Monday, 2015-06-29

bknudson	with service users in the default domain in sql there's no need to use v3 there.	00:00
bknudson	I don't know when the multi-domain support went into horizon...	00:01
kfox1111	I want to say I tried that a few times and couldn't make it work because of the nova -> neutron code not working.	00:01
kfox1111	its in juno. I got it all working except vm launching.	00:01
bknudson	who cares about launching vms.	00:02
kfox1111	heh. our users unfortunatly. ;)	00:03
*** stevemar has quit IRC		00:10
*** stevemar has joined #openstack-keystone		00:10
*** trey has quit IRC		00:10
openstackgerrit	Steve Martinelli proposed openstack/python-keystoneclient: Update README.rst and remove ancient reference https://review.openstack.org/178759	00:12
stevemar	bknudson: jamielennox ^	00:12
openstackgerrit	Steve Martinelli proposed openstack/python-keystoneclient: Remove keystoneclient CLI references in README https://review.openstack.org/196413	00:12
Kennan	bknudson: there?	00:16
*** trey has joined #openstack-keystone		00:16
*** stevemar has quit IRC		00:19
jamielennox	stevemar: i'm slowly getting through my auth_token changes, want to have a look at https://review.openstack.org/#/c/180816	00:19
*** stevemar has joined #openstack-keystone		00:20
*** miguelgrinberg has quit IRC		00:26
*** darrenc is now known as darrenc_afk		00:26
*** jamielennox is now known as jamielennox\|away		00:26
*** jamielennox\|away is now known as jamielennox		00:30
morganfainberg	stevemar: how many bloody ways do we need to represent "roles" in a token?!	00:30
stevemar	at least 4?	00:30
morganfainberg	i think i'm up to needing to copy roles into 3 distinct places in a v2 token	00:30
morganfainberg	ugh	00:30
morganfainberg	this is stupid	00:30
morganfainberg	"lets just stick this crap here, and here, and here, and here"	00:30
jamielennox	why did the fernet provider need stuff so different?	00:31
stevemar	size issues i guess	00:31
jamielennox	size is just the initial info, like the user_id and project_id	00:31
jamielennox	roles etc come out of the db and it should share that code with initial token creation	00:32
*** trey has quit IRC		00:36
openstackgerrit	OpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements https://review.openstack.org/196485	00:41
morganfainberg	jamielennox: because instead of trying to make the generic provider work in a way that would support fernet, fernet was developed on the side	00:43
morganfainberg	jamielennox: so i'm now chasing down a bunch of this trying to fix that we have ... totally different code paths again for token types	00:44
jamielennox	morganfainberg: there's a lot of refactoring needed, i was hoping it would come as we pushed things onto flask/pecan	00:44
morganfainberg	this is below where flask will help	00:44
jamielennox	there would be like the old code and new folders so you start moving across only the sane stuff	00:44
morganfainberg	but when i'm done with this chain, all v2 tokens will be issued as v3 tokens and then converted	00:45
morganfainberg	like fernet tokens are	00:45
morganfainberg	that way you really only have 1 way to issue tokens.	00:45
jamielennox	morganfainberg: yes and no, the way controllers and such are laid out it'd be difficult to get a model based flow in there	00:45
morganfainberg	it also collapses the token data helpers	00:45
jamielennox	having "v3 tokens" at that level is wrong already	00:45
morganfainberg	the stuff with flask - like i said this is below the controllers	00:45
morganfainberg	what it does provide is a simple way to life the model up	00:46
stevemar	morganfainberg: https://review.openstack.org/#/c/196477/	00:46
morganfainberg	since you need a consistent issue token method anywa	00:46
morganfainberg	y	00:46
morganfainberg	jamielennox: aaaannnnd a bunch of this has to be backported to kilo	00:46
morganfainberg	jamielennox: because fernet tokens are broken in kilo in not-so-uncommon edge cases	00:47
jamielennox	oslo.cache? does that mean it's available and we can use it for auth_token and ditch the memcache dependency?	00:47
morganfainberg	jamielennox: well sortof.	00:47
jamielennox	morganfainberg: hmm, need to be careful of what's a patch then and what's a refactor or backporting will be painful	00:47
morganfainberg	jamielennox: you're going to run into memory bloat issues if you use the in-memory one w/o a custom backend	00:47
* jamielennox is not sure why he's stating the obvious		00:47
morganfainberg	jamielennox: thats why i'm doing the refactoring into common pipeline pre-flask	00:48
morganfainberg	at least the code structure is the same this way and i can resolve the conflicts	00:48
morganfainberg	the worst of the bugs is the first in my chain ^^	00:48
morganfainberg	https://review.openstack.org/#/c/196475/	00:48
openstackgerrit	Merged openstack/python-keystoneclient: Remove unused images from docs https://review.openstack.org/196414	00:48
morganfainberg	jamielennox: also interestingly it looks like we can't test "TestAuthWithTrust" in isolation, it can't load policy.json	00:49
morganfainberg	and i have no clue why	00:49
morganfainberg	stevemar: ^ cc	00:49
stevemar	huh	00:50
morganfainberg	well crap	00:56
morganfainberg	it's actually a lot of our tests are failing for me in isolation	00:56
morganfainberg	unable to load policy.json	00:56
morganfainberg	i don't get it	00:56
morganfainberg	someone screwed something up in a weird way	00:57
morganfainberg	stevemar: http://paste.openstack.org/show/323794/	00:58
morganfainberg	ran:	00:58
morganfainberg	tox -epy27 keystone.tests.unit.test_auth	00:58
*** darrenc_afk is now known as darrenc		00:58
*** piyanai has quit IRC		01:03
*** davechen has joined #openstack-keystone		01:09
*** davechen1 has joined #openstack-keystone		01:12
*** davechen has quit IRC		01:15
*** miguelgrinberg has joined #openstack-keystone		01:28
*** ankita_wagh has joined #openstack-keystone		01:29
*** markvoelker has joined #openstack-keystone		01:30
*** markvoelker has quit IRC		01:35
*** vilobhmm has quit IRC		01:35
*** jasondotstar has joined #openstack-keystone		01:40
*** vilobhmm has joined #openstack-keystone		01:49
*** iamjarvo_ has joined #openstack-keystone		02:01
*** stevemar has quit IRC		02:07
*** stevemar has joined #openstack-keystone		02:08
*** piyanai has joined #openstack-keystone		02:12
*** stevemar has quit IRC		02:30
*** stevemar has joined #openstack-keystone		02:31
*** iamjarvo_ has quit IRC		02:43
*** iamjarvo has joined #openstack-keystone		02:44
*** juvenn has joined #openstack-keystone		03:09
*** tobe has joined #openstack-keystone		03:12
juvenn	Hi all, I'm working on keystoneclient bug 1433306, which will support domain config ext in keystoneclient, and later in openstackclient: https://bugs.launchpad.net/python-keystoneclient/+bug/1433306	03:12
openstack	Launchpad bug 1433306 in python-keystoneclient "support domain config ext in keystoneclient" [Undecided,In progress] - Assigned to Juvenn Woo (juvenn)	03:12
jamielennox	juvenn: have you seen https://review.openstack.org/#/c/168089/	03:14
*** sigmavirus24_awa is now known as sigmavirus24		03:15
juvenn	jamielennox: no, I didn't find that, I'll look at it!	03:16
juvenn	thank you	03:17
*** markvoelker has joined #openstack-keystone		03:19
*** markvoelker has quit IRC		03:23
*** piyanai has quit IRC		03:25
juvenn	henrynash: glad to see you're doing it in client as well, I'll see what could I help	03:29
*** jasondotstar has quit IRC		03:32
*** jasondotstar has joined #openstack-keystone		03:33
*** vilobhmm has quit IRC		03:34
*** sigmavirus24 is now known as sigmavirus24_awa		03:38
*** sigmavirus24_awa is now known as sigmavirus24		03:39
*** liusheng has joined #openstack-keystone		03:40
juvenn	jamielennox: shall I re-assign bug 1433306 to henrynash instead?	03:42
openstack	bug 1433306 in python-keystoneclient "support domain config ext in keystoneclient" [Undecided,In progress] https://launchpad.net/bugs/1433306 - Assigned to Juvenn Woo (juvenn)	03:42
*** sigmavirus24 is now known as sigmavirus24_awa		03:49
*** tobe has quit IRC		03:55
*** tobe has joined #openstack-keystone		03:56
*** tobe has quit IRC		03:56
*** rushiagr_away is now known as rushiagr		03:57
*** tobe has joined #openstack-keystone		03:59
*** rushiagr is now known as rushiagr_away		04:03
*** stevemar has quit IRC		04:03
*** stevemar has joined #openstack-keystone		04:04
*** tobe has quit IRC		04:13
*** browne has joined #openstack-keystone		04:22
*** kiran-r has joined #openstack-keystone		04:23
*** ankita_wagh has quit IRC		04:26
*** rm_work\|away is now known as rm_work		04:36
*** juvenn has quit IRC		04:40
*** ankita_wagh has joined #openstack-keystone		05:03
*** kiran-r has quit IRC		05:03
*** markvoelker has joined #openstack-keystone		05:08
*** markvoelker has quit IRC		05:12
*** dramakri has joined #openstack-keystone		05:13
*** spandhe has joined #openstack-keystone		05:36
*** mabrams has joined #openstack-keystone		05:38
*** iamjarvo has quit IRC		05:39
*** jasondotstar has quit IRC		05:53
*** iamjarvo has joined #openstack-keystone		05:54
*** tobe has joined #openstack-keystone		05:56
*** tobe has quit IRC		05:58
*** tobe_ has joined #openstack-keystone		05:58
*** iamjarvo has quit IRC		06:02
*** juvenn has joined #openstack-keystone		06:05
*** arunkant_ has joined #openstack-keystone		06:06
*** arunkant__ has quit IRC		06:10
*** spandhe has quit IRC		06:13
openstackgerrit	Morgan Fainberg proposed openstack/keystone: Convert issue_v2_token to always issue a v3_token and convert https://review.openstack.org/196548	06:16
*** stevemar has quit IRC		06:16
*** stevemar has joined #openstack-keystone		06:16
marekd	morganfainberg: hi. I saw there were some problems with fernet code. IS there already any bug reported so I can get familiar what's wrong?	06:23
morganfainberg	marekd: mostly it's minor things	06:24
marekd	https://bugs.launchpad.net/keystone/+bug/1469563 this?	06:24
openstack	Launchpad bug 1469563 in Keystone liberty "Fernet tokens do not maintain expires time across rescope (V2 tokens)" [High,In progress] - Assigned to Morgan Fainberg (mdrnstm)	06:24
morganfainberg	marekd: yeah	06:24
marekd	that's all or there is more?	06:24
stevemar	morganfainberg: marekd hello and goodnight	06:24
marekd	stevemar: hello and goodnight :-)	06:24
morganfainberg	marekd: but there is a real mess i'm running into because fernet code is totally separate from the rest of the token code	06:24
morganfainberg	marekd: so if you look i'm working on unifyin the issue_token paths - this will eliminate these bugs.	06:25
stevemar	marekd: any last minute patch review requests?	06:25
marekd	stevemar: no at the moment.	06:25
marekd	morganfainberg: the chaing starts here https://review.openstack.org/#/c/196475/1 , right?	06:26
marekd	stevemar: or..	06:26
morganfainberg	yeah	06:26
marekd	you may actually want to take a look at this https://review.openstack.org/#/c/186854/	06:26
morganfainberg	thats the start	06:26
marekd	stevemar: and see if you spot sth suspicius in requirements.txt	06:26
marekd	stevemar: i basically copied the line from jamielennox's patch and it worked for him :(	06:27
stevemar	oh...	06:28
stevemar	morganfainberg: i know you've had a super long day but... https://review.openstack.org/#/c/196468/2	06:28
marekd	if it takes more than 60 secs, just leave it and go to bed.	06:28
marekd	stevemar: ^^	06:28
jamielennox	marekd: hey, i was ignoring your PM as i was on leave and i've lost it	06:28
marekd	jamielennox: no worries.	06:28
jamielennox	marekd: did you get it figured out	06:29
marekd	jamielennox: THB I cannot remember what was it about :(	06:29
marekd	jamielennox: was it this https://review.openstack.org/#/c/186854/6 maybe?	06:29
*** stevemar has quit IRC		06:30
jamielennox	marekd: so it didn't just work for me	06:30
marekd	how come?	06:30
jamielennox	https://review.openstack.org/#/c/186228/	06:30
marekd	hah ...	06:30
marekd	i didn't see that patch, now it makes sense.	06:31
marekd	jamielennox: so you are going to unwind this change after ksa is released?	06:31
jamielennox	we would need to get keystoneauth into requirements before we could merge it back into keystoneclient	06:31
marekd	jamielennox: i am going to push similar change for ksa-saml2	06:33
*** ankita_wagh has quit IRC		06:35
*** ankita_wagh has joined #openstack-keystone		06:35
juvenn	hi all, I'm looking at https://review.openstack.org/#/c/168089/4, where henrynash implemented domain config for keystoneclient. But it seems stuck at Jenkins "Patch in Merge Conflict". Shall I work on it and move forward from there?	06:36
*** lufix has joined #openstack-keystone		06:37
*** ankita_wagh has quit IRC		06:40
*** browne has quit IRC		06:43
*** liusheng has left #openstack-keystone		06:53
*** markvoelker has joined #openstack-keystone		06:56
henrynash	juvenn: Hi, so I’ll be picking that up again and moving it forward in the next few days….although I still have a question on whether i should be using raw mode for the config structure being returned….be happy for you and others to comment on this if you have a view	06:57
juvenn	henrynash: hi, great to see all your work about domain config along the way from blueprints! Regarding config structure response, I may look into it.	07:00
*** rlt_ has joined #openstack-keystone		07:01
*** markvoelker has quit IRC		07:01
juvenn	henrynash: I have a question though about REST API, that why isn't there a LIST operation available?	07:01
henrynash	juvenn: at first glance you think there should be, but I’m not sure it would be very useful…I can’t really imagine a UI that would make use of such a call	07:03
*** spandhe has joined #openstack-keystone		07:06
openstackgerrit	henry-nash proposed openstack/python-keystoneclient: Support domain-specific configuration management https://review.openstack.org/168089	07:08
*** ccard_ has quit IRC		07:09
juvenn	henrynash: hmm, I'll think about it harder :)	07:11
*** dramakri has quit IRC		07:14
*** fhubik has joined #openstack-keystone		07:14
*** dramakri has joined #openstack-keystone		07:17
*** spandhe has quit IRC		07:22
*** lsmola has joined #openstack-keystone		07:26
*** juvenn has quit IRC		07:28
*** stevemar has joined #openstack-keystone		07:30
*** jistr has joined #openstack-keystone		07:32
*** arunkant__ has joined #openstack-keystone		07:32
*** stevemar has quit IRC		07:33
*** juvenn has joined #openstack-keystone		07:34
*** arunkant_ has quit IRC		07:36
openstackgerrit	Merged openstack/keystone: Relax the formats of accepted mapping rules for keystone-manage https://review.openstack.org/195132	07:38
*** kfox1111 has quit IRC		07:40
*** kiran-r has joined #openstack-keystone		07:42
*** juvenn has quit IRC		07:48
*** pnavarro\|off has joined #openstack-keystone		07:50
*** dramakri has quit IRC		07:50
*** pnavarro\|off has quit IRC		07:51
*** pnavarro has joined #openstack-keystone		07:52
*** fhubik has quit IRC		08:07
*** fhubik has joined #openstack-keystone		08:08
*** fhubik_afk has joined #openstack-keystone		08:09
*** juvenn has joined #openstack-keystone		08:14
*** arunkant__ has quit IRC		08:20
*** dguerri` is now known as dguerri		08:23
jamielennox	henrynash: i've meant to ask you about that in the past	08:24
jamielennox	i don't so much mind the domain specific config but it seems weird you need the raw mode stuff	08:24
jamielennox	maybe i need to have a better look at the APIs and see what you're doing	08:25
*** juvenn has quit IRC		08:30
*** markvoelker has joined #openstack-keystone		08:45
*** markvoelker has quit IRC		08:50
*** afazekas_ has joined #openstack-keystone		08:56
*** juvenn has joined #openstack-keystone		08:57
Kennan	hi any keystone cores here online ?	08:57
henrynash	jamielennox: so I don’t like that either	08:58
henrynash	Kennan: hi	08:58
Kennan	hi henrynash:	08:58
Kennan	I hit one question about keystone_authtoken	08:58
Kennan	I think keystone guys know much about it	08:58
Kennan	in some projects	08:58
henrynash	jamielennox: looking for some advice on that….the reason I did it that way was since the stucture being returned is not fixed….i.e. the attributes vary depending on what has been set	08:59
Kennan	like nova. glance. neutron [keystone_authtoken]	08:59
Kennan	have username and password	08:59
henrynash	Kennan: ok	08:59
Kennan	but in some other projects	08:59
Kennan	it is admin_username and admin_password	08:59
Kennan	I am confused by that	08:59
Kennan	what's the difference ?	08:59
Kennan	heanrynash: could you help explain that to me?	09:00
Kennan	here is devstack	09:00
Kennan	http://docs.openstack.org/developer/devstack/lib/keystone.html	09:00
Kennan	configure_auth_token_middleware	09:01
Kennan	iniset $conf_file $section username $admin_user	09:01
Kennan	iniset $conf_file $section password $SERVICE_PASSWORD	09:01
henrynash	Kennan: this is in waht the conf file?	09:01
Kennan	it is /etc/nova/nova.conf	09:01
Kennan	or glance-api.conf	09:01
Kennan	or neutron.conf	09:02
henrynash	well $admin_user is a env variable that has been set I assume?	09:03
henrynash	sorry, I’m a bit unsure about which bit you are confused about	09:04
Kennan	henrynash:	09:05
Kennan	I remembered, in keystone_authtoken section	09:05
Kennan	we usually use admin_user	09:05
Kennan	admin_password	09:05
Kennan	fields	09:05
Kennan	right?	09:05
jamielennox	Kennan: so some of those are deprecated and some services do the wrong things and use those variables	09:06
Kennan	did you notice this before?	09:06
jamielennox	so the way devstack mostly does this is auth_plugin=password	09:06
henrynash	Kennan: So not sure how nova is using that, but I assume that sets the credentias to be used when trying to talek to keystone as admin	09:06
jamielennox	and then username= password= auth_url= and others	09:06
jamielennox	this is the newest way because you can use a different auth_plugin in future to do things like kerberos or SSL auth from auth_token	09:06
jamielennox	the older way only supports keystone v2 api	09:07
jamielennox	and involves admin_user admin_password etc	09:07
jamielennox	if you specify auth_plugin they'll be ignored	09:07
Kennan	jamielennox: you means	09:07
Kennan	admin_user and username can both exist in [keystone_authtoken] ?	09:08
jamielennox	the reason a few services still user the old admin_user etc is because that service is reading those values (they shouldn't) and so we've been unable to move them to the newer options	09:08
*** jaosorior has joined #openstack-keystone		09:08
jamielennox	Kennan: if auth_plugin is set yes it will ignore admin_user	09:08
Kennan	where is auth_plugin?	09:09
Kennan	jamielennox: could you give me a link about that change? like git commit code?	09:10
Kennan	for change from admin_user to username	09:10
*** belmoreira has joined #openstack-keystone		09:10
Kennan	some projects worried about that, because they auth user should have admin role	09:11
jamielennox	http://www.jamielennox.net/blog/2015/02/23/v3-authentication-with-auth-token-middleware/	09:11
Kennan	so they think admin_user is better	09:11
Kennan	jamielennox: like heat did or ironic	09:11
Kennan	I think	09:11
jamielennox	right - this is because those projects use admin_user for there own purposes	09:12
jamielennox	they shouldn't - that's a bug	09:12
Kennan	jamielennox: what do you think the proper change for that ? just rename admin_user to username ?	09:13
Kennan	or some other fix?	09:13
Kennan	for those projects	09:13
*** stevemar has joined #openstack-keystone		09:20
*** stevemar has quit IRC		09:22
*** fhubik has quit IRC		09:24
*** fhubik_afk has quit IRC		09:24
*** fhubik_afk has joined #openstack-keystone		09:24
*** fhubik has joined #openstack-keystone		09:24
*** fhubik_afk has quit IRC		09:24
*** fhubik has quit IRC		09:24
*** fhubik has joined #openstack-keystone		09:25
openstackgerrit	yangxurong proposed openstack/keystone-specs: enable cross-sites KeyStone HA https://review.openstack.org/196591	09:28
*** henrynash has quit IRC		09:30
*** juvenn has quit IRC		09:39
jamielennox	Kennan: no, for those projects if they need their own username and password, firstly - why, and then they manage their own credentials	09:45
jamielennox	otherwise whenever we go and change options in auth_token people get broken	09:45
*** aix has joined #openstack-keystone		09:53
*** openstackgerrit has quit IRC		09:53
*** davechen1 has left #openstack-keystone		09:53
*** openstackgerrit has joined #openstack-keystone		09:54
*** uschreiber_ has joined #openstack-keystone		10:03
*** uschreiber_ has quit IRC		10:05
*** henrynash has joined #openstack-keystone		10:26
*** ChanServ sets mode: +v henrynash		10:26
henrynash	jamielennox: ping	10:32
*** juvenn has joined #openstack-keystone		10:33
*** mabrams has quit IRC		10:34
*** markvoelker has joined #openstack-keystone		10:34
*** lufix has quit IRC		10:35
jamielennox	henrynash: yup	10:36
*** mabrams has joined #openstack-keystone		10:37
henrynash	jamielennox: so wanted to pick up on your (valid) question about the raw mode stuff	10:37
*** dims has joined #openstack-keystone		10:37
*** lufix has joined #openstack-keystone		10:37
jamielennox	henrynash: right - so let me have a look at the API	10:38
jamielennox	i'm just wondering why this is so different a situation	10:38
jamielennox	the resource thing is fairly flawed anyway	10:38
henrynash	jamielennox: the config structure you return is not fixed…i.e. it only contains those attributes that have been set...hence I did the raw mode thing….although would	10:38
*** juvenn has quit IRC		10:39
jamielennox	henrynash: this is the API: https://github.com/openstack/keystone-specs/blob/master/api/v3/identity-api-v3.rst#domain-configuration-management	10:39
*** markvoelker has quit IRC		10:40
henrynash	yes	10:40
jamielennox	hmm, yea that's tough when you can ask for specific option values	10:40
*** henrynash has quit IRC		10:42
*** fhubik is now known as fhubik_afk		10:45
*** henrynash has joined #openstack-keystone		10:47
*** ChanServ sets mode: +v henrynash		10:47
*** jistr_ has joined #openstack-keystone		10:49
*** afazekas__ has joined #openstack-keystone		10:49
*** fhubik_lunch has joined #openstack-keystone		10:49
*** jistr has quit IRC		10:51
*** fhubik_afk has quit IRC		10:52
*** afazekas_ has quit IRC		10:53
jamielennox	henrynash: god i hate that resource class	10:53
jamielennox	is there a known list of things that may be returned there?	10:53
henrynash	jamielennix: :-)	10:53
*** freerunner has joined #openstack-keystone		10:53
*** fhubik_meeting has joined #openstack-keystone		10:54
*** fhubik_meeting is now known as fhubik_afk		10:54
*** jistr_ has quit IRC		10:54
*** fhubik_lunch has quit IRC		10:54
henrynash	jamielennox: so yes, there is a known set, this is controlled by code in the server (for security reasons, so someone doesn’t exposes somethig without being deliberate)	10:54
*** afazekas__ has quit IRC		10:54
henrynash	jamielennox: it’s a big set (like 55 items)	10:55
jamielennox	henrynash: at top level?	10:55
jamielennox	henrynash: like "identity" and "ldap"	10:55
jamielennox	i assume sql is also valid	10:55
henrynash	jamielennox: of which I would say 95% of the time will never be included, while maybe 3 or 4 of the options will be the ones taht will be set	10:55
henrynash	jamielennox: identity and ldap are the only two top levels we support right now	10:56
henrynash	jammielennox: since you can’t (yet) have more than one sql driver, we don’t support settings its detailed params yet via this API	10:56
henrynash	jammielennox: the “identity” top level item will only ever have one attribute within it, the “ldap” has 5 or so items thet could be set	10:57
jamielennox	ok, so we can do a resource fairly easily that way and just {'identity': {}, 'ldap': {}}.merge(resp.json()) because the attributes will only be top level	10:57
jamielennox	but that doesn't help us do the inner levels	10:58
*** hogepodge has quit IRC		10:58
henrynash	jammelennox: agreed	10:58
henrynash	jamielennox: correction to my earlier statement: the “identity” top level item will only ever have one attribute within it, the “ldap” has 55 or so items thet could be set	10:59
*** hogepodge has joined #openstack-keystone		11:00
jamielennox	henrynash: yea, i was thinking of it from like top level, not being able to drill down to individual values	11:00
jamielennox	henrynash: is there any way we could end up with a depth of more than two?	11:00
jamielennox	group=None, option=None	11:00
jamielennox	that *args might be useful	11:00
henrynash	jamielennox: so I don’t think we support multiple group levels do we in oslo.config?	11:01
jamielennox	henrynash: screw it - keep it with dictionaries, skip the return_raw path and go direct to the self.client	11:01
jamielennox	if you're not building resource_class objects then the helpers don't do anything useful	11:02
henrynash	jamielennox: ok, that will mean I kill the patch that enable raw mode for the other http methods	11:03
jamielennox	henrynash: yea - i think that's just kinda messy and you don't really use any of the helper parts of the functions	11:04
henrynash	jamielennox: will mull on it for a day or so more, before implementing in case we change our minds…but it felt like I was pushing a square peg into the infamous round hole	11:04
jamielennox	i guess you could have a resource_class for if option and group are None - but i don't mind either way	11:04
jamielennox	henrynash: no worries - let me know	11:05
jamielennox	i'm out for the night	11:05
jamielennox	cya	11:05
henrynash	jamielennox: will do, thanks….go!	11:05
*** samueldmq has joined #openstack-keystone		11:05
*** jistr_ has joined #openstack-keystone		11:06
samueldmq	good morning! :)	11:07
*** afazekas__ has joined #openstack-keystone		11:07
samueldmq	morganfainberg: samueldmq: there are 2 hard things in computer science, cache coherency and naming things.	11:18
samueldmq	http://eavesdrop.openstack.org/irclogs/%23openstack-keystone/%23openstack-keystone.2015-06-17.log.html#t2015-06-17T19:26:21	11:18
*** henrynash has quit IRC		11:18
samueldmq	I am trying to find a good name for the oslo.policy spec/blueprint for policy overlay :)	11:18
*** dguerri is now known as dguerri`		11:28
*** Kiall has quit IRC		11:35
*** Kiall has joined #openstack-keystone		11:35
*** markvoelker has joined #openstack-keystone		11:35
samueldmq	I think dynamic-policy-overlay sounds good	11:36
samueldmq	mordred: ^	11:36
samueldmq	mordred: oh, I meant morganfainberg, sorry :)	11:36
samueldmq	mordred: morning	11:37
*** markvoelker has quit IRC		11:40
*** iamjarvo has joined #openstack-keystone		11:40
*** fhubik_afk is now known as fhubik_meeting		11:41
*** dguerri` is now known as dguerri		11:48
*** tobe_ has quit IRC		11:49
*** markvoelker has joined #openstack-keystone		11:55
*** hogepodge has quit IRC		11:56
*** fhubik_meeting is now known as fhubik_afk		12:00
*** hogepodge has joined #openstack-keystone		12:02
*** iurygregory has joined #openstack-keystone		12:07
*** iurygregory has quit IRC		12:13
*** iurygregory has joined #openstack-keystone		12:15
*** bknudson has quit IRC		12:16
*** g2` has quit IRC		12:17
*** raildo has joined #openstack-keystone		12:25
*** edmondsw has joined #openstack-keystone		12:27
*** dguerri is now known as dguerri`		12:28
openstackgerrit	Henrique Truta proposed openstack/keystone-specs: API changes for Reseller https://review.openstack.org/153007	12:29
*** tellesnobrega has joined #openstack-keystone		12:30
*** dguerri` is now known as dguerri		12:32
*** csoukup has joined #openstack-keystone		12:34
*** bknudson has joined #openstack-keystone		12:36
*** ChanServ sets mode: +v bknudson		12:36
*** mtreinish has quit IRC		12:40
*** mtreinish has joined #openstack-keystone		12:40
*** kiran-r has quit IRC		12:44
*** iamjarvo has quit IRC		12:52
*** piyanai has joined #openstack-keystone		12:52
*** jsavak has joined #openstack-keystone		12:53
*** ajayaa has joined #openstack-keystone		12:56
*** henrynash has joined #openstack-keystone		12:56
*** ChanServ sets mode: +v henrynash		12:56
*** stevemar has joined #openstack-keystone		12:57
ajayaa	Hi guys. What does this rule mean? "domain_admin_for_grants": "role:admin and (domain_id:%(domain_id)s or domain_id:%(target.project.domain_id)s)",	12:57
*** radez_g0n3 is now known as radez		12:57
*** josecastroleon has quit IRC		12:57
ajayaa	"domain_admin_for_grants": "role:admin and (domain_id:%(domain_id)s or domain_id:%(target.project.domain_id)s)",	12:57
ajayaa	Does this mean I should be able to use a domain scoped token to list role assignments in a project owned by that domain?	12:58
*** blewis has joined #openstack-keystone		12:59
*** jasondotstar has joined #openstack-keystone		13:00
*** hogepodge has quit IRC		13:00
*** stevemar has quit IRC		13:00
*** iamjarvo has joined #openstack-keystone		13:00
*** iamjarvo has quit IRC		13:01
*** hogepodge has joined #openstack-keystone		13:02
*** dsirrine has joined #openstack-keystone		13:02
*** fhubik_afk is now known as fhubik_meeting		13:05
*** fifieldt has joined #openstack-keystone		13:06
*** hogepodge has quit IRC		13:11
*** hogepodge has joined #openstack-keystone		13:12
*** gordc_ is now known as gordc		13:14
*** jasondotstar has quit IRC		13:20
*** henrynash has quit IRC		13:21
*** jasondotstar has joined #openstack-keystone		13:27
*** josecastroleon has joined #openstack-keystone		13:28
*** richm has joined #openstack-keystone		13:29
samueldmq	ajayaa: hello, this is a rule defined into the v3 cloud sample policy, right ?	13:29
ajayaa	samueldmq, yes	13:29
samueldmq	ajayaa: where is this rule used ? which API ?	13:29
ajayaa	list_grants	13:30
ajayaa	https://github.com/openstack/keystone/blob/master/etc/policy.v3cloudsample.json#L-88	13:31
samueldmq	ajayaa: ok, so ... to list grants, you must have either	13:31
samueldmq	ajayaa: i) "role:admin and domain_id:%(domain_id)s": admin role in the domain you are listing grants	13:32
ajayaa	and?	13:32
*** iamjarvo has joined #openstack-keystone		13:33
*** edmondsw has quit IRC		13:33
samueldmq	ajayaa: ii) "role:admin and domain_id:%(target.project.domain_id)s": admin role in the domain of the user's project you are trying to list grants for	13:33
samueldmq	ajayaa: I think target there means users...	13:33
samueldmq	ajayaa: however I don't know what project target.project maps to .. since a user may have access to multiple projects ?	13:34
ajayaa	What is an 'user's project'?	13:34
samueldmq	ajayaa: so that's the part I wonder as well :-)	13:34
ajayaa	Currently in my setup, I am trying to use a domain scoped token to list the assignments for a project in that domain.	13:34
ajayaa	But the above mentioned rule does not work.	13:35
samueldmq	ajayaa: what api are you using to list assignments ?	13:35
ajayaa	one sec. I had suspended my vm already. I am brining it up.	13:35
samueldmq	ajayaa: you can list assignments with https://github.com/openstack/keystone/blob/master/etc/policy.v3cloudsample.json#L94	13:36
samueldmq	ajayaa: that list_grants api will only give you back a list of roles	13:36
samueldmq	ajayaa: list role asssignments api will give you the associations (target, actor, role)	13:37
samueldmq	ajayaa: where target can be (project, domain) and actor can be (user,group) :-)	13:37
ajayaa	GET /v3/role_assignments?scope.project.id=ac1bcdb76b0e4aa696bd373e7a38f0d4	13:37
ajayaa	my bad. it's list_role_assignment.	13:38
samueldmq	ajayaa: great so the rule protectign this api is list_role_assignment	13:38
ajayaa	WARNING keystone.common.wsgi [-] You are not authorized to perform the requested action, identity:list_role_assignments.	13:38
*** afazekas__ has quit IRC		13:38
samueldmq	ajayaa: so you were customizing in the wrong place ?	13:38
ajayaa	It seems so. :)	13:39
ajayaa	samueldmq, Thanks.	13:39
ajayaa	Let me change list_role_assignments and see	13:39
*** hogepodge has quit IRC		13:39
samueldmq	ajayaa: np, please come back whenever you have questions	13:39
ajayaa	I am wondering though, what is list_grants then?	13:39
samueldmq	ajayaa: sure ..	13:39
ajayaa	These two are very similar in functionality.	13:40
samueldmq	ajayaa: list_grants will only return the roles, and list_role_assignments will return assignment entities, as I described above	13:40
samueldmq	ajayaa: yes they're very similiar in functionality	13:40
ajayaa	samueldmq, got it. missed your earlier comments.	13:40
ajayaa	Thanks for your help.	13:41
*** hogepodge has joined #openstack-keystone		13:41
*** jasondotstar has quit IRC		13:41
samueldmq	ajayaa: we introduced list_role_assignments later as a separate API because we didn't want to break backwards compability	13:41
samueldmq	ajayaa: np, glad to help	13:41
*** jasondotstar has joined #openstack-keystone		13:42
*** edmondsw has joined #openstack-keystone		13:44
openstackgerrit	Merged openstack/oslo.policy: Add tox target to find missing requirements https://review.openstack.org/195842	13:44
ajayaa	samueldq, nah, it still does not work.	13:51
ajayaa	samueldmq, ^^	13:51
ajayaa	I think domain_id of the project is not available to the policy engine.	13:51
ajayaa	Need to debug it and see though.	13:51
samueldmq	ajayaa: what do you want to be able to do ?	13:53
ajayaa	I want to be able to use a domain scoped token to list assignments for a project that lies in that domain.	13:54
ajayaa	seems fair?	13:54
ajayaa	samueldmq ^^	13:55
samueldmq	ajayaa: why not use a project scoped token to list assignments on that specific project ?	13:55
samueldmq	ajayaa: I mean, a token scoped to projects for project-specific worflows	13:55
samueldmq	ajayaa: you should be able to do so with what you have defined there (https://github.com/openstack/keystone/blob/master/etc/policy.v3cloudsample.json#L93-L94)	13:56
ajayaa	Since a domain is a customer for us and usually there is a single admin for a domain. I want him to be able to list assignments for projects inside his domain.	13:56
samueldmq	ajayaa: however ... to do what you want, we should be able to define something like : rule:admin_required and domain_id:%(scope.project.domain_id)s	13:57
ajayaa	Otherwise if he has 100 projects in a domain, he needs to assign himself role on 100 projects.	13:57
samueldmq	ajayaa: hehe do you know inherited role assignments ?	13:57
ajayaa	94 "domain_admin_for_grants": "rule:tenant_admin_required and (domain_id:%(domain_id)s or domain_id:%(target.project.domain_id)s or domain_id:%(scope.project.domain_id)s)",	13:58
*** sigmavirus24_awa is now known as sigmavirus24		13:58
ajayaa	This is how my rule looks like now.	13:58
ajayaa	But still no luck.	13:58
*** jasondotstar has quit IRC		13:58
samueldmq	ajayaa: if you assign an inherited role assignment in a domain, and that role will be applied to all projects in that domain instead	13:58
samueldmq	ajayaa: what is rule:tenant_admin_required ?	13:58
*** boris-42 has joined #openstack-keystone		13:59
ajayaa	samueldmq, role:admin	13:59
ajayaa	We are using Kilo and the api was experimental in Kilo afaik.	13:59
samueldmq	ajayaa: hmm	13:59
*** jsavak has quit IRC		14:00
ajayaa	But if there is no other option we might be inclined to use it though.	14:00
samueldmq	ajayaa: try : "admin_on_project_filter" : "rule:admin_required and (project_id:%(scope.project.domain_id)s or project_id:%(scope.project.domain.id)s)"	14:01
*** jsavak has joined #openstack-keystone		14:02
samueldmq	ajayaa: I am assumming you are providing scope.project.id filter in your request	14:02
samueldmq	ajayaa: I defined two possible ways to get the domain id from the project ... scope.project.domain_id and scope.project.domain.id	14:02
ajayaa	samueldmq, Tried with both, but didn't work.	14:03
samueldmq	ajayaa: so I guess we can't get to the project's domain that way	14:04
ajayaa	samueldmq, Yes.	14:04
samueldmq	ajayaa: when you provide the filter scope.project.id in the request, we still haven't access to its domain at this level	14:05
ajayaa	samueldmq, Yes. That seems to be the case.	14:05
dims	cores, fyi 1.1.1 pythonkeystoneclient on its way from stable/juno based on request from fungi (https://bugs.launchpad.net/python-keystoneclient/+bug/1468395)	14:05
openstack	Launchpad bug 1468395 in python-keystoneclient "Versions of oslo.i18n higher than 1.17.0 cause ImportError" [Undecided,Confirmed]	14:05
samueldmq	ajayaa: however consider assigning an inherited role assignment in the domain	14:06
samueldmq	ajayaa: and getting project scoped tokens when listing assignments on that domain	14:06
samueldmq	ajayaa: that's one possiblity, however I think we should provide enough flexibitity to allow you to do the other way	14:07
*** blewis` has joined #openstack-keystone		14:08
ajayaa	samueldmq, Yes. Even I think the same way. We should be able to do this without using work-around. By work-around I mean different feature altogether. I am not trying to undermine the inherited role assignment feature in any way.	14:09
ajayaa	maybe I will file a bug report in launchpad.	14:09
*** nkinder has joined #openstack-keystone		14:09
ajayaa	What do you think, samueldmq?	14:10
*** fhubik_meeting is now known as fhubik_afk		14:10
samueldmq	ajayaa: just found this : bug #1437407	14:10
openstack	bug 1437407 in Keystone "With using V3 cloud admin policy, domain admin unable to list role assignment for projects in his domain" [Medium,In progress] https://launchpad.net/bugs/1437407 - Assigned to Guang Yee (guang-yee)	14:10
samueldmq	ajayaa: looks to be exactly what you want ..	14:10
*** blewis has quit IRC		14:11
ajayaa	samueldmq, Thanks for digging that out.	14:14
samueldmq	ajayaa: np	14:14
ajayaa	From the gerrit patches it seems that this feature will land in L cycle and may not go to Kilo.	14:15
ajayaa	samueldmq ^^	14:16
samueldmq	ajayaa: yes, if we merge that, it will certainly land in L	14:16
ajayaa	https://review.openstack.org/#/c/187045/6/specs/liberty/list-assignment-tree.rst	14:16
*** g2` has joined #openstack-keystone		14:16
ajayaa	The graph led me to the above spec.	14:16
ajayaa	samueldmq ^^	14:16
samueldmq	ajayaa: yes, I agree that spec will be bringing the solution for you requirement :-)	14:18
*** stevemar has joined #openstack-keystone		14:19
*** r-daneel has joined #openstack-keystone		14:19
*** dims has quit IRC		14:21
*** henrynash has joined #openstack-keystone		14:23
*** ChanServ sets mode: +v henrynash		14:23
ajayaa	samueldmq, The weird thing is, this discussed rule works while doing create_grant. But not in list_role_assignments.	14:24
*** dims has joined #openstack-keystone		14:24
*** jasondotstar has joined #openstack-keystone		14:24
samueldmq	ajayaa: the spec talks about list_role_assignemtns	14:25
*** fhubik_afk is now known as fhubik_meeting		14:25
ajayaa	samueldmq, agreed. But from a user's POV this thing is very very weird. There could be hundred reasons for this feature not working.	14:26
ajayaa	If you ask someone who doesn't have experience working in Openstack, he will consider it a bug.	14:27
samueldmq	ajayaa: yes we recognize this as being a lack in keystone	14:29
*** fhubik_meeting is now known as fhubik_afk		14:29
samueldmq	ajayaa: that's the reason we are addressing that, as a spec, since we are adding a new capability	14:29
ajayaa	backports? samueldmq	14:30
samueldmq	ajayaa: the way we're addressing that we can't backport	14:30
ajayaa	I mean, what about people who are not running master?	14:30
samueldmq	ajayaa: they'll get it in the next release	14:31
ajayaa	samueldmq, :(	14:31
samueldmq	ajayaa: backporting it would be addressed if we allowed to do so with the existing domain_id checks	14:31
samueldmq	ajayaa: (as described in the Alternatives seciton of that spec)	14:31
samueldmq	s/would be/could be	14:32
*** henrynash has quit IRC		14:32
samueldmq	ajayaa: well, you can talk to other people and see what the possibilities are .. to have a backportable solution	14:32
samueldmq	ajayaa: henrynash is the right guy .. I didn't see he was here (just left) :(	14:33
samueldmq	ajayaa: he's the one proposing that spec	14:33
ajayaa	samueldmq, I will just put it on the next meeting agenda and see what everyone has to say.	14:33
samueldmq	ajayaa: sounds good .. get familiar to that spec to understand what is being proposed though :)	14:34
ajayaa	samueldmq, agrees. That's the first thing on my todo list.	14:34
ajayaa	s/agrees/agreed	14:34
samueldmq	ajayaa: nice :)	14:35
*** ayoung has joined #openstack-keystone		14:38
*** ChanServ sets mode: +v ayoung		14:38
*** piyanai has quit IRC		14:42
*** jasondotstar has quit IRC		14:42
*** amakarov_away is now known as amakarov		14:43
*** mabrams has left #openstack-keystone		14:46
*** HT_sergio has joined #openstack-keystone		14:46
*** piyanai has joined #openstack-keystone		14:47
*** piyanai has quit IRC		14:47
*** jasondotstar has joined #openstack-keystone		14:47
*** piyanai has joined #openstack-keystone		14:47
*** jasondotstar has quit IRC		14:48
*** ajayaa has quit IRC		14:49
*** timsim has left #openstack-keystone		14:49
*** piyanai has quit IRC		14:52
*** piyanai has joined #openstack-keystone		14:52
*** piyanai has quit IRC		14:52
dstanek	simple review anyone? https://review.openstack.org/#/c/193619	14:53
marekd	dstanek: done.	14:55
dstanek	marekd: thx	14:55
*** diazjf has joined #openstack-keystone		14:58
samueldmq	dstanek: just took a look, and learned about %r :_	14:59
samueldmq	:)	15:00
*** kiran-r has joined #openstack-keystone		15:01
*** henrynash has joined #openstack-keystone		15:01
*** ChanServ sets mode: +v henrynash		15:01
*** jecarey has joined #openstack-keystone		15:01
*** jasondotstar has joined #openstack-keystone		15:04
*** zzzeek has joined #openstack-keystone		15:07
*** fhubik_afk is now known as fhubik_meeting		15:09
openstackgerrit	Steve Martinelli proposed openstack/keystone: Generate new config options for oslo.cache https://review.openstack.org/196700	15:11
dstanek	stevemar: that oslo.cache unicode error is quite strange	15:20
dims	dstanek: without that the py34 tox target fails	15:20
ayoung	amakarov, do you still need the invitation letter?	15:22
*** kiran-r has quit IRC		15:22
dstanek	dims: is that new behavior in olso.cache?	15:23
amakarov	ayoung, hi! Thanks, I've already received it and even brought to the embassy :)	15:23
ayoung	amakarov, excellent. Looking forward to seing you	15:23
dims	dstanek: the code was never run with py34 is what i remember	15:23
*** e0ne has joined #openstack-keystone		15:23
dstanek	stevemar: dims: oh, is this what you are currently discussing in #openstack-oslo?	15:23
stevemar	dstanek: yep :)	15:24
stevemar	dstanek: join the club	15:24
dims	ack :)	15:24
amakarov	ayoung, btw, about unified delegations: it has to include OAuth, right?	15:24
*** e0ne is now known as e0ne_		15:25
ayoung	amakarov, to be clear, it should include the existing OAUTH1 extension, not OAUTH as a federation protocol. But yes.	15:25
*** e0ne_ is now known as e0ne		15:25
amakarov	ayoung, is it needed to be convertible to SAML assertion then?	15:25
amakarov	or it will be done by some other module?	15:26
*** kfox1111 has joined #openstack-keystone		15:26
*** david-ly_ is now known as david-lyle		15:27
ayoung	amakarov, I don't think it needs to be convertd to a SAML module. SAML means two things	15:27
ayoung	either Federation or K2K	15:27
ayoung	unified delegation is more internal	15:27
ayoung	it is unifying the following: role assignments, trusts, OAUTH1	15:28
*** rlt__ has joined #openstack-keystone		15:28
*** geoffarnold has quit IRC		15:28
ayoung	amakarov, So, While Federation would use it, and while K2K would use it, neither are integral to the effort. Unless I am missing something?	15:28
*** rlt_ has quit IRC		15:29
*** belmoreira has quit IRC		15:29
amakarov	ayoung, shall we have revocation events?	15:31
ayoung	amakarov, um...again, orthoganal concern, I think, to unified delegation.	15:31
ayoung	amakarov, why do you ask that...I hear gears grinding away...	15:32
*** jsavak has quit IRC		15:32
amakarov	ayoung, I think delegations will be connected to revocation engine if the latter persist	15:32
ayoung	amakarov, ah, yes.	15:32
*** thedodd has joined #openstack-keystone		15:32
amakarov	ayoung, and it heve to be taken into account	15:32
ayoung	amakarov, so, yeah, changes in the delegation agreements would trigger revocations	15:32
amakarov	s/heve/have/	15:32
ayoung	I don't think it would be radically diffeent from what we have today, but, yeah, any changes in the overall structure could affect new classes of revocations, or at least trigger existing ones in new ways	15:33
amakarov	ayoung, and speaking of revocation engine: what are you planning to do with this: https://review.openstack.org/#/c/81166	15:34
ayoung	dolphm, speaking of revocations...you were pushing for groups in the tokens, and you were saying you had never seen groups from LDAP. Do you see a need for User groups as a reusable resource inside of Keystone?	15:34
ayoung	amakarov, Ha	15:35
amakarov	ayoung, yes? :)	15:35
ayoung	amakarov, I don't know...I have enough stuff I am juggling, and I kindof feel like other people care more about revocation events than I do. I don't want to hold people up.	15:35
ayoung	amakarov, for the moment, I think there is little reason to push revocatin events into the middleware check	15:36
*** ajayaa has joined #openstack-keystone		15:36
ayoung	if we did, it would mean that people could keep using PKI tokens, but I suspect that the number of people that want that is quite small	15:36
ayoung	I was thinking that before we did any more work this way, we would let the issues with Fernet shake out, then look again at doing something with PKI if we felt there was sufficient justification	15:37
amakarov	ayoung, just today I had a call from the people who use actually them (planing to migrate to Fernet though)	15:37
ayoung	amakarov, However, K2K removed one of the biggest reasons I was pushing PKI, so I am kindof willing at this point to let it go	15:37
*** kiran-r has joined #openstack-keystone		15:38
*** lufix has quit IRC		15:38
* dstanek pictures ayoung dancing to the theme song of Frozen		15:39
ayoung	amakarov, I'm guessing that Fernet is good enough for the foreseeable future. I'd like to work through unified delegation before ever looking at different token formats. But, before that, I think the highest priority is straightening out policy enforcement	15:39
*** jasondotstar has quit IRC		15:40
amakarov	ayoung,	15:40
morganfainberg	amakarov: I have a chain of patches in active development that is addressing some oddities in fernet.	15:41
morganfainberg	amakarov: FYI.	15:41
amakarov	ayoung, I wonder if we need delegations at all if policies will be flexible enough...	15:41
morganfainberg	There is one relatively large bug. Expiry is not maintained over rescope	15:41
kfox1111	morganfainberg: A thought. For x509 instance users, we need an authentication error besides 401 or 403. We need a, go get a new cert, your current one's no longer valid?	15:42
amakarov	morganfainberg, so any token given away may be maintained to be eternal?	15:42
morganfainberg	kfox1111: that should be CRL or look at the certs attributes. Not something keystone needs to communicate differently than http (we can add extra data to the error I guess but 401/403 is correct)	15:43
morganfainberg	amakarov: yes. Rescope changes expiration now with fernet.	15:44
kfox1111	so the instance would try and talk to keystone, get a 401 or 403, then have to fetch the crl, check that it indeed is bad, then go back to phase 1?	15:44
morganfainberg	amakarov: https://review.openstack.org/#/c/196475/	15:45
kfox1111	I do like the extra data idea. makes it simpler to handle.	15:45
morganfainberg	kfox1111: you might want to check CRL to start.	15:45
morganfainberg	If there is a CRL to check (may not be)	15:45
kfox1111	more http requests that way. would scale better to just try and on the error case, then recover since that should be much less common.	15:46
morganfainberg	kfox1111: most clients check the CRL if they care.	15:46
morganfainberg	I don't really care which way you cut that ;)	15:46
*** e0ne has quit IRC		15:46
kfox1111	I was kind of wondering about the CRL bits... It might get quite large if we don't expire frequently?	15:47
*** kiran-r has quit IRC		15:47
morganfainberg	kfox1111: I suggest reading up on PKI in general	15:47
kfox1111	I know most of it. I have'nt studied CRL's though.	15:47
kfox1111	I'll have a look.	15:48
*** e0ne has joined #openstack-keystone		15:48
*** dsirrine_ has joined #openstack-keystone		15:48
morganfainberg	Look into CRLs they've been around for a loooong time.	15:48
kfox1111	with instances coming and going, It may become a scalability issue.	15:48
amakarov	morganfainberg, thanks, I'll see it	15:49
morganfainberg	Only if you explicitly revoke a cert	15:49
*** jasondotstar has joined #openstack-keystone		15:49
morganfainberg	Vs short lived certs	15:49
kfox1111	which I think you'd want to do when a vm gets deleted?	15:49
morganfainberg	Short-ish lived.	15:49
morganfainberg	Up to you. I'm not designing that part. ;)	15:49
morganfainberg	I'm just pointing out how these things work.	15:49
kfox1111	yeah. so the tradeoff is, lengh of cert lifetime vs crl length?	15:50
morganfainberg	Yep.	15:50
morganfainberg	Of if you care about revoking certs at all	15:50
*** dsirrine has quit IRC		15:50
*** jasondotstar has quit IRC		15:50
*** browne has joined #openstack-keystone		15:51
kfox1111	if you make lifetime short enough you don't care, your almost in the realm of just using keystone tokens as the mechansim somehow... ;)	15:51
*** jasondotstar has joined #openstack-keystone		15:51
*** e0ne is now known as e0ne_		15:53
amakarov	morganfainberg, looks like we don't have regression for token expiration at all if such behaviour is possible.	15:54
amakarov	regression tests	15:54
morganfainberg	amakarov: we don't. It is very hard to test that without significant test increases.	15:55
*** e0ne_ is now known as e0ne		15:55
morganfainberg	The real issue is fernet tokens are a totally separate code path from other token issuance	15:55
morganfainberg	And such display a number of bad edge cases.	15:56
morganfainberg	If you look at that chain, the next few patches will solve that and make the fernet tokens issue the same way as normal tokens.	15:56
morganfainberg	I'm very disappointed that fernet tokens were developed like this.	15:56
* morganfainberg is playing janitor.		15:56
lbragstad	morganfainberg: for this https://bugs.launchpad.net/keystone/+bug/1469563	15:57
openstack	Launchpad bug 1469563 in Keystone liberty "Fernet tokens do not maintain expires time across rescope (V2 tokens)" [High,In progress] - Assigned to Morgan Fainberg (mdrnstm)	15:57
lbragstad	morganfainberg: do you have a link to an existing patch? OpenStack Infra assigned it to you and marked it as "in progess" but didn't link the review	15:57
morganfainberg	lbragstad: if you read scroll back. But sec.	15:58
amakarov	morganfainberg, "it already glitches" - is just a stage in software lifecycle :)	15:58
morganfainberg	lbragstad: https://review.openstack.org/#/c/196475/	15:58
lbragstad	morganfainberg: awesome	15:58
morganfainberg	amakarov: no. This was because fernet created a separate code path that was largely untested.	15:58
morganfainberg	amakarov: instead of working to keep it in line with the other providers.	15:59
kfox1111	the issues around the crl are ... unfortunate...	15:59
*** jistr_ has quit IRC		15:59
kfox1111	we maybe solving one issue to turn around and create another. :/	15:59
morganfainberg	amakarov: and this causes all sorts of edge cases.	16:00
*** Akshay00 has joined #openstack-keystone		16:00
* amakarov goes to the corner		16:00
bknudson	kfox1111: check out anchor -- https://wiki.openstack.org/wiki/Security/Projects/Anchor	16:00
kfox1111	the crl doesn't look to be very scalable? outside of having multiple? then keystone would need to check multiple.	16:00
*** gyee has joined #openstack-keystone		16:00
*** ChanServ sets mode: +v gyee		16:00
*** topol has joined #openstack-keystone		16:00
*** ChanServ sets mode: +v topol		16:00
morganfainberg	amakarov: it is far from anyone's fault. I part I'm having issue with is that there hasn't been an effort to continue the cleanup.	16:01
kfox1111	bknudson: thakns. any archetectural documentation? that page is rather sparse on detail.	16:02
kfox1111	it claims to have solved the issue, but not how.	16:02
bknudson	kfox1111: there must have been a presentation at the summit, which would have been recorded.	16:02
kfox1111	does it simply keep certificate lifetime really really short?	16:02
bknudson	kfox1111: yes, that's it's trick	16:03
kfox1111	k. so for instance users, keeping the cert really really short doesn't have much advantage I think over just getting keystone tokens through some other mechanism, since keystone tokens also are very very short lived?	16:04
amakarov	morganfainberg, I'll check the rest of your chain then )	16:04
morganfainberg	lbragstad: if you have some cycles I could use some help solving the last bugs or so in that chain.	16:04
morganfainberg	lbragstad: still seeing ~6 failures around trusts.	16:04
lbragstad	morganfainberg: sure thing, I'm digging into ^ that one now	16:05
morganfainberg	lbragstad: and the next step is to make it so fernet uses the common provider, just does the Id generation in .get_id	16:05
morganfainberg	Or whatever that method is.	16:05
morganfainberg	Then same thing for v3 fernet.	16:05
*** ajayaa has quit IRC		16:05
lbragstad	morganfainberg: you want to build the fernet.provider into the common.provider?	16:06
morganfainberg	We will still need the issue_v*_token method to punt out binds	16:06
kfox1111	hmm.... wikipedia's crl article metions OCSP as an alternate.	16:06
kfox1111	has anyone looked at that?	16:06
morganfainberg	No, I just want fernet to not reimplement issue_v_token and validate_v_token uselessly	16:06
*** kiran-r has joined #openstack-keystone		16:07
morganfainberg	It makes it hard to maintain the code since you have two distinct code paths.	16:07
morganfainberg	lbragstad: the goal is to make fernet' logic not need to re-implement it. (Ok the v2 token part, yes we're merging most of that over)	16:07
*** tqtran has joined #openstack-keystone		16:07
lbragstad	morganfainberg: makes sense	16:08
*** rwsu has joined #openstack-keystone		16:08
morganfainberg	Mostly fernet can just implement the ID logic in the ._get_token_id method	16:08
morganfainberg	The formatters and all that should still be in the fernet only provider	16:08
bknudson	kfox1111: https://www.openstack.org/summit/vancouver-2015/summit-videos/presentation/secure-ephemeral-pki-with-the-anchor-project	16:09
morganfainberg	bknudson: anchor looks like a cool project.	16:09
*** iamjarvo has quit IRC		16:09
*** fhubik_meeting has quit IRC		16:09
kfox1111	ah... interesting... so nova could provide an OCSP responder as part of the solution. it would simply check against if the vm is marked deleted in the nova db. keystone could then ask nova is the cert valid on request.	16:09
kfox1111	bknudson: Thanks, I'll take a look.	16:10
*** geoffarnold has joined #openstack-keystone		16:10
kfox1111	then there is no crl or scaling issue. keystone and nova api's would scale together.	16:10
kfox1111	details here: https://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol	16:11
*** kiran-r has quit IRC		16:11
dims	morganfainberg: can you please bless https://review.openstack.org/#/c/196175/ as otherwise keystone will break with a oslo.service release this afternoon?	16:14
morganfainberg	dims: sec	16:14
morganfainberg	dims: then I'd need to ask you to unpush the release. And we don't want that... +a	16:15
openstackgerrit	Rodrigo Duarte proposed openstack/keystone: Refactor: expand_ref() in resource/controllers.py https://review.openstack.org/196729	16:16
*** henrynash has quit IRC		16:17
*** dramakri has joined #openstack-keystone		16:17
*** jasondotstar has quit IRC		16:17
*** dramakri has left #openstack-keystone		16:17
dims	thanks morganfainberg!	16:18
*** henrynash has joined #openstack-keystone		16:19
*** ChanServ sets mode: +v henrynash		16:19
bknudson	stevemar: morganfainberg: what do you think about a feature branch for https://review.openstack.org/#/c/195873/ (oslo.cache use)	16:21
bknudson	the oslo.cache interface isn't going to be stable until 1.0	16:21
morganfainberg	bknudson: if you think it'll make things easier, 100% for it.	16:21
bknudson	also, probably should have done the same for oslo.service. although I don't expect the interface to change as much	16:21
morganfainberg	bknudson: if you think it'll be not a big win, I'm fine with it staying WIP	16:22
bknudson	WIP is probably easier then we don't have to do merges to keep it in sync	16:22
bknudson	I'm just not sure how long it's going to take to get to 1.0	16:23
*** slberger has joined #openstack-keystone		16:23
bknudson	and I'd like to see the smaller commits in keystone.	16:23
*** kiran-r has joined #openstack-keystone		16:25
*** packet has joined #openstack-keystone		16:25
stevemar	bknudson: i dont think its necessary tbh, i'm okay with maintaining that patch while oslo.cache sorts itself out	16:26
kfox1111	is keystone using m2crypto or some other library?	16:26
*** jsavak has joined #openstack-keystone		16:28
*** kiran-r has quit IRC		16:30
*** kiran-r has joined #openstack-keystone		16:30
*** _cjones_ has joined #openstack-keystone		16:32
morganfainberg	kfox1111: not m2crypto. That library is pretty much dead	16:34
morganfainberg	bknudson: let's keep it WIP then.	16:34
morganfainberg	stevemar: ^ cc	16:34
bknudson	ok. if it gets too annoying we can create a feature branch.	16:35
*** _kiran_ has joined #openstack-keystone		16:35
bknudson	there's going to be a lot of changes to the oslo.cache api	16:35
*** henrynash has quit IRC		16:35
*** solomondg has joined #openstack-keystone		16:36
*** kiran-r has quit IRC		16:36
dims	bknudson: the only people working on the api will be the folks here :)	16:36
dims	so that should help	16:37
*** henrynash has joined #openstack-keystone		16:39
*** ChanServ sets mode: +v henrynash		16:39
*** dguerri is now known as dguerri`		16:40
*** _cjones_ has quit IRC		16:43
*** _cjones_ has joined #openstack-keystone		16:43
*** woodster_ has joined #openstack-keystone		16:44
*** henrynash has quit IRC		16:45
*** jasondotstar has joined #openstack-keystone		16:46
kfox1111	morganfainberg: What's being used then? openssl cli?	16:46
morganfainberg	In PKI tokens, yes	16:46
*** csoukup has quit IRC		16:47
openstackgerrit	Lance Bragstad proposed openstack/keystone: Maintain the expiry of v2 fernet tokens https://review.openstack.org/196475	16:47
*** henrynash has joined #openstack-keystone		16:47
*** ChanServ sets mode: +v henrynash		16:47
*** jasondotstar has quit IRC		16:47
*** _kiran_ has quit IRC		16:47
morganfainberg	There are many reasons - this is the least	16:47
morganfainberg	Of the bad ideas for when pki tokens started out	16:47
morganfainberg	lbragstad: fwiw, we already have a test for that. Just didn't hit fernet tokens	16:48
morganfainberg	lbragstad: because fernet tokens use a different code path.	16:48
morganfainberg	The fact that we need a new test	16:49
morganfainberg	Classe for fernet makes me sad :(	16:49
kfox1111	ok. cause I wasn't seeing any OCSP code in m2crypto, but the cli seems to support it.	16:49
morganfainberg	kfox1111: yeah assume m2crypto is dead.	16:49
lbragstad	morganfainberg: dolphm and I were looking to consolidating some of the	16:50
lbragstad	so that we have a single test class that describes the token bahvior	16:50
lbragstad	behavior*	16:50
morganfainberg	lbragstad: well keep chasing my chain and you'll see its headed that way	16:50
kfox1111	did the validation example I gave make sense? I realized I was asking in the wrong channel, so you might not have sen it.	16:50
kfox1111	seen	16:50
morganfainberg	Since you won't need to have custom tests for "is basic token stuff working"	16:51
lbragstad	morganfainberg: here is what I was doing https://review.openstack.org/#/c/167832/	16:51
morganfainberg	lbragstad: I'd DRY the token provider code first.	16:51
morganfainberg	It'll make your drying up the test code easier m	16:52
lbragstad	morganfainberg: that's the first stab at trying to consolidate all the test functionality into a single class (DRYing the test code)	16:52
*** spandhe has joined #openstack-keystone		16:57
*** kfox1111 is now known as kfox1111_away		16:58
openstackgerrit	Alberto Murillo proposed openstack/keystone: disable admin_token by default https://review.openstack.org/185464	16:58
samueldmq	morganfainberg, ayoung : I am writing the oslo.policy spec and I've a question ..	16:59
ayoung	fire away as always samueldmq	16:59
*** eandersson has joined #openstack-keystone		16:59
*** e0ne has quit IRC		16:59
samueldmq	depending on our cache strategy, if (from Keystone) we say to Middleware: 'this is the policy you asked for, but only use it in X seconds'	16:59
eandersson	Anyone using Ansible and Keystone V3 here?	16:59
stevemar	eandersson: everyone from rax?	17:00
eandersson	Heh	17:00
samueldmq	it is Middleware job to know the right time to call oslo.policy to do the overlay, right ?	17:00
dstanek	eandersson: i've been playing with a module do to V3, but not much else	17:00
eandersson	We are looking at using it, but it does not look like V3 is supported yet.	17:00
samueldmq	and then write to the file	17:00
samueldmq	ayoung: morganfainberg ^	17:00
stevemar	eandersson: go to #openstack-ansible - and ping sigmavirus24 dolphm and lbragstad	17:01
eandersson	Awh, dstanek. I was thinking of implementing it, but didnt' want to re-invent the wheel if possible.	17:01
samueldmq	ayoung: morganfainberg in other words, oslo.policy only offers the call to overlay and then write to policy.json	17:01
stevemar	they have a ton of playbooks available	17:01
dstanek	eandersson: you are correct.	17:01
eandersson	Awesome! Thanks	17:01
*** fangzhou has joined #openstack-keystone		17:01
sigmavirus24	we're on our way there at least	17:01
sigmavirus24	I'm working on it specifically right now	17:01
dstanek	i think sigmavirus24 was talking abouit it this morning	17:01
dstanek	yay!	17:01
sigmavirus24	Yep	17:01
eandersson	Been looking for some information on this for hours.	17:01
sigmavirus24	Our current library module for ansible that adds users and such is on v2	17:01
ayoung	eandersson, I don't tihnk the stock playbooks support v3 across the board yet	17:01
eandersson	Join openstack-keystone and bam!	17:01
lbragstad	eandersson: what are you looking to accomplish?	17:01
sigmavirus24	But we're adding federation bits so we're converting to v3	17:02
lbragstad	eandersson: playbooks fo days!	17:02
stevemar	we are here but to serve	17:02
sigmavirus24	stevemar: identify and serve ;)	17:02
stevemar	zing	17:02
sigmavirus24	rimshot	17:02
ayoung	samueldmq, processsing....	17:02
* lbragstad thinks that should be on a shirt		17:02
* sigmavirus24 was heading off to lunch though		17:02
ayoung	samueldmq, I think that is right.	17:02
eandersson	We are looking into using it for orchestration (creating new vms etc)	17:03
eandersson	but we are using domain-tokens, so V2 won't cut it :p	17:03
ayoung	samueldmq, I really thinkg we are going to need to prototype this out. I think we are doing things backwards by writing the specs first...and I know how weird it sounds to say that	17:03
ayoung	eandersson, wanna see something cool?	17:03
samueldmq	ayoung: great, I will be submitting the spec in a bit	17:03
ayoung	https://github.com/admiyo/ossipee/blob/master/ossipee.py	17:04
samueldmq	ayoung: I will update the other 2 specs as well (policy fetch and catch + policy by URL)	17:04
samueldmq	ayoung: before sending the FFE email for Dynamci Policies	17:04
ayoung	eandersson, ^^ is my code fro building dev environments. I got it to run as an ansible module...its very much a WIP	17:04
samueldmq	ayoung: sounds good ?	17:04
ayoung	samueldmq, sounds good	17:04
eandersson	awesomwe	17:05
*** spandhe has quit IRC		17:05
*** lhcheng has joined #openstack-keystone		17:07
*** ChanServ sets mode: +v lhcheng		17:07
*** lhcheng_ has joined #openstack-keystone		17:08
*** lsmola has quit IRC		17:09
*** Akshay00 has quit IRC		17:10
lbragstad	eandersson: there is also setup stuff here https://github.com/dolph/keystone-deploy	17:11
*** lhcheng has quit IRC		17:11
*** RichardRaseley has joined #openstack-keystone		17:12
*** Akshay00 has joined #openstack-keystone		17:13
eandersson	Nice thanks lbragstad	17:13
*** ankita_wagh has joined #openstack-keystone		17:14
*** jasondotstar has joined #openstack-keystone		17:15
*** sigmavirus24 is now known as sigmavirus24_awa		17:15
*** HT_sergio has quit IRC		17:17
*** afaranha has joined #openstack-keystone		17:20
*** afaranha has left #openstack-keystone		17:21
openstackgerrit	Merged openstack/keystone: Use oslo.service ServiceBase when loading from eventlet https://review.openstack.org/196175	17:23
*** Akshay00 has quit IRC		17:24
*** hogepodge has quit IRC		17:26
david8hu	ayoung, samueldmg, we got to look at this from user and service perspective.	17:26
samueldmq	david8hu: hey	17:27
*** hogepodge has joined #openstack-keystone		17:27
samueldmq	david8hu: at where to put the caching logic ?	17:27
*** browne has quit IRC		17:28
ayoung	david8hu, from the user perspective, it should be invisible	17:28
samueldmq	david8hu: so .. from user perspective it doesn't matter, the feature works the same at the end	17:28
samueldmq	ayoung: ++	17:28
ayoung	from the service standpoint, it should be fetch and cache	17:28
david8hu	samueldmq, Let me look at the diagram. It's been couple of days.	17:29
ayoung	samueldmq, david8hu my thought was we make a pattern of "fetch before we need it"	17:29
ayoung	I would love it if fetching the new ... whatever (in this case policy file) is done by a dedicated process, and then put into a tempt file	17:29
ayoung	then, activating the new one is done as an atomic rename	17:30
samueldmq	ayoung: yeah, that's where the middleware wait with the policy in hands ("don't use it before X seconds") and calls oslo.policy in the right time	17:30
david8hu	ayoung, samueldmq, Fetch it before it initializes the policy enforcer.	17:30
*** WormMan has joined #openstack-keystone		17:30
samueldmq	ayoung: that's synchronized with our solution for multiple processes behind an HAprox	17:30
samueldmq	y	17:30
samueldmq	david8hu: sure, what we're talking about is the mechanism to, based on a dict of custom rules	17:31
ayoung	I could see a cache-sync process over time that does: 1 write lock file. 2. fetch policy. 3. write policy to temp dire. 4. remove lock file	17:31
samueldmq	david8hu: overlay the policy.json	17:32
*** dontalton has joined #openstack-keystone		17:32
samueldmq	david8hu: this processing is done by oslo.policy	17:32
*** ajayaa has joined #openstack-keystone		17:32
ayoung	then, if a second process gets kicked off, it sees the lock file and just exists	17:32
ayoung	exits	17:32
WormMan	sigh, ok, I've convinced keystone to auth to ldap. And I think I put one of my ldap users as a member of a project in the default(sql) domain. Now, how on earth do I tell the openstack command line that I want to do a 'server list' with my ldap user for that other project/domain	17:32
ayoung	WormMan, V2 or V3?	17:32
samueldmq	ayoung: multiple middlewares for the same service process ?	17:32
WormMan	ayoung: v3	17:32
ayoung	WormMan, and...try using the openstack common CLI	17:33
WormMan	ayoung: exactly.	17:33
ayoung	ah, you are...ok/	17:33
ayoung	WormMan, OK, so I typically havea V3 file. You need to specify domain for both identity (user) and for assignemtn (project)	17:33
ayoung	I'll paste a sterilized on... one sec	17:33
david8hu	samueldmq, so, it is the oslo.policy changes you were refering to last Friday.	17:33
ayoung	WormMan, http://paste.openstack.org/show/325455/	17:35
ayoung	WormMan, also, if yoiu were using the Service token before, make sure you unset...	17:35
david8hu	ayoung, samueldmq, Why not treat it like how Samba does it. Opportunistic locking.	17:35
samueldmq	david8hu: exactly	17:35
samueldmq	david8hu: ayoung just a sec	17:36
ayoung	OS_SERVICE_PROVIDER_ENDPOINT	17:36
*** jasondotstar has quit IRC		17:37
ayoung	WormMan, and unset OS_SERVICE_TOKEN	17:37
ayoung	david8hu, yep, something like that	17:37
WormMan	ayoung: thanks, obviously I was using the wrong mix of command line options that didn't quite match that	17:37
WormMan	ayoung: I'll also point out just how intuitive this whole thing is :)	17:37
ayoung	WormMan, I tend to put those unset calls right into the .rc	17:37
WormMan	I won't even mention how annoying it is that it seems that the service token can't simply 'do everything' when a v3 policy.json is in place	17:38
WormMan	(expected, but annoying)	17:39
WormMan	now, of course, I need to get this whole set of setup into puppet so I can actually replicate it	17:41
samueldmq	ayoung: david8hu morganfainberg 'policy: Dynamic Policies Overlay' (https://review.openstack.org/#/c/196753/)	17:42
samueldmq	^ first version of the oslo.policy spec	17:42
samueldmq	containing trailing spaces btw :(	17:43
ayoung	samueldmq, cool. You do have some whitespace	17:43
samueldmq	ayoung: done!	17:43
ayoung	samueldmq, OK, so we need this to explicitly sate how the overlay is going to work: the stock policy will be left in polace, but rules that are defined in both stock and overlay will get the overlay version	17:45
ayoung	suspect we'll want a flag for leaving the default in place or not, but that can be a different spec	17:45
samueldmq	ayoung: I said that in the task in 'Work Items'	17:45
samueldmq	ayoung: maybe I need to make that explicit earlier	17:45
ayoung	samueldmq, looking	17:45
*** jaosorior has quit IRC		17:46
ayoung	yeah, I think in the proposed change portion	17:46
samueldmq	ayoung: ++	17:46
samueldmq	ayoung: please leave a review with any other comments you have, if any :)	17:46
samueldmq	ayoung: so I can fix at once	17:47
ayoung	wilco	17:47
*** Ephur has joined #openstack-keystone		17:47
*** jaosorior has joined #openstack-keystone		17:47
samueldmq	ayoung: always need to google when you guys use abbreviations :-)	17:47
david8hu	samueldmq, I assume the interface to policy will remain the same?	17:48
samueldmq	david8hu: for customizing policies ?	17:48
samueldmq	david8hu: for now yes, we are putting the dynamic fetch/cache in place	17:48
david8hu	samueldmq, yes, I am trying to figure the impact to services like nova.	17:48
samueldmq	david8hu: later we'll improve the way we customize: granularly, hierarchical roles, and so on	17:49
samueldmq	david8hu: nova won't know anything about dynamic policies, it will find the policy.json file there as it does today	17:49
samueldmq	david8hu: we might have updated that when the request came to middleware, i.e ealier in the pipeline :)	17:50
*** HT_sergio has joined #openstack-keystone		17:52
samueldmq	ayoung: thanks	17:52
david8hu	samueldmq, I think I understands it now. The overlay spec is simply to support customized policy on top of stack policy?	17:54
david8hu	samueldmq, I meant s/stack/stock.	17:54
samueldmq	david8hu: yes, it is just how we overlay it :)	17:54
samueldmq	david8hu: and this work is done by oslo.policy	17:54
samueldmq	david8hu: oslo.policy.overlay({'compute:create_server': ''})	17:55
samueldmq	david8hu: oslo.policy knows where the stock policy file is (it's in its configs) :)	17:55
david8hu	samueldmq, There is going to be a lib function or 2 to support this.	17:56
samueldmq	david8hu: yeah, just a single one I think, very simple	17:56
samueldmq	david8hu: isn't it ?	17:56
*** jasondotstar has joined #openstack-keystone		17:57
*** csoukup has joined #openstack-keystone		17:57
david8hu	samueldmq, How will it know that there is an update to this customized policy?	17:57
samueldmq	ayoung: in the problem description I will introduce what Stock and Dynamic Policies are, just to contextualize	17:58
samueldmq	david8hu: oslo.policy doesn't know, and it doesn't need to	17:58
ayoung	samueldmq, thanks. I think that will be most useful	17:58
samueldmq	david8hu: middleware knows that, and just asks oslo.policy to do the overlay job	17:58
samueldmq	david8hu: basically middleware knows the endpoint_url, and asks keystone for custom policy for that url	17:59
david8hu	samueldmq, It's the caller's job.	17:59
samueldmq	david8hu: very precise sentence man	17:59
samueldmq	david8hu: it's just the code that lives in oslo.policy, as a library that it is	18:00
david8hu	samueldmq, ...and we are not talking about unified policy file...correct? :)	18:00
samueldmq	david8hu: no we aren't, unified would be stored on keystone server, at middleware/oslo.policy we don't care about that at all	18:01
*** eandersson has quit IRC		18:01
samueldmq	david8hu: we ask keystone if there is custom rules, it doesn't matter how they're calculated, added, CRUDed, we just want the response	18:01
samueldmq	david8hu: how they're CRUDed is to keystone to know/provide APIs :)	18:02
samueldmq	david8hu: for now our solution doesn't include unified, if that's what you specifically want to know	18:02
*** Ephur has quit IRC		18:03
*** c_soukup has joined #openstack-keystone		18:03
*** janonymous_ has joined #openstack-keystone		18:03
*** eandersson has joined #openstack-keystone		18:03
*** sigmavirus24_awa is now known as sigmavirus24		18:03
janonymous_	https://review.openstack.org/#/c/193866/	18:04
dstanek	janonymous_: lots of things happening - don't be surprised if it takes a little while to get reviews through	18:05
janonymous_	:) sure	18:06
david8hu	samueldmq, I think we need a spec for something like say I am a Nova admin, I want to inject a customized policy. What is the interface for that.	18:06
*** _nonameentername is now known as nonameentername		18:06
*** jsavak has quit IRC		18:06
*** jsavak has joined #openstack-keystone		18:07
samueldmq	david8hu: so you create a policy in Keystone server, and associate it to them endpoint_urls corresponding to your nova service	18:07
samueldmq	david8hu: that's basically the main workflow, which is described by the wiki (previously overview spec)	18:07
*** piyanai has joined #openstack-keystone		18:07
*** csoukup has quit IRC		18:07
*** mylu has joined #openstack-keystone		18:07
samueldmq	ayoung: should we call it Dynamic Policy or Override Policy, as we called it last week	18:09
samueldmq	?	18:09
samueldmq	ayoung: we need to choose the best naming , to avoid confusing people (still more) about htis	18:10
ayoung	Sounds like a band name	18:10
ayoung	Oooh	18:10
david8hu	samueldmq, Dyanmic policy customization overlay (DPCO)	18:10
samueldmq	Custom Policy ?	18:10
ayoung	Dynamic Policy OVERDRIVE!	18:10
samueldmq	overdrive? oO	18:11
samueldmq	I think Custom Policy is simple and direct to what it means	18:11
david8hu	samueldmq, Is it a keystone API call from user perspective? I don't think there is a spec for that.	18:11
samueldmq	david8hu: there is a policy CRUD on keystone already	18:12
samueldmq	david8hu: http://developer.openstack.org/api-ref-identity-v3.html#policies-v3	18:13
*** jasondotstar has quit IRC		18:13
*** arunkant has joined #openstack-keystone		18:14
*** pnavarro has quit IRC		18:14
david8hu	samueldmq, Levereage /v3/policies/{policy_id} for customize policy?	18:15
*** piyanai has quit IRC		18:15
*** crc32 has joined #openstack-keystone		18:15
david8hu	samueldmq, But the current interface does not know which stock policy user is overriding.	18:17
*** piyanai has joined #openstack-keystone		18:17
samueldmq	david8hu: I agree	18:18
samueldmq	david8hu: that's where policy endpoint association comes	18:18
samueldmq	david8hu: http://specs.openstack.org/openstack/keystone-specs/api/v3/identity-api-v3-os-endpoint-policy.html	18:18
samueldmq	david8hu: however we need a way to assign based on endpoint_url	18:18
samueldmq	david8hu: which is what ayoung started at 'Policy by URL' (https://review.openstack.org/#/c/192422)	18:19
openstackgerrit	Lance Bragstad proposed openstack/keystone: Consolidate the fernet token provider. https://review.openstack.org/196774	18:20
*** chrisshattuck has joined #openstack-keystone		18:22
*** browne has joined #openstack-keystone		18:26
david8hu	samueldmq, Thx. I posted a comment for "policy by url"	18:29
*** ajayaa has quit IRC		18:29
samueldmq	david8hu: sure, thanks	18:29
samueldmq	david8hu: I will be updating that spec today/tomorrow	18:30
*** openstackgerrit has quit IRC		18:30
*** openstackgerrit has joined #openstack-keystone		18:30
*** amakarov is now known as amakarov_away		18:31
*** jasondotstar has joined #openstack-keystone		18:32
openstackgerrit	guang-yee proposed openstack/keystone: Fix for LDAP filter on group search by name https://review.openstack.org/194733	18:32
*** mylu has quit IRC		18:35
samueldmq	ayoung: just updated the spec (https://review.openstack.org/196753)	18:36
samueldmq	ayoung: I called it 'Dynamic Policy' vs 'Stock Policy' as you suggested	18:36
samueldmq	ayoung: we can change the naming if someone comes with a better suggestion :)	18:37
samueldmq	ayoung: that was a quick +1, thanks !	18:40
ayoung	samueldmq, looks good. I added the oslo.policy core group to the spec...lets see the storm that kicks up	18:40
samueldmq	ayoung: yeah, I was about to ask how a thousand people were added to that	18:40
samueldmq	ayoung: I got scared when I did F5	18:41
ayoung	you can add people or groups to a review. I added oso-policy-core	18:41
samueldmq	:)	18:41
openstackgerrit	Brant Knudson proposed openstack/keystone: Remove unused setUp for RevokeTests https://review.openstack.org/179259	18:41
samueldmq	ayoung: I didn't know about adding groups, thanks	18:41
*** afazekas_ has joined #openstack-keystone		18:41
*** mylu has joined #openstack-keystone		18:42
*** stevemar has quit IRC		18:43
*** stevemar has joined #openstack-keystone		18:44
david8hu	samueldmq, ayoung, I think we can simplify policy enforcement https://review.openstack.org/#/c/133480 a bit. Once we have the policy overlay, services will not need to call keysteon middleware for policy enforcement. It will be more of keeping oslo policy updated with the latest customize policy.	18:44
*** jsavak has quit IRC		18:46
*** jsavak has joined #openstack-keystone		18:46
*** RichardRaseley has quit IRC		18:49
samueldmq	david8hu: that spec is not for services calling middleware at all	18:50
openstackgerrit	Brant Knudson proposed openstack/keystone: Enable bandit check for password_config_option_not_marked_secret https://review.openstack.org/194420	18:50
openstackgerrit	Brant Knudson proposed openstack/keystone: Bandit config updates https://review.openstack.org/194417	18:50
samueldmq	david8hu: the idea is that we could do a part of rule enforcement in the middleware, before the request goes to the service	18:50
samueldmq	david8hu: that part would be the role check	18:50
david8hu	Did I use the wrong url?	18:50
*** markvoelker_ has joined #openstack-keystone		18:51
samueldmq	david8hu: we don't have the association between url/policy call outside the service	18:51
samueldmq	david8hu: we would need to expose that somehow	18:51
david8hu	samueldmq, c&p, 1. Nova makes call to enforce policy. API is identical to the66	18:51
david8hu	oslo.policy API, but will be implemented by middleware.	18:51
samueldmq	david8hu: like enforcing policy based on the called /url	18:51
samueldmq	david8hu: that is out-of-date, and is not scoped to L	18:51
*** markvoelker has quit IRC		18:52
david8hu	samueldmq, Good to know since it is out-dated.	18:52
samueldmq	david8hu: https://wiki.openstack.org/wiki/DynamicPolicies#Tasks_targetted_for_Liberty	18:52
samueldmq	david8hu: those 3 tasks require 3 specs, oslo.policy one above, fetch and cache in middleware + policy by URL	18:53
samueldmq	david8hu: I will be updating the 2 others until tomorrow, and the wiki as well	18:54
openstackgerrit	Rodrigo Duarte proposed openstack/keystone: Add is_domain field in Project Table https://review.openstack.org/157427	18:54
openstackgerrit	Rodrigo Duarte proposed openstack/keystone: Bye Bye Domain Table https://review.openstack.org/161854	18:54
openstackgerrit	Rodrigo Duarte proposed openstack/keystone: Honor domain operations in project table https://review.openstack.org/143763	18:54
openstackgerrit	Rodrigo Duarte proposed openstack/keystone: Remove domain table references https://review.openstack.org/165936	18:54
openstackgerrit	Rodrigo Duarte proposed openstack/keystone: Change project name constraint https://review.openstack.org/158372	18:54
samueldmq	david8hu: before sending the FFE request on dynamic policies to the ML	18:54
*** Rockyg has joined #openstack-keystone		18:55
david8hu	samueldmq, do you have "fetch and cache in middleware" already?	18:55
david8hu	samueldmq, I mean the draft of the spec itself	18:55
samueldmq	david8hu: yes, just need to update, to reflect a first solution for cache strategy I was discussing with morgan and adam last week	18:56
samueldmq	david8hu: to solve the issue where multiple nova processes may be running behind a HAProxy, for example	18:56
david8hu	samueldmq, I can help review and comment :)	18:56
*** markvoelker_ has quit IRC		18:57
samueldmq	david8hu: sure, I will be posting updates today/tomorrow (https://review.openstack.org/#/c/134655/)	18:57
samueldmq	david8hu: and https://review.openstack.org/#/c/192422/	18:57
*** markvoelker has joined #openstack-keystone		18:57
david8hu	samueldmq, sounds good. thx	18:57
samueldmq	david8hu: feel free to review the oslo.policy one I jsut submitted (https://review.openstack.org/#/c/196753/)	18:58
samueldmq	david8hu: no, thank you for reviewing that work :)	18:58
david8hu	samueldmq, just trying to tied everything together in my brain too see if anything make sense :)	18:59
samueldmq	david8hu: :)	19:00
*** hogepodge has quit IRC		19:02
*** hogepodge has joined #openstack-keystone		19:03
*** blewis` has quit IRC		19:04
*** dramakri has joined #openstack-keystone		19:10
*** boris-42 has quit IRC		19:12
*** afazekas_ has quit IRC		19:15
*** dguerri` is now known as dguerri		19:18
*** tqtran has quit IRC		19:19
*** dguerri is now known as dguerri`		19:20
*** HT_sergio has quit IRC		19:23
*** piyanai has quit IRC		19:25
*** piyanai has joined #openstack-keystone		19:26
*** piyanai has quit IRC		19:26
*** albertom has joined #openstack-keystone		19:34
*** ankita_wagh has quit IRC		19:34
*** jasondotstar has quit IRC		19:36
*** mylu has quit IRC		19:40
*** mylu has joined #openstack-keystone		19:40
samueldmq	ayoung: what would be the relationship between associating a policy to an URL and endpoint groups	19:40
samueldmq	ayoung: URL would be representing the same as an endpoint group containing the URL filter	19:40
openstackgerrit	Rodrigo Duarte proposed openstack/keystone-specs: API changes for Reseller https://review.openstack.org/153007	19:40
ayoung	samueldmq, so, all endpoints in a group that share an URL should get that same policy...goal is to make the URL == the endpoint	19:41
samueldmq	ayoung: I want to make sure we go to something consistent in that aspect as well	19:41
*** arunkant_ has joined #openstack-keystone		19:41
samueldmq	ayoung: sure, however I wonder if we could make that consistent with the existing APIs for endpoint groups	19:42
samueldmq	ayoung: that can be used in the endpoint filter extension	19:42
ayoung	samueldmq, we'll do the best we can.	19:42
samueldmq	ayoung: or if the endpoint filter extension could be simplified to URLs	19:42
*** arunkant_ has quit IRC		19:42
samueldmq	ayoung: of course, that's part of this plan :)	19:43
ayoung	if setting by ID is ambiguous, those endpoints that share an endpoint URL are all updatred	19:43
*** arunkant_ has joined #openstack-keystone		19:43
*** piyanai has joined #openstack-keystone		19:44
*** arunkant_ has quit IRC		19:44
*** arunkant has quit IRC		19:44
*** arunkant has joined #openstack-keystone		19:45
freerunner	@morganfainberg: Heya! Are u here? ;)	19:46
*** slberger1 has joined #openstack-keystone		19:47
*** dguerri` is now known as dguerri		19:47
*** jasondotstar has joined #openstack-keystone		19:48
openstackgerrit	Merged openstack/python-keystoneclient: Update README.rst and remove ancient reference https://review.openstack.org/178759	19:50
*** pnavarro has joined #openstack-keystone		19:51
morganfainberg	freerunner: at lunch but here-ish	19:52
morganfainberg	...	19:52
morganfainberg	freerunner: here ish but at lunch	19:52
*** nonameentername has left #openstack-keystone		19:53
*** nonameentername has joined #openstack-keystone		19:53
openstackgerrit	Brant Knudson proposed openstack/keystone: Enable bandit check for password_config_option_not_marked_secret https://review.openstack.org/194420	19:54
openstackgerrit	Brant Knudson proposed openstack/keystone: Bandit config updates https://review.openstack.org/194417	19:54
freerunner	morganfainberg: Bon Appetit =) Can u, please, review this? https://review.openstack.org/#/c/173833/ . This is really needs..	19:55
*** jaosorior has quit IRC		19:56
*** pnavarro has quit IRC		19:56
morganfainberg	Ah that one is unblocked now? Sure.	19:56
*** stevemar has quit IRC		19:56
morganfainberg	+A	19:56
openstackgerrit	guang-yee proposed openstack/keystonemiddleware: Enforce endpoint constraint https://review.openstack.org/177661	19:57
*** stevemar has joined #openstack-keystone		19:57
*** jsavak has quit IRC		19:57
*** jsavak has joined #openstack-keystone		19:58
*** jsavak has quit IRC		19:58
samueldmq	what is the relationship between services and regions ?	19:58
*** jsavak has joined #openstack-keystone		19:59
freerunner	morganfainberg: Thank you, very much. And the last question. Looks like we have the same situation like in s/juno branch. Can u release the latest code for python-keystoneclient for stable/kilo? There is a problem with oslo.i18n, but this problem is going to be fixed by your +A.	19:59
samueldmq	I see endpoint have region_id and service_id, but I don't see any direct relation between service and region	19:59
samueldmq	regions -> services -> endpoints ?	20:00
morganfainberg	freerunner: I cannot. You'll need to ask dhellman or a release manager.	20:00
samueldmq	or services -> regions -> endpoints ?	20:00
morganfainberg	freerunner: I'll circle up with them later today / tomorrow.	20:00
*** jaosorior has joined #openstack-keystone		20:00
freerunner	morganfainberg: Whew. Thank you one more time ;) I think I can ask him tomorrow.	20:01
*** ankita_wagh has joined #openstack-keystone		20:03
bknudson	looks like keystone unit tests are busted again with the release of oslo.utils -- some function we're using is deprecated.	20:05
dims	bknudson: which one this time?	20:05
bknudson	oslo_utils.timeutils.strtime()	20:05
dims	bknudson: straightforward replacement?	20:07
bknudson	it was isotime last time.	20:07
bknudson	I'll look at using the alternative mentioned	20:07
bknudson	Using function/method 'oslo_utils.timeutils.strtime()' is deprecated in version '1.6' and will be removed in a future version: use either datetime.datetime.isoformat() or datetime.datetime.strftime() instead	20:07
*** jasondotstar has quit IRC		20:08
*** stevemar has quit IRC		20:08
*** RichardRaseley has joined #openstack-keystone		20:09
*** RichardRaseley has quit IRC		20:11
*** RichardRaseley has joined #openstack-keystone		20:11
*** stevemar has joined #openstack-keystone		20:15
* morganfainberg points out that minor releases should probably not remove interfaces.		20:16
morganfainberg	I'd say that is a 2.x thing... But that is my opinion.	20:16
bknudson	morganfainberg: it's not removed, it's deprecated	20:17
bknudson	so we've got time to stop using it.	20:17
morganfainberg	bknudson: it says removal in 1.6?	20:17
morganfainberg	Oh	20:17
morganfainberg	Misread	20:17
bknudson	deprecated in 1.6, removal in ?	20:17
*** solomondg has quit IRC		20:19
*** slberger has quit IRC		20:22
openstackgerrit	Brant Knudson proposed openstack/keystone: Switch from deprecated oslo_utils.timeutils.strtime https://review.openstack.org/196842	20:23
bknudson	not much to the fix	20:24
*** dontalton has quit IRC		20:26
*** jsavak has quit IRC		20:26
openstackgerrit	Brant Knudson proposed openstack/keystone: Switch from deprecated oslo_utils.timeutils.strtime https://review.openstack.org/196842	20:27
openstackgerrit	OpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements https://review.openstack.org/196485	20:28
openstackgerrit	Lance Bragstad proposed openstack/keystone: Consolidate the fernet token provider. https://review.openstack.org/196774	20:30
*** jsavak has joined #openstack-keystone		20:30
*** boris-42 has joined #openstack-keystone		20:31
openstackgerrit	Lance Bragstad proposed openstack/keystone: Consolidate the fernet token provider. https://review.openstack.org/196774	20:31
openstackgerrit	Alberto Murillo proposed openstack/keystone: disable admin_token by default https://review.openstack.org/185464	20:32
*** blewis has joined #openstack-keystone		20:35
openstackgerrit	Merged openstack/oslo.policy: Add six and oslo.utils to requirements https://review.openstack.org/195846	20:36
*** blewis` has joined #openstack-keystone		20:37
*** thedodd has quit IRC		20:38
*** blewis has quit IRC		20:41
*** browne has quit IRC		20:41
*** edmondsw has quit IRC		20:43
*** marzif_ has joined #openstack-keystone		20:43
openstackgerrit	Brant Knudson proposed openstack/python-keystoneclient: Unit tests catch deprecated function usage https://review.openstack.org/189145	20:48
openstackgerrit	Brant Knudson proposed openstack/python-keystoneclient: Switch from deprecated isotime https://review.openstack.org/189147	20:48
openstackgerrit	Brant Knudson proposed openstack/python-keystoneclient: Switch from deprecated oslo_utils.timeutils.strtime https://review.openstack.org/196853	20:48
*** arunkant_ has joined #openstack-keystone		20:49
*** stevemar has quit IRC		20:49
*** arunkant_ has quit IRC		20:50
mordred	morganfainberg: (or other people) - should lissting a domain be a thing I should expect to be able to do?	20:50
mordred	even as an end user?	20:50
bknudson	mordred: listing users in a domain?	20:50
*** stevemar has joined #openstack-keystone		20:50
mordred	nope. listing domains	20:51
mordred	so - let me step back 1 sec	20:51
*** arunkant_ has joined #openstack-keystone		20:51
mordred	I have some things in keystone which take {'domain': $somethign}	20:51
*** arunkant_ has quit IRC		20:51
bknudson	I think that would give away info that deployments would want to keep secret in the general case.	20:51
mordred	as one of the arguments	20:51
bknudson	although other deployments would be fine with it	20:51
mordred	bknudson: any chance you know off the top of your head if that wants a domain id or a domain name - or if maybe it takes both?	20:52
*** arunkant_ has joined #openstack-keystone		20:52
mordred	and if it takes an id, and I have a name, any chance there is a way to get the id?	20:52
bknudson	like the token auth request?	20:52
*** arunkant_ has quit IRC		20:52
bknudson	auth request takes either id or name.	20:52
mordred	well, for instance, create_project takes a domain argumetn	20:52
*** arunkant has quit IRC		20:52
mordred	or, projects.create() to use your api	20:53
bknudson	those are all by id	20:53
mordred	k	20:53
mordred	so - should I just expect that a user will somehow know their domain id?	20:53
bknudson	as far as I know	20:53
bknudson	the client APIs typically take an object for those parameters	20:53
mordred	meh. object doesn't help me - I'm trying to figure out what information I can reasonably expect an end user to know	20:54
mordred	and what information I can figure out for them	20:54
bknudson	to get a token the user needed to provide their domain name... not sure how they would know their id	20:54
mordred	but I have no clouds with keystone v3 - so I have to ask obtuse questions :)	20:54
mordred	bknudson: I was _hoping_ that list_domains would work and would only show domains that the token the user has is scoped to see	20:54
bknudson	there might be an API for that	20:55
bknudson	mordred: http://specs.openstack.org/openstack/keystone-specs/api/v3/identity-api-v3.html#get-available-domain-scopes	20:55
bknudson	/v3/auth/domains	20:55
*** stevemar has quit IRC		20:55
bknudson	there's also v3/auth/projects that one can use to get the projects they have auth to	20:56
bknudson	which has the domain of the project	20:56
mordred	fascinating	20:56
mordred	ok	20:56
mordred	any chance that's exposed in ksc?	20:56
* mordred goes to look		20:56
*** marzif_ has quit IRC		20:58
mordred	bknudson: best I can tell that is not exposed in keystoneclietn	21:01
bknudson	mordred: I don't remember it's ever being added.	21:02
mordred	bknudson: however, thank you for showing it to me - it's the thing I've always wanted	21:02
mordred	bknudson: like, basically, _every_ operation I do on projects or domains from my POV only ever wants lists of them that are related to the scope of the current token	21:02
bknudson	y, and as I said I don't think a deployment would want to expose the list of all domains.	21:03
*** jsavak has quit IRC		21:03
*** jsavak has joined #openstack-keystone		21:03
mordred	yah	21:04
mordred	but - a user saying "what is my domain" or "what domains am I allowed to see" - seems TOTALLY sane	21:04
mordred	bknudson: I'm not 100% how exposing those scoped things in ksc might look ... should I make a keystoneclient/v3/auth.py with an Auth manager that has domains() and projects() methods?	21:05
bknudson	mordred: I like it	21:05
mordred	kk	21:05
bknudson	although maybe jamielennox would say to put it on the session?	21:05
openstackgerrit	Brant Knudson proposed openstack/keystonemiddleware: Switch from deprecated oslo_utils.timeutils.strtime https://review.openstack.org/196862	21:06
*** Rockyg has quit IRC		21:09
mordred	bknudson: so - we had a conversation a little while ago with him and ayoung about just pulling the domain off of the session	21:11
mordred	but the suggestion then was that not making the user pass one in would be to much magic and could lead to mistakenly doing things to the wrong domain	21:12
mordred	which I can buy	21:12
*** gordc is now known as gordc_		21:17
*** gordc_ is now known as gordc_afk		21:17
bknudson	mordred: I like having low-level apis, so putting providing the function on keystoneclient makes sense to me.	21:22
*** r-daneel has quit IRC		21:23
ayoung	mordred, so, list domains and list projects should totally be things a user can do with an unscoped token. jamielennox and I have even discussed whether those things should be returned in the unsoped token response	21:24
bknudson	i think these apis were designed for use with unscoped tokens (for federation)	21:24
ayoung	and the domains are the "list of domains for which a user explicitly has a role assignment"	21:24
*** tqtran_ has joined #openstack-keystone		21:24
*** browne has joined #openstack-keystone		21:25
*** packet has quit IRC		21:26
*** piyanai has quit IRC		21:27
*** mylu has quit IRC		21:30
*** mylu has joined #openstack-keystone		21:31
*** topol has quit IRC		21:31
*** jsavak has quit IRC		21:35
*** mylu has quit IRC		21:35
*** jsavak has joined #openstack-keystone		21:35
openstackgerrit	Lance Bragstad proposed openstack/keystone: Consolidate the fernet token provider. https://review.openstack.org/196877	21:41
gyee	bknudson, did have fix this sometime ago? DeprecationWarning: Using function/method 'oslo_utils.timeutils.strtime()' is deprecated in version '1.6' and will be removed in a future version: use either datetime.datetime.isoformat() or datetime.datetime.strftime() instead	21:41
gyee	looks like its coming back for some reason	21:42
*** crc32 has quit IRC		21:42
bknudson	gyee: it's a different api. it was isotime last time.	21:42
bknudson	gyee: see https://review.openstack.org/#/c/196842/	21:43
gyee	oh my	21:43
bknudson	gyee: it was isoformat() last release of oslo.utils, now it's strtime.	21:44
gyee	bknudson, lets get that patch merge fast	21:45
gyee	the gates are not happy right now	21:45
bknudson	here's for keystonemiddleware: https://review.openstack.org/#/c/196862/	21:46
gyee	bknudson, thank you for saving humanity!	21:46
openstackgerrit	Lance Bragstad proposed openstack/keystone: Consolidate the fernet provider validate_v3_token() https://review.openstack.org/196877	21:50
openstackgerrit	Lance Bragstad proposed openstack/keystone: Consolidate the fernet provider issue_v3_token() https://review.openstack.org/196774	21:50
SpamapS	jamielennox: around? I'm a bit stumped on how to use the auth_plugin option in nova.conf .. I seem to recall you being an auth plugin expert	21:51
kfox1111_away	SpamapS: I tried to lay out the problems in the newest review. Does it explain the situation better?	21:52
*** kfox1111_away is now known as kfox1111		21:52
lbragstad	morganfainberg: took a couple stabs at consolidating the fernet provider if you want to put eyes on it https://review.openstack.org/#/q/status:open+project:openstack/keystone+branch:master+topic:consolidate-fernet-provider,n,z	21:52
SpamapS	kfox1111: there's a newest review?	21:53
kfox1111	yeah.	21:53
kfox1111	submitted it sunday.	21:53
SpamapS	kfox1111: I'm looking at the sample nova conf in kilo.. and it says not using auth_plugin is deprecated.. but the docs give no indiciation of _how_ one should use auth_plugin.	21:53
kfox1111	oh. the stuff in the spec would be totally differnt then that.	21:54
kfox1111	it would be "instance user auth plugins"	21:54
SpamapS	kfox1111: I'm not talking about that. :)	21:54
kfox1111	oh.	21:54
SpamapS	kfox1111: sorry, you confused me entireyl. :)	21:54
kfox1111	mixing two conversations... instance users review here: https://review.openstack.org/#/c/186617	21:55
openstackgerrit	Theodore Ilie proposed openstack/keystone: Add test case for deleting endpoint with space in url https://review.openstack.org/196883	21:55
kfox1111	SpamapS: I'm not seeing an auth_plugin reference on any of my clouds either. guessing its defaulted to the right values these days?	21:56
*** diazjf has left #openstack-keystone		21:56
SpamapS	kfox1111: I think it comes from keystonemiddleware, which is why it isn't in nova's docs	21:58
bknudson	https://review.openstack.org/#/c/196842/ passed jenkins (fixes py27 tests with latest oslo.utils)	21:59
kfox1111	hmm.. but keystonemiddleware is the auth_plugin I thought.	22:00
gyee	keystonemiddleware uses auth plugins	22:03
kfox1111	oh, really? is for different token types maybe?	22:03
gyee	kfox1111, they are corresponding to --os-auth-type in common CLI	22:04
samueldmq	bknudson: ayoung what if : asking a project scoped token without specifying the project, get the default project for that user	22:05
samueldmq	bknudson: ayoung asking a domain scoped token without specifying the domain, assume the user's domain	22:05
samueldmq	bknudson: ayoung do those defaults make sense to you?	22:06
ayoung	samueldmq, list-projects-for-user works that way	22:06
ayoung	so...yes?	22:06
samueldmq	ayoung: didn't get it, I am talking about token scoping in the token request	22:07
gyee	samueldmq, can't, not every have a role on the domain	22:07
samueldmq	ayoung: list-projects-for-user is about listing the projects a user has access, before asking for a token right?	22:07
*** slberger1 has left #openstack-keystone		22:07
*** chrisshattuck has quit IRC		22:08
samueldmq	gyee: sure, but it would assume that as default, and fail if there is no role on the domain	22:08
samueldmq	gyee: as it would do if you specified the domain explicitly	22:08
gyee	samueldmq, right now the only domain role is the domain admin role	22:08
gyee	so it will fail for most users	22:09
*** piyanai has joined #openstack-keystone		22:09
samueldmq	gyee: so most of users can't get a domain scoped token anyway	22:09
gyee	correct	22:09
*** chrisshattuck has joined #openstack-keystone		22:09
bknudson	gyee: did you add some code to make it so that a user without a role on their default project gets unscoped token?	22:09
samueldmq	gyee: I just want to have a default, if one does not specify it	22:09
*** Rockyg has joined #openstack-keystone		22:09
gyee	bknudson, yes	22:09
samueldmq	gyee: that's all, just a good default, that makes a lot of sense for small/medium ? deployments	22:10
gyee	samueldmq, well, we decided on "explicit scoping" long time ago :)	22:10
gyee	its coming back full circle	22:11
gyee	same reason we gotten rid of "global roles"	22:11
gyee	problem is do we want default project scope or default doman scope?	22:12
*** Rockyg has quit IRC		22:12
gyee	s/doman/domain/	22:12
*** Rockyg has joined #openstack-keystone		22:13
gyee	unless we intend to support something like "user profile"	22:13
*** ayoung has quit IRC		22:14
samueldmq	gyee: yes need to mull it a bit more, and see if we have need of that	22:16
samueldmq	gyee: got it on the explicit scoping	22:16
gyee	security folks like explicit unambiguous scope	22:17
gyee	UX people, not so much :)	22:17
*** bknudson has quit IRC		22:20
openstackgerrit	Victor Morales proposed openstack/keystone: Integrate OSprofiler in Keystone https://review.openstack.org/103368	22:23
samueldmq	gyee: yes I was looking from an UX pov	22:24
*** zzzeek has quit IRC		22:26
*** slberger1 has joined #openstack-keystone		22:29
morganfainberg	User profile shouldn't be in keystone.	22:29
*** slberger1 has left #openstack-keystone		22:30
*** slberger1 has joined #openstack-keystone		22:30
*** slberger1 has left #openstack-keystone		22:30
gyee	morganfainberg, isn't "default project" sorta like user profile?	22:33
*** jaosorior has quit IRC		22:36
miguelgrinberg	anybody with knowledge of shibboleth federation that can answer a couple of questions?	22:38
*** piyanai has quit IRC		22:39
morganfainberg	dstanek: ping	22:42
morganfainberg	dstanek: need some help chasing down a weird bug	22:42
morganfainberg	in testing	22:42
morganfainberg	gyee: "default project" should die a horrible death	22:43
albertom	does someone knows if there is a fix in progress for	22:46
albertom	DeprecationWarning: Using function/method 'oslo_utils.timeutils.strtime()' is deprecated in version '1.6' and will be removed in a future version: use either datetime.datetime.isoformat() or datetime.datetime.strftime() instead	22:46
albertom	?	22:46
albertom	./run_tests.sh is passing but tox fails	22:47
jamielennox	mordred: like https://review.openstack.org/#/c/168792/ ?	22:47
jamielennox	i actually thought that had merged it was a while back	22:47
jamielennox	gyee: picking on you, can you have a look at https://review.openstack.org/#/c/180816/14	22:48
gyee	jamielennox, yes sir	22:51
dstanek	morganfainberg: pong	22:51
gyee	morganfainberg, sure, not disagreeing if we want to keep it consistent with default projects :)	22:52
morganfainberg	dstanek: so running into this issue	22:52
morganfainberg	dstanek: http://paste.openstack.org/show/326200/	22:52
morganfainberg	dstanek: on a clean master (with oslo_utils <= 1.5 for the strftime deprecation issue)	22:53
gyee	albertom, https://review.openstack.org/#/c/196842/	22:53
morganfainberg	dstanek: if you run tox -epy27 test_auth	22:53
gyee	morganfainberg, can you A+ this? https://review.openstack.org/#/c/196842/	22:53
gyee	its holding up the gates	22:53
morganfainberg	dstanek: or anything that isolates a test with a pattern	22:53
morganfainberg	dstanek: it's baffling me how we're getting "policy.json" vs the full path	22:54
dstanek	morganfainberg: so this only happens when you specify the test regex?	22:54
morganfainberg	dstanek: this is making running tox -epy27 -- --failing for example	22:54
morganfainberg	breaking	22:54
morganfainberg	dstanek: anything that doesn't do the "full" run of tests afaict, for a number of tests	22:54
morganfainberg	meaning we're clearly not overriding the oslo_config/policy_file option	22:54
morganfainberg	but i thought that was on the base test-class	22:55
morganfainberg	dstanek: so some state is being set somewhere that "fixes" these tests	22:55
albertom	u thanks	22:55
*** dims_ has joined #openstack-keystone		22:55
dstanek	morganfainberg: ok, i'll try to reproduce now	22:56
morganfainberg	dstanek: i did clean checkout, install venv for tox	22:56
morganfainberg	and then downgraded oslo_utils to 1.5	22:57
morganfainberg	just because ^^ that patch that gyee was asking for +A hadn't landed	22:57
morganfainberg	dstanek: then ran tox -epy27 test_auth	22:57
morganfainberg	and boom lots of failures	22:57
gyee	jamielennox, nice, so that class will be shared by both keystonemiddleware and keystone?	22:57
dstanek	morganfainberg: that's odd...i just downgraded and didn't get any errors	22:58
morganfainberg	dstanek: the oslo_utils downgrade is just so the deprecation warnings don't cause explosion	22:58
gyee	if you downgrade you shouldn't get that warning	22:58
jamielennox	gyee: yep, there's a few more in that chain to make it more usable	22:58
morganfainberg	the oslo_policy unable to load policy.json is really worrying me	22:59
jamielennox	gyee: i'm just trying to get things actually merged after bknudson and i have gone through it all	22:59
*** dims has quit IRC		22:59
morganfainberg	dstanek: if i run tox -epy27	22:59
morganfainberg	and the entire test suite, it all works fine	22:59
dstanek	morganfainberg: very strange indeed	22:59
dstanek	morganfainberg: i don't have that issue - my current olso versions - http://paste.openstack.org/show/326202/	23:00
*** dims_ has quit IRC		23:00
dstanek	the policy.json should be set in keystone.tests.unit.core using the ETCDIR variable - and that's relative to the core.py so i shouldn't be wrong	23:01
dstanek	let me rebuild the venv and try again	23:01
dstanek	morganfainberg: you're on the top of master?	23:01
morganfainberg	dstanek: yes	23:02
morganfainberg	clean checkout	23:02
morganfainberg	here is the tox venv	23:02
morganfainberg	pip freese \| grep oslo	23:02
morganfainberg	http://paste.openstack.org/show/326212/	23:02
morganfainberg	you have an older venv	23:02
morganfainberg	this was just built	23:02
*** jecarey has quit IRC		23:02
morganfainberg	looks like some oslo versions have moved forwrd	23:03
*** zzzeek has joined #openstack-keystone		23:03
morganfainberg	and broken something	23:03
* morganfainberg sighs		23:03
morganfainberg	or other dependencies	23:03
samueldmq	list-projects-for-userlist-projects-for-user	23:04
gyee	morganfainberg, I think I know what your problem is	23:04
morganfainberg	gyee: ?	23:04
samueldmq	I am messing up again with weechat + tmux + remote connection :(	23:04
gyee	I ran into the exact problem when testing endpoint constraint stuff	23:04
dstanek	morganfainberg: hmmm...looks like lots of oslo releases today	23:05
gyee	morganfainberg, see https://review.openstack.org/#/c/177661/18/keystonemiddleware/tests/unit/auth_token/test_global_target_enforcer.py	23:05
gyee	line 36	23:05
gyee	you need to initialize the CONF path first	23:05
gyee	it depends on CONF for policy dir discovery	23:06
morganfainberg	gyee: maybe... but that means our test suite is broken	23:06
samueldmq	morganfainberg: not sure if this can help anyhow ... but when handling policy file in my fetch & cache patch	23:06
morganfainberg	gyee: we're not initializing it properly insome cases but we are in others	23:06
samueldmq	morganfainberg: after writting to it, oslo.policy couldn't read it anymore	23:06
gyee	morganfainberg, possibly	23:06
morganfainberg	gyee: since not everything fails that way	23:06
morganfainberg	gyee: and it only fails when i run tests in isolation	23:07
morganfainberg	gyee: e.g. "run that specific test"	23:07
*** jsavak has quit IRC		23:07
morganfainberg	it is definitely a mroe recent occurance	23:07
*** jsavak has joined #openstack-keystone		23:07
gyee	k, could be different than	23:07
dstanek	morganfainberg: this is strange. i don't get a failure at all	23:07
morganfainberg	dstanek: might be a new oslo lib that is doing something different.	23:08
morganfainberg	i could try and downgrade to the same ones you have	23:08
dstanek	morganfainberg: i'll try a clean checkout	23:08
morganfainberg	dstanek: sounds good.	23:08
dstanek	morganfainberg: i just rebuilt so i have the same versions as you	23:08
morganfainberg	dstanek: hm and you're running "tox -epy27 test_auth" or similar	23:08
morganfainberg	?	23:08
dstanek	yep, "tox -epy27 -- test_auth"	23:10
*** pgbridge has joined #openstack-keystone		23:10
morganfainberg	no --	23:10
dstanek	you think that could be the issue?	23:11
morganfainberg	trying it	23:11
morganfainberg	nope	23:11
morganfainberg	still horked for me	23:11
morganfainberg	i don't know how this can be breaking like this	23:11
morganfainberg	it just doesn't make sense	23:11
morganfainberg	what version of tox, do you have?	23:12
morganfainberg	2.0.1 imported from /usr/local/lib/python2.7/dist-packages/tox/__init__.pyc	23:12
morganfainberg	for me	23:12
dstanek	1.9.2 imported from /usr/local/lib/python2.7/dist-packages/tox/__init__.pyc	23:12
morganfainberg	and which version of python? 2.7.9 here	23:13
*** markvoelker has quit IRC		23:13
*** spandhe has joined #openstack-keystone		23:13
dstanek	2.7.5	23:14
morganfainberg	i wonder if something changed in one of those two things	23:14
morganfainberg	:(	23:14
dstanek	just upgraded tox and trying again	23:14
*** dguerri is now known as dguerri`		23:17
dstanek	morganfainberg: can you check and see what is being set a the policy file in you base test class?	23:17
morganfainberg	dirs.etc('polcy.json')	23:17
dstanek	what does that evaluate to?	23:17
morganfainberg	which in this case ends up being /home/mdrnstm/openstack/keystone/etc/policy.json	23:18
morganfainberg	at least when one of the tests is failing	23:18
morganfainberg	or at least that is oslo_config/policy_file	23:18
dstanek	that makes no sense :-(	23:18
dstanek	are you using fixtures==1.3.0?	23:19
morganfainberg	well let me try with python 2.7.5	23:19
morganfainberg	fixtures==1.2.0	23:20
morganfainberg	which is what is automatically installed for me	23:20
morganfainberg	by tox	23:20
dstanek	i can try on a newer vm	23:21
morganfainberg	nad my other one i got 1.3.0	23:21
morganfainberg	same issue	23:21
morganfainberg	newer venv	23:21
morganfainberg	ok i'm installing a 14.04 VM now	23:21
morganfainberg	give me a moment	23:21
morganfainberg	s/vm/container	23:21
morganfainberg	seeing if it's a 15.04 thing	23:22
morganfainberg	whihc would make no sense	23:22
morganfainberg	but...	23:22
dstanek	i was on 12.04...building a 14.04 now	23:24
morganfainberg	dstanek: trying on 14.04 now	23:24
*** edmondsw has joined #openstack-keystone		23:24
morganfainberg	building venv	23:24
morganfainberg	had a docker file almost ready to go	23:24
*** jasondotstar has joined #openstack-keystone		23:31
morganfainberg	dstanek: seeing it on 14.04 (in a docker container)	23:31
morganfainberg	fresh build, apt-get update / etc	23:31
morganfainberg	dstanek: i can try a 12.04 if that helps	23:32
*** boris-42 has quit IRC		23:32
dstanek	maybe...it's building the 14.04 venv now	23:35
openstackgerrit	Merged openstack/keystone: Switch from deprecated oslo_utils.timeutils.strtime https://review.openstack.org/196842	23:41
morganfainberg	dstanek: trying 12.04 now	23:43
morganfainberg	dstanek: i'm getting the same issue on 12.04	23:47
dstanek	morganfainberg: i can reproduce it on 14.04!	23:49
morganfainberg	dstanek: cool. now lets figure out how to resolve it :)	23:49
*** markvoelker has joined #openstack-keystone		23:51
*** edmondsw has quit IRC		23:51
*** tqtran_ is now known as tqtran-afk		23:53
*** topol has joined #openstack-keystone		23:54
*** ChanServ sets mode: +v topol		23:54
*** RichardRaseley has quit IRC		23:55
*** zzzeek has quit IRC		23:56
dstanek	morganfainberg: so i think that keystone.policy.backends.rules creates the oslo_policy stuff at import time - so by the time we use the fixture it's already too late	23:59

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!