Wednesday, 2015-08-19

gyeedstanek, ++00:00
gyeesamueldmq, hi!00:00
gyeesamueldmq, looks like there are people out there customize their policy.json!00:00
samueldmqgyee, do you have some news ? had the opportunity to talk to them for the policy stuff ?00:01
gyeeand they seem to be OK for the policy to out-of-sync during upgrade00:01
samueldmqgyee, hmm..00:01
gyeefor a little while till upgrade is completed00:01
samueldmqgyee, upgrade = update ?00:01
samueldmqgyee, when updating the policies ?00:01
samueldmqgyee, how long is a little?00:01
samueldmqgyee, that's the question hehe00:02
gyeeupdate policies is CMS right now00:02
samueldmqgyee, yes00:02
gyeesamueldmq, it depends00:03
samueldmqgyee, 5 min inconsistency ? 1 min ? just a few seconds?00:03
gyeeeverybody have different risk management00:03
dstanekgyee: the Compatibilizer basically allows you fix an older version of an api00:03
dstanekgyee: see first test here:,cm00:04
gyeedstanek, oh, its like retrofitting00:06
samueldmqgyee, yes I agree, we have develped a solution that presents 0 inconsistency .. however it could pontentially cause the herd problem, depending on the number of real endpoint using a single keystone endpoint id00:06
samueldmqgyee, since we have no control on that ... could we say 5k nova nodes using the same endpoint id ?00:06
*** geoffarnold has quit IRC00:06
dstaneksamueldmq: it *will* cause the thundering herd. the question is how big00:06
gyeesamueldmq, dstanek, right, it will, depending on deployment00:07
samueldmqdstanek, ++ yes, I was talking about hte herd as a big one00:07
gyeebut its a choice for the deployers00:07
*** geoffarnold has joined #openstack-keystone00:07
gyeedepending on their risk tolerance00:07
samueldmqdstanek, but sure, it is always the herd, even if small00:07
samueldmqgyee, what if we documented that well, saying the number of requests that will hit keystone, etc00:08
samueldmqdstanek, ^00:08
gyeedstanek, I still don't get the compatibilizer design, if it needs retrofitting, why can't we bump up the version instead?00:08
samueldmqgyee, dstanek and that would be bad for deployments where there are too many real endpoints for a single keystone endpoing00:08
dstaneksamueldmq: since this is experimental i don't think we should build the big CMS system00:09
dstanekgyee: you need to support current verison -100:10
*** jasonsb has quit IRC00:10
samueldmqdstanek, without that, we should expect (in the worst case) an inconsistency of {policy_timeout} seconds00:10
dstaneksamueldmq: yep00:11
samueldmqdstanek, that can normally be high, like 5 minutes00:11
samueldmqdstanek, but that looks to be too long, doesn't it ? cc gyee00:11
dstaneksamueldmq: i highly doubt anyone will use this in a real productjion deployment so i'm not too worried00:11
samueldmqdstanek, maybe we can find a good timeout which is acceptable for now00:11
*** geoffarnold has quit IRC00:11
*** jasonsb has joined #openstack-keystone00:11
samueldmqdstanek, gyee isn't going to use it ? I thought he was not kidding last week :)00:12
dstaneksamueldmq: my guess is that gyee isn't going to have HP public cloud use it00:12
samueldmqdstanek, about using it in a part of hpcloud00:12
dstanekin my mind the only people using it will be tinkering00:12
gyeedstanek, if it works, why not00:13
dstanekthere's too much risk and almost no value; i don't see how you could make a convincing argument for it00:13
samueldmqas we stated a lot of times, that's just opening the door for other things, like hierarchical roles, etc00:14
samueldmqgoing big now isn't necessarily wrong00:14
gyeeanything have risks :)00:15
dstaneksamueldmq: i'm just saying, from a risk management perspective i don't know how you can make the argument for it00:15
dstaneksamueldmq: i realize that it enables things in the future, but those things are in the future :-)00:15
samueldmqgyee, ++ I'd be able to create a large test for it .. like 1k nodes using the same endpoint_id ? but I am not sure I have the infrastructure for it00:16
samueldmqbtw, benchmarking tests are planned, as stated in the spec :)00:16
dstaneksamueldmq: so no matter what you do it will be possible for the policies to be out of sync for up to that timeout00:16
samueldmqdstanek, yeah, but for now it buys the policy update/distribution thing00:16
dstaneksamueldmq: not that starts getting into race condition territory, but will likely happen00:17
samueldmqdstanek, if people want  it, they will use it, if not, they will use it anyway (in the future)00:17
samueldmqdstanek, but in the approach we are reducing the risk as much as we can00:17
dstaneksamueldmq: all you need is 1 node and ab to see what'll happen on the keystone side00:17
samueldmqdstanek, ab?00:18
dstanekapache bench00:18
dstaneksamueldmq: we are basically making a pull based CMS, which is unfortunate00:18
dstanekif being in sync really matters then the timeout should be much lower than 5 minutes00:19
gyeehow about we pull smarter? like tell the clients to fetch new policy on token validation?00:20
gyeeinstead of pulling at an interval00:21
gyeefixed interval00:21
samueldmqgyee, it isn't a fixed interval, middleware only pulls when a request hits it00:21
samueldmqgyee, if that makes sense to what you just said ..00:21
gyeelike have a special header on token validation which telling middleware its time to fetch new policy00:22
*** shadower has quit IRC00:23
*** shadower has joined #openstack-keystone00:23
dstanekthere is just so many things that can go wrong :-(  i'm not trying to stop this - i have done lots of caching in the past and it's a hard problem00:23
gyeebut still can't avoid DB hit00:23
gyeethe DB hit worries me00:23
samueldmqdstanek, what would be the alternative to what we are proposing ?00:26
samueldmqdstanek, keystone wouldn't control the policy freshness ? just the middleware knows when its time to fetch?00:26
gyeehis alternative is CMS :)00:28
gyeestatus quote00:28
dstaneksamueldmq: not entirely sure - i haven't thought about the problem enough00:28
dstanekgyee: my off the cuff would be to lower the policy freshness to the longer a deployment can live with it being out of sync and deal with the extra hits using an intermediary00:29
samueldmqso I see 2 alternatives: 1) we do the best we can and document well in what cases issues can be hit00:29
samueldmq2) don't to anything at all = CMS00:29
jasonsbbreton: i made some progress00:30
gyeeif we can figure out how to avoid DB hits and found a way to notify the Keystone instances on new policy update, that would be awesomer00:30
dstaneksamueldmq: in you current code where do you make a new cache DB record?00:31
jasonsbbreton: i don't know the minimal set of changes to make things work but i can whittle it down00:31
samueldmqdstanek, just a sec00:31
jasonsbbreton: nova and manila are still giving problems but glance, neutron, designate, and i think heat are ok00:31
dstanekgyee: to avoid DB hits you could write the cached files to disk instead of a table00:31
gyeedstanek, you kidding right?00:32
dstanekgyee: but you need a second copy in samueldmq's paradihm00:32
samueldmqdstanek, gyee L 237 - 250
dstanekgyee: nope, you need two copies00:32
gyeedstanek, I have multiple Keystone instance behind an LB00:32
samueldmqdstanek, there are 2 entities : one where the updates occur i nthemeantime ii) the other that is delivered, and which is consistent in the time between timeouts00:33
dstaneksamueldmq: doesn't that mean that if someone hits the endpoint at the exact time it expires then they'll get a max-age 0?00:33
samueldmqgyee, ^00:33
*** btully has quit IRC00:34
*** roxanaghe has quit IRC00:34
dstanekgyee: does that make sense?00:34
samueldmqdstanek, if so just need to change the < 0 comparisons to <= 000:35
samueldmqdstanek, but basically yes; if someone hits keystone when only 10 seconds left00:35
samueldmqdstanek, the policy will be valid for only 10 seconds00:35
*** shoutm has quit IRC00:36
dstaneksamueldmq: 1 corner case of many00:36
samueldmqdstanek, the 0 freshness ?00:36
*** shoutm has joined #openstack-keystone00:37
samueldmqdstanek, I don't see too many of them .. the time comparison is simple there :/00:37
dstaneksamueldmq: actually i have the best idea ever00:37
samueldmqdstanek, tell me00:37
dstanekwe can treat the .json file just like you do with images - let apache serve it up00:37
dstanekapache can do 1000s of requests per second on static files without blinking an eye00:38
gyeebut keystone is running in apache00:39
*** _cjones_ has quit IRC00:39
dstanekgyee: yep00:39
dstanekgyee: this is how you run any website using a dynamic framework. you have apache serve anything in /images, for instance00:40
gyeeare the files live in NFS?00:40
gyeeshared across all instances?00:41
dstanekgyee: nope you'd have keystones drop it to disk when they need to00:41
gyeenot sure if I get it, each instance will have to drop the file to disk no?00:43
*** jasonsb has quit IRC00:43
dstanekgyee: right, at the same point where they are currently adding to the database00:43
*** jasonsb has joined #openstack-keystone00:44
* samueldmq isn't getting that .. maybe the lack of understanding on how cinder works :/00:44
gyeebut the file is *local* to an instance, and the database transaction can happen at any instance00:44
gyeehow does the others get notified?00:44
samueldmqso we basically put in a shared storage ? and delegate te task o f distribution00:45
* gyee needs to read cinder code too00:45
*** dims has joined #openstack-keystone00:46
dstanekwhat does cinder have to do with anything?00:46
gyeeI thought you mentioned it works just like cinder00:46
gyeeso I didn't know it manage images in an HA environment00:47
dstanekgyee: no images as in logo.png00:47
*** dims_ has quit IRC00:47
samueldmqdstanek, me too, I though you said images ..00:47
samueldmqdstanek, gyee oh that's glance00:48
dstaneki did. i mentioned websites!00:48
*** jasonsb has quit IRC00:48
dstaneksamueldmq: i don't get,cm00:48
dstanekyou look for the policy first before looking in the cache?00:49
samueldmqdstanek, the manager uses driver.get_policy_cache()00:49
samueldmqdstanek, if that is a not found, maybe the policy was never cached before, then cache it and return, using driver.cache_policy()00:50
samueldmqwhen calling the cache_policy(); if the policy doesn't exist in the main table: not found00:50
dstaneksamueldmq: in cache_policy it looks up the policy and if it doesn't find it it looks in the cache. i don't understand why00:51
samueldmqdstanek, in that method it will only get a policy from the main table, and put a copy in the cache table00:52
samueldmqdstanek, adding the valid_to field00:52
dstanekgyee: right now the way this works is that each thread on each keystone instance that is hit at exactly the time of expiration will try to update the cache in the database00:52
dstanekgyee: i was just saying that each instance could just use the disk instead of DB00:52
dstanekgyee: then apache could serve it up00:52
samueldmqdstanek, in the except, I get the cached policy to delete it (in the case the main policy doesn't exist anymore)00:53
gyeedstanek, I see00:53
gyeedstanek, good idea!00:53
dstaneksamueldmq: ah, i see00:53
dstaneki'll make sure i never say images around you guys again :-)00:53
samueldmqdstanek, :) that code is cool00:53
dstanekmaybe just web assets00:53
gyeedstanek, I was think Sports Illustrated Swimmer edition00:54
gyeethose images00:54
gyeek man, gotta run before trouble catches me :)00:55
*** gyee has quit IRC00:55
samueldmqdstanek, hehe00:56
*** dims has quit IRC00:56
*** dims has joined #openstack-keystone00:56
*** piyanai has joined #openstack-keystone00:57
*** shaleh has quit IRC00:59
*** piyanai has quit IRC01:02
*** darrenc is now known as darrenc_afk01:07
*** hideme has joined #openstack-keystone01:10
*** ankita_w_ has quit IRC01:12
*** _hrou_ has joined #openstack-keystone01:13
*** hrou has quit IRC01:14
*** davechen has joined #openstack-keystone01:16
*** browne has quit IRC01:18
*** darrenc_afk is now known as darrenc01:21
*** dave-mccowan has quit IRC01:36
*** haneef_ has quit IRC01:43
*** dsirrine has quit IRC01:45
*** ankita_wagh has joined #openstack-keystone01:48
openstackgerritHenrique Truta proposed openstack/keystone: Unit tests for is_domain field in project's table
*** piyanai has joined #openstack-keystone02:14
openstackgerritBrant Knudson proposed openstack/keystone: Enable bandit check for password_config_option_not_marked_secret
openstackgerritBrant Knudson proposed openstack/keystone: Bandit config updates
*** dsirrine has joined #openstack-keystone02:18
*** ankita_wagh has quit IRC02:22
*** topol has joined #openstack-keystone02:23
*** ChanServ sets mode: +v topol02:23
*** dsirrine has quit IRC02:24
*** jasonsb has joined #openstack-keystone02:28
*** samueldmq has quit IRC02:29
openstackgerritHaneef Ali proposed openstack/keystone: Return correct URL in /v3 version response
*** topol has quit IRC02:32
*** geoffarnold has joined #openstack-keystone02:35
*** geoffarnold has quit IRC02:36
*** geoffarnold has joined #openstack-keystone02:38
*** narengan has joined #openstack-keystone02:43
*** piyanai has quit IRC02:47
*** fangzhou has quit IRC02:47
*** hakimo_ has joined #openstack-keystone02:52
*** mylu has joined #openstack-keystone02:54
*** hakimo has quit IRC02:54
*** piyanai has joined #openstack-keystone02:55
*** _hrou_ is now known as hrou02:55
*** dims has quit IRC02:55
*** tiny-hands has quit IRC02:59
*** dave-mccowan has joined #openstack-keystone03:00
*** narengan has quit IRC03:04
*** narengan_ has joined #openstack-keystone03:04
*** narengan_ has quit IRC03:09
*** browne has joined #openstack-keystone03:10
openstackgerritRen Qiaowei proposed openstack/keystone: Add necessary executable permission
*** topol has joined #openstack-keystone03:12
*** ChanServ sets mode: +v topol03:12
*** narengan has joined #openstack-keystone03:14
*** tiny-hands has joined #openstack-keystone03:16
*** topol has quit IRC03:16
*** rodrigods has quit IRC03:16
*** tellesnobrega has quit IRC03:17
openstackgerritHenrique Truta proposed openstack/keystone: Manager support for projects acting as domains
*** piyanai has quit IRC03:17
*** rodrigods has joined #openstack-keystone03:19
*** tellesnobrega has joined #openstack-keystone03:20
*** annasort has quit IRC03:24
*** dikonoor has joined #openstack-keystone03:26
*** raginbajin has quit IRC03:27
*** tellesnobrega has quit IRC03:28
*** boltR has quit IRC03:28
*** boltR has joined #openstack-keystone03:29
*** raginbajin has joined #openstack-keystone03:29
*** tellesnobrega has joined #openstack-keystone03:30
*** kiran-r has joined #openstack-keystone03:36
*** kiran-r has quit IRC03:36
*** Navid_ has joined #openstack-keystone03:45
*** ankita_wagh has joined #openstack-keystone03:45
*** shoutm has quit IRC03:45
*** Navid_ has quit IRC03:51
openstackgerritHenrique Truta proposed openstack/keystone: Change project name constraints
openstackgerritHenrique Truta proposed openstack/keystone: Add is_domain parameter to get_project_by_name
*** mylu has quit IRC03:54
*** ankita_wagh has quit IRC03:55
*** shoutm has joined #openstack-keystone03:56
*** ankita_wagh has joined #openstack-keystone03:56
*** lhcheng has joined #openstack-keystone03:57
*** ChanServ sets mode: +v lhcheng03:57
openstackgerritSteve Martinelli proposed openstack/keystone: update links in http-api to point to specs repo
*** ayoung has quit IRC04:05
*** dave-mccowan has quit IRC04:07
*** raginbajin has quit IRC04:10
*** narengan has quit IRC04:11
*** narengan has joined #openstack-keystone04:11
*** narengan has quit IRC04:16
*** tellesnobrega has quit IRC04:19
*** dikonoor has quit IRC04:24
*** mylu has joined #openstack-keystone04:24
*** hafe has joined #openstack-keystone04:25
*** raginbajin has joined #openstack-keystone04:28
*** tellesnobrega has joined #openstack-keystone04:28
*** hafe has quit IRC04:51
*** hafe has joined #openstack-keystone04:54
*** hrou has quit IRC04:55
*** vivekd has joined #openstack-keystone05:01
*** topol has joined #openstack-keystone05:04
*** ChanServ sets mode: +v topol05:04
*** topol has quit IRC05:15
*** boltR has quit IRC05:17
*** mylu has quit IRC05:18
*** boris-42 has quit IRC05:20
*** lhcheng_ has joined #openstack-keystone05:24
*** mylu has joined #openstack-keystone05:25
*** lhcheng has quit IRC05:27
*** vivekd has quit IRC05:28
*** vivekd_ has joined #openstack-keystone05:28
*** vivekd_ is now known as vivekd05:28
*** mylu has quit IRC05:29
*** boltR has joined #openstack-keystone05:30
*** ankita_w_ has joined #openstack-keystone05:41
lhcheng_jamielennox: I just catched up with the meeting log, about the websso BP, do you think we can get that a week before end of L3?  (1 week from now)05:45
*** ankita_wagh has quit IRC05:45
lhcheng_jamielennox: to make that feature complete, have to make changes on django_openstack_auth and horizon too05:45
lhcheng_and doa needs to get released too before we can push the horizon changes :(05:46
lhcheng_it is going to be really tight..05:47
jamielennoxlhcheng_: it is going to be really tight05:48
jamielennoxi think if it's not ready for +a by next meeting it won't happen05:48
jamielennoxand i spent most of the day working on the environment rather than the code, hoping i'll get some more done later05:49
lhcheng_okay, once we have some patch up in keystone, can probably start working on doa in parallel.05:51
jamielennoxlhcheng_: i'll let you know, but we'll probably have to do DOA patches at the same time just to ensure it works05:55
*** claudiub has joined #openstack-keystone05:56
*** afazkas has joined #openstack-keystone06:06
*** mylu has joined #openstack-keystone06:12
*** geoffarnold has quit IRC06:15
*** mylu has quit IRC06:16
*** geoffarnold has joined #openstack-keystone06:16
*** vivekd has quit IRC06:17
*** urulama has quit IRC06:17
*** urulama has joined #openstack-keystone06:18
*** lsmola has joined #openstack-keystone06:21
*** Qlawy has joined #openstack-keystone06:31
*** lhcheng_ has quit IRC06:40
bretongood morning, keystone!06:41
*** browne has quit IRC06:48
*** woodster_ has quit IRC06:49
*** jlvillal has quit IRC06:58
*** jlvillal has joined #openstack-keystone06:58
*** kiran-r has joined #openstack-keystone07:06
*** Nirupama has joined #openstack-keystone07:08
*** ajayaa has joined #openstack-keystone07:10
*** urulama has quit IRC07:12
*** urulama has joined #openstack-keystone07:13
*** sileht has joined #openstack-keystone07:15
*** mylu has joined #openstack-keystone07:16
*** yottatsa has joined #openstack-keystone07:19
*** mylu has quit IRC07:21
*** henrynash has joined #openstack-keystone07:22
*** ChanServ sets mode: +v henrynash07:22
*** belmoreira has joined #openstack-keystone07:28
*** kiran-r has quit IRC07:29
*** kiran-r has joined #openstack-keystone07:33
*** ankita_w_ has quit IRC07:41
*** fhubik has joined #openstack-keystone07:58
*** boris-42 has joined #openstack-keystone07:58
*** tsubic has joined #openstack-keystone07:59
openstackgerritSean Perry proposed openstack/keystone: Fix exception within exception handler for xmlsec1
*** yottatsa has quit IRC08:09
*** yottatsa has joined #openstack-keystone08:19
*** markvoelker has quit IRC08:22
*** lhcheng has joined #openstack-keystone08:23
*** ChanServ sets mode: +v lhcheng08:23
*** fhubik_ has joined #openstack-keystone08:33
*** jistr has joined #openstack-keystone08:34
*** fhubik_ has quit IRC08:35
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements
*** fhubik has quit IRC08:37
*** shoutm has quit IRC08:40
*** fhubik has joined #openstack-keystone08:41
*** fhubik is now known as fhubik_brb08:46
*** kiran-r has quit IRC08:49
*** fhubik_brb is now known as fhubik08:52
*** fhubik is now known as fhubik_brb08:52
*** aix has joined #openstack-keystone08:54
*** yottatsa has quit IRC09:05
*** vivekd has joined #openstack-keystone09:11
*** fhubik_brb is now known as fhubik09:13
*** markvoelker has joined #openstack-keystone09:23
*** lhcheng has quit IRC09:26
*** markvoelker has quit IRC09:28
*** kiran-r has joined #openstack-keystone09:34
*** pnavarro has joined #openstack-keystone09:34
*** _kiran_ has joined #openstack-keystone09:40
*** fangzhou has joined #openstack-keystone09:41
*** kiran-r has quit IRC09:41
*** davechen has left #openstack-keystone09:43
*** _kiran_ is now known as kiran-r09:53
*** kiran-r has quit IRC09:53
*** kiran-r has joined #openstack-keystone09:54
*** mylu has joined #openstack-keystone09:58
*** mylu has quit IRC10:02
*** piyanai has joined #openstack-keystone10:05
*** dolphm has quit IRC10:05
*** sigmavirus24_awa has quit IRC10:06
*** eglute has quit IRC10:06
*** miguelgrinberg has quit IRC10:07
*** d34dh0r53 has quit IRC10:07
*** miguelgrinberg has joined #openstack-keystone10:08
*** eglute has joined #openstack-keystone10:08
*** belmoreira has quit IRC10:08
*** d34dh0r53 has joined #openstack-keystone10:08
*** dolphm has joined #openstack-keystone10:09
*** fhubik is now known as fhubik_brb10:09
*** belmoreira has joined #openstack-keystone10:09
*** sigmavirus24_awa has joined #openstack-keystone10:10
*** Guest62465 has quit IRC10:12
*** jacorob has quit IRC10:12
*** jacorob has joined #openstack-keystone10:14
*** blewis has joined #openstack-keystone10:14
*** blewis is now known as Guest777010:14
*** belmoreira has quit IRC10:14
*** belmoreira has joined #openstack-keystone10:15
*** asselin_ has quit IRC10:16
*** shoutm has joined #openstack-keystone10:18
*** _kiran_ has joined #openstack-keystone10:23
*** kiran-r has quit IRC10:24
openstackgerritNikita Konovalov proposed openstack/python-keystoneclient: Fix logging of binary contentent in request
*** _kiran_ has quit IRC10:29
*** yottatsa has joined #openstack-keystone10:38
*** kiran-r has joined #openstack-keystone10:43
*** _kiran_ has joined #openstack-keystone10:45
*** _kiran_ has quit IRC10:45
*** _kiran_ has joined #openstack-keystone10:45
*** _kiran_ has quit IRC10:46
*** _kiran_ has joined #openstack-keystone10:47
*** belmoreira has quit IRC10:48
*** kiran-r has quit IRC10:48
*** _kiran_ has quit IRC10:48
*** kiran-r has joined #openstack-keystone10:49
*** dims has joined #openstack-keystone10:56
openstackgerrithenry-nash proposed openstack/keystone: Rationalize unfiltered list role assignment test
openstackgerrithenry-nash proposed openstack/keystone: Add support for data-driven backend assignment testing
*** shoutm has quit IRC11:01
*** dims_ has joined #openstack-keystone11:03
*** urulama has quit IRC11:05
*** urulama has joined #openstack-keystone11:05
*** doug-fish has joined #openstack-keystone11:07
*** dims has quit IRC11:07
openstackgerrithenry-nash proposed openstack/keystone: Add support for data-driven backend assignment testing
*** hafe has quit IRC11:10
*** lhcheng has joined #openstack-keystone11:15
*** ChanServ sets mode: +v lhcheng11:15
*** lhcheng has quit IRC11:19
*** boris-42 has quit IRC11:20
*** markvoelker has joined #openstack-keystone11:24
*** shoutm has joined #openstack-keystone11:26
*** hafe has joined #openstack-keystone11:27
*** markvoelker has quit IRC11:28
*** dims has joined #openstack-keystone11:29
*** tiny-hands has quit IRC11:29
*** dims_ has quit IRC11:31
*** dims_ has joined #openstack-keystone11:31
*** gordc has joined #openstack-keystone11:33
*** dims has quit IRC11:34
*** Kiall_ is now known as Kiall11:34
*** hafe has quit IRC11:35
*** fhubik_brb is now known as fhubik11:36
*** doug-fish has quit IRC11:54
*** sbezverk has quit IRC11:58
*** mylu has joined #openstack-keystone11:59
*** mylu has quit IRC12:03
*** afazkas has quit IRC12:04
*** doug-fish has joined #openstack-keystone12:05
*** dave-mccowan has joined #openstack-keystone12:06
*** samueldmq has joined #openstack-keystone12:12
*** raildo-afk is now known as raildo12:14
*** belmoreira has joined #openstack-keystone12:19
*** belmoreira has quit IRC12:19
*** chlong has joined #openstack-keystone12:26
*** piyanai has quit IRC12:27
*** edmondsw has joined #openstack-keystone12:27
*** piyanai has joined #openstack-keystone12:31
*** markvoelker has joined #openstack-keystone12:40
*** dsirrine has joined #openstack-keystone12:43
*** fhubik is now known as fhubik_brb12:52
*** fhubik_brb is now known as fhubik12:58
*** topol has joined #openstack-keystone12:58
*** ChanServ sets mode: +v topol12:58
*** tiny-hands has joined #openstack-keystone13:01
*** Nirupama has quit IRC13:04
*** lhcheng has joined #openstack-keystone13:04
*** ChanServ sets mode: +v lhcheng13:04
*** doug-fish has quit IRC13:06
*** lhcheng has quit IRC13:08
*** petertr7_away is now known as petertr713:11
*** hrou has joined #openstack-keystone13:11
*** hafe has joined #openstack-keystone13:19
*** doug-fish has joined #openstack-keystone13:21
*** doug-fish has quit IRC13:21
*** doug-fish has joined #openstack-keystone13:22
*** doug-fish has quit IRC13:22
*** doug-fish has joined #openstack-keystone13:23
*** topol_ has joined #openstack-keystone13:23
*** ChanServ sets mode: +v topol_13:23
*** doug-fis_ has joined #openstack-keystone13:24
*** yottatsa has quit IRC13:26
*** topol has quit IRC13:26
*** urulama has quit IRC13:27
*** doug-fish has quit IRC13:28
*** urulama has joined #openstack-keystone13:28
*** lhcheng has joined #openstack-keystone13:28
*** ChanServ sets mode: +v lhcheng13:28
*** dims_ has quit IRC13:29
*** vivekd has quit IRC13:29
*** dims has joined #openstack-keystone13:29
*** lhcheng has quit IRC13:33
*** hafe has quit IRC13:34
*** jecarey has joined #openstack-keystone13:42
*** topol_ has quit IRC13:42
*** topol has joined #openstack-keystone13:42
*** ChanServ sets mode: +v topol13:42
*** kiran-r has quit IRC13:42
henrynashwhat’s with the adding of these dependencies in tox.ini….my VM sizes keep getting blown…up 16Gb in the last week or so....13:47
*** HT_sergio has joined #openstack-keystone13:52
*** fhubik has quit IRC13:56
*** fhubik has joined #openstack-keystone13:56
*** ngupta has joined #openstack-keystone13:58
*** doug-fish has joined #openstack-keystone14:00
samueldmqanyone up for a random policy thought ?14:00
*** ChanServ sets mode: +o dolphm14:00
samueldmqhenrynash, you mean your .tox dir taking up to 16Gb ?14:01
*** ngupta has quit IRC14:02
*** doug-fis_ has quit IRC14:03
*** ngupta has joined #openstack-keystone14:04
*** piyanai has quit IRC14:04
dstanekhenrynash: you there?14:05
henrynashdtsanek: just on phone, brb14:06
dstanekhenrynash: np14:06
samueldmqdstanek, henrynash
samueldmqdstanek, henrynash this is how I see the policy format to fit our needs .. including endpoint_constraint enforcement, scoping everything, global admin (backwards compat)14:07
*** ajayaa has quit IRC14:08
henrynashdstanek: hi14:08
dstanekhenrynash: quick question.. in why do you need to override the test methods?14:09
dstanekhenrynash: i would test it now, but i need to finish this change in my working dir14:09
*** shoutm has quit IRC14:10
*** petertr7 is now known as petertr7_away14:10
henrynashdtstanek: so if the assignment engine is LDAP, then domain roles are not supported…but some of the classes in are for LDAP Identity with SQL Assignment…hence for those I re-nable the test14:10
dstanekhenrynash: i can see why you have to do that for the one where you catch notimplemented. did you do the others for consistency?14:11
henrynashdtsanek: well, for those they DON’T throw the execption…so if you don’t override the override, it would rail (since it was expecting an exception)14:12
*** boris-42 has joined #openstack-keystone14:15
*** doug-fish has quit IRC14:17
*** doug-fish has joined #openstack-keystone14:19
*** jecarey has quit IRC14:21
*** edmondsw has quit IRC14:22
dstanekhenrynash: i think i have to try this out locally. since it's only calling the parent i wouldn't expect it to be needed14:22
*** sigmavirus24_awa is now known as sigmavirus2414:22
*** afaranha has joined #openstack-keystone14:23
*** afaranha has left #openstack-keystone14:23
*** dave-mccowan has quit IRC14:24
henrynashdstaneK: I did struggle a bit with it - so great if you can find an easier way14:25
dolphmwe really need a couple reviews on this -- it's testing for a reported security vulnerability that i wasn't able to reproduce
*** csoukup has joined #openstack-keystone14:27
*** doug-fish has quit IRC14:28
*** doug-fish has joined #openstack-keystone14:29
*** browne has joined #openstack-keystone14:29
dstanekdolphm: lgtm14:32
*** doug-fish has quit IRC14:32
*** doug-fish has joined #openstack-keystone14:32
*** mflobo has joined #openstack-keystone14:33
mflobohi there, question, is openstack-keystone ready for project metadata deletion?14:34
samueldmqdolphm, since admin and public APIs are different in v2, would it be worth it to test the tenant list in both ?14:35
*** edmondsw has joined #openstack-keystone14:37
*** doug-fish has quit IRC14:37
*** fhubik has quit IRC14:37
*** dave-mccowan has joined #openstack-keystone14:38
dolphmsamueldmq: doubtful; the contents of the tenant list isn't important, it's just an arbitrary call to make to trigger the authorization check14:38
*** doug-fish has joined #openstack-keystone14:38
*** petertr7_away is now known as petertr714:40
*** narengan has joined #openstack-keystone14:43
*** zzzeek has joined #openstack-keystone14:43
*** jecarey has joined #openstack-keystone14:48
*** jorge_munoz has joined #openstack-keystone14:48
*** ngupta has quit IRC14:48
*** mylu has joined #openstack-keystone14:49
*** terrylhowe has joined #openstack-keystone14:59
*** terrylhowe has left #openstack-keystone15:00
*** geoffarnold has quit IRC15:01
*** dims has quit IRC15:01
*** dims has joined #openstack-keystone15:01
samueldmqdolphm, yes, makes sense. I made some other tests and your change looks good15:01
dolphmsamueldmq: cool15:01
*** ngupta has joined #openstack-keystone15:01
samueldmqdolphm, if the request is stopped by the policy, do we return 401 as well ?15:02
dolphmlbragstad: "Rackspace Cloud Support Update to: Announcing Authenticated Encrypted Tokens" i see that no one contacted marketing on that one15:02
dolphmsamueldmq: that should be a 403, i believe15:02
*** dims_ has joined #openstack-keystone15:05
*** dims has quit IRC15:06
henrynashbknudson: ping15:09
bknudsonhenrynash: what's up?15:09
henrynashbknudson: so these extras being added to tox.ini....15:10
samueldmqdolphm, yes it is 403, however I didn't know we didn't apply policy checks for v2.0 API15:10
samueldmqdolphm, that's expected, right ?15:10
bknudsonhenrynash: they were moved from test-requirements.txt to tox.ini15:10
dolphmsamueldmq: only for "is_admin"15:10
henrynashbknduson: the result is my disk space is exploding….up 16GB with the ldap, memchache and mongo changes…15:10
*** bdossant has joined #openstack-keystone15:10
henrynashbknduson: is that expected?15:10
bknudsonhenrynash: no, that's not expected.15:11
bknudsonhenrynash: in your /opt/stack/keystone directory?15:11
bknudson411M    .tox15:11
dolphmbknudson: henrynash: i think i'm seeing that too... it's taking forever to tox -r right now15:12
henrynashbknudson: i’m not actually sure- I’ll have to try and work out where the extra usage is comeing from…but me development VMs were 35GB …teh LDAP thing added 5G-10G and I had to rebuild them all to 50GB …not that has blown with memcahce/mongo changes15:12
dstanekhenrynash: nothing actually changed - the deps were just moved to a new location15:13
bknudsonthere shouldn't be any difference in the packages required... they were all required before.15:13
dstanekmy .tox is 853M15:13
henrynashbknduson: will all teh dependencies that get installed how up inside the .tox dir?  I assume tehy should…15:14
dstanekdolphm: i think your problem is that tox is now stupid15:14
dstanekhenrynash:  this is my "du -sh .tox/*" what does yours look like?15:15
dolphmi'm actually upgrading to tox 2.1.1 from 2.0.215:15
dolphmbecause 2.0.2 just failed to -r -e py2715:15
dstaneki'm on 2.1.1 currently15:15
henrynashdstanek: unfirtuantely I totally ran out of space and am in the middle to resizing my disk…so need to let that finish..then I’ll get it for you15:15
dstanekhenrynash: k15:16
bknudsonhenrynash: your .tox isn't even 1 GB15:17
henrynashdolphm: yeah, I thinl you may need the 2.1.1 version…I had earlier problems with older verions15:17
bknudsonmaybe it's the pip cache?15:17
bknudsonor .testrepository?15:18
henrynashbknduson: so I can’t look until I finish the dsik resize…..teh pip cache is a possibility…15:18
samueldmqdolphm, k got it, +1'd15:19
bknudson194M    /home/bknudson/.cache/pip15:19
bknudsonso that's not very big on my system either15:19
*** dims_ has quit IRC15:19
*** dims has joined #openstack-keystone15:19
dolphmhenrynash: my disk is full :(15:20
henrynashdolphm: sounds familiar….15:21
dolphmhenrynash: i have 3-4 GB directories in /tmp/pip-*-build/15:21
henrynashdolpm: as soon as i get my disk back, I’ll check!15:22
bknudson571M    /tmp/pip-zcmpuoeo-build/15:22
*** pnavarro has quit IRC15:22
bknudsonI've got one of those15:22
bknudsonpip 7.1.0 from /usr/local/lib/python2.7/dist-packages (python 2.7)15:22
dstaneki don't have anything like that15:23
henrynashi’m gonna guess mine will look simialr15:24
*** doug-fish has quit IRC15:24
dolphmbknudson: what version of tox are you using?15:24
dstaneki'm also running pip 7.1.015:24
bknudson2.0.1 imported from /usr/local/lib/python2.7/dist-packages/tox/__init__.pyc15:24
*** doug-fish has joined #openstack-keystone15:24
dstanekdolphm: what is you venv build failing on? you may need the updated pbr15:25
*** Ephur has quit IRC15:25
dolphmdstanek: out of disk space15:25
bknudsonpbr 1.2.115:25
dstanekthat'll do it15:25
*** yottatsa has joined #openstack-keystone15:25
dolphmif it's succeeding at all, tox -r is also *very* slow now15:25
dolphmeven after nuking /tmp15:26
*** petertr7 is now known as petertr7_away15:26
bknudsonwhat tox are you running?15:26
bknudsonoh, 2.0.215:26
dolphmbknudson: i was using tox 2.0.2, but trying again with tox 2.1.1 after clearing /tmp15:26
dstanektox -r has always been pretty slow for me - but now it's just slow ingeneral15:26
dolphmdstanek: yeah, but this a magnitude slower for me, at least (although i haven't seen it succeed yet either)15:27
*** petertr7_away is now known as petertr715:27
*** vivekd has joined #openstack-keystone15:27
dstanekdolphm: how long does it take to build a venv?15:27
openstackgerritMehdi Abaakouk (sileht) proposed openstack/keystonemiddleware: Allow to use oslo.config without global CONF
bknudsonI upgraded to tox 2.1.1 and no tmp files left around and it was also not slow15:29
*** phalmos has joined #openstack-keystone15:31
dolphmdstanek: when i build one, i'll let you know..15:31
dstaneklol, ok15:31
dolphmi'm thinking about going to the grocery store while i wait15:31
dolphmthe internet at castle went offline a bit ago too15:32
bknudsontox -e pep8 took 0m57.425s on my system15:32
dstanekdolphm: is castle in a timeout?15:32
dolphmdstanek: yep! they're sending support rackers home immediately to VPN in, because that's working15:33
henrynashdolphm: ouch!15:34
dolphmdstanek: and they can't change the incident management lights in the building to red because those are apparently networked to a downed network15:34
*** mylu has quit IRC15:34
bknudsoncode red!15:36
bknudsonaction stations!15:36
dstanekhaha, sounds like trouble15:37
*** bdossant has quit IRC15:38
*** yottatsa has quit IRC15:44
*** ankita_wagh has joined #openstack-keystone15:45
*** yottatsa has joined #openstack-keystone15:46
*** dims has quit IRC15:49
*** petertr7 is now known as petertr7_away15:49
*** dims has joined #openstack-keystone15:49
henrynashbknduson, dstanek: so I’m build the py27 venc…and the /tmp/pip is 12G an climbing15:50
dolphmdstanek: finally rebuilt two tox environments successfully, and i rebuilt one from 2 weeks ago... it's 25x slower now.15:50
henrynashbknudson, dstanek: it was zero before the build started15:50
henrynashbknudson, dstanek: 18Gb now…wil have to kill it if gets above 20G to avoud disk full again15:52
dstanekhenrynash: what is it in /tmp that's growing?15:53
*** dims_ has joined #openstack-keystone15:53
bknudsonI get a few pip-0PpwV2-build directories in /tmp when building venv but they go away15:53
*** mylu has joined #openstack-keystone15:53
bknudsonalso the size is only 182M15:53
dstanekhenrynash: can you see what's in there?15:54
*** dims has quit IRC15:54
dstanekbknudson: i just built and got a 1.5g tmp dir, but it went away after the build completed15:54
*** yottatsa has quit IRC15:55
bknudsonmy /tmp/pip-W9XnNg-build looks like it contains /opt/stack/keystone...15:55
dstanekbknudson: contains the dir?15:56
dstanektox is installing our code similar to the deps15:56
bknudsondstanek: y, it looks like a copy of /opt/stack/keystone/*15:56
*** yottatsa has joined #openstack-keystone15:57
bknudsonthat's weird.15:57
dolphmhenrynash: with pip 7.1.0 and tox 2.1.1 i'm not seeing any ridiculous disk space utilization15:58
morgan_2549dolphm: my phone won't let me run Python or tox :(15:58
dolphmdstanek: maybe those /tmp directories hang around when builds fail?15:58
* morgan_2549 stops being silly15:58
dolphmmorgan_2549: upgrade your ssh client?15:59
dstanekdolphm: that wouldn't surprise me15:59
henrynashdstanek: inside the /tmp/pip-blablah appears to be a copy of my /opt/stack/keystone15:59
morgan_2549dolphm: hehe15:59
bknudsondolphm: do you get a copy of keystone in /tmp when building venv?15:59
*** phalmos has quit IRC16:00
dolphmdstanek: i assume this is based on cached wheels either way.. but seriously: 28 second build time for -r to ~12 minutes16:00
*** _cjones_ has joined #openstack-keystone16:00
dstanekdolphm: that's odd. mine is only a minute or so16:00
bknudsontox has "-e git://" in the "installed" output16:00
dstaneki think the "extras" change or maybe the newest pbr is the cause for the slowdown when running tests16:01
henrynashI’ve got tox 2.1.1. and pip 7.1.016:01
dolphmbknudson: a few seconds into a build of master as of two weeks ago:
bknudsonhenrynash: what's the size of your /opt/stack/keystone?16:02
henrynashbknduson: ahhhh!   18G (what a surprise!)16:02
dstanekhenrynash: what do you have in there?16:02
henrynashbknudson: bl**dy good question… off to find out what the hell is going on….!16:03
*** kiran-r has joined #openstack-keystone16:03
dstanekhenrynash: check your .testrepository and .tox dirs16:03
*** geoffarnold has joined #openstack-keystone16:03
dstanekdolphm: takes me 58 seconds to build a new env16:04
bknudsonhenrynash: du -h -d 116:04
henrynashdtsanek: you got in one, sir… my .testrepositary is 17.5G16:04
henrynashcd .test*16:04
*** mestery has joined #openstack-keystone16:04
bknudsonthe testr database keeps growing16:04
dstanekjust delete that directory16:05
dolphmlatest master, mid build of -r -e pep8: and
bknudsonnot sure what it's for... I think it allows you to do tox -e py -- --failing16:05
dstanekbknudson: and reporting16:05
dolphmmy .testrepository/ is 3.8 GB too16:05
dolphmbknudson: ++16:05
dstaneki delete mine all of the time since switching between 2.7 and 3.4 is broken16:06
bknudsondstanek: if you to tox -e py34 first then tox -e py27 will work with it16:06
dstanekbknudson: i still had some issues there in the past that were not pickle related16:07
henrynashdstanek. bknudson: I assume i can blow away anything in my .testrepositary ?16:08
bknudsonhenrynash: rm -r it.16:08
bknudsonI usually do that when I rm -r .tox every once in a while16:08
*** jorge_munoz_ has joined #openstack-keystone16:10
henrynashbknduson, dstaneK: ok…that cures the problem for sure…builds happending much faster and not consuming all my disk16:11
*** jorge_munoz has quit IRC16:11
*** jorge_munoz_ is now known as jorge_munoz16:11
*** jorge_munoz has quit IRC16:11
dolphmhenrynash: really? didn't make things faster for me...16:12
henrynashdolphm: ok, well…so I still think it is much slower than before…but a faster than slurping 18Gs around multiple times16:12
*** jorge_munoz has joined #openstack-keystone16:13
*** ayoung has joined #openstack-keystone16:13
*** ChanServ sets mode: +v ayoung16:13
*** mylu has quit IRC16:13
*** vivekd has quit IRC16:14
*** mylu has joined #openstack-keystone16:14
samueldmqayoung, hey16:16
samueldmqayoung, p/16:17
samueldmqayoung, please take a look at this
ayoungI think you are supposed to say "Here I AM"16:17
samueldmqayoung, no need to further explanation, you will get what is there just looking, for sure hehe16:17
samueldmqayoung, ah sorry16:17
samueldmqayoung, Here I AM16:18
*** gyee has joined #openstack-keystone16:20
*** ChanServ sets mode: +v gyee16:20
samueldmqgyee !16:21
*** urulama has quit IRC16:21
ayoungI own rodrigods a review...16:21
*** urulama has joined #openstack-keystone16:22
samueldmqgyee, I was looking at your endpoint constraint change, have something to talk to you, let me know when you have a few minutes16:22
samueldmqayoung, did you get what I was designing in that pad ?16:22
ayoungsamueldmq, yes.  I might want to go even further16:22
samueldmqayoung, sometimes I get convinced that it would be good to have a separate service for policy16:22
samueldmqayoung, we could manipulate all that structure via api's16:22
samueldmqayoung, even further ? hehe :)16:23
ayoungsomething like :  the role has to have an entry, and in there is a set of rule names.16:23
ayoungMake it so there needs to be something that does it like thisL:16:23
gyeesamueldmq, hi!16:23
gyeesamueldmq, I need to rebase16:23
samueldmqgyee, yes16:23
ayoungrole:admin:  "user_create,  user_delete...."16:24
*** petertr7_away is now known as petertr716:24
samueldmqayoung, that's basically inverting the way we define policies, right ?16:24
ayoungthen the policy check makes sure the rule is in one of the role entries.  Then compute:create is just the scope match16:24
samueldmqayoung, role -> api instead of api -> roles16:24
gyeeayoung, at the operators midcycle, seem like read-only role is most desire16:24
gyeesamueldmq ^^^16:25
ayoungsamueldmq, right, but then the role sections can be auto generated with out touching the other rules16:25
samueldmqgyee, what does that mean ?16:25
ayounggyee, yeah, for audit etc16:25
* samueldmq didn't get it16:25
gyeesamueldmq, like observor16:25
gyeewhich have read-only access to the resources16:25
samueldmqgyee, can roles be updated today ?16:26
gyeeright now they have to use the super admin role, which they are not comfortable at all16:26
ayoungsamueldmq, yeah, but not policy files...16:26
samueldmqayoung, in the past I thought about having all the system capabilities registered into keystone automatically by services16:26
samueldmqayoung, them those capabilities (apis) could be added to roles (like you said)16:27
*** _kiran_ has joined #openstack-keystone16:27
samueldmqayoung, and we could generate the policies automatically, on the fly16:27
ayoungsamueldmq, it is the right way to go.16:27
samueldmqayoung, I had synchronized this thoguht with henrynash , he also things this way16:28
samueldmq(at least at the time hehe )16:28
*** ankita_wagh has quit IRC16:28
gyeeright now, defining a new role, and make it effective across services is PITA16:28
samueldmqgyee, pita ?16:28
gyeeits a combination of API and configuration management16:28
samueldmqgyee, sorry .. hehe but you guys use a ton of abbreviations16:28
henrynashsamueldmq: I do agree with that as a long term vision16:28
ayoungsamueldmq, so, the one thing to keep in mind is that we want to be able to vary policy per endpoint.  If we go too far, like buy actually putting the rule_names as rolesinto the token, we can;'t do that16:29
samueldmqhenrynash, ++ :)16:29
*** tsymanczyk has quit IRC16:29
ayoungthe endpoint mapping needs to be where we say this role has these permissions,  but obviously with a simple default16:29
samueldmqayoung,  yes I know, token blob16:29
gyeesamueldmq, PITA is type of food, but also stands for the feeling after certain doctor's visit :D16:29
samueldmqayoung, the idea could be to generate the policy effectively from the role -> api association16:29
*** jistr has quit IRC16:30
lbragstadjamielennox: working on the idp specific stuff now, running tests locally. I should be ready to push soon16:30
*** topol has quit IRC16:30
samueldmqgyee, like bad news .. something hard to do ?16:30
gyeesomethin like that16:30
samueldmqgyee, I see that openstakc need some more integration between services16:30
samueldmqgyee, like roles are consistent16:30
*** kiran-r has quit IRC16:31
samueldmqgyee, like authorization is consistent, that means you need to be able to get an image to then create an instance16:31
*** vivekd has joined #openstack-keystone16:31
samueldmqand so on16:31
samueldmqayoung,  ^16:31
openstackgerrithenry-nash proposed openstack/keystone: Add support for effective & inherited mode in data driven tests
*** ankita_wagh has joined #openstack-keystone16:31
ayounglbragstad, he better be asleep now16:31
lbragstadayoung: I'd hope so, but figured I'd leave him a message for him to find later16:32
*** phalmos has joined #openstack-keystone16:32
*** phalmos has quit IRC16:32
gyeesumueldmq, operators also ask for better auditing mechanism, like who changed the role assignment and the time stamp16:32
samueldmqI think we are a bit faulty on that front, we need somehting to sew the services in the regard of pre- and post- conditions16:32
gyeeI told them to look at CADF16:32
ayoungsamueldmq, gyee I'd like us to have a 3 tier system.  roles.  workflows, permissions16:32
gyeesurprisingly, not many aware of CADF16:33
gyeestevemar, ^^^16:33
gyeewe need better marketing of CADF!16:33
samueldmqgyee, yes I thought about that as well once .. like be able to see what happened with someone who just lost access to the cloud, etc16:33
samueldmqgyee, who did remove his access ?16:33
samueldmqgyee, like magic16:33
*** phalmos has joined #openstack-keystone16:33
gyeeayoung, yeah, agree16:34
*** petertr7 is now known as petertr7_away16:34
samueldmqgyee, yeah , I will bring some posters with me to the summit16:34
samueldmqgyee, CADF everywhere (that was the spec's title)16:34
gyeesamueldmq, yeah, we need to market it better :)16:34
samueldmqt-shirts maybe16:34
samueldmqayoung, gyee ok so looks like I am having some sane thoughts, we need to write all that somewhere ;)16:35
samueldmqs/I am having/we are having16:35
*** browne has quit IRC16:36
samueldmqgyee, look at this :
samueldmqgyee, you'll see how I see your global check in the policy (in the future, we can't do that right now)16:36
*** lhcheng has joined #openstack-keystone16:37
*** ChanServ sets mode: +v lhcheng16:37
gyeeoperators still chasing log files for auditing and security events16:37
samueldmqgyee, that's just .. pfffff16:37
*** dims_ has quit IRC16:39
openstackgerrithenry-nash proposed openstack/keystone: Add support for group membership to data driven assignment tests
gyeesamueldmq, how's that backward compatible?16:39
*** dims has joined #openstack-keystone16:39
samueldmqgyee, see the third rule in the example16:40
samueldmqgyee, that's a rule as it's defined today16:40
gyeeoh i c16:40
samueldmqgyee, 'In the last rule, 'field:subnetpools:shared=True' is taken as the 'rule' portion.16:40
samueldmqThe other values take the default, i.e 'scope' is 'local' and 'requirement' is 'database', meaning it will only be enforced at service level.16:40
samueldmqgyee, :-)16:40
dstanekjust for future reference... why are we afraid on configuration settings in the paste.ini?16:40
samueldmqgyee, that covers the need for global/local checks, middleware/service level checks16:41
samueldmqgyee, and so16:41
samueldmqdstanek, i.e changing the pipelines ?16:41
*** ankita_wagh has quit IRC16:42
*** shaleh has joined #openstack-keystone16:42
gyeedstanek, I've got one word for you, grenade16:42
dstaneksamueldmq: yes, well that and configuring middleware in there16:42
dstanekgyee: what about grenade?16:42
gyeechanging stuff in paste.ini, if not careful, will likely fail the grenade (upgrade) gate16:43
dstanekgyee: are they pulling the latest each time?16:44
gyeedstanek, see the theory of upgrade
dstanekgyee: sure, i agree with that. but having config values in the ini vs. in the conf don't make that any different16:45
ayoungsamueldmq, no need for a PM16:47
ayoungroles and RBAC all belong in keystone.  Policy is part of that16:47
samueldmqayoung, sure, rbac + roles should be together , I agree now16:48
samueldmqgyee, ayoung did you like that policy model ? does it deserve a spec ?16:49
gyeedstanek, my understanding is that paste.ini shouldn't change much because its is considered *code*16:49
samueldmqin the backlog ..16:49
dolphmdstanek: i cannot explain why, but rebooting my VM seems to have helped with tox -r build times16:50
dstanekgyee: yeah, i don't get why :-(16:50
dstanekdolphm: really?16:50
*** HT_sergio has quit IRC16:50
ayoungsamueldmq, depends on what we do about the explicit enumeration of rules per role.  I think we need to solve that.  It really calls for a unified policy file, but people just don;'t seem to get the connection16:50
gyeedstanek, the pipelines?16:51
samueldmqayoung, if we have "role:admin" : [identity:list_users, identity:list_domains, compute:boot, compute:delete]16:51
samueldmqayoung, we could easily generate the 'rbac policy' for nova, and another for keystone16:52
dolphmgyee: that's completely absurd, and AFAICT, is based on deployers being unwilling to read the paste docs to understand configuration file they've never seen before16:52
ayoungsamueldmq, it really is just spliiting up the policy file like we said.  One part to be modified by end user,m one for the scope and modifiable only by the coders16:52
dstanekgyee: in an ecosystem where we don't have everything in tree the pipeline is how you add middleware16:52
dolphmgyee: the same logic applies to policy.json16:52
samueldmqayoung, yes, and I don't see the need of unified policy file in this case, we can generate different policies based on the namespace (compute: identity:) instead of an unified16:53
samueldmqayoung, it would work as well16:53
gyeedstanek, dolphm, take a look at this one as an example,
ayoungsamueldmq, we need the unified to have an inventory16:54
gyeepipeline and code changes has to be coordinated in some cases so maybe that's why they consider paste.ini as *code*?16:55
gyeethat's just my guess16:55
ayoungwe do too much in paste.  And it is not a good format16:55
dstanekgyee: that's true of keystone.conf too16:55
ayoungdstanek, yep...which is why henrynash is pushing to do as much as possible in the database16:55
ayoungconfig files are not your friend16:55
gyeeayoung, no, we need to clearly draw a line between administration and configuration16:56
*** doug-fish has quit IRC16:56
gyeethat's a different argument16:56
*** doug-fish has joined #openstack-keystone16:56
dolphmayoung: can you defend that opinion? "paste is not a good format"16:57
gyeedstanek, why's keystone.conf changes require code changes?16:57
ayoungdolphm, yes I can16:57
ayoungdolphm, I tried working with it a while back.  What it lacks is the ability to clean up16:57
dstanekgyee: right, paste.ini is more like the XML that set's up a tomcat service16:57
ayoungit is half of a inversion of control framework in a adomain specific language16:57
samueldmqayoung, I believe we need an inventory that is consistent with the union of all the services, not necessarily the inventory is unique16:57
ayoungmost of what we do in paste should be done in python16:58
ayoungbeyond that, what we can't do in paste is define reusable filters composed of other filters16:58
dstanekgyee:  not changes in config that need code changes....change in code that force config changes16:58
ayoungso we end up with huge duplicates of the pipelines instead of putting /auth under a separate pipeline from the rest of the v3 api16:58
gyeedstanek, nope, Theory of Grenade :)16:59
* gyee is a messenger here16:59
*** _kiran_ has quit IRC16:59
dstanekgyee: as we moved code around that required a config change. we've had our share of issues there. better now that code paths are no longer in the config17:00
*** samleon has joined #openstack-keystone17:01
gyeedstanek, my understanding is that config and code upgrade must be able to be done separately17:01
morgan_2549ayoung: I'd support dropping everything into one entry in the pipeline17:01
*** ankita_wagh has joined #openstack-keystone17:01
morgan_2549Only because paste isn't awful for people who add their own middleware. But nothing keystone should do needs to be separated out at this point17:01
*** vivekd has quit IRC17:02
morgan_2549Entry should be "keystone" and that's it17:02
gyeeis there an email thread on ini versus conf?17:02
* gyee needs to read his emails more often17:02
dstanekmorgan_2549: i was just thinking that i'll create a patch that no longer uses paste for filters since we don't actaully do it right anyway17:02
morgan_2549dstanek: even ++17:03
dstanekgyee: nope, i saw a comment in a review and wondered why there is such fear around this17:03
morgan_2549also fwiw I got some feedback on "db config" vs file config17:03
dstanekgyee: i actually made a patch that removes code paths from paste.ini17:03
* dstanek never really tested it though17:03
gyeedstanek, link?17:04
dstanekmorgan_2549: what's the verdict?17:04
dolphmayoung: everything done in paste can be done in python, but paste makes middleware configuration accessible to end-users. and i don't know why you couldn't contribute "reusable-filters" upstream, if so desired. i've never considered trying to DRY a paste file, though.17:04
dstanekgyee: to my patch?17:04
morgan_2549Basically "making an api call to put things in a db as a config" is unfun for many orgs. So we need to support both methods17:04
dstanekgyee: /opt/stack/keyston417:04
dolphmyay, double the complexity, double the fun!17:04
*** vivekd has joined #openstack-keystone17:04
dstanekgood times!17:05
morgan_2549And the operators were luke warm on policy being centrally distributed by keystone. They said they would need to see it working and the benefit but they weren't unhappy with CMS deploying it17:05
gyeedouble the service revenue :)17:05
dolphmgyee: double the maintenance cost17:05
morgan_2549Especially since they control the window17:05
dolphmgyee: it's not funny17:05
morgan_2549dolphm: I have heard strong voices for config files.17:06
dstanekmorgan_2549: since gyee has volunteered to run the experimental "pull from HTTP" code in hp public cloud i'm getting a little more than luke warm17:06
morgan_2549This was the response at the midcycle17:06
dolphmit's a security nightmare and then a maintenance nightmare. morgan_2549, also, you're forgetting the third form of config that is typically broken: args passed from the CLI17:06
morgan_2549It was a sure, might be good17:06
ayoungdolphm, I could contribute it...but I spent way too long trying to get it to work unsuccessfully.  The issue really isn't the paste format, but the assumptions in the code.17:06
*** mpmsimo has joined #openstack-keystone17:07
morgan_2549dolphm: configs in a db are hard to automate / make consistent. We just can't remove config options we had on disk easily. That's my point17:07
*** petertr7_away is now known as petertr717:07
*** phalmos has quit IRC17:07
morgan_2549Not going to say new stuff has to/doesn't have to be in configs17:08
ayoungdolphm, I might revisit the "reusable filters" patch once the pecan transform is done.  I was unsure what belonged where ...17:08
openstackgerrithenry-nash proposed openstack/keystone: Add support for data-driven backend assignment testing
ayoungdolphm, so, yeah, the paste format itself is not horrible, but we overuse it. Ideally, the defaults would be in code, and the paste.ini file would be just the overrides17:09
*** samleon has quit IRC17:09
openstackgerrithenry-nash proposed openstack/keystone: Add support for effective & inherited mode in data driven tests
dolphmayoung: ideally the code would not make any assumptions about how it's being deployed17:09
ayoungdolphm, actually, I think the reusable pipeline is the essential thing17:10
openstackgerrithenry-nash proposed openstack/keystone: Add support for group membership to data driven assignment tests
*** mpmsimo has quit IRC17:10
dolphmayoung: what value is there beyond DRY config?17:10
ayoungthat is really what you want to have in the paste file, and then  adding in a separate pipeline for an extension would be trivial17:10
morgan_2549ayoung: do we care about extensions? We should let people add them17:10
ayoungdolphm, DRY here is important.  You want to enable disable things like SERVIVE_TOKEN17:10
morgan_2549But I don't see that we as the project should care much.17:11
gyeeforget the pipeline, how about do like what /etc/init.d/ does, just drop the file into a dir17:11 if we are going to use paste, we should use it17:11
*** topol has joined #openstack-keystone17:11
*** ChanServ sets mode: +v topol17:11
ayoungwe just kuindof use it, and it is wierd17:11
ayoungI tried to split /auth out from /v3...and couldn't make it work without major code rewrites17:11
shalehgyee: don't give our users too much sanity now17:11
dstanekayoung: things that we don't indent people to disable need to be in code17:11
ayoungan extension should not be a filter17:11
morgan_2549We should roll everything into a single item in paste and use that. Just avoid having anything that we run outside of the "keystone" entry.17:12
ayoungbut the routing is half  in paste and half in code.17:12
rodrigodsayoung, awesome +A :) thx17:12
morgan_2549Let people still add their middleware17:12
ayoungrodrigods, YW17:12
openstackgerrithenry-nash proposed openstack/keystone: Broaden domain-group testing of list_role_assignments
dolphmayoung: the core concept of an extension is that it is optional17:12
ayoungdolphm, I like that...not complaining,17:12
ayoungjust that it shouldnot abe a filter.  It should be an end node of a pipelie17:12
dstanekmorgan_2549: that is mostly what i was thinking - there are things like debug, profile, rally stuff, that i will leave in the ini17:12
morgan_2549Filters etc. but what we run in keystone should be "keystone" not "identity assignment v3 token" etc17:13
ayoungso, what I was looking to do was make different access control for different portions of the pipelien17:13
ayounglet me see if I can mock up what I was looking to do17:13
morgan_2549dstanek: that would be the path I'd like to see17:13
*** tsymanczyk has joined #openstack-keystone17:13
*** tsymanczyk is now known as Guest583017:14
dstanekgyee: looking at this diff i deleted some comments that i shouldn't have .... jas and i'll push17:14
dolphmayoung: we already support that by exposing authorization data to the pipeline, and allowing each routable element in the pipeline to handle it's own authorization enforcement17:14
*** mestery has quit IRC17:14
gyeedstanek, k17:14
dolphmayoung: each one can load their own policy file today, if they so desire17:14
boris-42dstanek: hi there17:15
*** topol has quit IRC17:15
* dolphm food time17:17
*** claudiub has quit IRC17:18
*** phalmos has joined #openstack-keystone17:19
openstackgerritDavid Stanek proposed openstack/keystone: WIP: use entrypoints for paste middleware and apps
dstanekgyee: ^17:21
*** Guest5830 has quit IRC17:22
samueldmqdstanek, very neat17:23
ayoungdolphm, something along the lines of this
ayoungdolphm, although, much of what I wanted that for is now better handled via Federation17:24
*** tsymancz1k has joined #openstack-keystone17:25
*** mpmsimo has joined #openstack-keystone17:25
*** dave-mcc_ has joined #openstack-keystone17:29
*** dave-mccowan has quit IRC17:30
*** roxanaghe has joined #openstack-keystone17:33
dstaneki got two more emails about the same friggen job that i keep saying no to...and they are from the same recruiting i don't want to move to Plano, TX!17:33
*** tsymancz1k is now known as tsymanczyk17:34
morgan_2549dstanek: but I hear Plano is the place to be >.>17:34
*** mylu has quit IRC17:34
gyeeno country for old man like us17:35
gyeedstanek, do not take the Texans over the Browns!17:35
*** fangzhou has quit IRC17:38
dstanekgyee: looks like plano is by dallas17:38
gyeethat would be the Cowboys17:40
*** browne has joined #openstack-keystone17:41
dstanekgyee: re: that review you linked to.. so how we want to run v3 as an admin API now? /cc dolphm17:50
*** tjcocozz has joined #openstack-keystone17:51
*** roxanaghe has quit IRC17:54
*** afazkas has joined #openstack-keystone17:54
*** aix has quit IRC17:55
*** kiran-r has joined #openstack-keystone17:55
*** mpmsimo has quit IRC17:58
gyeedstanek, yeah, that's proper fix18:03
gyeeespecially if we are moving away from Identity Mangement18:04
gyeewe need to give deployer the option to expose partial API set18:04
dstanekisn't that what we were getting away from?18:04
gyeesome are already doing it, per the bug report18:04
dstanekand this doesn't do that - it just makes sure the links stay on the port from which is was accessed right?18:05
*** kiran-r has quit IRC18:05
gyeedstanek, it offer deployers flexibility by having two separate endpoints18:06
dstanekgyee: so just two different network paths to the service? not functionality subsets?18:08
*** jorge_munoz has quit IRC18:08
dstanekgyee: how would you do that in v3?18:09
gyeeas a deployer, I am obligated to offer APIs that are on defcore18:09
gyeebut others, I need to have the flexibility18:09
gyeedstanek, by having two separate endpoints18:10
gyeesince endpoint_type/interface is configurable at the client side18:10
*** topol has joined #openstack-keystone18:11
*** ChanServ sets mode: +v topol18:11
morgan_2549gyee: use policy to expose partial api not "remove elements from the server"18:12
morgan_2549Yes. 403 forbidden18:13
dstanekgyee: i'd actually rather see the urls generated correct based on the request to solve this bug18:13
morgan_2549Not "oh 404 that whole api isn't there"18:13
morgan_2549Because is that 404 api is disabled? Resource doesn't exist? Or???18:14
dstaneki thought the point of v3 was that we were going down the "here is the v3 API" path instead of the way be have v2 broken in half18:14
gyeetwo different options, 404 I can stop it at the edge18:14
morgan_2549dstanek: that is the point18:14
gyee403 the call goes to the backend18:14
gyeeI have much better tools at the edge18:14
morgan_2549gyee: I am 100% against keeping the split18:14
dstanekgyee: what edge? you'll still need to hit the app to see if the API exists or not18:15
*** ayoung has quit IRC18:15
gyeedstanek, like at the API proxy?18:15
*** topol has quit IRC18:15
morgan_2549You can 403 the Apis at the edge too he same you could 40418:15
morgan_2549It is a pattern18:15
morgan_2549The correct response is a 403 not a 40418:15
dstanekgyee: i just don't like the direction of that review18:15
morgan_2549You are forbidden from using he api not "I don't like this api so it doesn't exist"18:16
morgan_2549dstanek: which review?18:16
gyeemorgan_2549, then why its not on defcore?18:16
gyeebecause deployer can't reasonable support certain APIs18:16
*** roxanaghe has joined #openstack-keystone18:16
gyeewhy forcing them to expose them18:17
morgan_2549Ok. It is not defcore because it isn't meant to be required for trademark. That doesn't mean keystone doesn't lock in it's APIs18:17
gyeepublic cloud can't just support create user API because create user is a workflow18:17
morgan_2549I'm happy to make defcore require all Apis instead if that is what is needed but add a provision for 403 to be used18:17
morgan_2549That is fine. 403 that api. Not 40418:18
morgan_2549It tells the user the correct information18:18
dstanekgyee: this review doesn't do anything like you are talking about - it just deploys the same exact app on two different paths - the only difference is that is knows is admin vs. public18:18
gyeedstanek, you configure the rest at the API proxy18:18
dstanekgyee: right, so from a keystone perspective we just need to generate the correct links18:19
dolphmwhat is the impact of this bug?18:19
gyeedolphm, incorrect link at discovery18:20
dolphmgyee: what is the impact of that?18:20
*** geoffarnold has quit IRC18:20
*** lhcheng has quit IRC18:20
dolphm... the client accidentally switches to an identical endpoint?18:20
dstanekdolphm: yes, possible one is can't access due to routing issues18:21
gyeeno, we can't selectively deploy APIs18:21
morgan_2549You should not be selectively deploying APIs18:21
dolphmdstanek: gyee: it always returns the public endpoint, right?18:22
dstanekdolphm: yes18:22
gyeedolphm, right18:22
dolphmactually, the bug says: "Version discovery is supposed to return the configured endpoint, but it will always return "admin" endpoint."18:22
dolphmif it was always the public endpoint, then it'd be problem solved18:22
dolphmno routing issues18:22
dolphmso invert the behavior of the "bug," and skip the extra complexity18:23
dstanekdolphm: i was thinking we just need to generate our links correctly18:23
dstanekdolphm: i definitely don't want two v3 pipelines18:23
dolphmthere isn't a "public" and an "admin" v3 API, so there's no point in deploying them separately. if you really want that, write your own paste pipeline with one endpoint and it's own policy file, and deploy keystone twice18:24
morgan_2549Yeah don't do 2 v3 pipelines18:24
dolphmdstanek: ++18:24
dstanekif i am reading the code correct it always returns the public URLs
gyeebut aren't we still listening on two ports today?18:25
morgan_2549gyee: only as an artifact of v218:25
dstanekgyee: one applicaition on two ports18:25
morgan_2549But v3 is the same application18:25
morgan_2549Both ports18:25
dstanekor we can just deploy v3 on the public port :-D18:25
morgan_2549dstanek: yeah we should ditch the random high port in general18:26
*** phalmos has quit IRC18:26
dstanekcool! one line fix!18:27
gyeeI don't think its that simple18:27
dolphmi wish the "random high" IANA-assigned port was the public port, not the magic-authz port18:28
gyeeclients still treating them separate, that why we have this bug to begin with18:28
*** stevemar has joined #openstack-keystone18:28
*** ChanServ sets mode: +v stevemar18:28
dolphmgyee: but if they always get an accessible endpoint, who cares?18:29
gyeethere's what we, the devs, think it should happen, then there's the real world :)18:29
dolphmgyee: give them the public endpoint and push them back to one. how it's labeled does not matter.18:29
gyeedolphm, unless we kill off one port, I don't know how to force clients to use one port18:30
morgan_2549We should move to using port 80/44318:30
dstanekgyee: this seems like a "you're doing it wrong" case to me18:30
morgan_2549And not use random ports at all18:30
dolphmgyee: the bug illustrates how -- only point them to one endpoint... the public one.18:30
dstanekmorgan_2549: ++ - port 5000 feels like i'm developing an app and that's my development server18:31
dolphmdstanek: i guarantee that's how port 5000 was "chosen"18:31
morgan_2549dolphm: yah18:31
dolphmit was actually 5000 and 5001 in the diablo release18:31
*** geoffarnold has joined #openstack-keystone18:31
*** bapalm has quit IRC18:31
morgan_2549Port 80/443 is *way* better18:32
* morgan_2549 18:32
openstackgerritHenrique Truta proposed openstack/keystone: Replicate domain info in projects table
* morgan_2549 makes note of go back on devstack18:32
*** bapalm has joined #openstack-keystone18:32
gyeedstanek, if here's an API you don't wish to expose publically but make available internally, how would you do it?18:32
morgan_2549gyee: issue a blind 403 on it18:33
dolphmgyee: or a 404, the choice is yours18:33
gyeewhere? at the edge or let to call go to Keystone18:33
morgan_2549dolphm: I'm arguing you should never issue a 404 on the api18:33
openstackgerritBrant Knudson proposed openstack/keystone: Add user domain info to federated fernet tokens
openstackgerritBrant Knudson proposed openstack/keystone: Add user_domain_id, project_domain_id to auth context
openstackgerritBrant Knudson proposed openstack/keystone: Fix docstring for common.authorization
openstackgerritBrant Knudson proposed openstack/keystone: Add unit tests for token_to_auth_context
openstackgerritBrant Knudson proposed openstack/keystone: Build oslo.context RequestContext
morgan_2549403 tells the user the right info18:33
gyeeI would rather stop the call at the external VIP18:34
morgan_2549404 doesn't. Difference between "you aren't allowed to do this" vs "doesn't exist"18:34
morgan_2549gyee: 403 it at the edge then. But don't remove part18:34
morgan_2549Of the api from the keystone app18:34
morgan_2549The api is *not* optional18:34
morgan_2549Supporting the use of the api is.18:35
dolphmmorgan_2549: right, i don't care either way, but you just explained why security folks will argue in favor of 40418:35
gyeemorgan_2549, sure, I am fine with either 403 or 40418:35
dolphmmorgan_2549: it reveals less information to attackers than a 40318:35
lbragstaddstanek: i think i got the same recruiter email you did.18:35
dstanekgyee: i agree that a 403 a the edge is probably what you should do ... but this isn't related to the bug anymore18:35
dstaneklbragstad: haha, from which recruiter?18:35
lbragstaddstanek: person or company?18:36
*** rm_work is now known as rm_work|away18:36
morgan_2549dolphm: this is a case where I don't think we reveal anything by 403 over 404 and it tells you not "did I get the resource or irk wrong" but "you can't do this'll18:36
morgan_2549Better for end users consuming the api18:36
dstaneklbragstad: i got it from Senthil and Mohan both from Harman18:36
lbragstaddstanek: yep, same18:36
morgan_2549And I'll argue with the security folks on this one18:36
lbragstadthey're just going down the line!18:36
gyeedstanek, it gives us two separate endpoints to work with18:36
dolphmlbragstad: that's how recruiters work18:37
morgan_2549They can stuff it. A 403 here makes no difference to security and provides a massive ux improvement18:37
dstanekgyee: but your edge would know how a user is coming in right? you could put rules on one port and not another18:37
morgan_2549dstanek: ++18:37
gyeelbragstad, meta data, linkability :)18:37
gyeethat's now NSA recruit :)18:37
dolphmgoogle seems to be the only company that puts an once of care into their recruiter spam18:37
* morgan_2549 goes to propose a change to keystone defcore requiring Apis to 403 for keystone if they are not used18:38
dolphmit's like handcrafted artisanal spam18:38
morgan_2549Or supported. Not "rip the api out/404"18:38
dstaneklbragstad: Ericson must be having a hard time getting people for this. i've seen this same job come through by email for months.18:38
lbragstadwe should start bingo boards18:38
morgan_2549dstanek: OpenStack talent is hard to find18:39
dstanekdolphm: artisanal spam.... love it!18:39
morgan_2549Core on <project-> is a massive target on your back18:39
gyeemorgan_2549, let me see if we can configure netscaler to return 40318:39
gyeeI think it should be possible18:39
*** lhcheng has joined #openstack-keystone18:39
*** ChanServ sets mode: +v lhcheng18:39
morgan_2549gyee: that's fine but if you can't it doesn't change my view.18:40
gyeewhat 403 versus 404? error code is not a big deal to me18:40
dstanekmorgan_2549: you can only ask the same people so many times. i wonder if Ericsson knows they have so many recruiters recruiting the same people over and over again18:41
morgan_2549Yes. That a 40318:41
dolphmgyee: unless you want to argue against 403, 403 wins18:41
gyeedolphm, I don't care about 403 vs 404, I can more about flexibility in deployment18:41
morgan_2549Is more correct snd we shouldnt support ripping part of the api out18:41
*** mpmsimo has joined #openstack-keystone18:41
* morgan_2549 thinks this "flexibility" is just complexity that makes OpenStack harder for the sake of being harder. Fwiw18:42
dolphmi just looked in my recruiter inbox, and good news everyone! HP Cloud Helion is hiring18:42
gyeeso I can spend more resources optimizing the public APIs since their call volume is much higher than the internal ones18:42
dolphmgyee: you mean: auth18:43
morgan_2549None of what you are asking changes your ability to do that18:43
morgan_2549You're asking for a way to make broken deployments18:43
*** jasonsb has quit IRC18:43
morgan_2549Easily and a bad end user experience18:43
morgan_2549You can still focus on improving the other things.18:43
*** fangzhou has joined #openstack-keystone18:43
gyeewhy do we have two ports in v2 to begin with?18:43
*** jasonsb has joined #openstack-keystone18:44
morgan_2549Auth vs crud split18:44
morgan_2549Sort of18:44
morgan_2549Except it was t18:44
morgan_2549It was sort of a split18:44
morgan_2549And v3 doesn't do that anymore.18:44
gyeebut why?18:45
dolphmthe problem was that several calls blurred the lines, and appeared on both APIs... it wasn't a true split at all18:45
morgan_2549It was overly complex18:45
morgan_2549You can split at L7 on uri if you want18:45
dolphmthere was a ton of confusion about which endpoint to call and why, and so the solution for v3 was to merge the two into one and wrap the result with RBAC18:45
morgan_2549But the keystone app should just be a unified app18:45
morgan_2549For ^^ dolphm's highlighted reasons18:46
morgan_2549If auth needs to be it's own service that is fine but it should be really split apart (no let's not do that today)18:47
gyeedolphm, the other reason was we couldn't agree on anything else besides auth, that's what I was told anyway18:48
*** jasonsb has quit IRC18:48
gyeehence the OS- extensions18:48
gyeeI didn't join till Folsom so I missed the earlier histories18:49
dolphmgyee: sort of. it was also to allow experimentation in core without obligating anyone to deploy extensions. the problem came about when no one put any effort into providing discovery mechanisms to enable the clients to show extension-based features only if they were enabled18:49
morgan_2549This is where the experimental stuff and no extensions have stepped in. And so far it is better18:50
*** geoffarnold has quit IRC18:52
*** geoffarnold has joined #openstack-keystone18:54
gyeebut even with the extension mechanism, why do we elect to go with two ports to begin with? In theory, we can still have one app right?18:54
gyeethat's essentially the same argument here18:54
*** topol has joined #openstack-keystone18:55
*** ChanServ sets mode: +v topol18:55
morgan_2549 (<-- dolphm)18:56
*** yottatsa has quit IRC18:57
*** tjcocozz_ has joined #openstack-keystone18:57
dolphmmorgan_2549: +118:57
*** rm_work|away is now known as rm_work18:57
morgan_2549dolphm: just to make it explicitly clear what is expected18:58
dolphmmorgan_2549: although, i'd like to provide a way to remove v2 CRUD from a deployment while maintaining support for v2 auth... i don't *think* that would violate those assertions18:59
morgan_2549dolphm: ah got a solution for that18:59
dolphmmorgan_2549: i do too, but i haven't written it yet. what's yours?19:00
*** tjcocozz has quit IRC19:00
morgan_2549dolphm: there19:01
gyee"All provided K19:02
gyeeeystone APIs are expected to exist on the server even if not designated."19:02
gyeegood luck enforcing that :)19:02
morgan_2549gyee: I am going to be adding a lot of defcore tests19:03
morgan_2549which means... if you result in a 404 instead of a 403 on these19:03
morgan_2549no TM19:03
morgan_2549it's not hard to enforce what we want19:03
morgan_2549dolphm: just say deprecated APIs can be omitted.. really easy that way19:04
dolphmgyee: that just means "run the upstream code"19:04
* gyee is tweaking his VIP to catch all return 40319:04
morgan_2549gyee: fine, that is the net result we *want* for user experience.19:05
morgan_2549gyee: you can game the system how you want. but we're outlining what is needed19:05
morgan_2549but realize the next step is keystone will be a single app in the paste pipeline19:05
morgan_2549not "identity assigmnnt resource ..."19:05
morgan_2549it'll just be "keystone"19:05
dolphmreproducing bugs that require running is booorrinnggg19:07
gyeemorgan_2549, we haven't officially deprecated v2.0 yet right?19:07
*** stevemar has quit IRC19:07
dolphmgyee: only the keystoneclient cli19:07
morgan_2549v2 is not deprecated.19:07
morgan_2549that added line was just to ensure we have a path to allow people to drop v2 down the line without violating defcore19:08
gyeeno argument here19:08
morgan_2549also when v2 is officially deprecated we will update the guidance to not say v2 is required19:08
dolphmmorgan_2549: is there a better place to make the same assertion about deprecated APIs that can apply to all projects?19:08
morgan_2549we can lift it to all projects19:09
dolphmmorgan_2549: or should we start with keystone, and then "promote" that assertion to all projects?19:09
morgan_2549but i'd like to state if here first then work with hogepodge to move it up19:09
morgan_2549this gets is as an accepted thing already19:09
openstackgerritHenrique Truta proposed openstack/keystone: Creating tests for projects acting as domains
morgan_2549then we can assert it elsewhere easily :)19:09
gyeeassert like building tests to make sure it returns 404? :)19:10
gyeek man, food time for the left coast19:11
*** lhinds has joined #openstack-keystone19:12
morgan_2549gyee: no, just add it to the guidance19:13
morgan_2549if someone runs a deprecated API they are not in violation of defcore19:13
morgan_2549afai care19:13
*** afazkas has quit IRC19:13
*** afazekas has joined #openstack-keystone19:14
*** mpmsimo has quit IRC19:18
*** lhcheng has quit IRC19:18
*** geoffarnold has quit IRC19:20
openstackgerritLance Bragstad proposed openstack/keystone: Add federated auth for idp specific websso
*** jasonsb has joined #openstack-keystone19:25
lbragstadjamielennox: FYI ^19:25
*** ngupta has quit IRC19:26
*** ngupta has joined #openstack-keystone19:35
openstackgerritBrant Knudson proposed openstack/keystone: Add user domain info to federated fernet tokens
openstackgerritBrant Knudson proposed openstack/keystone: Add user_domain_id, project_domain_id to auth context
openstackgerritBrant Knudson proposed openstack/keystone: Fix docstring for common.authorization
openstackgerritBrant Knudson proposed openstack/keystone: Add unit tests for token_to_auth_context
openstackgerritBrant Knudson proposed openstack/keystone: Build oslo.context RequestContext
*** piyanai has joined #openstack-keystone19:38
openstackgerritSteve Martinelli proposed openstack/keystone: move federation extension to core
*** petertr7 is now known as petertr7_away19:41
*** petertr7_away is now known as petertr719:41
*** e0ne has joined #openstack-keystone19:45
openstackgerrithenry-nash proposed openstack/keystone: Test list_role_assignment in standard inheritance tests
*** afazekas has quit IRC19:46
*** raildo is now known as raildo-afk19:47
*** e0ne has quit IRC19:47
*** gyee has quit IRC19:47
*** samueldmq has quit IRC19:49
*** belmoreira has joined #openstack-keystone19:50
openstackgerritNithya Renganathan proposed openstack/keystone: move federation extension to core
*** topol has quit IRC19:51
*** gyee has joined #openstack-keystone19:56
*** ChanServ sets mode: +v gyee19:56
*** geoffarnold has joined #openstack-keystone19:56
*** topol has joined #openstack-keystone19:58
*** ChanServ sets mode: +v topol19:58
*** alejandrito has joined #openstack-keystone19:59
openstackgerritDavid Stanek proposed openstack/keystone: Use entrypoints for paste middleware and apps
*** ngupta_ has joined #openstack-keystone19:59
*** alejandrito_ has joined #openstack-keystone20:00
*** alejandrito has quit IRC20:00
dstanekdolphm: did you get you git issue worked out?20:00
*** ngupta__ has joined #openstack-keystone20:01
*** ngupta has quit IRC20:02
*** e0ne has joined #openstack-keystone20:02
*** topol has quit IRC20:03
*** ngupta_ has quit IRC20:04
openstackgerritLance Bragstad proposed openstack/keystone: Add federated auth for idp specific websso
*** woodster_ has joined #openstack-keystone20:13
*** stevemar has joined #openstack-keystone20:14
*** ChanServ sets mode: +v stevemar20:14
*** lhcheng has joined #openstack-keystone20:15
*** ChanServ sets mode: +v lhcheng20:15
*** e0ne has quit IRC20:18
*** alejandrito_ has quit IRC20:18
dolphmdstanek: not really20:18
dolphmdstanek: i gave up yesterday20:19
dolphmdstanek: got the same issue in two separate clones of keystone20:19
*** roxanaghe has quit IRC20:20
*** _cjones_ has quit IRC20:21
*** piyanai has quit IRC20:22
*** r-daneel has joined #openstack-keystone20:24
openstackgerritVivek Dhayaal proposed openstack/keystone: Stable Keystone Driver Interfaces
*** e0ne has joined #openstack-keystone20:29
stevemarohhh stable driver code20:32
*** mpmsimo has joined #openstack-keystone20:33
*** petertr7 is now known as petertr7_away20:34
*** pnavarro has joined #openstack-keystone20:35
*** e0ne has quit IRC20:35
*** e0ne has joined #openstack-keystone20:36
*** petertr7_away is now known as petertr720:37
dstanekstevemar: yeah, i'm not a fan of the approach20:39
*** geoffarnold has quit IRC20:40
*** belmoreira has quit IRC20:44
*** ngupta__ has quit IRC20:47
openstackgerritDolph Mathews proposed openstack/keystone: Test v2 tokens being deleted by v3
dolphmdstanek: had to post a revision to because it wasn't using a user & project in the default domain when creating the v2 token (copy pasta from another test)20:49
*** Ephur has joined #openstack-keystone20:51
*** mylu has joined #openstack-keystone20:51
vivekddstanek: thanks for your review of my stable driver interfaces patch.20:53
vivekddstanek: by docs, you mean i need to add the DocImpact flag and create documents elsewhere or did you mean code comments and docstrings?20:53
vivekddstanek: and you had said you didn't understand the point.20:53
vivekddstanek: can you please let me know what is that, so that i can explain you.20:53
*** geoffarnold has joined #openstack-keystone20:54
*** ngupta has joined #openstack-keystone20:54
*** Ephur has quit IRC20:56
*** ngupta has quit IRC20:58
*** mpmsimo has quit IRC20:59
*** dave-mcc_ has quit IRC21:01
dstanekvivekd: there is no developer docs so i don't know why i have to make a Compatibilzer, how it works, when I have to do it, etc.21:01
dstanekvivekd: also what does it mean to consumers of the interface. what they they need to do and look out for?21:02
*** piyanai has joined #openstack-keystone21:03
*** breton has quit IRC21:04
*** stevemar has quit IRC21:05
vivekddstanek: sorry about my ignorance but i dont know what you mean by developer docs. is that any URL where i need to document about Compatiblizer? I can do that, if you can point me to it...21:05
*** piyanai has quit IRC21:05
dstanekvivekd: in the docs tree we have a developer.rst or something like that21:05
*** mpmsimo has joined #openstack-keystone21:05
dstanekvivekd: otherwise people won't know how to use this21:06
vivekddstanek: ok i'll document there21:06
dstanekvivekd: is there any tests that show how to delete or add a method?21:07
*** Ephur has joined #openstack-keystone21:07
*** petertr7 is now known as petertr7_away21:07
vivekddstanek: this is the test i'd written -
vivekdif u see the method - "test_driver_interface_with_compatibility"...21:08
vivekddstanek: the driver interface has two methods21:09
vivekddstanek: but the driver implementation has only one method21:09
*** piyanai has joined #openstack-keystone21:10
vivekddstanek: to make that interface compatible with that driver, the missing method is provided by the compatibilizer class21:10
*** _cjones_ has joined #openstack-keystone21:12
dstanekvivekd: i'm not a fan of grafting the two classes together. is there any reason for doing it that way?21:12
dstanekvivekd: i'm struggling a little bit because the third-party developer will have to update their driver anyway once up upgrade driver versions21:15
*** e0ne has quit IRC21:15
vivekddstanek: no specific reason for that approach.  i've just used that approach as a means to fill the missing gaps at runtime when the driver is loaded21:16
dstanekvivekd: for example someone developing the Mongo driver. how do we ensure that the new method we added to the Compatibilizer actually works for them?21:17
vivekddstanek: with the stable driver interfaces, the third party developer can live without upgrading the driver for one additional release21:18
dstanekvivekd: but how can we ensure the method we added won't break them? or will the methods always to nothing?21:18
dstaneklike raise NotImplemented21:18
*** e0ne has joined #openstack-keystone21:19
dstanekalso i think the impl only allows 1 older driver interface21:20
*** hrou has quit IRC21:20
*** mpmsimo has quit IRC21:20
*** mpmsimo has joined #openstack-keystone21:22
*** henrynash has quit IRC21:22
*** geoffarnold has quit IRC21:23
*** geoffarnold has joined #openstack-keystone21:24
vivekddstanek: one example that i can think of is...21:25
vivekdconsider a user table with id, first_name, email.21:25
vivekdand assume there existed a API list_users in version 12.21:25
vivekdnow in interface version 13, a new API say list_users_by_first_name is added.21:25
vivekd version 12 drivers wont have implemented that API.21:25
vivekdso we could add a compatibilizer class method list_users_by_first_name that could internally call version 12 drivers list_users API and do an in-memory filtering based on first name and then return the results back to the caller21:25
vivekddstanek: yes the impl suports 1 older drivers implementation alone21:26
dstanekvivekd: what would happen if first_name was actually a new field?21:26
vivekddstanek: drivers written in L release would work in M release21:27
*** e0ne has quit IRC21:28
*** roxanaghe has joined #openstack-keystone21:28
vivekddstanek: hmmm...thats a schema change. i doubt if schema change incompatibilities could be solved programmatically...21:28
dstanekvivekd: so what do we do?21:29
dstanekis it just a documentation thing?21:29
vivekddstanek: in schema change cases, i think there is no other go. the third party developer should upgrade his driver21:30
dstaneki'm a little worried that we may silently make driver so  slow that you could argue that we broke them21:30
dstanekvivekd: i was thinking that this much go beyond having methods with the same name, but needs to define somewhere the real inputs and outputs21:32
vivekddstanek: i didn't get you. you mean inserting the compatibility layer would slow down the driver performance?21:32
dstanekvivekd: yes, in you example you created a table scan21:32
*** mpmsimo has quit IRC21:33
dstanekor if it were a mongo driver you loaded all documents from a collection and that would be really bad21:33
vivekddstanek: agreed my example was a bad one. i just gave it from the top of my head. there could be better solutions21:35
dstanekvivekd: no, you demonstrated my concern21:35
vivekddstanek: i feel, the stable driver interfaces as such is not the slow-down factor.21:37
vivekddstanek: if a bad performing compatibility method is written, that is what could slow down the driver21:37
vivekdgyee: you had commented that you are "still trying to understand the need for COMPATIBILIZER class"21:40
dstanekvivekd: to me this most important part of the stable driver interface is defining the inputs/outputs21:40
vivekdgyee: may i explain you?21:40
vivekddstanek: sorry i didn;t get u. can you please explain what u mean by 'defining inputs/outputs'?21:41
dstanekwhat gets returned from a list_users?21:42
vivekddstanek: a list of users and based on filter params if any...21:44
dstanekwhat's in a list of users?21:45
dstanekvivekd: that's why the spec talks about redesigning the drivers21:45
dstanekvivekd: the method problem can be solved with very little code, but if we break the semantics of the methods then all is lost21:46
*** lhcheng has quit IRC21:46
dstaneklet's go to the extreme and talk about tokens.... what's in there? what's actually in there on purpose and won't be removed?21:47
*** piyanai has quit IRC21:47
dstanekthat's a super nested, highly complicated structure21:47
*** piyanai has joined #openstack-keystone21:47
*** breton has joined #openstack-keystone21:49
bretonupgraded to jessie21:49
*** piyanai has quit IRC21:49
dstanekbreton: did it work?21:49
*** piyanai has joined #openstack-keystone21:51
dstanekvivekd: actually let me draw up an alternative.....21:51
*** gordc has quit IRC21:52
*** doug-fish has quit IRC21:53
*** tjcocozz_ has quit IRC21:53
vivekddstanek: by method problem u mean method addition/removal problem right?21:53
vivekdby method semantics u mean the method signature undergoes a change in the newer version of the interface?21:53
vivekddstanek: ok21:53
bretonah, it was supposed to go to another channel. But ok.21:53
bretondstanek: yep21:53
dstanekvivekd: yes21:53
*** breton has quit IRC21:54
*** breton has joined #openstack-keystone21:54
*** pnavarro has quit IRC21:57
*** csoukup has quit IRC21:58
gyeevivekd, dstanek, reading back ...22:01
vivekddstanek: what is ur alternative?22:01
vivekddstanek : sorry i'm a bit confused as i'm new to keystone22:01
vivekdgyee: ok22:02
*** dave-mccowan has joined #openstack-keystone22:02
dstanekvivekd: not sure, drawing it up now22:02
gyeevivekd, so for out-of-tree drivers, I would have to implement a compatibilizer in order to upgrade?22:03
*** breton has quit IRC22:03
dstanekgyee: no, we as Keystone do that22:03
*** breton has joined #openstack-keystone22:03
vivekdyes gyee22:03
dstanekthe methods on the campatibilitzer are just added onto the third-party driver22:04
vivekdgyee: drivers dont' need to undergo any changes22:04
*** hrou has joined #openstack-keystone22:04
gyeebut those methods will be result in NotImplemented exception right?22:04
*** geoffarnold has quit IRC22:05
vivekdgyee: u mean methods not overridden by old driver?22:05
dstanekgyee: new methods will have default implementations in the compatibilizer class22:06
*** geoffarnold has joined #openstack-keystone22:06
*** tiny-hands has quit IRC22:07
gyeedstanek, default implementation?22:07
gyeewouldn't they just raise NotImplemented?22:08
dstanekgyee: basically.22:08
gyeevivekd, right22:08
dstanekgyee: i would vote yes on that22:08
gyeeso in that case we don't need that class22:08
gyeejust raise the exception for any methods that are not found in the driver22:09
vivekdgyee: but if a new method added to an interface is found missing in the old driver, then such a driver will not be loaded by keystone and keystone will fail to start because ABCMeta would prevent instantiation of the driver if any of the abstract methods are not overridden in the driver22:12 disconnected22:12
dstanekgyee: that is basically my alternative22:12
*** btully has joined #openstack-keystone22:13
*** csoukup has joined #openstack-keystone22:14
gyeevivekd, if the driver does not have implementation of the new interfaces, the system will likely fail anyway22:15
vivekdgyee: no22:16
vivekdgyee: with my solution, it wont fail, provided, the new method is present in the Compatibilizer class22:16
*** roxanaghe has quit IRC22:17
dstanekvivekd: see i think in many cases it will and the fact that we can't know when means we should assume it will22:17
gyeeI agree with dstanek22:17
dstanekvivekd: you're mistaking finding a method with given name and functionality working22:17
gyeethere is a difference in having name only versus full functionality22:18
*** csoukup has quit IRC22:19
dstanekthat's why this was more about the inputs and outputs than methods22:19
*** narengan has quit IRC22:20
gyeedstanek, difficult to enforce22:21
*** narengan has joined #openstack-keystone22:21
dstanekgotta run for a bit....i'll finish my hack when i get back22:22
vivekddstanek: gyee: ok22:23
vivekdgyee: so my understanding is that, you suggest we can remove the compatibilizer class22:23
*** dave-mccowan has quit IRC22:24
gyeevivekd, yes, I don't think we need it22:24
*** urulama has quit IRC22:25
gyeevivekd, but we need some more thinking on the I/O enforcement22:25
gyeeI don't have a good suggestion on that one right now22:25
*** urulama has joined #openstack-keystone22:25
*** narengan has quit IRC22:25
dstanekvivekd: i don't think you should change anything just yet until there is more feedback22:25
*** narengan has joined #openstack-keystone22:26
vivekdgyee: u mean enforcing that the drivers implement the methods with the same signature as that in the interfaces?22:26
gyeevivekd, yes22:26
vivekdgyee: i thought that was not in the picture at all, given the abandonded strictABC implementation patch by morgan_254922:28
dstanekvivekd: if we can change the signatures then we can break compatibility22:29
dstanekvivekd: i take it one step further that we should enforce a stricture to our complex types (list, dict, objects, etc)22:30
gyeelets rewrite it with a strong type language :)22:31
gyeemaybe it'll have to be just 3rd party CI then22:32
dstanekgyee: Python is strongly typed22:32
gyeefer shure22:33
dstanekgyee: i think you meant a statically typed language22:34
openstackgerritAlberto Murillo proposed openstack/keystone: disable admin_token by default
gyeesomethin like that22:35
*** mpmsimo has joined #openstack-keystone22:39
*** mpmsimo has quit IRC22:40
vivekddstanek: ok22:42
vivekdgyee: if the compatiblizer is removed, then in tha case that the driver version = 11 and interface version = 12, then what do we do?22:42
vivekdgyee: just check if all the methods in interface are implemented in driver and if not raise an exception. that's it?22:42
*** fangzhou_ has joined #openstack-keystone22:42
morgan_2549dstanek: lets go with RustLang!22:42
*** fangzhou has quit IRC22:43
*** fangzhou_ is now known as fangzhou22:43
albertomgyee: can you re review the change to disable admin auth token?22:43
gyeemorgan_2549, Oo22:44
albertomIn the installation guide it is not even mentioned how to disable it from the pipelines22:44
gyeealbertom, k22:44
albertomI was in an installfest last saturday and nobody know that it has to be disabled from paste.ini :P so I must insist a bit more on this22:45
gyeealbertom, I am not disagreeing we need to disable it22:46
gyeejust need to figure out how to do it sanely22:46
vivekdgyee: ??22:47
*** dave-mccowan has joined #openstack-keystone22:47
albertomcool :D22:47
*** r-daneel has quit IRC22:49
gyeevivekd, in that case, just LOG.warn()22:49
gyeeabout the potential disaster22:49
*** mylu has quit IRC22:52
gyeealbertom, just curious, if you don't configure an admin token, you did you manage to bootstrap stuff?22:53
gyeehow did you create the baseline data, via SQL?22:53
*** mylu has joined #openstack-keystone22:53
*** jasonsb has quit IRC22:55
*** zzzeek has quit IRC22:56
*** mylu_ has joined #openstack-keystone22:56
*** geoffarnold has quit IRC22:57
*** mylu has quit IRC22:57
*** shaleh has quit IRC22:57
*** mylu_ has quit IRC22:59
*** jecarey has quit IRC22:59
*** mylu has joined #openstack-keystone22:59
albertomgyee: I configure admin token in /etc/keystone/keystone.conf23:00
albertomthen create the admin users23:00
albertomtenatnst endpoints23:00
albertomand then to disable it, just remove the admin_token var from keystone.conf and restart httpd23:01
albertomno mess with keystone-paste.ini23:01
*** btully has quit IRC23:02
jamielennoxlbragstad: still here?23:03
*** mylu_ has joined #openstack-keystone23:03
jamielennoxthanks for getting that patch up, i put an early review on the URI location, i'm not sure if you put if there was a specific reason to use the URI you did or just trying to match the existing websso path23:04
*** mylu has quit IRC23:04
*** mylu_ has quit IRC23:05
*** mylu has joined #openstack-keystone23:06
*** albertom is now known as albertom-afk23:06
*** mylu has quit IRC23:10
*** mpmsimo1 has joined #openstack-keystone23:10
*** dave-mccowan has quit IRC23:13
*** mylu has joined #openstack-keystone23:14
*** mylu has quit IRC23:17
gyeedims, in which release of oslo.conf we move away from namespaces? oslo.config to oslo_config23:17
*** mylu has joined #openstack-keystone23:17
*** lhinds has quit IRC23:21
openstackgerritVivek Dhayaal proposed openstack/keystone: Stable Keystone Driver Interfaces
vivekdgyee: i've pushed a new patchset addressing ur review comments. pls review...23:25
*** piyanai has quit IRC23:26
*** mylu has quit IRC23:26
*** piyanai has joined #openstack-keystone23:27
*** mylu has joined #openstack-keystone23:27
*** narengan has quit IRC23:27
*** narengan has joined #openstack-keystone23:27
*** chlong has quit IRC23:28
openstackgerritVivek Dhayaal proposed openstack/keystone: Stable Keystone Driver Interfaces
*** geoffarnold has joined #openstack-keystone23:29
*** narengan has quit IRC23:32
*** flwang1 has quit IRC23:32
*** dims_ has joined #openstack-keystone23:33
*** geoffarnold has quit IRC23:34
*** geoffarnold has joined #openstack-keystone23:34
*** dims has quit IRC23:36
*** shoutm has joined #openstack-keystone23:37
dims_gyee: 1.0.0 i think23:37
*** dims_ has quit IRC23:39
*** dims has joined #openstack-keystone23:39
*** mpmsimo1 has quit IRC23:40
*** dave-mccowan has joined #openstack-keystone23:40
*** piyanai has quit IRC23:42
*** dims has quit IRC23:44
*** vivekd has quit IRC23:45
*** ankita_wagh has quit IRC23:46
*** ankita_wagh has joined #openstack-keystone23:46
*** ankita_w_ has joined #openstack-keystone23:47
*** ankita_wagh has quit IRC23:47
lbragstadjamielennox: yes sir23:47
lbragstadjamielennox: I was just trying to match the existing websso stuff23:47
lbragstadjamielennox: I was actually *just* about to start respinning the spec, so that we could get the merged23:48
jamielennoxlbragstad: so i'm actually in the middle of a conversation with ayoung about maybe we need to move it to where you suggest23:50
*** mylu has quit IRC23:50
jamielennoxwho is apparently not in channel23:50
*** ayoung has joined #openstack-keystone23:51
*** ChanServ sets mode: +v ayoung23:51
jamielennoxlbragstad: so i'm configuring federation and kerberos at the moment and my apache config looks like
*** ankita_w_ has quit IRC23:51
ayounglbragstad, we just found a little glitch in the matrix related to that, too23:51
jamielennoxlbragstad: and it really bugs me that i need to define two <locations> for kerberos23:52
jamielennoxwith exactly the same configuration but one for CLI and one for websso23:52
ayounglbragstad, it turns out that the URL you use to get a token should not be the same as the URL you use to admin the IdP and mapping23:52
*** piyanai has joined #openstack-keystone23:52
*** lhcheng has joined #openstack-keystone23:52
*** ChanServ sets mode: +v lhcheng23:52
ayoungjamielennox, for CLI could we do /auth/OS-FEDERATION/websso/identity_providers/{idp_id}/protocols/{protocol_id}  and then websso is /auth/OS-FEDERATION/websso/identity_providers/{idp_id}/protocols/{protocol_id}/websso23:52
jamielennoxlbragstad: but the process of creating a idp/protocol does a PUT  /v3/OS-FEDERATION/identity_providers/sssd/protocols/kerberos which triggers my apache module23:53
ayoungthe difference is if we need to do the redirect afterwards23:53
*** mylu_ has joined #openstack-keystone23:53
jamielennoxso i can't configure apache before i configure keystone or it all goes to hell23:53
*** geoffarn_ has joined #openstack-keystone23:53
ayoungjamielennox, also...why did the SAML one not break the same way as the kerberos one?  Did you not finish configuring Apache yet?23:54
*** geoffarnold has quit IRC23:54
jamielennoxayoung: i don't configure saml with CLI in that case23:54
jamielennoxjust websso23:54
lbragstadso, is the current path I have in that patch good or bad?23:54
ayoungjamielennox, for now, can we move the apache stuff after the mapping upload?23:54
lbragstadi believe it's currently under /websso/identity_providers/23:54
ayounglbragstad, its mediocre23:54
lbragstadha perfect23:55
jamielennoxlbragstad: ideally it's better, we should do /auth/... for actually getting tokens and /v3 for doing CRUD23:55
ayounglbragstad, so, when we get an unscoped token, we should go to a URL under /aut23:55
jamielennoxhowever we currently do CLI auth via /v3/OS-...23:55
ayoungunder  /auth23:55
ayoungjamielennox, actually...this would tie in with morgan_2549 's desire to split auth out from the rest of the v3 api23:56
jamielennoxit is becoming obvious ayoung and i just had this converstion, i'll let him finish23:56
ayoungwhat if we drop /v323:56
jamielennoxayoung: i was thinking the same thing23:56
lbragstadjamielennox: I believe morgan_2549 has a spec (currently in the backlog) for making the auth api non-version specific23:56
*** edmondsw has quit IRC23:56
lbragstadayoung: ^23:56
jamielennoxlbragstad: anyway, i'm not sure if we put the /websso route in the proper location and look to move CLI federated auth in future, or we be consistent with the current23:57
jamielennoxbut the current is obviously broken for any sort of automated deployment23:57
*** flwang1 has joined #openstack-keystone23:57
ayounglbragstad, but websso and CLI access should both be under the same URL.  So if I'm doing kerberso, putting websso under /v3/auth/OS-FEDERATION  but putting CLI under /v3/OS-FEDEARTION doesn't allow us to match them correctly23:57
ayounglbragstad, loooking23:57
jamielennoxlbragstad: yea, i've heard about this one a few times, it's a good idea23:58
lbragstadyeah, maybe next cycle we can find some bandwidth to do it23:59
ayounglbragstad, lets do it now23:59
lbragstadlet's do it live!23:59
*** jasonsb has joined #openstack-keystone23:59
ayoungwe can leave the existing stuff, but make your change under /auth  without V323:59
lbragstadI think that if we do that, we should have the rest of the auth API be there, too23:59

Generated by 2.14.0 by Marius Gedminas - find it at!