Tuesday, 2016-12-20

Zer0Byte__	and question stevemar is possible send a os_user_domain_id and os_user_domain_name	00:00
stevemar	Zer0Byte__: no, one or the other	00:01
Zer0Byte__	cool	00:01
Zer0Byte__	thanks	00:01
Zer0Byte__	another question stevemar	00:04
Zer0Byte__	i can use user_domain_id and project_domain_id	00:04
Zer0Byte__	or is the same?	00:04
Zer0Byte__	sorry i can mix both on keystone?	00:05
*** chris_hultin is now known as chris_hultin\|AWA		00:07
*** ravelar has quit IRC		00:09
ayoung	breton, nope.	00:17
ayoung	breton, pulling up the archives now	00:18
*** Zer0Byte__ has quit IRC		00:19
ayoung	breton, and....wonderful short sightedness on the crypto folks part.	00:19
*** tqtran has quit IRC		00:24
*** guoshan has joined #openstack-keystone		00:27
*** catintheroof has quit IRC		00:29
*** lamt has joined #openstack-keystone		00:54
*** hoangcx has joined #openstack-keystone		00:58
*** chlong has quit IRC		00:59
*** guoshan has quit IRC		01:05
openstackgerrit	Ron De Rose proposed openstack/keystone: WIP - Add domain_id to the user table https://review.openstack.org/409874	01:08
*** edmondsw has joined #openstack-keystone		01:13
*** edmondsw has quit IRC		01:18
*** zhangjl has joined #openstack-keystone		01:22
*** adrian_otto has joined #openstack-keystone		01:23
*** liujiong has joined #openstack-keystone		01:25
openstackgerrit	Samuel de Medeiros Queiroz proposed openstack/keystone: Delete Python optimized bytecode before test runs https://review.openstack.org/371335	01:26
*** guoshan has joined #openstack-keystone		01:26
openstackgerrit	Gage Hugo proposed openstack/keystone: Add reason to notifications for PCI-DSS https://review.openstack.org/396752	01:39
*** adrian_otto has quit IRC		01:46
*** browne has quit IRC		01:59
*** adrian_otto has joined #openstack-keystone		02:09
*** liujiong_66 has joined #openstack-keystone		02:16
*** liujiong has quit IRC		02:16
*** agrebennikov has joined #openstack-keystone		02:17
*** liujiong_66 is now known as liujiong		02:17
*** trananhkma has joined #openstack-keystone		02:22
*** adrian_otto has quit IRC		02:29
*** davechen has joined #openstack-keystone		02:38
*** browne has joined #openstack-keystone		02:39
*** adrian_otto has joined #openstack-keystone		02:44
*** adrian_otto has quit IRC		02:53
*** liyuenan has joined #openstack-keystone		02:55
*** browne has quit IRC		02:59
*** liyuenan has quit IRC		03:01
*** jamielennox is now known as jamielennox\|away		03:08
*** chrisplo_ has joined #openstack-keystone		03:10
*** jamielennox\|away is now known as jamielennox		03:22
*** chrisplo_ has quit IRC		03:23
*** agrebennikov has quit IRC		03:25
*** liyuenan has joined #openstack-keystone		03:27
liyuenan	hi team! I have a problem about keystone. When I initialize Fernet key repositories, I run "keystone-manage credential_setup --keystone-user keystone --keystone-group keystone"	03:29
liyuenan	but there is a error. It seems that keystone-manage doesn't have credential_setup	03:30
*** udesale has joined #openstack-keystone		03:30
openstackgerrit	Tony Breeds proposed openstack/oslo.policy: Add Constraints support https://review.openstack.org/410024	03:34
openstackgerrit	Tony Breeds proposed openstack/pycadf: Add Constraints support https://review.openstack.org/410036	03:35
stevemar	liyuenan: the "credential_setup" was only added in newton i believe	03:36
tonyb	stevemar: thanks again for the quick reviews	03:39
stevemar	tonyb: diff ps1:ps3 = added "	03:40
stevemar	and the tab fix :)	03:40
stevemar	err, indent	03:40
stevemar	i just think it's funy you had to redo for all the patches out there lol	03:40
*** liyuenan has quit IRC		03:43
*** chrisplo_ has joined #openstack-keystone		04:03
*** namnh has joined #openstack-keystone		04:05
*** chrisplo_ has quit IRC		04:15
*** liyuenan has joined #openstack-keystone		04:26
*** liyuenan has quit IRC		04:30
*** trananhkma has quit IRC		04:39
*** liyuenan has joined #openstack-keystone		04:41
openstackgerrit	Steve Martinelli proposed openstack/keystone: Change DevStack plugin to setup multi-Keystone https://review.openstack.org/399472	04:43
*** liyuenan has quit IRC		04:45
*** guoshan has quit IRC		04:46
*** r1chardj0n3s is now known as r1chardj0n3s_afk		04:46
*** links has joined #openstack-keystone		04:52
tonyb	stevemar: Yeah real funny ;P	05:04
stevemar	tonyb: well, maybe not for you :)	05:04
tonyb	stevemar: still I wrote a bunch of one off (at least I hoep they're one off) tools to help with it	05:04
tonyb	stevemar: I hummed and harred about leavign them alone as they had some +2's but if the aim is to make them all the same and they're open I decided to just to it	05:05
stevemar	tonyb: the linter gods will happy with you	05:06
tonyb	:)	05:06
stevemar	will be*	05:06
tonyb	stevemar: also once they land I'll be ATC in $all_the_projects :)	05:06
*** adrian_otto has joined #openstack-keystone		05:07
openstackgerrit	Ron De Rose proposed openstack/keystone: WIP - Add domain_id to the user table https://review.openstack.org/409874	05:07
stevemar	tonyb: your grand plan is finally revealed	05:13
tonyb	:)	05:13
*** Zer0Byte__ has joined #openstack-keystone		05:26
*** adrian_otto has quit IRC		05:28
*** adrian_otto has joined #openstack-keystone		05:39
*** guoshan has joined #openstack-keystone		05:46
*** adrian_otto has quit IRC		05:47
*** guoshan has quit IRC		05:51
*** adriant has quit IRC		05:53
*** jaosorior has joined #openstack-keystone		05:57
*** phalmos has joined #openstack-keystone		06:08
*** shuquan_ has joined #openstack-keystone		06:12
*** phalmos has quit IRC		06:14
*** guoshan has joined #openstack-keystone		06:15
*** jaosorior has quit IRC		06:41
*** jaosorior has joined #openstack-keystone		06:42
*** rcernin has quit IRC		06:59
*** tobberydberg has joined #openstack-keystone		07:01
*** shuquan_ has quit IRC		07:08
*** rcernin has joined #openstack-keystone		07:10
*** tesseract has joined #openstack-keystone		07:11
*** tesseract is now known as Guest14972		07:11
*** rcernin has quit IRC		07:26
*** jamielennox is now known as jamielennox\|away		07:28
*** rcernin has joined #openstack-keystone		07:42
*** Zer0Byte__ has quit IRC		07:43
openstackgerrit	yunfeng zhou proposed openstack/keystone-specs: add CONTRIBUTING.rst https://review.openstack.org/412861	08:15
*** pcaruana has joined #openstack-keystone		08:19
*** shoutm has joined #openstack-keystone		08:22
*** liyuenan has joined #openstack-keystone		08:23
*** amoralej\|off is now known as amoralej		08:35
*** rcernin has quit IRC		08:36
*** shoutm has quit IRC		08:38
*** jaosorior has quit IRC		08:41
*** jaosorior has joined #openstack-keystone		08:43
*** rcernin has joined #openstack-keystone		08:58
*** zzzeek has quit IRC		09:00
*** zzzeek has joined #openstack-keystone		09:00
*** ktychkova_ has joined #openstack-keystone		09:46
*** ktychkova has quit IRC		09:47
*** ktychkova_ has quit IRC		10:02
*** ktychkova has joined #openstack-keystone		10:02
*** namnh has quit IRC		10:03
openstackgerrit	yunfeng zhou proposed openstack/keystone-specs: add CONTRIBUTING.rst https://review.openstack.org/412861	10:04
*** GB21 has joined #openstack-keystone		10:11
*** hoangcx has quit IRC		10:22
*** guoshan has quit IRC		10:24
*** liujiong has quit IRC		10:24
*** GB21 has quit IRC		10:40
*** zhangjl has quit IRC		10:40
breton	ayoung: what do you think, should we work on a new project, try to convince crypto folks or do it in keystone?	10:41
openstackgerrit	Julia Varlamova proposed openstack/keystone: Change DevStack plugin to setup multi-Keystone https://review.openstack.org/399472	10:44
*** mvk has quit IRC		10:53
*** asettle has quit IRC		10:53
*** udesale has quit IRC		10:58
*** asettle has joined #openstack-keystone		10:58
*** GB21 has joined #openstack-keystone		11:07
*** amac has quit IRC		11:17
*** adriant has joined #openstack-keystone		11:23
*** guoshan has joined #openstack-keystone		11:25
*** mvk has joined #openstack-keystone		11:26
*** thiagolib has joined #openstack-keystone		11:28
*** guoshan has quit IRC		11:29
samueldmq	morning keystone	11:37
stevemar	samueldmq: morning sir	11:55
stevemar	breton: sounds like the fernet backend stuff may not make it in O?	11:55
samueldmq	stevemar: o/	11:57
*** adriant has quit IRC		12:01
*** nicolasbock has joined #openstack-keystone		12:06
*** iurygregory has joined #openstack-keystone		12:08
*** GB21 has quit IRC		12:09
breton	stevemar: yes. But it depends on what we decide with ayoung. If we do it outside of keystone, it won't make it. If in keystone, the code is there and i will just rebase it.	12:10
stevemar	breton: ack	12:13
openstackgerrit	Rodrigo Duarte proposed openstack/keystone: Federated authentication via ECP functional tests https://review.openstack.org/324769	12:18
openstackgerrit	Rodrigo Duarte proposed openstack/keystone: Settings for test cases https://review.openstack.org/410205	12:18
*** guoshan has joined #openstack-keystone		12:26
*** GB21 has joined #openstack-keystone		12:27
*** guoshan has quit IRC		12:30
*** catintheroof has joined #openstack-keystone		12:37
*** edmondsw has joined #openstack-keystone		12:38
*** GB21 has quit IRC		12:38
*** GB21 has joined #openstack-keystone		12:50
*** chlong has joined #openstack-keystone		12:53
*** asettle has quit IRC		12:59
*** pcaruana has quit IRC		13:01
samueldmq	stevemar: lbragstad: should https://review.openstack.org/#/c/389364 have closed https://bugs.launchpad.net/keystone/+bug/1634568 ?	13:06
openstack	Launchpad bug 1634568 in OpenStack Identity (keystone) "[api] Inconsistency between v3 API and keystone token timestamps" [Low,New]	13:06
*** pcaruana has joined #openstack-keystone		13:06
*** dave-mccowan has joined #openstack-keystone		13:07
openstackgerrit	Merged openstack/keystone-specs: add CONTRIBUTING.rst https://review.openstack.org/412861	13:13
stevemar	samueldmq: nope, see Brant's last comment	13:13
samueldmq	stevemar: docs	13:13
*** lamt has quit IRC		13:14
*** pooja_j has quit IRC		13:16
stevemar	samueldmq: well specifically the api-ref docs	13:16
samueldmq	stevemar: gotcha	13:17
openstackgerrit	Julia Varlamova proposed openstack/keystone: Change DevStack plugin to setup multi-Keystone https://review.openstack.org/399472	13:21
*** guoshan has joined #openstack-keystone		13:26
*** pooja_j has joined #openstack-keystone		13:28
ayoung	breton, so we went crazy down this path before. https://github.com/openstack/kite	13:28
ayoung	that was for the distribution, not storage of keys, but the twain are entwined	13:29
samueldmq	stevemar: regarding bug 1634568	13:30
openstack	bug 1634568 in OpenStack Identity (keystone) "[api] Inconsistency between v3 API and keystone token timestamps" [Low,New] https://launchpad.net/bugs/1634568	13:30
*** nishaYadav has joined #openstack-keystone		13:31
samueldmq	stevemar: if it's only a matter of docs update, timestamps are not being returned with Z anymore?	13:31
*** guoshan has quit IRC		13:31
samueldmq	stevemar: but with +-hh:mm instead? (to be in conformance with CCYY-MM-DDThh:mm:ss±hh:mm)	13:31
nishaYadav	hey, samueldmq stevemar	13:31
samueldmq	nishaYadav: hi, how are you ?	13:32
stevemar	nishaYadav: o/	13:32
nishaYadav	samueldmq, thanks I am good	13:33
stevemar	samueldmq: gotta update https://github.com/openstack/keystone/blob/master/api-ref/source/v3/samples/admin/auth-token-scoped-response.json#L12 and https://github.com/openstack/keystone/blob/master/api-ref/source/v3/samples/admin/auth-token-scoped-response.json#L401 for that bug	13:34
stevemar	and https://github.com/openstack/keystone/blob/b4aa883bcbb259f54225bb69f8105026f6fade3c/api-ref/source/v3/parameters.yaml#L1088	13:35
stevemar	https://github.com/openstack/keystone/blob/9c2a48829d49eb1f59bada735c15280138470b96/api-ref/source/v2/parameters.yaml#L97	13:35
samueldmq	stevemar: I got it, but about the update	13:35
samueldmq	stevemar: is it, for example, replace 2015-11-05T22:00:11.000000Z with 2015-11-05T22:00:11+0000	13:36
samueldmq	?	13:36
ayoung	breton, I'm going to back off and let you go ahead with it. It belongs in python-cryptography, but we don't have time for the fight	13:37
stevemar	samueldmq: i think so, you can make a token create call for v2 and v3 and see what it comes back with	13:37
stevemar	samueldmq: check the expires_at and issued_at times	13:37
samueldmq	stevemar: kk thanks	13:38
stevemar	ayoung & breton thanks for working out a compromise	13:40
*** amoralej is now known as amoralej\|lunch		13:43
*** amac has joined #openstack-keystone		13:45
*** GB21 has quit IRC		13:59
breton	ayoung: thank you. I am going to talk to Barbican folks about it at the ptg, maybe we come up with something.	13:59
*** GB21 has joined #openstack-keystone		14:00
*** catinthe_ has joined #openstack-keystone		14:06
*** catintheroof has quit IRC		14:08
*** lamt has joined #openstack-keystone		14:12
*** chlong has quit IRC		14:16
*** pcaruana has quit IRC		14:23
*** guoshan has joined #openstack-keystone		14:27
*** nishaYadav has quit IRC		14:30
*** nishaYadav has joined #openstack-keystone		14:31
*** guoshan has quit IRC		14:31
*** links has quit IRC		14:32
*** pcaruana has joined #openstack-keystone		14:37
*** clayton has quit IRC		14:38
rderose	lbragstad: around?	14:39
lbragstad	rderose yep!	14:40
*** clayton has joined #openstack-keystone		14:40
rderose	lbragstad: how do I run a patch through the performance bot?	14:40
rderose	lbragstad: also, need to run it while a config option is set	14:41
lbragstad	rderose leave a comment in the review with 'check performance'	14:41
lbragstad	ah	14:41
lbragstad	the performance bot currently uses osa to set all configuration options	14:41
rderose	sorry, what's osa?	14:42
lbragstad	rderose openstack-ansible	14:42
rderose	lbragstad: oh great ;)	14:42
lbragstad	rderose it's the thing that the OSIC performance bot uses to deploy and setup keystone	14:42
lbragstad	before running any of the performance test	14:42
lbragstad	tests*	14:42
lbragstad	https://github.com/openstack/openstack-ansible-os_keystone	14:42
rderose	lbragstad: if I set the default config option in the patch, it should be set during performance bot testing, right?	14:46
lbragstad	rderose correct - it should	14:46
rderose	cool	14:46
rderose	lbragstad: thx	14:46
lbragstad	rderose unless openstack-ansible overrides it	14:46
lbragstad	rderose which patch?	14:46
rderose	lbragstad: https://review.openstack.org/#/c/403916/	14:47
lbragstad	rderose i assume you want to test performance when setting change_password_required_after_reset to True?	14:48
rderose	lbragstad: yes	14:48
*** Guest67717 is now known as med_		14:48
*** med_ has quit IRC		14:48
*** med_ has joined #openstack-keystone		14:48
*** jaosorior has quit IRC		14:48
lbragstad	rderose yeah - that should work if you do it in the patch because I don't think openstack-ansible will know about it yet, so they can't override the value	14:49
*** GB21 has quit IRC		14:49
rderose	lbragstad: okay, I'll create a dummy patch with it set	14:49
lbragstad	rderose awesome	14:49
openstackgerrit	Ron De Rose proposed openstack/keystone: WIP - PCI-DSS 8.2.6 Performance test https://review.openstack.org/413126	14:51
openstackgerrit	Merged openstack/keystone: Settings for test cases https://review.openstack.org/410205	14:53
*** udesale has joined #openstack-keystone		15:00
openstackgerrit	Rodrigo Duarte proposed openstack/keystone: Federated authentication via ECP functional tests https://review.openstack.org/324769	15:02
*** amoralej\|lunch is now known as amoralej		15:02
openstackgerrit	Ron De Rose proposed openstack/keystone: WIP - Add domain_id to the user table https://review.openstack.org/409874	15:04
openstackgerrit	Steve Martinelli proposed openstack/keystone: test perf for last auth write https://review.openstack.org/413128	15:04
*** raildo has joined #openstack-keystone		15:09
lbragstad	whew - performance bot's getting a workout today1	15:10
rderose	lbragstad: ++	15:11
*** jaugustine has joined #openstack-keystone		15:17
openstackgerrit	Ron De Rose proposed openstack/keystone: Require domain_id when registering Identity Providers https://review.openstack.org/399684	15:20
*** ravelar has joined #openstack-keystone		15:22
*** tobberyd_ has joined #openstack-keystone		15:28
*** guoshan has joined #openstack-keystone		15:28
openstackgerrit	Ron De Rose proposed openstack/keystone: Require domain_id when registering Identity Providers https://review.openstack.org/399684	15:28
lbragstad	rderose stevemar having a bit of a hiccup with the performance bot, running tests manually now	15:30
*** ayoung has quit IRC		15:30
lbragstad	rderose stevemar i should have it squared away shortly	15:30
*** ayoung has joined #openstack-keystone		15:30
*** ChanServ sets mode: +v ayoung		15:30
*** tobberydberg has quit IRC		15:31
*** tobberyd_ has quit IRC		15:32
*** guoshan has quit IRC		15:32
*** nklenke has joined #openstack-keystone		15:33
*** ayoung has quit IRC		15:34
*** ayoung has joined #openstack-keystone		15:34
*** ChanServ sets mode: +v ayoung		15:34
openstackgerrit	Steve Martinelli proposed openstack/keystone: [doc] point release note docs to project team guide https://review.openstack.org/413142	15:36
stevemar	hmm, where in the world is henrynash at :)	15:37
stevemar	ayoung: btw, i proposed https://review.openstack.org/#/c/412236/ over the weekend	15:39
ayoung	stevemar, thanks	15:39
stevemar	ayoung: it should be backwards compatible	15:39
ayoung	stevemar, It was the Green M&M	15:40
rderose	lbragstad: cool	15:40
* stevemar is confused		15:40
ayoung	sorry, Brown M&M	15:43
ayoung	http://www.snopes.com/music/artists/vanhalen.asp	15:43
*** chris_hultin\|AWA is now known as chris_hultin		15:43
*** dave-mccowan has quit IRC		15:44
ayoung	stevemar, the fact that bugs are now being reported means that it is actually being tried.	15:45
stevemar	ayoung: you reported both bugs :)	15:46
ayoung	I know, but you fixed it	15:46
ayoung	heh	15:46
ayoung	stevemar, was that just dilligence, or due to people bugging you about them,?	15:47
stevemar	ayoung: diligence / OCD on my part	15:47
stevemar	ayoung: i wanted to fix the OSC review, but then i saw the bug, and i went down the rabbit hole	15:48
ayoung	stevemar, fair enough, but this is a powerful tool. GLad that you know the internals now	15:48
stevemar	ayoung: i just wanted a simple bug to shake off some rust	15:48
ayoung	I was trying to get an end to end proof of concept working, but then got "redirected" onto other things	15:48
*** udesale has quit IRC		15:48
ayoung	was just coming back to close the loop with the implied roles CLI piece, as that is needed for the RBAC stuff, and delegation, and all that	15:49
*** harlowja has joined #openstack-keystone		15:49
stevemar	yeah, i assumed something like that must have happened	15:49
ayoung	I'm looking for someone to help out on this, someone looking for a way to make a name and get involved	15:49
stevemar	ayoung: i heard theres a fella named dolphm that is looking to get involved in keystone	15:50
ayoung	stevemar, heh	15:50
ayoung	stevemar, I'm trying to get another RHer in here, since you guys poached my last one	15:51
ayoung	course, he didn't stop working on Keystone, so that was actually a good thing	15:51
lbragstad	stevemar rderose so - i'm running https://review.openstack.org/#/c/403916/ locally and it appears the change it what is breaking in the performance test (digging to get some logs now)	15:52
stevemar	lbragstad: yay?	15:53
stevemar	ayoung: get jdennis working on keystone! :D	15:53
*** chlong has joined #openstack-keystone		15:53
stevemar	i could review jdennis patches all day <3	15:54
stevemar	patch = 10 lines, commit message = 50 lines	15:54
ayoung	stevemar, he is dilligent. And no one understands the Federation protocols internals as well.	15:55
ayoung	stevemar, he'll be working on the Federation stuff, but I think it is mostly going to be Puppet and Tripleo-heat-template work	15:55
stevemar	nooo	15:56
*** adrian_otto has joined #openstack-keystone		15:56
ayoung	stevemar, my reaction, too	15:56
ayoung	but if we can't actually use a feature in our product, that feature does not exist	15:56
stevemar	too true	15:59
jdennis	aww, you guys are my Christmas present :-)	15:59
ayoung	jdennis, and Tripleo is the lump of coal in your stocking	16:00
*** chlong has quit IRC		16:01
*** markvoelker_ has joined #openstack-keystone		16:01
lbragstad	rderose hmm - after I install your change and try to authenticate, i get this error http://cdn.pasteraw.com/dxmt8qwxybqs8j27fteii7hysz98nno	16:02
lbragstad	which doesn't seem related to your change at all...	16:02
*** dave-mccowan has joined #openstack-keystone		16:03
*** markvoelker has quit IRC		16:03
*** markvoelker has joined #openstack-keystone		16:04
*** markvoelker_ has quit IRC		16:07
*** chlong has joined #openstack-keystone		16:17
amac	ayoung lbragstad Thanks for the help yesterday. After throwing things at the wall, I think my major issue came from having a bad clock in my Keystone test VM. With NTP in and working, I can issue a token using LDAP.	16:18
ayoung	amac, ++	16:18
*** clayton has quit IRC		16:21
*** mvk has quit IRC		16:22
*** clayton has joined #openstack-keystone		16:22
*** chlong has quit IRC		16:28
*** guoshan has joined #openstack-keystone		16:29
lbragstad	amac awesome - glad you were able to make some progress!	16:30
*** guoshan has quit IRC		16:33
*** catintheroof has joined #openstack-keystone		16:39
*** catinthe_ has quit IRC		16:42
*** harlowja has quit IRC		16:42
*** chlong has joined #openstack-keystone		16:42
*** amac has quit IRC		16:43
*** amac has joined #openstack-keystone		16:48
*** Guest14972 has quit IRC		17:03
stevemar	amac: ahhaha	17:10
stevemar	amac: great to hear you've progressed	17:11
rderose	lbragstad: yeah, that's doesn't seem to be related	17:13
rderose	lbragstad: were you able to figure it out?	17:14
*** Zer0Byte__ has joined #openstack-keystone		17:16
lbragstad	rderose not yet	17:19
lbragstad	rderose still working on it	17:19
rderose	lbragstad: okay, thanks	17:20
*** aloga has quit IRC		17:28
*** aloga has joined #openstack-keystone		17:28
*** guoshan has joined #openstack-keystone		17:29
*** tqtran has joined #openstack-keystone		17:30
openstackgerrit	Ron De Rose proposed openstack/keystone: Require domain_id when registering Identity Providers https://review.openstack.org/399684	17:33
*** guoshan has quit IRC		17:34
stevemar	dstanek: lbragstad i think this patch is ready: https://review.openstack.org/#/c/316991/6	17:39
stevemar	gagehugo: whats up with https://review.openstack.org/#/c/404022/ -- seems like it's perpetually in WIP, do you need help? :)	17:40
*** adrian_otto has quit IRC		17:43
*** harlowja has joined #openstack-keystone		17:53
morgan	p/	17:54
morgan	erm... o/	17:55
gagehugo	stevemar: sure! I was hoping to get more work done on it last week but I ended up being sick half the week. I do have some questions about where to proceed on that though	17:55
stevemar	morgan: o/	17:55
stevemar	gagehugo: ah alright, i'll actually review it	17:55
gagehugo	stevemar: I'll leave a comment on what I'm considering about it	17:56
stevemar	sounds good	17:56
*** pcaruana has quit IRC		17:59
samueldmq	ping agrebennikov, amakarov, annakoppad, ayoung, bknudson, breton, browne, chrisplo, crinkle, davechen, dolphm, dstanek, edmondsw, edtubill, gagehugo, gyee, henrynash, hrybacki, jamielennox, jaugustine, jgrassler, knikolla, lbragstad, kbaikov, ktychkova, morgan, nisha, nkinder, notmorgan, raildo, ravelar, rderose, rodrigods, roxanaghe, samueldmq, shaleh,	18:00
samueldmq	spilla, srwilkers, StefanPaetowJisc, stevemar, topol	18:00
rodrigods	hi	18:00
samueldmq	it's that time again - #openstack-meeting	18:00
stevemar	o/	18:00
*** catinthe_ has joined #openstack-keystone		18:03
nishaYadav	o/	18:04
*** catintheroof has quit IRC		18:06
*** rcernin has quit IRC		18:29
*** guoshan has joined #openstack-keystone		18:30
*** nishaYadav_ has joined #openstack-keystone		18:33
*** nishaYadav has quit IRC		18:34
*** guoshan has quit IRC		18:35
*** amoralej is now known as amoralej\|off		18:40
*** mvk has joined #openstack-keystone		18:54
*** chlong has quit IRC		18:56
lbragstad	rderose ok - i think i finally got it to work locally	19:02
lbragstad	rderose so i need to do this to re-enable my user? http://developer.openstack.org/api-ref/identity/v3/index.html?expanded=change-password-for-user-detail	19:02
rderose	lbragstad: yes	19:04
rderose	so that there not forced to change their password (password expires next auth)	19:04
lbragstad	rderose do I need to pass a valid token?	19:05
lbragstad	rderose I'm assuming I do	19:06
rderose	lbragstad: yes	19:06
rderose	you do	19:06
lbragstad	but - after the password has been changed, i can't get a new token, can i?	19:07
lbragstad	ah ha -	19:08
lbragstad	nevermind	19:08
lbragstad	my testing doesn't take into consideration the database migration :(	19:08
rderose	lbragstad: oh, I see	19:08
*** nishaYadav_ has quit IRC		19:09
lbragstad	rderose this migration doesn't force password updates does it? I just did a `keystone-manage db_sync` from the new code, verified the new columns exist, and i went to authenticate more than once and I get unauthorized	19:10
rderose	lbragstad: doesn't force password updates?	19:11
lbragstad	WARNING keystone.common.wsgi [req-59f34019-2b79-42bd-869c-e94883b38897 - - - - -] Authorization failed. The password is expired and needs to be reset by an administrator for user: 02bd433f50274a179a4321fce2b43d3c from 127.0.0.1	19:11
lbragstad	i went to authenticate after I did the `keystone-manage db_sync` and I was able to get a token	19:11
lbragstad	then i went to authenticate again and I get ^	19:11
rderose	lbragstad: the migration only adds a new column; the code will set the password expired after first auth	19:12
lbragstad	rderose so in the upgrade scenario, if I'm a deployer, will I be requiring all my users to update passwords after I roll out a new release?	19:12
*** chlong has joined #openstack-keystone		19:13
rderose	lbragstad: yeah, if not self-service password change, then all users would be required to change their password after they auth	19:13
rderose	lbragstad: so operators add this feature, any users that didn't change their password would be allowed to authenticate and then be required to change their password	19:14
lbragstad	ah - i'm only seeing this because i'm testing a change that made it default to true	19:14
rderose	lbragstad: rigth	19:14
rderose	*right	19:14
stevemar	rderose: eh? shouldn't the requirement only be enforced if they fail to auth?	19:15
stevemar	not upon a successful auth?	19:15
rderose	stevemar: no, because they are allowed to auth the first time	19:15
rderose	so after that, they should be required to change their password	19:16
*** adrian_otto has joined #openstack-keystone		19:16
lbragstad	rderose hmm - so I have an admin user, and I'm using the self-service password api to change their password and I get this:	19:17
lbragstad	http://cdn.pasteraw.com/h29c0j5z4yaojckyxucjaxejw04tf8n	19:17
rderose	lbragstad: hmm	19:18
stevemar	rderose: how is that backwards compatible?	19:19
stevemar	rderose: as a admin you flip that switch and you just locked out service accounts and a 1000 users	19:19
stevemar	you took down your cloud	19:19
rderose	stevemar: no	19:19
rderose	stevemar: you flip the switch, users are still able to auth, but now required to change their password	19:19
stevemar	right, so auth once and then you're done?	19:20
stevemar	service accounts will be screwed	19:20
rderose	lbragstad: 1) admin user creates user 2) admin users changes their password via api 3) and the user tries to auth?	19:20
stevemar	they send 100s of requests per minute	19:20
stevemar	you just failed 99 requests	19:20
*** adrian_otto has quit IRC		19:20
lbragstad	rderose my steps to reproduce were the following:	19:21
lbragstad	1.) upgrade with your patch	19:21
rderose	stevemar: so once auth and if you don't change your password, then it's expired	19:21
*** adrian_otto has joined #openstack-keystone		19:21
rderose	stevemar: we may need to ignore service accounts	19:21
lbragstad	2.) enable change_password_required_after_reset = True using https://review.openstack.org/#/c/413126/1	19:22
rderose	stevemar: but that is the gist of the PCI requirement, users must change their password after first auth	19:22
lbragstad	3.) authenticate for a new token	19:22
stevemar	first auth != any succesful auth	19:23
stevemar	next*	19:23
lbragstad	4.) use new token to change admin's password http://cdn.pasteraw.com/5p6is40jk2028e54zg2va6pdirg5dqz	19:23
rderose	stevemar: huh? first auth implies next successful auth, right?	19:23
lbragstad	for me step 4 fails but I'm also unable to get anther token becuase I've already authed	19:24
*** adrian_otto has quit IRC		19:25
rderose	lbragstad: can you change the password at step 3?	19:26
lbragstad	i'm not sure - that's a good question	19:27
rderose	lbragstad: step 3 you get a token (1st auth) and step 4 you get another new token (too late)	19:27
lbragstad	rderose oh - no	19:28
lbragstad	rderose sorry - i'm using the token from step 3 in step 4	19:28
rderose	lbragstad: hmm...	19:29
lbragstad	also - i'm not sure how likely this is... but i just tried to set change_password_required_after_reset=False to try and easily recover my admin account, but the state of the database seems to be preventing my admin user from authenticating	19:30
rderose	lbragstad: the state of the database?	19:30
rderose	lbragstad: no migration, but it probably set your admin's password to expired after you authenticated	19:31
lbragstad	rderose right	19:31
*** guoshan has joined #openstack-keystone		19:31
lbragstad	so at this point - i don't think i'd be able to get back to the previous state	19:31
rderose	lbragstad: you could do an admin password reset for that user, but still trying to figure out why you couldn't use the token to change your password	19:32
lbragstad	rderose yeah - that part is confusing me, too	19:33
rderose	lbragstad: it's like you authenticated twice or something, but it doesn't sound like it	19:33
lbragstad	because it shouldn't matter if that account is the admin account, I'm passing it the token I just got in order to change my password	19:33
rderose	lbragstad: yeah, there is nothing about admin	19:34
rderose	lbragstad: change_password API would make it a self-service password change	19:34
*** tobberydberg has joined #openstack-keystone		19:35
rderose	lbragstad: and when you change your password, it creates a revocation event	19:35
*** harlowja has quit IRC		19:35
rderose	lbragstad: but you're not getting that far	19:35
*** guoshan has quit IRC		19:35
lbragstad	rderose right - i seem to be stumbling on the mandatory password change	19:36
rderose	lbragstad: let me see if I can recreate the issue manually	19:36
*** catintheroof has joined #openstack-keystone		19:37
lbragstad	rderose this is what my database is telling me - http://cdn.pasteraw.com/48qmmzj9ef6c1k4u5ibqxwnirbkwlid	19:39
*** catinthe_ has quit IRC		19:40
rderose	lbragstad: ah, so that's the issue, self_service == 0	19:40
rderose	lbragstad: wait, keep forgetting, you're not getting that far	19:41
rderose	:)	19:41
lbragstad	rderose in step 4, i should be coming in through https://github.com/openstack/keystone/blob/91167ad58a7b6cfdf74c101f7c9861d5ad0f3eaa/keystone/identity/routers.py#L41-L48	19:42
lbragstad	and then moving along to the manager - https://github.com/openstack/keystone/blob/91167ad58a7b6cfdf74c101f7c9861d5ad0f3eaa/keystone/identity/core.py#L1284	19:42
rderose	lbragstad: right	19:43
lbragstad	rderose and then into authenticate - https://github.com/openstack/keystone/blob/91167ad58a7b6cfdf74c101f7c9861d5ad0f3eaa/keystone/identity/core.py#L880	19:44
lbragstad	but - that's the old password, right?	19:44
lbragstad	which means the driver implementation of authenticate would be here - https://github.com/openstack/keystone/blob/91167ad58a7b6cfdf74c101f7c9861d5ad0f3eaa/keystone/identity/backends/sql.py#L55-L73	19:46
rderose	lbragstad: looking...	19:46
lbragstad	and it would be authenticating the old_password	19:46
lbragstad	which would be tripping this check? https://github.com/openstack/keystone/blob/91167ad58a7b6cfdf74c101f7c9861d5ad0f3eaa/keystone/identity/backends/sql.py#L68-L69	19:47
rderose	lbragstad: yep, I thought I was accounting for that and ignoring if the password was expired	19:47
lbragstad	ok - cool	19:47
rderose	lbragstad: so change_password authenticates again for the old password	19:47
lbragstad	rderose yes - it appears it will check the "old_password"	19:48
lbragstad	which is passed in the request body	19:48
rderose	lbragstad: could swear that I accounted for that	19:48
rderose	dam	19:48
lbragstad	rderose :)	19:48
lbragstad	rderose i'm surprised the tests didn't fail for that case	19:48
rderose	lbragstad: totally	19:49
lbragstad	so - the problem is that the self service password API will validate the old password, but that validation fails because the identity driver's authenticate implementation will consider the old password expired since it was marked as expired on the last successful authenticate call (thus forcing the password to be updated)	19:49
rderose	yeah, I'll do a try/except there and allow expired password	19:50
lbragstad	rderose cool - i'll clean up my testing environment	19:51
rderose	lbragstad: alright	19:51
lbragstad	rderose and do another manual test for performance numbers when you get a new patch up	19:51
rderose	lbragstad: and thanks for your work on this, can't believe I missed that	19:51
lbragstad	rderose no problem - I probably should have tested that sooner ;)	19:51
lbragstad	rderose i'm also going to remove those patch sets from the performance test queue	19:52
rderose	lbragstad: cool	19:52
*** amac is now known as stradling		20:01
*** stradling has quit IRC		20:02
*** clenimar has quit IRC		20:12
*** chlong has quit IRC		20:15
*** raildo has quit IRC		20:20
*** chlong has joined #openstack-keystone		20:27
*** guoshan has joined #openstack-keystone		20:32
*** guoshan has quit IRC		20:37
*** jamielennox\|away is now known as jamielennox		20:44
*** catintheroof has quit IRC		20:47
*** ayoung has quit IRC		21:01
*** ayoung has joined #openstack-keystone		21:01
*** ChanServ sets mode: +v ayoung		21:01
*** stingaci has joined #openstack-keystone		21:04
*** ravelar1 has joined #openstack-keystone		21:12
Zer0Byte__	hey guys	21:16
Zer0Byte__	im just want to confirm something	21:16
*** ravelar1 has quit IRC		21:17
Zer0Byte__	os_project_domain_id and os_project_domain_name is for older versions os keystone?	21:17
Zer0Byte__	newest version use os_user_domin_id and os_user_domain_name	21:17
Zer0Byte__	right	21:17
Zer0Byte__	/	21:17
Zer0Byte__	?	21:17
knikolla	Zer0Byte__: Both are needed if you use keystone v3	21:23
Zer0Byte__	os_project_domain_id	21:23
Zer0Byte__	and os_user_domain_id?	21:23
knikolla	Zer0Byte__: yes. project_domain_id is for the domain of the project you are scoping to, and user_domain_id is for the user domain.	21:24
Zer0Byte__	for for connect the client is not on the template	21:26
stevemar	rderose: Why not update the user record when an administrators sets the password (with a boolean (needs_new_password)) -- and if it's set when they auth, then do not allow the auth to go through?	21:26
*** dave-mccowan has quit IRC		21:26
rderose	stevemar: if needs_new_password, allow them to auth, right?	21:27
knikolla	Zer0Byte__: are you using keystone v2 or v3?	21:27
Zer0Byte__	v3	21:28
rderose	stevemar: because first time, they should be able to	21:28
Zer0Byte__	knikolla check the templace of rc	21:28
knikolla	Zer0Byte__: can you link me to it?	21:28
Zer0Byte__	sure	21:28
knikolla	Zer0Byte__: you don't need to provide the domain for a user or a project, if you are using user_id or project_id instead of username or project_name respectively.	21:29
openstackgerrit	Merged openstack/keystone: Invalidate token cache after token delete https://review.openstack.org/316991	21:29
Zer0Byte__	https://github.com/openstack/horizon/blob/master/openstack_dashboard/dashboards/project/access_and_security/templates/access_and_security/api_access/openrc.sh.template	21:29
Zer0Byte__	knikolla	21:29
stevemar	rderose: so theres two cases: 1) admin just created a new user and emailed the person with a temp password, and 2) admin reset a password and emailed the person with a new password	21:30
rderose	yep	21:30
knikolla	Zer0Byte__: as I said, if you use project_id, you don't need project_domain_id.	21:31
stevemar	rderose: we may need to handle the two a bit differently	21:31
stevemar	lemme think on it	21:31
rderose	stevemar: why?	21:31
rderose	stevemar: it's the same thing, right	21:31
rderose	stevemar: but yeah, think on it	21:32
stevemar	rderose: not really, one has never authed before, the other has	21:32
Zer0Byte__	knikolla i guess i do the question wrong	21:32
Zer0Byte__	the variable is os_project_domain_id	21:32
rderose	stevemar: but from a PCI perspective, they need to change their password	21:32
knikolla	Zer0Byte__: and you can use _domain_name instead of _domain_id.	21:32
rderose	stevemar: see your point though	21:32
*** guoshan has joined #openstack-keystone		21:32
Zer0Byte__	i can use project_domain_id ?	21:33
rderose	stevemar: the other thing to consider here is how to let horizon know the user needs to change their password	21:33
Zer0Byte__	or is old variable	21:33
stevemar	Zer0Byte__: all 4 have worked for a long time, just don't use name and ID together	21:34
stevemar	one option is for projects, the other is for users	21:34
*** guoshan has quit IRC		21:37
knikolla	stevemar: i always get confused looks when i explain names and IDs to someone.	21:38
stevemar	rderose: we need to allow prevent access to APIs that aren't related to `change_password`	21:39
rderose	stevemar: you mean only allow change_password?	21:40
rderose	and don't allow any other API calls?	21:41
stevemar	yeah	21:41
rderose	stevemar: hmm...	21:42
rderose	stevemar: I think that would be the strictest interpretation of the rule	21:42
rderose	stevemar: but I tend to agree	21:43
rderose	stevemar: let me give it some thought	21:44
stevemar	rderose: yeah, i'm mulling it over now	21:44
rderose	cool	21:44
stevemar	rderose: we can't do anything backwards incompatible, if a user is able to auth now, a switch is flipped, they should continue to be able to auth	21:45
stevemar	they're not "new users"	21:45
stevemar	rderose: is this an OSIC initiative? or did you just want to be a PCI completionist?	21:45
rderose	stevemar: but it's not a backwards compatible issue, I mean an operator should be able to change their security rules	21:46
*** chlong has quit IRC		21:46
rderose	and require users to change their passwords by flipping a switch	21:46
rderose	stevemar: both	21:46
stevemar	that would be a terrible UX, i have no idea why anyone would want to do that to their users	21:47
rderose	stevemar: user authenticates and is required to change their password	21:47
rderose	stevemar: that doesn't seem so bad	21:47
rderose	stevemar: or, what you are suggesting, a user password never expires?	21:48
rderose	if they are an existing user	21:48
stevemar	they should expire when the config option says so	21:48
rderose	stevemar: so you are thinking that this is just forward looking feature	21:49
rderose	that any user created after flipping the switch would be impacted?	21:49
stevemar	rderose: your solution to backwards incompatability is either: 1) service interruption (service users get owned), 2) tuning a bunch of knobs (adding service users to blacklist), or 3) terrible UX	21:50
stevemar	all of which i think are no-go's	21:50
stevemar	i'm thinking this is not worth the effort	21:50
stevemar	or we restrict users to just the self-service password API if they are newly created OR admin reset their password	21:51
rderose	stevemar: I just don't think if your users are using the same password that you gave them a year ago, why that would be such a big deal to make them change it.	21:51
rderose	yeah, we definitely would need to do something with service users.	21:51
rderose	stevemar: I just want us to be PCI compliant; without this patch, we are not	21:52
stevemar	okay, i think i know what you're getting at now	21:52
stevemar	you added 30/60/90 days to the PCI compliant option, but all the users are still able to auth with their old passwords, this new option would force them to change	21:53
rderose	stevemar: yes	21:53
stevemar	in which case I would say that is a very loose interpretation of the PCI rule -- those users are not "new"	21:54
rderose	stevemar: well, if you flip the switch at 90 days, going forward, you will PCI compliant	21:54
stevemar	i think this needs more thought, the patch was representing one idea, but in essence trying to solve somethign else	21:55
stevemar	you're looking for a migration strategy for users	21:55
stevemar	and trying to leverage this option to do that	21:55
rderose	stevemar: so you send your users a notice to change their password within 30 days and 30 days later you flip the switch	21:55
stevemar	rderose: but we have no way of controling that an admin does step 1	21:56
stevemar	if they do step 2, they are toast	21:56
stevemar	(without step 1)	21:56
rderose	stevemar: hmm...	21:56
rderose	stevemar: if we have an ignore list or domain configurable, they are not toast	21:57
stevemar	rderose: shit, if i wanted to, as an admin i could list all users, loop over each entry, call update user with the ID, generate a new password, make the API call and send an email	21:57
rderose	because service users wouldn't be impacted	21:57
rderose	stevemar: haha	21:57
rderose	stevemar: that's true	21:57
stevemar	we have to be able to say "this is an operator issue" at some point	21:58
rderose	yeah	21:58
stevemar	lets take some time to think it over	21:58
rderose	stevemar: sounds good	21:58
openstackgerrit	Lance Bragstad proposed openstack/keystone: Fix import ordering in tempest plugins https://review.openstack.org/413244	22:03
*** edmondsw has quit IRC		22:04
*** chris_hultin is now known as chris_hultin\|AWA		22:05
lbragstad	dstanek for when you're back from vacation - this would be a good one for you to look at https://review.openstack.org/#/c/324769	22:06
gagehugo	rderose stevemar: I feel like https://review.openstack.org/#/c/404022/ will also affect users required to change their passwords	22:13
*** tobberydberg has quit IRC		22:14
rderose	gagehugo: true	22:15
rderose	gagehugo: mulling this over now	22:15
lbragstad	stevemar configuration error - no? https://bugs.launchpad.net/keystone/+bug/1648753	22:21
openstack	Launchpad bug 1648753 in OpenStack Identity (keystone) "Tempest test ServicesTestJSON.test_create_update_get_service fails for HA Keystone" [Undecided,New]	22:21
lbragstad	stevemar also - i think we can make https://bugs.launchpad.net/keystone/+bug/1648798 a dup of https://bugs.launchpad.net/keystone/+bug/1557238 and reopen it if what sylvain says is true	22:25
openstack	Launchpad bug 1648798 in OpenStack Identity (keystone) "mapping yield no valid identity result in HTTP 500 error" [Undecided,New]	22:25
openstack	Launchpad bug 1557238 in OpenStack Identity (keystone) "mapping yield no valid identity result in HTTP 500 error" [High,Fix released] - Assigned to Guang Yee (guang-yee)	22:25
*** guoshan has joined #openstack-keystone		22:33
*** guoshan has quit IRC		22:38
*** chlong has joined #openstack-keystone		22:57
*** adriant has joined #openstack-keystone		23:00
*** chris_hultin\|AWA is now known as chris_hultin		23:01
stevemar	lbragstad: for 1648753, let's let julya run with that one, she seems to have a plan for testing HA / rolling upgrade	23:14
stevemar	oops, julia, my bad	23:14
stevemar	lbragstad: oh shes online as jvarlamova -- i'll ping her tomorrow about it	23:14
stevemar	lbragstad: i wouldn't mark https://bugs.launchpad.net/keystone/+bug/1648798 as a dupe, the creator explicitly called out the dupe and said the fix is insufficient	23:15
openstack	Launchpad bug 1648798 in OpenStack Identity (keystone) "mapping yield no valid identity result in HTTP 500 error" [Undecided,New]	23:15
*** stingaci has quit IRC		23:23
*** stingaci has joined #openstack-keystone		23:24
stevemar	ayoung: just a heads up about https://review.openstack.org/#/c/363065/ -- i replied to your comment. I was just re-targeting the spec, it was already approved and backlogged.	23:25
ayoung	stevemar, its still wrong	23:25
ayoung	stevemar, honestly, you call that a spec?	23:25
ayoung	its like a placeholder.	23:25
ayoung	why did that one go through without any details?	23:26
ayoung	PLus, that was what is linked to from the Blueprint, need to figure out which is the original	23:26
stevemar	ayoung: i think folks thought it was just meant to be like an abstraction layer	23:26
*** stingaci_ has joined #openstack-keystone		23:26
ayoung	stevemar, at an absolute minimum it needs to cover credentials as well as Fernet	23:27
ayoung	it really should do the passwords for the databases as well, but that might be competing with oslo.policy. Then again, the fernet keys could be handled via oslo,.policy the same way	23:27
ayoung	soooo	23:27
ayoung	needs perspective	23:28
ayoung	just compare that with the drubbing I got on both implied roles and now RBAC and you can see why we are not being consistent in the standard we expect.	23:28
stevemar	the way i remember this was: the file system approach to managing fernet keys wasn't nice -- create an abstraction layer, set file system as the default driver, and folks can implement their own custom driver	23:28
ayoung	And, I am not saying that as bitter...the high standard for RBAC is where we should be	23:29
ayoung	Not sufficient	23:29
ayoung	what we have baked in rotation for a single machine	23:29
ayoung	but makes no effort to export or import	23:29
ayoung	and that is as uimportant as the storage...or more	23:29
*** stingaci has quit IRC		23:29
ayoung	and I have to go pick up my kid now...	23:29
stevemar	ayoung: ttyl	23:30
stevemar	ayoung: it was up for a while, chalk its approval up to hindsight? neither I nor you reviewed it :\	23:31
stevemar	ayoung: this is why I've wanted a roll-call feature for the specs	23:31
stevemar	the implied roles stuff was a fast merge, that was merged in 2 days :P -- and the RBAC stuf, well like you said, we want a high standard there	23:32
*** guoshan has joined #openstack-keystone		23:34
stevemar	ayoung: i think there are two things at play for the fernet backend thing. 1) oversimplification, the idea presented an easy way to appease operators without enough due diligence, and 2) the proposed work is diverting from the spec.	23:35
* rodrigods is going through old in progress tempest bugs		23:35
rodrigods	90% are invalid	23:35
rodrigods	i guess we have the same in keystone*?	23:35
stevemar	rodrigods: for bugs?	23:36
rodrigods	yeah	23:36
stevemar	rodrigods: doubtful, lbragstad and I have been keeping a pretty tight lid on the bugs	23:36
rodrigods	stevemar, ++	23:36
stevemar	rodrigods: you're more than welcome to go through them and triage ;)	23:36
rodrigods	i know heh	23:37
rodrigods	tempest has a huge pile of staled bugs	23:37
rodrigods	helping out them right now	23:37
stevemar	ayoung: anyway, cooking time, we can chat later -- sorry if you are feeling bitter	23:37
*** guoshan has quit IRC		23:39
*** stingaci_ has quit IRC		23:40
*** stingaci has joined #openstack-keystone		23:41
*** lamt has quit IRC		23:45
*** chris_hultin is now known as chris_hultin\|AWA		23:46
*** lamt has joined #openstack-keystone		23:46
*** lamt has quit IRC		23:51
ayoung	Not bitter. This one is important, I just want it done right, and it seems like it is not thought through	23:55

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!