Wednesday, 2015-06-10

*** josecastroleon has joined #openstack-keystone		00:00
*** bradjones has joined #openstack-keystone		00:00
*** bradjones has quit IRC		00:00
*** bradjones has joined #openstack-keystone		00:00
*** josecastroleon has quit IRC		00:03
*** dims has quit IRC		00:03
*** dims has joined #openstack-keystone		00:03
*** josecastroleon has joined #openstack-keystone		00:04
*** stevemar has quit IRC		00:05
*** josecastroleon has quit IRC		00:06
*** josecastroleon has joined #openstack-keystone		00:07
*** bknudson has joined #openstack-keystone		00:07
*** ChanServ sets mode: +v bknudson		00:07
*** josecastroleon has quit IRC		00:09
openstackgerrit	Merged openstack/keystoneauth: Encapsulate Service Providers in AccessInfo https://review.openstack.org/188426	00:09
*** jsavak has quit IRC		00:09
*** josecastroleon has joined #openstack-keystone		00:10
*** josecastroleon has quit IRC		00:12
*** josecastroleon has joined #openstack-keystone		00:13
*** josecastroleon has quit IRC		00:15
*** josecastroleon has joined #openstack-keystone		00:16
*** chlong-zzz has joined #openstack-keystone		00:17
*** josecastroleon has quit IRC		00:18
*** josecastroleon has joined #openstack-keystone		00:19
openstackgerrit	Brant Knudson proposed openstack/python-keystoneclient: Stop using tearDown https://review.openstack.org/189539	00:20
*** josecastroleon has quit IRC		00:21
*** markvoelker has joined #openstack-keystone		00:21
*** josecastroleon has joined #openstack-keystone		00:22
*** Rockyg has quit IRC		00:22
*** josecastroleon has quit IRC		00:24
*** josecastroleon has joined #openstack-keystone		00:25
*** markvoelker has quit IRC		00:26
*** josecastroleon has quit IRC		00:27
*** josecastroleon has joined #openstack-keystone		00:28
*** josecastroleon has quit IRC		00:30
*** josecastroleon has joined #openstack-keystone		00:31
*** josecastroleon has quit IRC		00:33
*** josecastroleon has joined #openstack-keystone		00:34
*** hichtakk has quit IRC		00:34
*** hichtakk has joined #openstack-keystone		00:35
*** josecastroleon has quit IRC		00:36
*** josecastroleon has joined #openstack-keystone		00:37
*** josecastroleon has quit IRC		00:39
*** josecastroleon has joined #openstack-keystone		00:40
*** josecastroleon has quit IRC		00:42
*** josecastroleon has joined #openstack-keystone		00:43
*** josecastroleon has quit IRC		00:45
*** ankita_wagh has quit IRC		00:46
*** josecastroleon has joined #openstack-keystone		00:46
*** josecastroleon has quit IRC		00:48
*** josecastroleon has joined #openstack-keystone		00:49
*** josecastroleon has quit IRC		00:51
*** josecastroleon has joined #openstack-keystone		00:52
*** josecastroleon has quit IRC		00:54
*** josecastroleon has joined #openstack-keystone		00:55
*** josecastroleon has quit IRC		00:57
*** samueldmq has joined #openstack-keystone		00:58
*** josecastroleon has joined #openstack-keystone		00:58
*** _cjones_ has quit IRC		00:59
*** josecastroleon has quit IRC		01:00
*** Guest5484 has quit IRC		01:01
*** josecastroleon has joined #openstack-keystone		01:01
*** josecastroleon has quit IRC		01:03
*** josecastroleon has joined #openstack-keystone		01:04
*** josecastroleon has quit IRC		01:06
*** josecastroleon has joined #openstack-keystone		01:07
*** josecastroleon has quit IRC		01:09
*** ncoghlan has joined #openstack-keystone		01:09
*** darrenc is now known as darrenc_afk		01:10
*** josecastroleon has joined #openstack-keystone		01:10
*** josecastroleon has quit IRC		01:12
*** josecastroleon has joined #openstack-keystone		01:13
*** josecastroleon has quit IRC		01:15
*** toddnni has quit IRC		01:16
*** josecastroleon has joined #openstack-keystone		01:16
*** radez is now known as radez_g0n3		01:17
*** toddnni has joined #openstack-keystone		01:18
*** tobe has joined #openstack-keystone		01:18
*** josecastroleon has quit IRC		01:18
samueldmq	I thought an URL uniquely identified an endpoint ..	01:19
*** josecastroleon has joined #openstack-keystone		01:19
*** radez_g0n3 is now known as radez		01:20
samueldmq	but actually an URL can match multiple endpoints	01:21
*** josecastroleon has quit IRC		01:21
*** fangzhou_ has joined #openstack-keystone		01:21
samueldmq	in devstack, for example, there are 3 endpoints for glance, defining public, internal and admin interfaces	01:21
*** davechen_afk is now known as davechen		01:21
*** josecastroleon has joined #openstack-keystone		01:22
*** fangzhou has quit IRC		01:22
*** fangzhou_ is now known as fangzhou		01:22
*** markvoelker has joined #openstack-keystone		01:22
*** dims has quit IRC		01:23
davechen	samueldmq: Is there anything wrong if one URL can match multiple ep?	01:24
*** josecastroleon has quit IRC		01:24
samueldmq	I am thinking in the dynamic policies case	01:24
samueldmq	davechen, let's say nova is running at http://controller:8774	01:25
davechen	ye	01:25
samueldmq	so that ksmiddleware will download the policy associated to that URL (endpoint)	01:25
samueldmq	but actually it can match multiple endpoints, and as consequence, multiple policids	01:25
*** josecastroleon has joined #openstack-keystone		01:25
samueldmq	policies*	01:25
samueldmq	I wonder what to do in that case, we need to be clear about that	01:25
*** toddnni has quit IRC		01:26
davechen	there ep are associated with each other.	01:26
samueldmq	I think we though an URL uniquely identified an endpoint .. in a talk with morganfainberg and ayoung	01:26
davechen	s/there/these	01:26
samueldmq	davechen, I am not convinced that we could have different policies for diferent interfaces of the same endpoint	01:27
samueldmq	but the fact is that we allow this today	01:27
*** josecastroleon has quit IRC		01:27
*** markvoelker has quit IRC		01:27
*** josecastroleon has joined #openstack-keystone		01:28
davechen	+1, so the logic will be easier if we define the same policies for the different interfaces. :)	01:28
*** josecastroleon has quit IRC		01:30
lifeless	jamielennox: hi so	01:31
*** josecastroleon has joined #openstack-keystone		01:31
lifeless	jamielennox: pyconau, we're thinking to take two keystone talks; neither quite what folk proposed :).	01:31
lifeless	jamielennox: 1) deep dive into federation. 2) keystone project update and future plans.	01:32
davechen	samueldmq: You are already starting to coding for dynamic policy overview?	01:32
lifeless	jamielennox: what do you think of that idea?	01:32
davechen	samueldmq: Do you have any patches up for that?	01:32
samueldmq	davechen, yes , and in that case it would be a policy for service	01:33
samueldmq	davechen, and we already allow that	01:33
samueldmq	davechen, no it wouldn't	01:33
samueldmq	davechen, because we can have multiple endpoints per service	01:33
*** darrenc_afk is now known as darrenc		01:33
*** josecastroleon has quit IRC		01:33
davechen	what's morgan's or ayoung's concerns if we do like this?	01:34
samueldmq	davechen, I don't think they were concerned about that ..	01:34
samueldmq	davechen, we had decided as I explained	01:34
samueldmq	davechen, howeer I caught this detail when implementing it :)	01:35
davechen	samueldmq: That's great.	01:35
*** josecastroleon has joined #openstack-keystone		01:35
samueldmq	davechen, I think we will have something demonstrable by the end of this week	01:35
samueldmq	davechen, where we upload a policy for glance to keystone, update it on keystone and have enforcement affected in glance side	01:36
samueldmq	davechen, i.e, ksmiddleware fetching and caching the policy for the endpoint :)	01:36
davechen	samueldmq: where is your demo? it's fast!!	01:36
*** josecastroleon has quit IRC		01:36
*** hichtakk has quit IRC		01:37
samueldmq	davechen, well ... I am working locally for now	01:37
samueldmq	davechen, https://review.openstack.org/#/c/188561/	01:37
*** josecastroleon has joined #openstack-keystone		01:37
samueldmq	davechen, this is from last week ... where I set up a code 'skeleton'	01:38
davechen	samueldmq: seems like the overall implementation is already done, cool.	01:38
samueldmq	davechen, based on that , I am adding the code to implement the fature	01:38
samueldmq	davechen, yes I think we are close to have something very nice up and running :)	01:38
davechen	samueldmq: going to check the details from the patch. :)	01:39
samueldmq	davechen, however the details on how to improve the policy definition + its management is the tricky part	01:39
*** josecastroleon has quit IRC		01:39
samueldmq	davechen, k, that's just a very very initial cahnge .... I will be sending something more complete tomorrow	01:40
davechen	samueldmq: you already did great!	01:40
samueldmq	davechen, haha thanks :) but we still have a ton of work to do	01:41
*** josecastroleon has joined #openstack-keystone		01:41
samueldmq	davechen, spec freeze coming ... lots of things to be defined	01:41
samueldmq	davechen, I want to have this working this week , also I need to check and update specs , etc	01:41
davechen	samueldmq: I am a little lazy recently, just review couple of ayoung's spec.	01:41
samueldmq	davechen, L1 is spec freeze	01:41
samueldmq	davechen, lazy ? maybe you have other priorities from your employee	01:42
samueldmq	davechen, that's understandable	01:42
davechen	samueldmq: you understanding me, buddy :)	01:42
samueldmq	employer*	01:42
*** josecastroleon has quit IRC		01:42
samueldmq	davechen, yeah; I think that happens to everyone	01:43
samueldmq	davechen, I am having more time on this since my employer is paying me to work on that	01:43
*** josecastroleon has joined #openstack-keystone		01:44
davechen	samueldmq: you are lucky. we need convince and manage our boss. :)	01:44
*** radez is now known as radez_g0n3		01:44
samueldmq	davechen, you have to sell the subject, so they get convinced that's interesting enouhg to put you on that box	01:45
davechen	samueldmq: Are you still in the University?	01:45
samueldmq	davechen, I work at a laboratory in the university	01:45
*** toddnni has joined #openstack-keystone		01:45
*** josecastroleon has quit IRC		01:45
samueldmq	davechen, though I graduated last year	01:46
*** tqtran_ has quit IRC		01:46
samueldmq	davechen, in September .. since then I am working a bit more on keystone :)	01:46
*** bknudson has quit IRC		01:46
davechen	samueldmq: so you can mentor some guys in your labs.	01:46
*** josecastroleon has joined #openstack-keystone		01:47
samueldmq	davechen, yes, at least I try to share knowledge with others	01:47
davechen	samueldmq: You may need change your affiliations since I notice you are independent from stackalytics.	01:48
*** topol has joined #openstack-keystone		01:48
*** lhcheng has joined #openstack-keystone		01:48
*** ChanServ sets mode: +v lhcheng		01:48
*** ChanServ sets mode: +v topol		01:48
*** josecastroleon has quit IRC		01:49
*** spandhe has quit IRC		01:49
samueldmq	davechen, yeah .. although stackalytics sums up my reviews/commits to the university	01:49
samueldmq	davechen, they're identified by my email .. @lsd.ufcg.edu.br	01:50
*** josecastroleon has joined #openstack-keystone		01:50
davechen	samueldmq: that's fine.	01:50
*** josecastroleon has quit IRC		01:52
*** josecastroleon has joined #openstack-keystone		01:53
*** josecastroleon has quit IRC		01:55
*** fangzhou has quit IRC		01:55
*** josecastroleon has joined #openstack-keystone		01:56
*** fangzhou has joined #openstack-keystone		01:56
*** josecastroleon has quit IRC		01:58
*** josecastroleon has joined #openstack-keystone		01:59
*** josecastroleon has quit IRC		02:01
*** josecastroleon has joined #openstack-keystone		02:02
*** jsavak has joined #openstack-keystone		02:02
*** josecastroleon has quit IRC		02:04
*** josecastroleon has joined #openstack-keystone		02:05
*** dan_ has joined #openstack-keystone		02:05
*** dan_ is now known as Guest19563		02:05
*** josecastroleon has quit IRC		02:07
*** josecastroleon has joined #openstack-keystone		02:08
jamielennox	lifeless: here now	02:08
jamielennox	lifeless: ok, i am happy enough to do either of those, though you should probably give morganfainberg first pick	02:09
*** josecastroleon has quit IRC		02:10
*** ajayaa has joined #openstack-keystone		02:10
*** josecastroleon has joined #openstack-keystone		02:11
*** jsavak has quit IRC		02:12
*** boris-42 has quit IRC		02:12
*** dims has joined #openstack-keystone		02:12
*** josecastroleon has quit IRC		02:13
*** evrardjp has quit IRC		02:13
*** josecastroleon has joined #openstack-keystone		02:14
*** fangzhou has quit IRC		02:15
*** evrardjp has joined #openstack-keystone		02:16
lifeless	jamielennox: sure	02:17
jamielennox	lifeless: did you get many submissions this time around?	02:17
lifeless	morganfainberg: when you get online; ping ^ :)	02:17
lifeless	jamielennox: it was close :)	02:17
*** josecastroleon has quit IRC		02:17
jamielennox	close? close to getting one keysotne talk or not filling the spots ?	02:17
jamielennox	only one	02:18
lifeless	we started the planning thinking we might be 3.5 hours short of content\	02:18
jamielennox	ooo, ouch	02:18
*** josecastroleon has joined #openstack-keystone		02:18
*** lhcheng has quit IRC		02:20
*** josecastroleon has quit IRC		02:20
*** josecastroleon has joined #openstack-keystone		02:21
*** josecastroleon has quit IRC		02:23
*** dims has quit IRC		02:23
*** josecastroleon has joined #openstack-keystone		02:24
*** spandhe has joined #openstack-keystone		02:25
*** josecastroleon has quit IRC		02:26
*** josecastroleon has joined #openstack-keystone		02:27
*** spandhe_ has joined #openstack-keystone		02:28
*** spandhe has quit IRC		02:29
*** spandhe_ is now known as spandhe		02:29
*** josecastroleon has quit IRC		02:29
*** josecastroleon has joined #openstack-keystone		02:30
*** josecastroleon has quit IRC		02:32
*** josecastroleon has joined #openstack-keystone		02:33
*** josecastroleon has quit IRC		02:35
*** hichtakk has joined #openstack-keystone		02:36
*** josecastroleon has joined #openstack-keystone		02:36
*** josecastroleon has quit IRC		02:38
lbragstad	mfisch: don't we omit token ids from logging?	02:38
*** josecastroleon has joined #openstack-keystone		02:39
*** josecastroleon has quit IRC		02:41
*** gyee is now known as operator99		02:42
*** josecastroleon has joined #openstack-keystone		02:43
mfisch	lbragstad: I dont think you did before, if not I wonder what that ID is that you have there	02:44
*** josecastroleon has quit IRC		02:44
lbragstad	mfisch: the id of a fernet token is the fernet token I believe	02:45
*** josecastroleon has joined #openstack-keystone		02:46
*** varya has joined #openstack-keystone		02:46
*** josecastroleon has quit IRC		02:47
*** josecastroleon has joined #openstack-keystone		02:49
*** josecastroleon has quit IRC		02:50
*** bradjones has quit IRC		02:52
*** josecastroleon has joined #openstack-keystone		02:52
*** bradjones has joined #openstack-keystone		02:53
*** bradjones has quit IRC		02:53
*** bradjones has joined #openstack-keystone		02:53
lbragstad	mfisch: are you extracting the token from the logs for something?	02:53
*** josecastroleon has quit IRC		02:53
*** josecastroleon has joined #openstack-keystone		02:55
*** varya_ has joined #openstack-keystone		02:55
*** varya has quit IRC		02:56
*** josecastroleon has quit IRC		02:56
*** josecastroleon has joined #openstack-keystone		02:58
*** josecastroleon has quit IRC		02:59
*** josecastroleon has joined #openstack-keystone		03:01
*** kiran-r has joined #openstack-keystone		03:02
*** josecastroleon has quit IRC		03:03
*** kiran-r has quit IRC		03:04
*** josecastroleon has joined #openstack-keystone		03:04
*** kiran-r has joined #openstack-keystone		03:04
*** rushiagr_away is now known as rushiagr		03:05
*** josecastroleon has quit IRC		03:06
*** ajayaa has quit IRC		03:07
*** josecastroleon has joined #openstack-keystone		03:07
morganfainberg	lifeless: hmm?	03:08
morganfainberg	lifeless: either or	03:09
*** josecastroleon has quit IRC		03:09
*** hichtakk has quit IRC		03:10
*** josecastroleon has joined #openstack-keystone		03:10
*** markvoelker has joined #openstack-keystone		03:11
*** josecastroleon has quit IRC		03:12
*** josecastroleon has joined #openstack-keystone		03:13
*** josecastroleon has quit IRC		03:15
*** markvoelker has quit IRC		03:16
*** josecastroleon has joined #openstack-keystone		03:16
*** josecastroleon has quit IRC		03:18
morganfainberg	lbragstad: we should be hashing the token I'd to something anytime you see it in logs. Since tokens are considered privileged data	03:19
morganfainberg	mfisch: ^ cc	03:19
*** josecastroleon has joined #openstack-keystone		03:19
lifeless	morganfainberg: pick one; or we will :)	03:20
openstackgerrit	Jamie Lennox proposed openstack/keystonemiddleware: Create a simple base class from AuthProtocol https://review.openstack.org/180816	03:20
openstackgerrit	Jamie Lennox proposed openstack/keystonemiddleware: Refactor request methods onto request object https://review.openstack.org/180394	03:20
morganfainberg	lifeless: make jamielennox talk about federation ;)	03:21
lifeless	done	03:21
*** josecastroleon has quit IRC		03:21
morganfainberg	Since he does tons of client things.	03:21
openstackgerrit	Merged openstack/keystone: Revocation engine refactoring https://review.openstack.org/188131	03:21
jamielennox	crap, this is what happened for last pyconau	03:21
morganfainberg	jamielennox: seriously you want to talk future stuff instead? Happy to let you.	03:22
jamielennox	i do the user side of all this, and i go back and learn all the server side weirdness	03:22
jamielennox	no	03:22
jamielennox	this makes more sense	03:22
morganfainberg	Ok.	03:22
*** josecastroleon has joined #openstack-keystone		03:22
*** kiran-r has quit IRC		03:23
*** samueldmq has quit IRC		03:23
jamielennox	morganfainberg: i was talking with gyee earlier, i was going to make him do the policy/endpoint enforcement as seperate middleware. you don't want that/	03:24
*** josecastroleon has quit IRC		03:24
*** rushiagr is now known as rushiagr_away		03:25
*** josecastroleon has joined #openstack-keystone		03:25
*** josecastroleon has quit IRC		03:27
*** josecastroleon has joined #openstack-keystone		03:28
lbragstad	morganfainberg: yeah, that's what I was thinking... dolphm just shared that with me recently in a review...	03:30
lbragstad	morganfainberg: let me dig it up	03:30
lbragstad	morganfainberg: https://review.openstack.org/#/c/186396/2/keystone/token/providers/fernet/token_formatters.py	03:31
*** sigmavirus24 is now known as sigmavirus24_awa		03:32
lifeless	jamielennox: whats your email?	03:33
*** josecastroleon has quit IRC		03:33
jamielennox	lifeless: jamielennox@redhat.com or @gmail.com	03:33
*** josecastroleon has joined #openstack-keystone		03:34
*** richm has quit IRC		03:35
*** josecastroleon has quit IRC		03:36
*** josecastroleon has joined #openstack-keystone		03:37
*** josecastroleon has quit IRC		03:39
*** josecastroleon has joined #openstack-keystone		03:40
*** josecastroleon has quit IRC		03:42
openstackgerrit	Chenhong Liu proposed openstack/keystone: Add testcases for list_role_assignments of v3 domains https://review.openstack.org/187899	03:42
*** josecastroleon has joined #openstack-keystone		03:43
*** josecastroleon has quit IRC		03:45
*** josecastroleon has joined #openstack-keystone		03:46
*** josecastroleon has quit IRC		03:48
*** ankita_wagh has joined #openstack-keystone		03:49
*** josecastroleon has joined #openstack-keystone		03:49
*** josecastroleon has quit IRC		03:51
*** josecastroleon has joined #openstack-keystone		03:52
*** josecastroleon has quit IRC		03:54
*** josecastroleon has joined #openstack-keystone		03:55
*** josecastroleon has quit IRC		03:57
*** josecastroleon has joined #openstack-keystone		03:58
*** josecastroleon has quit IRC		04:00
*** josecastroleon has joined #openstack-keystone		04:01
*** josecastroleon has quit IRC		04:03
*** josecastroleon has joined #openstack-keystone		04:04
*** rushiagr_away is now known as rushiagr		04:05
*** rushiagr is now known as rushiagr_away		04:05
*** rushiagr_away is now known as rushiagr		04:06
*** josecastroleon has quit IRC		04:06
*** josecastroleon has joined #openstack-keystone		04:07
*** josecastroleon has quit IRC		04:09
*** josecastroleon has joined #openstack-keystone		04:10
morganfainberg	lbragstad: yeah. We should fix that.	04:11
morganfainberg	lifeless: I will do the updates probably tonight-ish	04:12
*** josecastroleon has quit IRC		04:12
*** spandhe has quit IRC		04:13
*** josecastroleon has joined #openstack-keystone		04:13
*** chlong-zzz is now known as chlong		04:32
lbragstad	morganfainberg: do you mean that you want a hash added to that log message?	04:32
morganfainberg	We should not log the token ID itself	04:33
morganfainberg	That is all	04:33
morganfainberg	If we are hashing it we should indicate we are.	04:33
morganfainberg	{SHA1} is what we prefix with elsewhere	04:33
lbragstad	morganfainberg: ok, makes sense	04:39
*** josecastroleon has quit IRC		04:43
*** josecastroleon has joined #openstack-keystone		04:44
*** josecastroleon has quit IRC		04:46
*** josecastroleon has joined #openstack-keystone		04:47
*** josecastroleon has quit IRC		04:49
*** josecastroleon has joined #openstack-keystone		04:51
*** josecastroleon has quit IRC		04:52
*** josecastroleon has joined #openstack-keystone		04:54
*** josecastroleon has quit IRC		04:55
*** rushiagr is now known as rushiagr_away		04:55
*** josecastroleon has joined #openstack-keystone		04:56
*** josecastroleon has quit IRC		04:58
*** ankita_wagh has quit IRC		04:59
*** josecastroleon has joined #openstack-keystone		05:00
*** markvoelker has joined #openstack-keystone		05:00
*** josecastroleon has quit IRC		05:03
*** josecastroleon has joined #openstack-keystone		05:04
*** markvoelker has quit IRC		05:04
*** josecastroleon has quit IRC		05:06
*** josecastroleon has joined #openstack-keystone		05:07
*** josecastroleon has quit IRC		05:09
*** josecastroleon has joined #openstack-keystone		05:10
*** ajayaa has joined #openstack-keystone		05:10
*** josecastroleon has quit IRC		05:12
*** josecastroleon has joined #openstack-keystone		05:13
*** josecastroleon has quit IRC		05:15
*** josecastroleon has joined #openstack-keystone		05:16
*** josecastroleon has quit IRC		05:18
*** josecastroleon has joined #openstack-keystone		05:19
*** merlin_ has quit IRC		05:19
*** josecastroleon has quit IRC		05:21
*** josecastroleon has joined #openstack-keystone		05:22
*** josecastroleon has quit IRC		05:24
*** josecastroleon has joined #openstack-keystone		05:25
*** rushiagr_away is now known as rushiagr		05:25
openstackgerrit	Merged openstack/keystone: Merge tag '2015.1.0' https://review.openstack.org/179288	05:26
openstackgerrit	Merged openstack/keystone: Merge tag '2014.2' https://review.openstack.org/128930	05:27
*** josecastroleon has quit IRC		05:27
*** kiran-r has joined #openstack-keystone		05:27
*** josecastroleon has joined #openstack-keystone		05:28
*** josecastroleon has quit IRC		05:30
*** josecastroleon has joined #openstack-keystone		05:31
*** kwills has joined #openstack-keystone		05:32
*** josecastroleon has quit IRC		05:33
*** josecastroleon has joined #openstack-keystone		05:34
*** josecastroleon has quit IRC		05:36
*** josecastroleon has joined #openstack-keystone		05:37
*** topol has quit IRC		05:37
*** kwills has quit IRC		05:38
*** kwills has joined #openstack-keystone		05:39
*** josecastroleon has quit IRC		05:39
*** josecastroleon has joined #openstack-keystone		05:40
*** josecastroleon has quit IRC		05:42
*** josecastroleon has joined #openstack-keystone		05:43
*** josecastroleon has quit IRC		05:45
*** josecastroleon has joined #openstack-keystone		05:46
*** josecastroleon has quit IRC		05:48
*** josecastroleon has joined #openstack-keystone		05:49
*** josecastroleon has quit IRC		05:51
*** josecastroleon has joined #openstack-keystone		05:52
*** merlin_ has joined #openstack-keystone		05:59
*** belmoreira has joined #openstack-keystone		06:01
*** kwills has quit IRC		06:01
openstackgerrit	OpenStack Proposal Bot proposed openstack/keystone: Imported Translations from Transifex https://review.openstack.org/186279	06:03
marekd	jamielennox: hello, sir!	06:10
openstackgerrit	Merged openstack/python-keystoneclient-saml2: Updated from global requirements https://review.openstack.org/188497	06:27
*** lsmola has joined #openstack-keystone		06:27
openstackgerrit	Merged openstack/python-keystoneclient-kerberos: Updated from global requirements https://review.openstack.org/188496	06:27
openstackgerrit	Marek Denis proposed openstack/keystoneauth: Fetch Service Providers urls from auth plugins https://review.openstack.org/189625	06:33
*** jaosorior has joined #openstack-keystone		06:39
*** henrynash has quit IRC		06:42
openstackgerrit	Marek Denis proposed openstack/keystoneauth: Properly handle Service Provider in token fixtures https://review.openstack.org/189803	06:48
*** markvoelker has joined #openstack-keystone		06:49
*** browne has quit IRC		06:50
*** markvoelker has quit IRC		06:53
*** rlt has joined #openstack-keystone		07:00
*** kiran-r has quit IRC		07:03
*** kiran-r has joined #openstack-keystone		07:04
*** kiran-r has quit IRC		07:04
*** kiranr has joined #openstack-keystone		07:04
*** lufix has joined #openstack-keystone		07:04
*** kiranr has quit IRC		07:04
*** kiranr has joined #openstack-keystone		07:05
*** kiranr is now known as kiran-r		07:05
openstackgerrit	Marek Denis proposed openstack/keystoneauth: Add Keystone2KeystoneAuthPlugin for K2K federation https://review.openstack.org/188581	07:14
*** pnavarro_ has joined #openstack-keystone		07:21
openstackgerrit	Merged openstack/keystone: Updated from global requirements https://review.openstack.org/189901	07:22
jamielennox	marekd: hey	07:31
jamielennox	marekd: i'm happy with https://review.openstack.org/#/c/189625 needs some tests though	07:32
*** jistr has joined #openstack-keystone		07:37
marekd	jamielennox: great, i will add tests.	07:40
marekd	for the https://review.openstack.org/#/c/188881/7/keystoneauth/auth/identity/v3/federation.py i explicitely want store remote-project-id and the rest of the remote-* as this is for remote clouds scoping information. the old paramters would still be needed for local plugin.	07:43
marekd	jamielennox: i'd like to make them orthogonal to each other - local plugin and remote.	07:43
jamielennox	marekd: so we're going to have to do something funky there regarding how we load the plugin from options	07:43
*** toddnni has quit IRC		07:44
marekd	jamielennox: why ?	07:44
jamielennox	however by inheriting BaseAuth those objects already have project_id and project_name etc options on them	07:44
marekd	i might be missing something, but i'd see it as:	07:44
evrardjp	good morning everyone	07:44
marekd	openstack --os-auth-plugin=password (for auth with local cloud) --os-project-id=uuid (local cloud) --os-remote-auth=k2k --os-service-provider=sp1 --os-remote-project-id=<remote project id> (remote cloud) remote token issue/remote server list	07:45
marekd	remote [command]	07:46
marekd	jamielennox: makes sense?	07:46
jamielennox	marekd: so --os-auth-plugin is the thing that describes the object that is going to be loaded, so that is going to have to be k2k	07:47
jamielennox	otherwise i'm not sure how you'd tell it to load --os-remote-auth	07:47
marekd	is it a matter of osc or ksa ?	07:48
jamielennox	ksa	07:48
jamielennox	we only have one entrypoint for auth loading	07:49
jamielennox	the only way to do what you're suggesting is to add remote loading functionality to all the local plugins	07:50
jamielennox	but i don't think that parts a big deal	07:50
jamielennox	it just means you specify --os-auth-plugin k2k --os-local-auth password	07:50
marekd	which will make me use remote cloud by default	07:50
marekd	and switching to my local one will mean options change.	07:51
marekd	i'd be easier to be able to have my local cloud as a primary,and switch between remotes by setting another SP_ID	07:51
*** chlong has quit IRC		07:51
jamielennox	ok, but if we specify auth-plugin=password then we need to tell the Password plugin object how to load the k2k remote right? and share that amongst every available plugin type	07:53
jamielennox	so Password.get_options would need to return remote-auth	07:53
jamielennox	or are you looking to change it so that we always provide the ability to load two plugins from like auth.load_from_cli_options?	07:54
marekd	where is the code that prevents me from loading two entry points?	07:54
jamielennox	so looking at https://github.com/openstack/keystoneauth/blob/master/keystoneauth/auth/cli.py#L21	07:55
jamielennox	to register a plugins arguments on the CLI we look up the name of the plugin in stevedore from --os-auth-plugin and then hand off to that plugin to do a .get_options() and register it https://github.com/openstack/keystoneauth/blob/master/keystoneauth/auth/base.py#L212	07:56
jamielennox	so i guess we could add --os-remote-auth to register_argparse_arguments but that means it would show up all the time regardless of the local plugin	07:57
jamielennox	or if k2k is even a possibility on the cloud	07:57
marekd	it would, just like os-auth-plugin shows.	07:59
marekd	shows up	07:59
marekd	well, to me it'd simply be merging k2k into standard workflow	08:00
*** toddnni has joined #openstack-keystone		08:00
jamielennox	right, you'd be making k2k a very fundamental part of auth	08:00
jamielennox	but i mean is there a value of --os-remote-auth besides k2k that we'd ever expect?	08:01
marekd	nothing except for bursting capabilities.	08:03
marekd	i really don't nothing special about that - that would become another auth option and if not used, it'd be working as it works today.	08:04
marekd	do you want me to start a ML thread?	08:04
marekd	so others can weight	08:04
jamielennox	yea it can't hurt	08:05
jamielennox	i definitely see where you are coming from	08:05
jamielennox	i had just always considered it slotting in as another plugin rather than a permanent change to auth	08:05
marekd	me too at the beginning, but later i concluded it may be easier to make it a way i am proposing. If we make k2k another auth plugin then we will need to work on hierarchical plugins, and something (I think) you proposed where K2K accepts local auth plugin as a parameter doesn't make much sense to me.	08:07
jamielennox	it will only affect that last review that is currently out of date, the plugin implementation will still be required as is	08:08
jamielennox	we will still need to figure out some way to have a single plugin object	08:09
marekd	so you are against handling two auth plugins at the same time - one for local and another for remote clouds ?	08:10
jamielennox	there are so many places that would cause problems	08:10
jamielennox	looking through session there are a bunch of places we take auth= as a parametr	08:11
marekd	ok, so i don't know how to make robust hierarchy of the plugins, especially in terms of options.	08:11
jamielennox	right, the options are the problem	08:11
marekd	jamielennox: another thing i will be trying to push will be handling many remote clouds at the same time. so for each remote cloud i'd like to be able to define set of scoping information (project, domain, trust, etc.), so i can later ideally say openstack remote server list --sp=sp1, openstack remote server list --sp-sp2	08:12
jamielennox	marekd: sure, that's an osc things and what os-client-config tries to solve	08:13
jamielennox	sorry, re-reading i think it's a CLI thing	08:13
marekd	it's a matter of options grouping.	08:14
marekd	in the end i am afraid we will need to add some fundamental changes in the way we handle auth....	08:15
jamielennox	ok, i don't think i'm following you - why? in your example you'd still be executing each command with one set of auth options	08:15
*** fhubik has joined #openstack-keystone		08:15
marekd	it's auth plugin that exposes options - project_id, domain_id etc etc	08:16
marekd	right?	08:16
jamielennox	yes	08:16
marekd	so projecT_id today is for my local cloud.	08:16
marekd	now i need a smart way to distinguish whether project_id is for remote_cloud_1 or remote_cloud_2	08:16
marekd	ok, let me rephrase it	08:17
marekd	you can setup your env and store all the information there so ksc/ksa will use them for scoping the token	08:17
marekd	OS_PROJECT_NAME etc	08:17
marekd	so in the cli you can use openstack server list	08:17
marekd	now we are talking about adding something like OS_REMOTE_PROJECT_ID so this is used for scoping token in remote cloud.	08:18
marekd	but that makes us limited to use k2k with only one remote cloud	08:18
*** lhcheng has joined #openstack-keystone		08:19
*** ChanServ sets mode: +v lhcheng		08:19
jamielennox	... erg, i have not figured out how to make this work with one remote cloud.... i haven't even considered multiple	08:19
marekd	i'd like to be able to setup all my remote clouds and later only type: openstack remote --sp=SP1 server list (one set of scpoping information wold be used) and right after that type: openstack --sp=sp2 remote server list	08:19
jamielennox	so i think that is an OCC problem	08:20
jamielennox	because that is a question of switching auth options	08:20
*** afazekas has joined #openstack-keystone		08:20
jamielennox	have you seen OCC?	08:20
marekd	yep, but it's auth plugin (BaseAuthPlugin) that exposes the options like project_id etc, right?	08:20
marekd	OCC?	08:20
marekd	nope	08:20
jamielennox	os-client-config	08:21
marekd	#link ?	08:21
jamielennox	ok, so that's mordred's thing about managing multiple auths in a yaml file rather than ENV and CLI	08:21
jamielennox	so you'll have everything in a file in home and you name your auth options so you can do openstack --cloud HP project list etc	08:21
marekd	alright, that's great	08:22
marekd	yet, even for one remote cloud we will need options like project_id and remote_project_id as we need scoping info for local cloud, for local token and scoping info for remote cloud.	08:22
marekd	that's why i proposed remote-* options in https://review.openstack.org/#/c/188881/7/keystoneauth/auth/identity/v3/federation.py	08:23
jamielennox	right, so i don't have an answer for how we chain through multiple	08:23
jamielennox	so an auth flow like local cloud -> remote cloud -> public cloud	08:23
marekd	what's the difference between remote and public cloud? from your perspective that can be equal	08:24
jamielennox	marekd: i mean the relationships	08:24
*** fhubik is now known as fhubik_afk		08:24
*** Nikkau has joined #openstack-keystone		08:24
jamielennox	so get local auth, k2k to remote cloud, k2k to public	08:24
jamielennox	so you'd need --remote-remote-project-id	08:25
marekd	yes	08:25
marekd	and that's why i proposed that	08:25
jamielennox	that is going to be a much larger problem	08:26
*** lsmola has quit IRC		08:27
jamielennox	and not something solved by passing around 2 plugins	08:27
marekd	even in a hierarchy ?	08:28
jamielennox	so a command can only be authed to one place, so a hierarchy of 2 is not that different to a hierarchy of 10	08:28
jamielennox	as in it will be a chain and not a tree	08:29
jamielennox	it's just a matter of loading them	08:29
jamielennox	it's something i've always punted on for other v3 plugins - like how to do mutliple auth methods in v3	08:29
*** lhcheng has quit IRC		08:29
marekd	:	08:31
marekd	:(	08:31
*** woodster_ has quit IRC		08:31
marekd	ok, so i don't know how to handle that all.....	08:31
jamielennox	it's also a good argument for what dtroyer has been saying about how the code for loading plugins should be seperate from the plugins themselves	08:32
jamielennox	because that way we could a 'compexk2k' plugin type that still loads the same k2k plugin internally but presents its options in a way that can be nested	08:32
* jamielennox hand waves what that would be		08:33
*** fhubik_afk is now known as fhubik		08:33
marekd	so it's OSC thing/	08:34
*** lsmola has joined #openstack-keystone		08:34
jamielennox	no, we were talking a library that would be somewhere in the middle	08:34
marekd	jamielennox: ok, so i think working on the exiting k2k patches in a current shape doesn't make much sense	08:34
jamielennox	because i don't want this to only be consumed by OSC, i want there to be a standard way to load plugins from CONF files and from other CLIs so it would need to be reusable	08:34
marekd	right	08:35
jamielennox	i've no idea how to write all this in a way that is compatible with current code :(	08:36
jamielennox	marekd: i would continue the reviews around the k2k plugin itself and put a raise NotImplemented in the cls.load_from_options() method	08:37
jamielennox	and get_options()	08:37
*** markvoelker has joined #openstack-keystone		08:37
jamielennox	because the structure of the plugin itself is correct and it will allow us to test k2k from python scripts	08:37
marekd	yeah, i am trying to figure next steps for making this happen - who to talk with etc.	08:37
jamielennox	we just don't have a way to load it from the cli or anything	08:38
jamielennox	i guess i'd ask the OSC guys what their ideal CLI interface would be and explain the nesting	08:38
jamielennox	then we can see if it's possible to match it	08:39
jamielennox	I will have another go at seperating the loading logic from the plugin itself	08:39
jamielennox	i haven't had a lot of enthusiasm for that because it's going to make compatibility a nightmare	08:40
*** bradjones has quit IRC		08:40
jamielennox	because then we can have a 'simplek2k' option which is just one cloud and continue to come up with ideas for what 'complexk2k' looks like	08:41
marekd	as far as i can tell we have problem with making simplek2k happen.	08:41
*** markvoelker has quit IRC		08:42
marekd	and i think with ksa we can not care about backward compatibility?	08:42
*** bradjones has joined #openstack-keystone		08:42
*** bradjones has quit IRC		08:42
*** bradjones has joined #openstack-keystone		08:42
jamielennox	we don't care from ksa, but we were looking to make ksc rely on ksa and move as much as possible over	08:42
jamielennox	and we can't break ksc	08:43
marekd	allright	08:43
jamielennox	it might be the only way to do that would be to leave the code in ksc for a while and look to deprecate it as fast as possible	08:44
marekd	ok, so for blanking load_from_options() and get_options() - i can still accept remote-* like parameters in the Keystone2KeystoneAuthPlugin.__init__() ?	08:44
jamielennox	i don't think you need to from __init__	08:45
jamielennox	you can just use the normal params	08:45
jamielennox	I mean seperate the use case of loading from CLI and what you'd use if you were writing a script	08:45
marekd	oh, so you want to get a local token (scoped), and in another step pass that token and scoping info would be for remote cloud.	08:45
*** dguerri` is now known as dguerri		08:45
jamielennox	if you do K2KAuth(local_plugin, project_id=XXX) that still makes sense without the remote-* prefix	08:46
jamielennox	oo, i gotta run	08:46
marekd	project_id is for remote or local cloud?	08:46
marekd	sure, thanks.	08:46
marekd	i will ping you more.	08:46
jamielennox	it would be for remote	08:46
marekd	so, a local token would already need to exist and be passes from external source...	08:47
jamielennox	it would be the standard scoping info for the plugin in the remote cloud	08:47
jamielennox	a local plugin	08:47
marekd	that would still make TWO OSC runs.	08:47
jamielennox	seperate the OSC case from what the python case looks like	08:48
jamielennox	we can make the OSC options different to the __init__ options	08:48
jamielennox	we can make load_from_options do whatever we like - it just so happens that most plugins up until now have been fairly simple and just need to pass everything to __init__	08:48
jamielennox	do you get what i mean by that?	08:49
marekd	more or less.	08:50
jamielennox	marekd: so if you were operating plugins directly from your own python script we could nest this as far as we like	08:54
jamielennox	a = Password(auth_url, ...)	08:54
jamielennox	b = K2K(a, service_provider='XX', project_id='YY')	08:54
jamielennox	c = K2K(b, service_provider='AA', project_id='BB')	08:55
jamielennox	d = K2K(c, service_provider='CC', project_id='DD')	08:55
jamielennox	etc	08:55
jamielennox	all of the stuff regarding options and loading is just a way of constructing those patterns that can be used from the CLI or a CONF file	08:56
jamielennox	the K2K plugin you've got up for review looks good in terms of this pattern, we just need to find a better way of doing the loading part	08:57
marekd	jamielennox: sure.	08:58
jamielennox	there's no requirement that the options are all named exactly the same between get_options() and __init__	08:58
jamielennox	and that's why not all params in __init__ are in get_options()	08:58
marekd	sure.	08:58
marekd	ok, i need to run too. cheers.	09:01
*** fhubik is now known as fhubik_afk		09:13
*** fhubik_afk is now known as fhubik		09:13
*** toddnni has quit IRC		09:13
*** dims has joined #openstack-keystone		09:27
*** dims has quit IRC		09:31
*** aix has joined #openstack-keystone		09:34
*** varya_ has quit IRC		09:40
*** varya_ has joined #openstack-keystone		09:42
openstackgerrit	Dave Chen proposed openstack/keystone-specs: query configuration via web API https://review.openstack.org/186926	09:48
*** rushiagr is now known as rushiagr_away		09:49
*** pnavarro_ has quit IRC		09:50
*** dims has joined #openstack-keystone		09:51
*** dims_ has joined #openstack-keystone		09:52
*** e0ne has joined #openstack-keystone		09:55
*** dims has quit IRC		09:56
*** ncoghlan has quit IRC		09:59
*** e0ne is now known as e0ne_		10:01
*** Kennan2 has joined #openstack-keystone		10:03
*** Kennan has quit IRC		10:04
*** fhubik is now known as fhubik_afk		10:05
*** e0ne_ has quit IRC		10:07
*** fhubik_afk is now known as fhubik		10:08
*** boris-42 has joined #openstack-keystone		10:09
*** toddnni has joined #openstack-keystone		10:14
*** fhubik is now known as fhubik_afk		10:17
*** lhcheng has joined #openstack-keystone		10:18
*** ChanServ sets mode: +v lhcheng		10:18
*** lhcheng has quit IRC		10:22
*** markvoelker has joined #openstack-keystone		10:23
*** markvoelker has quit IRC		10:27
*** e0ne has joined #openstack-keystone		10:35
*** varya_ has quit IRC		10:42
*** Kennan2 is now known as Kennan		10:42
*** samueldmq has joined #openstack-keystone		10:54
samueldmq	morning	10:54
*** spandhe has joined #openstack-keystone		11:01
*** spandhe_ has joined #openstack-keystone		11:02
*** fhubik_afk is now known as fhubik		11:04
*** spandhe has quit IRC		11:06
*** spandhe_ is now known as spandhe		11:06
*** amakarov_away has quit IRC		11:12
openstackgerrit	Davanum Srinivas (dims) proposed openstack/keystone: install_venv_common no longer in oslo-incubator https://review.openstack.org/189111	11:14
openstackgerrit	Davanum Srinivas (dims) proposed openstack/keystone: Switch keystone over to oslo_log versionutils https://review.openstack.org/189267	11:14
openstackgerrit	Davanum Srinivas (dims) proposed openstack/keystone: install_venv_common no longer in oslo-incubator https://review.openstack.org/189111	11:14
*** amakarov has joined #openstack-keystone		11:18
*** mabrams1 has joined #openstack-keystone		11:18
*** mabrams has quit IRC		11:20
*** markvoelker has joined #openstack-keystone		11:24
dstanek	samueldmq: morning	11:24
*** markvoelker has quit IRC		11:28
openstackgerrit	Alexander Makarov proposed openstack/keystone: Tuple constants in revocation engine https://review.openstack.org/189810	11:34
*** varya has joined #openstack-keystone		11:37
samueldmq	dstanek, hi	11:44
samueldmq	dstanek, we do need functional tests, see https://review.openstack.org/#/c/186874/	11:45
*** rdo has quit IRC		11:45
samueldmq	dstanek, :(	11:45
*** rdo has joined #openstack-keystone		11:47
*** tobe has quit IRC		11:47
*** markvoelker has joined #openstack-keystone		11:54
marekd	samueldmq: everybody needs them!	11:56
samueldmq	marekd, ++ :(	12:03
samueldmq	marekd, in that case, our internal test passes ... :(	12:03
*** fhubik is now known as fhubik_afk		12:04
*** rushiagr_away is now known as rushiagr		12:06
*** lhcheng has joined #openstack-keystone		12:07
*** ChanServ sets mode: +v lhcheng		12:07
*** varya has quit IRC		12:08
*** grantbow has joined #openstack-keystone		12:09
*** grantbow has joined #openstack-keystone		12:09
*** lhcheng has quit IRC		12:12
*** aix has quit IRC		12:14
*** raildo has joined #openstack-keystone		12:25
*** bradjones has quit IRC		12:26
*** bradjones has joined #openstack-keystone		12:27
*** bradjones has quit IRC		12:27
*** bradjones has joined #openstack-keystone		12:27
*** chlong has joined #openstack-keystone		12:29
*** fhubik_afk is now known as fhubik		12:30
*** lhcheng has joined #openstack-keystone		12:31
*** ChanServ sets mode: +v lhcheng		12:31
openstackgerrit	Davanum Srinivas (dims) proposed openstack/keystone: install_venv_common no longer in oslo-incubator https://review.openstack.org/189111	12:32
openstackgerrit	Davanum Srinivas (dims) proposed openstack/keystone: Switch keystone over to oslo_log versionutils https://review.openstack.org/189267	12:32
*** jsavak has joined #openstack-keystone		12:32
*** lhcheng has quit IRC		12:36
rodrigods	dolphm, ping	12:40
*** lufix2 has joined #openstack-keystone		12:44
*** iurygregory has joined #openstack-keystone		12:44
*** e0ne is now known as e0ne_		12:47
*** woodster_ has joined #openstack-keystone		12:48
*** e0ne_ is now known as e0ne		12:50
*** aix has joined #openstack-keystone		12:50
*** bknudson has joined #openstack-keystone		12:53
*** ChanServ sets mode: +v bknudson		12:53
*** sigmavirus24_awa is now known as sigmavirus24		12:58
*** richm has joined #openstack-keystone		13:11
*** HT_sergio has quit IRC		13:14
*** ajayaa has quit IRC		13:15
*** rushiagr is now known as rushiagr_away		13:20
lbragstad	for the mid-cycle, I assume most will be flying into Boston Logan since it's close to Boston University?	13:22
*** radez_g0n3 is now known as radez		13:32
morganfainberg	lbragstad: dunno	13:34
lbragstad	morganfainberg: ok, just curious. Google is telling me Boston Logan is 5.7 miles from BU	13:34
lbragstad	which doesn't seem too bad	13:34
morganfainberg	that is probably the place to fly into... unless you want to hit NYC up before heading up to Boston	13:37
morganfainberg	or something	13:37
dstanek	lbragstad: morganfainberg: not i have to pick a hotel - seems like the group may be spread out quite a bit	13:49
lbragstad	dstanek: I'm really leaning towards the BU dorms option	13:50
lbragstad	dstanek: but I need to sync with ayoung on that again	13:50
lbragstad	dstanek: the walking distance part would be awesome	13:50
lbragstad	dstanek: and I did something similar to that when I lived in Nashville (I stayed in the dorms at Vanderbilt) and it was a really cool way to experience the city/college	13:51
*** e0ne is now known as e0ne_		13:51
*** zzzeek has joined #openstack-keystone		13:51
*** fhubik is now known as fhubik_afk		13:57
*** radez is now known as radez_g0n3		13:57
*** lastops has joined #openstack-keystone		13:59
*** e0ne_ is now known as e0ne		13:59
*** topol has joined #openstack-keystone		14:03
*** ChanServ sets mode: +v topol		14:04
*** fhubik_afk is now known as fhubik		14:06
*** fangzhou has joined #openstack-keystone		14:06
*** kiran-r has quit IRC		14:08
*** lufix2 has quit IRC		14:11
*** dencaval has quit IRC		14:20
*** radez_g0n3 is now known as radez		14:21
openstackgerrit	Rodrigo Duarte proposed openstack/keystoneauth: Add Keystone2KeystoneAuthPlugin for K2K federation https://review.openstack.org/188581	14:25
*** timcline has joined #openstack-keystone		14:25
*** varya has joined #openstack-keystone		14:30
openstackgerrit	Rodrigo Duarte proposed openstack/keystoneauth: Add Keystone2KeystoneAuthPlugin for K2K federation https://review.openstack.org/188581	14:31
*** elmiko has left #openstack-keystone		14:34
*** fangzhou has quit IRC		14:39
*** openstackgerrit has quit IRC		14:41
*** openstackgerrit has joined #openstack-keystone		14:41
openstackgerrit	Alexander Makarov proposed openstack/keystone-specs: Unified delegation spec https://review.openstack.org/189816	14:49
openstackgerrit	Alexander Makarov proposed openstack/keystone-specs: Unified delegation spec https://review.openstack.org/189816	14:50
*** belmoreira has quit IRC		14:57
*** HT_sergio has joined #openstack-keystone		14:57
*** afazekas has quit IRC		14:59
*** dims_ has quit IRC		15:03
*** dims has joined #openstack-keystone		15:08
*** dims has quit IRC		15:08
*** dims has joined #openstack-keystone		15:08
*** mikedillion has joined #openstack-keystone		15:16
*** mikedillion has quit IRC		15:18
*** ajayaa has joined #openstack-keystone		15:23
*** jsavak has quit IRC		15:32
*** jsavak has joined #openstack-keystone		15:33
*** kiran-r has joined #openstack-keystone		15:40
*** radez is now known as radez_g0n3		15:44
*** Daviey has quit IRC		15:44
*** radez_g0n3 is now known as radez		15:45
*** lhcheng has joined #openstack-keystone		15:45
*** ChanServ sets mode: +v lhcheng		15:45
*** Ephur has joined #openstack-keystone		15:45
*** lhcheng has quit IRC		15:46
*** lhcheng has joined #openstack-keystone		15:46
*** ChanServ sets mode: +v lhcheng		15:46
openstackgerrit	Alexander Makarov proposed openstack/keystone-specs: Unified delegation spec https://review.openstack.org/189816	15:47
*** kiran-r has quit IRC		15:48
*** Daviey has joined #openstack-keystone		15:50
*** ayoung has joined #openstack-keystone		15:53
*** ChanServ sets mode: +v ayoung		15:53
*** varya has quit IRC		15:55
*** fhubik has quit IRC		15:55
*** toddnni has quit IRC		15:55
*** browne has joined #openstack-keystone		15:56
*** fangzhou has joined #openstack-keystone		16:02
openstackgerrit	Diane Fleming proposed openstack/keystone-specs: Add side-by-side comparison table of v2 and v3 APIs https://review.openstack.org/187027	16:04
*** rushiagr_away is now known as rushiagr		16:06
*** fangzhou has quit IRC		16:08
*** _cjones_ has joined #openstack-keystone		16:13
*** jistr has quit IRC		16:14
*** varya has joined #openstack-keystone		16:14
*** Nikkau has quit IRC		16:18
*** e0ne is now known as e0ne_		16:25
*** varya has quit IRC		16:25
*** e0ne_ is now known as e0ne		16:25
*** pnavarro_ has joined #openstack-keystone		16:30
*** stevemar has joined #openstack-keystone		16:31
*** ChanServ sets mode: +v stevemar		16:31
*** spandhe has quit IRC		16:32
*** browne has quit IRC		16:33
lbragstad	ayoung: o/ question on the dorms at BU	16:40
ayoung	lbragstad, fire 'way	16:40
lbragstad	do I have to reach out to someone to get one reserved?	16:40
lbragstad	like at BU?	16:40
lbragstad	ayoung: ^	16:42
*** jsavak has quit IRC		16:46
*** pnavarro_ has quit IRC		16:47
*** ajayaa has quit IRC		16:48
*** amaretskiy has quit IRC		16:50
*** ankita_wagh has joined #openstack-keystone		16:50
*** mabrams1 has left #openstack-keystone		16:54
*** esmute has joined #openstack-keystone		16:55
*** dguerri is now known as dguerri`		16:56
*** esmute has quit IRC		17:00
*** topol has quit IRC		17:00
*** spandhe has joined #openstack-keystone		17:06
*** mordred has joined #openstack-keystone		17:07
mordred	ok - so, I know I've asked this again, but someone help me out with my brainhole here	17:07
mordred	if I'm a normal user in a normal install of a cloud with keystone v3	17:07
mordred	I can create users and projects associated with a domain	17:08
mordred	do _I_ create roles? or does my cloud admin create roles?	17:08
mordred	currently I'm mapping out create_endpoint, create_service, create_domain as things a cloud admin does, and create_user, create_project as things a non-admin user and an admin user might do	17:09
stevemar	mordred, create role is probably a cloud admin thang	17:10
mordred	ok	17:10
*** e0ne has quit IRC		17:11
*** amakarov has quit IRC		17:11
mordred	what about role grant/revoke?	17:12
*** browne has joined #openstack-keystone		17:13
samueldmq	mordred, hi	17:18
mordred	hi samueldmq !	17:18
samueldmq	mordred, I'd say CRUD user/groups would be domain admin	17:18
mordred	samueldmq: right - but not cloud admin	17:18
samueldmq	mordred, regarding roles, I'd say every admin could grant roles	17:18
samueldmq	mordred, ++	17:18
samueldmq	mordred, cloud admin shouln't touch people's domains	17:18
mordred	samueldmq: so as a person who gets an account on a cloud that gets me my own domain, I should be able to create users and projects in that domain and to give them roles	17:18
mordred	yeah?	17:19
samueldmq	mordred, exactly	17:19
mordred	awesome	17:19
mordred	now - I'm assuming I cannot grant the global cloud admin role to any of my users ...	17:19
samueldmq	mordred, btw... the way we define roles and what they can do will e improving soon ;.. with dynamic policies	17:19
mordred	oh good. I was worried that it wasn't complex enough	17:20
samueldmq	mordred, I'd suggest you to create different roles for cloud_admin, domain_admin and project_admin	17:20
samueldmq	mordred, (remembering other services do not know about domain)	17:20
mordred	well - I'm working on a general library	17:21
samueldmq	mordred, in dynamic policies, we will be adding some relationship between roles ... so let's say a domain_admin cannot grant cloud_admin role, and so on	17:21
mordred	so I don't actually have a cloud I'm running in this case	17:21
samueldmq	mordred, you should be able to delegate a subset of your roles	17:21
mordred	as much as trying to make sure that I expose the right things into ansible modules	17:21
samueldmq	mordred, nice	17:22
mordred	samueldmq: when I grant a role to a user, I am granting it to a user for a given project, right?	17:22
*** esmute has joined #openstack-keystone		17:22
samueldmq	mordred, or for a given domain	17:22
mordred	oh - so I can grant a role for a user in a project scope, or for a user in a domain scope, yeah?	17:22
mordred	nod	17:22
mordred	I grok now	17:22
samueldmq	mordred, exactly, that's what we call role assignment	17:23
samueldmq	mordred, that is composed by (actor, target, role), where actor in (user, group) and target in (domain, project)	17:23
samueldmq	^	17:23
mordred	group?	17:25
mordred	what's a group?	17:25
*** tsufiev has quit IRC		17:25
*** tsufiev has joined #openstack-keystone		17:25
samueldmq	mordred, group of users	17:25
mordred	excellent. so is that something a domain admin can create too?	17:25
samueldmq	mordred, so granting a role assignment to a group has the same effect as granting to every user on that group separately	17:25
mordred	gotcha	17:26
samueldmq	mordred, yes, as users, they are at the same level (domain), representing identity :)	17:26
mordred	sweet	17:27
*** esmute_ has joined #openstack-keystone		17:30
*** esmute has quit IRC		17:30
*** esmute_ has quit IRC		17:30
*** belmoreira has joined #openstack-keystone		17:30
*** esmute has joined #openstack-keystone		17:31
*** aix has quit IRC		17:33
*** fangzhou has joined #openstack-keystone		17:40
*** roxanaghe has joined #openstack-keystone		17:46
*** lastops has quit IRC		17:49
*** dguerri` is now known as dguerri		17:51
*** harlowja has quit IRC		17:58
*** dguerri is now known as dguerri`		18:00
*** fangzhou_ has joined #openstack-keystone		18:01
*** harlowja has joined #openstack-keystone		18:02
*** fangzhou has quit IRC		18:02
*** fangzhou_ is now known as fangzhou		18:02
*** lastops has joined #openstack-keystone		18:02
*** dguerri` is now known as dguerri		18:05
ayoung	lbragstad, I'll let the BU administrator know that you are interested.	18:09
lbragstad	ayoung: ok, am I suppose to reach out to them?	18:10
ayoung	lbragstad, I'll find out	18:10
*** stevemar has quit IRC		18:10
lbragstad	ayoung: thanks!	18:10
samueldmq	ayoung, I have something to discuss with you related to getting policy per endpoint	18:11
samueldmq	ayoung, let me know when you have some minutes	18:11
ayoung	samueldmq, ok, 2 minutes	18:11
samueldmq	ayoung, you have 2 minutes (in this case I just waste 1 already) or are you asking me to wait 2 mins ? :)	18:12
ayoung	samueldmq, nah, I just had to finish up another task...what is up?	18:14
samueldmq	ayoung, you, morganfainberg and I talked about endpoint_url uniquely identifying an endpoint a few days ago ..	18:15
ayoung	samueldmq, right	18:15
samueldmq	ayoung, however .. a given url can be mappend in several endpoints	18:15
samueldmq	ayoung, in a devstack installation localhost:9292 maps to 3 galnce endpoints	18:16
samueldmq	ayoung, for public, internal and admin interfaces	18:16
samueldmq	ayoung, so GET /policies?endpoint_url=<encoded_url> could return a set of policies, instead of a single one	18:17
*** rlt has quit IRC		18:19
*** iamjarvo has joined #openstack-keystone		18:21
ayoung	samueldmq, so you are concerned that we might set different policy for different endpoint_ids, and then a single URL points to multiple endpoints, as we can't determine which to use?	18:22
samueldmq	ayoung, exactly	18:22
*** rushiagr is now known as rushiagr_away		18:23
*** bradjones has quit IRC		18:23
*** bradjones has joined #openstack-keystone		18:24
*** bradjones has quit IRC		18:24
*** bradjones has joined #openstack-keystone		18:24
ayoung	samueldmq, ok, so let's say we do what you say, we still have the problem of selecting the right policy for the request	18:26
ayoung	the endpoint does not know its own endpoint id	18:26
ayoung	so, what we are really saying is we need to assign policy per URL, not per endpoint id	18:27
ayoung	and I think we will all agree to that.	18:27
samueldmq	ayoung, yes!!! and that will be easier to the CSM to handle endpoint per URL (imho)	18:27
ayoung	that would be a constraint on the endpoint_policy API: multiple endpoints that share the same URL cannot have different policies assigned	18:27
samueldmq	ayoung, CRUD on policies per URL	18:28
samueldmq	ayoung, ++	18:28
ayoung	so, what happens if someone tries to assign different policies? I would say "last one wins"	18:28
samueldmq	ayoung, but how to migrate ? tehre are interesting questions to answer	18:28
ayoung	the alternative is report an error	18:28
*** gyee has joined #openstack-keystone		18:29
*** ChanServ sets mode: +v gyee		18:29
ayoung	samueldmq, we don't have a "time it was assigned" value, do we?	18:29
samueldmq	ayoung, checking ..	18:29
ayoung	so we chose one at random and make that the policy for all the endpoints for the same URL	18:29
samueldmq	ayoung, no we don't	18:30
*** fangzhou has quit IRC		18:30
ayoung	samueldmq, does the policy have a "last updated time on it"?	18:30
ayoung	guessing no	18:30
samueldmq	ayoung, we should be able to CRUD policies per namespace, it doesn't matter what that namespace is (domain, project, endpoint, url, parents or dog names)	18:30
ayoung	samueldmq, yeah, just a question of what to do for migrations if things are broken.	18:31
ayoung	HMMMM, NAMESPACE	18:32
ayoung	that has some interesting ....	18:32
ayoung	lets stick to endpoints for now. I think that we need to make all endpoints with the same URL have the same policy. We need to figure out how to enforce that	18:33
openstackgerrit	Merged openstack/keystone: Switch keystone over to oslo_log versionutils https://review.openstack.org/189267	18:35
ayoung	david8hu, sorry to -2 https://review.openstack.org/#/c/189486/2, but merge that doc into the namespaced roles spec if you can, or the hierarchcial roles spec...I think it draws a little bit from each	18:38
samueldmq	ayoung, yes .. do you think we should add the capability to CRUD based on the URL ?	18:38
ayoung	samueldmq, probably	18:38
samueldmq	ayoung, or keep it as it is for now .. and enforce that constraint (same url -> same policy)	18:38
ayoung	samueldmq, CRUD would be more useful, I think	18:39
samueldmq	ayoung, ++	18:39
samueldmq	ayoung, and we could deprecate the current policy CRUD ..	18:39
david8hu	ayoung, split it into 2, then merge? I thought it gives a little more focus as seperate spec:)	18:40
*** topol has joined #openstack-keystone		18:43
*** ChanServ sets mode: +v topol		18:43
ayoung	david8hu, I want is_admin to die	18:45
david8hu	@ayoung, any suggestions?	18:45
david8hu	@ayoung, now is the time to do it right :)	18:46
ayoung	david8hu, yeah...so namespaced roles is the most direct competition for your spec	18:46
david8hu	Do you have a pointer?	18:46
ayoung	you are essentially describing a subset of namespacing roels, with compute:admin etc...	18:46
ayoung	yeah one sec	18:46
ayoung	david8hu, https://review.openstack.org/#/c/133855/	18:47
gyee	ayoung, david8hu, commented on the spec, can't we take baby steps?	18:48
ayoung	gyee, I think that he's addressing the same problem as Henrynash was targetting with "Domain scoped roles." If you say that all roles should be namespaced, then domain becomes just another namespace	18:49
ayoung	gyee, and that is the heart of what david8hu is proposing, just that I want to keep Henry's spec as the canonical version	18:50
gyee	ayoung, domain owned roles are different than service admin segregation though	18:50
ayoung	gyee, they can be handled by the same mechanism	18:50
gyee	I would think they are orthogonal	18:50
ayoung	gyee, and, it is also hierarchical roles	18:51
gyee	ayoung, I agree the end goal is dynamic policies	18:51
gyee	but we can take incremental improvements	18:51
ayoung	gyee, heh, I am trying	18:51
david8hu	@ayoung, I am solving a slightly different problem. Say once unified policy goes through, having context_is_admin for global is a diaster.	18:52
*** e0ne has joined #openstack-keystone		18:52
gyee	context_is_admin needs to disappear eventually	18:52
ayoung	david8hu, so, splitting admin by servic is only one way to divvy it up	18:53
*** iamjarvo has quit IRC		18:53
ayoung	so...I tihnk you are on the right general track, just have not gone far enough in thinking it through...	18:53
*** zzzeek has quit IRC		18:54
samueldmq	ayoung, an endpoint with several interfaces should still be a single enpoint which has several interfaces	18:55
samueldmq	ayoung, and not different endpoint objects (different ids) that only differ in 'interface' attribute	18:56
gyee	samueldmq, not in v3	18:56
gyee	endpoint ids are different	18:56
samueldmq	gyee, why ?	18:56
gyee	samueldmq, an endpoint is just a set of attributes	18:57
gyee	URL doesn't make an endpoint unique	18:57
samueldmq	gyee, why do we need, let's say for glance, have 3 different endpoints only differing in the interface	18:57
*** fangzhou has joined #openstack-keystone		18:57
samueldmq	gyee, http://paste.openstack.org/show/281944/	18:57
samueldmq	gyee, what does an URL identify ?	18:57
samueldmq	gyee, does it uniquely identify anything ?	18:57
david8hu	@ayoung, are you suggesting context_is_admin should be global? Currently, each service has its only context_is_admin policy, eventhough the definition might be the same.	18:57
*** e0ne has quit IRC		18:57
gyee	samueldmq, no, url is just a url	18:58
gyee	endpoint is uniquely identified by its id right now	18:58
david8hu	@ayoung I mean in the context of unified policy.	18:58
ayoung	david8hu, I am saying context_is_admin should die a fiery death	18:58
samueldmq	gyee, so we want to CRUD policy per URL	18:58
ayoung	david8hu, rules should be written like this:	18:59
ayoung	" namespace:api" :" scope and role "	18:59
samueldmq	gyee, the motivation behind this is that CMS already knows the URL a priori when configuring the cloud, does that make sense ?	18:59
ayoung	scope is the proejct or domain matching	18:59
ayoung	role is hierarchical	18:59
gyee	samueldmq, a url can be many things, in production, it is likely a VIP	19:00
ayoung	gyee, that is not the answer, thought	19:00
ayoung	the reason is that different operations require differnt endpoints for hysterical raisons	19:00
*** e0ne has joined #openstack-keystone		19:00
ayoung	admin versus main for v2 in Keystone for example	19:01
ayoung	and, the asumption was that you could run those servcies on different machines if necessary	19:01
gyee	ayoung, there are good reasons for them	19:01
*** lastops has quit IRC		19:01
gyee	for example, infra services can use internal URLs because they are more efficient	19:01
ayoung	yep	19:02
gyee	they don't have to go through firewall	19:02
gyee	rate limit, and a bunch of other stuff	19:02
ayoung	but you could have the interanl and extnreal endpoints served by the same URL out of the service catlaaog	19:02
samueldmq	gyee, but they should all have the same policy at the end .. is that right ?	19:02
gyee	this also offers deployment flexibility, for example, we can split Keystone out into two groups	19:03
gyee	the admin group APIs hits are less frequent than the public APIs hits	19:03
gyee	therefore, I can optimized on the public APIs	19:03
*** pece has joined #openstack-keystone		19:04
ayoung	samueldmq, so, one thought: the endpoint itself could request "list endspoins for URLS' and then chose which endpoint id to use	19:04
*** iamjarvo has joined #openstack-keystone		19:04
ayoung	Or event, get the whole service catalog, look through, find the URLs that matche, and then pull out the appropriate endpoint ID	19:04
*** iamjarvo has quit IRC		19:05
gyee	so in production, services likely shared a single public endpoint	19:05
ayoung	it would need to know how to distinguish between two endpoints, though	19:05
gyee	sorry I mean single public URL	19:05
*** e0ne has quit IRC		19:05
*** iamjarvo has joined #openstack-keystone		19:05
*** iamjarvo has quit IRC		19:05
*** iamjarvo has joined #openstack-keystone		19:06
*** iamjarvo has quit IRC		19:06
samueldmq	ayoung, how do we filter per endpoint id ? I think this is the thing we were trying to stay away ..	19:06
*** iamjarvo has joined #openstack-keystone		19:07
samueldmq	ayoung, if the CMS will need to configure the endpoint_id, it shouldn't need to configure the url as well	19:07
*** iamjarvo has quit IRC		19:07
ayoung	samueldmq, nah, it would still set the URL	19:07
ayoung	just thinking	19:07
samueldmq	ayoung, gyee we need to synchronize on this as well .. I saw there is a token endpoint binding thing	19:07
david8hu	@ayoung, unified policy spec alone won't address " namespace:api" :" scope and role ". It just a merge of policy policies from OpenStack Services. Probably,l need another spec to get rid iff context_is_admin.	19:07
*** iamjarvo has joined #openstack-keystone		19:07
*** iamjarvo has quit IRC		19:07
samueldmq	ayoung, gyee that is based on the endpoint id, right ?	19:08
ayoung	samueldmq, lets say we could make no changes to the server right now...but we could to Middleware, we'd do what I just said	19:08
pece	Which version of python-openstackclient is compatible with Juno?	19:08
ayoung	ie. map url to endpoint in middleware	19:08
gyee	samueldmq, it can be based on anything, its just a general policy rule	19:08
*** iamjarvo has joined #openstack-keystone		19:08
*** iamjarvo has quit IRC		19:08
gyee	endpoint_id, service type, service name, region, etc	19:08
*** iamjarvo has joined #openstack-keystone		19:09
*** iamjarvo has quit IRC		19:09
samueldmq	gyee, ok I need to review that work to have a better opinion on that point :)	19:09
ayoung	samueldmq, and then middleware could use the current API to fetch policy by the endpoint_id it pulled out of the service catalog	19:09
*** iamjarvo has joined #openstack-keystone		19:09
*** iamjarvo has quit IRC		19:09
ayoung	samueldmq, probably the best option is to make it explicit, which means assigning policy per URL, not endpoint, but, that is better long run anyway	19:10
*** iamjarvo has joined #openstack-keystone		19:10
samueldmq	ayoung, how does middleware know the endpoint id	19:10
*** iamjarvo has quit IRC		19:10
dtroyer	pece: any recent one should be, we try to keep things compatible for all supported releases	19:10
samueldmq	ayoung, the service catalog may contain several endpoints for, let's say, nova	19:10
*** iamjarvo has joined #openstack-keystone		19:10
gyee	samueldmq, its provisioned as part of bootstrap	19:10
*** iamjarvo has quit IRC		19:11
samueldmq	gyee, yes .. but I need to know exactly what CSM will put into the middleware config	19:11
david8hu	@ayoung Getting rid off context_is_admin will need additional collboration effort with other service. Doable, but is going to be massive. For example, nova has a is_admin chk. It needs to be retrained.	19:11
samueldmq	gyee, the endpoint_id specifically ?	19:11
*** iamjarvo has joined #openstack-keystone		19:11
*** iamjarvo has quit IRC		19:11
pece	dtroyer, thx ... I meant compatible in requirements.txt means	19:11
gyee	samueldmq, we don't any control over the deployment options	19:12
*** iamjarvo has joined #openstack-keystone		19:12
*** iamjarvo has quit IRC		19:12
samueldmq	gyee, sure .. but we need to define what the options are	19:12
dtroyer	pece: ah, that's totally different, you'd have to look at release dates, we didn't intentionally time a release to match juno, but there should be one close	19:12
*** iamjarvo has joined #openstack-keystone		19:12
*** iamjarvo has quit IRC		19:13
samueldmq	gyee, and we are adding a new option, which is dynamic fetch of policies... so we need to tell the deplyer how to enable it	19:13
dtroyer	pece: from my notes, 1.0.1 should be close	19:13
gyee	samueldmq, see https://review.openstack.org/#/c/177661/14/keystonemiddleware/auth_token/__init__.py	19:13
*** iamjarvo has joined #openstack-keystone		19:13
gyee	we expect the endpoint_id to be configured as part of auth_token middleware configuration	19:13
*** iamjarvo has quit IRC		19:14
pece	dtroyer, ok thank you :)	19:14
samueldmq	gyee, yes that's the point	19:14
*** iamjarvo has joined #openstack-keystone		19:14
*** iamjarvo has quit IRC		19:14
gyee	samueldmq, it would a global option, just like any oslo options	19:14
samueldmq	gyee, morganfainberg, ayoung and I had agreed that defining the URL would be better to CMS than the endpoint id	19:14
*** iamjarvo has joined #openstack-keystone		19:15
samueldmq	gyee, since it already knows the URL a priori	19:15
*** iamjarvo has quit IRC		19:15
gyee	in your case, it would probably be a new option in oslo.policy	19:15
samueldmq	gyee, but it looks like it is not going ot work	19:15
*** iamjarvo has joined #openstack-keystone		19:15
samueldmq	gyee, no, ksmiddleware fetches the policy	19:15
*** iamjarvo has quit IRC		19:15
gyee	samueldmq, you have the same complexity with url	19:15
samueldmq	gyee, oslo policy only does the enforcement (at least for now)	19:15
gyee	url changes	19:16
*** iamjarvo has joined #openstack-keystone		19:16
*** iamjarvo has quit IRC		19:16
samueldmq	gyee, if we are going to have a config option for endpoint_id, we should use that in my case as well	19:16
*** iamjarvo has joined #openstack-keystone		19:17
samueldmq	gyee, if we go with url (not sure this works) you should use that as well	19:17
*** iamjarvo has quit IRC		19:17
samueldmq	gyee, my point is that we should be consistent between these two features, since we need something that maps to th esma	19:17
samueldmq	the same*	19:17
*** iamjarvo has joined #openstack-keystone		19:17
*** iamjarvo has quit IRC		19:17
*** lastops has joined #openstack-keystone		19:17
gyee	samueldmq, sure if we are doing policy enforcement via middleware	19:17
*** iamjarvo has joined #openstack-keystone		19:18
*** iamjarvo has quit IRC		19:18
samueldmq	gyee, does it make sense to have different policies for different endpoints (which only differ in the interface attribute) ?	19:18
*** iamjarvo has joined #openstack-keystone		19:18
*** iamjarvo has quit IRC		19:19
*** iamjarvo has joined #openstack-keystone		19:19
*** iamjarvo has quit IRC		19:19
*** iamjarvo has joined #openstack-keystone		19:20
*** iamjarvo has quit IRC		19:20
gyee	samueldmq, sure it make sense	19:20
*** iamjarvo has joined #openstack-keystone		19:21
*** iamjarvo has quit IRC		19:21
*** iamjarvo has joined #openstack-keystone		19:21
gyee	you can't what's running behind it by just looking at the url	19:21
gyee	you can't tell	19:21
*** iamjarvo has quit IRC		19:22
samueldmq	gyee, so that could be the same url or not	19:22
samueldmq	gyee, so a url may be define a group of endpoints	19:22
*** iamjarvo has joined #openstack-keystone		19:22
*** henrynash has joined #openstack-keystone		19:22
*** ChanServ sets mode: +v henrynash		19:22
gyee	it could be a bunch of service running behind a proxy for all we know :)	19:22
samueldmq	gyee, and providing a CRUD of policiies which can be bind to URL makes sense as well	19:23
gyee	samueldmq, service is a group of endpoints :)	19:23
samueldmq	gyee, yes but in a public cloud env we need something between the service and endpoints	19:23
gyee	and region is a group of services	19:23
samueldmq	gyee, a group of endpoints which are not all the endpoints of a service	19:24
gyee	yes, we do have endpoint group too	19:24
*** ankita_wagh has quit IRC		19:24
samueldmq	gyee, how do we group endpoints ? what is that ?	19:24
gyee	better yet, dynamic endpoint groups	19:25
samueldmq	ayoung, let me know what you know :)	19:25
gyee	samueldmq, dynamic endpoint groups is just a set of filters	19:25
gyee	based on region, interface, and service	19:25
samueldmq	gyee, and those filters have ids ?	19:25
gyee	samueldmq, yes, endpoint group have unique ids	19:26
*** ankita_wagh has joined #openstack-keystone		19:26
samueldmq	gyee, hmm ... this is opening my mind I think	19:26
samueldmq	gyee, the policy fetch should be somehting more generic	19:26
*** ankita_wagh has quit IRC		19:26
samueldmq	gyee, you could ask for the policy for a region/service/endpoint/whatever makes sense	19:26
samueldmq	gyee, and that would be configurable at middleware ... (I think this is kind of what you are doing for the token binding)	19:27
gyee	samueldmq, https://github.com/openstack/keystone/blob/master/keystone/contrib/endpoint_filter/controllers.py#L144	19:27
samueldmq	gyee, makes sense ? ^	19:27
gyee	samueldmq, ++ on flexibility	19:28
samueldmq	gyee, great	19:28
*** ankita_wagh has joined #openstack-keystone		19:28
samueldmq	ayoung, morganfainberg ^	19:28
gyee	samueldmq, about the endpoint hierarchy region->(sub-region)*->service->endpoint	19:29
gyee	I though we also allow override mechanism, no?	19:29
samueldmq	gyee, where we get the most specific policy, right ?	19:30
*** lhcheng has quit IRC		19:30
gyee	say if a policy is set on region, it got inherited down, and can be overridden at the child	19:30
samueldmq	gyee, ++	19:30
*** stevemar has joined #openstack-keystone		19:30
*** ChanServ sets mode: +v stevemar		19:30
samueldmq	gyee, but in the case there is a policy for the endpoint ksmiddleware is and the deployer has explicitly set the region policy to be used	19:31
samueldmq	gyee, we should use the region one	19:31
samueldmq	gyee, in other hand, if he has set ksmiddleware to fetch the policy for that endpoint and there is no policy directly associated to it	19:31
samueldmq	gyee, look at its service -> subregions -> region until find a valid one	19:31
gyee	samueldmq, I don't think we have a use case for setting the region id in middleware right now	19:33
gyee	maybe some sort of customized region API proxy or something, but that's too much of an imagination :)	19:34
samueldmq	gyee, but we allow policies per region, so I think we should allow that option as well	19:34
samueldmq	gyee, we allow you to get a policy for anything you can bind one to (endpoint, service, region)	19:35
samueldmq	gyee, and we apply endpoint hierarchy in the case we don't find a policy associated to the direct entity that was defined (endpoint -> service -> region)	19:36
gyee	samueldmq, isn't that how the endpoint policy behaves today? Walk up the hierarchy till you find a policy	19:39
samueldmq	gyee, I don't know .. maybe it is, I will check	19:41
samueldmq	gyee, however ... step back .. should we only allow the deployer to define the endpoint_id and then get its policy	19:41
samueldmq	gyee, without adding the options to explicitely get policies per service/region at middleware?	19:42
samueldmq	gyee, (I am just trying to make sure we have a good and consistent proposal)	19:42
gyee	samueldmq, yes, endpoint_id should be adequate for now	19:43
samueldmq	gyee, ok so in few words ... endpoint_id instead of URL (which does not uniquely identify an endpoint)	19:44
openstackgerrit	Lance Bragstad proposed openstack/keystone: Fix spelling in configuration comment. https://review.openstack.org/190318	19:44
samueldmq	gyee, I will revisit this with ayoung and morganfainberg	19:44
gyee	samueldmq, sure	19:45
samueldmq	gyee, nice thanks	19:45
gyee	samueldmq, no thank you! :)	19:46
*** ayoung has quit IRC		19:46
*** iamjarvo has quit IRC		19:50
*** aix has joined #openstack-keystone		19:53
*** e0ne has joined #openstack-keystone		20:00
*** iamjarvo has joined #openstack-keystone		20:01
dstanek	looking at rooms now	20:05
*** lhcheng has joined #openstack-keystone		20:09
*** ChanServ sets mode: +v lhcheng		20:09
*** lhcheng_ has joined #openstack-keystone		20:12
*** roxanaghe has quit IRC		20:13
*** lhcheng has quit IRC		20:15
*** lastops has quit IRC		20:18
*** ayoung has joined #openstack-keystone		20:26
*** ChanServ sets mode: +v ayoung		20:26
openstackgerrit	guang-yee proposed openstack/keystonemiddleware: Enforce endpoint constraint https://review.openstack.org/177661	20:26
*** timcline has quit IRC		20:29
*** radez is now known as radez_g0n3		20:32
*** lhcheng_ has quit IRC		20:34
*** timcline has joined #openstack-keystone		20:34
*** e0ne has quit IRC		20:35
*** hemna is now known as hemnafk		20:38
*** stevemar has quit IRC		20:38
*** dguerri is now known as dguerri`		20:46
mordred	are there any keystone v3 enabled devstacks yet?	20:51
*** stevemar has joined #openstack-keystone		20:52
*** ChanServ sets mode: +v stevemar		20:52
lbragstad	mordred: I think dolphm was interested in that ^	20:52
*** dguerri` is now known as dguerri		20:52
mordred	lbragstad: ossum	20:52
mordred	dolphm: I'm about to write some fairly blind code in shade to deal with keystone v3 and would love to have a good way to have funtional tests ... so let me know if there are things I can help with wrt keystonev3 and devstack	20:52
lbragstad	mordred: actually, I think we're all interested in it :) but I want to say I heard someone was trying to get things wired up (I can't remember who that was)	20:53
mordred	:)	20:53
mordred	yah. interested in and working on are two different things :)	20:53
richm	mordred: I think jamielennox was working on this	20:53
*** zzzeek has joined #openstack-keystone		20:54
bknudson	v3 is used in a devstack setup	20:56
bknudson	for the auth_token middleware	20:56
mordred	bknudson: does that mean I can create domains in a devstack?	20:56
bknudson	there's a lot of code that makes the mistake of requiring configuring the auth version rather than doing discovery	20:57
bknudson	mordred: you can create domains in devstack	20:57
mordred	bknudson: neat! that's all I need	20:57
mordred	I mean, I want to create all the things - but I figure if the cloud groks domains it'll grok the other things to	20:58
mordred	too	20:58
openstackgerrit	Merged openstack/keystone: Use lower default value for sha512_crypt rounds https://review.openstack.org/165295	20:58
bknudson	right now you might have to override the --os-identity-api-version 3 when running openstack add domain	20:58
bknudson	openstack --os-identity-api-version 3 --os-auth-url http://192.168.122.186:5000/v3 domain create ldap	20:58
mordred	I should not need to	20:58
bknudson	does devstack create a clouds.yaml?	20:59
*** spandhe has quit IRC		21:00
*** radez_g0n3 is now known as radez		21:01
*** belmoreira has quit IRC		21:04
*** ayoung has quit IRC		21:08
*** topol has quit IRC		21:12
*** pnavarro_ has joined #openstack-keystone		21:17
gyee	bknudson, come to think of it, why can't we default os-identity-api-version to 3?	21:20
bknudson	gyee: I can't think of a reason that it shouldn't be 3.	21:20
gyee	bknudson, lets do this!	21:20
bknudson	I think that's in the openstack CLI	21:20
gyee	yeah, lemme submit a patch to see what breaks	21:21
bknudson	gyee: the list of what works might be shorter.	21:21
gyee	hah	21:22
stevemar	bknudson, it doesn't just yet...	21:22
gyee	well what do ya mean?!	21:22
bknudson	stevemar are there deployments out there that don't have v3 enabled?	21:22
bknudson	or at least enough of them that we shouldn't default to v3	21:23
gyee	bknudson, stevemar, sheeit! the params are not backward compat	21:24
bknudson	that's what I was worried might happen	21:24
gyee	so with v3, I can't just specify --os-tenant-name and get away with it	21:24
bknudson	maybe there's some kind of shim we could do	21:24
bknudson	(like support --os-tenant-name)	21:24
bknudson	we need to figure out some way to be able to change the default to 3, otherwise we're stuck forever	21:25
*** radez is now known as radez_g0n3		21:25
gyee	bknudson, ++	21:26
bknudson	maybe have a --version=v3compat that looks just like v2 but converts everything to v3?	21:26
gyee	we should make it smarter	21:26
gyee	so if version is not specified and --os-tenant-name is there, behave like v3	21:27
gyee	I think jamielennox crated a version independent auth plugin just for that purpose	21:27
gyee	we should be able to use the same logic for openstack cli	21:27
bknudson	openstack cli uses the auth plugins	21:27
gyee	bknudson, what I mean is we need to map the commands as well	21:28
gyee	tenant list -> project list	21:28
bknudson	y, so how to do that?	21:28
bknudson	we have a tenant list command that just does project list?	21:28
bknudson	and spits out a deprecation warning	21:29
bknudson	maybe it's not even listed in the help text	21:29
gyee	right we need to canonicalize the commands	21:29
gyee	in the same way as accessinfo perhaps	21:29
bknudson	y, seems like openstack CLI is working at the wrong level. there should be an abstraction layer.	21:30
gyee	bknudson, yeah I agree	21:30
bknudson	user doesn't care if they're doing v2 or v3.	21:30
*** zzzeek has quit IRC		21:30
gyee	user cares about UX	21:31
gyee	developers cares about flexibility	21:31
bknudson	they just want to create a project or tenant... they don't care if it uses v2 or v3.	21:31
gyee	right	21:32
bknudson	maybe we can get a list of the identity v2 commands	21:32
bknudson	and a list of the v3 commands	21:32
bknudson	and then create v2 compat commands in v3	21:33
bknudson	like tenant list	21:33
bknudson	and hopefully we can have the v2 compat commands not show up in help and print a deprecated message when used.	21:33
bknudson	then we can change the cli to default to v3	21:33
bknudson	(or, even better, change the cli to use version discovery by default)	21:34
stevemar	why would be support compat?	21:35
stevemar	its a new project	21:35
stevemar	you can set OS_TENANT_NAME and use that	21:35
bknudson	openstack project create / openstack tenant create	21:35
bknudson	maybe we should have v3 compat commands in v2.	21:36
samueldmq	mordred, bknudson, gyee I have set up devstack + tempest experimental jobs with keystone v3 only (v2 disabled), so we can work towards having everything with v3 by default	21:36
gyee	bknudson, I don't think we need compat commands	21:36
gyee	just some AI to make it smarter	21:37
bknudson	y, could just call an AI web service.	21:37
gyee	like if user specify v2 params, just use v2	21:37
bknudson	like siri or cortana	21:37
stevemar	they are already switching from issuing a "keystone" command to an "openstack" command....	21:37
gyee	like my self learning thermostat	21:37
stevemar	the user can just use project	21:38
stevemar	kill tenant in a fire	21:38
bknudson	doesn't devstack use openstack command now?	21:38
gyee	stevemar, damn straight	21:38
samueldmq	jamielennox already have some patches to make devstack use v3 to set up its own resources	21:38
stevemar	bknudson, yes it does	21:38
bknudson	does it do tenant create or project create?	21:38
gyee	samueldmq, nice!	21:38
bknudson	./exercises/neutron-adv-test.sh: openstack project create $1	21:39
bknudson	so it's already using v3?	21:39
stevemar	devstack uses v2	21:40
bknudson	openstack CLI has project create for v2...	21:41
stevemar	we even ditched the 'tenant' name in osc	21:41
bknudson	I thought gyee said it used tenant for something?	21:41
bknudson	is that just auth?	21:41
stevemar	it'll support OS_TENANT_NAME in your auth if you set it	21:41
gyee	oh?	21:41
gyee	stevemar you mean one can do this? openstack --os-identity-api-version 2.0 project create	21:42
*** dguerri is now known as dguerri`		21:42
bknudson	devstack is doing that already	21:42
bknudson	./tools/create_userrc.sh: eval $(openstack project create -f shell -c id $name)	21:43
stevemar	yes	21:43
bknudson	stevemar: why is the default for identity-api-version 2?	21:43
gyee	stevemar, if that's the case, then we should just default identity-api-version to 3	21:44
stevemar	bknudson, because devstack will fall on it's face if it's 3	21:44
bknudson	why? all the commands are compatible	21:44
stevemar	at least when i tried it a while ago	21:44
stevemar	submit a patch and see?	21:44
bknudson	that sounds like a dare	21:47
gyee	you have my moral support	21:49
morganfainberg	moral support gyee, should i be worried?	21:50
gyee	heh	21:50
morganfainberg	stevemar: btw: how was CISID	21:50
stevemar	morganfainberg, not bad	21:50
stevemar	morganfainberg, learning a lot	21:50
morganfainberg	stevemar: i'd like to grab a time to sync up w/ you re: what you've gathered from the conf and how it impacts us	21:51
*** iamjarvo has quit IRC		21:51
stevemar	morganfainberg, sure, monday-ish?	21:51
morganfainberg	yeah sounds good. i should be home by then	21:51
gyee	what's CISID?	21:52
morganfainberg	Cloud Identity Summit	21:52
gyee	fancy	21:52
*** radez_g0n3 is now known as radez		21:52
*** iamjarvo has joined #openstack-keystone		21:55
*** ayoung has joined #openstack-keystone		21:56
*** ChanServ sets mode: +v ayoung		21:56
*** spandhe has joined #openstack-keystone		21:56
*** HT_sergio has quit IRC		21:56
*** pnavarro_ has quit IRC		21:56
stevemar	gyee, SO FANCY!	21:58
*** radez is now known as radez_g0n3		21:58
stevemar	the projector just died during a guys talk	21:59
stevemar	poor guy	21:59
bknudson	I'm looking forward to reviews from stevemar -- -2, at CISID we decided to frobnaz the gipplezorp.	22:00
*** esmute has quit IRC		22:00
stevemar	bknudson, umm, thats so last year, it's all about the rufflebits now	22:00
stevemar	it's like you don't even work on identity, pfft	22:01
bknudson	hopefully it's all recorded.	22:01
bknudson	then I can catch up	22:01
stevemar	i think it is	22:01
*** lsmola has quit IRC		22:01
stevemar	but they didn't get the super mega package like openstack gets	22:01
stevemar	its all uploaded after the summit, not 10 minutes after the session	22:02
stevemar	bbl	22:02
morganfainberg	yah FNTech is amazing	22:02
bknudson	$1,695 !	22:02
morganfainberg	hard to find a similar production company	22:03
morganfainberg	bknudson: have you looked at the price of the OpenStack summit (full price?)	22:03
bknudson	that's why I commit something.	22:03
morganfainberg	lol!	22:03
bknudson	they mentioned at the summit they might tighten the reqs for the free pass.	22:05
*** __afazekas has quit IRC		22:05
bknudson	http://www.cloudidentitysummit.com/schedule/ -- these do look interesting	22:06
bknudson	"Beyond Identity & Federation"	22:06
*** stevemar has quit IRC		22:06
bknudson	http://www.cloudidentitysummit.com/cr3ativconference/building-open-source-iam-for-clouds/	22:07
bknudson	these guys are way behind since there are no docker talks.	22:10
bknudson	"SAML in SAML out (or maybe WS-Fed) "	22:11
morganfainberg	bknudson: is that like garbage in garbage out?	22:12
bknudson	here's a competitor to stevemar: Identity across Google for Work and Google Cloud Platform	22:12
bknudson	some of these look like sales pitches	22:13
bknudson	ah, it's FIDO and SCIM that are the new hotness.	22:14
bknudson	I'm glad we've got someone there from OpenStack since our competitors are there.	22:14
gyee	morganfainberg, ayoung, can you guys address jamielennox questions on patch 14 when you have a chance? https://review.openstack.org/#/c/177661/	22:14
gyee	now I need to figure out wtf's wrong with jenkins	22:15
gyee	everything's green, but a -1 from jenkins	22:15
ayoung	gyee, is that endpoint bindings?	22:15
morganfainberg	bknudson: yeah that was my goal, make sure we had someone there.	22:15
bknudson	gyee: incompatible requirements	22:15
morganfainberg	bknudson: it's good to know what the state of other technologies are	22:15
gyee	ayoung, yes, jamielennox was asking for separate middleware	22:15
morganfainberg	esp. the Identity-As-A-Service crowd	22:15
gyee	bknudson, which one?	22:16
*** timcline has quit IRC		22:16
bknudson	http://logs.openstack.org/61/177661/15/check/gate-keystonemiddleware-requirements/a796f57/console.html#_2015-06-10_20_30_42_057	22:16
bknudson	oslo.policy>=0.3.1 does not match openstack/requirements value oslo.policy>=0.5.0	22:16
bknudson	it's a moving target you're trying to hit.	22:16
bknudson	by the time you update to 0.5.0 it'll be 1.0.0	22:17
gyee	ah	22:17
gyee	but at least jenkins should show red somewhere right?	22:17
bknudson	gyee: probably, but don't complain to -infra or you'll have to fix it	22:18
bknudson	if you toggle CI it shows the failure	22:18
ayoung	What if we said "OK, SAML it is"	22:18
ayoung	then make Swift accept a SAML assertion instead of the tiny token they wanty	22:18
ayoung	want	22:18
gyee	bknudson, got it, thanks for the tip!	22:20
bknudson	we could provide a service to take your SAML and turn it into a short token for ref	22:20
ayoung	Keystone would export the mapping, perform it all in middleware	22:20
openstackgerrit	guang-yee proposed openstack/keystonemiddleware: Enforce endpoint constraint https://review.openstack.org/177661	22:22
bknudson	ayoung: what's the mapping? attributes to roles?	22:23
ayoung	bknudson, yeah	22:23
*** merlin_ has quit IRC		22:23
ayoung	bknudson, get rid of tokens	22:24
bknudson	I don't see why not.	22:24
bknudson	SCIM is a REST API -- http://www.simplecloud.info/ -- we could implement that in keystone	22:25
bknudson	or leave it to an identity provider	22:25
ayoung	bknudson, replace PKI tokens with in this http://adam.younglogic.com/2014/10/who-can-sign-for-what/	22:25
*** Ephur has quit IRC		22:25
gyee	bknudson, any reference impl of SCIM out there?	22:26
bknudson	gyee: https://docs.oracle.com/cd/E52734_01/oim/OMDEV/scim.htm#OMDEV5526	22:26
gyee	ayoung, you mean like AWS access keys? brilliant! :)	22:27
bknudson	https://www.osiam.org/display/ZLIintranet/Documentation	22:27
*** ankita_w_ has joined #openstack-keystone		22:27
*** harlowja has quit IRC		22:27
*** noye has joined #openstack-keystone		22:28
ayoung	gyee, I mean nothing like AWK access keys	22:28
ayoung	gyee, I mean like we let SAML do SAML things, and provide a sane alternative to XACML for the rest	22:29
*** ankita_wagh has quit IRC		22:29
*** stevemar has joined #openstack-keystone		22:29
*** ChanServ sets mode: +v stevemar		22:29
bknudson	these jerks are stealing keystone's thunder: https://github.com/osiam/osiam	22:30
bknudson	OSIAM is a secure identity management solution providing REST based services for authentication and authorization	22:30
bknudson	We achieve this by implementing two important open standards.	22:30
bknudson	open standards!	22:30
bknudson	looks like they're doing oauth rather than saml	22:31
*** harlowja has joined #openstack-keystone		22:32
gyee	hah	22:32
bknudson	it's java	22:33
gyee	bknudson, but we have federation and trust delegation and all the fancy terminologies	22:33
*** dsirrine has quit IRC		22:33
gyee	java? booo	22:33
bknudson	https://github.com/osiam/auth-server/blob/master/src/main/java/org/osiam/security/controller/TokenController.java#L50	22:34
bknudson	maybe they're just converting keystone to java?	22:34
bknudson	RequestMapping(value = "/token")	22:34
bknudson	@RequestMapping(value = "/revocation", method = RequestMethod.POST)	22:34
bknudson	@RequestMapping(value = "/revocation/{userId}", method = RequestMethod.POST)	22:34
bknudson	maybe there's only one way to do it.	22:35
stevemar	bknudson, did you make that patch yet? punk?	22:36
bknudson	stevemar: I'm too scared.	22:36
gyee	punk?	22:36
gyee	bknudson, tell stevemar you need no standing inline for ID check when you ask for an adult beverage :)	22:37
stevemar	gyee, i'm trying to be intimidating	22:37
stevemar	ha	22:37
bknudson	grow a beard	22:37
bknudson	and add some grey extensions	22:37
gyee	and shave your head	22:37
bknudson	always a good decision	22:38
bknudson	no lice	22:38
bknudson	stevemar: you have to find these osiam jokers and get them to contribute to keystone instead	22:38
stevemar	bknudson, forcefully get the to contribute?	22:39
*** lufix has quit IRC		22:39
stevemar	i wonder if this will work bknudson https://review.openstack.org/#/c/190388/	22:39
bknudson	yes... you're very intimidating	22:39
bknudson	from keystoneclient.v2_0 import client as identity_client_v2 ?	22:40
stevemar	what about it?	22:40
bknudson	should be v3	22:40
stevemar	i think that's fine. we only use that to override tenant stuff	22:41
stevemar	identity_client = utils.get_client_class() is what actually gets the client	22:42
bknudson	keystoneclient has that functionality built in.	22:42
openstackgerrit	Merged openstack/keystone: Remove identity_api from AuthInfo dependencies https://review.openstack.org/182032	22:46
*** sigmavirus24 is now known as sigmavirus24_awa		22:46
*** dsirrine has joined #openstack-keystone		22:48
*** bknudson has quit IRC		22:54
mordred	hey all	23:01
mordred	I ahve two different sets of code I'm looking at for user creation	23:02
mordred	in one, it creates a user with a project as a parameter, in another with a domain	23:02
*** geoffarnold has joined #openstack-keystone		23:02
mordred	when I look at keystone clieent, I see that both are possible input parameter	23:03
mordred	when I look at keystone clieent, I see that both are possible input parameters	23:03
mordred	I think I just answered my own question	23:03
*** jaosorior has quit IRC		23:05
*** ankita_wagh has joined #openstack-keystone		23:07
*** ankita_w_ has quit IRC		23:07
*** iamjarvo has quit IRC		23:20
*** browne has quit IRC		23:34
*** david-lyle has quit IRC		23:40
openstackgerrit	OpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements https://review.openstack.org/190405	23:44
*** dsirrine has quit IRC		23:48
*** dsirrine has joined #openstack-keystone		23:48
*** spandhe has quit IRC		23:49
*** darrenc is now known as darrenc_afk		23:54
*** harlowja has quit IRC		23:54
*** harlowja has joined #openstack-keystone		23:55
*** dsirrine has quit IRC		23:56

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!