Tuesday, 2016-04-19

*** dan_nguyen has joined #openstack-keystone		00:03
*** neophy has quit IRC		00:03
*** BjoernT has quit IRC		00:09
openstackgerrit	Merged openstack/keystone: Typo in sysctl command example Edit https://review.openstack.org/307008	00:12
*** dan_nguyen has left #openstack-keystone		00:14
*** dave-mccowan has joined #openstack-keystone		00:14
*** dan_nguyen has joined #openstack-keystone		00:14
*** mylu has joined #openstack-keystone		00:15
*** spzala has quit IRC		00:18
*** spzala has joined #openstack-keystone		00:19
*** spzala has quit IRC		00:24
*** daemontool has quit IRC		00:27
*** raildo is now known as raildo-afk		00:33
*** timonwong has joined #openstack-keystone		00:34
mfisch	morgan: fernet keys in the db?	00:35
mfisch	#whatyoutalkinboutwillis	00:35
morgan	mfisch: as an option to make fernet default	00:36
morgan	since db is shared.	00:36
morgan	i don't like it	00:36
morgan	but we have to consider it	00:36
mfisch	please no	00:36
mfisch	I'll reply to the ml	00:36
morgan	nah	00:36
morgan	come talk at the summit	00:36
morgan	we'll hash out the details of how we make fernet default in keystone	00:36
dstanek	morgan: i'm curious to hear why we'd go down that route	00:37
morgan	dstanek: its a question of how to have "sane"-ish defaults for fernet considering there is an operational overhead to create/sync	00:38
morgan	dstanek: and how does keystone respond when fernet keys don't exist on $host$	00:38
morgan	if it's the default token provider	00:38
morgan	and i think keystone server running fernet_setup and dumping keys on disk is a terribad idea	00:39
* morgan would be ok with fernet_setup being in the DB if it was protected somehow to prevent keystone server from writing		00:39
morgan	but could be synchronised via galera	00:40
dstanek	morgan: have the issues been captured in the etherpad for the session	00:40
morgan	but anywah	00:40
morgan	it's just one thing we can't say "absolutely not" unless we highlight it as an option to solve the problem	00:40
morgan	fwiw, i dislike keys in the db	00:40
morgan	in fact, i am certain as long as uuid and fernet are validated the same way (different is .decrypt() or .query() from DB for the payload) I am content to keep both and keep uuid as the default in keystone	00:41
morgan	but still one path of "validation"	00:41
* mfisch wants morgan to stop moving his cheese		00:43
*** tqtran has quit IRC		00:44
mfisch	will be a good convo at the summit in all seriousness	00:44
*** gyee has quit IRC		00:44
mfisch	okay im going to go play swbf	00:44
*** roxanagh_ has joined #openstack-keystone		00:45
*** roxanagh_ has quit IRC		00:49
*** itlinux has quit IRC		00:55
morgan	mfisch: i expect the answer is going to be very easonable	00:58
morgan	mfisch: also.. YOU NO CAN HAZ CHEESE	00:58
morgan	:P	00:58
morgan	stevemar: BREAK THE WORLD	01:07
morgan	stevemar: WATCH IT BURN!	01:07
morgan	stevemar: no more CLI	01:07
morgan	:O)	01:07
*** ayoung has joined #openstack-keystone		01:12
*** ChanServ sets mode: +v ayoung		01:12
ayoung	bknudson, https://review.openstack.org/#/c/306681/1 should I back off on always testing for UUID? Do we really plan on allowing non-uuid project IDs?	01:14
patchbot	ayoung: patch 306681 - keystone - Make all fixture project_ids into uuids	01:14
*** lhcheng has quit IRC		01:14
morgan	ayoung: i think with ldap assignment dead we can enforce uuids?	01:17
morgan	ayoung: or is there a v2 path to get non uuid in?	01:17
*** spzala has joined #openstack-keystone		01:19
ayoung	morgan, I hear rumors of Zombie LDAP	01:20
morgan	i am fairly certain v3 only allows uuid. but........	01:20
ayoung	morgan, he says that since we allow pluggable drivers, we could have a non uuid project id	01:20
morgan	we can say all ids should be uuid.	01:21
morgan	but we might have legacy to support	01:21
*** edmondsw has quit IRC		01:21
ayoung	morgan, I'm OK if that is the case, just don't want code reviews languishing due to uuid vs non... bknudson often makes many comments in a review, and sometimes I am not sure if they are ones he is holding firm on	01:21
morgan	i'd probably make it explicitly deprecated that we support non-uuid ids	01:21
morgan	for projects	01:21
ayoung	if legacy then no Fernet for you!@	01:21
*** EinstCrazy has joined #openstack-keystone		01:22
morgan	hm.	01:23
*** spzala has quit IRC		01:25
*** alejandrito has joined #openstack-keystone		01:26
*** mylu has quit IRC		01:29
*** csoukup has joined #openstack-keystone		01:29
ayoung	morgan, whadaya say? UUID only? I would say that if we don't do UUID only we are going to have to specify what are leval charaters for a project Id	01:31
ayoung	Damned either way	01:31
*** stingaci has quit IRC		01:32
*** stingaci has joined #openstack-keystone		01:32
*** spzala has joined #openstack-keystone		01:33
morgan	i think we can say non-uuid is deprecated. but ... ick	01:33
*** mylu has joined #openstack-keystone		01:33
morgan	i think we would need a legacy fernet formattr	01:33
morgan	that supports non-uuid project ids..	01:33
*** csoukup has quit IRC		01:33
morgan	because i'd like to move uuid to validate the same way as fernert	01:34
morgan	fernet*	01:34
*** stingaci has quit IRC		01:37
*** stingaci has joined #openstack-keystone		01:37
ayoung	No we don't	01:40
ayoung	non UUID would never have worked with Fernet	01:40
ayoung	morgan, Fernet is coded to only allow UUID based projects. THat is the problem I am trying to work out	01:40
ayoung	its why we can't go to Fernet defautl yet	01:40
ayoung	all of the unit tests do "FOO" and "BAR" type IDs	01:41
*** browne has quit IRC		01:41
ayoung	you mean a non UUID-project-ID uuid token provider	01:41
morgan	fernet formaters can be any data differences	01:42
ayoung	morgan, I'm Not even sure why lbragstad was looking at the project ID specifically.	01:42
ayoung	is it a length thing?	01:42
morgan	because fernet converts to 14bytes binary	01:42
morgan	erm	01:42
morgan	uuid	01:42
morgan	so it is a length issue	01:43
ayoung	Ahh	01:43
ayoung	it might be Fernet is looking at UUID.	01:43
morgan	yeah	01:43
ayoung	er Userid	01:43
ayoung	http://git.openstack.org/cgit/openstack/keystone/tree/keystone/token/providers/fernet/token_formatters.py#n342	01:43
ayoung	that ain't gonna fly	01:44
ayoung	Breaks LDAP	01:44
morgan	yah	01:44
morgan	so we would need another formatter :(	01:44
morgan	not too terrible	01:44
ayoung	no, I mean I wonder if Fernet works with actualy LDAP today>?	01:44
ayoung	It must...	01:45
ayoung	I think this is the line that was a problem http://git.openstack.org/cgit/openstack/keystone/tree/keystone/token/providers/fernet/token_formatters.py#n427	01:45
ayoung	morgan, did you see the SAML question on the user list?	01:49
morgan	ayoung: yeah i saw a post	01:49
ayoung	I edited my response.	01:49
morgan	i'd need to read more in depth	01:49
ayoung	It origianally had "Send me your credit card number" in it	01:49
ayoung	They Need ECP	01:50
morgan	yeah	01:50
ayoung	http://lists.openstack.org/pipermail/openstack-dev/2016-April/092576.html	01:50
morgan	ECP is important	01:50
ayoung	morgan, I had An idea that I think you will like.	01:51
ayoung	Its about X509	01:51
ayoung	You know how I was pushing Certmonger?	01:51
morgan	yah	01:51
ayoung	And Certmonger has a self signed, but that doesn't reallly help for multi node?	01:51
morgan	yah	01:51
ayoung	So..we can, I think. hack a script into Certmonger that essentially uses SSH to call to another Certmonger	01:52
ayoung	so, we treat the certmonger on the controller like a CA	01:52
ayoung	the getcert call is 2 parts	01:52
ayoung	1 is all the Database and CSR generation	01:52
ayoung	so compute certmonger still does that	01:52
morgan	i'll need gto think about that	01:52
ayoung	then, where certmonger would usually do a call to a provider like	01:52
ayoung	/usr/libexec/certmonger/local-submit	01:53
*** itlinux has joined #openstack-keystone		01:53
stevemar	morgan: i'm with mfisch on this one :)	01:53
ayoung	instead is would do, in essence ssh user@controller /usr/libexec/certmonger/local-submit	01:54
ayoung	there is a little more to it, it needs to hande some env vars	01:54
*** stingaci has quit IRC		01:54
ayoung	but it means that we could have a consistant interface for cert management, from "selfsigned" through huge real CA	01:54
ayoung	stevemar, what one?	01:55
morgan	no db fernet keys	01:55
ayoung	morgan, does the library care where the keys live?	01:59
morgan	haven't looked	01:59
ayoung	Ideally, keys get generated in a container and never leave the container	01:59
morgan	i don't think so.	01:59
ayoung	I'm sure they don't	01:59
morgan	anyway. it's a convo to be had at the sumit	01:59
ayoung	We have keys on disk	01:59
*** EinstCrazy has quit IRC		02:00
ayoung	Now we have them in a database, it just makes the surface different	02:00
ayoung	larger?	02:00
morgan	differnet reasons	02:00
ayoung	I don't lkike it	02:00
ayoung	like it	02:00
morgan	will discuss at the summit	02:00
ayoung	it means that the key is in something inhernatly remotable	02:00
morgan	it's about steps to make it the default in keystone	02:00
morgan	and i don;t see that as viable	02:00
*** edtubill has joined #openstack-keystone		02:00
morgan	due to ops overhead	02:01
ayoung	DB is not viable?	02:01
ayoung	or stored on disk is not viable?	02:01
morgan	no ferner as ddfault with keys on disk	02:01
ayoung	Tokens are stupid, can we just drop them?	02:01
stevemar	i think saying uuid is default, and fernet is not supported as a default (due to extra setup), is a perfectly fine statement	02:01
ayoung	I feel like I've wasted half a decade trying to polish this particular ....	02:01
morgan	fix the separation of service to service and user to service	02:02
morgan	then we can look at a path away from tokens	02:02
ayoung	stevemar, nah	02:02
morgan	but until we "fix" that we can't	02:02
*** EinstCrazy has joined #openstack-keystone		02:02
ayoung	uuid needs to die	02:02
ayoung	the database.	02:02
ayoung	ugh	02:02
ayoung	look, the Key DB is not that big a deal	02:02
ayoung	is one directory, one set of perms	02:03
morgan	and you make it the default and you break current deployments	02:03
ayoung	shouldn	02:03
ayoung	't	02:03
morgan	yes	02:03
ayoung	shouldn't break anything	02:03
morgan	if fernet keys don't exist	02:03
morgan	and they're using the default	02:03
morgan	which is uuid	02:03
morgan	keystone suddenlyndoesn't work anymore	02:03
ayoung	hmmm	02:03
ayoung	so maybe we go the "create on demand" route	02:04
ayoung	its probably fine	02:04
morgan	now you have an issue	02:04
morgan	i have a cluster of keystones	02:04
morgan	and the disks are disparate	02:04
ayoung	Keystone is acluster...	02:04
morgan	and now each keystone has a different group of keys generated on demand	02:04
*** itlinux has quit IRC		02:04
morgan	and again, broken	02:04
ayoung	I see where you ended up with Database	02:04
morgan	as a path	02:04
morgan	i figure we can disucss the detauls at the summit better than on irc	02:04
morgan	:)	02:04
*** itlinux has joined #openstack-keystone		02:05
lbragstad	yeah - this is going to be an interesting discussion	02:05
morgan	it's a transition from tokens that don't use keys to ones that do	02:05
morgan	it's challenging	02:05
ayoung	So long as no one proposes a custom mechanism for sharing symmetric keys	02:05
morgan	also, like i said moving to where user-> service and service->service is separate	02:05
morgan	we can move away from tokens as the long term pth	02:06
ayoung	3 years later and we finally have a call for Kite	02:06
morgan	path*	02:06
ayoung	https://en.wikipedia.org/wiki/Gumption_trap	02:07
morgan	ayoung: i have an alternative, but i think we can propose it bettr (and pick it apart) while at the summit	02:08
morgan	anyway...	02:08
*** woodster_ has quit IRC		02:08
morgan	it'll be a good convo for sure	02:08
*** stingaci has joined #openstack-keystone		02:09
ayoung	morgan, the more I see these things, the more I realize just how dependent we are going to be on Heat, Tripleo, and Puppet.	02:09
openstackgerrit	Ron De Rose proposed openstack/keystone: Fixes incorrect deprecation warning for IdentityDriverV8 https://review.openstack.org/305301	02:11
*** stingaci_ has joined #openstack-keystone		02:12
*** itlinux has quit IRC		02:12
*** itlinux has joined #openstack-keystone		02:13
*** stingaci has quit IRC		02:13
*** itlinux has quit IRC		02:15
ayoung	So rcrit is working on autoregistration of VMs in IPA. I think we are going to link that in to the conversation on VM-Identity/Service Users	02:15
*** rock has joined #openstack-keystone		02:19
*** ninag has quit IRC		02:19
*** phalmos has joined #openstack-keystone		02:20
morgan	\	02:24
*** dan_nguyen has quit IRC		02:30
*** phalmos has quit IRC		02:30
*** edtubill has quit IRC		02:33
*** rock has quit IRC		02:35
*** EinstCrazy has quit IRC		02:37
*** edtubill has joined #openstack-keystone		02:37
*** maxabidi has quit IRC		02:39
*** browne has joined #openstack-keystone		02:39
*** phalmos has joined #openstack-keystone		02:40
*** alejandrito has quit IRC		02:41
*** edtubill has quit IRC		02:42
openstackgerrit	Ron De Rose proposed openstack/keystone: Move the assignment abstract base class out of core https://review.openstack.org/299635	02:42
*** lhcheng has joined #openstack-keystone		02:44
*** ChanServ sets mode: +v lhcheng		02:44
*** lhcheng_ has joined #openstack-keystone		02:45
stevemar	morgan: we need to doc https://review.openstack.org/#/c/288216/10 a bit better	02:46
patchbot	stevemar: patch 288216 - keystone - Customize config file location when run as wsgi app.	02:46
openstackgerrit	Ron De Rose proposed openstack/keystone: Move the resource abstract base class out of core https://review.openstack.org/302826	02:46
morgan	sure	02:46
stevemar	morgan: sorry, that seemed random... i was going to +2 it, but thought that it needed better docs	02:48
morgan	i giot it	02:48
morgan	:)	02:48
*** lhcheng has quit IRC		02:49
stevemar	+2 anyway	02:50
stevemar	as it'll help with the gunicorn case	02:50
morgan	this will break btw.	02:50
morgan	and need rebasing	02:50
morgan	cause it conflicts with eventlet removal	02:51
*** EinstCrazy has joined #openstack-keystone		02:53
morgan	and i think i'd rather rebase tis on eventlet remova because your patch is ...	02:54
*** EinstCra_ has joined #openstack-keystone		02:54
*** EinstCrazy has quit IRC		02:54
*** dave-mccowan has quit IRC		03:00
*** spzala has quit IRC		03:00
*** spzala has joined #openstack-keystone		03:01
*** dan_nguyen has joined #openstack-keystone		03:04
*** spzala has quit IRC		03:05
*** mylu has quit IRC		03:06
*** stingaci_ has quit IRC		03:06
stevemar	morgan: oh i know, my patch is gating, so yeah, it'll need a rebase	03:09
stevemar	morgan: just putting my +2 on the record	03:09
*** rderose has quit IRC		03:16
*** tqtran has joined #openstack-keystone		03:17
*** phalmos has quit IRC		03:18
*** mylu has joined #openstack-keystone		03:22
*** TxGVNN has joined #openstack-keystone		03:23
openstackgerrit	Merged openstack/keystone: Fix confusing naming in ldap EnableEmuMixin. https://review.openstack.org/306838	03:24
*** roxanagh_ has joined #openstack-keystone		03:35
*** hugokuo has quit IRC		03:39
*** charz_ has quit IRC		03:39
*** links has joined #openstack-keystone		03:41
*** itlinux has joined #openstack-keystone		03:41
*** hugokuo has joined #openstack-keystone		03:41
*** charz has joined #openstack-keystone		03:42
*** ianw has quit IRC		03:43
*** itlinux has quit IRC		03:45
*** itlinux has joined #openstack-keystone		03:46
*** richm has quit IRC		03:56
openstackgerrit	Steve Martinelli proposed openstack/keystone: remove fallback to default domain id https://review.openstack.org/294822	04:01
stevemar	morgan: tossed up https://review.openstack.org/#/c/294822/	04:01
patchbot	stevemar: patch 294822 - keystone - remove fallback to default domain id	04:01
morgan	stevemar: looking	04:01
morgan	stevemar: fix commit message: removed-as-of-newton BP?	04:03
morgan	stevemar: but +2	04:03
stevemar	morgan: derp	04:04
openstackgerrit	Steve Martinelli proposed openstack/keystone: update deprecation warning for falling back to default domain https://review.openstack.org/294822	04:06
stevemar	there we go	04:06
*** ianw has joined #openstack-keystone		04:08
*** sheel has joined #openstack-keystone		04:09
*** ayoung has quit IRC		04:11
*** dan_nguyen has quit IRC		04:17
*** tqtran has quit IRC		04:20
morgan	+2	04:26
*** timonwong has quit IRC		04:27
*** ianw has quit IRC		04:27
*** pumarani- has quit IRC		04:31
*** pumaranikar has joined #openstack-keystone		04:32
*** ianw has joined #openstack-keystone		04:33
*** zqfan has joined #openstack-keystone		04:42
*** roxanagh_ has quit IRC		04:44
*** spzala has joined #openstack-keystone		05:01
*** mylu has quit IRC		05:02
*** Nirupama has joined #openstack-keystone		05:03
*** mylu has joined #openstack-keystone		05:05
*** spzala has quit IRC		05:06
*** rcernin has joined #openstack-keystone		05:10
*** chlong has quit IRC		05:16
*** timonwong has joined #openstack-keystone		05:25
*** mylu has quit IRC		05:30
stevemar	jamielennox: do you recall the magic combination of auth_uri/url and identity_uri that was needed in liberty? https://bugs.launchpad.net/nova/+bug/1550449/comments/2	05:45
openstack	Launchpad bug 1550449 in python-keystoneclient "Can not create instance - liberty - centos 7" [Undecided,New]	05:45
*** e0ne has joined #openstack-keystone		05:54
stevemar	morgan: we've got 3 bugs that are somewhat related: https://bugs.launchpad.net/oslo.policy/+bug/1547684 + https://bugs.launchpad.net/oslo.policy/+bug/1459884 + https://bugs.launchpad.net/keystone/+bug/1571875	05:56
openstack	Launchpad bug 1547684 in oslo.policy "Attribute error on Token object when using domain scoped token" [Undecided,New]	05:56
openstack	Launchpad bug 1459884 in oslo.policy "OR rules fail if clause throws and exception" [Undecided,Confirmed]	05:56
openstack	Launchpad bug 1571875 in OpenStack Identity (keystone) "Domain role hidden by project role" [Undecided,New]	05:56
*** furface has quit IRC		05:56
*** spzala has joined #openstack-keystone		06:02
*** e0ne has quit IRC		06:05
*** spzala has quit IRC		06:07
*** e0ne has joined #openstack-keystone		06:10
*** roxanagh_ has joined #openstack-keystone		06:24
*** roxanagh_ has quit IRC		06:29
*** furface has joined #openstack-keystone		06:29
*** e0ne has quit IRC		06:30
*** e0ne has joined #openstack-keystone		06:32
openstackgerrit	Merged openstack/keystone: Default caching to on for request-local caching. https://review.openstack.org/277198	06:33
*** furface has quit IRC		06:36
*** jaosorior has joined #openstack-keystone		06:37
*** lhcheng_ has quit IRC		06:41
*** dmellado_ is now known as dmellado		06:44
*** e0ne has quit IRC		06:47
*** fawadkhaliq has joined #openstack-keystone		06:49
openstackgerrit	Navid Pustchi proposed openstack/keystoneauth: Fixing D301 docstring. https://review.openstack.org/307587	06:49
openstackgerrit	OpenStack Proposal Bot proposed openstack/keystone: Imported Translations from Zanata https://review.openstack.org/307589	06:54
*** daemontool has joined #openstack-keystone		06:55
openstackgerrit	Ryosuke Mizuno proposed openstack/keystone: Add migration to make service type unique https://review.openstack.org/307593	06:56
openstackgerrit	Navid Pustchi proposed openstack/keystoneauth: Removing D211 in tox https://review.openstack.org/307597	07:02
*** spzala has joined #openstack-keystone		07:03
*** browne has quit IRC		07:08
*** spzala has quit IRC		07:08
*** jed56 has joined #openstack-keystone		07:12
*** fawadkhaliq has quit IRC		07:12
*** pcaruana has joined #openstack-keystone		07:16
openstackgerrit	OpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file https://review.openstack.org/307606	07:19
*** pcaruana has quit IRC		07:23
*** tesseract has joined #openstack-keystone		07:24
*** tesseract is now known as Guest22945		07:24
*** roxanagh_ has joined #openstack-keystone		07:26
*** jaosorior has quit IRC		07:27
openstackgerrit	Merged openstack/keystone: Remove eventlet support https://review.openstack.org/249486	07:29
*** roxanagh_ has quit IRC		07:31
openstackgerrit	OpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file https://review.openstack.org/307606	07:32
*** pnavarro has joined #openstack-keystone		07:41
*** mariusv has quit IRC		07:48
*** jaosorior has joined #openstack-keystone		07:55
*** spzala has joined #openstack-keystone		08:04
*** pumaranikar has quit IRC		08:07
*** spzala has quit IRC		08:09
openstackgerrit	Davanum Srinivas (dims) proposed openstack/keystone: [WIP] Testing latest u-c https://review.openstack.org/306848	08:10
*** henrynash has quit IRC		08:12
*** pumaranikar has joined #openstack-keystone		08:12
*** e0ne has joined #openstack-keystone		08:13
*** jistr has joined #openstack-keystone		08:16
*** mhickey has joined #openstack-keystone		08:22
openstackgerrit	Navid Pustchi proposed openstack/keystoneauth: Fixing D204, D205, D208, and D211 pep8 https://review.openstack.org/307597	08:36
*** sheel has quit IRC		08:55
*** spzala has joined #openstack-keystone		09:05
*** jaosorior has quit IRC		09:07
*** spzala has quit IRC		09:10
*** roxanagh_ has joined #openstack-keystone		09:13
*** roxanagh_ has quit IRC		09:18
*** henrynash has joined #openstack-keystone		09:18
*** ChanServ sets mode: +v henrynash		09:18
*** timonwong_ has joined #openstack-keystone		09:20
*** hogepodge has joined #openstack-keystone		09:23
*** timonwong has quit IRC		09:23
*** spzala has joined #openstack-keystone		10:07
*** spzala has quit IRC		10:11
*** EinstCrazy has joined #openstack-keystone		10:15
*** EinstCra_ has quit IRC		10:18
*** EinstCrazy has quit IRC		10:20
*** henrynash has quit IRC		10:25
*** pnavarro is now known as pnavarro\|mtg		10:28
*** markvoelker has joined #openstack-keystone		10:37
*** markvoelker has quit IRC		10:42
*** jaosorior has joined #openstack-keystone		10:42
*** timonwong_ has quit IRC		10:44
*** roxanagh_ has joined #openstack-keystone		11:01
*** roxanagh_ has quit IRC		11:06
*** real56 has joined #openstack-keystone		11:07
*** spzala has joined #openstack-keystone		11:08
*** spzala has quit IRC		11:13
*** doug-fish has joined #openstack-keystone		11:30
*** zqfan has quit IRC		11:32
*** aimeeU has joined #openstack-keystone		11:35
*** markvoelker has joined #openstack-keystone		11:38
*** pnavarro\|mtg is now known as pnavarro		11:38
*** markvoelker has quit IRC		11:42
*** gordc has joined #openstack-keystone		11:48
*** Guest22945 is now known as tesseract		11:54
*** tesseract is now known as Guest73397		11:54
*** rodrigods has quit IRC		11:54
*** rodrigods has joined #openstack-keystone		11:55
*** raildo-afk is now known as raildo		11:58
openstackgerrit	Samuel de Medeiros Queiroz proposed openstack/keystone: Remove support for generating ssl certs https://review.openstack.org/306795	11:58
openstackgerrit	Samuel de Medeiros Queiroz proposed openstack/keystone: Remove comments mentioning eventlet https://review.openstack.org/307409	11:59
*** spzala has joined #openstack-keystone		12:09
*** trown\|outtypewww is now known as trown		12:12
*** spzala has quit IRC		12:13
*** EinstCrazy has joined #openstack-keystone		12:13
*** henrynash has joined #openstack-keystone		12:14
*** ChanServ sets mode: +v henrynash		12:14
*** mtreinish has quit IRC		12:18
*** markvoelker has joined #openstack-keystone		12:19
*** spzala has joined #openstack-keystone		12:19
*** mtreinish has joined #openstack-keystone		12:21
openstackgerrit	OpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements https://review.openstack.org/305187	12:24
openstackgerrit	OpenStack Proposal Bot proposed openstack/keystoneauth: Updated from global requirements https://review.openstack.org/307753	12:24
openstackgerrit	OpenStack Proposal Bot proposed openstack/keystonemiddleware: Updated from global requirements https://review.openstack.org/307754	12:24
*** henrynash has quit IRC		12:28
openstackgerrit	OpenStack Proposal Bot proposed openstack/python-keystoneclient: Updated from global requirements https://review.openstack.org/307771	12:28
openstackgerrit	OpenStack Proposal Bot proposed openstack/python-keystoneclient-kerberos: Updated from global requirements https://review.openstack.org/307772	12:28
*** henrynash has joined #openstack-keystone		12:45
*** ChanServ sets mode: +v henrynash		12:45
*** dave-mccowan has joined #openstack-keystone		12:54
*** richm has joined #openstack-keystone		13:08
*** trown is now known as trown\|brb		13:25
*** mylu has joined #openstack-keystone		13:26
*** BjoernT has joined #openstack-keystone		13:26
openstackgerrit	Steve Martinelli proposed openstack/keystone: add missing deprecation reason for eventlet option https://review.openstack.org/307814	13:29
*** BigWillie has joined #openstack-keystone		13:31
*** trown\|brb is now known as trown		13:34
*** openstackstatus has joined #openstack-keystone		13:37
*** ChanServ sets mode: +v openstackstatus		13:37
-openstackstatus- NOTICE: We have recovered one of our cloud providers, but there is a huge backlog of jobs to process. Please have patience until your jobs are processed		13:40
openstackgerrit	Brant Knudson proposed openstack/keystone: Define identity interface - easy cases https://review.openstack.org/291950	13:42
openstackgerrit	Brant Knudson proposed openstack/keystone: Tests clean up global ldap settings https://review.openstack.org/304337	13:43
openstackgerrit	Brant Knudson proposed openstack/keystone: Opportunistic LDAP testing https://review.openstack.org/300237	13:43
*** ayoung has joined #openstack-keystone		13:50
*** ChanServ sets mode: +v ayoung		13:50
*** Nirupama has quit IRC		13:51
*** pushkaru has joined #openstack-keystone		13:52
*** henrynash has quit IRC		14:00
*** sigmavirus24_awa is now known as sigmavirus24		14:01
*** links has quit IRC		14:03
morgan	stevemar: nice bugs. :(	14:04
*** mylu has quit IRC		14:05
*** mylu has joined #openstack-keystone		14:07
*** gagehugo has joined #openstack-keystone		14:07
*** henrynash has joined #openstack-keystone		14:12
*** ChanServ sets mode: +v henrynash		14:12
ayoung	morgan, lbragstad so, on Fernet, assuming for the moment that we cannot convert the "default" to be Fernet (yet) we need to state that the current level of Fernet testing has not been sufficient ot flush out all of the bugs. How do we close that gap?	14:13
morgan	ayoung: default in devstack is doable	14:14
ayoung	I don't, for now, care that the Fernet is not default. But I do care that things break with Fernet. Need to be able to honestly support it.	14:14
ayoung	morgan, that is a start, but it still does not exercize the broken unit tests	14:14
morgan	ayoung: default in keystone config setting is not because of the open convos.	14:14
ayoung	morgan, accepted	14:15
openstackgerrit	Steve Martinelli proposed openstack/keystone: update deprecation warning for falling back to default domain https://review.openstack.org/294822	14:15
ayoung	I think we need to rework our tests to make sure that Fernet is run through all the tests.	14:15
stevemar	henrynash: better? https://review.openstack.org/#/c/294822/	14:15
patchbot	stevemar: patch 294822 - keystone - update deprecation warning for falling back to def...	14:15
ayoung	And, with UUID also staying as default, we need to continue to test that to the same degree	14:15
morgan	I think we make it so uuid and fernet validate the same way. Hold the same data	14:15
morgan	And then keep talking about the fernet key specific issues.	14:16
lbragstad	ayoung ++	14:16
lbragstad	I also agree with morgan	14:16
morgan	We should reduce validation of tokens to a single code path, regardless of the provider	14:16
lbragstad	we should make it so they use as much of the same code path as possible	14:16
morgan	With the difference being decrypt() or db query	14:16
ayoung	morgan, that, too	14:16
lbragstad	that will make testing easier	14:16
morgan	That will reduce the gap to lookup token	14:17
morgan	And I think that hits your concerns	14:17
morgan	Fernet keys and default in keystone itself is a bigger question set	14:17
ayoung	morgan, excpet that is a lot more work.	14:17
henrynash	stevemar: perfic!	14:17
morgan	ayoung: it is a lot less than you think ;)	14:18
ayoung	Getting Fernet fully supportable in Newton is priority	14:18
lbragstad	++	14:18
morgan	Doable in Newton.	14:18
morgan	Easily	14:18
ayoung	morgan, I've been elbows deep in this code. Do you thin kanyone has a clearer view of what it would take? Maybe lbragstad ....	14:18
*** edtubill has joined #openstack-keystone		14:18
morgan	Sec let me plugin laptop and phone.	14:19
ayoung	morgan, in Newton, yes. My goal was to have the tests passing by the summit and to have it merged in N1	14:19
*** woodster_ has joined #openstack-keystone		14:19
morgan	I think I could put together a patch today.	14:19
ayoung	morgan, heh...	14:19
morgan	If you focus on trust etc tests.	14:19
lbragstad	ayoung do we have a recent run that showcases the latest failures?	14:19
lbragstad	s/failures/gaps/	14:19
ayoung	lbragstad, so I have the tests passing, with code changes, module Python3 and tempest	14:20
ayoung	with Py3 we need to deal with the UUID parsing...as that is meaning to_bytes is not getting called.	14:20
ayoung	https://review.openstack.org/#/c/258650/	14:21
patchbot	ayoung: patch 258650 - keystone - [WIP]Make fernet default token provider	14:21
ayoung	but that currently skips all caching. Validation and caching are going to be problematic until we start invallidating the cache much more aggressively	14:21
morgan	ok ayoung	14:22
ayoung	really need to invalidate on all assignment changes. It might mess with some people's tests	14:22
*** jaugustine has joined #openstack-keystone		14:22
morgan	so, the way to make these work the same is overhauling uuid driver.	14:22
morgan	and making it basically use fernet but instead of encrypt, store the data in the DB.	14:22
morgan	the exact same fernet payload	14:23
ayoung	morgan, morgan yeah...really, we need to chop out all data from the persisted store that would not be in the signed body of the Fernet payload	14:23
morgan	it involves a db migration to fix the token table (ick)	14:23
morgan	ayoung: but i bet that is a 1 day task	14:23
ayoung	morgan, and people store stuff in extras, right?	14:23
morgan	not in tokens	14:23
ayoung	that makes it easier	14:23
morgan	there is no way to store extra garbage in tokens	14:23
ayoung	that was the part I was dreading...whew	14:24
morgan	short of a custom provider	14:24
lbragstad	why can't we just nuke the info when we get it back from the DB?	14:24
ayoung	OK, so here is the behavioral difference	14:24
morgan	and the way i was going to do it is change the entrypoint	14:24
ayoung	lets say a user has 2 roles, and loses one of them	14:24
morgan	leave the old provider in place as a stub deprecated	14:24
morgan	and i actually was going to make a new DB table	14:24
ayoung	but they first got the token when they had both. Now when they validate, instead of the token being invalid, it needs to be valid but only have a single role on it	14:24
morgan	to avoid the issues of touching a giant ball of ick	14:24
ayoung	a lot of that WIP patch is test changes to deal with it	14:24
morgan	and limit migration times.	14:24
morgan	ayoung: fernet supports more than one role	14:25
morgan	if assignments change	14:25
ayoung	morgan, when migratin the token table, we've truncated in thepast.	14:25
morgan	assignments change	14:25
lbragstad	we could technically make it so that when we return the token - we could only return the stuff that fernet would https://github.com/openstack/keystone/blob/23bb657369292cab3203c046a0a186df89fa1576/keystone/token/persistence/backends/sql.py#L93	14:25
ayoung	lbragstad, exactly	14:25
morgan	ayoung: for deprecation purposes, i wouldn't truncate	14:25
morgan	i would maintain uuid-legacy	14:26
ayoung	morgan, your call.	14:26
lbragstad	the common.py provider logic would be forced to dynamically generate everything	14:26
*** csoukup has joined #openstack-keystone		14:26
morgan	for a deprecation cycle	14:26
morgan	thats all	14:26
morgan	just to be as nice as possible to deployers who have custom providers	14:26
ayoung	so we have 3 tokens providres for a cycle. New UUID insists on revocating events.	14:26
morgan	yup	14:26
morgan	and next cycle old UUID-legacy is dropped	14:26
morgan	we then have a single token validation path	14:26
ayoung	OK...the real issue is the testing matric	14:27
ayoung	matrix	14:27
morgan	it hits all your major concerns while leaving us free to work on fernet keys etc and those challenges	14:27
ayoung	we need to ensure that all of the tests are run with each of the providers. We were lax on that up to now	14:27
morgan	basically the old UUID tests are mothballed (left as is)	14:27
morgan	and drop once we drop legacy	14:27
morgan	work on making tests for fernet/uuid-new solid	14:28
morgan	don't be la there	14:28
morgan	but since we reduced down to a single path, we're good.	14:28
*** nbloom has joined #openstack-keystone		14:28
morgan	and it also means performance work/improvements affect both forms.	14:29
ayoung	morgan, can we provide a keystone-manage migrate-tokens call for when we switch from old-uuid to new....or...we'll end up dumping all tokens when we switch the default	14:30
morgan	ayoung: no.	14:30
morgan	well sure	14:30
morgan	but it wont be recommended ever	14:30
ayoung	morgan, that is going to cause operator pain. How can we avoid that	14:30
morgan	token tables tend to be huge	14:30
morgan	but yeah i can add a migrate option	14:31
morgan	with a giant OMG DONT DO THIS	14:31
morgan	warning	14:31
bknudson	seems easy enough to support both formats and new tokens get the new format.	14:31
nbloom	Hi all, I'm trying to run devstack ./stack.sh and it fails. I get "Exception occurred processing WSGI script '/usr/local/bin/keystone-wsgi-admin'" under /opt/stack/logs/.. can anyone help me? thanks	14:32
ayoung	do we really need to dump the old tokens? THe old table will have all the data we need to validate, we just will only use a subset.	14:32
lbragstad	ayoung that's all stuff we can do in code too	14:32
ayoung	morgan, let me take a look at the table format. I think everything is in a serialized JSON blob at the moment	14:33
morgan	ayoung: it isn't	14:33
morgan	ayoung: not really. and the token table has a lot of extra stuff in it.	14:33
morgan	basically, i don't want to have to open the token and guess what the format is	14:33
lbragstad	it's pretty much the entire auth response	14:33
lbragstad	just shoved into the extras column	14:33
morgan	is this a legacy blob, or a fernet payload, or ???	14:33
ayoung	hold on...I'll give a rel answer in a second	14:34
morgan	i also don't want to "fix" the legacy provider to support the new format/ignore it in the case someone swaps back over.	14:34
morgan	basically, keeping them isolated during deprecation is a lot less code/work level of concern	14:35
morgan	less testing to write too.	14:35
*** slberger has joined #openstack-keystone		14:35
*** sheel has joined #openstack-keystone		14:36
morgan	so in short, yes we can just use the current table	14:37
morgan	but we shouldn't	14:38
ayoung	http://paste.openstack.org/show/494649/ OK that is the current table format	14:40
morgan	ay yes	14:40
morgan	ayoung: yes*	14:40
ayoung	if we got to unified dleegation, we could just drop the valid and extra columns	14:40
morgan	except unified delecation isn't landing that soon. i expect N2 or just past N2	14:41
ayoung	morgan, you are an optimist, but yes	14:41
morgan	and guessing at the body of the response means a lot more ick in uuid-legacy	14:41
morgan	and a lot more complexity of code	14:41
*** nbloom is now known as nbloom2		14:42
morgan	if we are looking at the short path to unified token validation code paths	14:42
ayoung	morgan, so the data we want is all in the extra	14:42
morgan	don't try and use the same table in this case.	14:42
*** nbloom2 has left #openstack-keystone		14:42
*** mylu has quit IRC		14:42
morgan	ayoung: yes. it is in "extra" [it was convenient place to store it, not beause users can wedge things into extra here"	14:42
*** pnavarro has quit IRC		14:44
edtubill	Hi, I was wondering if it was possible to use horizon with keystone to keystone federation (keystone Idp with websso)? I've been having troubles trying to make the redirection work (Not sure how the redirection works).	14:45
morgan	ayoung: so the question is... do you want to take the short path to unified token validation? or keep on the path we've been on which is retrofit things into the structures we have (and it's been very slow)	14:45
rodrigods	edtubill, it is not :(	14:45
rodrigods	stevemar, ^ right?	14:45
morgan	rodrigods: it might be... but it probably requires custom code.	14:46
rodrigods	morgan, sure	14:46
rodrigods	i mean, with the upstream merged code	14:46
ayoung	morgan, ok, no new token provider	14:46
morgan	ayoung: i think wedging the payload-formed-uuid into that table is a recipe for disaster.	14:46
ayoung	its going to cause more pain	14:46
ayoung	and we can work with what we have	14:46
morgan	ayoung: i disagree 100%	14:46
ayoung	keep the path the same for now, with the exception of this:	14:47
ayoung	when fetching token data from the peristance driver, only return the fernet payload....	14:47
ayoung	ok, we can do THAT as a new provider	14:47
ayoung	the rest stays the same	14:47
morgan	i aslo think that is a bad idea	14:47
morgan	seriously	14:47
ayoung	we persist the same data that we do now, so that someone can switch back and forth	14:47
rodrigods	edtubill, we need to make possible for horizon to talk with keytoneauth's plugin	14:47
*** e0ne has quit IRC		14:47
ayoung	I don't want to dump the token table. People are annoyed on upgrades already	14:48
edtubill	rodrigods, morgan: thx , and I was also wondering what this line does for configuring apache2: 'WSGIScriptAliasMatch ^(/v3/OS-FEDERATION/identity_providers/.?/protocols/.?/auth)$ /var/www/keystone/main/$1' Apache seems to break if I have that line. Do I need this line for Mitaka?	14:48
rodrigods	edtubill, doug-fish was one of the ppl in this front	14:48
morgan	ayoung: so lets hold until the summit	14:48
ayoung	edtubill, that is for federation, and the fact that it is a wildcard looks wrong	14:48
morgan	ayoung: i don't think we're going to come to an agreement here on irc.	14:48
ayoung	morgan, alternatively, we have a fallback from the new UUID provider to the old	14:49
morgan	ayoung: i think we're in for a world of hurt if we try and wedge things into the current model	14:49
edtubill	rodrigods: okay. I guess there's future work for horizon and keystonauth.	14:49
morgan	asking people to re-authenticate if you need to switch providers is not awful	14:49
*** josecastroleon has quit IRC		14:49
morgan	and i'm willing to conceed a migrate option from keystone-manage	14:49
morgan	from old uuid to new	14:50
rodrigods	edtubill, https://review.openstack.org/#/c/159910/	14:50
patchbot	rodrigods: patch 159910 - django_openstack_auth - K2K federation	14:50
morgan	my reasoning for wanting to pivot to a new table really is so we don't need to pull the whole auth response.	14:50
morgan	and we don't need magic to understand the differences	14:50
morgan	and it means when the deprecation cycle goes through we drop code	14:51
morgan	with a large cut (and a drop of the old table)	14:51
*** mylu has joined #openstack-keystone		14:52
ayoung	morgan, all this is to migrate to a new token provider that we don't even want	14:53
morgan	ayoung: uuid is not going to die soon.	14:53
morgan	ayoung: it's a lot less code to pivot, no retrofitting. and it gets us what you asked for a lot sooner.	14:54
morgan	and isolates code paths.	14:54
edtubill	rodrigods: Iooks like an old patch. So is that the k2k code for horizon and the k2k auth plugin?	14:54
morgan	i really am looking at it from a "shortest path to where we want to be in Newton" standpoint	14:55
morgan	and with the easiest to drop old stuff - while not just breaking everything.	14:55
*** phalmos has joined #openstack-keystone		14:55
ayoung	morgan, I hear ya....just the pain of having uuids in two tables	14:56
ayoung	migrating really is going to take a long time.	14:56
morgan	ayoung: so that is why it's a keystone-manage migrate_tokens	14:56
morgan	and is optional	14:56
ayoung	I'm prone to say "try the new UUID, and if that fails, try the old" as a transition	14:56
morgan	or something similar	14:56
ayoung	all writes go to the new table.	14:57
ayoung	The token flush needs to flush both tables	14:57
morgan	ayoung: and the fallback is worth 1 day of validates? or 2?	14:57
morgan	that is a lot of code for a very small window	14:57
*** timcline has joined #openstack-keystone		14:58
morgan	if someone is swapping to fernet - people have to reauth	14:58
ayoung	I hear ya. I don't like it either	14:58
morgan	if someone is swapping from PKI -> uuid, they need to reauth	14:58
ayoung	nope	14:58
ayoung	pki is still persisted	14:58
morgan	yes. in many cases.	14:58
ayoung	that was just a flip of the switch...stop signing	14:58
morgan	because bugs	14:58
morgan	not because bad architecture	14:58
ayoung	bad architect	14:59
ayoung	heh	14:59
morgan	but i'm willing to say swapping to the legacy-uuid is like changing to/from fernet	14:59
morgan	and i'm willing to conceed a migrate from legacy->new if someone wants to	14:59
morgan	but my guess is they'll tell people "dude, reauth"	14:59
mylu	rodrigods: I figured it out, I need to pass the shibboleth session cookie with the request afer 302	15:00
ayoung	so...how oabout this	15:00
*** jaosorior has quit IRC		15:00
ayoung	for a first proof-of-concept, lets write a driver that just extends the existing token drivers return data	15:00
ayoung	does the fernet values only	15:00
ayoung	but pulls it from the existing data	15:00
ayoung	see how bad that is	15:00
ayoung	the rest of the token provider stays the same	15:00
morgan	ayoung: i'll review it, but if you're going to ask me to write it, i'm going further ;)	15:01
ayoung	morgan, I think I can write that fairly quickly	15:01
morgan	ayoung: because i'm going to simply subclass fernet and ignore all the other code.	15:01
ayoung	morgan, hmmm...I don'tthink that will be easier	15:02
morgan	i really don't think you understand how much work it's going to be to figure out what to pull out of the json blob	15:02
ayoung	hah	15:02
morgan	ayoung: because remember fernet has different formats per type	15:02
morgan	is this a trust token?	15:02
morgan	is this scoped?	15:02
*** rderose has joined #openstack-keystone		15:02
ayoung	morgan, so Fernet does signing. Thatis the part we need to bypass.	15:02
morgan	the payload is different	15:02
morgan	that is msgpacked	15:03
morgan	and differs on the types of tokens.	15:03
ayoung	so we are going to keep the msgpacked part...that can't be in the token ID though	15:03
ayoung	not random enough	15:03
morgan	i was going to store the msgpacked part in the db	15:03
ayoung	hmmm	15:03
morgan	and still use uuid.uuid4().hex for the id	15:03
morgan	in the case	15:03
morgan	i really really was serious about the difference being .decrypt() or .get_from_db(id)	15:04
morgan	and 100% of the code is the same otherwise.	15:04
ayoung	yep	15:04
ayoung	ok, so we'll have legacy-uuid, msgpack-uuid, fernet	15:05
morgan	pretty much.	15:05
ayoung	so, how does that makethings better?	15:05
ayoung	I hear you that msgpack is a better UUID format	15:05
morgan	legacy-uuid is deleted in O	15:05
ayoung	but it means that we still have the legacy, and thus all theproblems are still there	15:06
morgan	msgpack-uuid uses 100% the same code path as fernet	15:06
morgan	which means we're testing the code paths equally	15:06
morgan	it gets us to "fernet is being tested" except the cryptography libaray bits	15:06
ayoung	I think I still want to redo legacy uuid	15:06
morgan	right now.	15:06
ayoung	let me think about	15:06
ayoung	how that falls out on the pain balance	15:07
morgan	i think the pain is a reauth.	15:07
*** mylu has quit IRC		15:07
morgan	which is a low amount of pain tbh	15:07
morgan	everything out there has to understand how to reuath anyway	15:07
ayoung	morgan, it means long runing tasks fail	15:07
morgan	they fail when you take keystone down	15:08
morgan	for upgrade anyway	15:08
*** stingaci has joined #openstack-keystone		15:08
morgan	and anyone who says we'll be on 100% rolling upgrades in N is (in my book) crazy	15:08
morgan	we'll be closer	15:08
dstanek	ok, so it looks like something drop it's dep on testresources and now keystone tests fail	15:08
*** josecastroleon has joined #openstack-keystone		15:08
morgan	dstanek: oh wonderful.	15:09
*** trown is now known as trown\|afk		15:09
morgan	dstanek: i am so tired of python requirement resolution :(.	15:09
*** mylu has joined #openstack-keystone		15:10
morgan	ayoung: stew on this convo for a bit. lets circle up at the summit	15:10
morgan	i think we can still hit N1 if we discuss there	15:10
dstanek	morgan: yeah, going to submit a few patches to fix	15:10
ayoung	morgan, will do. One nice thing about this approach is we will tell people "since you are going to have to reauth anyway, you might as well switch to Fernet"	15:11
bknudson	what's failing? py27?	15:11
morgan	ayoung: and the only reason i'm not rage-coding (ok not rage-coding) my proposal right now, is because i have to get my new internet installed today and need breakfast	15:11
morgan	ayoung: ;)	15:11
bknudson	I just ran it 1/2 hour ago	15:11
ayoung	bknudson, in a clean venv?	15:11
bknudson	I rm'ed .tox because I figured deps had changed due to eventlet removal	15:12
morgan	bknudson: sufficient for new venv then	15:12
ayoung	dstanek, what commit is the first broken?	15:12
morgan	ayoung: woot 1GB internet/fiber at home!	15:12
ayoung	morgan, nice	15:12
ayoung	morgan, I'm at Dunkin Donuts on wireless	15:12
morgan	my poor wifi network will be the bottleneck now	15:13
ayoung	not quite as snappy	15:13
*** c_soukup has joined #openstack-keystone		15:13
stevemar	ayoung: maybe DD upgraded, anything can happen	15:13
dstanek	ayoung: it's broken on master for me an apparently on stable branches as well	15:14
*** csoukup has quit IRC		15:16
ayoung	stevemar, DD Wifi actually is pretty good, and fewer people on it here than at the cowork space	15:17
*** stingaci has quit IRC		15:18
ayoung	morgan, if I can get UUID working without the token dump to start, we can do the full msgpack approach without the pressure. Its not either-or. My approach is a change in the validation logic which will need to be there anyway.	15:20
ayoung	I think I'll give it a stab later on today.	15:20
bknudson	dstanek: what's the failure?	15:20
ayoung	we can always chose not to use it.	15:20
*** phalmos has quit IRC		15:20
ayoung	moving locations...back in a bit	15:20
*** ayoung has quit IRC		15:20
dstanek	bknudson: testresources isn't installed. i'm creating a bug for it so that i can track my patch against it.	15:21
bknudson	it's working fine for me.	15:21
bknudson	maybe it's getting a package from local cache or something.	15:21
dstanek	bknudson: really? on master i just 'tox -re py27' and i don't get it installed	15:21
bknudson	pip freeze shows testresources==1.0.0	15:22
bknudson	dstanek: yes, I just ran it and no errors	15:22
dstanek	it also looks like there is an aemail about the stable branch on -dev	15:22
dstanek	bknudson: let me clear all the package caches and try again	15:23
arunkant	stevemar, gordc: Can you review audit middleware change ..https://review.openstack.org/#/c/279828/ ..it has been pending for a while.	15:26
patchbot	arunkant: patch 279828 - keystonemiddleware - Adding audit middleware specific notification driv...	15:26
*** phalmos has joined #openstack-keystone		15:28
openstackgerrit	David Stanek proposed openstack/keystone: Explicitly require testresources for tests https://review.openstack.org/307878	15:29
dstanek	bknudson: i still get the issue and ^ is that fix that works	15:29
rodrigods	mylu, awesome!	15:29
bknudson	if we use testresources directly then we should include that.	15:30
bknudson	dstanek: can you post your pip freeze and I'll compare with mine	15:30
dstanek	bknudson: we do in a way because we use oslo.db's test base class and it uses testresources	15:30
bknudson	then oslo.db should include testreources?	15:31
dstanek	bknudson: oslo.db only requires testresources for it's tests and now when it is installed	15:31
dstanek	is a gray area because oslo.db doesn't need it to work. the project using oslo.db is what needs it for only tests	15:31
bknudson	you need oslo.db[fixtures]	15:32
dstanek	will that install the right things?	15:32
bknudson	which we've got in keystone test-requirements.txt	15:32
bknudson	dstanek: try .tox/py27/bin/pip install oslo.db[fixtures[	15:32
dstanek	i have that in my test-r.txt as well	15:33
openstackgerrit	Christopher J Schaefer proposed openstack/python-keystoneclient: Removing bandit.yaml in favor of defaults https://review.openstack.org/294597	15:33
openstackgerrit	Christopher J Schaefer proposed openstack/python-keystoneclient: Removing bandit.yaml in favor of defaults https://review.openstack.org/294597	15:35
dstanek	bknudson: here is the output of pip freeze https://gist.github.com/anonymous/e0a6414197dc24a4901a4c1b8cefe318	15:37
*** josecastroleon has quit IRC		15:38
dstanek	bknudson: actually if i explicity pip install oslo.db[fixtures] it works	15:38
bknudson	something strange is going on.	15:38
bknudson	dstanek: is that pip freeze for you whole system or just the .tox/py27?	15:39
dstanek	bknudson: oh, woops that was the wrong venv...jas	15:40
dstanek	bknudson: https://review.openstack.org/#/c/307858/2/global-requirements.txt	15:40
patchbot	dstanek: patch 307858 - requirements (stable/kilo) - Cap testresources<2.0.0	15:40
dstanek	maybe related to my issue...	15:40
*** stingaci has joined #openstack-keystone		15:40
bknudson	my venv gets testresources==1.0.0	15:40
dstanek	my gets 2.0.0 when i run manually. nothing when i don't. you must be using a cache of some sort since testresouces release 2.0.0 the other day	15:41
bknudson	seems to work fine with testresources==2.0.0	15:41
dstanek	bknudson: it's installing that automatically for you?	15:42
bknudson	dstanek: no, I did .tox/py27/bin/pip install -U testresources	15:42
dstanek	bknudson: yeah, it works fine. the issue for me is that it's not installed	15:42
bknudson	dstanek: post your pip freeze	15:42
dstanek	https://gist.github.com/8fcb9bca20edfb4510749f46e1bd0cc0	15:43
bknudson	and I agree it's strange I'm not getting testresources2	15:43
dstanek	bknudson: are you using a custome pypi index or local cache?	15:44
bknudson	dstanek: here's the diff: http://paste.openstack.org/show/494672/	15:44
bknudson	so it's just the oslo.db stuff.	15:45
*** links has joined #openstack-keystone		15:45
bknudson	I think pip caches locally by default.	15:45
bknudson	I'm not doing anything special with pypi indexes or caching.	15:46
bknudson	you're the one with wheel==0.24.0	15:47
dstanek	yeah, i have no idea where that came from	15:48
dstanek	ok, so fun fact. i just updated tox and pip in the system itself and i get testresources 1.0.0	15:49
bknudson	what versions were you running?	15:49
dstanek	not that old...jas	15:50
*** browne has joined #openstack-keystone		15:50
dstanek	bknudson: http://paste.openstack.org/show/494674/	15:51
bknudson	those were old.	15:52
bknudson	cattle not pets.	15:52
*** josecastroleon has joined #openstack-keystone		15:52
*** daemontool has quit IRC		15:52
bknudson	I'm running the same versions. Not sure when this changed.	15:52
*** daemontool has joined #openstack-keystone		15:53
bknudson	we have minversion = 1.6 in tox.ini, maybe that should be upped?	15:53
*** gyee has joined #openstack-keystone		15:54
*** ChanServ sets mode: +v gyee		15:54
*** lhcheng has joined #openstack-keystone		15:55
*** ChanServ sets mode: +v lhcheng		15:55
bknudson	./neutron/tox.ini:minversion = 2.3.1	15:55
bknudson	the rest are 1.6, 1.8, 1.4	15:55
bknudson	./tempest/tox.ini:minversion = 2.3.1	15:55
bknudson	that's probably when I upgraded.	15:55
*** timcline has quit IRC		15:56
*** links has quit IRC		15:57
*** gokrokve has joined #openstack-keystone		15:58
*** doug-fish has quit IRC		16:00
*** Guest73397 has quit IRC		16:00
*** doug-fish has joined #openstack-keystone		16:00
*** zzzeek has quit IRC		16:02
*** zzzeek has joined #openstack-keystone		16:03
*** doug-fish has quit IRC		16:09
*** dan_nguyen has joined #openstack-keystone		16:10
*** ayoung has joined #openstack-keystone		16:11
*** ChanServ sets mode: +v ayoung		16:11
*** manjeets has joined #openstack-keystone		16:14
*** sdake has joined #openstack-keystone		16:14
manjeets	is there any config type option for keystone where you can say use v2 instead of v3 ?	16:14
dstanek	bknudson: i just downgraded tox and pip, but it still works - was hoping to nail down what was the actual cause	16:14
manjeets	i was using devstack but seems like v3 is forced now	16:15
stevemar	dstanek: i'm going to head out now to a court house (gotta defer jury duty), on the odd chance that i'm late, can you run the meeting :)	16:16
dstanek	stevemar: sure	16:16
stevemar	it shouldn't take long, but just in case, i don't want you guys waiting on me to start	16:16
stevemar	awesomeo	16:16
*** samueldmq has quit IRC		16:17
*** anteaya has quit IRC		16:20
*** josecastroleon has quit IRC		16:22
*** pauloewerton has joined #openstack-keystone		16:23
*** phalmos has quit IRC		16:23
*** rderose has quit IRC		16:24
*** rderose has joined #openstack-keystone		16:25
*** sdake_ has joined #openstack-keystone		16:25
*** doug-fish has joined #openstack-keystone		16:27
*** mylu has quit IRC		16:27
*** mylu has joined #openstack-keystone		16:27
*** TxGVNN has quit IRC		16:29
*** phalmos has joined #openstack-keystone		16:29
*** sdake has quit IRC		16:29
*** mylu has quit IRC		16:33
*** gyee has quit IRC		16:34
*** mhickey has quit IRC		16:37
*** jistr has quit IRC		16:39
*** stingaci has quit IRC		16:44
*** fawadkhaliq has joined #openstack-keystone		16:45
openstackgerrit	Merged openstack/keystoneauth: Fixing D301 docstring. https://review.openstack.org/307587	16:46
*** pumarani__ has joined #openstack-keystone		16:47
*** pushkaru has quit IRC		16:50
*** henrynash has quit IRC		16:51
*** timcline has joined #openstack-keystone		16:54
rodrigods	bknudson, dstanek, stevemar https://review.openstack.org/#/c/298696/	16:55
patchbot	rodrigods: patch 298696 - openstack-infra/project-config - Enable non-voting keystone tempest plugin tests	16:55
rodrigods	should be running today! :)	16:55
*** pumarani__ has quit IRC		16:58
*** samueldmq has joined #openstack-keystone		16:59
*** ChanServ sets mode: +v samueldmq		16:59
openstackgerrit	ayoung proposed openstack/keystone: [WIP]Make fernet default token provider https://review.openstack.org/258650	17:00
*** browne has quit IRC		17:02
*** rcernin has quit IRC		17:04
openstackgerrit	Alexander Makarov proposed openstack/keystone: Add set_config_defaults() call to tests https://review.openstack.org/304674	17:06
*** stingaci has joined #openstack-keystone		17:07
*** tqtran has joined #openstack-keystone		17:08
*** josecastroleon has joined #openstack-keystone		17:10
*** EinstCrazy has quit IRC		17:14
openstackgerrit	Merged openstack/keystoneauth: Fixing D204, D205, D208, and D211 pep8 https://review.openstack.org/307597	17:15
*** slberger1 has joined #openstack-keystone		17:15
*** slberger has quit IRC		17:16
openstackgerrit	werner mendizabal proposed openstack/keystone-specs: Credential Encryption https://review.openstack.org/284950	17:33
*** gokrokve has quit IRC		17:37
openstackgerrit	ayoung proposed openstack/keystone: Make all fixture project_ids into uuids https://review.openstack.org/306681	17:37
*** gokrokve has joined #openstack-keystone		17:37
*** gyee has joined #openstack-keystone		17:39
*** ChanServ sets mode: +v gyee		17:39
*** nkinder_ has quit IRC		17:39
openstackgerrit	ayoung proposed openstack/keystone: Make fernet support trust auth against v2.0 https://review.openstack.org/278693	17:39
*** josecastroleon has quit IRC		17:40
openstackgerrit	Alexander Makarov proposed openstack/keystone: Unified delegation assignment driver https://review.openstack.org/291318	17:42
*** stingaci has quit IRC		17:43
*** dave-mccowan has quit IRC		17:45
*** stingaci has joined #openstack-keystone		17:47
*** browne has joined #openstack-keystone		17:48
htruta	ayoung: are you around? just a quick doubt. How did access control worked in keystone before policies? Reading the release notes from Essex it looks like it had two apis, one for admin and one for user, right?	17:49
ayoung	htruta, guh....I really don't know	17:50
ayoung	before policies?	17:50
ayoung	I think it was there from the beginning...let me see	17:50
htruta	ayoung: looks like policies were implemented in grizzly	17:51
ayoung	policy was there in Diablo/Essex termie's branch https://github.com/termie/keystonelight/tree/master/keystone/policy	17:51
ayoung	https://github.com/termie/keystonelight/blob/master/keystone/identity/core.py#L257	17:52
ayoung	can_haz	17:52
morgan	so, policy was very very basic	17:53
morgan	v3 has always had policy (ish)	17:53
ayoung	ah...but was not a JSON file	17:53
morgan	v2 was hardcoded mostly	17:53
htruta	ayoung: hm... so, the policies existed, but hardcoded and only admin x user	17:53
morgan	admin/member	17:53
ayoung	htruta, yep	17:53
morgan	(how do you think we inherited that for so long;)	17:53
htruta	morgan: nice!	17:53
htruta	(or not nice, depending on the view point)	17:53
rodrigods	lol	17:53
morgan	ayoung: as someone who's worked in security and security-adjacent fields for a while... https://news.bitcoin.com/looting-fox-sabotage-shapeshift/	17:54
morgan	ayoung: i read this and it's interesting to see folks get bit (again) and re-learn the infosec lessons in this current wave of startup-land	17:55
*** shaleh has joined #openstack-keystone		17:55
htruta	morgan, ayoung: AFAIK first version of keystone api was v2.0, right? The v1, which received only headers as args is from the time nova was still responsible for auth	17:55
htruta	correct me if I'm wrong	17:55
ayoung	htruta, right	17:55
morgan	htruta: so V1 was nova, v2 was keystone-... lite?...	17:55
ayoung	that was internal to RAX, pre me	17:55
morgan	and v3 was "oh god what have we done... no we need to fix that"	17:56
rodrigods	where are the dinosaurs?	17:56
ayoung	I joined the effort in Dec of 2012?	17:56
ayoung	really..	17:56
ayoung	11?	17:56
ayoung	Wow	17:56
ayoung	I've spent my forties doing openstack	17:56
htruta	ayoung: you worked in Essex. That's why I asked you: https://launchpad.net/keystone/essex/2012.1	17:57
ayoung	htruta, oh yeah...I am aware. Just repressed memories	17:57
stevemar	lol	17:57
morgan	i started contributing in Essex (nova)	17:57
htruta	lol	17:57
morgan	and i think i landed patches in keystone in grizzly	17:57
htruta	ayoung, morgan: thanks guys!	17:57
ayoung	I was made core by Joe Heck and dolphm because they need a thrid person to help code review. And termie had disapparated	17:57
raildo	the keystone meeting will be to tell the Keystone history :)	17:57
morgan	oh hey it's meeting time	17:58
morgan	:P	17:58
ayoung	I took the old Nova based LDAP code and corrupted termie's KSL port	17:58
stevemar	morgan: soon :)	17:58
rodrigods	ayoung, third core?	17:58
* morgan just realized it was tuesday		17:58
ayoung	rodrigods, yep	17:58
rodrigods	wow	17:58
morgan	rodrigods: 4th.. technically.	17:58
morgan	rodrigods: cause #termie	17:58
rodrigods	morgan, hmm true	17:58
morgan	but he was MIA	17:58
ayoung	morgan, more than that, there were others, just not active	17:58
ayoung	I was active	17:58
morgan	yeah	17:58
morgan	ayoung: so when are we doing keystone v4? :P	17:59
morgan	duck	17:59
raildo	morgan: lol	17:59
ayoung	morgan, so I thikn we can get to tokenless without a v4	17:59
morgan	ayoung: so do i	17:59
rodrigods	yes	17:59
rodrigods	we can	17:59
rodrigods	obama	17:59
ayoung	and with that	17:59
gyee	tokenless ftw!	17:59
*** henrynash has joined #openstack-keystone		18:00
*** ChanServ sets mode: +v henrynash		18:00
morgan	oh man. the opensrtack css died on specs.openstack.org	18:00
rodrigods	gyee, now we know how to summon you	18:00
gyee	use certs	18:00
morgan	:(	18:00
morgan	gyee: shhh	18:00
*** doug-fis_ has joined #openstack-keystone		18:00
morgan	gyee: also no. OAuth	18:00
gyee	I had a demo of that in the last meetup	18:00
openstackgerrit	Boris Bobrov proposed openstack/keystone-specs: Functional testing setup https://review.openstack.org/307371	18:00
openstackgerrit	Boris Bobrov proposed openstack/keystone-specs: Federation testing setup https://review.openstack.org/307960	18:00
morgan	i think i want to see if we can get https://specs.openstack.org/openstack/keystone-specs/specs/keystone/backlog/decouple-auth-from-api-version.html in newton	18:01
morgan	anyway...	18:01
*** doug-fi__ has joined #openstack-keystone		18:01
*** mtreinish has quit IRC		18:03
*** doug-fish has quit IRC		18:04
*** doug-fis_ has quit IRC		18:04
*** dave-mccowan has joined #openstack-keystone		18:05
*** mtreinish has joined #openstack-keystone		18:08
*** timcline has quit IRC		18:08
*** timcline has joined #openstack-keystone		18:09
openstackgerrit	Merged openstack/keystone: Updating sample configuration file https://review.openstack.org/307606	18:11
*** henrynash has quit IRC		18:17
*** edtubill has quit IRC		18:19
*** henrynash has joined #openstack-keystone		18:23
*** ChanServ sets mode: +v henrynash		18:23
stevemar	shaleh: i liked your response to OSC's slowness (in regards to rust and go)	18:29
morgan	stevemar, shaleh: the question comes -- how do you force a refresh of the stevedore cache? since that is heavy inspection - on new install?	18:31
shaleh	morgan: --clear-cache	18:35
shaleh	it will live in ~/ or a location specificed	18:35
*** doug-fi__ has quit IRC		18:36
shaleh	the modules only change when a new install is done	18:36
shaleh	why pay for dynamism when we almost never need itr	18:36
shaleh	monty's solution of pure GET/POST is OK if we have to do it. But we all put effort into our *client libs for a reason.	18:37
shaleh	morgan: I do not know if stevedore could be replaced or optimized in this way	18:37
shaleh	morgan: but it seems like an obvious place to experiment	18:37
morgan	shaleh: uhmmmmmmmmmmm i am not sure if that is a good plan --clear-cache.. will need to think about it	18:38
gyee	so stevedore doesn't cache stuff?	18:38
shaleh	gyee: not that I can see	18:38
shaleh	go look in all of the eggs that say "openstack..."	18:38
* dhellmann might be happy to see a patch adding that feature		18:38
gyee	I would think it should, as its based on registration	18:39
gyee	register once	18:39
shaleh	gyee: someone (maybe me) needs to dig into why the module loading is slow	18:39
gyee	dlopen? :-)	18:39
gyee	under the hood I mean	18:39
shaleh	the fellows hack of having a OSC service for devstack is still a good one regardless of what we is done. Why pay for any startup time when we know we are just going to pelt it with requests	18:40
*** dave-mccowan has quit IRC		18:40
*** sdake_ has quit IRC		18:41
*** josecastroleon has joined #openstack-keystone		18:41
shaleh	stevemar: I like Rust over C/C++ and Go. But still, rewriting means bugs, optimizing new issues, etc.	18:41
shaleh	plus getting Rust (which is a moving target) stable enough to put on a system and not touch it for 2 years	18:41
shaleh	Go is a little better in that regards	18:42
*** trown\|afk is now known as trown		18:43
morgan	roxanaghe: i want to put you in touch with cburgess, re: ldap things	18:43
morgan	roxanaghe: since we're re-working the ldap driver. some improvements once we have parity would be good (re filtering, etc)	18:43
*** itlinux has quit IRC		18:45
roxanaghe	morgan, that would be great!	18:46
roxanaghe	morgan, this is my latest version of mockSync: https://github.com/roxanagherle/ldap3/blob/master/ldap3/strategy/mockSync.py I wrote a message to the ldap3 owner, since I wanted to get his opinion if he wants something like that in the ldap3 repo	18:47
*** sdake has joined #openstack-keystone		18:48
morgan	:)	18:48
morgan	roxanaghe: nice	18:48
roxanaghe	morgan, filtering on an ldap query is a beast	18:50
*** KarthikB has joined #openstack-keystone		18:50
roxanaghe	morgan, so I just took whatever they did in mockldap library for python-ldap for now	18:50
morgan	roxanaghe: yeah it is. cburgess is running into issues so i figure we can work on improving it	18:51
roxanaghe	morgan, ok let me know how I can help	18:53
*** henrynash has quit IRC		18:59
bknudson	ayoung: when you push a new version the -1 will go away	19:00
samueldmq	see ya in austin	19:00
samueldmq	:D	19:00
lbragstad	dolphm do you want to go through and add the edits from the talk?	19:00
*** fawadkhaliq has quit IRC		19:00
dolphm	lbragstad: i've been doing some already	19:00
dolphm	lbragstad: i added the 'what is a token' section and 'what is a fernet key'	19:01
lbragstad	dolphm sweet - reviewing	19:01
erhudy	is there an explanation of the PKI token format anywhere? i'm digging into something with the v2.0 API and when i base64-decode a token it looks like mostly JSON but with some byte noise surrounding it	19:03
gyee	erhudy, see PKCS #7	19:04
*** doug-fis_ has joined #openstack-keystone		19:04
erhudy	thanks	19:04
ayoung	https://review.openstack.org/#/c/195780/ bknudson	19:05
patchbot	ayoung: patch 195780 - openstack-dev/devstack - Switch fernet to be the default token provider	19:05
*** sheel has quit IRC		19:05
*** sigmavirus24 is now known as sigmavirus24_awa		19:06
rodrigods	bknudson, samueldmq, rderose https://bugs.launchpad.net/keystone/+bug/1571878 makes sense?	19:07
openstack	Launchpad bug 1571878 in OpenStack Identity (keystone) "Add protocol to identity provider using nonexistent mapping" [Undecided,New] - Assigned to Ron De Rose (ronald-de-rose)	19:07
rodrigods	the last comment	19:07
*** neophy has joined #openstack-keystone		19:08
*** doug-fis_ has quit IRC		19:09
*** KarthikB has quit IRC		19:12
*** KarthikB has joined #openstack-keystone		19:12
*** josecastroleon has quit IRC		19:12
*** doug-fish has joined #openstack-keystone		19:14
morgan	bknudson: positional 1.1.0 with wrapt is now released	19:15
samueldmq	rodrigods: I agree, however not sure about deprecating a workflow	19:17
samueldmq	rodrigods: not sure how that will map to deprecating APIs, but we'll see	19:17
*** KarthikB has quit IRC		19:18
*** real56 has quit IRC		19:21
morgan	ayoung: ok i think i'm gonna hack on token things	19:25
morgan	ayoung: this is bothing me and i want to see how it goes.	19:25
morgan	rodrigods: i'll also look at mocksync in a few minutes.	19:25
*** mylu has joined #openstack-keystone		19:25
morgan	rodrigods: not rodrigods roxanaghe	19:25
ayoung	morgan, go for it. But I hate the idea of dumping the token table. It is the kind of pain I want to no longer propagate.	19:26
morgan	ayoung: i think it'll be easier to transition this way tbh	19:26
ayoung	morgan, also...I don't like the idea of making a table with the msgpack in it for differnt reasons	19:26
morgan	ayoung: i expect we'll discuss @ the summit :)	19:26
ayoung	I am ok with a table that has the columns in it in normal formal	19:26
*** samueldmq has quit IRC		19:26
ayoung	normal form	19:27
morgan	ayoung: i think this is a case where normal form is wrong .	19:27
ayoung	the msgpack is unnecessary overhead	19:27
morgan	unless we want divergent code poaths	19:27
morgan	like i said, my goal is identical validation(s).	19:27
morgan	that expand with forms of tokens in the same way	19:27
ayoung	morgan, the path can join with the data returned post the msgpack processing	19:27
morgan	ayoung: except each column requires a migration if we add	19:28
morgan	where fernet uses a formatter	19:28
morgan	to build the payload	19:28
ayoung	yeah, well that is motivcation not to add more columns	19:28
morgan	so you have divergent code paths	19:28
morgan	again, i am thinking the token payload should be the same.	19:29
morgan	so we have one mechanism for token validation	19:29
morgan	rather than... a few things that kindof work sortof the same	19:29
morgan	if we're good at testing	19:29
ayoung	morgan, "the same" meaning	19:29
morgan	(which is what we have now)	19:29
morgan	meaning, the same code	19:29
morgan	using the fernet formatter(s)	19:29
ayoung	morgan, um...payload meaning what?	19:29
morgan	just not the encryption	19:30
ayoung	for the UUID token? We can't	19:30
morgan	payload is scope, trust, etc	19:30
ayoung	it has to be a uuidgen -r	19:30
morgan	the only thing the new table would encode is "uuid" index	19:30
ayoung	so we persist what you are aclalling payload inthe db,	19:30
morgan	creation time (fernet spec)	19:30
morgan	and payload (the rest)	19:30
morgan	the fernet formatter is tied to the payload	19:30
morgan	FERNET(HMAC(Create_time, AES(PAYLOAD)))	19:31
morgan	is what we end up doing	19:31
*** gyee has quit IRC		19:31
morgan	i am proposing UUID is = UUID-index, Create_time, PAYLOAD	19:31
morgan	store the data the same way. validate the same way	19:31
*** KarthikB has joined #openstack-keystone		19:31
lbragstad	dolphm presentation looks good to me	19:32
morgan	the difference is if the payload is AES w/ HMAC or .query(uuid-index)	19:32
lbragstad	dolphm thanks for fixing up those slides	19:32
ayoung	morgan, meh....I have a feeling this is going to come back to bite me, but go for it	19:33
ayoung	you care far more than I do	19:33
morgan	ayoung: i'm just trying to get us to "fernet is tested as well as other provider(s)"	19:33
morgan	which means we don't have tests that diverge because the code paths are wildly different	19:33
ayoung	morgan, I hear that, but that requires changes of the tests, not a new uuid provider	19:34
morgan	except we suck at having divergent paths tested equally	19:34
ayoung	morgan, no, there were basic code paths in Fernet that were untested	19:34
morgan	look at even PKI and UUID	19:34
ayoung	Python34 was failing on tests that just were not run	19:34
morgan	they were almost the same and the tests still were bad.	19:34
ayoung	I don't want another UUID provider	19:34
morgan	and if we need to maintain uuid, we should not have it validate in a wildly different way than fernet	19:35
morgan	and i don't think we're getting rid of uuid anytime soon	19:35
ayoung	OK...go on and code. We'll deal with the fallout	19:35
morgan	we'll see how it goes.	19:36
morgan	it may be horrific	19:36
morgan	but it looks pretty darn doable	19:36
* morgan is only thinking with a way for folks who may have subclassed current uuid to not be broken, otherwise i'd advocate just changing the current provider		19:36
ayoung	let me just state the things I hate about this approach for the record: 1. Another provider. 2. Dumping the token table, 3. The serialized form in the DB is completely not-readable. Other thanthat...meh	19:37
morgan	1 and 2 are mitigatable if we don't mind changing the current provider out	19:38
morgan	3 - i could just use json. but prefer to keep it the same code as fernet.	19:39
morgan	the only issue with #2 is the migration is brutal.	19:39
*** woodburn has joined #openstack-keystone		19:39
morgan	so shrug.	19:39
ayoung	morgan, or if you do 3, you could avoid 2	19:39
morgan	not really	19:39
ayoung	serialze to JSON you could keep old tokens	19:40
morgan	not really	19:40
ayoung	that was my plan	19:40
morgan	because we then need magic to know what the hell the old token forms are	19:40
morgan	we're in exactly the same place as we are now...or worse	19:40
shaleh	why is coverage not enforced?	19:40
ayoung	morgan, not really, it is the token response that gets serialized. Same data as is in our API	19:40
shaleh	that would solve the missed paths issue	19:40
shaleh	if coverage < SOME_VALUE: boom()	19:41
morgan	ayoung: that is the problem! we are serializing the whole bloody thing and that has a miriad of variations and issues	19:41
ayoung	shaleh, so certain tests assume that the token provider is irrelevant	19:41
*** mtreinish has quit IRC		19:41
morgan	shaleh: there is math that prevents that from working	19:41
ayoung	morgan, we serialize only V3	19:41
morgan	ayoung: wrong.	19:41
shaleh	morgan: oh?	19:41
ayoung	morgan, we do now	19:41
morgan	we serialize v2 if it is requested	19:41
ayoung	and if we don't we can serialize just v3	19:41
*** josecastroleon has joined #openstack-keystone		19:41
morgan	anyway. i am against holding the whole token body for many reasons	19:42
morgan	it's silly	19:42
ayoung	pretty sure a v2 request is serialized as v3 and converted to and fro	19:42
ayoung	I agree.	19:42
morgan	so, we should stop doing that	19:42
ayoung	But then Keystone is silly	19:42
*** mtreinish has joined #openstack-keystone		19:42
morgan	ayoung: this is a case of not being opinionated enough that we have multiple ways of doing something and we have potential to leak impl details	19:42
ayoung	but seriosuly, the only part I really care about is the operator pain.	19:43
morgan	to the end user	19:43
morgan	i'm really trying to not end up there. and operator pain is minimal if you're providing an option of "reauth" or "migrate tokens" and they can pick	19:43
ayoung	morgan, OK, so the Fernet by default is now passing py2 and py3	19:43
morgan	ayoung: however i have to be a hard -1 on making fernet the default in keystone.config due to op overhead of setup and cluster issues	19:44
morgan	ayoung: unfortunately.	19:44
ayoung	morgan, no, that is fine. I think we can do this:	19:44
ayoung	1. Make that test run	19:44
ayoung	2. RE install the caching	19:44
morgan	ayoung: i don't want to block it :( I really don't.	19:44
ayoung	3. make sure we are invalidating cache enough to get test to run again	19:45
ayoung	drop the "Fernet is the default"	19:45
ayoung	that was 4.	19:45
morgan	shaleh: so, if you remove code - enough code, you can actually get coverage % to reduce without losing coverage	19:45
ayoung	and merge the patch	19:45
morgan	shaleh: which is why we can't enforce.	19:45
ayoung	then follow on patch that expands test coverage	19:45
shaleh	morgan: sounds fishy.	19:46
morgan	shaleh: and it's VERY hard to know if code path X is still code path X or code path Y now (it moved?) to check if coverage was gained or lost	19:46
morgan	shaleh: example:	19:46
morgan	shaleh: i delete the eventlet code, and all tests associated to it	19:46
morgan	assume that is 1% of the tests but only 3 lines of code [contrived]	19:46
morgan	shaleh: we would have a net loss of coverage %	19:47
*** raddaoui has quit IRC		19:47
shaleh	morgan: not sure it is as bad as you think	19:47
morgan	or wait.. vice versa.	19:47
morgan	shaleh: we can't enforce.	19:47
shaleh	morgan: so make it advisory and we monitor it.	19:47
morgan	shaleh: burden of proof - prove to me enforcement WONT prevent patches from landing when we delete code that is to be removed. (math)	19:48
shaleh	if you run this group of tests and there is not X coverage for this directory, flag it. not fail, but flag it.	19:48
morgan	shaleh: and i'll support you, but last time we did this, we came up with "can't do it"	19:48
morgan	it's already advisory ;)	19:48
shaleh	morgan: plenty of github and over projects enforce it :-)	19:48
morgan	shaleh: and i think they basically either have 100% coverage or have a small contributor base / code base that just doesn't run into this	19:49
shaleh	but like I said, we could still have a "did the test cover X directory with Y percent? No, flag it." Not fail, flag.	19:49
morgan	we would have failed to remove a number of code paths already.	19:49
morgan	what is "flagging it"?	19:49
morgan	do?	19:49
*** mtreinish has quit IRC		19:49
morgan	don't we already have a non-vote job?	19:49
shaleh	morgan: mark the the test result with "double check, it did not reach expected level"	19:50
morgan	shaleh: uh so a non-vote task that is "fail"	19:50
shaleh	if this is because of an influx of code, it means we need more tests	19:50
morgan	shaleh: its not the influx that matters, its the deprecation/removal that does.	19:50
shaleh	with a little touching now and then I do not see why it could not help.	19:51
morgan	for the reason why we can't block and i guarantee a non-voting job will mostly get ignored	19:51
shaleh	morgan: but there would be data	19:51
morgan	get us to 100% coverage and it's easy to make the math never fail	19:52
shaleh	data that can be used for better planning	19:52
shaleh	100% coverage is almost always silly	19:52
*** neophy has quit IRC		19:52
shaleh	it is about keeping it at a sane level	19:52
morgan	or the reviewers can look at the coverage report	19:52
morgan	and use the data we have	19:52
shaleh	where is the coverage link when a test runs?	19:52
openstackgerrit	Navid Pustchi proposed openstack/keystoneauth: Fix H405, D105, D200, and D203 PEP257 https://review.openstack.org/308016	19:53
morgan	shaleh: to be clear, i am not saying we shouldn't have a check job. i just dislike a job that fails that is non-vote (expectedly)	19:54
morgan	that will never be converted to voting (unless we hit 100% coverage.. )	19:54
morgan	iirc we had at least at one time a job that ran coverage	19:54
shaleh	morgan: it would be interesting to gather info on how often it would fail, what the level of coverage could be, etc.	19:55
morgan	shaleh: also if you move code from path X to path Y, the same "deleting code" math could cause it to fail	19:55
morgan	shaleh: because you could have a net reduction in test coverage in the old path	19:55
shaleh	morgan: COULD happen and DOES happen are two different things	19:55
morgan	shaleh: it will fail at some point in any case where the coverage is not 100% and the failures are in most cases going to be erroneous	19:56
shaleh	on any other project where I have seen coverage tests fail it has been because of an influx of untested code	19:56
shaleh	the number does not have to be 100. It can be 72 if we desire.	19:56
shaleh	the point is consistency.	19:56
morgan	considering the amount of code we've been deleting, there has been at least 5 times in the last cycle	19:56
morgan	we would have had erroneous failures in code duce to reduction in perceived coverage	19:57
shaleh	morgan: out of how many commits?	19:57
shaleh	No reason the review cannot include some way to help it pass coverage once it is clear that is going to happen	19:57
morgan	approx 1000 commits	19:58
morgan	erm 900	19:58
morgan	hold on no	19:58
shaleh	5 - 20 real fails over even 500 commits is not bad	19:58
shaleh	probably twice or three times caught for real failures to maintain coverage	19:59
morgan	less than 600 commits	19:59
morgan	i'm saying i am against a blocking or failing test	19:59
*** navidp has joined #openstack-keystone		19:59
*** gagehugo has quit IRC		19:59
morgan	i am not against a coverage job that presents data	19:59
morgan	the coverage job can even show the % change	20:00
shaleh	I get that. I am only arguing for measure it to find out :-)	20:00
morgan	just do not make it fail	20:00
morgan	ever	20:00
morgan	i want a fail to indicate the coverage job is broken not a number has changed.	20:00
morgan	if that makes sense	20:00
shaleh	Time will tell on whether it ever makes sense.	20:00
morgan	just like the doc job	20:01
shaleh	it might not. Or it might mean the occasional commit needs help passing the job.	20:01
*** nkinder has joined #openstack-keystone		20:01
morgan	it presents the data, but it shouldn't fail unless the doc rendering cannot occur	20:01
morgan	so i'll support a coverage job, i'll support one that shows % change	20:01
morgan	i wont support one that "Fails" based upon %	20:02
shaleh	what I have seen is once a culture of "X percent coverage for all code" exists the breakage rarely happens	20:02
*** aimeeU has quit IRC		20:02
shaleh	I would be happy to see coverage numbers, voting or not	20:02
shaleh	it was one of the things I liked about running the py3 tests	20:02
morgan	shaleh: and like i said, happy to even have to show the delta in coverage	20:02
morgan	just not a test that fails because of delta of coverage	20:03
* morgan has a meeting to run to		20:03
shaleh	morgan: that is the base any conversation should start from. Otherwise it is all conjecture and bikeshedding	20:03
morgan	anyway. meeting time	20:04
ayoung	rodrigods, https://review.openstack.org/#/c/306681/2 seemy reply	20:04
patchbot	ayoung: patch 306681 - keystone - Make all fixture project_ids into uuids	20:04
*** sigmavirus24_awa is now known as sigmavirus24		20:06
*** jaugustine has quit IRC		20:08
*** mylu has quit IRC		20:08
*** mylu has joined #openstack-keystone		20:08
*** KarthikB has quit IRC		20:11
*** josecastroleon has quit IRC		20:11
*** KarthikB has joined #openstack-keystone		20:11
*** henrynash has joined #openstack-keystone		20:12
*** ChanServ sets mode: +v henrynash		20:12
*** daemontool has quit IRC		20:12
*** dave-mccowan has joined #openstack-keystone		20:14
*** fawadkhaliq has joined #openstack-keystone		20:14
*** dave-mcc_ has joined #openstack-keystone		20:15
roxanaghe	morgan, cool thanks let me know if you have any feedback	20:15
*** KarthikB has quit IRC		20:16
*** dave-mccowan has quit IRC		20:18
*** mylu has quit IRC		20:21
*** fawadkhaliq has quit IRC		20:22
*** fawadkhaliq has joined #openstack-keystone		20:22
*** KarthikB has joined #openstack-keystone		20:24
*** doug-fish has quit IRC		20:27
*** mylu has joined #openstack-keystone		20:29
*** josecastroleon has joined #openstack-keystone		20:30
*** KarthikB has quit IRC		20:31
*** rderose has quit IRC		20:32
*** KarthikB has joined #openstack-keystone		20:32
*** tqtran has quit IRC		20:32
*** mylu has quit IRC		20:35
*** doug-fish has joined #openstack-keystone		20:36
*** BigWillie has quit IRC		20:36
*** doug-fish has quit IRC		20:36
*** KarthikB has quit IRC		20:36
*** doug-fish has joined #openstack-keystone		20:36
*** iurygregory has quit IRC		20:42
*** tristanC_ is now known as tristanC		20:54
*** mylu has joined #openstack-keystone		20:55
*** c_soukup has quit IRC		20:57
bknudson	morgan: thanks for the positional release! Now if we can get the debtcollector change merge / released we'll have usable docs for keystoneclient.	20:58
*** josecastroleon has quit IRC		21:00
*** mylu has quit IRC		21:02
*** dims_ has joined #openstack-keystone		21:02
*** dims has quit IRC		21:02
morgan	bknudson: happy to help	21:03
morgan	bknudson: i lost my gpg key :( so had to get a new one to relase that.	21:03
morgan	release*	21:03
*** mylu has joined #openstack-keystone		21:04
bknudson	yikes. How do I know you're still you?	21:04
*** pauloewerton has quit IRC		21:05
openstackgerrit	Steve Martinelli proposed openstack/keystoneauth: Fix H405, D105, D200, and D203 PEP257 https://review.openstack.org/308016	21:05
stevemar	bknudson: considering he is morgan now and not notmorgan, can we really trust him?!	21:06
*** gyee has joined #openstack-keystone		21:07
*** ChanServ sets mode: +v gyee		21:07
morgan	stevemar: you CANT	21:07
morgan	hahaha	21:07
*** dave-mcc_ has quit IRC		21:08
*** mylu has quit IRC		21:08
*** mylu has joined #openstack-keystone		21:09
*** gordc has quit IRC		21:09
*** trown is now known as trown\|outtypewww		21:12
*** BjoernT has quit IRC		21:12
*** mewald has joined #openstack-keystone		21:13
*** dave-mccowan has joined #openstack-keystone		21:15
mewald	I am seeing this during my puppet runs for keystone: https://gist.github.com/mewald1/c7e33a1defb63511e302a0b8c64c5a8e any ideas?	21:16
*** mewald has quit IRC		21:17
morgan	roxanaghe: mocksync is looking good.	21:19
morgan	roxanaghe: i like it a lot actually	21:19
*** tqtran has joined #openstack-keystone		21:19
morgan	the direction looks solid, we just need to get real datasets (obv. and make it easy to do things with them)	21:20
morgan	but i think you're on the right path	21:20
morgan	and it looks like nothing is wildly "private" interface wise...	21:20
morgan	so it could be carried outside of ldap3 tree (mostly)	21:21
roxanaghe	morgan, cool - regarding carrying out of the ldap3 tree - it seems like you can't use an external object for the strategy, so we either have to get this in ldap3 tree or add the capability of an external strategy	21:23
*** fawadkhaliq has quit IRC		21:23
*** fawadkhaliq has joined #openstack-keystone		21:24
roxanaghe	morgan, that's why I'm trying to start a convo with the ldap3 guys	21:24
morgan	roxanaghe: ah. lame.	21:25
morgan	roxanaghe: but all sounds solid.	21:25
morgan	:)	21:25
morgan	and i 100% think it is the right direction to be going	21:25
roxanaghe	morgan, awesome!	21:26
morgan	roxanaghe: do you have a backup strategy if you can't land it/support for it in ldap3?	21:27
roxanaghe	morgan, and thanks for the feedback	21:27
morgan	monkeypatch it in?	21:27
shaleh	fork it on GitHub :-)	21:27
bknudson	fork it and call it ldap4	21:28
shaleh	bknudson: nah, python-ldap3.1	21:28
roxanaghe	morgan, I think it's cleaner this way, but the other way is to make ldap3 accept an external strategy and I'm hoping we should be able to convince the ldap3 guys on that	21:28
*** fawadkhaliq has quit IRC		21:28
morgan	roxanaghe: i mean, think of a backup plan if ldap3 accepts no code. because we will want this type of stuff anyway :)	21:29
morgan	roxanaghe: don't need an answer today fwiw	21:29
morgan	just ponder it in case we need to figure it out	21:29
shaleh	from looking at the code, external strategy provides plenty of good choices. upstream should be able to see that.	21:29
roxanaghe	morgan, right - I'm gonna think about that	21:30
morgan	shaleh: i hope so	21:30
*** sdake_ has joined #openstack-keystone		21:30
morgan	shaleh: but contingencies on contingencies	21:30
morgan	;)	21:30
shaleh	morgan: agreed	21:30
*** mylu has quit IRC		21:32
*** sdake has quit IRC		21:33
*** josecastroleon has joined #openstack-keystone		21:36
*** dave-mccowan has quit IRC		21:37
*** mylu has joined #openstack-keystone		21:39
*** mylu has quit IRC		21:53
*** stingaci has quit IRC		21:53
*** stingaci has joined #openstack-keystone		21:53
*** ametts has quit IRC		21:57
*** gokrokve has quit IRC		21:59
*** sigmavirus24 is now known as sigmavirus24_awa		22:02
*** phalmos has quit IRC		22:04
*** stingaci has quit IRC		22:06
*** stingaci has joined #openstack-keystone		22:06
*** josecastroleon has quit IRC		22:06
*** rderose has joined #openstack-keystone		22:06
*** mylu has joined #openstack-keystone		22:07
*** josecastroleon has joined #openstack-keystone		22:14
*** fawadkhaliq has joined #openstack-keystone		22:14
*** mtreinish has joined #openstack-keystone		22:15
*** ayoung has quit IRC		22:16
*** alex_xu has quit IRC		22:16
*** timcline has quit IRC		22:18
*** alex_xu has joined #openstack-keystone		22:18
*** slberger1 has left #openstack-keystone		22:20
*** ianw has quit IRC		22:22
openstackgerrit	Merged openstack/keystonemiddleware: Updated from global requirements https://review.openstack.org/307754	22:23
*** ianw has joined #openstack-keystone		22:24
*** sdake_ is now known as sake		22:26
openstackgerrit	Merged openstack/keystoneauth: Updated from global requirements https://review.openstack.org/307753	22:37
*** ianw has quit IRC		22:38
openstackgerrit	Navid Pustchi proposed openstack/keystone: Fix D400 PEP257 https://review.openstack.org/308060	22:39
*** rderose has quit IRC		22:40
*** josecastroleon has quit IRC		22:44
*** KarthikB has joined #openstack-keystone		22:49
*** tellesnobrega is now known as tellesnobrega_af		22:52
*** KarthikB has quit IRC		22:53
*** rderose has joined #openstack-keystone		22:58
rderose	rodrigods: sorry for the late response, yes it does make sense	22:59
*** tellesnobrega_af is now known as tellesnobrega		22:59
*** alex_xu has quit IRC		23:05
*** josecastroleon has joined #openstack-keystone		23:06
*** alex_xu has joined #openstack-keystone		23:06
*** tqtran has quit IRC		23:11
openstackgerrit	Morgan Fainberg proposed openstack/keystone: UUIDMsgPack Token Provider Added. https://review.openstack.org/308063	23:11
morgan	stevemar: ^ an example of using fernet code to handle UUID tokens.	23:13
*** ianw_ has joined #openstack-keystone		23:13
*** mylu has quit IRC		23:14
*** david-lyle_ has joined #openstack-keystone		23:14
*** david-lyle has quit IRC		23:14
*** mylu has joined #openstack-keystone		23:15
stevemar	morgan: you have my interest....	23:17
morgan	stevemar: and really really small amounts of code considering	23:17
morgan	stevemar: that could open the door to deprecating UUID provider itself and the entire persistence subsystem	23:18
morgan	estimation in flush, and migrations, and tests, less than 300 lines of code	23:18
morgan	and deprecation warnings.	23:18
morgan	ok ok... less than 400	23:19
*** fawadkhaliq has quit IRC		23:19
morgan	there is some adjustments i'd want to make on the where "pack" is called	23:19
morgan	instead of it living on the formatter, move it to the provider.	23:19
stevemar	it would still need 2 cycles :)	23:19
morgan	nah.	23:19
morgan	1 ;)	23:19
*** fawadkhaliq has joined #openstack-keystone		23:19
morgan	not API impacting	23:19
morgan	:P	23:19
morgan	anyway	23:20
openstackgerrit	Ron De Rose proposed openstack/keystone: Move the assignment abstract base class out of core https://review.openstack.org/299635	23:20
morgan	still most of the work is in those ~100 lines to make a UUID FernetPayload token	23:20
*** navidp has quit IRC		23:20
morgan	also note i opted for uuid.uuid4().int for the token id, because... ints store better/index better in dbs :P	23:21
openstackgerrit	Merged openstack/python-keystoneclient: Updated from global requirements https://review.openstack.org/307771	23:21
morgan	anyway.. i told ayoung it would be really small amounts of code.	23:21
morgan	it is.	23:21
*** sake is now known as sdake		23:22
morgan	stevemar: and i think this is an easier way to pivot validation instead of trying to retrofit things into the current uuid validation code paths	23:23
*** fawadkhaliq has quit IRC		23:24
rodrigods	morgan, will take a look in the code	23:24
* rodrigods hopes to understand		23:24
morgan	rodrigods: it is very straightforward code... which is to say fernet's architecture is way better than the old stuff.	23:25
rodrigods	morgan, the architecture i mean :)	23:26
rodrigods	looking	23:26
*** mou has joined #openstack-keystone		23:28
mou	Hello, Openstack community	23:29
mou	i have a tough question	23:29
*** tqtran has joined #openstack-keystone		23:29
mou	what are proposed upgrade path for keystone from kilo to liberty release, without downtime?	23:30
rodrigods	morgan, really simple indeed :P	23:30
rodrigods	got the idea	23:30
gyee	morgan, you have my curiousity	23:30
rderose	stevemar: I know we have a design session scheduled for "Shadowing LDAP users" under new features... but how do I schedule a work session?	23:30
*** stingaci_ has joined #openstack-keystone		23:30
mou	i found very annoying feature which breaks my upgrade procedure	23:30
*** stingaci has quit IRC		23:30
morgan	mou: unfortunately, there will need to be downtime for the keystone upgrade. however, it should be minimal from the keystone side.I can't speak to any othe rproject	23:31
mou	in liberty padding in tokens was removed	23:31
morgan	mou: but in short for keystone: turn off keystone, db_sync, turn on new keystone code.	23:31
mou	so i cant upgrade keystone servers one by one	23:31
openstackgerrit	Tin Lam proposed openstack/keystoneauth: Remove ClientException duplicate message property from BaseException https://review.openstack.org/285757	23:31
morgan	mou: keystone doesn't support no-downtime upgrades at this point - we are examining what we can to do get closer in newton (mitaka also does not support it), sorry	23:32
morgan	gyee: take a look at the patch :)	23:32
*** mylu has quit IRC		23:32
*** mylu has joined #openstack-keystone		23:33
mou	morgan: my original plan was to shutdown one keystone, upgrade, and start, and move to another. i assume this plan due to no schema change (for my particular installation and used features).	23:33
mou	morgan: but changing token format is broke everything :((	23:34
morgan	mou: running keystone on old schemas is never supported, the db schema is meant to be in lock-step	23:34
morgan	mou: for now	23:34
gyee	we taking about fernet? thought we accounted for both padding and no padding	23:35
morgan	mou: which token format are you using?	23:35
morgan	gyee: i thought we handled both cases too.	23:35
mou	morgan: but kilo can run on liberty schema (for my installation)	23:35
morgan	gyee: well wait, OLD keystone can't read no-padding	23:35
gyee	morgan, ahhh, right	23:35
mou	morgan: fernet	23:35
lbragstad	yeah	23:35
morgan	mou: again, i apologize, but what you're doing is simply not supported nor tested	23:35
*** josecastroleon has quit IRC		23:35
mou	Also i wonder why does this patch was abandoned https://review.openstack.org/#/c/221799/ ?	23:36
patchbot	mou: patch 221799 - keystone (stable/kilo) - Remove padding from Fernet tokens (ABANDONED)	23:36
morgan	the liberty keystone can handle both padded and non-padded tokens. the kilo one only understands the padding	23:36
*** mylu has quit IRC		23:36
*** mylu has joined #openstack-keystone		23:36
mou	So looks like i should build my kilo keystone with this patch, and continue	23:37
morgan	mou: you are more than welcome to. I however HIGHLY recommend keeping your schema in lockstep	23:37
morgan	and not running liberty on a kilo schema, no warranties or guarantees data wont be corrupted.	23:37
morgan	mou: i do wish you good luck on it though :)	23:38
mou	morgan: thanks, but we tested kilo on liberty schema	23:38
*** maestro2 has joined #openstack-keystone		23:38
*** cburgess has quit IRC		23:40
*** sudorandom has quit IRC		23:40
mou	morgan: sorry for disturbing you guys	23:41
morgan	mou: you aren't disturbing us at all :)	23:41
mou	just spend 6 hours to figure out root cause of my problem and feeling lil exhauseted :( because i don't understand why this patch wasn't accepted :(	23:41
morgan	mou: i just wish we had better news for you	23:41
mou	morgan: this patch is definitely good news for me :)))	23:42
mou	so i will go now and apply it :)	23:42
*** josecastroleon has joined #openstack-keystone		23:43
*** pleia2 has quit IRC		23:43
*** sudorandom has joined #openstack-keystone		23:43
*** mou has left #openstack-keystone		23:43
*** pleia2 has joined #openstack-keystone		23:43
morgan	dstanek: any experience with Pelican (static web site generator in python... like jekyll but... not)?	23:45
*** cburgess has joined #openstack-keystone		23:45
morgan	dstanek: i want to spin my personal website back up.	23:45
*** dobson has quit IRC		23:46
morgan	gyee: comments/thoughts welcome	23:46
*** trey has quit IRC		23:46
*** woodster_ has quit IRC		23:48
*** dobson has joined #openstack-keystone		23:49
*** trey has joined #openstack-keystone		23:51
gyee	morgan, I see one benefit, which is no service interruption	23:51
gyee	but why deprecate UUID?	23:51
morgan	the goal is to get our token validation to be 100% the same between the supported options	23:51
morgan	and retrofitting old UUID paths with fernet paths is a lot of work	23:52
morgan	easier (much easier) to pivot to hooking into the hard work done to make fernet what it is	23:52
morgan	and much cleaner	23:52
gyee	only difference is always require key management	23:52
morgan	this would be the "UUID" (in-db store) of tokens	23:52
morgan	exactly	23:52
gyee	it may scare people	23:52
morgan	and this can then exersize 100% of the code for fernet w/o keys	23:53
morgan	nah	23:53
morgan	no different than today's UUID for "Scary" wise	23:53
gyee	today's UUID does not require key management	23:53
shaleh	morgan: except for the Fernet is mildly complicatd for distributed keystones	23:53
gyee	key management put us into a whole new different realm, in terms of security and compliance	23:53
morgan	gyee: neither does UUIDMsgPack	23:53
morgan	it doesn't use the fernet keys at all	23:54
morgan	it stores the payload in the db	23:54
gyee	oh?	23:54
gyee	we have to option to not do fernet?	23:54
gyee	sorry I haven't look at the code yet	23:54
shaleh	jamielennox: I plan to play with your os-http tool. I have been using httpie. It almost looks like a baby version of httpie for OpenStack.	23:54
morgan	that is what this patch is :P	23:54
shaleh	morgan: it derives from Fernet though......	23:54
morgan	gyee: go look https://review.openstack.org/#/c/308063/	23:54
patchbot	morgan: patch 308063 - keystone - UUIDMsgPack Token Provider Added.	23:54
gyee	oh, in that case, it's a win	23:54
morgan	shaleh: it does derive all the validation work	23:55
* gyee goes back to RTFC		23:55
morgan	shaleh: it just changes instead of .fernet(payload) to .store_to_db()	23:55
morgan	and .get_from_db() instead of .decrypt()	23:55
*** browne has quit IRC		23:55
*** tqtran has quit IRC		23:56
*** tellesnobrega is now known as tellesnobrega_af		23:56
morgan	shaleh: streamlining and reducing divergent code paths that do (supposed to do) exactly the same thing is good.	23:56
gyee	that part I like	23:56
gyee	most definitely	23:56
gyee	security likes consistency and predictability	23:57
*** david-lyle_ is now known as david-lyle		23:57
* morgan might work on a security-ish project for my day job :P		23:57
lbragstad	rodrigods ping	23:57
morgan	ok... maybe i don't have a day job right now :P	23:57
*** browne has joined #openstack-keystone		23:58

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!