*** guoshan has quit IRC | 00:04 | |
openstackgerrit | Merged openstack/keystone: Fixes remaining nits in endpoint_policy tests https://review.openstack.org/397928 | 00:05 |
---|---|---|
*** henrynash has quit IRC | 00:22 | |
*** henrynash has joined #openstack-keystone | 00:24 | |
*** ChanServ sets mode: +v henrynash | 00:24 | |
*** lamt has quit IRC | 00:25 | |
*** lamt has joined #openstack-keystone | 00:30 | |
*** spzala has joined #openstack-keystone | 00:32 | |
*** spzala has quit IRC | 00:37 | |
*** browne has quit IRC | 00:42 | |
*** guoshan has joined #openstack-keystone | 00:53 | |
*** hoangcx has joined #openstack-keystone | 00:54 | |
*** guoshan has quit IRC | 00:58 | |
*** browne has joined #openstack-keystone | 01:33 | |
*** browne has quit IRC | 01:34 | |
*** tqtran has quit IRC | 01:41 | |
*** guoshan has joined #openstack-keystone | 01:42 | |
*** phalmos has quit IRC | 01:44 | |
openstackgerrit | Chuck Short proposed openstack/keystone: Add py35 support https://review.openstack.org/398020 | 01:48 |
*** links has joined #openstack-keystone | 01:55 | |
*** lamt has quit IRC | 01:57 | |
*** zhangjl has joined #openstack-keystone | 01:59 | |
*** annp has joined #openstack-keystone | 02:00 | |
*** tonytan4ever has joined #openstack-keystone | 02:01 | |
*** links has quit IRC | 02:07 | |
*** nkinder has joined #openstack-keystone | 02:43 | |
*** spzala has joined #openstack-keystone | 03:16 | |
*** spzala has quit IRC | 03:20 | |
*** udesale has joined #openstack-keystone | 03:25 | |
*** spzala has joined #openstack-keystone | 03:30 | |
*** adrian_otto has joined #openstack-keystone | 03:50 | |
*** deep_1 has joined #openstack-keystone | 03:59 | |
*** spzala has quit IRC | 04:03 | |
*** guoshan has quit IRC | 04:04 | |
*** spzala has joined #openstack-keystone | 04:04 | |
*** spzala has quit IRC | 04:05 | |
*** guoshan has joined #openstack-keystone | 04:07 | |
*** GB21 has joined #openstack-keystone | 04:12 | |
*** adrian_otto has quit IRC | 04:22 | |
*** tonytan4ever has quit IRC | 04:23 | |
*** tonytan4ever has joined #openstack-keystone | 04:23 | |
*** adrian_otto has joined #openstack-keystone | 04:24 | |
*** adrian_otto has quit IRC | 04:26 | |
*** adrian_otto has joined #openstack-keystone | 04:27 | |
*** tonytan4ever has quit IRC | 04:28 | |
*** nicolasbock has quit IRC | 04:28 | |
*** rdo has quit IRC | 04:34 | |
*** rdo has joined #openstack-keystone | 04:36 | |
*** nkinder has quit IRC | 04:37 | |
*** khamtamtun has joined #openstack-keystone | 04:40 | |
*** khamtamtun has quit IRC | 04:44 | |
*** guoshan has quit IRC | 04:45 | |
*** adrian_otto has quit IRC | 04:47 | |
*** adrian_otto has joined #openstack-keystone | 04:49 | |
*** guoshan has joined #openstack-keystone | 05:15 | |
*** diazjf has joined #openstack-keystone | 05:17 | |
*** darrenc is now known as darrenc_afk | 05:19 | |
*** guoshan has quit IRC | 05:19 | |
*** diazjf has quit IRC | 05:20 | |
*** dims has quit IRC | 05:20 | |
*** adrian_otto has quit IRC | 05:46 | |
*** adrian_otto has joined #openstack-keystone | 05:50 | |
*** harlowja has quit IRC | 05:55 | |
*** darrenc_afk is now known as darrenc | 05:57 | |
*** adrian_otto has quit IRC | 05:58 | |
*** dims has joined #openstack-keystone | 05:59 | |
*** guoshan has joined #openstack-keystone | 06:09 | |
*** guoshan has quit IRC | 06:14 | |
*** guoshan has joined #openstack-keystone | 06:15 | |
*** jaosorior has joined #openstack-keystone | 06:16 | |
*** adriant has quit IRC | 06:28 | |
*** markvoelker has quit IRC | 06:28 | |
*** jaosorior has quit IRC | 06:41 | |
*** jaosorior has joined #openstack-keystone | 06:41 | |
*** richm has quit IRC | 06:41 | |
*** guoshan has quit IRC | 07:01 | |
*** GB21 has quit IRC | 07:16 | |
*** guoshan has joined #openstack-keystone | 07:22 | |
*** GB21 has joined #openstack-keystone | 07:29 | |
*** jaosorior has quit IRC | 07:34 | |
*** pcaruana has joined #openstack-keystone | 07:41 | |
*** rha has joined #openstack-keystone | 07:42 | |
*** jaosorior has joined #openstack-keystone | 07:54 | |
*** amoralej|off is now known as amoralej | 08:20 | |
*** markvoelker has joined #openstack-keystone | 08:29 | |
*** jpich has joined #openstack-keystone | 08:31 | |
*** markvoelker has quit IRC | 08:34 | |
*** GB21 has quit IRC | 08:38 | |
*** GB21 has joined #openstack-keystone | 08:51 | |
*** zzzeek has quit IRC | 09:00 | |
*** zzzeek has joined #openstack-keystone | 09:03 | |
*** henrynash has quit IRC | 09:05 | |
openstackgerrit | howard lee proposed openstack/keystoneauth: Use assertIs(Not)None to check for None https://review.openstack.org/398209 | 09:10 |
*** deep_1 has quit IRC | 09:35 | |
*** henrynash has joined #openstack-keystone | 09:46 | |
*** ChanServ sets mode: +v henrynash | 09:46 | |
*** deep_1 has joined #openstack-keystone | 09:50 | |
*** henrynash has quit IRC | 10:02 | |
*** henrynash has joined #openstack-keystone | 10:04 | |
*** ChanServ sets mode: +v henrynash | 10:04 | |
*** henrynash has quit IRC | 10:07 | |
openstackgerrit | zhangyanxian proposed openstack/python-keystoneclient: Fix typo in access.py https://review.openstack.org/398244 | 10:12 |
openstackgerrit | zhangyanxian proposed openstack/python-keystoneclient: Fix typo in access.py https://review.openstack.org/398244 | 10:13 |
*** henrynash has joined #openstack-keystone | 10:15 | |
*** ChanServ sets mode: +v henrynash | 10:15 | |
*** henrynash has quit IRC | 10:16 | |
*** hoangcx has quit IRC | 10:16 | |
odyssey4me | stevemar dolphm An RFE which I think would be very useful to operators to implement: https://bugs.launchpad.net/keystone/+bug/1642212 | 10:18 |
openstack | Launchpad bug 1642212 in OpenStack Identity (keystone) "RFE: keystone-manage db_sync --check" [Undecided,New] | 10:18 |
odyssey4me | it'd be great if keystone could set the precedent that other projects follow | 10:18 |
*** pnavarro has joined #openstack-keystone | 10:21 | |
*** GB21 has quit IRC | 10:22 | |
*** asettle has joined #openstack-keystone | 10:23 | |
*** udesale has quit IRC | 10:26 | |
*** mvk has quit IRC | 10:30 | |
*** markvoelker has joined #openstack-keystone | 10:30 | |
*** GB21 has joined #openstack-keystone | 10:34 | |
*** markvoelker has quit IRC | 10:35 | |
*** zhangjl has quit IRC | 10:45 | |
*** guoshan has quit IRC | 10:51 | |
*** mvk has joined #openstack-keystone | 10:54 | |
*** richm has joined #openstack-keystone | 11:12 | |
openstackgerrit | howard lee proposed openstack/keystoneauth: Add __ne__ built-in function https://review.openstack.org/398294 | 11:17 |
*** GB21 has quit IRC | 11:18 | |
*** annp has quit IRC | 11:24 | |
*** fmarco76 has joined #openstack-keystone | 11:24 | |
*** fmarco76 has quit IRC | 11:25 | |
*** jaosorior is now known as jaosorior_lunch | 11:25 | |
*** nicolasbock has joined #openstack-keystone | 11:31 | |
*** GB21 has joined #openstack-keystone | 11:31 | |
*** deep_1 has quit IRC | 11:31 | |
*** guoshan has joined #openstack-keystone | 11:35 | |
*** guoshan_ has joined #openstack-keystone | 11:39 | |
*** guoshan has quit IRC | 11:39 | |
*** tqtran has joined #openstack-keystone | 11:41 | |
*** guoshan_ has quit IRC | 11:44 | |
*** tqtran has quit IRC | 11:45 | |
stevemar | odyssey4me: thanks for the tip about oslo validator! | 12:01 |
*** vgridnev has joined #openstack-keystone | 12:03 | |
*** chrisplo has quit IRC | 12:06 | |
*** jaosorior_lunch is now known as jaosorior | 12:09 | |
openstackgerrit | David Stanek proposed openstack/keystone: WIP - Add validation for totp credentials https://review.openstack.org/283522 | 12:13 |
*** vgridnev has left #openstack-keystone | 12:14 | |
odyssey4me | stevemar :) that's the product of many discussions which started at the Tokyo summit - I'm looking forward to see it come to fruition | 12:20 |
openstackgerrit | David Stanek proposed openstack/keystone-specs: Add spec for native SAML2 https://review.openstack.org/397860 | 12:21 |
*** GB21 has quit IRC | 12:22 | |
*** catintheroof has joined #openstack-keystone | 12:23 | |
*** deep_1 has joined #openstack-keystone | 12:29 | |
*** guoshan has joined #openstack-keystone | 12:33 | |
*** guoshan has quit IRC | 12:40 | |
*** deep_1 has quit IRC | 12:46 | |
samueldmq | morning keystone | 12:55 |
samueldmq | dstanek: hi | 12:55 |
dstanek | samueldmq: good morning | 12:58 |
samueldmq | dstanek: hi, good morning | 12:58 |
samueldmq | dstanek: just posted a few comments on your spec | 12:58 |
samueldmq | dstanek: I had a question but left it there | 12:59 |
*** vgridnev has joined #openstack-keystone | 13:02 | |
dstanek | samueldmq: responding now | 13:08 |
dstanek | kk:1 | 13:11 |
dstanek | samueldmq: done | 13:12 |
samueldmq | dstanek: nice, replied again. I'd be okay with the link in the working items section | 13:13 |
samueldmq | dstanek: I do not have a reason to not +2 after that | 13:14 |
samueldmq | dstanek: spec looks pretty clear and simple | 13:14 |
*** asettle__ has joined #openstack-keystone | 13:15 | |
*** asettle has quit IRC | 13:18 | |
*** nk2527 has joined #openstack-keystone | 13:23 | |
*** lamt has joined #openstack-keystone | 13:23 | |
openstackgerrit | David Stanek proposed openstack/keystone-specs: Add spec for native SAML2 https://review.openstack.org/397860 | 13:24 |
*** jamielennox is now known as jamielennox|away | 13:25 | |
*** dave-mccowan has joined #openstack-keystone | 13:25 | |
*** asettle__ is now known as asettle | 13:25 | |
*** GB21 has joined #openstack-keystone | 13:27 | |
*** guoshan has joined #openstack-keystone | 13:28 | |
*** guoshan has quit IRC | 13:32 | |
*** nkinder has joined #openstack-keystone | 13:33 | |
stevemar | o/ | 13:39 |
samueldmq | stevemar: morning | 13:39 |
*** rodrigods has quit IRC | 13:42 | |
*** tqtran has joined #openstack-keystone | 13:42 | |
*** rodrigods has joined #openstack-keystone | 13:42 | |
*** edmondsw has joined #openstack-keystone | 13:43 | |
*** markvoelker has joined #openstack-keystone | 13:44 | |
*** tqtran has quit IRC | 13:47 | |
*** Administrator_ has quit IRC | 13:51 | |
*** Administrator_ has joined #openstack-keystone | 13:52 | |
*** amoralej is now known as amoralej|lunch | 13:52 | |
*** nkinder has quit IRC | 13:53 | |
*** jdennis has joined #openstack-keystone | 13:55 | |
*** udesale has joined #openstack-keystone | 13:56 | |
*** nkinder has joined #openstack-keystone | 13:58 | |
samueldmq | dstanek: have you seen https://review.openstack.org/#/c/373983 ? | 14:10 |
samueldmq | "OpenID Connect improved support" | 14:10 |
*** deep_1 has joined #openstack-keystone | 14:11 | |
*** Administrator_ has quit IRC | 14:13 | |
*** Administrator_ has joined #openstack-keystone | 14:14 | |
samueldmq | dstanek: I've commented on it. I think it's very similar (same idea) to the work you're doing. I suggested him to talk to you | 14:15 |
*** jperry has joined #openstack-keystone | 14:16 | |
dstanek | samueldmq: i haven't, but it looks interesting | 14:17 |
samueldmq | dstanek: ++ | 14:17 |
lbragstad | morning | 14:21 |
samueldmq | ayoung: please reply to https://review.openstack.org/#/c/396331/ and https://review.openstack.org/#/c/396634 whenever you get a chance | 14:21 |
samueldmq | ayoung: the author's replied your comments | 14:21 |
*** vgridnev has quit IRC | 14:22 | |
*** guoshan has joined #openstack-keystone | 14:22 | |
samueldmq | ayoung: I wonder if we could enhance our OAUTH to support the new needs (that would be more than OAUTH though) | 14:22 |
samueldmq | lbragstad: morning | 14:22 |
*** lamt has quit IRC | 14:23 | |
*** guoshan has quit IRC | 14:26 | |
*** dave-mccowan has quit IRC | 14:30 | |
*** amoralej|lunch is now known as amoralej | 14:32 | |
stevemar | rodrigods: you were looking for the ksc functional test failure: http://logs.openstack.org/44/398244/2/check/gate-keystoneclient-dsvm-functional-ubuntu-xenial/a23535b/testr_results.html.gz | 14:35 |
stevemar | happens again | 14:35 |
rodrigods | stevemar, sigh | 14:35 |
rodrigods | stevemar, will take a look | 14:35 |
stevemar | rodrigods: :) | 14:36 |
stevemar | rodrigods: you're the functional test guy now! | 14:36 |
dstanek | "not it" | 14:36 |
rodrigods | stevemar, i like it! not sure if i should be scared | 14:37 |
stevemar | rodrigods: be very afraid | 14:38 |
*** jaosorior has quit IRC | 14:41 | |
*** lamt has joined #openstack-keystone | 14:41 | |
*** jaosorior has joined #openstack-keystone | 14:41 | |
*** chris_hultin|AWA is now known as chris_hultin | 14:45 | |
*** jaosorior has quit IRC | 14:47 | |
*** agrebennikov has joined #openstack-keystone | 14:48 | |
rodrigods | rderose, can you take a look at https://review.openstack.org/#/c/378624/ ? tempest ppl didn't review yet, maybe they will feel more confident after some reviews | 14:49 |
*** richm has quit IRC | 14:53 | |
*** GB21 has quit IRC | 14:54 | |
*** ravelar has joined #openstack-keystone | 14:56 | |
*** adrian_otto has joined #openstack-keystone | 14:57 | |
rderose | rodrigods: sure, we'll look at today | 15:03 |
rderose | *will | 15:03 |
rderose | :) | 15:03 |
rodrigods | rderose, thx | 15:03 |
*** pnavarro has quit IRC | 15:05 | |
*** adrian_otto has quit IRC | 15:06 | |
stevemar | lbragstad: oh policy meeting isn't on irc? | 15:09 |
lbragstad | stevemar I didn't schedule it for IRC - but wanted to have face-to-face conversation | 15:09 |
*** richm has joined #openstack-keystone | 15:09 | |
lbragstad | if folks want to have it on IRC - i'll find a time and propose it for next week | 15:09 |
stevemar | lbragstad: do what you intended first, if it's working out then keep doing it | 15:10 |
openstackgerrit | Rodrigo Duarte proposed openstack/python-keystoneclient: Refactor test_domain_configs https://review.openstack.org/398407 | 15:10 |
stevemar | lbragstad: i will be unable to join cause at jury duty | 15:10 |
lbragstad | stevemar :( | 15:11 |
rodrigods | stevemar, ^ think it fixes the issue, couldn't run the tests because i'm having a fight with kvm here | 15:11 |
rodrigods | let's see what jenkins says | 15:11 |
stevemar | lbragstad: no worries | 15:14 |
stevemar | lbragstad: let me know who attends and what happens | 15:14 |
lbragstad | stevemar will do | 15:15 |
*** guoshan has joined #openstack-keystone | 15:23 | |
*** guoshan has quit IRC | 15:27 | |
knikolla | o/ | 15:30 |
*** udesale has quit IRC | 15:35 | |
*** phalmos has joined #openstack-keystone | 15:37 | |
*** spzala has joined #openstack-keystone | 15:39 | |
*** diazjf has joined #openstack-keystone | 15:40 | |
*** deep_1 has quit IRC | 15:43 | |
openstackgerrit | Gage Hugo proposed openstack/keystone: Change "Change User Password" request example https://review.openstack.org/398421 | 15:43 |
*** tqtran has joined #openstack-keystone | 15:44 | |
*** diazjf has quit IRC | 15:45 | |
*** tqtran has quit IRC | 15:48 | |
openstackgerrit | Ron De Rose proposed openstack/keystone-specs: Extend user API to support federated attributes https://review.openstack.org/397410 | 15:53 |
openstackgerrit | Rodrigo Duarte proposed openstack/python-keystoneclient: Refactor test_domain_configs https://review.openstack.org/398407 | 15:55 |
*** phalmos has quit IRC | 15:55 | |
openstackgerrit | Steve Martinelli proposed openstack/keystone: remove release note about LDAP write removal https://review.openstack.org/398436 | 15:55 |
openstackgerrit | Ron De Rose proposed openstack/keystone-specs: Extend user API to support federated attributes https://review.openstack.org/397410 | 15:56 |
stevemar | lbragstad: dstanek rderose rodrigods can i get this pushed through please: https://review.openstack.org/#/c/398436/ i want to tag ocata-1 today and that's the only piece holding it up | 15:56 |
rodrigods | stevemar, +2ed | 15:57 |
*** phalmos has joined #openstack-keystone | 15:58 | |
dstanek | stevemar: pushed | 15:58 |
*** diazjf has joined #openstack-keystone | 15:59 | |
stevemar | ty ty | 16:00 |
lbragstad | link to hangout for those interested in policy meeting - https://etherpad.openstack.org/p/keystone-policy-meeting | 16:01 |
lbragstad | er... | 16:01 |
lbragstad | https://hangouts.google.com/call/pd36j4qv5zfbldmhxeeatq6f7ae | 16:01 |
*** phalmos has quit IRC | 16:02 | |
*** dave-mccowan has joined #openstack-keystone | 16:04 | |
dolphm | lbragstad: so, the call is full. i can't rejoin :) | 16:06 |
lbragstad | https://hangouts.google.com/hangouts/_/pd36j4qv5zfbldmhxeeatq6f7ae | 16:07 |
lbragstad | dolphm try again? | 16:07 |
dolphm | lbragstad: no really... the limit is 10 people. it's full | 16:07 |
*** phalmos has joined #openstack-keystone | 16:09 | |
*** thinrichs has joined #openstack-keystone | 16:09 | |
gagehugo | boo | 16:10 |
lbragstad | Woo! | 16:10 |
dstanek | woot, policy takeover | 16:10 |
lbragstad | impromptu IRC meeting! | 16:10 |
thinrichs | Hi all | 16:10 |
lbragstad | roll call! | 16:10 |
dolphm | ha | 16:10 |
gagehugo | o/ | 16:10 |
*** ruan_02 has joined #openstack-keystone | 16:10 | |
*** artmr has joined #openstack-keystone | 16:10 | |
knikolla | o/ | 16:10 |
raildo | o/ | 16:11 |
lamt | o/ | 16:11 |
lbragstad | well - looks like google hangouts capped us at 10 people, so.. | 16:11 |
edmondsw | lbragstad, I haven't been able to get into that hangouts... will keep trying | 16:11 |
htruta | o/ | 16:11 |
ktychkova | ο/ | 16:11 |
artmr | o/ | 16:11 |
lbragstad | edmondsw no worries - we are going to scrap the hangouts | 16:11 |
edmondsw | cool | 16:11 |
lbragstad | because we got capped at 10 people | 16:11 |
ruan_02 | o/ | 16:11 |
edmondsw | o/ | 16:11 |
stevemar | we're doing it here eh :P | 16:11 |
*** clenimar has joined #openstack-keystone | 16:11 | |
rderose | o/ | 16:11 |
dstanek | \o/ | 16:12 |
lbragstad | so - we'll do an IRC meeting and if we want to stick with that (or can't find a workaround for face-to-face) I'll propose an official meeting time | 16:12 |
stevemar | room #openstack-meeting-cp is open -- but i'll allow this to happen | 16:12 |
stevemar | i won't ban you all for spamming | 16:12 |
dstanek | stevemar: you didn't want to work in here did you? :-P | 16:12 |
stevemar | :) | 16:12 |
lbragstad | stevemar you're welcome :P | 16:12 |
* stevemar zips his mouth and goes back to work | 16:13 | |
raildo | lbragstad, what about use hangouts air, in the next time? you can have more than 10 people at the same link(at least to watch) | 16:13 |
lbragstad | alright - so for the definitions - do those make sense or does anyone have questions on the ones in the list? (https://etherpad.openstack.org/p/keystone-policy-meeting) | 16:13 |
*** ruan_02 has left #openstack-keystone | 16:13 | |
lbragstad | raildo i was really hoping we'd be able to use it for discussion, i don't want to have folks not be able to speak up if they want to be a part of the discussion | 16:14 |
stevemar | they seem fine | 16:14 |
lbragstad | ok - cool | 16:14 |
raildo | lbragstad, makes sense | 16:14 |
*** ruan_04 has joined #openstack-keystone | 16:14 | |
dolphm | could use a voice only solution like mumble | 16:14 |
lbragstad | dolphm ++ | 16:14 |
gagehugo | ventrilo | 16:15 |
dstanek | dolphm: ++ almost everyone had video off anyway | 16:15 |
edmondsw | only issue I have with the definitions is scope check... policy is one element of a scope check, but not the only one | 16:15 |
edmondsw | s/policy/project/ | 16:16 |
*** jaypipes has joined #openstack-keystone | 16:16 | |
edmondsw | not sure what my fingers were thinking there... | 16:16 |
thinrichs | Defs look fine, though I'd probably put the Role check and Scope check under the Openstack part since there's no notion of a 'project' or 'rule' in pure RBAC or ABAC | 16:16 |
lbragstad | thinrichs true - i thought of that just before the meeting | 16:16 |
rderose | Where did the defs come from? | 16:17 |
lbragstad | rderose google :) | 16:17 |
stevemar | :) | 16:17 |
lbragstad | I can't remember where i pulled that from | 16:18 |
rderose | lbragstad: I've seen PAP, PDP, PEP... from an IBM talk, but not sure where this design originated | 16:18 |
thinrichs | PAP/PDP/PEP/PIP are all standard XACML terms, though they may have originated elsewhere | 16:18 |
rderose | ah ha, thx | 16:18 |
ruan_04 | PIP, PDP... come from the standard XACML | 16:18 |
lbragstad | I can try and find the source I used | 16:18 |
lbragstad | under the definitions I tried to highlight where those particular systems apply in the openstack world | 16:19 |
*** asettle has quit IRC | 16:20 | |
edmondsw | PIP is not just keystone... the service endpoints also add things | 16:20 |
lbragstad | PDP and PEP is handled by oslo.policy, keystone just supplies information to oslo.policy, and the policy administration part is essentially a PIP and PAP | 16:20 |
*** asettle has joined #openstack-keystone | 16:20 | |
lbragstad | edmondsw ++ | 16:21 |
ktychkova | RBAC defs: http://profsandhu.com/journals/tissec/ANSI+INCITS+359-2004.pdf | 16:21 |
rderose | but we're starting from scratch; not necessarily following the xacml architecture, right? | 16:21 |
dstanek | edmondsw: as in the policy-in-code discussions? | 16:21 |
ruan_04 | XACML doesn't conform to cloud | 16:21 |
edmondsw | dstanek not exactly, no | 16:21 |
dstanek | edmondsw: other things too? | 16:22 |
edmondsw | e.g. context_is_admin | 16:22 |
edmondsw | used to set isadmin:True | 16:22 |
dstanek | ah | 16:22 |
edmondsw | and information about the target resource | 16:22 |
dstanek | rderose: it's a good base to understand and start from | 16:22 |
lbragstad | the nova folks were working on codifying their policy into oslo.policy (making it backwards-compat by allowing policy.json files to override the default policy in oslo) | 16:22 |
dstanek | not sure i'd want to try to invent something completely new here | 16:23 |
edmondsw | lbragstad, they did that in newton | 16:23 |
edmondsw | except it's not in oslo.policy, it's in nova/policies | 16:23 |
rderose | dstanek: good point | 16:23 |
*** stlbigdog has joined #openstack-keystone | 16:23 | |
lbragstad | edmondsw ah - so is nova/policies a hook into oslo.policy somehow? | 16:23 |
*** guoshan has joined #openstack-keystone | 16:24 | |
*** erhudy has joined #openstack-keystone | 16:24 | |
edmondsw | lbragstad the first thing they do is load the policies defined in nova/policies, then they allow you to override from policy.json | 16:24 |
stevemar | lbragstad: yes, the defaults are in code | 16:25 |
*** deep_1 has joined #openstack-keystone | 16:25 | |
edmondsw | I think there was some oslo.policy work to make that possible but I don't recall the details | 16:25 |
lbragstad | oslo.policy loads nova/policies? | 16:25 |
edmondsw | I think nova does, actually | 16:25 |
edmondsw | let me find it | 16:25 |
lbragstad | got it | 16:25 |
lbragstad | that makes sense | 16:25 |
*** adrian_otto has joined #openstack-keystone | 16:26 | |
*** henrynash has joined #openstack-keystone | 16:26 | |
*** ChanServ sets mode: +v henrynash | 16:26 | |
edmondsw | https://github.com/openstack/nova/blob/master/nova/policy.py#L206 | 16:27 |
*** henrynash has quit IRC | 16:27 | |
edmondsw | called from https://github.com/openstack/nova/blob/master/nova/policy.py#L74 | 16:27 |
lbragstad | edmondsw ah - interesting | 16:28 |
*** guoshan has quit IRC | 16:28 | |
lbragstad | ok - so given the existing system and the list of existing painpoints, does anyone have anything else to add? | 16:28 |
ruan_04 | dynamic policy configuration and enforcement | 16:29 |
lbragstad | ruan_04 so administration of the policy | 16:30 |
lbragstad | right? | 16:30 |
ruan_04 | yes | 16:30 |
thinrichs | Biggest pain points I've heard are around Administration and Fine-grained policies, both of which we have. People don't want to touch the policies and they want more control over who can do what. | 16:30 |
lbragstad | from an operator perspective (not that I'm an operator) but that seems to be the big one | 16:30 |
ruan_04 | yes, I confirm you from the operator perspective | 16:31 |
lbragstad | thinrichs fine grained policies, meaning being able to define specific roles for specific things (not fine grained in the sense of resources, right?) | 16:31 |
ruan_04 | fine grain means control at the resources level but not at the API level | 16:32 |
edmondsw | I can also confirm that | 16:32 |
thinrichs | Okay maybe I should say "richness" then. Example from summit: "never open port 25 on any server" | 16:33 |
edmondsw | a lot (most?) of the problems we have with policy are things that need to be fixed in the individual service endpoints. like too many places that hardcode that you have to be admin, or something like that (I think this is what dstanek was referring to earlier) | 16:33 |
lbragstad | we can't create policies for specific resources today, can we? | 16:33 |
raildo | another point is the policy validation/customization (maybe included in the administration of the policy point) it's hard for operators to validate their changes in the default policies | 16:33 |
edmondsw | lbragstad no | 16:33 |
edmondsw | but you can refer to resource properties in policy.json | 16:33 |
lbragstad | edmondsw right | 16:34 |
thinrichs | edmondsw: what kind of properties? | 16:34 |
lbragstad | thinrichs https://github.com/openstack/keystone/blob/3f92a97b5a16b0877cba815d8dff966da18792a4/etc/policy.v3cloudsample.json#L37 | 16:34 |
lbragstad | like ^ there we are looking at the target's project domain id in the policy check | 16:35 |
ruan_04 | in policy administration, also centralized management instead of each policy.json files | 16:35 |
edmondsw | thinrichs e.g. user_id https://github.com/openstack/keystone/blob/master/etc/policy.v3cloudsample.json#L68 | 16:35 |
*** diazjf has quit IRC | 16:35 | |
ayoung | samueldmq, in the words of the late Leonard Cohen: "i've been here before | 16:35 |
ayoung | i've seen this room and i've walked this floor | 16:35 |
ayoung | i used to live (work on this) alone before i knew you " | 16:35 |
thinrichs | So properties of (a) request that comes in (e.g. user id) | 16:36 |
edmondsw | ayoung, and you couldn't solve it alone, so we'd better work on it together :) | 16:36 |
edmondsw | thinrichs, also properties of the target resource | 16:36 |
edmondsw | e.g. target.role.domain_id https://github.com/openstack/keystone/blob/master/etc/policy.v3cloudsample.json#L111 | 16:37 |
thinrichs | edmondsw: that's the one I'm puzzling over. If it were Nova, could we write policy about the number of CPUs on the VM? | 16:37 |
edmondsw | depends on what the service_endpoint loads (back to my earlier point) | 16:37 |
lbragstad | so that allows you the ability to apply attributes of a resource to the policy check | 16:37 |
edmondsw | yes | 16:37 |
thinrichs | So each service pushes resource properties into oslo.policy for whichever properties it thinks are important for writing policy over. Yes? | 16:38 |
edmondsw | yes | 16:39 |
thinrichs | Got it. Thanks. | 16:39 |
lbragstad | alright - what do we like about the existing system, if anything? | 16:39 |
lbragstad | s/if anything/in addition to what's already in the list/ | 16:40 |
edmondsw | it's the target in https://github.com/openstack/nova/blob/master/nova/policy.py#L126 | 16:40 |
thinrichs | Handles the HA problem since services don't need to ping keystone to get a policy decision. (Does each service need to hit keystone to do token validation?) | 16:41 |
edmondsw | lbragstad I like that nova has moved default policy into code... I'd like to see more services do that | 16:42 |
lbragstad | thinrichs yeah | 16:42 |
edmondsw | greatly simplifies the policy.json files | 16:42 |
thinrichs | HA/performance—can run multiple policy checks for a single request without repeatedly hitting keystone | 16:42 |
lbragstad | edmondsw so - the policy files essentially become a list of policies you want to override | 16:42 |
edmondsw | exactly | 16:42 |
ruan_04 | is it possible to centralize all policy.json files? | 16:43 |
lbragstad | with the existing format in policy - is there a way to make it apply to a specific resource? | 16:43 |
edmondsw | ruan_04 several have suggested that, but it gets really tricky really fast | 16:43 |
ktychkova | It is possible to do not use policy.json files :) | 16:44 |
ktychkova | For example, to use LDAP as storage for policies or Apache Fortress | 16:44 |
edmondsw | lbragstad what exactly do you mean... maybe give a use case? | 16:44 |
thinrichs | ruan_04: I'd think you'd want (a) distributed enforcement with something like policy.json like we have now and (b) centralized administration. | 16:44 |
lbragstad | edmondsw i want to apply a policy to a specific instance instead of all instances | 16:44 |
thinrichs | lbragstad: based on the discussion earlier, can't the service push in object properties that include say the ID of each resource and then write policy over that? | 16:45 |
edmondsw | if you got nova to add the instance's UUID to the target object it passes to authorize, then you could reference that UUID in your policy.json | 16:45 |
thinrichs | lbragstad: though I'd think you'd almost immediately want to build groups of resources and write policy over those groups. | 16:46 |
edmondsw | not exactly pretty, though | 16:46 |
lbragstad | thinrichs yeah - what i'm trying to figure out is if the lack of fine-grained policies is a limitation of the current syntax or a lack of policy administration | 16:46 |
dstanek | thinrichs: i'd also think that as the owner of some resource i'd want to give a user permission to that resource (and i have to access to policy.json) | 16:46 |
*** henrynash has joined #openstack-keystone | 16:46 | |
*** ChanServ sets mode: +v henrynash | 16:46 | |
ruan_04 | I like Adam's idea, externalize all policies and properties of users and objects into a new service | 16:47 |
thinrichs | I wouldn't think anyone would actually write a policy that enumerates UUIDs that are allowed | 16:47 |
*** arunkant has quit IRC | 16:47 | |
lbragstad | FYI - we're at the ten minute mark | 16:47 |
thinrichs | They'd use metadata like "people can only create VMs using blessed-images from glance" where the "blessed" tag is a group that people add to images somewhere else | 16:47 |
edmondsw | the id of the resource probably isn't the best choice typically, but there could be other attributes on the resource that make more sense | 16:48 |
lbragstad | two things quick 1.) do we think the list of painpoints is complete? 2.) do we like the direction of the items in our ideal policy system? | 16:48 |
*** jistr is now known as jistr|biab | 16:48 | |
edmondsw | I'm sure the list of painpoints isn't complete... there are so many I can't keep them all in my head at one time :) | 16:48 |
dstanek | thinrichs: i don't think a cloud admin would write a policy like that, but as a resource owner i would | 16:49 |
thinrichs | It might be useful to have a concrete, fine-grained policy to discuss and analyze tradeoffs. | 16:49 |
thinrichs | dstanek: not sure who would write the policies at this point. | 16:49 |
dstanek | i can't remember what ayoung called it, but it's basically layering policy | 16:49 |
lbragstad | anyone here an expert on Apache Fortress? | 16:50 |
ayoung | edmondsw, I have some fodder for today's policy meeting | 16:50 |
ktychkova | o/ | 16:50 |
ayoung | is that happening now? | 16:51 |
lbragstad | ktychkova does AF allow fine-grained policy control as we've talked about it here? | 16:51 |
edmondsw | ayoung this is that meeting | 16:51 |
lbragstad | ayoung yes | 16:51 |
edmondsw | about to end | 16:51 |
ayoung | AAAAH! | 16:51 |
ayoung | Mother puss bucket.... | 16:51 |
* lbragstad hands ayoung a schedule | 16:51 | |
edmondsw | ayoung I was wondering why you were so quiet... | 16:51 |
ayoung | OK...so I was off by an hour | 16:51 |
ayoung | OK...very fast... | 16:51 |
ktychkova | About Apache Fortress, please read : http://xuctarine.blogspot.ru/2016/08/apache-fortress-easiest-way-to-get-full.html | 16:52 |
ayoung | I have to make a decision on the RBAC spec | 16:52 |
ayoung | 1. policy check as part of the token validation is 1 | 16:52 |
ayoung | in 1 | 16:52 |
ayoung | 2. second API call to do the RBAC check | 16:52 |
ayoung | 3. pull the data into middleware and do the RBAC check in there | 16:52 |
ayoung | Spec is written for 1. But based on feedback, I am leaning toward 3 | 16:53 |
edmondsw | ayoung, I would probably also lean toward 3 with those options | 16:53 |
ayoung | edmondsw, yeah, it leaves caching intact | 16:53 |
thinrichs | Are RBAC checks only ever done 1 time per request, or could they happen more than once? If more than once, middleware seems like the clear win. | 16:53 |
ayoung | thinrichs, it depends on the usage pattern | 16:53 |
ayoung | for CLI, each token is used roughly once per service, so caching buys little | 16:54 |
ayoung | and doing it all in Keystone is preferable | 16:54 |
ayoung | but for Horizon, tokens are reused, and thus caching is heavily used | 16:54 |
edmondsw | thinrichs ayoung it also depends on the API request... some have a check to see if you can call the API, and then run additional checks based on what your request body had in it or didn't have in it, or based on your query params | 16:54 |
ayoung | so I was in process of re-writing the spec to call that out. I think I will actually cover all three in the spec, but rank order them in implementation | 16:55 |
ayoung | 1. external check. 2. separate API check 3. check RBAC with token validation | 16:55 |
edmondsw | e.g., yes you can create a port, but no you can't create THAT kind of port | 16:55 |
ayoung | right. this is not a catch all, but I suspect that the kind of external PDP you get with Fortress or the dynamic policy approach from last summer is not going to work for 98% of deployments out there | 16:56 |
ayoung | it is really only going to work for teams that have a full time dedicated policy/security group | 16:56 |
ayoung | I'm trying to lower the bar to make it easier to clear, not raise it | 16:57 |
edmondsw | bump that 98% higher :) | 16:57 |
ayoung | so, let us not forget that we are dumb, and yet the rest of the world considers *us* the experts | 16:57 |
ayoung | I know I am dumb on this stuff. | 16:57 |
edmondsw | 3 minutes | 16:57 |
lbragstad | alright - so action items | 16:58 |
lbragstad | i'm going to create an official irc meeting for this instead of google hangouts | 16:58 |
ayoung | ++ | 16:58 |
ayoung | I'm going to post an updated RBAC spec with the external and separate API call options | 16:59 |
lbragstad | action item for the rest of the group to continue thinking about painpoints so that by next week we have a solid list of things we don't want the new approach to do | 16:59 |
lbragstad | action item for ayoung to follow up on his specs | 16:59 |
ayoung | I'll also finish up the API proof of concept for generation and management of the URL patterns | 16:59 |
ayoung | Anyone interested to see them they are here: | 17:00 |
lbragstad | ayoung this is the one you're talking about- https://review.openstack.org/#/c/391624/ ? | 17:00 |
lbragstad | right? | 17:00 |
ayoung | https://github.com/admiyo/keystone/tree/url_patterns | 17:00 |
ayoung | lbragstad, yes | 17:00 |
lbragstad | cool - are there *any* other policy related specs we need to be reviewing that haven't been mentioned here? | 17:01 |
*** Zer0Byte__ has joined #openstack-keystone | 17:01 | |
lbragstad | alrighty - that about sums things up then. | 17:02 |
thinrichs | lbragstad: no specific specs, but Congress has been talking about integrating with policy.json for a while | 17:02 |
lbragstad | thinrichs i did some digging in congress this morning | 17:02 |
ayoung | On the apache fortress...someone did a proof of concept using it. Do we have a link? | 17:02 |
ayoung | ah that was http://xuctarine.blogspot.ru/2016/08/apache-fortress-easiest-way-to-get-full.html | 17:02 |
ayoung | cool | 17:02 |
lbragstad | I'm going to document Congress and AF as action items for the group to get familiar with before next week's meeting | 17:03 |
thinrichs | lbragstad: sounds good to me | 17:03 |
lbragstad | ktychkova is familiar with it so it would be nice to have an in-depth discussion on it | 17:03 |
ayoung | One additional point for next week: let us start to think about providing services to the cloud instead of just managing it | 17:04 |
lbragstad | sound good? anyone have anything else? | 17:04 |
ayoung | although...that might be a full on Keystone discussion.... | 17:04 |
ayoung | as it touches on identity first. | 17:04 |
ayoung | Are people looking for this form of Policy for the applications running in the cloud? | 17:04 |
lbragstad | i'll end the meeting here but I'm going to hang around if anyone else wants to continue talking policy | 17:05 |
lbragstad | thanks for coming! see you all next week | 17:05 |
* stevemar kicks everyone out | 17:06 | |
ayoung | stevemar, you might be physically larger than me, but you might want to rethink trying to show me the door.... | 17:10 |
*** diazjf has joined #openstack-keystone | 17:10 | |
openstackgerrit | Kristi Nikolla proposed openstack/keystone-specs: Devstack Plugin https://review.openstack.org/395841 | 17:11 |
stevemar | o_O | 17:11 |
stevemar | ayoung: you missed my joke earlier in the meeting | 17:12 |
stevemar | about lbragstad using the keystone room to run a meeting | 17:12 |
ayoung | stevemar, I still don't see why we don't just use this room every week | 17:13 |
ayoung | Each group with a dedicated room makes more sense to use that than to limit the meetings based on official meeting rooms | 17:14 |
*** diazjf has quit IRC | 17:14 | |
stevemar | the meeting rooms have the meet bot, and we could be helping someone with an issue in -keystone | 17:14 |
ayoung | I mean, we have not exactly deconflicted meeting times with 5 rooms... | 17:14 |
stevemar | i'm not super against it, i was mostly teasing lbragstad cause it was him | 17:14 |
ayoung | I know. And I was teasing you because I'm me. | 17:15 |
stevemar | i fell for it :( | 17:15 |
ayoung | I know the rest of Keystone core would pay money to watch, say a nerf-sword duel between us | 17:15 |
dstanek | ayoung: ++ | 17:15 |
ayoung | http://www.timberdoodle.com/v/vspfiles/photos/483-030-4.jpg | 17:15 |
stevemar | hehe | 17:15 |
ayoung | I'd quote the Princess Bride and you'd quote Strange Brew | 17:16 |
dstanek | not exactly bloodsport | 17:16 |
ayoung | dstanek, I don't want to hurt him. And I don't want to hurt me. | 17:16 |
ayoung | I'm like, old and stuff | 17:16 |
dstanek | you and me both | 17:17 |
stevemar | i feel old, does that count? | 17:17 |
dstanek | no | 17:18 |
stevemar | though with the rest of the keystone contributors i'm probably in the older range now | 17:18 |
stevemar | when compared* | 17:18 |
dstanek | stevemar: how old are you? | 17:18 |
stevemar | 31 going on 40 | 17:18 |
dstanek | lol, give it a few more years | 17:19 |
stevemar | at least my body is telling me that | 17:19 |
dstanek | i'll be 40 much sooner than i'd like | 17:19 |
*** diazjf has joined #openstack-keystone | 17:24 | |
openstackgerrit | Rodrigo Duarte proposed openstack/keystone: WIP: Federated authentication via ECP functional tests https://review.openstack.org/324769 | 17:25 |
*** raildo has quit IRC | 17:26 | |
*** thinrichs has quit IRC | 17:28 | |
dstanek | do we have any docs for using the cli with federation? | 17:30 |
*** guoshan has joined #openstack-keystone | 17:31 | |
*** raildo has joined #openstack-keystone | 17:34 | |
rodrigods | dstanek, good question | 17:34 |
dstanek | rodrigods: is it even possible? | 17:35 |
rodrigods | dstanek, i think it is - hmm remembered | 17:35 |
rodrigods | dstanek, http://rodrigods.com/what-about-ecp/ | 17:35 |
*** jistr|biab is now known as jistr | 17:36 | |
*** guoshan has quit IRC | 17:36 | |
rodrigods | dstanek, we pass the plugin as --os-auth-type, jamielennox|away has a blog post on how to find out the plugins names | 17:36 |
lbragstad | lamt is your name Tin? | 17:43 |
lamt | yes | 17:44 |
lbragstad | lamt just trying to match up IRC nicks with names from the etherpad | 17:44 |
lbragstad | lamt thank you | 17:44 |
lamt | lbragstad: np | 17:44 |
*** david-lyle has quit IRC | 17:48 | |
*** david-lyle has joined #openstack-keystone | 17:48 | |
openstackgerrit | Gage Hugo proposed openstack/keystone: WIP - Add reason to notifications for PCI-DSS https://review.openstack.org/396752 | 17:51 |
*** chris_hultin is now known as chris_hultin|AWA | 17:51 | |
openstackgerrit | Rodrigo Duarte proposed openstack/keystone: WIP: Federated authentication via ECP functional tests https://review.openstack.org/324769 | 17:51 |
rodrigods | stevemar, https://review.openstack.org/#/c/398407/3 think it fixes the issues | 17:54 |
*** thinrichs has joined #openstack-keystone | 17:56 | |
*** mvk has quit IRC | 17:58 | |
*** diazjf has quit IRC | 17:59 | |
*** deep_1 has quit IRC | 18:02 | |
stevemar | dstanek: probably not | 18:06 |
*** jperry has quit IRC | 18:10 | |
openstackgerrit | Merged openstack/keystone: remove release note about LDAP write removal https://review.openstack.org/398436 | 18:11 |
*** catinthe_ has joined #openstack-keystone | 18:13 | |
*** tqtran has joined #openstack-keystone | 18:13 | |
*** ravelar has quit IRC | 18:14 | |
*** harlowja has joined #openstack-keystone | 18:14 | |
*** catintheroof has quit IRC | 18:15 | |
*** catintheroof has joined #openstack-keystone | 18:15 | |
*** chrisplo has joined #openstack-keystone | 18:15 | |
*** tqtran has quit IRC | 18:18 | |
openstackgerrit | Matt Fischer proposed openstack/keystone: cache_on_issue default to true https://review.openstack.org/383333 | 18:18 |
*** catinthe_ has quit IRC | 18:18 | |
*** jperry has joined #openstack-keystone | 18:24 | |
*** thebloggu has joined #openstack-keystone | 18:25 | |
*** Administrator_ has quit IRC | 18:32 | |
rodrigods | bknudson, ping... re: usage of /identity instead of the port number in devstack | 18:32 |
*** guoshan has joined #openstack-keystone | 18:32 | |
*** Administrator_ has joined #openstack-keystone | 18:32 | |
lbragstad | dstanek the mapping in the last couple comments here doesn't look off to you, does it? https://bugs.launchpad.net/keystone/+bug/1557238 | 18:33 |
openstack | Launchpad bug 1557238 in OpenStack Identity (keystone) "mapping yield no valid identity result in HTTP 500 error" [High,Fix released] - Assigned to Guang Yee (guang-yee) | 18:33 |
*** guoshan has quit IRC | 18:36 | |
*** jpich has quit IRC | 18:36 | |
*** stlbigdog has quit IRC | 18:45 | |
stevemar | lamt: let's see if we can figure out why that change is needed for notifications | 18:47 |
stevemar | otherwise the change looks good | 18:47 |
* stevemar is afk for a bit | 18:47 | |
*** nk2527 has quit IRC | 18:51 | |
*** chlong has joined #openstack-keystone | 18:53 | |
dstanek | lbragstad: nothing stands out as wrong, but i agree with gyee that a no match is probably a 500 | 18:53 |
dstanek | we probably do always expect a match | 18:54 |
dstanek | i can test in my k2k in a little bit | 18:54 |
lbragstad | you mean a direct match from the assertion to the mapping | 18:54 |
dstanek | lbragstad: he is saying if nothing in the mapping matches that we just explode. i think that's probable, but i'll have to check | 18:55 |
*** thebloggu has quit IRC | 19:09 | |
*** chris_hultin|AWA is now known as chris_hultin | 19:10 | |
*** amoralej is now known as amoralej|off | 19:12 | |
*** tqtran has joined #openstack-keystone | 19:14 | |
*** chris_hultin is now known as chris_hultin|AWA | 19:16 | |
*** chris_hultin|AWA is now known as chris_hultin | 19:17 | |
*** jamielennox|away is now known as jamielennox | 19:26 | |
*** guoshan has joined #openstack-keystone | 19:26 | |
*** guoshan has quit IRC | 19:30 | |
lamt | stevemar: planning to look at it this afternoon | 19:32 |
*** pcaruana has quit IRC | 19:51 | |
morgan_ | stevemar: expect some ksa changes being reworked here shortly | 19:52 |
*** r1chardj0n3s_afk is now known as r1chardj0n3s | 19:53 | |
*** thinrichs has quit IRC | 19:54 | |
*** ravelar has joined #openstack-keystone | 19:55 | |
stevemar | morgan_: rgr | 19:59 |
stevemar | lamt: awesomeo | 19:59 |
morgan_ | stevemar: i just need to rebuild my dev environment correctly for it. | 20:00 |
morgan_ | but it's not far odd | 20:00 |
morgan_ | off* | 20:00 |
morgan_ | have tests coming ready for task interface in ksa and will be going through the backlog of anything open | 20:00 |
*** edtubill has joined #openstack-keystone | 20:08 | |
*** thinrichs has joined #openstack-keystone | 20:10 | |
openstackgerrit | Merged openstack/python-keystoneclient: Refactor test_domain_configs https://review.openstack.org/398407 | 20:11 |
stevemar | morgan_: like that betamax failure lol | 20:15 |
stevemar | morgan_: i thought you were talking about that! :P | 20:15 |
morgan_ | stevemar: that is also part of the fixes i'll be digging into | 20:15 |
morgan_ | that one is weird. some interaction between us, betamax, and requests | 20:15 |
*** guoshan has joined #openstack-keystone | 20:20 | |
*** diazjf has joined #openstack-keystone | 20:21 | |
*** diazjf has quit IRC | 20:22 | |
*** guoshan has quit IRC | 20:25 | |
*** artmr has quit IRC | 20:32 | |
openstackgerrit | Ron De Rose proposed openstack/keystone: Lockout ignore user list https://review.openstack.org/398571 | 20:33 |
openstackgerrit | Ron De Rose proposed openstack/keystone: Lockout ignore user list https://review.openstack.org/398571 | 20:38 |
*** raildo has quit IRC | 20:50 | |
*** nk2527 has joined #openstack-keystone | 20:51 | |
*** rcernin has joined #openstack-keystone | 20:58 | |
openstackgerrit | ayoung proposed openstack/keystone-specs: Token Verify Role Check https://review.openstack.org/391624 | 20:59 |
*** tqtran is now known as tqtran-afk | 21:01 | |
edmondsw | jamielennox, just found that nova's instantiation of glanceclient is not going to use SessionClient because nova doesn't pass the session kwarg. I know you've worked on things like that in the past. Know if anyone's addressing that or what the holdup is? | 21:04 |
edmondsw | https://github.com/openstack/nova/blob/master/nova/image/glance.py#L104 | 21:04 |
jamielennox | edmondsw: there's no one i know working on it and there's no reason it shouldn't be changed | 21:05 |
jamielennox | like, cool, would love you to fix it :) | 21:06 |
edmondsw | yeah :) | 21:06 |
*** nk2527 has quit IRC | 21:09 | |
*** mvk has joined #openstack-keystone | 21:11 | |
*** guoshan has joined #openstack-keystone | 21:14 | |
edmondsw | jamielennox I also noticed that the way it instantiates cinderclient will sometimes use token-based auth: https://github.com/openstack/nova/blob/master/nova/context.py#L135 | 21:15 |
edmondsw | can you explain the note at https://github.com/openstack/nova/blob/master/nova/context.py#L39 and why it's not loading auth from keystone_authtoken section of conf? | 21:16 |
jamielennox | edmondsw: oh, so that's because you have to handle the case where context is created in the API service vs the conductor or scheduler or whatever | 21:16 |
jamielennox | at that point you are passing all that information over the RPC bus and you just have to reconstruct and do the best you can | 21:17 |
*** jdennis has quit IRC | 21:18 | |
*** guoshan has quit IRC | 21:19 | |
stevemar | ayoung: o/ | 21:20 |
ayoung | stevemar, \o | 21:21 |
stevemar | ayoung: what's the story with red hat and kerberos everywhere? would you be upset if the horizon team retired d-o-a-kerb? | 21:21 |
stevemar | ayoung: you can jump to #openstack-horizon where we are discussing this | 21:22 |
ayoung | stevemar, if can die | 21:22 |
ayoung | it | 21:22 |
ayoung | Kerberos will be handled via Federation | 21:22 |
stevemar | coolio | 21:23 |
*** thinrichs has quit IRC | 21:23 | |
*** thinrichs has joined #openstack-keystone | 21:23 | |
*** thinrichs has quit IRC | 21:26 | |
*** thinrichs has joined #openstack-keystone | 21:28 | |
*** catinthe_ has joined #openstack-keystone | 21:32 | |
openstackgerrit | Gage Hugo proposed openstack/keystone: WIP - Add reason to notifications for PCI-DSS https://review.openstack.org/396752 | 21:33 |
*** catintheroof has quit IRC | 21:36 | |
*** thinrichs has quit IRC | 21:37 | |
*** catintheroof has joined #openstack-keystone | 21:51 | |
*** catinthe_ has quit IRC | 21:51 | |
*** ayoung has quit IRC | 21:55 | |
openstackgerrit | Richard Avelar proposed openstack/keystone: Fix typo in doc https://review.openstack.org/398599 | 21:58 |
openstackgerrit | Merged openstack/keystone: Change "Change User Password" request example https://review.openstack.org/398421 | 22:01 |
*** nkinder has quit IRC | 22:01 | |
*** henrynash has quit IRC | 22:01 | |
*** henrynash has joined #openstack-keystone | 22:06 | |
*** ChanServ sets mode: +v henrynash | 22:06 | |
*** guoshan has joined #openstack-keystone | 22:08 | |
*** adrian_otto has quit IRC | 22:08 | |
*** lifeless has quit IRC | 22:11 | |
*** lifeless has joined #openstack-keystone | 22:12 | |
*** guoshan has quit IRC | 22:13 | |
*** henrynash has quit IRC | 22:21 | |
openstackgerrit | Tin Lam proposed openstack/keystone: Enable CADF notification format by default https://review.openstack.org/397339 | 22:21 |
openstackgerrit | Gage Hugo proposed openstack/keystone: WIP - Add reason to notifications for PCI-DSS https://review.openstack.org/396752 | 22:28 |
*** adriant has joined #openstack-keystone | 22:31 | |
*** diazjf has joined #openstack-keystone | 22:32 | |
*** ravelar has quit IRC | 22:35 | |
*** adrian_otto has joined #openstack-keystone | 22:35 | |
*** ravelar has joined #openstack-keystone | 22:36 | |
*** jperry has quit IRC | 22:42 | |
*** thinrichs has joined #openstack-keystone | 22:43 | |
*** ayoung has joined #openstack-keystone | 22:45 | |
*** ChanServ sets mode: +v ayoung | 22:45 | |
*** edtubill has quit IRC | 22:53 | |
*** catintheroof has quit IRC | 22:54 | |
*** chlong has quit IRC | 22:59 | |
*** diazjf has quit IRC | 23:01 | |
*** guoshan has joined #openstack-keystone | 23:02 | |
*** spzala has quit IRC | 23:03 | |
*** henrynash has joined #openstack-keystone | 23:04 | |
*** ChanServ sets mode: +v henrynash | 23:04 | |
*** dave-mccowan has quit IRC | 23:07 | |
*** guoshan has quit IRC | 23:07 | |
*** henrynash has quit IRC | 23:08 | |
*** tqtran-afk is now known as tqtran | 23:13 | |
*** chlong has joined #openstack-keystone | 23:17 | |
*** edmondsw has quit IRC | 23:17 | |
*** asettle has quit IRC | 23:23 | |
*** thinrichs has quit IRC | 23:26 | |
*** chlong has quit IRC | 23:27 | |
*** chris_hultin is now known as chris_hultin|AWA | 23:29 | |
*** lamt has quit IRC | 23:33 | |
*** zhugaoxiao has joined #openstack-keystone | 23:38 | |
*** chrisplo has quit IRC | 23:38 | |
*** khamtamtun has joined #openstack-keystone | 23:39 | |
*** Administrator_ has quit IRC | 23:40 | |
*** khamtamtun has quit IRC | 23:42 | |
*** diazjf has joined #openstack-keystone | 23:44 | |
*** henrynash has joined #openstack-keystone | 23:47 | |
*** ChanServ sets mode: +v henrynash | 23:47 | |
*** david-lyle_ has joined #openstack-keystone | 23:50 | |
*** erhudy has quit IRC | 23:51 | |
*** david-lyle has quit IRC | 23:51 | |
*** rcernin has quit IRC | 23:52 | |
*** ravelar has quit IRC | 23:53 | |
openstackgerrit | Gage Hugo proposed openstack/keystone: Add reason to notifications for PCI-DSS https://review.openstack.org/396752 | 23:55 |
*** guoshan has joined #openstack-keystone | 23:57 |