Wednesday, 2016-09-28

*** guoshan has quit IRC		00:02
*** roxanaghe has quit IRC		00:02
*** spzala_ has quit IRC		00:04
*** lujinluo has joined #openstack-keystone		00:04
*** agrebennikov has quit IRC		00:08
*** nicolasbock has quit IRC		00:09
*** edmondsw has quit IRC		00:11
*** ddieterly has quit IRC		00:13
*** aloga has quit IRC		00:15
*** guoshan has joined #openstack-keystone		00:16
*** markvoelker has joined #openstack-keystone		00:20
*** aloga has joined #openstack-keystone		00:23
*** markvoelker has quit IRC		00:25
*** adrian_otto has quit IRC		00:30
*** tqtran has quit IRC		00:31
*** ravelar1 has joined #openstack-keystone		00:32
*** markvoelker has joined #openstack-keystone		00:34
*** adrian_otto has joined #openstack-keystone		00:42
*** gyee has quit IRC		00:43
*** ddieterly has joined #openstack-keystone		00:46
*** adrian_otto has quit IRC		00:46
*** adrian_otto has joined #openstack-keystone		00:47
*** topol__ is now known as topol		00:55
*** ChanServ sets mode: +v topol		00:55
*** guoshan has quit IRC		01:00
*** ddieterly has quit IRC		01:01
*** adrian_otto1 has joined #openstack-keystone		01:06
*** adrian_otto has quit IRC		01:08
*** rvba` has quit IRC		01:10
*** rvba has joined #openstack-keystone		01:12
*** rvba has quit IRC		01:12
*** rvba has joined #openstack-keystone		01:12
*** davechen has joined #openstack-keystone		01:12
*** asettle has joined #openstack-keystone		01:14
openstackgerrit	Ron De Rose proposed openstack/keystone: Add revocation event indexes https://review.openstack.org/376523	01:17
*** asettle has quit IRC		01:19
*** guoshan has joined #openstack-keystone		01:20
*** ngupta has joined #openstack-keystone		01:26
*** lamt has joined #openstack-keystone		01:27
*** guoshan has quit IRC		01:29
openstackgerrit	Ron De Rose proposed openstack/keystone: Add revocation event indexes https://review.openstack.org/376523	01:29
*** lamt has quit IRC		01:31
openstackgerrit	Ron De Rose proposed openstack/keystone: WIP - Validate project exists and enabled directly https://review.openstack.org/378047	01:32
openstackgerrit	Ron De Rose proposed openstack/keystone: Add revocation event indexes https://review.openstack.org/376523	01:32
*** EinstCrazy has joined #openstack-keystone		01:35
*** haplo37_ has quit IRC		01:38
*** tonytan4ever has joined #openstack-keystone		01:46
*** ddieterly has joined #openstack-keystone		01:49
*** tonytan4ever has quit IRC		01:50
*** browne has quit IRC		01:51
*** ddieterly has quit IRC		01:52
openstackgerrit	Qiming Teng proposed openstack/keystone: Reorder APIs in api-ref doc for v3 users https://review.openstack.org/373660	01:56
openstackgerrit	Ron De Rose proposed openstack/keystone: Add revocation project event table https://review.openstack.org/378142	01:57
openstackgerrit	Ron De Rose proposed openstack/keystone: Add revocation project event table https://review.openstack.org/378142	01:58
openstackgerrit	Ron De Rose proposed openstack/keystone: Add revocation event indexes https://review.openstack.org/376523	02:02
openstackgerrit	Ron De Rose proposed openstack/keystone: Add revocation event indexes https://review.openstack.org/376523	02:04
openstackgerrit	Ron De Rose proposed openstack/keystone: Add revocation event indexes https://review.openstack.org/376523	02:09
*** ddieterly has joined #openstack-keystone		02:21
*** ddieterly has quit IRC		02:25
*** adrian_otto1 has quit IRC		02:25
openstackgerrit	Steve Martinelli proposed openstack/keystone: Tweak api-ref for v3 groups status codes https://review.openstack.org/367793	02:26
openstackgerrit	Ron De Rose proposed openstack/keystone: Add revocation project event table https://review.openstack.org/378142	02:28
openstackgerrit	Ron De Rose proposed openstack/keystone: Add revocation event indexes https://review.openstack.org/376523	02:29
openstackgerrit	Ron De Rose proposed openstack/keystone: Move revocation logic to SQL https://review.openstack.org/359371	02:31
openstackgerrit	Ron De Rose proposed openstack/keystone: Add revocation event indexes https://review.openstack.org/376523	02:40
openstackgerrit	Ron De Rose proposed openstack/keystone: Add revocation event indexes https://review.openstack.org/376523	02:41
*** browne has joined #openstack-keystone		02:42
*** ngupta has quit IRC		02:52
*** ngupta has joined #openstack-keystone		02:52
*** gagehugo has quit IRC		02:53
*** browne has quit IRC		02:53
*** david-lyle has quit IRC		03:04
*** spzala has joined #openstack-keystone		03:05
*** spzala has quit IRC		03:05
*** adrian_otto has joined #openstack-keystone		03:13
*** sdake_ has quit IRC		03:17
*** iurygregory_ has quit IRC		03:18
*** aswadr_ has joined #openstack-keystone		03:21
*** adrian_otto has quit IRC		03:26
*** adrian_otto has joined #openstack-keystone		03:26
*** tqtran has joined #openstack-keystone		03:30
*** tqtran has quit IRC		03:36
*** ravelar1 has quit IRC		03:37
*** roxanaghe has joined #openstack-keystone		03:38
*** sdake has joined #openstack-keystone		03:39
*** namnh has joined #openstack-keystone		03:41
*** ngupta has quit IRC		03:46
*** ngupta has joined #openstack-keystone		03:47
openstackgerrit	Ron De Rose proposed openstack/keystone: Move revocation logic to SQL https://review.openstack.org/359371	03:49
*** sdake_ has joined #openstack-keystone		03:50
*** ngupta has quit IRC		03:51
*** sdake has quit IRC		03:51
*** roxanaghe has quit IRC		03:52
*** adrian_otto has quit IRC		03:53
openstackgerrit	Nam Nguyen Hoai proposed openstack/keystone: Fix typo in docstring https://review.openstack.org/378218	03:58
*** roxanaghe has joined #openstack-keystone		03:59
*** dikonoo has joined #openstack-keystone		04:00
*** roxanaghe has quit IRC		04:23
openstackgerrit	Ron De Rose proposed openstack/keystone: Add revocation event indexes https://review.openstack.org/376523	04:23
openstackgerrit	Ron De Rose proposed openstack/keystone: Move revocation logic to SQL https://review.openstack.org/359371	04:24
openstackgerrit	Ron De Rose proposed openstack/keystone: Add revocation project event table https://review.openstack.org/378142	04:26
*** haplo37- has quit IRC		05:00
*** vaishali has joined #openstack-keystone		05:02
*** haplo37_ has joined #openstack-keystone		05:02
*** links has joined #openstack-keystone		05:09
*** links has quit IRC		05:15
*** links has joined #openstack-keystone		05:17
*** woodster_ has quit IRC		05:30
*** sdake_ has quit IRC		05:30
*** richm has quit IRC		05:40
*** jaosorior has joined #openstack-keystone		05:46
openstackgerrit	Dave Chen proposed openstack/keystone: Deprecate `endpoint_filter.sql` backend https://review.openstack.org/375931	06:13
*** rcernin has joined #openstack-keystone		06:14
openstackgerrit	Nam Nguyen Hoai proposed openstack/keystone: Fix typo in docstring https://review.openstack.org/378218	06:26
*** crinkle_ is now known as crinkle		06:33
*** pcaruana has joined #openstack-keystone		06:37
*** mrsoul has quit IRC		06:47
*** mrsoul has joined #openstack-keystone		06:48
*** jrist has joined #openstack-keystone		06:54
*** jrist has quit IRC		07:04
*** amoralej\|off is now known as amoralej		07:04
*** links has quit IRC		07:16
*** links has joined #openstack-keystone		07:45
*** ktychkova has joined #openstack-keystone		07:47
openstackgerrit	zhangyanxian proposed openstack/python-keystoneclient: Fix typos inconsistent with the guide lines https://review.openstack.org/378319	07:50
openstackgerrit	zhangyanxian proposed openstack/python-keystoneclient: Fix docstrings inconsistent with the guide lines https://review.openstack.org/378319	07:53
openstackgerrit	zhangyanxian proposed openstack/python-keystoneclient: Fix docstrings inconsistent with the guide lines https://review.openstack.org/378319	07:54
*** zzzeek has quit IRC		08:00
*** zzzeek has joined #openstack-keystone		08:01
*** sc68cal_ has joined #openstack-keystone		08:02
*** sc68cal has quit IRC		08:03
openstackgerrit	Dave Chen proposed openstack/keystone: Deprecate `endpoint_filter.sql` backend https://review.openstack.org/375931	08:08
*** links has quit IRC		08:21
*** pnavarro has joined #openstack-keystone		08:28
*** code-R has joined #openstack-keystone		08:29
*** code-R_ has joined #openstack-keystone		08:31
*** code-R has quit IRC		08:33
*** tqtran has joined #openstack-keystone		08:34
*** code-R_ has quit IRC		08:36
*** links has joined #openstack-keystone		08:37
*** tqtran has quit IRC		08:38
*** sdake has joined #openstack-keystone		08:41
*** sdake has quit IRC		08:42
*** jed56 has joined #openstack-keystone		08:45
*** openstackgerrit has quit IRC		08:48
*** openstackgerrit has joined #openstack-keystone		08:48
*** jamielennox is now known as jamielennox\|away		08:59
*** jorge_munoz has joined #openstack-keystone		09:00
*** dmellado_ is now known as dmellado		09:18
*** code-R has joined #openstack-keystone		09:38
*** amoralej is now known as amoralej\|out		09:40
openstackgerrit	Stephen Finucane proposed openstack/oslo.policy: Add sphinx extension to build sample policy https://review.openstack.org/376544	09:40
*** aswadr_ has quit IRC		09:42
*** haplo37_ has quit IRC		09:44
*** haplo37_ has joined #openstack-keystone		09:47
*** code-R_ has joined #openstack-keystone		09:49
*** code-R has quit IRC		09:52
openstackgerrit	Stephen Finucane proposed openstack/oslo.policy: doc: Add introduction to index page https://review.openstack.org/378490	09:57
openstackgerrit	Stephen Finucane proposed openstack/oslo.policy: Add sphinx extension to build sample policy https://review.openstack.org/376544	09:59
openstackgerrit	Boris Bobrov proposed openstack/keystone: Remove support for PKI and PKIz tokens https://review.openstack.org/374479	10:07
*** EinstCrazy has quit IRC		10:08
*** EinstCrazy has joined #openstack-keystone		10:08
*** richm has joined #openstack-keystone		10:10
*** lujinluo has quit IRC		10:13
*** EinstCrazy has quit IRC		10:13
*** davechen has left #openstack-keystone		10:20
*** nicolasbock has joined #openstack-keystone		10:38
*** links has quit IRC		10:53
*** links has joined #openstack-keystone		11:02
*** asettle has joined #openstack-keystone		11:17
*** namnh has quit IRC		11:31
openstackgerrit	Merged openstack/keystone: Reorder APIs in api-ref doc for v3 users https://review.openstack.org/373660	11:32
*** pnavarro has quit IRC		11:46
*** jrist has joined #openstack-keystone		11:49
*** markvoelker has quit IRC		11:53
*** sdake has joined #openstack-keystone		12:02
*** haplo37_ has quit IRC		12:05
*** haplo37_ has joined #openstack-keystone		12:07
*** edmondsw has joined #openstack-keystone		12:09
samueldmq	morning keystone	12:23
*** jamielennox\|away is now known as jamielennox		12:29
openstackgerrit	Dave Chen proposed openstack/keystone: Remove the check for admin token in build_auth_context middleware https://review.openstack.org/378588	12:40
*** amoralej\|out is now known as amoralej		12:46
*** rodrigods has quit IRC		12:47
*** rodrigods has joined #openstack-keystone		12:47
*** pnavarro has joined #openstack-keystone		12:52
openstackgerrit	Dave Chen proposed openstack/keystone: Remove the check for admin token in build_auth_context middleware https://review.openstack.org/378588	12:54
*** markvoelker has joined #openstack-keystone		12:55
*** vaishali has quit IRC		12:56
*** david-lyle has joined #openstack-keystone		12:57
stevemar	o/	13:03
openstackgerrit	Qiming Teng proposed openstack/keystone: Tweak api-ref for v3 groups status codes https://review.openstack.org/367793	13:05
*** woodster_ has joined #openstack-keystone		13:13
openstackgerrit	Qiming Teng proposed openstack/keystone: Tweak api-ref for v3 groups status codes https://review.openstack.org/367793	13:16
*** aswadr_ has joined #openstack-keystone		13:18
*** jaosorior has quit IRC		13:20
*** jaosorior has joined #openstack-keystone		13:21
*** agrebennikov has joined #openstack-keystone		13:36
*** links has quit IRC		13:38
*** tonytan4ever has joined #openstack-keystone		13:40
*** roxanaghe has joined #openstack-keystone		13:43
*** roxanaghe has quit IRC		13:45
*** ngupta has joined #openstack-keystone		13:45
*** ngupta has quit IRC		13:45
*** ngupta has joined #openstack-keystone		13:45
*** vkramskikh has joined #openstack-keystone		13:47
*** asettle has quit IRC		13:48
openstackgerrit	Ron De Rose proposed openstack/keystone: Remove deprecated code from core https://review.openstack.org/378637	13:52
*** ddieterly has joined #openstack-keystone		13:52
openstackgerrit	Ron De Rose proposed openstack/keystone: Remove deprecated code from core https://review.openstack.org/378637	13:52
openstackgerrit	Lance Bragstad proposed openstack/keystone: Ensure all v2.0 tokens are validated the same way https://review.openstack.org/372655	13:55
*** woodburn has quit IRC		13:57
*** woodburn has joined #openstack-keystone		13:59
*** gagehugo has joined #openstack-keystone		14:01
dstanek	morning stevemar	14:03
*** gagehugo has quit IRC		14:06
*** adrian_otto has joined #openstack-keystone		14:09
*** haplo37_ has quit IRC		14:10
openstackgerrit	Merged openstack/keystonemiddleware: Use method constant_time_compare from oslo.utils https://review.openstack.org/376235	14:10
*** gsilvis has quit IRC		14:11
*** haplo37_ has joined #openstack-keystone		14:13
*** gagehugo has joined #openstack-keystone		14:13
*** pnavarro has quit IRC		14:14
*** chris_hultin\|AWA is now known as chris_hultin		14:18
stevemar	dstanek: you coming to barcelona right?	14:21
*** raildo has joined #openstack-keystone		14:21
*** marekd2 has joined #openstack-keystone		14:22
stevemar	rderose: i put up https://review.openstack.org/#/c/375928/ earlier	14:25
stevemar	rderose: as an FYI, since you just put up https://review.openstack.org/#/c/378637/2 :)	14:25
*** gsilvis has joined #openstack-keystone		14:28
dstanek	stevemar: sadly i am not	14:35
dstanek	...errr. sadly may not be the correct word :-)	14:35
*** ravelar has joined #openstack-keystone		14:35
rderose	stevemar: ah, you beat me to it	14:36
rderose	stevemar: cool, I'll abandon mine	14:37
dstanek	stevemar: that's actually the main reason i didn't run for PTL again this cycle	14:37
*** AlexeyAbashkin has joined #openstack-keystone		14:38
*** spzala has joined #openstack-keystone		14:38
*** dikonoo has quit IRC		14:39
*** jorge_munoz_ has joined #openstack-keystone		14:39
*** jorge_munoz has quit IRC		14:41
*** jorge_munoz_ is now known as jorge_munoz		14:41
*** mah has left #openstack-keystone		14:42
openstackgerrit	Ron De Rose proposed openstack/keystone: Remove deprecated code from core https://review.openstack.org/378637	14:44
openstackgerrit	Ron De Rose proposed openstack/keystone: Remove deprecated auth core https://review.openstack.org/378637	14:45
*** adrian_otto has quit IRC		14:50
openstackgerrit	Lance Bragstad proposed openstack/keystone: Make test_v3_auth exercise the whole API https://review.openstack.org/378681	14:55
*** ddieterly has quit IRC		14:56
*** ddieterly has joined #openstack-keystone		14:56
*** Guest78091 is now known as redrobot		14:59
*** adrian_otto has joined #openstack-keystone		15:01
rodrigods	rderose, so... for the password uniqueness requirement, if it is set to 2, and i try to update using the current password, should it work?	15:01
rderose	rodrigods: it you try to change it to the current password, then no, it should fail	15:04
*** rcernin has quit IRC		15:04
rderose	rodrigods: https://github.com/openstack/keystone/blob/master/keystone/tests/unit/identity/test_backend_sql.py#L168	15:06
stevemar	rderose: i left a few questions in the review :\	15:06
*** tonytan_brb has joined #openstack-keystone		15:06
openstackgerrit	Steve Martinelli proposed openstack/keystone: remove stable driver interfaces https://review.openstack.org/375928	15:07
rderose	stevemar: which patch?	15:07
stevemar	rderose: ^ the stable driver one, check the n-1 patch set	15:08
*** ayoung_ has joined #openstack-keystone		15:09
*** tonytan4ever has quit IRC		15:09
*** ayoung_ is now known as ayoung		15:11
stevemar	going to update to sierra	15:11
stevemar	!!	15:11
openstack	stevemar: Error: "!" is not a valid command.	15:11
*** ashyoung has joined #openstack-keystone		15:12
rderose	stevemar: responded to your comments	15:14
rderose	stevemar: if you are removing the other versions (v8, v9), then the base version should contain all of the method signatures	15:15
rodrigods	rderose, hmm i have a test where i don't change to a new one, it try to change using the current one	15:19
rodrigods	and it updates	15:19
rodrigods	just don't know if should be the expected behavior, or not	15:19
rodrigods	rderose, see line 88: https://review.openstack.org/#/c/378624/1/tempest/scenario/test_security_compliance.py	15:20
*** dikonoo has joined #openstack-keystone		15:22
*** xek__ has joined #openstack-keystone		15:23
rderose	rodrigods: where is CONF.identity.user_unique_last_passwords_count getting set?	15:23
rderose	and are you sure it's greater than 1 when it hits this test?	15:23
*** xek_ has quit IRC		15:25
*** nk2527 has quit IRC		15:55
stevemar	rderose: cool, i'll update	15:58
stevemar	rderose: or you can, if you're feeling eager :P	15:58
stevemar	yay upgrading to sierra didn't blow things up	15:59
knikolla	mac upgrades are boring	15:59
stevemar	considering i was at n-2, i was a bit worried :P	15:59
stevemar	knikolla: not like openstack upgrades :P	15:59
*** tonytan_brb is now known as tonytan4ever		15:59
rderose	:)	16:00
knikolla	still better than android phones	16:00
rderose	stevemar: yeah, I'll update it	16:01
*** lamt has joined #openstack-keystone		16:03
*** ashyoung has quit IRC		16:03
*** gyee has joined #openstack-keystone		16:07
stevemar	rderose: coolio	16:08
*** browne has joined #openstack-keystone		16:11
rodrigods	rderose, yes, it is set in tempest.conf (same value as in keystone.conf) and the call is made	16:11
*** roxanaghe has joined #openstack-keystone		16:11
rodrigods	and succeeds	16:12
rodrigods	let me try to modify the test you sent so i can confirm the behavior	16:12
rderose	okay	16:12
*** nk2527 has joined #openstack-keystone		16:14
*** ddieterly is now known as ddieterly[away]		16:18
*** jamielennox is now known as jamielennox\|away		16:21
*** Guest46101 is now known as mgagne		16:21
*** mgagne has quit IRC		16:21
*** mgagne has joined #openstack-keystone		16:21
*** ddieterly[away] is now known as ddieterly		16:22
*** jaosorior has quit IRC		16:27
*** jrist has quit IRC		16:28
*** haplo37_ has quit IRC		16:29
*** haplo37_ has joined #openstack-keystone		16:31
lbragstad	stevemar dstanek question for you	16:35
*** ravelar has quit IRC		16:37
*** frontrunner has quit IRC		16:41
lbragstad	stevemar dstanek we seem to have test_v2.py and test_auth.py - the tests in test_v2.py seem to be restful and the tests in test_auth.py call directly into specific provider methods	16:42
lbragstad	they both do a bunch of testing against the v2.0 token API	16:42
lbragstad	do we want to consolidate them into a single module?	16:43
lbragstad	I'd like to remove as much of the self.token_provider_api calls from the tests as I can	16:43
*** code-R_ has quit IRC		16:45
*** richm has quit IRC		16:50
*** adrian_otto has quit IRC		16:54
lbragstad	lunch!	16:55
*** code-R has joined #openstack-keystone		16:56
*** adrian_otto has joined #openstack-keystone		16:59
openstackgerrit	OpenStack Proposal Bot proposed openstack/pycadf: Updated from global requirements https://review.openstack.org/378880	17:00
openstackgerrit	OpenStack Proposal Bot proposed openstack/python-keystoneclient: Updated from global requirements https://review.openstack.org/378887	17:00
openstackgerrit	OpenStack Proposal Bot proposed openstack/python-keystoneclient-kerberos: Updated from global requirements https://review.openstack.org/373686	17:00
*** richm has joined #openstack-keystone		17:01
openstackgerrit	Ron De Rose proposed openstack/keystone: remove stable driver interfaces https://review.openstack.org/375928	17:04
*** slberger has joined #openstack-keystone		17:08
*** ddieterly is now known as ddieterly[away]		17:15
*** slberger has quit IRC		17:18
openstackgerrit	Ron De Rose proposed openstack/keystone: Remove stable driver interfaces https://review.openstack.org/375928	17:18
rderose	stevemar: done ^	17:20
rderose	too much work to break it up, but fixed the abstract base class problems	17:25
*** sc68cal_ is now known as sc68cal		17:27
*** aswadr_ has quit IRC		17:42
dstanek	lbragstad: i wouldn't - i'd leave REST in one module and the other tests in another	17:43
dstanek	maybe a rename would make it clearer though	17:43
dstanek	test_v2.py is actually v2 API testing right? not v2 tokens	17:44
*** dikonoo has quit IRC		17:45
stevemar	lbragstad: i agree with dstanek, it's not uncommon for us to test the REST call as a whole, and the provider / backend	17:49
bknudson	yes, let's have "functional" tests going through the API and component tests for each of the components	17:50
*** gagehugo has quit IRC		17:50
bknudson	that will make it easier to maintain the tests since hopefully the reason for failure will be more obvious since they're testing less code	17:50
*** marekd2 has quit IRC		17:50
*** marekd2 has joined #openstack-keystone		17:51
stevemar	ayoung: jamielennox\|away is it time to retire python-keystoneclient-kerberos? are you satisfied with the move to keystoneauth now?	17:53
*** adrian_otto has quit IRC		17:54
*** adrian_otto has joined #openstack-keystone		17:55
*** marekd2 has quit IRC		17:55
openstackgerrit	Andrew Laski proposed openstack/oslo.policy: Update docs on policy sample generator https://review.openstack.org/374232	17:55
*** adrian_otto has quit IRC		17:55
ayoung	stevemar, kill it when we end support for the last version of Keystone that still requires it	17:56
ayoung	I think that is Mitaka?	17:56
lbragstad	stevemar dstanek makes sense	17:58
*** adrian_otto has joined #openstack-keystone		17:59
lbragstad	dstanek stevemar so we will leave test_v2.py as the API tests	18:00
lbragstad	dstanek stevemar and leave test_auth.py as the provider tests	18:00
lbragstad	dstanek stevemar I would love to rename these...	18:01
stevemar	lbragstad: rename them then	18:01
lbragstad	stevemar cool	18:01
bknudson	provider tests should be in http://git.openstack.org/cgit/openstack/keystone/tree/keystone/tests/unit/token/test_provider.py	18:01
lbragstad	what about v2 provider tests versus v3 provider tests?	18:01
lbragstad	should they all be in test_provider.py?	18:02
*** asettle has joined #openstack-keystone		18:02
bknudson	there's no separate code files for v2 providers vs v3 providers so they should be in the same unit test file	18:02
openstackgerrit	Merged openstack/ldappool: Updated from global requirements https://review.openstack.org/378835	18:02
stevemar	ayoung: no version of keystone required it... let me see	18:04
ayoung	stevemar, let me rephrase	18:04
*** gagehugo has joined #openstack-keystone		18:04
ayoung	support it as long as there are versions of nova, etc shipped with versions of kc code that requires it	18:04
stevemar	ayoung: i think only horizon had support for it, specifically doa-kerb	18:06
stevemar	ayoung: and that project looks unmaintained	18:07
stevemar	ayoung: and no one updated django_openstack_auth to use keystoneauth	18:07
ayoung	stevemar, Nah, you have to assume that nova calling keystone and using it, or some other path. But it can got with Mitaka, I think	18:07
*** asettle__ has joined #openstack-keystone		18:09
*** asettle has quit IRC		18:10
*** ddieterly[away] is now known as ddieterly		18:12
*** tqtran has joined #openstack-keystone		18:14
*** chris_hultin is now known as chris_hultin\|AWA		18:14
*** amoralej is now known as amoralej\|off		18:15
*** chris_hultin\|AWA is now known as chris_hultin		18:18
*** tqtran has quit IRC		18:18
stevemar	henrynash: if you would be so kind to review https://review.openstack.org/#/c/375928/7	18:20
stevemar	ayoung: i will send a note	18:20
stevemar	ayoung: i want to retire both doa-kerb and ksc-kerb, or at least have a plan for that	18:21
stevemar	ksc-kerb has been integrated into ksa	18:21
stevemar	doa uses keystoneauth	18:21
stevemar	but i don't know if it knows how to load kerberos specific bits	18:21
stevemar	at which point, we should properly deprecate doa-kerb, as it's not	18:22
*** asettle has joined #openstack-keystone		18:22
stevemar	then remove both repos	18:22
*** asettle__ has quit IRC		18:25
*** spilla has joined #openstack-keystone		18:26
ayoung	stevemar, yes, doakerb should probably go away. Anyone doing Kerb should probably go with a Federation based solution	18:28
ayoung	Especially for Horizon	18:28
*** ddieterly is now known as ddieterly[away]		18:33
stevemar	ayoung: i lack the history on why doakerb was created in the first place	18:34
ayoung	stevemar, http://adam.younglogic.com/2014/05/keystoneclient-s4u2proxy/	18:35
ayoung	I have all the history	18:35
*** ravelar has joined #openstack-keystone		18:35
ayoung	http://adam.younglogic.com/2014/05/s4u2proxy-horizon/ is alittle bit more on the history	18:36
*** woodster_ has quit IRC		18:40
*** chris_hultin is now known as chris_hultin\|AWA		18:43
*** sdake has quit IRC		18:46
*** asettle__ has joined #openstack-keystone		18:49
*** slberger has joined #openstack-keystone		18:49
*** asettle has quit IRC		18:50
*** slberger has quit IRC		19:01
*** hogepodge has quit IRC		19:01
*** spzala has quit IRC		19:01
*** tqtran has joined #openstack-keystone		19:06
rodrigods	rderose, around?	19:11
*** spilla has quit IRC		19:13
*** hoonetorg has quit IRC		19:14
*** ddieterly[away] is now known as ddieterly		19:14
openstackgerrit	Merged openstack/keystoneauth: Updated from global requirements https://review.openstack.org/378827	19:14
*** gyee has quit IRC		19:16
rodrigods	rderose, can you try to reproduce this http://paste.openstack.org/show/583366/ ?	19:16
*** slberger has joined #openstack-keystone		19:18
*** tqtran has quit IRC		19:26
*** nk2527 has quit IRC		19:26
*** xenogear has quit IRC		19:26
*** tqtran has joined #openstack-keystone		19:31
*** nk2527 has joined #openstack-keystone		19:31
*** hoonetorg has joined #openstack-keystone		19:31
openstackgerrit	Rodrigo Duarte proposed openstack/keystone: Improve password change req tests https://review.openstack.org/378933	19:31
*** xenogear has joined #openstack-keystone		19:32
*** sdake has joined #openstack-keystone		19:34
openstackgerrit	Merged openstack/pycadf: Updated from global requirements https://review.openstack.org/378880	19:48
openstackgerrit	Merged openstack/keystone: Updated from global requirements https://review.openstack.org/378825	19:54
*** code-R has quit IRC		19:59
*** spzala has joined #openstack-keystone		20:01
stevemar	rderose: about the stable patch, why don't those methods need to go into base?	20:01
*** chris_hultin\|AWA is now known as chris_hultin		20:04
*** spzala has quit IRC		20:07
*** ddieterly is now known as ddieterly[away]		20:09
rderose	stevemar: responded to your comments, none of the v8 methods need to come over	20:10
rderose	should be good	20:10
*** asettle__ has quit IRC		20:15
*** ddieterly[away] is now known as ddieterly		20:17
stevemar	rderose: i see the comment, but why don't they need to come over :)	20:18
rderose	stevemar: they were either replaced or removed in v9	20:21
rderose	both v8 and v9 inherit from the base class	20:22
rderose	or did anyway	20:22
*** roxanaghe has quit IRC		20:22
*** tonytan4ever has quit IRC		20:23
rderose	stevemar: and the sql.py backend implemented v9	20:23
openstackgerrit	Lance Bragstad proposed openstack/keystone: Make test_v3_auth exercise the whole API https://review.openstack.org/378681	20:23
rderose	stevemar: so v8 was only there to support driver versioning	20:24
*** ddieterly is now known as ddieterly[away]		20:34
*** ddieterly[away] is now known as ddieterly		20:34
*** jorge_munoz has quit IRC		20:34
openstackgerrit	Merged openstack/python-keystoneclient: Updated from global requirements https://review.openstack.org/378887	20:34
*** jorge_munoz has joined #openstack-keystone		20:35
openstackgerrit	Merged openstack/oslo.policy: Updated from global requirements https://review.openstack.org/378875	20:37
*** adrian_otto has quit IRC		20:37
*** ddieterly is now known as ddieterly[away]		20:43
*** jamielennox\|away is now known as jamielennox		20:45
*** slberger has quit IRC		20:48
*** spzala has joined #openstack-keystone		20:49
*** spzala has quit IRC		20:53
*** jlopezgu has left #openstack-keystone		20:57
*** ngupta has quit IRC		20:57
*** tqtran_ has joined #openstack-keystone		20:57
*** ngupta has joined #openstack-keystone		20:57
*** slberger has joined #openstack-keystone		20:58
*** raildo has quit IRC		20:58
*** tqtran has quit IRC		20:59
*** tqtran_ has quit IRC		21:04
*** spzala has joined #openstack-keystone		21:04
*** ngupta has quit IRC		21:04
*** ngupta has joined #openstack-keystone		21:04
openstackgerrit	ayoung proposed openstack/keystone-specs: Fetch Policy by Tag https://review.openstack.org/298788	21:05
ayoung	OK...I should have thought of ^^ years ago	21:05
*** ddieterly[away] is now known as ddieterly		21:06
*** tqtran has joined #openstack-keystone		21:06
*** ravelar has quit IRC		21:09
*** slberger has quit IRC		21:12
rodrigods	stevemar, rderose https://bugs.launchpad.net/keystone/+bug/1628692	21:14
openstack	Launchpad bug 1628692 in OpenStack Identity (keystone) "Password history constraints not enforced via /v3/users/<user_id>/password path" [Undecided,New]	21:14
rderose	rodrigods: just so I'm understanding...	21:17
rderose	rodrigods: you created a user with 12345 password and then changed it to qwerty, correct?	21:18
rodrigods	rderose, right	21:18
rodrigods	and them back to 12345	21:18
rodrigods	then*	21:18
rderose	rodrigods: that should be okay	21:18
rderose	hmm...	21:19
rodrigods	rderose, the "change_password" backend method doesn't call the _validate_password_history()	21:19
rderose	rodrigods: ahhhhhhhhhhhhhhhhhhhhh	21:21
rderose	rodrigods: darn, my bad	21:21
rodrigods	rderose, i wonder why we don't have a common method to change password	21:21
rderose	rodrigods: yeah, nice catch	21:22
rderose	I added change_password to the backend; missed this	21:22
*** roxanaghe has joined #openstack-keystone		21:22
rderose	while they both change passwords (change_password, update_user), they have different business logic	21:22
rderose	rodrigods: change_password is intended to be self-service	21:23
rderose	whereas update_user is admin reset	21:23
rderose	but yeah, need a common method here	21:23
rodrigods	rderose, ++	21:23
rderose	rodrigods: anyway, nice catch	21:23
*** tonytan4ever has joined #openstack-keystone		21:23
*** edmondsw has quit IRC		21:25
rodrigods	rderose, would be nice to start requiring functional/integration tests for new features	21:25
rodrigods	maybe it is something for us to bring in barcelona since ocata won't be a "feature heavy" cycle	21:25
*** slberger has joined #openstack-keystone		21:26
*** tonytan4ever has quit IRC		21:28
*** hogepodge has joined #openstack-keystone		21:28
*** chris_hultin is now known as chris_hultin\|AWA		21:31
rderose	rodrigods: yeah	21:32
*** slberger has left #openstack-keystone		21:36
*** ngupta_ has joined #openstack-keystone		21:37
*** ngupta has quit IRC		21:40
*** ngupta_ has quit IRC		21:42
lbragstad	interesting - apparently our token provider api has a revoke_token() method, which accepts a revoke_chain kwarg - but it doesn't look like we use it in either the v2.0 or v3 token controllers	21:43
*** spzala has quit IRC		21:44
openstackgerrit	Ron De Rose proposed openstack/keystone: Validate password history for self service password changes https://review.openstack.org/379018	21:59
openstackgerrit	Ron De Rose proposed openstack/keystone: Validate password history for self-service password changes https://review.openstack.org/379018	22:00
*** lamt has quit IRC		22:09
*** tqtran has quit IRC		22:09
*** tqtran has joined #openstack-keystone		22:11
*** tonytan4ever has joined #openstack-keystone		22:23
openstackgerrit	Ron De Rose proposed openstack/keystone: Validate password history for self-service password changes https://review.openstack.org/379018	22:24
*** agrebennikov has quit IRC		22:26
*** markvoelker has quit IRC		22:36
morgan	lbragstad: we didn't implement it because of issues with long running tasks	22:50
morgan	lbragstad: it was added more for future proofing and/or internal chain revokes	22:50
*** tonytan4ever has quit IRC		22:51
morgan	lbragstad: at one point we did use it internally but i can't remember when	22:51
morgan	rderose: to be honest, admin set of password should be exempt from password restrictions	22:52
morgan	rderose: most cases if an admin is setting the password, you don't validate history etc.	22:52
morgan	rderose: so I'd say it shouldn't have a common password set method that does all the same business logic	22:52
rderose	morgan: hmm... good point	22:52
morgan	in fact, i am near certain we discussed this	22:53
morgan	and why it isn't checking history there ;)	22:53
rderose	morgan: it is checking password history for admin reset; wasn't checking for self-service	22:53
morgan	we should invert that	22:53
rderose	morgan: I'll throw up a patch to do that	22:54
rderose	morgan: makes sense	22:54
morgan	++	22:54
jamielennox	stevemar, dolphm, ayoung: for fetching an expired token we said that we would want to only do it when a X-Service-Token was also specified	22:54
morgan	yeah admin reset is a special case. it does mean admins can set their own passwords to whatever --- ignoring the rules. but that is a people problem not a tech problem	22:54
jamielennox	does this (X-Service-Token) seem like something we would actually want to enforce at the keystone level	22:55
jamielennox	or is it sufficient to pass a ?expired=True flag to keystone and enforce the service token in middleware?	22:55
morgan	jamielennox: i'd say it's fine for anyone who is allowed to validate a token to ask for expiry exception	22:55
jamielennox	i'm not sure i see a problem with people asking for an expired token if they flag it	22:55
rderose	morgan: yeah	22:56
openstackgerrit	Rodrigo Duarte proposed openstack/keystone: Improve password history constraint tests https://review.openstack.org/378933	22:56
*** sdake has quit IRC		22:56
jamielennox	morgan: yea, so long as we don't break compat i'm not sure i see any security issues to this	22:56
morgan	jamielennox: if someone wants to restrict it, let them restrict validation to x-service-token. but there is no reason you cannot validate a token that is expired	22:56
morgan	jamielennox: exactly	22:56
morgan	jamielennox: just make sure it's documented clearly	22:56
jamielennox	morgan: well it's a matter of whether we send x-service-token from auth_token -> keystone	22:56
morgan	jamielennox: don't add the restriction in keystone	22:57
morgan	let it be a policy thing and let KSM send x-service-token (iirc we can do that today)	22:57
morgan	but it shouldn't be a hard requirment to have x-service-token	22:57
jamielennox	so auth_token will validate the service token, and we can say that you only add the ?expired flag if the service token is valid	22:58
jamielennox	that has to be in place at the auth_token level	22:58
jamielennox	but we don't submit the X-Service-token to keystone when validating the X-Subject-Token	22:58
morgan	we probably should make it so KSM can always submit an x-service-token	22:59
morgan	but we should not require it for expired tokens	22:59
*** ddieterly has quit IRC		22:59
jamielennox	morgan: we might be talking cross purposes	22:59
morgan	jamielennox: nope.	22:59
jamielennox	if you submit an x-service-token to auth_token middleware it will validate it	22:59
morgan	jamielennox: right now, don't require it	22:59
morgan	just don't require for expired tokens	22:59
morgan	at all	22:59
jamielennox	however it does that as a normal token vlaidation	22:59
morgan	look at options if we need to lock it down in the future	23:00
jamielennox	it does not send the X-Service-Token to keystone along with the X-Auth-Token	23:00
morgan	but i don't think we need to	23:00
jamielennox	if we added the restriction in keystone then we would have to make it send both, but i think you're right (and it was the way i was going) that there's no reason to add that to keystone level	23:01
morgan	if we need to add teh ability for that restriction later... we can explore the options	23:01
morgan	i highly doubt it will ever come up outside of this conversation ;)	23:02
jamielennox	so the restriction has to exist, we just have to decide where to enforce it	23:02
jamielennox	heh, yea, no one cares	23:02
openstackgerrit	Ron De Rose proposed openstack/keystone: Validate password history for self-service password changes https://review.openstack.org/379018	23:04
openstackgerrit	Ron De Rose proposed openstack/keystone: Remove password history validation from admin password resets https://review.openstack.org/379030	23:06
openstackgerrit	Ron De Rose proposed openstack/keystone: WIP - Remove password history validation from admin password resets https://review.openstack.org/379030	23:07
openstackgerrit	Merged openstack/oslo.policy: Update docs on policy sample generator https://review.openstack.org/374232	23:07
*** tqtran_ has joined #openstack-keystone		23:13
*** tqtran has quit IRC		23:14
*** nicolasbock has quit IRC		23:17
*** tqtran_ has quit IRC		23:18
jamielennox	stevemar: realistically the only thing that should override the auth_token implementation is keystone, so if i fix the keystone side first can i just make a slight API change to auth_token?	23:24
jamielennox	or do i need to do a whole API workaroudn thign	23:24
*** sdake has joined #openstack-keystone		23:32
openstackgerrit	Jamie Lennox proposed openstack/keystonemiddleware: Specify that unknown arguments can be passed to fetch_token https://review.openstack.org/379034	23:33
openstackgerrit	Jamie Lennox proposed openstack/keystone: Ignore unknown arguments to fetch_token https://review.openstack.org/379035	23:34
*** sdake_ has joined #openstack-keystone		23:35
*** markvoelker has joined #openstack-keystone		23:37
*** sdake has quit IRC		23:38
*** markvoelker has quit IRC		23:41
*** marekd2_ has joined #openstack-keystone		23:53
*** marekd2_ has quit IRC		23:57
*** roxanaghe has quit IRC		23:58

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!