Friday, 2017-12-08

*** gmann_afk is now known as gmann		00:01
*** threestrands has joined #openstack-keystone		00:01
*** itlinux has joined #openstack-keystone		00:03
*** rcernin has quit IRC		00:25
*** rcernin has joined #openstack-keystone		00:25
*** seniorcrepe has joined #openstack-keystone		01:00
*** gyee has quit IRC		01:01
seniorcrepe	Correct me if I am wrong.. but fernet keys are 128bit AES?	01:02
*** david-lyle has joined #openstack-keystone		01:18
*** seniorcrepe has quit IRC		01:18
*** Dinesh_Bhor has joined #openstack-keystone		01:28
*** david-lyle has quit IRC		01:36
lbragstad	seniorcrepe yes - they consist of a 128 AES encryption key and a SHA256 HMAC signing key	02:02
lbragstad	https://cryptography.io/en/latest/fernet/#implementation	02:02
*** harlowja has quit IRC		02:03
*** annp has joined #openstack-keystone		02:26
*** namnh has joined #openstack-keystone		02:38
*** aselius has quit IRC		02:42
*** zhurong has joined #openstack-keystone		02:47
*** Dinesh_Bhor has quit IRC		03:25
*** dave-mccowan has quit IRC		03:26
openstackgerrit	wangxiyuan proposed openstack/keystone-specs master: Limits API https://review.openstack.org/455709	03:29
openstackgerrit	wangxiyuan proposed openstack/keystone master: Add schema check for authorize request token https://review.openstack.org/526296	03:37
*** links has joined #openstack-keystone		03:42
openstackgerrit	wangxiyuan proposed openstack/keystone master: Deprecate member_role_id and member_role_name https://review.openstack.org/522461	03:46
openstackgerrit	wangxiyuan proposed openstack/keystone master: Remove useless function https://review.openstack.org/526262	03:46
openstackgerrit	wangxiyuan proposed openstack/keystone master: Remove useless function https://review.openstack.org/526262	03:51
openstackgerrit	wangxiyuan proposed openstack/keystone master: Remove useless function https://review.openstack.org/526262	03:54
openstackgerrit	Dai Dang Van proposed openstack/keystone master: Add scope_types for user policies https://review.openstack.org/526203	04:03
openstackgerrit	Dai Dang Van proposed openstack/keystone master: Add scope_types for policy policies https://review.openstack.org/526197	04:03
openstackgerrit	Dai Dang Van proposed openstack/keystone master: Add scope_types to ec2 policies https://review.openstack.org/526191	04:04
openstackgerrit	Dai Dang Van proposed openstack/keystone master: Add scope_types to credential policies https://review.openstack.org/526189	04:04
openstackgerrit	Dai Dang Van proposed openstack/keystone master: Add scope_types to oauth policies https://review.openstack.org/526184	04:04
openstackgerrit	Dai Dang Van proposed openstack/keystone master: Add scope_types to trust policies https://review.openstack.org/526176	04:04
openstackgerrit	Dai Dang Van proposed openstack/keystone master: Add scope_types to token revocation policies https://review.openstack.org/526175	04:04
openstackgerrit	Dai Dang Van proposed openstack/keystone master: Add scope_types to token policies https://review.openstack.org/526174	04:04
*** aojea has joined #openstack-keystone		04:04
openstackgerrit	Dai Dang Van proposed openstack/keystone master: Add scope_types to domain policies https://review.openstack.org/525705	04:04
openstackgerrit	Dai Dang Van proposed openstack/keystone master: Add scope_types to role policies https://review.openstack.org/526171	04:04
openstackgerrit	Dai Dang Van proposed openstack/keystone master: Add scope_types to implied role policies https://review.openstack.org/526193	04:04
openstackgerrit	Dai Dang Van proposed openstack/keystone master: Add scope_types to service policies https://review.openstack.org/525696	04:05
openstackgerrit	Dai Dang Van proposed openstack/keystone master: Add scope_types to project policies https://review.openstack.org/526159	04:05
openstackgerrit	Dai Dang Van proposed openstack/keystone master: Add scope_types to endpoint policies https://review.openstack.org/525695	04:05
openstackgerrit	Dai Dang Van proposed openstack/keystone master: Add scope_types to endpoint group policies https://review.openstack.org/525700	04:05
*** Dinesh_Bhor has joined #openstack-keystone		04:06
openstackgerrit	Dai Dang Van proposed openstack/keystone master: Add scope_types to identity provider policies https://review.openstack.org/526145	04:06
openstackgerrit	Dai Dang Van proposed openstack/keystone master: Add scope_types to protocol policies https://review.openstack.org/526161	04:06
openstackgerrit	Dai Dang Van proposed openstack/keystone master: Add scope_types to project endpoint policies https://review.openstack.org/526160	04:07
openstackgerrit	Dai Dang Van proposed openstack/keystone master: Add scope_types for revoke event policies https://review.openstack.org/526198	04:07
openstackgerrit	Dai Dang Van proposed openstack/keystone master: Add scope_types to region policies https://review.openstack.org/525698	04:08
openstackgerrit	Dai Dang Van proposed openstack/keystone master: Add scope_types to service provider policies https://review.openstack.org/526173	04:08
*** aojea has quit IRC		04:08
openstackgerrit	Dai Dang Van proposed openstack/keystone master: Add scope_types to policy association policies https://review.openstack.org/526195	04:09
*** Dinesh_Bhor has quit IRC		04:19
*** Dinesh_Bhor has joined #openstack-keystone		04:19
*** zhurong has quit IRC		04:26
*** sticker has quit IRC		05:03
*** rcernin has quit IRC		05:11
*** threestrands has quit IRC		05:24
*** harlowja has joined #openstack-keystone		05:37
*** threestrands has joined #openstack-keystone		05:39
*** threestrands has quit IRC		05:39
*** threestrands has joined #openstack-keystone		05:39
*** zhurong has joined #openstack-keystone		05:40
*** rcernin has joined #openstack-keystone		06:11
*** swain has joined #openstack-keystone		06:12
*** harlowja has quit IRC		06:14
*** threestrands has quit IRC		06:28
*** Shunli has joined #openstack-keystone		06:39
*** zhurong has quit IRC		06:47
-openstackstatus- NOTICE: Due to some unforseen Zuul issues the gate is under very high load and extremely unstable at the moment. This is likely to persist until PST morning		07:03
*** ChanServ changes topic to "Due to some unforseen Zuul issues the gate is under very high load and extremely unstable at the moment. This is likely to persist until PST morning"		07:03
*** amito has quit IRC		07:06
*** kencjohnston has quit IRC		07:08
*** odyssey4me has quit IRC		07:08
*** melwitt has quit IRC		07:08
*** cmurphy has quit IRC		07:08
*** cmurphy has joined #openstack-keystone		07:09
*** melwitt has joined #openstack-keystone		07:10
*** melwitt is now known as Guest9054		07:11
*** odyssey4me has joined #openstack-keystone		07:12
*** kencjohnston has joined #openstack-keystone		07:13
*** bhagyashri_s has joined #openstack-keystone		07:28
*** david-lyle has joined #openstack-keystone		07:52
*** zhurong has joined #openstack-keystone		08:16
*** aojea has joined #openstack-keystone		08:20
*** aojea has quit IRC		08:20
*** aojea has joined #openstack-keystone		08:20
*** tesseract has joined #openstack-keystone		08:20
*** swain has quit IRC		08:22
*** sapd__ has joined #openstack-keystone		08:31
*** sapd_ has quit IRC		08:31
*** aojea has quit IRC		08:33
openstackgerrit	Mehdi Abaakouk (sileht) proposed openstack/keystonemiddleware master: Add missing python-memcached requirements https://review.openstack.org/526624	08:34
openstackgerrit	Mehdi Abaakouk (sileht) proposed openstack/keystonemiddleware master: Revert "Use oslo_cache in auth_token middleware" https://review.openstack.org/526628	08:44
openstackgerrit	Mehdi Abaakouk (sileht) proposed openstack/keystonemiddleware master: cfg.CONF must not be used directly https://review.openstack.org/526631	08:59
*** itlinux has quit IRC		09:01
*** amito has joined #openstack-keystone		09:06
*** sapd__ has quit IRC		09:11
*** sapd has joined #openstack-keystone		09:12
*** sapd_ has joined #openstack-keystone		09:22
*** sapd has quit IRC		09:22
*** Shunli has quit IRC		09:29
*** Dinesh_Bhor has quit IRC		09:37
*** gmann is now known as gmann_afk		09:48
*** annp has quit IRC		10:07
*** namnh has quit IRC		10:19
*** daidv has quit IRC		10:38
*** zhurong has quit IRC		10:40
*** hoonetorg has quit IRC		10:44
*** hoonetorg has joined #openstack-keystone		10:46
*** openstackgerrit has quit IRC		11:17
*** links has quit IRC		11:28
*** links has joined #openstack-keystone		11:41
*** dave-mccowan has joined #openstack-keystone		11:45
*** tesseract has quit IRC		11:50
*** tesseract has joined #openstack-keystone		11:51
*** raildo has joined #openstack-keystone		12:00
*** efried is now known as fried_rice		12:29
*** jaosorior has quit IRC		13:12
*** jaosorior has joined #openstack-keystone		13:13
*** aojea has joined #openstack-keystone		13:33
*** aojea has quit IRC		13:37
*** markvoelker has quit IRC		13:40
*** markvoelker has joined #openstack-keystone		13:43
*** panbalag has joined #openstack-keystone		13:45
*** panbalag has left #openstack-keystone		13:45
*** tesseract has quit IRC		13:47
*** tesseract has joined #openstack-keystone		13:50
*** crepe has joined #openstack-keystone		13:55
crepe	Hopped off last night so I apologize if this was answered.. I read in the docs that keystone uses aes256 with fernet, but it looks like fernet only supports 128?	13:55
cmurphy	crepe: lbragstad responded just after you left http://eavesdrop.openstack.org/irclogs/%23openstack-keystone/%23openstack-keystone.2017-12-08.log.html#t2017-12-08T02:02:56	13:58
crepe	Thanks!	13:58
cmurphy	no problem	13:59
*** ChanServ changes topic to "Queens release schedule: https://releases.openstack.org/queens/schedule.html \| Meeting agenda: https://etherpad.openstack.org/p/keystone-weekly-meeting \| Bugs that need triaging: http://bit.ly/2iJuN1h \| Trello: https://trello.com/b/5F0h9Hoe/keystone"		13:59
-openstackstatus- NOTICE: The issues have been fixed, Zuul is operating fine again but has a large backlog. You can recheck jobs that failed.		13:59
crepe	Its more of a curiosity at this point.. but I believe this means that fernet+keystone wouldn't satisfy FIPS requirements. If not FIPS then there are other requirements that it wouldn't satisfy. I guess the alternative would be to use PKI instead of fernet	14:00
cmurphy	we don't support PKI tokens any more	14:01
cmurphy	crepe: have a link handy for those specifications?	14:01
crepe	Yea lemme track down something that I can link	14:01
cmurphy	we're also working on implementing JWT as an alternative token format http://specs.openstack.org/openstack/keystone-specs/specs/keystone/backlog/json-web-tokens.html	14:02
lbragstad	crepe: let me know if you find a link, i'd be interested in that	14:11
lbragstad	cmurphy: that'd be another good reason to do JWT... if JWT is FIPS compliant?	14:14
cmurphy	I don't know much about fips compliance except that it makes compiling openssl a pita :P	14:15
crepe	Heh yea FIPS can be a pain. So far I have found this: https://www.iad.gov/iad/customcf/openAttachment.cfm?FilePath=/iad/library/ia-guidance/ia-solutions-for-classified/algorithm-guidance/assets/public/upload/CNSA-Suite-and-Quantum-Computing-FAQ.pdf&WpKes=aF6woL7fQp3dJiaUTzJUSR35PvDWGNkSuyZ38R	14:18
crepe	Real links are hard to find. Standards for different classification levels now appear to require AES256, but again I am having a hard time finding a good link. The Information Assurance one is probably the best I can find for now	14:21
crepe	Again like I said, not a huge deal and at this point more of a curiosity.	14:22
cmurphy	I'd be interested if there are companies rejecting using openstack/keystone because of non-FIPS compliance, we've certainly been working towards becoming PCI compiant	14:24
*** dansmith is now known as superdan		14:25
crepe	I'd imagine waivers could be / have been granted but it'd be nice to eventually be FIPS/DoD compliant	14:26
crepe	Although that is an ever-moving target	14:26
cmurphy	lbragstad: i finally went through https://review.openstack.org/#/c/455709 top to bottom again and i'm worried it's not fully fleshed out yet :/ feel bad about getting to it so late though :(	14:29
*** links has quit IRC		14:37
lbragstad	cmurphy: i'll read up on your comments	14:38
lbragstad	cmurphy: in your opinion, what do you think the hierarchy check is on line 407?	14:42
cmurphy	lbragstad: what i meant by "keystone cannot do any hierarchical checks" was wrt the hierarchical quota model, if we don't have the model defined then keystone doesn't have rules to follow when checking the limits in the hierarchy	14:48
lbragstad	ok	14:49
lbragstad	so - we would allow for limits to be associated to projects (that may or may not be in a hierarchy)	14:51
lbragstad	and then enabled enforcement of limits based on the hierarchy in a subsequent release?	14:51
lbragstad	(would that be backwards incompatible?)	14:51
lbragstad	or - would we only allow you to set limits on projects that aren't in a hierarchy	14:52
*** Guest9054 is now known as melwitt		14:52
lbragstad	i wish sdague was around	14:54
cmurphy	that might work	14:54
cmurphy	i was thinking about the backwards compat issue	14:54
lbragstad	yeah...	14:54
lbragstad	that's going to be tricky	14:54
cmurphy	and thinking we'd need some kind of discovery mechanism	14:54
cmurphy	but if we just forbid using it on a project in a hierarchy that might circumvent the problem	14:55
lbragstad	especially if people start associating invalid limits to projects in a hierarchy, and then we go and implement proper validation	14:55
*** spilla has joined #openstack-keystone		14:55
*** rcernin has quit IRC		14:55
cmurphy	sdague is online just not here	14:56
lbragstad	cmurphy: should we move this to -dev?	14:56
lbragstad	in hopes of attracting someone from bm/vm	14:56
cmurphy	++	14:56
kmalloc	lbragstad: responded to your comments on the PRoviderAPIs patch	15:23
kmalloc	tl;dr, yep, only _provides_api attr is needed on the manager(S)	15:23
*** samuelbartel has joined #openstack-keystone		15:24
kmalloc	lbragstad: i think it would be backwards incompat if suddenly we checked the hierarchy for quota limit restrictions	15:24
kmalloc	cmurphy: ^ cc	15:25
cmurphy	kmalloc: yeah, my idea was to have some kind of discovery mechanism to get around that but in -dev i think we settled on just forbidding applying limits to child projects	15:26
kmalloc	wfm	15:27
*** openstackgerrit has joined #openstack-keystone		15:28
openstackgerrit	wangxiyuan proposed openstack/keystone-specs master: Limits API https://review.openstack.org/455709	15:28
cmurphy	oh wxy is still awake :)	15:28
lbragstad	cmurphy: kmalloc we have sdague's attention in -dev :)	15:33
lbragstad	cc wxy ^	15:34
kmalloc	ok i need coffee and food.	16:13
*** jaosorior has quit IRC		16:13
* kmalloc goes to wake up family members for said coffee and foodz		16:13
*** itlinux has joined #openstack-keystone		16:14
lbragstad	kmalloc: cmurphy think we can re-write the spec to target the "flat" model for queens/	16:20
*** MasterOfBugs has joined #openstack-keystone		16:22
*** pramodrj07 has joined #openstack-keystone		16:22
*** samuelbartel has quit IRC		16:24
cmurphy	lbragstad: I think it can be done, not sure about the timeline :)	16:31
lbragstad	alright - i'll repropose the specification today	16:31
lbragstad	i think it will simplify the implementation	16:31
*** AlexeyAbashkin has joined #openstack-keystone		16:40
*** itlinux has quit IRC		16:42
*** itlinux has joined #openstack-keystone		16:43
*** AlexeyAbashkin has quit IRC		16:44
openstackgerrit	Merged openstack/keystone master: Updated from global requirements https://review.openstack.org/526377	16:46
cmurphy	lbragstad: do you think you want to extend the spec deadline? if so i'll add it to my email	16:49
lbragstad	i think we could just submit a spec freeze exception	16:50
lbragstad	for this spec - everything else is pretty set	16:50
cmurphy	++	16:50
*** d0ugal has quit IRC		16:52
*** d0ugal has joined #openstack-keystone		16:54
*** d0ugal has quit IRC		16:54
*** d0ugal has joined #openstack-keystone		16:54
*** david-lyle has quit IRC		16:57
*** itlinux has quit IRC		17:00
*** itlinux has joined #openstack-keystone		17:05
*** gyee has joined #openstack-keystone		17:14
*** tesseract has quit IRC		17:29
*** raildo has quit IRC		17:29
*** spilla has quit IRC		17:33
*** david-lyle has joined #openstack-keystone		17:36
*** fried_rice is now known as fried_rolls		17:41
*** raildo has joined #openstack-keystone		17:53
openstackgerrit	Lance Bragstad proposed openstack/keystone-specs master: Update unified limits spec to clarify flat-ness https://review.openstack.org/526745	17:57
lbragstad	wxy: cmurphy kmalloc ^	17:57
*** openstackgerrit has quit IRC		18:03
*** crepe has quit IRC		18:03
*** panbalag has joined #openstack-keystone		18:07
*** raildo has quit IRC		18:12
*** raildo has joined #openstack-keystone		18:13
*** r-daneel has joined #openstack-keystone		18:15
*** david-lyle has quit IRC		18:21
*** aselius has joined #openstack-keystone		18:33
* lbragstad breaks for lunch		18:37
*** panbalag has left #openstack-keystone		18:41
*** openstackgerrit has joined #openstack-keystone		19:05
openstackgerrit	Lance Bragstad proposed openstack/keystone-specs master: Update unified limits spec to clarify flat-ness https://review.openstack.org/526745	19:06
openstackgerrit	Lance Bragstad proposed openstack/keystone-specs master: Fix line-too-long error https://review.openstack.org/526756	19:07
*** aojea has joined #openstack-keystone		19:08
*** pramodrj07 has quit IRC		19:13
*** MasterOfBugs has quit IRC		19:13
*** aojea has quit IRC		19:15
*** harlowja has joined #openstack-keystone		19:21
*** raildo has quit IRC		19:25
*** MasterOfBugs has joined #openstack-keystone		19:27
*** pramodrj07 has joined #openstack-keystone		19:27
*** __david has joined #openstack-keystone		19:29
*** AlexeyAbashkin has joined #openstack-keystone		19:46
__david	I'm trying to setup swift3 ( S3 API compatibility with Openstack Swift) and I'm having issues with the s3_extension function of keystone. In the staging setup I have, the logs show 404 on POST requests to /v2.0/s3tokens on the Keystone admin service . I believe the POST is coming from the s3token middelware in Swift.	19:50
*** fried_rolls is now known as fried_rice		19:53
timburke	__david: it is. following https://github.com/openstack/swift3/commit/2a48861 you can configure s3token to use v3 keystone with `auth_version = 3`	19:53
timburke	that path component used to be hardcoded, so swift3 couldn't use a sane default :-(	19:54
*** raildo has joined #openstack-keystone		19:55
*** AlexeyAbashkin has quit IRC		19:56
*** jmlowe has quit IRC		20:04
*** jmlowe has joined #openstack-keystone		20:10
__david	@timburke - I'm using ver 1.12 of swift3, so I have that commit. My proxy server config has the s3token section with the following	20:11
__david	reseller_prefix = AUTH_ delay_auth_decision = False auth_uri = https://keystone-url:35357/ auth_version = 2.0 http_timeout = 10.0	20:11
timburke	__david: right. and i'm guessing it's a v3-only keystone install? i think just changing that "auth_version = 2.0" to be "auth_version = 3" will square you	20:13
__david	@timburke it's v2.0 and v3. We only use v2.0 actually.	20:14
timburke	oh, weird then... does the keystone wsgi pipeline include s3_extension?	20:14
*** sbezverk has joined #openstack-keystone		20:14
__david	I think keystone-paste.ini is unchanged from the example in the keystone etc folder. admin composite in keystone-paste.ini maps /v2.0 to admin_api which has the following: pipeline = cors sizelimit http_proxy_to_wsgi osprofiler url_normalize request_id admin_token_auth build_auth_context token_auth json_body ec2_extension s3_extension admin_service	20:16
*** david-lyle has joined #openstack-keystone		20:16
__david	keystone is from the newton release and swift is pike, with the 1.12 swift3 release fwiw	20:17
*** ChanServ has quit IRC		20:17
*** ChanServ has joined #openstack-keystone		20:24
*** barjavel.freenode.net sets mode: +o ChanServ		20:24
*** sbezverk has quit IRC		20:29
__david	Does anyone know why the word "admin" is in the middle of the URL in this log entry:	20:31
__david	2017-12-08 20:30:03.752 1385 INFO keystone.common.wsgi [req-e6df7039-d024-4f50-b4c8-e315377ee59b - - - - -] POST https://lax-staging.identity.sohonet.com:35357admin/v2.0/s3tokens	20:31
*** sbezverk has joined #openstack-keystone		20:31
*** david-lyle has quit IRC		20:32
openstackgerrit	Lance Bragstad proposed openstack/keystone-specs master: Update unified limits spec to clarify flat-ness https://review.openstack.org/526745	20:37
*** dgonzalez has left #openstack-keystone		20:45
*** itlinux has quit IRC		20:55
*** itlinux has joined #openstack-keystone		20:59
*** sbezverk has quit IRC		21:02
*** kuma has joined #openstack-keystone		21:09
*** fried_rice is now known as efried_cya_jan		21:12
jdennis	workflow question, I submitted a gerrit review and in the commit message it said "Closes-Bug: xxxx" but the launchpad bug was never updated with the proposed fix, it was suggested to me this might be because there was no # in front of the bug number, the documented workflow does not show using a #, is the missing # causing it to fail linking the review to the bug? BTW the review is https://review.openstack.org/#/c/525744/ and	21:13
jdennis	the bug is https://bugs.launchpad.net/os-client-config/+bug/1635696	21:13
openstack	Launchpad bug 1635696 in os-client-config "Having a '{' or '}' in password causes formatting errors" [High,Confirmed] - Assigned to John Dennis (jdennis-a)	21:13
lbragstad	jdennis: sometimes the underlying infrastructure misses reviews	21:15
lbragstad	i don't think i could tell you why though	21:15
jdennis	lbragstad: I could add a comment in the bug pointing to the review but that would hid it from the rest of the tool chain I suspect, is there a recommend way to fix this? Or is it a non-issue?	21:16
lbragstad	honestly, ^ that's usually what I do	21:17
lbragstad	i just leave a comment in the bug so that others can find it	21:17
jdennis	lbragstad: thanks, OK	21:17
*** david-lyle has joined #openstack-keystone		21:24
*** dave-mccowan has quit IRC		21:25
*** kuma has quit IRC		21:25
*** david-lyle has quit IRC		21:29
*** panbalag has joined #openstack-keystone		21:34
*** panbalag has quit IRC		21:42
*** rcernin has joined #openstack-keystone		21:44
*** panbalag has joined #openstack-keystone		21:55
*** edmondsw has joined #openstack-keystone		21:55
*** edmondsw has quit IRC		21:56
*** itlinux has quit IRC		22:01
*** rcernin has quit IRC		22:03
*** rcernin has joined #openstack-keystone		22:03
*** raildo has quit IRC		22:07
*** itlinux has joined #openstack-keystone		22:17
*** itlinux has quit IRC		22:18
*** gmann_afk is now known as gmann		22:21
lbragstad	gagehugo: FYI - https://review.openstack.org/#/c/526525/1	22:39
lbragstad	we'll catch the project tags client stuff in queens-3	22:39
lbragstad	or whenever it's done, i can roll another python-keystoneclient release.	22:39
*** panbalag has left #openstack-keystone		22:46
lbragstad	stepping away for a bit, have a good weekend all!	22:49
openstackgerrit	Jaewoo Park proposed openstack/python-keystoneclient master: Add project tags to keystoneclient https://review.openstack.org/481223	23:02
*** aojea has joined #openstack-keystone		23:13
*** aojea has quit IRC		23:18
*** markvoelker has quit IRC		23:49
*** markvoelker has joined #openstack-keystone		23:50
*** markvoelker has quit IRC		23:54

Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!