Wednesday, 2015-11-25

*** tellesnobrega_af is now known as tellesnobrega00:02
*** EinstCrazy has quit IRC00:04
openstackgerritSteve Martinelli proposed openstack/keystone: WIP: Remove eventlet support
stevemarnotmorgan: in case you are interested ;),n,z00:09
kfox1111lbragstad: so dropping out the .xxx subsecond stuff should be a fine workaround then.00:11
*** gildub has joined #openstack-keystone00:16
*** markvoelker has quit IRC00:26
openstackgerritDavid Stanek proposed openstack/python-keystoneclient: Removes py26 support
*** dims has joined #openstack-keystone00:30
*** dims_ has quit IRC00:31
*** aginwala has quit IRC00:32
*** aginwala has joined #openstack-keystone00:36
*** mylu_ has quit IRC00:37
*** miyagishi_t has joined #openstack-keystone00:38
*** mylu has joined #openstack-keystone00:39
*** shaleh|away has quit IRC00:42
*** lhcheng_ has quit IRC00:42
*** lhcheng has joined #openstack-keystone00:42
*** ChanServ sets mode: +v lhcheng00:42
*** jerrygb has quit IRC00:45
*** lhcheng has quit IRC00:46
*** jerrygb has joined #openstack-keystone00:46
*** tellesnobrega is now known as tellesnobrega_af00:49
*** jerrygb has quit IRC00:50
*** bknudson has quit IRC00:56
*** bknudson has joined #openstack-keystone00:58
*** ChanServ sets mode: +v bknudson00:58
*** EinstCrazy has joined #openstack-keystone01:05
*** doug-fish has joined #openstack-keystone01:07
*** doug-fish has quit IRC01:12
*** swebb has quit IRC01:14
*** josecastroleon has joined #openstack-keystone01:17
lbragstadkfox1111 the only issue with that and fernet tokens is if you get a token, revoke it and get a new token *all* within the same second. If you do that, the newest token will still be considered invalid by keystone because the revocation event's 'issued_before' time is the same as the token creation time (both are truncated to .000000Z in some cases because SQL does truncation on datetime objects depending on the01:17
lbragstad version you're working with).01:17
lbragstadin that case, keystone will err on the side of security and return a 404 i believe01:18
lbragstadgetting a new token within the realm of the *next* second mitigates the problem01:18
lbragstadtechnically, that problem should be a lot harder to recreate once we have subsecond precision in keystone's backend (involves removing datetime sql formats from the keystone schema) and getting the fernet spec to have sub-second precision01:19
lbragstadkfox1111 we're actively working towards both of those goals [0] [1]01:20
kfox1111its taking like 30min to rebuild ceph, but I should have a patched version in a few minutes I hope. if that works, I'll try that first. if not, then I'll try and patch keystone.01:20
*** aginwala has quit IRC01:21
openstackgerritSean Perry proposed openstack/keystone: Use subprocess.check_output instead of Popen
kfox1111lbragstad: cool. thanks. I'll have a look.01:21
*** aginwala has joined #openstack-keystone01:21
lbragstadkfox1111 no problem, more details here if you care to read -
kfox1111ah. right.01:24
kfox1111I remember that conversation at the summit.01:24
kfox1111there we go.01:26
kfox1111yeah, between the 'WSGIChunkedRequest On' and the patched radosgw, its working now.01:26
*** markvoelker has joined #openstack-keystone01:27
*** darrenc is now known as darrenc_afk01:27
*** markvoelker has quit IRC01:31
*** swebb has joined #openstack-keystone01:33
openstackgerritSean Perry proposed openstack/keystone: Cleanup region refs
openstackgerritSean Perry proposed openstack/keystone: Use subprocess.check_output instead of Popen
openstackgerritSean Perry proposed openstack/keystone: Cleanup region refs
*** josecastroleon has quit IRC01:46
*** mylu has quit IRC01:47
*** gildub has quit IRC01:49
*** btully has quit IRC01:52
*** csoukup has joined #openstack-keystone01:53
*** mylu has joined #openstack-keystone01:53
*** aginwala has quit IRC01:53
*** aginwala has joined #openstack-keystone01:58
*** jerrygb has joined #openstack-keystone01:59
*** aginwala_ has joined #openstack-keystone02:02
*** aginwala_ has quit IRC02:03
*** aginwala_ has joined #openstack-keystone02:03
*** darrenc_afk is now known as darrenc02:05
*** aginwala has quit IRC02:05
*** jbell8 has joined #openstack-keystone02:12
*** jbell8 has quit IRC02:14
openstackgerritDiane Fleming proposed openstack/keystone-specs: missing new attribute about Token
*** markvoelker has joined #openstack-keystone02:28
*** jerrygb has quit IRC02:32
*** markvoelker has quit IRC02:33
*** jerrygb has joined #openstack-keystone02:33
*** jerrygb has quit IRC02:37
jamielennoxlbragstad: how do i use openstack-ansible to make custom scenarios02:37
*** dims has quit IRC02:39
openstackgerritSteve Martinelli proposed openstack/keystone: Add release notes for removed-as-of-mitaka
*** jerrygb has joined #openstack-keystone02:40
openstackgerritSteve Martinelli proposed openstack/keystone: Remove `extras` from token data
openstackgerritSteve Martinelli proposed openstack/keystone: Remove LDAP Resource and LDAP Assignment backends
lbragstadjamielennox custom scenarios?02:44
lbragstadjamielennox custom deployments?02:44
lbragstadjamielennox there are a lot of keystone knobs available for tuning/tampering here -
stevemari just realized we didn't deprecate the role backend for ldap:
stevemarwe deprecated the assignment and resource backends02:54
stevemarthat sucks02:54
*** spandhe has quit IRC02:54
jamielennoxlbragstad: i guess i'm looking for a way to write my own playbook, i want to just deploy keystone and tweak a bunch of knobs02:54
jamielennoxbut i don't necessarily want to write them in openstack-ansible directory or anything02:55
jamielennoxideally i want to write a yml file with a deployment scenario and then pretty much at execution time tell it the hosts file to use02:55
*** aginwala_ has quit IRC02:55
jamielennoxi've done this before by a script that essentially runs ansible-playbook -i "user@host," playbook.yml02:56
lbragstadjamielennox hmmm, like keystone knobs or apache knobs?02:57
lbragstador both02:57
lbragstadyou could fork and play with
jamielennoxlbragstad: i'm trying to figure out if i can use openstack-ansible as i'm half way through rewriting my own ansible scripts and want to not waste the time02:58
lbragstadjamielennox keystone-deploy sets up keystone from source02:58
lbragstadand a more "development environment" fashion02:58
lbragstadit doesn't install from wheels, like OSA does02:58
*** aginwala has joined #openstack-keystone02:59
jamielennoxlbragstad: that's almost the same as what i'm writing02:59
lbragstadjamielennox it's what I used to create the federation playbacks that I used =
lbragstadit's also what I used to deploy a 34 node globally distributed keystone/galera cluster ;)
jamielennoxlbragstad: yea, so i have a very similar ansible environment03:01
lbragstadjamielennox nice03:01
jamielennoxwhat i don't see with ansible is a nice way to share this stuff03:02
*** jmccrory has quit IRC03:02
jamielennoxeveryone has a very specific environment that works for them03:02
lbragstadjamielennox yeah... dolphm and i went back and forth trying to consolidate stuff and share it03:02
jamielennoxi was looking to see if i could just import the os_keystone role and customize it as required03:02
notmorganjamielennox: ping (re ksa things when you're done with this chat)03:02
lbragstadjamielennox we wanted to leverage the keystone-deploy project to have common stuff that just does simple keystone stuff and then configure keystone a bunch of different ways to test against.03:03
jamielennoxlbragstad: right, so i've currently got a base keystone role and i was going to add like a federation role, and a shib role etc03:03
lbragstadjamielennox i'm not 100% sure if you can suck in the os_keystone role and override... maybe?03:03
jamielennoxbut because they're all editing the same conf files it's becoming super messy03:03
lbragstadactually... you might be able to so, but you'd have to have the osa repo as a module within your project03:04
jamielennoxthe other option seems to be just stick everything in the same role and have a whole bunch of options03:04
lbragstadjamielennox yeah, it's hard to be DRY with ansible when you're doing complex things like federation03:04
*** jmccrory has joined #openstack-keystone03:04
jamielennoxthe openstack-ansible stuff has lots of cool federation stuff i would like to reuse, but it seems like you need to install it globally03:05
jamielennoxlike it's looking for handlers and things in /etc03:05
jamielennoxwhich probably makes sense for production deploys, but isn't useful for me03:05
jamielennoxbut again, no way i can see to share this03:06
lbragstadjamielennox I would maybe try and run it by the osa guys?03:06
lbragstadcloudnull are you around? ^^03:06
jamielennoxi find ansible makes the initial stuff easy, but the more i play with it it's missing some development tools03:07
*** breitz has quit IRC03:09
*** breitz has joined #openstack-keystone03:09
jamielennoxlbragstad: ok, i think i'm going to have to finish writing my own. i'll try cloudnull and others later but it's not their priority03:10
jamielennoxi'll just lump everything into the same keystone role03:10
lbragstadjamielennox sounds good, let me know what you come up with03:13
jamielennoxnotmorgan: whats up with you?03:14
*** RA has joined #openstack-keystone03:14
*** RA is now known as Guest3076203:14
*** Guest30762 is now known as RA_03:16
*** jerrygb has quit IRC03:16
*** jerrygb has joined #openstack-keystone03:16
*** jerrygb has quit IRC03:21
*** markvoelker has joined #openstack-keystone03:29
stevemarnotmorgan: the fact that the ldap role backend hasn't been deprecated makes me sad03:29
notmorganjamielennox: just wanted to see what your response to mordred's comment on the KSA thing03:30
*** darrenc is now known as darrenc_afk03:33
*** markvoelker has quit IRC03:34
*** markvoelker has joined #openstack-keystone03:35
*** harshs has quit IRC03:36
*** richm has quit IRC03:38
*** boris-42 has quit IRC03:38
*** john5223 is now known as zz_john522303:41
*** aginwala has quit IRC03:41
*** LZ has joined #openstack-keystone03:45
*** darrenc_afk is now known as darrenc03:59
*** gildub has joined #openstack-keystone04:05
*** zz_john5223 is now known as john522304:20
*** chenli has joined #openstack-keystone04:26
chenlihello, I just installed a devstack, and I want to check the "tenants" created by devstack. I noticed that keystone client is not being used anymore. But when I run "openstack project list", I get " The resource could not be found. (HTTP 404)"04:29
chenlianyone can help me here ?04:30
*** diazjf has joined #openstack-keystone04:30
stevemarchenli: use `openstack project list --debug` and copy your output here:
*** diazjf1 has joined #openstack-keystone04:32
chenliI'm using user " source ~/devstack/accrc/demo/admin"04:32
stevemarchenli: try adding /v2.0 to OS_AUTH_URL04:34
stevemar`export OS_AUTH_URL=
*** diazjf has quit IRC04:34
chenlistevemar:  error : Failed to parse:
stevemarchenli: add a slash before v2.0, that's a typo04:35
chenlistevemar: o~ it works!04:37
chenlistevemar: thanks !04:38
*** roxanaghe has quit IRC04:38
chenlistevemar:  is this a bug for devstack ?04:38
*** doug-fish has joined #openstack-keystone04:42
*** nkinder has joined #openstack-keystone04:44
*** zao has joined #openstack-keystone04:44
*** zao has left #openstack-keystone04:46
*** doug-fish has quit IRC04:46
stevemarchenli: maybe, i'm surprised it didn't work, it should auto-negotiate for either v2.0 or v305:05
*** aginwala has joined #openstack-keystone05:06
chenlistevemar: command "nova list" can work05:07
chenlistevemar: but not openstackclient05:07
stevemarchenli: there is decent support for VMs and servers in openstackclient, we are encouraging folks to try it out05:08
chenlistevemar:  ? sorry, can you elaborate a little more ?05:09
stevemarchenli: try `openstack server list`05:09
stevemaror `openstack server create`05:10
chenlistevemar: o~ it do not work if there is no v2.0 in OS_AUTH_URL05:11
*** btully has joined #openstack-keystone05:20
*** doug-fish has joined #openstack-keystone05:23
*** doug-fish has quit IRC05:27
openstackgerritSteve Martinelli proposed openstack/keystone: Remove LDAP Resource and LDAP Assignment backends
*** aginwala has quit IRC05:34
*** harshs has joined #openstack-keystone05:42
*** aginwala has joined #openstack-keystone05:46
openstackgerritSean Perry proposed openstack/keystone: Cleanup region refs
*** Nirupama has joined #openstack-keystone06:00
*** jaosorior has joined #openstack-keystone06:02
*** jasonsb has joined #openstack-keystone06:09
*** ajayaa has joined #openstack-keystone06:12
openstackgerritli,chen proposed openstack/python-keystoneclient: Add v2.0 check on auth_url
*** jaosorior has quit IRC06:17
*** jaosorior has joined #openstack-keystone06:18
*** rcernin has joined #openstack-keystone06:20
*** jaosorior has quit IRC06:28
*** lhcheng has joined #openstack-keystone06:31
*** ChanServ sets mode: +v lhcheng06:31
*** spandhe has joined #openstack-keystone06:35
openstackgerritSteve Martinelli proposed openstack/keystone: Remove LDAP Resource and LDAP Assignment backends
*** jasonsb has quit IRC06:35
*** jasonsb has joined #openstack-keystone06:37
*** josecastroleon has joined #openstack-keystone06:39
*** lhcheng has quit IRC06:46
*** aginwala has quit IRC06:56
*** gildub has quit IRC06:56
chenlistevemar: hi, I filed a bug for this:, and submit a change :
openstackLaunchpad bug 1519624 in python-keystoneclient "v2.0 is missing in OS_AUTH_URL " [Undecided,In progress] - Assigned to li,chen (chen-li)06:57
*** aginwala has joined #openstack-keystone06:59
*** mylu has quit IRC07:03
*** mylu has joined #openstack-keystone07:04
*** mylu has quit IRC07:08
*** jasonsb has quit IRC07:10
*** lhcheng has joined #openstack-keystone07:15
*** ChanServ sets mode: +v lhcheng07:15
*** spandhe has quit IRC07:18
*** harshs has quit IRC07:21
*** spandhe has joined #openstack-keystone07:22
*** doug-fish has joined #openstack-keystone07:30
*** harshs has joined #openstack-keystone07:33
*** dims has joined #openstack-keystone07:35
*** doug-fish has quit IRC07:35
*** jaosorior has joined #openstack-keystone07:36
*** aginwala has quit IRC07:36
*** toddnni has quit IRC07:38
*** dims_ has joined #openstack-keystone07:39
*** dims has quit IRC07:40
*** gildub has joined #openstack-keystone07:45
*** rcernin_ has joined #openstack-keystone07:47
*** henrynash has joined #openstack-keystone07:51
*** ChanServ sets mode: +v henrynash07:51
*** diazjf1 has quit IRC08:01
*** RA_ has quit IRC08:06
*** e0ne has joined #openstack-keystone08:07
*** e0ne has quit IRC08:12
*** spandhe has quit IRC08:13
*** e0ne has joined #openstack-keystone08:16
*** e0ne has quit IRC08:28
*** e0ne has joined #openstack-keystone08:33
*** aginwala has joined #openstack-keystone08:37
*** fhubik has joined #openstack-keystone08:39
*** aginwala has quit IRC08:41
*** e0ne has quit IRC08:44
*** lhcheng has quit IRC08:52
openstackgerritMerged openstack/keystone: Correct docstring warnings
*** mkoderer_ is now known as mkoderer09:11
*** lhcheng has joined #openstack-keystone09:14
*** ChanServ sets mode: +v lhcheng09:14
openstackgerrithenry-nash proposed openstack/keystone-specs: Allow url-safe project and domain names to be optionally enforced
marekdopilotte: hey09:16
marekdyou here?09:16
*** lhcheng has quit IRC09:19
odyssey4mejamielennox I'm sure that we can help you get what you want done. Ping me when you're back online. cc lbragstad cloudnull09:27
jamielennoxodyssey4me: hey, i was just giving up :)09:28
odyssey4mejamielennox ah, can you describe what you're hoping to achieve?09:28
jamielennoxi was copying the bits i need out09:28
jamielennoxodyssey4me: i can - are you going to be around in an hour or so?09:28
odyssey4mejamielennox yep, for sure09:29
jamielennoxgreat, i'll chat with you then09:29
*** dims_ has quit IRC09:34
*** jistr has joined #openstack-keystone09:35
*** chenli has quit IRC09:37
*** fhubik is now known as fhubik_brb09:40
*** fhubik_brb is now known as fhubik09:41
*** fhubik is now known as fhubik_brb09:51
*** bapalm has quit IRC09:53
*** sshen_ has joined #openstack-keystone09:54
*** sshen has quit IRC09:55
*** bapalm has joined #openstack-keystone09:55
*** e0ne has joined #openstack-keystone10:01
*** mhickey has joined #openstack-keystone10:02
*** miyagishi_t has quit IRC10:02
*** rcernin_ has quit IRC10:06
*** RA_ has joined #openstack-keystone10:07
*** fhubik_brb is now known as fhubik10:13
*** EinstCrazy has quit IRC10:13
*** harshs has quit IRC10:18
*** RA_ has quit IRC10:34
*** RA_ has joined #openstack-keystone10:47
*** LZ has quit IRC10:49
*** RA_ has quit IRC11:00
marekdsamueldmq: hey, so you claim endpoint filtering will not work with service providers as per your comment on line 62?11:06
marekdsee, we needed you yesterday but you went away :/11:06
samueldmqmarekd: oh sorry, after the meeting :(11:09
samueldmqmarekd: I didn't see any ping11:09
samueldmqmarekd: so, was that comment clear, any agreement, disagreement you'd like to discuss ?11:10
marekdand my question11:10
marekdsamueldmq: there was no ping as i couldnt locate your nickname on openstack-meeting :-)11:10
samueldmqmarekd: interesting, I was there o/11:11
samueldmqmarekd: anyways ... you refer to the comment in L62?11:11
*** NM has joined #openstack-keystone11:14
samueldmqmarekd: if so, yes, we will need new APIs to assign the endpoints (or groups of them) to SPs or whatever else we want11:14
*** RA_ has joined #openstack-keystone11:15
marekdsamueldmq: but extending endpoint filtering or completely separate from them ?11:20
marekdsamueldmq: ping11:25
*** fhubik is now known as fhubik_brb11:26
*** tellesnobrega_af is now known as tellesnobrega11:28
*** wuhg has quit IRC11:31
samueldmqsamueldmq: I think extending endpoint filtering11:31
samueldmqmarekd: oh that was for you, not to myself11:31
marekdsamueldmq: i will need to dive into the code11:32
samueldmqmarekd: it's still endpoint filtering (it still filters endpoints and create groups)11:32
marekdwhat would be the workflow for that?11:32
samueldmqmarekd: but assign to a different entity11:32
marekdsamueldmq: can you walk me through?11:32
samueldmqmarekd: sure, let me get the code11:32
notmorganhmm.. it is morning isn't it?11:33
samueldmqnotmorgan: here it is :)11:33
notmorgansamueldmq: it is also morning here11:34
samueldmqnotmorgan: in lovely Portland ?11:34
marekdnotmorgan: so as usual, the answer is 'depends'11:34
notmorgansamueldmq: NYC11:34
notmorganhey can either of you get to ?11:34
* samueldmq forgets notmorgan travels a lot11:34
notmorgansamueldmq: holiday travel11:34
marekdnotmorgan: i cannot get through11:35
samueldmqnotmorgan: great, enjoy11:35
notmorganmarekd: ok cool, just making sure it wasn't just me11:35
samueldmqnotmorgan: me neither, loading infinitely11:35
marekdnotmorgan: yes, europe is cut off too.11:35
marekdsamueldmq: anyway, can we get back to it in ~1h ?11:36
marekdi need to eat something.11:36
marekdhardy had a breakfast today11:36
samueldmqmarekd: sure, go11:36
samueldmqmarekd: bon apetit11:37
samueldmqappetit* (my French is bad now) :/11:37
*** jamielennox is now known as jamielennox|away11:42
*** EinstCrazy has joined #openstack-keystone11:47
*** EinstCrazy has quit IRC11:49
*** EinstCrazy has joined #openstack-keystone11:50
*** NM has quit IRC11:58
*** jamielennox|away is now known as jamielennox12:01
*** jmccrory has quit IRC12:12
*** fhubik_brb is now known as fhubik12:19
*** Nirupama has quit IRC12:19
*** jmccrory has joined #openstack-keystone12:20
*** NM has joined #openstack-keystone12:20
marekdsamueldmq: ok, i am here.12:21
marekdsamueldmq: teach me, master :-)12:21
samueldmqmarekd: nah, let me see what I can do :)12:23
*** raildo-afk is now known as raildo12:23
samueldmqmarekd: so, the entity in question may be an endpoint (single) or a group of them12:23
samueldmqmarekd: which is assigned to something (project for now, but we want to add SP and domain)12:24
marekdsamueldmq: not really12:24
marekdsamueldmq: SP would be a endpoint replacement.12:24
marekdso for each project i would filter available SPs12:25
marekdjust like we do with endpoints today12:25
marekdmakes sense?12:25
samueldmqmarekd: so I propose a completely new API12:26
samueldmqmarekd: inside federation: sp_filter12:26
samueldmqmarekd: because that's endpoint_filter, and now it has nothing to do with endpoint anymore12:26
marekdsamueldmq: stevemar and the rest voted for extending the existing endpoint filtering API12:27
samueldmqmarekd: because you said "SP would be a endpoint replacement"12:27
marekdwell, we would specify sp_id instead of endpoint id.12:27
samueldmqmarekd: just a moment, let me recap the spec12:27
marekdsamueldmq: sure12:27
marekdwhere is the docs for endpoint filtering api  ?12:28
samueldmqmarekd: so it actually is a SP (or a group of it) that is returned for a project or domain12:29
marekdsamueldmq: yes12:29
marekdand i don't want to limit them all12:29
marekdi don't want to always list them all.12:30
samueldmqmarekd: so that has nothing to do with endpoints and the actual catalog12:30
samueldmqmarekd: for me, endpoint_filter has similar behavior, but for endpoints12:30
marekdok, i am trying to extend today's api, as agreed and recommended on the meeting yesterday12:31
samueldmqmarekd: so it should be a separate API (perhaps re-using the same logic internally would be possible)12:31
marekdi am asking if you see any constraints that will make it impossible.12:31
samueldmqmarekd: nothing is impossible :p12:32
marekdyes, but in openstack it may take infinity12:32
samueldmqmarekd: if you re-use, perhaps we will need to identify when a filter is actually trying to filter SPs, and apply that using the federation manager?12:32
samueldmqmarekd: let me find a pointer to it12:32
samueldmqmarekd:  L410 it starts iterating over the list of endpoints , and will look for those whose satisfy the filters12:34
samueldmqmarekd: however I am still not convinced we should do that inside endpoint_filter (cc stevemar)12:35
samueldmqI will look again at yesterday's irc log12:35
marekdok, let me add alternative12:35
marekdsamueldmq: thanks.12:35
*** NM has quit IRC12:35
samueldmqmarekd: np12:35
*** RA_ has quit IRC12:36
openstackgerrithenry-nash proposed openstack/keystone-specs: Domain Specific Roles
*** gordc has joined #openstack-keystone12:41
*** dims has joined #openstack-keystone12:42
samueldmqhenrynash: hi12:46
samueldmqhenrynash: about 'domain specific roles' spec12:47
*** jerrygb has joined #openstack-keystone12:48
*** e0ne_ has joined #openstack-keystone12:48
*** boris-42 has joined #openstack-keystone12:49
*** e0ne has quit IRC12:51
*** gildub has quit IRC12:54
henrynashsamuedlmq: hi12:55
openstackgerritOpenStack Proposal Bot proposed openstack/keystoneauth: Updated from global requirements
samueldmqhenrynash: hi, L102-105
samueldmqhenrynash: just to confirm, because I got a bit confused with the reference to role-groups there12:57
openstackgerritKonstantin Maximov proposed openstack/keystone: Add test for domains list filtering and limiting
samueldmqhenrynash: isn't defining implied roles like defining role-groupS ?12:57
henrynashI thought I’d squashed all references to role-groups!12:57
samueldmqhenrynash: :)12:57
henrynashsorry, I’ll replace with domain specific roles!12:58
samueldmqhenrynash: make sure that paragraph still makes sense when replacing role-groups -> domain specific roles12:59
henrynashyeah, I think i’ll shorten it12:59
samueldmqhenrynash: ++12:59
openstackgerrithenry-nash proposed openstack/keystone-specs: Domain Specific Roles
*** chlong has joined #openstack-keystone13:03
samueldmqhenrynash: +1'ed again, thanks! looks great now13:03
henrynashsamueldmq: thx13:05
*** david-lyle has quit IRC13:09
*** zqfan_AFK has joined #openstack-keystone13:09
marekdsamueldmq: so endpoint group is simply a filter with multiple attributes to filter13:10
samueldmqmarekd: on endpoints13:12
marekdyes yes13:12
marekdok, i also see we need to build it on top of OS-EP-FILTER but with new routes, so kind of new api13:12
marekdsimply not completely new.13:13
*** jerrygb has quit IRC13:13
marekdsamueldmq: i am re-specing it.13:13
marekdsamueldmq: one more q.13:14
samueldmqmarekd: okay, I will look again once you submit13:14
samueldmqmarekd: sure13:14
marekdso when i specify endpoint and associate it with a project it will then show as available in the service catalog. so endpoint filtering filters in (as opposed to filters out) endpoints, right?13:14
samueldmqmarekd: ++13:15
marekdsamueldmq: cool13:15
*** topol has joined #openstack-keystone13:23
*** ChanServ sets mode: +v topol13:23
*** ayoung has joined #openstack-keystone13:28
*** ChanServ sets mode: +v ayoung13:28
*** jerrygb has joined #openstack-keystone13:34
*** jerrygb has quit IRC13:39
openstackgerritMorgan Fainberg proposed openstack/keystonemiddleware: Add a mock-fixture for keystonemiddleware auth_protocol
notmorganbknudson: ^ first pass (start) of the KSM mock fixture13:51
notmorganneeds a little more work but13:51
notmorganit's a start13:51
openstackgerritMorgan Fainberg proposed openstack/keystonemiddleware: Add a mock-fixture for keystonemiddleware auth_protocol
openstackgerritMorgan Fainberg proposed openstack/keystonemiddleware: Add a mock-fixture for keystonemiddleware auth_protocol
*** ajayaa has quit IRC13:59
*** openstackgerrit has quit IRC14:06
notmorganhm. i wish we had a nice factory for creating dummy/test tokens14:07
*** openstackgerrit has joined #openstack-keystone14:07
notmorganthat i could use.14:07
*** jerrygb has joined #openstack-keystone14:13
*** jaosorior has quit IRC14:17
*** rcernin has quit IRC14:19
*** nkinder has quit IRC14:20
openstackgerritRaildo Mascena de Sousa Filho proposed openstack/python-keystoneclient: Add include_subtree to role_list_assignments call
*** mylu has joined #openstack-keystone14:26
*** urulama has quit IRC14:29
*** urulama has joined #openstack-keystone14:30
opilottedstanek, dolphm, marekd:
*** mylu has quit IRC14:31
marekdopilotte: i pinged you earlier.14:31
marekdnot reading backlog?14:31
opilottewhat backlog?14:32
*** pauloewerton has joined #openstack-keystone14:36
marekd"old logs"14:36
*** mylu has joined #openstack-keystone14:37
*** tellesnobrega is now known as tellesnobrega_af14:38
opilottewell, I can see you asked me: you here?14:38
opilotteso to answer your question, yes, I am14:38
opilottehow are you?14:39
marekdopilotte: so cool! so i have a question : do you happen to expect that those group ids will be in group_ids parameter in the assertion?14:39
opilottemarekd: can you give me more details? which assertion are you referring to?14:40
marekdsaml assertion14:41
marekd line 106214:41
marekddo you expect this value will be issued by an IdP ?14:42
openstackgerritMorgan Fainberg proposed openstack/keystonemiddleware: Add a mock-fixture for keystonemiddleware auth_protocol
marekdopilotte: oups.14:43
marekdopilotte: let's say that my groups are issued in ADFS_GROUP_IDS14:43
marekdand it's org's policy14:44
marekdyour patch will be useless then, right?14:44
marekdbecause it will expect group_ids14:44
*** tellesnobrega_af is now known as tellesnobrega14:44
opilottewell, same thing with any kind of application interface, you have to pass specific arguments if you want the thing to work... right?14:46
marekdopilotte: are you talking now about putting specific arguments to idp or keystone?14:47
dstanekopilotte: that's on the list, but there's a lot on the list14:48
opilottethe mapping does the job of translating the remote attributes to the local attributes14:49
opilottemarekd: are you talking about the remote part?14:49
marekdopilotte: yes, but you just confirmed that group_ids are hardcoded14:49
marekdin the mapping14:49
opilottelocal rules are, remote are not14:49
opilottethat's the role of the mapping, right?14:50
opilottemap the remote attributes to the local ones14:50
openstackgerritMorgan Fainberg proposed openstack/keystonemiddleware: Add a mock-fixture for keystonemiddleware auth_protocol
opilottemarekd: sorry, I didn't understand your question correctly when I said you: yes14:51
marekdopilotte: group_ids in remote are not hardcoded14:51
marekdthey can be whatever14:51
marekdthis is what you meant14:52
opilottemarekd: correct14:52
marekdopilotte: ok14:52
marekdso that's fine.14:52
opilottemarekd: I wrote my own IdP, so I control what I send to keystone. But if you don't control the IdP, you can map the attribute differently14:53
marekdopilotte: yes, but you dont need to always want to map it differently, esp to hardcoded values. anyway, the tests were kind of misleading.14:54
marekdyou cleared it now.14:54
opilottemarekd: indeed, it's confusing14:54
marekdanyway, i voted on it (+2)14:55
opilottemarekd: thanks! I hope it gets merged this time, It's getting old...14:56
marekdlets hope14:56
marekdit's all in dstanek's hands now :P14:58
openstackgerritMorgan Fainberg proposed openstack/keystonemiddleware: Add a mock-fixture for keystonemiddleware auth_protocol
*** NM has joined #openstack-keystone14:58
openstackgerritMorgan Fainberg proposed openstack/keystonemiddleware: Add a mock-fixture for keystonemiddleware auth_protocol
*** pumaranikar has joined #openstack-keystone15:00
*** tellesnobrega is now known as tellesnobrega_af15:01
*** mylu has quit IRC15:09
*** e0ne_ has quit IRC15:09
*** nkinder has joined #openstack-keystone15:10
*** mylu has joined #openstack-keystone15:10
*** e0ne has joined #openstack-keystone15:11
*** slberger has joined #openstack-keystone15:13
*** mylu has quit IRC15:15
*** aix has quit IRC15:16
*** NM has quit IRC15:17
*** navid_ has joined #openstack-keystone15:19
*** tellesnobrega_af is now known as tellesnobrega15:21
openstackgerritAlexander Makarov proposed openstack/keystone: Materialized path mixin and field for hierarchical models
openstackgerritAlexander Makarov proposed openstack/keystone: Move region configuration to a critical section
*** devl_ has joined #openstack-keystone15:29
*** chlong has quit IRC15:31
*** harshs has joined #openstack-keystone15:32
*** fhubik is now known as fhubik_brb15:34
*** davechen has joined #openstack-keystone15:34
*** navid_ has quit IRC15:36
*** navid_ has joined #openstack-keystone15:36
*** navid__ has joined #openstack-keystone15:38
*** fhubik_brb is now known as fhubik15:38
*** navid__ has left #openstack-keystone15:38
*** fhubik is now known as fhubik_brb15:38
*** urulama has quit IRC15:40
*** urulama has joined #openstack-keystone15:40
*** thiagop has joined #openstack-keystone15:40
*** amakarov has quit IRC15:42
*** fhubik_brb is now known as fhubik15:44
*** ajayaa has joined #openstack-keystone15:45
openstackgerritLance Bragstad proposed openstack/keystone: Deprecate the pki and pkiz token providers.
notmorganlbragstad: oh really?15:48
notmorganlbragstad: wow.15:48
lbragstadnotmorgan is that not the plan?15:49
notmorganlbragstad: no idea15:49
lbragstadnotmorgan :)15:49
notmorganlbragstad: how many keystone meetings have i been to this cycle?15:49
notmorganlbragstad: oh thats right... 115:49
*** aix has joined #openstack-keystone15:49
lbragstadthis is true :)15:49
notmorganalso.. if you have a sec to look over that fluffy middleware review ^^ i'd appreciate it15:50
notmorgani think it's semi-sane15:50
lbragstadnotmorgan link?15:50
notmorganthis is in direct response to the silly ceilometer broke again cause they are mocking internal interfaces of ATM15:51
lbragstadnotmorgan ah, is there a bug open for that?15:51
notmorganno bug afaik15:51
lbragstadthe ceilometer thing?15:51
notmorganit was a stable backport that changed something15:51
notmorganand ceilometer was patching the memcache interface on KSM15:52
notmorganto "return" their tokens15:52
notmorganso it broke them15:52
*** NM has joined #openstack-keystone15:52
notmorganthe bug is "STOP PATCHING INTERNAL INTERFACES <other project>" :P15:52
stevemarnotmorgan: thanks for doing that15:52
stevemarbknudson will appreciate it15:52
notmorganstevemar: it needs tests.. and i haven't *tried* it15:52
notmorganbut ... it's a first stab at the problem15:53
openstackgerritSean Perry proposed openstack/keystone: Cleanup region refs
notmorganat least no syntax errors :P15:53
*** ajayaa has quit IRC15:57
*** boris-42 has quit IRC15:58
openstackgerritMarek Denis proposed openstack/keystone-specs: Expand endpoint filters to service providers
*** dims has quit IRC16:09
*** dims has joined #openstack-keystone16:11
*** harshs has quit IRC16:13
*** tellesnobrega is now known as tellesnobrega_af16:13
*** EinstCrazy has quit IRC16:14
*** navid___ has joined #openstack-keystone16:17
*** navid_ has quit IRC16:21
*** navid_ has joined #openstack-keystone16:22
*** urulama has quit IRC16:23
*** urulama has joined #openstack-keystone16:23
*** navid___ has quit IRC16:25
lbragstadstevemar around?16:28
*** devl_ has quit IRC16:29
*** navid__ has joined #openstack-keystone16:29
lbragstadstevemar do you have any specific wording you want to use to answer this?
*** navid_ has quit IRC16:30
kfox1111so, question... radosgw needs an admin token to verify other tokens with... can you make a restricted admin token if you're going multiregion and you want to not give some regions admin access?16:34
notmorgankfox1111: "restricted admin" ?16:35
*** shaleh has joined #openstack-keystone16:35
kfox1111something like an admin token, (something that doesn't expire)16:35
notmorganall tokens expire16:36
kfox1111the admin token doesn't... its hard coded.16:36
stevemarlbragstad: yo16:36
notmorgankfox1111: oh yeah that is a terrible thing that needs to go away16:36
notmorgankfox1111: running with admin_token in production is scaaaaary16:37
stevemarlbragstad: mention that there is a major security bug with PKI and an OSSA/OSSN will be provided16:37
shalehisn't there a spec or review that removes the admin token by default?16:37
kfox1111it seems like its the only way to support radosgw at present. :/16:37
stevemarlbragstad: "details will not be provided until the OSSA is sent out by the vulnerability management team"16:37
*** diazjf has joined #openstack-keystone16:38
notmorgankfox1111: the ceph folks really need to address that because if it is the only way, I'd tell people not to use radosgw16:38
notmorgankfox1111: as a very strong recommendation.16:38
notmorganmy only recommendation would be in that case to use swift if you need s3-like storage.16:39
*** diazjf1 has joined #openstack-keystone16:39
kfox1111swift's a lot of effort. if you're running ceph as backend anyway, you can share all your storage.16:40
kfox1111its much preferable. :/16:40
*** devl_ has joined #openstack-keystone16:40
shalehis there consensus on whether the public/private IdP spec is a good thing? The reviews on the spec mostly focus on the sloppy nature of the spec and not the actual meat of it really.16:41
notmorgankfox1111: sure. but i have to fall back to the fact that radosgw isn't really playing nice if it requires admin_token and/or only does v216:41
kfox1111right. :/16:41
kfox1111still, I can't afford to dedicate storage for two separate systems.16:42
*** diazjf has quit IRC16:42
notmorgankfox1111: now, you *could* still share your resources but front things with swift and rbd volumes behind swift16:42
*** devl_ has quit IRC16:42
kfox1111I'd probably personally have to fix ceph before I'd go to swift.16:42
kfox1111far scarier.16:42
*** devl_ has joined #openstack-keystone16:42
kfox1111really complicated. :/16:42
* notmorgan doesn't particularly like ceph outside of block-device use these days16:42
notmorganand even then... eh16:42
kfox1111what do you use?16:43
kfox1111the self healing16:43
notmorgani don't run a cloud atm :P16:43
kfox1111ness of it is invaluable.16:43
kfox1111ah. ok. ;)16:43
notmorganeh, i was running things that could handle "volume died, make new instance with new volume"16:43
notmorgani didn't need crazy volumes from cinder, just the more ephemeral storage16:43
*** devl_ has quit IRC16:44
notmorganand where more stability was needed, was based on SAN exports.16:44
kfox1111yeah, 9 out of 10 vm's I run don't need volumes. but that 10% really benefits.16:44
*** devl_ has joined #openstack-keystone16:44
kfox1111ceph seems cheaper compared to a san. but if you already had one, that makes sense.16:44
notmorganoperational costs are not low with ceph16:45
* notmorgan shrugs16:45
kfox1111depends on the site. ours seems very low.16:45
kfox1111most of our ceph's are fairly behind though. most of them are still  giant.16:46
*** devl_ has quit IRC16:46
kfox1111gota fix that one of these days.16:46
notmorgananyway, i would personally run swift over radosgw, that is my recommendation for now.16:47
kfox1111yeah, that's not going to happen. :/16:47
kfox1111so I gota fix radosgw.16:47
kfox1111ceph also should help with manilla once that stabilizes a bit.16:48
*** josecastroleon has quit IRC16:48
kfox1111sharing the same storage backend with the three different protocol types (block, file, object) should really help drive down costs. most of the proprietary vendors have done the exact same thing. but its always so expensive. :/16:49
kfox1111finally having a pure opensource solution to the problem is going to be awesome. :)16:50
*** josecastroleon has joined #openstack-keystone16:50
*** amakarov has joined #openstack-keystone16:50
*** roxanaghe has joined #openstack-keystone16:52
*** pumaranikar has quit IRC16:54
*** pumaranikar has joined #openstack-keystone16:54
*** jistr has quit IRC17:02
*** markvoelker has quit IRC17:03
*** diazjf1 has quit IRC17:05
kfox1111notmorgan: looks interesting on the radosgw front.17:08
*** spandhe has joined #openstack-keystone17:08
*** spandhe has quit IRC17:08
*** fhubik has quit IRC17:08
*** e0ne has quit IRC17:09
*** tellesnobrega_af is now known as tellesnobrega17:11
*** urulama has quit IRC17:12
*** davechen1 has joined #openstack-keystone17:12
*** urulama has joined #openstack-keystone17:12
*** davechen has quit IRC17:12
*** EinstCrazy has joined #openstack-keystone17:14
kfox1111notmorgan: it looks like it adds full v3 support with pki and user/password and everything.17:15
*** ajayaa has joined #openstack-keystone17:15
kfox1111it would be cool if someone on the keystone team would review it.17:15
*** ohno13 has joined #openstack-keystone17:22
*** jerrygb has quit IRC17:27
*** jerrygb has joined #openstack-keystone17:28
*** jerrygb has quit IRC17:28
*** jerrygb has joined #openstack-keystone17:28
*** EinstCrazy has quit IRC17:29
shalehisnt that deprecated heavily?17:29
*** david-lyle has joined #openstack-keystone17:30
*** mhickey has quit IRC17:33
dstanekanyone know why the ldap identity backend has generates_uuids() == False?17:33
dstanekhenrynash: ^17:33
ohno13Is there any configuration parameter that would prevent you from disabling the hash mapping of IDs when using LDAP as the backend for users?17:36
*** NM has quit IRC17:37
*** raildo is now known as raildo-afk17:38
notmorgandstanek: because it isn't a uuid17:39
*** tellesnobrega has left #openstack-keystone17:39
notmorgandstanek: it's a DN17:39
notmorgandstanek: it *may* use uuid behind the scenes in some cases.17:39
notmorganbut it's not a flat uuid. iirc17:39
*** raildo-afk is now known as raildo17:39
dstaneknotmorgan: but isn't the ID set from the user_id_attribute and friends?17:40
notmorganwell the attribute is17:40
notmorganbut it can also not be UUID17:40
notmorganit can be <string>17:40
dstanekwhat would be the side effect of it being a non-UUID string (assuming that string is URL safe)17:41
*** navid__ has quit IRC17:41
*** jasonsb has joined #openstack-keystone17:42
*** jerrygb has quit IRC17:43
*** spandhe has joined #openstack-keystone17:43
*** davechen1 has quit IRC17:44
notmorgandstanek: it wasn't generated?17:44
notmorganremember ldap identity also was/is r/o not just r/w mode17:44
dstaneknotmorgan: no, in this case i want to take it from LDAP directly17:44
notmorgandstanek: i am... i'm not sure what you're driving at17:47
*** mylu has joined #openstack-keystone17:47
*** mylu has quit IRC17:48
*** tyagiprince has joined #openstack-keystone17:58
*** david-lyle has quit IRC18:00
tyagiprinceHii.. I have configured my keystone to authenticate from the active directory.. I want to know if I can improve the authentication more by kerberizing keystone or theres some more better way?18:01
stevemartyagiprince: what do you mean improve?18:02
tyagiprincethe current situation is that I am sending my user credentials as clear text is on the network.. Also I am doing the assignment work in mysql.. which I think should be done more easily through GUI, not through CLI..18:06
openstackgerritTom Cocozzello proposed openstack/keystone: WIP List assignments with names
*** e0ne has joined #openstack-keystone18:07
henrynashdstanek: it’s to do with whether we need to create an intermediate mapping or not,18:09
notmorganhenrynash: ah that was it18:09
henrynashdstanek: rather than hard code whether to build an intermediate mapping or not based on driver name, we use that method to determine its capability18:10
dstanekhenrynash: right, but i'm interested to know why we need one for LDAP if the user_id_attribute is being set properly, for instance18:12
shalehis there consensus on whether the public/private IdP spec is a good thing? The reviews on the spec mostly focus on the sloppy nature of the spec and not the actual meat of it really.18:12
tyagiprincestevemar: If I use ldap driver for the assignment, I have to change the schema of my active directory..18:12
notmorganstevemar: do you know why bknudson has as WIP? i'd love to have that land.18:12
notmorgantyagiprince: don't use LDAP driver for assignment18:12
notmorgantyagiprince: that has been deprecated and will not live on too much longer18:13
henrynashdstanek: in multi-domain identity, we don't trust any given LDAP service to generate a unique (across all other domains) user ID18:13
tyagiprincenotmorgan: but then its too much difficult to manage them on mysql.. what more options do I have?18:13
dstanekhenrynash: ah, ok18:13
notmorgantyagiprince: so ldap assignment has been barely supported/functional for many releases. it never really received the work other backends got18:14
*** urulama has quit IRC18:14
*** slberger has left #openstack-keystone18:14
notmorgantyagiprince: so really the answer is MySQL. you already have to have it for nova, neutron, etc18:14
dstanekhenrynash: but if backward_compatible_ids is set to true then ldap running on the default domain would respect the user_id_attribute right?18:14
stevemarnotmorgan: marekd reported an issue with ADFS18:14
*** urulama has joined #openstack-keystone18:15
*** daemontool has joined #openstack-keystone18:15
*** diazjf has joined #openstack-keystone18:15
notmorganstevemar: doh!18:15
henrynashdstanek: absolutely correct18:15
notmorgantyagiprince: or you can write your own backend. but that is a BIG task18:15
notmorgantyagiprince: theoretically it also works on pgsql and/or db2 ... but that is not as well tested as mysql18:16
*** diazjf has quit IRC18:16
*** harshs has joined #openstack-keystone18:16
dstanekhenrynash: muchas gracias18:16
*** diazjf has joined #openstack-keystone18:16
henrynashdstanek: yw (in spanish)18:17
dstanekhenrynash: on another note. i got an email about renewing our domain so I'll put some of adam's drawings up there this weekend18:17
*** toddnni has joined #openstack-keystone18:17
henrynashdstanek: cool!18:17
henrynashdstanek: happy to pay this time if required!18:17
*** diazjf has quit IRC18:18
tyagiprincenotmorgan stevemar: Will the kerberos or freeipa help me head to better authentication and assignment task using mysql?18:19
tyagiprinceI read many articles by adam and jammie out on their blogs18:20
dstanekhenrynash: nah...i have lots of languishing domains so i get the volume discount :-)18:20
*** david-lyle has joined #openstack-keystone18:20
henrynashdstanek: !!!!!18:20
notmorgantyagiprince: federation might make it easier. however, i am not sure if krb5 is going to solve much more than general federation for you. I'd defer to ayoung or jamielennox to discuss your usecase more in depth18:21
ayoungtyagiprince, really depends on what you are trying to do18:22
* ayoung reads up18:22
ayoungtyagiprince, thing you can try is to enroll your Keystone server (maybe using RealmD) with AD and using Kerberos and SSSD Federation18:23
ayoungYou can do it Via FreeIPA and a Trust.  Current FreeIPA supports one way trusts with AD (or so I've been told, have not tested)18:24
notmorganahhh we have summoned the ayoung !18:24
ayoungand enroll your Keystone server with the FreeIPA server will probably be a little better isolation from the changes you might want to make18:24
*** daemontool has quit IRC18:24
notmorganayoung: seriously, i thought you'd be on break today18:24
ayoungnotmorgan, I have kids.  Work is my break.18:24
notmorganayoung: also have a good thanksgiving :)18:25
ayoungYou too18:25
notmorganayoung: will do. enjoying the NYC weather atm18:25
notmorganand actually hacking on code/cloud things18:25
samueldmqstevemar: finished reviewing (voted and/or commented on) all the specs listed in your gist18:34
samueldmqstevemar: except for #244694, which is marked as blocked by ayoung18:34
stevemarsamueldmq: beautiful18:34
ayoungtyagiprince, I am not a fan of passing passwords across the wire.  Kerberos or Client Certs are the only cryptographically secure means to do web authentication.  OTP is a better approach if you must do Password18:34
samueldmqstevemar: :)18:34
ayoungsamueldmq, you can still review18:35
ayoungsamueldmq, I have yet to get enough feedback to determine if people want it or not18:35
ayoungI'm kind of afraid of it18:35
* notmorgan abstains from all specs until after M1 *shiftyeyes*18:35
ayoungwhat was the stevemar link again?18:35
notmorganayoung: channel topic?18:36
notmorganayoung: np.18:36
openstackgerritLance Bragstad proposed openstack/keystone: Deprecate the pki and pkiz token providers.
openstackgerritLance Bragstad proposed openstack/keystone: Deprecate the pki and pkiz token providers.
ayoungnotmorgan, oh come on...push this one over the limit:
ayoungits got two core writing it, which makes it harder to get approval18:37
shalehayoung: enforcing that while not supporting escaping existing projects is a bad idea IMHO18:39
notmorganayoung: you have 2x cores +218:39
notmorgandid we change how specs are approved?18:39
notmorgani ... have missed almost every meeting :P18:40
ayoungnotmorgan, I am an author18:40
ayoungnot going to +A it18:40
ayoungshaleh, add that to the review.18:40
notmorgani actually think stevemar should tip it over.18:40
ayoungshaleh, including how you think the escaping should work18:40
notmorganbut i can circle back up on it if really needed18:41
ayoungnotmorgan, a comment along the lines of "Have not reviewed in depth but agree/disagree with direction" would be useful from you18:41
ayoungshaleh, so...I think I can get behind that18:41
ayoungyou are saying that if a domain name is x@y/z  we would allow it like OS_DOMAIN_NAME="x%1234t%9876"18:42
shalehayoung: blocking new projects while allowing existing makes sense. The operator did not name these, their users did. If the op has to arbitrarily rename or discard projects that would not be pretty.18:42
ayoungassuming the proper unicode18:42
notmorganayoung: ok commented.18:43
ayoungshaleh, there is the minuscule possibility of conflict with someone being a smartass if we do that18:43
openstackgerritAlexander Makarov proposed openstack/keystone: Materialized path mixin and field for hierarchical models
shalehayoung: true. But that is always an issue. The provided keystone-manage tool would identify the rare cases that happens.18:43
ayoungshaleh, I'd rather that the deconflicting be done manually.18:44
shalehayoung: agreed, I said identify18:45
ayoungshaleh, so what are you proposing?18:45
samueldmqayoung: stevemar: notmorgan: shaleh: so, as I was talking to marekd earlier today18:46
samueldmqsorry I missed this topic in yesterday's meeting, but I really think SP filtering should be a separate API under federation18:46
samueldmqdifferent from endpoint_filter API18:47
shalehsamueldmq: like the IdP filtering proposal, yes?18:47
*** devl_ has joined #openstack-keystone18:47
samueldmqendpoints are under catalog API; thus endpoint_filter lives there18:47
samueldmqSP are under federation; this sp_filter should live there18:47
shalehayoung: as we were discussing yesterday, a URL encoding like the %foo you show above18:47
samueldmqthat's how I see, we should try to re-use a small portion of code (assigning endpoints to projects) and make the API confusing18:48
shalehayoung: it would be NICE if python-keystoneclient handled the encoding18:48
samueldmqboth endpoints and SP will be in the token, but they're different things18:48
shalehsamueldmq: so the code to add the SP list would first attempt to filter it?18:48
shalehsamueldmq: what about the unscoped token case? There is no project yet18:49
samueldmqshaleh: yes the code to add SPs in the token would attempt to filter them, as we do for endpoints18:49
samueldmqshaleh: we could add an option to specify what to do; in endpoint case, we have: add_all_if_no_filter_specified18:50
samueldmqshaleh: (I don't recall the name exactly)18:50
ayoungDomain specific roles is ready to go18:50
ayoungshaleh, that is not a complete solution18:50
samueldmqayoung: nice18:50
samueldmqayoung: I agree18:50
shalehayoung: what am I missing?18:51
ayoungare you saying that if we enable strict, then all existing conflicting projects, instead of being disabled, are accessible via their escaped names?  And we only allow that?18:51
ayoungAnd we do not allow people  to write ones that are specifically escaped?18:51
ayoungor that we automatically port to the escaped version?18:51
samueldmqshaleh: right now I am not arguing about the functionality itself, but where we do put our code; I am arguing for clarity and not mixing things for the sake of re-using a very small portion of code (that can even be put in a common place)18:52
ayoungI think a utility to port is better, but it should be a deliberate choice18:52
ayoungshaleh, going strict is a deliberate choice. If you can't notify your users to update their project names, you can't go strict18:52
ayoungmaking migration possible or easier is a follow on, not part of the initial spec18:53
samueldmqshaleh: brb18:53
ayoungwaiting for it to be perfect means we are going to be stuck, and automatically deconflicting is a mistake18:53
ayoungso, I disagree on the escaping18:53
ayoungits an easy SQL query to write, and a one time cost18:54
ayoungactually, it is not an easy SQL query, but should be do-able with python+sql18:54
shalehayoung: but it breaks the end user. Not the op18:56
ayoungshaleh, enabling this is going to break a script that uses the name. Period. It will cause pain.  Life is Pain.18:57
ayoungAnyone who says differently is selling something18:57
shalehayoung: if we update keystoneclient with it then the only ones who will notice are the ones calling the APIs manually or via another programming language18:57
*** e0ne has quit IRC18:58
shalehayoung: a tool to identify names that cannot be used without encoding gets us quite a way there and is in the spec.18:59
shalehayoung: the question is what to do with ops that have a decent number of unusable names19:00
shalehayoung: we can a) provide a way to magically rename them b) provide as much tooling as possible to support them via escaping c) find another choice d) make the ops problems and walk away19:01
shalehI am not fond of D19:01
ayoungshaleh, we need to support names like  A/B/C  for the nesting case that this is building, so automatically escaping them will defeat the purpose19:02
shalehayoung: that is my opinion as well. I am open to another solution. I proposed escaping because it is the classic solution to this problem and it will be easy to understand as well19:02
ayoungshaleh, walk it through from start to finish.  With finish being "we are going to use the new URLS in the OS_DOMAIN_NAME type env vars for nested domains19:03
ayoungescaping, as I see it, gets in the way of that19:04
ayoungshaleh, I can see the argument that we want a separate option to say "strict for new"19:05
shalehayoung: hmm. I misunderstood. I did not expect the final project name to be "A/B/C". I expected it to be "C", parent "B", parent "C"19:05
ayoungthat gives you some time to migrate the existing19:05
shalehC -> B -> A19:05
ayoungshaleh, yeah, we are trying to get out of our own way here19:06
ayounghenrynash, what do you think of doing this in two steps:19:06
ayounghenrynash, first disable new projects from being non-url safe19:06
ayounghenrynash, second being that we then enforce url safety everywhere19:07
ayoungmaybe make the config option a tri-value19:07
shalehit would be nice if we had a way to query ops and find out how likely this is to be an issue19:08
ayoungshaleh, so then the expected approach would be:19:08
ayoung1. set to new19:08
shalehif we had a tool to query their projects and produce a statistic "X good, Y bad" that they could report19:08
ayoung2. identify problem projects and migrate19:09
ayoung3. set to strict19:09
*** henrynash has quit IRC19:09
* ayoung scared henry away19:09
openstackgerritMerged openstack/keystoneauth: Updated from global requirements
shalehayoung: that is the only way forward that makes sense to me19:10
ayoungshaleh, OK...I'll update the spec with the ternary19:10
ayoungshaleh, can you -1 it with that comment?19:10
ayoungso we have a record19:10
*** aix has quit IRC19:11
shalehayoung: sure19:11
shalehayoung: what do you think. If we published a tool to make a stat and report it could we get ops to run it in a reasonably quick manner?19:11
*** navid__ has joined #openstack-keystone19:12
*** davechen has joined #openstack-keystone19:12
*** navid__ has quit IRC19:15
*** navid_ has joined #openstack-keystone19:15
shalehayoung: the spec references the URI RFC, which says 'ALPHA'. That usually means A-Za-z, no extended ascii like umlauts or cedillas.19:15
shalehayoung: is that our intent?19:15
ayoungshaleh, I hate cedillas19:16
ayoungand umlauts scare me19:16
shalehayoung: sure, but we have to allow those goose stepping umlauts :-)19:16
ayoungshaleh, we can start off more strict, so long as we have valid URLs19:16
ayoungif people complain and give us wiggle room to make URLs still, we can be more forgiving19:17
ayoungI'd rather make sure we have something we can actually implement19:17
shalehayoung: "valid" is my concern. Technically we have to escape a fair amount of foreign chars in URLs today19:17
shalehand those chars are very likely to be used on project names19:17
ayounghttp://לברוח זה.com19:18
shalehThat confused the hell out of hexchat :-)19:18
shalehit showed me the correct characters but it did not perceive it as a link19:18
dstanekso in a multi-domain setup does the default domain driver need to be in a separate config or should it be in the main config?19:20
shalehALPHA          =  %x41-5A / %x61-7A   ; A-Z / a-z <-- the BnF RFC that the URI RFC points at19:20
shalehayoung: is there a reason not to support common EU language symbols?19:21
ayoungshaleh, %x41-5A  will work as the name....think of it as "we will store the post processed" name, not the pre19:22
ayoungdstanek, you mean LDAP?19:23
dstanekayoung:  yes19:23
*** navid_ has quit IRC19:23
ayoungdstanek,  I think it has to be in a separate config, even if it is the default domain19:23
dstanekayoung: how does keystone know it's the default domain then?19:23
ayoungotherwise, the whole CONF.identity.driver would be the LDAP one19:24
ayoungdstanek, default domain ID is a conf value19:24
ayoungshaleh, https://逃離這個.com19:28
ayoungIt's really fun mixing left to right and right to left languages19:29
ayounghttps://الهروب من هذا
openstackgerritSteve Martinelli proposed openstack/keystone: force releasenotes warnings to be treated as errors
*** navid_ has joined #openstack-keystone19:29
lbragstadi have a client side question for anyone - can the auth endpoint change between login and subsequent requests in the same session?19:30
*** ajayaa has quit IRC19:35
shalehayoung: I added comments19:38
ayoungshaleh, cool19:38
ayounglbragstad, only if your operator hates you19:39
openstackgerritayoung proposed openstack/keystone-specs: Allow url-safe project and domain names to be optionally enforced
*** roxanaghe has quit IRC19:47
*** tyagiprince has quit IRC19:48
*** nkinder has quit IRC19:51
*** navid_ has quit IRC19:51
stevemardstanek: around?19:55
*** gildub has joined #openstack-keystone19:55
dstanekstevemar: sorta19:55
dstanekstevemar: what's up?19:55
stevemardstanek: was wondering if i could get you to look at
stevemardstanek: theres some funniness going on in our test fixtures19:55
dstanekstevemar: sure. i can do it a little later today. banging my head against LDAP :-) right now19:56
stevemardstanek: take it out on LDAP by removing some of it!19:57
dstanekstevemar: quick question. we talked about a multi-domain away ldap driver at some point. will that be a thing?19:57
ayoungdstanek, what's the problem?19:58
stevemaryou can have many domains now, each backed by their own identity ldap19:58
dstanekstevemar: right, which can be the same instance. i was just wondering if we had plans to make a single ldap driver multi-domain aware.19:58
dstanekstevemar: i am thinking no19:59
*** ohno13 has quit IRC20:00
openstackgerritTom Cocozzello proposed openstack/keystone: WIP List assignments with names
*** urulama has quit IRC20:02
stevemardstanek: no plans for that afaik20:02
dstanekstevemar: that's what i thought :-) thx20:02
*** urulama has joined #openstack-keystone20:02
openstackgerritSteve Martinelli proposed openstack/keystone: Deprecate the pki and pkiz token providers.
*** csoukup has quit IRC20:15
openstackgerritTom Cocozzello proposed openstack/keystone: WIP List assignments with names
*** john5223 is now known as zz_john522320:27
mordredlbragstad: if that happens, I swear that my face will pop out of the computer screaming20:28
*** NM has joined #openstack-keystone20:30
*** exploreshaifali has joined #openstack-keystone20:35
*** shaleh is now known as shaleh|away20:35
stevemarmordred: now that's a visual20:40
stevemarlbragstad: you and dolphm have a few fernet related patches that are targeted for kilo, still going forward with those?,n,z20:40
shaleh|awaywhen running functional tests is there a way to see the request/response? Is it logged somewhere (or could it be if one set a variable)?20:42
*** jasonsb has quit IRC20:44
shaleh|awayOS_LOG_CAPTURE=1 is the trick for that ^^^ BTW20:45
*** e0ne has joined #openstack-keystone20:58
*** e0ne has quit IRC21:03
*** shaleh|away is now known as shaleh21:07
*** raildo is now known as raildo-afk21:11
*** zz_john5223 is now known as john522321:13
*** urulama has quit IRC21:13
*** urulama has joined #openstack-keystone21:14
*** mylu has joined #openstack-keystone21:15
*** roxanaghe has joined #openstack-keystone21:16
*** exploreshaifali has quit IRC21:20
*** dims_ has joined #openstack-keystone21:21
*** dims has quit IRC21:22
*** pauloewerton has quit IRC21:24
*** dims has joined #openstack-keystone21:26
*** nkinder has joined #openstack-keystone21:27
*** ayoung has quit IRC21:27
*** dims_ has quit IRC21:28
*** openstackgerrit has quit IRC21:36
*** openstackgerrit has joined #openstack-keystone21:37
*** aginwala has joined #openstack-keystone21:38
*** aginwala has quit IRC21:39
*** aginwala has joined #openstack-keystone21:40
stevemarah shaleh is so kind, helping out folks in #openstack with CLI21:44
stevemarpaying your dues, paying your dues21:44
stevemarwe've all been there21:44
shalehstevemar: poor sap destroyed his running system following Internet advice. pip install --upgrade on top of debs21:46
shalehstevemar: so he had half running openstack Ubuntu devs21:46
shalehit was pathetic really. Poor guy is linux savvy but not really admin material21:47
stevemarshaleh: i've been following the conversation21:47
stevemarshaleh: you and sam-i-am have been helping a lot21:47
stevemarthanks for being so patient21:47
shalehI would not be here today if people had not given me the same kindness.21:48
shalehalthough my sysadmin teacher beat it into my head pretty quickly how not to hose boxen :-)21:49
shalehyou only need to hose a box once at work to really learn21:50
*** thiagop has quit IRC21:51
openstackgerritDave Chen proposed openstack/keystone: Ensure endpoints returned is filtered correctly
stevemarshaleh: yep, or you take snapshots21:53
*** dims_ has joined #openstack-keystone21:53
shalehstevemar: I learned before there were snapshots or even sudo21:53
shalehI was taught to type a command, take hands off the keyboard and read it back, then press enter21:54
shalehbut yeah, I love snapshots now. LVM, Virtual Machines, etc.21:54
stevemarshaleh: read it back AND think about it :)21:55
shalehstevemar: yup :-)21:56
*** dims has quit IRC21:56
* shaleh cuts his teeth on a crusty commercial BSD21:56
shalehman I do not miss that pile o' crap21:56
stevemarwe all had to start somewhere i suppose21:56
shalehteach them how to fix it, how to think about the solution. Hopefully they pass it on to others21:57
shalehWhen I was a Debian hacker I used to buy copies of W. Richard Stevens APUE for newbie hackers who had one too many C bugs.21:58
shalehif that book can't make you a decent Unix hacker nothing will21:58
*** aginwala_ has joined #openstack-keystone22:02
*** aginwala_ has quit IRC22:02
*** NM has quit IRC22:03
*** urulama has quit IRC22:03
*** urulama has joined #openstack-keystone22:03
*** aginwala_ has joined #openstack-keystone22:05
*** aginwala has quit IRC22:06
*** aginwala has joined #openstack-keystone22:08
*** aginwala has quit IRC22:08
*** aginwala_ has quit IRC22:08
*** aginwala has joined #openstack-keystone22:08
stevemarshaleh: night time reading for me!
davechenHappy holiday to anyone who celebrates thanksgiving.22:12
shalehstevemar: in all honesty, his books should be every Linux hacker's foundation. His TCP series is still the standard to work from.22:13
shalehadmittedly he was a BSD guy and it shows. But that does not reduce their value.22:13
shalehthese days we work at a higher level but whenever we need to step down into the details this is the deal.22:14
shalehhis section on what makes a daemon is worth it by itself22:14
*** gildub has quit IRC22:20
*** harshs has quit IRC22:22
*** davechen has left #openstack-keystone22:24
stevemarare my replies to the mailing list coming out funny? like the font size increasing?22:27
stevemari think notes is doing something funny, it just started happening22:27
shalehthe one you sent at 1:40pm about the mid cycle looks normal22:30
*** pumaranikar has quit IRC22:34
*** david-lyle has quit IRC22:34
*** pumaranikar has joined #openstack-keystone22:34
*** pumaranikar has quit IRC22:36
*** pumaranikar has joined #openstack-keystone22:36
*** pumaranikar has quit IRC22:48
stevemarshaleh: what about the most recent one about the midcycle22:58
shalehstevemar: you asked about odd fonts22:59
shalehstevemar: the one you sent about the midcycle looks fine22:59
stevemarshaleh: i think it only happens when i reply22:59
openstackgerritSteve Martinelli proposed openstack/python-keystoneclient: remove PBR from requirements.txt
shalehno more PBR? Really?23:01
shalehcan I kick it in the shins on the way out23:01
stevemarshaleh: i'm not sure about that one23:02
stevemari just fixed the commit msg23:02
stevemari'd need lifeless to take a look at it ^^23:02
stevemarshaleh: trying to prep ksa/ksm/ksc for mitaka-123:02
stevemarand keystone/liberty - keystone/kilo23:03
stevemarfun times23:03
lifelessstevemar: hmm, whats up ?23:03
stevemarlifeless: can you comment on
lifelessman, we need a faq on this23:04
shalehFAQ: Q: Doesn't PBR suck? A: yes PBR sucks, but we live with it.23:04
lifelessI would -2 but I don't have the bit23:04
*** aginwala has quit IRC23:05
stevemarlifeless: thanks, i figured that was the answer.23:05
stevemarlifeless: normally these changes can be seen across all projects23:05
lifelessif pbr causes problems, we'll fix it23:06
lifelessshaleh: how does it suck?23:06
lifelesswin 7023:06
*** david-lyle has joined #openstack-keystone23:07
shalehlifeless: it is hard to express it without vitriol. Sorry. The hours we have lost dealing with PBR related failures is high.23:07
stevemarmordred: last time i had an issue with pypi you fixed it magically, do you know whats going on here:
shalehoften the real problem is not PBR but PBR gets in the middle and obscures the errors23:07
stevemarmordred: the page only says 1.3.3 is available, but we're at 1.8.1 now23:07
lifelessshaleh: are they pbr problems, or setup_requires problems?23:08
shalehlifeless: usually it has something to do with the monkey patching23:08
lifelessstevemar: is worth a look23:09
lifelessstevemar: and that shows better data, so its worth pinging dstufft in #python-infra or #pypa-dev and asking23:09
*** aginwala has joined #openstack-keystone23:09
lifelessshaleh: pbr doesn't monkey patch anything; it uses the setuptools defined interfaces23:09
stevemarlifeless: danke23:09
lifelessshaleh: if you can file a bug whenever pbr is in the way, so we can improve it, that would be helpful23:09
shalehlifeless: I will try. Like I said, often the culprit is some kind of slight mismatch and PBR just seems to mask the real problem.23:10
lifelessshaleh: sure, but masking the problem is a bug itself23:10
shalehI have fixed many of these at work and when it was over I had no idea what the actual problem was. But it works now.23:11
shalehwhich is where the frustration comes from23:11
lifelessshaleh: I would speculate that setuptools inability to deal with conflicts with setup_requires is a big component23:11
lifelessshaleh: we're working on being able to avoid / fix that upstream in the python packaging ecosystem23:11
shalehlifeless: I'm inclined to agree23:11
lifelessshaleh: its not something we can fix from within pbr23:11
lifelessshaleh: there were some bad hacks to try, but they blew up in their own special ways :)23:11
shalehlifeless: :-)23:12
lifeless[such as recursively invoking pip from within pbr...] aieee23:12
shalehlifeless: at work, PBR is basically a curse you only inflict on your worst enemies23:12
shalehI have helped most of the team unwedge a box at some point in the last 4 months23:13
*** gildub has joined #openstack-keystone23:13
shalehlifeless: I get the defined entrance points. But it is kind of like debugging Python Twisted. The callbacks get insane after a while.23:14
shalehnext time I run into a problem I will try to be more methodical and see if our experience can save others23:14
shalehTBH, I have taken to nuking it from orbit and starting fresh23:15
*** med_ has quit IRC23:17
*** RA has joined #openstack-keystone23:20
*** RA is now known as Guest4352923:20
*** david-lyle has quit IRC23:24
*** med_ has joined #openstack-keystone23:25
lifelessshaleh: where is work ?23:26
shalehlifeless: I am an HPE hacker too :-) I work with Guang at the Sunnyvale office.23:27
shalehthe frustration usually goes something like this: User had a VM they were hacking on a couple of weeks ago but they put it down to work on something else. They wake the VM up, do a git pull or the like and BAM nothing works. The real culprit is often tox or virtualenv or pip not being up to date.23:30
*** csoukup has joined #openstack-keystone23:30
shalehcoupled with user ran the VM at home without the proxy/VPN and now at the office those are needed so first there are random weird network issues23:30
shalehI often walk over when I hear the cursing and gnashing23:31
lifelessshaleh: interesting23:31
lifelessshaleh: ok so - I point people at this often -
shalehgetting everyone on the virtualenv wagon will definitely be a plus23:32
shalehdevstack seems to amplify my dislike of PBR because I fight it there more often than not23:33
shalehfor some reason install stock Ubuntu, run devstack just leads to pain.23:33
shalehI really, really, really want devstack to separate "setup for this machine for devstack's peculiar wants", "setup openstack", and "start all of the processes"23:35
shalehthis way I can easily snapshot machines between the steps23:36
shalehif I had more spare time I have been thinking of just making a series of ansible playbooks that re-implemented devstack and be done with it23:37
lifelessshaleh: that might be nice; the initial setup does change over time though23:37
lifelessshaleh: are you using constraints, or you're still on kilo devstack?23:37
shalehlifeless: sure, but I can easily run 'ensure env is sane' when i want23:37
shalehthe fact that it runs every time is the extra annoying part23:37
shalehlifeless: I need to catch up, I started with a late kilo/early liberty version for a project I was hacking on23:38
shalehlifeless: re: your blog post, bindeps sounds interesting23:41
shalehlifeless: something that blows up if the pip installed is the one from apt-get would be nice :-)23:42
shalehif `dpkg -l | grep python-pip`; then die horrible; fi23:42
shalehthe number of lost souls who install that pip, then run --upgrade23:43
shalehit just goes downhill from there23:43
lifelessshaleh: yep23:46
lifelessshaleh: file a bug on bindep, a negative-requirement seems like a plausible thing23:47
lifelessshaleh: (or a patch :))23:47
*** EinstCrazy has joined #openstack-keystone23:48
*** aginwala has quit IRC23:48
shalehlifeless: pull request on github or review on gerrit?23:48
lifelessshaleh: gerrit23:48
shalehlifeless: roger that23:48
shalehSam-I-Am and I rescued a guy's system earlier today. Another admin set it up with Ubuntu packages and left. He was asked to fix a problem. All of the Internet wisdom says 'pip install something' so he tried. Totally wrecked things.23:50
lifelessubuntu's patch to change pip to --user by default -> lots of havoc23:50
shalehcombination of packages versus pip AND kilo versus current23:50
*** aginwala has joined #openstack-keystone23:50
shalehwhen did that go in?23:51
shalehis that active in 14.04?23:51
*** EinstCrazy has quit IRC23:52
*** devl_ has quit IRC23:55