Monday, 2016-04-04

*** timcline has joined #openstack-keystone00:13
*** timcline has quit IRC00:17
*** darrenc is now known as darrenc_afk00:26
*** sdake has joined #openstack-keystone00:31
*** sdake_ has quit IRC00:34
*** markvoelker has joined #openstack-keystone00:47
*** rk4n has joined #openstack-keystone00:50
*** darrenc_afk is now known as darrenc00:53
*** rk4n has quit IRC00:55
*** timcline has joined #openstack-keystone01:14
*** sdake_ has joined #openstack-keystone01:17
*** sdake has quit IRC01:18
*** timcline has quit IRC01:18
*** mylu has quit IRC01:21
*** naresht has quit IRC01:22
*** mylu has joined #openstack-keystone01:29
*** mylu has quit IRC01:30
*** mylu has joined #openstack-keystone01:32
*** zqfan has joined #openstack-keystone01:44
*** furface has quit IRC01:44
*** furface has joined #openstack-keystone01:45
*** bapalm has joined #openstack-keystone01:51
*** dan_nguyen has joined #openstack-keystone01:51
*** rk4n has joined #openstack-keystone01:52
*** sdake has joined #openstack-keystone01:53
*** sdake_ has quit IRC01:54
*** rk4n has quit IRC01:57
*** mylu has quit IRC02:02
*** mylu has joined #openstack-keystone02:03
*** sdake has quit IRC02:03
*** mylu has quit IRC02:05
*** sdake has joined #openstack-keystone02:06
*** mylu has joined #openstack-keystone02:06
*** timcline has joined #openstack-keystone02:15
*** timcline has quit IRC02:19
*** roxanaghe has joined #openstack-keystone02:27
*** roxanaghe has quit IRC02:31
*** links has joined #openstack-keystone02:46
*** dan_nguyen has quit IRC02:54
*** markvoelker has quit IRC03:14
*** timcline has joined #openstack-keystone03:15
*** timcline has quit IRC03:20
*** jamielennox is now known as jamielennox|away03:27
*** sdake_ has joined #openstack-keystone03:29
*** sdake has quit IRC03:32
*** jamielennox|away is now known as jamielennox03:37
*** dan_nguyen has joined #openstack-keystone03:37
*** dave-mcc_ has quit IRC03:49
*** furface has quit IRC03:52
*** rk4n has joined #openstack-keystone03:54
*** mylu has quit IRC03:56
<jamielennox> ayoung, dolphm, stevemar, bknudson: Updated the cross-project policy spec: https://review.openstack.org/#/c/245629/  03:57
<patchbot> jamielennox: patch 245629 - openstack-specs - A common policy scenario across all projects  03:57
*** rk4n has quit IRC03:59
*** mylu has joined #openstack-keystone04:05
*** roxanaghe has joined #openstack-keystone04:08
*** sdake_ is now known as sdake04:12
*** roxanaghe has quit IRC04:12
*** markvoelker has joined #openstack-keystone04:15
*** timcline has joined #openstack-keystone04:16
<stevemar> jamielennox: nice  04:17
<jamielennox> stevemar: it's a reasonably big change from the last revision - i mostly want to know they still make sense  04:18
*** timcline has quit IRC04:21
*** markvoelker has quit IRC04:21
*** Nirupama has joined #openstack-keystone04:23
*** mylu_ has joined #openstack-keystone04:25
*** mylu has quit IRC04:27
*** jasonsb has joined #openstack-keystone04:36
*** dan_nguyen has quit IRC04:39
<morgan> jamielennox: woot  04:47
*** furface has joined #openstack-keystone04:52
*** rk4n has joined #openstack-keystone04:57
*** xek has quit IRC04:59
*** xek has joined #openstack-keystone05:01
*** GB21 has joined #openstack-keystone05:01
*** rk4n has quit IRC05:01
*** jasonsb has quit IRC05:09
<openstackgerrit> Maho Koshiya proposed openstack/python-keystoneclient: Add return-request-id-to-caller function(v2_0)  https://review.openstack.org/267449  05:10
*** jasonsb has joined #openstack-keystone05:13
*** timcline has joined #openstack-keystone05:17
*** mylu_ has quit IRC05:19
<openstackgerrit> Jamie Lennox proposed openstack/keystonemiddleware: Handle cache invalidate outside cache object  https://review.openstack.org/268662  05:21
<openstackgerrit> Jamie Lennox proposed openstack/keystonemiddleware: Use oslo_config in auth_token middleware  https://review.openstack.org/268664  05:21
*** timcline has quit IRC05:22
*** jasonsb has quit IRC05:24
*** jasonsb has joined #openstack-keystone05:27
*** furface has quit IRC05:34
*** furface has joined #openstack-keystone05:38
<openstackgerrit> Maho Koshiya proposed openstack/python-keystoneclient: Add return-request-id-to-caller function(v3)  https://review.openstack.org/267456  05:40
<jamielennox> morgan: i know it must be late, but do you know anything about the memcachepool implementation in oslo.cache?  05:45
<morgan> uhmm...  05:45
<morgan> it's the same as we had in our code i think  05:45
<morgan> and just as bad  05:46
<jamielennox> morgan: so long as it's just as bad  05:46
<jamielennox> your name is co-author on the review  05:46
<morgan> yeah  05:46
<morgan> it was ok when we started  05:46
<morgan> it got worse as we went on  05:46
<jamielennox> does dogpile not have something of its own it could use  05:46
<morgan> somewhat  05:47
<morgan> dogpile is meant to be a lib that provides a framework  05:47
<morgan> so pool is something that most likely would be implemented in oslo.cache  05:48
<morgan> and never in dogpile  05:48
<jamielennox> ok  05:49
<jamielennox> i'm just looking to see if i can remove the implementation from keystonemiddleware  05:49
<morgan> yes  05:49
<morgan> if we use oslo.cache  05:50
<jamielennox> morgan: https://review.openstack.org/268664  05:50
* morgan nods  05:51
<jamielennox> it's not going to pass jenkins  05:51
<jamielennox> but still, at the moment i've got a check if you've configured oslo.cache then use that, otherwise use the existing code  05:51
<stevemar> gerrit is super slow right now  05:51
<morgan> stevemar: yeah it is  05:51
<morgan> backup time i think?  05:51
<jamielennox> but if the oslo.cache stuff is ok then i can figure out something better and like translate the options or something  05:51
<stevemar> jamielennox: you've written oslo.config everywhere instead of oslo.cache (in the commit msg)  05:52
<morgan> jamielennox: yeah  05:52
<jamielennox> bah - muscle memory  05:52
<stevemar> :)  05:52
<jamielennox> oslo.cache doesn't do the security_strategy stuff, so we might be stuck doing our own anyway  05:56
*** roxanaghe has joined #openstack-keystone  05:56
<morgan> jamielennox: we will need to do that ourselves  05:56
<morgan> we'll do that as a dogpile proxy  05:56
<morgan> rather than in the driver itself  05:56
<jamielennox> ok  05:57
<jamielennox> that makes sense  05:57
<morgan> commented  05:57
*** roxanaghe has quit IRC  06:01
<jamielennox> morgan: replied, but not major - is there a way i can configure oslo_cache without using the CONF  06:03
<morgan> don't think so really atm  06:03
<morgan> well.. maybe?  06:03
<morgan> the security strategy is the important bit to cover  06:03
<morgan> before we convert to using oslo.cache  06:03
<morgan> my other comments were either "is this needed?" or "future looking"  06:04
<jamielennox> so i don't know how the proxy works exactly but the concept there is easy and i've seen some stuff in testing that would apply  06:05
<morgan> it should be easy to add  06:05
<morgan> look at the local cache stuff in keystone  06:05
<morgan> that makes use of it  06:05
<jamielennox> the bit i'm looking at now is if the old memcache_servers options are set how do i pass the old option names to dogpile  06:05
<morgan> you can construct a dict of config values  06:06
<morgan> and then pass that to .configure i think  06:06
<morgan> *thinkg*  06:06
<morgan> i'll need to look at it again  06:06
<morgan> when it's not almost midnight  06:06
<morgan> and i have a flight in like 7 hrs :P  06:06
<morgan> i need to pack for  06:06
<jamielennox> morgan: yea, i wasn't meaning to grab you about it right now  06:06
<jamielennox> morgan: just looking through it and you answered the ping  06:06
* morgan nods.  06:06
<jamielennox> but no, from reading it's expecting an oslo_config object  06:07
<stevemar> morgan: where you off to? :O  06:12
<morgan> stevemar: SF  06:12
*** timcline has joined #openstack-keystone06:18
*** timcline has quit IRC06:23
*** daemontool has joined #openstack-keystone06:24
*** GB21 has quit IRC06:30
*** ankur has joined #openstack-keystone06:30
*** shoutm has joined #openstack-keystone06:37
*** shoutm_ has joined #openstack-keystone06:46
*** shoutm has quit IRC06:47
*** shoutm__ has joined #openstack-keystone06:47
*** sdake has quit IRC06:48
*** sdake has joined #openstack-keystone06:50
*** shoutm_ has quit IRC06:51
*** sdake_ has joined #openstack-keystone06:54
*** sdake has quit IRC06:56
<jamielennox> is there any reason someone would not want the use_advanced_pool set in auth_token middleware?  06:58
*** rk4n has joined #openstack-keystone06:59
*** sdake has joined #openstack-keystone06:59
*** sdake_ has quit IRC07:00
*** shoutm__ has quit IRC07:04
*** rk4n has quit IRC07:04
*** shoutm has joined #openstack-keystone07:06
*** shoutm has quit IRC07:11
*** prometheanfire has left #openstack-keystone07:13
-openstackstatus- NOTICE: Gerrit is going to be restarted due to bad performance  07:14
*** browne has quit IRC07:17
*** timcline has joined #openstack-keystone07:18
*** timcline has quit IRC07:23
*** GB21 has joined #openstack-keystone07:32
*** samueldmq has quit IRC07:37
*** samueldmq has joined #openstack-keystone07:37
*** charz has quit IRC07:37
*** agireud has quit IRC07:40
*** bigjools has quit IRC07:43
*** rcernin has joined #openstack-keystone07:43
*** agireud has joined #openstack-keystone07:43
*** charz has joined #openstack-keystone07:43
*** bigjools has joined #openstack-keystone07:43
*** bigjools has quit IRC07:43
*** bigjools has joined #openstack-keystone07:43
*** sdake has quit IRC07:53
*** fawadkhaliq has joined #openstack-keystone07:54
*** rk4n has joined #openstack-keystone07:56
*** jamielennox is now known as jamielennox|away08:01
*** rk4n has quit IRC08:01
*** e0ne has joined #openstack-keystone08:02
*** jed56 has joined #openstack-keystone08:06
<breton> jamielennox|away: does it work?  08:07
*** fawadkhaliq has quit IRC08:10
*** zqfan has quit IRC08:12
*** daemontool_ has joined #openstack-keystone08:13
*** jaosorior has joined #openstack-keystone08:14
*** daemontool has quit IRC08:17
*** jistr has joined #openstack-keystone08:19
*** rdo has joined #openstack-keystone08:19
*** timcline has joined #openstack-keystone08:19
*** timcline has quit IRC08:24
<openstackgerrit> Maho Koshiya proposed openstack/python-keystoneclient: Add return-request-id-to-caller function(v3/contrib)  https://review.openstack.org/268003  08:24
<openstackgerrit> Maho Koshiya proposed openstack/python-keystoneclient: Add release notes for return-request-id-to-caller  https://review.openstack.org/276644  08:32
*** mdavidson has quit IRC08:39
*** rk4n has joined #openstack-keystone08:57
*** jaosorior has quit IRC08:57
*** GB21 has quit IRC09:01
*** EinstCrazy has joined #openstack-keystone09:01
*** jaosorior has joined #openstack-keystone09:05
*** timcline has joined #openstack-keystone09:20
*** GB21 has joined #openstack-keystone09:20
*** timcline has quit IRC09:24
*** roxanaghe has joined #openstack-keystone09:32
*** henrynash has quit IRC09:35
*** mdavidson has joined #openstack-keystone09:35
*** roxanaghe has quit IRC09:36
*** links has quit IRC09:53
*** links has joined #openstack-keystone09:54
*** nisha has joined #openstack-keystone09:59
*** nisha_ has joined #openstack-keystone10:08
*** nisha has quit IRC10:12
*** jdennis has joined #openstack-keystone10:13
*** jdennis1 has quit IRC10:15
*** timcline has joined #openstack-keystone10:21
*** timcline has quit IRC10:26
*** sheel has joined #openstack-keystone10:27
*** openstackgerrit has quit IRC10:48
*** openstackgerrit has joined #openstack-keystone10:48
*** rodrigods has quit IRC10:50
*** rodrigods has joined #openstack-keystone10:50
*** tellesnobrega is now known as tellesnobrega_af10:56
*** nisha_ has quit IRC11:00
<openstackgerrit> Thomas Goirand proposed openstack/keystoneauth: fix OrderedDict mutated during iteration  https://review.openstack.org/301049  11:10
*** krotscheck_vaca is now known as krotscheck11:13
*** roxanaghe has joined #openstack-keystone11:20
*** timcline has joined #openstack-keystone11:22
*** roxanaghe has quit IRC11:25
*** timcline has quit IRC11:26
*** sdake has joined #openstack-keystone11:34
*** sdake_ has joined #openstack-keystone11:36
*** gordc has joined #openstack-keystone11:36
*** sdake has quit IRC11:38
*** GB21 has quit IRC11:46
*** henrynash has joined #openstack-keystone11:49
*** ChanServ sets mode: +v henrynash11:49
*** EinstCrazy has quit IRC11:50
*** henrynash has quit IRC11:52
*** tellesnobrega_af is now known as tellesnobrega11:54
*** mvk_ has joined #openstack-keystone11:57
*** raildo-afk is now known as raildo11:58
*** mvk has quit IRC12:00
*** mvk_ has quit IRC12:03
*** zqfan has joined #openstack-keystone12:13
*** ChanServ sets mode: +v samueldmq12:14
*** markvoelker has joined #openstack-keystone12:15
*** GB21 has joined #openstack-keystone12:15
*** tellesnobrega is now known as tellesnobrega_af12:17
*** timcline has joined #openstack-keystone12:22
*** edmondsw has joined #openstack-keystone12:24
*** timcline has quit IRC12:27
*** GB21 has quit IRC12:28
*** sdake_ has quit IRC12:30
*** josecastroleon has joined #openstack-keystone12:32
*** sdake has joined #openstack-keystone12:34
*** Kalaswan has joined #openstack-keystone12:38
*** mvk_ has joined #openstack-keystone12:39
<dstanek> good morning keystone  12:45
*** sheel has quit IRC  12:47
<breton> o/  12:47
<rodrigods> dstanek, o/  12:48
*** tellesnobrega_af is now known as tellesnobrega  12:48
<rodrigods> did you see https://github.com/openstack/keystone/tree/master/keystone_tempest_plugin ?  12:49
<samueldmq> dstanek: howdy  12:49
<dstanek> rodrigods: i didn't, but i'll take a look today  12:50
<rodrigods> dstanek, it is just the base, no tests yet... here is the change to add the tests job: https://review.openstack.org/#/c/298696/  12:51
<patchbot> rodrigods: patch 298696 - openstack-infra/project-config - Enable non-voting keystone tempest plugin tests  12:51
*** lamt has joined #openstack-keystone  12:52
<dstanek> rodrigods: nice, looking forward to catching up  12:54
*** tjcocozz has joined #openstack-keystone13:01
*** diazjf has joined #openstack-keystone13:02
*** diazjf has quit IRC13:02
*** dgonzalez has joined #openstack-keystone13:05
*** roxanaghe has joined #openstack-keystone13:08
*** jdennis1 has joined #openstack-keystone13:13
*** roxanaghe has quit IRC13:13
<lbragstad> dstanek o/  13:14
*** jaosorior has quit IRC13:14
*** jaosorior has joined #openstack-keystone13:14
*** jdennis has quit IRC13:16
*** jaosorior has quit IRC13:17
*** jaosorior has joined #openstack-keystone13:18
*** ankur has quit IRC13:21
*** links has quit IRC13:21
*** timcline has joined #openstack-keystone13:23
*** jsavak has joined #openstack-keystone13:28
*** timcline has quit IRC13:28
<morgan> dstanek: it is in fact morning!  13:28
*** bizarrodan is now known as dansmith  13:35
*** woodster_ has joined #openstack-keystone  13:36
<dstanek> morgan: i hope a good one  13:36
<amakarov> morgan, hi! Is the idea to introduce driver connectors still alive?  13:42
*** josecastroleon has quit IRC13:59
*** rk4n_ has joined #openstack-keystone14:03
*** Kalaswan has quit IRC14:04
*** woodburn has joined #openstack-keystone14:05
<raildo> stevemar: ping, we created the topic (number 26) about v3 on devstack: https://etherpad.openstack.org/p/newton-cross-project-sessions  14:05
*** rk4n__ has joined #openstack-keystone14:05
*** rk4n has quit IRC14:05
*** rk4n_ has quit IRC14:08
*** sigmavirus24_awa is now known as sigmavirus2414:09
*** knikolla has joined #openstack-keystone14:09
*** pushkaru has joined #openstack-keystone14:13
*** doug-fish has joined #openstack-keystone14:15
*** Nirupama has quit IRC14:15
*** pauloewerton has joined #openstack-keystone14:21
*** timcline has joined #openstack-keystone14:24
*** jasonsb has quit IRC14:25
*** jasonsb has joined #openstack-keystone14:26
*** edmondsw has quit IRC14:27
*** spzala has joined #openstack-keystone14:28
*** EinstCrazy has joined #openstack-keystone14:28
*** timcline has quit IRC14:29
*** slberger has joined #openstack-keystone14:29
*** phalmos has joined #openstack-keystone14:32
*** browne has joined #openstack-keystone14:48
*** rderose has joined #openstack-keystone14:48
*** timcline has joined #openstack-keystone14:49
*** timcline has quit IRC14:49
*** david_cu has joined #openstack-keystone14:50
*** timcline has joined #openstack-keystone14:50
*** edmondsw has joined #openstack-keystone15:02
*** diazjf has joined #openstack-keystone15:04
*** sigmavirus24 is now known as sigmavirus24_awa15:04
*** sigmavirus24_awa is now known as sigmavirus2415:04
*** jsavak has quit IRC15:04
*** mhickey has joined #openstack-keystone15:05
*** jsavak has joined #openstack-keystone15:08
*** EinstCrazy has quit IRC15:10
*** pushkaru has quit IRC15:16
<stevemar> raildo: ++  15:16
<stevemar> howdy mister dstanek  15:16
*** pushkaru has joined #openstack-keystone15:16
<rderose> bknudson: just saw your comment re: abstract base class.  If you are creating a custom driver, how is this line being used then:  15:22
<rderose> Driver = manager.create_legacy_driver(identity_interface.IdentityDriverV8)  15:22
<bknudson> rderose: that line isn't being used  15:22
<rderose> bknudson: not by us, but isn't it there for custom drivers?  15:23
<morgan> amakarov: hmm?  15:23
<morgan> dstanek: it was OK. Was on an airplane and back in California for the day.  15:23
<bknudson> rderose: oops, I was wrong, a custom driver might be using Driver.  15:23
<morgan> stevemar: pushed the py3.5 change for ksa zigo proposed.  15:24
<rderose> bknudson: shouldn't they be using the Driver and not the abstract base class  15:24
<morgan> Prob should be backported  15:24
<bknudson> rderose: Driver is deprecated. They shouldn't be using it  15:24
<bknudson> but they still can  15:24
<bknudson> we can remove it next release.  15:24
<rderose> bknudson: when I discussed with morgan, I thought he mentioned that client would not be using the abstract base class, only the Drivers  15:25
<bknudson> rderose: that's odd. We need to support developers implementing their own drivers using the abstract base class.  15:26
*** mylu has joined #openstack-keystone  15:26
<bknudson> they should be able to develop a driver without using the abstract base class (duck typing)  15:26
<morgan> bknudson: I think what you requested on that review was my initial recommendation  15:27
<stevemar> morgan: we can wait til someone hits it, possibly... it is only a fixture  15:27
*** nkinder has joined #openstack-keystone  15:27
<rderose> bknudson morgan: okay, so if not moving the Driver line, do we have any issues?  15:28
<morgan> stevemar: well it is relevant for tests passing for Debian etc. Since it's 3.5 specific  15:28
<morgan> stevemar: and a minor change. Backport for mitaka. Nothing else.  15:28
<morgan> And just in the next maintenance/release of mitaka ksa whenever it happens  15:28
<morgan> No release specifically for it. Def not back further.  15:29
<openstackgerrit> Merged openstack/keystoneauth: fix OrderedDict mutated during iteration  https://review.openstack.org/301049  15:29
<morgan> Trying to make zigo's life here easier ;)  15:29
<bknudson> rderose: yes, there needs to be IdentityDriverV8 in identity/core.py  15:29
*** tellesnobrega is now known as tellesnobrega_af  15:29
<stevemar> morgan: nod  15:29
<bknudson> for the same reason that there's a Driver in identity/core.py  15:30
<morgan> bknudson: +(  15:30
<morgan> ++ even.  15:30
<rderose> bknudson morgan: to move them out of the core, I'll keep them in both places for now and add a deprecation warning  15:31
<stevemar> morgan: https://review.openstack.org/#/c/301186/ (backport)  15:31
<patchbot> stevemar: patch 301186 - keystoneauth (stable/mitaka) - fix OrderedDict mutated during iteration  15:31
<stevemar> morgan: you should be able to approve now, we won't cut anything from there  15:31
<bknudson> rderose: ok  15:32
<rderose> bknudson morgan: remove in O?  15:32
<morgan> stevemar: will do in a sec.  15:32
<bknudson> rderose: I'm ok with saying it can be removed in O, although I think we usually go with +2  15:32
<rderose> bknudson: okay, cool  15:33
<rderose> bknudson: thx  15:33
<morgan> rderose bknudson for internal interfaces 1 cycle should be OK. But 2 is safer  15:33
<rderose> cool  15:33
*** jaugustine has joined #openstack-keystone15:34
*** jsavak has quit IRC15:35
*** jsavak has joined #openstack-keystone15:35
<openstackgerrit> Juan Antonio Osorio Robles proposed openstack/keystone: Use messaging notifications transport instead of default  https://review.openstack.org/301193  15:36
*** roxanaghe has joined #openstack-keystone15:37
<amakarov> morgan, the idea is to make the driver interface a special class that can be used as a proxy transforming python function calls to http requests on the client side, and as a router+controller+whatever on the server side  15:41
*** jistr has quit IRC  15:41
<morgan> amakarov: hmm. I don't remember this convo.  15:41
<morgan> That sounds interesting.  15:41
<amakarov> morgan, this way we can allow anybody to implement any backend without the need to merge it into the keystone codebase  15:42
<bknudson> drivers don't need to be in the keystone codebase already  15:43
<morgan> bknudson: ++  15:43
<morgan> amakarov: not sure of the win there. But open to the convo. In Austin?  15:43
*** nisha has joined #openstack-keystone  15:43
<amakarov> bknudson, yes, though we still need to restart the keystone to change the driver  15:43
<bknudson> for some reason it seems like anytime someone implements a driver or external auth they always stick it in keystone. I don't get it.  15:43
<dstanek> bknudson: ++  15:44
<dstanek> bknudson: we didn't when we made capstone  15:44
<bknudson> probably so we get blamed if there's a bug in it  15:44
<morgan> bknudson: probably  15:44
<morgan> dstanek: clearly you're slacking :P  15:44
<bknudson> amakarov: you are correct about having to restart keystone... not sure why restarting a keystone is that big of a deal.  15:45
<dstanek> morgan: :-)  15:45
<bknudson> capstone?  15:45
<dstanek> bknudson: yessir  15:45
<morgan> bknudson: I don't either. But people seem to care a lot about restarts.  15:45
*** gagehugo has joined #openstack-keystone  15:46
<amakarov> bknudson, that's the very argument people give me for why we need to store policies in keystone rather than in files :)  15:46
*** jaosorior has quit IRC  15:46
<morgan> amakarov: I also generally disagree with keystone being authoritative for policy files.  15:46
<dstanek> amakarov: i'm interested to see your proposal. not sure i understand the benefits  15:46
<amakarov> morgan, yes, HA is an issue  15:46
<bknudson> amakarov: keystone reloads policy files on every request so you don't need to restart for that.  15:46
<morgan> amakarov: in db that is.  15:47
*** jaosorior has joined #openstack-keystone  15:47
*** harlowja_at_home has joined #openstack-keystone  15:47
<morgan> Shoving everything in the db is not necessarily good design  15:47
<morgan> Using db as IPC leads to bad patterns.  15:47
*** jaosorior has quit IRC  15:48
*** lhcheng has joined #openstack-keystone  15:48
*** ChanServ sets mode: +v lhcheng  15:48
*** david-lyle_ has quit IRC  15:48
*** jaosorior has joined #openstack-keystone  15:48
<morgan> Unrelated: the Bart going to Oakland airport is nice. No bus needed.  15:48
*** david-lyle has joined #openstack-keystone  15:48
<amakarov> morgan, ++ I don't like extreme measures either, but horizon folks seem keen to have it as it simplifies policy management.  15:49
<amakarov> And there is yet another thing in my idea: we don't bother about client-server API match  15:49
<bknudson> horizon needs something better than policy files  15:49
<amakarov> as it's served automatically  15:49
<bknudson> policy files are one way to accomplish what they want but I doubt it's the best way  15:50
<amakarov> bknudson, right now they are ok if we let them store json  15:50
<bknudson> wouldn't they rather have an api that returns what the user can do?  15:50
<bknudson> amakarov: what about yaml?  15:51
* amakarov asks horizon guys  15:51
*** josecastroleon has joined #openstack-keystone  15:51
<amakarov> looks like not only horizon people want that but it will be like moving entire openstack to v3 now :)  15:53
<amakarov> bknudson, I think they'll be ok with yaml too  15:54
<david-lyle> bknudson: a list of what a user can do can be large, and we would have to store/cache it per user  15:55
<david-lyle> service catalog issue x N services  15:55
<amakarov> david-lyle, I think that's tbd  15:56
<david-lyle> that would be my primary concern  15:56
*** browne has quit IRC  15:56
<david-lyle> amakarov: what is?  15:56
<david-lyle> I'm just referring to the option to provide a list of all actions a user is authorized to do  15:57
<amakarov> david-lyle, the concept: either to get all the user rights or just ask for particular ones  15:57
<david-lyle> additionally, target information can affect the result  15:57
<amakarov> or limit them somehow  15:57
<amakarov> or filter :)  15:57
<bknudson> I don't want us to get tied into a specific implementation... we've already got proposals for changing to a different way to do policy  15:57
*** tellesnobrega_af is now known as tellesnobrega16:03
<openstackgerrit> Tom Cocozzello (tjcocozz) proposed openstack/keystone: Test list project hierarchy is correct for a large tree  https://review.openstack.org/277512  16:05
*** e0ne has quit IRC16:07
*** mhickey has quit IRC16:10
*** dan_nguyen has joined #openstack-keystone16:14
*** dflorea has joined #openstack-keystone16:17
*** josecastroleon has quit IRC16:23
*** mylu has quit IRC16:25
<stevemar> knikolla: navidp -- next keystoneauth release should be in 1 week: https://review.openstack.org/#/c/300965/  16:25
<patchbot> stevemar: patch 300965 - releases - release keystoneauth 2.5.0  16:25
<stevemar> maybe earlier if mitaka is finalized ...  16:25
<stevemar> but for now the release team is concentrating on actually releasing mitaka and not libraries for newton :)  16:26
*** rk4n__ has quit IRC16:26
*** mylu has joined #openstack-keystone16:27
*** josecastroleon has joined #openstack-keystone16:29
<knikolla> stevemar, i see. thanks!  16:31
*** dflorea has quit IRC16:38
<openstackgerrit> Boris Bobrov proposed openstack/keystone-specs: Assignments in Apache Fortress  https://review.openstack.org/254782  16:39
*** harlowja_at_home has quit IRC16:39
*** jsavak has quit IRC16:40
*** jsavak has joined #openstack-keystone16:41
<nisha> hey all :)  16:43
*** rcernin has quit IRC16:48
*** dflorea has joined #openstack-keystone16:49
*** dflorea has quit IRC16:55
*** tellesnobrega is now known as tellesnobrega_af16:56
*** mylu has quit IRC16:57
*** josecastroleon has quit IRC16:59
*** mylu has joined #openstack-keystone17:01
*** dflorea has joined #openstack-keystone17:02
*** jasonsb has quit IRC17:04
*** tqtran has joined #openstack-keystone17:06
*** mylu has quit IRC17:07
*** mylu has joined #openstack-keystone17:08
*** mylu has quit IRC17:10
*** josecastroleon has joined #openstack-keystone17:15
*** nisha has quit IRC17:18
*** nisha has joined #openstack-keystone17:18
*** trown is now known as trown|lunch17:20
*** zqfan has quit IRC17:22
*** jdennis1 has quit IRC17:23
<ayoung> It's still snowing. I am going out Cross Country Skiing.  17:24
<rderose> nice :)  17:24
*** sheel has joined #openstack-keystone  17:25
<ayoung> Hello New England. It is Spring....APRIL FOOLS!  17:25
<roxanaghe> knikolla, any other setup that I need for using the ldap3 driver with your patch https://review.openstack.org/#/c/296090/13?  17:29
<patchbot> roxanaghe: patch 296090 - keystone - WIP - ldap3 Identity Driver  17:29
<roxanaghe> knikolla, I did choose ldap_identity driver in keystone.conf  17:29
<roxanaghe> knikolla, but I'm getting No driver found, so I'm windering if I'm missing anything  17:30
<roxanaghe> *wondering  17:30
<stevemar> ayoung: we got rocked too  17:32
*** dflorea has quit IRC17:34
*** dflorea has joined #openstack-keystone17:39
*** mylu has joined #openstack-keystone17:40
*** mvk_ has quit IRC17:42
*** josecastroleon has quit IRC17:45
*** rderose has quit IRC17:47
*** rderose has joined #openstack-keystone17:49
*** dave-mccowan has joined #openstack-keystone17:50
<ayoung> roxanaghe,  No driver found  might be due to a couple of things  18:00
<ayoung> roxanaghe, it might be that the entry point is not registered  18:00
<ayoung> roxanaghe, or it might be due to the driver not being able to pull in a dependency  18:00
<roxanaghe> ayoung, so I did register it in setup.cfg  18:01
<ayoung> roxanaghe, try running python from the command line and importing the driver  18:01
<ayoung> if it is a dependency issue, you will get a complaint there  18:01
*** doug-fish has quit IRC18:03
*** doug-fish has joined #openstack-keystone18:03
*** doug-fish has quit IRC18:03
*** jsavak has quit IRC18:04
*** diazjf has quit IRC18:05
*** jsavak has joined #openstack-keystone18:05
<openstackgerrit> Ron De Rose proposed openstack/keystone: Remove backend interface and common code out of identity.core  https://review.openstack.org/296140  18:06
*** e0ne has joined #openstack-keystone18:06
<harlowja> ayoung morgan u guys got a sec, a question around project_metadata for some godaddy folks (we/godaddy carry a local patch to retain a project_metadata table) and it appears that said table used to be in keystone, but got removed and godaddy still uses it, and ..., <therefore local patch>  18:07
<harlowja> was wondering if u guys had any recommendations for where to store this kind of data  18:07
<harlowja> example of data stored:  18:07
<harlowja> metadata:  {  18:08
<harlowja>          owning_group: (i.e. cloud, for on_call)  18:08
<harlowja>          environment_type: (prod, dev)  18:08
<harlowja>          budget_code: ?? (for chargebacks)  18:08
<harlowja> }  18:08
<ayoung> harlowja, metadata?  18:08
<harlowja> ya, like things about a project  18:08
<ayoung> you mean the stuff that Nova reads when booting an instance, or the stuff that used to be in the v2 tokens?  18:08
<ayoung> harlowja, that's nova, not Keystone  18:09
<ayoung> budget_code?  18:09
<ayoung> I've never seen that  18:09
<harlowja> this was an example of some metadata :-P  18:09
<harlowja> *from what godaddy is say using it for  18:10
<harlowja> basically data stored on a project  18:10
*** jsavak has quit IRC  18:10
<harlowja> is there a recommended place to store such tenant specific info in keystone?  18:11
*** jsavak has joined #openstack-keystone  18:11
<harlowja> nova doesn't seem like the right place  18:11
<harlowja> basically at godaddy, that information is stored in a keystone table that is associated to the tenant/project (that information would be different depending on company...)  18:12
<harlowja> does that make sense so far ;)  18:14
<bknudson> why call it metadata and not just data?  18:14
<harlowja> sure, the table in the patch here is called project_metadata  18:15
<harlowja> but ya, just data  18:15
<harlowja> either/or  18:15
<harlowja> lol  18:15
<bknudson> the sql driver allows you to set whatever extra properties you want to on a project.  18:16
<harlowja> nice  18:16
<bknudson> http://git.openstack.org/cgit/openstack/keystone/tree/keystone/resource/V8_backends/sql.py#n254  18:17
<harlowja> extra = sql.Column(sql.JsonBlob())  18:17
<harlowja> nice  18:17
<harlowja> that might just do it  18:17
<bknudson> it's not nice, but deployers want it.  18:17
<harlowja> ya, not nice for some aspects/definition of nice  18:17
<harlowja> lol  18:17
*** mdorman has joined #openstack-keystone  18:17
<harlowja> that is staying (for now?)  18:18
*** spzala has quit IRC  18:18
<harlowja> forever...  18:19
<harlowja> lol  18:19
<bknudson> it's not even deprecated  18:19
*** spzala has joined #openstack-keystone  18:19
<harlowja> cool, (for some version of cool)  18:19
<harlowja> lol  18:19
*** daemontool_ has quit IRC18:20
*** wwriverrat has joined #openstack-keystone18:21
*** e0ne has quit IRC18:22
*** trown|lunch is now known as trown18:23
*** spzala has quit IRC18:24
*** klindgren has joined #openstack-keystone18:24
<openstackgerrit> Ron De Rose proposed openstack/keystone: Remove backend interface out of assignment.core  https://review.openstack.org/299635  18:25
<knikolla> roxanaghe, for now I've always imported it from command line, that's why there's a lot of stuff in __init__  18:27
*** timcline has quit IRC  18:27
*** timcline has joined #openstack-keystone  18:28
<knikolla> stuff which will eventually be coming from CONF instead of being hardcoded  18:28
*** timcline has quit IRC18:33
*** Ephur has joined #openstack-keystone18:34
*** mylu has quit IRC18:40
<roxanaghe> ayoung, knikolla it worked after I added the new driver entrypoint in my keystone's egg-info entry_points.txt  18:42
<roxanaghe> I was using an already setup devstack..  18:43
*** mylu has joined #openstack-keystone18:43
*** e0ne has joined #openstack-keystone18:43
*** henrynash has joined #openstack-keystone18:45
*** ChanServ sets mode: +v henrynash18:45
<ayoung> roxanaghe, cool, glad it was a simple solution.  How are things looking?  18:45
*** henrynash has quit IRC18:45
*** mylu has quit IRC18:46
*** spzala has joined #openstack-keystone18:50
*** timcline has joined #openstack-keystone18:51
roxanagheayoung, I'm still having doubts about which level of mocking we want, something that just mocks very specific ldap responses, or something more generic that can be used in the already existing tests.18:52
*** dflorea has quit IRC18:52
roxanagheayoung, so I'm just gonna start with something and see where it goes18:52
*** mylu has joined #openstack-keystone18:52
*** timcline_ has joined #openstack-keystone18:52
ayoungroxanaghe, yes, better to try *something* than suffer analysis paralysis18:52
*** timcline_ has quit IRC18:52
*** henrynash has joined #openstack-keystone18:53
*** ChanServ sets mode: +v henrynash18:53
*** timcline has quit IRC18:53
*** mylu has quit IRC18:53
*** timcline has joined #openstack-keystone18:53
*** mylu has joined #openstack-keystone18:53
*** henrynash has quit IRC18:54
*** mylu has quit IRC18:55
bknudsonroxanaghe: I think you should test the new driver with https://review.openstack.org/#/c/291950/ . expand on those where needed.18:55
patchbotbknudson: patch 291950 - keystone - Define identity interface - easy cases18:55
roxanagheayoung, I'm learning that rapidly :)18:55
*** dflorea has joined #openstack-keystone18:55
roxanaghebknudson, yeah, that's what I was thinking18:55
roxanaghebknudson, but do we want to have these tests: https://github.com/openstack/keystone/blob/master/keystone/tests/unit/test_backend_ldap.py running for the new driver as well?18:56
bknudsonroxanaghe: yes, that was the intention18:56
bknudsonroxanaghe: oh, you were asking about different tests18:56
bknudsonmy opinion is no18:56
bknudsonbut others might have their own opinions.18:57
bknudsonI'm against these level-crossing tests18:57
bknudsonthe tests take way too long to run because we run a bunch of tests 6 times.18:57
*** sigmavirus24 is now known as sigmavirus24_awa18:58
*** pushkaru has quit IRC18:58
bknudsonso if we're going to multiply that by another driver now they'll be running 8 times, I guess.18:58
bknudsonoops, 9 times.18:58
*** sigmavirus24_awa is now known as sigmavirus2418:58
bknudsonyou'll have to put a skip on probably 75% of them like they are already anyways18:59
roxanaghebknudson, level-crossing means tests that involve other drivers as well, right?18:59
*** diazjf has joined #openstack-keystone19:00
bknudsonroxanaghe: well, they do involve multiple drivers in our tests, but level-crossing means that they test multiple components in the stack (in this case manager and driver)19:00
*** pushkaru has joined #openstack-keystone19:00
roxanaghebknudson, I see19:00
bknudsonwe wind up having a bunch of tests that verify manager behavior, and tests that verify driver behavior, and we don't know which is which.19:01
*** rderose has quit IRC19:03
roxanaghebknudson, I agree - it's very hard to follow those tests in test_backend_ldap, so I agree with the approach you started by testing each driver independently19:03
*** mylu has joined #openstack-keystone19:03
roxanaghebknudson, so I'm gonna start using your patch and be able to run your tests for the new ldap driver and go from there19:06
roxanaghebknudson, thanks for the clarifications19:06
*** agrebennikov has joined #openstack-keystone19:06
bknudsonroxanaghe: great, thanks. There will be changes required to the tests, you'll probably have to override create_user to do ldap ops to create the user in the live case...19:06
bknudsonfor the fake case will probably set up a mock or something?19:07
bknudsonroxanaghe: live tests are in a follow-on https://review.openstack.org/#/c/300237/19:07
patchbotbknudson: patch 300237 - keystone - Opportunistic LDAP testing19:07
nishahey, I need to upgrade my tox version from 2.1.1 to at least 2.3.119:08
nishaI tried doing sudo apt-get update and upgrade19:09
nishaand ran tox command too19:09
*** gagehugo has quit IRC19:10
nishaBut I am unable to upgrade the tox version. I need it for running ./stack.sh as I am installing devstack19:10
nishaCan anyone please help me ?19:10
roxanaghebknudson, right, we'll use mocking for the fake case19:11
*** dflorea has quit IRC19:11
roxanaghebknudson, when are the live tests running, and against which ldap server?19:11
*** jaugustine has quit IRC19:11
bknudsonroxanaghe: they're not running in the gate. Someone needs to work on that (probably me)19:11
*** sdake_ has joined #openstack-keystone19:12
bknudsonto make it easier I made it run on my devstack install locally19:12
roxanaghebknudson, ok - so it's for when we'll have a gate using an ldap server installed19:12
bknudsony, in the py27 and py34 job19:13
bknudsonwe could have a ldap tempest gate any time.19:13
bknudsonnot sure why we don't have one already19:14
*** sdake has quit IRC19:15
roxanaghebknudson, agreed - I'd like to help fix that at one point19:15
ayoungroxanaghe, ++++19:16
*** dflorea has joined #openstack-keystone19:16
bknudsonroxanaghe: that would be great.19:16
bknudsonfor the new ldap driver we'll have to figure out how to change devstack to go directly to ldap to create users19:17
roxanaghebknudson, ahh yeah good point, since it's read-only now19:19
bknudsonshouldn't be hard if creating users is in a function, but you never know19:19
*** mdorman has left #openstack-keystone19:19
*** sigmavirus24 is now known as sigmavirus24_awa19:21
*** dflorea has quit IRC19:22
*** rk4n has joined #openstack-keystone19:22
*** dflorea has joined #openstack-keystone19:25
*** sheel has quit IRC19:27
*** arunkant has quit IRC19:28
*** mylu has quit IRC19:28
*** jdennis has joined #openstack-keystone19:29
*** rk4n has quit IRC19:29
openstackgerritRon De Rose proposed openstack/keystone: Remove backend interface and common code out of identity.core  https://review.openstack.org/29614019:30
*** mylu has joined #openstack-keystone19:34
*** dflorea has quit IRC19:37
*** dflorea has joined #openstack-keystone19:39
openstackgerritRon De Rose proposed openstack/keystone: Remove backend interface out of assignment.core  https://review.openstack.org/29963519:42
*** dflorea has quit IRC19:44
*** mylu has quit IRC19:44
*** rderose has joined #openstack-keystone19:46
*** mylu has joined #openstack-keystone19:48
*** arunkant has joined #openstack-keystone19:49
*** mylu has quit IRC19:49
*** tellesnobrega_af is now known as tellesnobrega19:54
openstackgerritTom Cocozzello (tjcocozz) proposed openstack/keystone: WIP Allow Python 3 testing for `test_fernet_provider`  https://review.openstack.org/29776819:55
*** jaosorior has quit IRC19:57
*** jsavak has quit IRC19:57
*** mylu has joined #openstack-keystone19:59
*** tqtran is now known as tqtran-afk20:00
*** nisha_ has joined #openstack-keystone20:00
*** rk4n has joined #openstack-keystone20:03
*** nisha has quit IRC20:04
*** nisha__ has joined #openstack-keystone20:05
*** nisha_ has quit IRC20:07
*** jsavak has joined #openstack-keystone20:10
*** e0ne has quit IRC20:11
*** nisha__ is now known as nisha20:13
*** sdake_ is now known as sdake20:14
*** nisha has quit IRC20:16
zigomorgan: Thanks! :)20:16
*** sigmavirus24_awa is now known as sigmavirus2420:17
*** maxabidi has joined #openstack-keystone20:17
zigomorgan: FYI, the fix idea was lamely copied from Corey Bryant from one of his patch in keystoneclient ... ;P20:18
samueldmqayoung: hi, re: patch 27926320:18
patchbotsamueldmq: https://review.openstack.org/#/c/279263/ - keystone - Extract enforcement logic to its own method20:18
samueldmqayoung: do you still think it's worth it to extract that from common/controller?20:18
zigoI hope we soon have a Py35 gate.20:18
*** rk4n has quit IRC20:19
*** rderose has quit IRC20:20
*** rk4n has joined #openstack-keystone20:23
ayoungsamueldmq, always have20:25
samueldmqayoung: tricky part is that it needs self (controller)20:26
*** edmondsw has quit IRC20:26
samueldmqayoung: so a bit hard to decouple (maybe it needs a bigger refactoring)20:26
ayoungsamueldmq, what does it need out of self...20:27
*** maxabidi has quit IRC20:28
samueldmqayoung: callback, for example20:28
ayoungsamueldmq, so there is token_data=self.token_provider_api.validate_token(20:28
ayoung                context['token_id']))20:28
ayoungyeah, callback needs to be there, but that is the odd one20:29
ayoungsamueldmq, ok the tricky one is  if (hasattr(self, 'get_member_from_driver') and20:30
ayoung                        self.get_member_from_driver is not None):20:30
ayoungthat is where it needs to fetch something from the database first20:30
samueldmqayoung: yeah, very hard .. maybe it should be extracted somewhere else20:30
samueldmqayoung: like when you call enforce, you pass everything needed in20:31
samueldmqayoung: and enforce only does the enforcement logic itself20:31
ayoungsamueldmq, want me to give it another hack, or are you on it?20:32
samueldmqayoung: go for it20:32
*** notmyname has joined #openstack-keystone20:32
ayoungOK....20:33
notmynamethe admin pipeline is supposed to not be on a public interface, right? what happens if it is?20:33
bretonnotmyname: for v2 or v3?20:34
notmynameeither, really20:34
bretonnotmyname: for v3 there is no difference at all20:34
*** sdake_ has joined #openstack-keystone20:34
*** sdake has quit IRC20:34
notmynameok20:34
bretonnotmyname: for v2... the result of some list operations might be different as far as i remember20:35
bretonlist of tenants iirc20:35
notmynameI mean, is it a bad idea as a general practice to have the admin pipeline listening on a publicly routable IP?20:36
*** tqtran-afk is now known as tqtran20:36
ayoungsamueldmq, off the top of your head, you know which unit tests I can run to test that?20:37
samueldmqayoung: test_v3_protection I think20:37
ayoungsamueldmq, looks like test_V3_auth is enough to show my typos20:38
agrebennikovhi folks, is there anybody who successfully implemented CLI clients working with federated keystone?20:40
notmynameanother question...20:41
notmynameis the s3 endpoint and the s3_token middleware still maintained going forward?20:42
*** mylu has quit IRC20:43
openstackgerritRon De Rose proposed openstack/keystone: Concrete role assignments for federated users  https://review.openstack.org/28494320:44
*** mylu has joined #openstack-keystone20:44
*** dflorea has joined #openstack-keystone20:45
ayoungagrebennikov, yep20:48
ayoungnotmyname, you want it to be?  I can assign the bugs to you.  :)20:48
agrebennikovayoung, is there any publicly available guide for it? I mean the part of obtaining the saml token from the external idp, if it is actually possible20:49
ayoungagrebennikov, ECP support is tricky but people got it to work.20:49
*** dflorea has quit IRC20:49
ayoungI think you need a special auth plugin.20:50
ayoungagrebennikov, you asked me about 24 hours too early20:50
ayoungI have to look in to that tonight anyway20:50
rodrigodsayoung, we have all kinds of plugins already20:50
rodrigodsnot sure if we have support in openstackclient20:50
ayoungrodrigods, yeah, and ECP doesn't need anything too wacky...I just forget.  jamielennox|away knows that stuff off the top of his head.  Let me see if I documented it in rippowam when we tried it20:51
rodrigodsi *think* we have ECP support there20:51
rodrigodsin OSC, i mean20:51
rodrigodsnot K2K, though (because it is a plugin inside another plugin)20:52
ayoungagrebennikov, try an rc file like this20:52
ayounghttp://paste.openstack.org/show/492928/20:52
ayoungrodrigods, yeah, post deploy it ends up in ~/.ossipee/deployments/ayoung.oslab/fed-accrc  for example20:52
rodrigodsnic20:52
rodrigodsnice20:52
ayoungrodrigods, I was supposed to try and get Keycloak working that way, but have not started on it yet....task for tonight20:53
notmynameayoung: since I hear lots of requests for "s3 support", and since ostensibly there's some openstack deployments that use keystone (;-)), then yeah. I was wondering if it was an out-of-sight/mind thing in keystone, or if it was going to be actively deprecated, or actively improved20:53
*** dflorea has joined #openstack-keystone20:53
rodrigodsayoung, ++20:54
ayoungnotmyname, it's still supported and required.  I had some question about whether we ever made ec2 work with V3 Keystone API20:54
ayoungand it does not look like it20:54
agrebennikovayoung, who in this case plays the role of idp?20:54
agrebennikovI mean is it another keystoner?20:54
ayoungs3 I have not looked at yesterday20:54
stevemarknikolla: poke20:54
ayoungagrebennikov, so our Proof of concept was using FreeIPA and Ipsilon20:54
timburkeayoung: i'll go with "no" for s3: https://github.com/openstack/keystonemiddleware/blob/4.4.0/keystonemiddleware/s3_token.py#L15220:54
agrebennikovayoung, kind of an external software, right?20:55
*** slberger has quit IRC20:55
stevemarknikolla: you going to the summit?20:55
notmynameayoung: yeah, it seems to be hard-coded to v2 endpoints20:55
ayoungtimburke, there you go jumping to conclusions again....20:55
ayoungstevemar, bknudson is there any reason why s3 and ec2 does not need to work with V3 in middleware?20:56
ayoungagrebennikov, yeah, a non-shibboleth SAML implementation20:56
stevemarayoung: probably cause no one has done it yet, no real reason i assume?20:56
stevemarayoung: the ec2 and s3 middleware is not exactly well maintained :(20:57
ayoungstevemar, so these guys should open bugs on that if they care?20:57
ayoungstevemar, yep20:57
agrebennikovayoung, what does it mean "non shibboleth"? from what I understand shibboleth is sitting on the side of SP20:57
ayoungagrebennikov, shib is 2 things20:57
knikollastevemar, yeah20:57
agrebennikovtogether with keystone20:57
ayoung1 it is a remote server kicking out SAML20:57
ayoung2 it is module that runs in apache that understands saml20:57
knikollalet me catch up on the convo20:57
*** mvk_ has joined #openstack-keystone20:57
ayoungat Red Hat we don't like SHib20:58
ayoungWe like pizza20:58
ayoungand we like mod_mellon20:58
agrebennikovayoung, ah, yeah, I see20:58
ayoungand we like well20:58
*** dflorea has quit IRC20:58
ayoungwe were liking Ipsilon, which was a nice, lite, python based SAML provider20:58
ayoungbut...well, it looks like we are being told that we need to like Keycloak these days.20:58
ayoungAnd, to be fair, Keycloak is a much more full featured App20:59
ayoungbut it means that my Proof of concept from last summer on Ipsilon is not going to be what we use20:59
ayoungwhich does not make me that happy20:59
agrebennikovayoung, but still, those additional parameters like OS_AUTH_TYPE=v3unscopedsaml and OS_IDENTITY_PRO*20:59
ayoungaH20:59
agrebennikovayoung, are they all who do the magic?20:59
ayoungok so the OS_AUTH_TYPE=v3unscopedsaml  is the auth plugin21:00
ayoungthat tells the client to use the saml plugin for initial authentication21:00
ayoungand the other one tells the client to use V3 version of the Keystone APIK21:00
ayoungAPI21:00
ayoungso you want both of those values for SAML Federation anyway21:00
agrebennikovayoung, and what it is supposed to be with shib?21:00
ayoungsame things21:01
agrebennikovis it what I create in keystone catalog?21:01
*** jsavak has quit IRC21:01
stevemarknikolla: no other questions from me, just wanted to make sure you were at the summit - wanted to show folks your OSC work (with sp-url)21:01
*** jsavak has joined #openstack-keystone21:01
*** dflorea has joined #openstack-keystone21:02
knikollastevemar, yeah i'll be there. sp-id*21:02
agrebennikovayoung, and then, in case I specify all those spells as well as os_username and os_password your idp just gives you the token?21:02
ayoungagrebennikov, yep. Assuming your IDP is set up for ECP.21:03
*** vgridnev has joined #openstack-keystone21:03
ayoungagrebennikov, I was not involved in any of the Shibboleth work, so I can't speak to those docs21:03
*** slberger has joined #openstack-keystone21:03
*** raildo is now known as raildo-afk21:03
knikollaagrebennikov, i have an ansible playbook for setting up k2k, if interested.21:03
*** rk4n has quit IRC21:04
agrebennikovknikolla, ah, thanks a lot, but on the one hand I'm not familiar with ansible at all, as well as my goal at this point is okta acting as idp21:04
agrebennikovso I'm mostly interested in SP side part21:05
agrebennikovas well as the clients21:05
agrebennikovbut in addition, how you guys deal with groups mapping?21:05
knikollaagrebennikov, i see. well in that case it won't help, as it just sets up apache/mod_shib on the sp side.21:05
knikollaand normal keystone as idp21:05
agrebennikovdo I really need to always create local groups on the SP keystone side?21:05
agrebennikovsince otherwise no way to create proper assignments21:06
knikollahmm... now that we have shadow users, what has changed?21:06
*** rk4n has joined #openstack-keystone21:06
*** daemontool has joined #openstack-keystone21:13
*** sdake_ has quit IRC21:14
*** dflorea has quit IRC21:16
*** trown is now known as trown|outtypewww21:16
*** dflorea has joined #openstack-keystone21:19
*** pauloewerton has quit IRC21:20
*** jdennis has quit IRC21:21
*** dflorea has quit IRC21:23
*** pushkaru has quit IRC21:24
agrebennikovknikolla, I don't think this is ideal way to go21:24
agrebennikovI just wanted to hear from you guys knikolla and ayoung how you deal with it21:24
*** jdennis has joined #openstack-keystone21:25
*** rderose has joined #openstack-keystone21:29
ayoungagrebennikov, I agree it is a PITA.  I lost that battle.21:30
agrebennikovayoung, PITA?))21:31
agrebennikovwhat is that21:31
ayoungPain in the Gluteus Maximus21:31
rodrigodslol21:32
stevemarbknudson: around still?21:32
agrebennikovayoung, lol)) gotcha.....21:32
bknudsonstevemar: I'm around. setting up a new pc21:32
bknudsonubuntu21:32
stevemarbknudson: get another tp?21:33
agrebennikovayoung, but still, if you guys have the semi-prod deployment21:33
bknudsonstevemar: yes21:33
stevemarhad questions about https://review.openstack.org/#/c/291817/1121:33
patchbotstevemar: patch 291817 - openstack-dev/devstack - Deploy keystone running in uwsgi proxy by apache21:33
bknudsonstevemar: what's the q?21:33
agrebennikovit should work somehow, not just "I made it work in my VM as a PoC"21:33
stevemarbknudson: y remove the 'setup_colorized_logging' bits?21:33
bknudsonstevemar: I haven't figured out how to do colorized logging with uwsgi + apache21:34
bknudsonwe never had colorized logging with mod_wsgi21:34
bknudsononly eventlet did it21:34
bknudsonand the uwsgi process had it21:34
stevemarokay, so leftover from the eventlet patch21:34
bknudsonbut now we've got logging config for both apache and uwsgi...21:34
bknudsonthere'll still be some work to figure out what we want from logging in this brave new world21:35
bknudsonapache is good at access logging, so we do that21:36
bknudsonthen we've got logging for the uwsgi processes21:36
bknudsonwhich is the keystone debug log21:36
stevemarbknudson: so now the only 2 options for keystone_deploy are mod_wsgi and uwsgi?21:36
bknudsonthen there's other logging for apache, like whether it started or not21:36
*** vgridnev has quit IRC21:36
bknudsonstevemar: right, there's only 2 deploys, mod_wsgi and uwsgi (proxy)21:36
bknudsonAt first I was going to have a new deploy option for wsgi proxy but this is taking long enough as it is.21:37
stevemarbknudson: right, that is what i was confused about21:37
*** jsavak has quit IRC21:37
stevemarbknudson: we are going to hijack the straight uwsgi deploy with uwsgi proxy?21:37
bknudsony, I don't think there's any advantage to the wsgi deploy21:38
stevemaragreed21:38
*** richm has joined #openstack-keystone21:38
stevemarokay cool21:38
bknudsonI was just going to get rid of it if the proxy deploy worked21:38
stevemaryeah, uwsgi itself is pointless21:38
*** jsavak has joined #openstack-keystone21:38
stevemarso now we have apache or apache with mod_proxy and uwsgi21:39
*** alex_xu has quit IRC21:39
stevemarwe should make the latter the default21:39
bknudsonI agree the default gate should be uwsgi_proxy and our non-voting job should be mod_proxy21:39
bknudsonoops, the non-voting job should be mod_wsgi21:40
bknudsonnot sure how to get there...21:40
*** dflorea has joined #openstack-keystone21:41
stevemarwe can figure out the details later i guess21:41
stevemarmay have to make our jobs non-voting or something for a hot minute21:42
bknudsonprobably add the  non-voting job to keystone and then make the default switch in devstack21:42
bknudsonthen we can remove our uwsgi non-voting job21:42
stevemaraye21:44
*** Raildo has joined #openstack-keystone21:44
*** daemontool has quit IRC21:45
bknudsonrain delay :(21:46
*** alex_xu has joined #openstack-keystone21:47
openstackgerritDolph Mathews proposed openstack/keystone: Introduce an identity_admin role to policy.json  https://review.openstack.org/27414321:48
stevemarbknudson: womp womp :(21:48
stevemarbknudson: play in a dome!21:49
stevemarno home opener until 11th21:49
bknudsonmaybe the weather will be better by then21:49
bknudsontwins are in baltimore you'd think they'd be safe21:50
stevemarThe Twins have lost seven straight season openers dating back to 2009 — the only MLB team to lose all seven openers during that stretch.21:50
bknudsonyou are like an encyclopedia21:50
stevemaror an espn artile21:51
stevemararticle*21:52
*** Raildo_ has joined #openstack-keystone21:53
*** sdake has joined #openstack-keystone21:54
*** Raildo has quit IRC21:57
*** Raildo_ is now known as raildo21:58
*** david_cu has quit IRC21:59
*** pushkaru has joined #openstack-keystone21:59
openstackgerritBoris Pavlovic proposed openstack/keystone: [do not merge] Testing Rally & Keysotne  https://review.openstack.org/30136721:59
*** lamt has quit IRC22:00
*** david-lyle_ has joined #openstack-keystone22:02
*** david-lyle has quit IRC22:03
*** david-lyle_ is now known as david-lyle22:03
*** pumarani__ has joined #openstack-keystone22:04
*** jsavak has quit IRC22:04
*** pushkaru has quit IRC22:07
*** rderose has quit IRC22:07
openstackgerritRodrigo Duarte proposed openstack/keystone: Remove comment from D202 rule  https://review.openstack.org/30137022:08
*** sigmavirus24 is now known as sigmavirus24_awa22:20
kfox1111know why neutron might be updating /var/lib/neutron/keystone-signing/revoked.pem multiple times a second?22:20
*** diazjf has quit IRC22:22
*** gordc has quit IRC22:29
*** knikolla has quit IRC22:30
*** timcline has quit IRC22:30
agrebennikovayoung, let me try to bug you once again - so I assume you guys should have federated keystone working in production, and you probably already resolved the groups. Could you help me to understand it?22:33
agrebennikovayoung, I don't believe you are creating local groups every single time when you are creating new tenant22:33
*** sdake has quit IRC22:36
*** markvoelker has quit IRC22:37
*** rk4n has quit IRC22:37
*** zqfan has joined #openstack-keystone22:38
*** spandhe has joined #openstack-keystone22:39
openstackgerritBoris Pavlovic proposed openstack/keystone: [do not merge] Testing Rally & Keysotne  https://review.openstack.org/30136722:39
*** pumarani__ has quit IRC22:40
*** david-lyle has quit IRC22:44
*** david-lyle has joined #openstack-keystone22:47
*** henrynash has joined #openstack-keystone22:50
*** ChanServ sets mode: +v henrynash22:50
*** dflorea has quit IRC22:51
*** slberger has left #openstack-keystone22:51
*** mylu has quit IRC22:58
*** alex_xu has quit IRC23:09
*** alex_xu has joined #openstack-keystone23:11
*** pushkaru has joined #openstack-keystone23:14
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements  https://review.openstack.org/30062623:17
*** chlong has joined #openstack-keystone23:18
openstackgerritBoris Pavlovic proposed openstack/keystone: [do not merge] Testing Rally & Keysotne  https://review.openstack.org/30136723:19
*** mylu has joined #openstack-keystone23:19
openstackgerritRodrigo Duarte proposed openstack/keystone: Migrate tempest tests into keystone tree  https://review.openstack.org/30139823:27
*** mylu has quit IRC23:31
*** mylu has joined #openstack-keystone23:31
*** markvoelker has joined #openstack-keystone23:37
ayoungagrebennikov, sorry, was in family mode.23:43
agrebennikovayoung, that's no problem))23:44
ayoungI can't say that I am running Federation in production23:44
ayoungI'm in an engineering shop23:44
agrebennikovayoung, selling something? ;)23:44
ayoungwe've had limited call for Federation. I'm doing some work with it now23:44
ayoungagrebennikov, I work For Red Hat, so, yeah, we sell a distribution, but most of our customers are using LDAP23:45
*** mylu has quit IRC23:45
agrebennikovayoung, are you aware about Any production deployment of federated keystone (except cern)?23:45
agrebennikov*of23:45
morganstevemar: back port for py3.5 pushed23:45
ayoungagrebennikov, I'm sure that it is in production.23:45
*** mylu has joined #openstack-keystone23:45
* morgan is now on bart to the south bay...23:45
agrebennikovayoung, even in CERN?? seriously?23:46
ayoungmorgan, um, BART goes to the south bay now?23:46
agrebennikovand unfortunately marek doesn't want to tell me more about it ;(23:46
ayoungagrebennikov, I am sure that it is in production, yes, even at CERN23:46
ayoungheh23:47
ayoungagrebennikov, so the create a group thing is annoying23:47
ayoungI wanted it to be passed through from the front end only23:47
*** mylu has quit IRC23:47
ayoungI'm not certain what other people are doing to make it scale.23:47
agrebennikovayoung, I was thinking about the entire assignment story in case of federation23:47
ayoungI think CERN does some part of auto-provisioning.  But that would require some other listener23:48
agrebennikovand seems all stuff works only "per-user"23:48
morganOK no it doesn't. But with traffic this to Fremont then uber is faster than Oakland to SFO to caltrain23:48
ayoungagrebennikov, even there there are some shortcomings23:48
agrebennikovayoung, since usually all manuals are saying "go create one local group and assign it to 1 tenant. voilà"23:48
ayoungas you don't actually have a user ID in the system before the federated user visits23:48
ayoungagrebennikov, so, how would you like it to work?23:49
*** mylu has joined #openstack-keystone23:49
agrebennikovayoung, I'd like to somehow be able to utilize remote groups (of course)23:49
agrebennikovlike I'm doing it with straight ldap23:49
agrebennikovI don't need to assign each user, when I can assign remote group to the tenant23:50
agrebennikovwanted to have something similar here23:50
agrebennikovayoung, but since they don't exist..... don't know23:50
ayoungagrebennikov, could you do a one time sync, or do you really need groups created on the fly?23:50
agrebennikovayoung, I have at least 3 customers at this moment who really want all federation to be implemented23:51
agrebennikovayoung, well23:51
agrebennikovhow I see it - every time you create a tenant you will need a new group23:51
*** pushkaru has quit IRC23:51
agrebennikovsince how otherwise you'll restrict anybody?23:51
ayoungagrebennikov, do you want the groups from Federation, or new groups managed by Keystone?23:52
morganayoung: the groups are managed by keystone anyway. Iirc.23:52
ayoungmorgan, "new" groups managed by Keystone23:52
morganSince you need to assign roles to the groups pre shadow users.23:53
morganOr map to an existing user.23:53
agrebennikovayoung, ideally, if I made cli working, I could do auto-sync of the remote groups (just get the list), and then create same ones locally23:53
morganagrebennikov I think is right, we need a group per permission set for the tenant/project.23:53
agrebennikovayoung, struggling with cli right now))23:54
agrebennikovmorgan, this reminds me the paradox of the egg and hen a little bit))23:54
agrebennikovI mean - the groups are remote.... I want to get them somehow, but for doing that I have to first create them locally23:55
*** mylu has quit IRC23:55
agrebennikovayoung, so per cli problem: export OS_IDENTITY_PROVIDER_URL=https://ipa.ayoung.oslab.test/idp/saml2/SSO/SOAP23:56
agrebennikovthis is the pure link to the remote idp, right23:56
agrebennikov?23:56
ayoungThat? No23:56
agrebennikovem23:56
ayoungah23:56
ayoungsorry, misread it23:56
agrebennikovexport OS_AUTH_URL=https://openstack.ayoung.oslab.test:5000/v323:57
agrebennikovthis is your keystone23:57
ayoungagrebennikov, so yea, that is for ECP23:57
ayoungand the link is the remote URL.  I think that with ECP you need to pre-auth somehow23:57
agrebennikovbut why do you need to specify that ^^ if ideally it should be worked out by keystone's apache23:57
ayoungagrebennikov, what is the Federated provider you need to talk to?  It might not support ECP23:57
*** mylu has joined #openstack-keystone23:58
agrebennikovayoung, they are - pingfederate and okta23:58
agrebennikovjust checked ping23:58
ayoungagrebennikov, damned if I know.  I keep talking hoping that someone that actually knows this jumps in and rescues me23:58
ayounghint stevemar hint23:58