Wednesday, 2015-08-19

gyee	dstanek, ++	00:00
gyee	samueldmq, hi!	00:00
gyee	samueldmq, looks like there are people out there customize their policy.json!	00:00
samueldmq	gyee, do you have some news ? had the opportunity to talk to them for the policy stuff ?	00:01
gyee	and they seem to be OK for the policy to out-of-sync during upgrade	00:01
samueldmq	gyee, hmm..	00:01
gyee	for a little while till upgrade is completed	00:01
samueldmq	gyee, upgrade = update ?	00:01
samueldmq	gyee, when updating the policies ?	00:01
gyee	update	00:01
gyee	right	00:01
samueldmq	gyee, how long is a little?	00:01
samueldmq	gyee, that's the question hehe	00:02
gyee	update policies is CMS right now	00:02
samueldmq	gyee, yes	00:02
gyee	samueldmq, it depends	00:03
samueldmq	gyee, 5 min inconsistency ? 1 min ? just a few seconds?	00:03
gyee	everybody have different risk management	00:03
dstanek	gyee: the Compatibilizer basically allows you fix an older version of an api	00:03
dstanek	gyee: see first test here: https://review.openstack.org/#/c/209524/5/keystone/tests/unit/common/test_stable_driver_interface.py,cm	00:04
gyee	dstanek, oh, its like retrofitting	00:06
gyee	interesting	00:06
samueldmq	gyee, yes I agree, we have develped a solution that presents 0 inconsistency .. however it could pontentially cause the herd problem, depending on the number of real endpoint using a single keystone endpoint id	00:06
samueldmq	gyee, since we have no control on that ... could we say 5k nova nodes using the same endpoint id ?	00:06
*** geoffarnold has quit IRC		00:06
dstanek	samueldmq: it will cause the thundering herd. the question is how big	00:06
gyee	samueldmq, dstanek, right, it will, depending on deployment	00:07
samueldmq	dstanek, ++ yes, I was talking about hte herd as a big one	00:07
gyee	but its a choice for the deployers	00:07
*** geoffarnold has joined #openstack-keystone		00:07
gyee	depending on their risk tolerance	00:07
samueldmq	dstanek, but sure, it is always the herd, even if small	00:07
samueldmq	gyee, what if we documented that well, saying the number of requests that will hit keystone, etc	00:08
samueldmq	dstanek, ^	00:08
gyee	dstanek, I still don't get the compatibilizer design, if it needs retrofitting, why can't we bump up the version instead?	00:08
samueldmq	gyee, dstanek and that would be bad for deployments where there are too many real endpoints for a single keystone endpoing	00:08
dstanek	samueldmq: since this is experimental i don't think we should build the big CMS system	00:09
dstanek	gyee: you need to support current verison -1	00:10
*** jasonsb has quit IRC		00:10
samueldmq	dstanek, without that, we should expect (in the worst case) an inconsistency of {policy_timeout} seconds	00:10
dstanek	samueldmq: yep	00:11
samueldmq	dstanek, that can normally be high, like 5 minutes	00:11
samueldmq	dstanek, but that looks to be too long, doesn't it ? cc gyee	00:11
dstanek	samueldmq: i highly doubt anyone will use this in a real productjion deployment so i'm not too worried	00:11
samueldmq	dstanek, maybe we can find a good timeout which is acceptable for now	00:11
*** geoffarnold has quit IRC		00:11
*** jasonsb has joined #openstack-keystone		00:11
samueldmq	dstanek, gyee isn't going to use it ? I thought he was not kidding last week :)	00:12
dstanek	samueldmq: my guess is that gyee isn't going to have HP public cloud use it	00:12
samueldmq	dstanek, about using it in a part of hpcloud	00:12
dstanek	in my mind the only people using it will be tinkering	00:12
gyee	dstanek, if it works, why not	00:13
dstanek	there's too much risk and almost no value; i don't see how you could make a convincing argument for it	00:13
samueldmq	as we stated a lot of times, that's just opening the door for other things, like hierarchical roles, etc	00:14
samueldmq	going big now isn't necessarily wrong	00:14
gyee	anything have risks :)	00:15
dstanek	samueldmq: i'm just saying, from a risk management perspective i don't know how you can make the argument for it	00:15
dstanek	samueldmq: i realize that it enables things in the future, but those things are in the future :-)	00:15
samueldmq	gyee, ++ I'd be able to create a large test for it .. like 1k nodes using the same endpoint_id ? but I am not sure I have the infrastructure for it	00:16
samueldmq	btw, benchmarking tests are planned, as stated in the spec :)	00:16
dstanek	samueldmq: so no matter what you do it will be possible for the policies to be out of sync for up to that timeout	00:16
samueldmq	dstanek, yeah, but for now it buys the policy update/distribution thing	00:16
dstanek	samueldmq: not that starts getting into race condition territory, but will likely happen	00:17
samueldmq	dstanek, if people want it, they will use it, if not, they will use it anyway (in the future)	00:17
samueldmq	dstanek, but in the approach we are reducing the risk as much as we can	00:17
dstanek	samueldmq: all you need is 1 node and ab to see what'll happen on the keystone side	00:17
samueldmq	dstanek, ab?	00:18
dstanek	apache bench	00:18
dstanek	samueldmq: we are basically making a pull based CMS, which is unfortunate	00:18
dstanek	if being in sync really matters then the timeout should be much lower than 5 minutes	00:19
gyee	how about we pull smarter? like tell the clients to fetch new policy on token validation?	00:20
gyee	instead of pulling at an interval	00:21
gyee	fixed interval	00:21
samueldmq	gyee, it isn't a fixed interval, middleware only pulls when a request hits it	00:21
samueldmq	gyee, if that makes sense to what you just said ..	00:21
gyee	like have a special header on token validation which telling middleware its time to fetch new policy	00:22
*** shadower has quit IRC		00:23
*** shadower has joined #openstack-keystone		00:23
dstanek	there is just so many things that can go wrong :-( i'm not trying to stop this - i have done lots of caching in the past and it's a hard problem	00:23
gyee	but still can't avoid DB hit	00:23
gyee	the DB hit worries me	00:23
samueldmq	dstanek, what would be the alternative to what we are proposing ?	00:26
samueldmq	dstanek, keystone wouldn't control the policy freshness ? just the middleware knows when its time to fetch?	00:26
gyee	his alternative is CMS :)	00:28
gyee	status quote	00:28
dstanek	samueldmq: not entirely sure - i haven't thought about the problem enough	00:28
dstanek	gyee: my off the cuff would be to lower the policy freshness to the longer a deployment can live with it being out of sync and deal with the extra hits using an intermediary	00:29
samueldmq	so I see 2 alternatives: 1) we do the best we can and document well in what cases issues can be hit	00:29
samueldmq	2) don't to anything at all = CMS	00:29
jasonsb	breton: i made some progress	00:30
gyee	if we can figure out how to avoid DB hits and found a way to notify the Keystone instances on new policy update, that would be awesomer	00:30
dstanek	samueldmq: in you current code where do you make a new cache DB record?	00:31
jasonsb	breton: i don't know the minimal set of changes to make things work but i can whittle it down	00:31
samueldmq	dstanek, just a sec	00:31
jasonsb	breton: nova and manila are still giving problems but glance, neutron, designate, and i think heat are ok	00:31
dstanek	gyee: to avoid DB hits you could write the cached files to disk instead of a table	00:31
gyee	dstanek, you kidding right?	00:32
dstanek	gyee: but you need a second copy in samueldmq's paradihm	00:32
samueldmq	dstanek, gyee L 237 - 250 https://review.openstack.org/#/c/209695/10/keystone/endpoint_policy/core.py	00:32
dstanek	gyee: nope, you need two copies	00:32
gyee	dstanek, I have multiple Keystone instance behind an LB	00:32
samueldmq	dstanek, there are 2 entities : one where the updates occur i nthemeantime ii) the other that is delivered, and which is consistent in the time between timeouts	00:33
dstanek	samueldmq: doesn't that mean that if someone hits the endpoint at the exact time it expires then they'll get a max-age 0?	00:33
samueldmq	gyee, ^	00:33
*** btully has quit IRC		00:34
*** roxanaghe has quit IRC		00:34
dstanek	gyee: does that make sense?	00:34
samueldmq	dstanek, if so just need to change the < 0 comparisons to <= 0	00:35
samueldmq	dstanek, but basically yes; if someone hits keystone when only 10 seconds left	00:35
samueldmq	dstanek, the policy will be valid for only 10 seconds	00:35
gyee	sure	00:35
*** shoutm has quit IRC		00:36
dstanek	samueldmq: 1 corner case of many	00:36
samueldmq	dstanek, the 0 freshness ?	00:36
*** shoutm has joined #openstack-keystone		00:37
samueldmq	dstanek, I don't see too many of them .. the time comparison is simple there :/	00:37
dstanek	samueldmq: actually i have the best idea ever	00:37
samueldmq	dstanek, tell me	00:37
dstanek	we can treat the .json file just like you do with images - let apache serve it up	00:37
dstanek	apache can do 1000s of requests per second on static files without blinking an eye	00:38
gyee	but keystone is running in apache	00:39
*** _cjones_ has quit IRC		00:39
dstanek	gyee: yep	00:39
dstanek	gyee: this is how you run any website using a dynamic framework. you have apache serve anything in /images, for instance	00:40
gyee	are the files live in NFS?	00:40
gyee	shared across all instances?	00:41
dstanek	gyee: nope you'd have keystones drop it to disk when they need to	00:41
gyee	not sure if I get it, each instance will have to drop the file to disk no?	00:43
*** jasonsb has quit IRC		00:43
dstanek	gyee: right, at the same point where they are currently adding to the database	00:43
*** jasonsb has joined #openstack-keystone		00:44
* samueldmq isn't getting that .. maybe the lack of understanding on how cinder works :/		00:44
gyee	but the file is local to an instance, and the database transaction can happen at any instance	00:44
gyee	how does the others get notified?	00:44
samueldmq	so we basically put in a shared storage ? and delegate te task o f distribution	00:45
* gyee needs to read cinder code too		00:45
*** dims has joined #openstack-keystone		00:46
dstanek	what does cinder have to do with anything?	00:46
gyee	I thought you mentioned it works just like cinder	00:46
gyee	so I didn't know it manage images in an HA environment	00:47
dstanek	gyee: no images as in logo.png	00:47
*** dims_ has quit IRC		00:47
samueldmq	dstanek, me too, I though you said images ..	00:47
samueldmq	dstanek, gyee oh that's glance	00:48
samueldmq	hehe	00:48
dstanek	i did. i mentioned websites!	00:48
*** jasonsb has quit IRC		00:48
gyee	:)	00:48
dstanek	samueldmq: i don't get https://review.openstack.org/#/c/212959/3/keystone/policy/backends/sql.py,cm	00:48
dstanek	you look for the policy first before looking in the cache?	00:49
samueldmq	dstanek, the manager uses driver.get_policy_cache()	00:49
samueldmq	dstanek, if that is a not found, maybe the policy was never cached before, then cache it and return, using driver.cache_policy()	00:50
samueldmq	when calling the cache_policy(); if the policy doesn't exist in the main table: not found	00:50
dstanek	samueldmq: in cache_policy it looks up the policy and if it doesn't find it it looks in the cache. i don't understand why	00:51
samueldmq	dstanek, in that method it will only get a policy from the main table, and put a copy in the cache table	00:52
samueldmq	dstanek, adding the valid_to field	00:52
dstanek	gyee: right now the way this works is that each thread on each keystone instance that is hit at exactly the time of expiration will try to update the cache in the database	00:52
dstanek	gyee: i was just saying that each instance could just use the disk instead of DB	00:52
dstanek	gyee: then apache could serve it up	00:52
samueldmq	dstanek, in the except, I get the cached policy to delete it (in the case the main policy doesn't exist anymore)	00:53
gyee	dstanek, I see	00:53
gyee	dstanek, good idea!	00:53
dstanek	samueldmq: ah, i see	00:53
dstanek	i'll make sure i never say images around you guys again :-)	00:53
samueldmq	dstanek, :) that code is cool	00:53
dstanek	maybe just web assets	00:53
gyee	dstanek, I was think Sports Illustrated Swimmer edition	00:54
gyee	thinking	00:54
gyee	those images	00:54
gyee	k man, gotta run before trouble catches me :)	00:55
*** gyee has quit IRC		00:55
samueldmq	dstanek, hehe	00:56
*** dims has quit IRC		00:56
*** dims has joined #openstack-keystone		00:56
*** piyanai has joined #openstack-keystone		00:57
*** shaleh has quit IRC		00:59
*** piyanai has quit IRC		01:02
*** darrenc is now known as darrenc_afk		01:07
*** hideme has joined #openstack-keystone		01:10
*** ankita_w_ has quit IRC		01:12
*** _hrou_ has joined #openstack-keystone		01:13
*** hrou has quit IRC		01:14
*** davechen has joined #openstack-keystone		01:16
*** browne has quit IRC		01:18
*** darrenc_afk is now known as darrenc		01:21
*** dave-mccowan has quit IRC		01:36
*** haneef_ has quit IRC		01:43
*** dsirrine has quit IRC		01:45
*** ankita_wagh has joined #openstack-keystone		01:48
openstackgerrit	Henrique Truta proposed openstack/keystone: Unit tests for is_domain field in project's table https://review.openstack.org/212045	02:12
*** piyanai has joined #openstack-keystone		02:14
openstackgerrit	Brant Knudson proposed openstack/keystone: Enable bandit check for password_config_option_not_marked_secret https://review.openstack.org/194420	02:15
openstackgerrit	Brant Knudson proposed openstack/keystone: Bandit config updates https://review.openstack.org/194417	02:15
*** dsirrine has joined #openstack-keystone		02:18
*** ankita_wagh has quit IRC		02:22
*** topol has joined #openstack-keystone		02:23
*** ChanServ sets mode: +v topol		02:23
*** dsirrine has quit IRC		02:24
*** jasonsb has joined #openstack-keystone		02:28
*** samueldmq has quit IRC		02:29
openstackgerrit	Haneef Ali proposed openstack/keystone: Return correct URL in /v3 version response https://review.openstack.org/213379	02:29
*** topol has quit IRC		02:32
*** geoffarnold has joined #openstack-keystone		02:35
*** geoffarnold has quit IRC		02:36
*** geoffarnold has joined #openstack-keystone		02:38
*** narengan has joined #openstack-keystone		02:43
*** piyanai has quit IRC		02:47
*** fangzhou has quit IRC		02:47
*** hakimo_ has joined #openstack-keystone		02:52
*** mylu has joined #openstack-keystone		02:54
*** hakimo has quit IRC		02:54
*** piyanai has joined #openstack-keystone		02:55
*** _hrou_ is now known as hrou		02:55
*** dims has quit IRC		02:55
*** tiny-hands has quit IRC		02:59
*** dave-mccowan has joined #openstack-keystone		03:00
*** narengan has quit IRC		03:04
*** narengan_ has joined #openstack-keystone		03:04
*** narengan_ has quit IRC		03:09
*** browne has joined #openstack-keystone		03:10
openstackgerrit	Ren Qiaowei proposed openstack/keystone: Add necessary executable permission https://review.openstack.org/203966	03:11
*** topol has joined #openstack-keystone		03:12
*** ChanServ sets mode: +v topol		03:12
*** narengan has joined #openstack-keystone		03:14
*** tiny-hands has joined #openstack-keystone		03:16
*** topol has quit IRC		03:16
*** rodrigods has quit IRC		03:16
*** tellesnobrega has quit IRC		03:17
openstackgerrit	Henrique Truta proposed openstack/keystone: Manager support for projects acting as domains https://review.openstack.org/213448	03:17
*** piyanai has quit IRC		03:17
*** rodrigods has joined #openstack-keystone		03:19
*** tellesnobrega has joined #openstack-keystone		03:20
*** annasort has quit IRC		03:24
*** dikonoor has joined #openstack-keystone		03:26
*** raginbajin has quit IRC		03:27
*** tellesnobrega has quit IRC		03:28
*** boltR has quit IRC		03:28
*** boltR has joined #openstack-keystone		03:29
*** raginbajin has joined #openstack-keystone		03:29
*** tellesnobrega has joined #openstack-keystone		03:30
*** kiran-r has joined #openstack-keystone		03:36
*** kiran-r has quit IRC		03:36
*** Navid_ has joined #openstack-keystone		03:45
*** ankita_wagh has joined #openstack-keystone		03:45
*** shoutm has quit IRC		03:45
*** Navid_ has quit IRC		03:51
openstackgerrit	Henrique Truta proposed openstack/keystone: Change project name constraints https://review.openstack.org/158372	03:52
openstackgerrit	Henrique Truta proposed openstack/keystone: Add is_domain parameter to get_project_by_name https://review.openstack.org/210600	03:52
*** mylu has quit IRC		03:54
*** ankita_wagh has quit IRC		03:55
*** shoutm has joined #openstack-keystone		03:56
*** ankita_wagh has joined #openstack-keystone		03:56
*** lhcheng has joined #openstack-keystone		03:57
*** ChanServ sets mode: +v lhcheng		03:57
openstackgerrit	Steve Martinelli proposed openstack/keystone: update links in http-api to point to specs repo https://review.openstack.org/214441	04:01
*** ayoung has quit IRC		04:05
*** dave-mccowan has quit IRC		04:07
*** raginbajin has quit IRC		04:10
*** narengan has quit IRC		04:11
*** narengan has joined #openstack-keystone		04:11
*** narengan has quit IRC		04:16
*** tellesnobrega has quit IRC		04:19
*** dikonoor has quit IRC		04:24
*** mylu has joined #openstack-keystone		04:24
*** hafe has joined #openstack-keystone		04:25
*** raginbajin has joined #openstack-keystone		04:28
*** tellesnobrega has joined #openstack-keystone		04:28
*** hafe has quit IRC		04:51
*** hafe has joined #openstack-keystone		04:54
*** hrou has quit IRC		04:55
*** vivekd has joined #openstack-keystone		05:01
*** topol has joined #openstack-keystone		05:04
*** ChanServ sets mode: +v topol		05:04
*** topol has quit IRC		05:15
*** boltR has quit IRC		05:17
*** mylu has quit IRC		05:18
*** boris-42 has quit IRC		05:20
*** lhcheng_ has joined #openstack-keystone		05:24
*** mylu has joined #openstack-keystone		05:25
*** lhcheng has quit IRC		05:27
*** vivekd has quit IRC		05:28
*** vivekd_ has joined #openstack-keystone		05:28
*** vivekd_ is now known as vivekd		05:28
*** mylu has quit IRC		05:29
*** boltR has joined #openstack-keystone		05:30
*** ankita_w_ has joined #openstack-keystone		05:41
lhcheng_	jamielennox: I just catched up with the meeting log, about the websso BP, do you think we can get that a week before end of L3? (1 week from now)	05:45
*** ankita_wagh has quit IRC		05:45
lhcheng_	jamielennox: to make that feature complete, have to make changes on django_openstack_auth and horizon too	05:45
lhcheng_	and doa needs to get released too before we can push the horizon changes :(	05:46
lhcheng_	it is going to be really tight..	05:47
jamielennox	lhcheng_: it is going to be really tight	05:48
jamielennox	i think if it's not ready for +a by next meeting it won't happen	05:48
jamielennox	and i spent most of the day working on the environment rather than the code, hoping i'll get some more done later	05:49
lhcheng_	okay, once we have some patch up in keystone, can probably start working on doa in parallel.	05:51
jamielennox	lhcheng_: i'll let you know, but we'll probably have to do DOA patches at the same time just to ensure it works	05:55
*** claudiub has joined #openstack-keystone		05:56
*** afazkas has joined #openstack-keystone		06:06
*** mylu has joined #openstack-keystone		06:12
*** geoffarnold has quit IRC		06:15
*** mylu has quit IRC		06:16
*** geoffarnold has joined #openstack-keystone		06:16
*** vivekd has quit IRC		06:17
*** urulama has quit IRC		06:17
*** urulama has joined #openstack-keystone		06:18
*** lsmola has joined #openstack-keystone		06:21
*** Qlawy has joined #openstack-keystone		06:31
*** lhcheng_ has quit IRC		06:40
breton	good morning, keystone!	06:41
*** browne has quit IRC		06:48
*** woodster_ has quit IRC		06:49
*** jlvillal has quit IRC		06:58
*** jlvillal has joined #openstack-keystone		06:58
*** kiran-r has joined #openstack-keystone		07:06
*** Nirupama has joined #openstack-keystone		07:08
*** ajayaa has joined #openstack-keystone		07:10
*** urulama has quit IRC		07:12
*** urulama has joined #openstack-keystone		07:13
*** sileht has joined #openstack-keystone		07:15
*** mylu has joined #openstack-keystone		07:16
*** yottatsa has joined #openstack-keystone		07:19
*** mylu has quit IRC		07:21
*** henrynash has joined #openstack-keystone		07:22
*** ChanServ sets mode: +v henrynash		07:22
*** belmoreira has joined #openstack-keystone		07:28
*** kiran-r has quit IRC		07:29
*** kiran-r has joined #openstack-keystone		07:33
*** ankita_w_ has quit IRC		07:41
*** fhubik has joined #openstack-keystone		07:58
*** boris-42 has joined #openstack-keystone		07:58
*** tsubic has joined #openstack-keystone		07:59
openstackgerrit	Sean Perry proposed openstack/keystone: Fix exception within exception handler for xmlsec1 https://review.openstack.org/214502	08:06
*** yottatsa has quit IRC		08:09
*** yottatsa has joined #openstack-keystone		08:19
*** markvoelker has quit IRC		08:22
*** lhcheng has joined #openstack-keystone		08:23
*** ChanServ sets mode: +v lhcheng		08:23
*** fhubik_ has joined #openstack-keystone		08:33
*** jistr has joined #openstack-keystone		08:34
*** fhubik_ has quit IRC		08:35
openstackgerrit	OpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements https://review.openstack.org/214509	08:35
*** fhubik has quit IRC		08:37
*** shoutm has quit IRC		08:40
*** fhubik has joined #openstack-keystone		08:41
*** fhubik is now known as fhubik_brb		08:46
*** kiran-r has quit IRC		08:49
*** fhubik_brb is now known as fhubik		08:52
*** fhubik is now known as fhubik_brb		08:52
*** aix has joined #openstack-keystone		08:54
*** yottatsa has quit IRC		09:05
*** vivekd has joined #openstack-keystone		09:11
*** fhubik_brb is now known as fhubik		09:13
*** markvoelker has joined #openstack-keystone		09:23
*** lhcheng has quit IRC		09:26
*** markvoelker has quit IRC		09:28
*** kiran-r has joined #openstack-keystone		09:34
*** pnavarro has joined #openstack-keystone		09:34
*** _kiran_ has joined #openstack-keystone		09:40
*** fangzhou has joined #openstack-keystone		09:41
*** kiran-r has quit IRC		09:41
*** davechen has left #openstack-keystone		09:43
*** _kiran_ is now known as kiran-r		09:53
*** kiran-r has quit IRC		09:53
*** kiran-r has joined #openstack-keystone		09:54
*** mylu has joined #openstack-keystone		09:58
*** mylu has quit IRC		10:02
*** piyanai has joined #openstack-keystone		10:05
*** dolphm has quit IRC		10:05
*** sigmavirus24_awa has quit IRC		10:06
*** eglute has quit IRC		10:06
*** miguelgrinberg has quit IRC		10:07
*** d34dh0r53 has quit IRC		10:07
*** miguelgrinberg has joined #openstack-keystone		10:08
*** eglute has joined #openstack-keystone		10:08
*** belmoreira has quit IRC		10:08
*** d34dh0r53 has joined #openstack-keystone		10:08
*** dolphm has joined #openstack-keystone		10:09
*** fhubik is now known as fhubik_brb		10:09
*** belmoreira has joined #openstack-keystone		10:09
*** sigmavirus24_awa has joined #openstack-keystone		10:10
*** Guest62465 has quit IRC		10:12
*** jacorob has quit IRC		10:12
*** jacorob has joined #openstack-keystone		10:14
*** blewis has joined #openstack-keystone		10:14
*** blewis is now known as Guest7770		10:14
*** belmoreira has quit IRC		10:14
*** belmoreira has joined #openstack-keystone		10:15
*** asselin_ has quit IRC		10:16
*** shoutm has joined #openstack-keystone		10:18
*** _kiran_ has joined #openstack-keystone		10:23
*** kiran-r has quit IRC		10:24
openstackgerrit	Nikita Konovalov proposed openstack/python-keystoneclient: Fix logging of binary contentent in request https://review.openstack.org/183514	10:28
*** _kiran_ has quit IRC		10:29
*** yottatsa has joined #openstack-keystone		10:38
*** kiran-r has joined #openstack-keystone		10:43
*** _kiran_ has joined #openstack-keystone		10:45
*** _kiran_ has quit IRC		10:45
*** _kiran_ has joined #openstack-keystone		10:45
*** _kiran_ has quit IRC		10:46
*** _kiran_ has joined #openstack-keystone		10:47
*** belmoreira has quit IRC		10:48
*** kiran-r has quit IRC		10:48
*** _kiran_ has quit IRC		10:48
*** kiran-r has joined #openstack-keystone		10:49
*** dims has joined #openstack-keystone		10:56
openstackgerrit	henry-nash proposed openstack/keystone: Rationalize unfiltered list role assignment test https://review.openstack.org/213820	10:59
openstackgerrit	henry-nash proposed openstack/keystone: Add support for data-driven backend assignment testing https://review.openstack.org/149178	11:00
*** shoutm has quit IRC		11:01
*** dims_ has joined #openstack-keystone		11:03
*** urulama has quit IRC		11:05
*** urulama has joined #openstack-keystone		11:05
*** doug-fish has joined #openstack-keystone		11:07
*** dims has quit IRC		11:07
openstackgerrit	henry-nash proposed openstack/keystone: Add support for data-driven backend assignment testing https://review.openstack.org/149178	11:08
*** hafe has quit IRC		11:10
*** lhcheng has joined #openstack-keystone		11:15
*** ChanServ sets mode: +v lhcheng		11:15
*** lhcheng has quit IRC		11:19
*** boris-42 has quit IRC		11:20
*** markvoelker has joined #openstack-keystone		11:24
*** shoutm has joined #openstack-keystone		11:26
*** hafe has joined #openstack-keystone		11:27
*** markvoelker has quit IRC		11:28
*** dims has joined #openstack-keystone		11:29
*** tiny-hands has quit IRC		11:29
*** dims_ has quit IRC		11:31
*** dims_ has joined #openstack-keystone		11:31
*** gordc has joined #openstack-keystone		11:33
*** dims has quit IRC		11:34
*** Kiall_ is now known as Kiall		11:34
*** hafe has quit IRC		11:35
*** fhubik_brb is now known as fhubik		11:36
*** doug-fish has quit IRC		11:54
*** sbezverk has quit IRC		11:58
*** mylu has joined #openstack-keystone		11:59
*** mylu has quit IRC		12:03
*** afazkas has quit IRC		12:04
*** doug-fish has joined #openstack-keystone		12:05
*** dave-mccowan has joined #openstack-keystone		12:06
*** samueldmq has joined #openstack-keystone		12:12
samueldmq	morning	12:12
*** raildo-afk is now known as raildo		12:14
*** belmoreira has joined #openstack-keystone		12:19
*** belmoreira has quit IRC		12:19
*** chlong has joined #openstack-keystone		12:26
*** piyanai has quit IRC		12:27
*** edmondsw has joined #openstack-keystone		12:27
*** piyanai has joined #openstack-keystone		12:31
*** markvoelker has joined #openstack-keystone		12:40
*** dsirrine has joined #openstack-keystone		12:43
*** fhubik is now known as fhubik_brb		12:52
*** fhubik_brb is now known as fhubik		12:58
*** topol has joined #openstack-keystone		12:58
*** ChanServ sets mode: +v topol		12:58
*** tiny-hands has joined #openstack-keystone		13:01
*** Nirupama has quit IRC		13:04
*** lhcheng has joined #openstack-keystone		13:04
*** ChanServ sets mode: +v lhcheng		13:04
*** doug-fish has quit IRC		13:06
*** lhcheng has quit IRC		13:08
*** petertr7_away is now known as petertr7		13:11
*** hrou has joined #openstack-keystone		13:11
*** hafe has joined #openstack-keystone		13:19
*** doug-fish has joined #openstack-keystone		13:21
*** doug-fish has quit IRC		13:21
*** doug-fish has joined #openstack-keystone		13:22
*** doug-fish has quit IRC		13:22
*** doug-fish has joined #openstack-keystone		13:23
*** topol_ has joined #openstack-keystone		13:23
*** ChanServ sets mode: +v topol_		13:23
*** doug-fis_ has joined #openstack-keystone		13:24
*** yottatsa has quit IRC		13:26
*** topol has quit IRC		13:26
*** urulama has quit IRC		13:27
*** doug-fish has quit IRC		13:28
*** urulama has joined #openstack-keystone		13:28
*** lhcheng has joined #openstack-keystone		13:28
*** ChanServ sets mode: +v lhcheng		13:28
*** dims_ has quit IRC		13:29
*** vivekd has quit IRC		13:29
*** dims has joined #openstack-keystone		13:29
*** lhcheng has quit IRC		13:33
*** hafe has quit IRC		13:34
*** jecarey has joined #openstack-keystone		13:42
*** topol_ has quit IRC		13:42
*** topol has joined #openstack-keystone		13:42
*** ChanServ sets mode: +v topol		13:42
*** kiran-r has quit IRC		13:42
henrynash	what’s with the adding of these dependencies in tox.ini….my VM sizes keep getting blown…up 16Gb in the last week or so....	13:47
*** HT_sergio has joined #openstack-keystone		13:52
*** fhubik has quit IRC		13:56
*** fhubik has joined #openstack-keystone		13:56
*** ngupta has joined #openstack-keystone		13:58
*** doug-fish has joined #openstack-keystone		14:00
samueldmq	anyone up for a random policy thought ?	14:00
*** ChanServ sets mode: +o dolphm		14:00
samueldmq	henrynash, you mean your .tox dir taking up to 16Gb ?	14:01
*** ngupta has quit IRC		14:02
*** doug-fis_ has quit IRC		14:03
*** ngupta has joined #openstack-keystone		14:04
*** piyanai has quit IRC		14:04
dstanek	henrynash: you there?	14:05
henrynash	dtsanek: just on phone, brb	14:06
dstanek	henrynash: np	14:06
samueldmq	dstanek, henrynash https://etherpad.openstack.org/p/policy-format	14:07
samueldmq	dstanek, henrynash this is how I see the policy format to fit our needs .. including endpoint_constraint enforcement, scoping everything, global admin (backwards compat)	14:07
*** ajayaa has quit IRC		14:08
henrynash	dstanek: hi	14:08
dstanek	henrynash: quick question.. in https://review.openstack.org/#/c/213820/4/keystone/tests/unit/test_backend_ldap.py why do you need to override the test methods?	14:09
dstanek	henrynash: i would test it now, but i need to finish this change in my working dir	14:09
*** shoutm has quit IRC		14:10
*** petertr7 is now known as petertr7_away		14:10
henrynash	dtstanek: so if the assignment engine is LDAP, then domain roles are not supported…but some of the classes in test_backend_ldap.py are for LDAP Identity with SQL Assignment…hence for those I re-nable the test	14:10
dstanek	henrynash: i can see why you have to do that for the one where you catch notimplemented. did you do the others for consistency?	14:11
henrynash	dtsanek: well, for those they DON’T throw the execption…so if you don’t override the override, it would rail (since it was expecting an exception)	14:12
*** boris-42 has joined #openstack-keystone		14:15
*** doug-fish has quit IRC		14:17
*** doug-fish has joined #openstack-keystone		14:19
*** jecarey has quit IRC		14:21
*** edmondsw has quit IRC		14:22
dstanek	henrynash: i think i have to try this out locally. since it's only calling the parent i wouldn't expect it to be needed	14:22
*** sigmavirus24_awa is now known as sigmavirus24		14:22
*** afaranha has joined #openstack-keystone		14:23
*** afaranha has left #openstack-keystone		14:23
*** dave-mccowan has quit IRC		14:24
henrynash	dstaneK: I did struggle a bit with it - so great if you can find an easier way	14:25
dolphm	we really need a couple reviews on this -- it's testing for a reported security vulnerability that i wasn't able to reproduce https://review.openstack.org/#/c/201738/	14:27
*** csoukup has joined #openstack-keystone		14:27
*** doug-fish has quit IRC		14:28
*** doug-fish has joined #openstack-keystone		14:29
*** browne has joined #openstack-keystone		14:29
dstanek	dolphm: lgtm	14:32
*** doug-fish has quit IRC		14:32
*** doug-fish has joined #openstack-keystone		14:32
*** mflobo has joined #openstack-keystone		14:33
mflobo	hi there, question, is openstack-keystone ready for project metadata deletion?	14:34
samueldmq	dolphm, since admin and public APIs are different in v2, would it be worth it to test the tenant list in both ?	14:35
*** edmondsw has joined #openstack-keystone		14:37
*** doug-fish has quit IRC		14:37
*** fhubik has quit IRC		14:37
*** dave-mccowan has joined #openstack-keystone		14:38
dolphm	samueldmq: doubtful; the contents of the tenant list isn't important, it's just an arbitrary call to make to trigger the authorization check	14:38
*** doug-fish has joined #openstack-keystone		14:38
*** petertr7_away is now known as petertr7		14:40
*** narengan has joined #openstack-keystone		14:43
*** zzzeek has joined #openstack-keystone		14:43
*** jecarey has joined #openstack-keystone		14:48
*** jorge_munoz has joined #openstack-keystone		14:48
*** ngupta has quit IRC		14:48
*** mylu has joined #openstack-keystone		14:49
*** terrylhowe has joined #openstack-keystone		14:59
*** terrylhowe has left #openstack-keystone		15:00
*** geoffarnold has quit IRC		15:01
*** dims has quit IRC		15:01
*** dims has joined #openstack-keystone		15:01
samueldmq	dolphm, yes, makes sense. I made some other tests and your change looks good	15:01
dolphm	samueldmq: cool	15:01
*** ngupta has joined #openstack-keystone		15:01
samueldmq	dolphm, if the request is stopped by the policy, do we return 401 as well ?	15:02
dolphm	lbragstad: "Rackspace Cloud Support Update to: Announcing Authenticated Encrypted Tokens" i see that no one contacted marketing on that one	15:02
dolphm	samueldmq: that should be a 403, i believe	15:02
*** dims_ has joined #openstack-keystone		15:05
*** dims has quit IRC		15:06
henrynash	bknudson: ping	15:09
bknudson	henrynash: what's up?	15:09
henrynash	bknudson: so these extras being added to tox.ini....	15:10
samueldmq	dolphm, yes it is 403, however I didn't know we didn't apply policy checks for v2.0 API	15:10
samueldmq	dolphm, that's expected, right ?	15:10
bknudson	henrynash: they were moved from test-requirements.txt to tox.ini	15:10
dolphm	samueldmq: only for "is_admin"	15:10
henrynash	bknduson: the result is my disk space is exploding….up 16GB with the ldap, memchache and mongo changes…	15:10
*** bdossant has joined #openstack-keystone		15:10
henrynash	bknduson: is that expected?	15:10
bknudson	henrynash: no, that's not expected.	15:11
bknudson	henrynash: in your /opt/stack/keystone directory?	15:11
bknudson	411M .tox	15:11
dolphm	bknudson: henrynash: i think i'm seeing that too... it's taking forever to tox -r right now	15:12
henrynash	bknudson: i’m not actually sure- I’ll have to try and work out where the extra usage is comeing from…but me development VMs were 35GB …teh LDAP thing added 5G-10G and I had to rebuild them all to 50GB …not that has blown with memcahce/mongo changes	15:12
dstanek	henrynash: nothing actually changed - the deps were just moved to a new location	15:13
bknudson	there shouldn't be any difference in the packages required... they were all required before.	15:13
dstanek	my .tox is 853M	15:13
henrynash	bknduson: will all teh dependencies that get installed how up inside the .tox dir? I assume tehy should…	15:14
dstanek	dolphm: i think your problem is that tox is now stupid	15:14
dstanek	henrynash: this is my "du -sh .tox/*" http://paste.openstack.org/show/421961/ what does yours look like?	15:15
dolphm	i'm actually upgrading to tox 2.1.1 from 2.0.2	15:15
dolphm	because 2.0.2 just failed to -r -e py27	15:15
dstanek	i'm on 2.1.1 currently	15:15
henrynash	dstanek: unfirtuantely I totally ran out of space and am in the middle to resizing my disk…so need to let that finish..then I’ll get it for you	15:15
dstanek	henrynash: k	15:16
bknudson	henrynash: your .tox isn't even 1 GB	15:17
henrynash	dolphm: yeah, I thinl you may need the 2.1.1 version…I had earlier problems with older verions	15:17
bknudson	maybe it's the pip cache?	15:17
bknudson	or .testrepository?	15:18
henrynash	bknduson: so I can’t look until I finish the dsik resize…..teh pip cache is a possibility…	15:18
samueldmq	dolphm, k got it, +1'd	15:19
bknudson	194M /home/bknudson/.cache/pip	15:19
bknudson	so that's not very big on my system either	15:19
*** dims_ has quit IRC		15:19
*** dims has joined #openstack-keystone		15:19
dolphm	henrynash: my disk is full :(	15:20
henrynash	dolphm: sounds familiar….	15:21
dolphm	henrynash: i have 3-4 GB directories in /tmp/pip-*-build/	15:21
henrynash	dolpm: as soon as i get my disk back, I’ll check!	15:22
bknudson	571M /tmp/pip-zcmpuoeo-build/	15:22
*** pnavarro has quit IRC		15:22
bknudson	I've got one of those	15:22
bknudson	pip 7.1.0 from /usr/local/lib/python2.7/dist-packages (python 2.7)	15:22
dolphm	http://cdn.pasteraw.com/i48o30vwrvtzgr76pgyreyqebw1blx7	15:23
bknudson	yikes	15:23
dstanek	wow	15:23
dstanek	i don't have anything like that	15:23
henrynash	i’m gonna guess mine will look simialr	15:24
*** doug-fish has quit IRC		15:24
dolphm	bknudson: what version of tox are you using?	15:24
dstanek	i'm also running pip 7.1.0	15:24
bknudson	2.0.1 imported from /usr/local/lib/python2.7/dist-packages/tox/__init__.pyc	15:24
*** doug-fish has joined #openstack-keystone		15:24
dstanek	dolphm: what is you venv build failing on? you may need the updated pbr	15:25
*** Ephur has quit IRC		15:25
dolphm	dstanek: out of disk space	15:25
bknudson	pbr 1.2.1	15:25
dstanek	that'll do it	15:25
*** yottatsa has joined #openstack-keystone		15:25
dolphm	if it's succeeding at all, tox -r is also very slow now	15:25
dolphm	even after nuking /tmp	15:26
*** petertr7 is now known as petertr7_away		15:26
bknudson	what tox are you running?	15:26
bknudson	oh, 2.0.2	15:26
dolphm	bknudson: i was using tox 2.0.2, but trying again with tox 2.1.1 after clearing /tmp	15:26
dstanek	tox -r has always been pretty slow for me - but now it's just slow ingeneral	15:26
dolphm	dstanek: yeah, but this a magnitude slower for me, at least (although i haven't seen it succeed yet either)	15:27
*** petertr7_away is now known as petertr7		15:27
*** vivekd has joined #openstack-keystone		15:27
dstanek	dolphm: how long does it take to build a venv?	15:27
openstackgerrit	Mehdi Abaakouk (sileht) proposed openstack/keystonemiddleware: Allow to use oslo.config without global CONF https://review.openstack.org/208965	15:28
bknudson	I upgraded to tox 2.1.1 and no tmp files left around and it was also not slow	15:29
*** phalmos has joined #openstack-keystone		15:31
dolphm	dstanek: when i build one, i'll let you know..	15:31
dstanek	lol, ok	15:31
dolphm	i'm thinking about going to the grocery store while i wait	15:31
dolphm	the internet at castle went offline a bit ago too	15:32
bknudson	tox -e pep8 took 0m57.425s on my system	15:32
dstanek	dolphm: is castle in a timeout?	15:32
dolphm	dstanek: yep! they're sending support rackers home immediately to VPN in, because that's working	15:33
henrynash	dolphm: ouch!	15:34
dolphm	dstanek: and they can't change the incident management lights in the building to red because those are apparently networked to a downed network	15:34
*** mylu has quit IRC		15:34
bknudson	code red!	15:36
bknudson	action stations!	15:36
dstanek	haha, sounds like trouble	15:37
*** bdossant has quit IRC		15:38
*** yottatsa has quit IRC		15:44
*** ankita_wagh has joined #openstack-keystone		15:45
*** yottatsa has joined #openstack-keystone		15:46
*** dims has quit IRC		15:49
*** petertr7 is now known as petertr7_away		15:49
*** dims has joined #openstack-keystone		15:49
henrynash	bknduson, dstanek: so I’m build the py27 venc…and the /tmp/pip is 12G an climbing	15:50
dolphm	dstanek: finally rebuilt two tox environments successfully, and i rebuilt one from 2 weeks ago... it's 25x slower now.	15:50
henrynash	bknudson, dstanek: it was zero before the build started	15:50
henrynash	bknudson, dstanek: 18Gb now…wil have to kill it if gets above 20G to avoud disk full again	15:52
dstanek	henrynash: what is it in /tmp that's growing?	15:53
*** dims_ has joined #openstack-keystone		15:53
bknudson	I get a few pip-0PpwV2-build directories in /tmp when building venv but they go away	15:53
*** mylu has joined #openstack-keystone		15:53
henrynash	17G/tmp/pip-O3FYoG-build	15:53
bknudson	also the size is only 182M	15:53
dstanek	henrynash: can you see what's in there?	15:54
*** dims has quit IRC		15:54
dstanek	bknudson: i just built and got a 1.5g tmp dir, but it went away after the build completed	15:54
*** yottatsa has quit IRC		15:55
bknudson	my /tmp/pip-W9XnNg-build looks like it contains /opt/stack/keystone...	15:55
bknudson	weird	15:55
dstanek	bknudson: contains the dir?	15:56
dstanek	tox is installing our code similar to the deps	15:56
bknudson	dstanek: y, it looks like a copy of /opt/stack/keystone/*	15:56
*** yottatsa has joined #openstack-keystone		15:57
bknudson	that's weird.	15:57
dolphm	henrynash: with pip 7.1.0 and tox 2.1.1 i'm not seeing any ridiculous disk space utilization	15:58
morgan_2549	dolphm: my phone won't let me run Python or tox :(	15:58
dolphm	dstanek: maybe those /tmp directories hang around when builds fail?	15:58
* morgan_2549 stops being silly		15:58
dolphm	morgan_2549: upgrade your ssh client?	15:59
dstanek	dolphm: that wouldn't surprise me	15:59
henrynash	dstanek: inside the /tmp/pip-blablah appears to be a copy of my /opt/stack/keystone	15:59
morgan_2549	dolphm: hehe	15:59
bknudson	dolphm: do you get a copy of keystone in /tmp when building venv?	15:59
*** phalmos has quit IRC		16:00
dolphm	dstanek: i assume this is based on cached wheels either way.. but seriously: 28 second build time for -r to ~12 minutes	16:00
*** _cjones_ has joined #openstack-keystone		16:00
dstanek	dolphm: that's odd. mine is only a minute or so	16:00
bknudson	tox has "-e git://git.openstack.org/openstack/keystone.git@23d881254a25066f055cf921d42a7cf139f6516d#egg=keystone-dev" in the "installed" output	16:00
dstanek	i think the "extras" change or maybe the newest pbr is the cause for the slowdown when running tests	16:01
henrynash	I’ve got tox 2.1.1. and pip 7.1.0	16:01
dolphm	bknudson: a few seconds into a build of master as of two weeks ago: http://cdn.pasteraw.com/kf2k2rt822idnwon1cgf0zn180ia586	16:01
bknudson	henrynash: what's the size of your /opt/stack/keystone?	16:02
henrynash	bknduson: ahhhh! 18G (what a surprise!)	16:02
dstanek	henrynash: what do you have in there?	16:02
henrynash	bknudson: bl**dy good question… off to find out what the hell is going on….!	16:03
*** kiran-r has joined #openstack-keystone		16:03
dstanek	henrynash: check your .testrepository and .tox dirs	16:03
*** geoffarnold has joined #openstack-keystone		16:03
dstanek	dolphm: takes me 58 seconds to build a new env	16:04
bknudson	henrynash: du -h -d 1	16:04
henrynash	dtsanek: you got in one, sir… my .testrepositary is 17.5G	16:04
henrynash	cd .test*	16:04
henrynash	oops	16:04
*** mestery has joined #openstack-keystone		16:04
bknudson	the testr database keeps growing	16:04
dstanek	just delete that directory	16:05
dolphm	latest master, mid build of -r -e pep8: http://cdn.pasteraw.com/ogmb4yatlnltoo7utn1rkjrxnirw20u and http://cdn.pasteraw.com/8clglfr7pa07udxq8h3qthck4phku94	16:05
bknudson	not sure what it's for... I think it allows you to do tox -e py -- --failing	16:05
dstanek	bknudson: and reporting	16:05
dolphm	my .testrepository/ is 3.8 GB too	16:05
dolphm	bknudson: ++	16:05
dstanek	i delete mine all of the time since switching between 2.7 and 3.4 is broken	16:06
bknudson	dstanek: if you to tox -e py34 first then tox -e py27 will work with it	16:06
dstanek	bknudson: i still had some issues there in the past that were not pickle related	16:07
henrynash	dstanek. bknudson: I assume i can blow away anything in my .testrepositary ?	16:08
bknudson	henrynash: rm -r it.	16:08
bknudson	I usually do that when I rm -r .tox every once in a while	16:08
*** jorge_munoz_ has joined #openstack-keystone		16:10
henrynash	bknduson, dstaneK: ok…that cures the problem for sure…builds happending much faster and not consuming all my disk	16:11
*** jorge_munoz has quit IRC		16:11
*** jorge_munoz_ is now known as jorge_munoz		16:11
*** jorge_munoz has quit IRC		16:11
dolphm	henrynash: really? didn't make things faster for me...	16:12
henrynash	dolphm: ok, well…so I still think it is much slower than before…but a faster than slurping 18Gs around multiple times	16:12
*** jorge_munoz has joined #openstack-keystone		16:13
*** ayoung has joined #openstack-keystone		16:13
*** ChanServ sets mode: +v ayoung		16:13
*** mylu has quit IRC		16:13
*** vivekd has quit IRC		16:14
*** mylu has joined #openstack-keystone		16:14
samueldmq	ayoung, hey	16:16
ayoung	SHMOOOEL!	16:17
samueldmq	ayoung, p/	16:17
samueldmq	o/	16:17
samueldmq	ayoung, please take a look at this https://etherpad.openstack.org/p/policy-format	16:17
ayoung	I think you are supposed to say "Here I AM"	16:17
samueldmq	ayoung, no need to further explanation, you will get what is there just looking, for sure hehe	16:17
samueldmq	ayoung, ah sorry	16:17
samueldmq	ayoung, Here I AM	16:18
*** gyee has joined #openstack-keystone		16:20
*** ChanServ sets mode: +v gyee		16:20
samueldmq	gyee !	16:21
*** urulama has quit IRC		16:21
ayoung	I own rodrigods a review...	16:21
*** urulama has joined #openstack-keystone		16:22
samueldmq	gyee, I was looking at your endpoint constraint change, have something to talk to you, let me know when you have a few minutes	16:22
samueldmq	ayoung, did you get what I was designing in that pad ?	16:22
ayoung	samueldmq, yes. I might want to go even further	16:22
samueldmq	ayoung, sometimes I get convinced that it would be good to have a separate service for policy	16:22
samueldmq	ayoung, we could manipulate all that structure via api's	16:22
samueldmq	ayoung, even further ? hehe :)	16:23
ayoung	something like : the role has to have an entry, and in there is a set of rule names.	16:23
ayoung	Make it so there needs to be something that does it like thisL:	16:23
gyee	samueldmq, hi!	16:23
gyee	samueldmq, I need to rebase	16:23
samueldmq	gyee, yes	16:23
ayoung	role:admin: "user_create, user_delete...."	16:24
*** petertr7_away is now known as petertr7		16:24
samueldmq	ayoung, that's basically inverting the way we define policies, right ?	16:24
ayoung	then the policy check makes sure the rule is in one of the role entries. Then compute:create is just the scope match	16:24
samueldmq	ayoung, role -> api instead of api -> roles	16:24
gyee	ayoung, at the operators midcycle, seem like read-only role is most desire	16:24
gyee	samueldmq ^^^	16:25
ayoung	samueldmq, right, but then the role sections can be auto generated with out touching the other rules	16:25
samueldmq	gyee, what does that mean ?	16:25
ayoung	gyee, yeah, for audit etc	16:25
gyee	right	16:25
* samueldmq didn't get it		16:25
gyee	samueldmq, like observor	16:25
ayoung	JAFO	16:25
gyee	which have read-only access to the resources	16:25
samueldmq	gyee, can roles be updated today ?	16:26
gyee	right now they have to use the super admin role, which they are not comfortable at all	16:26
ayoung	samueldmq, yeah, but not policy files...	16:26
samueldmq	ayoung, in the past I thought about having all the system capabilities registered into keystone automatically by services	16:26
samueldmq	ayoung, them those capabilities (apis) could be added to roles (like you said)	16:27
*** _kiran_ has joined #openstack-keystone		16:27
samueldmq	ayoung, and we could generate the policies automatically, on the fly	16:27
ayoung	samueldmq, it is the right way to go.	16:27
samueldmq	ayoung, I had synchronized this thoguht with henrynash , he also things this way	16:28
samueldmq	(at least at the time hehe )	16:28
*** ankita_wagh has quit IRC		16:28
gyee	right now, defining a new role, and make it effective across services is PITA	16:28
samueldmq	gyee, pita ?	16:28
gyee	its a combination of API and configuration management	16:28
samueldmq	gyee, sorry .. hehe but you guys use a ton of abbreviations	16:28
henrynash	samueldmq: I do agree with that as a long term vision	16:28
ayoung	samueldmq, so, the one thing to keep in mind is that we want to be able to vary policy per endpoint. If we go too far, like buy actually putting the rule_names as rolesinto the token, we can;'t do that	16:29
samueldmq	henrynash, ++ :)	16:29
*** tsymanczyk has quit IRC		16:29
ayoung	the endpoint mapping needs to be where we say this role has these permissions, but obviously with a simple default	16:29
samueldmq	ayoung, yes I know, token blob	16:29
ayoung	cool	16:29
gyee	samueldmq, PITA is type of food, but also stands for the feeling after certain doctor's visit :D	16:29
samueldmq	ayoung, the idea could be to generate the policy effectively from the role -> api association	16:29
*** jistr has quit IRC		16:30
lbragstad	jamielennox: working on the idp specific stuff now, running tests locally. I should be ready to push soon	16:30
*** topol has quit IRC		16:30
samueldmq	gyee, like bad news .. something hard to do ?	16:30
gyee	somethin like that	16:30
samueldmq	gyee, I see that openstakc need some more integration between services	16:30
samueldmq	gyee, like roles are consistent	16:30
*** kiran-r has quit IRC		16:31
samueldmq	gyee, like authorization is consistent, that means you need to be able to get an image to then create an instance	16:31
*** vivekd has joined #openstack-keystone		16:31
samueldmq	and so on	16:31
samueldmq	ayoung, ^	16:31
openstackgerrit	henry-nash proposed openstack/keystone: Add support for effective & inherited mode in data driven tests https://review.openstack.org/151623	16:31
*** ankita_wagh has joined #openstack-keystone		16:31
ayoung	lbragstad, he better be asleep now	16:31
lbragstad	ayoung: I'd hope so, but figured I'd leave him a message for him to find later	16:32
*** phalmos has joined #openstack-keystone		16:32
ayoung	++	16:32
*** phalmos has quit IRC		16:32
gyee	sumueldmq, operators also ask for better auditing mechanism, like who changed the role assignment and the time stamp	16:32
samueldmq	I think we are a bit faulty on that front, we need somehting to sew the services in the regard of pre- and post- conditions	16:32
gyee	I told them to look at CADF	16:32
ayoung	samueldmq, gyee I'd like us to have a 3 tier system. roles. workflows, permissions	16:32
gyee	surprisingly, not many aware of CADF	16:33
gyee	stevemar, ^^^	16:33
gyee	we need better marketing of CADF!	16:33
samueldmq	gyee, yes I thought about that as well once .. like be able to see what happened with someone who just lost access to the cloud, etc	16:33
samueldmq	gyee, who did remove his access ?	16:33
samueldmq	gyee, like magic	16:33
*** phalmos has joined #openstack-keystone		16:33
gyee	ayoung, yeah, agree	16:34
*** petertr7 is now known as petertr7_away		16:34
samueldmq	gyee, yeah , I will bring some posters with me to the summit	16:34
samueldmq	gyee, CADF everywhere (that was the spec's title)	16:34
gyee	samueldmq, yeah, we need to market it better :)	16:34
samueldmq	t-shirts maybe	16:34
gyee	sure	16:35
samueldmq	ayoung, gyee ok so looks like I am having some sane thoughts, we need to write all that somewhere ;)	16:35
samueldmq	s/I am having/we are having	16:35
*** browne has quit IRC		16:36
samueldmq	gyee, look at this : https://etherpad.openstack.org/p/policy-format	16:36
samueldmq	gyee, you'll see how I see your global check in the policy (in the future, we can't do that right now)	16:36
*** lhcheng has joined #openstack-keystone		16:37
*** ChanServ sets mode: +v lhcheng		16:37
gyee	operators still chasing log files for auditing and security events	16:37
samueldmq	gyee, that's just .. pfffff	16:37
*** dims_ has quit IRC		16:39
openstackgerrit	henry-nash proposed openstack/keystone: Add support for group membership to data driven assignment tests https://review.openstack.org/151962	16:39
gyee	samueldmq, how's that backward compatible?	16:39
*** dims has joined #openstack-keystone		16:39
samueldmq	gyee, see the third rule in the example	16:40
samueldmq	gyee, that's a rule as it's defined today	16:40
gyee	oh i c	16:40
samueldmq	gyee, 'In the last rule, 'field:subnetpools:shared=True' is taken as the 'rule' portion.	16:40
samueldmq	The other values take the default, i.e 'scope' is 'local' and 'requirement' is 'database', meaning it will only be enforced at service level.	16:40
samueldmq	'	16:40
samueldmq	gyee, :-)	16:40
dstanek	just for future reference... why are we afraid on configuration settings in the paste.ini?	16:40
samueldmq	gyee, that covers the need for global/local checks, middleware/service level checks	16:41
samueldmq	gyee, and so	16:41
samueldmq	dstanek, i.e changing the pipelines ?	16:41
*** ankita_wagh has quit IRC		16:42
*** shaleh has joined #openstack-keystone		16:42
gyee	dstanek, I've got one word for you, grenade	16:42
dstanek	samueldmq: yes, well that and configuring middleware in there	16:42
dstanek	gyee: what about grenade?	16:42
gyee	changing stuff in paste.ini, if not careful, will likely fail the grenade (upgrade) gate	16:43
dstanek	gyee: are they pulling the latest each time?	16:44
gyee	dstanek, see the theory of upgrade https://github.com/openstack-dev/grenade	16:44
dstanek	gyee: sure, i agree with that. but having config values in the ini vs. in the conf don't make that any different	16:45
ayoung	samueldmq, no need for a PM	16:47
ayoung	roles and RBAC all belong in keystone. Policy is part of that	16:47
samueldmq	ayoung, sure, rbac + roles should be together , I agree now	16:48
samueldmq	gyee, ayoung did you like that policy model ? does it deserve a spec ?	16:49
gyee	dstanek, my understanding is that paste.ini shouldn't change much because its is considered code	16:49
samueldmq	in the backlog ..	16:49
dolphm	dstanek: i cannot explain why, but rebooting my VM seems to have helped with tox -r build times	16:50
dstanek	gyee: yeah, i don't get why :-(	16:50
dstanek	dolphm: really?	16:50
*** HT_sergio has quit IRC		16:50
ayoung	samueldmq, depends on what we do about the explicit enumeration of rules per role. I think we need to solve that. It really calls for a unified policy file, but people just don;'t seem to get the connection	16:50
gyee	dstanek, the pipelines?	16:51
samueldmq	ayoung, if we have "role:admin" : [identity:list_users, identity:list_domains, compute:boot, compute:delete]	16:51
samueldmq	ayoung, we could easily generate the 'rbac policy' for nova, and another for keystone	16:52
dolphm	gyee: that's completely absurd, and AFAICT, is based on deployers being unwilling to read the paste docs to understand configuration file they've never seen before	16:52
ayoung	samueldmq, it really is just spliiting up the policy file like we said. One part to be modified by end user,m one for the scope and modifiable only by the coders	16:52
dstanek	gyee: in an ecosystem where we don't have everything in tree the pipeline is how you add middleware	16:52
dolphm	gyee: the same logic applies to policy.json	16:52
samueldmq	ayoung, yes, and I don't see the need of unified policy file in this case, we can generate different policies based on the namespace (compute: identity:) instead of an unified	16:53
samueldmq	ayoung, it would work as well	16:53
gyee	dstanek, dolphm, take a look at this one as an example, https://review.openstack.org/#/c/213379/	16:54
ayoung	samueldmq, we need the unified to have an inventory	16:54
gyee	pipeline and code changes has to be coordinated in some cases so maybe that's why they consider paste.ini as code?	16:55
gyee	that's just my guess	16:55
ayoung	we do too much in paste. And it is not a good format	16:55
dstanek	gyee: that's true of keystone.conf too	16:55
ayoung	dstanek, yep...which is why henrynash is pushing to do as much as possible in the database	16:55
ayoung	config files are not your friend	16:55
gyee	ayoung, no, we need to clearly draw a line between administration and configuration	16:56
*** doug-fish has quit IRC		16:56
gyee	that's a different argument	16:56
*** doug-fish has joined #openstack-keystone		16:56
dolphm	ayoung: can you defend that opinion? "paste is not a good format"	16:57
gyee	dstanek, why's keystone.conf changes require code changes?	16:57
ayoung	dolphm, yes I can	16:57
ayoung	dolphm, I tried working with it a while back. What it lacks is the ability to clean up	16:57
dstanek	gyee: right, paste.ini is more like the XML that set's up a tomcat service	16:57
ayoung	it is half of a inversion of control framework in a adomain specific language	16:57
samueldmq	ayoung, I believe we need an inventory that is consistent with the union of all the services, not necessarily the inventory is unique	16:57
ayoung	most of what we do in paste should be done in python	16:58
ayoung	beyond that, what we can't do in paste is define reusable filters composed of other filters	16:58
dstanek	gyee: not changes in config that need code changes....change in code that force config changes	16:58
ayoung	so we end up with huge duplicates of the pipelines instead of putting /auth under a separate pipeline from the rest of the v3 api	16:58
gyee	dstanek, nope, Theory of Grenade :)	16:59
* gyee is a messenger here		16:59
*** _kiran_ has quit IRC		16:59
dstanek	gyee: as we moved code around that required a config change. we've had our share of issues there. better now that code paths are no longer in the config	17:00
*** samleon has joined #openstack-keystone		17:01
gyee	dstanek, my understanding is that config and code upgrade must be able to be done separately	17:01
morgan_2549	ayoung: I'd support dropping everything into one entry in the pipeline	17:01
*** ankita_wagh has joined #openstack-keystone		17:01
morgan_2549	Only because paste isn't awful for people who add their own middleware. But nothing keystone should do needs to be separated out at this point	17:01
*** vivekd has quit IRC		17:02
morgan_2549	Entry should be "keystone" and that's it	17:02
gyee	is there an email thread on ini versus conf?	17:02
* gyee needs to read his emails more often		17:02
dstanek	morgan_2549: i was just thinking that i'll create a patch that no longer uses paste for filters since we don't actaully do it right anyway	17:02
morgan_2549	Ds++	17:02
morgan_2549	dstanek: even ++	17:03
dstanek	gyee: nope, i saw a comment in a review and wondered why there is such fear around this	17:03
morgan_2549	also fwiw I got some feedback on "db config" vs file config	17:03
dstanek	gyee: i actually made a patch that removes code paths from paste.ini	17:03
* dstanek never really tested it though		17:03
gyee	dstanek, link?	17:04
dstanek	morgan_2549: what's the verdict?	17:04
dolphm	ayoung: everything done in paste can be done in python, but paste makes middleware configuration accessible to end-users. and i don't know why you couldn't contribute "reusable-filters" upstream, if so desired. i've never considered trying to DRY a paste file, though.	17:04
dstanek	gyee: to my patch?	17:04
gyee	yes	17:04
morgan_2549	Basically "making an api call to put things in a db as a config" is unfun for many orgs. So we need to support both methods	17:04
dstanek	gyee: /opt/stack/keyston4	17:04
dolphm	yay, double the complexity, double the fun!	17:04
*** vivekd has joined #openstack-keystone		17:04
dstanek	good times!	17:05
morgan_2549	And the operators were luke warm on policy being centrally distributed by keystone. They said they would need to see it working and the benefit but they weren't unhappy with CMS deploying it	17:05
gyee	double the service revenue :)	17:05
dolphm	gyee: double the maintenance cost	17:05
morgan_2549	Especially since they control the window	17:05
gyee	lmao	17:05
dolphm	gyee: it's not funny	17:05
morgan_2549	dolphm: I have heard strong voices for config files.	17:06
dstanek	morgan_2549: since gyee has volunteered to run the experimental "pull from HTTP" code in hp public cloud i'm getting a little more than luke warm	17:06
morgan_2549	This was the response at the midcycle	17:06
dolphm	it's a security nightmare and then a maintenance nightmare. morgan_2549, also, you're forgetting the third form of config that is typically broken: args passed from the CLI	17:06
morgan_2549	It was a sure, might be good	17:06
ayoung	dolphm, I could contribute it...but I spent way too long trying to get it to work unsuccessfully. The issue really isn't the paste format, but the assumptions in the code.	17:06
*** mpmsimo has joined #openstack-keystone		17:07
morgan_2549	dolphm: configs in a db are hard to automate / make consistent. We just can't remove config options we had on disk easily. That's my point	17:07
*** petertr7_away is now known as petertr7		17:07
*** phalmos has quit IRC		17:07
morgan_2549	Not going to say new stuff has to/doesn't have to be in configs	17:08
ayoung	dolphm, I might revisit the "reusable filters" patch once the pecan transform is done. I was unsure what belonged where ...	17:08
openstackgerrit	henry-nash proposed openstack/keystone: Add support for data-driven backend assignment testing https://review.openstack.org/149178	17:08
ayoung	dolphm, so, yeah, the paste format itself is not horrible, but we overuse it. Ideally, the defaults would be in code, and the paste.ini file would be just the overrides	17:09
*** samleon has quit IRC		17:09
openstackgerrit	henry-nash proposed openstack/keystone: Add support for effective & inherited mode in data driven tests https://review.openstack.org/151623	17:09
dolphm	ayoung: ideally the code would not make any assumptions about how it's being deployed	17:09
ayoung	dolphm, actually, I think the reusable pipeline is the essential thing	17:10
openstackgerrit	henry-nash proposed openstack/keystone: Add support for group membership to data driven assignment tests https://review.openstack.org/151962	17:10
*** mpmsimo has quit IRC		17:10
dolphm	ayoung: what value is there beyond DRY config?	17:10
ayoung	that is really what you want to have in the paste file, and then adding in a separate pipeline for an extension would be trivial	17:10
morgan_2549	ayoung: do we care about extensions? We should let people add them	17:10
ayoung	dolphm, DRY here is important. You want to enable disable things like SERVIVE_TOKEN	17:10
morgan_2549	But I don't see that we as the project should care much.	17:11
gyee	forget the pipeline, how about do like what /etc/init.d/ does, just drop the file into a dir	17:11
ayoung	OK...so if we are going to use paste, we should use it	17:11
*** topol has joined #openstack-keystone		17:11
*** ChanServ sets mode: +v topol		17:11
ayoung	we just kuindof use it, and it is wierd	17:11
ayoung	I tried to split /auth out from /v3...and couldn't make it work without major code rewrites	17:11
shaleh	gyee: don't give our users too much sanity now	17:11
dstanek	ayoung: things that we don't indent people to disable need to be in code	17:11
ayoung	an extension should not be a filter	17:11
morgan_2549	We should roll everything into a single item in paste and use that. Just avoid having anything that we run outside of the "keystone" entry.	17:12
ayoung	but the routing is half in paste and half in code.	17:12
rodrigods	ayoung, awesome +A :) thx	17:12
morgan_2549	Let people still add their middleware	17:12
ayoung	rodrigods, YW	17:12
openstackgerrit	henry-nash proposed openstack/keystone: Broaden domain-group testing of list_role_assignments https://review.openstack.org/154302	17:12
dolphm	ayoung: the core concept of an extension is that it is optional	17:12
ayoung	dolphm, I like that...not complaining,	17:12
ayoung	just that it shouldnot abe a filter. It should be an end node of a pipelie	17:12
ayoung	line	17:12
dstanek	morgan_2549: that is mostly what i was thinking - there are things like debug, profile, rally stuff, that i will leave in the ini	17:12
morgan_2549	Filters etc. but what we run in keystone should be "keystone" not "identity assignment v3 token" etc	17:13
ayoung	so, what I was looking to do was make different access control for different portions of the pipelien	17:13
ayoung	let me see if I can mock up what I was looking to do	17:13
morgan_2549	dstanek: that would be the path I'd like to see	17:13
*** tsymanczyk has joined #openstack-keystone		17:13
*** tsymanczyk is now known as Guest5830		17:14
dstanek	gyee: looking at this diff i deleted some comments that i shouldn't have .... jas and i'll push	17:14
dolphm	ayoung: we already support that by exposing authorization data to the pipeline, and allowing each routable element in the pipeline to handle it's own authorization enforcement	17:14
*** mestery has quit IRC		17:14
gyee	dstanek, k	17:14
dolphm	ayoung: each one can load their own policy file today, if they so desire	17:14
boris-42	dstanek: hi there	17:15
*** topol has quit IRC		17:15
* dolphm food time		17:17
*** claudiub has quit IRC		17:18
*** phalmos has joined #openstack-keystone		17:19
openstackgerrit	David Stanek proposed openstack/keystone: WIP: use entrypoints for paste middleware and apps https://review.openstack.org/214720	17:21
dstanek	gyee: ^	17:21
*** Guest5830 has quit IRC		17:22
samueldmq	dstanek, very neat	17:23
ayoung	dolphm, something along the lines of this http://paste.openstack.org/show/421995/	17:23
ayoung	dolphm, although, much of what I wanted that for is now better handled via Federation	17:24
*** tsymancz1k has joined #openstack-keystone		17:25
*** mpmsimo has joined #openstack-keystone		17:25
*** dave-mcc_ has joined #openstack-keystone		17:29
*** dave-mccowan has quit IRC		17:30
*** roxanaghe has joined #openstack-keystone		17:33
dstanek	i got two more emails about the same friggen job that i keep saying no to...and they are from the same recruiting company...no i don't want to move to Plano, TX!	17:33
*** tsymancz1k is now known as tsymanczyk		17:34
morgan_2549	dstanek: but I hear Plano is the place to be >.>	17:34
*** mylu has quit IRC		17:34
gyee	no country for old man like us	17:35
gyee	dstanek, do not take the Texans over the Browns!	17:35
*** fangzhou has quit IRC		17:38
dstanek	gyee: looks like plano is by dallas	17:38
gyee	that would be the Cowboys	17:40
*** browne has joined #openstack-keystone		17:41
dstanek	gyee: re: that review you linked to.. so how we want to run v3 as an admin API now? /cc dolphm	17:50
*** tjcocozz has joined #openstack-keystone		17:51
*** roxanaghe has quit IRC		17:54
*** afazkas has joined #openstack-keystone		17:54
*** aix has quit IRC		17:55
*** kiran-r has joined #openstack-keystone		17:55
*** mpmsimo has quit IRC		17:58
gyee	dstanek, yeah, that's proper fix	18:03
gyee	especially if we are moving away from Identity Mangement	18:04
gyee	we need to give deployer the option to expose partial API set	18:04
dstanek	isn't that what we were getting away from?	18:04
gyee	some are already doing it, per the bug report	18:04
dstanek	and this doesn't do that - it just makes sure the links stay on the port from which is was accessed right?	18:05
*** kiran-r has quit IRC		18:05
gyee	dstanek, it offer deployers flexibility by having two separate endpoints	18:06
dstanek	gyee: so just two different network paths to the service? not functionality subsets?	18:08
gyee	both	18:08
*** jorge_munoz has quit IRC		18:08
dstanek	gyee: how would you do that in v3?	18:09
gyee	as a deployer, I am obligated to offer APIs that are on defcore	18:09
gyee	but others, I need to have the flexibility	18:09
gyee	dstanek, by having two separate endpoints	18:10
gyee	since endpoint_type/interface is configurable at the client side	18:10
*** topol has joined #openstack-keystone		18:11
*** ChanServ sets mode: +v topol		18:11
morgan_2549	gyee: use policy to expose partial api not "remove elements from the server"	18:12
gyee	policy?	18:12
morgan_2549	Yes. 403 forbidden	18:13
dstanek	gyee: i'd actually rather see the urls generated correct based on the request to solve this bug	18:13
morgan_2549	Not "oh 404 that whole api isn't there"	18:13
morgan_2549	Because is that 404 api is disabled? Resource doesn't exist? Or???	18:14
dstanek	i thought the point of v3 was that we were going down the "here is the v3 API" path instead of the way be have v2 broken in half	18:14
gyee	two different options, 404 I can stop it at the edge	18:14
morgan_2549	dstanek: that is the point	18:14
gyee	403 the call goes to the backend	18:14
gyee	I have much better tools at the edge	18:14
morgan_2549	gyee: I am 100% against keeping the split	18:14
dstanek	gyee: what edge? you'll still need to hit the app to see if the API exists or not	18:15
*** ayoung has quit IRC		18:15
gyee	dstanek, like at the API proxy?	18:15
*** topol has quit IRC		18:15
morgan_2549	You can 403 the Apis at the edge too he same you could 404	18:15
morgan_2549	It is a pattern	18:15
morgan_2549	The correct response is a 403 not a 404	18:15
dstanek	gyee: i just don't like the direction of that review	18:15
morgan_2549	You are forbidden from using he api not "I don't like this api so it doesn't exist"	18:16
morgan_2549	dstanek: which review?	18:16
gyee	morgan_2549, then why its not on defcore?	18:16
gyee	because deployer can't reasonable support certain APIs	18:16
dstanek	https://review.openstack.org/#/c/213379/8	18:16
*** roxanaghe has joined #openstack-keystone		18:16
gyee	why forcing them to expose them	18:17
morgan_2549	Ok. It is not defcore because it isn't meant to be required for trademark. That doesn't mean keystone doesn't lock in it's APIs	18:17
gyee	public cloud can't just support create user API because create user is a workflow	18:17
morgan_2549	I'm happy to make defcore require all Apis instead if that is what is needed but add a provision for 403 to be used	18:17
morgan_2549	That is fine. 403 that api. Not 404	18:18
morgan_2549	It tells the user the correct information	18:18
dstanek	gyee: this review doesn't do anything like you are talking about - it just deploys the same exact app on two different paths - the only difference is that is knows is admin vs. public	18:18
gyee	dstanek, you configure the rest at the API proxy	18:18
dstanek	gyee: right, so from a keystone perspective we just need to generate the correct links	18:19
dolphm	what is the impact of this bug?	18:19
gyee	dolphm, incorrect link at discovery	18:20
dolphm	gyee: what is the impact of that?	18:20
*** geoffarnold has quit IRC		18:20
*** lhcheng has quit IRC		18:20
dolphm	... the client accidentally switches to an identical endpoint?	18:20
dstanek	dolphm: yes, possible one is can't access due to routing issues	18:21
gyee	no, we can't selectively deploy APIs	18:21
morgan_2549	You should not be selectively deploying APIs	18:21
dolphm	dstanek: gyee: it always returns the public endpoint, right?	18:22
dstanek	dolphm: yes	18:22
gyee	dolphm, right	18:22
dolphm	actually, the bug says: "Version discovery is supposed to return the configured endpoint, but it will always return "admin" endpoint."	18:22
dolphm	if it was always the public endpoint, then it'd be problem solved	18:22
dolphm	no routing issues	18:22
dolphm	so invert the behavior of the "bug," and skip the extra complexity	18:23
dstanek	dolphm: i was thinking we just need to generate our links correctly	18:23
dstanek	dolphm: i definitely don't want two v3 pipelines	18:23
dolphm	there isn't a "public" and an "admin" v3 API, so there's no point in deploying them separately. if you really want that, write your own paste pipeline with one endpoint and it's own policy file, and deploy keystone twice	18:24
morgan_2549	Yeah don't do 2 v3 pipelines	18:24
dolphm	dstanek: ++	18:24
dstanek	if i am reading the code correct it always returns the public URLs http://git.openstack.org/cgit/openstack/keystone/tree/keystone/service.py#n130	18:24
gyee	but aren't we still listening on two ports today?	18:25
morgan_2549	gyee: only as an artifact of v2	18:25
dstanek	gyee: one applicaition on two ports	18:25
morgan_2549	But v3 is the same application	18:25
morgan_2549	Both ports	18:25
dstanek	or we can just deploy v3 on the public port :-D	18:25
morgan_2549	dstanek: yeah we should ditch the random high port in general	18:26
*** phalmos has quit IRC		18:26
dstanek	cool! one line fix!	18:27
gyee	I don't think its that simple	18:27
dolphm	i wish the "random high" IANA-assigned port was the public port, not the magic-authz port	18:28
gyee	clients still treating them separate, that why we have this bug to begin with	18:28
*** stevemar has joined #openstack-keystone		18:28
*** ChanServ sets mode: +v stevemar		18:28
dolphm	gyee: but if they always get an accessible endpoint, who cares?	18:29
gyee	there's what we, the devs, think it should happen, then there's the real world :)	18:29
dolphm	gyee: give them the public endpoint and push them back to one. how it's labeled does not matter.	18:29
gyee	dolphm, unless we kill off one port, I don't know how to force clients to use one port	18:30
morgan_2549	We should move to using port 80/443	18:30
dstanek	gyee: this seems like a "you're doing it wrong" case to me	18:30
morgan_2549	And not use random ports at all	18:30
dolphm	gyee: the bug illustrates how -- only point them to one endpoint... the public one.	18:30
dstanek	morgan_2549: ++ - port 5000 feels like i'm developing an app and that's my development server	18:31
dolphm	dstanek: i guarantee that's how port 5000 was "chosen"	18:31
morgan_2549	dolphm: yah	18:31
dolphm	it was actually 5000 and 5001 in the diablo release	18:31
*** geoffarnold has joined #openstack-keystone		18:31
*** bapalm has quit IRC		18:31
morgan_2549	Yep	18:31
morgan_2549	Port 80/443 is way better	18:32
* morgan_2549		18:32
openstackgerrit	Henrique Truta proposed openstack/keystone: Replicate domain info in projects table https://review.openstack.org/211170	18:32
* morgan_2549 makes note of go back on devstack		18:32
*** bapalm has joined #openstack-keystone		18:32
gyee	dstanek, if here's an API you don't wish to expose publically but make available internally, how would you do it?	18:32
morgan_2549	gyee: issue a blind 403 on it	18:33
dolphm	gyee: or a 404, the choice is yours	18:33
gyee	where? at the edge or let to call go to Keystone	18:33
morgan_2549	dolphm: I'm arguing you should never issue a 404 on the api	18:33
openstackgerrit	Brant Knudson proposed openstack/keystone: Add user domain info to federated fernet tokens https://review.openstack.org/213742	18:33
openstackgerrit	Brant Knudson proposed openstack/keystone: Add user_domain_id, project_domain_id to auth context https://review.openstack.org/213792	18:33
openstackgerrit	Brant Knudson proposed openstack/keystone: Fix docstring for common.authorization https://review.openstack.org/213752	18:33
openstackgerrit	Brant Knudson proposed openstack/keystone: Add unit tests for token_to_auth_context https://review.openstack.org/213797	18:33
openstackgerrit	Brant Knudson proposed openstack/keystone: Build oslo.context RequestContext https://review.openstack.org/213595	18:33
morgan_2549	403 tells the user the right info	18:33
gyee	I would rather stop the call at the external VIP	18:34
morgan_2549	404 doesn't. Difference between "you aren't allowed to do this" vs "doesn't exist"	18:34
morgan_2549	gyee: 403 it at the edge then. But don't remove part	18:34
morgan_2549	Of the api from the keystone app	18:34
morgan_2549	The api is not optional	18:34
morgan_2549	Supporting the use of the api is.	18:35
dolphm	morgan_2549: right, i don't care either way, but you just explained why security folks will argue in favor of 404	18:35
gyee	morgan_2549, sure, I am fine with either 403 or 404	18:35
dolphm	morgan_2549: it reveals less information to attackers than a 403	18:35
lbragstad	dstanek: i think i got the same recruiter email you did.	18:35
dstanek	gyee: i agree that a 403 a the edge is probably what you should do ... but this isn't related to the bug anymore	18:35
dstanek	lbragstad: haha, from which recruiter?	18:35
lbragstad	dstanek: person or company?	18:36
*** rm_work is now known as rm_work\|away		18:36
morgan_2549	dolphm: this is a case where I don't think we reveal anything by 403 over 404 and it tells you not "did I get the resource or irk wrong" but "you can't do this'll	18:36
morgan_2549	Better for end users consuming the api	18:36
dstanek	lbragstad: i got it from Senthil and Mohan both from Harman	18:36
lbragstad	dstanek: yep, same	18:36
morgan_2549	And I'll argue with the security folks on this one	18:36
lbragstad	they're just going down the line!	18:36
gyee	dstanek, it gives us two separate endpoints to work with	18:36
dolphm	lbragstad: that's how recruiters work	18:37
morgan_2549	They can stuff it. A 403 here makes no difference to security and provides a massive ux improvement	18:37
dstanek	gyee: but your edge would know how a user is coming in right? you could put rules on one port and not another	18:37
morgan_2549	dstanek: ++	18:37
gyee	lbragstad, meta data, linkability :)	18:37
bknudson	https://review.openstack.org/#/c/195766/	18:37
gyee	that's now NSA recruit :)	18:37
dolphm	google seems to be the only company that puts an once of care into their recruiter spam	18:37
* morgan_2549 goes to propose a change to keystone defcore requiring Apis to 403 for keystone if they are not used		18:38
dolphm	it's like handcrafted artisanal spam	18:38
morgan_2549	Or supported. Not "rip the api out/404"	18:38
dstanek	lbragstad: Ericson must be having a hard time getting people for this. i've seen this same job come through by email for months.	18:38
lbragstad	we should start bingo boards	18:38
morgan_2549	dstanek: OpenStack talent is hard to find	18:39
dstanek	dolphm: artisanal spam.... love it!	18:39
morgan_2549	Core on <project-> is a massive target on your back	18:39
gyee	morgan_2549, let me see if we can configure netscaler to return 403	18:39
gyee	I think it should be possible	18:39
*** lhcheng has joined #openstack-keystone		18:39
*** ChanServ sets mode: +v lhcheng		18:39
morgan_2549	gyee: that's fine but if you can't it doesn't change my view.	18:40
gyee	what 403 versus 404? error code is not a big deal to me	18:40
dstanek	morgan_2549: you can only ask the same people so many times. i wonder if Ericsson knows they have so many recruiters recruiting the same people over and over again	18:41
morgan_2549	Yes. That a 403	18:41
dolphm	gyee: unless you want to argue against 403, 403 wins	18:41
gyee	dolphm, I don't care about 403 vs 404, I can more about flexibility in deployment	18:41
morgan_2549	Is more correct snd we shouldnt support ripping part of the api out	18:41
*** mpmsimo has joined #openstack-keystone		18:41
* morgan_2549 thinks this "flexibility" is just complexity that makes OpenStack harder for the sake of being harder. Fwiw		18:42
dolphm	i just looked in my recruiter inbox, and good news everyone! HP Cloud Helion is hiring	18:42
gyee	so I can spend more resources optimizing the public APIs since their call volume is much higher than the internal ones	18:42
dolphm	gyee: you mean: auth	18:43
gyee	sure	18:43
morgan_2549	None of what you are asking changes your ability to do that	18:43
morgan_2549	You're asking for a way to make broken deployments	18:43
morgan_2549	More	18:43
*** jasonsb has quit IRC		18:43
morgan_2549	Easily and a bad end user experience	18:43
morgan_2549	You can still focus on improving the other things.	18:43
*** fangzhou has joined #openstack-keystone		18:43
gyee	why do we have two ports in v2 to begin with?	18:43
*** jasonsb has joined #openstack-keystone		18:44
morgan_2549	Auth vs crud split	18:44
gyee	right	18:44
morgan_2549	Sort of	18:44
morgan_2549	Except it was t	18:44
morgan_2549	Wasn't	18:44
morgan_2549	It was sort of a split	18:44
morgan_2549	And v3 doesn't do that anymore.	18:44
gyee	but why?	18:45
dolphm	the problem was that several calls blurred the lines, and appeared on both APIs... it wasn't a true split at all	18:45
morgan_2549	It was overly complex	18:45
morgan_2549	You can split at L7 on uri if you want	18:45
dolphm	there was a ton of confusion about which endpoint to call and why, and so the solution for v3 was to merge the two into one and wrap the result with RBAC	18:45
morgan_2549	But the keystone app should just be a unified app	18:45
morgan_2549	For ^^ dolphm's highlighted reasons	18:46
morgan_2549	If auth needs to be it's own service that is fine but it should be really split apart (no let's not do that today)	18:47
gyee	dolphm, the other reason was we couldn't agree on anything else besides auth, that's what I was told anyway	18:48
*** jasonsb has quit IRC		18:48
gyee	hence the OS- extensions	18:48
gyee	I didn't join till Folsom so I missed the earlier histories	18:49
dolphm	gyee: sort of. it was also to allow experimentation in core without obligating anyone to deploy extensions. the problem came about when no one put any effort into providing discovery mechanisms to enable the clients to show extension-based features only if they were enabled	18:49
morgan_2549	This is where the experimental stuff and no extensions have stepped in. And so far it is better	18:50
*** geoffarnold has quit IRC		18:52
*** geoffarnold has joined #openstack-keystone		18:54
gyee	but even with the extension mechanism, why do we elect to go with two ports to begin with? In theory, we can still have one app right?	18:54
gyee	that's essentially the same argument here	18:54
*** topol has joined #openstack-keystone		18:55
*** ChanServ sets mode: +v topol		18:55
morgan_2549	https://review.openstack.org/#/c/214756/1 (<-- dolphm)	18:56
*** yottatsa has quit IRC		18:57
*** tjcocozz_ has joined #openstack-keystone		18:57
dolphm	morgan_2549: +1	18:57
*** rm_work\|away is now known as rm_work		18:57
morgan_2549	dolphm: just to make it explicitly clear what is expected	18:58
dolphm	morgan_2549: although, i'd like to provide a way to remove v2 CRUD from a deployment while maintaining support for v2 auth... i don't think that would violate those assertions	18:59
morgan_2549	dolphm: ah got a solution for that	18:59
morgan_2549	easy	18:59
dolphm	morgan_2549: i do too, but i haven't written it yet. what's yours?	19:00
*** tjcocozz has quit IRC		19:00
morgan_2549	dolphm: there	19:01
morgan_2549	refresh	19:02
gyee	"All provided K	19:02
gyee	eystone APIs are expected to exist on the server even if not designated."	19:02
gyee	good luck enforcing that :)	19:02
morgan_2549	gyee: I am going to be adding a lot of defcore tests	19:03
morgan_2549	which means... if you result in a 404 instead of a 403 on these	19:03
morgan_2549	no TM	19:03
morgan_2549	it's not hard to enforce what we want	19:03
morgan_2549	dolphm: just say deprecated APIs can be omitted.. really easy that way	19:04
dolphm	gyee: that just means "run the upstream code"	19:04
* gyee is tweaking his VIP to catch all return 403		19:04
morgan_2549	gyee: fine, that is the net result we want for user experience.	19:05
morgan_2549	gyee: you can game the system how you want. but we're outlining what is needed	19:05
morgan_2549	but realize the next step is keystone will be a single app in the paste pipeline	19:05
morgan_2549	not "identity assigmnnt resource ..."	19:05
morgan_2549	it'll just be "keystone"	19:05
dolphm	reproducing bugs that require running stack.sh is booorrinnggg	19:07
gyee	morgan_2549, we haven't officially deprecated v2.0 yet right?	19:07
*** stevemar has quit IRC		19:07
morgan_2549	bo	19:07
dolphm	gyee: only the keystoneclient cli	19:07
morgan_2549	no*	19:07
morgan_2549	v2 is not deprecated.	19:07
morgan_2549	that added line was just to ensure we have a path to allow people to drop v2 down the line without violating defcore	19:08
gyee	no argument here	19:08
morgan_2549	also when v2 is officially deprecated we will update the guidance to not say v2 is required	19:08
dolphm	morgan_2549: is there a better place to make the same assertion about deprecated APIs that can apply to all projects?	19:08
morgan_2549	possibly	19:09
morgan_2549	we can lift it to all projects	19:09
dolphm	morgan_2549: or should we start with keystone, and then "promote" that assertion to all projects?	19:09
morgan_2549	but i'd like to state if here first then work with hogepodge to move it up	19:09
morgan_2549	yeah	19:09
dolphm	k	19:09
morgan_2549	this gets is as an accepted thing already	19:09
openstackgerrit	Henrique Truta proposed openstack/keystone: Creating tests for projects acting as domains https://review.openstack.org/211219	19:09
morgan_2549	then we can assert it elsewhere easily :)	19:09
gyee	assert like building tests to make sure it returns 404? :)	19:10
gyee	k man, food time for the left coast	19:11
*** lhinds has joined #openstack-keystone		19:12
morgan_2549	gyee: no, just add it to the guidance	19:13
morgan_2549	if someone runs a deprecated API they are not in violation of defcore	19:13
morgan_2549	afai care	19:13
*** afazkas has quit IRC		19:13
*** afazekas has joined #openstack-keystone		19:14
*** mpmsimo has quit IRC		19:18
*** lhcheng has quit IRC		19:18
*** geoffarnold has quit IRC		19:20
openstackgerrit	Lance Bragstad proposed openstack/keystone: Add federated auth for idp specific websso https://review.openstack.org/214766	19:22
*** jasonsb has joined #openstack-keystone		19:25
lbragstad	jamielennox: FYI ^	19:25
*** ngupta has quit IRC		19:26
*** ngupta has joined #openstack-keystone		19:35
openstackgerrit	Brant Knudson proposed openstack/keystone: Add user domain info to federated fernet tokens https://review.openstack.org/213742	19:38
openstackgerrit	Brant Knudson proposed openstack/keystone: Add user_domain_id, project_domain_id to auth context https://review.openstack.org/213792	19:38
openstackgerrit	Brant Knudson proposed openstack/keystone: Fix docstring for common.authorization https://review.openstack.org/213752	19:38
openstackgerrit	Brant Knudson proposed openstack/keystone: Add unit tests for token_to_auth_context https://review.openstack.org/213797	19:38
openstackgerrit	Brant Knudson proposed openstack/keystone: Build oslo.context RequestContext https://review.openstack.org/213595	19:38
*** piyanai has joined #openstack-keystone		19:38
openstackgerrit	Steve Martinelli proposed openstack/keystone: move federation extension to core https://review.openstack.org/214775	19:39
*** petertr7 is now known as petertr7_away		19:41
*** petertr7_away is now known as petertr7		19:41
*** e0ne has joined #openstack-keystone		19:45
openstackgerrit	henry-nash proposed openstack/keystone: Test list_role_assignment in standard inheritance tests https://review.openstack.org/153897	19:45
*** afazekas has quit IRC		19:46
*** raildo is now known as raildo-afk		19:47
*** e0ne has quit IRC		19:47
*** gyee has quit IRC		19:47
*** samueldmq has quit IRC		19:49
*** belmoreira has joined #openstack-keystone		19:50
openstackgerrit	Nithya Renganathan proposed openstack/keystone: move federation extension to core https://review.openstack.org/214775	19:50
*** topol has quit IRC		19:51
*** gyee has joined #openstack-keystone		19:56
*** ChanServ sets mode: +v gyee		19:56
*** geoffarnold has joined #openstack-keystone		19:56
*** topol has joined #openstack-keystone		19:58
*** ChanServ sets mode: +v topol		19:58
*** alejandrito has joined #openstack-keystone		19:59
openstackgerrit	David Stanek proposed openstack/keystone: Use entrypoints for paste middleware and apps https://review.openstack.org/214720	19:59
*** ngupta_ has joined #openstack-keystone		19:59
*** alejandrito_ has joined #openstack-keystone		20:00
*** alejandrito has quit IRC		20:00
dstanek	dolphm: did you get you git issue worked out?	20:00
*** ngupta__ has joined #openstack-keystone		20:01
*** ngupta has quit IRC		20:02
*** e0ne has joined #openstack-keystone		20:02
*** topol has quit IRC		20:03
*** ngupta_ has quit IRC		20:04
openstackgerrit	Lance Bragstad proposed openstack/keystone: Add federated auth for idp specific websso https://review.openstack.org/214766	20:11
*** woodster_ has joined #openstack-keystone		20:13
*** stevemar has joined #openstack-keystone		20:14
*** ChanServ sets mode: +v stevemar		20:14
*** lhcheng has joined #openstack-keystone		20:15
*** ChanServ sets mode: +v lhcheng		20:15
*** e0ne has quit IRC		20:18
*** alejandrito_ has quit IRC		20:18
dolphm	dstanek: not really	20:18
dolphm	dstanek: i gave up yesterday	20:19
dolphm	dstanek: got the same issue in two separate clones of keystone	20:19
*** roxanaghe has quit IRC		20:20
*** _cjones_ has quit IRC		20:21
*** piyanai has quit IRC		20:22
*** r-daneel has joined #openstack-keystone		20:24
openstackgerrit	Vivek Dhayaal proposed openstack/keystone: Stable Keystone Driver Interfaces https://review.openstack.org/209524	20:24
*** e0ne has joined #openstack-keystone		20:29
stevemar	ohhh stable driver code	20:32
*** mpmsimo has joined #openstack-keystone		20:33
*** petertr7 is now known as petertr7_away		20:34
*** pnavarro has joined #openstack-keystone		20:35
*** e0ne has quit IRC		20:35
*** e0ne has joined #openstack-keystone		20:36
*** petertr7_away is now known as petertr7		20:37
dstanek	stevemar: yeah, i'm not a fan of the approach	20:39
*** geoffarnold has quit IRC		20:40
*** belmoreira has quit IRC		20:44
*** ngupta__ has quit IRC		20:47
openstackgerrit	Dolph Mathews proposed openstack/keystone: Test v2 tokens being deleted by v3 https://review.openstack.org/201738	20:48
dolphm	dstanek: had to post a revision to https://review.openstack.org/#/c/201738/ because it wasn't using a user & project in the default domain when creating the v2 token (copy pasta from another test)	20:49
*** Ephur has joined #openstack-keystone		20:51
*** mylu has joined #openstack-keystone		20:51
vivekd	dstanek: thanks for your review of my stable driver interfaces patch.	20:53
vivekd	dstanek: by docs, you mean i need to add the DocImpact flag and create documents elsewhere or did you mean code comments and docstrings?	20:53
vivekd	dstanek: and you had said you didn't understand the point.	20:53
vivekd	dstanek: can you please let me know what is that, so that i can explain you.	20:53
*** geoffarnold has joined #openstack-keystone		20:54
*** ngupta has joined #openstack-keystone		20:54
*** Ephur has quit IRC		20:56
*** ngupta has quit IRC		20:58
*** mpmsimo has quit IRC		20:59
*** dave-mcc_ has quit IRC		21:01
dstanek	vivekd: there is no developer docs so i don't know why i have to make a Compatibilzer, how it works, when I have to do it, etc.	21:01
dstanek	vivekd: also what does it mean to consumers of the interface. what they they need to do and look out for?	21:02
*** piyanai has joined #openstack-keystone		21:03
*** breton has quit IRC		21:04
*** stevemar has quit IRC		21:05
vivekd	dstanek: sorry about my ignorance but i dont know what you mean by developer docs. is that any URL where i need to document about Compatiblizer? I can do that, if you can point me to it...	21:05
*** piyanai has quit IRC		21:05
dstanek	vivekd: in the docs tree we have a developer.rst or something like that	21:05
*** mpmsimo has joined #openstack-keystone		21:05
dstanek	vivekd: otherwise people won't know how to use this	21:06
vivekd	dstanek: ok i'll document there	21:06
dstanek	vivekd: is there any tests that show how to delete or add a method?	21:07
*** Ephur has joined #openstack-keystone		21:07
*** petertr7 is now known as petertr7_away		21:07
vivekd	dstanek: this is the test i'd written - https://review.openstack.org/#/c/209524/6/keystone/tests/unit/common/test_stable_driver_interface.py	21:08
vivekd	if u see the method - "test_driver_interface_with_compatibility"...	21:08
vivekd	dstanek: the driver interface has two methods	21:09
vivekd	dstanek: but the driver implementation has only one method	21:09
*** piyanai has joined #openstack-keystone		21:10
vivekd	dstanek: to make that interface compatible with that driver, the missing method is provided by the compatibilizer class	21:10
*** _cjones_ has joined #openstack-keystone		21:12
dstanek	vivekd: i'm not a fan of grafting the two classes together. is there any reason for doing it that way?	21:12
dstanek	vivekd: i'm struggling a little bit because the third-party developer will have to update their driver anyway once up upgrade driver versions	21:15
*** e0ne has quit IRC		21:15
vivekd	dstanek: no specific reason for that approach. i've just used that approach as a means to fill the missing gaps at runtime when the driver is loaded	21:16
dstanek	vivekd: for example someone developing the Mongo driver. how do we ensure that the new method we added to the Compatibilizer actually works for them?	21:17
vivekd	dstanek: with the stable driver interfaces, the third party developer can live without upgrading the driver for one additional release	21:18
dstanek	vivekd: but how can we ensure the method we added won't break them? or will the methods always to nothing?	21:18
dstanek	like raise NotImplemented	21:18
*** e0ne has joined #openstack-keystone		21:19
dstanek	also i think the impl only allows 1 older driver interface	21:20
*** hrou has quit IRC		21:20
*** mpmsimo has quit IRC		21:20
*** mpmsimo has joined #openstack-keystone		21:22
*** henrynash has quit IRC		21:22
*** geoffarnold has quit IRC		21:23
*** geoffarnold has joined #openstack-keystone		21:24
vivekd	dstanek: one example that i can think of is...	21:25
vivekd	consider a user table with id, first_name, email.	21:25
vivekd	and assume there existed a API list_users in version 12.	21:25
vivekd	now in interface version 13, a new API say list_users_by_first_name is added.	21:25
vivekd	version 12 drivers wont have implemented that API.	21:25
vivekd	so we could add a compatibilizer class method list_users_by_first_name that could internally call version 12 drivers list_users API and do an in-memory filtering based on first name and then return the results back to the caller	21:25
vivekd	dstanek: yes the impl suports 1 older drivers implementation alone	21:26
dstanek	vivekd: what would happen if first_name was actually a new field?	21:26
vivekd	dstanek: drivers written in L release would work in M release	21:27
*** e0ne has quit IRC		21:28
*** roxanaghe has joined #openstack-keystone		21:28
vivekd	dstanek: hmmm...thats a schema change. i doubt if schema change incompatibilities could be solved programmatically...	21:28
dstanek	vivekd: so what do we do?	21:29
dstanek	is it just a documentation thing?	21:29
vivekd	dstanek: in schema change cases, i think there is no other go. the third party developer should upgrade his driver	21:30
dstanek	i'm a little worried that we may silently make driver so slow that you could argue that we broke them	21:30
dstanek	vivekd: i was thinking that this much go beyond having methods with the same name, but needs to define somewhere the real inputs and outputs	21:32
vivekd	dstanek: i didn't get you. you mean inserting the compatibility layer would slow down the driver performance?	21:32
dstanek	vivekd: yes, in you example you created a table scan	21:32
*** mpmsimo has quit IRC		21:33
dstanek	or if it were a mongo driver you loaded all documents from a collection and that would be really bad	21:33
vivekd	dstanek: agreed my example was a bad one. i just gave it from the top of my head. there could be better solutions	21:35
dstanek	vivekd: no, you demonstrated my concern	21:35
vivekd	dstanek: i feel, the stable driver interfaces as such is not the slow-down factor.	21:37
vivekd	dstanek: if a bad performing compatibility method is written, that is what could slow down the driver	21:37
vivekd	gyee: you had commented that you are "still trying to understand the need for COMPATIBILIZER class"	21:40
dstanek	vivekd: to me this most important part of the stable driver interface is defining the inputs/outputs	21:40
vivekd	gyee: may i explain you?	21:40
vivekd	dstanek: sorry i didn;t get u. can you please explain what u mean by 'defining inputs/outputs'?	21:41
dstanek	what gets returned from a list_users?	21:42
vivekd	dstanek: a list of users and based on filter params if any...	21:44
dstanek	what's in a list of users?	21:45
dstanek	vivekd: that's why the spec talks about redesigning the drivers	21:45
dstanek	vivekd: the method problem can be solved with very little code, but if we break the semantics of the methods then all is lost	21:46
*** lhcheng has quit IRC		21:46
dstanek	let's go to the extreme and talk about tokens.... what's in there? what's actually in there on purpose and won't be removed?	21:47
*** piyanai has quit IRC		21:47
dstanek	that's a super nested, highly complicated structure	21:47
*** piyanai has joined #openstack-keystone		21:47
*** breton has joined #openstack-keystone		21:49
breton	upgraded to jessie	21:49
*** piyanai has quit IRC		21:49
dstanek	breton: did it work?	21:49
*** piyanai has joined #openstack-keystone		21:51
dstanek	vivekd: actually let me draw up an alternative.....	21:51
*** gordc has quit IRC		21:52
*** doug-fish has quit IRC		21:53
*** tjcocozz_ has quit IRC		21:53
vivekd	dstanek: by method problem u mean method addition/removal problem right?	21:53
vivekd	by method semantics u mean the method signature undergoes a change in the newer version of the interface?	21:53
vivekd	dstanek: ok	21:53
breton	ah, it was supposed to go to another channel. But ok.	21:53
breton	dstanek: yep	21:53
dstanek	vivekd: yes	21:53
*** breton has quit IRC		21:54
*** breton has joined #openstack-keystone		21:54
*** pnavarro has quit IRC		21:57
*** csoukup has quit IRC		21:58
gyee	vivekd, dstanek, reading back ...	22:01
vivekd	dstanek: what is ur alternative?	22:01
vivekd	dstanek : sorry i'm a bit confused as i'm new to keystone	22:01
vivekd	gyee: ok	22:02
*** dave-mccowan has joined #openstack-keystone		22:02
dstanek	vivekd: not sure, drawing it up now	22:02
gyee	vivekd, so for out-of-tree drivers, I would have to implement a compatibilizer in order to upgrade?	22:03
*** breton has quit IRC		22:03
dstanek	gyee: no, we as Keystone do that	22:03
*** breton has joined #openstack-keystone		22:03
vivekd	yes gyee	22:03
dstanek	the methods on the campatibilitzer are just added onto the third-party driver	22:04
vivekd	gyee: drivers dont' need to undergo any changes	22:04
*** hrou has joined #openstack-keystone		22:04
gyee	but those methods will be result in NotImplemented exception right?	22:04
*** geoffarnold has quit IRC		22:05
vivekd	gyee: u mean methods not overridden by old driver?	22:05
dstanek	gyee: new methods will have default implementations in the compatibilizer class	22:06
*** geoffarnold has joined #openstack-keystone		22:06
*** tiny-hands has quit IRC		22:07
gyee	dstanek, default implementation?	22:07
gyee	wouldn't they just raise NotImplemented?	22:08
dstanek	gyee: basically.	22:08
gyee	vivekd, right	22:08
dstanek	gyee: i would vote yes on that	22:08
gyee	so in that case we don't need that class	22:08
gyee	just raise the exception for any methods that are not found in the driver	22:09
vivekd	gyee: but if a new method added to an interface is found missing in the old driver, then such a driver will not be loaded by keystone and keystone will fail to start because ABCMeta would prevent instantiation of the driver if any of the abstract methods are not overridden in the driver	22:12
dstanek	ugg....got disconnected	22:12
dstanek	gyee: that is basically my alternative	22:12
*** btully has joined #openstack-keystone		22:13
*** csoukup has joined #openstack-keystone		22:14
gyee	vivekd, if the driver does not have implementation of the new interfaces, the system will likely fail anyway	22:15
vivekd	gyee: no	22:16
vivekd	gyee: with my solution, it wont fail, provided, the new method is present in the Compatibilizer class	22:16
*** roxanaghe has quit IRC		22:17
dstanek	vivekd: see i think in many cases it will and the fact that we can't know when means we should assume it will	22:17
gyee	I agree with dstanek	22:17
dstanek	vivekd: you're mistaking finding a method with given name and functionality working	22:17
gyee	there is a difference in having name only versus full functionality	22:18
*** csoukup has quit IRC		22:19
dstanek	that's why this was more about the inputs and outputs than methods	22:19
*** narengan has quit IRC		22:20
gyee	dstanek, difficult to enforce	22:21
*** narengan has joined #openstack-keystone		22:21
dstanek	gotta run for a bit....i'll finish my hack when i get back	22:22
vivekd	dstanek: gyee: ok	22:23
vivekd	gyee: so my understanding is that, you suggest we can remove the compatibilizer class	22:23
*** dave-mccowan has quit IRC		22:24
gyee	vivekd, yes, I don't think we need it	22:24
*** urulama has quit IRC		22:25
gyee	vivekd, but we need some more thinking on the I/O enforcement	22:25
gyee	I don't have a good suggestion on that one right now	22:25
*** urulama has joined #openstack-keystone		22:25
*** narengan has quit IRC		22:25
dstanek	vivekd: i don't think you should change anything just yet until there is more feedback	22:25
*** narengan has joined #openstack-keystone		22:26
vivekd	gyee: u mean enforcing that the drivers implement the methods with the same signature as that in the interfaces?	22:26
gyee	vivekd, yes	22:26
vivekd	gyee: i thought that was not in the picture at all, given the abandonded strictABC implementation patch https://review.openstack.org/#/c/148354/ by morgan_2549	22:28
dstanek	vivekd: if we can change the signatures then we can break compatibility	22:29
dstanek	vivekd: i take it one step further that we should enforce a stricture to our complex types (list, dict, objects, etc)	22:30
gyee	lets rewrite it with a strong type language :)	22:31
gyee	maybe it'll have to be just 3rd party CI then	22:32
dstanek	gyee: Python is strongly typed	22:32
gyee	fer shure	22:33
dstanek	gyee: i think you meant a statically typed language	22:34
openstackgerrit	Alberto Murillo proposed openstack/keystone: disable admin_token by default https://review.openstack.org/185464	22:35
gyee	somethin like that	22:35
*** mpmsimo has joined #openstack-keystone		22:39
*** mpmsimo has quit IRC		22:40
vivekd	dstanek: ok	22:42
vivekd	gyee: if the compatiblizer is removed, then in tha case that the driver version = 11 and interface version = 12, then what do we do?	22:42
vivekd	gyee: just check if all the methods in interface are implemented in driver and if not raise an exception. that's it?	22:42
*** fangzhou_ has joined #openstack-keystone		22:42
morgan_2549	dstanek: lets go with RustLang!	22:42
*** fangzhou has quit IRC		22:43
*** fangzhou_ is now known as fangzhou		22:43
albertom	gyee: can you re review the change to disable admin auth token?	22:43
gyee	morgan_2549, Oo	22:44
albertom	In the installation guide it is not even mentioned how to disable it from the pipelines	22:44
gyee	albertom, k	22:44
albertom	I was in an installfest last saturday and nobody know that it has to be disabled from paste.ini :P so I must insist a bit more on this	22:45
gyee	albertom, I am not disagreeing we need to disable it	22:46
gyee	just need to figure out how to do it sanely	22:46
vivekd	gyee: ??	22:47
*** dave-mccowan has joined #openstack-keystone		22:47
albertom	cool :D	22:47
*** r-daneel has quit IRC		22:49
gyee	vivekd, in that case, just LOG.warn()	22:49
gyee	about the potential disaster	22:49
*** mylu has quit IRC		22:52
gyee	albertom, just curious, if you don't configure an admin token, you did you manage to bootstrap stuff?	22:53
gyee	how did you create the baseline data, via SQL?	22:53
*** mylu has joined #openstack-keystone		22:53
*** jasonsb has quit IRC		22:55
*** zzzeek has quit IRC		22:56
*** mylu_ has joined #openstack-keystone		22:56
*** geoffarnold has quit IRC		22:57
*** mylu has quit IRC		22:57
*** shaleh has quit IRC		22:57
*** mylu_ has quit IRC		22:59
*** jecarey has quit IRC		22:59
*** mylu has joined #openstack-keystone		22:59
albertom	gyee: I configure admin token in /etc/keystone/keystone.conf	23:00
albertom	then create the admin users	23:00
albertom	tenatnst endpoints	23:00
albertom	and then to disable it, just remove the admin_token var from keystone.conf and restart httpd	23:01
albertom	no mess with keystone-paste.ini	23:01
*** btully has quit IRC		23:02
jamielennox	lbragstad: still here?	23:03
*** mylu_ has joined #openstack-keystone		23:03
jamielennox	thanks for getting that patch up, i put an early review on the URI location, i'm not sure if you put if there was a specific reason to use the URI you did or just trying to match the existing websso path	23:04
*** mylu has quit IRC		23:04
*** mylu_ has quit IRC		23:05
*** mylu has joined #openstack-keystone		23:06
*** albertom is now known as albertom-afk		23:06
*** mylu has quit IRC		23:10
*** mpmsimo1 has joined #openstack-keystone		23:10
*** dave-mccowan has quit IRC		23:13
*** mylu has joined #openstack-keystone		23:14
*** mylu has quit IRC		23:17
gyee	dims, in which release of oslo.conf we move away from namespaces? oslo.config to oslo_config	23:17
*** mylu has joined #openstack-keystone		23:17
*** lhinds has quit IRC		23:21
openstackgerrit	Vivek Dhayaal proposed openstack/keystone: Stable Keystone Driver Interfaces https://review.openstack.org/209524	23:24
vivekd	gyee: i've pushed a new patchset addressing ur review comments. pls review...	23:25
*** piyanai has quit IRC		23:26
*** mylu has quit IRC		23:26
*** piyanai has joined #openstack-keystone		23:27
*** mylu has joined #openstack-keystone		23:27
*** narengan has quit IRC		23:27
*** narengan has joined #openstack-keystone		23:27
*** chlong has quit IRC		23:28
openstackgerrit	Vivek Dhayaal proposed openstack/keystone: Stable Keystone Driver Interfaces https://review.openstack.org/209524	23:28
*** geoffarnold has joined #openstack-keystone		23:29
*** narengan has quit IRC		23:32
*** flwang1 has quit IRC		23:32
*** dims_ has joined #openstack-keystone		23:33
*** geoffarnold has quit IRC		23:34
*** geoffarnold has joined #openstack-keystone		23:34
*** dims has quit IRC		23:36
*** shoutm has joined #openstack-keystone		23:37
dims_	gyee: 1.0.0 i think	23:37
*** dims_ has quit IRC		23:39
*** dims has joined #openstack-keystone		23:39
*** mpmsimo1 has quit IRC		23:40
*** dave-mccowan has joined #openstack-keystone		23:40
*** piyanai has quit IRC		23:42
*** dims has quit IRC		23:44
*** vivekd has quit IRC		23:45
*** ankita_wagh has quit IRC		23:46
*** ankita_wagh has joined #openstack-keystone		23:46
*** ankita_w_ has joined #openstack-keystone		23:47
*** ankita_wagh has quit IRC		23:47
lbragstad	jamielennox: yes sir	23:47
lbragstad	jamielennox: I was just trying to match the existing websso stuff	23:47
lbragstad	jamielennox: I was actually just about to start respinning the spec, so that we could get the merged	23:48
jamielennox	lbragstad: so i'm actually in the middle of a conversation with ayoung about maybe we need to move it to where you suggest	23:50
*** mylu has quit IRC		23:50
jamielennox	who is apparently not in channel	23:50
*** ayoung has joined #openstack-keystone		23:51
*** ChanServ sets mode: +v ayoung		23:51
jamielennox	lbragstad: so i'm configuring federation and kerberos at the moment and my apache config looks like http://fpaste.org/256971/14400280/	23:51
*** ankita_w_ has quit IRC		23:51
ayoung	lbragstad, we just found a little glitch in the matrix related to that, too	23:51
jamielennox	lbragstad: and it really bugs me that i need to define two <locations> for kerberos	23:52
jamielennox	with exactly the same configuration but one for CLI and one for websso	23:52
ayoung	lbragstad, it turns out that the URL you use to get a token should not be the same as the URL you use to admin the IdP and mapping	23:52
*** piyanai has joined #openstack-keystone		23:52
*** lhcheng has joined #openstack-keystone		23:52
*** ChanServ sets mode: +v lhcheng		23:52
ayoung	jamielennox, for CLI could we do /auth/OS-FEDERATION/websso/identity_providers/{idp_id}/protocols/{protocol_id} and then websso is /auth/OS-FEDERATION/websso/identity_providers/{idp_id}/protocols/{protocol_id}/websso	23:52
ayoung	?	23:52
jamielennox	lbragstad: but the process of creating a idp/protocol does a PUT /v3/OS-FEDERATION/identity_providers/sssd/protocols/kerberos which triggers my apache module	23:53
ayoung	the difference is if we need to do the redirect afterwards	23:53
*** mylu_ has joined #openstack-keystone		23:53
jamielennox	so i can't configure apache before i configure keystone or it all goes to hell	23:53
*** geoffarn_ has joined #openstack-keystone		23:53
ayoung	jamielennox, also...why did the SAML one not break the same way as the kerberos one? Did you not finish configuring Apache yet?	23:54
*** geoffarnold has quit IRC		23:54
jamielennox	ayoung: i don't configure saml with CLI in that case	23:54
jamielennox	just websso	23:54
ayoung	ah.	23:54
lbragstad	so, is the current path I have in that patch good or bad?	23:54
ayoung	jamielennox, for now, can we move the apache stuff after the mapping upload?	23:54
lbragstad	i believe it's currently under /websso/identity_providers/	23:54
ayoung	lbragstad, its mediocre	23:54
lbragstad	ha perfect	23:55
jamielennox	lbragstad: ideally it's better, we should do /auth/... for actually getting tokens and /v3 for doing CRUD	23:55
ayoung	lbragstad, so, when we get an unscoped token, we should go to a URL under /aut	23:55
jamielennox	however we currently do CLI auth via /v3/OS-...	23:55
ayoung	under /auth	23:55
ayoung	jamielennox, actually...this would tie in with morgan_2549 's desire to split auth out from the rest of the v3 api	23:56
jamielennox	it is becoming obvious ayoung and i just had this converstion, i'll let him finish	23:56
ayoung	what if we drop /v3	23:56
jamielennox	ayoung: i was thinking the same thing	23:56
lbragstad	jamielennox: I believe morgan_2549 has a spec (currently in the backlog) for making the auth api non-version specific	23:56
*** edmondsw has quit IRC		23:56
lbragstad	ayoung: ^	23:56
jamielennox	lbragstad: anyway, i'm not sure if we put the /websso route in the proper location and look to move CLI federated auth in future, or we be consistent with the current	23:57
jamielennox	but the current is obviously broken for any sort of automated deployment	23:57
*** flwang1 has joined #openstack-keystone		23:57
ayoung	lbragstad, but websso and CLI access should both be under the same URL. So if I'm doing kerberso, putting websso under /v3/auth/OS-FEDERATION but putting CLI under /v3/OS-FEDEARTION doesn't allow us to match them correctly	23:57
ayoung	lbragstad, loooking	23:57
lbragstad	http://specs.openstack.org/openstack/keystone-specs/specs/backlog/decouple-auth-from-api-version.html	23:57
jamielennox	lbragstad: yea, i've heard about this one a few times, it's a good idea	23:58
lbragstad	yeah, maybe next cycle we can find some bandwidth to do it	23:59
ayoung	lbragstad, lets do it now	23:59
lbragstad	let's do it live!	23:59
*** jasonsb has joined #openstack-keystone		23:59
ayoung	we can leave the existing stuff, but make your change under /auth without V3	23:59
lbragstad	I think that if we do that, we should have the rest of the auth API be there, too	23:59

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!