Thursday, 2015-05-14

*** gyee has quit IRC00:14
bknudsonwhat happened to keystoneclient functional tests?00:14
jamielennoxis that what's currently breaking the gate?00:17
jamielennoxi saw a few things failed to merge but i hadn't looked why00:18
bknudsonI get the same results when running locally.00:19
jamielennoxthat's weird, the only thing functional tests are really doing at the moment is cli (and one other) none of which should change00:20
bknudsonsomething must have changed... like it's not passing env vars anymore?00:21
*** samleon has quit IRC00:22
bknudsontests pass locally when I set env vars00:22
bknudsonand the test log shows it setting env vars... wonder what's different00:23
bknudsonjamielennox: clarkb: bknudson: new tox filters out env vars, you can either whitelist them or explicitly setenv in your tox.ini00:27
jamielennoxbknudson: yep saw it in -infra00:27
jamielennoxi had not heard of a new tox00:27
bknudsonwouldn't have known if they didn't break us.00:29
bknudsonlooks like we can do
jamielennoxwas thinking it was annoying to pass everything, but OS_* works00:30
jamielennoxbecause we want to convert these to v3 soon00:30
bknudsonThat worked locally so I'll post a patch00:32
openstackgerritBrant Knudson proposed openstack/python-keystoneclient: Pass OS_* env vars fix for tox 2.0
*** edmondsw has quit IRC00:41
openstackgerritMerged openstack/python-keystoneclient: Don't autodoc the test suite
*** ericksonfgds has joined #openstack-keystone00:46
*** Ephur has quit IRC00:51
*** lhcheng has quit IRC01:01
*** alexsyip has quit IRC01:04
*** mattfarina has joined #openstack-keystone01:13
*** browne has quit IRC01:15
*** mattfarina has quit IRC01:16
*** sigmavirus24 is now known as sigmavirus24_awa01:18
*** jsavak has joined #openstack-keystone01:20
*** jsavak has quit IRC01:24
openstackgerritBrant Knudson proposed openstack/python-keystoneclient: tox env for Bandit
openstackgerritBrant Knudson proposed openstack/keystonemiddleware: tox env for Bandit
*** ankita_wagh has joined #openstack-keystone01:37
*** dims has quit IRC01:42
*** davechen has joined #openstack-keystone01:47
*** Rockyg has quit IRC01:47
*** davechen1 has joined #openstack-keystone01:50
openstackgerritdarren-wang proposed openstack/keystone-specs: Adding 'domain_id' filter to list_user_projects().
*** davechen has quit IRC01:53
*** ericksonfgds has quit IRC01:57
openstackgerritdarren-wang proposed openstack/keystone-specs: Adding 'domain_id' filter to list_user_projects().
openstackgerritdarren-wang proposed openstack/keystone-specs: Adding 'domain_id' filter to list_user_projects().
*** davechen has joined #openstack-keystone02:03
*** davechen1 has quit IRC02:04
*** richm has quit IRC02:05
*** browne has joined #openstack-keystone02:08
*** packet has quit IRC02:12
*** packet has joined #openstack-keystone02:19
*** lhcheng has joined #openstack-keystone02:36
*** ChanServ sets mode: +v lhcheng02:36
*** lhcheng_ has joined #openstack-keystone02:38
ayoungjamielennox, how can we get "explicit unscoped" into the request from DOA?02:40
*** lhcheng has quit IRC02:42
ayoungjamielennox, so...what if we forced a change to DOA to always pass that?02:43
ayoungwould it break on older keystones?  And do we care?02:43
jamielennoxi don't know what horizon's requirements are for which keystones they support02:44
jamielennoxbut i expect if you pass that to an old keystone it will break02:44
jamielennoxthere's no discovery on the AUTH_INTERFACE - we would need
jamielennoxi think02:46
ayoungjamielennox, actually, it should run just fine02:47
ayoungif unscoped is in the request, the old code would ignore it02:47
ayoungneed a Juno Keystone to test that out against...I know where to find one, too02:47
jamielennoxif passing unscoped to old keystones is ignored then it'll be fine02:48
ayoungjamielennox, we keep changing the updated field in the versions, right?  so  "updated": "2013-03-06T00:00:00Z"  means the one that went out 2 years ago?02:51
*** ankita_wagh has quit IRC02:51
jamielennoxayoung: haha - no02:52
ayoungI know I've hacked on that in the past, though02:53
jamielennoxso at least the went out with juno02:53
ayoung{"error": {"message": "Expecting to find project, domain, or OS-TRUST:trust in scope - the server could not comply with the request since it is either malformed or otherwise incorrect. The client is assumed to be in error.", "code": 400, "title": "Bad Request"}}02:54
jamielennoxi can't remember what but there was a reason we hadn't bumped it before02:54
*** Kennan has joined #openstack-keystone02:54
ayoungso it would need to be a config option...or discoverable02:54
jamielennoxwas explicit unscoped in kilo?02:55
jamielennoxok so we can discover - but again we need
jamielennoxso you would make your unscoped plugin like we do in doa02:56
ayoungjamielennox, ++02:56
jamielennoxdo if plugin.get_endpoint(service_type='identity', version=(3, 4), interface=AUTH_INTERFACE)02:56
jamielennoxand if true add unscoped to the request02:56
jamielennoxbugger - which you can't because you've already made the object02:57
ayoungfind . -name \*py | xargs grep jamielennox | wc -l02:57
*** topol has joined #openstack-keystone02:57
*** ChanServ sets mode: +v topol02:57
ayoungthen number of comments you have in KC02:57
jamielennoxmakes sense02:57
ayoungonly 42...I expected more02:57
ayoungI have 16 in Keystone02:58
ayoungtermie still has 2602:58
jamielennoxnot everything has a name02:58
jamielennoxbecause some of those are horrible and we still deal with it02:58
ayoungjamielennox, already made what object?02:59
jamielennoxso unscoped is a public attribute on the plugin, so you could create it once, do the get_endpoint thing, it shouldn't prompt auth because of the AUTH_INTERFACE, set plugin.unscoped=True then continue02:59
jamielennoxayoung: you need the plugin to fetch the auth to set the auth param03:00
ayoungchicken meet egg03:00
jamielennoxso it's public so it should be fine03:00
ayoungI wish there were a way to specify the auth  parameters from local_settings in horizon03:01
jamielennoxi don't know about local_settings, it's fine from config file03:02
ayoungthat is the horizon config file meant to be edited in deployment03:02
ayoungit's a python file...03:02
jamielennoxwhat auth are you putting in there?03:02
ayoungjamielennox, ?03:03
ayoungyou know the local_settings file, right?  You don't specify the auth anything in there03:03
ayoungexcept version of the API...or am I misremembering?03:03
jamielennoxso what auth_params are you trying to put in there?03:03
jamielennoxs/_/ /03:04
ayoungjamielennox, well, it has come up before...during the kerb work, we worked to not put any config params in due to the horizon/DOA divide03:04
*** alex_xu has quit IRC03:05
jamielennoxyep, that's just specifying a plugin right?03:05
ayoungyeah, I think plugin is the major one...but I think maybe I want to take a different tack now03:06
ayoungwhat if...we switch to always doing Federation03:06
ayounglet's wave a majik wand and say we could do basic auth to the sql backend03:06
ayoungand used the map-to-existing-user functionality03:07
jamielennoxso you can choose which plugin to use from outside of DOA, that's how we made S4U2 work03:07
ayoungah.  right...I'd forgotten you got that in03:07
ayoungok, so it could be a separate auth plugin, too03:08
ayoungor...better yet, we could make the one that does not do the explicit unscoped an alternate, and build explicit unscoped into the main one...03:08
ayoungmain password auth plugin03:08
jamielennoxi think we're better off getting it in the main one, either via config option or discovery03:09
jamielennoxit's not a nice experience to change those plugins for something we want to make default03:09
jamielennoxbut you need to be careful somehow that you only set unscoped = True on the main plugin, it might now work with all plugins03:11
ayoungjamielennox, it could do the unscoped by default, and fall back to dropping the param if it gets the 400?03:11
ayoungthen using the alternate plugin is a perf tune03:11
*** markvoelker has joined #openstack-keystone03:18
*** dims has joined #openstack-keystone03:31
*** packet has quit IRC03:31
openstackgerritliusheng proposed openstack/keystone-specs: Correct the klwt link
*** dims has quit IRC03:36
jamielennoxayoung: here still?03:39
jamielennoxor anyone else core?03:39
jamielennoxhave a look at it's needed to fix gate jobs03:39
*** packet has joined #openstack-keystone03:41
*** spandhe has joined #openstack-keystone03:41
ayoungjamielennox, still here03:50
ayoungjamielennox, +2a03:51
jamielennoxayoung: thanks03:51
*** amerine has joined #openstack-keystone04:08
*** packet has quit IRC04:18
*** lhcheng_ has quit IRC04:19
*** ankita_wagh has joined #openstack-keystone04:29
openstackgerritMerged openstack/python-keystoneclient: Pass OS_* env vars fix for tox 2.0
*** markvoelker has quit IRC04:47
*** markvoelker has joined #openstack-keystone04:49
*** alex_xu has joined #openstack-keystone05:03
*** turul_ has quit IRC05:07
*** spandhe has quit IRC05:08
*** amerine has quit IRC05:10
*** dhague has joined #openstack-keystone05:11
morganfainbergbknudson: did we deal with the pycadf issue?05:19
morganfainbergIf not I'll see what I can do tomorrow.05:19
*** toabctl has quit IRC05:21
*** topol has quit IRC05:24
*** ankita_wagh has quit IRC05:29
morganfainbergayoung: ... Well then. I guess this makes it official.
*** kiran-r has joined #openstack-keystone05:32
openstackgerritMerged openstack/keystone: Move bandit requirement to test-requirements-bandit.txt
openstackgerritRoxana Gherle proposed openstack/keystonemiddleware: Send the correct user-agent to Keystone
*** spandhe has joined #openstack-keystone05:49
openstackgerritJamie Lennox proposed openstack/keystone: Make Pecan the root routing framework
morganfainbergHmm. jamielennox did we get a quick doc fix for ksa / setup.cfg?05:50
jamielennoxi put in a readme with a statement05:51
morganfainbergjamielennox: no worries if not. Just checking. (Been a swamped day)05:51
jamielennoxand the exception reordering05:51
morganfainbergWill poke those and pypi-pre release tomorrow.05:51
morganfainbergWant to make sure it's on pypi before you're on a plane.05:51
*** ankita_wagh has joined #openstack-keystone05:54
jamielennoxi don't expect to have network, i'm just going to make sure i check out an environment before i go05:55
jamielennoxthough i might... should check that...05:56
morganfainbergjamielennox: nah, if we have it tagged we can start tracking the work to 1.x that is all05:58
morganfainbergVs "change stuff"05:59
jamielennoxmorganfainberg: presentation monday at 9am....05:59
jamielennoxgoing to have to be up early and everything05:59
morganfainbergSince you're going to be doing work w/ksc and ksa I want to be able to quantify what is needed between pre-release and release.05:59
morganfainbergjamielennox: hehe05:59
morganfainbergjamielennox: when do you get to BC?06:00
*** dims has joined #openstack-keystone06:00
jamielennoxthe way timezones work out it's friday06:00
morganfainbergOh nice and early06:00
jamielennoxwell and it was planned for jetlag + tourism purposes06:01
morganfainbergI won't be there till sat. Evening.06:01
jamielennoxsend me a message when you get in, i'm going to try and find a sim card for the week06:01
jamielennoxbasically just to have google maps when i'm wandering around doing my own thing06:02
jamielennoxi don't know when anyone else is getting there06:03
*** dims has quit IRC06:06
morganfainbergCrap. I should go get a tmo sim for the week. Vzw is stupid pricy in Canadia06:07
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Imported Translations from Transifex
morganfainbergjamielennox: will do.06:12
morganfainbergFree international data.06:13
jamielennoxoh, right06:13
jamielennoxyea, nothing like that from here06:13
morganfainbergAnd I have a spare android phone I can use while at the summit.06:13
jamielennoxstupid expensive to even consider using local sim there06:13
*** afazekas has joined #openstack-keystone06:25
*** afazekas_ has joined #openstack-keystone06:25
*** kiran-r has quit IRC06:35
Kennanhi there ?06:37
KennanI have question about keystone06:37
KennanI found it always had06:37
KennanWARNING [keystonemiddleware.auth_token] Configuring auth_uri to point to the public identity endpoint is required; clients may not be able to authenticate against an admin endpoint06:37
KennanARNING [keystonemiddleware.auth_token] Configuring admin URI using auth fragments. This is deprecated, use 'identity_uri' instead.06:37
Kennancould it cause failure in keystone authenticate ?06:37
Kennanor it just a warn06:37
Kennannot cause any issue ?06:38
openstackgerritMerged openstack/keystonemiddleware: Improved handling of endpoints missing urls
openstackgerritMerged openstack/python-keystoneclient: Remove unused fixtures
openstackgerritMerged openstack/python-keystoneclient: Sync from oslo incubator
openstackgerritMerged openstack/python-keystoneclient: Drop use of 'oslo' namespace package
jamielennoxKennan: they're both warnings - it will work as is but they're suggestions on how to configure06:53
*** amerine has joined #openstack-keystone06:54
jamielennoxauth_uri should be the root public url of keystone06:54
jamielennoxthe second one means use identity_uri= instead of admin_host, admin_port and all those options06:55
openstackgerritxu-haiwei proposed openstack/keystonemiddleware: Change auth_url to identity_uri
*** ankita_wagh has quit IRC07:07
*** ankita_wagh has joined #openstack-keystone07:08
*** spandhe has quit IRC07:08
*** ankita_wagh has quit IRC07:12
*** amerine has quit IRC07:13
*** e0ne has joined #openstack-keystone07:16
Kennanthanks jamielennox07:24
*** afazekas_ has quit IRC07:25
*** afazekas has quit IRC07:25
*** afazekas has joined #openstack-keystone07:27
*** jistr has joined #openstack-keystone07:34
openstackgerritMerged openstack/keystoneauth: Add a readme
openstackgerritMerged openstack/keystoneauth: Reorder catalog exceptions
bretonjust use osmand for maps07:54
bretonthey are offline. And FOSS.07:54
bretonmorning, folks07:55
openstackgerritBoris Bobrov proposed openstack/keystone: after dstanek's patch
openstackgerritBoris Bobrov proposed openstack/keystone: Test before dstanek's patch
bretonKennan: jamielennox: we have a bug about it already07:59
*** mabrams has joined #openstack-keystone07:59
openstackLaunchpad bug 1429179 in keystonemiddleware "Spam log with warn by default" [Wishlist,Confirmed]07:59
*** links has joined #openstack-keystone08:02
*** kiran-r has joined #openstack-keystone08:10
*** kiranr has joined #openstack-keystone08:10
*** kiranr has quit IRC08:10
*** kiran-r is now known as kiranr08:11
*** e0ne has quit IRC08:40
bretondstanek: rally's authenticate test is slower with patch ( than without patch (
*** ericksonfgds has joined #openstack-keystone09:10
*** afazekas has quit IRC09:32
*** dims has joined #openstack-keystone09:36
*** dims has quit IRC09:40
*** e0ne has joined #openstack-keystone09:44
*** e0ne is now known as e0ne_09:44
*** ericksonfgds has quit IRC09:45
*** lufix_ has joined #openstack-keystone09:51
*** e0ne_ is now known as e0ne09:52
*** davechen has left #openstack-keystone09:53
*** afazekas has joined #openstack-keystone09:58
*** dims has joined #openstack-keystone10:07
*** dguerri is now known as _dguerri10:11
*** topol has joined #openstack-keystone10:12
*** ChanServ sets mode: +v topol10:12
*** _dguerri is now known as dguerri10:15
*** aix has joined #openstack-keystone10:20
*** amakarov_away is now known as amakarov10:34
*** aix has quit IRC10:42
jamielennoxsamueldmq: - this is related to v2/v3. Fails in tempest setup, but i expected it to fail before that10:42
jamielennoxi'll look into it, just letting you know10:43
*** dguerri is now known as _dguerri10:47
*** topol has quit IRC10:57
*** topol has joined #openstack-keystone10:57
*** ChanServ sets mode: +v topol10:58
*** jamielennox is now known as jamielennox|away10:58
samueldmqjamielennox|away, nice, thanks I will take a look11:10
samueldmqjamielennox|away, btw, the gate jobs should be close to merge11:11
samueldmqjamielennox|away, I like this: "The v2 identity API is going away." - Lennox, Jamie11:11
*** e0ne is now known as e0ne_11:12
*** e0ne_ is now known as e0ne11:19
*** kairat_kushaev has quit IRC11:24
*** fhubik has joined #openstack-keystone11:39
*** chlong has joined #openstack-keystone11:48
*** diegows has joined #openstack-keystone11:52
*** _dguerri is now known as dguerri11:58
*** aix has joined #openstack-keystone11:58
*** e0ne is now known as e0ne_12:05
*** e0ne_ is now known as e0ne12:06
*** gordc has joined #openstack-keystone12:10
*** lmtaylor has joined #openstack-keystone12:21
*** lufix_ has quit IRC12:24
*** lufix_ has joined #openstack-keystone12:25
*** markvoelker has quit IRC12:31
*** markvoelker has joined #openstack-keystone12:31
*** stevemar has joined #openstack-keystone12:38
*** ChanServ sets mode: +v stevemar12:38
*** ericksonfgds has joined #openstack-keystone12:42
*** bknudson has quit IRC12:42
*** ericksonfgds has quit IRC12:46
*** e0ne is now known as e0ne_12:51
ayoungmorganfainberg, cool12:51
*** e0ne_ is now known as e0ne12:53
*** Ephur has joined #openstack-keystone12:54
*** gordc has quit IRC12:56
*** radez_g0n3 is now known as radez12:59
*** dguerri is now known as _dguerri12:59
*** _dguerri is now known as dguerri13:01
*** afazekas has quit IRC13:05
*** afazekas has joined #openstack-keystone13:08
*** topol has quit IRC13:19
*** jsavak has joined #openstack-keystone13:21
*** zzzeek has joined #openstack-keystone13:22
*** gordc has joined #openstack-keystone13:33
*** lastops has joined #openstack-keystone13:33
*** dguerri is now known as _dguerri13:40
*** bknudson has joined #openstack-keystone13:41
*** ChanServ sets mode: +v bknudson13:41
*** _dguerri is now known as dguerri13:43
*** lmtaylor has left #openstack-keystone13:47
*** e0ne is now known as e0ne_13:47
*** richm has joined #openstack-keystone13:48
*** blewis has joined #openstack-keystone13:56
*** blewis has quit IRC14:01
*** jorge_munoz has quit IRC14:02
*** gokrokve has joined #openstack-keystone14:03
*** blewis has joined #openstack-keystone14:03
*** sigmavirus24_awa is now known as sigmavirus2414:05
*** e0ne_ is now known as e0ne14:06
*** mattfarina has joined #openstack-keystone14:10
ayoung  bknudson dstanek I think that patch is super valuable, and would benefit from some attention from you two in particular.  I'd like to get it in so we can move to doing pecan everywhere over time.14:12
ayoungI'm going through it again now, too.14:12
bknudsonthe blueprint needs to be approved14:12
*** kiranr has quit IRC14:12
*** markvoelker has quit IRC14:13
dstanekayoung: yeah, i've been unfortunately looking into pecan more and more14:15
ayoungdstanek, why unfortunately?14:15
ayoungbknudson, so approve it14:15
ayoungwe spend way too much effort on BPs14:15
dstanekayoung: i don't really like it, but it looks like we are stuck with it14:16
ayoungdstanek, all frameworks suck.  Why don't you like Pecan?  What would you prefer?14:16
dstanekflask or falcon are much better suited for apis14:17
ayoungdstanek, I want to be able to do HTML rendering as a possibility in the future.  I like that Pecan makes that possible.  What is the real difference in approach between Flask, Falcon, and Pecan?14:18
ayoungand why are we stuck with it?14:18
*** Ctina has joined #openstack-keystone14:19
dstanekthere's too many differences to enumerate, but flask would be nice because more people than just OpenStack use it14:19
*** Ctina is now known as ctina14:20
dstaneki think we are stuck because OpenStack's NIH seems to have made pecan the standard14:21
ayoungdstanek, ah14:22
rodrigodsstevemar, marekd to write automated configuration for federation, we should contrib to, right?14:22
ayoungdstanek, so flask is more mature?14:22
stevemarrodrigods, yessir14:23
rodrigodsstevemar, cool we already have some automated scripts for it, but not using puppet14:24
dstanekayoung: from my perspective yes.14:24
* richm hears puppet-keystone14:24
stevemarrodrigods, yeah most deployers will use puppet or some variation for configuring keystone14:24
ayoungrodrigods, I suspect that we could benefit from a ruby port of keystoneauth14:24
ayoungright richm ?14:24
stevemarrodrigods, richm is the puppet pro14:24
ayoungstevemar, he's the Wolf.  He solves problems14:25
rodrigodsstevemar, richm cool! so let me introduce iurygregory - our config automation pro14:25
*** fhubik has quit IRC14:26
richmDo you have any sheets, bedspreads, big towels?  I'm sure Uncle Marcellus would be willing to reimburse you.14:26
*** fhubik has joined #openstack-keystone14:26
*** lhcheng has joined #openstack-keystone14:27
*** ChanServ sets mode: +v lhcheng14:27
bknudsonflask has "support for secure cookies (client side sessions)" -- no tokens reqd.14:27
*** fhubik has quit IRC14:38
*** fhubik has joined #openstack-keystone14:39
*** markvoelker has joined #openstack-keystone14:40
*** mordred has quit IRC14:40
*** fhubik is now known as fhubik_afk14:41
*** mordred has joined #openstack-keystone14:42
*** dguerri is now known as _dguerri14:48
*** _dguerri is now known as dguerri14:48
*** dguerri is now known as _dguerri14:49
dstanekbknudson: then it's settled, ditch the tokens14:49
*** topol has joined #openstack-keystone14:49
*** ChanServ sets mode: +v topol14:49
*** _dguerri is now known as dguerri14:50
*** fhubik_afk is now known as fhubik14:53
*** jimbaker has quit IRC14:53
*** browne has quit IRC14:55
*** jimbaker has joined #openstack-keystone14:58
*** jimbaker has quit IRC14:58
*** jimbaker has joined #openstack-keystone14:58
*** fhubik has quit IRC14:58
*** lhcheng has quit IRC15:00
morganfainbergdstanek: I don't think you have massive complaints about flask. Falcon I have other feelings about now due to some significant discussions I've had both on and off ML.15:04
morganfainbergdstanek: flask would be my #1 choice (for exactly the reason you outlined) if we aren't wedged into pecan for OpenStack reasons (and you can convince people flask is the right choice for g-r inclusion, etc)15:05
dstanekmorganfainberg: sounds like a good discussion for next week15:05
morganfainbergdstanek: I'm happy to discuss this a bit more hallway track.15:05
*** amerine has joined #openstack-keystone15:07
dstanekwe have so many contexts in different places - auth_context, user_context, etc. - do we have a request_context area to stuff request level variables/data?15:07
*** dguerri is now known as _dguerri15:12
*** _dguerri is now known as dguerri15:12
morganfainbergdstanek: that would be nice. Pecan (I think) does this via thread.local isms15:17
morganfainbergdstanek: but I think we (keystone) have some request context stuff wedged into our custom auth_context15:18
morganfainbergRequest context could contain auth context data15:18
*** links has quit IRC15:24
*** gsilvis_ is now known as gsilvis15:27
*** dhague has quit IRC15:30
*** amerine has quit IRC15:49
*** amerine has joined #openstack-keystone15:49
*** markvoelker has quit IRC15:50
*** gyee has joined #openstack-keystone15:51
*** ChanServ sets mode: +v gyee15:51
*** mabrams has left #openstack-keystone15:56
*** dims has quit IRC15:56
*** dims has joined #openstack-keystone15:56
*** markvoelker has joined #openstack-keystone15:59
*** blewis has quit IRC16:08
*** _cjones_ has joined #openstack-keystone16:09
*** _cjones_ has quit IRC16:12
*** _cjones_ has joined #openstack-keystone16:12
*** tqtran has joined #openstack-keystone16:14
*** e0ne is now known as e0ne_16:18
*** lhcheng has joined #openstack-keystone16:21
*** ChanServ sets mode: +v lhcheng16:21
*** browne has joined #openstack-keystone16:24
*** afazekas has quit IRC16:24
*** e0ne_ is now known as e0ne16:25
bknudsonwe don't want the request context to go any deeper than the controller layer16:27
*** gokrokve_ has joined #openstack-keystone16:30
*** lhcheng has quit IRC16:30
*** gokrokve has quit IRC16:33
*** gokrokve_ has quit IRC16:34
*** jistr has quit IRC16:42
stevemarayoung, i hope you're ready for a massive policy talk16:43
ayoungstevemar, I'm scouring the internet for relevant and properly copyright accessible images to make it non boring16:43
ayoungrodrigods, samueldmq morganfainberg, been thinking about a large life for Keystone...providing policy to apps running in the cloud as opposed to just the management of openstack services.  Seems like it would require some sort of limitation, so that a user assigned admin for an application would not be able to create virtual machines.   Seems to me this would require a modifying on the project definition, kind of like the d16:52
omain-is-a-project  aspect we want for Reseller.  Chew on that, and we can discuss next week as well16:52
*** zzzeek has quit IRC16:55
*** Bjoern__ has joined #openstack-keystone16:56
*** gokrokve has joined #openstack-keystone16:58
*** atiwari has joined #openstack-keystone16:58
*** ankita_wagh has joined #openstack-keystone16:59
*** zzzeek has joined #openstack-keystone16:59
samueldmqayoung, you mean a third-party app connected to the cloud and using keystone for authn and authz ?17:01
*** raildo has quit IRC17:02
ayoungsamueldmq, Wordpress or Drupal17:02
ayoungsamueldmq, so, Keystone provides enough config info so you can let someone log in to your Wordpress site using their home credentials17:02
ayoungstep 1: ayoung runs wordpress on dreamhost, and dstanek logs in to it using creds from RAX.17:03
*** mestery has joined #openstack-keystone17:03
samueldmqayoung, if I understand correctly, you want an easy way to plug another service with keystone17:03
ayoungstep2:  ayoung assigns dstanek@rax  the admin role, but only for Wordpress17:03
*** samleon has joined #openstack-keystone17:04
samueldmqayoung, hmm ... so the token scope would also include the service ?17:04
ayoungsamueldmq, maybe not using tokens17:05
samueldmqayoung, you have admin on this project for that service17:05
ayoungwhen you log in to wordpress, you don't need a token, but rather wordpress has something like auth_token that fetches the roles assigned to you  for that project17:05
*** e0ne has quit IRC17:05
ayoungbut, the role assignment would be for a project of the "Wordpress" flavor....or maybe we make  "application"  a project powertype, like domain is a project powertype17:06
ayoungso...Wordpress could become a service17:07
ayoungI often thought the split between services and projects was artificial.  What if we made "Service " a type of project?17:08
samueldmqayoung, classify projects in services ?17:08
samueldmqayoung, why not create a domain for each external app ?17:08
ayoungdomain-is-a-project  services-is-a-project17:08
ayoungsamueldmq, domains are different than apps17:09
samueldmqayoung, domain-is-a-project because it has more than a project (when it specializes, right)17:09
samueldmqayoung, what app add?17:09
ayoungsamueldmq, apps are leaf nodes?17:10
gyeepolicy is a project17:10
samueldmqayoung, I mean, as apps would specialize projects, what do they add ? (domains add users, etc)17:10
samueldmqgyee, you forgot the - .... policy-is-a-project17:10
ayoungsamueldmq, as a way to distinguish what the admin role means.17:11
samueldmqayoung, project-is-an-app this way17:11
ayoungadmin on wordpress means something different than admin on Nova17:11
samueldmqno ?17:11
*** amakarov is now known as amakarov_away17:11
samueldmqayoung, admin already can mean different things on different services (nova, keystone, wordpress?)17:12
samueldmqayoung, it all depends on the policy17:12
ayoungsasmbut I should not be able to accidentally assign that17:12
*** raildo has joined #openstack-keystone17:12
samueldmqayoung, so maybe wordpress needed to have  policy?17:12
ayoungthis is what arvind was talking about...two years ago?...when he wanted roles scoped to services17:12
samueldmqayoung, or you want a higher-level mechanism17:13
*** gokrokve has quit IRC17:13
ayoungnot role assignments, but roles themselves17:13
samueldmqayoung, roles on projects ? without actors ?17:13
*** gokrokve has joined #openstack-keystone17:13
ayoungnah,...  wordpress:admin vs nova:admin  vs neutron:admin17:14
ayoungvs domain:admin....17:14
samueldmqayoung, so roles that are valid in a given service's context17:14
ayoungsamueldmq, and only in a given17:15
*** gyee has quit IRC17:16
samueldmqayoung, roles will be namespaced to domains (domain roles?)/service (what you're talking about)17:16
samueldmqayoung, it adds complexity, we just need to evaluate if it's worth it to have17:17
samueldmqayoung, I am not against it, just trying to understand and see pros vs cons17:17
ayoungsamueldmq, is future stuff.17:17
*** gokrokve has quit IRC17:17
*** gokrokve has joined #openstack-keystone17:18
samueldmqayoung, cool .. I will mull it a bit more and we talk at the summit17:18
*** atiwari has quit IRC17:20
*** atiwari has joined #openstack-keystone17:22
*** lhcheng has joined #openstack-keystone17:24
*** ChanServ sets mode: +v lhcheng17:24
*** gokrokve has quit IRC17:26
*** gokrokve has joined #openstack-keystone17:26
*** gokrokve has quit IRC17:31
*** atiwari has quit IRC17:38
ayoungI have a lot of slides.  Too many17:41
*** harlowja has quit IRC17:41
*** harlowja has joined #openstack-keystone17:42
*** haneef has quit IRC17:42
*** haneef has joined #openstack-keystone17:43
*** jsavak has quit IRC17:50
*** jsavak has joined #openstack-keystone17:50
*** atiwari has joined #openstack-keystone17:50
*** e0ne has joined #openstack-keystone17:53
*** blewis has joined #openstack-keystone18:02
*** ctina_ has joined #openstack-keystone18:02
*** ctina has quit IRC18:05
*** blewis has quit IRC18:06
*** ctina_ has quit IRC18:06
mordredmorganfainberg, jamielennox|away: so - I just pushed up a patch to devstack to create a clouds.yaml18:08
mordredmorganfainberg, jamielennox|away: as we look at adding devstack support for things other than v2password - we might want to also add some nice logic to output the appropriate auth dict and auth_type into that clouds.yaml as well18:08
mordredso we could test that not only other api versions, but also other api plugins work - both for keystone, and for shade18:09
*** gyee has joined #openstack-keystone18:19
*** ChanServ sets mode: +v gyee18:19
openstackgerritBrant Knudson proposed openstack/keystone: Sync oslo-incubator cc19617
morganfainbergmordred: ah18:28
*** atiwari has quit IRC18:34
*** atiwari has joined #openstack-keystone18:34
*** aix has quit IRC18:38
*** atiwari has quit IRC18:43
morganfainbergjamielennox|away: is the place we should target any 1.x stuff for ksa18:46
morganfainbergmordred: i just released 0.1.0 pre-release of ksa18:46
morganfainbergmordred: to pypi18:46
morganfainbergmordred: so please tell us what sucks about it so we can fix before 1.0 release18:46
morganfainbergand yes, docs suck18:47
mordredmorganfainberg: the docs can't possibly be worse than what I've been working with so far :)18:48
morganfainbergmordred: docs for KSA are... non-existent afaik18:48
mordredmorganfainberg: does it mostly work like keystone session does today?18:48
morganfainbergmordred: it has some interface changes18:48
morganfainbergbut it should be close. it wont be a drop in18:48
morganfainbergbecause we are trying to fix the stupid compat stuff we don't want to carry18:48
mordredmorganfainberg: once it's all good and stuff18:49
mordredand I get a session from it18:49
mordredI should still be able to pass those sessions to the other python-*clients right?18:49
morganfainbergbut yes session is there, and most things are similar18:49
morganfainbergmordred: 2x check w/ jamielennox|away, but that is the hope18:49
morganfainbergmordred: the session object should still just work the same18:49
morganfainbergit's the other associated interfaces (like discovery) that will be different18:50
morganfainbergand exceptions have changed a lot18:50
mordredwell, I currently except Exception ... so that probably won't hurt me :)18:50
morganfainbergby the 1.x release we should also be no longer dependent on oslo.serialization18:50
morganfainbergand a few other things18:50
mordredyour git repo looks strange to me18:50
mordredoh nevermind18:50
mordredmy bad18:50
mordredI totally don't know how to work unix18:51
mordredwow. you have a lot of depends still...18:51
* mordred wags fingers18:51
morganfainbergyeah the goal was get this in gerrit18:51
morganfainbergpre-release, then fix stuff like depends after it was in gerrit18:52
morganfainbergso we can 1.x release this cycle18:52
mordredlike, PrettyTable and oslo.serialization seem a bit much18:52
morganfainbergyep, those will go away18:52
mordredmorganfainberg: oh - is it possible (yet) or have you thought about how I might make queries of things at the root of a service?18:53
morganfainbergi think we will be stevedore, pbr, iso8601, argparse, six, and requests by the time we're done18:53
morganfainbergmordred: that is the kind of stuff i'd like to get logged as a "we need it"18:53
morganfainbergmordred: to make this useful18:53
mordredmorganfainberg: like, the / of the nova service gets me a version list- but the nova url in the catalog is the versioned url18:54
*** markvoelker has quit IRC18:54
mordredand I know there is a whole OTHER conversation about that18:54
morganfainbergyep. i'd like that kind of stuff logged as "what we want to make this really the right tool"18:54
mordredwell, I'll be in the service catalog session18:54
morganfainbergvs just a copy of "session" but elsewhere.18:54
morganfainbergso will i18:54
mordredand I expect to just scream the entire time18:54
mordredI may not even say words18:54
mordredjust a single very long scream18:54
morganfainbergi expect to just sit in the corner and pretend let you scream18:55
mordredbtw:     def get_endpoint(self, auth=None, **kwargs):18:55
* morganfainberg goes to get lunch now that he's done yelling at expense systems.18:55
mordredI know it's a passthrough18:56
mordredbut it seems like some of the kwargs might be things that could be documented?18:56
morganfainbergmordred: yeah - we shouldn't be doing **kwargs anywhere18:56
mordredso, I'll consider that bug filed18:56
morganfainbergbut at the very least, we should docstring document args18:57
morganfainbergjamielennox|away: ^^18:57
mordred        There are no required keyword arguments to ``get_endpoint`` as a plugin18:57
mordredI think changing that to "there are some arguments that all plugins are required to handle, and some others that may vary by plugin" will make the bunny rabbits smile18:57
*** markvoelker has joined #openstack-keystone19:00
*** harlowja has quit IRC19:03
mordredmorganfainberg: k.
*** edmondsw has joined #openstack-keystone19:05
*** harlowja has joined #openstack-keystone19:05
mordredmorganfainberg: there is complete-untested-me-porting-to-keystoneauth19:05
*** lufix__ has joined #openstack-keystone19:07
*** lufix_ has quit IRC19:09
*** lufix_ has joined #openstack-keystone19:09
*** ankita_wagh has quit IRC19:10
*** ankita_wagh has joined #openstack-keystone19:11
*** lufix__ has quit IRC19:12
*** Bjoern__ has left #openstack-keystone19:15
*** ankita_wagh has quit IRC19:16
*** ankita_wagh has joined #openstack-keystone19:16
*** zzzeek has quit IRC19:21
*** stevemar has quit IRC19:25
*** harlowja has quit IRC19:25
*** harlowja has joined #openstack-keystone19:26
*** atiwari has joined #openstack-keystone19:29
*** atiwari has quit IRC19:30
*** lastops has quit IRC19:31
*** radez is now known as radez_g0n319:49
dstanekmordred: morganfainberg: ++ not a kwargs fan19:50
*** openstackgerrit has quit IRC19:52
*** openstackgerrit has joined #openstack-keystone19:52
openstackgerritDavid Stanek proposed openstack/keystone: Refactor: create the lookup object once
openstackgerritDavid Stanek proposed openstack/keystone: Refactor: use __getitem__ when the key will exists
openstackgerritDavid Stanek proposed openstack/keystone: WIP: reduce redundant get_user calls
*** markvoelker has quit IRC19:57
*** lufix_ has quit IRC20:03
*** wasmum has quit IRC20:09
*** ankita_w_ has joined #openstack-keystone20:09
*** ankita_wagh has quit IRC20:09
*** markvoelker has joined #openstack-keystone20:11
ayoungI think I am bringing my Sax to every design session.  If I don't like the way things are going, I'll just start playing something like "When the Saints go Marching In"20:20
raildoayoung,  ++ haha20:20
*** ankita___ has joined #openstack-keystone20:35
*** ankit____ has joined #openstack-keystone20:37
*** ankita___ has quit IRC20:37
*** ankita_w_ has quit IRC20:38
*** ankit____ has quit IRC20:38
*** ankita_w_ has joined #openstack-keystone20:39
*** alanf-mc has joined #openstack-keystone20:59
*** ayoung has quit IRC21:06
*** gordc has quit IRC21:06
*** lhcheng has quit IRC21:08
*** chlong has quit IRC21:08
*** edmondsw has quit IRC21:09
*** jsavak has quit IRC21:10
*** dstanek has quit IRC21:10
*** dstanek has joined #openstack-keystone21:14
*** ChanServ sets mode: +v dstanek21:14
*** markvoelker has quit IRC21:14
*** openstackgerrit has quit IRC21:22
*** openstackgerrit has joined #openstack-keystone21:22
*** markvoelker has joined #openstack-keystone21:24
*** ankita_w_ has quit IRC21:28
*** wasmum has joined #openstack-keystone21:28
*** ankita_wagh has joined #openstack-keystone21:28
*** ankita_wagh has quit IRC21:30
*** ankita_wagh has joined #openstack-keystone21:31
*** ankita_wagh has quit IRC21:33
*** ankita_wagh has joined #openstack-keystone21:33
*** ankita_w_ has joined #openstack-keystone21:34
*** ankita_wagh has quit IRC21:34
*** e0ne has quit IRC21:39
*** e0ne has joined #openstack-keystone21:40
*** mattfarina has quit IRC21:44
openstackgerritJeremy Stanley proposed openstack/keystone: Replace ci.o.o links with docs.o.o/infra
*** topol has quit IRC21:53
*** ankita_w_ has quit IRC21:54
*** e0ne has quit IRC22:01
*** Rockyg has joined #openstack-keystone22:02
*** markvoelker has quit IRC22:04
*** lhcheng has joined #openstack-keystone22:04
*** ChanServ sets mode: +v lhcheng22:04
*** ankita_wagh has joined #openstack-keystone22:07
*** wasmum has quit IRC22:07
*** bknudson has quit IRC22:20
*** ayoung has joined #openstack-keystone22:22
*** ChanServ sets mode: +v ayoung22:22
*** markvoelker has joined #openstack-keystone22:25
*** zzzeek has joined #openstack-keystone22:33
openstackgerritayoung proposed openstack/oslo.policy: CLI Policy Check tool
*** wasmum has joined #openstack-keystone22:50
*** hemna is now known as hemnafk22:55
*** markvoelker has quit IRC22:58
morganfainbergayoung: bonus points if you make it sound like geese honking while playing the sax to convince people to stop :P23:00
morganfainbergI hear geese are mean animals.23:01
*** redrobot has quit IRC23:04
*** ayoung has quit IRC23:04
*** Trozz has quit IRC23:04
*** markvoelker has joined #openstack-keystone23:05
*** redrobot has joined #openstack-keystone23:05
*** redrobot is now known as Guest1989523:05
*** chlong has joined #openstack-keystone23:10
*** alanf-mc has quit IRC23:13
*** alanf-mc has joined #openstack-keystone23:17
*** _cjones_ has quit IRC23:32
*** _cjones_ has joined #openstack-keystone23:33
*** sigmavirus24 is now known as sigmavirus24_awa23:33
openstackgerritMonty Taylor proposed openstack/keystoneauth: Remove pbr as runtime depend
*** darrenc is now known as darrenc_afk23:40
