Thursday, 2015-06-11

*** gyee has quit IRC		00:00
*** spandhe has joined #openstack-keystone		00:06
*** belmoreira has joined #openstack-keystone		00:11
*** darrenc_afk is now known as darrenc		00:14
*** spandhe has quit IRC		00:29
*** spandhe has joined #openstack-keystone		00:34
*** ankita_wagh has quit IRC		00:39
openstackgerrit	OpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements https://review.openstack.org/190405	00:42
openstackgerrit	OpenStack Proposal Bot proposed openstack/keystonemiddleware: Updated from global requirements https://review.openstack.org/190428	00:42
*** kiran-r has joined #openstack-keystone		00:44
mordred	jamielennox: I hear I can figure out my currently scoped domain from the keystone session, yeah?	00:44
*** pece has quit IRC		00:46
openstackgerrit	OpenStack Proposal Bot proposed openstack/python-keystoneclient: Updated from global requirements https://review.openstack.org/190436	00:48
*** spandhe has quit IRC		00:55
*** _cjones_ has quit IRC		00:57
openstackgerrit	Steve Martinelli proposed openstack/python-keystoneclient: Add openid connect client support https://review.openstack.org/134700	01:00
*** browne has joined #openstack-keystone		01:02
*** bknudson has joined #openstack-keystone		01:04
*** ChanServ sets mode: +v bknudson		01:04
*** lhcheng has joined #openstack-keystone		01:06
*** ChanServ sets mode: +v lhcheng		01:06
*** lhcheng_ has joined #openstack-keystone		01:07
*** rdo has quit IRC		01:08
*** lhcheng has quit IRC		01:10
*** rdo has joined #openstack-keystone		01:10
*** ankita_wagh has joined #openstack-keystone		01:11
*** chlong has quit IRC		01:11
*** jdennis has left #openstack-keystone		01:11
*** richm has quit IRC		01:12
*** dims_ has joined #openstack-keystone		01:18
*** dims has quit IRC		01:21
*** tobe has joined #openstack-keystone		01:24
*** iamjarvo has joined #openstack-keystone		01:30
openstackgerrit	Steve Martinelli proposed openstack/python-keystoneclient: Add openid connect client support https://review.openstack.org/134700	01:31
ayoung	jamielennox, on https://review.openstack.org/#/c/177661/ we've kindof made guang bounce back and forth on "separate middlewarea' versus "do it in "ATM" and there are pros and cons for each one	01:38
ayoung	morganfainberg, pretty much came down firmly on the side of "configuring it by adding it in all the service pipelines is bad"	01:39
*** richm has joined #openstack-keystone		01:39
ayoung	I was mixed, but now that I see the number of config options, I think we are better off with it in ATM	01:39
ayoung	mordred, You settled it then?	01:43
jamielennox	mordred: umm, not the currently scoped domain	01:46
jamielennox	mordred: it's not really something i ever thought would be useful	01:46
jamielennox	you can get the current project id and the current user id	01:46
jamielennox	and with the whole moving towards projects only i didn't figure it was required	01:47
jamielennox	ayoung: so you think in the same middleware as auth_token?	01:47
jamielennox	i just think that endpoint_id is not the only thing you are going to want there	01:47
jamielennox	i mean you can't even be sure that endpoint_id will be in the policy line, so we're going to have a bunch of enforce_* when they want to do something like you can only access this endpoint from this project	01:48
ayoung	jamielennox, so we had him write it generic enough that the endpoint Id is not the only thing it can enforce. It is Global policy...anything that is not specific to one particular API	01:48
jamielennox	ayoung: right, but you need to pass the endpoint you want to enforce against for him to make the target dict	01:48
ayoung	but endpoint_id (or maybe URL) will be pulled from context...I suspect the config file	01:49
ayoung	actually...good point, we should unify on URL	01:49
jamielennox	and i imagine in future we're going to want to have policy middleware that checks policy at the URL layer - which is essentially this	01:49
ayoung	jamielennox, so, populating the context for the query aside, yes, I think it should be in ATM...I can see qana rgument either way, butwe have to chose one	01:50
*** belmoreira has quit IRC		01:50
jamielennox	so my feeling is that this is a consumer of the information that auth_token middleware provides	01:50
jamielennox	and as soon as you have to have a flag that says enabled=True/False you can replicate that by in the pipeline vs out of it	01:50
ayoung	there would be an implied ordering anyway, that the token has to be expanded prior to the middleware enforcing this	01:50
ayoung	but it is a corss cutting concern, so it should be in middleware	01:51
jamielennox	sure	01:51
jamielennox	i'm not arguing the repo, just the file	01:51
ayoung	no, I mean that even if it were in a seaprate middelware, I'd have issues with it	01:51
jamielennox	oh, me too - i'm not convinced it's a good idea at all	01:51
ayoung	cus it implies the midddlewars need to specified in an order...an implied contract, and I really don't like that	01:51
jamielennox	ayoung: we have that for just about everything already	01:52
ayoung	heh	01:52
jamielennox	you can't do anything without auth info	01:52
ayoung	morganfainberg, was prety convince that editing the pipeline everywhere wwould be a non-starter	01:52
jamielennox	sounds like a puppet problem	01:52
ayoung	and...since it kindo needs other config values anyway, you'd end up having to change both paste and config in lock step	01:53
ayoung	paste doesn't really thrill me	01:53
*** ankita_wagh has quit IRC		01:53
jamielennox	i think we do too much in middleware now, but there are some things like this whjch are properly optional components that happen before you get to the main app which are perfect for it	01:53
*** stevemar has quit IRC		01:53
ayoung	yeah...so I agree the question is ATM or other...	01:53
jamielennox	and as you say, i'm really not convinced this is a great idea and if we put it in auth_token middleware we'll support it forever	01:53
ayoung	and...make a hard case for other and I think we'll let you and moprgan duke it out...I am "more ATM than other" but really just want progress	01:54
jamielennox	having done a lot of refactoring on it recently it really is too big	01:54
jamielennox	then again you could argue that everything like bind checking should really be done in seperate middleware as well	01:55
ayoung	well, two middlewares is just adifferent division of code, not less code	01:55
jamielennox	and i see the point that not everyone uses paste	01:55
jamielennox	a lot of the new projects hardcode auth_token middleware in place	01:55
jamielennox	so they wouldn't be configurable in the same way	01:56
mordred	jamielennox: oh - so - kinda bu maybe not really	01:56
jamielennox	mordred: do you mean the domain of the project or you've got a domain scoped token?	01:56
mordred	jamielennox: I'm punting right now and ooking in my input auth dict for a domain_id and using that as a default value if no domain is provided on api calls that want a domain	01:56
jamielennox	what api calls want a domain?	01:57
jamielennox	even in keystone?	01:57
mordred	one sec	01:57
mordred	create project	01:57
jamielennox	the reason i exposed project_id from plugin is like nova and cinder apis that have a project_id in the URI so you have to fetch it from somewhere	01:57
mordred	and create user	01:57
jamielennox	but you really shouldn't ever need the domain id	01:57
mordred	no?	01:57
mordred	it's in the python api parameter list	01:58
jamielennox	ayoung: do we default create_user to be the same domain as the token scope?	01:58
jamielennox	there was a conversation about that once	01:58
ayoung	jamielennox, I think so...I can check	01:58
ayoung	jamielennox, v3, right?	01:58
jamielennox	i'd need to check code and i just got back from a run so need a shower first	01:58
jamielennox	ayoung: yea	01:58
jamielennox	i think if you don't provide a domain_id it pulls it puts it in the same domain as the user is authed to	01:59
ayoung	jamielennox, OK starts here http://git.openstack.org/cgit/openstack/keystone/tree/keystone/identity/controllers.py#n211	01:59
ayoung	_normalize_domain_id ... lets see waht that does	01:59
*** fangzhou has quit IRC		02:00
ayoung	http://git.openstack.org/cgit/openstack/keystone/tree/keystone/common/controller.py#n753	02:00
ayoung	So if not specified...	02:00
jamielennox	mordred: ^ so if you don't specify the user should be created in whatever the domain you are currently scoped to	02:01
ayoung	but that seesm to intend to leave the valeu submitted by the user	02:01
jamielennox	ayoung: it should allow a user to create a user in another domain, but by default you probably want to create them in the domain you're in now	02:01
ayoung	http://git.openstack.org/cgit/openstack/keystone/tree/keystone/common/controller.py#n745	02:02
ayoung	jamielennox, I think I disagree: I would argue that the token should be scoped to the DOmain in which you want to create the user.	02:02
jamielennox	balls - that's stupid	02:02
ayoung	Basektballs.	02:03
jamielennox	why would you go user -> project -> domain and find domain that way	02:03
jamielennox	cummon v4 api!	02:03
jamielennox	s/would/wouldn't	02:04
jamielennox	brb	02:04
*** fangzhou has joined #openstack-keystone		02:06
mordred	jamielennox: AWESOME! that is the behavior I wanted and was trying to achieve, I can remove some code	02:08
mordred	ayoung: also, I don't know what I'm talking about, but I would like to agree with jamie here	02:09
mordred	however - I'd like to use slightly different words	02:09
mordred	largely because I have never once in my life scoped a token to anything	02:09
mordred	I have a user, that user has the ability to do things.	02:09
mordred	one of the things that user might be able to do is create users in any domain, like a cloud admin, right?	02:10
*** fangzhou has quit IRC		02:10
mordred	would I expect the cloud admin user to present a new auth transaction to do that?	02:11
mordred	like, would I say "keystone.Session(user='admin', domain='foo'); do something " then "keystone.Session(user='admin', domain='bar'); do something"	02:12
mordred	OR	02:12
mordred	keystone.Session(user='admin', domain='foo'); do_something(domain='bar')	02:12
mordred	(I've now talked myself into not having an opinion and ammerely curious)	02:12
mordred	ayoung: hrm. I may have actually come around to completely agreeing with what I think you said above	02:13
*** richm has quit IRC		02:14
mordred	because if that's the case, I don't EVER have to worry about domain as a parameter to any action I want to do - I need to auth to a particular domain to do work there, and once auth'd, that's where I do work	02:14
mordred	assuming that acloud admin can auth to a user's domain and project in order to do things like set up networks on their behalf as part of an accoutn creation automation	02:15
openstackgerrit	Davanum Srinivas (dims) proposed openstack/keystonemiddleware: Remove install_venv_common and fix typo in memorycache https://review.openstack.org/189113	02:17
mordred	could I assume the same thing for create_user and project?	02:17
openstackgerrit	Davanum Srinivas (dims) proposed openstack/python-keystoneclient: Remove unnecessary install_venv_common module https://review.openstack.org/189123	02:17
ayoung	mordred, yeah, although we should still make people explicitly state what domain or project they are doing something in, and compare with the token, just so they don't accidentally do things in the worong project, etc	02:17
ayoung	mordred, SO, you touch on an interesting point	02:18
ayoung	with "admin somewhere is admin everywhere" like we have now, it is possible we have APIs where the cloud admin can't actually fix a broken situation...cuz it looks for context from the token	02:18
mordred	I mean, if I log in as foo@bar/projectA and run create user - you're saying you think I should still do create user bang@bar/projectA rather than just bang?	02:19
ayoung	mordred, there are some tricky things like with policy, where we need to fetch and object from the database to see what project it is in	02:19
mordred	(I ask for clarity, because it's quite a lot of work to do that with the v2/v3 api differences)	02:19
ayoung	mordred, from the WebUI, I think it makes sense that the user would see the domain in the listing, and not have to explicitly specify. From the CLI....I can see either view, but err more on the side of "be explicit" over "infer"	02:20
ayoung	mordred, what I don't think you should be able to do is get a token scoped to one domain, and perform an action on another	02:21
ayoung	the token has both a user scope and a project scope, and it is the project scope that counts	02:21
jamielennox	mordred: so yea - it's not going to work that simply apparently, if you don't specify domain it will work from a domain scoped token otherwise it uses the CONF.default_domain_id which is horrible	02:21
ayoung	you need to have a role on the project (or domain) to affect change in there	02:21
ayoung	jamielennox, and all that logic happens after the policy check, too	02:22
jamielennox	and thinking about it i guess it's because you would have to make a choice between whether project_domain_id or user_domain_id took priority in the other case	02:22
jamielennox	project seems logical there, but whatever	02:22
jamielennox	mordred: so there is a hacky way to do it that'll work 99% of the time	02:23
* mordred is starting to think he's thinking about this too hard since this is an admin function ...		02:23
jamielennox	auth.get_access(session) is an AccessInfo object which has domain_id (domain scope) user_domain_id and project_domain_id (project scoped)	02:23
mordred	ooh	02:23
jamielennox	that'll exist for all the keystone auth mechanisms	02:24
jamielennox	it's going to fail for things like TokenEndpoint and maybe future SSL certs and stuff like that which won't get an actual keystone token	02:24
jamielennox	the method just won't exist on those plugins	02:26
mordred	nod	02:26
ayoung	jamielennox, got this code sucks	02:26
mordred	so	02:26
jamielennox	ayoung: my stuff? :)	02:26
ayoung	no	02:26
ayoung	identity	02:26
mordred	I think I'm going to try a version of ayoung's be-explicit thing	02:26
ayoung	mordred, what are you working on?	02:27
mordred	and since it's an admin api, I'm ok with exposing v2/v3 differences to the end user - or expecting them to grok them	02:27
mordred	so I'll accept domain as a param, and if the endpint is v3 and they don't give one, I'll throw an error	02:27
mordred	ayoung: shade patches - leading towards ansible module	02:27
mordred	working on ansible module really - but the shade patches are required to get there	02:28
ayoung	mordred, heh	02:28
openstackgerrit	Merged openstack/python-keystoneclient: Updated from global requirements https://review.openstack.org/190436	02:28
ayoung	mordred, I was working on setting up a demo, got fed up with the varuious CLIs, and started using the python API directly	02:28
ayoung	mordred, so far I got this https://github.com/admiyo/ossipee/blob/master/rhosidm.py	02:29
mordred	ayoung: :)	02:29
ayoung	it just creates a network and a VM	02:29
mordred	ayoung: oh! you should use shade	02:29
ayoung	mordred, I might...	02:29
ayoung	mordred, jamielennox and I were both thinking that we had no permissions to clean up neutron stuff in our lab. Turns out we just were not deleting all of the objects in the right order...	02:30
mordred	yah	02:31
jamielennox	ayoung: oh? i tried a few different things	02:31
ayoung	the lab techs themselves were fighting cleaning this up....	02:31
ayoung	jamielennox, you need to start by deleting the VMs attached to the network....	02:31
ayoung	getting it right is labor intensive	02:31
jamielennox	and none of this was mentioned in the errors coming back from horizon	02:31
jamielennox	i just got permission denied	02:31
ayoung	jamielennox, exactly	02:31
ayoung	jamielennox, I thought the same thing until wfoster or someone set me straight. I still don't know why it let two subnets with overlapping subnets happen, as I got errors about that later, too	02:32
jamielennox	ayoung: i'm sure you're allowed to do that with neutron	02:33
ayoung	jamielennox, it sounds like they have a "tear down the network" script now	02:33
ayoung	jamielennox, maybe...	02:33
*** dims_ has quit IRC		02:33
ayoung	yeah, maybe it was just two subnets in the same network that is explicitly disallowed, but not on different networks...that would reflect what I saw. I think.	02:33
openstackgerrit	Merged openstack/keystoneauth: removed custom assertDictEqual https://review.openstack.org/189320	02:34
openstackgerrit	Merged openstack/keystonemiddleware: Updated from global requirements https://review.openstack.org/190428	02:34
mordred	jamielennox: https://review.openstack.org/190442	02:39
mordred	jamielennox, ayoung: updated that after this conversation - very helpful I think	02:39
ayoung	mordred, glad to hear it	02:39
openstackgerrit	Merged openstack/keystonemiddleware: Fixes a spelling error in a test name https://review.openstack.org/189365	02:40
*** ankita_wagh has joined #openstack-keystone		02:40
*** stevemar has joined #openstack-keystone		02:41
*** ChanServ sets mode: +v stevemar		02:41
openstackgerrit	Merged openstack/python-keystoneclient: Iterate over copy of sys.modules keys in Python2/3 https://review.openstack.org/189834	02:41
*** henrynash_ has joined #openstack-keystone		02:42
*** ChanServ sets mode: +v henrynash_		02:42
jamielennox	mordred: looks sane at first glance, i think it's always best to throw errors first and if people complain you can come up with some defaults, you just can't go the other way	02:43
*** varya has joined #openstack-keystone		02:43
*** henrynash has quit IRC		02:43
*** henrynash_ is now known as henrynash		02:43
*** lhcheng_ has quit IRC		02:44
*** tobe has quit IRC		02:46
*** tobe has joined #openstack-keystone		02:47
*** bknudson has left #openstack-keystone		02:49
*** tobe has quit IRC		02:50
*** kiran-r has quit IRC		02:51
mordred	jamielennox: yah	02:51
*** ajayaa has joined #openstack-keystone		02:51
mordred	jamielennox: so - for user creation - I should really require both domain and project, yes?	02:51
jamielennox	mordred: user creation domain only	02:51
mordred	s/project/default_project/	02:51
mordred	kk	02:51
*** tobe has joined #openstack-keystone		02:51
jamielennox	you can accept default_project - i'd like the concept to die but we're along way from that	02:52
ayoung	mordred, project means nothing for users....I would say that today, it would be adomain scoped token, but we are also looking at "a domain IS-A prjoejct" so an appropriate scoped project token would make sense...but that is Liberty timeframe	02:52
ayoung	users are owned by domains, not by projects.	02:53
mordred	does it make more sense in v2?	02:53
mordred	like, in v2, I need a tenant_id for a user creation, right?	02:53
ayoung	jamielennox, let me finish reviewing this patch, and then I have something to run by you on the endpoint thing...	02:53
jamielennox	mordred: umm, need... i'm not sure if you need it in v2 or it's optional	02:54
jamielennox	i'll need to check that	02:54
mordred	kk. I'll poke	02:54
jamielennox	mordred: it looks optional	02:55
jamielennox	http://git.openstack.org/cgit/openstack/keystone/tree/keystone/identity/controllers.py#n77	02:56
mordred	jamielennox: if I juse used the keystone v3 name - default_project - for the parameter name, would that be totally bonghits in v2?	02:57
mordred	(like, ignoring that it's tenant in v2)	02:57
jamielennox	mordred: yea, and because of the way keystone (stupidly) stores your random crap from the API i've no idea what would happen if you passed in default_project and then tried to read that user from v3	02:58
mordred	oh - no, I'll transform it to tenant_id if it's v2	02:58
mordred	I'm just thinking about the python api nming here ...	02:58
jamielennox	actually based on the code it would probably work just fine, but you're going off spec	02:59
mordred	oh - I'm so far off spec :)	02:59
ayoung	jamielennox, OK...so, lets take the idea that policy should be a middleware and accept that it can't, because we need to fetch the object from the database. I don't see that changing, as it would rqwuire redoing a bunch of APIs, like most of Keystone V3....but	02:59
ayoung	We need to keep policy in a stage after token expansion, but nothing says it has to be in the middleware	02:59
*** stevemar has quit IRC		02:59
ayoung	it could be part of the policy check	02:59
jamielennox	quote of the day so far	03:00
ayoung	what the current policy check does not have right now is a concept of a "also check this on every rule"	03:00
jamielennox	ayoung: so let me offer what i've been thinking of first	03:00
ayoung	so, maybe the right solution is to make Oslo.policy have a global section	03:01
ayoung	in addition to the "per API" section	03:01
ayoung	ah...go ahead	03:01
jamielennox	nova is already keen to move to a URI based policy enforcement	03:01
ayoung	right	03:01
jamielennox	and i think thats a great idea because it's dumb you have to figure out what functoin /v3/users/XXX/projects maps to for policy	03:01
jamielennox	why don't we just enforce policy twice?	03:02
jamielennox	once statically based on URI in middleware, it cannot have object specific information	03:02
jamielennox	that i think would cover a large number of uses	03:02
jamielennox	then once at like the Manager level	03:02
ayoung	and once later to make sure the project matches?	03:03
jamielennox	so get_user is actually on get_user protecting the database	03:03
ayoung	so...I like that idea. It aligns with something else I've been thinking	03:03
jamielennox	that would be enforced pretty much any time someone tried to access stored data	03:03
ayoung	we don't really want users messing with that second stage	03:03
jamielennox	(caching etc)	03:03
ayoung	the devs know where the project id is, and chagnign that should be outside the realm of configuration	03:03
ayoung	that check really should be in code	03:04
*** david-lyle has joined #openstack-keystone		03:04
*** varya_ has joined #openstack-keystone		03:04
jamielennox	ayoung: i'll be honest i think most of this should be in code but everyone wants to play with the options	03:04
ayoung	the part that needs to be modifiable is "what role do we assign to the user to allow them to do this"	03:04
jamielennox	so i don't know how practical that split is	03:05
jamielennox	there seems to be a lot of ownership testing going on	03:05
ayoung	I've been advocating it already as a "best practice"	03:05
jamielennox	and i don't know if this is better or worse in projects other than keystone	03:05
*** iamjarvo has quit IRC		03:05
ayoung	jamielennox, it varies...	03:06
ayoung	jamielennox, cielometer specifies a default rule and that is it...	03:06
ayoung	nova has really detailed rules	03:06
jamielennox	ayoung: i mean at the moment everyone just checks for admin role, so we can enforce that without object ownership	03:06
ayoung	jamielennox, so long as we check ownership as some point...but we need to scope in admin....	03:07
ayoung	the cutrent system is broken	03:07
ayoung	current	03:07
jamielennox	ayoung: it would take trying it really	03:07
*** varya has quit IRC		03:07
jamielennox	and i've got other fish	03:07
ayoung	jamielennox, this is my fish to dry...but...back to the origianl point	03:07
jamielennox	poor dry fish	03:08
jamielennox	that's just mean	03:08
ayoung	so if we could do policy on a per URL basis, and we did that in a middleware, then...the globarl thing still would work	03:08
ayoung	I forgot to put water in the fish bucket	03:08
jamielennox	ayoung: yep - also i don't want to call it global	03:08
ayoung	agreed	03:08
jamielennox	name it auth_token or something	03:08
ayoung	heh...I need a word that implies "applied on every rule"	03:09
jamielennox	meh, i think i prefer to name it based on where it's coming from	03:10
jamielennox	but either way	03:10
ayoung	so, putting aside the name, it would give us a way to do things like endpoint, but also the binding check, and so forth	03:10
ayoung	you could call it a Macro...its automatically applied.	03:11
openstackgerrit	Merged openstack/keystone: Fix spelling in configuration comment. https://review.openstack.org/190318	03:14
ayoung	jamielennox, so I wonder if the hierarchical thing that david is building into his engine could actually support this. If we somehow said that: here is a check that every rule inherits...	03:14
ayoung	so long as the tool supported it, and the policy files were autogenerated, there would be no reason to make it an explicit check in the code.	03:14
ayoung	that was my original approach to endpoint binding anyway	03:15
ayoung	but...the way that gyee is going about it, it would depend on the endpoint actually chosing to enforce it or not...and with a global policy file, it would be applied evently everywhere	03:16
openstackgerrit	Merged openstack/keystone: Avoid using the interactive interpreter for a one-liner https://review.openstack.org/188799	03:18
openstackgerrit	Jamie Lennox proposed openstack/keystonemiddleware: Create a simple base class from AuthProtocol https://review.openstack.org/180816	03:21
openstackgerrit	Merged openstack/keystonemiddleware: Remove custom header handling https://review.openstack.org/180385	03:29
*** dims has joined #openstack-keystone		03:33
*** varya_ has quit IRC		03:35
*** kiran-r has joined #openstack-keystone		03:42
openstackgerrit	Merged openstack/keystonemiddleware: Refactor request methods onto request object https://review.openstack.org/180394	03:45
openstackgerrit	Jamie Lennox proposed openstack/keystonemiddleware: Extract basic validation processing to base class https://review.openstack.org/180818	03:47
openstackgerrit	Jamie Lennox proposed openstack/keystonemiddleware: Make token bind work with a request https://review.openstack.org/180817	03:47
openstackgerrit	Jamie Lennox proposed openstack/keystonemiddleware: Create a simple base class from AuthProtocol https://review.openstack.org/180816	03:47
*** varya_ has joined #openstack-keystone		03:51
jamielennox	ayoung: is there a reason to cache PKI tokens in middleware?	03:53
jamielennox	is there a useful advantage in memcache vs decrypting it again?	03:53
*** noye has quit IRC		03:54
ayoung	jamielennox, I think it is considered a performance tuen, and even there, I would question that	03:54
jamielennox	i'd be skeptical of the performance bump because you are commiting a lot of extra data to memcache	03:55
ayoung	especially if we get CMS support from python-cryptography, and lose the cost of the popen	03:55
ayoung	crypto is CPU intensive	03:55
ayoung	memcache is I/O	03:55
ayoung	so...meh?	03:55
jamielennox	ayoung: do you think people would complain if i removed it? :p	03:56
ayoung	jamielennox, Ha...I don't know	03:57
ayoung	jamielennox, this is PKI token only?	03:57
ayoung	would UUID tokens still be cached then?	03:57
*** kiran-r has quit IRC		03:57
jamielennox	sure, you'd still cache things you got from keystone	03:57
jamielennox	just always use pki to decode PKI tokens	03:57
ayoung	I'd be OK with that. I think.	03:58
*** fifieldt has joined #openstack-keystone		03:58
*** ajayaa has quit IRC		03:58
ayoung	jamielennox, I wonder how many people are still using PKI tokens. I suspect not many	04:00
jamielennox	ayoung: hmm, it might mess with the check_revocations_from_cache option - but that should exist anyay	04:00
jamielennox	again only for PKI tokens	04:00
*** iamjarvo has joined #openstack-keystone		04:01
ayoung	nothing is cached...so it will always check revocations	04:02
*** ankita_wagh has quit IRC		04:03
*** tobe has quit IRC		04:04
jamielennox	right	04:04
jamielennox	which is not what happens now	04:04
*** ankita_wagh has joined #openstack-keystone		04:06
ayoung	that should be OK...the revocation check is not a bad thing to do more frequently.	04:09
ayoung	Bed time	04:09
*** ayoung has quit IRC		04:09
*** tobe has joined #openstack-keystone		04:13
*** ajayaa has joined #openstack-keystone		04:15
*** markvoelker has quit IRC		04:26
*** Kennan2 has joined #openstack-keystone		04:36
*** Kennan has quit IRC		04:37
*** ajayaa has quit IRC		04:50
*** tobe has quit IRC		04:56
*** tobe has joined #openstack-keystone		05:01
*** ankita_wagh has quit IRC		05:08
*** varya_ has quit IRC		05:15
*** kiran-r has joined #openstack-keystone		05:15
*** varya has joined #openstack-keystone		05:16
*** davechen has quit IRC		05:17
*** belmoreira has joined #openstack-keystone		05:22
*** markvoelker has joined #openstack-keystone		05:27
*** markvoelker has quit IRC		05:32
*** belmoreira has quit IRC		05:38
*** rushiagr_away is now known as rushiagr		05:41
*** stevemar has joined #openstack-keystone		05:42
*** ChanServ sets mode: +v stevemar		05:42
stevemar	jamielennox, around?	05:44
jamielennox	stevemar: yes	05:44
marekd	stevemar: oh-hai	05:44
stevemar	jamielennox, marekd oh shit, both of the guys i wanted to talk to!	05:44
*** ajayaa has joined #openstack-keystone		05:44
stevemar	i finally got around to making that oidc plugin :)	05:44
marekd	stevemar: i will be here whole day!	05:45
marekd	stevemar: great1	05:45
stevemar	it helped that i was near the oidc experts all week long :)	05:45
*** varya has quit IRC		05:45
stevemar	I'm trying to test it out with openstack CLI, but i'm getting funky behaviour	05:45
*** varya has joined #openstack-keystone		05:45
stevemar	like, it's not passing along --os-identity-provider or --os-protocol forward	05:46
stevemar	i'll paste	05:46
stevemar	http://paste.openstack.org/show/283129/	05:48
stevemar	also, it seems to mess up depending on the order of things	05:48
marekd	stevemar: lxml installed?	05:50
stevemar	if i put the command first: http://paste.openstack.org/show/283130/ << this one gets farther	05:50
stevemar	i'm not samlizing anything, but i think so	05:50
marekd	stevemar: there was a weird behaviour where without lxml i didn't see options like identity-provider in osc....	05:50
stevemar	marekd, just checked, it's installed	05:51
jamielennox	stevemar: so the second one looks like your new plugin has lots of required arguments to __init__	05:51
marekd	stevemar: do you see those options in openstack --help list?	05:51
marekd	stevemar: ok	05:51
marekd	stevemar: yeah, which review?	05:51
stevemar	jamielennox, it does, but for some reason identity-provider and protocol are not being passed in	05:51
morganfainberg	hmmmmm.... zzzzzz	05:52
stevemar	let me push a new version	05:52
morganfainberg	stevemar: oidc folks helped out with stuff huh? :)	05:53
*** mabrams has joined #openstack-keystone		05:53
jamielennox	also OSC does stupid things with the auth options so it may come out werid	05:53
stevemar	jamielennox, yeah, i think that's occ not osc though :\	05:53
stevemar	but it seems to remove identity-provider and protocol from auth options?	05:54
jamielennox	stevemar: seems like a similar problem i was having	05:54
stevemar	morganfainberg, yes, they were :)	05:54
marekd	stevemar: so native cli support is already baked in OIDC specs ?	05:54
openstackgerrit	Steve Martinelli proposed openstack/python-keystoneclient: Add openid connect client support https://review.openstack.org/134700	05:54
stevemar	marekd, https://review.openstack.org/#/c/134700/	05:54
stevemar	marekd, sort of yes, but it's optional. google for instance doesn't support it	05:55
marekd	stevemar: ok, so it's a matter of popularizing this 'extension' not extending the protocol...it's like with ECP	05:55
marekd	with openstack we can make it more popular as people may be forced to start supporting this :P	05:55
stevemar	hehe, maybe	05:56
stevemar	google's stance on it, is that 2fa would never work	05:56
stevemar	the other work around was to force users to authenticate with a browser, and copy a pin/code	05:56
jamielennox	stevemar: so i would put in a pdb where OCC is compiling the options	05:56
stevemar	jamielennox, way ahead of you...	05:56
jamielennox	check what's set on the argparse namespace	05:57
jamielennox	and why OCC isn't picking up the right thing	05:57
*** lsmola has joined #openstack-keystone		05:57
stevemar	jamielennox, actually, can you double check my get_options in here are kosher? https://review.openstack.org/#/c/134700/11/keystoneclient/contrib/auth/v3/oidc.py	05:57
jamielennox	the problem with v2 and v3 passwords was that it was changing the dest= of the options and so when OSC registered them altogether it was wrong	05:57
jamielennox	but i don't think that would be an issue with identity-provider	05:58
stevemar	hmm	05:58
jamielennox	stevemar: lol	05:58
jamielennox	stevemar: line 29	05:58
* marekd https://twitter.com/mxcl/status/608682016205344768 <-- heh		05:58
stevemar	hehe	05:59
stevemar	i feel like jamielennox is going to point out something silly i did	06:00
jamielennox	stevemar: i was expecting you to look and see it instantly	06:00
jamielennox	options = super(federated.FederatedBaseAuth, cls).get_options()	06:00
jamielennox	not	06:00
stevemar	it's late and i've been traveling all week :(	06:00
jamielennox	options = super(OidcUnscopedToken, cls).get_options()	06:00
stevemar	have mercy	06:01
stevemar	oh jeez	06:01
jamielennox	you're skipping the options for federatedbase	06:01
ajayaa	Hi guys. I am trying to run tempest with a customized policy file for Keystone. Does tempest work with domain scoped tokens? For example, tempest would try to do "user list" and fail because it tries it with a project scoped token.	06:01
stevemar	jamielennox, lets just ignore that :)	06:01
jamielennox	ajayaa: not last time i tried, but admittedly it's been a few months	06:01
jamielennox	stevemar: you also don't chain up in __init__	06:02
jamielennox	though it looks like you do handle all the options	06:02
stevemar	nowww they are in there, let me check..	06:02
ajayaa	jamielennox, That should not be too hard to add in tempest given that OSC already supports it.	06:02
ajayaa	stevemar ^^	06:03
ajayaa	one more question, Did OSC support domain scoped token in Icehouse?	06:03
jamielennox	ajayaa: so I added support to tempest to do domain based authentication, and i had one or two patches out there to get it started	06:03
jamielennox	tempest doesn't use OSC	06:04
*** stevemar2 has joined #openstack-keystone		06:04
*** ChanServ sets mode: +v stevemar2		06:04
jamielennox	but last i checked there was some issues with how it created projects and such for testing in that didn't work with the standard v3 policy file	06:04
stevemar2	jamielennox, hotel booted me off the connect	06:04
stevemar2	connectionnnn	06:04
openstackgerrit	OpenStack Proposal Bot proposed openstack/keystone: Imported Translations from Transifex https://review.openstack.org/186279	06:04
stevemar2	what did you mean by chain up in init?	06:05
marekd	stevemar: where are you now?	06:05
ajayaa	jamielennox, Since I am trying to test domain scoped tokens with tempest icehouse, I am almost sure that it's not there.	06:05
jamielennox	morganfainberg: do you want to have a look at https://review.openstack.org/#/c/186226/ and such	06:06
jamielennox	stevemar2: super().__init__	06:06
jamielennox	ajayaa: i am pretty sure that won't work	06:06
ajayaa	jamielennox, Thanks!	06:06
*** stevemar has quit IRC		06:06
ajayaa	If I get time, I will have a look at current status and try to improve it.	06:07
stevemar2	oh, what should i do about auth_ref? it's craping out there now	06:07
jamielennox	ajayaa: that would be great! we're waiting for a new OSC release then we can get devstack to run with v2 disabled at which point we should really be able to figure out what might not work from tempest	06:07
marekd	jamielennox: ah, btw, can you take a look at this: https://review.openstack.org/#/c/176746/ ? it's been there for a long time.	06:07
marekd	stevemar2: why aren't you returning AccessInfo in get_unscoped_auth_ref() ?	06:10
jamielennox	marekd: +A	06:10
marekd	jamielennox: thank you sir.	06:10
jamielennox	marekd: i'll be honest, it looked right but i don't have a way to test it and we've never released that lib so we won't break anyone	06:10
jamielennox	marekd: oh i have one for you though	06:11
*** woodster_ has quit IRC		06:11
jamielennox	marekd: https://review.openstack.org/#/c/188329/1	06:11
jamielennox	can you verify that works for you guys	06:11
stevemar2	marekd, i dunno	06:11
jamielennox	I've destroyed all my kerberos environments and it will take me ages to get it going again	06:12
stevemar2	where'd all the saml plugin code go?	06:12
marekd	jamielennox: i don't have any kerb env now, but will check it later on	06:12
marekd	stevemar2: ?	06:12
jamielennox	marekd: cern not running kerb anymore?	06:12
marekd	jamielennox: running, running!	06:13
marekd	jamielennox: i just don't have it configured on my local env.	06:13
jamielennox	marekd: ah, ok	06:13
openstackgerrit	Merged openstack/python-keystoneclient-saml2: Refactor SAML2 auth plugins https://review.openstack.org/176746	06:14
stevemar2	marekd, i dont know why i didn't use accessinfo	06:15
stevemar2	i keep copying and pasting my password into the example script, i'm totally going to check it in	06:15
marekd	stevemar2: other thing is i don't know whether you want to code in ksc. Depending on when ksa is going to be released (did it got delayed or it's happening in ~2weeks /cc morganfainberg jamielennox ). Otherwise you may need some extra work with moving it to ksa soon - base classes has changed a littlebit.	06:16
morganfainberg	jamielennox: looking.	06:17
jamielennox	marekd: it's really waiting for me and i haven't done much about it in the last week or so	06:17
jamielennox	i started posting cut over patches to keystoneclient to get it working with auth	06:17
jamielennox	they haven't been reviewed much	06:17
marekd	stevemar2: i would also refrain from calling entrypoint oidcunscoped, because new base classes allow for retuning both scoped and unscoped token (depending on whether you passed scoping info or not).	06:17
jamielennox	at the summit dtroyer and mordred were on to me that we should split plugin loading out from the base plugins themselves - i think i have a way to do it	06:18
stevemar2	marekd, leave remarks in the patch!	06:18
marekd	jamielennox: like this one: https://review.openstack.org/#/c/186226/1 ?	06:19
marekd	stevemar2: ok	06:19
jamielennox	marekd: yep, then the follow up	06:19
marekd	oh, maybe i will add such trick in https://review.openstack.org/#/c/186854/2 and up	06:20
stevemar2	does the plugin need an auth_ref property?	06:20
marekd	don't think so.	06:20
jamielennox	stevemar2: no..., it should have the object automatically though	06:21
jamielennox	stevemar2: if you called super().__init__	06:21
openstackgerrit	Steve Martinelli proposed openstack/python-keystoneclient: Add openid connect client support https://review.openstack.org/134700	06:24
morganfainberg	marekd: I expect another ksa release in the next week or so. Trying to keep it moving through iterations so we can test/poke at things.	06:24
stevemar2	jamielennox, marekd ^	06:24
marekd	stevemar2: looking	06:25
jamielennox	stevemar2: still getting the auth_ref problem?	06:25
stevemar2	jamielennox, yessum	06:25
stevemar2	i shall paste	06:25
stevemar2	http://paste.openstack.org/show/283254/	06:26
stevemar2	jamielennox, le paste ^	06:26
*** iamjarvo has quit IRC		06:26
marekd	return super(OidcUnscopedToken, self).get_auth_ref(session, **kwargs) ?	06:27
marekd	last line of uidc.py	06:27
marekd	oidc.py	06:27
marekd	why?	06:28
marekd	stevemar2: ^^	06:28
*** markvoelker has joined #openstack-keystone		06:28
stevemar2	http://cdn.meme.am/instances2/500x/199726.jpg	06:29
stevemar2	marekd, i figured that was the way to get it to stop complaining about auth_ref	06:29
marekd	...aha	06:30
jamielennox	stevemar2: commented on review but i don't see what's wrong	06:31
*** lhcheng has joined #openstack-keystone		06:32
*** ChanServ sets mode: +v lhcheng		06:32
*** markvoelker has quit IRC		06:32
*** pnavarro_ has joined #openstack-keystone		06:34
marekd	stevemar2: ah, remove get_auth_ref completely from your plugin and only implement get_unscoped_auth_Ref()	06:36
morganfainberg	jamielennox: does pbr support the git link? I read somewhere i think?	06:37
stevemar2	marekd, hmm thats how i had it before...	06:37
morganfainberg	jamielennox: otherwise... Sure.	06:37
jamielennox	morganfainberg: it seems to work	06:37
morganfainberg	No problem with that.	06:37
morganfainberg	Ok.	06:37
jamielennox	morganfainberg: i had to remove the requirements job from that branch, but i think that's ok	06:37
marekd	stevemar2: 0_o	06:37
morganfainberg	jamielennox: sure. Just remember we need to cleanup that stuff before we merge back into master.	06:38
jamielennox	morganfainberg: oh yea, it's a while off yet	06:38
openstackgerrit	Steve Martinelli proposed openstack/python-keystoneclient: Add openid connect client support https://review.openstack.org/134700	06:38
stevemar2	cleaning up some of the comments y'all made	06:38
*** lhcheng_ has joined #openstack-keystone		06:39
marekd	stevemar2: erm, can you paste again what's failing now?	06:40
morganfainberg	jamielennox: +2	06:40
stevemar2	marekd, y, 1 sec	06:41
*** lhcheng has quit IRC		06:41
stevemar2	marekd, http://paste.openstack.org/show/283255/	06:41
marekd	stevemar2: and your Python script (in the review) works fine?	06:42
stevemar2	yep	06:43
marekd	openstack federation project list <<- did we hange the way we pass commands?	06:44
marekd	i don't recall 'federation' in osc....	06:44
*** lufix has joined #openstack-keystone		06:44
stevemar2	marekd, its a real command	06:45
stevemar2	is that not what you do?	06:45
marekd	i haven't used osc since a while.	06:46
marekd	stevemar2: https://github.com/openstack/python-openstackclient/blob/master/openstackclient/common/clientmanager.py#L175-L182did you try pdb here?	06:47
marekd	i wonder what's returned by self.auth_get_auh_ref() or what self.auth is (as well as it's dir(self.auth) )	06:48
marekd	stevemar2: https://github.com/openstack/python-openstackclient/blob/master/openstackclient/common/clientmanager.py#L175-L182 (didn't put space between link and 'did')	06:49
*** rushiagr is now known as rushiagr_away		06:50
stevemar2	let me see	06:50
*** toddnni has joined #openstack-keystone		06:51
stevemar2	marekd, p self.auth results in AttributeError at line 175 :P	06:53
marekd	stevemar2: did you do python setup.py install in keystoneclient after the changes? :P	06:54
stevemar2	marekd, excessively so :P	06:54
jamielennox	stevemar2: is that review most recent? i'll try and run it myself	06:55
stevemar2	yep, i have to make 1 change to OSC	06:55
stevemar2	https://review.openstack.org/#/c/190509/	06:56
stevemar2	jamielennox, if you or marekd +1 that i'll push it through, i think dtroyer and terry are out this week	06:56
jamielennox	stevemar2: i really dislike that section	06:57
stevemar2	jamielennox, i hate it with the fury of a thousand fires	06:57
stevemar2	its meant to be a patch until something comes in and replaces it, but we needed it, or we force users to specify DOMAIN ALL THE THINGS!	06:58
jamielennox	stevemar2: what's your command line	06:58
stevemar2	http://paste.openstack.org/show/283255/	06:58
stevemar2	thurrr ^	06:58
morganfainberg	stevemar2: I have some cleanup on the preso we worked on. I'll share the link to you so we can continue to clean it up before converting to html for publication type things.	07:01
morganfainberg	stevemar2: also isn't it silly late for you? Or are you still west coast?	07:02
stevemar2	morganfainberg, i put it up at: http://www.slideshare.net/SteveMartinelli1/building-iam-for-openstack btw	07:02
stevemar2	morganfainberg, still on west coast til tomorrow	07:02
stevemar2	i made a few other minor changes	07:02
morganfainberg	Ah. I'll share what I've done. You might like some of the cleanup.	07:03
jamielennox	stevemar2: what is https://review.openstack.org/#/c/134700/12/keystoneclient/contrib/auth/v3/oidc.py line 114	07:03
jamielennox	auth=client_auth	07:03
jamielennox	that's not right at all	07:03
jamielennox	is that trying to do requests_auth somehow?	07:03
jamielennox	like basic auth?	07:03
stevemar2	jamielennox, that's according to the spec, you supply the client ID and secret as basic auth	07:03
jamielennox	ok, use requests_auth=auth	07:04
jamielennox	auth= thinks your trying to do a ksc plugin	07:04
stevemar2	oh	07:04
*** darrenc is now known as darrenc_afk		07:04
jamielennox	i think you want to say authenticated=False there as well	07:04
jamielennox	otherwise the ksc.session will try and use your plugin to put a token on the request	07:04
morganfainberg	stevemar2: I was doing some changes to make it more "already know OpenStack" targeted.	07:04
* morganfainberg lets you get back to chatting with Jamie.		07:05
jamielennox	also you probably want to say json=payload	07:05
jamielennox	although i don't know how requests handles that otherwise	07:05
stevemar2	jamielennox authenticated=False for both post calls?	07:05
jamielennox	stevemar2: i assume so, otherwise it will call back into your plugin and infinite recursion occurs	07:06
marekd	stevemar2: yes	07:06
marekd	https://review.openstack.org/#/c/177227/7/keystoneclient_saml2/v3/saml2.py -> here it's authenticate=False everywhere	07:07
*** e0ne has joined #openstack-keystone		07:08
marekd	morganfainberg: you are in Tel Awiw now ?	07:12
marekd	or still Berlin ?	07:12
*** e0ne has quit IRC		07:12
stevemar2	jamielennox, blah, lots of changes to make it use KSC sessions	07:14
stevemar2	jamielennox, do ksc sessions not like verify=False?	07:15
jamielennox	stevemar2: shouldn't be that many changes	07:15
jamielennox	verify=False is fine i think	07:15
jamielennox	i mean you probably shouldn't but you know	07:17
morganfainberg	marekd: Berlin still.	07:17
stevemar2	jamielennox, yeah, i intend to remove that but my idp has an expired cert :)	07:17
stevemar2	jamielennox, now my python example is le fail	07:19
openstackgerrit	Steve Martinelli proposed openstack/python-keystoneclient: Add openid connect client support https://review.openstack.org/134700	07:20
stevemar2	jamielennox, uploaded a new version to make it ksc session friendly	07:20
jamielennox	stevemar2: so what errors?	07:21
jamielennox	unless it's pre the actual auth step i won't be able to help	07:22
stevemar2	i think it is	07:22
stevemar2	jamielennox, http://paste.openstack.org/show/283305/	07:23
jamielennox	oo, that's a 500 returned from somewhere	07:24
jamielennox	stevemar2: turn on debug	07:25
jamielennox	logging.basicConfig(level=logging.DEBUG) in a script	07:25
stevemar2	oh its that damn positional thing	07:25
*** ajayaa has quit IRC		07:27
*** bradjones has quit IRC		07:27
jamielennox	why is that coming back as a 500?	07:27
jamielennox	and also excellent, that's what it's for	07:27
*** e0ne has joined #openstack-keystone		07:28
stevemar2	looks like an encoding issue	07:28
stevemar2	the idp is barfing	07:28
*** bradjones has joined #openstack-keystone		07:29
*** bradjones has quit IRC		07:29
*** bradjones has joined #openstack-keystone		07:29
*** e0ne has quit IRC		07:29
stevemar2	probably failing to encode stevemar@ca.ibm.com	07:29
*** ajayaa has joined #openstack-keystone		07:30
*** jaosorior has joined #openstack-keystone		07:31
*** jistr has joined #openstack-keystone		07:33
stevemar2	hmm using requests it's fine	07:36
stevemar2	but if i switch auth=client_auth, data=payload, to requests_auth=client_auth, json=payload it goes caput	07:36
stevemar2	there we go	07:38
stevemar2	jamielennox, i needed to use ksc sessions for the calls	07:38
stevemar2	but i might have to use requests for the first one...	07:38
stevemar2	which i think is okay	07:38
jamielennox	stevemar2: i'd prefer we didn't have to	07:38
jamielennox	can you look at what's different between the two?	07:39
stevemar2	jamielennox, i will tomorrow	07:39
jamielennox	the only thing i can think of between those two is that json= uses jsonutils to encode	07:39
jamielennox	but i don't see why that would do anything there	07:39
stevemar2	that might be it	07:39
stevemar2	i doubt its the basic auth, cause those are both alphanumeric characters	07:40
stevemar2	the json payload contains at least an @ symble	07:40
jamielennox	yea, but i can't see why that would do anything	07:40
jamielennox	i didn't know that passing a dictionary to data= was even legal in requests	07:40
openstackgerrit	Steve Martinelli proposed openstack/python-keystoneclient: Add openid connect client support https://review.openstack.org/134700	07:41
jamielennox	what if you leave it as data= instead of json=	07:41
stevemar2	lemme see	07:41
jamielennox	is there any funny redirections happening in oidc?	07:44
stevemar2	jamielennox, nope	07:44
*** browne has quit IRC		07:45
stevemar2	jamielennox, keeping it as data= works	07:45
jamielennox	that's weird	07:45
jamielennox	i'd be interested to know what requests does there that is different to session	07:46
stevemar2	jamielennox, CLI works too	07:47
stevemar2	i dunno	07:47
stevemar2	i'll submit another and use KSC session	07:47
stevemar2	but keep it as data=	07:47
jamielennox	stevemar2: ok, at least it works!	07:48
stevemar2	yup!	07:49
stevemar2	i didn't know all the nuances to the KSC session	07:49
stevemar2	like authenticated=False	07:49
stevemar2	i thought that was a request-ism	07:49
stevemar2	it's not	07:49
openstackgerrit	Steve Martinelli proposed openstack/python-keystoneclient: Add openid connect client support https://review.openstack.org/134700	07:50
stevemar2	i'll add some tests tomorrow	07:50
stevemar2	but i think it's in decent shape-ish	07:50
stevemar2	re: KSA, i dont care about resubmitting it there, i'd prefer to have something sooner rather than later though, i have a team breathing down my neck for it :)	07:51
stevemar2	i could always give them a patch	07:52
jamielennox	stevemar2: submit it to ksc, we're going to have to merge everything else anyway	07:52
stevemar2	\o/	07:52
jamielennox	it'll get migrated with everything eles	07:52
stevemar2	expect a blog post	07:52
jamielennox	sweet	07:53
stevemar2	with what will no doubt look like the rantings and ravings of a mad man	07:53
jamielennox	stevemar2: but no body believes you	07:53
jamielennox	because after all that the plugin is 128 lines of code and i'm guessing less than half that is actual code	07:54
stevemar2	jamielennox, indeed	07:54
stevemar2	i should have gone to CIS last year and figured this all out!	07:54
jamielennox	oh the people breathing down your neck are from conferences?	07:55
stevemar2	https://github.com/zandbelt is the man	07:55
jamielennox	i assumed ibm	07:55
stevemar2	jamielennox, i meant internal, but that was just a joke :P	07:55
jamielennox	i'd believe it	07:55
*** darrenc_afk is now known as darrenc		07:56
*** davechen has joined #openstack-keystone		07:58
stevemar2	well that was fun!	08:00
stevemar2	that was the most code i've done in weeks	08:00
stevemar2	now i can go to bed and i won't have nightmares of oauth tokens and openid connect claims	08:00
stevemar2	thanks for all your help jamielennox ! i owe you a beer in tokyo	08:01
jamielennox	stevemar2: sounds good	08:01
jamielennox	np	08:01
*** ajayaa has quit IRC		08:03
*** krykowski has joined #openstack-keystone		08:04
openstackgerrit	Morgan Fainberg proposed openstack/keystone-specs: Add specification for validating/indexing extra attributes https://review.openstack.org/190532	08:07
*** noye has joined #openstack-keystone		08:08
*** fhubik has joined #openstack-keystone		08:09
*** stevemar2 has quit IRC		08:09
morganfainberg	jamielennox: ^ since you care about the extra attr headache	08:14
jamielennox	morganfainberg: make it burn!	08:15
morganfainberg	jamielennox: this puts us on a path to remove them but not break people - and allow people to still manage the extra data they need for business logic	08:15
jamielennox	morganfainberg: can we have a flag to just turn it off as well?	08:16
morganfainberg	jamielennox: we can but that wont ever be used	08:16
morganfainberg	because we can't default it on	08:16
morganfainberg	we have to maintain compatibility	08:16
jamielennox	because i imagine we can't enforce that you can only set extra that conforms to schema by dfeault either	08:16
morganfainberg	yep	08:16
*** markvoelker has joined #openstack-keystone		08:16
morganfainberg	and we have to assume we can't take the feature away	08:16
morganfainberg	so, make it so that when we get microversions (we will get them after flask)	08:17
jamielennox	i think we have to be more aggressive in our "upgrade notes"	08:17
jamielennox	tehse are things that you need to do to get from stable version to stable versoin	08:17
jamielennox	grrr, microversions	08:17
jamielennox	such a bad idea	08:17
*** rlt has joined #openstack-keystone		08:18
jamielennox	also i don't think that will help here because microversions are an API concept	08:18
*** markvoelker has quit IRC		08:21
*** Nikkau has joined #openstack-keystone		08:22
morganfainberg	anyay	08:23
morganfainberg	that spec ^ is leading towards not removing the feature but also not making extra attributes a trainwreck	08:23
morganfainberg	it does need some work but that is a first pass	08:24
morganfainberg	e.g. needs to addres some key concerns about how handling the non-SQL backends, etc	08:24
jamielennox	morganfainberg: i don't think we should support indexes - at least not in the first step	08:24
morganfainberg	comment that	08:25
morganfainberg	but the big push i'm getting is the index side not the validator side	08:25
morganfainberg	i'd rather we didn't need to index	08:25
morganfainberg	but looking at every record to see if an extra is set - ugly	08:25
morganfainberg	or broken.	08:25
openstackgerrit	Marek Denis proposed openstack/keystone: Mapping Engine CLI https://review.openstack.org/188302	08:25
jamielennox	morganfainberg: i can understand the desire to restrict extra if we can't remove it, but adding indexes is improving it	08:26
morganfainberg	jamielennox: it is.	08:26
morganfainberg	unfortunately, we are getting that push and i'm worried we are going to see a lot more push for this	08:27
*** jistr has quit IRC		08:27
morganfainberg	heck adam is pushing for DNSSEC validated attributes (which I'm against)	08:27
morganfainberg	it shouldn't be everything needs to be a first-class attr, but you need to do searches for these values.	08:27
morganfainberg	and right now people do: iterate across all objects to find it	08:28
morganfainberg	so my view is we force the validator to get indexing	08:28
jamielennox	morganfainberg: comment	08:29
jamielennox	ed	08:29
morganfainberg	great	08:29
morganfainberg	this is also trying to kill the namespace thing arvind was pushing. give a generic tool that means we don't have an explosion of deployment-specific top-level attributes.	08:30
morganfainberg	jamielennox: thanks	08:30
jamielennox	adam keeps coming back to DNS for ideas, and i don't see any of it	08:30
morganfainberg	jamielennox: i don't either.	08:30
morganfainberg	jamielennox: really i don't	08:30
jamielennox	also no to what arvind's thing was at summit	08:30
morganfainberg	jamielennox: exactly what this is meant to address - without breaking people	08:31
jamielennox	so as you say the current option is people have to iterate through objects to find things	08:32
jamielennox	which is bad	08:32
jamielennox	which is good because hopefully it means they'll use something better instead	08:32
jamielennox	i get we can't remove it, but i'm of the same opinion of "fixing" extra as i am of improving the user model in keystone - let's just push people another way	08:33
morganfainberg	except the issue is they aren't they're changing keystone code afaik	08:33
morganfainberg	which isn't good either	08:33
jamielennox	i forsee this giant comment in the resource model	08:35
jamielennox	# HEY YOU! yea you! back away from the keyboard	08:35
morganfainberg	i have a few other followup plans - notably we can also make the cleaners better - only let top-level attributes and/or validated attributes back out	08:35
morganfainberg	which eliminates PII leaking	08:35
jamielennox	morganfainberg: right i was going to bring that up - is there an issue if the schema changes whilst there is info in the db?	08:36
marekd	morganfainberg: FYI, i wasn't at the meeting last Tuesday so I don't know what was your opinion on the idea to squeeze two auth plugins next to each other (one --os-auth-plugin for local cloud and --os-remote-auth-plugin=k2k for remote cloud) but from yesterday's convo w/ jamielennox looks like we will need to make users put --os-auth-plugin=k2k and probably make user make it 2-step operation - get local token, switch configuration (plugin, scopin	08:36
jamielennox	at which point you start needing default values etc..	08:36
morganfainberg	marekd: hadn't thought about that	08:36
morganfainberg	jamielennox: this is why i tossed the first pass spec up	08:36
marekd	morganfainberg: ah, ok.	08:37
morganfainberg	jamielennox: more comments/discussion to be done, i expect it	08:37
jamielennox	so i see the UI improvement by having your --os-auth-plugin the same regardless if it's local or remote cloud	08:38
jamielennox	but that is a fairly significant change to auth	08:38
marekd	jamielennox: i know.	08:38
jamielennox	whereas if you specify a k2k plugin then we can do whatever we like uniquely to that plugin	08:38
jamielennox	marekd: catching morganfainberg up	08:38
morganfainberg	jamielennox: i agree	08:39
morganfainberg	having the UX be the same is better	08:39
marekd	:(	08:39
morganfainberg	between local/remote	08:39
morganfainberg	jamielennox: where the k2k one can be a bit more specialized	08:40
morganfainberg	yeah	08:40
morganfainberg	marekd: i'm willing to be convinced otherwise	08:40
morganfainberg	my concern is we might end up chaining through clouds	08:41
*** afazekas has joined #openstack-keystone		08:41
morganfainberg	A -> B -> C -> A	08:41
morganfainberg	would we need 5 options that way?	08:41
marekd	morganfainberg: so you agree with jamielennox that for now we should make ppl do --os-auth-plugin=k2k ?	08:41
*** ajayaa has joined #openstack-keystone		08:42
morganfainberg	i'm inclined to say that the plugin may need to be specific like that	08:42
marekd	i don't know how that would solve cloud-chaining problem.	08:42
morganfainberg	i'm mixing it up	08:43
morganfainberg	cli vs non-cli	08:43
morganfainberg	sorry	08:43
morganfainberg	for cli	08:43
*** jistr has joined #openstack-keystone		08:43
morganfainberg	i worry that two separate auth options are suboptimal	08:43
morganfainberg	but there is someone i want to specifically ask about this	08:43
marekd	morganfainberg: unless there is a nice way to easily switch configurations for clouds (esp. scoping info) it's fine, but i think having user to do login to local cloud, saving token manually and passing it to the command with openstack --os-auth-plugin=k2k and bursting will also be a terrible thing.	08:44
morganfainberg	someone who uses cli a lot	08:44
morganfainberg	i don't think i can say which is better more i think about it	08:44
jamielennox	marekd: no i don't want to make users deal with tokens - ever	08:44
jamielennox	marekd: if nothing else it doesn't work for CONF files	08:44
morganfainberg	i think we might want to make it where it's something else (not a direct auth plugin)	08:45
morganfainberg	that the users utilize for the burst cases	08:45
* morganfainberg will think a bit more on it today		08:45
marekd	jamielennox: ok, so we will need make OSC to first know how to auth with local cloud, switch the plugin and burst....	08:45
morganfainberg	chanigng the auth pliugin later may be bad in general	08:45
morganfainberg	er,	08:46
morganfainberg	er	08:46
morganfainberg	erm*	08:46
marekd	jamielennox: and this all with multiple combinations and only one --os-auth-plugin and --os-project_id etc (whee we need different for each cloud, local and remote)	08:46
morganfainberg	through the --auth-plugin option	08:46
morganfainberg	since it forces the user to know tokens	08:46
jamielennox	so it's never a matter of knowing tokens	08:46
jamielennox	so --os-auth-plugin is just a way to indicate in what way should i load the other plugins	08:47
jamielennox	i'm actually working on dtroyer's idea now of splitting the plugin loading away from the actual plugin and i think i can make it work	08:47
jamielennox	it may or may not be worth making it it's own repo but i think either way i will want to keep the split	08:47
jamielennox	if nothing else it will allow multiple named ways of loading the same plugin	08:47
jamielennox	for example we could have 3 types of 'password' plugin that took different options, like read this from a file, or somewhere	08:48
jamielennox	but underneath they all load the same plugin object with those values it has discovered	08:48
jamielennox	so we can do complex parsing that way	08:49
marekd	jamielennox: do you have something on gerrit ?	08:49
jamielennox	--os-auth-plugin k2kcomplex --os-innerplugin password --os-username XX ... --os-inner-plugin password --os-username YY or some such and parse them in order	08:49
jamielennox	marekd: not yet	08:49
jamielennox	marekd: still trying to make tests work and then see how it relates to existing keystoneclient	08:50
jamielennox	but i think i can handle that	08:50
marekd	fur sure	08:50
marekd	for	08:50
jamielennox	i think it will give me a way to remove oslo.config as well	08:50
marekd	jamielennox: i wonder how you want to handle env variables	08:51
jamielennox	marekd: i've got no idea	08:51
marekd	jamielennox: right now you rely on position and order of the attributes.	08:51
jamielennox	i think maybe we just don't for that case	08:51
marekd	jamielennox: makes names static_dynamic	08:52
jamielennox	we find some way to utilize OCC such that it knows how to handle mutliple plugins in yaml	08:52
jamielennox	and we just say you have to do it that way	08:52
jamielennox	hmm, even that i'm not sure because it mixes in env variables	08:52
marekd	jamielennox: you know...i might accept keeping my passwd in my env but surely i don't want to put it everytime in comandline...	08:52
marekd	so saying 'no' to env is probably wrong and will make people frustrated	08:53
jamielennox	marekd: yea, i still want to keyring it at some point	08:53
jamielennox	marekd: ok, selective env, you can just do the basic options because you will never need to specify 'password' twice	08:53
jamielennox	after the first cloud it's always token handling	08:53
marekd	jamielennox: i wsa rather thinking about labeling plugins....	08:54
marekd	osc --os-auth-plugin=password --label=plugin1	08:54
jamielennox	marekd: we can have plugins that work in different ways :)	08:54
marekd	and have OS_PROJECT_PLUGIN1=skdfs	08:54
jamielennox	marekd: that seems statefull?	08:54
marekd	you mean?	08:55
* marekd be back in 5 minutes		08:56
jamielennox	are you saying that you somehow have osc store this information?	08:56
marekd	jamielennox: no	08:56
jamielennox	like you preload it with auth information in seperate calls - and then at the end you retrieve it all	08:56
*** amaretskiy has joined #openstack-keystone		08:57
marekd	jamielennox: i might miss some dependency here but rather wanted OSC to label a plugin with and later load options from env with that label in the name...	08:57
marekd	openstack --os-auth-plugin=password --label=passwd1 list servers	08:57
marekd	and env var for that plugin would be called OS_PROJECT_NAME_PASSWD1	08:57
marekd	osc would look for *_PASSWD1	08:58
marekd	i know that is not the smartest idea, but...	08:58
marekd	maybe it's something.	08:58
jamielennox	could work	08:58
jamielennox	as mentioned we can do plugins in a number of different ways and try it out	08:59
jamielennox	i'm certainly willing to give it a try	09:00
openstackgerrit	Merged openstack/keystone: Imported Translations from Transifex https://review.openstack.org/186279	09:03
*** lhcheng_ has quit IRC		09:04
marekd	jamielennox: morganfainberg it's acceptable to +A it, right?	09:07
jamielennox	marekd: which?	09:07
marekd	jamielennox: hah, sorry: https://review.openstack.org/#/c/186226/1	09:07
jamielennox	marekd: yea	09:07
marekd	so it approved now.	09:08
jamielennox	so it begins	09:08
*** dguerri` is now known as dguerri		09:08
marekd	until when are you today working?	09:08
jamielennox	me? i'll probably sneak a little more in later but not much	09:10
evrardjp	good morning	09:10
jamielennox	marekd: i'm in perth (australia west coast) so it's just gone 5:10 here	09:10
jamielennox	which is why i've been around the last few days	09:10
marekd	jamielennox: yes, i know you are on aus west coast, just didnt bother to check what time is there and when do you plan to end your shift....	09:11
lifeless	jamielennox: I thought you lived in syd?	09:11
marekd	brisbane	09:11
marekd	i think.	09:11
marekd	(?)	09:11
lifeless	marekd: that was then	09:11
jamielennox	sydney - but that's east	09:11
jamielennox	lifeless: just for a week or two	09:11
jamielennox	the in-laws are here	09:11
marekd	jamielennox: you moved to syd?	09:12
lifeless	jamielennox: nice, lovely area	09:12
jamielennox	marekd: yea, start of the year	09:12
marekd	jamielennox: oh, didn't know that	09:12
jamielennox	lifeless: it's sooo much warmer	09:12
marekd	cool	09:12
marekd	jamielennox: so what are the temps there	09:13
lifeless	jamielennox: he says, speaking to the person that left syd cause it was too hot :)	09:13
jamielennox	we've been getting around 20	09:13
jamielennox	it's more that sydney has been horrible	09:13
jamielennox	however once finished here we're going to visit some people in canberra and bathurst - that's going to be cold	09:14
jamielennox	canberra mins have been around -4 the last week or so	09:14
jamielennox	i got too used to brisbane for that sort of weather	09:15
jamielennox	bbl	09:15
marekd	jamielennox: ok, so it's 20 but it's almost winter, right?	09:18
openstackgerrit	Marek Denis proposed openstack/keystoneauth: Add Keystone2KeystoneAuthPlugin for K2K federation https://review.openstack.org/188581	09:43
*** dims_ has joined #openstack-keystone		09:44
*** kiran-r is now known as kiran-r\|afk		09:46
*** kiran-r\|afk is now known as kiran-r		09:46
*** dims has quit IRC		09:47
*** e0ne has joined #openstack-keystone		09:47
*** e0ne is now known as e0ne_		09:54
*** amakarov has joined #openstack-keystone		09:54
*** Daviey has quit IRC		09:55
*** Daviey has joined #openstack-keystone		09:55
*** e0ne_ has quit IRC		10:00
*** varya has quit IRC		10:01
*** e0ne has joined #openstack-keystone		10:01
*** markvoelker has joined #openstack-keystone		10:05
*** markvoelker has quit IRC		10:10
*** ajayaa has quit IRC		10:12
*** ajayaa has joined #openstack-keystone		10:16
openstackgerrit	Davanum Srinivas (dims) proposed openstack/keystone: install_venv_common no longer in oslo-incubator https://review.openstack.org/189111	10:22
*** e0ne is now known as e0ne_		10:33
*** e0ne_ is now known as e0ne		10:34
samueldmq	hi, morning	10:46
*** noye has quit IRC		10:54
samueldmq	morganfainberg, hi, you around ?	10:55
samueldmq	morganfainberg, I had a discussion yesterday with operator99 (gyee) about the fetching policy by endpoint in middleware	10:56
samueldmq	morganfainberg, I'd like to have your view on that, since it was you who proposed to fetch them by endpoint_url	10:56
*** mabrams has left #openstack-keystone		10:57
morganfainberg	yes	10:57
morganfainberg	please please use the endpoint_url as the id	10:57
samueldmq	morganfainberg, great	10:58
samueldmq	morganfainberg, basically, an URL does not uniquely identify an endpoint	10:58
morganfainberg	don't use uuids they are awful ux	10:58
morganfainberg	it uniquely identifies a set of endpoints	10:58
samueldmq	morganfainberg, but as we allow the association of a policy per endpoint_id	10:58
morganfainberg	each endpoint should be the same, if things are different behind an HAProxy it's broken	10:58
morganfainberg	no we should remove that	10:58
morganfainberg	that should go away	10:58
samueldmq	morganfainberg, what do I do in the case I get multiple policies from a given url ?	10:58
morganfainberg	ok first off, the substitution stuff and per-project policy needs to be set aside	10:59
morganfainberg	we aren't doing per-project	10:59
morganfainberg	not today, and definitely not tomorrow, maybe down the line	10:59
samueldmq	morganfainberg, ok so we should implement policy per URL, right ?	10:59
morganfainberg	it doesn't change that the endpoint itself can't really have a separate policy	10:59
morganfainberg	if it's got the same URL as a similar/neighbor behind like haproxy	11:00
morganfainberg	url = host + URI in this case [to be clear]	11:00
samueldmq	but can we assume they are behind a HAproxy ? shouldn't we still provide this flexibitiy ?	11:00
morganfainberg	i'm of the opinion we make it too flexible it is unusable	11:00
samueldmq	though in the case nobody uses, there is no need to maintain	11:00
morganfainberg	start with less flexible move to more usable	11:01
morganfainberg	erm more flexible	11:01
samueldmq	yes I agree	11:01
morganfainberg	as we have use-cases	11:01
morganfainberg	so start with url	11:01
morganfainberg	we also know url apriori (we have to)	11:01
samueldmq	but we are already too flexible in the policy binding	11:01
morganfainberg	since we have to populate the catalog	11:01
morganfainberg	no one uses policy from keystone	11:01
morganfainberg	period.	11:01
morganfainberg	they can't	11:01
morganfainberg	it's broken, awful, and unusable	11:01
samueldmq	ok, so ... I was thinking about 'namespace' policy ..	11:02
samueldmq	so a namespace may be a url for now	11:02
morganfainberg	that i need to put a blob of things in keystone first and get a uuid, then reconfigure the endpoint to use that id	11:02
morganfainberg	makes it bad	11:02
samueldmq	and could be a project, domain, etc in a whille	11:02
samueldmq	while*	11:02
morganfainberg	so my view is the endpoint_url is the id	11:02
morganfainberg	we also need to not be doing substitution in the catalog	11:02
morganfainberg	the clients should know how to do that	11:02
morganfainberg	it shouldn't require the catalog to be smart	11:02
morganfainberg	so we should drive that way	11:03
morganfainberg	if that makes sense	11:03
samueldmq	k I understood the direction you want to go	11:04
morganfainberg	:)	11:04
samueldmq	did you see the idea on namespace ^ just above ?	11:04
morganfainberg	what is a namespace	11:04
morganfainberg	explain what you're solving	11:04
morganfainberg	because i really want to avoid the idea that we overload namespace for things it doesn't help with.	11:04
morganfainberg	but if it's a real use case i'm willing to entertain it of course, but knowing what you're trying to do helps.	11:05
samueldmq	policy binding on whatever we want to allow (for now url, in the future domain, project ?)	11:05
morganfainberg	waht is policy binding	11:05
morganfainberg	i'm asking what you are really trying to solve.	11:05
samueldmq	policy association	11:05
morganfainberg	again, building flexibility for the sake of flexibility makes the ux worse	11:05
samueldmq	ok	11:05
morganfainberg	be specific of the use-case	11:06
samueldmq	ok so forget this	11:06
morganfainberg	not just an idea	11:06
samueldmq	we need to provide a CRUD of policy based on URL	11:06
morganfainberg	the way i want to approach things like this is: specific use-case, general use-case, does this still make sense	11:06
morganfainberg	right we need a CRUD based on url	11:06
*** fhubik is now known as fhubik_afk		11:06
*** aix has quit IRC		11:07
samueldmq	I wanted something flexible enough so it would be easy to add policy per url, domain, project, etc	11:07
samueldmq	so the policy table would be somehting like (service, api, role, scope_constraint)	11:07
samueldmq	and 'namespace' as a column as well, so we could easily have policies per url, project, domain, etc	11:08
samueldmq	if that makes sense	11:08
samueldmq	but I agree that 'namespace' could be confusing at API level ... and make UX bad (or not, I am just not sure how it would look like)	11:09
samueldmq	morganfainberg, ^	11:09
samueldmq	or we could just have different tables for association ... (policy_id, url) , (policy_id, domain_id) and so on	11:12
samueldmq	which is better since we are not trying to solve the world with something called namespace	11:12
*** openstackgerrit has quit IRC		11:13
*** openstackgerrit has joined #openstack-keystone		11:14
*** varya has joined #openstack-keystone		11:19
*** varya has quit IRC		11:19
samueldmq	morganfainberg, /policies/<pid>/endpoints/<enpoint_url> .. and if it isn't a UUID, then I assume it is an URL ?	11:19
samueldmq	morganfainberg, how could we solve this, since we already have this URL ^ expecting an uuid	11:19
openstackgerrit	Merged openstack/keystone: Add validity check of 'expires_at' in trust creation https://review.openstack.org/188315	11:20
morganfainberg	So let's start by throwing out what we have.	11:21
*** e0ne is now known as e0ne_		11:21
morganfainberg	Pretend we do not have an api for this or we are doing a new one.	11:21
*** markvoelker has joined #openstack-keystone		11:21
morganfainberg	That's what I'd start with.	11:21
samueldmq	morganfainberg, hmm, sounds like a good approach ... learning time!	11:22
samueldmq	morganfainberg, actually I'd not call it /endpoints, since the url doesn't identify an endpoint, and a set of them instead	11:24
samueldmq	morganfainberg, but I don't think we have a name for a set of endpoints which are represented by an url	11:24
samueldmq	morganfainberg, how would you do it ?	11:25
*** markvoelker has quit IRC		11:25
openstackgerrit	Jamie Lennox proposed openstack/keystoneauth: Split plugin loading https://review.openstack.org/190594	11:31
jamielennox	morganfainberg: ^	11:31
jamielennox	marked WIP	11:32
*** e0ne_ has quit IRC		11:32
morganfainberg	jamielennox: cool.	11:32
*** e0ne has joined #openstack-keystone		11:36
openstackgerrit	Jamie Lennox proposed openstack/keystonemiddleware: Extract basic validation processing to base class https://review.openstack.org/180818	11:39
openstackgerrit	David Charles Kennedy proposed openstack/keystone: Remove services with no endpoints from catalog https://review.openstack.org/176383	11:40
*** radez_g0n3 is now known as radez		11:40
jamielennox	morganfainberg: with PKI we don't cache or otherwise decrypt it on the server side do we?	11:53
jamielennox	it's purely read by ID from the database	11:54
jamielennox	would it cause issues if i fixed that?	11:54
*** viktors has joined #openstack-keystone		11:56
*** markvoelker has joined #openstack-keystone		11:56
viktors	lbragstad: hi!	11:58
morganfainberg	jamielennox: hmm?	11:59
morganfainberg	Oh we read from the db. Because we have the short hash token.	11:59
morganfainberg	Since pki and UUID should be interoperable.	12:00
morganfainberg	According to the specification	12:00
jamielennox	morganfainberg: so i'm looking at auth_token in front of keysotne	12:01
jamielennox	and what level of refinement we need to provide	12:01
jamielennox	and ideally auth_token would handle decrytping PKI tokens the same way on both sides	12:01
jamielennox	but that's not really what we do now and i'm wondering if the change would be a problem	12:02
openstackgerrit	Marek Denis proposed openstack/keystoneauth: Keystone2KeystoneAuthPlugin scoping capabilities https://review.openstack.org/188881	12:02
*** iamjarvo has joined #openstack-keystone		12:03
*** jdennis has joined #openstack-keystone		12:08
*** jdennis has quit IRC		12:08
*** aix has joined #openstack-keystone		12:09
openstackgerrit	Marek Denis proposed openstack/keystoneauth: Add Keystone2KeystoneAuthPlugin for K2K federation https://review.openstack.org/188581	12:10
*** afaranha has joined #openstack-keystone		12:13
*** afaranha has left #openstack-keystone		12:13
*** fhubik_afk is now known as fhubik		12:13
marekd	lbragstad: i have something for you: https://review.openstack.org/#/c/189625/3	12:20
marekd	morganfainberg: can we change the repo name from python-keystoneclient-saml2 (not released) to keystoneauth-saml2 (instead of python-keystoneauth-saml2) ?	12:29
morganfainberg	Sure. Need to ask infra really really nicely.	12:31
morganfainberg	And check with jamielennox	12:31
jamielennox	marekd: should be fine	12:31
marekd	jamielennox: morganfainberg ok, so i am pushing the patch and preparing my anthem for infra :-)	12:31
morganfainberg	jamielennox: it would t be a huge problem. Just make sure to support the UUID mode of pki validation.	12:31
morganfainberg	marekd: and link me the review so I can +1 it	12:32
marekd	of course.	12:32
jamielennox	morganfainberg: i think i can do it in smaller increments	12:32
jamielennox	morganfainberg: as in i think i can change around how i'm writing it and we can figure out those changes later	12:33
morganfainberg	jamielennox: you still will need the UUID validation of pki tokens but yes.	12:33
jamielennox	morganfainberg: but like it's dumb that we cache PKI tokens at all	12:34
morganfainberg	Because of UUID validation.	12:34
openstackgerrit	OpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements https://review.openstack.org/190405	12:34
*** dsirrine has joined #openstack-keystone		12:36
marekd	https://review.openstack.org/190619 /cc morganfainberg jamielennox	12:39
*** fhubik is now known as fhubik_afk		12:39
*** fhubik_afk is now known as fhubik		12:40
viktors	lbragstad: around?	12:40
*** jdennis has joined #openstack-keystone		12:42
*** davechen has quit IRC		12:43
*** davechen has joined #openstack-keystone		12:43
*** jdennis has quit IRC		12:45
*** jdennis has joined #openstack-keystone		12:45
*** woodster_ has joined #openstack-keystone		12:51
*** fifieldt has quit IRC		12:53
lbragstad	viktors: o/	12:55
lbragstad	viktors: I am now	12:55
*** tobe has quit IRC		12:55
*** tobe has joined #openstack-keystone		12:57
*** bknudson has joined #openstack-keystone		12:57
*** ChanServ sets mode: +v bknudson		12:57
*** ajayaa has quit IRC		12:58
*** ajayaa has joined #openstack-keystone		12:59
*** fhubik is now known as fhubik_afk		13:00
*** fhubik_afk is now known as fhubik		13:01
*** ajayaa has quit IRC		13:01
*** tobe has quit IRC		13:02
*** josecastroleon has quit IRC		13:05
marekd	morganfainberg: jamielennox : https://review.openstack.org/190631	13:09
marekd	jamielennox: allright, how do i proceed with https://review.openstack.org/#/c/173628/ ? I need to wait for infra to actually create/rename python-keystoneclient-saml2 to keystoneauth-saml2 so i can really clone it and play with the content ?	13:10
*** zzzeek has joined #openstack-keystone		13:21
amakarov	morganfainberg, hi! Tell me please, who can provide me an invitation letter to get visa? If I our US office issue this letter for me then I'll have to go to Boston through LA :)	13:23
amakarov	s/If I/If/	13:23
*** fhubik is now known as fhubik_afk		13:23
morganfainberg	amakarov: for? The midcycle?	13:24
amakarov	morganfainberg, yes	13:24
morganfainberg	Hmm.	13:25
viktors	lbragstad: hi! I would like to clarify some details, regarding your yesterdays reviews.	13:25
morganfainberg	How soon do you need it?	13:25
*** richm has joined #openstack-keystone		13:25
lbragstad	viktors: sure!	13:25
morganfainberg	amakarov: I can ask Lauren Sell about it.	13:25
amakarov	morganfainberg, next week, I guess... I don't think visa takes a full month to issue	13:26
viktors	lbragstad: as for `find a way to test` database state - it this task an actual at the moment?	13:27
lbragstad	viktors: this is regarding the change to update to the InnoDB engine, right?	13:28
viktors	lbragstad: yes	13:29
lbragstad	I was just curious if we could test it so that we don't have regression in the future, and reintroduce the bug	13:29
viktors	lbragstad: I've tried to make a test for synk sql-db state and model description, but this patch wasn't reviewed for a long time (	13:30
viktors	lbragstad: this one - https://review.openstack.org/#/c/80630/	13:30
*** radez is now known as radez_g0n3		13:31
lbragstad	viktors: looks like it's having some issues passing Jenkins,	13:31
lbragstad	I can try and take a look at it today	13:31
*** krykowski has quit IRC		13:31
*** HT_sergio has joined #openstack-keystone		13:32
viktors	lbragstad: I can rebase it and fix to satisfy Jenkins, but the only I want to ask - is to review it sometime )	13:33
lbragstad	viktors: I'll add it to my review queue for today :)	13:33
viktors	lbragstad: thanks! Will wait for your feedback and rebase then. :)	13:34
lbragstad	viktors: if you want to rebase it before hand, go for it.	13:34
*** jaosorior has quit IRC		13:35
viktors	lbragstad: i'm not sure, that I will have time for it today, but I'll work on this patch tomorrow	13:37
lbragstad	viktors: sounds good	13:37
*** jaosorior has joined #openstack-keystone		13:50
*** fangzhou has joined #openstack-keystone		14:04
*** sigmavirus24_awa is now known as sigmavirus24		14:10
*** browne has joined #openstack-keystone		14:16
*** fhubik_afk is now known as fhubik		14:21
openstackgerrit	Darren Hague proposed openstack/keystone-specs: v3 credentials project_id is not optional for type=ec2 https://review.openstack.org/190660	14:28
openstackgerrit	Diane Fleming proposed openstack/keystone-specs: Add side-by-side comparison table of v2 and v3 APIs https://review.openstack.org/187027	14:30
*** timcline has joined #openstack-keystone		14:31
*** fhubik is now known as fhubik_afk		14:34
*** e0ne is now known as e0ne_		14:34
*** ayoung has joined #openstack-keystone		14:36
*** ChanServ sets mode: +v ayoung		14:36
*** kiran-r has quit IRC		14:44
*** e0ne_ has quit IRC		14:45
openstackgerrit	Jamie Lennox proposed openstack/keystonemiddleware: Refactor _confirm_token_bind takes AccessInfo https://review.openstack.org/179676	14:46
openstackgerrit	Jamie Lennox proposed openstack/keystonemiddleware: Refactor token fetching https://review.openstack.org/190673	14:46
*** fhubik_afk is now known as fhubik		14:53
*** browne has quit IRC		14:58
*** dims_ has quit IRC		15:02
*** dims has joined #openstack-keystone		15:02
*** geoffarnold has quit IRC		15:03
*** thedodd has joined #openstack-keystone		15:04
*** fhubik is now known as fhubik_afk		15:07
*** fangzhou has quit IRC		15:12
*** zzzeek has quit IRC		15:13
*** dguerri is now known as dguerri`		15:13
*** jistr is now known as jistr\|mtg		15:17
*** fhubik_afk is now known as fhubik		15:24
*** lufix has quit IRC		15:33
*** jistr\|mtg is now known as jistr		15:35
*** hemnafk is now known as hemna		15:40
*** afazekas has quit IRC		15:45
*** browne has joined #openstack-keystone		15:45
*** arunkant_ has joined #openstack-keystone		15:45
*** fhubik has quit IRC		15:52
*** geoffarnold has joined #openstack-keystone		15:57
*** Nikkau has quit IRC		16:10
*** radez_g0n3 is now known as radez		16:10
*** kiran-r has joined #openstack-keystone		16:10
*** _cjones_ has joined #openstack-keystone		16:15
*** lufix has joined #openstack-keystone		16:17
*** kiran-r has quit IRC		16:22
*** davechen has quit IRC		16:25
*** davechen has joined #openstack-keystone		16:25
*** amaretskiy has quit IRC		16:25
*** lufix has quit IRC		16:26
*** e0ne has joined #openstack-keystone		16:27
*** r-daneel has joined #openstack-keystone		16:27
*** roxanaghe has joined #openstack-keystone		16:37
*** Ephur has joined #openstack-keystone		16:38
*** lhcheng has joined #openstack-keystone		16:48
*** ChanServ sets mode: +v lhcheng		16:48
*** ayoung has quit IRC		16:54
*** stevemar has joined #openstack-keystone		16:54
*** ChanServ sets mode: +v stevemar		16:54
*** fangzhou has joined #openstack-keystone		16:59
openstackgerrit	Henrique Truta proposed openstack/keystone: List projects filtering by is_domain flag https://review.openstack.org/158398	17:03
*** RichardRaseley has joined #openstack-keystone		17:08
*** ankita_wagh has joined #openstack-keystone		17:09
*** e0ne has quit IRC		17:09
*** amakarov is now known as amakarov_away		17:10
*** spandhe has joined #openstack-keystone		17:13
*** ayoung has joined #openstack-keystone		17:19
*** ChanServ sets mode: +v ayoung		17:19
*** RichardRaseley has left #openstack-keystone		17:21
samueldmq	ayoung, hi, do you have some time to discuss dynamic policies roadmap, meeting time, etc?	17:21
ayoung	samueldmq, yeah...did you see what I just posted to the mailing list?	17:22
samueldmq	discuss about*	17:22
samueldmq	ayoung, no, going to check now	17:22
david8hu	ayoung, I see the evolution	17:22
ayoung	samueldmq, please do. We need buy in from the other teams, or this is going to go no-where, and that is an attempt to get there.	17:23
ayoung	david8hu, yeah...hard to track all the different things that have gone in to getting here...	17:23
david8hu	@ayoung, maybe we should go to other team's mid cycle meetup as well :)	17:23
ayoung	david8hu, heh...only ifI don't have to travel	17:24
ayoung	david8hu, you coming to the Keystone midcycle?	17:24
*** iamjarvo has quit IRC		17:24
*** pnavarro_ has quit IRC		17:24
david8hu	ayoung, I need to be there. Have not gotten approval yet.	17:24
samueldmq	ayoung, just saw that	17:24
samueldmq	ayoung, david8hu what I want to define is the next steps ... we need to:	17:25
samueldmq	i) have agreement on the roadmap with other services	17:25
samueldmq	ii) define the scope for Liberty	17:26
samueldmq	otherwise, we won't get this stuff in L, or in the best case just a little part of it (possibly not used by every service)	17:26
samueldmq	ayoung, makes sense ?	17:26
ayoung	yep	17:27
samueldmq	ayoung, great, I just created this	17:27
samueldmq	ayoung, https://etherpad.openstack.org/p/dynamic-policies	17:27
david8hu	samueldmq, agreed. bulk of it is still eveolving.	17:27
samueldmq	ayoung, as an start point to define the roadmap, I am also looking at the existing meetings	17:27
samueldmq	to try to find time for our dynamic policy meeting	17:27
samueldmq	I am looking at http://eavesdrop.openstack.org/irc-meetings.ical	17:28
openstackgerrit	Raildo Mascena de Sousa Filho proposed openstack/keystone: Change project name constraint https://review.openstack.org/158372	17:28
samueldmq	(actually I loaded that into google calendar, that is not human readable as it is)	17:28
samueldmq	looks like any day between 11:00 and 14:00 UTC would have free slots	17:29
ayoung	samueldmq, lets get the list of specs up there	17:30
*** ankita_wagh has joined #openstack-keystone		17:31
samueldmq	ayoung, ok I will associate that with the points I've defined in the roadmap, if you agree on them	17:31
samueldmq	ayoung, in that roadmap points, I am not talking about how to implement them at all	17:32
openstackgerrit	Raildo Mascena de Sousa Filho proposed openstack/keystone: Honor domain operations in project table https://review.openstack.org/143763	17:32
samueldmq	ayoung, it just define the directions, so it will be easier to start a cross-project understanding and agreement	17:32
ayoung	samueldmq, but, this is essentially the same thing as the trello...you think we should move over?	17:32
*** pnavarro_ has joined #openstack-keystone		17:33
samueldmq	ayoung, maybe .. at least etherpad will be better for cross-project collaboration/discussions/action points	17:33
openstackgerrit	Raildo Mascena de Sousa Filho proposed openstack/keystone: Restrict inherited role assignments to subdomains https://review.openstack.org/164180	17:33
openstackgerrit	Raildo Mascena de Sousa Filho proposed openstack/keystone: Remove domain table references https://review.openstack.org/165936	17:33
*** zzzeek has joined #openstack-keystone		17:33
openstackgerrit	Raildo Mascena de Sousa Filho proposed openstack/keystone: Bye Bye Domain Table https://review.openstack.org/161854	17:33
samueldmq	ayoung, please check if you agree with the points defined at the main roadmap items: 'Out-of-band policy management' and 'Better delegation'	17:35
*** jistr has quit IRC		17:35
samueldmq	ayoung, let's start breaking those things in a high level ot have agreement on the ideas, after then we go to implementation	17:35
openstackgerrit	Kevin Fox proposed openstack/keystone-specs: Unscoped Service Catalog https://review.openstack.org/190732	17:35
samueldmq	ayoung, that's why I am trying to do, hope you agree in such approach	17:35
samueldmq	ayoung, roadmap maps to our overview spec	17:36
*** kfox1111 has joined #openstack-keystone		17:37
samueldmq	ayoung, after agreement in the meeting, we get overview spec merged and then start looking at individual specs (implementation details)	17:37
*** rlt has quit IRC		17:38
ayoung	samueldmq, lets keep this on Trello...too many tools, and I have the Kent folks engaged over there	17:43
samueldmq	ayoung, I am not wanting to stop our trello thing	17:44
ayoung	samueldmq, lets not split it then	17:44
samueldmq	ayoung, I am just summarizing the needed content to be discussed in the meeting	17:44
ayoung	put what you need in trello	17:45
samueldmq	ayoung, I am not sure trello is good to define the overview ... though it is good to do the implementation tracking	17:45
ayoung	samueldmq, then put an overcard on there and put it in there	17:46
samueldmq	ayoung, and we copy-paste from there at meeting time ? not sure trello is adequate to the cross-project discussions	17:46
ayoung	samueldmq, it will do fine	17:47
samueldmq	ayoung, I will add a list called Roadmap	17:48
samueldmq	ayoung, and that defines the roadmap specification, without implemnetation details	17:48
samueldmq	ayoung, as I've defined in the pad, ok?	17:48
david8hu	samueldmq, I see a roadmap card show up instantly	17:50
samueldmq	david8hu, a new list ? I just created it	17:50
david8hu	samueldmq, :) I think I saw the one you created	17:51
*** iamjarvo has joined #openstack-keystone		17:51
samueldmq	david8hu, nice :)	17:51
*** iamjarvo has quit IRC		17:51
*** iamjarvo has joined #openstack-keystone		17:52
*** iamjarvo has quit IRC		17:52
samueldmq	ayoung, done	17:56
ayoung	samueldmq, thanks	17:57
samueldmq	ayoung, np ... let me know if you agree with what is in those cards	17:57
ayoung	samueldmq, looking now	17:57
samueldmq	ayoung, and if it's complete/correct	17:57
ayoung	samueldmq, nothing you wrote there is wrong.	17:58
samueldmq	ayoung, and contains, in a high-level, everything we are going to address, right ?	17:59
samueldmq	ayoung, first meeting we will i) agree on that with others, ii) get the overview spec approved, and iii) define scope for L	18:00
*** hemna is now known as hemnafk		18:01
ayoung	samueldmq, there are cards already for most of your line items.	18:02
roxanaghe	dstanek, do you want me to try to address the feedback from the review of https://review.openstack.org/#/c/180769/ ?	18:02
samueldmq	ayoung, and that's great, since the specific cards map what is in the roadmap	18:03
samueldmq	ayoung, as individual specs map to what is in hte overview one	18:03
samueldmq	if that makes sense	18:03
*** sigmavirus24 is now known as sigmavirus24_awa		18:19
*** ankita_wagh has quit IRC		18:20
*** ankita_wagh has joined #openstack-keystone		18:24
dstanek	roxanaghe: i started to address them - i'll push up what i have in a few and then we can see what's left	18:25
*** spandhe has quit IRC		18:26
*** spandhe has joined #openstack-keystone		18:29
*** operator99 has quit IRC		18:32
*** iamjarvo has joined #openstack-keystone		18:32
*** iamjarvo has quit IRC		18:33
*** iamjarvo has joined #openstack-keystone		18:33
*** iamjarvo has quit IRC		18:33
*** iamjarvo has joined #openstack-keystone		18:35
*** iamjarvo has quit IRC		18:35
*** csoukup has joined #openstack-keystone		18:41
*** gyee has joined #openstack-keystone		18:41
*** ChanServ sets mode: +v gyee		18:41
*** hemnafk is now known as hemna		18:43
*** ayoung has quit IRC		18:49
*** aix has quit IRC		18:49
*** e0ne has joined #openstack-keystone		18:51
*** e0ne is now known as e0ne_		18:51
*** dsirrine has quit IRC		18:51
*** e0ne_ is now known as e0ne		18:53
openstackgerrit	Raildo Mascena de Sousa Filho proposed openstack/keystone: Honor domain operations in project table https://review.openstack.org/143763	18:57
*** e0ne is now known as e0ne_		19:00
stevemar	i found ayoungs equivalent at cloud identity summit	19:01
*** greghaynes has quit IRC		19:05
*** greghaynes has joined #openstack-keystone		19:06
*** jdennis has quit IRC		19:08
*** jdennis has joined #openstack-keystone		19:09
*** stevemar has quit IRC		19:12
*** cuddyt has joined #openstack-keystone		19:24
*** dsirrine has joined #openstack-keystone		19:34
*** e0ne_ is now known as e0ne		19:35
*** stevemar has joined #openstack-keystone		19:40
*** ChanServ sets mode: +v stevemar		19:40
htruta	stevemar: is it supposed to be a good thing?	19:42
samueldmq	htruta, I guess at very least it is expected to be someone with a lot of energy :)	19:43
*** hemna is now known as hemnafood		19:44
*** dguerri` is now known as dguerri		19:44
*** jaosorior has quit IRC		19:45
htruta	hey guys, in case you haven't seen in the ML, raildo sent an email with the etherpad describing the options of getting a project scoped token after reseller	19:45
htruta	this is the etherpad: https://etherpad.openstack.org/p/reseller-project-token	19:46
htruta	in case you have any questions, we have until keystone meeting on tuesday to discuss, improve and maybe add alternatives	19:48
*** dguerri is now known as dguerri`		19:49
stevemar	htruta, it's a fun thing :)	19:55
openstackgerrit	Brant Knudson proposed openstack/keystone: Fix tests failing on slower system https://review.openstack.org/190790	20:00
htruta	stevemar: hehe	20:00
*** lhcheng_ has joined #openstack-keystone		20:05
*** lhcheng has quit IRC		20:08
*** HT_sergio has quit IRC		20:08
*** spandhe has quit IRC		20:27
*** spandhe has joined #openstack-keystone		20:28
*** spandhe has quit IRC		20:28
*** stevemar has quit IRC		20:30
*** radez is now known as radez_g0n3		20:38
*** dguerri` is now known as dguerri		20:39
*** bknudson has quit IRC		20:45
openstackgerrit	Raildo Mascena de Sousa Filho proposed openstack/keystone: Remove domain table references https://review.openstack.org/165936	20:45
*** e0ne has quit IRC		20:54
openstackgerrit	Raildo Mascena de Sousa Filho proposed openstack/keystone: Restrict inherited role assignments to subdomains https://review.openstack.org/164180	20:54
*** raildo has quit IRC		21:04
-openstackstatus- NOTICE: Gerrit has been restarted to terminate a persistent looping third-party CI bot		21:07
*** thedodd has quit IRC		21:08
*** ayoung has joined #openstack-keystone		21:09
*** ChanServ sets mode: +v ayoung		21:09
*** sbfox has joined #openstack-keystone		21:09
roxanaghe	dstanek, ok - thanks	21:09
sbfox	Hi all, I have a question I cant find the answer to. Can I mix mysql (for admin and services) identity and LDAP (users etc) identity?	21:12
*** timcline has quit IRC		21:12
brad[]	sbfox: Yes you can	21:13
sbfox	Great! that'll keep my boss happy :) do you happen to have a doc/howto I could follow?	21:14
brad[]	sbfox: I'm in the late stages of research on the topic myself, but tbh ayoung's blog was the best starting point for me	21:16
brad[]	sbfox: http://adam.younglogic.com/2014/08/getting-service-users-out-of-ldap/	21:16
ayoung	sbfox, coun't a said it better myself	21:16
sbfox	Fab, thanks for the links	21:17
ayoung	sbfox, the later the openstack version, the better it works	21:17
sbfox	Im on Juno	21:17
ayoung	sbfox, should be good enough	21:18
ayoung	I figured brad[] was topol. But in python that would be (brad)	21:18
ayoung	or is that (brad,)	21:18
ayoung	actually, I guess brad(,)	21:19
*** hemnafood is now known as hemna		21:21
*** dguerri is now known as dguerri`		21:21
brad[]	fortunately it's not lisp (brad() ))))))))	21:22
*** geoffarnold has quit IRC		21:22
sbfox	So (if im reading this correctly), users are separated into a domain with the ldap identity driver?	21:23
sbfox	Is the domain name arbitrary?	21:23
*** spandhe has joined #openstack-keystone		21:30
*** ayoung has quit IRC		21:33
*** spandhe_ has joined #openstack-keystone		21:35
*** spandhe has quit IRC		21:37
*** spandhe_ is now known as spandhe		21:37
*** dims_ has joined #openstack-keystone		21:44
*** dims has quit IRC		21:46
*** bknudson has joined #openstack-keystone		21:47
*** ChanServ sets mode: +v bknudson		21:47
*** pnavarro_ has quit IRC		21:51
openstackgerrit	henry-nash proposed openstack/keystone-specs: Enable listing of role assignments in a project hierarchy https://review.openstack.org/187045	22:09
*** RichardRaseley has joined #openstack-keystone		22:20
openstackgerrit	Brant Knudson proposed openstack/keystonemiddleware: Refactor use auth_ref.version rather than _token_is_v* https://review.openstack.org/189018	22:22
*** ayoung has joined #openstack-keystone		22:22
*** ChanServ sets mode: +v ayoung		22:22
openstackgerrit	Brant Knudson proposed openstack/keystonemiddleware: Refactor TokenCache store takes auth_ref https://review.openstack.org/189019	22:25
*** RichardRaseley has quit IRC		22:32
*** csoukup has quit IRC		22:43
*** geoffarnold has joined #openstack-keystone		22:49
*** drjones has joined #openstack-keystone		22:53
*** _cjones_ has quit IRC		22:54
*** _cjones_ has joined #openstack-keystone		22:54
*** dsirrine has quit IRC		22:56
*** geoffarnold has quit IRC		22:57
*** drjones has quit IRC		22:57
*** lhcheng_ has quit IRC		22:58
*** lhcheng has joined #openstack-keystone		22:58
*** ChanServ sets mode: +v lhcheng		22:58
*** geoffarnold has joined #openstack-keystone		22:59
*** lhcheng has quit IRC		23:02
*** zzzeek has quit IRC		23:05
*** cuddyt has quit IRC		23:06
*** ayoung has quit IRC		23:07
*** markvoelker has quit IRC		23:11
*** geoffarnold has quit IRC		23:14
*** geoffarnold has joined #openstack-keystone		23:14
*** zzzeek has joined #openstack-keystone		23:15
openstackgerrit	Brant Knudson proposed openstack/keystonemiddleware: Refactor extract method for offline validation https://review.openstack.org/188650	23:21
*** roxanaghe has quit IRC		23:34
*** sbfox has quit IRC		23:35
*** chlong has joined #openstack-keystone		23:35
openstackgerrit	Deepti Ramakrishna proposed openstack/keystone: Reuse token_ref fetched in AuthContextMiddleware. https://review.openstack.org/190863	23:36
*** sigmavirus24_awa is now known as sigmavirus24		23:39
*** hemna is now known as hemnafk		23:45
*** ankita_wagh has quit IRC		23:52
*** zzzeek has quit IRC		23:52
*** ankita_wagh has joined #openstack-keystone		23:54
*** lhcheng has joined #openstack-keystone		23:56
*** ChanServ sets mode: +v lhcheng		23:56

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!