Tuesday, 2015-08-04

[00:11] *** darrenc_afk is now known as darrenc
[00:26] *** chlong has joined #openstack-keystone
[00:38] *** geoffarnold has quit IRC
[00:45] <openstackgerrit> OpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements  https://review.openstack.org/208698
[00:45] <openstackgerrit> OpenStack Proposal Bot proposed openstack/keystoneauth: Updated from global requirements  https://review.openstack.org/208699
[00:45] <openstackgerrit> OpenStack Proposal Bot proposed openstack/keystoneauth-saml2: Updated from global requirements  https://review.openstack.org/208700
[00:45] <openstackgerrit> OpenStack Proposal Bot proposed openstack/keystonemiddleware: Updated from global requirements  https://review.openstack.org/197254
[00:45] *** edmondsw has quit IRC
[00:48] <openstackgerrit> OpenStack Proposal Bot proposed openstack/oslo.policy: Updated from global requirements  https://review.openstack.org/208719
[00:48] <openstackgerrit> OpenStack Proposal Bot proposed openstack/pycadf: Updated from global requirements  https://review.openstack.org/208726
[00:48] <openstackgerrit> OpenStack Proposal Bot proposed openstack/python-keystoneclient: Updated from global requirements  https://review.openstack.org/208730
[00:48] <openstackgerrit> OpenStack Proposal Bot proposed openstack/python-keystoneclient-kerberos: Updated from global requirements  https://review.openstack.org/192319
[00:50] <openstackgerrit> Merged openstack/keystone: Add better user feedback when bind is not implemented  https://review.openstack.org/203788
[00:53] <openstackgerrit> OpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements  https://review.openstack.org/208698
[00:55] *** topol has joined #openstack-keystone
[00:55] *** ChanServ sets mode: +v topol
[01:00] *** topol has quit IRC
[01:01] *** fangzhou_ has joined #openstack-keystone
[01:02] *** fangzhou has quit IRC
[01:02] *** fangzhou_ is now known as fangzhou
[01:05] <dstanek> anyone around for a sanity check?
[01:08] <openstackgerrit> OpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file  https://review.openstack.org/208652
[01:11] *** jiaxi_ has joined #openstack-keystone
[01:12] *** browne has quit IRC
[01:14] *** tqtran has quit IRC
[01:16] <lbragstad> dstanek: I have a minute, what's up?
[01:17] <dstanek> lbragstad: on a phone, so it's hard to reason about, but i made a comment on the openstack-dev list about the fernet rotate script that was linked
[01:17] <dstanek> lbragstad: the script appears to be incorrect or at the very least confusing
[01:17] <lbragstad> dstanek: in the keystone/token/providers/fernet/utils.py module?
[01:18] <lbragstad> i'll admit, that code isn't the most straightforward
[01:18] <dstanek> lbragstad: no, not our code
[01:18] <lbragstad> not this? https://github.com/openstack/keystone/blob/master/keystone/token/providers/fernet/utils.py#L153-L226
[01:19] <dstanek> someone proposed a script to automate that...jas
[01:19] <lbragstad> good link
[01:19] <lbragstad> one of my favorites
[01:19] <lbragstad> oh, sure
[01:19] <lbragstad> from the mailing list
[01:20] <lbragstad> so that second step isn't going to work
[01:20] <lbragstad> because it will never actually send the *new* primary key to node-1
[01:21] <lbragstad> it will only ever send the new staged key, which doesn't actually encrypt anything until it's promoted to primary
[01:21] <dstanek> well they sync 0 to everything after a rotate - so that should be ok
[01:22] <dstanek> because the other two nodes will still rotate, but have the 0 key replaced by the rsync
[01:22] <lbragstad> oh, sure
[01:22] <dstanek> but since rotate happens on node-1 again it will have extra keys
[01:22] <lbragstad> yes, true
[01:23] <dstanek> eventually if the limit is hit and things pruned you might lose good keys that are on 2 and 3 right?
[01:23] *** piyanai has joined #openstack-keystone
[01:23] <dstanek> ok, that's what i thought
[01:25] *** davechen has joined #openstack-keystone
[01:25] <lbragstad> dstanek: is the second key rotation necessary?
[01:25] <dstanek> so the argument that the script *isn't* overly complex is stupid because it's wrong in a hard to debug way!
[01:25] <lbragstad> I guess it is necessary
[01:25] <dstanek> they seem to do it to get 0 -> max and to prune
[01:25] <dstanek> instead of rsync
[01:25] <lbragstad> but if you're using rsync,
[01:25] <lbragstad> just rsync the entire key repository
[01:25] <lbragstad> and perform the rotation once
[01:26] <lbragstad> instead of using "half" of it to do a promotion?
[01:26] <lbragstad> well, actually
[01:26] <lbragstad> node-1 will rotate keys once, which means that it will have a different 0 key from node-2 and node-3
[01:27] <lbragstad> ah, I get it... yeah that's confusing
[01:27] <dstanek> and broken!
[01:27] <dstanek> ok, so i'm not crazy. i thought that i was just reading it incorrectly
[01:30] *** davechen1 has joined #openstack-keystone
[01:31] <lbragstad> dstanek: so, something like this would work? http://cdn.pasteraw.com/4s9nt4h64dpm06mhkg4yb1lakl62rpx
[01:31] *** davechen has quit IRC
[01:33] <dstanek> lbragstad: yep
[01:37] *** davechen has joined #openstack-keystone
[01:37] <dstanek> hmmm....for some reason i get a bunch of test failures for test_list_group_role_assignment
[01:39] *** davechen1 has quit IRC
[01:43] *** jiaxi_ has quit IRC
[01:46] *** tobe_ has joined #openstack-keystone
[01:46] *** davechen1 has joined #openstack-keystone
[01:48] *** davechen has quit IRC
[02:01] *** davechen1 is now known as davechen
[02:03] *** piyanai has quit IRC
[02:11] *** gyee has quit IRC
[02:12] *** zzzeek has quit IRC
[02:33] *** spandhe has quit IRC
[02:41] *** browne has joined #openstack-keystone
[02:52] *** kiran-r has joined #openstack-keystone
[02:52] *** hakimo has joined #openstack-keystone
[02:54] *** tobe_ has quit IRC
[02:54] *** dims has joined #openstack-keystone
[02:55] *** hakimo_ has quit IRC
[03:10] *** lhcheng has quit IRC
[03:11] *** spandhe has joined #openstack-keystone
[03:14] *** spandhe_ has joined #openstack-keystone
[03:15] *** dims has quit IRC
[03:16] *** spandhe has quit IRC
[03:16] *** spandhe_ is now known as spandhe
[03:17] <openstackgerrit> Merged openstack/keystonemiddleware: Updated from global requirements  https://review.openstack.org/197254
[03:19] *** lhcheng has joined #openstack-keystone
[03:19] *** ChanServ sets mode: +v lhcheng
[03:20] *** btully has quit IRC
[03:20] *** lhcheng has quit IRC
[03:20] *** lhcheng has joined #openstack-keystone
[03:20] *** ChanServ sets mode: +v lhcheng
[03:28] *** fangzhou has quit IRC
[03:30] *** ayoung has quit IRC
[03:42] <openstackgerrit> Dave Chen proposed openstack/keystone: Show helpful message when request body is not provided  https://review.openstack.org/195903
[03:47] *** lhcheng has quit IRC
[03:54] *** afazekas has joined #openstack-keystone
[03:55] <openstackgerrit> Henrique Truta proposed openstack/keystone: Restrict inherited role assignments to subdomains  https://review.openstack.org/164180
[04:06] *** lhcheng has joined #openstack-keystone
[04:06] *** ChanServ sets mode: +v lhcheng
[04:09] <openstackgerrit> Merged openstack/oslo.policy: Updated from global requirements  https://review.openstack.org/208719
[04:14] *** vivekd has joined #openstack-keystone
[04:16] *** _kiran_ has joined #openstack-keystone
[04:18] *** kiran-r has quit IRC
[04:25] *** kiran-r has joined #openstack-keystone
[04:29] *** _kiran_ has quit IRC
[04:30] *** jdandrea has quit IRC
[04:32] *** richm has quit IRC
[04:48] *** kiran-r has quit IRC
[04:49] *** arunkant has quit IRC
[04:49] *** hrou has quit IRC
[04:56] *** btully has joined #openstack-keystone
[05:08] *** Nirupama has joined #openstack-keystone
[05:12] <openstackgerrit> Merged openstack/keystone: Updating sample configuration file  https://review.openstack.org/208652
[05:17] *** yottatsa has joined #openstack-keystone
[05:27] *** vivekd has quit IRC
[05:36] *** tobe_ has joined #openstack-keystone
[05:43] *** josecastroleon has joined #openstack-keystone
[05:48] *** zzzeek has joined #openstack-keystone
[05:49] <openstackgerrit> Andrey Pavlov proposed openstack/keystonemiddleware: Adding parse of protocol v4 of AWS auth to ec2_token  https://review.openstack.org/205440
[05:50] *** afazekas has quit IRC
[05:50] *** tobe_ has quit IRC
[05:51] *** vivekd has joined #openstack-keystone
[05:53] *** tobe_ has joined #openstack-keystone
[05:58] *** tobe_ has quit IRC
[05:58] *** topol has joined #openstack-keystone
[05:58] *** ChanServ sets mode: +v topol
[06:00] *** kiran-r has joined #openstack-keystone
[06:02] <openstackgerrit> Dave Chen proposed openstack/keystone: Show helpful message when request body is not provided  https://review.openstack.org/195903
[06:02] *** Guest72363 has quit IRC
[06:02] *** topol has quit IRC
[06:14] *** ParsectiX has joined #openstack-keystone
[06:17] *** spandhe_ has joined #openstack-keystone
[06:17] *** kiran-r has quit IRC
[06:18] *** spandhe has quit IRC
[06:18] *** spandhe_ is now known as spandhe
[06:18] *** fangzhou has joined #openstack-keystone
[06:23] *** fangzhou has quit IRC
[06:23] <openstackgerrit> OpenStack Proposal Bot proposed openstack/keystone: Imported Translations from Transifex  https://review.openstack.org/208823
[06:28] <breton> wow, my script is being discussed
[06:30] *** woodster_ has quit IRC
[06:31] *** belmoreira has joined #openstack-keystone
[06:56] *** josecastroleon has quit IRC
[07:00] *** josecastroleon has joined #openstack-keystone
[07:01] *** h00327910__ has joined #openstack-keystone
[07:02] *** josecastroleon has quit IRC
[07:11] *** lhcheng has quit IRC
[07:12] *** ParsectiX has quit IRC
[07:15] *** josecastroleon has joined #openstack-keystone
[07:24] *** ParsectiX has joined #openstack-keystone
[07:24] *** vivekd has quit IRC
[07:25] *** kafka_ has joined #openstack-keystone
[07:25] *** fhubik has joined #openstack-keystone
[07:25] *** fhubik is now known as fhubik_afk
[07:25] <kafka_> anybody have seen the bug https://bugs.launchpad.net/python-openstackclient/+bug/1479837 ??
[07:25] <openstack> Launchpad bug 1479837 in Keystone "improper handling non existing identity providers " [Medium,Triaged] - Assigned to kafka (guowang)
[07:26] <kafka_> need someone to join the discussion
[07:28] *** fhubik_afk is now known as fhubik
[07:30] *** spandhe has quit IRC
[07:36] *** browne has quit IRC
[07:40] *** ParsectiX has quit IRC
[07:42] *** lsmola has joined #openstack-keystone
[07:44] *** btully has quit IRC
[07:46] *** vivekd has joined #openstack-keystone
[07:47] *** chlong has quit IRC
[07:49] <openstackgerrit> javeme proposed openstack/keystone: Fix typos of RoleAssignmentV3._format_entity doc  https://review.openstack.org/208864
[07:58] *** fhubik is now known as fhubik_afk
[08:02] *** fhubik_afk is now known as fhubik
[08:08] *** jistr has joined #openstack-keystone
[08:09] *** ParsectiX has joined #openstack-keystone
[08:11] <openstackgerrit> Marek Denis proposed openstack/keystone: Fernet payloads for federated scoped tokens.  https://review.openstack.org/202176
[08:14] <yottatsa> marekd morganfainberg could you please look at https://review.openstack.org/#/c/206921/
[08:14] *** bdossant has joined #openstack-keystone
[08:17] <openstackgerrit> Marek Denis proposed openstack/keystone: Refactor: Provider._rebuild_federated_info()  https://review.openstack.org/208872
[08:17] *** tobe_ has joined #openstack-keystone
[08:18] *** aix has joined #openstack-keystone
[08:24] <openstackgerrit> Merged openstack/keystone: Cleanup use of iteritems  https://review.openstack.org/206785
[08:24] <openstackgerrit> Merged openstack/keystone: Use dict.items() rather than six.iteritems()  https://review.openstack.org/200762
[08:25] <openstackgerrit> Merged openstack/keystoneauth: Updated from global requirements  https://review.openstack.org/208699
[08:33] *** vince_ has joined #openstack-keystone
[08:35] *** hogepodge has quit IRC
[08:35] *** crinkle has quit IRC
[08:35] *** _fortis has quit IRC
[08:35] *** Kiall has quit IRC
[08:35] *** timburke has quit IRC
[08:35] *** devananda has quit IRC
[08:35] *** rmstar has quit IRC
[08:36] *** bdossant has quit IRC
[08:37] *** hogepodge has joined #openstack-keystone
[08:37] *** crinkle has joined #openstack-keystone
[08:37] *** _fortis has joined #openstack-keystone
[08:37] *** Kiall has joined #openstack-keystone
[08:37] *** timburke has joined #openstack-keystone
[08:37] *** devananda has joined #openstack-keystone
[08:37] *** rmstar has joined #openstack-keystone
[08:37] *** bdossant has joined #openstack-keystone
[08:39] <marekd> yottatsa: ok
[08:43] *** bdossant has quit IRC
[08:43] *** rm_work is now known as rm_work|away
[08:44] *** bdossant has joined #openstack-keystone
[08:44] *** e0ne has joined #openstack-keystone
[08:44] <vince_> hi guys, I have federated an openstack installation with google, so if I hit the right URI I get redirected to google accounts login to authenticate there. The point is that I would like to use the CLI instead of the browser to do e.g., "openstack container list". Is this supported?
[08:45] <marekd> vince_: yep.
[08:45] <marekd> basically stevemar (who is asleep now) did some work with regards to implementing openid connect support in keystoneclient/keystoneauth
[08:45] <marekd> vince_: let me find the code for a
[08:46] <vince_> marekd thank you!!
[08:46] <marekd> vince_ https://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/contrib/auth/v3/oidc.py#L20
[08:51] <openstackgerrit> Marek Denis proposed openstack/keystone: Add metods for checking scoped tokens  https://review.openstack.org/208885
[08:56] <marekd> yottatsa: i voted.
[08:56] <yottatsa> marekd thanks!
[08:57] *** ParsectiX has quit IRC
[08:57] *** ParsectiX has joined #openstack-keystone
[08:58] *** urulama has quit IRC
[08:58] *** urulama_ has joined #openstack-keystone
[08:59] <yottatsa> marekd, about your comment, I have no ideas about the hint, do you?
[08:59] <marekd> yottatsa: i'd probably get a little bit frustrated if i saw such a message and rather thought: "okkk, so i know something is wrong with my token, but what?"
[09:00] *** lhcheng has joined #openstack-keystone
[09:00] *** ChanServ sets mode: +v lhcheng
[09:00] <yottatsa> okay, then I'll check token for none and for text and add some more validations
[09:00] <marekd> yottatsa: so how about adding a msg like "Token format is not recognized. Expected 'text'" (or something like that)
[09:01] <marekd> it's like i know the code base, you know it and you know what the token looks like, but most of the people don't know that and don't care whether it's text, pure binary or oranges and bananas mixed in the blender.
[09:01] <kafka_> hi, guys, anybody have seen the bug https://bugs.launchpad.net/python-openstackclient/+bug/1479837 ?? need more discussion
[09:01] <openstack> Launchpad bug 1479837 in Keystone "improper handling non existing identity providers " [Medium,Triaged] - Assigned to kafka (guowang)
[09:02] *** fhubik is now known as fhubik_afk
[09:02] *** fhubik_afk is now known as fhubik
[09:02] <marekd> kafka_: your question is inappropriate
[09:02] <marekd> (in the bug)
[09:02] <marekd> and the answer is PUT was used because you basically add a new identity provider, so you PUT it to the keystone.
[09:05] *** lhcheng has quit IRC
[09:11] <vince_> marekd: the oidc plugin is not integrated yet with the client module right (e.g., in get_raw_token_from_identity_service())?
[09:12] <marekd> vince_: i posted code to the client
[09:12] <marekd> you are probably talking about cli ?
[09:13] <vince_> what I mean is that I don't see OidcPassword instantiated anywhere in the current master branch, other than the unit tests
[09:14] <marekd> keystoneclient is a library
[09:14] <marekd> so you don't call it directly from your shell
[09:14] <marekd> what you call is openstackclient
[09:14] <marekd> by typing $ openstack
[09:14] <marekd> for instance
[09:14] <kafka_> @marekd: i refer to the api docs that PUT is used for registering a new identity provider,
[09:15] <vince_> marekd: right, sorry for the confusion :)
[09:15] <marekd> kafka_: and?
[09:15] <marekd> kafka_: what's wrong and how is that related to the bug?
[09:16] <marekd> vince_: no problem :-)
[09:16] <marekd> vince_: use openstack, make sure you use IDENTITY API v3
[09:17] <marekd> vince_: i recommend looking at options in $ openstack --help
[09:17] <marekd> vince_: try with that plugin https://github.com/openstack/python-keystoneclient/blob/master/setup.cfg#L37 (name v3oidcpassword)
[09:18] <marekd> vince_: here you have a blog post about oidc
[09:18] *** marzif_ has joined #openstack-keystone
[09:19] <marekd> you may want to start with "Testing it all out!"
[09:20] <vince_> marekd: yes, I was reading there :)!
[09:20] <vince_> thank you so much, this is very helpful
[09:20] <marekd> vince_: so, you should know everything by now :-)
[09:20] <marekd> vince_: you are welcome.
[09:20] <kafka_> marekd : not much related, just saw that and felt weird that PUT is used to create a new resource
[09:20] <marekd> kafka_: i am sorry for that :(
[09:21] <kafka_> marekd: and what about your views about the bug??
[09:21] <marekd> kafka_: i still think it's osc that does build wrong url
[09:22] <marekd> keystone simply discards ?name query_string and responds properly - with the list of identity providers
[09:24] <marekd> idp's id is a user defined name.
[09:25] <kafka_> but see another example 'openstack user show admin' works well, /users/?name=admin responds properly;
[09:27] <kafka_> yeah, the backend stores a user defined name as idp's id .. that's really the problem.. only changing server side can fix that, isn't it?
[09:30] *** boris-42 has quit IRC
[09:35] *** kafka_ has quit IRC
[09:37] *** kafka_ has joined #openstack-keystone
[09:37] *** fhubik is now known as fhubik_afk
[09:38] <marekd> kafka_: can you explain to me why OSC is not building a /identity_providers/<name> link in the first place?
[09:38] <marekd> kafka_: apparently you did some research on that.
[09:43] *** marzif_ has quit IRC
[09:43] *** marzif_ has joined #openstack-keystone
[09:47] <kafka_> @marekd when executing 'openstack <cmd> show <name_id>', the function openstack.common.utils.find_resources actually implements it
[09:50] <marekd> kafka_: ok, so the name is not int so it will call https://github.com/openstack/python-openstackclient/blob/master/openstackclient/common/utils.py#L65
[09:50] <marekd> what next?
[09:51] <marekd> where is get(_ implementation ?
[09:51] <marekd> kafka_: can you help me with that?
[09:52] *** davechen has left #openstack-keystone
[09:53] <kafka_> and then build kwargs = {'name': 'itsaname'}, remember that the key is name,
[09:53] <marekd> kafka_: where does it come from ?
[09:53] <kafka_> then use kwargs as query parameter
[09:53] *** openstackgerrit_ has joined #openstack-keystone
[09:53] <marekd> can you post the link ?
[09:54] <kafka_> build /identity_provider?name=itaname but the backend stores itsaname as ID, so can't query something name=itsname, and returns all
[09:55] *** dims has joined #openstack-keystone
[09:55] <marekd> kafka_: can you walk me through the flow of how the kwargs are being built and post links for appropriate methods ?
[09:55] <kafka_> the link https://github.com/openstack/python-openstackclient/blob/master/openstackclient/common/utils.py#L79
[09:55] <kafka_> and the docstring of function https://github.com/openstack/python-openstackclient/blob/master/openstackclient/common/utils.py#L45
[09:56] <marekd> kafka_: but i am asking where is that kwargs built
[10:01] <openstackgerrit> Roman Bogorodskiy proposed openstack/keystone: Fix unbound error in federation _sign_assertion  https://review.openstack.org/208163
[10:01] *** fhubik_afk is now known as fhubik
[10:10] <kafka_> oh, sorry, i'm late. that's all in manager.find(**kwargs) and track to https://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/base.py#L419
[10:10] *** lxsli has quit IRC
[10:11] <kafka_> you can see that find() uses kwargs to build query parameters
[10:11] *** fhubik is now known as fhubik_afk
[10:13] <kafka_> and actually executes _list() https://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/base.py#L108 because it does not have a body, got a GET request with query parameter
[10:14] *** bjornar has quit IRC
[10:20] <openstackgerrit> Mehdi Abaakouk (sileht) proposed openstack/keystonemiddleware: Allow to use oslo.config without global CONF  https://review.openstack.org/208965
[10:27] <openstackgerrit> Mehdi Abaakouk (sileht) proposed openstack/keystonemiddleware: Allow to use oslo.config without global CONF  https://review.openstack.org/208965
[10:29] <openstackgerrit> Mehdi Abaakouk (sileht) proposed openstack/keystonemiddleware: Allow to use oslo.config without global CONF  https://review.openstack.org/208965
[10:33] *** zzzeek has quit IRC
[10:48] *** jaosorior has joined #openstack-keystone
[10:49] *** lhcheng has joined #openstack-keystone
[10:49] *** ChanServ sets mode: +v lhcheng
[10:51] *** urulama_ has quit IRC
[10:51] *** urulama has joined #openstack-keystone
[10:51] *** kafka_ has quit IRC
[10:53] *** lhcheng has quit IRC
[10:54] *** fhubik_afk is now known as fhubik
[11:00] *** topol has joined #openstack-keystone
[11:00] *** ChanServ sets mode: +v topol
[11:05] *** topol has quit IRC
[11:24] <odyssey4me> from today's sha update I'm seeing the following errors in the keystone apache error log - is this a known issue with a known solution? http://paste.openstack.org/show/u3mIrPjsUWANe8ZJ0ksy/
[11:27] *** bdossant_ has joined #openstack-keystone
[11:29] <breton> odyssey4me: what's sha?
[11:29] <breton> also, the error is weird.
[11:29] *** bdossant has quit IRC
[11:29] <odyssey4me> breton the keystone sha is 970c9ad7d444edeb922afd34874f0c48647fd53e
[11:30] *** bdossant_ has quit IRC
[11:30] <odyssey4me> note that I'm doing an integrated build, but all sha's have been bumped to today's latest sha's
[11:30] <odyssey4me> the error is weird
[11:30] <breton> dims: ^
[11:31] *** openstackgerrit has quit IRC
[11:31] *** openstackgerrit_ is now known as openstackgerrit
[11:32] *** openstackgerrit has quit IRC
[11:32] *** gsilvis has quit IRC
[11:32] *** openstackgerrit_ has joined #openstack-keystone
[11:32] *** openstackgerrit_ is now known as openstackgerrit
[11:32] <odyssey4me> breton interestingly I get the same issue with the main projects set to liberty-2... I'm working on two builds simultaneously to try and figure out the root cause here
[11:33] *** openstackgerrit_ has joined #openstack-keystone
[11:33] <odyssey4me> breton it appears that dispatcher was last in oslo.messaging in 2.0.0
[11:37] <odyssey4me> yeah, it looks like this is in oslo - lemme go bug them
[11:39] <samueldmq> morning guys
[11:40] <samueldmq> I am gonna warm up for the dynamic policy battle later today :)
[11:44] <marekd> samueldmq: wow, so exciting
[11:44] <samueldmq> marekd: :)
[11:46] *** amakarov_away is now known as amakarov
[11:52] *** ParsectiX has quit IRC
[11:56] *** tobe_ has quit IRC
[11:58] *** gordc has joined #openstack-keystone
[11:58] *** topol has joined #openstack-keystone
[11:58] *** ChanServ sets mode: +v topol
[11:59] *** tobe_ has joined #openstack-keystone
[12:01] *** tobe_ has quit IRC
[12:15] *** raildo has joined #openstack-keystone
[12:16] *** openstackgerrit has quit IRC
[12:17] *** fhubik is now known as fhubik_afk
[12:17] *** openstackgerrit has joined #openstack-keystone
[12:18] *** ParsectiX has joined #openstack-keystone
[12:19] <breton> what, again?
[12:27] *** Nirupama has quit IRC
[12:27] *** edmondsw has joined #openstack-keystone
[12:29] *** piyanai has joined #openstack-keystone
[12:34] *** bapalm_ has joined #openstack-keystone
[12:38] *** lhcheng has joined #openstack-keystone
[12:38] *** ChanServ sets mode: +v lhcheng
[12:41] *** chlong has joined #openstack-keystone
[12:42] *** lhcheng has quit IRC
[12:43] *** nicodemos has joined #openstack-keystone
[12:46] *** nicodemos has quit IRC
[12:57] *** bknudson has joined #openstack-keystone
[12:57] *** ChanServ sets mode: +v bknudson
[13:00] *** dims_ has joined #openstack-keystone
[13:01] *** abhishekk has joined #openstack-keystone
[13:02] <abhishekk> hi all, can any core reviewer review this patch
[13:02] *** jdandrea has joined #openstack-keystone
[13:02] *** dims has quit IRC
[13:02] <abhishekk> https://review.openstack.org/#/c/177686/, submitted to stable/juno branch
[13:02] <abhishekk> thank you
[13:02] *** tjcocozz has joined #openstack-keystone
[13:02] <lbragstad> marekd: couple quick questions for you, if you have a minute. The metadata transaction/exchange between the idp and the sp is what builds the trust, right?
[13:03] *** jsavak has joined #openstack-keystone
[13:04] *** dims has joined #openstack-keystone
[13:05] <marekd> lbragstad: yes, for instance this is the place where public keys are published.
[13:06] <marekd> + some endpoints
[13:06] *** dims_ has quit IRC
[13:06] <lbragstad> marekd: so the metadata of the idp contains the public key of the idp?
[13:06] <lbragstad> and the same with the sp?
[13:07] <marekd> lbragstad: yes and yes.
[13:07] *** vivekd has quit IRC
[13:07] <marekd> lbragstad: well, not always. usually it's the sp who wants to know all the idp's
[13:07] *** browne has joined #openstack-keystone
[13:08] <marekd> lbragstad: note that we don't keep public keys and metadata of trusted SPs when it comes to Keystone-IdP
[13:08] <lbragstad> ah, so the idp is what signs requests with its private key, and then the sp is able to verify it because it has the idp's metadata
[13:08] <marekd> lbragstad: yes.
[13:08] <lbragstad> "we don't keep" as in the idp doesn't keep metadata from trusted service providers?
[13:08] <marekd> lbragstad: yes.
[13:09] <lbragstad> ok, why is that, I'm curious
[13:09] <marekd> lbragstad: in fact we probably should, but i'd then just say loudly that keystone becomes a fully fledged SAML2 IdP.
[13:09] <marekd> lbragstad: why we don't keep SPs keys/metadata?
[13:09] *** abhishekk has left #openstack-keystone
[13:09] <openstackgerrit> Merged openstack/keystoneauth-saml2: Updated from global requirements  https://review.openstack.org/208700
[13:09] <lbragstad> marekd: right
[13:09] *** petertr7_away is now known as petertr7
[13:10] <marekd> lbragstad: a) Keystone-IdP is not a IdP b) it's not necessary, as it's us who initiate full workflow.
lbragstadus as in the sp?13:10
marekdlbragstad: look, normally you go to the SP first, and it's SP that creates a request and redirect to the IdP. Now, IdP want's to make sure the request comes from a known SP - hence it checks whether the message was signed by a trusted SP. In K2K case, you login with your password, and you are somehow authenticated and you simply go to a trusted SP as it's in your token, so it had been configured13:12
marekdby admin.13:12
marekdlbragstad: makes sense?13:13
lbragstadso the metadata trust part should always (at least) go from idp to sp13:13
lbragstadthe service provider will *always* need metadata from the identity provider13:13
marekdlbragstad: pretty much yes. you can probably disable it somewhere but i'd say it's super unlikely.13:13
marekdlbragstad: ideally both peers should have trustee's metadata13:14
lbragstadright, I don't think we'd want that because that would open you up for mitm attachs13:14
*** TheIntern has joined #openstack-keystone13:14
marekdlbragstad: it'd be like saying "i am using SSH but simply disabled transmission encryption and keys validation" :-)13:15
lbragstadyep, that makes sense13:15
marekdi will be back in 5 minutes13:15
lbragstadso, in summary, the public keys live in the metadata, which can be fetched from the IDP using https://github.com/openstack/keystone-specs/blob/master/api/v3/identity-api-v3-os-federation-ext.rst#retrieve-metadata-properties13:15
*** marzif_ has quit IRC13:18
*** marzif_ has joined #openstack-keystone13:18
openstackgerritRodrigo Duarte proposed openstack/keystone-specs: Fix nits from Project Tree Deletion spec  https://review.openstack.org/20905713:20
marekdlbragstad: yes13:25
marekdthe key would be valud <ns1:X509Certificate> </>13:26
marekdlbragstad: is there something wrong with that?13:26
lbragstadmarekd: nope, just wanted to understand where that trust was established13:26
marekdlbragstad: ok!13:27
marekdhope i helped!13:27
lbragstadabsolutely! thank yu13:27
*** piyanai has quit IRC13:28
lbragstadmarekd: the public key that is available in the metadata of the idp is the same public key that is used to SSL on the keystone-idp, right?13:29
*** piyanai has joined #openstack-keystone13:30
marekdlbragstad: in k2k ?13:30
*** browne has quit IRC13:30
lbragstadmarekd: well, what happens in each case?13:30
lbragstad(k2k, and non-k2k)13:30
marekdlbragstad: i don't understand13:30
marekdlbragstad: ah13:31
*** chlong has quit IRC13:31
marekdso, in K2K case where Keystone is an IdP we set same keys by default: https://github.com/openstack/keystone/blob/master/keystone/common/config.py#L97213:31
*** ayoung has joined #openstack-keystone13:32
*** ChanServ sets mode: +v ayoung13:32
marekdwhen IdP is something else then who cares/knows :-)13:32
marekdin terms of Keystone-SP it's managed by mod_shib/mod_mellon and it's again up to you.13:32
*** dims_ has joined #openstack-keystone13:36
dims_bknudson: this look good now? (boris' ldap patch) https://review.openstack.org/#/c/207960/ - please let us know. we need a backport for it as well if it is good13:37
*** dims has quit IRC13:37
*** mestery_afk is now known as mestery13:38
lbragstadmarekd: last noob question, when a federated user presents their information to a keystone service provider (with a protocol), that redirect happens to the IdP.13:46
lbragstaddoes the IdP return the SAML assertion to the service provider, then the service provider validates the saml assertion and exchanges it for an unscoped token?13:47
lbragstad(how many trips to the IdP in that case?)13:47
lbragstador does the user need the SAML assertion prior to that step?13:48
*** fhubik_afk is now known as fhubik13:48
*** doug-fish has quit IRC13:56
marekdin a normal flow it's: client -> sp -> (HTTP 302) client -> IdP -> (HTTP 302) client -> SP -> back to the client with unscped token -> scope the token.13:57
marekdlbragstad: in k2k: auth with user/pass, get Oopenstack Token, request SAML2 from your token, get assertion, send to SP, get unscoped token13:58
lbragstadperfect, that makes sense13:59
marekdi hope so :-)13:59
*** sigmavirus24_awa is now known as sigmavirus2414:00
*** opilotte has joined #openstack-keystone14:05
*** ParsectiX has quit IRC14:07
*** TheIntern has quit IRC14:08
openstackgerritMerged openstack/python-keystoneclient: Updated from global requirements  https://review.openstack.org/20873014:12
*** hrou has joined #openstack-keystone14:15
openstackgerritMerged openstack/keystone: Updated from global requirements  https://review.openstack.org/20869814:15
*** henrynash has quit IRC14:15
*** phalmos has joined #openstack-keystone14:20
*** piyanai has quit IRC14:22
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements  https://review.openstack.org/20909114:22
*** urulama has quit IRC14:22
*** urulama has joined #openstack-keystone14:23
*** TheIntern has joined #openstack-keystone14:24
*** mylu has joined #openstack-keystone14:28
*** phalmos has quit IRC14:30
*** doug-fish has joined #openstack-keystone14:32
*** TheIntern has quit IRC14:32
*** jecarey has joined #openstack-keystone14:33
*** TheIntern has joined #openstack-keystone14:37
dstanekbreton: that script was more complex than you thought :-)14:38
*** phalmos has joined #openstack-keystone14:40
*** dims_ has quit IRC14:41
*** dims has joined #openstack-keystone14:41
*** zzzeek has joined #openstack-keystone14:45
openstackgerritBoris Bobrov proposed openstack/keystone: Prevent exception due to missing id of LDAP entity  https://review.openstack.org/20796014:51
lbragstadmarekd: if you have a service provider with multiple idps tied to it, and they all talk saml, how does horizon know where to send the request to based on the protocol?14:53
bretondstanek: not as complex as people suggested in the thread14:53
doug-fishlbragstad: unless somebody is doing something more complex than I've been working on, Horizon recognizes only one idp14:54
doug-fish(well, one day soon it will)14:54
*** bradjones has joined #openstack-keystone14:54
*** bradjones has quit IRC14:54
*** bradjones has joined #openstack-keystone14:54
lbragstaddoug-fish: ahh, interesting14:54
lbragstaddoug-fish: so, all 'saml2' protocol requests get mapped to a single idp endpoint.14:54
dstanekbreton: i think that clint was right about what he said.14:55
dstanekbreton: it was complex enough that there were hard to see bugs lurking14:55
doug-fishlbragstad: at the Horizon layer that's going to be hidden - the saml assertion exchange is hidden in the auth plugin14:55
doug-fishthe outside client programming perspective is that the idp token can be used to get an unscoped token from a sp14:56
bretondstanek: you suggest just to rsync?14:56
bretondstanek: the whole directory with keys?14:57
dstanekbreton: yeah, i like the idea of having 1 node to the rotation and sync keys out from there14:57
dstanekbreton: yes14:57
lbragstadbreton: dstanek I just responded to the thread with a modified version of the script.14:57
lbragstaddstanek: the one we worked through last night14:57
*** yottatsa has quit IRC14:57
dstaneklbragstad: nice, thx14:58
bretonnah, you have a bug there too :p14:59
bretonping node-$c14:59
bretonwhich should be node-$c15:01
*** belmoreira has quit IRC15:01
*** opilotte has quit IRC15:01
*** kiran-r has joined #openstack-keystone15:01
*** btully has joined #openstack-keystone15:02
bretonanyway, I didn't expect that a script I quickly sketched would be so discussed.15:02
lbragstadbreton: well, it does serve as a good place to discuss the flow of rotation and distribution,15:02
lbragstadbreton: so, ++15:03
bretonbreton@bbobrov-pc:~$ failed=true15:03
bretonbreton@bbobrov-pc:~$ if [ ( $failed ) ]; then echo 'asdf'; fi15:03
bretonbash: syntax error near unexpected token `$failed'15:03
gordcfor v3, are the requirements (project_id OR project_name) AND (user_domain_name OR user_domain_id) or (project_id OR (project_name AND (user_domain_name OR user_domain_id)))15:05
openstackgerritDavid Stanek proposed openstack/keystone: Hardens the validated decorator's implementation  https://review.openstack.org/20911415:06
*** piyanai has joined #openstack-keystone15:10
*** e0ne has quit IRC15:10
*** e0ne has joined #openstack-keystone15:11
*** lhcheng has joined #openstack-keystone15:12
*** ChanServ sets mode: +v lhcheng15:12
*** phalmos has quit IRC15:14
dstanekbreton: i was drawn to it by the argument of its simplicity and the fact that it took me a while to see what was actually happening15:20
*** phalmos has joined #openstack-keystone15:22
*** geoffarnold has joined #openstack-keystone15:22
dstaneklbragstad: breton: oh, and the rollback can't work as implemented15:24
*** mylu has quit IRC15:24
*** petertr7 is now known as petertr7_away15:25
*** edmondsw has quit IRC15:26
*** petertr7_away is now known as petertr715:27
*** browne has joined #openstack-keystone15:27
*** joe___ has joined #openstack-keystone15:29
openstackgerritRodrigo Duarte proposed openstack/keystone: Honor domain operations in project table  https://review.openstack.org/14376315:30
openstackgerritRodrigo Duarte proposed openstack/keystone: Limit subtree and parents queries  https://review.openstack.org/20913215:30
joe___Could anyone help on using keystonemiddleware?15:30
*** mylu has joined #openstack-keystone15:31
*** yottatsa has joined #openstack-keystone15:31
*** piyanai has quit IRC15:31
*** fhubik is now known as fhubik_afk15:32
joe___I'm trying to build a WSGI service using paste and would like to add keystonemiddleware as authentication middleware. If I don't implement oslo config, how should I pass keystone_authtoken info from my api-paste.ini to keystonemiddleware?15:33
*** mylu has quit IRC15:33
bknudsonjoe___: there's no way to do that today as far as I know.15:34
openstackgerritRodrigo Duarte proposed openstack/keystone: Restrict inherited role assignments to subdomains  https://review.openstack.org/16418015:34
bknudsonif you come up with a way to do it then submit the change so everyone can use it.15:34
*** mylu has joined #openstack-keystone15:38
*** stevemar has joined #openstack-keystone15:39
*** ChanServ sets mode: +v stevemar15:39
dstanekstevemar: what are you bumping sir?15:42
*** joe___ has quit IRC15:42
stevemardstanek: myself, i've been away too long15:42
*** mylu has quit IRC15:43
*** vince_ has quit IRC15:43
bknudsonstevemar: you've been binging on the jays.15:43
stevemarbknudson: true, but last week i was helping bring noobies up to speed with an openstack bootcamp15:44
bknudsonstevemar: there's more noobies... this could be your full-time job15:45
bknudsonI hope you recorded it15:45
dstanekhas anyone else been getting test failure recently for test_list_group_role_assignment?15:45
stevemari did not record it :(15:45
bknudsondstanek: works for me.15:46
*** piyanai has joined #openstack-keystone15:48
openstackgerritBrant Knudson proposed openstack/python-keystoneclient: Proper deprecation for HTTPClient.tenant_id|name  https://review.openstack.org/20571015:49
openstackgerritBrant Knudson proposed openstack/python-keystoneclient: Proper deprecation for HTTPClient.request methods  https://review.openstack.org/20571115:49
openstackgerritBrant Knudson proposed openstack/python-keystoneclient: Update deprecation text for Session properties  https://review.openstack.org/19151115:49
openstackgerritBrant Knudson proposed openstack/python-keystoneclient: Proper deprecation for HTTPClient session and adapter properties  https://review.openstack.org/20580615:49
openstackgerritBrant Knudson proposed openstack/python-keystoneclient: Proper deprecation for HTTPClient tenant_id, tenant_name parameters  https://review.openstack.org/20570115:49
openstackgerritBrant Knudson proposed openstack/python-keystoneclient: Proper deprecation for httpclient.USER_AGENT  https://review.openstack.org/20583315:49
openstackgerritBrant Knudson proposed openstack/python-keystoneclient: Proper deprecation for Session.get_token()  https://review.openstack.org/20581715:49
openstackgerritBrant Knudson proposed openstack/python-keystoneclient: Deprecate create HTTPClient without session  https://review.openstack.org/20583215:49
openstackgerritBrant Knudson proposed openstack/python-keystoneclient: Deprecate create v2_0 Client without session  https://review.openstack.org/20582015:49
openstackgerritBrant Knudson proposed openstack/python-keystoneclient: Deprecate create v3 Client without session  https://review.openstack.org/20582215:49
openstackgerritBrant Knudson proposed openstack/python-keystoneclient: Deprecate ServiceCatalog(region_name)  https://review.openstack.org/20580915:49
openstackgerritBrant Knudson proposed openstack/python-keystoneclient: Proper deprecation for CredentialManager data argument  https://review.openstack.org/20582515:49
openstackgerritBrant Knudson proposed openstack/python-keystoneclient: Proper deprecation for UserManager project argument  https://review.openstack.org/20582615:49
openstackgerritBrant Knudson proposed openstack/python-keystoneclient: Deprecate ServiceCatalog.get_urls() with no attr  https://review.openstack.org/20581015:49
openstackgerritBrant Knudson proposed openstack/python-keystoneclient: Deprecate create Discover without session  https://review.openstack.org/20582915:49
openstackgerritBrant Knudson proposed openstack/python-keystoneclient: Deprecate use of cert and key  https://review.openstack.org/20581315:49
openstackgerritBrant Knudson proposed openstack/python-keystoneclient: Proper deprecation for Session.construct()  https://review.openstack.org/20581215:49
*** HenryG has quit IRC15:51
dstanekbknudson: i keep getting http://paste.openstack.org/show/406903/ - looks like i'll actually have to debug this today15:51
stevemardstanek: remove it all and try again?15:52
dstanekstevemar: it showed up on my new devstack vm too15:52
stevemardstanek: ruh roh15:52
dstaneki thought it was an issue with maybe something i was running like memcached, but that doesn't appear to be it15:52
bknudsondstanek: do you have a local /etc/keystone.conf ?15:53
bknudsontry removing it15:53
bknudsonthat was something I've been meaning to look into... tests are affected by /etc/keystone.conf15:53
dstanekbknudson: no, only a /etc/keystone/keystone.conf.old15:53
*** phalmos has quit IRC15:54
*** vivekd has joined #openstack-keystone15:55
*** petertr7 is now known as petertr7_away15:56
*** jamiec has quit IRC16:00
*** cinerama has quit IRC16:00
*** _cjones_ has joined #openstack-keystone16:00
*** HenryG has joined #openstack-keystone16:01
*** jamiec has joined #openstack-keystone16:01
*** cinerama has joined #openstack-keystone16:02
*** gyee has joined #openstack-keystone16:02
*** ChanServ sets mode: +v gyee16:02
*** phalmos has joined #openstack-keystone16:02
dstanekhmmm....it looks like my assignments are coming back in a different order than what the tests expect16:04
samueldmqdstanek: role assignments ?16:04
bknudsonI think there's an assertItemsEqual16:04
dstaneksamueldmq: yes16:04
samueldmqdstanek: should the order matter ?16:05
samueldmqin that case ...16:05
dstaneksamueldmq: not entirely sure, but i don't think we actually enforce a sort order on the query16:06
*** gyee has quit IRC16:06
*** HenryG has quit IRC16:08
*** jistr has quit IRC16:09
*** vivekd has quit IRC16:10
*** woodster_ has joined #openstack-keystone16:10
*** elmiko has quit IRC16:13
*** hrou has quit IRC16:15
*** e0ne has quit IRC16:17
*** kiran-r has quit IRC16:18
*** HenryG has joined #openstack-keystone16:18
*** urulama has quit IRC16:23
*** urulama has joined #openstack-keystone16:24
*** tjcocozz has quit IRC16:25
*** yottatsa has quit IRC16:26
*** yottatsa has joined #openstack-keystone16:27
*** bapalm_ has quit IRC16:27
*** kiran-r has joined #openstack-keystone16:27
*** openstackgerrit_ has quit IRC16:29
dolphmlbragstad: this might address several of the open bugs against fernet https://review.openstack.org/#/c/208021/16:32
lbragstaddolphm: sweet, I'll review it today16:33
lbragstaddolphm: thanks!16:33
dolphmlbragstad: including that tempest failure - i'm going to test that today16:33
*** gyee has joined #openstack-keystone16:33
*** ChanServ sets mode: +v gyee16:33
*** henrynash has joined #openstack-keystone16:35
*** ChanServ sets mode: +v henrynash16:35
*** fhubik_afk is now known as fhubik16:36
*** henrynash has quit IRC16:37
*** henrynash has joined #openstack-keystone16:39
*** ChanServ sets mode: +v henrynash16:39
*** HenryG has quit IRC16:39
stevemarraildo: samueldmq you guys okay to talk about https://review.openstack.org/#/c/208620/ ?16:42
stevemarat the meeting?16:42
*** edmondsw has joined #openstack-keystone16:42
raildostevemar: sure, no problem16:43
samueldmqstevemar: sure, I think tellesnobrega may be interested on talking about it16:43
stevemari'll change my name on the meeting to you guys https://wiki.openstack.org/wiki/Meetings/KeystoneMeeting#Main_Agenda16:43
stevemarjust need to double check if it needs a spec or not16:44
*** piyanai has quit IRC16:44
*** _kiran_ has joined #openstack-keystone16:47
*** TheIntern has quit IRC16:48
*** henrynash has quit IRC16:48
*** kiran-r has quit IRC16:51
*** piyanai has joined #openstack-keystone16:53
openstackgerritRodrigo Duarte proposed openstack/keystone: Honor domain operations in project table  https://review.openstack.org/14376316:55
openstackgerritRodrigo Duarte proposed openstack/keystone: Restrict inherited role assignments to subdomains  https://review.openstack.org/16418016:55
*** petertr7_away is now known as petertr716:55
*** cinerama has quit IRC16:57
*** spandhe has joined #openstack-keystone16:59
*** piyanai has quit IRC17:00
*** phalmos has quit IRC17:01
*** _kiran_ has quit IRC17:02
*** piyanai has joined #openstack-keystone17:04
*** e0ne has joined #openstack-keystone17:05
*** jsavak has quit IRC17:05
*** jsavak has joined #openstack-keystone17:06
*** samleon has joined #openstack-keystone17:07
*** roxanaghe has joined #openstack-keystone17:09
*** HenryG has joined #openstack-keystone17:10
*** samleon has quit IRC17:11
*** jasonsb has quit IRC17:12
*** jasonsb has joined #openstack-keystone17:16
*** jasonsb has quit IRC17:19
*** HenryG has quit IRC17:20
*** mylu has joined #openstack-keystone17:24
*** piyanai has quit IRC17:24
*** e0ne has quit IRC17:26
*** piyanai has joined #openstack-keystone17:26
*** fhubik has quit IRC17:26
*** HT_sergio has joined #openstack-keystone17:30
*** e0ne has joined #openstack-keystone17:32
*** samleon has joined #openstack-keystone17:33
*** kiran-r has joined #openstack-keystone17:34
*** mylu has quit IRC17:36
*** piyanai_ has joined #openstack-keystone17:36
*** piyanai has quit IRC17:39
*** piyanai_ is now known as piyanai17:39
*** kiran-r has quit IRC17:40
openstackgerritMerged openstack/keystone: Better error message when unable to map user  https://review.openstack.org/20698717:41
*** marzif_ has quit IRC17:41
openstackgerritMarianne Linhares Monteiro proposed openstack/keystone: List credentials by type  https://review.openstack.org/20862017:41
*** mylu has joined #openstack-keystone17:46
*** tsymanczyk has joined #openstack-keystone17:46
*** vivekd has joined #openstack-keystone17:47
*** david-lyle has quit IRC17:48
*** marianneLinhares has joined #openstack-keystone17:52
*** henrynash has joined #openstack-keystone17:52
*** ChanServ sets mode: +v henrynash17:52
marekdlbragstad: based on the protocol?17:54
lbragstadmarekd: yeah,17:54
openstackgerritayoung proposed openstack/python-keystoneclient-kerberos: Federated Kerberos plugin  https://review.openstack.org/17355817:54
lbragstadwhen a user logs in using horizon, they have to select a protocol id, right?17:54
*** diegoadolfo has joined #openstack-keystone17:54
marekdlbragstad: so you should configure your modules to protect something like /v3/OS-FEDERATION/identity_providers/*/protocols/saml2 for saml2 (for instance) and /v3/OS-FEDERATION/identity_providers/*/protocols/oidc for OIDC17:55
*** yottatsa has quit IRC17:55
ayoungI'll be at the meeting, but a little late today17:56
*** ayoung has quit IRC17:56
lbragstadmarekd: protocol ids must be unique right? so you can only have one idp that uses saml2, right?17:57
marekdthat's why * in the URL17:57
lbragstadso, are all the idps listed in the service providers drop down in horizon?17:58
henrynashdstanek: hi…thanks for the +1 on https://review.openstack.org/#/c/200624/ - was there a reason not to +2/A ?17:59
dstanekhenrynash: i saw that bknudson gave an earlier rev -1 and didn't get a chance to see if his stuff was addressed18:01
marekdlbragstad: no.18:01
*** marianneLinhares has quit IRC18:01
*** qwebirc1001759 has joined #openstack-keystone18:01
*** aix has quit IRC18:03
*** jsavak has quit IRC18:03
*** piyanai has quit IRC18:04
*** TheIntern has joined #openstack-keystone18:05
*** jasonsb has joined #openstack-keystone18:05
marekdlbragstad: uh, it's more complicated...18:05
marekdlbragstad: first of all horizon doesn't do any saml bits...18:05
*** haneef_ has joined #openstack-keystone18:05
lbragstadmarekd: horizon just has the WEBSSO_CHOICES stuff18:06
marekdyou dont configure saml for horizon box/vhost.18:06
marekdlbragstad: it doesn't18:06
marekdlbragstad: jamielennox|away would like to have it and it's easy to implement18:06
marekdbut since we use apache modules that actually do protocol specific stuff we may want to use something that's called Discovery Service18:06
marekdfor choosing IdP18:07
*** jsavak has joined #openstack-keystone18:07
*** piyanai has joined #openstack-keystone18:07
*** stevemar has quit IRC18:08
*** mylu has quit IRC18:08
lbragstadmarekd: ok, I think the part that I'm missing is how the user specifies *which* idp they are a part of, and how we (as the keystone service provider) make that redirect18:09
*** mylu has joined #openstack-keystone18:09
lhchenghenrynash: quick question related to https://bugs.launchpad.net/keystone/+bug/146684618:09
openstackLaunchpad bug 1466846 in Keystone "the function _config_to_list is not working well" [Medium,New] - Assigned to Lin Hua Cheng (lin-hua-cheng)18:09
*** dan_ has joined #openstack-keystone18:09
*** dan_ is now known as Guest4157418:10
lhchenghenrynash: wanted to run by you if it is valid bug, I looked at the looked and indeed whitelisted/sensitive are always empty.  https://github.com/openstack/keystone/blob/master/keystone/resource/core.py#L914-L91518:10
marekdlbragstad: in CLI it's you who has to know which IdP you are going to use18:10
henrynashlhcheng: i need to look at it….I’ll do that18:10
marekdyou need to know the name of IdP configured in keystone18:10
marekdand you need to know the url of the idp ...18:10
*** Guest41574 is now known as dank_18:12
*** qwebirc1001759 has quit IRC18:12
lbragstadmarekd: how is that information typically relayed to service provider horizon? typing it in?18:12
*** phalmos has joined #openstack-keystone18:13
marekdlbragstad: i will confuse you even more - websso has a separate endpoint - /v3/OS-FEDERATION/webbso/<protocol> (or something like that)18:14
marekdit's an endpoint for all the idp's of the federation (speaking same protocol)18:14
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements  https://review.openstack.org/20909118:15
lbragstadoh, so horizon will talk to that endpoint (/v3/OS-FEDERATION/webbso/<protocol>) after the user logging in says I want to federate with saml2?18:15
marekdjamielennox|away would like horizon to redirect to old links /identity_providers/<idp>/protocols/<proto>/auth and WEBSSO_CHOICES would be hardcoded to the names, and that name would be used to fill <idp> part in the link.18:16
*** mylu has quit IRC18:16
*** tjcocozz has joined #openstack-keystone18:17
lbragstadso, it'd be pretty similar to the mail david chadwick sent out?18:17
marekdi don't know what he had sent.18:17
marekdand where.18:18
lbragstadmarekd: ^18:18
lhchenglbragstad: yeah, it is similar :)18:18
*** mylu has joined #openstack-keystone18:18
lbragstadok, cool18:18
marekdyeah, so probably similar.18:18
marekdi only don't know what Type Ahead is.18:18
marekdi can guess18:19
lhchengI've responded to that email, we kinda already have what they're proposing18:19
lhchengmarekd: fancier term for auto-complete :P18:19
marekdlhcheng: so i wonder how is he going to do that.18:20
marekdesp since lots of info can sit in IdP. not in Keystone.18:20
*** woodster_ has quit IRC18:20
lhchengI think he expects horizon to query keystone for the IdP. thought we don't want that?18:21
*** hrou has joined #openstack-keystone18:22
*** yottatsa has joined #openstack-keystone18:24
*** mylu has quit IRC18:24
*** mylu has joined #openstack-keystone18:26
*** ayoung has joined #openstack-keystone18:26
*** ChanServ sets mode: +v ayoung18:26
*** rm_work|away is now known as rm_work18:28
*** mylu has quit IRC18:28
doug-fishI was under the impression that you could only have 1 3rd party idp for each protocol, and this was a restriction of keystone. Was that true for Kilo?18:28
*** lhcheng is now known as lhcheng_away18:29
lhcheng_awaydoug-fish: it is the restriction specifically on how websso is implemented in keystone.  it should get better with : https://review.openstack.org/#/c/199339/18:31
*** HenryG has joined #openstack-keystone18:31
lhcheng_awayyou can still setup multiple idp/protocol in keystone, but not exposed all through websso18:32
doug-fishlhcheng_away: cool thx - though I think we've mirrored that restriction with our Horizon implementation18:32
doug-fishoh I see18:32
*** HenryG has quit IRC18:32
*** HenryG has joined #openstack-keystone18:35
*** rm_work is now known as rm_work|away18:38
*** rm_work|away is now known as rm_work18:40
*** bapalm_ has joined #openstack-keystone18:41
*** HenryG_ has joined #openstack-keystone18:46
*** mylu has joined #openstack-keystone18:46
*** urulama has quit IRC18:47
*** urulama has joined #openstack-keystone18:47
*** HenryG has quit IRC18:48
*** phalmos has quit IRC18:50
*** boris-42 has joined #openstack-keystone18:53
*** yottatsa has quit IRC18:57
*** jsavak has quit IRC19:01
samueldmqdolphm: we get the specs approved, then I come with the sfe request19:02
samueldmqdolphm: next meeting we analyze the request19:02
samueldmqsounds a good plan ?19:02
dstaneksamueldmq: just propose against backlog19:02
gyeeops midcycle is three weeks away btw19:02
dstanekit doesn't sound like there is a lot of interest to get this in L19:02
samueldmqdstanek: they are against the backlog already19:02
gyeeso we will be long past any FFE date19:03
samueldmqgyee: yes we spent the whole L2 and didn't reach a decision on sfe19:03
samueldmqgyee: it should be ffe now :(19:03
dstaneksamueldmq: i think you should work with gyee so he understands the vision and see if it's something HP really wants19:03
*** jsavak has joined #openstack-keystone19:03
samueldmqgyee: the 2 specs are 197980 and 13465519:04
samueldmqgyee: your view on them is important, please take a look :)19:04
samueldmqgyee: anyway we are just enabling the fetch (we already allow the policy creation + association)19:04
gyeesamueldmq, yes absolutely19:04
samueldmqgyee: as I demonstrated in the midcycle19:05
*** ayoung has quit IRC19:05
*** phalmos has joined #openstack-keystone19:05
*** henrynash has quit IRC19:06
*** mylu has quit IRC19:06
*** stevemar has joined #openstack-keystone19:08
*** ChanServ sets mode: +v stevemar19:08
raildodolphm: https://blueprints.launchpad.net/keystone/+spec/list-credentials-by-type and in a few minutes, i'll send the spec19:09
gyeebknudson, which patch is failing about missing publicURL for alarm service?19:10
*** piyanai has quit IRC19:10
*** vivekd has quit IRC19:10
bknudsongyee: https://review.openstack.org/#/c/208583/19:10
bknudsongyee: the gate-tempest-dsvm-neutron-src-python-keystoneclient logs have it19:11
bknudsongyee: also https://review.openstack.org/#/c/207267/19:11
gyeebknudson, got it19:11
*** mylu has joined #openstack-keystone19:12
*** stevemar has quit IRC19:12
*** henrynash has joined #openstack-keystone19:16
*** ChanServ sets mode: +v henrynash19:16
openstackgerritDiego Adolfo proposed openstack/keystone: NotificationsTestCase running in isolation  https://review.openstack.org/20473919:18
*** TheIntern has quit IRC19:18
*** tqtran has joined #openstack-keystone19:19
*** henrynash has quit IRC19:19
*** piyanai has joined #openstack-keystone19:20
*** TheIntern has joined #openstack-keystone19:20
openstackgerritTom Cocozzello proposed openstack/keystoneauth-saml2: Activate pep8 check that _ is imported  https://review.openstack.org/20922719:24
*** phalmos has quit IRC19:24
*** piyanai has quit IRC19:25
openstackgerritRaildo Mascena de Sousa Filho proposed openstack/keystone-specs: List credentials by type  https://review.openstack.org/20922819:27
*** gyee has quit IRC19:29
*** vivekd has joined #openstack-keystone19:32
*** ayoung has joined #openstack-keystone19:32
*** ChanServ sets mode: +v ayoung19:32
*** phalmos has joined #openstack-keystone19:32
*** petertr7 is now known as petertr7_away19:33
ayoungdolphm, BTW, that last comment was not meant as criticism.  I think it is actually a good idea, just wonder if we should codify it:19:33
ayoungdolphm, so, would you say we should have a general policy of "no  features are going to go in upstream until they are in active deployment somewhere?"19:34
dolphmayoung: i believe i said "no" to that in the meeting already19:34
*** vivekd has quit IRC19:34
dolphmthat's not what i meant at all19:34
ayoungdolphm, you might have, I had to drop off and missed it19:34
ayoungdolphm, No, I know that is not what you meant. You wanted to know if there was buy in outside of just our team.19:35
ayoungAnd it is a fair question19:35
dolphmstakeholder interest != deploying random patches to prod19:35
ayoungdolphm, so...I'm still thinking how to answer the question.  It all stems from requests that I've had from many different people, so from that perspective, yes?19:35
ayoungBut...no one person has put together all the dynamic policy stuff and said "I need this"19:35
ayoungwhich is why I've mostly limited myself to presentations and specs on it, to try and build consensus on the direction19:36
ayoungI mean, sure, bug 968696 started the design process19:36
openstackbug 968696 in OpenStack Compute (nova) ""admin"-ness not properly scoped" [High,Confirmed] https://launchpad.net/bugs/96869619:36
ayoungand, I don't really think we can close that without the dynamic policy approach19:36
ayoungso, there are stakeholders there19:36
ayoungdolphm,  but I can see the argument that, especially for a significant feature like dynamic policy, the  upstream approach should be "prove it works in a deployment somewhere first."  We are seeing that with Fernet, really, right?19:39
ayoungI mean, we are still shaking out issues with it.19:40
ayoungActually, we are not seeing it with Fernet, but we are  seeing people trying it and shaking out the issues before it becomes default.19:40
ayoungPKI tokens missed that;  I'd like to avoid putting so much effort in to something only to find a critical flaw like those had19:41
openstackgerritBrant Knudson proposed openstack/keystone: Documentation for other services  https://review.openstack.org/20480119:42
*** petertr7_away is now known as petertr719:44
*** piyanai has joined #openstack-keystone19:44
*** lsmola has quit IRC19:46
*** samueldmq has quit IRC19:46
*** samueldmq has joined #openstack-keystone19:47
*** mylu has quit IRC19:47
*** mylu has joined #openstack-keystone19:48
samueldmqayoung: so I have a plan ..19:55
ayoungsamueldmq, did you ever watch the TVshow the A Team?19:55
samueldmqayoung: spec merged as agreement in the direction, that doesn't mean granting ffe19:55
samueldmqayoung: no :(19:55
dstanek"i love it when a plan comes together"19:55
*** ekarlso has quit IRC19:55
*** tjcocozz has quit IRC19:55
samueldmqayoung: then I am going to work with gyee + email in the operators list to see people raising their hands and saying 'yes, we want it'19:56
samueldmqayoung: that will decide whether accept it as ffe or not19:56
samueldmqayoung: by the time, I will have all the patches ready for review (I am working on the last one now, the one in the server)19:56
*** tsymanczyk has quit IRC19:57
*** ekarlso has joined #openstack-keystone19:57
samueldmqayoung: aiming to do so until next meeting19:57
samueldmqthat's my plan19:57
samueldmqthe plan A19:57
samueldmqthe B is to defer to M, which I don't like, and I suspect you don't as well19:58
*** jsavak has quit IRC20:04
ayoungsamueldmq, sounds good20:04
*** jsavak has joined #openstack-keystone20:04
samueldmqayoung: nice, I am gonna breathe a bit, brb20:05
ayoungsamueldmq, I am just done tilting at windmills...for the time being.  If we can't get some understanding from people that this is valuable, we'll find another approach.  So, yeah, full support from me.20:05
morganfainbergdolphm: thanks for running the meeting20:05
* morganfainberg just woke up.20:05
morganfainbergThis timezone shift is brutal20:05
samueldmqayoung: ++ thanks20:06
*** tsymanczyk has joined #openstack-keystone20:07
*** tsymanczyk is now known as Guest7191220:07
*** mylu has quit IRC20:10
*** lhcheng_away is now known as lhcheng20:11
*** marzif_ has joined #openstack-keystone20:12
*** dims_ has joined #openstack-keystone20:21
*** dims has quit IRC20:22
*** mylu has joined #openstack-keystone20:24
*** mylu has quit IRC20:29
*** urulama has quit IRC20:30
*** urulama has joined #openstack-keystone20:31
*** amakarov is now known as amakarov_away20:36
ayoungmorganfainberg, dolphm is Icehouse stable still open for backports?20:44
bknudsonayoung: stable/icehouse branch was deleted a few weeks ago20:45
*** diegoadolfo has quit IRC20:45
*** tsymancz1k has joined #openstack-keystone20:47
*** Guest71912 has quit IRC20:47
morganfainbergayoung: icehouse is EOL20:48
*** henrynash has joined #openstack-keystone20:49
*** ChanServ sets mode: +v henrynash20:49
morganfainberghenrynash: isn't it super late for you?20:52
henrynashmorganfainberg: tis true, tis true20:52
*** mylu has joined #openstack-keystone20:52
openstackgerritMerged openstack/python-keystoneclient: Proper deprecation for HTTPClient tenant_id, tenant_name parameters  https://review.openstack.org/20570120:53
openstackgerritMerged openstack/python-keystoneclient: Proper deprecation for HTTPClient.tenant_id|name  https://review.openstack.org/20571020:54
openstackgerritMerged openstack/python-keystoneclient: Proper deprecation for HTTPClient.request methods  https://review.openstack.org/20571120:54
*** jsavak has quit IRC20:57
*** gyee has joined #openstack-keystone21:00
*** ChanServ sets mode: +v gyee21:00
*** tqtran is now known as tqtran-afk21:03
*** raildo has quit IRC21:04
*** david-lyle has joined #openstack-keystone21:07
*** bapalm_ has quit IRC21:07
*** petertr7 is now known as petertr7_away21:08
*** josecastroleon has quit IRC21:08
*** mylu has quit IRC21:09
*** josecastroleon has joined #openstack-keystone21:09
*** gyee has quit IRC21:09
*** gyee has joined #openstack-keystone21:15
*** ChanServ sets mode: +v gyee21:15
*** mylu has joined #openstack-keystone21:15
*** mylu has quit IRC21:16
*** HenryG_ is now known as HenryG21:17
*** henrynash has quit IRC21:20
*** samleon has quit IRC21:20
*** samleon has joined #openstack-keystone21:21
mtreinishmorganfainberg, bknudson: did anyone ever start looking at logging the request ids from the context in the keystone logs?21:22
mtreinishbecause when I was looking at debugging something yesterday finding my call in the keystone logs was a bit tricky21:23
openstackgerritBoris Bobrov proposed openstack/keystone: Prevent exception due to missing id of LDAP entity  https://review.openstack.org/20796021:25
mtreinishmorganfainberg, bknudson: IIRC what was needed for that was to switch to using oslo.context and then oslo.log would pick it up automagically21:35
morganfainbergmtreinish: yes and we need to restructure our stuff to make that viable21:36
morganfainbergsince authcontext is a special beast21:36
mtreinishmorganfainberg: I thought it was just a dict? Although it's been a few months since I looked :)21:38
morganfainbergauthcontext has other stuff.21:38
morganfainbergit's not just dict it was "make sure this all works"21:38
morganfainbergwe did odd things21:38
morganfainbergit's not a drop in but not tons of work just work21:39
mtreinishheh, ok. Yeah I realized it wasn't just drop in, it didn't really work when I tried that :)21:40
*** jagter has quit IRC21:43
*** e0ne has quit IRC21:44
morganfainbergmtreinish: oh so.. question for you...21:44
morganfainbergmtreinish: how angry would you be if i tried to switch keystone over to uwsgi from mod_wsgi in devstack (or not in your field of caring)21:45
*** tsymancz1k has quit IRC21:45
*** tsymanczyk has joined #openstack-keystone21:45
*** tsymanczyk is now known as Guest8350121:46
mtreinishmorganfainberg: I'm not sure that I'd care too much one way or the other21:46
mtreinishas long as you made a decent argument for why changing it would be good21:46
morganfainbergsquashing the "apache can't stop" bug21:46
morganfainbergthat still lurks around21:46
morganfainbergand uwsgi is generally better since it can support venvs [operator focus]21:47
mtreinishalthough I do think there were other efforts to move things to mod_wsgi so it might be good to comment on those too21:47
mtreinishoh, yeah venvs are nice :)21:47
morganfainbergmtreinish: i plan on catching thingee and talking about it21:47
ayoungbknudson, https://review.openstack.org/#/c/188329/2  can you re-review, as I suspect no one else will touch it until you do, and it blocks https://review.openstack.org/#/c/173558/721:47
*** jagter has joined #openstack-keystone21:47
morganfainbergi'd like to make uwsgi the default - but mod_wsgi -> uwsgi is easy21:47
mtreinishmorganfainberg: I also remember dims patches for nova things too21:47
morganfainbergmtreinish: great i'll poke dims_21:48
morganfainberguwsgi is also ini-style config21:48
morganfainbergwhich makes it super easy to manage in devstack [less subst in apache confs]21:48
morganfainbergwe'd still use apache21:48
morganfainbergjust less in-process ick21:48
bknudsonayoung: will do.21:48
mtreinishmorganfainberg: ok cool, that sounds like a good thing21:49
mtreinishyeah I guess the big model change is to running under apache instead of as a standalone thing21:49
morganfainbergmtreinish: and that doesn't really change here21:49
morganfainbergit's just what wsgi impl we use.21:49
morganfainbergand really uwsgi took me ~15mins to setup compared to the apache keystone model21:49
morganfainbergand that was by-hand21:50
*** jasonsb has quit IRC21:50
mtreinishok, cool21:50
*** phalmos has quit IRC21:51
mtreinishare we going to have those strange ragnarok evoked log messages if we use it though?21:51
*** jasonsb has joined #openstack-keystone21:51
mtreinishI can't remember where I saw that but something already uses uwsgi21:52
gyeebknudson, the feature/keystoneauth_integration branch for python-keystoneclient seem broken as is21:52
bknudsongyee: how did it get that way?21:53
gyeebknudson, just did git clone and tox -e py2721:53
bknudsonmaster is working fine21:53
*** doug-fish has left #openstack-keystone21:53
gyeemaster is working fine21:53
gyeebut not keystoneauth_integration21:53
gyeebknudson, and the reason for the Ceilometer failure was that it was expecting the EndpointNotFound exception from keystoneclient.openstack.common.apiclient.exceptions21:57
gyeewith keystoneauth1, that exception got redefined21:57
gyeeso it's not backward compatible21:57
gyeeso we have two choices: 1) fix keystoneauth1 exceptions; 2) fix everywhere else21:59
bknudsongyee: ahh, neat.22:01
morganfainbergwe aren't accepting that change22:01
bknudsongyee: sounds like 1 is the only option22:02
*** edmondsw has quit IRC22:02
gyeebknudson, yes, I agree22:02
bknudsonbecause we're not going to be able to pass tempest22:02
morganfainbergso there is other work to be done there22:02
morganfainbergkeystoneauth1 isn't going to get that change22:02
bknudsonI still wonder how it got past tempest to begin with22:02
gyeewhy are we redefining those exceptions anyway22:02
*** mylu has joined #openstack-keystone22:03
morganfainbergwe will put minor compat into keystoneclient22:03
morganfainbergnot into keystoneauth22:03
morganfainbergif anywhere22:03
bknudsonkeystoneclient needs a compat change now22:03
morganfainbergthe integration branch22:03
morganfainbergnot the master22:03
morganfainbergjust was pointing out putting compat changes into keystoneauth1 is a no-go22:04
bknudsonmorganfainberg: remember when I was complaining about apiclient in the x-project meeting?22:04
morganfainbergbknudson: yep.22:04
morganfainbergbknudson: can we just break everyone and the gate and force everyone to fix it rapidly22:04
morganfainbergsarcasm of course22:04
morganfainbergin all honesty we should just fix it everywhere and break it in keystoneclient22:05
morganfainbergbut it's a lot of work22:05
morganfainbergeverywhere = things in gate22:05
morganfainberg2.x of keystoneclient will not be adhering to the same apis etc22:05
gyeehey, if it ain't making a lot of noise, you ain't doing nothing yet22:05
*** TheIntern has quit IRC22:05
morganfainbergwe're already removing cli from ksc 2.x22:06
morganfainbergbut if we are doing *any* compat work, we're doing it in keystoneclient not in keystoneauth22:06
bknudsonso we've got http://git.openstack.org/cgit/openstack/python-keystoneclient/tree/keystoneclient/exceptions.py?h=feature/keystoneauth_integration22:07
*** chlong has joined #openstack-keystone22:07
bknudsonand I'm guessing this isn't right since EndpointNotFound = new_exceptions.EndpointNotFound22:07
bknudsonand that needs to be using apiclient still22:08
gyeebecause other places are catching it from apiclient22:08
*** rm_work is now known as rm_work|away22:08
bknudsonthat is really f'd up.22:09
gyeeya thing? :)22:09
bknudsonmaybe we could use some kind of dual-inheritance22:09
* morganfainberg marks another line in the sand of why oslo-incubator is bad.22:09
morganfainbergbknudson: might work.22:09
morganfainberghaven't tried catching a dual inherited exception before22:10
* gyee pees on that line to make sure it's really visible22:10
bknudsonalternatively, we mess with our oslo-incubator copy22:12
*** henrynash has joined #openstack-keystone22:12
*** ChanServ sets mode: +v henrynash22:12
bknudsonsince we hate it so much, make apiclient use new exceptions, too.22:12
bknudsonand forget about syncing22:12
morganfainbergbknudson: is there anything we benefit from in keeping oslo-incubator anything22:14
*** jasonsb_ has joined #openstack-keystone22:14
bknudsonmorganfainberg: backwards-compat22:14
morganfainbergno i mean break it and never sync again22:14
morganfainbergwasn't clear22:14
morganfainbergfor keystoneclient22:14
bknudsonall this stuff is deprecated already22:14
morganfainbergok so lets just break it, never sync it again - and work hard to make it disappear22:15
morganfainbergbreak = local changes22:15
bknudsonI'll take a look at it.22:15
morganfainbergas needed.22:15
morganfainbergbknudson: sounds good22:16
*** jasonsb has quit IRC22:16
*** haneef_ has quit IRC22:16
*** mylu has quit IRC22:16
*** mylu has joined #openstack-keystone22:17
gyeeyou mean like fix it anywhere else?22:18
bknudsongyee: everywhere else will have to fix eventually, since it's deprecated22:18
bknudsongyee: but for now, what I'll do is make keystoneclient/openstack/common/apiclient/exceptions.py point to keystoneclient.exceptions instead of the other way around22:19
gyeebknudson, k, but do we need to file a bug for ceilometer to make them aware?22:20
*** jecarey has quit IRC22:20
bknudsongyee: a bug makes sense. they're using deprecated function and need to change sometime.22:20
*** HT_sergio has quit IRC22:21
*** gordc has quit IRC22:22
morganfainbergbknudson: ++22:22
*** spandhe_ has joined #openstack-keystone22:23
*** spandhe has quit IRC22:23
*** spandhe_ is now known as spandhe22:23
*** stevemar has joined #openstack-keystone22:24
*** ChanServ sets mode: +v stevemar22:24
*** sigmavirus24 is now known as sigmavirus24_awa22:25
*** Guest83501 has quit IRC22:36
*** tsymancz1k has joined #openstack-keystone22:36
*** roxanaghe has quit IRC22:39
*** stevemar has quit IRC22:39
*** boris-42 has quit IRC22:40
*** bknudson has quit IRC22:44
*** mylu has quit IRC22:46
*** mylu has joined #openstack-keystone22:47
*** henrynash has quit IRC22:56
*** zzzeek has quit IRC23:02
*** mylu has quit IRC23:11
*** jaosorior has quit IRC23:14
*** rm_work|away is now known as rm_work23:16
*** david-lyle has quit IRC23:18
*** piyanai has quit IRC23:19
*** dims_ has quit IRC23:23
*** piyanai has joined #openstack-keystone23:26
openstackgerritMerged openstack/python-keystoneclient: Proper deprecation for HTTPClient session and adapter properties  https://review.openstack.org/20580623:27
*** piyanai has quit IRC23:32
*** boris-42 has joined #openstack-keystone23:37
*** topol has quit IRC23:39
*** dims has joined #openstack-keystone23:47
*** jamielennox|away is now known as jamielennox23:50
*** zzzeek has joined #openstack-keystone23:51
openstackgerritguang-yee proposed openstack/keystonemiddleware: Enforce endpoint constraint  https://review.openstack.org/17766123:52
*** zzzeek has quit IRC23:56

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!