Friday, 2015-06-12

« Thursday, 2015-06-11 Index Saturday, 2015-06-13 »
*** radez_g0n3 is now known as radez00:05
openstackgerritSteve Martinelli proposed openstack/python-keystoneclient: Add openid connect client support  https://review.openstack.org/13470000:07
*** lhcheng_ has joined #openstack-keystone00:09
*** _cjones_ has quit IRC00:10
*** _cjones_ has joined #openstack-keystone00:11
*** lhcheng has quit IRC00:12
*** markvoelker has joined #openstack-keystone00:12
*** drjones has joined #openstack-keystone00:12
*** _cjones_ has quit IRC00:15
*** markvoelker has quit IRC00:17
*** Kennan2 is now known as Kennan00:19
*** sbfox has joined #openstack-keystone00:30
jamielennoxbknudson: this is kind of where i was aiming for the middleware changes https://review.openstack.org/#/c/190673/00:31
jamielennoxoo, and it appears i moved one of your reviews out of sequence to do it, sorry00:32
bknudsonno problem00:32
bknudsonso keystone would have its implementation of _BaseAuthProtocol ?00:34
*** drjones has quit IRC00:35
jamielennoxbknudson: yep, it comes down to this much in keystone: https://github.com/jamielennox/keystone/blob/middlewareinkeystone/keystone/middleware/auth_token.py00:36
jamielennoxwhich we would probably combine into the AuthContext one rather than be standalone00:36
bknudson_BaseAuthProtocol can't be private then00:36
jamielennoxbknudson: right, i just want to get it to a point where i know it works then make public what is needed00:37
*** ankita_wagh has quit IRC00:37
bknudsonso it's really just _handle_token00:38
jamielennoxi was also thinking we should be able to refine it a bit more, so instead of just handle we do the offline validation in middleware before ever going to keystone00:38
jamielennoxthat would give us non-persistent pki00:39
*** sigmavirus24 is now known as sigmavirus24_awa00:39
bknudsonyou'd need to override getting the certs is all00:39
jamielennoxbknudson: right00:39
bknudsonand revocation list00:39
bknudsonif you want to support that00:39
bknudsonor events00:39
jamielennoxso revocations is where i hope this makes the most sense00:39
jamielennoxbecause we have part of an implementation on the server side and none in auth_token00:40
*** kfox1111 has quit IRC00:40
bknudsonrevocation events?00:40
jamielennoxyep00:40
bknudsonthere's something in keystoneclient, I think.00:40
jamielennoxso you'd have an abstract "fetch events" then handle revocation in the same place00:40
jamielennoxthere is, but it involves building custom models and it's not been used by auth_token middleware00:41
bknudsonthere's probably no reason to have support in keystoneclient.00:41
openstackgerritSteve Martinelli proposed openstack/python-keystoneclient: Add openid connect client support  https://review.openstack.org/13470000:41
bknudsonmaybe an application would want to handle revocation events00:42
jamielennoxi saw alexander got his refactor of the event processing code through, hopefully we can make that work with the objects that auth_token provides00:42
bknudsonwhat objects?00:42
*** stevemar has joined #openstack-keystone00:42
*** ChanServ sets mode: +v stevemar00:42
jamielennox_UserToken00:42
jamielennoxhttps://github.com/openstack/keystonemiddleware/blob/master/keystonemiddleware/auth_token/_user_plugin.py00:43
jamielennoxUserAuthPlugin - i was close00:43
openstackgerritSteve Martinelli proposed openstack/python-keystoneclient: Add openid connect client support  https://review.openstack.org/13470000:44
bknudsonyield data -- why can't we yield auth_ref?00:44
stevemarjamielennox, i'd appreciate a review of that guy ^ should be in a good state - there's a failing test that i am skipping related to config options00:44
bknudsondon't we want handle_token to return an auth_ref?00:45
*** r-daneel_ has joined #openstack-keystone00:45
jamielennoxbknudson: so i started like that, it meant that we were constructing an AccessInfo on the keystone side as well as on the middleware side00:45
*** r-daneel has quit IRC00:45
bknudsonnice!00:45
bknudsonisn't that what we want?00:46
jamielennoxbknudson: if we yield data instead then keysotne never needs to know about AccessInfos00:46
jamielennoxAccessInfo is still returned from the function00:46
bknudsonI want keystone to know about AccessInfo.00:46
jamielennoxand we still do all our validation with AccessInfo but middleware is constructing it for us00:46
bknudsonwe could push construction of AccessInfo up to the token provider00:47
*** radez is now known as radez_g0n300:47
openstackgerritDeepti Ramakrishna proposed openstack/keystone: Reuse token_ref fetched in AuthContextMiddleware.  https://review.openstack.org/19086300:48
stevemarisn't that what adam wanted?00:48
jamielennoxadam was looking for a much more complex object representation00:48
jamielennoxmy understanding is they didn't want AccessInfo as it is today on the server side, it does stupid things like add extra data to the token dictionary00:49
stevemarah00:49
bknudsonshoot. I thought we had something that was actually useful for once. :(00:49
bknudsonI guess I should have looked at it first.00:49
stevemarhave fun boys, i'm heading to dinner then airport00:49
jamielennoxthe ksa version should be better00:49
jamielennoxstevemar: have a good trip00:50
bknudsongodspeed00:50
stevemari'm with delta and stopping in detroit... bad omens all over00:50
bknudsonconference must be done00:51
*** sbfox has quit IRC00:51
jamielennoxbknudson: anyway looking at the breakdown there it would seem to make sense, what's in fetch is always dealing with data, because the cache should just be another source of token data, like PKI or the identity server00:51
jamielennoxbut it conflicts with some of the stuff like having the cache deal with AccessInfo directly00:52
bknudsoncache can't deal with accessinfo?00:52
jamielennoxnot if we keep yield data00:52
jamielennoxbecaues the validation logic is creating the AccessInfo00:53
jamielennoxi was hoping i could yield and return so that you could do like auth_ref = yield data but i think that's why python 3's yield from is for00:54
*** stevemar has quit IRC00:55
jamielennoxi don't think i can do it in py200:55
bknudsonlet's drop py2 support00:55
jamielennox:)00:56
bknudsonso keystone is going to use the regular headers that auth_token would set00:57
jamielennoxbknudson: that's my hope00:58
bknudsonthen it can just go through mapping like federation00:58
jamielennoxor preferrably just the obect00:58
bknudsonwhat's the object ? AccessInfo?00:59
jamielennox_UserAuthPlugin00:59
jamielennoxit's essentially just a stripped down AccessInfo00:59
bknudsonoh, it can pass that to policy?00:59
jamielennoxbknudson: that's where i'm going with this00:59
jamielennoxi want oslo.policy, oslo.context all to be based off of that01:00
bknudson_UserAuthPlugin?01:00
jamielennoxrather than every service make up their own context dicts01:00
jamielennoxyes01:00
bknudsonuntil then we'll have to create context from _UserAuthPlugin01:01
jamielennoxyes, and there are a couple of fields we may need to include in the _UserAuthPlugin that aren't currenlty there01:01
jamielennoxbut that's not a problem - honestly i don't think we use half of what's in our context anyway01:02
jamielennoxi guess we can't remove the fields though because they're exposed to policy01:02
bknudsonif auth_ref.version == 'v2.0' and not auth_ref.project_id: is going to need to be auth-token only since you can have unscoped v2 tokens.01:03
bknudsondo we have to do delay_auth_decision?01:03
bknudsonoh, and we need to support stupid admin token01:04
bknudsonor else figure out a different way to bootstrap, which should probably do anyways01:04
jamielennoxso delay_auth_decision is kept in the auth_token specific class01:09
jamielennoxi don't enforce that on the base at all so we would need to check that via policy - which is how i think it should be done anyway01:10
jamielennoxadmin token i think is fairly easy, we just put a check in process_request before any of this validation happens01:10
jamielennoxbut yea, i have a comment for v2.0 and project_id, that should be auth_token only01:11
bknudsonmakes sense01:11
jamielennoxit was almost a little disappointing that the only common checks left were binding and expiry time, but with revocations etc it will get more01:12
jamielennoxi was looking at rearranging the auth_token validate as well, i think we should make it so that we do not cache PKI tokens01:13
bknudsonwhat's the point of caching a PKI token?01:13
jamielennoxthat would make it cleaner to do PKI validation for keystone as well because we don't have to deal with the cache layer01:14
jamielennoxbknudson: i've no idea01:14
jamielennoxbut we do it01:14
bknudsonhttps://review.openstack.org/#/c/188650/ might help, since it puts offline validation into a method01:14
bknudsonthen could just move the call to _validate_offline before cache work01:15
jamielennoxbknudson: yep, i had that patch rolled into this dependency for a while01:15
bknudsonoh... did I mess it up?01:15
bknudsonI didn't think it was in the list.01:15
jamielennoxno i removed it because i was modifying the patch itself and it can be easily applied after as well01:16
jamielennoxbecause i removed the AccessInfo bits and i didn't want to mess up your review chain01:16
jamielennoxbut yes, i think that should go first - before the cache check and limit the cache to online validations01:17
bknudsonI wasn't sure how "Refactor _validate_token returns auth_ref only" fits in here anymore. Figured I'd just wip it and figure that out later if it's still interesting.01:18
jamielennoxbknudson: oh - i thought that was applied?01:18
*** henrynash has quit IRC01:18
jamielennoxthere should be no reason to still be returning data from -validate_token01:19
bknudsonwell, your changes are returning data rather than auth_ref01:19
bknudsonthere's probably no need for that one anymore.01:20
* jamielennox was looking at the wrong review and getting confused01:21
jamielennoxso _validate_token returns AccessInfo01:21
jamielennoxwhich is what is used at the top level01:21
bknudsonhmm, maybe it happens some other way01:21
jamielennoxdata is only used in _handle_token - which really should be called _fetch_token01:21
bknudsonif we're going to be sharing _BaseAuthProtocol then it really does need its own unit tests.01:22
*** browne has quit IRC01:23
jamielennoxagreed, there are a few reviews in front of it still to go through01:24
jamielennox(though they are moving well)01:24
bknudsonjamielennox: I thought the class was modeled on oslo_middleware.base.Middleware because you were going to use it?01:24
jamielennoxi just wanted to discuss it with you because of the differences with the AccessInfo changes01:24
jamielennoxbknudson: i looked at using it but there are a bunch of dependencies to oslo_middleware01:24
jamielennoxbecause it's not just the base class there are common middlewares in there01:25
bknudsonI think there's some that we re-implement in keystone...01:25
jamielennoxprobably01:25
bknudsonlike a sizelimiter or something01:25
bknudsonalthough we won't need that middleware with flask!01:26
jamielennoxbut i figured i could take the pattern that other middleware uses and just not take the actual class01:26
bknudson(and it is something that the container should implement for security)01:26
jamielennoxreplacing app with application for example needed changes all through the tests01:26
*** ankita_wagh has joined #openstack-keystone01:26
*** henrynash has joined #openstack-keystone01:27
*** ChanServ sets mode: +v henrynash01:27
bknudsonwell, probably don't even mention it in the comment then01:27
jamielennoxbknudson: that was my plan :) i saw you reviewed it again and i was just going to remove all reference to oslo_middleware01:27
bknudsonif it's like it but not the same then you'll need to explain all the differences or people are left guessing01:27
jamielennoxand it does look like i'll need some sort of factory01:28
jamielennoxi was hoping to avoid it on the keystone side01:28
bknudsonyou can always add it later (along with a test for it)01:28
jamielennoxor at least not deal with options from paste01:28
bknudsonmaybe change the commit message to say "this class can eventually be used by keystone where the behavior is overridden to validate tokens against the database" or something... should be clearer01:30
bknudsonof course it would be better to not mention keystone by name since it'll be available to anybody.01:31
bknudson"this class can eventually be used by a server where the behavior is overridden to validate tokens via some other method"01:31
jamielennoxi was thinking of explicitly saying keystone01:32
jamielennoxlike don't override this unless you are keystone01:32
bknudsononce it's public you can't stop me from using it.01:32
jamielennoxbecause i can't imagine who else would use it01:32
bknudsonbetter put some docs on it.01:32
jamielennoxcan't stop, but i might be able to say that the API is only as stable as keystone requires it to be01:33
bknudsonmaybe it could be used during testing to stub out keystone01:33
bknudsonor maybe there will eventually be no keystone and it'll be overridden to validate saml01:34
bknudson^ right ayoung ?01:34
*** dims_ has quit IRC01:35
bknudsonI was just thinking about fernet tokens and the offline/online validation...01:35
bknudsonsince some validation is done offline and some online.01:35
bknudsonalthough it's all online now01:36
jamielennoxbknudson: i don't think any of fernet is validated by middleware?01:36
bknudsonnot yet but it could be in future01:37
jamielennoxall the keys are handled on keystone side01:37
bknudsonwe just need a REST API to fetch the keys... he he01:37
jamielennoxnever again01:38
jamielennoxdstanek: here?01:42
dstanekjamielennox: on cell phone yes :-)01:43
*** sigmavirus24_awa is now known as sigmavirus2401:43
jamielennoxdstanek: hmm, so this might be a bit difficult to see01:43
jamielennoxdstanek: looking at https://review.openstack.org/#/c/190673/ is there anyway i can get a value back from the yield statement?01:44
jamielennoxyielding data which is going to a contextmanager01:44
dstanekjamielennox: jas ill go back to laptop01:45
jamielennoxdstanek: i guess the question can be theoretical, if you yield to a contextmanager can you get a value back from the yield01:45
bknudsonI was surprised that the base _handle_token could just return and not yield.01:45
jamielennoxand it's got to be python 2 compatible - because i *think* yield from would solve this01:45
*** r-daneel_ has quit IRC01:46
bknudsondon't you iterate over it?01:47
dstanekjamielennox: and _handle_token is expected to return a list?01:48
dstaneka yield just turns a method into a generator or something that "returns" an iterable01:49
*** ayoung has joined #openstack-keystone01:49
*** ChanServ sets mode: +v ayoung01:49
jamielennoxdstanek: but not when used with a contextmanager right?01:49
bknudsondstanek: I think he's taking advantage of https://docs.python.org/2/library/contextlib.html#contextlib.contextmanager01:49
jamielennoxthat just gives me a with01:49
bknudson? maybe return self._handle_token(token) -> yield self._handle_token(token)01:50
jamielennoxthere is a oneline function line 504 that just wraps a contextmanager around a call01:50
jamielennoxbknudson: thinking about it now i don't know if i want it there anyway01:51
dstanekjamielennox: yes correct because that treats it like a list on your behalf01:51
bknudsonthis stuff should be able to be implemented with abstract methods.01:52
bknudsonalthough maybe the context manager is prettier01:52
dstanekhttps://hg.python.org/cpython/file/3156dd82df2d/Lib/contextlib.py#l5701:53
dstanekcontextmanager expects a generator that only generates one thing - the code is different in 2.7, but does the same thing01:54
*** sbfox has joined #openstack-keystone01:54
dstanekwhy use a contextmanager in that code if there isn't really any cleanup?01:54
jamielennoxsorry back01:55
jamielennoxdstanek: there is some cleanup01:55
jamielennoxif everything goes well in the yielded function then you have to cache the token, or cache the failure01:55
jamielennoxi was experimenting with like a before_ and after_ method, but if i used contextmanager i can just yield to the actual validator function and then handle the response01:56
jamielennox(or lack of exception)01:56
jamielennoxand that way all the error handling i do is unique to the subclass01:57
dstanekall that would have to change to get rid of the contextmanager is to move the caching up a level right?01:57
jamielennoxdstanek: i can't move the caching up01:57
dstanekalso, i'm playing devil's advocate. in reality i'd probably be fine with this. doesn't look awful01:57
jamielennoxso that function will be implemented on the keystone side as well01:58
jamielennoxso to move it up a level would mean we would need to implement caching in the same way on the keystone side as well01:58
bknudsonkeystone could override _cache_token to do nothing01:58
jamielennoxso the reason i was looking to get an auth_ref back from the yield is so i could do additional validation in _handle_token01:58
jamielennoxbut i think that's probably the wrong place for it anyway, you should override a validate function and do it after the contextmanager bit01:59
jamielennoxbknudson: yea, i tried that - it can be done but the contextmanager is so much prettier01:59
bknudsoneverything is better with generators02:00
bknudsonthat should be all we do02:00
dstanek:-)02:00
jamielennoxi pulled out an itertools.product the other day - felt like a god02:00
bknudsonthat was prety02:00
bknudsonI figured twisted would be built on generators but the examples don't show much02:01
*** markvoelker has joined #openstack-keystone02:01
dstaneki'll be back in a bit ...02:02
jamielennoxdstanek: np, thanks02:02
*** htruta has quit IRC02:02
jamielennoxbknudson: i think in newer versions you can do generator based stuff02:02
jamielennoxwhen i last used twisted it was all addCallback02:03
bknudsonthe mail client example here uses it: https://twistedmatrix.com/trac/02:03
bknudsonyikes!02:03
jamielennoxi have just not done enough to figure out what that means02:04
*** dims has joined #openstack-keystone02:05
*** sbfox has quit IRC02:06
*** markvoelker has quit IRC02:07
*** browne has joined #openstack-keystone02:07
*** bknudson has quit IRC02:10
*** ankita_wagh has quit IRC02:23
*** Ephur has quit IRC02:24
*** BAKfr has quit IRC02:31
openstackgerritChenhong Liu proposed openstack/keystone: Add testcases for list_role_assignments of v3 domains  https://review.openstack.org/18789902:32
*** BAKfr has joined #openstack-keystone02:37
*** dims has quit IRC02:39
openstackgerritDave Chen proposed openstack/keystone: Move endpoint_filter migrations into keystone core  https://review.openstack.org/18698802:57
*** dsirrine has joined #openstack-keystone03:04
*** stevemar has joined #openstack-keystone03:09
*** ChanServ sets mode: +v stevemar03:09
*** kiran-r has joined #openstack-keystone03:12
*** spandhe has quit IRC03:15
*** sigmavirus24 is now known as sigmavirus24_awa03:18
*** ankita_wagh has joined #openstack-keystone03:20
*** geoffarnold has quit IRC03:25
*** sbfox has joined #openstack-keystone03:25
*** geoffarnold has joined #openstack-keystone03:26
*** sbfox has quit IRC03:27
*** sbfox1 has joined #openstack-keystone03:27
*** geoffarnold has quit IRC03:30
*** geoffarnold has joined #openstack-keystone03:30
*** richm has quit IRC03:31
openstackgerritDave Chen proposed openstack/keystone: Move endpoint filter into keystone core  https://review.openstack.org/18337703:39
*** dims has joined #openstack-keystone03:40
*** stevemar has quit IRC03:41
*** stevemar2 has joined #openstack-keystone03:41
*** ChanServ sets mode: +v stevemar203:41
*** fifieldt has joined #openstack-keystone03:42
*** dguerri` is now known as dguerri03:44
*** dsirrine has quit IRC03:44
*** kiran-r has quit IRC03:45
*** dims has quit IRC03:45
*** geoffarnold has quit IRC03:45
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Refactor token fetching  https://review.openstack.org/19067303:46
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Refactor _confirm_token_bind takes AccessInfo  https://review.openstack.org/17967603:46
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Extract basic validation processing to base class  https://review.openstack.org/18081803:46
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Make token bind work with a request  https://review.openstack.org/18081703:46
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Create a simple base class from AuthProtocol  https://review.openstack.org/18081603:46
openstackgerritDave Chen proposed openstack/keystone: Move endpoint filter into keystone core  https://review.openstack.org/18337703:46
openstackgerritDave Chen proposed openstack/keystone: Move endpoint_filter migrations into keystone core  https://review.openstack.org/18698803:46
*** sbfox1 has quit IRC03:49
*** markvoelker has joined #openstack-keystone03:50
*** geoffarnold has joined #openstack-keystone03:50
*** kiran-r has joined #openstack-keystone03:51
*** dguerri is now known as dguerri`03:54
*** markvoelker has quit IRC03:55
*** kiranr has joined #openstack-keystone03:55
*** kiran-r has quit IRC03:55
*** kiranr has quit IRC04:02
*** tobe has joined #openstack-keystone04:04
*** sbfox has joined #openstack-keystone04:06
*** stevemar2 has quit IRC04:12
*** fangzhou has quit IRC04:14
*** sbfox has quit IRC04:19
*** fangzhou has joined #openstack-keystone04:21
*** ozialien has joined #openstack-keystone04:22
*** sbfox has joined #openstack-keystone04:24
*** fangzhou has quit IRC04:34
*** sbfox has quit IRC04:39
*** chlong is now known as chlong_mtg04:59
*** geoffarnold has quit IRC05:02
*** geoffarnold has joined #openstack-keystone05:04
*** tobe has quit IRC05:06
*** kiran-r has joined #openstack-keystone05:17
*** kiran-r has quit IRC05:21
*** kiran-r has joined #openstack-keystone05:21
openstackgerritDave Chen proposed openstack/keystone: Move endpoint_filter migrations into keystone core  https://review.openstack.org/18698805:23
*** tobe has joined #openstack-keystone05:28
*** geoffarnold has quit IRC05:29
*** geoffarnold has joined #openstack-keystone05:30
*** markvoelker has joined #openstack-keystone05:39
*** markvoelker has quit IRC05:44
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Refactor token fetching  https://review.openstack.org/19067305:59
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Separate the fetch and validate token processes  https://review.openstack.org/19094005:59
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Don't cache signed tokens  https://review.openstack.org/19094105:59
openstackgerritDave Chen proposed openstack/keystone: Move endpoint_filter migrations into keystone core  https://review.openstack.org/18698806:04
*** tobe has quit IRC06:05
*** chlong_mtg is now known as chlong06:06
*** ajayaa has joined #openstack-keystone06:15
ajayaaHI guys. Can a single LDAP server contain identity data for multiple domains?06:16
ajayaaIt seems no from https://github.com/openstack/keystone/blob/master/keystone/identity/backends/ldap.py#L4706:17
ajayaajamielennox ^^06:17
jamielennoxajayaa: umm, i should know this but LDAP isn't really my area06:18
jamielennoxi'm not sure sorry06:18
ajayaanp jamielennox.06:19
lhcheng_ajayaa: I think that should be possible.   In the ldap config, you can specify a filter to used. So for single ldap, you can setup a domain and map it to a certain org only.06:30
ajayaalcheng_, Do I have to enable domain specific driver for this?06:32
ajayaalhcheng_ ^^06:32
*** belmoreira has joined #openstack-keystone06:40
*** tobe has joined #openstack-keystone06:42
*** ozialien has quit IRC06:45
*** henrynash has quit IRC06:50
lhcheng_ajayaa: yeah06:50
*** henrynash has joined #openstack-keystone06:51
*** ChanServ sets mode: +v henrynash06:51
lhcheng_ajayaa: you probably need to setup something like: https://github.com/openstack/keystone/tree/master/keystone/tests/unit/config_files/domain_configs_multi_ldap06:51
*** browne has quit IRC06:53
ajayaaI think in Kilo, you can store domain specific conf data in database rather than in files.06:54
ajayaalhcheng_ ^^06:55
lhcheng_yup06:55
lhcheng_that would be better than having the domain config files06:57
lhcheng_just trying to describe the setup of a multiple domains that may point to same ldap for identity06:57
*** ajayaa has quit IRC06:57
*** lufix has joined #openstack-keystone07:05
*** ajayaa has joined #openstack-keystone07:13
morganfainberglhcheng_: oh god. Ouch brain hurts.07:15
morganfainberg:P07:16
*** lhcheng_ has quit IRC07:21
*** ankita_wagh has quit IRC07:27
*** markvoelker has joined #openstack-keystone07:28
*** markvoelker has quit IRC07:33
*** gordc has joined #openstack-keystone07:35
*** rlt has joined #openstack-keystone07:35
*** henrynash has quit IRC07:58
*** dims has joined #openstack-keystone08:02
*** ajayaa has quit IRC08:02
*** dims has quit IRC08:07
*** kiranr has joined #openstack-keystone08:15
*** kiran-r has quit IRC08:15
*** kiranr has quit IRC08:15
*** kiranr has joined #openstack-keystone08:16
*** chlong is now known as chlong_afk08:16
*** kiranr is now known as kiran-r08:18
*** ajayaa has joined #openstack-keystone08:19
*** jistr has joined #openstack-keystone08:20
*** henrynash has joined #openstack-keystone08:23
*** ChanServ sets mode: +v henrynash08:23
openstackgerritMorgan Fainberg proposed openstack/keystonemiddleware: Ensure cache keys are a known/fixed length  https://review.openstack.org/18697108:37
*** e0ne has joined #openstack-keystone08:38
*** ajayaa has quit IRC08:40
*** fhubik has joined #openstack-keystone08:42
*** tobe has quit IRC08:47
*** tobe has joined #openstack-keystone08:48
*** crinkle has quit IRC08:50
*** esp has quit IRC08:52
*** esp has joined #openstack-keystone08:53
*** pnavarro_ has joined #openstack-keystone08:55
*** e0ne has quit IRC08:57
*** woodster_ has quit IRC09:01
*** chlong_afk has quit IRC09:03
*** afazekas has joined #openstack-keystone09:04
*** dguerri` is now known as dguerri09:05
*** jimbaker has quit IRC09:10
*** jimbaker has joined #openstack-keystone09:13
*** jimbaker has quit IRC09:14
*** jimbaker has joined #openstack-keystone09:14
*** markvoelker has joined #openstack-keystone09:16
*** markvoelker has quit IRC09:21
*** aix has joined #openstack-keystone09:22
*** jimbaker has quit IRC09:35
*** jimbaker has joined #openstack-keystone09:39
*** jimbaker has quit IRC09:39
*** jimbaker has joined #openstack-keystone09:39
*** davechen is now known as davechen_afk09:43
*** dims has joined #openstack-keystone09:49
*** dims has quit IRC09:50
*** dims has joined #openstack-keystone09:56
*** aix has quit IRC10:00
openstackgerrithenry-nash proposed openstack/keystone-specs: Support data driven test plans for role assignment testing  https://review.openstack.org/19099610:04
*** e0ne has joined #openstack-keystone10:04
*** e0ne is now known as e0ne_10:04
*** e0ne_ is now known as e0ne10:06
openstackgerrithenry-nash proposed openstack/keystone-specs: Support data driven test plans for role assignment testing  https://review.openstack.org/19099610:08
*** henrynash has quit IRC10:12
*** jimbaker has quit IRC10:13
*** jimbaker has joined #openstack-keystone10:18
*** jimbaker has quit IRC10:18
*** jimbaker has joined #openstack-keystone10:18
*** aix has joined #openstack-keystone10:28
openstackgerritMorgan Fainberg proposed openstack/keystoneauth: Move to the keystoneauth1 namespace  https://review.openstack.org/19100310:32
morganfainbergjamielennox: ^10:33
*** pnavarro_ has quit IRC10:36
samueldmqmorning10:44
morganfainbergsamueldmq: allo10:45
*** fifieldt has quit IRC10:58
*** crinkle has joined #openstack-keystone10:59
*** henrynash has joined #openstack-keystone11:03
*** ChanServ sets mode: +v henrynash11:03
*** fhubik is now known as fhubik_afk11:07
*** tobe has quit IRC11:10
morganfainbergayoung: ping11:19
morganfainbergayoung: re: old reviews, since you are one of the people hanging onto a bunch of them11:19
morganfainbergayoung: i know you keep saying you might be working on them in the future, but lets be honest, having a bunch of lingering reviews with no eyes on them causes headaches for reviews / new reviewers. We should be abandoning things that haven't been actively worked on in a while, they can be restored later (even searchable in gerrit)11:21
morganfainbergayoung: I'd like to cleanup the lingering stuff so we really only have at most ~60days of reviews that are active [assuming negative feedback and no followup]11:21
*** fhubik_afk is now known as fhubik11:35
*** e0ne is now known as e0ne_11:38
samueldmqmorganfainberg, what do I do regarding the policy meeting ?11:45
samueldmqmorganfainberg, just wait until next week to find a good time for it11:45
samueldmqmorganfainberg, or should I at least add a point in the cross-project meeting ?11:46
morganfainbergsamueldmq: what is becoming a cross project meeting thing?11:47
morganfainbergsamueldmq: i am not sure what this meeting is supposed to accomplish11:47
samueldmqmorganfainberg, i) agreement on the roadmap of dynamic policies, then overview spec merged11:48
samueldmqmorganfainberg, ii) agreement on specific implementation points from roadmap11:49
*** e0ne_ has quit IRC11:49
samueldmqmorganfainberg, this all can be accomplished through reviews and ML threads, however a meeting would accelerate the process11:50
samueldmqmorganfainberg, and then ensure we will have a good portion of dynamic policies in L11:50
*** markvoelker has joined #openstack-keystone11:50
morganfainbergsamueldmq: the overview spec should not be merged11:53
morganfainbergat all11:53
morganfainbergit is not a represenataion of what is going on11:54
morganfainbergsamueldmq: i've been meaning to -2 that giant spec of doom for a while11:56
morganfainbergsamueldmq: so what I'm looking for is a set of clearly scoped specs for work in L. or even one spec.11:58
morganfainbergbut this wish-washy dumping ground of a spec that contains "everything" is not helpful11:58
morganfainbergwe can break it up into work-items that are tied together. loosly, etc11:59
morganfainbergand we can move the specs to L series as the dependencies are completed.11:59
samueldmqmorganfainberg, makes sense11:59
samueldmqmorganfainberg, would a wiki be helpful ?12:00
morganfainbergbut right now i still have not seen anything but a mass of specs that describe something that we can gauge success against.12:00
morganfainbergyes12:00
samueldmqmorganfainberg, so we could keep the overview there12:00
morganfainberga wiki that contains the overview and links to specs would be great12:00
morganfainbergthat isn't tied to a release12:00
samueldmqmorganfainberg, and a spec should be12:00
samueldmqmorganfainberg, I agree with you on this point12:00
morganfainbergyes12:00
morganfainbergsomething we can say "this was successfuly completed"12:00
morganfainbergthe overview spec cannot ever be successful in it's current incarnation12:01
samueldmqhaha12:01
morganfainbergsince dynamic policy is a massive moving target12:01
morganfainbergwhcih is why i am concerned that I have yet to see clear targets for L12:01
morganfainbergor even a clear "put the scaffolding in place" work item.12:01
samueldmqok, from my point of view, having the policy CRUD + fetch in ksmiddleware is a good target, but need to discuss with others12:02
morganfainbergit's "this is how everything has to work in a perfect world" all at once12:02
morganfainbergso, I don't think KSM should be pulling the policy file12:02
morganfainbergthis should be something not "auth_token"12:03
morganfainbergit can live in the KSM package12:03
morganfainbergbut i don't see this as being "auth_token"12:03
samueldmqmorganfainberg, but in a standalone middleware12:03
morganfainbergwe should really keep to the "do one thing and do it well"12:03
morganfainbergyes12:03
samueldmqmorganfainberg, a different filter, as auth_token is12:03
morganfainbergyes12:03
morganfainbergthough we're doing the hardpart before we're addressing the other hard part12:03
samueldmqmorganfainberg, I agree ... I have poc locally where I've put it in the auth_token, but I will refactor it12:04
morganfainbergwe should be making sure olso.policy and all the tools we rely on can handle the new policy constructs12:04
morganfainbergwe should *not* be trying to centrally source these files until we are there. don't change how people work for a worse UX for the deployers12:04
morganfainbergbut honestly, i think we're backwards here now.12:04
samueldmqmorganfainberg, so first improve/create whatever CRUD for policies we will need12:04
morganfainbergno12:04
samueldmqmorganfainberg, and then try to get people using it ?12:04
morganfainbergimprove/create the tools around policy12:05
morganfainbergcreate crud interfaces that make sense12:05
morganfainbergland use-ful things that pull from crud interfaces12:05
morganfainbergthe 2nd and 3rd items can be done concurrently12:05
morganfainbergbut right now we need things such as overlay in oslo.policy (ability to merge policy constructs)12:05
openstackgerritMerged openstack/python-keystoneclient: tox env for Bandit  https://review.openstack.org/18291212:05
morganfainbergetc12:05
* morganfainberg is stepping in here because this is headed into a road that is very rocky12:06
* marekd where is morganfainberg today? 12:06
morganfainbergstill in berlin12:06
morganfainbergi head home tomorrow12:06
marekdmorganfainberg: so you cant be in berlin, they have the best roads in the world :P12:07
samueldmqmorganfainberg, ok12:07
samueldmqmorganfainberg, but role sets, hierarchical roles, etc can come later12:07
samueldmqmorganfainberg, after the dynamic mechanism for CRUD on policies right /12:07
samueldmq?12:07
morganfainbergsamueldmq: pretty much. and i want to see some specs that clearly define what is being approached12:09
samueldmqmorganfainberg, k I will create the wiki first, with overview (I won't copy paste, will create based on that)12:10
samueldmqmorganfainberg, and point to existing specs + see what is missing12:10
morganfainbergoh you can c&p the spec ;)12:10
morganfainbergand then change it for wiki-ness12:10
samueldmqmorganfainberg, k will see12:10
samueldmqmorganfainberg, I will create it under https://wiki.openstack.org/wiki/Keystone12:10
morganfainbergsounds good12:10
samueldmqmorganfainberg, is that the right place ?12:10
samueldmqmorganfainberg, nice12:10
morganfainbergin short we want to have some clear targets to hit12:10
morganfainbergand a graph of the work and how we're approaching it12:11
morganfainbergi'm not willing to take on a moving target that is likely to get 1/3 implemented and just stall12:11
samueldmqmorganfainberg, ++ I will make it as better as I can, will ping you once I have that wiki done12:12
samueldmqmorganfainberg, thanks for helping :)12:12
*** bknudson has joined #openstack-keystone12:25
*** ChanServ sets mode: +v bknudson12:25
*** raildo has joined #openstack-keystone12:27
*** josecastroleon has joined #openstack-keystone12:30
*** dsirrine has joined #openstack-keystone12:35
morganfainberggyee, topol, bknudson: stable interface discussion - http://www.gnu.org/software/libtool/manual/html_node/Libtool-versioning.html we should do this.12:41
morganfainberg(cc mordred )12:41
bknudsonswitch to libtool?12:41
morganfainbergno12:42
morganfainbergthe type of versioning12:42
morganfainbergfor the API12:42
bknudsonsemver would be more consistent12:42
morganfainbergbknudson: this would be for the backend interface and/or REST interface12:43
bknudsonit kind of looks like how nova microversioning works12:44
morganfainbergit's a little different12:44
morganfainbergbut yeah12:44
morganfainbergnova's microversioning is a full API contract for version X.Y12:44
mordredbknudson: yah - it's microversioning except it's been aroudn for ages and has well understood semantics12:44
morganfainbergyeah12:45
*** devananda has joined #openstack-keystone12:45
mordredbknudson: so I'm suggesting we lift some of the verbage for ease of communication12:45
* morganfainberg waves at devananda12:45
mordredsince it's conceptually the same and is how every C library on linux systems knows if it can link or not these days12:45
*** afazekas has quit IRC12:46
bknudsonthis allows you to have multiple libhellos on the system?12:47
mordredyes12:47
bknudsonI must be able to look at a lib and see what it supports...12:47
mordredit's a system for describing ranges of supported versions12:47
openstackgerritVictor Sergeyev proposed openstack/keystone: Comparision of database models and migrations.  https://review.openstack.org/8063012:47
bknudsonobjdump -p /lib/libc.so.612:48
bknudsonVersion definitions:12:48
bknudsonis that it?12:48
bknudson"1 0x01 0x0865f4e6 libc.so.6" -> "27 0x00 0x0b792650 GCC_3.0"12:49
bknudsonso it seems like you'd increase the "current" and "age" as you add new features and increase the "age" as you drop deprecated12:50
bknudsonrevision must be for bug fixes12:51
mordredhttp://www.gnu.org/software/libtool/manual/libtool.html#Updating-version-info12:51
mordredyah12:51
mordredrevision is for bug fixes12:51
mordredthere's a set of rules about when to update library versions there12:51
*** fhubik is now known as fhubik_afk12:52
bknudson"If any interfaces have been removed or changed since the last public release, then set age to 0."12:53
*** fhubik_afk is now known as fhubik12:53
samueldmqmorganfainberg, I added a subsection in the wiki called 'Liberty Priorities', so we can add 'dynamic policies' + others (reseller, etc ?) if needed12:56
morganfainbergsamueldmq: thanks12:56
samueldmqmorganfainberg, np, (I am still doing that, was just checking the naming for the section) :)12:57
*** fhubik has quit IRC12:59
*** dsirrine has quit IRC13:00
*** e0ne has joined #openstack-keystone13:01
*** dims is now known as dimsum__13:02
*** henrynash has quit IRC13:04
*** htruta has joined #openstack-keystone13:07
*** henrynash has joined #openstack-keystone13:16
*** ChanServ sets mode: +v henrynash13:16
*** richm has joined #openstack-keystone13:17
ayoungmorganfainberg, they are all active.  If I have a lingering review that I am not going to pursue, I kill it.  What you are seeing is an artifact of how slow our process is.13:19
ayoungI have mostly spec reviews.  Specs need to die.13:20
morganfainbergayoung: the reasons specs suck is because git is the wrong tool for it13:22
ayoungmorganfainberg, as for the -2 on https://review.openstack.org/#/c/147651/  that has been the most valuable document I've had for communicating the overall concept.  It is not a dumping ground, but rather a real roadmap.  What I was hoping for on that was approal for the whole process13:22
ayoungbut people are too detail oriented when it come to specs13:22
morganfainbergit is a dumping ground spec. it should be in the wiki (samueldmq is doing that now)13:22
ayoungthe reason specs suck is because specs are the wrong approach13:23
ayounghere is what I would rather have13:23
morganfainbergno git is thr wrong tool for the job13:23
ayoungHold on13:23
morganfainbergspecs are not bad, specs should be tied to the BP system13:23
ayoung1.  We define a problem to solve and agree on that, no solution13:23
*** nkinder__ has quit IRC13:23
morganfainbergbps are just *so* bad in launchpad we can't collaborate on anything there13:23
ayoung2.  We write code and docs for that solution in one go13:23
ayoungIT should just be an etherpad for design13:24
*** henrynash has quit IRC13:24
ayoungBP should link to an etherpad.13:24
ayoungWe are smothering ourselves with workflow here.13:24
morganfainbergi'm ready to kill specs and bps, everything is a bug collaborate on the bug so we have a coherant conversation13:24
ayoungmorganfainberg, YES!13:25
morganfainbergetherpad is not a good tool13:25
morganfainbergit is fine for live collab, it is not fine for the cannonical source13:25
ayoungmorganfainberg, ether pad is a good tool, just not a good "definitive one"13:25
ayoungtyes, you and eye agree....13:25
ayoungheh13:25
ayoungyou and I agree13:25
bknudsonsomebody was asking me about a keystonemiddleware release -- we added support for using v3 to get the revocation list and they want to use it.13:26
ayoungmorganfainberg, the cannonical should be the docs that get written with the code.  Not the spec.13:26
morganfainberganyway, the overview spec is a dumping ground spec, intended or not. samueldmq is moving it to the wiki - so we can split things up into peices we can say "are complete"13:26
*** jdennis has quit IRC13:26
morganfainbergayoung: but we don't lose the data. it also less "git" / tool specific then13:26
ayoungmorganfainberg, that is fine. It was originally a blog post, that I kep updating with the links to the specs.  I wanted something more official.13:26
morganfainbergayoung: yeah wiki.openstack is a good place for this13:26
ayoungWorkds for me.  But I did want to get an official approval of the approach13:27
ayoungI think most people still don't understand it13:27
*** jdennis has joined #openstack-keystone13:27
ayoungI think you do, and maybe team Brazil.13:27
morganfainbergayoung: I don't get it at all now13:27
morganfainberghonestly13:27
ayoungmorganfainberg, Ha13:27
morganfainbergi have no clue what you're driving at anymore13:27
ayoungIs that a response to my last email?13:27
morganfainbergand i don't like the fact that the whole thing looks like a giant moving target that will not be implemented13:27
morganfainbergsomewhat13:28
samueldmqmorganfainberg, ayoung yes, and I agree that is mostly describing the use case (like better describing what is in the bp), so wiki should be fine13:28
samueldmqwe keep specs for the steps13:28
samueldmqayoung, I think I do :)13:28
*** jdennis has quit IRC13:28
morganfainbergayoung: but it's not really clear to me or (afaict) othe rpeople what the target is.13:28
ayoungmorganfainberg, that might be an artifact of it being in the Spec.  Maybe this is one that, for now, best belongs in an etherpad, so we can treat it as a collaboration13:28
morganfainbergi can't concentrate on this today tbh though13:28
morganfainberggetting things dealt with so i can fly home tomorrow13:29
bknudsonstill in berlin?13:29
morganfainbergbknudson: yes13:29
morganfainbergbknudson: leave tomorrow morning13:29
morganfainbergskipping israel and headed home instead.13:30
ayoungmorganfainberg, I'm tryin g to get people to collaborate on an essentially broken piece of OpenStack.  I'm willing to concede, oto shift, to work with people, but  everyone is either so heads down i ntheir corner or ,when they do pop up, propsing solutions that will break the dross project aspec, that it is hard.  NP Hard.13:30
samueldmqmorganfainberg, ayoung I can setup an etherpad to improve collaboration as well, and keep the wiki updated with it ...13:30
bknudsonI'm also boycotting israel.13:30
ayoungmorganfainberg, so I am trying to focus on getting the incremental changes in that all show value themselves13:30
ayoungsuch as just fetching policy from Keystone  etc13:30
bknudsondue to the palestinian situation13:30
morganfainbergayoung: that isn't really clear to me that your focusing on that13:30
morganfainbergand hoensty i think that is not the part we need to be working on, but that is a separate conversation13:31
ayoungmorganfainberg, I'm doing my best to communicate it.  Blame it on my inability to communicate then.13:31
ayoungblame it on the rain13:31
ayoungmorganfainberg, there is an ordering to the solution13:31
morganfainbergayoung: no it's that the conversation is all over the map and we have a spec that "encompasses *everything*" and that has been the source of truth13:32
ayoungand that is why the overview spec....13:32
morganfainbergso the conversation can't be about "yes this is on the map but we need X anyway, lets do X"13:32
ayoungmorganfainberg, that is why the overview13:32
*** jdennis has joined #openstack-keystone13:32
morganfainbergexcept the overview is the onlything anyone is talking about13:32
ayoungI don't care the format, but it needs to be the starting point13:32
ayounggood13:32
morganfainbergthen this wont go anywhere13:32
morganfainbergsorry13:32
morganfainbergwhat you need is overview + current target13:33
morganfainbergcurrent target should be in work while the steps beyond are being discussed in the overview13:33
morganfainbergwithout that, you're looking at M or N or O cycle for the start of the work afaict13:33
morganfainbergif there is something non-controversial13:33
morganfainbergthat is the foundation, we should be getting that in place as well13:33
morganfainbergconcurrent with the other further reaching things that are a bit more nebulous13:34
bknudsonwhen I was following the dynamic policy the steps that were outlined looked like they were useful and good to do by themselves.13:34
bknudsonwe've already got all sorts of wacky stuff that nobody uses so if nobody uses it then this will just be another thing13:34
morganfainbergbknudson: that is kind of what i want to avoid.13:35
morganfainbergi want less 1/2 implemented things.13:35
ayoungmorganfainberg, then we need people to engage on the problem in a cross project reasonable way13:35
morganfainbergin fact maybe we just punt this whole thing into it's own project including the Policy Admin thing.13:35
ayoungI;'ve been trying to do this right13:35
morganfainbergdivorce this from keystone itself.13:35
*** bradjones has quit IRC13:35
ayoungI posted the specs, I've gotten the summit session, I13:36
ayoung've broken it down in to reasonalbe -to implement standalong-show their own value steps13:36
ayoungwe can shit can the whiole effort if you really think that things are o\k as is13:36
morganfainbergthat way there it is less shoehorn this into keystone13:36
ayoungmorganfainberg, we should shitcan keystone as well13:37
ayoungmaybe all of openstack13:37
morganfainbergayoung: sure do it13:37
ayoungjust run vCloud13:37
ayoungor just run everything on Amazon and Google13:37
morganfainberganyway i need to go.13:37
ayounghell, lets go back to  running it all on mainframes13:37
morganfainbergi'm really needing food13:37
bknudsonif you've got a "reasonalbe -to implement standalong-show their own value step" that we can do in L then let's get that done.13:37
ayoungbknudson, I do, and they are posted as specs13:38
bknudsonwhich one is it?13:38
ayoungthe overveiw spec origianlly had l;inks to them13:38
morganfainbergayoung: it is not clear what that is. i see a ton of specs13:38
*** bradjones has joined #openstack-keystone13:38
*** bradjones has quit IRC13:38
*** bradjones has joined #openstack-keystone13:38
morganfainbergand the overview seems to span multiple cycles13:38
morganfainberghence the -2 this morning13:38
ayoungmorganfainberg, blame it on the revisions of the overview, then. THey were all there an laid out13:38
ayoungI'll get them into an etherpad or something13:38
ayoungI have them all in the trello, too13:40
bknudsonI think you're asking a lot for us to all follow the whole arc of what you're proposing... what the first step that we can get done in L?13:40
ayounghttps://trello.com/b/260v4Gs7/dynamic-policy13:40
morganfainbergayoung: please don't use trello.13:40
samueldmqbknudson, another  challenge is to get things agreed in a cross-project view13:40
morganfainbergit's another place for a source of truth13:40
morganfainbergwe are going to get kanban boards here in openstack soon13:40
ayoungbknudson,  I don't know.  The answer changes the closer we get to the release.  THe number of changes for Keystione itself are relativley small, most of them are in middleware and policy13:41
bknudsonsamueldmq: sure, but you don't have to convince keystone cores of that.13:41
morganfainberglets keep the source of truth to the official sources13:41
ayoungmorganfainberg, I tired.  You just -2ed it, though13:41
samueldmqI think an etherpad is fine for now13:41
bknudsonif this is cross-project then it should be a cross-project spec13:42
samueldmqbknudson, get things agreed with keystone cores ?13:42
bknudsonthere's a place for thos13:42
morganfainbergno, get this into the wiki and/or etherpads [wiki for things that are less in flux]13:42
samueldmqbknudson, I think cross-project specs is for adoptions (after implemented ? not sure)13:42
ayoungmorganfainberg, there is no good solution, so please stop being critical of my attempts to actuall communicate this.13:43
ayoungbknudson, I had a cross-project session at the summit. You might recall no one from the other projects showed up13:43
morganfainbergi am being critical that you're moving it to a tool that most of the people in the community does not use.13:43
ayoungkeystone needs to solve this13:43
morganfainbergand will not use.13:43
bknudson:(13:43
samueldmqhttps://etherpad.openstack.org/p/dynamic-policies should be fine for now13:43
morganfainbergmoving to trello is hiding this from view13:43
morganfainbergplease do not do that.13:44
bknudsonevery project somehow needs to be convinced that this is worth their while13:44
bknudsonmaybe need to get the TC involved?13:44
ayoungmorganfainberg, meh.  I don;'t love trello, just give me something close to as useful.  Etherpad provides no notifications, and there is too much in flux for it to be a wiki.13:44
bknudsonif this is really hurting openstack adoption13:44
ayoungBPs suck,. specs suck. it all sucks...so let me just use it through this release, and we'll use Kanban when we get them13:44
bknudsondo you have a spec proposed to nova, for example?13:45
samueldmqbknudson, maybe we will need that later .. but I think organizing our docs ^ + trying to setup a dynamic policies meeting are good first steps13:45
bknudsongetting a meeting going is great!13:45
samueldmqbknudson, yes, and we could add a point to the existing cross-project meeting to talk a bit about that , and setup our own meeitng13:46
bknudsonbut considering how much time it takes to get things done, if you want to get something going in L ...13:46
samueldmqbknudson, if people don't get involved enoguh, we call TC police :)13:46
samueldmqyes I wanted to set it up for next week ... I am looking at our docs now, so we can move on that front13:47
bknudsonare there changes needed in nova and other projects?13:47
samueldmqnova wants to define their very default policy (source of truth) in python code13:48
bknudsondo they have a blueprint for that already?13:48
morganfainbergayoung: i can't stop you from using trello, i can say i seriously disapprove13:48
openstackgerritDiane Fleming proposed openstack/keystone-specs: Add side-by-side comparison table of v2 and v3 APIs  https://review.openstack.org/18702713:48
samueldmqthey have some requirements, we need to put them on the table and discuss them13:48
samueldmqand make everybody aware of what's going on13:48
samueldmqso we won't suffer with adoption later13:48
bknudsondo other projects also want to have default policy in python?13:49
samueldmqbknudson, we don't know, for now just nova showed up13:49
morganfainbergbknudson: i think other projects are going to follow nova13:49
*** kiran-r has quit IRC13:49
morganfainbergbknudson: to be faiur13:49
morganfainbergbknudson: whatever nova moves on13:49
bknudsonhow about keystone?13:50
bknudsonI guess I don't see how this is related to dynamic policy.13:50
morganfainbergbknudson: i'm inclined to follow nova as well - if it works, it presents some aspect of consistency in OpenStack13:50
openstackgerritDiane Fleming proposed openstack/keystone-specs: Add side-by-side comparison table of v2 and v3 APIs  https://review.openstack.org/18702713:50
morganfainbergbknudson: it is only tangentially related13:51
morganfainbergbknudson: it's how the base policy is defined. which could be 100% independant of the dynamic policy13:51
*** woodster_ has joined #openstack-keystone13:51
samueldmqbknudson, today dynamic policies includes the dynamic CRUD of policies + improvement of roles, etc13:51
morganfainbergbknudson: nothing proposed in dynamic policy mandates that we own policy at the base level if we wanted to pivot away from that13:51
samueldmqbknudson, I think we should split that, and call dynamic policies what really makes it change/move dinamically, i.e, policy crud13:52
morganfainbergif*13:52
bknudsonmaybe it will be good just to get all projects talking about and working on policy if we pick up this work for nova.13:52
bknudsonso get the workgroup going and discussing what nova wants to do, get it done for L, and then for M maybe they'll be more interested in dynamic policy.13:53
morganfainbergbknudson: it's the same pattern microversions (APIs) has taken13:53
morganfainbergbknudson: ++ that is a perfect goal13:53
openstackgerritVictor Sergeyev proposed openstack/keystone: Fix mysql_engine and FK in *_token tables  https://review.openstack.org/17487113:54
morganfainbergbknudson: having a clear goal for L that we can say is complete (internal to Keystone or not) would help with things when wemove to tyring to drive adoption [esp. if nova is involved]13:54
samueldmqbknudson, that's a good approach I think ... 'hey, nova is working with the dynamic policy stuff, we need that as well ... it's M priority'13:54
morganfainbergi think this cycle is going to be laying some groundwork in the tools that policy is based on [not nessiciarly the stuff keystone itself does]13:55
morganfainberghow policy files are layered together, how the base policy for a project is defined - putting the markers in the ground to change the direction we're headed on policy13:56
samueldmqmorganfainberg, maybe  + CRUD of policies and dynamic fetch on ksmiddleware, which is pretty simple (I ahve a poc locally)13:56
morganfainbergsamueldmq: you're going to find you have to deal with cache coherancy13:57
morganfainbergfor that13:57
morganfainbergit's not easy13:57
morganfainbergthat is *very* hard13:57
morganfainbergit's not a simple fetch13:57
samueldmqmorganfainberg, for now we use a cache_timeout13:58
morganfainbergit's a fetch and make sure policy is sync'd between all nodes behind a given HAProxy (for example) at the same time13:58
morganfainbergannnnnnnnnd13:58
samueldmqmorganfainberg, oh, and with haproxy it is a single ksmiddleware .. right13:58
morganfainbergif someone does partial upgrades (possible with microversions) now you have to handle incompatible policy files13:58
samueldmq?13:58
morganfainbergyeah13:58
morganfainbergno*13:59
morganfainbergit isn't13:59
morganfainbergeach process has it's own middleware13:59
samueldmqmorganfainberg, yeah13:59
morganfainbergheck each eventlet worker process has it's own middleware13:59
morganfainbergthis is not "easy"13:59
morganfainbergthe POC is easy, the solution is hard.13:59
samueldmqmorganfainberg, even harder if they have different versions13:59
morganfainbergalso granted that policy files between versions of APIs are not guaranteed to be compatible14:00
samueldmqmorganfainberg, you see it better than me, but yes, there are some challenges in there14:00
morganfainbergthe nova defining the policy makes a lot more sense in my view than keystone owning the baseline policy14:00
samueldmqmorganfainberg, I don't think keystone should own the primary source of truth14:00
morganfainberganyway14:00
morganfainbergi'm still trying to et out of here for food14:01
* morganfainberg checks out for a bit14:01
*** sigmavirus24_awa is now known as sigmavirus2414:01
samueldmqmorganfainberg, I think nova should own that (suppose policy.json as today) ... the CMS would be in charge of uploading that policy for nova endpoint, and setting middleware to keep it in sync14:01
samueldmqmorganfainberg, k bon apetit14:01
*** jaosorior has joined #openstack-keystone14:02
*** csoukup has joined #openstack-keystone14:03
*** henrynash has joined #openstack-keystone14:03
*** ChanServ sets mode: +v henrynash14:03
*** fangzhou has joined #openstack-keystone14:06
ayoungsamueldmq, bknudson  so...the idea of splitting the policy (yesterdays) email is to let Nova control what is essential for Nova, and let the dynamic stuff continue as well14:06
ayoungdid you guys read it and understand what I was proposing, cus that is probably a good starting point14:07
bknudsonI haven't been able to keep up with the mailing list lately -- too much work :(14:07
ayoungbknudson, http://www.mail-archive.com/openstack-dev@lists.openstack.org/msg55467.html14:08
ayoungsamueldmq, image we called enforce twice, but with two different policy files14:09
ayoungand each has a check for an api14:09
ayoungso...for example:14:09
ayounghttp://git.openstack.org/cgit/openstack/keystone/tree/etc/policy.v3cloudsample.json#n4314:10
ayoungcreate_project14:10
ayounghenrynash, coded that as rule:admin_and_matching_project_domain_id14:10
ayoungso the check from the first policy would look like this:14:10
ayoung(ignoring cloud_admin for the moment)14:11
*** kfox1111 has joined #openstack-keystone14:11
ayoung"identity:create_project": "role:admin"14:11
*** browne has joined #openstack-keystone14:11
ayoungthe second check would look like this14:11
ayoung"identity:create_project": "domain_id:%(project.domain_id)s"14:12
ayoungnow if we want to change the role that can perform create project, people would only edit the first file14:12
ayoungsay we create a new role called project_admin14:13
ayoungthey would change the first file to14:13
henrynashayoung: the thing I was unclear about was the “scope check”….is it really a check?  Or is it maybe “scope source” or something liek that?14:13
ayoung"identity:create_project": "role:project_admin"14:13
ayounghenrynash, you are right14:13
ayounghenrynash, it could be done in code14:13
ayoungit just needs to be done14:14
ayounghenrynash, once again, I am trying to do incrementals, so I'm just shifting from a known point.14:15
*** gordc has left #openstack-keystone14:15
henrynashayoung: the only thing that makes me a bit nervous is whether there might be different scope references needed…..I always wondered about an update where you wanted to to check something about both the unmodified entity as well as what you wanted to set it to14:16
henrynashayoung: and but maybe the source scope would still be teh same14:16
henrynashayoung: what you suggest would certaiinly, I think, take some of the black art out of wrting policy rules…since you have to sort of just know where to pick up the appropriaet scope from…which ci different from in a GET, LIST and DELETE14:18
henrynash(I’m not sure my example is stricly correct, but you get the idea)14:19
*** nkinder__ has joined #openstack-keystone14:20
ayounghenrynash, lets take the hardest thing you bring up "you wanted to to check something about both the unmodified entity as well as what you wanted to set it to"14:21
ayoungI think the answer there is:  would you reallt want to make that dynamic14:21
ayoungif so, then, we'd have an issue, but that is where we are at today14:22
ayoungBut I suspect that making that dynamic would be unlikely;  you'd need to know way too much about the details of the objects.  It seems to me more like something you want to turn-on or off completely14:23
*** timcline has joined #openstack-keystone14:26
*** timcline has quit IRC14:29
henrynashayoung: I suspect you are right…I think it would be one way or the other....14:33
*** geoffarnold has quit IRC14:34
ayounghenrynash, look how long that took, and this is one detail, and you are saavy on policy....14:34
ayoungany wonder why I am getting frustrated?14:35
henrynashayoung: fair comment, guv14:36
ayoungThere are so many WTF moments I have had with OpenStack.  *IF* We're trying to head to a micro-service architecture, we need to distribute authorization14:36
ayoungif we don't distribute authorization...lets not do a microservice architecture14:36
ayoungmerge nova and cinder and glance back into a single project, implicitly trust and be done with it14:37
ayoungbut...we are headed the other way,  more and more services, each providing their own addition14:38
openstackgerritRodrigo Duarte proposed openstack/keystoneauth: Add Keystone2KeystoneAuthPlugin for K2K federation  https://review.openstack.org/18858114:38
ayoungand we want them to have a common view of authorization.14:38
*** e0ne is now known as e0ne_14:49
*** fangzhou has quit IRC14:53
*** fangzhou_ has joined #openstack-keystone14:54
*** e0ne_ is now known as e0ne14:55
*** htruta has quit IRC14:59
*** zzzeek has joined #openstack-keystone15:08
*** belmoreira has quit IRC15:10
*** alex_xu is now known as alexus15:11
*** e0ne is now known as e0ne_15:18
*** obedmr has joined #openstack-keystone15:24
obedmrhi there, does anyone knows if token_flush is not anymore required in Kilo? I used to see it in the Icehouse documentation, but not in Kilo's. I tried to run the "keystone-manage token_flush" and got a "NotImplemented" exception, thanks15:26
*** e0ne_ is now known as e0ne15:27
openstackgerritRodrigo Duarte proposed openstack/keystoneauth: Add Keystone2KeystoneAuthPlugin for K2K federation  https://review.openstack.org/18858115:31
*** _cjones_ has joined #openstack-keystone15:40
morganfainbergobedmr: it is not reuqired if you use fernet tokens15:42
morganfainbergobedmr: it is required / should be used if you use pki, pkiz, or uuid tokens15:42
morganfainbergobedmr: fernet tokens do not store anything in the DB, so there is nothing to flush15:42
ayoungmorganfainberg, more correct to say "ayoung learned from mistakes of the past and made the revocation events flush automatically so you don't need to schedule anything"15:43
ayoungand then add15:43
ayoung"that is going to come back to bite us, too"15:43
morganfainberg ayoung: tomato, tomato..15:44
*** fangzhou_ has quit IRC15:44
ayoungwas token flush implemented as a backend specific thing?15:44
obedmrmorganfainberg: got it, thanks for that, actually I'm using uuid tokens, so, what would be the correct way to flush it?15:45
morganfainbergobedmr: the same as in juno, it's a keystone-manage command15:46
morganfainbergobedmr: you can schedule it with cron15:46
morganfainbergfor example15:46
morganfainbergbut make sure you're running it in only one place at any given time15:46
obedmryea, but when I run the command "keystone-manage token_flush", I'm getting NotImplemented exception,15:47
obedmrI'm trying that on Ubuntu 14.04 with Kilo Release15:48
morganfainbergobedmr: weird..15:50
morganfainbergobedmr: it should be there....15:51
morganfainbergobedmr: https://github.com/openstack/keystone/blob/stable/kilo/keystone/cli.py#L23515:51
morganfainbergobedmr: can you use paste.openstack.org and show me the exception?15:52
obedmrsure, for some reason it's going to https://github.com/openstack/keystone/blob/stable/kilo/keystone/token/persistence/backends/kvs.py#L35515:52
obedmrmorganfainberg:  here is: http://paste.openstack.org/show/285217/15:53
morganfainberguhm.. what are you setting the driver= in the [token] section of the keystone config?15:53
ayoungobedmr, does your config file ...15:54
ayoungyeah what morganfainberg said15:54
morganfainbergayoung: I'm awake *i swear*15:54
morganfainbergayoung:  :P15:54
obedmrmorganfainberg:  driver = keystone.token.persistence.backends.memcache.Token15:54
morganfainbergobedmr: ah the flush is only needed if you use SQL backend15:54
morganfainbergobedmr: don't worry about it with memcached15:54
morganfainbergthough we should probably catch NotImplemented and make the error message "not needed" or soemthing like that15:55
*** belmoreira has joined #openstack-keystone15:55
*** belmoreira has quit IRC15:55
ayoungmorganfainberg, he needs to switch to SQL, or a restart will un-revoke tokens15:55
ayoungor switch to using revocation events15:56
obedmrmorganfainberg:  oooh, got it, excellent, yeah, NotNeeded would be a better thing. Thanks a lot for the help. Next time I'll be able to help others if they have same question15:56
morganfainbergayoung: memcache is broken as a persistence backend and it's pretty much just awful15:56
morganfainbergayoung: we should probably docment "THIS BACKEND SHOULD NEVER BE USED"\15:56
morganfainbergayoung: uuid tokens = restart means no un-revoke15:56
morganfainbergayoung: pki tokens, it would cause an unrevoke15:56
ayoungmorganfainberg, ah...right15:57
morganfainbergayoung: my recommendation is: use fernet ;)15:57
*** _cjones_ has quit IRC15:58
ayoungmorganfainberg, is there a real problem with memcache and HTTPD?  I thought there were only issues with eventlet15:58
morganfainbergayoung: yes. the memcache backend is slow, has a ton of house keeping, doesn't handle failover between memcache servers, potentially causes your whole environment to explode if you issue too many tokens for a single user /revoke too many globally15:59
morganfainbergayoung: if we went to 100% revocation events, memcache would be a lot less bad [just suffers the "restart unauthorizes everything" issue]16:00
morganfainbergsince all the housekeeping logic could be stripped out (which is what makes it slow)16:00
ayoungmorganfainberg, and we could even do that for PKI, if it were not for the Horizon hash issue.16:00
morganfainbergayoung: yep16:00
ayoungmorganfainberg, I saw the Rev Event refactoring went through.  Next step is to make it use model and access info16:01
ayounganyone interested in picking that up and running with it?16:01
*** roxanaghe has joined #openstack-keystone16:05
*** wuhg has joined #openstack-keystone16:06
openstackgerritRaildo Mascena de Sousa Filho proposed openstack/keystone: Bye Bye Domain Table  https://review.openstack.org/16185416:09
*** lufix has quit IRC16:10
*** kiran-r has joined #openstack-keystone16:14
wuhganyone has installed keystone kilo by following http://docs.openstack.org/kilo/install-guide/install/apt/content/keystone-install.html16:14
wuhgi met the same problem as https://www.mail-archive.com/openstack@lists.openstack.org/msg12425.html16:15
*** henrynash has quit IRC16:18
*** diazjf has joined #openstack-keystone16:21
*** dguerri is now known as dguerri`16:22
*** htruta has joined #openstack-keystone16:22
*** henrynash has joined #openstack-keystone16:24
*** ChanServ sets mode: +v henrynash16:24
*** e0ne has quit IRC16:24
*** viktors is now known as viktors|afk16:26
samueldmqayoung, hi.. was afk, reading up16:26
samueldmqayoung, so the point is to split role checking (do I have access to this api? ) of scope checking (in which circumstances I may access this api)16:28
*** gyee_ has joined #openstack-keystone16:28
*** _cjones_ has joined #openstack-keystone16:32
*** pnavarro has joined #openstack-keystone16:33
samueldmqayoung, and role checking could be done out of service (middleware ? )16:34
ayoungsamueldmq, yep16:34
samueldmqayoung, nice makes sense, but we can split that after having middleware fetching policy right ?16:35
ayoungsamueldmq, either order.16:35
gyee_ayoung, are the dorms still available?16:35
samueldmqayoung, I think morganfainberg had some directions where we could start , it would be amazing if we could agree easily on that16:35
ayounggyee_, yes.  She reserved a handful of rooms16:35
samueldmqayoung, we can both split policy file or split the roles themselves16:36
ayoungsamueldmq, amazing indeed.16:36
samueldmqayoung, the latter is better imo16:36
samueldmqayoung, for example16:36
ayoungspolit the roles?16:36
samueldmqI meant rules16:37
samueldmq"identity:create_project": (("role:admin"), ("domain_id:%(project.domain_id)s"))16:38
samueldmqnot sure separating in a tuple is a good example16:38
gyee_ayoung, how do we reserve the dorms?16:38
samueldmqbut in a way we could distinguish between the roles enforced vs scope16:39
ayounggyee_, I'm in touch with an admin at BU16:39
samueldmqayoung,  ~16:39
samueldmq^16:39
ayoungits cheaper that way, I'll put you and lbragstad in touch with her directly16:39
ayoungah, yeah, split rules16:39
gyee_ayoung, thanks, we may have three attending16:39
ayounggyee_, you need dorms for 3 ?16:39
*** pnavarro has quit IRC16:40
gyee_ayoung, yes, they are co-ed right? roxanaghe may be joining us as well16:40
samueldmqayoung, or just keep role + scope in a same sentence, we can parse them and identify what roles are, anyway16:41
ayounggyee_, fairly sure they are.16:42
*** browne has quit IRC16:43
*** lhcheng has joined #openstack-keystone16:49
*** ChanServ sets mode: +v lhcheng16:49
*** lhcheng has quit IRC16:51
lbragstadayoung: I ended up booking at the Hyatt (same as dstanek)16:51
lbragstadayoung: sorry, I should have updated you16:52
ayounglbragstad, ah, good to know. Not a problem16:52
*** obedmr has quit IRC16:52
ayounglbragstad, she's got 5 rooms reserved.  I don;t think there is any cost associated with that. I'm guessing that dorm occupancy is low enough during the summer that they tend to be used more for transient housing than during the winter16:53
lbragstadayoung: ++ yeah, that's pretty common16:53
gyee_lbragstad, that 300 simoleons per night right?16:57
gyee_for hyatt16:57
lbragstadgyee_: I ended up using the corporate travel tool and got it at a cheaper rate16:59
lbragstadgyee_: but when I called them, that's what they were saying16:59
lbragstads/they were/the hotel person was/16:59
gyee_ding, its not even showing up on our corp travel tool, lemme double click17:00
lbragstadgyee_: there was a cheaper room at the buckminster17:00
lbragstadgyee_: but i believe it was the last one they had available17:00
*** henrynash has quit IRC17:01
gyee_that's ok, I don't mind bunk with somebody at the dorm17:02
*** obedmr has joined #openstack-keystone17:06
*** henrynash has joined #openstack-keystone17:07
*** ChanServ sets mode: +v henrynash17:07
*** HT_sergio has joined #openstack-keystone17:08
*** ankita_wagh has joined #openstack-keystone17:09
*** ankita_wagh has quit IRC17:10
*** kiran-r has quit IRC17:10
HT_sergiodoes anyone know "coreycb" or how I can get in touch with him17:10
*** ankita_wagh has joined #openstack-keystone17:10
*** henrynash has quit IRC17:11
HT_sergiohe opened a bug against python-memcache that pytohn-keystoneclient is having in python3.17:12
HT_sergiocan anyone point me in the direction of the guys working on that please17:12
*** lhcheng has joined #openstack-keystone17:15
*** ChanServ sets mode: +v lhcheng17:15
*** jaosorior has quit IRC17:15
*** browne has joined #openstack-keystone17:20
*** gyee_ has quit IRC17:23
openstackgerritMichael Tupitsyn proposed openstack/keystone: Fix debug message in flush_expired_tokens job  https://review.openstack.org/19115717:30
*** ankita_wagh has quit IRC17:32
*** radez_g0n3 is now known as radez17:38
david8huayoung, I will be attending the mid-cycle meetup.17:40
ayoungdavid8hu, excellent.17:40
david8huayoung, I like to stay at the dorm, but hated making the bed every morning, so Hyatt for me :)17:40
*** spandhe has joined #openstack-keystone17:42
ayoungHeh17:42
ayoungdavid8hu, I can teach you how to make a bed to West Point standards.  Hospital corners at 45 degrees, tight enough to bounce a dime off the collar17:42
ayoungWanna know the secret?17:43
*** kiran-r has joined #openstack-keystone17:43
openstackgerritMichael Tupitsyn proposed openstack/keystone: Fix debug message in flush_expired_tokens job  https://review.openstack.org/19115717:45
*** ankita_wagh has joined #openstack-keystone17:46
david8huayoung, I rather have the expert do it for me.  LOL17:46
*** jistr has quit IRC17:48
ayoungdavid8hu, you can't afford my rates17:48
david8huayoung, very limited budget17:49
ayoungThe hyatt is a good option.  It is right across the river from BU, so an easy walk, and really nice in summer time.17:50
ayoungI was at BU yesterday checking out the room we have.  We actually have two reserved, a larger room for the main meeting, and an overflow room.  The overflow is downstairs, and I don't expect we will actually need it17:52
ayoungThe main room is roughly the size of what we used at Rackspace, approx  twice the size of what we used at Geekdom....maybe the size of the larger rooms from the summit.17:53
ayoungSo, enough space for a main discussion, and also break down into subgroups17:53
*** roxanaghe has quit IRC17:54
*** gyee_ has joined #openstack-keystone17:57
*** fangzhou has joined #openstack-keystone18:00
*** e0ne has joined #openstack-keystone18:00
*** ankita_w_ has joined #openstack-keystone18:02
*** ankita_wagh has quit IRC18:02
*** cloudnull is now known as cloudkiller18:03
*** Ephur has joined #openstack-keystone18:04
*** cloudkiller is now known as cloudnull18:06
*** e0ne has quit IRC18:13
*** e0ne has joined #openstack-keystone18:19
*** aix has quit IRC18:22
*** e0ne is now known as e0ne_18:25
david8huayoung, I do like to see westpoint style bed making18:28
ayoung ++18:29
openstackgerritKevin Fox proposed openstack/keystone-specs: Unscoped Service Catalog  https://review.openstack.org/19073218:29
*** kiran-r has quit IRC18:30
*** e0ne_ has quit IRC18:30
samueldmqdavid8hu, ayoung 'Making A West Point Bed' https://www.youtube.com/watch?v=Yra3Fwux2p818:34
samueldmqhah18:34
david8husamueldmq, I am sure ayoung can do it faster then the boys in the videos ;)18:39
*** bknudson has quit IRC18:39
samueldmqdavid8hu, ++18:40
kfox1111ayoung: thanks for the reviews. Would a domain scoped token run into the same issues with the catalog? Can you convert a domain scoped token to a project scoped one later?18:43
ayoungthat is a joke.  It would not actually work18:44
ayoungyou sleep on it one night and it gets all loose, you need to tighten it each day18:44
ayoungkfox1111, two different tokens, get them each with the original request18:45
kfox1111I was thinking you'd want to pass an unscoped token to the vm so that it can talk to keystone and convert it to a domain scoped or a project scope as it needed.18:45
ayoungkfox1111, ok  that is better, but you would not want to pass an unscoped token to the VM...too much power....let me think....18:46
kfox1111I was under the impression scoped -> unscoped or scoped to a different type of scoped was going to be restricted at some point?18:46
kfox1111really ideally, there would be a service scoped token too.18:46
ayoungkfox1111, I need coffee to think...one sec18:46
kfox1111ok. :)18:47
kfox1111with a service scoped token, the service couldn't give it to a different service to use.18:47
kfox1111ala kerberos service tokens.18:47
samueldmqayoung, kfox1111 it would require one request to keystone for every request on other projects = bottleneck18:48
ayoungnah]18:48
ayoungok...let's start at the begining18:48
ayoungNova itself is creating the new users,  not the user that requested the workflow18:48
kfox1111correct.18:49
ayoungthe nova service user needs a scoped token in order to create the VM user.18:49
kfox1111sure. its an admin currently.18:49
ayoungnow, it gets that token using its credentials, and explicitly scoping to the the service-user domain18:49
kfox1111ok.18:49
ayoungnow...that the vm-specific user exists, you inject it whereever it needs to go...the VM in this case, right?18:50
kfox1111no, it sticks the username/password in the nova database for future reference.18:50
kfox1111now, when the vm needs its token, it contacts the metadata server and says "give me a token"18:50
ayoungkfox1111, what is that "future reference?"18:50
ayoungwhy ?18:50
kfox1111the metadata server then looks up the username/password for the keystone user associated with the vm that's trying to get the token,18:51
kfox1111authenticate with keystone using that username/password, and get the unscoped token for the user.18:51
ayoungkfox1111, no way!18:51
kfox1111it then passes the token back to the vm.18:51
kfox1111in this way, the vm user's creds are never known to the vm.18:51
ayoungkfox1111, you don't need a user per VM...just use the nova user, and a trust from the person that requested it.18:52
*** rlt has quit IRC18:52
kfox1111earlier when the I discussed this with some keystone folks at the summit, trusts were considered too heavy for this task. Also the trust roles are very very corse grained and give the vm way too much power with trusts.18:53
ayoungkfox1111 completely backwards18:53
ayoungtrusts are as light weight as new user records18:53
kfox1111heat does create users in a similar manner today.18:53
ayoungtrust roles are more fine grained than user records18:54
ayoungkfox1111, I know, but heat is doing something different18:54
ayoungkfox1111, if you want to make a new user, it is to separate concerns.  Let that user request tokens itself18:54
ayoungput the password on the VM and let it fly18:54
kfox1111that was brought up in the spec.18:54
ayoungbut trusts make more sense:18:54
kfox1111there's a major flaw with that though.18:54
kfox1111policy at sites like mine won't allow users to create multiple user accounts, especially ones that could potentially out last the user's stay at the lab.18:55
kfox1111but vm's will need to since they are part of the project.18:55
ayoungkfox1111, trusts make more sense18:55
ayoungkfox1111, OK,...here is how is should work18:55
kfox1111by having nova manage the user/password, and never making it available to the user, that issue is sidestepped.18:55
kfox1111if trusts were fine enough grained, I almost might agree. I'm not sure how  they would work with barbican acl's though.18:56
ayounguser talks to nova to do something.  Nova creates a trust, and stick that trust ID in the VM.  VM needs a token, NOva user executes the trust and gets token.  Trustor is the user that asked for the initial work18:56
ayoungnow, say I am that user18:56
ayoungand I, lazy slob that I am, get fired18:56
kfox1111how do you restrict a subset of secrets to a specific vm with a trust?18:56
ayoungnova goes to get token using trust, buit it can't cuz I not longerh ave that power myself18:57
ayoungkfox1111, is thei Barbican secrets type thing?18:57
kfox1111I'd expect the vm is owned by the project and if the project manager wants to keep the project alive, the vm's shouldn't break because one user left the project.18:57
kfox1111yeah. so you may have 10 secrets associated with your project, and you, as a project member have access to them all.18:58
kfox1111you may want to delegate access to a vm for just the 1 key it needs access to.18:58
kfox1111with barbican acl's, you can say user foo can download just this one secret.18:58
kfox1111so if each instance has its own user, you can setup the acls to allow it to access only the keys it needs access to, blocking all the rest, keeping the rest of the secrets in the same project safe.18:59
ayoungkfox1111, put them each in a separate project, then19:00
ayoungkfox1111, I have a meeting now...I will give you a fuller answer in a bit. If I miss you, I'll post to the mailing list19:00
*** ayoung is now known as ayoung-mtg19:00
kfox1111ok. thanks. I think we're making it increadibly hard to manage secrets. :/19:00
kfox1111when you make secret management hard, everyone does it wrong. :/19:01
*** ankita_w_ has quit IRC19:02
*** wuhg has quit IRC19:04
*** csoukup has quit IRC19:05
*** dontalton has joined #openstack-keystone19:09
*** e0ne has joined #openstack-keystone19:09
*** tqtran has joined #openstack-keystone19:16
*** e0ne is now known as e0ne_19:18
*** e0ne_ is now known as e0ne19:22
openstackgerritDeepti Ramakrishna proposed openstack/keystone: Reuse token_ref fetched in AuthContextMiddleware.  https://review.openstack.org/19086319:32
*** lhcheng has quit IRC19:37
*** dontalton has quit IRC19:52
samueldmqmorganfainberg, ayoung-mtg https://wiki.openstack.org/wiki/DynamicPolicies#Evolution19:52
samueldmqmorganfainberg, ayoung-mtg I will recheck it against the overview spec + add links to existing specs (linking them with the items in the roadmap) this weekend19:53
samueldmqoops, just  https://wiki.openstack.org/wiki/DynamicPolicies  .. #Evolution is a section in there :)19:53
*** lhcheng has joined #openstack-keystone19:59
*** ChanServ sets mode: +v lhcheng19:59
*** chmouel has quit IRC20:07
*** csd has quit IRC20:07
*** redrobot has quit IRC20:07
*** Guest19563 is now known as dan20:07
*** redrobot has joined #openstack-keystone20:08
*** redrobot is now known as Guest6707420:08
kfox1111morganfainberg: could you please have a look at https://review.openstack.org/#/c/186617/ and weigh in when you get a minute? I kind of feel like we keep going around and around without pinning anything down. :/20:09
openstackgerritRodrigo Duarte proposed openstack/keystoneauth: Add Keystone2KeystoneAuthPlugin for K2K federation  https://review.openstack.org/18858120:09
*** EmilienM is now known as EmilienM|afk20:10
*** csd has joined #openstack-keystone20:11
*** chmouel has joined #openstack-keystone20:12
*** e0ne has quit IRC20:19
*** greghaynes has quit IRC20:27
*** radez is now known as radez_g0n320:34
*** ayoung-mtg has quit IRC20:36
openstackgerritKevin Fox proposed openstack/keystone-specs: Unscoped Service Catalog  https://review.openstack.org/19073220:39
*** htruta has quit IRC20:41
*** ozialien has joined #openstack-keystone20:44
*** raildo has quit IRC20:46
*** ayoung-mtg has joined #openstack-keystone20:50
*** lhcheng has quit IRC20:54
openstackgerritDolph Mathews proposed openstack/keystone-specs: User groups in token bodies  https://review.openstack.org/18856420:56
*** pnavarro has joined #openstack-keystone21:13
*** edmondsw has joined #openstack-keystone21:14
*** dguerri` is now known as dguerri21:17
*** iurygregory has quit IRC21:17
openstackgerritKevin Fox proposed openstack/keystone-specs: Unscoped Service Catalog  https://review.openstack.org/19073221:18
*** ayoung-mtg has quit IRC21:20
*** ozialien has quit IRC21:26
*** edmondsw_ has joined #openstack-keystone21:27
*** ayoung-mtg has joined #openstack-keystone21:32
*** gyee_ has quit IRC21:33
*** edmondsw_ has quit IRC21:36
*** edmondsw has quit IRC21:40
*** nkinder__ has quit IRC21:42
-openstackstatus- NOTICE: Gerrit will be offline for project renames between 22:00 and 22:30 UTC21:43
*** ChanServ changes topic to "Gerrit will be offline for project renames between 22:00 and 22:30 UTC"21:43
*** pnavarro has quit IRC21:49
*** diazjf has left #openstack-keystone21:57
*** Raildo has joined #openstack-keystone21:59
-openstackstatus- NOTICE: Gerrit is offline for project renames. ETA 20:3022:04
*** ChanServ changes topic to "Gerrit is offline for project renames. ETA 20:30"22:04
-openstackstatus- NOTICE: Gerrit is offline for project renames. ETA 22:4022:08
*** ChanServ changes topic to "Gerrit is offline for project renames. ETA 22:40"22:08
ayoung-mtgdolphm, just  one group for scoped tokens, but all groups for unscoped.  Make sense?22:09
kfox1111depends on the resolution to the instance user thing too?22:13
kfox1111I'm really nervious without some kind of filtering it will break on one of our clouds.22:14
kfox1111wait... how do you pick a group when scoping?22:14
kfox1111I didn't think that was a thing.22:15
kfox1111We're using groups right now to allow users access to tenants, and it seems to work fine with the dashboard and launching vm's but no where does the user pick a group when logging in.22:16
ayoung-mtgkfox1111, so when a user authenticates, we look up the list of groups for that user.  If they request a scoped token, we look for role assignement, first based on their userid, ehtn based on their group assingments22:16
*** ayoung-mtg is now known as ayoung22:16
ayoungkfox1111, for revocations, we only care about the group actually used to assign the user to the project.22:17
kfox1111ah, so its filtered by role association. I see.22:17
kfox1111So it still could be multiple groups, but probably just one.22:17
ayoungI guess in theory, the user could have multiple ways to be assigneed to the project, including multiple groups.22:17
kfox1111that makes sense.22:17
ayoungin theory it could be direct assignment plus group22:17
kfox1111I would assume I'm a normal user and an admin in some projects...22:18
kfox1111probably through different groups.22:18
ayoungso, we could remove a direct assignment, but leave on that the user got due to being in a group22:18
ayoungso, their are edge conditions, but I think there are anyway22:18
ayoungso if we revoke by group, and the token has multiple groups in it....22:19
kfox1111yeah.22:19
ayoungactually, we have to limit the groups in the token relevant to the assignemnt, otherwise we can't revoke by group22:19
ayoungis that what he said and I misread it?22:19
kfox1111It might be good to bring up filtering by role back to the barbican guys. I'm thinking that they would not expect that behavior.22:19
ayoungand....gherrit is down22:20
kfox1111thought any more about the instance user use case? I was under the impression the barbican folks came up with the whole acl thing to avoid needing lots of projects.22:23
kfox1111I also see a good use case where a vm may need to be given access to just one zaqar queue owned by a project.22:33
*** ChanServ changes topic to "Gerrit is offline for project renames. ETA 20:30"22:42
-openstackstatus- NOTICE: Gerrit is back online. Zuul reconfiguration for renamed projects is still in progress, ETA 23:30.22:42
*** lhcheng has joined #openstack-keystone22:50
*** ChanServ sets mode: +v lhcheng22:50
*** ChanServ changes topic to "Liberty Development Open | Review Liberty Specs | See you at the summit!"22:50
*** zzzeek has quit IRC22:51
*** lhcheng_ has joined #openstack-keystone22:53
*** dguerri is now known as dguerri`22:54
*** sigmavirus24 is now known as sigmavirus24_awa22:54
*** obedmr has quit IRC22:55
*** lhcheng has quit IRC22:55
*** arunkant has quit IRC22:56
*** arunkant has joined #openstack-keystone22:56
*** Ephur has quit IRC22:59
*** Raildo has quit IRC23:02
ayoungkfox1111, OK,  so putting hte password in Nova is no more secure than just sticking the secret in nova23:13
kfox1111Disagree. For the following reasons.23:14
kfox1111the metadata for a vm outlasts its life span (soft deletes)23:14
kfox1111a secret's lifespan/usefullness often outlives the vm's.23:15
kfox1111orchistration is very important to the process, and you don't want secrets passing through both nova and heat and stored in both db's like it must be done today.23:16
kfox1111associating a vm's instance to a container, allows you to update the secrets in the container without having to modify stuff in nova.23:16
kfox1111there may be other reasons. those are just off the top of my head.23:17
kfox1111the lifespan of the acl associating the vm's and the secrets can be less then the lifespan of the secret.23:18
kfox1111it can be revoked after the vm is put in place and then the pw in the nova database no longer can be used to get the secret.23:18
kfox1111if sticking the secret in the db was ok, barbican wouldn't buy you anything over just sticking it in swift as well.23:20
kfox1111barbican buys you other things like hardware encryption devices.23:20
*** openstackgerrit has quit IRC23:22
*** openstackgerrit has joined #openstack-keystone23:22
kfox1111oh. and barbican lets you provision secrets. so generating a ssl certificate on the fly, and keeping it up to date when it expires.23:24
ayoungkfox1111, all you said is true, and yet what  I just said is still true23:36
kfox1111I'm not sure I follow.23:37
kfox1111If a keystone user is associated with the vm, but on vm delete the instance user is thrown away, the secret is no longer accessable via anything stored in nova's database. therefore, its more secure then simply storing the secret in nova since soft deletes ensure a secret stored in the nova database outlasts the vm's deletion.23:38
kfox1111someone breaking into the nova database won't find anything useful in the password case, only the stored secret case.23:40
lhcheng_question, we only set the 'is_admin' in the policy check context for authentication using admin_token right?23:41
*** dan is now known as Guest7440923:49
*** dan_ has joined #openstack-keystone23:50
*** dan_ is now known as Guest6854923:50
kfox1111well, I gota head out. have a great weekend.23:58
« Thursday, 2015-06-11 Index Saturday, 2015-06-13 »

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!