Monday, 2016-10-17

*** haplo37_ has quit IRC		00:12
*** haplo37_ has joined #openstack-keystone		00:14
*** _d34dh0r53_ is now known as d34dh0r53		00:18
*** markvoelker_ has quit IRC		00:18
*** hoangcx has joined #openstack-keystone		00:39
*** david_cu has joined #openstack-keystone		00:55
*** guoshan has quit IRC		00:57
openstackgerrit	George Tian proposed openstack/keystone: Code cleanup https://review.openstack.org/384798	01:07
*** guoshan has joined #openstack-keystone		01:22
*** wangqun has joined #openstack-keystone		01:37
*** davechen has joined #openstack-keystone		01:50
*** wangqun_ has joined #openstack-keystone		02:45
*** wangqun has quit IRC		02:47
*** code-R has joined #openstack-keystone		03:06
*** kiran-r has joined #openstack-keystone		03:12
openstackgerrit	Dave Chen proposed openstack/keystone: [api-ref] Fix couple of issues on OS-INHERIT API https://review.openstack.org/387129	03:15
davechen	rodrigods: low handing fruit after reviewing your patch ;)	03:17
*** code-R_ has joined #openstack-keystone		03:17
*** code-R has quit IRC		03:18
*** code-R_ has quit IRC		03:18
*** code-R has joined #openstack-keystone		03:18
*** kiran-r has quit IRC		03:29
*** chlong has joined #openstack-keystone		03:30
*** kiran-r has joined #openstack-keystone		03:39
*** code-R has quit IRC		03:44
*** dave-mccowan has quit IRC		03:51
*** code-R has joined #openstack-keystone		04:04
openstackgerrit	OpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements https://review.openstack.org/387138	04:06
*** guoshan has quit IRC		04:07
*** TonyXu has joined #openstack-keystone		04:09
*** adriant has quit IRC		04:34
openstackgerrit	ayoung proposed openstack/keystone: Refactor assert_admin move to authorization https://review.openstack.org/387151	04:59
openstackgerrit	ayoung proposed openstack/keystone: Refactor Authorization move _build_policy_check_credentials to authorization.py https://review.openstack.org/387152	04:59
openstackgerrit	ayoung proposed openstack/keystone: Move more authorization functions to authorization.py https://review.openstack.org/387153	04:59
openstackgerrit	ayoung proposed openstack/keystone: Refactor authorization move filterprotected to authorization.py https://review.openstack.org/387154	04:59
openstackgerrit	ayoung proposed openstack/keystone: moved get_token_ref to authorization https://review.openstack.org/387155	04:59
openstackgerrit	ayoung proposed openstack/keystone: Refactoring authorization. Merge logic into check_policy, made decorator functions identical https://review.openstack.org/387156	04:59
openstackgerrit	ayoung proposed openstack/keystone: Refactoring Authorization. Unified decorator functions. https://review.openstack.org/387157	04:59
openstackgerrit	ayoung proposed openstack/keystone: Refactor Authorization: Pep8 cleanup https://review.openstack.org/387158	04:59
*** sheel has joined #openstack-keystone		05:00
openstackgerrit	ayoung proposed openstack/keystone: Refactor Authorziation: https://review.openstack.org/387161	05:03
openstackgerrit	Praveen N proposed openstack/keystone: changed domain id to name in JSON request https://review.openstack.org/387162	05:06
openstackgerrit	ayoung proposed openstack/keystone: Refactor Authorization: https://review.openstack.org/387161	05:06
openstackgerrit	Jamie Lennox proposed openstack/keystone: Allow fetching an expired token https://review.openstack.org/382098	05:15
*** gsilvis has quit IRC		05:17
*** qwertyco has joined #openstack-keystone		05:29
*** gsilvis has joined #openstack-keystone		05:35
*** jaosorior has joined #openstack-keystone		05:48
*** rcernin has joined #openstack-keystone		06:06
openstackgerrit	Merged openstack/keystone: Updated from global requirements https://review.openstack.org/387138	06:19
breton	morning, keystone	06:33
*** LiYuenan has joined #openstack-keystone		06:37
LiYuenan	Hello everyone! I am Yuenan Li. I have a question about keystone fernet key. When I deploy keystone, did I need initialize Fernet key repositories in all controller nodes? And how about bootstrap the Identity service?	06:40
breton	you need to initialize fernet key repo on 1 controller node and then copy the keys to all other nodes.	06:44
breton	i don't understand the question about bootstrap :)	06:44
LiYuenan	did i need bootstrap in a controller node or in every controller nodes?	06:46
odyssey4me	LiYuenan just one - all the bootstrap does it setup the initial admin role, service, etc so that you can from then on interact with the API	06:53
*** aloga has joined #openstack-keystone		06:57
LiYuenan	Oh. When I deploy openstack newton keystone, I find that mitaka only need initialize Fernet key repositories once:# keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone But newton need twice	06:58
LiYuenan	# keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone	06:59
LiYuenan	# keystone-manage credential_setup --keystone-user keystone --keystone-group keystone	06:59
*** tesseract has joined #openstack-keystone		07:03
*** tesseract is now known as Guest21077		07:04
davechen	LiYuenan: since in newton we use fernet key for credential encryption, the second command you list above.	07:04
LiYuenan	I appreciate your help :)	07:06
*** amoralej\|off is now known as amoralej		07:16
*** kiran-r has quit IRC		07:27
*** openstackgerrit has quit IRC		07:34
*** openstackgerrit has joined #openstack-keystone		07:34
LiYuenan	davechen: When I run #keystone-manage credential_setup --keystone-user keystone --keystone-group keystone	07:47
LiYuenan	usage: keystone-manage [bootstrap\|db_sync\|db_version\|domain_config_upload\|fernet_rotate\|fernet_setup\|mapping_purge\|mapping_engine\|pki_setup\|saml_idp_metadata\|ssl_setup\|token_flush]	07:47
LiYuenan	keystone-manage: error: argument command: invalid choice: 'credential_setup' (choose from 'bootstrap', 'db_sync', 'db_version', 'domain_config_upload', 'fernet_rotate', 'fernet_setup', 'mapping_purge', 'mapping_engine', 'pki_setup', 'saml_idp_metadata', 'ssl_setup', 'token_flush')	07:47
davechen	LiYuenan: update your code base.	07:51
*** rvba has quit IRC		07:54
LiYuenan	I	07:54
LiYuenan	davechen: I will try in a docker	07:55
LiYuenan	davechen: I should copy /etc/keystone/fernet-keys to other controller nodes?	07:56
*** zzzeek has quit IRC		08:00
*** zzzeek has joined #openstack-keystone		08:01
*** qwertyco has quit IRC		08:10
davechen	LiYuenan: I haven't try it in the doker with multiple controller, but I think you should do that.	08:19
*** TonyXu has quit IRC		08:20
*** TonyXu has joined #openstack-keystone		08:22
*** mkoshiya has joined #openstack-keystone		08:29
*** pnavarro has joined #openstack-keystone		08:30
*** davechen has left #openstack-keystone		08:31
*** voelzmo has joined #openstack-keystone		08:31
*** voelzmo has quit IRC		08:32
*** pjm6 has joined #openstack-keystone		08:33
mkoshiya	Hi, all. Could you please review bp/return-request-id-to-caller - https://review.openstack.org/#/c/261188/ , and bp/log-request-id - https://review.openstack.org/#/c/352858/ .	08:48
mkoshiya	https://review.openstack.org/#/c/261188/ has already got a Code-Review +1 in the previous Patch Set.	08:50
*** code-R has quit IRC		08:52
*** pcaruana has joined #openstack-keystone		09:08
*** flwang1 has joined #openstack-keystone		09:15
*** mkoshiya has quit IRC		09:15
flwang1	hi there, any idea for error "keystoneauth1.exceptions.auth.AuthorizationFailure: Authorization failed: You are not authorized to perform the requested action. (HTTP 403) (Request-ID: req-3a6495b2-664d-4c35-9154-5d4c9b8f1eba)" ?	09:16
*** chlong has quit IRC		09:26
*** nishaYadav has joined #openstack-keystone		09:29
nishaYadav	hey all!	09:30
nishaYadav	hey samueldmq	09:39
*** jaosorior has quit IRC		09:41
*** jaosorior has joined #openstack-keystone		09:42
samueldmq	nishaYadav: hi	09:42
samueldmq	hi keystone	09:42
*** code-R has joined #openstack-keystone		09:45
*** code-R_ has joined #openstack-keystone		09:46
*** wangqun_ has quit IRC		09:49
*** code-R has quit IRC		09:49
*** asettle has joined #openstack-keystone		09:58
*** asettle has quit IRC		10:05
*** hoangcx has quit IRC		10:27
*** asettle has joined #openstack-keystone		10:30
*** haplo37_ has quit IRC		10:44
*** guoshan has joined #openstack-keystone		10:45
*** nishaYadav has quit IRC		10:46
*** haplo37_ has joined #openstack-keystone		10:46
*** nishaYadav has joined #openstack-keystone		10:48
*** nishaYadav is now known as Guest45438		10:49
*** Guest45438 is now known as nishaYadav_		10:49
*** voelzmo has joined #openstack-keystone		10:52
*** voelzmo has quit IRC		11:02
*** voelzmo has joined #openstack-keystone		11:06
*** nicolasbock has joined #openstack-keystone		11:09
*** asettle has quit IRC		11:11
*** asettle has joined #openstack-keystone		11:16
*** asettle has quit IRC		11:23
*** dave-mccowan has joined #openstack-keystone		11:30
*** GB21 has joined #openstack-keystone		11:35
*** guoshan has quit IRC		11:47
*** twouters has left #openstack-keystone		11:56
*** nishaYadav_ has quit IRC		12:01
*** pece has joined #openstack-keystone		12:02
*** edmondsw has joined #openstack-keystone		12:06
*** amoralej is now known as amoralej\|lunch		12:11
*** raildo has joined #openstack-keystone		12:11
*** maticue has joined #openstack-keystone		12:16
*** Guest23990 is now known as zigo		12:21
*** admin0 has joined #openstack-keystone		12:22
admin0	hey all .. what does “BadRequest: Expecting to find domain in user - the server could not comply with the request since it is either malformed or otherwise incorrect” mean ?	12:22
*** asettle has joined #openstack-keystone		12:38
*** sileht has quit IRC		12:42
*** sileht has joined #openstack-keystone		12:50
*** GB21 has quit IRC		12:58
*** voelzmo has quit IRC		13:04
*** voelzmo has joined #openstack-keystone		13:05
*** pcaruana has quit IRC		13:18
*** jperry has joined #openstack-keystone		13:23
lbragstad	LiYuenan by default, both fernet repositories are kept separate	13:30
lbragstad	LiYuenan on is used for token encryption and decryption, while the other is used for credential encryption and decryption.	13:31
lbragstad	LiYuenan if you haven't made any changes to your `keystone.conf [fernet_tokens] key_repository` value, `keystone-manage fernet_setup` will automatically populate `/etc/keystone/fernet-keys/` with keys - https://github.com/openstack/keystone/blob/master/etc/keystone.conf.sample#L888-L909	13:34
lbragstad	LiYuenan it will do the same thing with `keystone-manage credential-setup` but it will use `/etc/keystone/credential-keys/`	13:34
lbragstad	LiYuenan both of these repositories will need to be securely copied to all keystone nodes in your deployment. LiYuenan	13:35
*** agireud has quit IRC		13:35
*** agireud has joined #openstack-keystone		13:39
*** guoshan has joined #openstack-keystone		13:46
*** voelzmo has quit IRC		13:50
dolphm	stevemar: this requires PTL acknowledgement https://review.openstack.org/#/c/387447/	13:51
*** voelzmo has joined #openstack-keystone		13:51
*** voelzmo has quit IRC		13:53
*** voelzmo has joined #openstack-keystone		13:53
*** asettle has quit IRC		14:02
*** haplo37_ has quit IRC		14:02
*** gagehugo has joined #openstack-keystone		14:03
*** amoralej\|lunch is now known as amoralej		14:03
*** hogepodge has quit IRC		14:04
openstackgerrit	abdul nizamuddin proposed openstack/pycadf: Changed the home-page link https://review.openstack.org/387455	14:04
*** haplo37_ has joined #openstack-keystone		14:05
lbragstad	LiYuenan I did short write up of key management for credential encryption - https://gist.github.com/lbragstad/ddfb10f9f9048414d1f781ba006e95d1#encrypted-credential-key-management	14:06
*** sc68cal_ is now known as sc68cal		14:10
*** sheel has quit IRC		14:10
*** chris_hultin\|AWA is now known as chris_hultin		14:19
*** guoshan has quit IRC		14:26
*** mfisch` is now known as mfisch		14:30
*** mfisch is now known as Guest56218		14:30
*** michauds has joined #openstack-keystone		14:31
*** richm has joined #openstack-keystone		14:31
openstackgerrit	Alvaro Lopez Garcia proposed openstack/keystoneauth: oidc: fix OpenID Connect authorization code grant_type https://review.openstack.org/330006	14:34
*** guoshan has joined #openstack-keystone		14:35
*** nkinder has joined #openstack-keystone		14:35
openstackgerrit	Lance Bragstad proposed openstack/keystone: Use issue_v3_token instead of issue_v2_token https://review.openstack.org/386665	14:37
openstackgerrit	Lance Bragstad proposed openstack/keystone: refactor the token controller https://review.openstack.org/386726	14:37
*** asettle has joined #openstack-keystone		14:37
openstackgerrit	Lance Bragstad proposed openstack/keystone: Remove issue_v2_token https://review.openstack.org/386762	14:38
openstackgerrit	Lance Bragstad proposed openstack/keystone: Remove issue_v3_token in favor of issue_token https://review.openstack.org/386837	14:42
*** asettle has quit IRC		14:44
*** ravelar has joined #openstack-keystone		14:46
knikolla_	o/	14:51
*** Ephur has joined #openstack-keystone		14:53
openstackgerrit	Alvaro Lopez Garcia proposed openstack/keystone-specs: OpenID Connect improved support https://review.openstack.org/373983	14:54
openstackgerrit	Gage Hugo proposed openstack/keystone-specs: PCI-DSS Expired Password Users https://review.openstack.org/383832	14:58
*** guoshan has quit IRC		15:01
*** pcaruana has joined #openstack-keystone		15:03
*** voelzmo has quit IRC		15:03
*** jlwhite has quit IRC		15:03
*** antwash has quit IRC		15:04
*** knikolla_ has quit IRC		15:09
*** mvk has quit IRC		15:09
*** knikolla has joined #openstack-keystone		15:11
*** jlwhite has joined #openstack-keystone		15:12
*** antwash has joined #openstack-keystone		15:13
bknudson	odd thing in v2 tokens:	15:18
bknudson	"expires": "2016-10-17T16:17:56Z",	15:18
bknudson	"issued_at": "2016-10-17T15:17:56.000000Z",	15:18
*** code-R_ has quit IRC		15:26
*** rcernin has quit IRC		15:26
openstackgerrit	Gage Hugo proposed openstack/keystone: Doctor check for LDAP domain specific configs https://review.openstack.org/361435	15:31
*** ravelar has quit IRC		15:33
openstackgerrit	Tin Lam proposed openstack/keystone-specs: PCI-DSS Expired Password Users https://review.openstack.org/383832	15:36
*** lamt has joined #openstack-keystone		15:39
*** ravelar has joined #openstack-keystone		15:40
*** agrebennikov has joined #openstack-keystone		15:40
*** agrebennikov has quit IRC		15:40
*** agrebennikov has joined #openstack-keystone		15:41
*** agrebennikov has quit IRC		15:41
*** agrebennikov has joined #openstack-keystone		15:41
*** agrebennikov has quit IRC		15:42
*** agrebennikov has joined #openstack-keystone		15:42
*** agrebennikov has quit IRC		15:42
*** agrebennikov has joined #openstack-keystone		15:44
*** jistr is now known as jistr\|biab		15:46
*** agrebennikov has quit IRC		15:46
*** code-R has joined #openstack-keystone		15:46
openstackgerrit	Merged openstack/keystone: Code cleanup https://review.openstack.org/384798	15:47
*** agrebennikov has joined #openstack-keystone		15:48
*** code-R_ has joined #openstack-keystone		15:50
*** david-lyle_ has joined #openstack-keystone		15:52
*** david-lyle has quit IRC		15:53
*** hogepodge has joined #openstack-keystone		15:53
*** code-R has quit IRC		15:53
*** gagehugo has quit IRC		15:53
openstackgerrit	Merged openstack/pycadf: Changed the home-page link https://review.openstack.org/387455	15:54
openstackgerrit	ayoung proposed openstack/keystone: Refactor Authorization: https://review.openstack.org/387161	15:54
*** code-R_ has quit IRC		16:00
*** code-R has joined #openstack-keystone		16:01
knikolla	rodrigods, hi	16:05
*** Guest56218 is now known as mfisch		16:06
*** mfisch is now known as Guest8770		16:06
openstackgerrit	Richard Avelar proposed openstack/keystone: Remove unused statements in matches https://review.openstack.org/387548	16:07
*** admin0 has quit IRC		16:08
*** rcernin has joined #openstack-keystone		16:10
*** Guest8770 is now known as mfisch		16:10
*** mfisch has quit IRC		16:10
*** mfisch has joined #openstack-keystone		16:10
maticue	Hi everyone, one simple question for Kilo nova compute service that involves keystone authentication.... when I delete a VM, nova-compute service tries to de-allocate the network port from the VM. To run this action, nova-compute service needs to ask authorization. This authorization request is using [keystone_authtoken] section or [neutron] section?	16:14
*** Zer0Byte__ has joined #openstack-keystone		16:20
*** jistr\|biab is now known as jistr		16:22
*** gyee has joined #openstack-keystone		16:22
*** david-lyle_ is now known as david-lyle		16:24
*** code-R has quit IRC		16:41
*** ravelar has quit IRC		16:42
*** ravelar has joined #openstack-keystone		16:42
*** browne has joined #openstack-keystone		16:43
*** markvoelker has joined #openstack-keystone		16:46
*** voelzmo has joined #openstack-keystone		16:46
*** markvoelker_ has joined #openstack-keystone		16:49
*** voelzmo has quit IRC		16:50
*** voelzmo has joined #openstack-keystone		16:50
*** markvoelker has quit IRC		16:51
openstackgerrit	Merged openstack/keystone: Optimize remove unused variable https://review.openstack.org/384369	16:54
*** voelzmo has quit IRC		16:55
*** jaosorior has quit IRC		16:57
lbragstad	stevemar quick question - if we've removed (or are going to remove) something in Ocata, but a bug comes through saying there is an issue with it in a stable branch, how do we triage that?	16:57
*** amoralej is now known as amoralej\|off		16:57
*** lamt has quit IRC		17:00
*** kiran-r has joined #openstack-keystone		17:01
*** ravelar has quit IRC		17:05
*** jaosorior has joined #openstack-keystone		17:06
lbragstad	cc dolphm or dstanek ^	17:11
*** pece has quit IRC		17:12
*** Ephur has quit IRC		17:17
*** tqtran has joined #openstack-keystone		17:21
*** gagehugo has joined #openstack-keystone		17:21
openstackgerrit	Ron De Rose proposed openstack/keystone: Remove backend dependencies from token provider https://review.openstack.org/386136	17:23
*** ravelar has joined #openstack-keystone		17:29
openstackgerrit	Ron De Rose proposed openstack/keystone: Remove backend dependencies from token provider https://review.openstack.org/386136	17:31
openstackgerrit	Gage Hugo proposed openstack/keystone: Doctor check for LDAP domain specific configs https://review.openstack.org/361435	17:32
*** sheel has joined #openstack-keystone		17:36
*** admin0 has joined #openstack-keystone		17:36
*** admin0 has left #openstack-keystone		17:38
*** haplo37_ has quit IRC		17:40
*** jaosorior has quit IRC		17:41
*** jaosorior has joined #openstack-keystone		17:41
*** dave-mccowan has quit IRC		17:42
*** haplo37_ has joined #openstack-keystone		17:42
openstackgerrit	Ron De Rose proposed openstack/keystone: Validate mapping exists when creating/updating a protocol https://review.openstack.org/362397	17:43
*** dave-mccowan has joined #openstack-keystone		17:43
*** ayoung has joined #openstack-keystone		17:45
*** ChanServ sets mode: +v ayoung		17:45
*** spzala has joined #openstack-keystone		17:46
*** jaosorior has quit IRC		17:51
*** pnavarro has quit IRC		17:51
*** ravelar1 has joined #openstack-keystone		17:54
*** ravelar has quit IRC		17:56
*** kiran-r has quit IRC		18:00
*** ravelar1 has quit IRC		18:00
*** lamt has joined #openstack-keystone		18:01
*** lamt has quit IRC		18:03
*** markvoelker_ has quit IRC		18:03
openstackgerrit	Gage Hugo proposed openstack/keystone: Doctor check for LDAP domain specific configs https://review.openstack.org/361435	18:09
*** lamt has joined #openstack-keystone		18:12
*** code-R has joined #openstack-keystone		18:16
*** code-R_ has joined #openstack-keystone		18:23
*** tran has joined #openstack-keystone		18:24
*** code-R has quit IRC		18:26
*** ravelar1 has joined #openstack-keystone		18:28
*** Guest21077 has quit IRC		18:29
*** ravelar1 has quit IRC		18:29
*** ravelar has joined #openstack-keystone		18:36
openstackgerrit	Gage Hugo proposed openstack/keystone: Doctor check for LDAP domain specific configs https://review.openstack.org/361435	18:41
*** ravelar has quit IRC		18:51
*** med_` is now known as medberry		19:03
*** medberry has joined #openstack-keystone		19:03
*** thiagolib has joined #openstack-keystone		19:05
*** tran has quit IRC		19:10
openstackgerrit	Gage Hugo proposed openstack/keystone: Doctor check for LDAP domain specific configs https://review.openstack.org/361435	19:12
*** ravelar has joined #openstack-keystone		19:12
*** kiran-r has joined #openstack-keystone		19:16
stevemar	dolphm: ack	19:20
*** asettle has joined #openstack-keystone		19:24
* lbragstad sets http://lists.openstack.org/pipermail/openstack-dev/2016-October/105844.html on ayoung's desk		19:24
*** ravelar has quit IRC		19:28
*** ravelar has joined #openstack-keystone		19:29
stevemar	lbragstad: i thought the same thing :)	19:30
lbragstad	stevemar sounds like fun	19:32
*** gyee has quit IRC		19:37
*** ravelar has quit IRC		19:42
*** jperry has quit IRC		19:45
*** sheel has quit IRC		19:50
openstackgerrit	Ron De Rose proposed openstack/keystone: Validate mapping exists when creating/updating a protocol https://review.openstack.org/362397	19:56
*** spzala has quit IRC		19:58
*** spzala has joined #openstack-keystone		19:59
*** spzala has quit IRC		19:59
*** spzala has joined #openstack-keystone		19:59
*** brad[] has quit IRC		20:00
*** mfisch has quit IRC		20:00
*** medberry has quit IRC		20:00
*** med_ has joined #openstack-keystone		20:00
*** mfisch has joined #openstack-keystone		20:00
*** mfisch has quit IRC		20:01
*** mfisch has joined #openstack-keystone		20:01
*** med_ is now known as Guest62846		20:01
*** tqtran has quit IRC		20:02
*** code-R_ has quit IRC		20:12
Zer0Byte__	hey guys	20:21
*** brad[] has joined #openstack-keystone		20:21
*** flwang1 has quit IRC		20:21
*** pcaruana has quit IRC		20:25
*** tqtran has joined #openstack-keystone		20:33
*** asettle has quit IRC		20:33
*** markvoelker has joined #openstack-keystone		20:34
*** code-R has joined #openstack-keystone		20:35
*** jperry has joined #openstack-keystone		20:37
*** markvoelker_ has joined #openstack-keystone		20:37
openstackgerrit	Steve Martinelli proposed openstack/keystone: changed domain id to name in JSON request https://review.openstack.org/387162	20:37
openstackgerrit	Steve Martinelli proposed openstack/keystone: changed domain id to name in JSON request https://review.openstack.org/387162	20:38
openstackgerrit	Ron De Rose proposed openstack/keystone: Remove backend dependencies from token provider https://review.openstack.org/386136	20:39
*** markvoelker has quit IRC		20:41
openstackgerrit	Ron De Rose proposed openstack/keystone: Remove backend dependencies from token provider https://review.openstack.org/386136	20:42
ayoung	lbragstad, TYVM	20:43
ayoung	henrynash, lbragstad, jamielennox BTW whomever is interested in reviewing https://review.openstack.org/#/c/387161/ that is a squash of the other patches all listed in the same topic.	20:44
ayoung	rderose, && for you as well. I left the step by step refactoring in Gerrit to explain it, but bit sure if that is the best approach	20:46
stevemar	browne: why not include keystone in https://review.openstack.org/#/c/387670/1//COMMIT_MSG ?	20:47
stevemar	browne: duh cause it's already voting	20:49
*** adriant has joined #openstack-keystone		20:51
openstackgerrit	Ron De Rose proposed openstack/keystone: Remove backend dependencies from token provider https://review.openstack.org/386136	20:51
browne	stevemar: :)	20:55
*** Ephur has joined #openstack-keystone		20:58
*** haplo37_ has quit IRC		21:01
*** haplo37_ has joined #openstack-keystone		21:03
*** gagehugo has quit IRC		21:04
*** mvk has joined #openstack-keystone		21:05
*** raildo has quit IRC		21:08
*** edmondsw has quit IRC		21:10
*** nicolasbock has quit IRC		21:10
lbragstad	dstanek I think https://review.openstack.org/#/c/386136/8 is ready	21:10
stevemar	lbragstad: i'm looking at that now :D	21:16
lbragstad	stevemar sweet	21:16
stevemar	well, not now now, but soon	21:16
lbragstad	stevemar can we take the 'do not merge' off of this? https://review.openstack.org/#/c/367052/	21:17
jamielennox	ayoung: i had a bit of a look through that yesterday - what's the end goal there?	21:17
stevemar	lbragstad: sure, feel free to change it	21:17
*** spzala has quit IRC		21:18
stevemar	lbragstad: should it depend-on something?	21:18
*** chris_hultin is now known as chris_hultin\|AWA		21:19
lbragstad	stevemar this depends on your patch - https://review.openstack.org/#/c/345688/	21:19
*** spzala has joined #openstack-keystone		21:19
lbragstad	stevemar which also has a dependency on https://review.openstack.org/#/q/I7208bf6cb9329d6ca1f49409da44b0537c74aea9,n,z	21:19
stevemar	lbragstad: so is the game plan to make it the default in devstack and see what breaks?	21:20
stevemar	then make it the default in keystone?	21:20
lbragstad	nope - nothing should break this time	21:20
stevemar	well yes, that's what i mean -- change it and see/hope nothing breaks -- we should have all the things fixed	21:21
lbragstad	approval order should be https://review.openstack.org/#/c/376526/ -> https://review.openstack.org/#/c/367595/ -> https://review.openstack.org/#/c/367384/ -> https://review.openstack.org/#/c/367052/ -> https://review.openstack.org/#/c/345688/ (being last)	21:21
lbragstad	dansmith and sdague have approved the grenade change	21:21
lbragstad	but that is dependent on us merging a release note	21:22
lbragstad	then it's just the change to tempest and devstack	21:22
lbragstad	after that we're home free to make it the default	21:22
*** asettle has joined #openstack-keystone		21:33
*** asettle has quit IRC		21:39
openstackgerrit	Lance Bragstad proposed openstack/keystone: Switch fernet to be the default token provider. https://review.openstack.org/345688	21:39
ayoung	jamielennox, so the whole thing started with me trying to get is_admin_project support, and realizing that the trusts code did an end run around the rest of our enforcement	21:39
ayoung	so the goal is to get a single path for building the auth structure to pass to policy, and to reduce things like you were complaaining about "flatten_dict"	21:40
ayoung	jamielennox, If you look at the original implementation, the decorators were not even calling check_policy, although they were essentially copie and pasted gode from ti	21:40
ayoung	it	21:40
ayoung	so I also consier this a paydown of technical debt "removing cut and paste code"	21:41
ayoung	jamielennox, the Keystone path to policy enforcement is tangled and overgrown. Just trying to take a machete to it without chopping off my own foot	21:42
*** flwang1 has joined #openstack-keystone		21:46
stevemar	ayoung: is tripleo the same thing as RDO? whats an rdo manager / rdo director?	21:47
ayoung	stevemar, sort of...RDO is the packages	21:48
jamielennox	ayoung: so i've hit a similar problem with the allow_expired patch, https://review.openstack.org/#/c/382098/ that fetches the subject token twice	21:48
ayoung	tripleo is hte installer, so it used the RDO packages	21:48
jamielennox	ayoung: but my intention here was not to do one decorator to rule them all - but get rid of the decorator and put enforce calls into the controllers	21:48
ayoung	director is not an RDO piece, it is the downstream RH supported installer, based on Tripleo	21:48
ayoung	jamielennox, yep, and this goes a long way toward that	21:48
ayoung	jamielennox, so look at all the ones that have callbacks	21:49
ayoung	those are basically wrapping check_policy anywah	21:49
jamielennox	ayoung: right, anything passing a callback is because you just can't provide enough control from the decorator to do what you want, so if we could inline the protected call that would go away	21:50
ayoung	jamielennox, so you could probably inline the @controller.protected calls after this patch	21:50
ayoung	the filterprotected need a little more support, but should be pretty easy to reverse from what is done now	21:50
ayoung	jamielennox, but even if we left the decorators, for now, it should be more supportable.	21:51
jamielennox	ayoung: ok, i just saw it and thought you were running in a completely opposite direction	21:52
*** code-R has quit IRC		21:54
ayoung	jamielennox, Nope, I 'm with you on this.	21:57
*** code-R has joined #openstack-keystone		21:57
ayoung	jamielennox, the tricky part of this patch was dealing with how the parameters are built for the decorators. I tried to get all that into a single function, but it really is two distince mechanisms: protecte4d vs filterprotected both make use of both args and *kwargs in different and non-compatible ways	21:59
*** Ephur has quit IRC		22:03
*** rcernin has quit IRC		22:06
*** code-R has quit IRC		22:07
openstackgerrit	Merged openstack/keystone: Drop MANIFEST.in - it's not needed by pbr https://review.openstack.org/386384	22:10
*** spzala has quit IRC		22:17
jamielennox	ayoung: right - i'm hoping the key to simplify that will be not actually doing that in the decorator	22:18
*** gyee has joined #openstack-keystone		22:19
ayoung	jamielennox, TBH, th thing I like about the decorator right now is the easy of grepping for it, but that is only because I am refactoring. I'd like to make sure that when we do replace it, we make the replacement one line, and no cut/paste boilerplate	22:19
*** jperry has quit IRC		22:27
*** lamt has quit IRC		22:41
openstackgerrit	Adrian Turjak proposed openstack/keystone: adding combined password and totp auth plugin https://review.openstack.org/343422	22:55
*** michauds has quit IRC		23:00
*** markvoelker_ has quit IRC		23:01
openstackgerrit	Merged openstack/keystone: Fix a docstring typo in test_v3_resource.py https://review.openstack.org/377618	23:10
openstackgerrit	Eric Brown proposed openstack/keystone: Updates to the architecture doc https://review.openstack.org/387709	23:11
openstackgerrit	ayoung proposed openstack/keystone: Refactor is_admin https://review.openstack.org/387710	23:16
*** haplo37_ has quit IRC		23:29
*** haplo37_ has joined #openstack-keystone		23:30
*** lamt has joined #openstack-keystone		23:31
openstackgerrit	ayoung proposed openstack/keystone: Add is_admin_project check to policy.json https://review.openstack.org/257636	23:39
ayoung	jamielennox, ^^ is where I was going with that	23:40
*** chlong has joined #openstack-keystone		23:40
*** agrebennikov has quit IRC		23:46
jamielennox	ayoung: how would you feel about putting some of that on the request object?	23:46
jamielennox	or does it make sense?	23:46
ayoung	jamielennox, what specifically do you want to move?	23:47
ayoung	jamielennox, I guess I'd be in favor. It is stuff that is common to requests, so that would be a logical place to find it, as opposed to on the controllers.	23:47
ayoung	I hadn't really mapped out a full object model of how the policy check should look. I guess I'd need to diagram that up before I voiced any strong opinions	23:49
jamielennox	ayoung: i was just thinknig what i would want the interface to look like at the end - because that's currently not it	23:50
jamielennox	and what we would need to refactor to get there	23:50
ayoung	++	23:50
jamielennox	ideally we want to get to using to_policy_values which i think is currently at request.context.to_policy_values	23:50
jamielennox	the enforce signature is def enforce(self, rule, target, creds, do_raise=False, ..)	23:51
*** guoshan has joined #openstack-keystone		23:51
jamielennox	creds is from request.context, do_raise doesn't change	23:51
jamielennox	so i was thinking like	23:52
*** kiran-r has quit IRC		23:52
jamielennox	request.policy_check(rule, target_dict)	23:52
jamielennox	responsibility for loading the target is in the controller - like it always should have been	23:52
jamielennox	rule becomes a manually entered string - which means no more messing around with function names	23:53
*** LiYuenan has quit IRC		23:54
jamielennox	i would need to check where request params end up in policy to see how they play in, but i don't think that's hard	23:55

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!