Friday, 2016-04-01

*** timcline has joined #openstack-keystone00:04
*** spzala has joined #openstack-keystone00:04
*** fawadkhaliq has quit IRC00:07
*** fawadkhaliq has joined #openstack-keystone00:07
*** gyee has quit IRC00:08
*** timcline has quit IRC00:08
*** jasonsb has joined #openstack-keystone00:08
*** ayoung has joined #openstack-keystone00:11
*** ChanServ sets mode: +v ayoung00:11
*** jasonsb has quit IRC00:12
*** browne has quit IRC00:12
*** mylu has joined #openstack-keystone00:14
*** mylu has quit IRC00:15
*** browne has joined #openstack-keystone00:17
*** tellesnobrega is now known as tellesnobrega_af00:28
*** richm has quit IRC00:33
*** dflorea has quit IRC00:38
*** mylu has joined #openstack-keystone00:39
*** mylu has quit IRC00:41
*** tqtran has quit IRC00:41
*** mylu has joined #openstack-keystone00:42
*** mylu has quit IRC00:44
*** mylu has joined #openstack-keystone00:44
*** jasonsb has joined #openstack-keystone00:45
*** jasonsb has quit IRC00:47
*** jasonsb has joined #openstack-keystone00:47
*** jasonsb has quit IRC00:48
*** mylu has quit IRC00:50
*** mylu has joined #openstack-keystone00:52
*** markvoelker_ has quit IRC00:53
*** bjornar has quit IRC00:54
*** edmondsw has joined #openstack-keystone00:54
*** tqtran has joined #openstack-keystone01:03
*** mylu has quit IRC01:03
samueldmqmorgan: stevemar_: what's happening in our master gates ? :(01:04
*** agrebennikov__ has quit IRC01:04
samueldmqI just saw 298402 hasn't merged yet01:04
*** mylu has joined #openstack-keystone01:04
*** timcline has joined #openstack-keystone01:04
*** jasonsb has joined #openstack-keystone01:05
*** tqtran has quit IRC01:07
*** mylu has quit IRC01:09
*** timcline has quit IRC01:09
*** jasonsb has quit IRC01:10
*** jasonsb has joined #openstack-keystone01:11
*** browne has quit IRC01:12
*** spzala has quit IRC01:14
*** spzala has joined #openstack-keystone01:14
*** mylu has joined #openstack-keystone01:15
*** EinstCrazy has joined #openstack-keystone01:16
*** spzala has quit IRC01:19
*** EinstCra_ has joined #openstack-keystone01:19
*** spandhe has quit IRC01:20
*** dan_nguyen has quit IRC01:21
*** mylu has quit IRC01:22
*** EinstCrazy has quit IRC01:22
*** mylu has joined #openstack-keystone01:24
*** knikolla has quit IRC01:25
*** woodster_ has quit IRC01:27
*** edmondsw has quit IRC01:30
*** fawadkhaliq has quit IRC01:40
*** mylu has quit IRC01:50
*** fawadkhaliq has joined #openstack-keystone01:54
*** topol_ is now known as topol01:57
*** ChanServ sets mode: +v topol01:57
*** topol_ has joined #openstack-keystone01:58
*** ChanServ sets mode: +v topol_01:58
*** topol_ has quit IRC02:02
*** tellesnobrega_af is now known as tellesnobrega02:03
*** tqtran has joined #openstack-keystone02:04
*** timcline has joined #openstack-keystone02:05
*** tqtran has quit IRC02:08
*** timcline has quit IRC02:10
*** spzala has joined #openstack-keystone02:14
*** akanksha_ has quit IRC02:17
*** mylu has joined #openstack-keystone02:19
*** spzala has quit IRC02:20
*** jasonsb has quit IRC02:30
*** fawadkhaliq has quit IRC02:33
*** spzala has joined #openstack-keystone02:36
*** fawadkhaliq has joined #openstack-keystone02:42
*** fawadkhaliq has quit IRC02:43
*** fawadkhaliq has joined #openstack-keystone02:45
*** fawadkhaliq has quit IRC02:53
*** fawadkhaliq has joined #openstack-keystone02:53
*** timcline has joined #openstack-keystone03:06
*** mylu has quit IRC03:08
*** fawadkhaliq has quit IRC03:08
*** mylu has joined #openstack-keystone03:09
openstackgerritMerged openstack/keystone: Correct `role_name` constraint dropping  https://review.openstack.org/29840203:10
prometheanfirestevemar_: woooo03:10
*** timcline has quit IRC03:10
prometheanfiresamueldmq: you were saying?03:10
*** fawadkhaliq has joined #openstack-keystone03:10
*** mylu has quit IRC03:11
*** mylu has joined #openstack-keystone03:11
*** fawadkhaliq has quit IRC03:12
*** jasonsb has joined #openstack-keystone03:13
*** dan_nguyen has joined #openstack-keystone03:20
*** krotscheck is now known as krotscheck_vaca03:20
morganprometheanfire: and we hope stable/mitaka lands sooon.03:26
prometheanfireof course :D03:29
*** spandhe has joined #openstack-keystone03:30
*** fawadkhaliq has joined #openstack-keystone03:32
*** spandhe_ has joined #openstack-keystone03:33
*** spandhe has quit IRC03:34
*** spandhe_ is now known as spandhe03:34
*** links has joined #openstack-keystone03:41
stevemar_soon soon03:47
*** markvoelker has joined #openstack-keystone03:47
morgansoon (tm)03:47
*** dan_nguyen has quit IRC03:52
*** mylu has quit IRC03:54
*** dflorea has joined #openstack-keystone03:55
*** markvoelker_ has joined #openstack-keystone03:56
*** markvoelker has quit IRC03:56
stevemar_morgan: https://review.openstack.org/#/c/300230/ if you're interested03:57
patchbotstevemar_: patch 300230 - releases - release keystone mitaka-rc203:57
morgannice.03:57
morgani assume that includes the role thing03:57
morgan?03:57
morganstevemar_: yep.. nice03:58
morganstevemar_: also... what happened to your bouncer?03:58
morgan:)03:58
prometheanfirewooo03:59
stevemar_morgan: its back online now03:59
stevemar_bluemix issues03:59
morganwelcome back03:59
stevemar_they deployed a bunch of new stuff and the load balancer fell over04:00
morganwhat host you using?04:00
* morgan continues to be happy w/ Vexxhost04:00
stevemar_bluemix.net :P04:01
stevemar_morgan: the VM service is still beta, so bugs are expected04:01
*** timcline has joined #openstack-keystone04:07
*** mylu has joined #openstack-keystone04:10
*** dan_nguyen has joined #openstack-keystone04:10
morganstevemar_: that stevemar_ dude is shady, what happened to stevemar?04:10
morgan:P04:10
*** mylu has quit IRC04:10
*** agrebennikov__ has joined #openstack-keystone04:11
*** timcline has quit IRC04:11
*** mylu has joined #openstack-keystone04:13
*** topol_ has joined #openstack-keystone04:14
*** ChanServ sets mode: +v topol_04:14
*** dan_nguyen has quit IRC04:17
*** topol_ has quit IRC04:19
*** harlowja_at_home has joined #openstack-keystone04:19
*** spzala has quit IRC04:24
*** spzala has joined #openstack-keystone04:24
*** fawadkhaliq has quit IRC04:26
*** sdake has joined #openstack-keystone04:29
*** spzala has quit IRC04:29
*** markvoelker_ has quit IRC04:33
*** markvoelker has joined #openstack-keystone04:33
*** lhcheng has joined #openstack-keystone04:37
*** ChanServ sets mode: +v lhcheng04:37
*** markvoelker has quit IRC04:38
*** timcline has joined #openstack-keystone04:40
*** mylu has quit IRC04:41
*** lhcheng_ has joined #openstack-keystone04:44
*** mtreinish has quit IRC04:44
*** timcline has quit IRC04:44
*** mylu has joined #openstack-keystone04:46
*** lhcheng has quit IRC04:47
*** dflorea has quit IRC04:51
openstackgerritSteve Martinelli proposed openstack/keystone: create a new `advanced topics` section in the docs  https://review.openstack.org/29222704:52
openstackgerritSteve Martinelli proposed openstack/keystone: group federated identity docs together  https://review.openstack.org/29222804:52
stevemar_morgan: hmm let me see what's going on in my config settings04:53
*** GB21 has joined #openstack-keystone04:54
*** mylu has quit IRC04:57
openstackgerritSteve Martinelli proposed openstack/keystone: create a new `advanced topics` section in the docs  https://review.openstack.org/29222704:57
openstackgerritSteve Martinelli proposed openstack/keystone: group federated identity docs together  https://review.openstack.org/29222804:57
*** rcernin has joined #openstack-keystone04:57
*** fawadkhaliq has joined #openstack-keystone04:57
*** stevemar_ has quit IRC05:02
*** stevemar has joined #openstack-keystone05:02
*** ChanServ sets mode: +o stevemar05:03
stevemarmorgan: \o/05:03
stevemarmorgan: you can trust me again, not like evil stevemar_05:03
*** mylu has joined #openstack-keystone05:05
*** GB21 has quit IRC05:07
*** harlowja_at_home has quit IRC05:19
*** GB21 has joined #openstack-keystone05:20
*** tpeoples is now known as tpeoples_vacatio05:23
*** tpeoples_vacatio is now known as tpeoplesvacation05:24
*** spzala has joined #openstack-keystone05:25
*** jaosorior has joined #openstack-keystone05:25
*** markvoelker has joined #openstack-keystone05:29
*** spzala has quit IRC05:30
*** sdake_ has joined #openstack-keystone05:30
*** sdake_ has quit IRC05:31
*** sdake has quit IRC05:32
*** markvoelker has quit IRC05:37
*** timcline has joined #openstack-keystone05:41
*** mylu has quit IRC05:43
*** Nirupama has joined #openstack-keystone05:44
*** timcline has quit IRC05:45
*** mylu has joined #openstack-keystone05:48
*** mylu has quit IRC05:48
*** mtreinish has joined #openstack-keystone05:52
*** spandhe has quit IRC06:04
*** roxanaghe has quit IRC06:04
*** tqtran has joined #openstack-keystone06:06
stevemarsamueldmq: raildo morgan jamielennox rodrigods htruta not sure if you all are interested in putting a "lets get to v3 in the gate" topic for the cross-project sessions: https://etherpad.openstack.org/p/newton-cross-project-sessions06:06
*** spandhe has joined #openstack-keystone06:10
*** tqtran has quit IRC06:10
*** spandhe_ has joined #openstack-keystone06:16
*** spandhe has quit IRC06:17
*** spandhe_ is now known as spandhe06:17
*** spandhe_ has joined #openstack-keystone06:21
*** spandhe has quit IRC06:21
*** spandhe_ is now known as spandhe06:21
*** GB21 has quit IRC06:25
*** spzala has joined #openstack-keystone06:26
*** browne has joined #openstack-keystone06:27
jamielennoxstevemar: my concern is everyone just says - yep - because everyone wants it to happen06:31
*** spzala has quit IRC06:31
*** browne has quit IRC06:32
*** sdake has joined #openstack-keystone06:36
*** fawadkhaliq has quit IRC06:38
*** furface has quit IRC06:38
*** fawadkhaliq has joined #openstack-keystone06:38
*** browne has joined #openstack-keystone06:39
*** timcline has joined #openstack-keystone06:42
*** browne has quit IRC06:44
*** GB21 has joined #openstack-keystone06:44
*** browne has joined #openstack-keystone06:45
prometheanfireyesplease to v3, glance not supporting it is annoying (along with glance-scrubber not supporting https...)06:45
*** lhcheng_ has quit IRC06:46
*** timcline has quit IRC06:47
*** browne has quit IRC06:49
*** agrebennikov__ has quit IRC06:55
*** spandhe has quit IRC07:04
*** e0ne has joined #openstack-keystone07:07
*** browne has joined #openstack-keystone07:08
stevemarjamielennox: yeah, that's what i'm afraid of07:10
stevemarjamielennox:07:10
stevemarjamielennox: "ok, great, make it happen"07:10
*** browne has quit IRC07:13
*** jamielennox is now known as jamielennox|away07:17
*** markvoelker has joined #openstack-keystone07:19
*** pcaruana has joined #openstack-keystone07:25
*** markvoelker has quit IRC07:25
*** spzala has joined #openstack-keystone07:27
openstackgerritKalaswan Datta proposed openstack/keystone: Clear the project ID from user information  https://review.openstack.org/27770707:31
*** spzala has quit IRC07:32
*** e0ne has quit IRC07:35
*** e0ne has joined #openstack-keystone07:35
*** GB21 has quit IRC07:40
*** e0ne has quit IRC07:40
*** timcline has joined #openstack-keystone07:42
*** e0ne has joined #openstack-keystone07:45
*** jaosorior has quit IRC07:46
*** jaosorior has joined #openstack-keystone07:46
*** timcline has quit IRC07:47
*** e0ne has quit IRC07:54
*** tesseract has joined #openstack-keystone07:56
*** fawadkhaliq has quit IRC07:56
*** tesseract is now known as Guest9087707:56
*** e0ne has joined #openstack-keystone07:57
*** fhubik has joined #openstack-keystone07:58
*** jistr has joined #openstack-keystone08:07
*** e0ne has quit IRC08:10
*** zqfan has joined #openstack-keystone08:12
*** e0ne has joined #openstack-keystone08:13
*** fhubik has quit IRC08:16
*** e0ne has quit IRC08:16
*** e0ne has joined #openstack-keystone08:20
*** e0ne has quit IRC08:26
*** spzala has joined #openstack-keystone08:28
*** e0ne has joined #openstack-keystone08:29
*** GB21 has joined #openstack-keystone08:29
*** e0ne_ has joined #openstack-keystone08:31
*** e0ne has quit IRC08:32
*** e0ne_ has quit IRC08:33
*** spzala has quit IRC08:33
*** timcline has joined #openstack-keystone08:43
openstackgerritTim Kelsey proposed openstack/keystone: Bandit test results  https://review.openstack.org/29937308:44
*** timcline has quit IRC08:48
*** e0ne has joined #openstack-keystone08:48
*** ktychkova has quit IRC08:49
*** amit213 has quit IRC08:49
*** ktychkova has joined #openstack-keystone08:51
*** e0ne has quit IRC08:53
*** e0ne has joined #openstack-keystone08:58
*** EinstCrazy has joined #openstack-keystone09:06
*** EinstCra_ has quit IRC09:07
*** markvoelker has joined #openstack-keystone09:11
*** GB21 has quit IRC09:13
*** sdake has quit IRC09:13
*** markvoelker has quit IRC09:16
*** arunkant has quit IRC09:21
*** jaosorior has quit IRC09:21
*** arunkant has joined #openstack-keystone09:26
*** spzala has joined #openstack-keystone09:29
*** spzala has quit IRC09:35
*** e0ne has quit IRC09:36
*** timcline has joined #openstack-keystone09:44
*** mvk has joined #openstack-keystone09:46
*** e0ne has joined #openstack-keystone09:47
*** timcline has quit IRC09:48
*** daemontool has joined #openstack-keystone09:57
*** markvoelker has joined #openstack-keystone10:06
*** e0ne has quit IRC10:08
*** EinstCrazy has quit IRC10:11
*** markvoelker has quit IRC10:12
*** e0ne has joined #openstack-keystone10:12
*** bjornar has joined #openstack-keystone10:15
*** daemontool_ has joined #openstack-keystone10:24
*** daemontool has quit IRC10:27
*** GB21 has joined #openstack-keystone10:27
*** spzala has joined #openstack-keystone10:31
*** spzala has quit IRC10:36
*** fundcor has left #openstack-keystone10:41
*** GB21 has quit IRC10:41
*** GB21 has joined #openstack-keystone10:42
openstackgerritDina Belova proposed openstack/keystone: Add DB operations tracing  https://review.openstack.org/29453510:43
openstackgerritDina Belova proposed openstack/keystone: Integrate OSprofiler in Keystone  https://review.openstack.org/10336810:43
*** timcline has joined #openstack-keystone10:45
*** e0ne has quit IRC10:47
*** timcline has quit IRC10:50
*** tellesnobrega is now known as tellesnobrega_af10:50
*** e0ne has joined #openstack-keystone10:52
*** GB21 has quit IRC10:56
*** GB21 has joined #openstack-keystone10:56
*** trown|outtypewww is now known as trown10:59
*** markvoelker has joined #openstack-keystone11:02
*** e0ne has quit IRC11:04
*** markvoelker has quit IRC11:06
*** e0ne has joined #openstack-keystone11:08
*** rudolfvriend has joined #openstack-keystone11:09
*** rudolfvriend has quit IRC11:09
*** rudolfvriend_ has joined #openstack-keystone11:09
*** e0ne has quit IRC11:11
*** rudolfvriend_ has quit IRC11:22
*** rudolfvriend has joined #openstack-keystone11:23
*** GB21 has quit IRC11:29
*** GB21 has joined #openstack-keystone11:29
*** e0ne has joined #openstack-keystone11:33
*** spzala has joined #openstack-keystone11:33
*** daemontool_ is now known as daemontool11:37
*** spzala has quit IRC11:38
*** rk4n has joined #openstack-keystone11:38
*** GB21 has quit IRC11:45
*** GB21 has joined #openstack-keystone11:45
*** timcline has joined #openstack-keystone11:45
*** e0ne has quit IRC11:50
*** timcline has quit IRC11:50
*** e0ne has joined #openstack-keystone11:54
*** e0ne has quit IRC11:57
*** mvk_ has joined #openstack-keystone12:03
*** mvk has quit IRC12:07
*** ninag has joined #openstack-keystone12:08
*** e0ne has joined #openstack-keystone12:09
*** naresht has joined #openstack-keystone12:11
*** Nirupama has quit IRC12:13
*** mvk_ has quit IRC12:17
*** rderose has joined #openstack-keystone12:24
*** gordc has joined #openstack-keystone12:24
*** dave-mccowan has joined #openstack-keystone12:32
*** spzala has joined #openstack-keystone12:34
*** GB21 has quit IRC12:35
htrutastevemar: I am totally interested!12:37
*** GB21 has joined #openstack-keystone12:38
*** spzala has quit IRC12:39
*** henrynash has joined #openstack-keystone12:43
*** ChanServ sets mode: +v henrynash12:43
*** GB21 has quit IRC12:46
*** timcline has joined #openstack-keystone12:46
*** dims_ has quit IRC12:49
*** dims has joined #openstack-keystone12:49
*** mvk_ has joined #openstack-keystone12:50
*** timcline has quit IRC12:51
*** edmondsw has joined #openstack-keystone12:53
*** e0ne has quit IRC12:57
*** henrynash has quit IRC13:02
*** EinstCrazy has joined #openstack-keystone13:09
*** links has quit IRC13:12
*** e0ne has joined #openstack-keystone13:15
*** spzala has joined #openstack-keystone13:16
samueldmqstevemar: that'd be good13:19
samueldmqmorgan: we could also add something related to that conversation on services trusting services, resulting in a token only needing to be validated once for a workflow (eg create instance)13:20
*** topol_ has joined #openstack-keystone13:22
*** ChanServ sets mode: +v topol_13:22
*** pauloewerton has joined #openstack-keystone13:23
*** dansmith is now known as bizarroman13:25
*** bizarroman is now known as bizarrodan13:25
*** clenimar has joined #openstack-keystone13:27
*** dims_ has joined #openstack-keystone13:27
*** topol_ has quit IRC13:27
*** e0ne has quit IRC13:29
*** EinstCrazy has quit IRC13:30
*** richm has joined #openstack-keystone13:32
*** jistr has quit IRC13:32
*** openstackgerrit has quit IRC13:33
*** openstackgerrit has joined #openstack-keystone13:33
*** spzala has quit IRC13:36
*** spzala has joined #openstack-keystone13:36
*** jsavak has joined #openstack-keystone13:39
*** rodrigods has quit IRC13:39
*** rodrigods has joined #openstack-keystone13:39
*** markvoelker has joined #openstack-keystone13:47
*** timcline has joined #openstack-keystone13:47
*** EinstCrazy has joined #openstack-keystone13:50
*** e0ne has joined #openstack-keystone13:51
*** markvoelker has quit IRC13:51
*** timcline has quit IRC13:51
*** jaugustine has joined #openstack-keystone13:58
*** openstack has quit IRC13:58
*** openstack has joined #openstack-keystone13:58
*** dan_nguyen has quit IRC13:58
*** daemontool_ has joined #openstack-keystone13:59
*** daemontool has quit IRC13:59
*** daemontool_ is now known as daemontool14:01
stevemarsamueldmq: htruta sure, feel free to add it to the list of topics to see if it gets picked up, i'd be happy to back you both up14:04
*** pushkaru has joined #openstack-keystone14:06
*** sdake has joined #openstack-keystone14:06
htrutastevemar: what exactly do we want? to have a single v3 only gate or to make all gates run v3 only?14:07
*** e0ne has quit IRC14:07
htrutastevemar: we already have a v3 only gate in glance and neutron14:07
*** sigmavirus24_awa is now known as sigmavirus2414:08
stevemarhtruta: i guess we want to talk about how every time we make a change in devstack that tries to push the ball forward we end up breaking everything14:08
stevemarso, what do we envision are things to do, and why do we want to pull in other teams/projects?14:09
*** jsavak has quit IRC14:09
stevemarmaybe the discussion is over and there's no need for a session, just a matter of fixing things, i'm not sure14:09
*** jsavak has joined #openstack-keystone14:10
htrutastevemar: there isn't exactly a discussion... what we actually need is to gather every kind of problem on that14:11
htrutais the session the better place for it?14:11
morgansamueldmq: that is something we can mostly do once everything uses ksa14:18
morganWith config changes mostly.14:18
morganOr with minor changes to the other services to allow config for service to service14:18
*** tellesnobrega_af is now known as tellesnobrega14:18
stevemarmorgan: there's still a ton of gate jobs that are gonna be bust14:20
morganGetting to v3 is important independent of the trust thing. The trust thing is something I've been trying to address with as little code as possible.14:21
morganThat won't break as much. It should be almost doable in devstack once ksa is there14:22
stevemardolphm: lbragstad nonameentername any way we can get a spec for MFA up before the summit? :)14:22
*** henrynash has joined #openstack-keystone14:28
*** ChanServ sets mode: +v henrynash14:28
*** rderose_ has joined #openstack-keystone14:29
*** dan_nguyen has joined #openstack-keystone14:29
*** knikolla has joined #openstack-keystone14:31
lbragstadstevemar I thought there was one up?14:32
lbragstadstevemar https://review.openstack.org/#/c/272287/14:32
patchbotlbragstad: patch 272287 - keystone-specs - Add spec for multifactor authentication14:32
stevemarwhoaaaa14:33
*** slberger has joined #openstack-keystone14:33
stevemarwhy we we not reviewing it!?14:33
stevemar:)14:33
stevemarprobably cause i forgot about it14:33
*** lamt has joined #openstack-keystone14:36
*** phalmos has joined #openstack-keystone14:37
*** markvoelker has joined #openstack-keystone14:41
*** ametts has joined #openstack-keystone14:42
*** sigmavirus24 is now known as sigmavirus24_awa14:44
*** sigmavirus24_awa is now known as sigmavirus2414:45
*** jistr has joined #openstack-keystone14:46
*** markvoelker has quit IRC14:47
stevemarlbragstad: btw, i fixed up https://review.openstack.org/#/c/292227/3 according to your comments14:47
patchbotstevemar: patch 292227 - keystone - create a new `advanced topics` section in the docs14:47
*** timcline has joined #openstack-keystone14:48
*** bjornar has quit IRC14:49
*** henrynash has quit IRC14:49
*** spzala has quit IRC14:50
stevemarlbragstad: also for newton, if you're doing reviews: https://review.openstack.org/#/c/294816/ :)14:50
patchbotstevemar: patch 294816 - keystone - remove endpoint_policy from contrib14:50
*** timcline has quit IRC14:52
*** mylu has joined #openstack-keystone14:53
*** woodster_ has joined #openstack-keystone14:54
*** e0ne has joined #openstack-keystone14:57
*** GB21 has joined #openstack-keystone14:57
*** jsavak has quit IRC15:02
*** jsavak has joined #openstack-keystone15:03
*** EinstCrazy has quit IRC15:05
*** markvoelker has joined #openstack-keystone15:05
*** links has joined #openstack-keystone15:07
*** josecastroleon has quit IRC15:07
*** timcline has joined #openstack-keystone15:16
*** tellesnobrega is now known as tellesnobrega_af15:17
*** browne has joined #openstack-keystone15:20
*** mylu has quit IRC15:24
stevemarlow hanging fruit: https://bugs.launchpad.net/keystone/+bug/156496115:27
openstackLaunchpad bug 1564961 in OpenStack Identity (keystone) "provide a deprecation reason for "domain_id_immutable" config option" [Low,Triaged]15:27
*** naresht has quit IRC15:27
*** mylu has joined #openstack-keystone15:28
*** jsavak has quit IRC15:29
*** spzala has joined #openstack-keystone15:31
*** david_cu has joined #openstack-keystone15:31
*** e0ne has quit IRC15:31
edmondswstevemar, fyi, someone added a comment in https://review.openstack.org/#/c/282080/ asking if it could be backported to liberty.15:31
patchbotedmondsw: patch 282080 - keystone - Allow user list without specifying domain (MERGED)15:31
*** jsavak has joined #openstack-keystone15:33
*** mylu has quit IRC15:38
*** mylu has joined #openstack-keystone15:40
*** fawadkhaliq has joined #openstack-keystone15:42
stevemaredmondsw: i dont see why not15:42
*** GB21 has quit IRC15:43
stevemaredmondsw: hit that cherry pick button!15:43
*** bjornar has joined #openstack-keystone15:43
*** david_cu has quit IRC15:43
edmondswstevemar cool. I've never backported something before, so that could be an interesting exercise15:43
stevemarclick cherry-pick and type in "stable/liberty"15:44
*** Guest90877 has quit IRC15:44
*** roxanaghe has joined #openstack-keystone15:46
*** david_cu has joined #openstack-keystone15:50
*** links has quit IRC15:55
bknudsonclassic april fools commit -- https://review.openstack.org/#/c/97838/15:56
patchbotbknudson: patch 97838 - keystone - replace domains & projects with unicorns & ponies (ABANDONED)15:56
knikollahaha15:58
openstackgerritBrant Knudson proposed openstack/keystone: Define identity interface - easy cases  https://review.openstack.org/29195016:02
openstackgerritBrant Knudson proposed openstack/keystone: Opportunistic LDAP testing  https://review.openstack.org/30023716:02
*** rudolfvriend has quit IRC16:04
*** naresht has joined #openstack-keystone16:06
*** trown is now known as trown|lunch16:06
openstackgerritTom Cocozzello (tjcocozz) proposed openstack/keystone: Run federation tests under Python 3  https://review.openstack.org/29479716:07
*** roxanaghe has quit IRC16:08
*** lhcheng has joined #openstack-keystone16:09
*** ChanServ sets mode: +v lhcheng16:09
*** bjornar has quit IRC16:12
*** zzzeek has quit IRC16:13
*** zzzeek has joined #openstack-keystone16:14
*** mylu has quit IRC16:15
openstackgerritBrant Knudson proposed openstack/keystone: Define identity interface - easy cases  https://review.openstack.org/29195016:15
openstackgerritBrant Knudson proposed openstack/keystone: Opportunistic LDAP testing  https://review.openstack.org/30023716:15
*** roxanaghe has joined #openstack-keystone16:21
*** rderose_ has quit IRC16:23
openstackgerritBrant Knudson proposed openstack/keystone: Opportunistic LDAP testing  https://review.openstack.org/30023716:24
*** e0ne has joined #openstack-keystone16:24
*** e0ne has quit IRC16:29
*** roxanaghe has quit IRC16:29
*** e0ne has joined #openstack-keystone16:29
*** openstackgerrit has quit IRC16:31
*** rcernin has quit IRC16:32
*** jsavak has quit IRC16:35
morganstevemar: hehe16:36
morganedmondsw: oh hai16:36
*** jsavak has joined #openstack-keystone16:36
edmondswmorgan hi16:36
edmondsw?16:36
morganjust sayin hi16:36
morgancause why not16:36
edmondswit's a Friday :)16:36
edmondswwhy not16:36
morgan0936... almost beer oclock16:37
morganoh wait...16:37
morgan:P16:37
morganbut it's def friday and gorgeous out in Portland!16:37
edmondswalready past noon here...16:37
*** gyee has joined #openstack-keystone16:37
*** ChanServ sets mode: +v gyee16:37
morgandude. i got billed $0.05 this month by linode =/16:37
morgan:P16:37
*** henrynash has joined #openstack-keystone16:37
*** ChanServ sets mode: +v henrynash16:37
*** naresht has quit IRC16:37
edmondsw:)16:38
morganoh sigh... it's Aril 116:38
morganapril*16:38
*** e0ne has quit IRC16:39
morganthis means today is a useless day on the internets16:39
*** rk4n has quit IRC16:40
*** dflorea has joined #openstack-keystone16:40
*** pushkaru has quit IRC16:41
*** pushkaru has joined #openstack-keystone16:41
*** dflorea has quit IRC16:41
*** henrynash has quit IRC16:42
*** zqfan has quit IRC16:42
*** pcaruana has quit IRC16:44
*** openstackgerrit has joined #openstack-keystone16:45
*** david_cu has quit IRC16:47
*** dflorea has joined #openstack-keystone16:48
*** roxanaghe has joined #openstack-keystone16:50
*** david_cu has joined #openstack-keystone16:50
*** fawadkhaliq has quit IRC16:50
*** edmondsw has quit IRC16:50
*** dflorea has quit IRC16:50
*** fawadkhaliq has joined #openstack-keystone16:50
*** dflorea has joined #openstack-keystone16:51
*** lamt has quit IRC16:51
*** clenimar has quit IRC16:54
*** e0ne has joined #openstack-keystone16:55
*** jsavak has quit IRC16:55
*** jsavak has joined #openstack-keystone16:56
*** tqtran has joined #openstack-keystone16:57
*** jsavak has quit IRC17:01
*** fhubik has joined #openstack-keystone17:02
*** jsavak has joined #openstack-keystone17:02
*** trown|lunch is now known as trown17:09
stevemarha17:11
stevemartotally useless internet day17:11
*** e0ne has quit IRC17:15
*** fhubik has quit IRC17:16
*** rderose_ has joined #openstack-keystone17:24
samueldmqbknudson: ahha17:25
raildostevemar: like the Google Cardboard Plastic17:25
samueldmqdolphm: that was a good one :)17:25
samueldmqin preparation for hierarchical multiponency17:26
samueldmq:-)17:26
morgandid you see google mic drop?17:29
morganbefore they turned it off17:29
samueldmqmorgan: how did it work ?17:31
morgangoogle it17:31
samueldmqmorgan: I remember to see something in gmail, but haven't tried17:31
morganit'll describe it better17:31
morganthan i will17:31
samueldmqD:17:32
samueldmqactually I was affraid of googling17:32
samueldmqand reading another april fool's day joke :-)17:32
samueldmqanyways17:33
*** rderose_ has quit IRC17:40
*** dflorea has quit IRC17:44
*** fawadkhaliq has quit IRC17:52
*** fawadkhaliq has joined #openstack-keystone17:52
*** markvoelker has quit IRC17:52
*** markvoelker has joined #openstack-keystone17:56
*** jistr has quit IRC17:58
*** dflorea has joined #openstack-keystone17:59
*** dflorea has quit IRC18:02
*** harlowja has quit IRC18:02
*** jed56 has quit IRC18:03
*** dflorea has joined #openstack-keystone18:04
*** tellesnobrega_af is now known as tellesnobrega18:07
*** jsavak has quit IRC18:08
*** jsavak has joined #openstack-keystone18:08
*** gordc has quit IRC18:09
*** daemontool has quit IRC18:18
*** dflorea has quit IRC18:18
*** mvk_ has quit IRC18:19
*** dflorea has joined #openstack-keystone18:20
*** dflorea has quit IRC18:23
*** markvoelker has quit IRC18:31
*** edmondsw has joined #openstack-keystone18:32
*** dflorea has joined #openstack-keystone18:43
*** dflorea has joined #openstack-keystone18:43
*** gordc has joined #openstack-keystone18:47
*** bjornar has joined #openstack-keystone18:50
*** jaugustine has quit IRC18:52
*** david-lyle has quit IRC18:53
*** markvoelker has joined #openstack-keystone18:53
*** markvoelker has quit IRC18:53
*** markvoelker has joined #openstack-keystone18:54
*** markvoelker has quit IRC18:54
*** markvoelker has joined #openstack-keystone18:54
*** dflorea has quit IRC18:57
*** david-lyle has joined #openstack-keystone18:59
*** dflorea has joined #openstack-keystone19:01
*** timcline has quit IRC19:02
*** timcline has joined #openstack-keystone19:03
*** fawadkhaliq has quit IRC19:05
*** lhcheng has quit IRC19:06
*** fawadkhaliq has joined #openstack-keystone19:06
*** fawadkhaliq has quit IRC19:07
*** timcline has quit IRC19:07
*** ebalduf has joined #openstack-keystone19:11
*** jsavak has quit IRC19:11
*** jsavak has joined #openstack-keystone19:13
*** fawadkhaliq has joined #openstack-keystone19:13
*** rderose_ has joined #openstack-keystone19:18
*** rk4n has joined #openstack-keystone19:19
openstackgerritColleen Murphy proposed openstack/keystone: Add logging to cli if keystone.conf is not found  https://review.openstack.org/30013119:21
openstackgerritKristi Nikolla proposed openstack/keystone: WIP - ldap3 Identity Driver  https://review.openstack.org/29609019:22
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements  https://review.openstack.org/30062619:29
*** roxanaghe has quit IRC19:34
*** harlowja has joined #openstack-keystone19:37
openstackgerritKristi Nikolla proposed openstack/keystone: WIP - ldap3 Identity Driver  https://review.openstack.org/29609019:39
*** jsavak has quit IRC19:39
*** dflorea has quit IRC19:39
*** sudorandom has quit IRC19:39
*** dflorea has joined #openstack-keystone19:41
*** sudorandom has joined #openstack-keystone19:41
*** dflorea has quit IRC19:42
*** fawadkhaliq has quit IRC19:43
*** mvk_ has joined #openstack-keystone19:43
*** fawadkhaliq has joined #openstack-keystone19:44
*** fawadkhaliq has quit IRC19:45
*** fawadkhaliq has joined #openstack-keystone19:46
lbragstaddolphm thoughts on https://review.openstack.org/#/c/222042/419:46
patchbotlbragstad: patch 222042 - keystonemiddleware - Return default value for pkg_version if missing19:46
stevemarlbragstad: meh to that one19:49
*** dflorea_ has joined #openstack-keystone19:49
stevemari'm pretty sure jamielennox installed a broken package once19:49
stevemar(according to the bug report anyway)19:50
stevemarbut it's harmless19:50
lbragstadstevemar should we abandon and mark the bug as imcomplete?19:51
stevemarlbragstad: that or merge the fix, no one else is hitting the bug19:51
*** jsavak has joined #openstack-keystone19:54
lbragstadcrinkle thanks for the quick turnaround on https://review.openstack.org/#/c/300131/319:54
patchbotlbragstad: patch 300131 - keystone - Add logging to cli if keystone.conf is not found19:54
crinklelbragstad: thanks for the comments, looking now19:55
bjornarCan someone please push a quick fix to --keystone-user and --keystone-group to make get_user_group just return with int(argument) if argument is numeric?19:56
bjornar..this to allow passing uid/gid to it19:56
stevemarbjornar: not really sure what you're referring to? is this ansible/puppet related?19:57
*** ebalduf has quit IRC19:58
stevemarbjornar: i don't think the keystone code base has anything --keystone-user related... this sounds like a tool that is calling keystone19:58
stevemarohh... maybe the PKI setup command?19:59
stevemaror fernet setup?19:59
*** rk4n has quit IRC20:00
lbragstadbjornar what's the issue you're hitting?20:00
lbragstadstevemar yeah - that's exactly what we do for fernet_setup20:01
lbragstadhttps://github.com/openstack/keystone/blob/master/keystone/cmd/cli.py#L407-L42520:02
lbragstadbut we use that same logic in PKISetup20:02
lbragstadand SSLSetup20:02
stevemarlbragstad: sounds like he wants to use the uid of a user (or gid of a group), which is an int, instead of the user name / group name20:02
stevemar$ id -u <username> -- should print your uid20:03
*** timcline has joined #openstack-keystone20:03
bjornarstevemar, yeah, fernet setup/rotate20:03
stevemarbjornar: unfortunately it'll go into the newton release at this point :(20:04
*** fawadkhaliq has quit IRC20:04
bjornarsince a user is never an int, it can safely just if int then return int(arg)20:04
morganstevemar: well. it might be backportable to mitaka 1st maint release?20:04
*** dflorea_ has quit IRC20:04
bjornarits so simple, you should be able to merge it now ;)20:04
morganif it's a legit bug20:04
*** fawadkhaliq has joined #openstack-keystone20:05
stevemarmorgan: yeah, we can backport to the first maint release20:05
*** dflorea has joined #openstack-keystone20:05
morganbjornar: it can't go in mitaka release though, it's not a big enough bug (it's a behavior we've had for a while) - for RC blocking20:05
morganstevemar: yeah i think that sounds like a solid plan20:05
stevemarbjornar: unfortunately everything is frozen, we are only fixing security / release critical bugs at this point for mitaka20:05
morganhit it in master, plan it [if it's not crazypants icky] into the 1st maint release of mitaka20:05
*** rk4n has joined #openstack-keystone20:05
morganso it can land as soon as mitaka-final is cut20:05
lbragstadbjornar stevemar morgan this looks like it supports ints interpreted as uids https://github.com/openstack/keystone/blob/master/keystone/common/utils.py#L27420:06
bjornarmorgan, yeah, ok, fine, but would be nice if you could just push it to some branch or however you do it, so I dont need to go through this insane pull request cycle for 10 chars of code ;)20:06
morganlbragstad: yeah looks like it does.20:06
morganbjornar: well. uhm.. gerrit is the workflow ;)20:06
morganbjornar: we can handle the backport part once it's submitted20:06
morganor we can handle writing the code/bug smashing as long as the bug is clearly filed20:06
lbragstadand it doesn't look like any of the fernet cli stuff prevents the use of ints in that comment20:07
lbragstadcommand*20:07
stevemarbjornar: do you have a fix already? you can write a bug report and attach it20:07
lbragstadbjornar do you have a trace of this failing?20:07
bjornarit does, does not accept ints20:07
*** jsavak has quit IRC20:07
morganbjornar: so file us a bug, include repro steps/trace of the fail, if you have a fix, feel free to submit it20:07
morganbjornar: we can take it from there :)20:07
morganstevemar: also jclouds email, just making sure you saw it20:08
bjornaryeah, ok20:08
morganbjornar: def. ping us in the channel once the bug is filed20:08
*** timcline has quit IRC20:08
morganwith the number20:08
*** jsavak has joined #openstack-keystone20:08
*** roxanaghe has joined #openstack-keystone20:09
bjornar2016-04-01 20:09:16.799 9 ERROR keystone ValueError: Unknown user '1000' in --keystone-user20:09
*** rk4n has quit IRC20:10
bjornar#256420:11
*** pushkaru has quit IRC20:11
bjornarmorgan, PING20:12
morganlbragstad: ^ [mind helping to get this filed as a bug, i need to run for a few (sorry)]20:12
lbragstadmorgan sure20:13
lbragstadbjornar what command are you running?20:13
bjornarsays in #256420:13
lbragstadwhat is 2564?20:13
lbragstaddo you have a link?20:13
bjornarhttps://github.com/keystonejs/keystone/issues/256420:14
*** dflorea has quit IRC20:14
bjornarI have made this nice tshirt for Austin with the sql queries keystone runs to get a token issued with fernet.. hard to fit on the tshirt tho..20:14
bjornar;)20:14
morgankeystonejs?20:15
morganwhat is that?20:15
lbragstadbjornar I think you've got the wrong project - for OpenStack Keystone we file bugs against https://bugs.launchpad.net/keystone20:15
bjornaroh, heck.. hehe20:15
lbragstadalso - the source for the keystone project is in https://github.com/openstack/keystone20:15
lbragstadand http://git.openstack.org/cgit/openstack/keystone20:15
bjornarjust url completion, and did not notice, anyway.. there's the bug..20:15
bjornarhehe20:15
lbragstadbjornar I can't seem to reproduce with the command you have20:17
lbragstadbjornar here is what I get20:17
lbragstadbjornar http://cdn.pasteraw.com/hu80dcj1kmz2hf0l7jzsr242bxj4cf020:17
lbragstadwhich looks like it's picking up the uid as an integer20:17
*** sdake has quit IRC20:17
bjornarwhat is your --version ?20:18
lbragstadbecause I'm getting the expected output from those comments (operation not permitted)20:18
lbragstadbjornar I created on master20:18
lbragstadbjornar what version of keystone are you using?20:18
bjornarhmm.. I believe I am on stable/mitaka branch20:19
bjornaryeah, I am20:19
*** rderose_ has quit IRC20:20
lbragstadbjornar ok - let me try that20:21
*** pushkaru has joined #openstack-keystone20:21
lbragstadbjornar I get the same output from stable/mitaka as I do with master20:24
bjornarThis is odd20:24
lbragstadbjornar is there another user ID/group ID you can try with?20:25
*** roxanaghe has quit IRC20:26
lbragstadbjornar I get the expected output when I provide a group or user id that doesn't exist on my system - http://cdn.pasteraw.com/bywgqnkh6crud25cvksrcloc4ryiny520:26
bjornarsure.. but perhaps you have the user defined, I dont know, try 99999 9999920:26
bjornaryeah, exactly20:26
lbragstadbjornar yes - it's the ubuntu user/group on my system20:26
lbragstadwhich is why it works20:26
bjornarexactly, so it is for sure a bug20:27
lbragstadhow?20:27
bjornara uid does not need to have something defined in /etc/passwd to be used20:27
morganlbragstad: he's correct20:27
morganchown can set arbitrary uid20:27
morganthis is used in some cases.20:27
bjornarand in the container case, it is useful not having to generate a passwd file20:28
bjornarSo I mean the getuid/gid is simply if(/^%d$/ return int(arg)20:28
bjornarsince numeric usernames are not supported20:29
lbragstadhmm20:29
bjornarno hmm, yes20:29
*** cdcasey has joined #openstack-keystone20:29
*** cdcasey has left #openstack-keystone20:29
*** timcline has joined #openstack-keystone20:30
bjornar%d+ even20:30
bjornaror is_numeric or whatever way20:30
*** sdake has joined #openstack-keystone20:33
*** roxanaghe has joined #openstack-keystone20:35
lbragstadbjornar is the problem the fact that you can't specify some integer and have the command succeed?20:36
bjornaryeah20:36
bjornarbecause I do not have a user I can resolve to the number20:37
*** markvoelker has quit IRC20:37
lbragstadbjornar it appears we rely on pwd to do this checking for us20:38
lbragstadhttps://github.com/openstack/keystone/blob/master/keystone/common/utils.py#L31720:38
lbragstadbjornar are you proposing that we remove the logic in place of just returning whatever is supplied (in the integer case)?20:39
bjornarYes, or return null as name from get_unix_* .. but that might be dangerous20:39
morganlbragstad: i think he's saying if it's an int, it may not need to do the userlookup20:40
morganbut if it is a string it's worth looking up for the id20:40
morganbjornar: ^ ?20:40
bjornarso I would say dont even call the get_unix_* when input is numeric20:40
ayoungbjornar, want a better approach?20:40
lbragstadmorgan will that ever be dangerous?20:40
morganeh, you can do it with apache and the like20:40
ayounghttps://adam.younglogic.com/2014/05/keystone-federation-via-mod_lookup_identity/20:40
morgani'm going to go out on a limb and say not needed20:40
morganayoung: that isn't what he's asking for, he's asking for a container case where no posix user is needed.20:41
*** browne has quit IRC20:41
*** jsavak has quit IRC20:41
bjornarthis is easy, why complicate it20:41
bjornarif is_numeric(arg) return int(arg)20:41
bjornardone20:41
morganayoung: system users for running keystone (fernet posix permissions)20:41
*** jsavak has joined #openstack-keystone20:41
morgannot the keystone api users.20:41
morganerm s/not needed/ not insecure20:41
morganlbragstad: ^ bjornar cc20:42
*** raildo is now known as raildo-afk20:42
ayoungmorgan, non HTTPD?20:42
bjornarmorgan, yeah, was getting afraid there.20:42
morganayoung: doesn't matter if it's apache, uwsgi, whatever20:42
ayoungmorgan, where did all that crap come from?20:42
morganit's the system accounts that run the daemons.20:42
bjornarcome on guys.. have a basic understanding here20:42
bjornarhehe20:42
morganso what user is running apache or uwsgi20:43
ayoungJohn Dennis20:43
morganand needed access to the fernet key repo20:43
ayoungheh20:43
ayoungGAH... All that crap for PKI20:43
bjornarmorgan, asking me?20:43
ayoungI guess we use it for Fernet now?20:43
morganbjornar: no just was pointing out my statement20:44
ayoungand in the container case, they don't want a posix user?20:44
morganthat it shouldn't be a security concern to not do a user lookup against passwd for running a daemon if the uid specified is an int20:44
bjornaryeah, and to cut the crap and get to the basics, a username or groupname can _never_ be numeric, so if input is numeric, input _IS_ uid/gid.20:44
morganayoung: some containers don't have entries in passwd file20:44
*** mylu has joined #openstack-keystone20:45
morganayoung: because it's more work to update it every time you deploy a new one.20:45
morganso just like root20:45
ayoungmorgan, that does not mean getent passwd user does not return anything20:45
bjornaryeah20:45
morganayoung: right. it just fails in the python case20:45
*** browne has joined #openstack-keystone20:45
morgansince the user doesn't exist20:45
morgannormal getent may work20:45
morganpython isn't always normal20:45
morganayoung: or according to what bjornar is seeing20:46
morganit fails20:46
bjornargetent passwd 8888 || echo no20:46
bjornarno20:46
* morgan hasn't had a chance to test this yet today20:46
*** roxanaghe has quit IRC20:46
ayoungbjornar, I'm not 100% buying this20:46
ayoungwhy are you using numerics?20:46
bjornarayoung, thats because you are stupid20:46
ayoungbjornar, probably20:46
bjornaryou dont know unix20:46
ayoungNah, not at all20:46
ayoungIsn;'t that what happens when a guy starts singing soprano?20:47
bjornaranswer is: why would you care why I am using uids .. (and it is explained 10 times by me and morgan)20:47
bjornarmorgan, please just do it!20:47
bjornar(and I will give you a tshirt)20:48
bjornar;)20:48
ayoungbjornar, why are you using numerics?20:48
bjornarbecause I dont have a /etc/passwd or /etc/group entry20:48
bjornarnothing resolves to the uid I need20:48
bjornar(in the container)20:49
bjornaroutside container, it resolves to keystone20:49
ayoungbjornar, the container needs to be able to support the standard posix system call.20:49
bjornarno20:49
*** roxanaghe has joined #openstack-keystone20:49
bjornarit supports the system call..20:49
ayoungbjornar, yes20:49
bjornarplease, give me a break here someone!20:50
ayoungbjornar, the apps should not be looking in etc passwd or anything20:50
ayoungbjornar, nope20:50
ayoungyou called me stupid20:50
morganyah ayoung pwd.getpwuid(1111)20:50
ayoungnow you need to justify yourself20:50
morganKeyError: 'getpwuid(): uid not found: 1111'20:50
morgani'm staying out of the stupid convo20:50
ayoungmorgan, nsswitch is not properly configured20:50
*** dflorea has joined #openstack-keystone20:50
morganno20:50
stevemarthis is getting weird, i'm out, dinner won't cook itself20:50
morgan1111 is a known non-existent value20:50
morganerm20:50
morganuser20:51
morganpython errors explicitly20:51
morganand break20:51
morgans20:51
*** pauloewerton has quit IRC20:51
morganthe command-line tool exits 1 or reports the value20:51
morganso you can lookup or just pass if needed20:51
bjornarayoung, you have just proved over 100 lines that you truly are stupid, I will frame it and put it on the wall in austin20:51
ayoungbjornar, go for it20:51
morgananyway20:51
morganat a tech level, python throws an error and we don't catch it, shell you could just keep going.20:52
ayoungbjornar, meanwhile, I've kindof worked in this world for a while, so I do, actually, have a sense of what I am talking about20:52
bjornar/save log for_printing.txt20:52
* morgan backs off and lets the rest of the convo continue20:52
bjornarok, I will quit this crap, but its a small obvious case gone wrong. Just understand it, ok20:52
morganbjornar: can we refrain from calling names? adam is not stupid - i know this based on working with him a bit20:53
bjornarsecurity is not about usernames, its about uid's20:53
morganbjornar: your case is, i think, a reasonable request20:53
ayoungbjornar, BTW...I make things happen.  You explain to me why it makes sense for a container to OK an ID and not the string version of a name and I'll  approve.20:53
ayoungYou don't convince me, and it won't.20:53
bjornarmorgan, ok, I will find another word for incompetent20:53
lbragstadbjornar can you shed light on some specific about your containers?20:53
lbragstadspecifics*20:54
morganbjornar: adam is just making sure he knows what you're accomplishing so he isn't worried about carrying code that doesn't make sense. and it's just good practice to have a solid user story20:54
bjornarlbragstad, nothing special about them, they just dont have a /etc/passwd and /etc/group file containing the users.20:54
ayoungbjornar, feel free to insult me all you want.  Do not insult other people in this channel.20:54
morganbjornar: so lets phrase it like this: I have containers, and instead of running a CMS to populate all the password/group entries, i use a known uid for my daemons20:54
bjornarmorgan, can we just agree that it is totally safe and ok to do: if is_numeric(uid_or_gid) return int(uid_or_gid) ?20:54
*** dflorea has quit IRC20:55
bjornarmorgan, exactly what I do20:55
morganayoung: ^ and i think that is a fair statement.20:55
morganso it should be safe to use a uid that isn't in password to run a daemon, right?20:55
morganor is there a reason not to?20:55
ayoungbjornar, I know of exactly one case where it is necessary for the numeric IDs to match.  That is NFS.  In the case where a container does not have a NS to resolve to, I am pretty sure it is an error on the container side, but, hey, I am willing to admit when I am wrong.20:56
ayoungBut I don't see it yet.20:56
bjornarthen you need glasses20:56
ayoungbjornar, I have glasses20:57
ayoungI've had Lasik20:57
openstackgerritCristian Sava proposed openstack/keystone: Customize config file location when run as wsgi app.  https://review.openstack.org/28821620:57
ayoungand I still need glasses.20:57
ayoungBut I  also know how nsswitch is supposed to work, and if that lookup is not working correctly, I want to know why.20:57
ayoungAnd, I can understand if python has a bug20:57
morganayoung: in this case, nsswitch is correct20:58
morganayoung: there just is no user populated, but he knows he wants to run keystone with uid 1500020:58
morgansince container runs a single process and when the process exits the container exits20:59
morgan(docker style)20:59
ayoungmorgan, that is just black magic20:59
ayoungI understand that20:59
morganayoung: not really, you can run apache with a UID not in passwd20:59
morganand most other daemons20:59
morganyou cant if you use a string name20:59
morganthough20:59
bjornaryeah.. users dont exist in the kernel, uid's do20:59
morganthat needs to be in passwd file20:59
bjornarits like ip vs hostname20:59
*** roxanaghe has quit IRC20:59
bjornaryou should be able to specify both, right20:59
morganso i want to run with uid 10000 or user "keystone"20:59
bjornarping 10.0.0.1 .. not allowed.. must be a hostname21:00
morganto be clear, I'm not advocating either way, just clarifying the user-story so we can determine if this makes sense21:00
ayoungmorgan, I understand that you *can* but I am not 100 certain you *should*21:00
ayoungand that is what I am pondering21:00
bjornarayoung, I will seriously kill you in austin!21:00
ayoungyeah, it means that ps shows numbers instead of names21:01
ayoungbjornar, that is one.21:01
bjornarand this log should be for laughs from _everyone_21:01
ayoungbjornar, calm down.  I have been in this world for a long time, and I am justifiably paranoid21:01
morgani am ok with numbers in ps21:01
morganpersonally21:01
morganespecially in a container world. but i can see why it worries you21:02
ayoungbjornar, you will buy me a beer in Austin, assuming you are old enough to drink, and apologize for your behavior.21:02
morganso does SELinux contexts work well with uid only not in passwd?21:02
ayoungmorgan, ok...let me walk through this....21:02
* morgan hasn't played with that21:02
*** gordc has quit IRC21:02
morganor apparmor21:02
ayounglets say I do try to look up an id from an username...21:02
morganthat would be where i draw the line.21:03
lbragstadmorgan ayoung  what about this? http://cdn.pasteraw.com/j58vmoyzfjfbujby161s6tmeh0ruhr021:03
ayoungI make the python call, and, assuming that makes the right syscall...21:03
morganayoung: right21:03
ayounggetpwnam?21:03
morganlbragstad: that is a uid above the allowed amount for the kernel21:03
ayoungOr is that the old deprecated one...been long time since I looked at this21:04
morganuse less than short_int21:04
morganayoung: it's getpwnam21:04
morganfor strings21:04
morgangetent is the cli tool21:04
morganin python its pwd module21:04
morganpwd.getuid or something like that21:04
ayounggetpwnam("ayoung")                                                                                                                = 0x7f160f1d9e0021:04
ayoungltrace getent passwd ayoung21:04
morganyeah21:04
morgangetpwnam isn't used for ints though21:05
bjornarwth are you talking about!?21:05
ayoungand that should call into the nss modules21:05
ayoungfor me that is set21:05
bjornarseriously, are you lobotomized, ayoung?21:05
morganlbragstad: so if you use less than 65k it works21:05
openstackgerritKristi Nikolla proposed openstack/keystone: WIP - ldap3 Identity Driver  https://review.openstack.org/29609021:05
morganbjornar: ok21:05
ayoungpasswd:     files sss21:05
morganbjornar: i'm asking you one more time, please calm down and be polite and stop name calling21:05
ayoungso it is going to try in /etc/passwd, then fallback to nss.21:05
ayounger sssd21:05
morganbjornar: we are working through the security implications of uid vs username so the people who are merging code are comfortable. you don't need to stress about it21:06
bjornarfernet_* does is chown uid:gid .. and you refuse to accept I can input uid and gid..21:06
morganbjornar: remember we also need to consider auditability. we are not refusing21:06
morganbjornar: so let this convo go, this is normal for security/audit/etc focused people21:07
bjornarchown 4567890:567890 works fine in unix21:07
ayoungbjornar, that does not mean that Fernet is right.  THere is a reason it is not the default token format.  PArt of that is maturity21:07
morganbjornar: but i am serious, please stop calling names (stupid, incompetent, lobotomized), direct attacks like that are not welcome here.21:07
bjornarayoung, sorry man, you take the first prize21:07
openstackgerritColleen Murphy proposed openstack/keystone: Add logging to cli if keystone.conf is not found  https://review.openstack.org/30013121:07
ayoungbjornar, apology accepted, but you still owe me a beer.21:08
morganayoung: ok21:08
bjornarayoung, I wonder what your apology will consist of, must be big21:08
morganayoung: ok back to what we're talking21:09
ayoungheh21:09
bjornarthe container is running on the system, the system has the username/password, selinux security context is enforced by kernel, not container.. and so on and so on.21:09
morganyes, use NSS, and do the lookup- it calls passwd/nis/sssd and falls through to nothing21:09
*** roxanaghe has joined #openstack-keystone21:09
morganso there is no user. but the uid is still usable21:09
morganin most cases except if you ask "is this user in NSSdb"21:10
ayoungmorgan, so, in a container based world, a lot of apps will fail if getpwnam does not work right.  Which means that either you end up copying files into the container, or you need an nss module specifically for the container to talk to the base OS21:10
bjornarayoung, you could buy me a brewery for example. micro is ok.. they should have good ipa's21:10
morganayoung: i don't think NSS ever talks to the base os21:10
morganin general21:10
morganfor containers21:10
bjornarnope21:10
bjornarcant be done21:10
morganthat could be considered a breach of security context21:10
morganbjornar: it can be done, but it would be like NIS or SSSD21:11
morganbjornar: it's not done with files21:11
bjornarsure, but then not directlyu21:11
morganright21:11
ayoungmorgan, I think it depends on if they are using Kernel user namespaces.  I think that is the default now.  It would have to be a deliberate decision.21:11
bjornarand also, I dont want to expose my system user to the contaner.. so21:11
*** trown is now known as trown|outtypewww21:11
morganayoung: fair enough, but in almost any normal case you wouldn't fall through21:11
morganat least not in docker21:11
morgani haven't tried kubernetes21:11
ayoungmorgan, Kubernetes doesn't do anything that docker does in this case.21:12
bjornardoes not matter, a chown in a container is "containerized"21:12
morganbut i am sure docker, lxc, and lxd are the same by default21:12
morganbjornar: correct21:12
bjornarit is clone_newns mount... pivot_root21:12
bjornareverything is21:13
morganayoung: i don't see a huge security gap to use an id over a name - unless we care (and are opinionated) that keystone must be run by a posix user21:13
ayoungactually, I am not certain that it is using Kernel user namespaces...actually, I am pretty sure that it is not21:13
morgani don't think that is a needed requirement21:13
bjornarthe name becomes a id anyway21:13
bjornarso its no different21:13
bjornaryou dont chown with a name, with a int21:13
ayoungwhich means that uid 2112 in the container has the same privs as uid 2112 outside the container.21:14
bjornarthink dns21:14
morganayoung: openstack-puppet may require a username, but that is the CMS being opinionated21:14
bjornarits same mol21:14
morganayoung: only if the user can break out of the container21:14
bjornarayoung, if you know what dns is?21:14
morganayoung: which is as serious as a hypervisor breakout21:14
ayoungmorgan, I don't think we use puppet inside the container anyway.  The containers tend to be immutable for the most part, so you redeploy for an update...I guess you could use puppet to manage the container image outside, but that would be ugh21:15
bjornarbut then you are compromised anyway, and its not because you used a skipped the username -> uid step21:15
bjornarseriously21:15
morganayoung: you may use puppet to build the container you then store in the docker repo though21:15
bjornar..and its not like anyone can run fernet_rotate21:15
morganayoung: which case puppet would dictate the requirements21:15
ayoungmorgan, but, if you are in a container, and the continer is immutable...should you even do a key rotation without a container redeploy?21:15
*** david_cu has quit IRC21:16
morganayoung: not sure.21:16
bjornarayoung, you keep surprising me21:16
bjornarand thats amazing21:16
ayoungmorgan, I know when we were discussing redeploying policy, the answer was that an update should be a redeploy21:16
ayoungthat was from Kolla21:16
morganayoung: ok cool container is redeploy21:17
morganlets step back from that21:17
morgando you need the uid when making your new container?21:17
morganerm username21:17
morganthe argument is still roughly the same21:17
morganyou run "rotate" on the new base container21:17
morgandoes that rotate need a username? or is a uid sufficient21:18
bjornarkeep in mind, the username is never used for anything else than to resolve to a uid21:18
bjornarthink: ping 127.0.0.1 .. not allowed21:19
morganayoung: i think uid is sufficient. unless your tool uses username (aka puppet, or ansible) which are more opinionated than "posix permissions" are21:19
ayoungmorgan, so, if it is a redeploy, everything is done in a script called at deploy time, if not done in the container compose step.  I would think not.21:19
ayoungEverything should be done as the user running, in this case HTTPD21:19
bjornarhttpd?!21:19
bjornarwhat planet are you from?21:19
bjornarnothing is done as a USER! understand that, everything is done as a UID21:20
ayoungbjornar, this one.  http://www.westpoint.edu/SitePages/Home.aspx21:20
morganbjornar: chill.21:20
*** jsavak has quit IRC21:21
morganayoung: sure. but i'm pretty sure we don't want to enforce it in our code21:22
morganwe're uid agnostic21:22
*** slberger1 has joined #openstack-keystone21:22
*** dflorea has joined #openstack-keystone21:22
morganjust like running apache with uid 10000 (no user in the passwd file) works21:23
ayoungmorgan, right, but then there should be no need for that to bleed over into the container.21:23
*** slberger has quit IRC21:23
morganit may be not best practice, but do we enforce that? or does the "deploy script" do it21:23
ayoungIts a leaky abstraction, and I don;t like those21:23
morganand i don't mean keystone-manage21:23
morgani mean ansible/puppet/pick-your-poison21:23
lbragstadmorgan checking21:24
morgani fully expect those things to enforce that21:24
lbragstadmorgan https://github.com/openstack/openstack-ansible-os_keystone/blob/master/defaults/main.yml#L48-L4921:24
ayoungmorgan, I have to go.21:24
lbragstadmorgan that is OSA approach21:24
lbragstadmorgan not sure what the others do21:24
morganlbragstad: yep21:24
ayoungbjornar, let me make one thing clear.  We are all professionals here.  You've picked on the most mellow of people to insult, which is why you have gotten away with it. The rest of the core developers here are getting very antsy at your attitude.  I am willing to help,. but if you keep this up, it will be a kickban, and I do have perms in this room to enforce that.  Have I made myself clear?21:25
*** ayoung is now known as ayoung-afk21:25
morganlbragstad: i fully expect OSA, puppet to require that21:25
lbragstadmorgan and that's the variable that we use https://github.com/openstack/openstack-ansible-os_keystone/blob/master/tasks/keystone_post_install.yml#L20-L2121:25
bjornarayoung: I started insulting after ~50 lines of explaining the obvious with a spatula21:27
*** dflorea has quit IRC21:28
bknudsonhttps://www.openstack.org/legal/community-code-of-conduct/21:29
*** ayoung-afk is now known as ayoung21:30
*** ayoung is now known as ayoung_afk21:30
*** dflorea has joined #openstack-keystone21:31
bjornarOk, this got too far, sorry about some of the insults, but I hope you will think about this and do the (obvious) right thing here. In the meantime, I will step back.21:33
morganbjornar: thanks.21:36
*** bjornar has quit IRC21:36
morganlbragstad: yeah.21:36
morganlbragstad: yep so i think we can relax our side, but expect other tools to still require it21:37
*** bjornar has joined #openstack-keystone21:38
morgani'll go ahead and file a bug on this [unless you want to]21:38
lbragstadmorgan it's all yours21:38
morganit's really easy code (low hanging fruit)21:38
morganand we can get a new contributor familiar with this stuff in keystone (or someone can contribute for their workflow)21:39
morganwill file the bug when i'm done with the needing to plugin/get lunch/etc21:39
morgan:)21:39
*** lhcheng has joined #openstack-keystone21:41
*** ChanServ sets mode: +v lhcheng21:41
*** timcline has quit IRC21:41
*** daemontool has joined #openstack-keystone21:44
*** ayoung_afk is now known as ayoung21:49
*** pushkaru has quit IRC21:49
ayoungmorgan, aside from Key rotation and Policy are there any other cases where we need to modify files in a container post deploy?21:50
morganarguably not21:51
ayounglbragstad, ^^ same question?21:51
morganbut that is just a quick gut check response21:51
lbragstadayoung config changes?21:51
ayoungmorgan, ok...so, how painful is a redeploy?  Is doing a redeploy at key rotation time viable?21:51
morgannot really21:52
morganayoung: not painful at all21:52
ayounglbragstad, yeah, but the typical answer on config changes is that those should be immutable in the container and it should be a container redeploy.  For keys and policy, we don't have to restart the web container, for config changes we do21:52
morganayoung: but you may have different uids in the container than in the base os21:52
ayoungI'm tempted to say that we treat all of those as immutable21:52
morganayoung: so even if it's all immutable, maybe you just cat </etc/passwd> and use the id regardless of the base os passwd file21:53
morganif that makes sense?21:53
morganwhich case if rotate happens on /path/to/containerthing/etc/keystone/fernet you might need non-pwnam lookupable user21:53
morganselinux, apparmor, etc all should still work (uid/gid based)21:54
ayoungmorgan, so, our policy discussion leads me to think that all of this multi system sync really should not be managed by Keystone itself21:54
lbragstadalright - i'm out for the night21:54
lbragstado/21:54
morganlbragstad: cheers21:54
morganayoung: yep21:54
morganayoung: agreed there21:54
ayoungif we say that puppet or Ansible manages policy, I would be tempted to say the same is true for fernet keys21:54
ayoungand...then getting the uids right is the deployers responsibility21:55
ayoungnot something that should be called from keystone.21:55
morganthat is already pretty much the case21:55
ayoungor even callable21:55
morgankeystone-manage is a CLI/admin tool21:55
morganwhich is where this all lives21:55
morganit's administrative/might be used by ansible21:55
morganor puppet21:55
morganor directly21:55
ayoungmorgan, right, but not in the container21:55
knikollaayoung, morgan, need a bit of help with ldap if you have time.21:55
morgani classify that as independent of keystone itself21:55
ayoungknikolla, if it is fast21:56
morganknikolla: i need to step out for a bit (haven't had a chance to change/cleanup/lunch yet)21:56
knikollaayoung, it should be very fast.21:56
knikollait's mostly a dn question21:56
morganknikolla: then ask away21:56
morganayoung: in the container, out of the contianer, the case is mostly the same21:56
knikollai'm using the freeipa ldap sandbox for my testing21:56
ayoungmorgan, so, assume that the webserver runs as apache user in the container, whatever the uuid is, the perms on the key file, the policy file, etc should be group apache, and readable by the webserver....ignoring SELinux for now21:56
morganayoung: it's a utility cli tool, - regardless of where it is run.21:56
knikollaand DN of users looks like this. DN: uid=admin,cn=users,cn=accounts,dc=demo1,dc=freeipa,dc=org21:56
ayoungknikolla, OK21:57
morganayoung: anyway i'll file a bug on this - we can continue there.21:57
morganayoung: lets help knikolla21:57
morganknikolla: yes that is a DN ;)21:57
knikollawhen i try to create (for unit testing purposes)21:57
knikollait doesn't allow uid as part of the DN21:57
knikollaNone - attribute "uid" not allowed21:57
ayoungknikolla, ah.21:57
morganayoung: i defer to you. i know it but you'll describe it better21:57
ayoungknikolla, FreeIPA is opinionated21:58
morgani'm sure21:58
morgan:)21:58
ayoungyou can't create users from outside, unless it is in the compat tree...21:58
ayoungugh21:58
knikollaayoung, i see.21:58
ayoungknikolla, I don't have a good, quick answer for you, unfortunately21:58
ayoungyou could use the WebAPI to create a user, but that would be IPA specific21:59
knikollaayoung, no worries. that helped.21:59
ayoungknikolla, I think the compat tree makes sense for testing, though21:59
knikollaayoung, well, i got the read only functions to work, so i need to graduate to unit tests.21:59
ayoungknikolla, the idea is that the compat tree lets ldap tools create the stub of a user and then an admin would move them into the real tree later21:59
ayoungknikolla, I have to go get my son, but I'll get you a link this weekend22:00
ayoungknikolla, http://www.freeipa.org/page/Directory_Server22:00
ayoungSchema Compatibility: publishes alternate trees containing a computed different view on objects in the DS. For instance, as FreeIPA stores users using RFC 2307bis schema, it publishes alternate tree cn=users,cn=compat,dc=example,dc=com with users in a RFC 2307 schema. It is also used by the Trusts feature to allow Active Directory users to access legacy systems without a recent SSSD version.22:00
ayoungMaybe22:00
*** markvoelker_ has joined #openstack-keystone22:01
ayounggotta run22:01
*** slberger1 has left #openstack-keystone22:02
knikollaayoung, thanks!22:02
*** daemontool has quit IRC22:03
*** dflorea has quit IRC22:04
*** fawadkhaliq has quit IRC22:05
*** fawadkhaliq has joined #openstack-keystone22:05
*** dflorea has joined #openstack-keystone22:11
*** timcline has joined #openstack-keystone22:12
*** sigmavirus24 is now known as sigmavirus24_awa22:13
*** sdake_ has joined #openstack-keystone22:13
*** sdake has quit IRC22:13
*** dflorea has quit IRC22:13
*** edmondsw has quit IRC22:15
*** dflorea has joined #openstack-keystone22:15
*** ninag has quit IRC22:16
*** timcline has quit IRC22:17
*** sdake has joined #openstack-keystone22:19
*** sdake_ has quit IRC22:21
openstackgerritDolph Mathews proposed openstack/keystone: Supersede the "admin" role with "global_admin"  https://review.openstack.org/30068322:23
stevemarayoung: thank you for handling that with more than enough patience22:25
*** fungi has joined #openstack-keystone22:25
*** sheel has quit IRC22:27
*** browne has quit IRC22:28
*** ametts has quit IRC22:28
*** mylu has quit IRC22:32
*** mylu has joined #openstack-keystone22:33
*** markvoelker_ has quit IRC22:39
*** phalmos has quit IRC22:44
*** fawadkhaliq has quit IRC22:44
*** fawadkhaliq has joined #openstack-keystone22:45
openstackgerritKristi Nikolla proposed openstack/keystone: WIP - ldap3 Identity Driver  https://review.openstack.org/29609022:50
*** daemontool has joined #openstack-keystone22:51
knikollaso it takes 500 lines for a review to have the 'size' colored in red. interesting.22:51
*** knikolla has quit IRC22:53
*** mylu has quit IRC23:03
*** fawadkhaliq has quit IRC23:04
*** fawadkhaliq has joined #openstack-keystone23:04
*** blogan has quit IRC23:09
*** roxanaghe has quit IRC23:10
*** roxanaghe has joined #openstack-keystone23:10
*** dflorea has quit IRC23:11
*** dflorea has joined #openstack-keystone23:12
*** timcline has joined #openstack-keystone23:13
*** dflorea has quit IRC23:17
*** daemontool has quit IRC23:17
*** timcline has quit IRC23:17
*** daemontool has joined #openstack-keystone23:18
*** trown|outtypewww is now known as trown23:21
*** knikolla has joined #openstack-keystone23:22
bjornarmorgan, are there plans to support putting fernet keys in db?23:23
morganwe have discussed it before, it is unknown [possibly a summit topic] if we plan to.23:23
bjornarbecause key rotation would benefit from this when you have multiple machines running keystone23:24
bjornarone could still have a local cache on filesystem or memcache or mem23:24
bjornarbut transaction logic would help with key rotation23:24
bjornarI am thinking all workers could periodically try to rotate, only one would succeed, the rest would pick up the new key(s)23:25
bjornaratm, I think it's just a pain to set up the "infrastructure" around key rotation/distribution with synchronizing and ha and yeah23:26
bjornarSo my vote is for sure to place this logic in keystone, and have keystone itself rotate23:27
*** spzala has quit IRC23:35
*** spzala has joined #openstack-keystone23:35
*** harlowja has quit IRC23:36
*** dflorea has joined #openstack-keystone23:37
*** dflorea has quit IRC23:37
*** daemontool has quit IRC23:38
*** dflorea has joined #openstack-keystone23:38
*** spzala has quit IRC23:40
*** dflorea has quit IRC23:40
*** dflorea has joined #openstack-keystone23:52
*** dflorea has quit IRC23:53
*** dflorea has joined #openstack-keystone23:53

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!