*** guoshan has joined #openstack-keystone | 00:05 | |
*** richm has quit IRC | 00:08 | |
*** guoshan has quit IRC | 00:09 | |
*** agrebennikov has quit IRC | 00:12 | |
*** antwash has quit IRC | 00:31 | |
*** jlwhite has quit IRC | 00:32 | |
*** Dave has quit IRC | 00:37 | |
*** jlwhite has joined #openstack-keystone | 00:38 | |
*** antwash has joined #openstack-keystone | 00:39 | |
*** Dave_____ has joined #openstack-keystone | 01:00 | |
*** Dave_____ is now known as Dave | 01:05 | |
*** guoshan has joined #openstack-keystone | 01:06 | |
*** guoshan has quit IRC | 01:10 | |
*** zhangjl has joined #openstack-keystone | 01:26 | |
lbragstad | adriant that's a good question - i'm not entirely sure what uses cert... | 01:30 |
---|---|---|
lbragstad | that might be a good usage question for the mailing list though | 01:30 |
*** dave-mccowan has joined #openstack-keystone | 01:31 | |
*** guoshan has joined #openstack-keystone | 01:31 | |
*** jperry has joined #openstack-keystone | 02:01 | |
*** guoshan has quit IRC | 02:07 | |
*** dave-mccowan has quit IRC | 02:07 | |
*** chrisplo has quit IRC | 02:07 | |
*** zhangjl has quit IRC | 02:08 | |
*** guoshan has joined #openstack-keystone | 02:08 | |
*** namnh has joined #openstack-keystone | 02:09 | |
*** zhangjl has joined #openstack-keystone | 02:09 | |
*** guoshan has quit IRC | 02:33 | |
openstackgerrit | ayoung proposed openstack/keystone: Refactor Authorization: https://review.openstack.org/387161 | 02:34 |
openstackgerrit | ayoung proposed openstack/keystone: Refactor is_admin https://review.openstack.org/387710 | 02:35 |
*** tqtran has quit IRC | 02:36 | |
*** guoshan has joined #openstack-keystone | 02:38 | |
*** Alagar has joined #openstack-keystone | 02:38 | |
adriant | lbragstad: I thought it was something to do with tokenless auth via certs, but I just couldn't find any code that actually used the credential api :( | 02:41 |
adriant | Will email the list. | 02:42 |
ayoung | adriant, I did not. That was gyee | 02:54 |
adriant | ayoung: ah, thanks. I found spec. Steve merged it, and gyee was the one who worked on it from what was there. | 02:56 |
*** richm has joined #openstack-keystone | 02:56 | |
*** dikonoor has joined #openstack-keystone | 03:10 | |
stevemar | adriant: tokenless auth didn't actually use the certs from the credentials API | 03:11 |
stevemar | adriant: the credentials API was largely unused for a long time | 03:11 |
adriant | stevemar: hmmm ok. That makes more sense. | 03:12 |
stevemar | adriant: when originally designed, it was deliberately made generic enough to support many types of credentials, by simply stating the 'type' and the 'blob' | 03:12 |
stevemar | adriant: whats the original question about certs anyway? | 03:12 |
adriant | You've answered it. :) | 03:13 |
adriant | I was trying to work out if it used the credentials api or not | 03:13 |
stevemar | adriant: we eventually reworked the ec2 bits to actually store stuff in credentials, but even there... i'm not sure anyone uses the ec2 stuff | 03:13 |
adriant | we do | 03:13 |
stevemar | yay | 03:13 |
adriant | the interoperability with openstack and AWS is useful. | 03:14 |
Alagar | i have installed openstack using devstack script top of xen hypervisor, in this open stack as a virtual machine. | 03:14 |
Alagar | when i create instance in openstack, the instance should create in xen hypervisor. but its not happening. | 03:14 |
Alagar | Someone, could you please guide me please | 03:14 |
Alagar | I am trying to integrate openstack with xen | 03:14 |
stevemar | adriant: cool. that's good to know | 03:14 |
adriant | Alagar: wrong channel perhaps? | 03:15 |
stevemar | adriant: unfortunately, i dont think many people use it to store certs | 03:15 |
stevemar | Alagar: you'll have better luck in #openstack-dev or #openstack-nova | 03:15 |
stevemar | adriant: so what are you thinking about for certs and the credentials api? | 03:16 |
adriant | Oh nothing, just the OSClient lists the types for credentials as cert and ec2 | 03:16 |
adriant | and i just couldn't actually find the code that used the cert type so was confused | 03:16 |
adriant | stevemar: was mainly in relation to this spec https://review.openstack.org/#/c/345705 | 03:17 |
adriant | stevemar: and trying to figure out exactly what the credentials api is used for | 03:17 |
adriant | stevemar: the main gist being that I'm not sure using the credentials API directly is a good idea, but as it stands i'm not sure how useful refactoring it is either. So I'm leaning towards new APIs for TOTP creds. | 03:20 |
stevemar | it is AFAIK rarely used, only for ec2 stuff | 03:24 |
adriant | stevemar: yeah, that seems to be the case. Well that answers my questions. :) | 03:31 |
adriant | oh stevemar: did you get a chance to look over the silly CIDR authentication I was playing with? http://paste.openstack.org/show/589067/ | 03:32 |
stevemar | adriant: its been on my to-read for days | 03:40 |
adriant | stevemar: hah, np. :) It was a silly idea I had, and thought I'd test it with a quick and dirty prototype. | 03:41 |
stevemar | adriant: the thing that came up in my mind was - load balancers, gotta make sure we're getting the right ip address | 03:41 |
adriant | yeah, as long as they correctly pass along the request and don't pollute the IP. I'll need to check how that's handled in our deployment to see if it is viable. | 03:42 |
adriant | stevemar: hmmm, yeah in our case we're using HAproxy and 'forwardfor' so it is being passed along, but likely as a header. | 03:47 |
adriant | Need to dig into that some more. | 03:47 |
*** dikonoor has quit IRC | 03:47 | |
adriant | stevemar: ah, found it: "HTTP_X_FORWARDED_FOR" is the ip as passed along by our load balancers. So the question is how can I access that data easily in keystone. | 03:49 |
stevemar | adriant: i think someone had a patch for that so the IP is properly recorded in a notification | 03:51 |
* stevemar goes digging | 03:51 | |
adriant | stevemar: at any rate, provided your load balancer passes along the IP somehow, and the header/ip_location is configurable, we could totally do something like IP based authentication in keystone. | 03:53 |
stevemar | adriant: https://review.openstack.org/#/c/367031/ | 03:53 |
adriant | stevemar: oh, fantastic. | 03:54 |
stevemar | adriant: yeah, i haven't thought about the revoking bits yet | 03:54 |
*** guoshan has quit IRC | 03:55 | |
*** jperry has quit IRC | 04:06 | |
*** links has joined #openstack-keystone | 04:08 | |
*** dikonoor has joined #openstack-keystone | 04:08 | |
*** udesale has joined #openstack-keystone | 04:10 | |
*** guoshan has joined #openstack-keystone | 04:18 | |
*** adriant has quit IRC | 04:24 | |
*** GB21 has joined #openstack-keystone | 04:33 | |
*** Alagar has quit IRC | 04:33 | |
*** Alagar has joined #openstack-keystone | 04:33 | |
*** tqtran has joined #openstack-keystone | 04:34 | |
*** edtubill has joined #openstack-keystone | 04:40 | |
*** edtubill has quit IRC | 04:42 | |
*** dikonoor has quit IRC | 04:52 | |
*** Alagar has quit IRC | 05:04 | |
*** Alagar has joined #openstack-keystone | 05:06 | |
openstackgerrit | Merged openstack/keystone: Update configuration.rst documentation https://review.openstack.org/399730 | 05:26 |
*** GB21 has quit IRC | 05:28 | |
*** chrisplo has joined #openstack-keystone | 05:30 | |
*** chrisplo has quit IRC | 05:34 | |
*** guoshan has quit IRC | 05:35 | |
*** GB21 has joined #openstack-keystone | 05:46 | |
*** guoshan has joined #openstack-keystone | 06:10 | |
*** GB21 has quit IRC | 06:10 | |
*** jaosorior has joined #openstack-keystone | 06:17 | |
*** GB21 has joined #openstack-keystone | 06:22 | |
*** richm has quit IRC | 06:41 | |
*** jaosorior has quit IRC | 06:49 | |
*** jaosorior has joined #openstack-keystone | 06:49 | |
*** josecastroleon has joined #openstack-keystone | 06:56 | |
*** belmoreira has joined #openstack-keystone | 07:23 | |
*** belmoreira has quit IRC | 07:24 | |
openstackgerrit | Juan Antonio Osorio Robles proposed openstack/keystoneauth: Add reauthenticate to generic plugins https://review.openstack.org/400550 | 07:29 |
*** daemontool has joined #openstack-keystone | 07:48 | |
jaosorior | jamielennox: hey, actually, I don't really know where to put the tests for that | 07:50 |
jaosorior | was browsing around the repo and there doesn't seem to be an appropriate place for them, any hints? | 07:51 |
*** belmoreira has joined #openstack-keystone | 07:53 | |
*** pcaruana has joined #openstack-keystone | 07:56 | |
jaosorior | jamielennox: nevermind, found a place | 07:58 |
openstackgerrit | Juan Antonio Osorio Robles proposed openstack/keystoneauth: Add reauthenticate to generic plugins https://review.openstack.org/400550 | 07:59 |
*** rcernin_ has joined #openstack-keystone | 08:14 | |
*** daemontool has quit IRC | 08:37 | |
*** tqtran has quit IRC | 08:38 | |
openstackgerrit | Merged openstack/keystone: Verbose 401/403 debug responses https://review.openstack.org/372433 | 08:38 |
*** amoralej|off is now known as amoralej | 08:40 | |
*** hogepodge has quit IRC | 08:45 | |
*** jpich has joined #openstack-keystone | 08:57 | |
*** zzzeek has quit IRC | 09:00 | |
*** zzzeek has joined #openstack-keystone | 09:01 | |
*** GB21 has quit IRC | 09:26 | |
*** tqtran has joined #openstack-keystone | 09:35 | |
*** tqtran has quit IRC | 09:40 | |
*** GB21 has joined #openstack-keystone | 09:40 | |
*** asettle has joined #openstack-keystone | 09:40 | |
*** asettle has quit IRC | 09:41 | |
*** asettle__ has joined #openstack-keystone | 09:41 | |
*** chrisplo has joined #openstack-keystone | 09:42 | |
*** asettle__ is now known as asettle | 09:42 | |
*** chrisplo has quit IRC | 09:47 | |
openstackgerrit | Julia Varlamova proposed openstack/keystone: Change DevStack plugin to setup multi-Keystone https://review.openstack.org/399472 | 09:52 |
*** namnh has quit IRC | 09:59 | |
*** GB21 has quit IRC | 10:13 | |
openstackgerrit | Merged openstack/keystone: Lockout ignore user list https://review.openstack.org/398571 | 10:18 |
*** thiagolib has joined #openstack-keystone | 10:22 | |
*** zhangjl has left #openstack-keystone | 10:31 | |
*** GB21 has joined #openstack-keystone | 10:35 | |
*** guoshan has quit IRC | 10:41 | |
*** udesale has quit IRC | 10:43 | |
*** GB21 has quit IRC | 10:52 | |
*** hoonetorg has quit IRC | 10:53 | |
openstackgerrit | Johannes Grassler proposed openstack/keystone-specs: Added spec on standalone trusts https://review.openstack.org/396634 | 10:56 |
openstackgerrit | Julia Varlamova proposed openstack/keystone: Change DevStack plugin to setup multi-Keystone https://review.openstack.org/399472 | 10:58 |
*** josecastroleon has quit IRC | 10:59 | |
*** GB21 has joined #openstack-keystone | 11:05 | |
*** richm has joined #openstack-keystone | 11:10 | |
*** mvk has quit IRC | 11:15 | |
*** guoshan has joined #openstack-keystone | 11:42 | |
*** mvk has joined #openstack-keystone | 11:43 | |
*** guoshan has quit IRC | 11:46 | |
*** nicolasbock has joined #openstack-keystone | 11:49 | |
*** chrisplo has joined #openstack-keystone | 12:09 | |
jaosorior | rodrigods: can you revisit https://review.openstack.org/#/c/400550/ ? | 12:10 |
rodrigods | jaosorior, done :) | 12:11 |
jaosorior | rodrigods: thanks | 12:13 |
*** chrisplo has quit IRC | 12:14 | |
openstackgerrit | Rodrigo Duarte proposed openstack/keystone: Improvements in error messages https://review.openstack.org/400715 | 12:16 |
*** aloga has quit IRC | 12:18 | |
*** aloga has joined #openstack-keystone | 12:18 | |
openstackgerrit | Merged openstack/keystone: refactor notification test to work with either format https://review.openstack.org/399937 | 12:18 |
*** tesseract has joined #openstack-keystone | 12:19 | |
*** tesseract is now known as Guest3787 | 12:19 | |
*** jvarlamova has quit IRC | 12:27 | |
*** jperry has joined #openstack-keystone | 12:31 | |
*** guoshan has joined #openstack-keystone | 12:43 | |
*** GB21 has quit IRC | 12:45 | |
*** guoshan has quit IRC | 12:47 | |
*** dave-mccowan has joined #openstack-keystone | 13:05 | |
*** amoralej is now known as amoralej|lunch | 13:06 | |
openstackgerrit | Julia Varlamova proposed openstack/keystone: Change DevStack plugin to setup multi-Keystone https://review.openstack.org/399472 | 13:07 |
*** GB21 has joined #openstack-keystone | 13:10 | |
*** jperry has quit IRC | 13:10 | |
openstackgerrit | Rodrigo Duarte proposed openstack/keystone: Upload service provider metadata to testshib https://review.openstack.org/400747 | 13:11 |
openstackgerrit | Rodrigo Duarte proposed openstack/keystone: WIP: Federated authentication via ECP functional tests https://review.openstack.org/324769 | 13:14 |
*** jvarlamova has joined #openstack-keystone | 13:15 | |
openstackgerrit | Merged openstack/keystone: Enable CADF notification format by default https://review.openstack.org/397339 | 13:16 |
*** josecastroleon has joined #openstack-keystone | 13:19 | |
*** GB21 has quit IRC | 13:22 | |
openstackgerrit | Merged openstack/keystone: Swap the notification formats in the docs https://review.openstack.org/399938 | 13:22 |
openstackgerrit | Rodrigo Duarte proposed openstack/keystone: Federated authentication via ECP functional tests https://review.openstack.org/324769 | 13:24 |
rodrigods | stevemar, knikolla https://review.openstack.org/#/c/400747/ https://review.openstack.org/#/c/400750/ | 13:26 |
*** lamt has joined #openstack-keystone | 13:28 | |
*** chlong has joined #openstack-keystone | 13:36 | |
*** tqtran has joined #openstack-keystone | 13:36 | |
*** tqtran has quit IRC | 13:41 | |
*** guoshan has joined #openstack-keystone | 13:43 | |
*** guoshan has quit IRC | 13:48 | |
*** deep_1 has joined #openstack-keystone | 14:05 | |
deep_1 | Is it possible to use ldap backend for storing s3 credentials ?? | 14:05 |
*** daemontool has joined #openstack-keystone | 14:13 | |
*** alex_xu has quit IRC | 14:14 | |
*** alex_xu has joined #openstack-keystone | 14:18 | |
*** amoralej|lunch is now known as amoralej | 14:18 | |
breton | deep_1: no | 14:20 |
*** jperry has joined #openstack-keystone | 14:21 | |
stevemar | deep_1: nope | 14:24 |
deep_1 | @breton, @stevemar : So even when keystone is configured with ldap, one will need to create the credential in database | 14:26 |
stevemar | deep_1: yep, only identity (users and groups) can be pulled from ldap | 14:28 |
*** daemontool has quit IRC | 14:28 | |
openstackgerrit | Steve Martinelli proposed openstack/keystone: Improvements in error messages https://review.openstack.org/400715 | 14:33 |
bknudson | deep_1: keystone provides a plugin interface so you can plug in your own backend for credentials. | 14:40 |
*** daemontool has joined #openstack-keystone | 14:41 | |
*** guoshan has joined #openstack-keystone | 14:44 | |
*** guoshan has quit IRC | 14:49 | |
*** jaosorior has quit IRC | 14:49 | |
*** jaosorior has joined #openstack-keystone | 14:50 | |
lbragstad | jamielennox o/ curious if you've seen this - https://review.openstack.org/#/c/396634/3/specs/keystone/ocata/standalone-trusts.rst | 14:50 |
*** jaosorior has quit IRC | 14:51 | |
*** jaosorior has joined #openstack-keystone | 14:51 | |
lbragstad | ayoung too - https://review.openstack.org/#/c/396634 | 14:55 |
openstackgerrit | Steve Martinelli proposed openstack/keystone: clean up developer docs https://review.openstack.org/399781 | 14:59 |
deep_1 | breton: thanks | 15:06 |
deep_1 | stevemar: thanks | 15:06 |
*** agrebennikov has joined #openstack-keystone | 15:14 | |
*** chris_hultin|AWA is now known as chris_hultin | 15:26 | |
*** hoonetorg has joined #openstack-keystone | 15:37 | |
*** chris_hultin is now known as chris_hultin|AWA | 15:42 | |
*** chris_hultin|AWA is now known as chris_hultin | 15:44 | |
*** Alagar has quit IRC | 15:44 | |
*** Alagar has joined #openstack-keystone | 15:45 | |
*** ayoung has quit IRC | 15:45 | |
*** guoshan has joined #openstack-keystone | 15:45 | |
*** daemontool has quit IRC | 15:46 | |
*** jaugustine has joined #openstack-keystone | 15:48 | |
*** guoshan has quit IRC | 15:49 | |
*** edtubill has joined #openstack-keystone | 15:51 | |
*** udesale has joined #openstack-keystone | 15:53 | |
*** jaosorior has quit IRC | 15:55 | |
*** dave-mccowan has quit IRC | 15:55 | |
*** anush has joined #openstack-keystone | 16:01 | |
*** links has quit IRC | 16:04 | |
*** rcernin_ has quit IRC | 16:06 | |
*** deep_1 has quit IRC | 16:10 | |
*** dave-mccowan has joined #openstack-keystone | 16:11 | |
*** ravelar has joined #openstack-keystone | 16:12 | |
*** Guest3787 has quit IRC | 16:16 | |
*** belmoreira has quit IRC | 16:18 | |
*** chrisplo has joined #openstack-keystone | 16:24 | |
*** nk2527 has joined #openstack-keystone | 16:26 | |
*** udesale has quit IRC | 16:26 | |
*** ayoung has joined #openstack-keystone | 16:27 | |
*** ChanServ sets mode: +v ayoung | 16:27 | |
*** Alagar has quit IRC | 16:30 | |
*** Alagar has joined #openstack-keystone | 16:31 | |
knikolla | stevemar: o/ | 16:43 |
*** guoshan has joined #openstack-keystone | 16:46 | |
*** diazjf has joined #openstack-keystone | 16:46 | |
*** mvk has quit IRC | 16:48 | |
*** diazjf has quit IRC | 16:48 | |
knikolla | we'll be offering a cloud computing course at BU next semester, and we're looking for class projects. maybe a feature/spec in keystone that is easy to tackle but still has enough work to keep a team busy for the entire student semester would be a great way to introduce some students to the open source community. thoughts? | 16:48 |
knikolla | the end of the class in the beginning of May aligns pretty well with the boston summit. | 16:49 |
lbragstad | knikolla interesting - we tried that a couple times with various capstone groups at NDSU | 16:50 |
*** guoshan has quit IRC | 16:50 | |
knikolla | lbragstad: how did that go? | 16:51 |
lbragstad | knikolla well - we did several different approaches... my first experience with it was 2012 and I was in the group | 16:52 |
lbragstad | it was myself and 3 other students and we had to deploy openstack cactus and diablo for the computer science department at NDSU | 16:53 |
lbragstad | that was an interesting experience and it was very operator centric | 16:53 |
morgan_ | o/ | 16:53 |
lbragstad | we did hardly any development, except hacking small bits together to get authentication to tie into keystone somehow | 16:54 |
morgan_ | lbragstad: sounds like most development around cactus timeframe | 16:54 |
lbragstad | the next year - i was one of the mentors for the group that took over the deployment we had laid down the year prior | 16:54 |
lbragstad | morgan_ right? | 16:54 |
morgan_ | lbragstad: well... even until grizzly :P | 16:54 |
lbragstad | knikolla we had the group after us build on the usecases we originally established, perform an upgrade, and add a couple new services to the deployment | 16:55 |
lbragstad | knikolla so still very operator centric | 16:55 |
knikolla | lbragstad: i see. i was thinking something development related. | 16:56 |
lbragstad | knikolla the year after that we wanted to try out development, so we had a different group start writing a tool for organizing the meeting structure for openstack | 16:56 |
knikolla | it's the first time we offer the course, and we always had projects be about developing things | 16:56 |
lbragstad | knikolla which ultimately turned into https://github.com/openstack-infra/irc-meetings | 16:56 |
lbragstad | and https://github.com/openstack-infra/yaml2ical | 16:57 |
lbragstad | we wanted to have them do some development... but of the three groups, the operator-oriented projects seemed to go a little smoother for both the mentors and the mentees | 16:58 |
lbragstad | knikolla i think the reason for that was because we were expected under-graduates to be familiar with all the openstack concepts and ready to contribute code by the first two weeks of the semester in order to stay on track with the release | 16:59 |
lbragstad | s/expected/expecting/ | 16:59 |
lbragstad | the operator-focused projects allowed them to see how the different projects interact with each other, understand how to fix things, and experience first hand what needs improvement, etc... | 17:00 |
lbragstad | which was useful because they started to get a pretty good understanding of openstack as they went, versus having them develop something they'd never used before | 17:01 |
*** browne has joined #openstack-keystone | 17:01 | |
knikolla | lbragstad: true. | 17:01 |
lbragstad | knikolla if we had the opportunity to work with the group for two semesters, it would have been easier to get into development | 17:02 |
*** Alagar has quit IRC | 17:02 | |
lbragstad | but at the time, the spring semester fell halfway through the release, and for students unfamiliar with some of the concepts - we didn't want to set them up to fail by giving them a feature to implement by milestone 3 | 17:03 |
*** anush has quit IRC | 17:04 | |
knikolla | lbragstad: the timing would be that pike would open up for development around 1 month after the class starts | 17:04 |
lbragstad | knikolla that would be much better timing than when we tried this | 17:04 |
lbragstad | since the semester would flow naturally in the release instead of awkwardly in the middle of it | 17:05 |
lbragstad | knikolla i'm all *completely* for the idea, just wanted to share the experiences we've had | 17:05 |
knikolla | lbragstad: i know, i understand. i'm carefully optimistic about the scope of asking students to contribute code. | 17:06 |
knikolla | lbragstad: and i love that the summit will be here in boston just as the semester ends. | 17:07 |
knikolla | lbragstad: so that would grant students a ticket to it without requiring travel. | 17:07 |
lbragstad | and obviously - being able to give a group of students a feature or spec depends on their programming experience, etc... | 17:07 |
lbragstad | knikolla right - that's a really nice situation | 17:07 |
stevemar | it also usually means someone handholding for a while | 17:08 |
stevemar | that can eat up day(s) | 17:08 |
lbragstad | yes | 17:08 |
knikolla | stevemar: i'd be the on-site mentor | 17:08 |
knikolla | along with whoever wants to help through hangouts/irc | 17:09 |
knikolla | we can limit the project to students who say they have prior python experience | 17:09 |
knikolla | and most students here do have python experience as that's what we teach some classes with | 17:09 |
lbragstad | knikolla for a development specific course? | 17:10 |
lbragstad | knikolla nice | 17:10 |
stevemar | thats handy | 17:10 |
knikolla | http://okrieg.github.io/EC500/index-spring-2015.html | 17:10 |
knikolla | this is last year's course page with project list | 17:11 |
lbragstad | knikolla so - if you realistically wanted to have them target something for Pike, you'd have to condense all the "how to contribute" information and patterns into 1 month? | 17:11 |
knikolla | lbragstad: correct | 17:11 |
*** tqtran has joined #openstack-keystone | 17:11 | |
lbragstad | as well as have a few specs (or even refactors for that matter) loaded and in the pipe when the semester starts | 17:11 |
openstackgerrit | Gage Hugo proposed openstack/keystone: Add reason to CADF notifications in docs https://review.openstack.org/400882 | 17:12 |
knikolla | lbragstad: one spec for 1 group would be enough. | 17:12 |
lbragstad | knikolla how big would the group be? | 17:12 |
knikolla | lbragstad: 3-5 | 17:13 |
knikolla | lbragstad: with 5-8 hours of work expected per student, during 13 weeks | 17:13 |
lbragstad | knikolla cool - so a pretty small group | 17:13 |
knikolla | around 90 hours per person of dev time | 17:13 |
lbragstad | 5 - 8 hours of work expected per student per week? | 17:13 |
knikolla | lbragstad: yes | 17:13 |
knikolla | 5-8 per week. 90 total per student. | 17:13 |
lbragstad | that's always an interesting metric since it varies widely with experience | 17:14 |
lbragstad | but that's a lot of time! | 17:14 |
openstackgerrit | Gage Hugo proposed openstack/keystone: Add reason to notifications for PCI-DSS https://review.openstack.org/396752 | 17:14 |
lbragstad | knikolla it sounds do-able... depending on the specification or work you're planning on giving them | 17:15 |
lbragstad | the big thing is that you'd have a pretty small group, and the prerequisite language knowledge would be there | 17:15 |
knikolla | lbragstad: there will be no midterms/finals. so the project and reading a few papers is the only thing they'll be doing. | 17:15 |
lbragstad | knikolla and reviews? | 17:15 |
*** tqtran has quit IRC | 17:16 | |
knikolla | lbragstad: they'll be presenting the ongoing work to the class every 2 weeks. so we can also give them review from the keystone side every 2 weeks as they work on it. | 17:16 |
knikolla | this won't be a hide in a corner and work a month project. | 17:16 |
lbragstad | knikolla oh - i specifically meant code reviews | 17:17 |
lbragstad | knikolla do you plan on having them review code weekly, or at all, etc? | 17:17 |
knikolla | lbragstad: them reviewing other code, or us reviewing their code? | 17:17 |
*** asettle has quit IRC | 17:18 | |
lbragstad | well - we're obligated to reviewing their code.. i specifically meant them reviewing other code... | 17:18 |
lbragstad | the whole "in order to have your code reviewed you need to review other's code" | 17:18 |
knikolla | lbragstad: hmm… maybe we can set 1-2 hours a week for them to review code. | 17:19 |
knikolla | that makes sense as part of the open source community | 17:19 |
lbragstad | knikolla just thinking about the visibility it provides | 17:19 |
lbragstad | and teaching the review process can be as intense or detailed as you want it to be | 17:20 |
lbragstad | but solid reviews from new contributors are a great way to ensure they get noticed | 17:20 |
lbragstad | knikolla i also think about what things would be like for me today if i started contributing to open-source soon in my academic career ;) | 17:21 |
lbragstad | knikolla http://lbragstad.com/why-you-should-contribute-to-open-source-in-college/ | 17:21 |
knikolla | lbragstad: i was actually one of the students in the course last year. that's why i'm here now. | 17:22 |
lbragstad | knikolla nice! we share quite a bit in common then | 17:23 |
knikolla | lbragstad: nice :) | 17:25 |
*** josecastroleon has quit IRC | 17:28 | |
lbragstad | knikolla so - since you were in those shoes a year ago and given your python experience at the time, what would have been a *reasonable* task for you and your group? | 17:29 |
lbragstad | within keystone or openstack? | 17:30 |
*** tqtran has joined #openstack-keystone | 17:30 | |
knikolla | lbragstad: i'm not sure. my project was mostly from an openstack api user perspective. basically make an hpc application use openstack for scheduling. so the code changes were mostly done to the application hosted on top of openstack. | 17:31 |
lbragstad | knikolla aha - sure | 17:31 |
lbragstad | that makes sense | 17:31 |
knikolla | lbragstad: though form my experience as an openstack newbie contributor. keystone isn't too hard to get up to speed with, compared to nova/etc. | 17:32 |
knikolla | from* | 17:32 |
lbragstad | knikolla yeah - this is true | 17:32 |
lbragstad | knikolla when i was a student and we deployed openstack, that was where we all really started to understand the scale of each project | 17:33 |
*** spilla has joined #openstack-keystone | 17:33 | |
*** sirushti has joined #openstack-keystone | 17:35 | |
knikolla | lbragstad: same. that was my first job as an intern though. | 17:38 |
*** Alagar has joined #openstack-keystone | 17:39 | |
knikolla | went from user to deployer when the class ended. | 17:39 |
lbragstad | knikolla interesting - sounds like fun (and familiar!) | 17:40 |
*** mvk has joined #openstack-keystone | 17:41 | |
*** guoshan has joined #openstack-keystone | 17:46 | |
*** anush has joined #openstack-keystone | 17:49 | |
*** guoshan has quit IRC | 17:51 | |
stevemar | do i go for lunch during the keystone meeting? :) | 17:54 |
*** raildo has quit IRC | 17:57 | |
stevemar | hoping someone else runs the show! | 17:58 |
SamYaple | stevemar: ill take care of it | 17:58 |
stevemar | SamYaple: :) | 17:58 |
* stevemar pokes lbragstad | 17:59 | |
*** raildo has joined #openstack-keystone | 17:59 | |
*** chrisplo has quit IRC | 18:00 | |
*** chrisplo has joined #openstack-keystone | 18:00 | |
SamYaple | nah its cool stevemar. ive got this. we might end up reverting all this domain/project nonsense though. also PKI tokens 4 life. | 18:03 |
SamYaple | small price to pay for lunch IMO | 18:03 |
*** henry_ has joined #openstack-keystone | 18:05 | |
*** hyakuhei has quit IRC | 18:08 | |
*** henry_ has quit IRC | 18:09 | |
*** Alagar has quit IRC | 18:11 | |
*** Alagar has joined #openstack-keystone | 18:14 | |
*** hyakuhei has joined #openstack-keystone | 18:15 | |
*** henrynash has joined #openstack-keystone | 18:17 | |
*** ChanServ sets mode: +v henrynash | 18:17 | |
*** anush has quit IRC | 18:27 | |
*** hyakuhei has quit IRC | 18:28 | |
*** hyakuhei has joined #openstack-keystone | 18:28 | |
*** hyakuhei has quit IRC | 18:28 | |
*** hyakuhei has joined #openstack-keystone | 18:28 | |
*** henrynash has quit IRC | 18:31 | |
*** asettle has joined #openstack-keystone | 18:32 | |
*** henrynash has joined #openstack-keystone | 18:34 | |
*** ChanServ sets mode: +v henrynash | 18:35 | |
*** Alagar has quit IRC | 18:46 | |
*** guoshan has joined #openstack-keystone | 18:47 | |
*** Alagar has joined #openstack-keystone | 18:49 | |
*** anush has joined #openstack-keystone | 18:49 | |
*** guoshan has quit IRC | 18:52 | |
*** henrynash has quit IRC | 18:55 | |
*** asettle has quit IRC | 18:57 | |
*** asettle has joined #openstack-keystone | 18:58 | |
*** henrynash has joined #openstack-keystone | 19:00 | |
*** ChanServ sets mode: +v henrynash | 19:00 | |
*** asettle has quit IRC | 19:02 | |
*** henrynash has quit IRC | 19:06 | |
ayoung | dstanek, GAH, you know that thing in Python where if you add a comma on the end of a dictionary definition you get a tuple? Man I can't stand that | 19:08 |
*** Alagar has quit IRC | 19:22 | |
lbragstad | ayoung still around? | 19:35 |
ayoung | lbragstad, yep | 19:35 |
lbragstad | ayoung so step 1 from the meeting discussion was to break the URL pattern into its own spec | 19:36 |
lbragstad | right? | 19:36 |
ayoung | lbragstad, yes | 19:36 |
ayoung | the management API and the middleware enforcement | 19:36 |
ayoung | those can be one or two specs | 19:37 |
ayoung | and then the enforcement via token validation is a separate spec as well | 19:37 |
lbragstad | middleware enforcement was the second step - right? | 19:37 |
ayoung | yes | 19:37 |
lbragstad | ok | 19:37 |
lbragstad | ayoung i'm probably going to mix implementation and design/spec questions together here | 19:37 |
ayoung | fire away | 19:38 |
lbragstad | but keystone would consider a URL pattern an entity that it owns, just like a user or a project, right? | 19:38 |
ayoung | lbragstad, yes | 19:38 |
ayoung | lbragstad, I'm adding it to the role backend | 19:38 |
lbragstad | ayoung would that just live here - https://github.com/openstack/keystone/tree/613c048b6f4bda91de1c0e9618abd0bda78ccc50/keystone/policy ? | 19:38 |
lbragstad | oh | 19:38 |
ayoung | leaving the policy backend alone | 19:38 |
lbragstad | so where and how do URL patterns fit into the role backend? | 19:39 |
ayoung | they have a one to many relationship with (non-domain-specific) roles | 19:39 |
ayoung | maybe I have that backwards | 19:40 |
ayoung | each URL pattern has exactly one role | 19:40 |
ayoung | one role has multiple url patterns | 19:40 |
lbragstad | ayoung well | 19:40 |
lbragstad | is it not many-to-many? | 19:40 |
lbragstad | GET /servers/ for example can be done as member and admin for example | 19:41 |
ayoung | lbragstad, https://paste.fedoraproject.org/488619/98436681/ | 19:41 |
dstanek | ayoung: not a dict - x = 3, is equal to x = (3, ) | 19:41 |
ayoung | lbragstad, we will use implied roles for that | 19:41 |
ayoung | you only ever specify the lowest role for an url pattern | 19:41 |
lbragstad | ayoung so this is built entirely on implied roles | 19:41 |
ayoung | so admin implies member, you say an url pattern matches member | 19:42 |
ayoung | lbragstad, yes | 19:42 |
ayoung | that was why I needed implied roles first | 19:42 |
ayoung | to be able to do stuff like this | 19:42 |
ayoung | you could do it without implied roles, but then you lose the delegatability | 19:42 |
ayoung | well, the ability to delegate only the operation, and not all operations that a role allows | 19:42 |
lbragstad | ayoung how so? | 19:43 |
ayoung | ok... | 19:43 |
ayoung | so let's say you want to be able to delegate just ... image fetch | 19:43 |
ayoung | if you said that member or admin were allowed roles for that URL, then you have to give someone a token (via trust or oauth say) that has either one of those roles | 19:44 |
ayoung | but say you do admin implies member, and member implies 'image-get' | 19:44 |
ayoung | you now specify that the image-get operation requires the image-get role. And anyone with the member role has that by implication | 19:45 |
lbragstad | but - member isn't solely used for image-get, right? | 19:45 |
lbragstad | member can also GET /servers/ | 19:45 |
ayoung | and, if a user then wants to delegate only image-get, they can create a trust with only the image-get role, and since they have that via implication, it works | 19:45 |
ayoung | lbragstad, right. So if you need to delegate all of the member operations, you can do so | 19:45 |
ayoung | or any subset of them | 19:45 |
ayoung | now, let's say you tried to do this without implied roles | 19:46 |
ayoung | you create a new role called image-get | 19:46 |
*** amoralej is now known as amoralej|off | 19:46 | |
ayoung | but none of your members have that role, so you have to explicitly assign it to them | 19:46 |
ayoung | Or they can't delegate just that operation | 19:46 |
ayoung | Capisce? | 19:46 |
lbragstad | ok - so to achieve the same outcome you'd need a bunch more role assignments | 19:47 |
*** guoshan has joined #openstack-keystone | 19:48 | |
ayoung | lbragstad, and then they would have to be done manually | 19:50 |
lbragstad | so - the relationship between url patterns and roles is one to many? One url pattern to many roles (through implied roles) | 19:50 |
ayoung | lbragstad, this gives the deployer a lot more ability to tweak. It also allows Horizon to answer the question: based on this role, what operations can I perform | 19:50 |
ayoung | lbragstad, yes, through the chaining, it will be multiple effective roles, only one that is explicitly linked to the url Pattern | 19:51 |
ayoung | and, the thing that is somewhat counterintuitive is that the chaining is backwards from the current Role API. | 19:52 |
ayoung | role API links from admin->member->getimage | 19:52 |
ayoung | this works from getimage which is implied by member which is implied by admin | 19:52 |
*** guoshan has quit IRC | 19:52 | |
lbragstad | a url pattern can only imply a single role, but a role can be implied by multiple url patterns | 19:54 |
*** chlong has quit IRC | 19:55 | |
*** odyssey4me has quit IRC | 19:56 | |
ayoung | Ugh... the word implied is a little backwards there... | 20:01 |
*** chlong has joined #openstack-keystone | 20:01 | |
lbragstad | a better statement would be, a url pattern can only have *one* role, a role can be used by multiple url patterns | 20:01 |
ayoung | access to an url can only be directly assigned by a single role but a role may imply multiple URL patterns | 20:01 |
ayoung | so, what is implied is the role-assignment | 20:01 |
ayoung | one role can imply another, and one role can imply access to multiple URL patterns | 20:02 |
*** odyssey4me has joined #openstack-keystone | 20:02 | |
ayoung | I was originally going to subclass Role for the URL patterns, but the naming is horrible | 20:02 |
ayoung | I also might consider renaming url_pattern to operation | 20:02 |
ayoung | an operation is an url-pattern + Verb | 20:03 |
ayoung | GET /v3/users for Keystone | 20:03 |
lbragstad | sure - that makes sense | 20:03 |
ayoung | lbragstad, this is not a 100% solution for many things. URL parameters are one thing I am punting on for now | 20:07 |
ayoung | as is anything inside the request body | 20:07 |
ayoung | lets see if this makes an impact before driving on with anything more invasive | 20:07 |
lbragstad | ayoung ok - so how would keystonemiddleware use this resource in comparison to they it does already? | 20:09 |
*** dave-mccowan has quit IRC | 20:10 | |
lbragstad | comparison to what it does already?* | 20:10 |
openstackgerrit | Merged openstack/keystone: Remove trailing "d" from -days param of OpenSSL command https://review.openstack.org/400433 | 20:10 |
openstackgerrit | Merged openstack/keystone: Normalizes use of ForbiddenAction in trusts https://review.openstack.org/400387 | 20:11 |
*** catinthe_ has joined #openstack-keystone | 20:11 | |
*** catintheroof has quit IRC | 20:13 | |
*** catintheroof has joined #openstack-keystone | 20:16 | |
*** catinthe_ has quit IRC | 20:20 | |
*** akrzos has quit IRC | 20:20 | |
*** agrebennikov has quit IRC | 20:24 | |
*** adriant has joined #openstack-keystone | 20:26 | |
*** raildo has left #openstack-keystone | 20:39 | |
*** raildo has quit IRC | 20:39 | |
openstackgerrit | Merged openstack/keystone: Fix doc example https://review.openstack.org/400333 | 20:48 |
*** guoshan has joined #openstack-keystone | 20:49 | |
SamYaple | ayoung: that comma this is a thing for lists and strings and other things as well | 20:52 |
*** guoshan has quit IRC | 20:53 | |
openstackgerrit | Merged openstack/keystone: move content from configuringservices to configuration https://review.openstack.org/399787 | 20:53 |
*** ayoung has quit IRC | 20:55 | |
*** nk2527 has quit IRC | 20:56 | |
*** ayoung has joined #openstack-keystone | 20:56 | |
*** ChanServ sets mode: +v ayoung | 20:56 | |
*** ayoung has quit IRC | 21:01 | |
-openstackstatus- NOTICE: Gerrit is offline until 21:30 UTC for scheduled maintenance: http://lists.openstack.org/pipermail/openstack-dev/2016-November/107379.html | 21:09 | |
*** ChanServ changes topic to "Gerrit is offline until 21:30 UTC for scheduled maintenance: http://lists.openstack.org/pipermail/openstack-dev/2016-November/107379.html" | 21:09 | |
*** phalmos has joined #openstack-keystone | 21:13 | |
*** phalmos has quit IRC | 21:17 | |
*** agrebennikov has joined #openstack-keystone | 21:20 | |
*** jpich has quit IRC | 21:23 | |
*** phalmos has joined #openstack-keystone | 21:25 | |
*** diazjf has joined #openstack-keystone | 21:38 | |
*** ChanServ changes topic to "Meeting Agenda: https://etherpad.openstack.org/p/keystone-weekly-meeting | Ocata goals: https://docs.google.com/spreadsheets/d/156q820cXcEc8Y9YWQgoc_hyOm3AZ2jtMQM3zdDhwGFU/edit?usp=sharing" | 21:40 | |
*** ayoung has joined #openstack-keystone | 21:46 | |
*** ChanServ sets mode: +v ayoung | 21:46 | |
*** guoshan has joined #openstack-keystone | 21:49 | |
*** chris_hultin is now known as chris_hultin|AWA | 21:52 | |
*** guoshan has quit IRC | 21:54 | |
*** edtubill has quit IRC | 22:02 | |
*** asettle has joined #openstack-keystone | 22:03 | |
lbragstad | jamielennox curious to see what your take on https://bugs.launchpad.net/keystonemiddleware/+bug/1643422 would be | 22:05 |
openstack | Launchpad bug 1643422 in keystonemiddleware "auth_token sems to ignore settings for auth_url and use catalog endpoint for keystone" [Undecided,New] | 22:05 |
*** masuberu has joined #openstack-keystone | 22:05 | |
*** edtubill has joined #openstack-keystone | 22:06 | |
*** asettle has quit IRC | 22:08 | |
*** masber has quit IRC | 22:08 | |
*** edtubill has quit IRC | 22:10 | |
jamielennox | lbragstad: works as expected? | 22:12 |
jamielennox | you auth to a url and then you use the catalog | 22:12 |
*** jaugustine has quit IRC | 22:12 | |
lbragstad | ah | 22:12 |
lbragstad | but it is keystoneauth making that decision, and not middleware, right? | 22:13 |
jamielennox | i'm really wondering what is going on if they can't access the url in the catalog | 22:13 |
jamielennox | yea | 22:13 |
lbragstad | jamielennox it's almost like the services are all deployed on a single node (or controller services anyway) and therefore are expected to be able to use localhost | 22:14 |
lbragstad | instead of the vip in the catalog | 22:14 |
jamielennox | yea but Failed to contact the endpoint at https://keystone.example.org:35357/v2.0/ for discovery | 22:14 |
jamielennox | and 127.0.0.1 is what they want, so something is screwy | 22:15 |
*** nicolasbock has quit IRC | 22:18 | |
openstackgerrit | Gage Hugo proposed openstack/keystone: Add reason to notifications for PCI-DSS https://review.openstack.org/396752 | 22:18 |
*** lamt has quit IRC | 22:20 | |
*** anush has quit IRC | 22:21 | |
*** spilla has quit IRC | 22:22 | |
*** phalmos has quit IRC | 22:22 | |
*** diazjf has quit IRC | 22:26 | |
lbragstad | jamielennox is that a typical setup? | 22:28 |
lbragstad | jamielennox I wouldn't assume so, but... | 22:28 |
*** jperry has quit IRC | 22:34 | |
jamielennox | no, i'm guessing this is something they were doing in a test environment and has changed | 22:40 |
*** anush has joined #openstack-keystone | 22:44 | |
openstackgerrit | Merged openstack/keystone: Move docs from key_terms to architecture https://review.openstack.org/399760 | 22:49 |
openstackgerrit | Merged openstack/keystone: Remove extension and auth_token middleware docs https://review.openstack.org/399767 | 22:49 |
*** guoshan has joined #openstack-keystone | 22:50 | |
*** chlong has quit IRC | 22:52 | |
*** guoshan has quit IRC | 22:55 | |
*** bknudson has left #openstack-keystone | 22:55 | |
*** diazjf has joined #openstack-keystone | 23:03 | |
*** akrzos has joined #openstack-keystone | 23:16 | |
*** jamielennox is now known as jamielennox|away | 23:24 | |
*** jamielennox|away is now known as jamielennox | 23:24 | |
*** asettle has joined #openstack-keystone | 23:27 | |
*** asettle has quit IRC | 23:30 | |
*** diazjf has quit IRC | 23:30 | |
*** asettle has joined #openstack-keystone | 23:31 | |
*** asettle has quit IRC | 23:35 | |
*** browne has quit IRC | 23:36 | |
*** asettle has joined #openstack-keystone | 23:39 | |
morgan_ | is stevemar out today? | 23:40 |
morgan_ | i need to bug him about a bug. | 23:40 |
*** asettle has quit IRC | 23:42 | |
*** catintheroof has quit IRC | 23:46 | |
*** jperry has joined #openstack-keystone | 23:46 | |
*** catintheroof has joined #openstack-keystone | 23:47 | |
*** guoshan has joined #openstack-keystone | 23:51 | |
*** catintheroof has quit IRC | 23:51 | |
*** guoshan has quit IRC | 23:55 |