Tuesday, 2015-06-23

*** markvoelker has joined #openstack-keystone00:00
*** r-daneel has quit IRC00:01
openstackgerritMerged openstack/keystone: Remove unused requirements  https://review.openstack.org/19373400:02
openstackgerritMerged openstack/keystone: Update sample configuration file  https://review.openstack.org/19387800:02
*** shaleh has joined #openstack-keystone00:05
openstackgerritMerged openstack/keystone: Refactor extract function load_auth_method  https://review.openstack.org/18700400:10
*** pballand has joined #openstack-keystone00:14
*** kfox1111 has quit IRC00:19
*** kfox1111 has joined #openstack-keystone00:19
*** arunkant__ has joined #openstack-keystone00:20
*** darrenc_afk is now known as darrenc00:20
*** shaleh has quit IRC00:23
*** arunkant_ has quit IRC00:23
*** jasondotstar has quit IRC00:29
*** jamielennox|away is now known as jamielennox00:29
jamielennoxbknudson: https://github.com/ionrock/cachecontrol is the one i've seen - but anything works00:31
*** pballand has quit IRC00:34
*** browne has quit IRC00:35
*** browne has joined #openstack-keystone00:36
*** kfox1111 has quit IRC00:39
jamielennoxinteresting - that one like patches requests globally00:46
*** vilobhmm has joined #openstack-keystone00:51
*** bradjones has quit IRC00:54
*** dims has quit IRC00:55
*** dims has joined #openstack-keystone00:57
*** bradjones has joined #openstack-keystone00:59
*** bradjones has quit IRC00:59
*** bradjones has joined #openstack-keystone00:59
bknudsonwe don't want to patch it globally01:04
bknudsonhttps://github.com/ionrock/cachecontrol/tree/master/cachecontrol/caches has redis and file01:04
*** bradjones has quit IRC01:07
*** charlesw has joined #openstack-keystone01:08
*** bradjones has joined #openstack-keystone01:09
*** bradjones has quit IRC01:09
*** bradjones has joined #openstack-keystone01:09
*** chengkunye has joined #openstack-keystone01:12
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Refactor _confirm_token_bind takes AccessInfo  https://review.openstack.org/17967601:15
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Extract basic validation processing to base class  https://review.openstack.org/18081801:15
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Separate the fetch and validate token processes  https://review.openstack.org/19094001:15
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Make token bind work with a request  https://review.openstack.org/18081701:15
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Don't cache signed tokens  https://review.openstack.org/19094101:15
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Create a simple base class from AuthProtocol  https://review.openstack.org/18081601:15
*** jasondotstar has joined #openstack-keystone01:15
*** Kennan has quit IRC01:16
*** Kennan has joined #openstack-keystone01:16
*** chengkunye has left #openstack-keystone01:19
*** stevemar has joined #openstack-keystone01:19
*** ChanServ sets mode: +v stevemar01:19
*** cing has joined #openstack-keystone01:21
*** larainema has joined #openstack-keystone01:34
*** zzzeek has quit IRC01:43
*** dramakri has quit IRC01:44
*** spandhe has quit IRC01:44
*** scorpio-xiatian has joined #openstack-keystone01:46
*** davechen has joined #openstack-keystone01:47
*** davechen1 has joined #openstack-keystone01:52
*** davechen has quit IRC01:53
openstackgerritjanonymous proposed openstack/keystone: Python 3: Use six.moves.range  https://review.openstack.org/19382001:55
openstackgerritjanonymous proposed openstack/keystone: Python 3: Fix Python 3 unicode issue.  https://review.openstack.org/19386601:59
*** liusheng has joined #openstack-keystone02:02
*** roxanaghe has quit IRC02:05
openstackgerritjanonymous proposed openstack/keystone: Python 3: Use range instead of xrange.  https://review.openstack.org/19382002:06
*** csoukup has joined #openstack-keystone02:10
*** fangzhou has quit IRC02:12
*** zzzeek has joined #openstack-keystone02:17
*** csoukup has quit IRC02:18
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Don't allow webob to set a default content type  https://review.openstack.org/19447002:24
*** csoukup has joined #openstack-keystone02:35
*** dims has quit IRC02:36
*** csoukup has quit IRC02:39
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Rename _LOG to log in auth_token middleware  https://review.openstack.org/19294802:40
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Refactor _confirm_token_bind takes AccessInfo  https://review.openstack.org/17967602:40
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Extract basic validation processing to base class  https://review.openstack.org/18081802:40
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Separate the fetch and validate token processes  https://review.openstack.org/19094002:40
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Make token bind work with a request  https://review.openstack.org/18081702:40
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Don't cache signed tokens  https://review.openstack.org/19094102:40
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Create a simple base class from AuthProtocol  https://review.openstack.org/18081602:40
*** zzzeek has quit IRC02:41
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Refactor _confirm_token_bind takes AccessInfo  https://review.openstack.org/17967602:45
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Extract basic validation processing to base class  https://review.openstack.org/18081802:45
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Separate the fetch and validate token processes  https://review.openstack.org/19094002:45
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Make token bind work with a request  https://review.openstack.org/18081702:45
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Don't cache signed tokens  https://review.openstack.org/19094102:45
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Create a simple base class from AuthProtocol  https://review.openstack.org/18081602:45
jamielennoxi'm going to get openstackgerrit flood kicked02:45
*** diazjf has joined #openstack-keystone02:47
*** jasondotstar has quit IRC02:47
*** scorpio-xiatian has quit IRC02:50
*** scorpio-xiatian has joined #openstack-keystone02:51
*** rushiagr_away is now known as rushiagr02:53
stevemarjamielennox, possibly, possibly...02:53
*** scorpio-xiatian has quit IRC02:54
*** vilobhmm has quit IRC02:55
*** richm has quit IRC02:56
davechen1jamielennox: looks grand, so many patches in a chain...02:58
jamielennoxdavechen1: the theory is it's easier to review small patches, the practical is you have to do a hell of a lot of rebasing when there are small issues in the early ones02:58
*** davechen1 is now known as davechen02:59
*** nkinder has quit IRC03:06
*** davechen1 has joined #openstack-keystone03:07
*** davechen1 has quit IRC03:08
*** davechen has quit IRC03:11
*** davechen has joined #openstack-keystone03:11
*** nkinder has joined #openstack-keystone03:19
*** tobe has joined #openstack-keystone03:26
*** rushiagr is now known as rushiagr_away03:32
openstackgerritJamie Lennox proposed openstack/python-keystoneclient: Add get_token_data to token CRUD  https://review.openstack.org/19448403:33
*** mgarza has joined #openstack-keystone03:35
*** larainema has quit IRC03:40
*** spandhe has joined #openstack-keystone03:42
*** nkinder has quit IRC03:43
*** harlowja has quit IRC03:43
*** charlesw has quit IRC03:45
*** nkinder has joined #openstack-keystone03:52
*** ajayaa has joined #openstack-keystone03:54
*** vilobhmm has joined #openstack-keystone03:56
*** mgarza has quit IRC03:58
*** iamjarvo has joined #openstack-keystone03:59
*** brad[] has joined #openstack-keystone03:59
*** dramakri has joined #openstack-keystone03:59
*** dramakri has left #openstack-keystone04:00
*** kiran-r has joined #openstack-keystone04:01
*** pballand has joined #openstack-keystone04:02
*** david-lyle_ has quit IRC04:03
*** rushiagr_away is now known as rushiagr04:11
stevemaroh man, i just noticed how much cruft the auth entrypoint patch gets rid of bknudson04:11
stevemarit's lovely04:11
*** rushiagr is now known as rushiagr_away04:14
*** rushiagr_away is now known as rushiagr04:15
*** pballand has quit IRC04:17
*** mestery has joined #openstack-keystone04:19
*** iamjarvo has quit IRC04:25
openstackgerritMerged openstack/keystone: Use stevedore for auth drivers  https://review.openstack.org/18210204:29
*** brad[] has quit IRC04:35
*** mgarza_ has joined #openstack-keystone04:38
*** mgarza__ has joined #openstack-keystone04:41
*** mgarza_ has quit IRC04:43
*** mestery has quit IRC04:49
*** brad[] has joined #openstack-keystone04:54
openstackgerritMerged openstack/keystone-specs: Groups are not included in federated scoped tokens  https://review.openstack.org/19430005:06
*** tobe has quit IRC05:11
*** boris-42 has quit IRC05:12
*** tobe has joined #openstack-keystone05:17
*** tobe has quit IRC05:19
*** woodster_ has quit IRC05:21
*** arunkant_ has joined #openstack-keystone05:28
*** arunkant__ has quit IRC05:32
*** diazjf has quit IRC05:42
*** stevemar has quit IRC05:54
*** d43pan has joined #openstack-keystone05:54
*** stevemar has joined #openstack-keystone05:54
*** ChanServ sets mode: +v stevemar05:54
d43panhi all - quick question about debugging models?05:55
d43panI have two files models which both reference and are both referenced by the same other models... and in one of them I keep getting "TypeError: Cannot read property '{ModelName}' of undefined" when trying to create a new instance of a third model05:57
d43pannew keystone.list('{ModelName}').model   ----05:58
*** vilobhmm has quit IRC05:58
d43panso then i think... ok ... i'll just try to include that list at the very top of the model ....06:00
d43pansame error06:01
*** stevemar2 has joined #openstack-keystone06:10
*** ChanServ sets mode: +v stevemar206:10
*** Kennan has quit IRC06:11
*** Kennan2 has joined #openstack-keystone06:11
*** stevemar has quit IRC06:12
*** mgarza__ has quit IRC06:16
morganfainbergstevemar2: shady shady stevemar2 is here06:16
morganfainbergstevemar2: i don't trust stevemar2, he did something with stevemar06:17
stevemar2morganfainberg, bunch of tstorms in toronto are causing flakiness with my isp06:17
*** browne has quit IRC06:17
*** stevemar2 is now known as stevemar06:17
morganfainbergyou should get a bouncer man06:17
morganfainbergznc ftw06:17
*** arunkant__ has joined #openstack-keystone06:18
* morganfainberg realizes he should read the irc meeting plan for the week06:18
stevemarmorganfainberg, a bunch of bknudson's stuff is landing, that's good06:18
morganfainbergyes i know06:18
*** arunkant_ has quit IRC06:20
d43pan(is this the wrong place to ask questions?)06:21
*** tobe has joined #openstack-keystone06:22
morganfainbergd43pan: it's not really the wrong place, but a lot of us are US timezones, right now it's ~2330 on the west coast of the US (and I'm usually one of the few up late around here)06:23
morganfainbergd43pan: you might have to be patient for some folks to get going in the morning - i'm about to go to bed personally.06:24
d43panyeah... i'm US east coast :-) about to go to bed too --- way too late06:24
morganfainbergthere are a lot of us keystone-types who are east coast and central timezones06:24
morganfainbergso i'd hit up people tomorrow morning then :) my advice, get some sleep.06:25
morganfainbergopenstack is usually easier post sleep (and morning coffee)06:25
*** spandhe has quit IRC06:25
d43panthanks06:26
*** belmoreira has joined #openstack-keystone06:26
*** markvoelker has quit IRC06:40
*** rushiagr is now known as rushiagr_away06:42
*** Kennan2 is now known as Kennan06:53
*** pnavarro has joined #openstack-keystone06:56
*** smija has joined #openstack-keystone07:00
*** rlt has joined #openstack-keystone07:08
*** pnavarro has quit IRC07:10
openstackgerritliusheng proposed openstack/keystone: Remove the unused config_files parameter of service entry  https://review.openstack.org/18698707:11
*** vilobhmm has joined #openstack-keystone07:13
*** pnavarro has joined #openstack-keystone07:19
jamielennoxmorganfainberg: not around for meeting tomorrow but back next week07:25
*** jdandrea has quit IRC07:31
*** boris-42 has joined #openstack-keystone07:32
*** markvoelker has joined #openstack-keystone07:41
*** stevemar has quit IRC07:43
*** jaosorior has joined #openstack-keystone07:45
*** markvoelker has quit IRC07:46
*** kiran-r has quit IRC07:57
*** d43pan has quit IRC08:01
*** davechen_ is now known as davechen_away08:05
evrardjpgood morning everyone08:08
*** vilobhmm has quit IRC08:10
*** mabrams has joined #openstack-keystone08:15
*** fhubik has joined #openstack-keystone08:16
openstackgerritDave Chen proposed openstack/keystone: Upgrade Foreign key in Endpoint with ondelete='CASCADE'  https://review.openstack.org/17976708:25
*** fhubik is now known as fhubik_afk08:26
*** e0ne has joined #openstack-keystone08:32
*** fhubik_afk is now known as fhubik08:35
*** e0ne is now known as e0ne_08:38
*** e0ne_ has quit IRC08:44
*** e0ne has joined #openstack-keystone08:48
*** dguerri` is now known as dguerri08:48
*** aix has quit IRC08:53
openstackgerritDave Chen proposed openstack/keystone: Upgrade Foreign key in Endpoint with ondelete='CASCADE'  https://review.openstack.org/17976708:56
*** e0ne is now known as e0ne_09:06
*** aix has joined #openstack-keystone09:07
*** e0ne_ has quit IRC09:11
*** e0ne has joined #openstack-keystone09:15
*** fhubik is now known as fhubik_afk09:17
*** markvoelker has joined #openstack-keystone09:17
*** fhubik_afk is now known as fhubik09:20
*** markvoelker has quit IRC09:22
*** afazekas has joined #openstack-keystone09:22
*** afazekas has quit IRC09:23
*** afazekas has joined #openstack-keystone09:24
*** vg_ has joined #openstack-keystone09:25
*** mancdaz has quit IRC09:25
*** mancdaz has joined #openstack-keystone09:25
vg_Guys , anyone has any doc available for migrating the v2.0 API to v3 API for keystone in devstack ?09:25
vg_I am running devstack kilo version09:25
*** fhubik is now known as fhubik_afk09:30
vg_<samueldmq> there ?09:35
*** janonymous has joined #openstack-keystone09:37
*** jasondotstar has joined #openstack-keystone09:37
*** fhubik_afk is now known as fhubik09:42
*** smija has quit IRC09:43
*** marzif has joined #openstack-keystone09:48
*** davechen is now known as davechen_afk09:51
*** davechen_afk has left #openstack-keystone09:51
*** vg__ has joined #openstack-keystone09:53
*** vg_ has quit IRC09:55
vg__hi09:55
*** pdar has joined #openstack-keystone10:03
*** dims has joined #openstack-keystone10:06
*** e0ne is now known as e0ne_10:10
*** henrynash has quit IRC10:20
*** cing has quit IRC10:20
*** e0ne_ has quit IRC10:20
*** arunkant_ has joined #openstack-keystone10:34
*** smija has joined #openstack-keystone10:35
*** tobe has quit IRC10:39
*** arunkant__ has quit IRC10:39
*** jamielennox is now known as jamielennox|away11:00
*** radez is now known as radez_g0n311:01
vg__<bknudson> u there ?11:02
*** fhubik is now known as fhubik_afk11:02
*** markvoelker has joined #openstack-keystone11:06
*** liusheng has quit IRC11:08
*** liusheng has joined #openstack-keystone11:08
*** e0ne has joined #openstack-keystone11:09
*** markvoelker has quit IRC11:11
samueldmqvg__: hi, morning11:11
*** aix has quit IRC11:15
*** radez_g0n3 is now known as radez11:19
vg__so as suggested by community - I would like to use the Keystone API 3 ...right now when I stood up new instance of stable/kilo , my all service endpoints on Horizon shows up v2.011:22
vg__but in keystone-paste.ini i can see the support for v311:23
vg__I need to know how to do the migration of my keystone v2.0 to v3 - any doc ?11:23
vg__or if no doc. how do i setup a new Devstack so by default it has v3 support for all services11:24
vg__or at least I want keystone to be v311:24
samueldmqvg__: keystone is already v3, it's running both v2.0 and v3 endpoints, respectively on localhost:5000/v2.0/ and localhost:5000/v3/11:25
samueldmqvg__: do you want to do something specific ? or just to use keystone v3 through horizon?11:26
vg__well Initially i wanted to use Keystone through Horizon11:27
vg__but now I just have a simple use case11:27
vg__I need a Tenant Admin role created11:27
samueldmqvg__: when you manage users/projects/roles, etc through Horizon, you're using keystone11:27
samueldmqvg__: see https://docs.hpcloud.com/helion/openstack/1.1/services/identity/configure/11:27
vg__and define the permissions for this - so if any user has this role , he should be able to create new users, manage them11:28
samueldmqvg__: this might help to make Horizon use keystone v3 API11:28
*** aix has joined #openstack-keystone11:28
samueldmqvg__: you definitely can do that, but such role cannot be on the domain, it must be in a project11:28
samueldmqvg__: since horizon is not able to work with domain scoped tokens yet11:29
vg__yes11:29
vg__agree , i have this user under one project and that role is also accessible in that project11:29
samueldmqvg__: nice11:29
samueldmqvg__: in step 1 of the link I just sent you11:29
samueldmqvg__: as you're running devstack, I think your file will be in devstack/horizon/openstack_dashboard/local/local_settings.py11:30
vg__ok11:30
samueldmqvg__: so you modify configs a,b,c in step 211:30
vg__yes11:30
samueldmqvg__: and then restart, this is quite simple11:31
*** radez is now known as radez_g0n311:31
vg__trying now11:31
*** e0ne is now known as e0ne_11:36
*** kiran-r has joined #openstack-keystone11:38
vg__#OPENSTACK_API_VERSIONS = { #    "data-processing": 1.1, #    "identity": 3, #    "volume": 2, #}11:39
*** Ctina__ has joined #openstack-keystone11:40
vg__<samueldmq> http://paste.openstack.org/show/pyYECquY9N6Md0xcy75M/11:40
vg__is this correct ?11:40
samueldmqvg__: need to uncomment, see http://paste.openstack.org/show/316485/11:41
*** henrynash has joined #openstack-keystone11:43
*** ChanServ sets mode: +v henrynash11:43
*** e0ne_ has quit IRC11:46
openstackgerritMarek Denis proposed openstack/python-keystoneclient-saml2: Depend on python-keystoneauth  https://review.openstack.org/18685411:55
openstackgerritMarek Denis proposed openstack/python-keystoneclient-saml2: Standardize federated auth token scoping  https://review.openstack.org/17722712:03
*** d43pan has joined #openstack-keystone12:03
*** markvoelker has joined #openstack-keystone12:05
*** jasondotstar has quit IRC12:06
*** fhubik_afk is now known as fhubik12:06
openstackgerritMarek Denis proposed openstack/python-keystoneclient-saml2: Depend on keystoneauth  https://review.openstack.org/18685412:06
*** iurygregory has joined #openstack-keystone12:11
*** gordc has joined #openstack-keystone12:12
*** raildo has joined #openstack-keystone12:15
*** dguerri is now known as dguerri`12:15
*** dguerri` is now known as dguerri12:15
d43panhi all... anyone have any thoughts on what to do when this happens:  ---- i'm requiring keystone at the top of every model (along with keystone.Filed.Types and some other modules I use)  i've added new models i need also... but now when referencing certain models from other models via keystone.list('ModelName}').model()  I'm getting the following error12:18
d43panTypeError: Cannot read property 'ModelName' of undefined12:18
*** mgarza_ has joined #openstack-keystone12:19
*** kiran-r has quit IRC12:24
*** woodster_ has joined #openstack-keystone12:25
*** edmondsw has joined #openstack-keystone12:28
*** aix has quit IRC12:31
openstackgerritMarek Denis proposed openstack/python-keystoneclient-saml2: Standardize federated auth token scoping  https://review.openstack.org/17722712:33
*** bknudson has quit IRC12:35
*** ajayaa has quit IRC12:37
*** fhubik is now known as fhubik_afk12:37
*** fhubik_afk is now known as fhubik12:37
*** e0ne has joined #openstack-keystone12:37
*** radez_g0n3 is now known as radez12:39
openstackgerritMarek Denis proposed openstack/python-keystoneclient-saml2: Depend on keystoneauth  https://review.openstack.org/18685412:40
*** janonymous_ has joined #openstack-keystone12:41
*** boris-42 has quit IRC12:42
*** aix has joined #openstack-keystone12:47
*** d43pan has quit IRC12:50
openstackgerritjanonymous proposed openstack/keystone: Python 3: Use range instead of xrange for py3 compatibility.  https://review.openstack.org/19382012:52
vg__<samueldmq> my UI has become unresponsive after that12:57
samueldmqvg__: oh I need to use memcache as session backend13:02
samueldmqvg__: I am stepping in a meeting now, talk to you later, someone on horizon channel would be able to help you better13:03
*** vg__ has quit IRC13:04
openstackgerritjanonymous proposed openstack/keystone: Python 3: Replace unicode with six.text_type.  https://review.openstack.org/19386613:08
*** richm has joined #openstack-keystone13:17
*** jasondotstar has joined #openstack-keystone13:17
*** openstack has quit IRC13:17
*** openstack has joined #openstack-keystone13:17
*** ajayaa has joined #openstack-keystone13:29
*** aix has quit IRC13:29
*** ayoung has joined #openstack-keystone13:33
*** ChanServ sets mode: +v ayoung13:33
*** janonymous_ has quit IRC13:38
*** aix has joined #openstack-keystone13:42
*** fhubik_afk is now known as fhubik13:43
*** bknudson has joined #openstack-keystone13:48
*** ChanServ sets mode: +v bknudson13:48
*** charlesw has joined #openstack-keystone13:49
*** bknudson has quit IRC13:54
openstackgerritMarek Denis proposed openstack/python-keystoneclient-saml2: Standardize federated auth token scoping  https://review.openstack.org/17722713:56
*** browne has joined #openstack-keystone13:59
*** rwsu has joined #openstack-keystone14:01
*** timsim has left #openstack-keystone14:07
*** sigmavirus24_awa is now known as sigmavirus2414:07
*** bknudson has joined #openstack-keystone14:08
*** ChanServ sets mode: +v bknudson14:08
*** HT_sergio has joined #openstack-keystone14:12
*** fangzhou has joined #openstack-keystone14:12
*** fhubik is now known as fhubik_afk14:16
*** mgarza_ has quit IRC14:17
*** iamjarvo has joined #openstack-keystone14:19
*** jasondotstar has quit IRC14:31
*** fhubik_afk is now known as fhubik14:33
*** afazekas has quit IRC14:36
*** csoukup has joined #openstack-keystone14:38
*** e0ne is now known as e0ne_14:44
*** fangzhou has quit IRC14:46
*** jasondotstar has joined #openstack-keystone14:46
*** stevemar has joined #openstack-keystone14:46
*** ChanServ sets mode: +v stevemar14:46
*** thedodd has joined #openstack-keystone14:47
*** mgarza_ has joined #openstack-keystone14:48
*** e0ne_ is now known as e0ne14:49
*** kiran-r has joined #openstack-keystone14:51
*** zzzeek has joined #openstack-keystone14:58
*** charlesw_ has joined #openstack-keystone15:00
*** kiran-r has quit IRC15:02
*** charlesw has quit IRC15:02
*** charlesw_ is now known as charlesw15:02
*** vilobhmm has joined #openstack-keystone15:06
*** fhubik is now known as fhubik_afk15:07
*** r-daneel has joined #openstack-keystone15:07
*** fhubik_afk is now known as fhubik15:08
*** diazjf has joined #openstack-keystone15:11
*** vilobhmm has quit IRC15:12
openstackgerritBrant Knudson proposed openstack/keystone: admin and main httpd files  https://review.openstack.org/19444215:13
*** mabrams has quit IRC15:15
*** belmoreira has quit IRC15:21
*** fhubik has quit IRC15:23
*** kiran-r has joined #openstack-keystone15:23
*** pnavarro is now known as pnavarro|off15:28
*** vg_ has joined #openstack-keystone15:29
*** kfox1111 has joined #openstack-keystone15:31
*** pballand has joined #openstack-keystone15:32
*** rlt has quit IRC15:33
*** mabrams has joined #openstack-keystone15:34
*** mestery has joined #openstack-keystone15:34
*** mestery_ has joined #openstack-keystone15:35
*** kiranr has joined #openstack-keystone15:36
*** navid__ has joined #openstack-keystone15:37
*** mestery has quit IRC15:39
*** mestery_ is now known as mestery15:40
*** kiran-r has quit IRC15:40
bretonfolks, what is AccessInfo?15:40
morganfainbergbreton: it is a structure that we use internally that unifies the forms of token data15:40
morganfainbergso we don't need to have tons of conditionals because the token body changed15:40
morganfainbergbetween v2 and v315:40
kfox1111morganfainberg: did the changes I made look ok to you?15:41
morganfainbergkfox1111: haven't looked yet.15:42
*** mgarza_ has quit IRC15:42
kfox1111ok.15:42
bretonso, it's a wrapper for token data fetched from ks, right?15:43
morganfainbergkfox1111: +1 specifically from a keystone interaction standpoint15:43
*** mgarza_ has joined #openstack-keystone15:43
*** pballand has quit IRC15:43
morganfainbergkfox1111: commented that i am not in favor or against the whole concept, but you've addressed my concerns re: keystone interaction15:44
morganfainbergbreton: essentially15:44
*** e0ne is now known as e0ne_15:46
bretonwhere do we mainly develop it now -- in ks-auth or ks-client?15:46
bretonI see they are different there15:46
*** mgarza_ has quit IRC15:47
kfox1111morganfainberg: ok. I was hoping for a +1 but if a non -1 is the best I can do, that's ok. Thanks for the help in coming up with a good solution to the problem.15:47
*** e0ne_ is now known as e0ne15:47
morganfainbergkfox1111: you have a +1, but i don't have a strong opinion if nova instances should be able to do this15:47
morganfainbergkfox1111: so my +1 is "you aren't doing anything that makes me cringe with keystone"15:48
kfox1111yeah, but I think nova's only caring about seeing +1's on the review. :/15:48
kfox1111I'll try and relay that info though.15:48
morganfainbergkfox1111: then they are not utilizing the review system very well from a cross-project standpoint15:48
kfox1111:/15:49
morganfainbergkfox1111: again, i did +1 it, just i left a comment as well saying that this +1 is really just about keystone interaction15:49
kfox1111I think that's a big issue with most openstack projects. :/15:49
morganfainbergbreton: you'll need to talk to ayoung and jamielennox|away - it's in a bit of flux15:50
kfox1111but it doesn't show up as Code-Review+1 so they don't catch it unless they are looking very closely. Would you be willing to review +1 it and then say in the comments you're not for or against the feature, but are ok with the solution as specified?15:51
*** mgarza_ has joined #openstack-keystone15:51
kfox1111ah. nm. just saw your review.15:52
kfox1111thanks. :)15:52
*** pballand has joined #openstack-keystone15:52
kfox1111I really appreciate all your help with this.15:52
morganfainbergkfox1111: yeah i get the need to +1. if they take that as support for the concept, i'll correct them when asked. but you've addressed all my concerns wrt keystone and interactions15:53
dstanekJust an FYI... My wife has to have surgery later today so I may not be at the meeting15:54
morganfainbergkfox1111: if i was able to +2 that spec, i would still +1 because i don't have a strong opinion on if instances should have that superpower15:54
morganfainbergdstanek: lets make it easy, don't show up even if you're around15:54
morganfainbergdstanek: family > openstack15:54
morganfainbergfamily > irc meetings15:54
morganfainbergdstanek: take care of your wife :)15:55
dstanekI may be sitting there with nothing to do. if I don't keep busy I may go crazy15:55
morganfainbergdstanek: i promise keystone will still be here when you're back.15:55
kfox1111morganfainberg: That's cool. totally understand. You don't need the feature so I understand not having an opinion about it. I'm actually glad that you are taking that stance. Some folks say "I don't need that feature, so I'll -1 it."15:55
dstanek:)15:55
kfox1111which is way worse.15:56
morganfainbergdstanek: hah, ok, just know that i expect you should be gone for things like that. if you still want to show up and have time/energy for it, by all means... but ...15:56
morganfainbergdstanek: like i said, keystone will still be here (I don't think i can get the rm -rf patch through the gate between now and tomorrow)15:57
morganfainbergdstanek :P15:57
dstanekStart with deleting the tempest tests first!15:57
*** rwsu has quit IRC15:58
stevemardstanek, best of luck to the wife :)15:58
bretonbradjones: what was the problem with https://review.openstack.org/#/c/189018/3?15:58
morganfainbergkfox1111: i think that view (oh i don't need this -1) is far different than "this is a terrible idea". The "i don't need this, -1" is equivalent to bikeshedding imo15:58
bretonerr15:58
bretonbknudson: was the problem with https://review.openstack.org/#/c/189018/3 ?15:59
morganfainbergbreton: jenkins hated it.15:59
bknudsonbreton: I need to figure out where it belongs in jamielennox|away 's patches15:59
morganfainbergbreton: it probably needs a rebase and some extra eyes to see what tempest is barfing on.15:59
bknudsonor even if we need it anymore.15:59
*** gordc_ has joined #openstack-keystone15:59
*** gordc has quit IRC16:00
*** gordc_ is now known as gordc16:00
morganfainbergbknudson: it might not be needed - but that not being needed is probably when keystoneauth becomes a reality16:00
bknudsonbut I'd rather just wait for some of jamielennox|away 's patches to merge and then I'll look at it again16:00
*** Lactem has joined #openstack-keystone16:01
LactemHey dolphm .16:01
*** pballand has quit IRC16:01
bretonjamie's patch looks good, I don't see why it wouldn't merge16:01
ayoungbreton, Ok, so access Info is defined the name of the client view of the data;  it is a dictionary created from the token.  What I was doing, to dynamically create tokens, is the server side (only) model16:01
ayoungbreton, so access info is, I think, moving to ks-auth, but jamie is the authoritative on that. I've actually not looked at the ks-auth code in a few16:02
bretonayoung: so, there will be keystoneauth-AccessInfo and keystone-AccessInfo?16:02
ayoungnot the latter16:03
ayoungbreton, one sec, I'll link16:03
dstanekmorganfainberg, stevemar: thx16:03
*** Lactem has quit IRC16:03
*** pballand has joined #openstack-keystone16:04
ayoungbreton, https://review.openstack.org/#/c/184651/  is mine...server side.  Now, server side, we will be importing the  keystoneauth-AccessInfo  ( I think)  to do validation and revocation checking16:04
*** charlesw_ has joined #openstack-keystone16:04
bretonayoung: is there a spec?16:05
*** henrynash has quit IRC16:05
ayoungbreton, there are a million specs, for all facets of keystone, including these.  What part?16:06
*** charlesw has quit IRC16:06
ayounggoing to get lunch16:06
*** charlesw_ is now known as charlesw16:06
*** ayoung is now known as ayoung-lunch16:06
bretonayoung-lunch: regarding accessinfo. Or it's a no-spec change and considered refactoring?16:07
*** spandhe has joined #openstack-keystone16:09
*** iamjarvo has quit IRC16:13
*** RichardRaseley has joined #openstack-keystone16:13
*** vg_ has quit IRC16:16
*** samueldmq has quit IRC16:21
openstackgerritBrant Knudson proposed openstack/keystone: admin and public httpd files  https://review.openstack.org/19444216:22
*** _cjones_ has joined #openstack-keystone16:24
*** samueldmq has joined #openstack-keystone16:24
samueldmqayoung-lunch: morning, let me know when you're back16:25
samueldmqayoung-lunch: I'd like to synchronize with you the points to be addressing in the meeting16:26
openstackgerritMichael Tupitsyn proposed openstack/keystone: Fix for LDAP filter on group search by name  https://review.openstack.org/19473316:27
*** vg has joined #openstack-keystone16:27
*** roxanaghe has joined #openstack-keystone16:28
*** _kiran_ has joined #openstack-keystone16:28
*** mestery has quit IRC16:28
*** e0ne has quit IRC16:29
*** spandhe has quit IRC16:30
*** dims has quit IRC16:30
*** vg has quit IRC16:31
*** kiranr has quit IRC16:32
*** d43pan has joined #openstack-keystone16:32
*** dims has joined #openstack-keystone16:33
*** mabrams has left #openstack-keystone16:35
*** _kiran_ has quit IRC16:36
*** _kiran_ has joined #openstack-keystone16:36
*** jasondotstar has quit IRC16:43
*** kiranr has joined #openstack-keystone16:43
samueldmqmorganfainberg: hello, good morning16:45
samueldmqmorganfainberg: for the scope of our dynamic policies discussion today with nova folks16:46
samueldmqmorganfainberg: I am planning to address two main points: i) whether to have a unified policy or not; ii) microversions and redefine scope for L16:46
samueldmqmorganfainberg: ayoung-lunch sounds good ? ^16:46
*** fangzhou has joined #openstack-keystone16:46
*** _kiran_ has quit IRC16:47
*** fangzhou has quit IRC16:48
david8hujamielennox,  Have you read this email thread http://lists.openstack.org/pipermail/openstack-dev/2015-June/067795.html.  Cinder thinks that there is a bug in the keystoneclient discovery.16:48
morganfainbergdavid8hu: yeah we've been discussing it with thingee and cinder folks16:49
*** marzif_ has joined #openstack-keystone16:50
*** ayoung-lunch is now known as ayoung-burp16:50
david8hucool,  I wonder if it is cinder specific.  Nova, heat clients also use the discovery code.16:50
*** ayoung-burp is now known as ayoung16:51
*** jasondotstar has joined #openstack-keystone16:52
ayoungsamueldmq, I'd like to save unified for last.  I think it might derail the other discussions16:54
ayoungsamueldmq, lets focus on support for microversions16:55
*** brad[] has quit IRC16:55
samueldmqayoung: that works fine for me, then16:55
samueldmqayoung: i) microversions and revisit scope for L ii) whether unify16:56
*** marzif has quit IRC16:56
ayoungsamueldmq, and then a unified policy file would just be the starting point, but we'd need the microversion support to update it once it is deployed16:56
samueldmqayoung: what if common roles came to projects from a sort of oslo-incubator, and their individual policies would include that, and define checks using that ?16:58
samueldmqayoung: just an idea ..16:58
ayoungsamueldmq, I like the idea that the policy files are additive somehow.  I think importing a common set of roles would be a good step16:59
ayoungsamueldmq, I think we also need to seriously consider splitting the file into two parts, and only let end users customize one of them16:59
ayoungsamueldmq, we could do that by naming them differently, list policy-rbac.json versus policy-scope.json17:00
samueldmqayoung: make sense ... that's already a story in our plans ..17:00
ayoungstill not 100% sold on that, but it is the best I've come across yet17:00
samueldmqayoung: however, agreeing in common definitions coming from a sort of oslo-incubator, we agree that we don't need to unify17:01
ayoungI'd like to discuss that part, as I think it would benefit from other brains chewing on it17:01
samueldmqayoung: to keep common rules consistent17:01
*** dontalton has joined #openstack-keystone17:01
*** shaleh has joined #openstack-keystone17:01
openstackgerritMerged openstack/keystonemiddleware: Rename _LOG to log in auth_token middleware  https://review.openstack.org/19294817:02
d43pananyone have any insights into why keystone models aren't loaded in model files ?  They seem to be loaded alphabetically up to the model which is including keystone.... I am trying to go through keystone.list('ModelName') to create new instances to attach them in pre-saves, but I don't have access to models alphabetically after the model i'm currently in17:02
samueldmqayoung: if you agree with me in that ... since from what I understood, keeping common rules consistent was the best motivation for unifying :017:02
samueldmq:)17:02
ayoungsamueldmq, I think that should be our #1 design goal:  " keep common rules consistent"17:03
samueldmqayoung: yes, and doing so for a sort of oslo-incubator would interfere in other things17:03
ayoungsamueldmq, as well as fix 96869617:03
samueldmqayoung: like what sdague pointed out as issues with unifying17:04
samueldmqayoung: I agree with you about common definitions, we need to fix that, and provide better default policies17:04
*** sirushti has joined #openstack-keystone17:04
openstackgerritMerged openstack/keystonemiddleware: Make token bind work with a request  https://review.openstack.org/18081717:05
samueldmqayoung: I am 100% with you on this (and I am sure my team is as well, since we've been trying to introduce better defaults during last year)17:05
ayoungsamueldmq, something came up that might affect reseller.  Was talking with someone about Juno, and they wanted some form of HMT.  I suggested that the may a domain per customer, and then put an admin project in each domain.  To execute domain scoped operations needed a token scoped to the domains project named domain_admin.17:05
*** jaosorior has quit IRC17:05
ayoungI think we need to enforce that the token is not used for scoping in the operation itself, but that scope needs to be somewhere in the request17:06
ayoungor needs to be somewhere on the resource, in the case of a modify/delete by ID17:06
samueldmqayoung: operations already know their scopes .. hm ..17:08
samueldmqayoung: but maybe you want to check 'indirect' scopes .. like the project's domain17:08
ayoungsamueldmq, more than that17:08
ayoungsamueldmq, If I have a token on the admin_project, I want to be able to assign a role on any project in that domain17:08
ayoungso the domain matches ,but not the project id17:09
ayoungit toally breaks my idea of "split the RBAC from the scope"17:09
ayoungtotally17:09
samueldmqayoung: yeah... did you see https://review.openstack.org/#/c/193543/ ?17:10
samueldmqayoung: look at lines 38-42, that's the interesting part17:11
ayoungsamueldmq, so the admin projects would eventually be rolled up by that...would just need a migration of some sort17:12
ayoungsamueldmq, I think that is essentially OK, although is_domain really means "this is the admin project"17:14
ayoungI think I'17:14
ayoungm OK with it...17:14
raildohaha http://openstackreactions.enovance.com/2015/06/getting-a-token-from-keystone/17:14
*** HT_sergio has quit IRC17:15
samueldmqayoung: hm .. but we need to be careful, since the is_domain project has the same id as the domain17:15
ayoungsamueldmq, that actually does not bother me at all17:15
samueldmqayoung: which is not true in the case one has a domain and a project called is_domain in it17:15
ayoungHeh17:16
samueldmqayoung: that's great then, that solves the case you were talking above (your customer with domain_project)17:16
ayoungsamueldmq, yeah, they could migrate once Liberty becomes available to them17:16
samueldmqayoung: ++17:16
samueldmqayoung: yeah , that's a great idea on how to represent those things in the policy (talked about this with henry last friday :))17:17
samueldmqayoung: ok ... you said me: 'I think I'm OK with it....'17:17
ayoungsamueldmq, I mean, the wording is dumb, but meh17:18
samueldmqayoung: is that related to henry's spec ? or the idea of having common definitions coming from oslo-incubator (or something like)17:18
samueldmqayoung: :-)17:18
ayoungjust "is_domain"17:18
ayoungmeh17:18
ayounggood enough, I think17:18
*** kiranr has quit IRC17:19
samueldmqayoung: k :-)17:19
samueldmqayoung: you're hard to be convinced, but I am making sure we communicate as much as we can with our ideas17:20
samueldmqayoung: and then we agree sometimes,:)17:20
*** dguerri is now known as dguerri`17:21
*** mestery has joined #openstack-keystone17:25
*** harlowja has joined #openstack-keystone17:26
*** rwsu has joined #openstack-keystone17:31
*** gyee_ has quit IRC17:33
*** rwsu has quit IRC17:33
*** nkinder has quit IRC17:34
*** gyee has joined #openstack-keystone17:36
*** ChanServ sets mode: +v gyee17:36
*** rwsu has joined #openstack-keystone17:39
*** rwsu has quit IRC17:42
*** rwsu has joined #openstack-keystone17:43
*** RichardRaseley has quit IRC17:44
david8huayoung, samueldmq, will common definition include context_is_admin?  I guess the direction is not, but that diverges from what is there already.17:49
ayoungdavid8hu, that rule is not a helpful one17:50
ayoungI'd like it to go away17:50
morganfainbergayoung: (/s) Lets make a rule "admin_is_context" and... oh wait...17:50
ayoungdavid8hu, the content of the policy files can change, just not the meaning17:50
ayoungmorganfainberg, /me tired and cranky today.17:51
ayoungSaving my good natured reserves for the meeting17:51
morganfainbergayoung: to be fair, i've been fighting off a cold for the last 5 days17:51
morganfainbergso i've mostly not gotten out of bed.17:51
david8huI will be taking the keystone meeting from my jacuzzi, but I do not have a jacuzzi.17:53
morganfainbergdavid8hu: i'd worry about electronics :P17:54
morganfainbergin a jacuzzi17:54
kfox1111"What could go wrong... " :)17:55
david8huayoung, should we get rid of context_is_admin when we go common unified header?  If we can get it done in one shot why not.17:55
david8huIphone 6+ is 2915 mAh.  Is that enough to electrocute a person? :)17:57
ayoungdavid8hu, my current hack looks like this https://github.com/admiyo/openstack-core-policy17:58
ayounghttps://github.com/admiyo/openstack-core-policy/blob/master/policy.json17:58
david8huayoung, looking17:58
ayoungdavid8hu, that is built from the different sources:17:59
openstackgerritBrant Knudson proposed openstack/keystone: admin and public httpd files  https://review.openstack.org/19444217:59
ayoung"is_admin:True needs to die, too...haven't finished it17:59
samueldmqmeeting time ! right ? :-)17:59
*** mestery has quit IRC18:00
*** mestery has joined #openstack-keystone18:01
*** henrynash has joined #openstack-keystone18:02
*** ChanServ sets mode: +v henrynash18:02
*** spandhe has joined #openstack-keystone18:03
*** htruta_ has joined #openstack-keystone18:03
*** roxanaghe has quit IRC18:04
*** ericksonfgds is now known as ericksonsantos18:04
*** HT_sergio has joined #openstack-keystone18:04
*** iamjarvo has joined #openstack-keystone18:05
*** jasondotstar has quit IRC18:07
*** spandhe has quit IRC18:07
*** e0ne has joined #openstack-keystone18:08
*** mestery has quit IRC18:10
*** spandhe has joined #openstack-keystone18:13
*** jasondotstar has joined #openstack-keystone18:14
stevemarso much doug hellmann in my inbox :)18:19
morganfainbergjamielennox|away: ping you awake?18:20
morganfainbergjamielennox|away: if not no worries18:20
morganfainbergstevemar: haha18:20
openstackgerrithenry-nash proposed openstack/keystone-specs: Add is_domain to tokens for projects acting as a domain  https://review.openstack.org/19354318:26
*** e0ne is now known as e0ne_18:27
openstackgerrithenry-nash proposed openstack/keystone-specs: Add is_domain to tokens for projects acting as a domain  https://review.openstack.org/19354318:27
*** dguerri` is now known as dguerri18:28
*** dguerri is now known as dguerri`18:29
*** e0ne_ has quit IRC18:32
openstackgerritFernando Diaz proposed openstack/keystone: Adding Documentation for Mapping Combinations  https://review.openstack.org/19285018:33
stevemardiazjf, btw, we're all in #openstack-meeting - the keystone meeting is happening now18:34
*** ksavich has joined #openstack-keystone18:35
*** e0ne has joined #openstack-keystone18:41
diazjfstevemar, thanks for the heads up, just joined18:41
*** aix has quit IRC18:42
*** marzif_ has quit IRC18:43
*** janonymous_ has joined #openstack-keystone18:43
*** lhcheng has joined #openstack-keystone18:45
*** ChanServ sets mode: +v lhcheng18:45
*** spandhe has quit IRC18:48
*** belmoreira has joined #openstack-keystone18:51
*** rwsu has quit IRC18:51
*** dguerri` is now known as dguerri18:53
*** rwsu has joined #openstack-keystone18:53
*** dguerri is now known as dguerri`18:54
marekdstevemar: does mod_auth_oidc set REMOTE_USER by default?18:55
samueldmqayoung: wait .. I think there is still some misunderstanding on things... terminologies, needs, etc18:56
stevemarmarekd, ....... hmm... i believe so18:56
marekddiazjf: ^^18:56
samueldmqayoung: that conversation will continue :)18:56
ayoungsamueldmq, endlessly18:56
samueldmqayoung: morganfainberg said : Further discussion on policy needed.18:56
ayoungsamueldmq, the bottom line is it is not heading in a direction that will solve any problem18:57
diazjfmarekd, stevemar, thanks.18:57
samueldmqayoung: I see three steps:18:57
diazjfI'll make note of it in the documentation18:57
ayoungsamueldmq, I see an scher drawing18:57
ayoungescher18:57
samueldmq1) stock policies are uploaded to keystone18:57
stevemarmarekd, diazjf "By default the module sets the REMOTE_USER variable to the id_token [sub] claim"18:57
samueldmq2) policies are customized18:57
ayoungsamueldmq, you have already diverged18:57
stevemarhttps://github.com/pingidentity/mod_auth_openidc18:58
samueldmq3) keystone gives back updated policies to services18:58
samueldmqayoung: why ?18:58
samueldmqand where ?18:58
ayoungbecause /policy means we have to go and query them...but continue18:58
ayoungand we have no way of knowing that an endpoint has changed18:58
samueldmqayoung: timeout18:58
samueldmqayoung: as we currently do in the middleware side18:58
ayoungsamueldmq, you and I can talk until we are blue in the face. It Does not matter18:59
ayoungwhat he is saying is that the code will win.  Always18:59
diazjfstevemar, marekd, I'll make sure the documentation shows that the user attribute is not necessary if using mod_auth_openidc18:59
diazjfbut necessary otherwise18:59
marekddiazjf: no.18:59
diazjfgood catch18:59
samueldmqayoung: when I said  i'm resigned to this being a useless cycle18:59
samueldmq                      │15:27:18 morganfainberg | at this point18:59
david-lyleayoung: trying to catch up on the scrollback in #openstack-meeting19:00
samueldmqayoung: 1) stock policies are uploaded to keystone19:00
marekddiazjf: please, don't assume this is normal situation. Make it other way round. Say, normally it's required, unless the plugin sets REMOTE_USER19:00
david-lyleso now we're pushing defaults into the code and having to query from each service endpoint?19:00
samueldmqayoung: I don't mind if this is being uploaded via /policy or19:00
samueldmqayoung: policy files19:00
diazjfSorry, I mean style the documentation using user as a standard case and adding a Note for the exception. :-/19:01
marekddiazjf: anyway, your tests got me thinking about keystone-manage mapping_engine19:01
marekddiazjf: i will have to fix it and make it work correctly. Thanks.19:01
ayoungsamueldmq, no19:02
ayoungbecause /policy will never happen19:02
diazjfmarekd, thanks and no problemo19:02
ayoungit would require a change getting into every single openstack project19:02
ayoungit would never fly...and any one project could veto it19:02
ayoungit's a non-starter19:02
morganfainbergayoung: this becomes an x-project spec19:02
henrynashmorganfainberg: I added the description of the rules under which you can get project scoped token to a project acting as a domain to https://review.openstack.org/#/c/193543/, so that it is now a complete package that will allow us to do this19:02
stevemarayoung, just get the change into nova, and the rest follow suit19:02
morganfainbergand then the TC is involved19:02
morganfainbergnot a "one project can veto" thing19:03
david8hustevemar, ++19:03
ayoungstevemar, it is a broken proposal19:03
henrynashayoung: so what would make a nice (small) incremental step in the right direction that would help solve this issue?19:04
ayoungwe have 18+ projects, and now we tell them they all need to implement a new public API.  With data that is only used at start up?19:04
morganfainbergdavid-lyle: the thought was /policy for the endpoint is where we start, it's a basis of truth [what the basic policy is] - keystone would eventually receive this base policy and/or provide an update to the endpoint so you could query either keystone or the endpoint19:04
ayoungcome on...this is not even worth discussing19:04
morganfainbergdavid-lyle: at least that was what was tossed out as the way to get to centralized19:04
*** mgarza_ has quit IRC19:04
ayoungmorganfainberg, and how does Horizon know that one endpoint out of 50 has changed?19:05
ayoungIs horizon going to go and poll every time?19:05
morganfainbergayoung: maybe we should just punt all policy out of keystone and make a new service that does this.19:05
ayoungmorganfainberg, it still does not matter19:05
*** rwsu has quit IRC19:05
ayoungmorganfainberg, please, no.  Evaluate the dynamic policy approach on its own merits19:06
ayoungwe have a unified view of policy across all the services of an openstack deployment19:06
ayoungbecause work flows go across policies19:06
ayoungwe have hierarchical roles, and we have scoped RBAC19:06
morganfainbergi don't think we're going to get out of this mire. i think you're trying to boil the ocean19:07
morganfainbergand that is where we're locked19:07
ayoungNO.  I am not trying to boil the ocean19:07
ayoungI've laid out a very straightforward step by step series of specs, with an overview that shows how we will get there eventually19:07
morganfainbergyes you are. everything i'm hearing is the solution must be perfect out the door19:07
ayoungNo...19:07
morganfainbergit's an all or nothing -19:07
morganfainbergthat is what i'm seeing19:08
morganfainbergthe specs are not clearly lined up as a scope of work it's a lot of "we need all of this"19:08
ayoungthen you are not paying attention, and, as distracted as you are as PTL, I don't fault you for that19:08
morganfainbergok, i'm going to step out of this conversation and get lunch19:08
samueldmqmorganfainberg: enjoy, bon appetit19:09
ayoungWe have to deal with large distributions19:09
ayoungnot a single Nova19:09
openstackgerritMerged openstack/keystonemiddleware: Refactor _confirm_token_bind takes AccessInfo  https://review.openstack.org/17967619:09
ayoungwe need to deal with multi site, multiple endpoints of nova19:09
ayoungwe need to deal with an ever increasing number of services19:10
ayoungso...step by step.19:10
*** htruta_ has quit IRC19:10
ayoungEach end point gains the ability to fetch its policy from keystone19:11
ayoungso..lets start right there19:11
ayoung...you know what....go eat19:11
*** geoffarnold has joined #openstack-keystone19:12
*** dramakri has joined #openstack-keystone19:12
*** csoukup has quit IRC19:12
*** rwsu has joined #openstack-keystone19:13
*** mgarza_ has joined #openstack-keystone19:15
browneayoung: on the role descriptions, what are your thoughts?  i think it would be useful once policy is easy enough for users to create custom roles.19:16
*** htruta_ has joined #openstack-keystone19:17
ayoungbrowne, ok,  so in short, there is nothing per-se wrong with descriptions.  They are, at this point, rearranging deck chairs on the titanic19:20
ayoungbrowne right now we have one role19:21
ayoungadmin19:21
ayoungwe have Member, but nothing actually checks member19:21
ayoungso..until we have a non-trivial number of roles, description is superfluous19:21
ayoungand..with that. I am going out for some exercise19:21
*** openstackgerrit has quit IRC19:21
*** htruta_ has quit IRC19:22
brownetrue by default.  what if a deployer creates others?19:22
browneok19:22
*** openstackgerrit has joined #openstack-keystone19:22
*** spandhe has joined #openstack-keystone19:25
*** yottatsa has joined #openstack-keystone19:28
*** janonymous_ has quit IRC19:29
*** fifieldt_ has joined #openstack-keystone19:31
openstackgerritBrant Knudson proposed openstack/keystone: admin and public httpd files  https://review.openstack.org/19444219:31
openstackgerritBrant Knudson proposed openstack/keystone: admin and public httpd files  https://review.openstack.org/19444219:32
*** fifieldt has quit IRC19:34
*** belmoreira has quit IRC19:35
*** shaleh has quit IRC19:35
*** pnavarro|off has quit IRC19:37
*** iamjarvo has quit IRC19:39
*** pnavarro|off has joined #openstack-keystone19:39
openstackgerritFernando Diaz proposed openstack/keystone: This patch allows the keystone-manage mapping engine to be able to process a mapping containing regex. It alters the mapping schema to use a string value for regex rather than using a boolean value.  https://review.openstack.org/19479519:41
*** rwsu has quit IRC19:41
*** HT_sergio has quit IRC19:41
*** aix has joined #openstack-keystone19:43
*** rwsu has joined #openstack-keystone19:45
*** rdo has quit IRC19:45
*** rdo has joined #openstack-keystone19:47
openstackgerritFernando Diaz proposed openstack/keystone: regex support in keystone-manage mapping engine  https://review.openstack.org/19479519:48
openstackgerritBrant Knudson proposed openstack/keystonemiddleware: Refactor extract method for offline validation  https://review.openstack.org/18865019:48
*** rwsu has quit IRC19:51
*** Rockyg has joined #openstack-keystone19:51
sigmavirus24I was wondering if there were any stable maintainers that could take a look at https://review.openstack.org/#/c/181007/19:53
bknudsonsigmavirus24: I already looked at it.19:54
sigmavirus24*any stable maintainers other than bknudson =P19:54
*** brad[] has joined #openstack-keystone19:56
*** roxanaghe has joined #openstack-keystone19:56
*** csoukup has joined #openstack-keystone20:01
*** spandhe has quit IRC20:03
rodrigodsendpoint filter for service providers requires spec? cc morganfainberg marekd20:03
ayoungbrowne, OK,  I'm back.  Look, I don't disagree, just that description is a new field, which means we either need to fill it in or provide a default or something.  It provides more work at deployment time, and it is an API change.  The amount of churn does not justify the effort, compared to what is really wrong with how we do RBAC today20:04
*** yottatsa has quit IRC20:05
ayoungsamueldmq, OK...I went for a run.  Got a shower. Ready for a rational discussion20:05
ayounghenrynash, sorry, just saw your question.20:05
ayoung" so what would make a nice (small) incremental step in the right direction that would help solve this issue?"20:05
*** e0ne is now known as e0ne_20:05
*** e0ne_ is now known as e0ne20:05
morganfainbergstevemar: i'm going to miss the x-project meeting likely -- STILL haven't gotten lunch (family phone call... was not fun)20:06
morganfainbergstevemar: can you be there for the meeting as a proxy for me20:06
ayoungmorganfainberg, sorry for being so touchy20:06
morganfainbergayoung: wasn't you20:06
morganfainbergayoung: seriously i've been trying to go get lunch for an hour20:06
morganfainbergor more now20:06
ayoungmorganfainberg, probably more correct to say it wasn't just me20:06
morganfainbergnope, wasn't you in this case, i walked away from the compute the moment i said i was going to lunch ;)20:07
ayoungmorganfainberg, I'll try to put together a coherent presentation for the midcycle20:07
morganfainbergayoung: so definitively not you this time.20:07
morganfainbergbut phone call happened right at that moment and just ended20:07
samueldmqZanatoz: morganfainberg ayoung ... :-)20:07
ayoungsamueldmq, I don't think I can get Zanatoz without a prescription20:08
samueldmqZanatoz: not sure why I included your name above, sorry20:08
samueldmqhaha20:08
* samueldmq is tired .. :(20:08
*** greghaynes has quit IRC20:08
*** yottatsa has joined #openstack-keystone20:08
samueldmqayoung: I need to go home in a bit and have a shower20:08
ayoungsamueldmq, OK.  so...we need to make clear what we are working on here.  I think that you and I can have detail discussion, and a few other people get pieces of it20:08
samueldmqayoung: we talk later today .. if that works for you20:09
ayoungsamueldmq, of course20:09
*** navid__ has quit IRC20:09
samueldmqayoung: nice20:09
bknudson"Surveys say Brazilians are the world's most frequent bathers,"20:09
morganfainbergbknudson: if stevemar can't proxy for me @ x-project meeting, would you mind representing keystone?20:09
bknudsonmorganfainberg: I'll be at the x-project meeting20:10
ayoungbknudson, it's a mistranslation.  The Portuguese word is used for swimming, too.20:10
morganfainbergbknudson: awesome thankx20:10
samueldmqbknudson: it's very hot here :)20:10
ayoungI'd go swimming more if I had Brazilian beaches20:10
samueldmqayoung: haha20:10
samueldmqayoung: bknudson we should have a midcycle in Brazil in a few cycles20:10
samueldmqmidcycle meetup I meant :)20:11
bknudsonwhy wait?20:11
raildoor an OpenStack Summit Rio :D20:11
samueldmqbknudson: M midcycle ?20:11
samueldmqbknudson: I'd be happy to help organizing if enough people are interested on it20:11
yottatsahello everybody20:12
samueldmqyottatsa: hey20:12
yottatsawe've done migrating onto new pluggable auth framework: class YandexOauth(base.AuthConstructor):20:13
yottatsaso there is a question20:13
*** Ctina__ has quit IRC20:14
yottatsapython-keystoneclient package in kilo is way too old20:14
bretonwhat is AuthConstructor?20:14
bretonoh, nevermind20:15
ayoung$851 .3220:15
morganfainbergyottatsa: in kilo is way too old? what is way too old? and what distribution?20:15
ayoungsamueldmq, ^^ price for a round trip flight from Boston to Rio in Mid January20:16
bknudsoncan we get rid of the keystone-v3 feature branch? http://git.openstack.org/cgit/openstack/python-keystoneclient/log/?h=feature/keystone-v320:16
* morganfainberg thinks there has only been one release or so since kilo 20:16
bknudsonlast commit is 201220:16
morganfainbergbknudson: uhm sure.20:16
morganfainbergbknudson: you'll need to ask dhellmann or ttx to do so i think20:16
yottatsa *** 1:1.2.0-0ubuntu1~cloud0 020:16
yottatsatrusty-updates/kilo/main20:16
ayoungadd in recife and it becomes...$1,11420:16
morganfainbergyottatsa: i can't control what is shipped by ubuntu20:16
*** ksavich has quit IRC20:17
morganfainbergyottatsa: you can grab what is in git and use that or on pypi20:17
samueldmqayoung: Recife would be a good place :)20:17
morganfainbergyottatsa: that is the best answer i can give, unfortunately20:17
samueldmqayoung: is that too expensive?20:17
bknudsonI'll ask on -dev.20:17
yottatsamorganfainberg: yup20:17
yottatsamorganfainberg: I'll file a bug about it on launchpad20:18
ayoungsamueldmq, let's just say it would be difficult to justify20:18
*** shaleh has joined #openstack-keystone20:18
samueldmqayoung: haha yes, expensive is very relative20:19
morganfainbergyottatsa: make sure to file it against ubuntu not against keystone/keystoneclient20:19
raildoayoung, now you understand how difficult it is for us to go to the mid cycle in Boston :P20:19
stevemarohhh i should book my boston flight20:20
ayoungstevemar, or drive20:20
ayoung8 h 5 min without traffic20:20
yottatsamorganfainberg: sure! still trying to find right one on lp ))20:21
ayounglooks like the worst traffic is between Toronto and Burlington20:21
yottatsahope I found it https://launchpad.net/~ubuntu-cloud-archive20:22
samueldmqayoung: I won't be able to attend Boston midcycle meetup :(20:22
*** iamjarvo has joined #openstack-keystone20:22
ayoungsamueldmq, too bad, but I kind of expected that20:22
*** jasondotstar has quit IRC20:22
samueldmqayoung: yeah :(20:22
morganfainbergyottatsa: that looks correct to me20:22
ayoungOpenstack is a lot of travel, even if you limit it to stateside20:22
bknudsonmorganfainberg: https://review.openstack.org/#/c/194801/20:22
bknudsoninfra change20:22
samueldmqayoung: need to go home, talk to you in a bit20:23
morganfainbergbknudson: +120:23
raildoayoung, can you take a look on that later? https://review.openstack.org/#/c/193543/ :)20:23
bknudsonI don't know who's supposed to have merge powers but keystone-core seems good enough20:23
morganfainberggood enough for the feature branch20:23
bknudsonmorganfainberg: I was wondering if the keystoneauth_integration branch is essentially keystoneclient 2.0 ?20:23
morganfainbergyep20:24
morganfainbergit is20:24
morganfainbergthat is the plan at least20:24
bknudsonb/c we could put delete of middleware in it20:24
yottatsaBTW when is openstack/keystoneauth going to be released?20:24
morganfainbergyottatsa: hopefully soon20:24
morganfainbergyottatsa: but we're not sure exactly when yet20:24
morganfainbergbknudson: sure do it20:24
morganfainbergbknudson: and delete cli20:25
yottatsamorganfainberg: Will it be introduced in liberty?20:25
bknudsonmorganfainberg: great, thanks.20:25
morganfainbergyottatsa: yes that is the plab20:25
morganfainbergplan*20:25
*** henrynash has quit IRC20:29
*** fangzhou has joined #openstack-keystone20:30
david8huayoung, samuldmq, please include me as well.20:32
*** dontalton has quit IRC20:32
ayoungdavid8hu, happy to20:32
*** dontalton has joined #openstack-keystone20:33
david8huthanks ayoung20:33
stevemarayoung, yeah toronto has horrible traffic these days :(20:34
*** pnavarro|off has quit IRC20:38
dramakridolphm: ping... can you please take a look at the patch which reuses token_ref fetched in AuthContextMiddleware - https://review.openstack.org/#/c/190863/? Rally test result shows that there is ~35 improvement in latency (average, median, 90%ile) for both create and delete token.20:39
dramakrihttps://review.openstack.org/#/c/190863/20:39
dolphmdramakri: awesome!20:39
*** rwsu has joined #openstack-keystone20:39
*** Rockyg has quit IRC20:40
*** ajayaa has quit IRC20:41
*** Rockyg has joined #openstack-keystone20:41
*** rm_work is now known as rm_work|away20:42
bknudsoncrap, merge conflict in keystoneauth_integration somehow :(20:43
tobascolooking for a good token driver for keystone, want to avoid sql and go with multiple haproxy loadbalanced memcached or same with redis or redis replication with custom token driver, anybody deployed a big keystone setup with a different token driver than sql also with caching (dont even know if caching is needed)20:45
yottatsatobasco: our installation is pretty big, BTW we're still using sql backend and looking forward to new fernet tokens20:46
yottatsa~200k tokens per day is not really a problem20:47
*** Rockyg has quit IRC20:47
*** spandhe has joined #openstack-keystone20:48
*** Rockyg has joined #openstack-keystone20:48
*** htruta has quit IRC20:52
morganfainbergtobasco: you really don't want to use the memcache driver. Sql is the best option if you can't use fernet.20:53
*** d43pan has left #openstack-keystone20:54
*** csoukup has quit IRC20:56
*** Raildo_ has joined #openstack-keystone21:03
*** csoukup has joined #openstack-keystone21:04
*** shaleh has quit IRC21:05
tobascoyottatsa: morganfainberg thanks for your input, i'm looking up fernet asap, are there any downsides/stuff that won't work with fernet tokens?21:06
*** shaleh has joined #openstack-keystone21:06
dolphmtobasco: fernet does not handle token "binding" (x509/kerberos)21:06
dolphmtobasco: (but we haven't heard from anyone using that recently)21:07
*** yottatsa has quit IRC21:07
*** arunkant__ has joined #openstack-keystone21:07
*** arunkant_ has quit IRC21:10
tobascodolphm: ok thanks i will research and maybe do a quick lab, i actually see now i got your blog(?) in one of the search result, nice writeup!21:11
ekarlsowhat blog is that ? :d21:11
tobascoekarlso: http://dolphm.com/benchmarking-openstack-keystone-token-formats/21:13
tobascoekarlso: i did an assumption it was him :]21:13
*** rm_work|away is now known as rm_work21:15
*** shaleh has quit IRC21:18
*** shaleh has joined #openstack-keystone21:20
*** diazjf has quit IRC21:25
dolphmtobasco: thank you! hopefully you find it helpful21:25
dolphmtobasco: a related post http://dolphm.com/openstack-keystone-fernet-tokens/21:25
dolphmtobasco: and mfisch and lbragstad have several as well on their blogs21:25
*** charlesw has quit IRC21:25
*** arunkant_ has joined #openstack-keystone21:27
tobascodolphm: thank you :]21:28
*** e0ne is now known as e0ne_21:28
*** e0ne_ has quit IRC21:29
*** arunkant__ has quit IRC21:30
*** radez is now known as radez_g0n321:33
*** iamjarvo has quit IRC21:34
*** e0ne has joined #openstack-keystone21:34
mfischwe have not seen a downside yet tobasco21:41
*** e0ne is now known as e0ne_21:42
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements  https://review.openstack.org/19040521:43
openstackgerritOpenStack Proposal Bot proposed openstack/keystonemiddleware: Updated from global requirements  https://review.openstack.org/19237521:43
*** e0ne_ is now known as e0ne21:45
morganfainbergmfisch: that is the kind of endorsement I like to hear.21:47
mfischmorganfainberg: When you run openstack as long as you're not currently on-fire it's a good day21:48
mfischwe had a "minor" firewall change last night at 2am that only set off about 50 pagerduties21:48
morganfainbergmfisch: meh. My rule is I don't take a job where pager duty calls me :p21:49
mfischI'm not on call which is good21:49
openstackgerritOpenStack Proposal Bot proposed openstack/python-keystoneclient-kerberos: Updated from global requirements  https://review.openstack.org/19231921:49
*** spandhe has quit IRC21:50
*** henrynash has joined #openstack-keystone21:51
*** ChanServ sets mode: +v henrynash21:51
mfischdolphm: did you guys consider keeping the fernet keys with the API services so that they don't have to call back to keystone?21:51
*** thedodd has quit IRC21:53
morganfainbergmfisch: nope. The pki token issue would occur.21:54
mfischwhat's that?21:54
morganfainbergmfisch: we don't store all the token data in the fernet payload.21:54
mfischah21:54
morganfainbergWe store minimal data to ensure the token stays small. Just enough to reconstruct the token.21:55
lbragstadmfisch: there was a case around that from atwari, but that was focused on HMAC signing21:55
*** e0ne has quit IRC21:55
morganfainbergmfisch: I also don't trust nova with a way to issue its own keys.21:55
morganfainbergmfisch: since fernet is symmetrical.21:55
mfischwouldn't it just use the same keys that everyone uses?21:56
mfischI'd deploy them to every API node21:56
morganfainbergS/nova/any service not keystone/21:56
lbragstadit also would have meant a "roll your own" implementation versus just building off the Fernet spec that exists in cryptography21:56
morganfainbergmfisch: if you do that any endpoint can issue a new valid token. We don't want that exposure.21:56
*** spandhe has joined #openstack-keystone21:56
morganfainbergmfisch: better to limit that to keystone itself.21:57
lbragstadmfisch: dolphm has an idea for getting to that use case through the fernet path though21:57
morganfainbergAsymmetric encryption was about a minimum of 1KB overhead. Which also added to the token size issues.21:57
morganfainbergFor pki.21:57
morganfainbergmfisch: I'd rather tell people to scale out keystone.21:59
mfischafter fernet I'm retired from keystone, no more changes ;)21:59
morganfainbergmfisch: but......21:59
morganfainbergWe <3 you.22:00
bknudsonmfisch: just wait till we deprecate the identity API22:00
bknudsonand switch to SCIM at least22:01
mfischoperators file bugs and you guys deprecate in retaliation, I know the drill22:01
bknudsonwe could automate that...22:01
mfischCI/CD for Deprecations22:01
bknudsonmorganfainberg: "--Morgab" -- is that your autocorrect again?22:03
morganfainbergNo just a typo22:03
morganfainbergStupid smudgy tiny screen.22:04
*** shaleh_ has joined #openstack-keystone22:05
*** edmondsw has quit IRC22:05
tobascothanks mfisch, good news if fernet token can become standard when liberty goes stable, offtopic i'm off see you later22:06
*** Rockyg has quit IRC22:08
*** shaleh has quit IRC22:08
*** bknudson has quit IRC22:09
*** radez_g0n3 is now known as radez22:11
*** Raildo_ has quit IRC22:11
*** dontalton2 has joined #openstack-keystone22:19
*** gyee has quit IRC22:23
*** Ctina__ has joined #openstack-keystone22:25
*** sigmavirus24 is now known as sigmavirus24_awa22:26
*** henrynash has quit IRC22:26
*** gyee has joined #openstack-keystone22:27
*** ChanServ sets mode: +v gyee22:27
*** pballand has quit IRC22:28
*** pballand has joined #openstack-keystone22:31
*** charlesw has joined #openstack-keystone22:37
*** zzzeek has quit IRC22:40
*** rwsu has quit IRC22:47
*** csoukup has quit IRC22:59
*** r-daneel has quit IRC23:00
*** bknudson has joined #openstack-keystone23:02
*** ChanServ sets mode: +v bknudson23:02
*** shaleh_ has quit IRC23:08
*** lhcheng has quit IRC23:10
*** richm has quit IRC23:11
*** pballand has quit IRC23:12
*** charlesw has quit IRC23:15
*** dontalton2 has quit IRC23:16
*** dontalton has quit IRC23:16
*** mgarza_ has quit IRC23:22
*** jasondotstar has joined #openstack-keystone23:23
*** stevemar has quit IRC23:29
*** pballand has joined #openstack-keystone23:32
*** pballand has quit IRC23:34
*** Ctina__ has quit IRC23:45
*** Ctina__ has joined #openstack-keystone23:45
*** Ctina___ has joined #openstack-keystone23:48
*** roxanaghe has quit IRC23:49
*** Ctina__ has quit IRC23:50
*** dims has quit IRC23:56