Monday, 2015-06-08

*** markvoelker has joined #openstack-keystone		00:25
*** markvoelker has quit IRC		00:30
*** lhcheng has joined #openstack-keystone		00:42
*** ChanServ sets mode: +v lhcheng		00:42
*** mitz has joined #openstack-keystone		00:47
*** lhcheng has quit IRC		00:57
*** dims__ has quit IRC		01:06
*** jamielennox\|away is now known as jamielennox		01:07
*** aix has quit IRC		01:26
*** davechen_afk is now known as davechen		01:44
*** dims_ has joined #openstack-keystone		01:58
*** Kennan2 has joined #openstack-keystone		02:03
*** dims_ has quit IRC		02:03
*** Kennan has quit IRC		02:04
*** markvoelker has joined #openstack-keystone		02:14
*** markvoelker has quit IRC		02:19
*** rlt has quit IRC		02:30
*** dims_ has joined #openstack-keystone		03:03
*** dims_ has quit IRC		03:09
*** liusheng has joined #openstack-keystone		03:13
*** topol has joined #openstack-keystone		03:25
*** ChanServ sets mode: +v topol		03:25
*** tsufiev has quit IRC		03:27
*** grantbow has quit IRC		03:27
*** josecastroleon has quit IRC		03:27
*** bradjones\|away has quit IRC		03:27
*** mestery_afk has quit IRC		03:27
*** Swanson has quit IRC		03:27
*** josecastroleon has joined #openstack-keystone		03:28
*** Swanson has joined #openstack-keystone		03:28
*** bradjones has joined #openstack-keystone		03:28
*** bradjones has quit IRC		03:28
*** bradjones has joined #openstack-keystone		03:28
*** mestery has joined #openstack-keystone		03:28
*** tsufiev has joined #openstack-keystone		03:28
*** topol has quit IRC		03:41
*** naggappan has joined #openstack-keystone		04:01
naggappan	hi is there any flag in localrc file to turn on https during the devstack deployment ?	04:02
morganfainberg	naggappan: I do not think devstack does ca management for SSL termination.	04:12
naggappan	morganfinberg: So the only way is to install devstack in normal way, then enable https alone with ca certificates and restart the services ?	04:15
*** mabrams has joined #openstack-keystone		04:35
*** yottatsa has joined #openstack-keystone		05:10
*** belmoreira has joined #openstack-keystone		05:20
*** naggappan has quit IRC		05:26
breton	morning	05:31
*** iamjarvo has quit IRC		05:34
*** lsmola has joined #openstack-keystone		05:36
*** fangzhou has quit IRC		05:36
*** lhcheng has joined #openstack-keystone		05:38
*** ChanServ sets mode: +v lhcheng		05:38
*** yottatsa has quit IRC		05:40
*** yottatsa has joined #openstack-keystone		05:41
*** yottatsa has quit IRC		05:46
*** yottatsa has joined #openstack-keystone		05:46
*** Kennan2 has quit IRC		05:47
*** Kennan has joined #openstack-keystone		05:48
*** markvoelker has joined #openstack-keystone		05:52
*** markvoelker has quit IRC		05:56
*** geoffarnold has joined #openstack-keystone		05:58
*** belmoreira has quit IRC		06:06
openstackgerrit	OpenStack Proposal Bot proposed openstack/keystone: Imported Translations from Transifex https://review.openstack.org/186279	06:08
*** sks has joined #openstack-keystone		06:10
*** josecastroleon has quit IRC		06:19
marekd	breton: morning.	06:20
*** lhcheng has quit IRC		06:28
*** tobe has joined #openstack-keystone		06:45
*** mordred has quit IRC		06:46
*** andreaf has joined #openstack-keystone		06:48
*** abhishekk has joined #openstack-keystone		06:49
*** lufix has joined #openstack-keystone		06:50
*** ajayaa has joined #openstack-keystone		06:51
*** andreaf has quit IRC		06:53
*** andreaf has joined #openstack-keystone		06:54
morganfainberg	marekd: morning	06:58
morganfainberg	breton: morning	06:58
abhishekk	morganfainberg: hi, do you have some time?	07:02
morganfainberg	abhishekk: i have a little time	07:02
morganfainberg	abhishekk: what can i do for you?	07:03
abhishekk	need to discuss with you about service-token	07:03
abhishekk	you have given idea about using service-token for passing request-id (ref: https://review.openstack.org/#/c/156508/)	07:03
abhishekk	morganfainberg: as of now no client support is there for passing service-token, am I right?	07:04
morganfainberg	yeah i've seen that proposal	07:05
morganfainberg	abhishekk: i am fairly certain that is correct	07:05
abhishekk	morganfainberg: is there any work going on about this?	07:05
morganfainberg	abhishekk: i think jamielennox has been looking at that	07:07
morganfainberg	but no work yet has been started on it	07:07
abhishekk	morganfainberg: thanks for the update	07:08
morganfainberg	abhishekk: sure thing!	07:08
abhishekk	morganfainberg: I am planning to working on it for cinder	07:08
morganfainberg	nice	07:08
morganfainberg	so we're looking at baking it into the session object	07:08
morganfainberg	so you should get it for free	07:08
jamielennox	abhishekk: there is an auth_token patch, but as you can't serialize the plugin that implements the call there really isn't much use at the moment	07:09
jamielennox	https://review.openstack.org/#/c/141614/	07:09
jamielennox	because the token will be lost as soon as you RPC from the api to the worker	07:09
jamielennox	and no-one currently uses the plugin anyway	07:09
abhishekk	jamielennox: right	07:09
abhishekk	jamielennox, morganfainberg: thank you for the update	07:12
openstackgerrit	Marek Denis proposed openstack/keystone: Mapping Engine CLI https://review.openstack.org/188302	07:14
*** geoffarn_ has joined #openstack-keystone		07:14
*** jaosorior has joined #openstack-keystone		07:15
*** henrynash has joined #openstack-keystone		07:20
*** ChanServ sets mode: +v henrynash		07:20
*** yottatsa has quit IRC		07:31
openstackgerrit	Dave Chen proposed openstack/keystone-specs: Use oslo-versioned-objects to deal with upgrades https://review.openstack.org/167195	07:37
*** markvoelker has joined #openstack-keystone		07:40
*** markvoelker has quit IRC		07:45
*** rlt has joined #openstack-keystone		07:50
*** pnavarro_ has joined #openstack-keystone		07:51
*** jistr has joined #openstack-keystone		07:52
*** belmoreira has joined #openstack-keystone		08:00
*** fhubik has joined #openstack-keystone		08:06
*** fhubik is now known as fhubik_afk		08:06
*** afazekas_mtg has joined #openstack-keystone		08:06
*** dguerri` is now known as dguerri		08:11
*** lhcheng has joined #openstack-keystone		08:16
*** ChanServ sets mode: +v lhcheng		08:16
*** josecastroleon has joined #openstack-keystone		08:18
*** yottatsa has joined #openstack-keystone		08:20
*** lhcheng has quit IRC		08:21
*** fhubik_afk is now known as fhubik		08:23
*** dims_ has joined #openstack-keystone		08:28
openstackgerrit	Morgan Fainberg proposed openstack/keystonemiddleware: Ensure cache keys are a known/fixed length https://review.openstack.org/186971	08:32
*** dims_ has quit IRC		08:33
*** liusheng has quit IRC		08:36
*** liusheng has joined #openstack-keystone		08:36
openstackgerrit	Marek Denis proposed openstack/keystoneauth: Add Keystone2KeystoneAuthPlugin for K2K federation https://review.openstack.org/188581	08:39
fhubik	Hey, is anyone using keystone against Active Directory with "user db" write access? Is this even possible for now?	08:40
*** aix has joined #openstack-keystone		08:41
*** e0ne has joined #openstack-keystone		08:56
*** ajayaa has quit IRC		09:00
*** yottatsa has quit IRC		09:01
openstackgerrit	Merged openstack/keystone: Remove unnecessary dependencies from KerberosDomain https://review.openstack.org/189139	09:02
*** e0ne is now known as e0ne_		09:10
*** yogeshwars1 has left #openstack-keystone		09:12
*** geoffarn_ has quit IRC		09:14
*** geoffarnold has quit IRC		09:15
morganfainberg	fhubik: i would be very wary of letting keystone write to Active Directory	09:16
morganfainberg	fhubik: it is not impossible, but Active Directory might get cranky about the objects created in the tree	09:16
*** ajayaa has joined #openstack-keystone		09:16
morganfainberg	fhubik: there are better tools for managing users in AD than keystone.	09:16
*** e0ne_ has quit IRC		09:20
fhubik	morganfainberg: For me, it is necessary. I am triyng to run Tempest test-suites against AD and this needs write access to user DB.	09:25
morganfainberg	fhubik: ah.	09:26
morganfainberg	so, you may run into bugs	09:26
morganfainberg	because keystone may not create the correct object types in LDAP that AD needs	09:27
fhubik	morganfainberg: But no success there, either AD is prohibiting adding "correct-way" user with "unwilling_to_perform" or I can add "crippled" user thru keystone though, but I can not authenticate agains such user then (is disabled) :/	09:28
fhubik	morganfainberg: exactly, but I am wondering, is anyone using this usecase? I know about Cern only...	09:28
openstackgerrit	Marek Denis proposed openstack/keystoneauth: Add Keystone2KeystoneAuthPlugin for K2K federation https://review.openstack.org/188581	09:29
fhubik	morganfainberg: and thas is even maybe, of course ;)	09:29
*** markvoelker has joined #openstack-keystone		09:29
*** e0ne has joined #openstack-keystone		09:29
*** yottatsa has joined #openstack-keystone		09:34
*** markvoelker has quit IRC		09:34
*** fhubik is now known as fhubik_afk		09:34
openstackgerrit	Marek Denis proposed openstack/keystoneauth: Keystone2KeystoneAuthPlugin scoping capabilities https://review.openstack.org/188881	09:34
*** fhubik_afk is now known as fhubik		09:39
*** yottatsa has quit IRC		09:54
*** fhubik is now known as fhubik_afk		10:01
*** boris-42 has joined #openstack-keystone		10:04
*** lhcheng has joined #openstack-keystone		10:05
*** ChanServ sets mode: +v lhcheng		10:05
*** jsheeren has joined #openstack-keystone		10:07
*** openstackgerrit has quit IRC		10:09
*** dims_ has joined #openstack-keystone		10:09
*** openstackgerrit has joined #openstack-keystone		10:09
*** lhcheng has quit IRC		10:10
*** jsheeren has quit IRC		10:11
morganfainberg	fhubik_afk: you can ask marekd about it. But iirc mostly everyone just uses AD as read-only	10:29
*** lhcheng has joined #openstack-keystone		10:29
*** ChanServ sets mode: +v lhcheng		10:29
*** lhcheng has quit IRC		10:33
*** henrynash has quit IRC		10:38
*** varya_ has joined #openstack-keystone		10:39
openstackgerrit	Davanum Srinivas (dims) proposed openstack/keystonemiddleware: Remove install_venv_common and fix typo in memorycache https://review.openstack.org/189113	10:43
*** henrynash has joined #openstack-keystone		10:43
*** ChanServ sets mode: +v henrynash		10:43
*** henrynash has quit IRC		10:44
*** ajayaa has quit IRC		10:46
*** yottatsa has joined #openstack-keystone		10:49
*** fhubik_afk is now known as fhubik		10:53
fhubik	morganfainberg: ok, thanks	10:54
*** samueldmq has joined #openstack-keystone		10:54
samueldmq	morning	10:55
samueldmq	hope you all had a great weekend :)	10:55
*** e0ne is now known as e0ne_		10:56
morganfainberg	samueldmq: maaaaybe	10:57
*** e0ne_ is now known as e0ne		10:57
*** afazekas_mtg is now known as afazekas		10:58
*** ajayaa has joined #openstack-keystone		10:58
varya_	Hi all. I have a question, as part of creating a new tenant can we perform some custom actions in nova or neutron. For example creating a default network for every tenant as soon as the tenant is created? Sorry if this is not the right forum to ask this question.	10:59
*** merlin_ has quit IRC		10:59
samueldmq	morganfainberg, hi :)	11:01
samueldmq	morganfainberg, btw I found something on your patch 'Ensure cache keys are a known/fixed length'	11:01
samueldmq	morganfainberg, you defined "long_string = long_string = 8 * uuid.uuid4().hex"	11:02
samueldmq	morganfainberg, would you mind if I send a new patch set ?	11:02
morganfainberg	samueldmq: oh hah. sure	11:02
morganfainberg	feel free to	11:02
morganfainberg	samueldmq: you are always welcome to upload fixes like that to my patches, you never need to ask my permission	11:02
samueldmq	morganfainberg, cool, nice to know	11:03
samueldmq	morganfainberg, I like to check, I think some people don't like :)	11:03
samueldmq	morganfainberg, thanks	11:03
*** yottatsa has quit IRC		11:03
*** yottatsa has joined #openstack-keystone		11:05
openstackgerrit	Davanum Srinivas (dims) proposed openstack/python-keystoneclient: Remove unnecessary install_venv_common module https://review.openstack.org/189123	11:12
*** varya_ has quit IRC		11:12
*** ajayaa has quit IRC		11:18
*** dguerri is now known as dguerri`		11:19
*** rushiagr_away is now known as rushiagr		11:22
openstackgerrit	Davanum Srinivas (dims) proposed openstack/keystone: Switch keystone over to oslo_log versionutils https://review.openstack.org/189267	11:23
openstackgerrit	Davanum Srinivas (dims) proposed openstack/keystone: Switch keystone over to oslo_log versionutils https://review.openstack.org/189267	11:25
*** tobe has quit IRC		11:26
openstackgerrit	Davanum Srinivas (dims) proposed openstack/keystone: Remove unnecessary install_venv_common.py https://review.openstack.org/189111	11:26
*** markvoelker has joined #openstack-keystone		11:30
*** markvoelker has quit IRC		11:35
*** ajayaa has joined #openstack-keystone		11:37
*** e0ne is now known as e0ne_		11:38
*** e0ne_ is now known as e0ne		11:39
*** henrynash has joined #openstack-keystone		11:40
*** ChanServ sets mode: +v henrynash		11:40
openstackgerrit	Marek Denis proposed openstack/keystoneauth: Add Keystone2KeystoneAuthPlugin for K2K federation https://review.openstack.org/188581	11:44
samueldmq	henrynash, hi, good morning	11:46
henrynash	samueldmq; hi	11:46
samueldmq	henrynash, I will be working on the list role assignments patch again this week :)	11:47
henrynash	samueldmq: YES!!!!!!!	11:47
henrynash	samueldmq: let me know what I can do to help you get this in	11:47
samueldmq	henrynash, I got a review from dstanek proposing to split i) passing the filters to driver and ii) moving the logic to manager	11:47
samueldmq	henrynash, yes I will be splitting and will ping you	11:48
henrynash	samueldmq: ok!!!	11:48
samueldmq	henrynash, so you can take a look at ... it should be time to get that in	11:48
samueldmq	henrynash, more than one complete cycle under review	11:48
henrynash	samueldmq:yep	11:48
samueldmq	henrynash, but we will get that merged soon :)	11:49
openstackgerrit	Marek Denis proposed openstack/keystoneauth: Keystone2KeystoneAuthPlugin scoping capabilities https://review.openstack.org/188881	11:49
samueldmq	henrynash, have something to talk to you .. just pm'ed	11:50
*** mflobo has left #openstack-keystone		12:02
openstackgerrit	Marek Denis proposed openstack/keystoneauth: Add Keystone2KeystoneAuthPlugin for K2K federation https://review.openstack.org/188581	12:07
*** ajayaa has quit IRC		12:07
*** henrynash has quit IRC		12:09
*** raildo has joined #openstack-keystone		12:11
*** yottatsa has quit IRC		12:11
*** yottatsa has joined #openstack-keystone		12:13
openstackgerrit	Samuel de Medeiros Queiroz proposed openstack/keystonemiddleware: Ensure cache keys are a known/fixed length https://review.openstack.org/186971	12:15
*** henrynash has joined #openstack-keystone		12:18
*** ChanServ sets mode: +v henrynash		12:18
openstackgerrit	Boris Bobrov proposed openstack/keystonemiddleware: Correct memcached parameters in TokenCache https://review.openstack.org/171264	12:24
openstackgerrit	Jamie Lennox proposed openstack/keystonemiddleware: Remove custom header handling https://review.openstack.org/180385	12:28
openstackgerrit	Jamie Lennox proposed openstack/keystonemiddleware: Create a simple base class from AuthProtocol https://review.openstack.org/180816	12:28
openstackgerrit	Jamie Lennox proposed openstack/keystonemiddleware: Refactor request methods onto request object https://review.openstack.org/180394	12:28
*** pece has joined #openstack-keystone		12:29
marekd	morganfainberg: you are now in the middle of the night or somewhere in Europe ?	12:30
morganfainberg	marekd: i'm in budapest atm	12:31
marekd	morganfainberg: that explains a lot :-)	12:32
marekd	morganfainberg: some conference ?	12:32
*** woodster_ has quit IRC		12:32
morganfainberg	marekd: CEE Day	12:33
morganfainberg	marekd: tomorrow i'm off to Berlin	12:33
morganfainberg	then Tel Aviv	12:33
marekd	morganfainberg: whoa	12:33
marekd	i think i've never been to Berlin	12:34
morganfainberg	going to be there for ~3 days	12:34
morganfainberg	or more	12:34
* morganfainberg would have ot check itinerary		12:34
marekd	http://openstackceeday.com/ -> hah, the guy on the stage looks like noggin143	12:34
morganfainberg	hah	12:34
morganfainberg	marekd: he's been here to talk before iirc	12:35
marekd	morganfainberg: he talks a lot but hey, imho he does it really well (no biased because he is my boss)	12:35
*** fhubik is now known as fhubik_afk		12:35
morganfainberg	hahha	12:35
marekd	well, he talks a lot i mean he gives a lot of talks :P	12:36
marekd	(still not biased :P)	12:36
*** henrynash has quit IRC		12:38
*** fhubik_afk is now known as fhubik		12:39
*** dguerri` is now known as dguerri		12:46
*** dsirrine has joined #openstack-keystone		12:47
*** raildo has quit IRC		12:50
*** gabriel-bezerra has quit IRC		12:50
*** tellesnobrega has quit IRC		12:50
*** rushiagr is now known as rushiagr_away		12:50
*** iurygregory has quit IRC		12:51
*** samueldmq has quit IRC		12:51
*** nicodemos has quit IRC		12:51
*** ericksonsantos has quit IRC		12:51
*** noye has joined #openstack-keystone		12:57
openstackgerrit	Boris Bobrov proposed openstack/keystonemiddleware: Correct memcached parameters in TokenCache https://review.openstack.org/171264	12:58
openstackgerrit	Boris Bobrov proposed openstack/keystonemiddleware: a test for memcache_pool https://review.openstack.org/189284	12:58
openstackgerrit	Boris Bobrov proposed openstack/keystonemiddleware: Fix inheritance of memcache client used in pool https://review.openstack.org/189285	12:58
openstackgerrit	Boris Bobrov proposed openstack/keystonemiddleware: Fix usage of memcache_pool as contextmanager https://review.openstack.org/189286	12:58
*** sks has quit IRC		12:59
breton	sorry	13:03
openstackgerrit	Boris Bobrov proposed openstack/keystonemiddleware: Correct memcached parameters in TokenCache https://review.openstack.org/171264	13:03
openstackgerrit	Boris Bobrov proposed openstack/keystonemiddleware: a test for memcache_pool https://review.openstack.org/189284	13:03
openstackgerrit	Boris Bobrov proposed openstack/keystonemiddleware: Fix inheritance of memcache client used in pool https://review.openstack.org/189285	13:03
openstackgerrit	Boris Bobrov proposed openstack/keystonemiddleware: Fix usage of memcache_pool as contextmanager https://review.openstack.org/189286	13:04
openstackgerrit	Boris Bobrov proposed openstack/keystonemiddleware: Fix usage of memcache_pool as contextmanager https://review.openstack.org/189286	13:06
*** ericksonsantos has joined #openstack-keystone		13:06
*** samueldmq has joined #openstack-keystone		13:06
*** tellesnobrega has joined #openstack-keystone		13:06
*** raildo has joined #openstack-keystone		13:06
*** iurygregory has joined #openstack-keystone		13:06
*** mflobo has joined #openstack-keystone		13:06
*** nicodemos has joined #openstack-keystone		13:06
*** gabriel-bezerra has joined #openstack-keystone		13:08
*** radez_g0n3 is now known as radez		13:09
*** dguerri is now known as dguerri`		13:12
*** mflobo has left #openstack-keystone		13:12
*** sks has joined #openstack-keystone		13:12
*** mflobo has joined #openstack-keystone		13:13
*** yottatsa has quit IRC		13:19
*** markvoelker has joined #openstack-keystone		13:20
*** jsavak has joined #openstack-keystone		13:20
*** varya has joined #openstack-keystone		13:23
*** dguerri` is now known as dguerri		13:24
*** markvoelker has quit IRC		13:25
*** abhishekk has quit IRC		13:26
*** dsirrine has quit IRC		13:27
*** dsirrine has joined #openstack-keystone		13:29
openstackgerrit	Merged openstack/keystone: Remove deprecated external authentication plugins https://review.openstack.org/125701	13:29
*** ayoung has joined #openstack-keystone		13:29
*** ChanServ sets mode: +v ayoung		13:29
*** afazekas has quit IRC		13:31
openstackgerrit	Marek Denis proposed openstack/keystoneauth: Add Keystone2KeystoneAuthPlugin for K2K federation https://review.openstack.org/188581	13:31
openstackgerrit	Alexander Maretskiy proposed openstack/keystone: Add more Rally scenarios https://review.openstack.org/188457	13:33
openstackgerrit	Marek Denis proposed openstack/keystoneauth: Add Keystone2KeystoneAuthPlugin for K2K federation https://review.openstack.org/188581	13:34
*** krotscheck has joined #openstack-keystone		13:34
*** woodster_ has joined #openstack-keystone		13:35
*** HT_sergio has quit IRC		13:35
*** krotscheck has quit IRC		13:38
*** krotscheck has joined #openstack-keystone		13:39
*** krotscheck has quit IRC		13:40
*** krotscheck has joined #openstack-keystone		13:41
*** htruta has joined #openstack-keystone		13:44
openstackgerrit	Alexander Maretskiy proposed openstack/keystone: Improvements for rally jobs files. https://review.openstack.org/188479	13:49
*** HT_sergio has joined #openstack-keystone		13:54
*** e0ne is now known as e0ne_		13:56
openstackgerrit	Marek Denis proposed openstack/keystoneauth: Keystone2KeystoneAuthPlugin scoping capabilities https://review.openstack.org/188881	13:57
*** HT_sergio has quit IRC		13:58
*** rushiagr_away is now known as rushiagr		13:58
*** e0ne_ has quit IRC		14:07
*** e0ne has joined #openstack-keystone		14:08
openstackgerrit	Boris Bobrov proposed openstack/keystonemiddleware: Fix inheritance of memcache client used in pool https://review.openstack.org/189285	14:09
openstackgerrit	Boris Bobrov proposed openstack/keystonemiddleware: Fix usage of memcache_pool as contextmanager https://review.openstack.org/189286	14:09
*** fhubik is now known as fhubik_afk		14:10
marekd	rodrigods: dolphm: would you care reviewing https://review.openstack.org/#/c/188581 ?	14:10
*** csoukup has joined #openstack-keystone		14:11
*** sigmavirus24_awa is now known as sigmavirus24		14:11
*** sks has quit IRC		14:11
*** dvorak is now known as clayton		14:13
*** fhubik_afk is now known as fhubik		14:13
dstanek	morganfainberg: sound like an interesting time	14:18
*** varya has quit IRC		14:20
*** lastops has joined #openstack-keystone		14:20
*** merlin_ has joined #openstack-keystone		14:22
*** henrynash has joined #openstack-keystone		14:28
*** ChanServ sets mode: +v henrynash		14:28
openstackgerrit	Marek Denis proposed openstack/python-keystoneclient-saml2: Depend on python-keystoneauth https://review.openstack.org/186854	14:30
*** afazekas has joined #openstack-keystone		14:36
*** jamielennox is now known as jamielennox\|away		14:38
*** davechen is now known as davechen_afk		14:39
openstackgerrit	Boris Bobrov proposed openstack/keystoneauth: removed custom assertDictEqual https://review.openstack.org/189320	14:54
*** amakarov_away is now known as amakarov		14:54
amakarov	ayoung, hi! If we merge trusts and assignments to delegations, can we change use case "create assignment for user in project with roles" to "superuser delegates roles on project to the user"?	14:57
ayoung	amakarov, sounds right	14:57
amakarov	ayoung, I'm trying to figure out how hierarchical roles can fit here	14:58
*** HT_sergio has joined #openstack-keystone		15:00
*** nkinder has joined #openstack-keystone		15:02
*** zzzeek has joined #openstack-keystone		15:02
*** belmoreira has quit IRC		15:06
*** markvoelker has joined #openstack-keystone		15:08
*** markvoelker has quit IRC		15:13
ayoung	amakarov, role assignment and delegation are two names for the same thing	15:14
ayoung	I think that, maybe, we treat role-assignments as the special case	15:14
ayoung	being able to make a delegation "sticky" is a special power in itself	15:15
* ayoung having flashbacks to the incompleteness theorem		15:16
amakarov	ayoung, we can allow the superuser to create delegations, that has trustor == trustee	15:17
ayoung	amakarov, and how do we define "superuser"?	15:17
amakarov	ayoung, the one who creates a delegation ))	15:17
ayoung	and...a trust is checked based on role assignments, so there needs to be an assignment first	15:17
ayoung	amakarov, so, lets use a real world analogue	15:18
amakarov	ayoung, we have all-mighty admin without any explicit delegations	15:19
ayoung	A hiring manager accepts a new person into her organization. She tells HR about the new engineer, and HR puts Jane into the position from the Open Req	15:19
amakarov	and he is the source of all delegations	15:19
ayoung	HR is the one making the permanent assignments, cuz if the hiring manager quits or moves elsehere, the engineer still has their position	15:20
amakarov	ayoung, in this case role is delegated by HR who also has it delegated by her employer	15:21
amakarov	ayoung, oh, I see	15:21
amakarov	we can squash delegations	15:21
amakarov	ayoung, we can have delegation chain admin-HR-manager-employee	15:23
*** rlt has quit IRC		15:23
amakarov	if the manager quits it turns to admin-HR-employee	15:23
amakarov	ayoung, looks like spagetti :(	15:24
ayoung	amakarov, this is the problem with the term "Role" as it can mean a couple different thing. There are explicitly, long term assignments, and there are short term organizations, and we need both	15:24
ayoung	a user has a role in an organzation, but a user also has a role in accomplishing a task	15:25
amakarov	ayoung, I'd prefer action based access control...	15:25
ayoung	amakarov, so, the most genernic term is Attribute Based Access Control	15:25
ayoung	ABAC, is, of course, a tautology	15:25
ayoung	if you are making any access decision, you are making them based on attributes of something	15:26
ayoung	but..I digress	15:26
ayoung	so, when a user goes to perform an action, we take into account many things. For a paranoid organization, like, say, a hospital that needsd to be HIPAA compliant, y9ou might not even let people that are authorized perform certain operations if they are not sitting infront of a controlled termina. Like, say, turn on the x-ray machine...	15:28
amakarov	ayoung, aha, so we must consider not only the action requested, but also some necessary conditions?	15:29
ayoung	amakarov, well, Possibly	15:30
ayoung	amakarov, Keystone does not do that now. Its just an example of how Access Control evolves	15:30
amakarov	ayoung, may be just follow some use-cases? Access control has it's purpose as anything else - is it described somewhere?	15:32
ayoung	amakarov, yes, many pleaces..I have a whole body of links from reading up on this.	15:32
amakarov	maybe folmal user-stories or something?	15:32
ayoung	amakarov, but...lets focus in on the use cases already Identified	15:33
rodrigods	marekd, have some review requests too: https://review.openstack.org/#/c/188534/ :)	15:33
amakarov	ayoung, well, I'd like to place them to the blueprint: can you please provide a link or two?	15:34
*** aix has quit IRC		15:36
*** gyee_ has joined #openstack-keystone		15:36
ayoung	amakarov I will dig them up	15:37
amakarov	ayoung, thank you, it will be much easier to make a spec for the specific use case!	15:38
*** lufix has quit IRC		15:42
*** esp has joined #openstack-keystone		15:46
ayoung	amakarov, you are working on a spec for unified delegation, right?	15:48
*** pece has quit IRC		15:48
amakarov	ayoung, yes	15:48
ayoung	amakarov, cool	15:48
amakarov	ayoung, it is a blueprint yet :)	15:48
ayoung	amakarov, so, I don't want to get too academic about it. THe location based stuff, is actually policy, not assignment	15:48
ayoung	amakarov, so, all this is about delegation, which is just a subset of access control. I think there are 3 facets we want to cover:	15:49
*** _cjones_ has joined #openstack-keystone		15:49
ayoung	1. Long term assignements like we were discussing before	15:49
*** afazekas has quit IRC		15:49
ayoung	2. Short term delegations that are implicit or standard parts of defined workflows	15:50
ayoung	3. User to user delegations which are somewhere in between	15:50
ayoung	1. Is what Roles assignemnts do now, and they lack an audit trail, chain of responsibility, what ever you call it.	15:50
ayoung	3 is trusts	15:51
ayoung	2 we carry on the token right now (I give token to Nova, and have essentially granted all things to all parties), and that is the one I am most interested in fixing	15:51
ayoung	we have had a couple incremental steps lately worth noting	15:52
amakarov	ayoung, cool, I'll put it in the bp now	15:53
ayoung	an operator can now set up Keystone so that a user can explicitly reques an unscoped token. Why? SO that they can also limit token-for-token requests to unscoped to scoped only	15:53
ayoung	this feature needs to get into Horizon (DOA) so that Horizon holds on to the unscoped token (one per users web session) and uses that to get all the scoped tokens used later	15:54
ayoung	so ... how does this realte, you may ask...	15:54
ayoung	it provides securituy, but it is going to break some work flows that assume a user token can be converted to any other user token	15:55
ayoung	and we need to provide better ways to do that	15:55
ayoung	so...	15:55
*** Ephur has joined #openstack-keystone		15:55
ayoung	unified delegation acknowledges that whenever I get a scoped token, I am essentially creating a delegation	15:55
ayoung	it is the most ephemeral form	15:55
ayoung	and using it should minimize the side effects possible if someone misuses the token	15:56
amakarov	ayoung, so to put is simple: we want to replace scoped tokens with delegations?	15:57
ayoung	amakarov, if you take things to the extreme, I think that is where we are headed	15:58
ayoung	amakarov, lets, instead, say I would like to make that a possibility	15:58
amakarov	ayoung, understood	15:58
*** varya has joined #openstack-keystone		16:01
*** lastops has quit IRC		16:02
*** richm has joined #openstack-keystone		16:02
*** rushiagr is now known as rushiagr_away		16:04
*** jistr has quit IRC		16:10
amakarov	ayoung, can you please look at https://blueprints.launchpad.net/keystone/+spec/unified-delegation - haven't I miss something?	16:14
ayoung	amakarov, put in a line stating that it will hand the cases where the chain is broken or changed	16:15
*** hemna_ is now known as hemna		16:17
ayoung	amakarov, I want to make sure that the conceptual model this is based on is something that people can understand. One major stumbling block to understanding is not having a common model.	16:17
*** csoukup has quit IRC		16:18
amakarov	ayoung, updated	16:19
*** esp has left #openstack-keystone		16:23
*** mabrams has left #openstack-keystone		16:23
*** esp has joined #openstack-keystone		16:23
*** esp has left #openstack-keystone		16:24
*** esp has joined #openstack-keystone		16:24
*** csoukup has joined #openstack-keystone		16:24
*** lastops has joined #openstack-keystone		16:25
*** lhcheng has joined #openstack-keystone		16:35
*** ChanServ sets mode: +v lhcheng		16:35
samueldmq	ayoung, naked ping 123	16:35
samueldmq	ayoung, need to talk about writing policy files to directories	16:35
ayoung	Ha!	16:35
samueldmq	ayoung, from oslo policy config, we have 'policy_dirs'	16:35
samueldmq	ayoung, which means we will be writting the fetched policy in each one of the dirs listed there	16:36
ayoung	samueldmq, yes we do...and what do we do if we have multiples, you are wondering?	16:36
samueldmq	ayoung, am I right ?	16:36
ayoung	Its a mess alright	16:36
samueldmq	ayoung, yeah :-)	16:36
ayoung	samueldmq, don't you wish we had git for this?	16:36
samueldmq	ayoung, for what ? the code ?	16:37
samueldmq	ayoung, I am filling my code skeleton from last week (review #188561) with real code :-)	16:37
*** tqtran_ has joined #openstack-keystone		16:38
*** varya has quit IRC		16:40
ayoung	samueldmq, nah, for the policy management itself	16:41
ayoung	samueldmq, we want to let the projects havea base policy that we then override when it gets downloaded	16:41
samueldmq	ayoung, the new service ?	16:41
ayoung	not alawys, but some peopel are going to want that	16:41
samueldmq	ayoung, wait, I need a little bit of context :-)	16:42
ayoung	samueldmq, lets say you install an new version of nova, and they've added a new API, but that is not covered by what is in the policy uploaded to Keystone	16:42
ayoung	samueldmq, what should happen then?	16:42
samueldmq	ayoung, it needs a way to be uploaded there ... shouldn't use a kind of '/policy' from the service ?	16:43
ayoung	samueldmq, yeah...that, too	16:43
samueldmq	ayoung, you now liking the idea of having the /policy in services ?	16:43
ayoung	samueldmq, it needs to be deliberate	16:43
ayoung	samueldmq, no	16:44
samueldmq	ayoung, to provide the defautls ?	16:44
samueldmq	ayoung, k	16:44
*** belmoreira has joined #openstack-keystone		16:44
ayoung	I just meant "yeah, that discussion"	16:44
*** rushiagr_away is now known as rushiagr		16:44
samueldmq	ayoung, ok .. so the challenge is .. the service is the primary source of truth	16:44
samueldmq	ayoung, new APIs, API changes etc .. and that need to be synchronized with the policy server somehow	16:45
samueldmq	ayoung, (being /poicy or not is another discussion)	16:45
openstackgerrit	David Stanek proposed openstack/keystonemiddleware: Send the correct user-agent to Keystone https://review.openstack.org/180769	16:45
samueldmq	ayoung, so far so good ?	16:45
ayoung	samueldmq, this is an internal decision. I mean, /policy would make more sense as something that is returned from an unauthenitcated call on a specific API. But...From a Horizon standpoint, they need to know ... what it is across the board	16:45
ayoung	samueldmq, OK, thought experiement time....	16:45
ayoung	Gedankgedank....	16:45
samueldmq	ayoung, now let me know how do you plan to solve that problem	16:46
ayoung	lets say we have /policy from a service...and so when a user makes a call GET https://nova/v3.14/computer \then what	16:46
ayoung	it could make a http call to itslef...	16:46
samueldmq	ayoung, and how the git repo you said a few lines above fits in it :)	16:46
openstackgerrit	David Stanek proposed openstack/keystonemiddleware: Fixes a spelling error in a test name https://review.openstack.org/189365	16:46
ayoung	or it could read the same info out of the file system	16:46
ayoung	so../policy does not buy us anything at enforcement time...	16:47
ayoung	it does make the endpoint itself query-able	16:47
samueldmq	ayoung, yes, and that's all we need	16:47
ayoung	and so Horizon could use it to say "what can the user do against this Horizon server"	16:47
ayoung	er	16:47
samueldmq	ayoung, wait ..	16:47
ayoung	I mean and so Horizon could use it to say "what can the user do against this Nova server"	16:47
ayoung	but...that is expensive	16:47
samueldmq	ayoung, we load the defaults from the individual services	16:47
samueldmq	ayoung, at init time	16:47
ayoung	why go to each serivce in turn instead of a central repo?	16:48
samueldmq	ayoung, after that, /policy is no longer used .. and everything is as we designed	16:48
samueldmq	ayoung, ok .. I think I know why ..	16:48
ayoung	samueldmq, if it is push, why put in tin /policy? That only makes sense for pull	16:48
samueldmq	ayoung, some deployments may be running with some services on master and other services on grizzly	16:48
ayoung	so...if I restart a service...I send a notification to Keystone to reread the policy file?	16:48
ayoung	What if...however, that endpoint defines policy in a broken way?	16:49
samueldmq	ayoung, they should be allowed to do that .. we shouldn't be creating a must relationship between services	16:49
ayoung	Uploading a policy file to Keystone affects multile endpoint	16:49
ayoung	multiple	16:49
samueldmq	ayoung, how do we upgrade between versions ? do I need to touch keystone when upgrading nova ?	16:50
samueldmq	ayoung, (I am really asking, have no idea)	16:50
openstackgerrit	Priti Desai proposed openstack/keystone: Fix for listing role assignments by project admin https://review.openstack.org/189366	16:50
ayoung	samueldmq, I think you should upload policy to Keystone first, and we have arule that the contract for a given policy enforcement can't change.	16:51
samueldmq	ayoung, but how do we upload the policy ? manually ?	16:51
ayoung	samueldmq, how do we register endpoints with Keystone? Its out of band	16:52
samueldmq	ayoung, ok ..	16:52
samueldmq	ayoung, suppose we implemented the /policy in each service ..	16:53
*** roxanaghe has joined #openstack-keystone		16:53
samueldmq	ayoung, some services could simply read from the file and post the output	16:53
samueldmq	ayoung, others like nova could implement into their code with they want	16:53
samueldmq	ayoung, although I am not sure we want that ... I think we want consistency though the services	16:53
samueldmq	ayoung, let me think about your proposal	16:55
samueldmq	ayoung, i) the admin register and endpoint ii) admin register its policy on keystone iii) admin modifies policy on keystone iv) admin may upload a new policy, overwriting everything or just in "update mode" (in the case of upgrades)	16:57
samueldmq	ayoung, I think that is what you are saying ... and looks like something that makes sense ...	16:57
*** markvoelker has joined #openstack-keystone		16:57
*** david8hu has joined #openstack-keystone		16:57
*** fhubik has quit IRC		16:58
*** amaretskiy has quit IRC		16:59
*** markvoelker has quit IRC		17:02
*** e0ne has quit IRC		17:06
*** yottatsa has joined #openstack-keystone		17:06
*** dims has joined #openstack-keystone		17:07
ayoung	samueldmq, not in code directly. lets table that for a moment	17:09
ayoung	samueldmq, I think it is something like this	17:09
ayoung	Policy is a hash table	17:09
ayoung	local policy gets set first	17:10
*** dims_ has quit IRC		17:10
ayoung	any policy from the central server replaces local rules	17:10
ayoung	so, if a local rule covers a case not yet in the central server, it will be exposed	17:10
ayoung	this is how the Nova team sees it, but I think it is wrong	17:10
*** bradjones has quit IRC		17:10
ayoung	I think instead it should be:	17:10
samueldmq	ayoung, oh .. and if ksmiddleware detects that	17:11
ayoung	once any policy comes from the central server, all policy comes from there	17:11
samueldmq	ayoung, it could update the policy server	17:11
ayoung	if a rule does not exist, deny	17:11
*** bradjones has joined #openstack-keystone		17:11
*** bradjones has quit IRC		17:11
*** bradjones has joined #openstack-keystone		17:11
ayoung	so for any microversions, it is on the sys admin to make sure the new policy rules get uploaded to the policy server	17:11
ayoung	samueldmq, http://adam.younglogic.com/2015/06/dyn-policy-microversions/ you camn read that while I go have some lunch	17:12
samueldmq	ayoung, with microversions we should be expecting to have different policies for microverisons	17:12
samueldmq	ayoung, since the url changes	17:12
samueldmq	ayoung, already started .. will continue reading	17:12
samueldmq	ayoung, bon apetit	17:12
*** noye has quit IRC		17:22
*** david8hu has quit IRC		17:23
*** lufix has joined #openstack-keystone		17:29
*** david8hu has joined #openstack-keystone		17:31
*** dguerri is now known as dguerri`		17:31
*** lsmola has quit IRC		17:32
*** rushiagr is now known as rushiagr_away		17:33
*** g2` has quit IRC		17:38
openstackgerrit	Rodrigo Duarte proposed openstack/keystoneauth: Add Keystone2KeystoneAuthPlugin for K2K federation https://review.openstack.org/188581	17:41
openstackgerrit	Rodrigo Duarte proposed openstack/keystoneauth: Keystone2KeystoneAuthPlugin scoping capabilities https://review.openstack.org/188881	17:41
openstackgerrit	Rodrigo Duarte proposed openstack/keystoneauth: Encapsulate Service Providers in AccessInfo https://review.openstack.org/188426	17:41
*** spandhe has joined #openstack-keystone		17:43
*** yottatsa has quit IRC		17:43
*** gyee_ has quit IRC		17:57
*** dontalton has joined #openstack-keystone		18:00
*** samleon has joined #openstack-keystone		18:03
*** pnavarro_ has quit IRC		18:06
*** noye has joined #openstack-keystone		18:08
*** e0ne has joined #openstack-keystone		18:08
*** openstackgerrit has quit IRC		18:09
*** openstackgerrit has joined #openstack-keystone		18:09
ayoung	henrynash, you still have posting powers for opensax.com?	18:16
henrynash	ayoung: err. probably!	18:16
ayoung	henrynash, http://abc7chicago.com/travel/video-couple-gets-married-aboard-jetblue-flight/768139/	18:17
ayoung	skip ahead to 2:47	18:17
ayoung	I made the evening news, and not in a "wanted" sort of way.	18:18
*** rushiagr_away is now known as rushiagr		18:18
henrynash	ayoung: that;s is hysterical!	18:19
henrynash	I’ll see what I can do!	18:19
*** browne has joined #openstack-keystone		18:19
ayoung	I am also available for Bar Mitzvas	18:20
*** krotscheck is now known as krotscheck_confe		18:21
*** krotscheck_confe is now known as krotsch_at_con		18:21
*** e0ne is now known as e0ne_		18:25
lbragstad	henrynash: let me know if you don't have access, I'll make sure you get an admin account!	18:26
lbragstad	henrynash: but you should have posting rights	18:26
*** lufix_ has joined #openstack-keystone		18:27
*** e0ne_ has quit IRC		18:30
*** g2` has joined #openstack-keystone		18:34
*** rushiagr is now known as rushiagr_away		18:40
*** e0ne has joined #openstack-keystone		18:46
*** krotsch_at_con is now known as krotsck_at_con		18:46
*** markvoelker has joined #openstack-keystone		18:46
*** jsavak has quit IRC		18:48
*** markvoelker has quit IRC		18:52
samueldmq	ayoung, you back ?	18:52
ayoung	samueldmq, sort of	18:53
ayoung	samueldmq, bout to head into a meeting	18:53
*** g2` has quit IRC		18:54
samueldmq	ayoung, ok, we can discuss later	18:55
samueldmq	ayoung, I think the simple solution where we let the admin in charge of uploading/updating the policy on keystone	18:55
samueldmq	ayoung, may be the better for now, since we can deliver everything in Liberty	18:56
*** g2` has joined #openstack-keystone		18:56
*** ayoung has quit IRC		18:58
*** Rockyg has joined #openstack-keystone		18:58
*** csoukup has quit IRC		19:00
*** BAKfr_ has joined #openstack-keystone		19:15
*** esp has quit IRC		19:15
*** BAKfr has quit IRC		19:15
*** BAKfr_ is now known as BAKfr		19:15
*** esp has joined #openstack-keystone		19:15
*** amakarov is now known as amakarov_away		19:18
*** dguerri` is now known as dguerri		19:21
*** pnavarro_ has joined #openstack-keystone		19:30
*** lufix has quit IRC		19:32
anteaya	so somehow the keystone etherpad link for the midcycle got replaced with a neutron etherpad: https://wiki.openstack.org/wiki/Sprints	19:41
morganfainberg	henrynash: ping if not I'll hit you up tomorrow.	19:41
morganfainberg	anteaya: someone messed up teh editing I am guessing.	19:42
anteaya	I guess the same	19:42
anteaya	I could have charged in and fixed it myself or tell you	19:42
anteaya	I choose the later	19:42
morganfainberg	I don't think there are any things in thenetherpad yet.	19:42
anteaya	I still want your etherpad	19:43
morganfainberg	I'll look into it tomorrow post sleep (it's getting late here)	19:43
morganfainberg	And at dinner	19:43
*** csoukup has joined #openstack-keystone		19:43
anteaya	give me the blank keystone etherpad	19:43
anteaya	enjoy dinner	19:43
morganfainberg	anteaya: hehe.	19:43
morganfainberg	anteaya: thnx!	19:44
*** samueldmq has quit IRC		19:46
anteaya	:)	19:51
*** ayoung has joined #openstack-keystone		20:00
*** ChanServ sets mode: +v ayoung		20:00
*** afazekas has joined #openstack-keystone		20:13
ayoung	https://trello.com/b/SXrl6UQ5/midcycle-planning If you are coming to the midcycle, please add your name to the checklist under Travel	20:22
*** radez is now known as radez_g0n3		20:23
dstanek	ayoung: i don't think i can edit	20:25
bknudson	the only button I have there is an X	20:26
openstackgerrit	Roxana Gherle proposed openstack/keystonemiddleware: Send the correct user-agent to Keystone https://review.openstack.org/180769	20:27
ayoung	dstanek, try again	20:28
*** Rockyg has quit IRC		20:29
ayoung	bknudson I don't think you are on trello, are you?	20:29
bknudson	ayoung: I haven't signed up for an account on trello	20:29
bknudson	I only recently got on twitter	20:29
ayoung	bknudson, I added you	20:30
ayoung	so long as I have a general list...	20:30
bknudson	ayoung: thanks. I'm planning to attend.	20:30
*** markvoelker has joined #openstack-keystone		20:35
henrynash	morganfainberg: hi	20:35
dstanek	ayoung: thx	20:36
ayoung	henrynash, I have you down as coming to the midcycle. Is that correct?	20:37
henrynash	ayoung: for SURE!	20:37
ayoung	good	20:37
*** c_soukup has joined #openstack-keystone		20:37
*** markvoelker has quit IRC		20:40
henrynash	ayoung: I think we need to get down and dirty about policy…how far can/should we go in step one etc.	20:40
ayoung	henrynash, welcome to the conversation!	20:40
ayoung	henrynash, I've been in the muck up to my elbows on policy for a while...	20:41
*** csoukup has quit IRC		20:41
ayoung	henrynash, I what we want to see in policy it is parallel to what Nova is pushing for with APIs: how do we break the stagnation	20:41
henrynash	ayoung: I’ll bring deoderant and a David Beckham talcum powder xmas set	20:42
ayoung	henrynash, so...lets talk one detail I think you will like....	20:42
ayoung	https://review.openstack.org/#/c/186929/ is especially for you	20:42
ayoung	henrynash, setting "admin domain" is the driving factor	20:43
henrynash	ayoung: yep, I see where you are going with that one	20:43
ayoung	henrynash, that way, we can take your cloudsample as the starting point.	20:43
ayoung	henrynash, what I would like to do with the cloudsample, BTW, is make a norm about how each rule is organized:	20:43
ayoung	on the left (and we tell users not to mess with) is the "find the scope" problem	20:44
ayoung	on the right is the "assign this role"	20:44
ayoung	and the operators are expected to concern themselves primarily with "assign the role"	20:44
ayoung	I think you were kindof working towards this, if I can extrapolate a bit	20:45
ayoung	you had a bunch of rules that were designed to document where the scope came from for different APIs	20:45
ayoung	what I think we want to enforce is that those rules should be consumed separately from assign the roles...so for example	20:45
* ayoung pulling up cloudsmaple		20:45
*** __afazekas has joined #openstack-keystone		20:46
ayoung	http://git.openstack.org/cgit/openstack/keystone/tree/etc/policy.v3cloudsample.json#n25	20:46
ayoung	"identity:get_endpoint": "rule:admin_or_cloud_admin",	20:46
ayoung	I'd say that one should be something like:	20:46
ayoung	actually...let's leave Service catalog for a moment...	20:47
ayoung	"identity:get_project": "rule:cloud_admin or rule:admin_and_matching_target_project_domain_id",	20:47
ayoung	http://git.openstack.org/cgit/openstack/keystone/tree/etc/policy.v3cloudsample.json#n39	20:47
ayoung	so, who should be able to "get" a project?	20:47
*** Ephur has quit IRC		20:48
ayoung	henrynash, lets say that it would be anyone with a rule on the project? Or, in current terms, Member?	20:48
ayoung	with Member implying Admin and so forth	20:48
ayoung	rule:cloud_admin is, I think, and override, and maybe we want to even extract that out of the policy file altogether, if it means that the cloud_admin can do anything anywhere....	20:48
ayoung	that leaves	20:48
ayoung	rule:admin_and_matching_target_project_domain_id	20:49
ayoung	so I would start by rewriting this rule as	20:49
ayoung	rule:matching_target_project_domain_id and role:admin	20:49
ayoung	now, we can potentially expand the role: rule to handle inference	20:49
ayoung	but, lets put that off, and use what we have now:	20:50
ayoung	rule_role_member: role:admin or role:Member	20:50
ayoung	and then	20:50
*** _afazekas has quit IRC		20:50
ayoung	"identity:get_project": "rule:matching_target_project_domain_id and rule:role_member",	20:50
henrynash	(sorry was awfk for a sec….catching up)	20:51
openstackgerrit	Raildo Mascena de Sousa Filho proposed openstack/keystone: Honor domain operations in project table https://review.openstack.org/143763	20:51
ayoung	henrynash, or, if we wanted to keep the origianly meaning it would be	20:51
ayoung	rule_role_admin: role:admin	20:51
ayoung	"identity:get_project": "rule:matching_target_project_domain_id and rule:role_admin",	20:51
henrynash	so there, as ever, a number of things going on in what you suggest...	20:54
openstackgerrit	Rodrigo Duarte proposed openstack/keystoneauth: Add Keystone2KeystoneAuthPlugin for K2K federation https://review.openstack.org/188581	20:56
*** belmoreira has quit IRC		20:56
openstackgerrit	Rodrigo Duarte proposed openstack/keystoneauth: Keystone2KeystoneAuthPlugin scoping capabilities https://review.openstack.org/188881	20:56
openstackgerrit	Rodrigo Duarte proposed openstack/keystoneauth: Encapsulate Service Providers in AccessInfo https://review.openstack.org/188426	20:56
henrynash	1) Should there be an (external to policy rules) cloud admin override? Hmm, I thought people fought to get rid of deity access	20:56
henrynash	2) Does “member” imply “Admin” (etc.)….only if you agree with hierachical roles	20:56
ayoung	henrynash, deity access is bad, but I think it is around for a while	20:57
ayoung	lets try to isolate	20:57
ayoung	that from the other issues, I think that people need deity access to un_F*** broken systems. But, I am not certain it will actually work. If you have an admin-domain token, and you use it on some API call that looks to the scope of the token to figure out which resource to change...it ain't gonna work	20:59
rodrigods	dolphm, see you are reviewing some patches :) fixed a nit in https://review.openstack.org/#/c/188426/4	20:59
ayoung	henrynash, I don't think there really is an alternative to hierarchical roles...but, that is agreat starting point; if we namespace roles like we discussed, and we allow for role inference, do we have everything we need to solve your use cases?	21:00
*** raildo has quit IRC		21:00
henrynash	ayoung: so I actually do agree with the namespace roles proposal….I thikn that is the right approach…..as you know I think there might be an implementation timing issue in terms of whether they are pre or post token generation…..but in the end, post token generation is where we need to get to	21:02
henrynash	ayoung: I will try and re-cast my domain roles to be namespace roles as we discussed	21:04
ayoung	henrynash, so my understanding "domain" is the main namespace, but should not be the only one...right?	21:04
henrynash	ayoung: ++	21:04
ayoung	henrynash, so then the question is "what goes in the token"	21:05
ayoung	either it is all "inherited roles" or "the top one"	21:05
*** nkinder_ has joined #openstack-keystone		21:05
ayoung	namespace would have to be accommodted either way, I think	21:05
henrynash	ayoung: yep….one could expand out at token generation time, or carry the namespace in the toen along with the role	21:06
ayoung	so, maybe we say "admin" will become "openstack:admin" by default or something like that	21:06
*** pnavarro_ has quit IRC		21:06
ayoung	henrynash, I also have something else along these lines worth mentioning...	21:06
ayoung	allowing a user to explicitly request the roles that go into the token	21:06
ayoung	https://review.openstack.org/#/c/186979/	21:07
morganfainberg	henrynash: i see how painful it is to collaborate w/ the folks in our timezones now when here	21:07
morganfainberg	henrynash: though i think i'm +2 hrs from you.	21:07
henrynash	morganfainberg: quality of response is inversely proportional to time zone overlap :-)	21:07
morganfainberg	henrynash: hehe	21:08
morganfainberg	henrynash: though i'll say the food here in budapest has been fantastic	21:08
henrynash	morganfainberg: oh, budapest…nice….yes	21:08
morganfainberg	though tomorrow is off to berlin.	21:08
henrynash	morganfainberg: another day, another marriott (err, I mean city(	21:09
*** nkinder has quit IRC		21:09
*** nkinder_ has quit IRC		21:12
*** nkinder_ has joined #openstack-keystone		21:13
*** afazekas has quit IRC		21:13
openstackgerrit	OpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements https://review.openstack.org/189457	21:14
openstackgerrit	OpenStack Proposal Bot proposed openstack/keystonemiddleware: Updated from global requirements https://review.openstack.org/188477	21:14
*** ChanServ changes topic to "Liberty-1 June 23. This is Spec Proposal Freeze. Please Review and/or Propose Specs."		21:18
*** iurygregory has quit IRC		21:19
ayoung	henrynash, so...I think what I said above carries through regardless of how we expand the role inference: role:admin could be implemented either way	21:20
*** gyee_ has joined #openstack-keystone		21:22
*** nkinder_ has quit IRC		21:26
*** nkinder_ has joined #openstack-keystone		21:27
*** afazekas has joined #openstack-keystone		21:27
*** henrynash has quit IRC		21:33
*** EmilienM is now known as EmilienM\|afk		21:41
*** c_soukup has quit IRC		21:44
openstackgerrit	ayoung proposed openstack/keystone-specs: Tokens with subsets of roles or endpoints https://review.openstack.org/186979	21:54
*** lhcheng has quit IRC		21:56
openstackgerrit	David J Hu proposed openstack/keystone-specs: Unified namespaced is_admin policy https://review.openstack.org/189486	21:56
*** lhcheng has joined #openstack-keystone		21:57
*** ChanServ sets mode: +v lhcheng		21:57
*** nkinder__ has joined #openstack-keystone		21:58
*** lhcheng has quit IRC		21:58
*** lhcheng_ has joined #openstack-keystone		21:58
openstackgerrit	ayoung proposed openstack/keystone-specs: Tokens with subsets of roles or endpoints https://review.openstack.org/186979	21:58
*** nkinder_ has quit IRC		22:02
*** nkinder__ has quit IRC		22:03
*** nkinder__ has joined #openstack-keystone		22:04
*** krotsck_at_con is now known as krotscheck		22:08
*** afazekas has quit IRC		22:17
*** markvoelker has joined #openstack-keystone		22:21
openstackgerrit	Merged openstack/keystonemiddleware: Stop using function deprecated in py34 https://review.openstack.org/188226	22:21
*** markvoelker has quit IRC		22:26
*** diegows has joined #openstack-keystone		22:27
*** liusheng has quit IRC		22:28
*** liusheng has joined #openstack-keystone		22:28
*** HT_sergio has quit IRC		22:32
*** ankita_wagh has joined #openstack-keystone		22:54
*** e0ne has quit IRC		23:05
*** darrenc is now known as darrenc_afk		23:07
*** zzzeek has quit IRC		23:11
openstackgerrit	Merged openstack/keystonemiddleware: Updated from global requirements https://review.openstack.org/188477	23:14
*** nkinder__ has quit IRC		23:18
*** EmilienM\|afk is now known as EmilienM		23:20
*** jaosorior has quit IRC		23:31
*** hemna is now known as hemnafk		23:32
*** darrenc_afk is now known as darrenc		23:35
*** chlong has joined #openstack-keystone		23:36
*** dontalton has quit IRC		23:45
*** lhcheng_ is now known as lhcheng		23:58
*** ChanServ sets mode: +v lhcheng		23:58

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!