Friday, 2015-12-04

<openstackgerrit> Merged openstack/python-keystoneclient: Accept v2 params to v3 service create
<breton> gyee: I stopped understanding how domain-specific config works. I expected it to do some funny stuff with CONF, but it seems that it doesn't touch CONF at all and the config values are not overridden, although we end up in the right backend. [00:25]
<gyee> breton, only the driver part is taken into consideration [00:26]
<gyee> we need to save the conf that is being passed in at the driver level and use it [00:26]
*** sigmavirus24_awa is now known as sigmavirus24 [00:26]
*** sileht has joined #openstack-keystone [00:27]
<openstackgerrit> Merged openstack/keystone: Update API version info for Liberty
<gyee> breton, a few things ... [00:28]
*** su_zhang_ has quit IRC [00:28]
<gyee> 1) the domain-specific conf is passed when loading the driver [00:29]
<gyee> but we don't make use of it at the driver level [00:29]
<breton> right [00:32]
<gyee> we basically need to make sure the driver saves the "conf" arg and uses it instead of the global CONF [00:32]
<gyee> breton, exactly! [00:32]
<breton> gyee: thank you, that's the part I couldn't figure out. [00:33]
<gyee> so for list_limit, we can just do this [00:33]
<gyee> return self.conf.identity.list_limit or self.conf.list_limit [00:33]
<breton> is conf always passed, even for default domain? [00:34]
<gyee> yes, or we can do this [00:34]
<gyee> if you want to play safe [00:35]
<breton> got it [00:36]
<breton> gyee: have you already started coding that? Because if no, I'd like to do it [00:37]
<gyee> breton, the honor is all yours :) [00:37]
<breton> cool :) [00:37]
<gyee> great opportunity to learn that aspect [00:38]
<gyee> thank you! [00:38]
<gyee> breton, gotta warn you, unit testing that stuff will be fun [00:38]
<openstackgerrit> Merged openstack/keystoneauth: Default for service service type should be empty
*** wangqun has joined #openstack-keystone [03:04]
*** btully has joined #openstack-keystone [03:28]
<openstackgerrit> Steve Martinelli proposed openstack/keystone: Deprecate the pki and pkiz token providers.
<openstackgerrit> Jamie Lennox proposed openstack/python-keystoneclient: Make tests run against original client and sessions
<openstackgerrit> Jamie Lennox proposed openstack/keystone: Perform middleware tests with webtest
*** rcernin has joined #openstack-keystone [06:13]
<openstackgerrit> Jamie Lennox proposed openstack/keystonemiddleware: Disable memory caching of tokens
<openstackgerrit> Jamie Lennox proposed openstack/keystonemiddleware: Don't cache signed tokens
-openstackstatus- NOTICE: Tox tests are broken at the moment. From openstack-infra we are working to fix them. Please don't approve changes until we notify that tox tests work again. [09:31]
<tyagiprince> Hey everyone.. I am facing problem in setting up secure connection with the ldap.. I configured everything as described in the keystone configuration guide.. It is giving the following error: CONNECT_ERROR: {'info': '(unknown error code)', 'desc': 'Connect error'} [09:39]
<samueldmq> morning keystoners [11:13]
<tyagiprince> Hey people.. I am facing problems in setting up LDAPS.. I have already configured LDAP with keystone. However after copying the certificate, it gives me an error: CONNECT_ERROR: {'info': '(unknown error code)', 'desc': 'Connect error'} [11:24]
<tyagiprince> Also I am doing some changes in the policy.json file... but I am not able to view the changes in the horizon.. What do I need to do? I created a new role and did some policy changes to do anything with all the users.. got nothing.. [11:25]
<samueldmq> tyagiprince: hi, regarding the roles and policies [11:27]
<samueldmq> tyagiprince: did you create role assignments ? that is the way the roles will appear in the users' tokens which in turn will be checked against the policy files [11:27]
<tyagiprince> I created a role project-admin.. [11:28]
<tyagiprince> I did assign the role to a user and I am logged in using that user only. [11:29]
<tyagiprince> I made a rule: "role:project-admin and tenant_id:%(tenant_id)s" [11:29]
<samueldmq> tyagiprince: try project instead of tenant [11:30]
<samueldmq> tyagiprince: "role:project-admin and project_id:%(project_id)s" [11:30]
<tyagiprince> samueldmq: I did not get the tab user on the horizon.. But I tried to open controller/horizon/identity/users and it gives Info: Insufficient privilege level to view user information. [11:31]
<tyagiprince> still the same.. nothing new happened when I changed it to project [11:32]
<samueldmq> tyagiprince: I believe you will need admin privileges to access user information [11:34]
<samueldmq> tyagiprince: in horizon [11:34]
<tyagiprince> I want a project-admin role which when assigned to a user can manage the project members through horizon.. [11:35]
<tyagiprince> each project will have one or more users with project-admin role.. [11:35]
<samueldmq> tyagiprince: ah; btw horizon keeps copies of policies that are evaluated locally to render the pages [11:35]
<samueldmq> tyagiprince: perhaps you need to update them too to see changes reflected in horizon [11:36]
<tyagiprince> the admin is super_admin which is the different role that I'd be needing [11:36]
<samueldmq> tyagiprince: you should ask #openstack-horizon for more details on that [11:36]
<samueldmq> tyagiprince: and about the superadmin, we are working that out (cc ayoung) [11:37]
*** btully has quit IRC [11:37]
<samueldmq> tyagiprince: the solution will make a user acquire superadmin rights only on the project designed to be the admin project [11:37]
<marekd> bknudson: hi, i am not sure what should be a correct json home path in line 700 for instance [13:57]
<marekd> bknudson: can you help me? [13:58]
*** raildo is now known as raildo-afk [13:59]
*** links has quit IRC [14:02]
<lbragstad> dstanek o/ happy bug day! what can I help with? [14:03]
<lbragstad> dstanek do you have an etherpad started/continued from somewhere? [14:03]
<dstanek> lbragstad: not a global one. just my personal hit list. feel free to find a bug that's interesting and hack on it or review an existing patch that fixes a bug [14:04]
*** fhubik has quit IRC [14:05]
<lbragstad> dstanek sounds good [14:05]
<lbragstad> dstanek we do have this -
<lbragstad> dstanek I can update it [14:05]
*** fhubik has joined #openstack-keystone [14:05]
<dstanek> i'd love the number here ( to be under 250 by monday! [14:06]
*** gordc has joined #openstack-keystone [14:09]
*** ericksonsantos has quit IRC [14:10]
<lbragstad> stevemar_znc is this still a valid bug in Keystone or can it be closed since it was fixed upstream?
<openstack> Launchpad bug 1521844 in OpenStack Identity (keystone) "pycadf ID validation fails for multi-domain IDs" [High,In progress] - Assigned to Steve Martinelli (stevemar) [14:12]
<marekd> dstanek: lbragstad: any hints on how proper json home relationships should look like? see line 700 for instance [14:21]
<dstanek> marekd: yours look correct in format, but they are all the same [14:32]
<lbragstad> does anyone know if we plan to support running keystoneauth on OS X? [14:33]
<marekd> dstanek: format is fine, but the content isn't [14:33]
<lbragstad> i know we removed OS X support from keystone last year [14:33]
<marekd> lbragstad: ksc is runnable on osx? [14:34]
<lbragstad> marekd not really, but there is an open bug for it -
<openstack> Launchpad bug 1522046 in keystoneauth "TCP defaults not supported on OSX" [Undecided,New] [14:34]
<lbragstad> it was just opened this week [14:34]
<marekd> lbragstad: aha [14:35]
<marekd> if ksc was runnable i'd expect ksa should also be. [14:35]
<lbragstad> i know we no longer care about supporting os x for keystone server.. but i'm not sure about keystoneauth [14:35]
<lbragstad> marekd yeah, that would make sense [14:35]
<lbragstad> looks like we support OSX on ksc -
<openstackgerrit> Tom Cocozzello proposed openstack/keystone: WIP List assignments with names
*** bdossant has joined #openstack-keystone [14:38]
<dstanek> lbragstad: we don't say we support it
<lbragstad> dstanek so, we should remove that comment [14:41]
<lbragstad> and the code around it that is specific to OS X [14:41]
<lbragstad> dstanek looks like we say the same things for ksc -
<dstanek> lbragstad: i don't know what the official openstack stance is on OS X, but I assume clients should run everywhere [14:42]
<lbragstad> dstanek and i assume that would mean ksa, too [14:43]
<dstanek> lbragstad: yeah, it would have to because ksc requires ksa [14:43]
<lbragstad> dstanek so we should add it to the setup.cfg as a supported system [14:43]
<lbragstad> for ksa and ksc [14:44]
*** fawadkhaliq has joined #openstack-keystone [14:46]
<dstanek> lbragstad: probably, but i think we don't do that because we can't test it [14:48]
<lbragstad> dstanek hmmm, interesting [14:50]
<samueldmq> ayoung: hi, you around ? [14:52]
<ayoung> samueldmq, with the holidays here, I'm getting rounder by the week [14:54]
*** fhubik is now known as fhubik_brb [14:54]
<dstanek> marekd: commented on the review [14:54]
*** petertr7_away is now known as petertr7 [14:54]
*** alex_xu is now known as alexus [14:56]
<samueldmq> ayoung: just to understand a comment you left, but we can see this next week [14:56]
<ayoung> samueldmq, which comment? [14:56]
<samueldmq> ayoung: actually at TODO note, to be accurate [14:57]
<ayoung> samueldmq, pretty sure that the def of those links needs a description field to be right [14:57]
<ayoung> samueldmq, I probably added that during the effort to make each extension register itself [14:58]
*** Ephur has joined #openstack-keystone [14:58]
<ayoung> like 3 years ago? [14:58]
<samueldmq> ayoung: is the standard described somewhere ? [14:58]
<samueldmq> ayoung: hehe :) [14:58]
*** fhubik_brb is now known as fhubik [14:58]
<samueldmq> ayoung: I am revisiting FIXME and TODO notes, so doing some cleanup, doing/fixing them [14:59]
<ayoung> samueldmq, what do the others look like... [14:59]
<samueldmq> ayoung: the ones I saw don't have either [14:59]
<samueldmq> ayoung: and there is nothing in the python docs [15:00]
<ayoung> samueldmq, anything on the commit? [15:00]
<samueldmq> ayoung: hmm, looking [15:00]
<ayoung> samueldmq, look at the commit: [15:01]
*** fhubik is now known as fhubik_brb [15:01]
<ayoung> extension_data is a dictionary.  The expected fields are: [15:01]
<ayoung> 'description':  text description of the extension [15:01]
*** spotz_zzz is now known as spotz [15:01]
<marekd> dstanek: thanks [15:02]
<samueldmq> ayoung: sure, and there is one [15:02]
<samueldmq> ayoung: it is outside "links", at the same level of it actually [15:02]
<samueldmq> ayoung: and your comments are inside "links", as there should be a description there [15:02]
<samueldmq> perhaps they aren't valid anymore ? [15:03]
<ayoung> samueldmq, so...I think they are [15:04]
<samueldmq> ayoung: k; thanks sir [15:04]
<ayoung> we should replace "extension" with "submodules" but the general info is a good thing to have [15:04]
<ayoung> I'd like to see info like this if you hit /identity /auth /policy .... [15:04]
*** fhubik_brb is now known as fhubik [15:05]
<ayoung> samueldmq, this is why we should have Keystone render simple HTML.  All this stuff would be very visible [15:05]
<dstanek> lbragstad: are you going to submit a real review with that patch? [15:07]
<lbragstad> dstanek I just wanted to look at the patch, locally [15:07]
<dstanek> lbragstad: if it looks good, go ahead and submit and i'll test on my mac too [15:08]
<dstanek> lbragstad: i'm assuming it looks very similar to the ksc patch [15:08]
<lbragstad> dstanek i got an error from git trying to unpack it [15:08]
<lbragstad> dstanek yeah, it did [15:08]
<openstackgerrit> Samuel de Medeiros Queiroz proposed openstack/keystone: Remove invalid TODO in extensions
<samueldmq> ayoung: ^ [15:08]
<ayoung> samueldmq, reread what I read... [15:09]
<ayoung> I don't agree [15:09]
<ayoung> samueldmq, let me fix that... [15:10]
*** csoukup has quit IRC [15:10]
<samueldmq> ayoung: aren't the TODO comments invalid ? [15:10]
*** Ephur has quit IRC [15:10]
<samueldmq> ayoung: not sure I got what you said [15:11]
*** ir2ivps8 has quit IRC [15:12]
*** btully has quit IRC [15:14]
<ayoung> samueldmq, hmmm... [15:15]
*** btully has joined #openstack-keystone [15:15]
<ayoung> samueldmq, OK...I was wrong.  links don't need description.  I'll change my review [15:15]
*** davechen has joined #openstack-keystone [15:16]
<samueldmq> ayoung: thanks sir [15:16]
<openstackgerrit> Marian Horban proposed openstack/python-keystoneclient: Remove lock object from BaseIdentityPlugin
<marekd> dstanek: what are your opinions on stevemar_znc's comment about renaming sp_group to service_providers_group -> shall we also change that in the urls as well? [15:20]
*** Ephur has joined #openstack-keystone [15:22]
*** sigmavirus24_awa is now known as sigmavirus24 [15:24]
<openstackgerrit> Marek Denis proposed openstack/keystone-specs: Expand endpoint filters to service providers
<openstackgerrit> Jorge Munoz proposed openstack/keystone: Reduce revocation records by removing the revoke events for disable domains and projects.
*** btully has joined #openstack-keystone [15:42]
*** RichardRaseley has quit IRC [15:43]
<topol> bknudson, notmorgan,  henrynash, dstanek, I had a quick question on release notes.  So if lbragstad already created a deprecated-as-of-mitaka release note shouldn't I just add to that one for my deprecation-as-of-mitaka patch as opposed to creating a new one? Or does it not matter? [15:45]
<openstackgerrit> Samuel de Medeiros Queiroz proposed openstack/keystone: Fix test_crud_user_project_role_grants
<samueldmq> lbragstad: thanks ^ [15:53]
*** davechen1 has joined #openstack-keystone [15:53]
<lbragstad> samueldmq np! [15:53]
<amakarov> bknudson, hi! Please review my patch - samueldmq has some concerns about testing [15:56]
*** csoukup has quit IRC [15:57]
<openstackgerrit> Merged openstack/keystonemiddleware: Put py34 first in the env order of tox
<openstackgerrit> Merged openstack/python-keystoneclient: Put py34 first in the env order of tox
<lbragstad> topol that's a good question, part of me thinks you'd just amend it [15:59]
<lbragstad> topol but I don't know for sure [15:59]
<lbragstad> topol i think stevemar_znc pushed that patch set for me :) [15:59]
<samueldmq> amakarov: look at patchset 12, I am referring to that comment from bknudson [15:59]
<topol> lbragstad, that's what I was thinking.   I'll just add to yours once it merges [16:00]
<lbragstad> topol that sounds good to me [16:00]
<topol> lbragstad, thanks! [16:01]
<lbragstad> topol no problem! [16:01]
<davechen1> topol: not sure about that either, since I am the bad guy re-raise the question for that on your patch. [16:04]
<openstackgerrit> Jorge Munoz proposed openstack/keystone: Reduce revocation records by removing the revoke events for disable domains and projects.
<davechen1> topol: but there is already one for deprecation -
<davechen1> topol: basically, it's the same with yours. [16:05]
<topol> davechen1, so linhua also liked the idea of putting all the deprecated as of mitaka items in a single release note.  that makes sense to me since they are all bundled together in the same blueprint [16:06]
<topol> and they are all related [16:06]
*** jerrygb has quit IRC [16:06]
*** davechen1 is now known as davechen [16:06]
<davechen> topol: make sense, but we need an agreement on this. [16:07]
*** jerrygb_ has quit IRC [16:07]
<topol> davechen, I'm happy to do it either way.. Just looking for guidance on what is desired [16:08]
<openstackgerrit> Marian Horban proposed openstack/python-keystoneclient: Remove lock object from BaseIdentityPlugin
<davechen> I think it's a little bit chaos,  pls just ignore my comments on that if others think it's okay to do that in that way. [16:09]
*** jerrygb has joined #openstack-keystone [16:10]
<topol> davechen I'll wait for others to chime in.  No rush on this [16:10]
*** raildo-afk is now known as raildo [16:10]
<davechen> topol: okay. [16:11]
<amakarov> samueldmq, ok, so you suggest just remove the _race_condition and that's it, don't you? [16:11]
<openstackgerrit> Alexander Makarov proposed openstack/keystone: Move region configuration to a critical section
<openstackgerrit> Alexander Makarov proposed openstack/keystone: Move region configuration to a critical section
*** pwp has quit IRC [16:18]
<samueldmq> amakarov: yes, that way I think it would be addressing Brant's comment [16:21]
<samueldmq> amakarov: do you agree? [16:21]
<amakarov> samueldmq, ok, ^^ ^) [16:21]
<amakarov> samueldmq, ok, ^^ :) [16:21]
<lbragstad> has anyone here tried using voluptuous (
<amakarov> samueldmq, as for me, I think we need better testing framework [16:22]
<amakarov> this one doesn't allow exposing such bugs [16:22]
<samueldmq> amakarov: lgtm, thanks [16:22]
<samueldmq> amakarov: like race conditions ? those aren't easy to demonstrate [16:23]
<samueldmq> amakarov: and I don't think that's our framework's fault :) [16:23]
<amakarov> samueldmq, in this case we could use mocks, but it will be completely unreadable [16:24]
<amakarov> samueldmq, I agree, that ours is not the worst in the world :) [16:25]
<davechen> lbragstad: looks like an alternative for jsonschema we used for schema validation. [16:26]
<lbragstad> davechen yeah, it's a validation framework, just curious if anyone has played with it [16:26]
<davechen> lbragstad: not yet, bookmarked :) [16:27]
<openstackgerrit> Samuel de Medeiros Queiroz proposed openstack/keystone: Update extensions links
<openstackgerrit> henry-nash proposed openstack/keystone: Create new version of assignment driver interface
<dstanek> lbragstad: that patch does look incomplete :-( [16:41]
*** roxanagh_ has joined #openstack-keystone [16:41]
<lbragstad> yeah, it does [16:42]
*** jerrygb has quit IRC [16:42]
<openstackgerrit> henry-nash proposed openstack/keystone: Create new version of assignment driver interface
<henrynash> dstanek: could i borrow a portion of your brain to look at my next attempt at versioned drivers? [16:43]
<henrynash> dstanek: currently blowing up on line 73 of
<henrynash> dstanek: saying can’t instantiate the new abstract class with abstract methods <list of all the methods in V9> [16:47]
<dstanek> henrynash: ok, i'll download and give it a try [16:48]
<openstackgerrit> Merged openstack/keystoneauth: Put py34 first in the env order of tox
*** david-lyle has quit IRC [16:48]
<henrynash> dstanek: thx…… [16:48]
*** petertr7 is now known as petertr7_away [16:49]
<openstackgerrit> Merged openstack/keystoneauth: Updated from global requirements
*** david-lyle has joined #openstack-keystone [16:49]
<dstanek> henrynash: was there a specific test that failed? [16:49]
<henrynash> dstanek: run tox -elegacy_drivers [16:50]
*** jbonjean has joined #openstack-keystone [16:50]
<henrynash> dstanek: so the V9 drivers work (perhaps not surprisingly), but its when we try and wrap the V8 one we fail to instantiate the wrapper class [16:50]
*** jbonjean has left #openstack-keystone [16:51]
<lbragstad> for all who are working on the bug day -
<henrynash> dstanek: I think it’s because it’s expecting us to have implemented the real methods….maybe the __getattr__ isn't working/right [16:51]
<lbragstad> if you're working on a bug, have a patch up, and want reviews, please add it to the etherpad [16:52]
<dstanek> henrynash: yeah, you subclass the Abstract class, but don't implement the methods at all [16:52]
*** rcernin has quit IRC [16:52]
<henrynash> dstanek: I assumed that’s what the __getattr__ was an attempt to get round? [16:52]
*** gyee has joined #openstack-keystone [16:53]
*** ChanServ sets mode: +v gyee [16:53]
<dstanek> henrynash: nope, because that won't pass the abc check. you actually need the methods [16:53]
-openstackstatus- NOTICE: The earlier JJB bug which disrupted tox-based job configurations has been reverted and applied; jobs seem to be running successfully for the past two hours. [16:53]
<henrynash> dstanek: yep, that’s what I feared….but the point of this was to just wrap the V8 driver!! So not sure how to get round that [16:54]
<dstanek> henrynash: you actually have to have one-line methods that call through [16:54]
<henrynash> dstanek :-( [16:54]
<henrynash> dstanek: ok, get it…! [16:55]
<dstanek> it's an unfortunate side-effect of wanting to be like Java. you have to code like Java too [16:55]
<henrynash> dstanek: at least I can drink it too….oh well, here goes.... [16:56]
<henrynash> dstanek: thx [16:56]
davechenbknudson: ping?17:27
davechenbknudson: does my reply make sense?  -
*** pkarikh has joined #openstack-keystone17:28
davechenI understand that we can update the schema definition to allow empty request body for creating a region.17:28
*** amakarov has joined #openstack-keystone17:29
davechenbut it requires to change the code to allow empty request body by default, and the exception thrown by  jsonschema is not helpful indeed.17:30
*** navid_ has joined #openstack-keystone17:31
davecheni don't think we need to update validated() method that will impact the whole APIs to just address the specific issue against creating region.17:31
davechenany idea?17:31
* notmorgan sighs at OSC17:34
* davechen sighs at bug fixing.17:35
*** davechen is now known as davechen_afk17:35
*** navid_ has quit IRC17:36
*** navid_ has joined #openstack-keystone17:36
*** davechen_afk has left #openstack-keystone17:38
*** davechen has joined #openstack-keystone17:43
*** davechen is now known as davechen_afk17:43
*** adelia has quit IRC17:43
stevemar_zncnotmorgan :(17:46
*** fawadkhaliq has joined #openstack-keystone17:46
openstackgerritMerged openstack/keystone: Put py34 first in the env order of tox
*** stevemar_znc is now known as stevemar17:47
*** ChanServ sets mode: +o stevemar17:47
notmorganso OSC seems to follow links sometimes17:47
notmorganstevemar: ^17:47
notmorganit's... not consistent17:47
stevemarWhat links?17:47
notmorganstevemar: well if keystone doesn't have admin_endpoint public_endpoint even if the catalog specifies another URI OSC strips off stuff it seems17:52
notmorganstevemar: it's a little odd.17:52
* notmorgan shrugs and continues to setup POC things.17:53
*** adelia has joined #openstack-keystone17:57
*** pwp has joined #openstack-keystone17:58
*** lhcheng has joined #openstack-keystone17:59
*** ChanServ sets mode: +v lhcheng17:59
*** pnavarro|lunch has quit IRC18:00
samueldmqpwp: hey18:04
*** lhcheng has quit IRC18:04
pwpI'm looking at working on
openstackLaunchpad bug 1218682 in python-keystoneclient "User's email format hasn't been checked" [Wishlist,In progress]18:04
*** lxsli has quit IRC18:06
pwpIt says in progress but is not assigned to anyone. Is someone actually working on it?18:07
*** diegows has joined #openstack-keystone18:07
*** petertr7 is now known as petertr7_away18:08
*** fhubik has quit IRC18:08
*** mylu has joined #openstack-keystone18:09
*** aginwala has joined #openstack-keystone18:09
*** davechen has joined #openstack-keystone18:14
*** aginwala has quit IRC18:14
*** davechen_afk has quit IRC18:16
*** pwp has quit IRC18:17
*** lhcheng has joined #openstack-keystone18:17
*** ChanServ sets mode: +v lhcheng18:17
*** browne has quit IRC18:18
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Remove invalid TODO related to bug 1265071
openstackbug 1265071 in OpenStack Identity (keystone) "extra column is required for new models, otherwise unit tests fail" [Low,Fix released] - Assigned to David Stanek (dstanek)18:20
*** lhcheng has quit IRC18:21
*** lxsli has joined #openstack-keystone18:22
openstackgerritBoris Bobrov proposed openstack/keystonemiddleware: a test for memcache_pool
openstackgerritBoris Bobrov proposed openstack/keystonemiddleware: Fix inheritance of memcache client used in pool
openstackgerritBoris Bobrov proposed openstack/keystonemiddleware: Fix usage of memcache_pool as contextmanager
*** diazjf has quit IRC18:25
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Remove invalid comment about LDAP domain support
*** spandhe has joined #openstack-keystone18:39
*** jbell8 has quit IRC18:41
*** jbell8 has joined #openstack-keystone18:44
*** aginwala has joined #openstack-keystone18:46
*** fangxu has quit IRC18:49
*** aginwala has quit IRC18:52
*** flwang1 has joined #openstack-keystone18:52
dstanekgyee: ! terminology is important18:52
*** aginwala has joined #openstack-keystone18:54
*** browne has joined #openstack-keystone18:58
*** abhiii5459_ has joined #openstack-keystone18:58
*** aginwala has quit IRC18:58
*** petertr7_away is now known as petertr718:59
gyeedstanek, you are talking to an ESL guy :)18:59
*** jbell8 has quit IRC19:00
*** aginwala has joined #openstack-keystone19:01
dstanekgyee: for me refactoring has a very specific meaning19:02
gyeeI hear ya19:03
*** jbell8 has joined #openstack-keystone19:03
*** woodster_ has joined #openstack-keystone19:05
*** diazjf has joined #openstack-keystone19:05
*** david-lyle has joined #openstack-keystone19:06
*** david-ly_ has joined #openstack-keystone19:06
*** mylu has quit IRC19:13
*** petertr7 is now known as petertr7_away19:14
*** jerrygb has joined #openstack-keystone19:16
*** mylu_ has joined #openstack-keystone19:17
*** jerrygb_ has quit IRC19:18
*** petertr7_away is now known as petertr719:19
*** mancdaz has quit IRC19:21
*** mancdaz has joined #openstack-keystone19:22
*** mylu_ has quit IRC19:23
*** mylu has joined #openstack-keystone19:23
*** mylu has quit IRC19:25
*** mylu has joined #openstack-keystone19:26
*** diazjf has quit IRC19:28
*** fawadkhaliq has quit IRC19:29
lbragstadnotmorgan do you think you could revisit your -2 on ?19:29
*** shaleh has quit IRC19:32
*** abhiii5459_ has quit IRC19:33
*** flwang1 has quit IRC19:36
sigmavirus24When listing users through ksc, does the client handle pagination for you? (e.g., a case like )?19:37
*** mylu has quit IRC19:37
*** mylu has joined #openstack-keystone19:38
*** david-lyle has quit IRC19:39
*** david-ly_ is now known as david-lyle19:39
*** gwei3 has joined #openstack-keystone19:39
*** spotz is now known as spotz_zzz19:40
*** spotz_zzz is now known as spotz19:41
*** diazjf has joined #openstack-keystone19:43
notmorganlbragstad: i dunno, whats in it for me?19:43
lbragstadnotmorgan candy bars and beer19:44
*** mylu has quit IRC19:44
notmorgannot really selling it are you?19:44
*** markvoelker has quit IRC19:44
cloudnullsigmavirus24:  i dont think it does based on ""19:45
notmorganlbragstad: done.19:45
notmorganlbragstad: so... can i get your review on something ?19:45
lbragstadnotmorgan sure thing19:45
notmorganlbragstad: :)19:45
lbragstadBetaMax interfaces?19:46
lbragstadnotmorgan what's the short story for this?19:46
cloudnullhowever idk if it simply returns everything or a limited set19:46
notmorganlbragstad: sigmavirus24 wrote an awesome library :)19:46
notmorganlbragstad: its plan is to be used in consumers of KSA so we can do functional testing based on recordings of the requests for real clouds (aka OCC / Shade)19:46
lbragstadnotmorgan interesting19:47
lbragstadnotmorgan so we can get percentages based on calls, etc... ?19:47
notmorganlbragstad: percentages?19:47
lbragstadnotmorgan or a distribution?19:48
notmorganmarekd: before i press +A on this please 2x check that19:48
openstackgerritLance Bragstad proposed openstack/keystone: Add checks for unscoped token data creep to tests
openstackgerritLance Bragstad proposed openstack/keystone: Add checks for project scoped data creep to tests
openstackgerritLance Bragstad proposed openstack/keystone: Add checks for domain scoped data creep to tests
openstackgerritLance Bragstad proposed openstack/keystone: Reuse project scoped token check for trusts
notmorganlbragstad:  uh.. not sure what you're asking19:48
notmorganlbragstad: the idea is we'd perform action on <Cloud> and record it19:48
notmorganin OCC, for example19:48
lbragstadnotmorgan reading up on it19:48
lbragstadnotmorgan in case you want to review ^19:48
lbragstadnotmorgan that's fixing a bug you opened19:48
notmorganthen if we change OCC we replay that to make sure we don't break a known working system19:48
lbragstadnotmorgan oh19:48
notmorganlbragstad: and if the cloud changes, we re-record19:49
notmorganit's to prevent known working from regressing19:49
notmorganespecially in projects that have specific configs for real-life-clouds19:49
notmorganaka OCC19:49
notmorganlbragstad: /me is busy trying to set up a POC environment for sub-mounted URLs19:50
notmorganlbragstad: so... will be reviewing a bit less today/next week until that is ready19:51
lbragstadnotmorgan no worries19:51
*** mgarza_ has joined #openstack-keystone19:51
notmorganactually wading through "how to setup openstack" is enlightening19:51
notmorganit's ... downright awful in some steps19:51
*** mylu has joined #openstack-keystone19:52
sigmavirus24notmorgan: lol19:52
sigmavirus24now try setting up a project that's brand new with no documentation19:52
*** mgarza_ has quit IRC19:53
notmorgansigmavirus24: oh i'm noticing our "setup rabbit" is not exactly well documented19:53
*** pwp has joined #openstack-keystone19:54
notmorganthe fact that i have to go look at devstack code to find the info is ... not really that cool.19:54
*** mylu has quit IRC19:54
sigmavirus24par for the course though notmorgan19:55
sigmavirus24so, does keystone paginate user listing?19:55
sigmavirus24okay so users.list(domain='domain_name') in v3 will return everything19:55
sigmavirus24thanks notmorgan19:55
*** mylu has joined #openstack-keystone19:56
sigmavirus24cloudnull: ^19:56
notmorgansigmavirus24: pretty sure19:56
cloudnullnotmorgan: tyvm19:56
notmorganunless you have configured a fixed limit19:57
notmorganwhich case it truncates19:57
cloudnullnotmorgan:  did you get your OSA deployment to go ?19:57
notmorgancloudnull: gave up on it19:57
notmorganlxc was getting in the way19:57
cloudnullsorry about that19:57
cloudnullyou can turn it off19:57
notmorgani've gotten more done hand-configuring the services in the last 2 hrs19:57
notmorganit's not just LXC it's a lot of magic behind the scenes and trying to layer it on top of a virtualized environment19:58
notmorganso now i have a working glance and keystone and haProxy w/ SSL19:58
cloudnullfair enough .19:58
notmorgancloudnull: and
notmorgancloudnull:  :)19:58
notmorgancloudnull: next is rabbit, cinder, nova19:58
notmorganthen neutron and horizon19:58
cloudnullfriends dont let friends neutron, not even once19:59
notmorgancloudnull: also|/v3/auth/tokens) is the auth url19:59
cloudnulland this is using your hap middleware ?19:59
notmorgancloudnull: i expect to have this done by the end of today and hopefully have everything happily running as sub-mounted urls20:00
notmorganthen i have a whole list of fixes to propose to the projects so it can be a real deployment method.20:00
notmorganthen i get to start working on the fun bits - offloading auth to the edge20:00
*** shaleh has joined #openstack-keystone20:03
*** diazjf1 has joined #openstack-keystone20:04
*** diazjf1 has quit IRC20:04
*** diazjf1 has joined #openstack-keystone20:05
*** diazjf has quit IRC20:05
*** pkarikh has quit IRC20:06
*** shaleh_ has joined #openstack-keystone20:07
*** iurygregory has quit IRC20:09
*** ericksonsantos has quit IRC20:09
*** ericksonsantos has joined #openstack-keystone20:09
*** pkarikh has joined #openstack-keystone20:10
*** shaleh has quit IRC20:11
*** aginwala has quit IRC20:13
*** gordc has quit IRC20:13
diazjf1hey stevemar, I was working on setting up notifications on keystone following but it seems I don't get a message when a user is created, just one for authentication20:13
openstackgerritwerner mendizabal proposed openstack/keystone-specs: Multifactor Authentication
*** aginwala has joined #openstack-keystone20:17
kfox1111does keystone_authtoken support passing domains?20:18
kfox1111we'd like to switch fully to v3 and put all the service accounts we can into a separate domain.20:18
*** dtroyer has quit IRC20:19
ayoungcan someone please +2 this and put me out of 4 years of misery20:20
ayoung2012-03-29  ... 3.75 anyway20:21
ayoungkfox1111, yes it does20:21
kfox1111ayoung: know off hand what the settings are?20:22
ayoungkfox1111, do you read Ansible?20:23
kfox1111ayoung: this patch looks useful. though one question. we're looking at setting up multiple regions, and the patch looks like it fits in nicely with that, but what if you want to have an admin tenant per region, so that different regions have different sets of admins?20:23
kfox1111yeah, I can read ansible.20:23
kfox1111there an example in openstack-ansible/kolla?20:23
ayoungkfox1111, the values are in the vars file...20:24
kfox1111cool. I'll have a look. thanks.20:24
notmorganayoung: -1 (just kidding! don't hurt me...), but you probably don't need the "admin_project_name" option in there, just id? or just name+domain?20:25
notmorganayoung: and no i am not really -1ing on that20:25
ayoungnotmorgan, we need both20:25
ayoungnotmorgan, the idea is to be config-tool friendly20:25
ayoungso you don't need to know the id prior to setting this...20:25
notmorganwell just domain and name would be sufficient20:25
ayoungsame thing20:26
ayoungneed the domain_name20:26
notmorgandomain_name since that is globally unique (still)20:26
notmorganthat would be config friendly20:26
notmorganoh oh misread20:26
notmorganread that as project_id20:26
ayoungnotmorgan, certain puppet savvy people said they would string me up by my nether regions if I didn20:26
notmorganseriously... i'm looking at rabbit configs... :P20:27
notmorganbrain is not 100% python mode20:27
ayoungnotmorgan, Erlangbrain20:27
*** dtroyer has joined #openstack-keystone20:28
*** aginwala has quit IRC20:28
notmorganayoung: so.. is_admin_project is part of the token?20:29
ayoungnotmorgan, yep20:29
notmorganayoung: what part of the token is this in?20:30
notmorganayoung: just the top level?20:30
ayoungand don't make me remember exactly why we couldn't put it into the "project" had to be top level for a reason....20:30
kfox1111ayoung: how much do services rely on the admin role these days?20:30 was a practical constraint20:30
notmorganayoung: nod.20:30
ayoungkfox1111, a metric ton20:30
henrynashayoung, marekd, topol: rebased could do with a couple of votes20:30
kfox1111trying to figure out if we can share a keystone between two regions where the regions admins are disjoint.20:30
ayoungnotmorgan, putting it deeper in means we would have to wait on updated access info for all the essentially would defeat the effectiveness20:31
ayoungkfox1111, you share a keystone between them?20:31
notmorganayoung: and it's right?20:31
ayoungI mean, do you do that now?20:31
kfox1111thinking about it.20:31
topolhenrynash, Im on it.20:31
kfox1111is it something you can 's/admin/regionX_admin/' over the policy files of a region?20:31
*** aginwala has joined #openstack-keystone20:31
kfox1111or is there deeper magic involved?20:32
notmorganayoung: enjoy20:32
notmorganayoung: that may be my last +2 on keystone server for a long time.20:32
ayoungnotmorgan, that is a good swansong20:32
ayoungnotmorgan, TYVM20:32
henrynashtopol: thx20:32
kfox1111I think ideally the other way to solve it is with a keystone per region, and federate, but horizon doesn't support k2k fully yet. :/20:33
ayounghenrynash, one nice thing about specs is diff to earlier version works well.  +220:34
ayoungkfox1111, so, earlier discussion was whether to make admin project tied to the service catalog.  This fix doesn't go that far, but it is something we could entertain in the future20:35
topolayoung +++20:35
kfox1111ah. cause the service catalog is tied to a region? that would work.20:36
kfox1111or maybe have a second, key/value option that ties region to project, and defaults to the other option specified.20:38
ayoungkfox1111, I think we would need to do more logic, though.  We would need to know that  token was targeted at a certain endpoint20:38
ayoungkfox1111, that is in the works, but I think you need it first, and then it would need to be enforced on all endpoints prior to scoping admin to, say a region20:39
ayoungkfox1111, separate Keystone servers is safer, and K2K is probably the way to go for enforcement20:39
kfox1111yeah, seems like a great way to go, if it would work with horizon. :/20:40
kfox1111very few of our users use cli. :/20:40
kfox1111do you know the current state of the k2k horizon stuff?20:41
kfox1111maybe if we run a mitaka 1 horizon?20:41
*** itlinux_ has joined #openstack-keystone20:42
ayoungkfox1111, good question. lin H is our current Keystone/Horizon liaison but he's not here  is he...20:43
*** itlinux has quit IRC20:44
ayounghenrynash, +2A...We approved at the meeting this week right?  I'm not overstepping here.20:44
kfox1111k. I'll to catch him later.20:46
openstackgerritMerged openstack/keystone-specs: Domain Specific Roles
kfox1111are there any known issues with K2K with any services? sahara, trove, heat, etc?20:47
*** jasonsb has quit IRC20:49
*** diegows has quit IRC20:51
*** tjcocozz has quit IRC20:53
*** mylu has quit IRC20:53
*** raildo is now known as raildo-afk20:54
*** tjcocozz has joined #openstack-keystone20:56
*** aginwala has quit IRC20:57
kfox1111do trusts work with federation?21:02
kfox1111k2k federation21:02
lbragstaddstanek so i got through fixing bug 1224273 starting here -
openstackbug 1224273 in OpenStack Identity (keystone) "Need a test to verify token's do not get data creep" [Medium,In progress] - Assigned to Lance Bragstad (lbragstad)21:03
lbragstaddstanek do you think i should just reimplement that using jsonschema instead?21:03
*** diegows has joined #openstack-keystone21:03
*** adelia has quit IRC21:04
*** pauloewerton has quit IRC21:04
lbragstaddstanek do you have a strong opinion either way on using voluptuous over jsonschema?21:04
henrynashayoung: gyee had severe reservations (not on the concept, just the API itself)….I had imagined that our PTL would have to make a call….21:05
*** diegows has quit IRC21:05
gyeehenrynash, reusing implied role APIs will cause confusion, we either merge the two concepts or use new APIs21:09
henrynashgyee: I understand your concern (I don’t see it as such an issue), but appreciate anyone fighting for good UX21:10
ayounggyee, you are so wrong21:10
gyeeayoung, wrong in what?21:11
ayounggyee, role-groups as a name would be just as confusing21:11
ayoungthere is nothing wrong with this api21:11
gyeedomain-specific roles don't appear in the token21:11
ayounggyee, exactly21:11
ayoungroles are the things assigned to users21:11
gyeethey are different from implied roles21:11
ayounggyee, better to say that "implication" and "domain specific" are two potential attributes of a role21:12
gyeeon top of that, we put special restrictions to make sure they can't be nested21:12
ayoungactually, my language could be better21:12
ayoung "inference" and "domain specific" are two potential attributes of a role21:12
ayounggyee, ?21:12
gyeewhat is a "role"?21:13
gyeelets agree on that one first21:13
*** navid_ has quit IRC21:13
gyeea "role" appear in token?21:13
*** navid_ has joined #openstack-keystone21:14
ayounggyee, so...a role is a label assigned to user that may be used for access control21:14
ayounggyee, my preferred taxonomy would be:21:14
*** aginwala has joined #openstack-keystone21:14
ayoungrole -> workflow -> privilege or permission21:14
gyeea role goes onto the token, period21:14
gyeeisn't that so much easier to explain it to people21:15
ayoungwe assign roles to users.  assign workflows to roles and assign permissions to workflows21:15
ayounggyee, roles are assigned to users on a project.  Role inference is used to determine what goes in the token21:15
gyeenow you are confusing me21:16
gyeewhat's the difference between a "role" and "role inference"?21:16
ayoungrole inference is a rule that says one role implies another role21:17
gyeein your implied role spec, both prior and implied roles goes into the token21:17
gyeeso they are all roles21:17
ayounggyee, yes, because that spec did not depend on Henry's21:17
ayounghenry's depends on  this21:17
gyeethey are returned in the "roles" section of the token response21:17
gyeethat's my point, the two concepts are fundamentally different, hence my objection21:18
henrynashfor me, global roles always go in tokens, domain roles never go in tokens.21:18
*** breitz has quit IRC21:18
gyee"global roles"?21:18
henrynashboth can infer other roles21:19
henrynashglobal roles = a non domain specific role21:19
*** breitz has joined #openstack-keystone21:19
gyeeyou scare me there, we used to have "global" roles which have no target association :)21:19
gyeehenrynash, come to think of it, why can't domain-specific roles go onto the token?21:20
ayounggyee, roles are names/  you are referring to global role *assignments* which we got rid of21:20
gyeeif we do that, we eliminate all the confusions21:20
ayoungroles have always been global21:20
ayoungwhat we are doing here is making it such that a role can be less than global21:21
gyeerole definitions has always been global21:21
gyeerole definitions != global roles21:21
gyeeglobal roles use to cause fears :)21:21
henrynashTHAT is the change I am making….roles can be global (i.e go in tokens and appear in policy files), or they can be domain specific (in which case they never go in tokens and never appear in policy files)….but instead infer those roles that do21:22
kfox1111so, we have one region with keystone configured. we want to use that keystone as the identity provider for k2k, while not breaking the existing region. is that ok?21:22
kfox1111we're going to deprecate that region soon, so eventually that keystone could be a pure idp, but not for a bit at least.21:23
gyeehenrynash, I understand what you are trying to do, all I am arguing is domain-specific *roles* are not roles because they don't end up in the token21:24
gyeeI would hate to have a support person come up to me, time and again, asking why user don't get the role even though it's been assigned21:25
gyeeand I have to keep explaining to him they are not really roles21:25
kfox1111+1 for not overloading terms too much.21:26
*** jasonsb has joined #openstack-keystone21:26
*** navid_ has quit IRC21:27
*** boris-42_ has joined #openstack-keystone21:28
gyeekfox1111, on the flip side, consulting business will be booming because only we know the stuff :)21:29
ayounggyee, use the terms correctly.  What you call role definitions are "roles".  These are global.  Role assignments are scoped to projects, but were, in some pre-me-and-you-past global, and that is what is_admin was based on....21:29
ayounghenrynash, is talking about global roles as  definitions21:29
ayoungkfox1111, =1 for requiring a new term where an existing one is appropriate.  gyee did that to us already with domains.  I'm still bitter, and this is the same thing all over again. The real issue is that what we call groups are in the identity side, and not something that keystone can manage.21:31
ayounghenrynash is extending the existing concepts in a sane way to make these things more manageable.  Adding role-group as a concept would make things worse21:32
*** petertr7 is now known as petertr7_away21:32
ayoungand, why don't DSRs go in tokens?  because tokens match on string, not on roel id21:32
ayoungrole id21:32
gyeedomain have specific use, unlike projects21:32
ayounggyee, that use is to break every api everywhere21:32
kfox1111yeah, I still hate the term project. :/ tenants were much better.21:32
ayoungwe should have made project nestable21:32
kfox1111"project" means too many things to too many users. :/21:33
kfox1111at our site, "project" could be thought of closer to what keystone calls a domain. :/21:33
ayoungkfox1111, we should never have started calling them projects, although tenants as a term sucks too, it sucks less than project21:33
openstackgerritMerged openstack/keystone: Remove invalid FIXME note
ayoungkfox1111, I like taskforce myself21:33
kfox1111yeah. I liked tenants because while users would need help to understand, we had the opportunity to explain. they assume too much about projects.21:34
kfox1111hah. taskforce. yeah. :)21:34
gyeeayoung, how's adding role group make things worse? how about add a special flag, is_group, to users and eliminate user groups? :)21:35
ayoungkfox1111, OTOH, " a project  is a label used to group remote resources" more closely matches the english than "a tenant is...."21:35
gyeethat's sounds awesome! :D21:35
ayounggyee, can't21:35
ayoungthat stuff is in identity21:35
ayoungidentity is read only21:35
ayoungthis is why dchadwick wanted mapping to be editable by end user admins21:35
kfox1111so, with k2k, do you have to make a mapping for every ldap group you have, if you want to extend it through? or do you just do map groups to roles in the idp, and then roles to roles in the sdp?21:35
*** mhickey has quit IRC21:35
ayoungit allows you to do all this stuff with mapping, but the mapping language is too complicated21:35
ayoungkfox1111, Not a clue21:36
kfox1111kind of dreading if we have to update the rules every time we create a new ldap group. :/21:36
gyeehow about lets eliminate everything and make them generic "entities"21:36
kfox1111we have a group per tenant currently.21:36
ayoungkfox1111, in federation mapping, you can do general rules, but not sure if K2K inherits all that21:36
gyeejust use special flags for everything21:36
ayounggyee, the term you are looking for is principal21:36
gyeeeverything is a dict!21:37
gyeeno more extras21:37
kfox1111guess I'll just have to try it and see...21:38
ayounggyee the thing is, it is the implied_roles part I care about.  Domain specific is henrynash 's baby.  I don't think they will be nearly as important as he does.  But they will be useful21:38
ayoungbut the implied roles allow us to break down big chunks into little chunks21:38
gyeeayoung, I have no problem with implied roles21:38
ayoungthe thing we'll need after this is amakarov 's unified delegation, and the ability to request a token with a subset of (implied or explicit) roles21:38
*** afazekas has quit IRC21:39
ayounggyee, SO if we renamed  "domain specific roles" to "role groups" the plus would be that people would not expect to see them in tokens, but the minus would be that we would need to retool all assignment code, including horizon. etc21:40
*** afazekas has joined #openstack-keystone21:40
ayoungWith that trade off, I say that reusing the existing term is far, far more useful21:40
*** petertr7_away is now known as petertr721:40
gyeecall them role groups would be consistent with the rest, like user groups21:40
gyeemuch easier to explain it to people21:41
ayounggyee, before we did that, I think I would say "split identity into user and group" and then allow groups to vary independently from the initial assertion, and reuse the group abstraction21:41
ayoungas I said, the real issue is that we cannot manage groups in keystone if the identity backend is read only21:42
ayoungand we've already made that nasty with federation21:42
gyeeayoung, I haven't thought about the implementation, all I care is getting the concept and API right at this point21:42
gyeeAPIs are like a contract, once finalized, it's very hard to change21:42
gyeeso we need to try to do it right the first time21:42
kfox1111so, the docs make it look like you can only map groups to groups...21:43
kfox1111so roles would have to be mapped in each sdp keystone. :/21:43
gyeekfox1111, with K2K, you can map it to a specific set of roles21:43
gyeedoesn't have to be a group21:44
kfox1111gyee: have an example?21:44
kfox1111hmm... mentions k2k stuff is a little different, but doesn't have an example of roles or groups.21:46
notmorganayoung: woot:
*** sigmavirus24 is now known as sigmavirus24_awa21:49
*** sigmavirus24_awa is now known as sigmavirus2421:49
*** gwei31 has joined #openstack-keystone21:49
*** aginwala has quit IRC21:49
*** gwei3 has quit IRC21:50
ayoungTempus Frangit, eh?  time breaks.  Sandman reference?21:51
notmorganayoung: yup21:52
*** diazjf1 has quit IRC21:52
notmorganayoung: so the cinder volume backend isn't there yet21:53
notmorganayoung: but glance is fully functional as is keystone21:53
ayoungnotmorgan, so...behind the scenes, I am assuming that keystone is on 35357, but HTTPD?21:53
notmorganayoung: yeah.21:53
*** aginwala has joined #openstack-keystone21:53
notmorganayoung: api.tempusfrangit is HAProxy doing L7 routing21:53
ayoungnotmorgan, what about Horizon?  Just punting that to another server?21:53
notmorganhorizon will be /dashboard21:54
*** diazjf has joined #openstack-keystone21:54
notmorganand if you go to it redirects you to /21:54
ayoungnotmorgan, and some random port?21:54
notmorganerm /dashboard21:54
notmorganno random port.21:54
notmorganhorizon will run on the same shared internal API node21:54
ayoungnotmorgan, different vhost?21:54
notmorganon port 8021:54
notmorganonce it's all setup i'll be SSLing the internal hosts too21:54
ayoungnotmorgan, so 80 is hidden from view?  Only 443 to the outside world?21:55
notmorganany request to 80 on api.t.o redirects to 44321:55
ayoungnotmorgan, you are doing it right.  Thanks21:55
notmorganand auth URL is auth.tempusfrangit.org21:55
notmorganso you auth there and then catalog is all elsewhere21:55
notmorganalso letsencrypt being public beta = win21:55
*** topol has quit IRC21:57
*** topol has joined #openstack-keystone21:58
*** ChanServ sets mode: +v topol21:58
gyeekfox1111, no direct role mapping, my bad21:59
ayoungI think so, but cautiously optimistic there.  They need to make sure they don't sign for too too much with each cert...hard to do right.  Have not looked at their implementation22:00
*** topol has quit IRC22:02
*** opilotte has quit IRC22:04
*** opilotte has joined #openstack-keystone22:04
openstackgerritJorge Munoz proposed openstack/keystone: Reduce revoke events for disabled domains and projects.
*** adelia has joined #openstack-keystone22:05
kfox1111is this still true: "Finally, the SP configuration also needs UUID tokens to avoid issues with the default Fernet tokens." ?22:06
*** mylu has joined #openstack-keystone22:08
kfox1111ah. the document mentions it should be fixed in liberty.22:08
kfox1111does openstack cli support k2k yet?22:09
*** navid_ has joined #openstack-keystone22:09
*** adelia has quit IRC22:10
openstackgerrithenry-nash proposed openstack/keystone: Create new version of assignment driver interface
*** navid_ has quit IRC22:14
*** jerrygb has quit IRC22:15
openstackgerrithenry-nash proposed openstack/keystone: Create new version of assignment driver interface
*** henrynash has quit IRC22:16
*** haneef has joined #openstack-keystone22:18
openstackgerritTim Burke proposed openstack/keystoneauth: Fix PyPI badges
*** mylu has quit IRC22:18
*** mylu has joined #openstack-keystone22:19
*** aginwala_ has joined #openstack-keystone22:20
*** aginwala_ has quit IRC22:21
*** aginwala has quit IRC22:22
*** aginwala_ has joined #openstack-keystone22:22
*** diazjf has quit IRC22:24
*** mancdaz has quit IRC22:26
*** jbell8 has quit IRC22:27
*** mancdaz has joined #openstack-keystone22:27
*** gwei3 has joined #openstack-keystone22:27
*** gwei31 has quit IRC22:29
*** david-ly_ has joined #openstack-keystone22:29
*** petertr7 is now known as petertr7_away22:29
*** mylu has quit IRC22:30
*** mylu has joined #openstack-keystone22:30
shaleh_kfox1111: using keystone auth it is theoretically possible. But the UI/UX needs to be worked out22:31
*** david-ly_ is now known as david-lyle_22:31
shaleh_kfox1111: all of the k2k support is now in the libraries22:31
*** david-lyle has quit IRC22:32
kfox1111k, so not at present. :/22:32
kfox1111where is the correct place to pull shibboleth for centos7?22:32
shaleh_kfox1111: but nothing stopping it either22:33
kfox1111shaleh_: that's the "it's only a matter of code" response. ;)22:33
kfox1111which is true, but only if you're a coder. :)22:33
shaleh_kfox1111: correct. But now that the libs support it the last bit pretty easy22:33
kfox1111for some of my users, that answer means, "not possible"22:33
kfox1111yeah. I might have to take a stab at it...22:33
shaleh_kfox1111: get better users :-)22:34
kfox1111if I can fit it into my 'copious amounts of free time' :)22:34
shaleh_kfox1111: in all serious, though it should happen now22:34
*** mylu has quit IRC22:35
shaleh_kfox1111: I had not yet because last time I had cycles we were waiting on keystoneauth22:36
shaleh_ayoung: could you take a minute and kick my open reviews down the pipe?22:36
ayoungshaleh_, link?22:36
shaleh_ayoung: my unit test cleanups are dangling22:37
shaleh_I get tired of needing to rebase them22:37
kfox1111yeah, k2k looks really awesome, but asking users to only do things via rest api seems a little heavy handed. :/22:37
ayoungkfox1111, we don't control horizon22:37
kfox1111ayoung: is rdo planning on packaging shib?22:37
ayoungand we can't make it seamless22:37
shaleh_kfox1111: agreed. python-keystoneclient and keystoneauth now support it natively22:37
ayoungkfox1111, nope22:37
ayoungkfox1111, we were originally going to go with Ipsilon, but not sure now.22:38
shaleh_shaleh_: so from application code perspective it is pretty clean22:38
ayoungIpsilon and Fedora AS merged...22:38
ayoungbut you don't need shib for K2K22:38
*** shaleh_ is now known as shaleh22:38
openstackgerritayoung proposed openstack/keystone: Implied Roles
openstackgerritayoung proposed openstack/keystone: Create V9 Role Driver
openstackgerritayoung proposed openstack/keystone: Create new version of assignment driver interface
ayoungrebase hell22:39
ayoungsorry henry22:39
kfox1111ayoung: oh, really? how do you do it without?22:39
shalehayoung:,n,z <-- all of the ones with the Green check22:39
notmorganayoung: just realized i also need to do the crazy thing and use proper auth plugins for KSM for now22:39
ayoungkfox1111, shib is an external Federation provider.  K2K uses py-saml, but not all of Shib22:39
kfox1111shaleh_: so you can use keystone cli to get a token for the SP?22:40
shalehkfox1111: no, but the Python code supports it. so an application can22:40
shalehkfox1111: the keystone CLI is dead22:40
kfox1111ayoung: following the directions here:
kfox1111which mentions installing libapache2-mod-shib2. is that step not needed?22:41
kfox1111I am doing it on centos7+rdo though. so trying to map it somehow.22:41
shalehkfox1111: shib is the easy, supported path22:41
shalehkfox1111: there are other paths22:41
shalehkfox1111: the openstack CLI however needs a think. The code passes an auth plugin to the k2k plugin. So we need a way to say from the CLI --auth-with-plugin X --doing-k2k22:43
shalehkfox1111: locally it would be trivial to make an openstack CLI which only did k2k auth.22:44
*** aginwala_ has quit IRC22:46
shalehayoung: thanks. those have been dangling for a while now22:46
ayoungshaleh, gonna +2 this one,cm  get the add'l cleanup in another path, ok22:46
shalehayoung: agreed22:47
kfox1111shaleh: or an environ var, so we can stick it in the horizon generated rc files.22:47
shalehkfox1111: right, that is the "think it through" part.22:47
ayoungshaleh,,cm  can probably go away.  I think that is only needed for use cases I don't want to support22:47
shalehkfox1111: in your own local setup or tree you could easily make an OSC that always did k2k22:47
shalehayoung: we have quite a bit of dead wood22:49
*** aginwala has joined #openstack-keystone22:49
ayoungnew_ref generates the uuid.  Why'd you do that again?22:49
ayoungdid you have a reason?22:49
shalehayoung: I think this is part of the mess with rebasing22:50
notmorganayoung: server resize *should* be non-destructive right?22:50
shalehayoung: I can clean that one up22:50
ayoungshaleh, nope22:50
shalehayoung: no, I mean me locally22:50
shalehayoung: I had that right at one point22:50
* notmorgan needs to add more ram to a box in this POC.22:50
notmorganor i guess i could just add another host...22:50
ayoungshaleh, I'm going to go with "just learning the code base" on that one...22:50
* notmorgan goes for the former, it'll be less $ =/22:51
shalehayoung: more like learning how to use git the OpenStack way.22:51
notmorganerm latter22:51
shalehayoung: that one can be dinged -1 if you like22:51
shalehayoung: no harm, no foul22:51
shalehayoung: I did not ask you so it would be rubber stamped :-)22:52
shalehBRB all22:53
kfox1111are the mappings created via the rest api?22:53
ayoungshaleh, on,cm  are service enabled when created now?22:53
shalehkfox1111: yes22:53
kfox1111this is very involved. :/22:53
ayoung  yep22:54
*** jasonsb has quit IRC22:55
ayoungshaleh, +2ed a bunch, -1ed one...should be less of a burden22:55
shalehayoung: thanks22:56
shalehkfox1111: ansible playbooks to setup an arbitrary number of Idp/SP connections between devstacks22:57
shalehkfox1111: there are playbooks documenting all of the connection steps22:57
shalehkfox1111: I did the REST calls by "hand" no Python libs or external depends22:58
*** mylu has joined #openstack-keystone22:59
kfox1111k. I'll give that a try.23:02
shalehkfox1111: that should help explain all the steps. It is a much simpler setup than say OSAD23:02
shalehkfox1111: pull requests and/or issues are welcomed23:03
shalehkfox1111: ignore the bit about the cachier plugin23:04
shalehkfox1111: I found that caused more problems than it solved23:04
notmorgani do have to admit it's kind of nice not grinding my laptop into the ground trying to setup a VM to test this stuff out23:05
shalehnotmorgan: who are you using to host?23:05
notmorganshaleh: Vexxhost23:06
notmorganshaleh: they're pretty fantastic!23:06
notmorganseriously moving all my personal hosting to them too23:06
notmorganshaleh: but this is the super cool part...23:06
shalehlooks like a service catalog....23:08
notmorganbut notice no non-standard ports *and* everything under api.tempusfrangit.org23:08
notmorgan(that's my POC)23:08
* notmorgan should do internal DNS on the thing too... but...23:08
shalehso are you using a mod_rewrite kind of thing to redirect to the services?23:09
*** dims has quit IRC23:10
notmorganshaleh: HAProxy23:14
notmorganshaleh: full L7 routing23:14
*** itlinux has joined #openstack-keystone23:14
*** itlinux_ has quit IRC23:17
*** pwp has quit IRC23:18
*** itlinux_ has joined #openstack-keystone23:19
*** itlinux has quit IRC23:19
*** aix has quit IRC23:19
*** itlinux has joined #openstack-keystone23:22
*** itlinux_ has quit IRC23:24
ayounggyee, please see my comments and, if you can, remove -1.23:25
*** itlinux has quit IRC23:27
*** gwei31 has joined #openstack-keystone23:29
*** spotz is now known as spotz_zzz23:29
*** gwei31 has quit IRC23:30
*** gwei3 has quit IRC23:31
*** lhcheng has joined #openstack-keystone23:32
*** ChanServ sets mode: +v lhcheng23:32
shalehnotmorgan: what is (roughly) your monthly cost?23:32
notmorganshaleh: for this POC, it's going to be about $80 or so23:33
notmorganshaleh: or $9023:33
notmorganshaleh: it's all on top of their public cloud23:33
notmorganshaleh: but i'm running like 7 hosts, a couple networks, and a couple routers [sdn]23:34
*** gwei3 has joined #openstack-keystone23:34
*** itlinux has joined #openstack-keystone23:34
notmorganand my personal host [which runs this IRC bouncer for me]23:34
openstackgerritayoung proposed openstack/keystone: Create new version of assignment driver interface
shalehnotmorgan: i suppose that is decent. Especially considering what that costs to own.23:35
notmorganshaleh: yeah. i mean my goal is <$100/mo23:35
*** openstack has joined #openstack-keystone23:36
notmorgani figure i can afford a couple months of this poc23:36
*** sigmavirus24 is now known as sigmavirus24_awa23:36
openstackgerritayoung proposed openstack/keystone: Create V9 Role Driver
openstackgerritayoung proposed openstack/keystone: Implied Roles
ayoungOK..hopefully I have that right now23:38
*** itlinux has quit IRC23:39
kfox1111do you install shib on both keystones?23:39
kfox1111this one doc says do it to just the SP, but other parts seem to imply it needs to be on both?23:40
shalehkfox1111: the shibboleth daemon runs on the SP23:41
ayoungkfox1111, link?23:41
stevemarlbragstad: i don't think it's fixed yet23:44
stevemarwe should still attempt to make the IDs we pass to pycadf become UUIDs23:44
stevemarso we don't run into the same problem23:45
*** davechen has left #openstack-keystone23:46
*** dims has joined #openstack-keystone23:47
gyeeayoung, your changes will break the existing deployment23:48
gyeeayoung, is_admin_project need not be coupled with the 'admin' role23:49
*** gwei3 has quit IRC23:50
kfox1111I'm getting a 404 from
kfox1111on the idp.23:51
