdo has joined #openstack-keystone		16:16
*** annasort_ has joined #openstack-keystone		16:18
*** davidckennedy has quit IRC		16:19
*** annasort has quit IRC		16:20
*** annasort_ is now known as annasort		16:20
*** gokrokve has quit IRC		16:21
*** gokrokve has joined #openstack-keystone		16:21
*** ankita_wagh has quit IRC		16:23
*** jistr has quit IRC		16:29
openstackgerrit	Lin Hua Cheng proposed openstack/keystone: Revert "Loosen validation on matching trusted dashboard" https://review.openstack.org/180343	16:38
openstackgerrit	Lin Hua Cheng proposed openstack/keystone: Revert "Loosen validation on matching trusted dashboard" https://review.openstack.org/180343	16:39
openstackgerrit	Lin Hua Cheng proposed openstack/keystone: Revert "Loosen validation on matching trusted dashboard" https://review.openstack.org/180343	16:39
*** browne has joined #openstack-keystone		16:41
*** e0ne has quit IRC		16:43
*** joesavak has joined #openstack-keystone		16:47
*** wolsen_ is now known as wolsen		16:47
*** ankita_wagh has joined #openstack-keystone		16:47
*** spandhe has joined #openstack-keystone		16:51
*** gordc has quit IRC		16:57
gsilvis	nkinder: btw, there's a typo at https://github.com/nkinder/rdo-vm-factory . rdo-federation-setup section, first manual command. The path should have '/etc/httpd/...', not '/etc/http/...'	16:57
openstackgerrit	Ramy Asselin proposed openstack/keystone: Remove version string from the setup.cfg https://review.openstack.org/180626	16:59
*** henrynash has quit IRC		17:00
*** ayoung has quit IRC		17:04
*** jsavak has joined #openstack-keystone		17:06
*** gyee has joined #openstack-keystone		17:08
*** ChanServ sets mode: +v gyee		17:08
nkinder	gsilvis: thanks, I'll get that updated	17:08
*** joesavak has quit IRC		17:09
gsilvis	nkinder: no problem	17:09
*** kiran-r has quit IRC		17:14
*** gyee has quit IRC		17:22
*** jdennis has left #openstack-keystone		17:28
*** boris-42 has quit IRC		17:28
*** mattfarina has joined #openstack-keystone		17:36
*** jdennis has joined #openstack-keystone		17:36
openstackgerrit	Ankita Wagh proposed openstack/keystonemiddleware: Improved handling of endpoints missing urls https://review.openstack.org/179624	17:38
*** emagana has joined #openstack-keystone		17:39
*** vhoward has left #openstack-keystone		17:41
openstackgerrit	Merged openstack/keystone: Use correct LOG translation indicator for errors https://review.openstack.org/167141	17:46
*** gyee has joined #openstack-keystone		17:46
*** ChanServ sets mode: +v gyee		17:46
samueldmq	I can't understand why we don't support multiple SQL databases in the domain-specific configs feature	17:47
samueldmq	It should be possible to create different sessions to differetn databases	17:47
samueldmq	http://www.quora.com/How-can-I-connect-to-multiple-databases-in-SQLAlchemy	17:47
*** e0ne has joined #openstack-keystone		17:51
dstanek	samueldmq: it wouldn't be terribly hard if people are asking for it	17:53
dstanek	samueldmq: the other thing to think about is the migrations	17:54
samueldmq	dstanek, I don't think there is any migration to do	17:55
samueldmq	dstanek, we are more restrictive now, we just don't allow	17:55
samueldmq	dstanek, making it possible shouldn't change existing deployments	17:55
samueldmq	dstanek, just making available one more option to deployers	17:55
dstanek	no i mean that the migrations would have to run for each configured database	17:55
samueldmq	dstanek, yeah that's the funny part	17:56
samueldmq	dstanek, btw nice point	17:56
samueldmq	dstanek, we should have a spec for that, I will sync up with henrynash, I think he has plans to implement this in L	17:57
*** browne has quit IRC		17:58
dstanek	hopefully it doens't end up making the code harder to read and deal with	17:58
samueldmq	dstanek, yeah sure, just having to handle different sessions	17:59
*** rlt_ has quit IRC		17:59
samueldmq	dstanek, a driver (sql in this case) owns a connection (and session)	17:59
samueldmq	dstanek, and we choose the driver as we already do: when an identity operation is requested, we first select the identity driver for that domain and perform actions with it	18:00
*** browne has joined #openstack-keystone		18:00
dstanek	samueldmq: that's how i'd do it; i would not was that logic in the driver	18:01
samueldmq	dstanek, the logic of choosing the backend ? no it isnt	18:02
samueldmq	dstanek, it's on the manager layer :)	18:03
openstackgerrit	Ioram Schechtman Sette proposed openstack/keystone: Instructions to install IETF ABFAB federation protocol on Keystone https://review.openstack.org/163878	18:12
openstackgerrit	Merged openstack/keystone: Updated from global requirements https://review.openstack.org/179495	18:13
*** e0ne_ has joined #openstack-keystone		18:15
*** e0ne has quit IRC		18:15
*** e0ne has joined #openstack-keystone		18:17
*** e0ne_ has quit IRC		18:20
*** rushiagr is now known as rushiagr_away		18:23
*** gyee has quit IRC		18:37
*** mattfarina has quit IRC		18:42
*** spandhe has quit IRC		18:47
*** gokrokve has quit IRC		18:47
*** openstackgerrit has quit IRC		18:47
*** markvoelker has quit IRC		18:47
*** lsmola has quit IRC		18:47
*** trey has quit IRC		18:48
*** tsufiev has quit IRC		18:48
*** e0ne has quit IRC		18:48
*** browne has quit IRC		18:48
*** mkoderer has quit IRC		18:48
*** morganfainberg has quit IRC		18:48
*** pothole has quit IRC		18:48
*** dobson has quit IRC		18:48
*** cloudnull has quit IRC		18:48
*** hogepodge has quit IRC		18:48
*** raginbajin has quit IRC		18:48
*** jamiec has quit IRC		18:48
*** e0ne has joined #openstack-keystone		18:49
*** browne has joined #openstack-keystone		18:49
*** dobson has joined #openstack-keystone		18:49
*** cloudnull has joined #openstack-keystone		18:49
*** hogepodge has joined #openstack-keystone		18:49
*** pothole has joined #openstack-keystone		18:49
*** morganfainberg has joined #openstack-keystone		18:49
*** mkoderer has joined #openstack-keystone		18:49
*** raginbajin has joined #openstack-keystone		18:49
*** jamiec has joined #openstack-keystone		18:49
*** sendak.freenode.net sets mode: +v morganfainberg		18:49
*** spandhe has joined #openstack-keystone		18:49
*** gokrokve has joined #openstack-keystone		18:49
*** openstackgerrit has joined #openstack-keystone		18:49
*** markvoelker has joined #openstack-keystone		18:49
*** lsmola has joined #openstack-keystone		18:49
*** trey has joined #openstack-keystone		18:49
*** tsufiev has joined #openstack-keystone		18:49
*** mattfarina has joined #openstack-keystone		18:50
*** mattfarina has quit IRC		18:51
*** mattfarina has joined #openstack-keystone		19:00
*** gordc has joined #openstack-keystone		19:06
*** gyee has joined #openstack-keystone		19:07
*** ChanServ sets mode: +v gyee		19:07
samueldmq	gyee, hi	19:11
samueldmq	gyee, dynamic policy in a nutshell : https://etherpad.openstack.org/p/dynamic-policy-in-a-nutshell	19:12
samueldmq	gyee, let me know if you agree with what I am defining there : )	19:12
samueldmq	jamielennox, dstanek, everyone cc ^	19:13
samueldmq	I tried to simplify the subject in terms of goals and general steps	19:14
samueldmq	so we all can agree with the general idea/directions before struggling for details	19:14
*** boris-42 has joined #openstack-keystone		19:14
gyee	samueldmq, thanks, will take a look	19:15
gyee	samueldmq, for 1), I think we need to parse the policy.json files and store them into database, I think ayoung have a spec on that	19:18
*** amakarov is now known as amakarov_away		19:18
gyee	spec on the proposed schema I meant	19:18
*** e0ne has quit IRC		19:18
*** browne has quit IRC		19:18
*** mkoderer has quit IRC		19:18
*** morganfainberg has quit IRC		19:18
*** pothole has quit IRC		19:18
samueldmq	gyee, yes, "Script to upload existing policies to keystone"	19:18
*** e0ne has joined #openstack-keystone		19:19
*** browne has joined #openstack-keystone		19:19
*** pothole has joined #openstack-keystone		19:19
*** morganfainberg has joined #openstack-keystone		19:19
*** mkoderer has joined #openstack-keystone		19:19
*** sendak.freenode.net sets mode: +v morganfainberg		19:19
samueldmq	gyee, will add a step before, that is implement this database support	19:19
gyee	migration and new APIs to manage the new resources	19:19
samueldmq	gyee, "Enhance the API to allow more granular access"	19:20
*** morganfainberg has quit IRC		19:20
openstackgerrit	Doug Hellmann proposed openstack/python-keystoneclient: Drop use of 'oslo' namespace package https://review.openstack.org/180688	19:20
gyee	API to manage the "capabilities"	19:21
gyee	assuming we are calling them capabilities	19:21
*** morganfainberg has joined #openstack-keystone		19:21
*** ChanServ sets mode: +v morganfainberg		19:21
samueldmq	gyee, to manage individual entries of the policy right ?	19:21
gyee	yes, but we need to agree on the terminologies first	19:22
samueldmq	gyee, ++	19:22
gyee	per my understanding, we want something like this	19:22
samueldmq	gyee, like what is defined in that etherpad ?	19:23
gyee	role -> role(s)* -> capabilities* -> APIs*	19:23
samueldmq	hmm ..	19:23
samueldmq	gyee, yes I was thinkig about this, but the policy we have today is like the reverse of this	19:24
samueldmq	gyee, we deifne API -> roles that can access it	19:24
gyee	right, no distinction between role and capability today	19:25
samueldmq	gyee, could we change the way we define policies ?	19:25
samueldmq	gyee, http://paste.openstack.org/show/215508/	19:25
samueldmq	gyee, this paste show 1) how we have today 2) how we could have if we define things based on the roles	19:26
openstackgerrit	Henrique Truta proposed openstack/keystone: Honor domain operations in project table https://review.openstack.org/143763	19:26
openstackgerrit	Henrique Truta proposed openstack/keystone: Remove domain table references https://review.openstack.org/165936	19:27
gyee	I thought roles are only meaningful in Keystone	19:27
gyee	what ends up in token data will be just capabilities	19:27
gyee	similar to how we treat user groups	19:28
samueldmq	gyee, roles are set of capabilities (API), right ?	19:28
openstackgerrit	guang-yee proposed openstack/keystone-specs: Updated endpoint enforcement spec https://review.openstack.org/174799	19:29
openstackgerrit	Henrique Truta proposed openstack/keystone: Bye Bye Domain Table https://review.openstack.org/161854	19:29
samueldmq	gyee, today we don't map roles -> capabilities (API), we do capability (API) -> roles (as defined in the current polcieis)	19:29
gyee	today, roles are capabilities	19:29
openstackgerrit	Merged openstack/oslo.policy: Updated from global requirements https://review.openstack.org/178424	19:29
samueldmq	gyee, they can be, if we create one role per API	19:30
openstackgerrit	Doug Hellmann proposed openstack/python-keystoneclient-saml2: Drop use of 'oslo' namespace package https://review.openstack.org/180692	19:30
gyee	you mean one capability per API?	19:30
samueldmq	gyee, yes I think capability as somehting atomic	19:31
samueldmq	gyee, one API then, yes	19:31
gyee	yes	19:31
samueldmq	gyee, suppose we create a role (today's role) per API	19:31
samueldmq	gyee, so the token will end-up having all the capabilities for a user, right ?	19:31
gyee	no	19:31
gyee	that's too much	19:32
samueldmq	gyee, yes I know, in this case we must have a way to group capabilities	19:32
samueldmq	gyee, role-sets (domain-roles, hierarchical roles or whatever)	19:32
gyee	samueldmq, take keystone policy.json for example	19:33
*** ctina__ has joined #openstack-keystone		19:33
samueldmq	gyee, i) create the concept of capability on ks server (all API registered on keystone then)	19:34
samueldmq	gyee, ii) enhance current roles to contain capabilities or other roles	19:34
samueldmq	gyee, that should be all, and we don't need policy files anymore	19:34
samueldmq	gyee, ok go ahead	19:34
gyee	what do we call "rule:admin_required"?	19:35
samueldmq	gyee, it's a rule, a condition that must be satisfied	19:36
samueldmq	gyee, it may contain role checks + scope checks	19:36
gyee	right, but is it a capability?	19:36
*** ctina_ has quit IRC		19:36
gyee	is an interesting question isn't it?	19:37
samueldmq	gyee, no it isn't, just the ones prefixed, for example : 'idenitty:....'	19:37
*** ccrouch has joined #openstack-keystone		19:37
gyee	a capability set?	19:37
samueldmq	gyee, I know what you mean, based on that we can define a set of capabilities, depending on where we use that	19:37
samueldmq	gyee, ++	19:38
gyee	exactly? you see why we are having such a hard time agreeing on things now? :)	19:38
samueldmq	gyee, I think the way we bind role <-> capability is wrong :p	19:38
*** ctina__ has quit IRC		19:38
samueldmq	gyee, yeah I agree	19:39
samueldmq	gyee, did you see henry's email about dynamic policy ?	19:39
gyee	samueldmq, yes, I was going to respond, but I don't have any good answers right now	19:40
samueldmq	gyee, what do you think about one of the last sentences, where he states services could register themselves and self-service all using the API	19:41
david8hu	samueldmg, gyee, I like to get to a point where each domain can have it only policy.	19:41
samueldmq	david8hu, it will be so easy when we have the policy api on keystone using the database	19:41
samueldmq	david8hu, just add a column 'domain_id' :p	19:42
gyee	samueldmq, make sense, I don't how services can continue to maintain policy.json files	19:42
gyee	david8hu, yes, domain own role definitions are useful	19:42
samueldmq	gyee, we should still support, we start the keystone server loading what is in the existing policy files	19:42
david8hu	samueldmq, was thinking about a domain_id attrib in the db, too :)	19:42
samueldmq	gyee, but after that, forget policy.json files, everything is by api	19:43
gyee	damueldmq, I don't see how all this will work out if Keystone doesn't know know about the capabilities	19:43
david8hu	samueldmq, My thought exacly	19:43
ccrouch	has anyone got a suggestion for their preferred setup to demo SSO with Keystone/Horizon using SAML?	19:44
samueldmq	gyee, it will, we will introduce capability as a first-class citizen	19:45
ccrouch	I'm looking for the setup which is easiest to standup for a demo	19:45
david8hu	gyee, Are you suggesting that a way to call out capability? At this point, if a service think a capability, then it is a capability.	19:45
*** Raildo_ has joined #openstack-keystone		19:48
gyee	samueldmq, david8hu, I still need to go through ayoung's specs, I don't know what the schema for capabilities are	19:48
samueldmq	gyee, I don't think he is defining capabilities there, I think there are some details missing	19:49
samueldmq	gyee, I will think on a complete proposal that distinguish capabilities vs roles (contains capabilties)	19:50
samueldmq	gyee, talk to you alter	19:50
samueldmq	later*	19:50
*** Raildo_ has quit IRC		19:52
gyee	samueldmq, sure, we need to put some deep thinking into this	19:52
gyee	let do something! :D	19:52
*** Raildo has joined #openstack-keystone		19:52
*** jsavak has quit IRC		19:54
ccrouch	nkinder: would you happen to have a suggestion? ^	19:54
*** Rockyg has joined #openstack-keystone		19:55
breton	dolphm: re bug 1452418: maybe we should send a signal to keystone to re-read the keys?	20:00
openstack	bug 1452418 in Keystone "Fernet tokens read from disk on every request" [Medium,Triaged] https://launchpad.net/bugs/1452418	20:00
dolphm	breton: that'd be smart	20:01
breton	dolphm: like "reload" in "service apache2 reload"	20:01
dolphm	breton: i'm running tox on a simple fix right now (one that's backportable, at least) to only read them once per token provider instance	20:02
*** browne has quit IRC		20:03
breton	there is also this bug: https://bugs.launchpad.net/bugs/1452345	20:05
openstack	Launchpad bug 1452345 in Keystone "keystone-manage should not attempt to run if keystone is in httpd" [Undecided,New]	20:05
breton	does running from apache prevent doing keys-rotate?	20:06
*** browne has joined #openstack-keystone		20:10
*** annasort has quit IRC		20:12
dolphm	breton: that ... can't be true	20:12
*** gyee has quit IRC		20:13
bknudson	keystone-manage shouldn't attempt to run keystone ever.	20:14
breton	well, then it's just a poor bug description.	20:15
*** ankita_w_ has joined #openstack-keystone		20:16
*** mattfarina has quit IRC		20:17
*** ankita_wagh has quit IRC		20:19
*** pnavarro has joined #openstack-keystone		20:23
dolphm	bknudson: right	20:24
*** e0ne has quit IRC		20:26
*** mattfarina has joined #openstack-keystone		20:26
*** mattfarina has quit IRC		20:26
*** browne has quit IRC		20:27
*** browne has joined #openstack-keystone		20:28
*** joesavak has joined #openstack-keystone		20:29
*** emagana has quit IRC		20:29
*** e0ne has joined #openstack-keystone		20:34
*** browne has quit IRC		20:35
*** Raildo_ has joined #openstack-keystone		20:40
*** browne has joined #openstack-keystone		20:41
*** pnavarro has quit IRC		20:42
*** browne has quit IRC		20:42
*** browne has joined #openstack-keystone		20:42
*** Raildo has quit IRC		20:43
*** browne1 has joined #openstack-keystone		20:45
*** browne has quit IRC		20:45
*** e0ne has quit IRC		20:45
*** annasort has joined #openstack-keystone		20:47
*** joesavak has quit IRC		20:50
*** ayoung has joined #openstack-keystone		20:50
*** ChanServ sets mode: +v ayoung		20:50
*** Raildo_ has quit IRC		20:52
*** browne has joined #openstack-keystone		20:54
*** samueldmq has quit IRC		20:55
openstackgerrit	Rodrigo Duarte proposed openstack/keystone: Refactor _create_attribute_statement IdP method https://review.openstack.org/172647	20:55
*** browne1 has quit IRC		20:57
*** joesavak has joined #openstack-keystone		20:57
*** arif-ali has joined #openstack-keystone		21:00
*** annasort has quit IRC		21:01
marekd	rodrigods: ^^ voted	21:01
rodrigods	marekd, thx	21:01
marekd	btw, can i ask for a review here: https://review.openstack.org/#/c/175980/ ?	21:01
*** emagana has joined #openstack-keystone		21:01
rodrigods	marekd, sure, looking	21:01
marekd	stevemar: dstanek ^^ would appreciate your eyes too.	21:02
stevemar	NEVER!	21:02
rodrigods	lol	21:02
rodrigods	morganfainberg, there? wanted to ask you about the feature branch for Reseller	21:03
*** gokrokve has quit IRC		21:03
*** gokrokve has joined #openstack-keystone		21:04
*** gokrokve has quit IRC		21:05
*** gokrokve has joined #openstack-keystone		21:05
*** joesavak has quit IRC		21:05
dstanek	marekd: so you're just checking now that the number of things applied to the mapping matches the mapping, right?	21:05
*** emagana has quit IRC		21:06
rodrigods	marekd, did you update the API spec informing about this behavior?	21:06
dstanek	what would have been cool is to add the ability to use named sections: 'any_one_of': {'type':..., 'name':...} and use {name} in the local part of the rule	21:06
dstanek	rodrigods: it's not a change in behavior - this would have always failed	21:07
rodrigods	dstanek, yeah, but it is not a documented behavior AFAIK	21:07
marekd	dstanek: yep.	21:07
marekd	maybe we can update docs.	21:08
*** gokrokve has quit IRC		21:08
rodrigods	I mean, it is not mandatory to update first (like API changes)	21:08
*** gokrokve_ has joined #openstack-keystone		21:08
rodrigods	but would be nice to have it documented there	21:08
marekd	dstanek: i think we wil have more "would be cool ideas" that should be noted down and next cycle we could specify 1-st class DSL for mappings, without so many disambiguities.	21:09
rodrigods	btw, the example is wrong: https://github.com/openstack/keystone-specs/blob/master/api/v3/identity-api-v3-os-federation-ext.rst#create-a-mapping	21:09
rodrigods	it uses direct mappings	21:10
marekd	dstanek: i'd like to see it with some yaml-specs etc.	21:10
dstanek	marekd: yaml? you just killed my good mood	21:10
marekd	dstanek: oups. rollback!	21:11
dstanek	whew... feeling happy again!	21:11
marekd	rodrigods: what's wrong with the example ? it takes 0th (1st) value from the remote list which will always be UserName	21:11
rodrigods	marekd, true, we have two rules there :)	21:13
marekd	rodrigods: yes sir!	21:13
marekd	dstanek: i was thinking that maybe we should pass values tested with any_one_of etc but concluded we would simply make another blacklist/whitelist	21:15
dtroyer	morganfainberg: are you still working on the devstack v3-only stuff?	21:19
morganfainberg	dtroyer: I have some work needed I. Devstack but busy with some summit things.	21:19
morganfainberg	dtroyer: so next week if someone else hasn't worked on it n	21:20
dtroyer	Have you seen this? https://review.openstack.org/179663	21:21
dtroyer	It feels like its is going in a different direction to the same place than you were	21:22
dtroyer	NP on the timing, was just curious if that review should be re-directed somehow	21:24
*** david-lyle has quit IRC		21:29
ayoung	marekd, looking	21:29
ayoung	marekd, change maping to mapping and I will +2	21:30
openstackgerrit	Dolph Mathews proposed openstack/keystone: Cache the MultiFernet instance https://review.openstack.org/180758	21:31
*** lmtaylor1 has left #openstack-keystone		21:37
*** packet has quit IRC		21:47
*** packet has joined #openstack-keystone		21:49
lhcheng	morganfainberg: sorry just got back to look at the keystone driver interface	21:56
lhcheng	morganfainberg: what is StrictABC?	21:56
*** stevemar has quit IRC		21:57
openstackgerrit	Roxana Gherle proposed openstack/keystonemiddleware: Log the correct user-agent in keystone access log keystone access log should log explicitly which client made the request. For example when nova makes a request to validate a token we should log 'python-novaclient;python-keystoneclient' for the user-agent https://review.openstack.org/180769	22:01
*** gordc has quit IRC		22:07
nkinder	ccrouch: I've been setting up demos using my scripts here - https://github.com/nkinder/rdo-vm-factory/tree/master/rdo-federation-setup	22:13
nkinder	ccrouch: It's RDO based (using delorean repos for Kilo packages)	22:13
nkinder	ccrouch: if you want it to set up the websso stuff, you need to set USE_WEBSSO and USE_DELOREAN in rdo.conf	22:15
nkinder	ccrouch: there was a patch that was needed in Horizon or DOA though that has to handle the way RDO sets up WEBROOT. Maybe ayoung knows if that's merged already.	22:16
ayoung	it has, but not sure if there is a release of twe Django Openstack auth with it in ther	22:16
ayoung	e	22:16
ayoung	nkinder, did you see the discussion richm started about the need for all the config values? I'm kindof tripping on that myself. The thing I am finding is that, the more complex workflows (like rdo factor) need more config values	22:17
ayoung	so..fo puppet, we need the keystonerc values	22:18
ayoung	for rdo-factory, we also need to know: which flavor, key, etc, for creating the vm	22:18
ayoung	not sure if there is some place where this changes over from "environment variables" to config management	22:19
*** packet has quit IRC		22:19
morganfainberg	lhcheng: like ABCMeta, but enforces method signatures too	22:19
lhcheng	morganfainberg: that's awesome!	22:20
ccrouch	nkinder: thanks!	22:20
*** jaosorior has quit IRC		22:22
*** gokrokve_ has quit IRC		22:23
openstackgerrit	Ankita Wagh proposed openstack/keystonemiddleware: Improved handling of endpoints missing urls https://review.openstack.org/179624	22:25
ayoung	ccrouch, ask david-lyle to release a new version and we can package it	22:25
ayoung	It might be there already...let me check	22:25
lhcheng	morganfainberg: okay, so I looked at the specs. There are still some part that I am unclear, like this part "The KSDI definitions will be versioned and Keystone will ensure that it can load any version of the KSDI.".	22:26
ayoung	http://git.openstack.org/cgit/openstack/django_openstack_auth/commit/?id=62ea62b6fc38d5352d3d09e6207c4d26285d8c23 merged 9 days ago	22:26
lhcheng	morganfainberg: if keystone can load any version of KSDI, doesn't that mean all the KSDI version have to share the same interface?	22:27
ayoung	ccrouch, and 1.3.0 was tagged two commits before it	22:27
ayoung	morganfainberg, before we commit to KSDI, I want to hammer down access info	22:28
ayoung	the objects that go between the Drivers and the front end are dioctionaries right now. they should be python objects	22:29
ayoung	othewise KSDI is a finger drill	22:29
lhcheng	morganfainberg: just trying to think of an example of this. would it be something like: V1 has "def get(user_id)" and V2 has "def get_user(user_id, domain_id=None)". And keystone should be able to support both.	22:30
lhcheng	ayoung: do we have a topic on access info for the summit?	22:30
ayoung	lhcheng, good question. I thought it was a done deal, but now people are griping about it	22:30
ayoung	maybe we need one	22:31
lhcheng	ayoung: I don't see it here: https://etherpad.openstack.org/p/Keystone-liberty-summit-brainstorm	22:31
ayoung	lhcheng, I need someone that knows SQL Alchemy better than I do say how to integrate something like access info into the SQL drivers	22:32
ayoung	lhcheng, that is cuz the damn thing should have been approved months ago	22:32
ayoung	instead the spec is still up there and getting more bikeshedding	22:33
ayoung	almost afraid to draw attention to it, but	22:33
ayoung	https://review.openstack.org/#/c/135774/	22:34
lhcheng	ayoung: I'll add an entry in the etherpad, so we could prioritize it. And add a note about nailing this down before commiting to KSDI	22:36
ayoung	lhcheng, I see you editing it	22:36
ayoung	thanks	22:36
ayoung	is KSDUI up there>?	22:36
lhcheng	#11	22:36
ayoung	yep	22:37
ayoung	lhcheng, rock on	22:38
lhcheng	added the item before KSDI, so the dependency would be more obvious	22:41
jamielennox	bknudson: are you still going on those reviews? i can fix https://review.openstack.org/#/c/174196/ but it means rebasing the like 10 follow up patches	22:42
bknudson	jamielennox: I'm not looking at the other patches in that chain	22:43
jamielennox	ok	22:44
bknudson	not sure what you're fixing in https://review.openstack.org/#/c/174196/ .	22:44
*** emagana has joined #openstack-keystone		22:45
jamielennox	trying to consolidate the expiry check, generally just simplifying cache	22:46
jamielennox	i was trying to make the flow through the validate call as standard as possible so that fetch from cache, fetch from keystone, decode from PKI all looked the same	22:47
morganfainberg	ayoung: sorry at a day long meeting. Will be back tomorrow	22:47
jamielennox	back in about 20 min	22:47
ayoung	jamielennox, I need to take the family out to eat now...but when I get back, I need to get you on board with AccessInfo.	22:48
openstackgerrit	Roxana Gherle proposed openstack/keystonemiddleware: Send the correct user-agent to Keystone https://review.openstack.org/180769	22:49
*** bknudson has quit IRC		22:58
*** packet has joined #openstack-keystone		23:01
*** browne1 has joined #openstack-keystone		23:02
*** samueldmq has joined #openstack-keystone		23:03
*** browne has quit IRC		23:05
openstackgerrit	Roxana Gherle proposed openstack/keystonemiddleware: Send the correct user-agent to Keystone https://review.openstack.org/180769	23:10
*** packet has quit IRC		23:24
openstackgerrit	Jamie Lennox proposed openstack/keystonemiddleware: Remove custom header handling https://review.openstack.org/180385	23:24
openstackgerrit	Jamie Lennox proposed openstack/keystonemiddleware: Fetch user token from request rather than env https://review.openstack.org/174202	23:24
openstackgerrit	Jamie Lennox proposed openstack/keystonemiddleware: Remove the _msg_format function https://review.openstack.org/174201	23:24
openstackgerrit	Jamie Lennox proposed openstack/keystonemiddleware: Base use webob https://review.openstack.org/174200	23:24
openstackgerrit	Jamie Lennox proposed openstack/keystonemiddleware: Don't rely on token_info for header building https://review.openstack.org/174199	23:24
openstackgerrit	Jamie Lennox proposed openstack/keystonemiddleware: Move project included validation https://review.openstack.org/174198	23:24
openstackgerrit	Jamie Lennox proposed openstack/keystonemiddleware: Depend on keystoneclient for expiration checking https://review.openstack.org/174197	23:24
openstackgerrit	Jamie Lennox proposed openstack/keystonemiddleware: Don't store expire into memcache https://review.openstack.org/174196	23:24
openstackgerrit	Jamie Lennox proposed openstack/keystonemiddleware: Cleanup token hashes generated by cache https://review.openstack.org/174194	23:24
openstackgerrit	Jamie Lennox proposed openstack/keystonemiddleware: Refactor request methods onto request object https://review.openstack.org/180394	23:24
*** Rockyg has quit IRC		23:32
*** dims_ has joined #openstack-keystone		23:36
*** dims has quit IRC		23:38
*** david-lyle has joined #openstack-keystone		23:47
ccrouch	(05:27:36 PM) ayoung: ccrouch, and 1.3.0 was tagged two commits before it	23:51
ccrouch	thanks for checking!	23:51
*** ayoung has quit IRC		23:55

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!