Monday, 2016-10-31

*** guoshan has quit IRC [00:02]
*** LiYuenan has joined #openstack-keystone [00:03]
*** jerrygb has quit IRC [00:17]
*** haplo37_ has quit IRC [00:22]
*** haplo37_ has joined #openstack-keystone [00:24]
*** PsionTheory has joined #openstack-keystone [00:33]
*** guoshan has joined #openstack-keystone [00:58]
*** guoshan has quit IRC [01:02]
*** guoshan has joined #openstack-keystone [01:03]
*** guoshan has quit IRC [01:13]
*** guoshan has joined #openstack-keystone [01:14]
<stevemar> jamielennox: ah, nice comment [01:38]
*** anushkrishnamurt has joined #openstack-keystone [02:00]
*** markvoelker has joined #openstack-keystone [02:17]
*** PsionTheory has quit IRC [02:30]
<openstackgerrit> ayoung proposed openstack/keystone-specs: Token Verify Role Check
<ayoung> stevemar, jamielennox, ^^ interested to see what you think of that.  TLDR;  add the role check into the token validation call [02:37]
*** anushkrishnamurt has quit IRC [02:40]
*** jdennis1 has joined #openstack-keystone [03:07]
*** jdennis has quit IRC [03:07]
<guoshan> hi all, are there any api to query tokens expire time? [03:09]
<guoshan> the exact time for each token expire time, not the config token expire time [03:10]
*** jerrygb has joined #openstack-keystone [03:33]
*** jerrygb has quit IRC [03:37]
*** guoshan has quit IRC [04:24]
*** jerrygb has joined #openstack-keystone [04:37]
*** guoshan has joined #openstack-keystone [04:38]
*** guoshan has quit IRC [04:47]
*** guoshan has joined #openstack-keystone [04:47]
*** links has joined #openstack-keystone [04:48]
*** jerrygb has quit IRC [05:04]
*** Nakato has quit IRC [05:07]
*** kiran-r has quit IRC [05:07]
*** Nakato has joined #openstack-keystone [05:10]
<openstackgerrit> Xu Ao proposed openstack/oslo.policy: Fix a code logic while doing cyclical reference check to the policy
*** guoshan has quit IRC [05:32]
<breton> aaand he quit [05:56]
*** hoangcx has joined #openstack-keystone [06:01]
*** hoangcx has quit IRC [06:02]
*** hoangcx has joined #openstack-keystone [06:03]
*** guoshan has joined #openstack-keystone [06:08]
*** guoshan_ has joined #openstack-keystone [06:13]
*** guoshan has quit IRC [06:14]
*** guoshan_ has quit IRC [06:37]
*** belmoreira has joined #openstack-keystone [06:59]
*** jerrygb has joined #openstack-keystone [07:02]
*** kiran-r has joined #openstack-keystone [07:08]
*** jerrygb has quit IRC [07:08]
*** kiran-r has quit IRC [07:09]
*** kiran-r has joined #openstack-keystone [07:09]
*** kiran-r has quit IRC [07:09]
*** tesseract has joined #openstack-keystone [07:11]
*** tesseract is now known as Guest58324 [07:11]
*** jaosorior has joined #openstack-keystone [07:11]
*** agrebennikov has joined #openstack-keystone [07:14]
*** agrebennikov has quit IRC [07:19]
*** guoshan has joined #openstack-keystone [07:37]
*** guoshan has quit IRC [07:42]
*** zzzeek has quit IRC [08:00]
*** zzzeek has joined #openstack-keystone [08:00]
*** guoshan has joined #openstack-keystone [08:09]
*** beddari has quit IRC [08:28]
*** guoshan has quit IRC [08:49]
*** guoshan has joined #openstack-keystone [08:49]
*** haplo37_ has quit IRC [09:19]
*** haplo37_ has joined #openstack-keystone [09:21]
*** TonyXu has joined #openstack-keystone [09:31]
*** pjm6 has joined #openstack-keystone [09:42]
*** jaosorior has quit IRC [09:47]
*** jaosorior has joined #openstack-keystone [09:48]
*** pjm6 has quit IRC [10:07]
*** pjm6 has joined #openstack-keystone [10:08]
*** LiYuenan has quit IRC [10:12]
*** guoshan has quit IRC [10:16]
*** hoangcx has quit IRC [10:19]
*** rvba has quit IRC [10:40]
*** rvba has joined #openstack-keystone [10:43]
*** rvba has quit IRC [10:44]
*** rvba has joined #openstack-keystone [10:44]
*** TonyXu has quit IRC [10:50]
*** nicolasbock has joined #openstack-keystone [10:54]
*** jerrygb has joined #openstack-keystone [10:57]
*** clayton has quit IRC [11:10]
*** rvba has quit IRC [11:12]
*** clayton has joined #openstack-keystone [11:12]
*** anushkrishnamurt has joined #openstack-keystone [11:14]
*** guoshan has joined #openstack-keystone [11:17]
*** rvba has joined #openstack-keystone [11:18]
*** rvba has quit IRC [11:18]
*** rvba has joined #openstack-keystone [11:18]
*** guoshan has quit IRC [11:21]
*** anushkrishnamurt has quit IRC [11:36]
*** chlong has joined #openstack-keystone [11:41]
*** jerrygb has quit IRC [12:01]
*** clayton has quit IRC [12:06]
*** clayton has joined #openstack-keystone [12:07]
*** ayoung has quit IRC [12:28]
*** links has quit IRC [12:50]
<stevemar> {"url": "", "status": 404, "referer": ""}, [12:51]
<stevemar> {"url": "", "status": 404, "referer": ""}, [12:51]
<stevemar> dead links! [12:51]
*** dave-mccowan has joined #openstack-keystone [12:53]
*** jerrygb has joined #openstack-keystone [13:03]
*** jerrygb has quit IRC [13:07]
*** jerrygb has joined #openstack-keystone [13:11]
*** jerrygb has quit IRC [13:11]
*** edmondsw has joined #openstack-keystone [13:12]
<dstanek> stevemar: :-( [13:20]
*** amoralej is now known as amoralej|lunch [13:22]
*** jperry has joined #openstack-keystone [13:30]
*** jperry has quit IRC [13:30]
*** jperry has joined #openstack-keystone [13:31]
<openstackgerrit> Merged openstack/keystone: Pass a request to controllers instead of a context
*** nicolasbock has quit IRC [13:40]
*** richm has joined #openstack-keystone [13:41]
*** nicolasbock has joined #openstack-keystone [13:43]
*** ayoung has joined #openstack-keystone [13:56]
*** ChanServ sets mode: +v ayoung [13:56]
*** afred312 has quit IRC [14:00]
<openstackgerrit> Kristi Nikolla proposed openstack/keystone: Add structure for Devstack plugin
<stevemar> morning amigos [14:06]
<lbragstad> stevemar yo [14:06]
<ayoung> lbragstad, you were sorely missed last week [14:06]
<ayoung> as was dstanek and bknudson [14:07]
<lbragstad> ayoung :) i look forward to notes [14:07]
<ayoung> lbragstad, had a summit epiphany, Thursday night, too late to discuss with the other cores, as I flew on Thursday... [14:07]
<stevemar> lbragstad: i'll try and get some stuff posted this week [14:08]
*** jerrygb has joined #openstack-keystone [14:08]
<ayoung> Let's do the role check for policy as part of the token validation. [14:08]
<lbragstad> isn't that what we do with validation already? [14:09]
<lbragstad> we validate a token and the service applies the roles in the policy to the roles in the token validation response [14:09]
<lbragstad> stevemar awesome - i can't wait to read them [14:10]
<lbragstad> stevemar i spent last week overhauling
<ayoung> lbragstad, nah, no role validation is done inside the Keystone server, only later [14:10]
<ayoung> and the only role that is checked now is Admin...except for Keystone with service users [14:11]
*** amoralej|lunch is now known as amoralej [14:11]
<lbragstad> ayoung if we wanted to move the policy check into the token validation path within keystone wouldn't that mean keystone would need all the policy information for every service? [14:12]
<ayoung> lbragstad, nope [14:12]
<ayoung> lbragstad, we leave the existing check in place [14:13]
<ayoung> we only do the Role check in keystone [14:13]
<ayoung> it is the split I was talking about before: [14:13]
<ayoung> scope check is hard coded [14:13]
<ayoung> role check is dynamic, and in middleware [14:13]
<ayoung> by moving it to the Keystone server, we don't have to deal with distribution or caching of the policy files [14:13]
<ayoung> Role check is additional to, and prior to, default policy check [14:14]
<ayoung> but both are still needed [14:14]
*** chris_hultin|AWA is now known as chris_hultin [14:14]
<lbragstad> ayoung by role check do you mean ensuring the user has a role on the project? [14:15]
<stevemar> lbragstad: nice [14:15]
<ayoung> lbragstad, more like ensuring that the role in the token matches the role required for the API, but yes [14:15]
<stevemar> lbragstad: the bot came up as well as the bug reports you automated, and one suggestion was to keep a running tally [14:15]
<stevemar> graph it out so we can see the results over time, or something like that [14:16]
<lbragstad> ayoung so keystone needs to have the policy in order to do that, right? [14:16]
<stevemar> snapshots in data don't help as much as seeing the overall picture [14:16]
<lbragstad> stevemar yep - that's what i started doing
<ayoung> lbragstad, sort of.  It needs some policy, but it can be much simpler than the existing policy files [14:16]
<ayoung> the example I put in the spec is [14:16]
<lbragstad> stevemar so far i'm keeping all data from all runs in source control [14:16]
<ayoung> GET /v3/users/{user_id}/projects : role:Reader [14:16]
<stevemar> lbragstad: yep, i saw that :) [14:16]
<lbragstad> stevemar if people want to graph it differently, they have all the data to do it [14:17]
<ayoung> So policy check is on Verb and a pattern match of the URL, much like the routes.Mapper does in Keystone [14:17]
<ayoung> Excuse me, let me be explicit and say the RBAC check [14:17]
*** edtubill has joined #openstack-keystone [14:17]
<ayoung> we still will have the policy check executed in the code like this: [14:17]
<openstackgerrit> Boris Bobrov proposed openstack/keystone: Fix broken links in the docs
<ayoung> but instead of "admin_required" we make it more forgiving, something that lets an appropriately scoped user in as well. [14:19]
<stevemar> ayoung: who's the red hat packager / maintainer for openstack bits? [14:19]
<ayoung> Keystone ones are actually the worst, as they are mostly domain scoped operations.  But take role assignments [14:19]
<dstanek> ayoung: i have to say that it was nice not having to travel :-) [14:19]
*** briancurtin has quit IRC [14:19]
<ayoung> stevemar, varies.  But I have a say in the keystone* ones [14:20]
<ayoung> dstanek, travel does get tough.  See you in Feb in ATL, though [14:20]
<ayoung> I hope... [14:20]
<ayoung> stevemar, which package in particular? [14:20]
<stevemar> ayoung: centos packaging bug reported on the keystone queue:
<openstack> Launchpad bug 1637850 in OpenStack Identity (keystone) "newton openstack-keystone service not created on Centos7" [Undecided,New] [14:20]
<ayoung> stevemar, not-a-bug [14:21]
<dstanek> ayoung: i'm assuming so yes [14:21]
<ayoung> dstanek, well, I might have a conflict.  My wife has a seminar to give, and we both can't travel at the same time.... [14:21]
*** d0ugal has joined #openstack-keystone [14:22]
*** briancurtin has joined #openstack-keystone [14:22]
<ayoung> stevemar, updated. [14:23]
<ayoung> are we still having the team meeting tomorrow?  I assume yes, but want to make sure [14:31]
<dstanek> ayoung: that's unfortunate [14:32]
<ayoung> dstanek, I think I'm clear.  I think she is going the following week [14:32]
<ayoung> Feb 20-24, 2017  is the PTG, and I think hers is later [14:33]
*** jamielennox is now known as jamielennox|away [14:34]
<lbragstad> rderose ping? [14:37]
<lbragstad> rderose curious if you or ravelar have seen
<openstack> Launchpad bug 1524030 in OpenStack Identity (keystone) "duplicate for #1634746 Reduce revocation events for performance improvement" [Medium,In progress] - Assigned to Ron De Rose (ronald-de-rose) [14:38]
<ayoung> lbragstad, I just had a thought.  We could do the whole thing with implied roles, and drop the RBAC config files.   Hmmmm [14:48]
*** ravelar has joined #openstack-keystone [14:53]
<lbragstad> ayoung how so? [15:04]
*** jerrygb has quit IRC [15:07]
*** jerrygb has joined #openstack-keystone [15:08]
<ayoung> lbragstad, say the rule was: [15:09]
<ayoung> er, the role was the URL pattern [15:09]
<ayoung> hmmm...need a way to make a single string with both the Verb and the pattern [15:10]
<ayoung> and then we could assign someone exactly that pattern as an assignment, or delegate via trust [15:10]
<ayoung> so...we create  role "GET identity /v3/users" [15:10]
<ayoung> and Member implies  "GET identity /v3/users" [15:11]
<ayoung> so if you have the top level role, you get the lower level role [15:11]
<ayoung> instead of having a rule that is "GET identity /v3/users" : role:Member [15:11]
<ayoung> it would all be via the inference rules. [15:12]
*** nkinder has joined #openstack-keystone [15:19]
*** guoshan has joined #openstack-keystone [15:20]
<ayoung> stevemar, dstanek can I get a go-ahead on
<ayoung> I'm trying to figure out why the backport test failed, but it seems spurious [15:24]
*** guoshan has quit IRC [15:25]
*** hyakuhei has quit IRC [15:25]
*** hyakuhei has joined #openstack-keystone [15:25]
*** hyakuhei has quit IRC [15:25]
*** hyakuhei has joined #openstack-keystone [15:25]
<dstanek> ayoung: looking [15:26]
<openstackgerrit> Richard Avelar proposed openstack/keystone: Remove unused statements in matches
*** pkoraca has quit IRC [15:36]
*** pkoraca has joined #openstack-keystone [15:36]
*** woodburn has quit IRC [15:40]
<stevemar> ayoung: +W [15:51]
<stevemar> ayoung: workflow [15:52]
<ayoung> Ah.  Cool [15:52]
<stevemar> someone want to approve ? [15:52]
<ayoung> stevemar, looking [15:53]
<ayoung> stevemar, +W  to use your term [15:55]
*** browne has joined #openstack-keystone [15:55]
*** aloga_ has joined #openstack-keystone [15:56]
<ayoung> knikolla, +A on your patch.  And that is the first patch I've +Aed that, in the past would grant ATC access to the summit that will no longer do so :( [15:56]
*** Guest58324 has quit IRC [15:56]
*** woodburn has joined #openstack-keystone [15:57]
*** AlexeyAbashkin has quit IRC [16:13]
*** AlexeyAbashkin has joined #openstack-keystone [16:15]
*** guoshan has joined #openstack-keystone [16:21]
*** kfox1111_ is now known as kfox1111 [16:23]
*** guoshan has quit IRC [16:25]
<openstackgerrit> Merged openstack/keystone: Create default role as a part of bootstrap
*** links has joined #openstack-keystone [16:32]
*** chlong has quit IRC [16:32]
*** lamt has joined #openstack-keystone [16:40]
<openstackgerrit> Merged openstack/keystone: Add structure for Devstack plugin
*** links has quit IRC [16:42]
*** ravelar has quit IRC [16:46]
*** richm has quit IRC [16:47]
*** david-lyle has joined #openstack-keystone [16:51]
<knikolla> ayoung, thanks for the +A :) [16:53]
*** d0ugal has quit IRC [16:54]
*** ravelar has joined #openstack-keystone [16:55]
*** d0ugal has joined #openstack-keystone [16:58]
*** d0ugal has quit IRC [16:58]
*** d0ugal has joined #openstack-keystone [16:58]
*** belmoreira has quit IRC [16:58]
*** jaosorior has quit IRC [16:59]
*** mvk has quit IRC [17:01]
*** gyee has joined #openstack-keystone [17:05]
*** aloga_ has quit IRC [17:06]
*** edtubill has quit IRC [17:11]
<openstackgerrit> Gage Hugo proposed openstack/keystone: WIP: remove LDAP write support
<stevemar> back in a few hours :( [17:22]
<stevemar> hold down the fort keystoners! [17:22]
*** richm has joined #openstack-keystone [17:23]
*** gyee has quit IRC [17:38]
*** dave-mccowan has quit IRC [17:49]
<samueldmq> hey keystoners :) [17:53]
*** lamt has quit IRC [17:55]
<samueldmq> lbragstad: stevemar: dstanek: are we holding on anything specific for patch 345688 ? [17:55]
<lbragstad> samueldmq yeah - it's dependent on
<samueldmq> (other than the depends-on patch on devstack?) [17:56]
<lbragstad> samueldmq nope - that's the only dependency [17:57]
<samueldmq> lbragstad: 345688 has a depends-on (in the commit message) to (devstack patch) [17:58]
<lbragstad> samueldmq yep [17:58]
<lbragstad> so the devstack patch has to merge first [17:58]
<lbragstad> before we can merge the release note [17:58]
<lbragstad> once that merges we can approve the switch [17:58]
<samueldmq> lbragstad: gotcha [17:59]
*** asettle has joined #openstack-keystone [18:00]
<samueldmq> lbragstad: it is expected that the upgrade Newton -> Ocata is not backwards compat for role creation, right ? [18:02]
<samueldmq> lbragstad: I remember we had a discussion about it in the past (apparently we had broken a gate), just can't remember the decision [18:02]
<lbragstad> samueldmq for role creation? [18:02]
<samueldmq> my bad, token creation [18:02]
<lbragstad> samueldmq token creation is backwards incompatible you mean? [18:03]
<samueldmq> lbragstad: yes, in the defaults, because of the config change [18:03]
<lbragstad> it should be compatible if a deployer wants to keep using UUID, they can, but they just have to explicitly say it [18:03]
<lbragstad> in that case, tokens created using newton should be validatable against Ocata [18:04]
<samueldmq> lbragstad: sounds fair. the behavior is very well documented in the release notes. [18:04]
<lbragstad> samueldmq yeah - that's what we're aiming for [18:04]
<samueldmq> lbragstad: ++ [18:05]
*** haplo37_ has quit IRC [18:08]
*** haplo37_ has joined #openstack-keystone [18:10]
*** Zer0Byte__ has joined #openstack-keystone [18:18]
*** dave-mccowan has joined #openstack-keystone [18:19]
*** edtubill has joined #openstack-keystone [18:29]
*** kiran-r has joined #openstack-keystone [18:30]
<ayoung> stevemar, a + from you on the bootstrap backport would be much appreciated:
*** lamt has joined #openstack-keystone [18:35]
*** kiran-r has quit IRC [18:40]
*** edtubill has quit IRC [18:40]
<stevemar> ayoung: poke dolphm i suppose [18:46]
<ayoung> stevemar, sure, or other stable maints.  I just didn't see your + at first, and wanted to say that other keystoners had looked at it.  Thanks [18:47]
<stevemar> ayoung: rgr [18:47]
*** asettle has quit IRC [18:47]
<ayoung> stevemar, BTW, I think we should call the Keystone Turtle Mascot 'Stoney' [18:47]
<stevemar> i like that! [18:47]
*** asettle has joined #openstack-keystone [18:48]
*** asettle has quit IRC [18:48]
*** asettle has joined #openstack-keystone [18:48]
*** edtubill has joined #openstack-keystone [18:49]
<stevemar> lbragstad: poke
*** artmr has joined #openstack-keystone [18:51]
*** asettle has quit IRC [18:52]
*** asettle has joined #openstack-keystone [18:52]
*** kiran-r has joined #openstack-keystone [18:53]
<lbragstad> stevemar nice - done [18:56]
*** bezilla has joined #openstack-keystone [19:01]
<lbragstad> stevemar do we have an outlook on the removal of pki and pkiz? [19:01]
<stevemar> lbragstad: it needs a rebase :\
<stevemar> lbragstad: it got all messy cause of the whole PKI being used to get revocation lists business [19:02]
<stevemar> lbragstad: feel free to pick it up? [19:07]
<stevemar> lbragstad: i know breton picked it up at one point [19:07]
<openstackgerrit> ayoung proposed openstack/keystone: Support AD Nested groups
<ayoung> What do we need to do to kill PKI? [19:26]
*** kiran-r has quit IRC [19:31]
*** ayoung has quit IRC [19:35]
<openstackgerrit> Merged openstack/keystone: Clarifying on the remove of `build_auth_context` middleware
<stevemar> ayoung went offline :( [19:39]
<lbragstad> I was just about to start responding, too [19:39]
<openstackgerrit> Jesse Keating proposed openstack/keystone: Add healthcheck middleware to pipelines
<knikolla> hard to find a review not previously reviewed by stevemar :P [19:45]
*** amoralej is now known as amoralej|off [19:46]
<openstackgerrit> Merged openstack/keystone: Don't deprecate the LDAP property which is still needed
<stevemar> knikolla: i am the eye of sauron! [19:48]
<stevemar> breton: you may want to check your email :) [19:49]
*** edtubill has quit IRC [19:50]
*** edtubill has joined #openstack-keystone [19:51]
<knikolla> stevemar, can I assume only ubuntu for now for the Devstack plugin, shibboleth is a pain on anything else :( [19:53]
<stevemar> knikolla: let's start with that then [19:53]
<knikolla> stevemar, roger. i'll have an initial review that federated with testshib to ensure that the steps are correct. Then a subsequent patch will install a real idp and i'll switch from testshib to that. [19:55]
<stevemar> sounds promising [19:56]
<stevemar> i'll start poking at the ldap stuff, dtroyer showed me a few things to look at and some suggestions [19:56]
*** edtubill has quit IRC [19:58]
<lbragstad> was there an outcome regarding horizon revoking a token after a user switches projects and how that affects long running operations? [20:03]
<robcresswell> lbragstad: We've removed the token revocation from master [20:04]
<robcresswell> lbragstad: There is a patch to remove from stable too. [20:04]
*** ravelar has quit IRC [20:04]
<lbragstad> robcresswell ah - so now if I switch projects in horizon my token won't be revoked, right? [20:05]
<openstackgerrit> Steve Martinelli proposed openstack/keystone: Add api-ref /auth/tokens/OS-PKI/revoked (v3)
<stevemar> lbragstad: this should be ready
<robcresswell> lbragstad: Right :) [20:06]
<lbragstad> robcresswell awesome! [20:07]
*** dave-mccowan has quit IRC [20:15]
*** guoshan has joined #openstack-keystone [20:24]
*** kiran-r has joined #openstack-keystone [20:24]
<openstackgerrit> Samuel Pilla proposed openstack/keystone: Document v2 Revoked Token Route
*** ayoung has joined #openstack-keystone [20:26]
*** ChanServ sets mode: +v ayoung [20:26]
<openstackgerrit> Samuel Pilla proposed openstack/keystone: Document v2 Revoked Token Route
*** guoshan has quit IRC [20:28]
*** mvk has joined #openstack-keystone [20:31]
*** aloga_ has joined #openstack-keystone [20:31]
*** d0ugal has quit IRC [20:40]
*** d0ugal has joined #openstack-keystone [20:42]
*** dave-mccowan has joined #openstack-keystone [20:45]
*** lamt has quit IRC [20:47]
*** jerrygb__ has joined #openstack-keystone [20:48]
*** jerrygb has quit IRC [20:49]
*** jerrygb__ has quit IRC [20:52]
<breton> lbragstad: there is a series of action items on removing PKI [20:57]
<breton> lbragstad: morgan had a great plan in that review [20:57]
<breton> stevemar: cool! I'll do my best. [20:58]
*** chris_hultin is now known as chris_hultin|AWA [21:01]
<lbragstad> is morgan_ around? [21:02]
*** gyee has joined #openstack-keystone [21:05]
*** jamielennox|away is now known as jamielennox [21:06]
*** lamt has joined #openstack-keystone [21:07]
<openstackgerrit> Jesse Keating proposed openstack/keystone: Add healthcheck middleware to pipelines
*** openstackgerrit has quit IRC [21:18]
*** openstackgerrit has joined #openstack-keystone [21:18]
*** guoshan has joined #openstack-keystone [21:24]
*** guoshan has quit IRC [21:29]
*** edtubill has joined #openstack-keystone [21:32]
*** dave-mccowan has quit IRC [21:38]
<stevemar> gagehugo: is samuel pilla on irc? [21:38]
<stevemar> gagehugo: not sure why he -W'ed
*** adriant has joined #openstack-keystone [21:42]
<lamt> @stevemar : I think he -W'ed because it has the same selector as the v3 patch [21:44]
<stevemar> lamt: eh, just add a v2 and call it a day [21:45]
<openstackgerrit> Steve Martinelli proposed openstack/keystone: Document v2 Revoked Token Route
<stevemar> there we go [21:45]
<lamt> stevemar : thanks, this should be fixed: so it doesn't conflict as much in the docs [21:46]
<openstack> Launchpad bug 1583623 in openstack-doc-tools "os-api-ref: duplicate labels for selectors" [Undecided,New] [21:46]
*** richm has quit IRC [21:47]
*** aloga_ has quit IRC [21:48]
<stevemar> lamt: let's not wait around for it :) [21:48]
*** jerrygb has joined #openstack-keystone [21:59]
<openstackgerrit> Merged openstack/keystone: Add api-ref /auth/tokens/OS-PKI/revoked (v3)
*** jerrygb has quit IRC [22:04]
*** chlong has joined #openstack-keystone [22:08]
<stevemar> lbragstad: want to punt this one through?
*** jperry has quit IRC [22:19]
*** agrebennikov has joined #openstack-keystone [22:21]
*** agrebennikov has quit IRC [22:22]
*** agrebennikov has joined #openstack-keystone [22:23]
*** agrebennikov has quit IRC [22:23]
<lbragstad> stevemar yeah i can review it [22:23]
*** agrebennikov has joined #openstack-keystone [22:25]
*** guoshan has joined #openstack-keystone [22:25]
*** lamt has quit IRC [22:27]
*** gyee has quit IRC [22:28]
*** agrebennikov has quit IRC [22:29]
*** guoshan has quit IRC [22:30]
<stevemar> thanks lbragstad [22:33]
*** edmondsw has quit IRC [22:39]
<gagehugo> stevemar: yeah what lamt said [22:41]
*** jerrygb has joined #openstack-keystone [22:42]
*** jerrygb_ has joined #openstack-keystone [22:45]
*** edtubill has quit IRC [22:48]
*** jerrygb has quit IRC [22:48]
<openstackgerrit> Steve Martinelli proposed openstack/keystone-specs: Add reason to notifications for PCI-DSS events
<openstackgerrit> Steve Martinelli proposed openstack/keystone-specs: Target Fernet key store to Ocata
<openstackgerrit> Merged openstack/keystone-specs: Target Fernet key store to Ocata
*** asettle has quit IRC [23:11]
*** nicolasbock has quit IRC [23:13]
*** artmr has quit IRC [23:13]
*** guoshan has joined #openstack-keystone [23:26]
*** ianw has quit IRC [23:30]
*** guoshan has quit IRC [23:30]
*** browne has quit IRC [23:36]
*** kiran-r has quit IRC [23:41]
*** ianw has joined #openstack-keystone [23:59]
