Thursday, 2018-05-10

*** gyee has quit IRC00:08
*** dklyle has joined #openstack-keystone00:12
*** edmondsw has joined #openstack-keystone00:13
*** dklyle has quit IRC00:14
*** dklyle has joined #openstack-keystone00:14
*** edmondsw has quit IRC00:18
*** Dinesh_Bhor has joined #openstack-keystone00:36
*** devx has quit IRC00:37
*** Dinesh_Bhor has quit IRC00:45
*** Dinesh_Bhor has joined #openstack-keystone01:00
*** jmlowe has joined #openstack-keystone01:01
*** liuzz has joined #openstack-keystone01:05
*** sapd has joined #openstack-keystone01:24
openstackgerritMerged openstack/keystone master: The migration script to add description for limit
*** pcichy has quit IRC01:41
*** pcichy has joined #openstack-keystone01:42
*** edmondsw has joined #openstack-keystone02:01
*** nicolasbock has quit IRC02:01
*** edmondsw has quit IRC02:06
ayoungliuzz, not here its not02:08
*** links has joined #openstack-keystone02:28
*** oikiki has joined #openstack-keystone02:29
openstackgerritwangxiyuan proposed openstack/oslo.limit master: Init repo
*** dave-mccowan has quit IRC03:27
openstackgerritwangxiyuan proposed openstack/keystone master: Remove token driver configuration
*** links has quit IRC03:43
*** edmondsw has joined #openstack-keystone03:50
openstackgerritMerged openstack/keystone master: Fix 500 error when deleting domain
*** adriant has quit IRC03:53
*** adriant has joined #openstack-keystone03:53
*** edmondsw has quit IRC03:54
*** gyankum has joined #openstack-keystone03:56
*** gyan_ has joined #openstack-keystone03:56
*** zeus has quit IRC04:18
*** zeus has joined #openstack-keystone04:22
*** zeus is now known as Guest694504:23
*** oikiki has quit IRC04:39
*** oikiki has joined #openstack-keystone04:46
*** links has joined #openstack-keystone04:49
*** abhi89 has joined #openstack-keystone04:55
*** abhi89 has quit IRC04:59
*** abhi89 has joined #openstack-keystone05:00
*** Dinesh_Bhor has quit IRC05:00
*** adriant has quit IRC05:01
*** adriant has joined #openstack-keystone05:02
*** rcernin has joined #openstack-keystone05:05
*** bigjools has quit IRC05:12
*** bigjools has joined #openstack-keystone05:13
*** bigjools has quit IRC05:13
*** bigjools has joined #openstack-keystone05:13
*** bigjools has left #openstack-keystone05:19
*** oikiki has quit IRC05:25
*** jmccrory has quit IRC05:28
*** jmccrory has joined #openstack-keystone05:28
*** rm_work has quit IRC05:37
*** rm_work has joined #openstack-keystone05:37
*** edmondsw has joined #openstack-keystone05:38
*** adriant has quit IRC05:41
*** adriant has joined #openstack-keystone05:41
*** edmondsw has quit IRC05:42
*** Dinesh_Bhor has joined #openstack-keystone05:48
*** jhesketh has quit IRC05:58
*** blake has joined #openstack-keystone06:40
*** blake has quit IRC06:45
*** pcaruana has joined #openstack-keystone06:51
*** Dinesh_Bhor has quit IRC06:58
*** threestrands_ has quit IRC06:58
*** Dinesh_Bhor has joined #openstack-keystone07:04
*** bswrchrd has quit IRC07:11
*** bswrchrd has joined #openstack-keystone07:11
openstackgerritwangxiyuan proposed openstack/keystone master: Unified limit update APIs Refactor
*** aloga has joined #openstack-keystone07:21
*** tesseract has joined #openstack-keystone07:24
*** edmondsw has joined #openstack-keystone07:26
*** edmondsw has quit IRC07:30
*** annp has joined #openstack-keystone07:48
*** annp has quit IRC07:57
*** annp has joined #openstack-keystone08:06
*** jhesketh has joined #openstack-keystone08:29
*** lbragstad[m] has quit IRC08:36
*** jhesketh has quit IRC08:47
*** jhesketh has joined #openstack-keystone09:06
*** johnthetubaguy has quit IRC09:09
*** johnthetubaguy has joined #openstack-keystone09:10
*** edmondsw has joined #openstack-keystone09:14
*** edmondsw has quit IRC09:19
*** lbragstad[m] has joined #openstack-keystone09:34
*** d0ugal_ has quit IRC09:45
*** d0ugal has joined #openstack-keystone09:45
*** d0ugal has quit IRC09:45
*** d0ugal has joined #openstack-keystone09:45
*** Dinesh_Bhor has quit IRC10:33
*** mvenesio has joined #openstack-keystone10:50
*** jmlowe has quit IRC10:57
*** abhi89 has quit IRC10:58
*** edmondsw has joined #openstack-keystone11:02
*** edmondsw has quit IRC11:07
*** nicolasbock has joined #openstack-keystone11:12
*** rcernin has quit IRC11:31
*** mvenesio has quit IRC11:41
*** mvenesio has joined #openstack-keystone11:42
*** raildo has joined #openstack-keystone12:04
*** mvk has quit IRC12:14
*** mvenesio has quit IRC12:23
*** felipemonteiro has joined #openstack-keystone12:23
*** mvenesio has joined #openstack-keystone12:24
*** felipemonteiro_ has joined #openstack-keystone12:27
*** AlexeyAbashkin has joined #openstack-keystone12:28
*** felipemonteiro has quit IRC12:29
*** AlexeyAbashkin has quit IRC12:37
*** AlexeyAbashkin has joined #openstack-keystone12:47
*** AlexeyAbashkin has quit IRC12:48
*** edmondsw_ has joined #openstack-keystone12:51
*** bswrchrd has quit IRC12:55
*** pcaruana|afk| has joined #openstack-keystone13:03
*** NotPcaruana has joined #openstack-keystone13:04
*** gyankum has quit IRC13:05
*** gyan_ has quit IRC13:05
*** jistr is now known as jistr|mtg13:32
*** NotPcaruana has quit IRC13:34
*** pcaruana|afk| has quit IRC13:34
*** dklyle has quit IRC13:40
*** links has quit IRC13:46
*** dmellado has joined #openstack-keystone13:47
*** mvk has joined #openstack-keystone13:52
*** r-daneel has joined #openstack-keystone14:08
*** pcichy has quit IRC14:11
*** jistr|mtg is now known as jistr14:17
lbragstadzzzeek: kmalloc this might be relevant to what we talked about on Tuesday
*** edmondsw_ is now known as edmondsw14:28
kmallocYeah relevant. I do see value  in a utility to allow new clouds to join a cluster though of keystone db, where the operator wants a singular keystone over the regions14:29
kmallocThe projects, domains, etc should also be replicated.14:29
kmallocOr to merge 2 emplty/new deployments into a single overcloud. Long running clouds probably cannot be merged, and should k2k (db headaches abound)14:30
kmallocMostly, it is tooling zzzeek was discussing to make it easier to use deployment tools (ooo) to build the single keystone up without hard-coding sql.14:31
kmallocNova should not be configured for a single region (nor any services should), the nature of Nova existing in a given region is enough, since it talks to it's local glance, etc. Keystone is the only thing spanning regions here, and all elements should be replicated .14:33
lbragstadwith the proposal we talked about on tuesday, would that be a run-once type of thing?14:36
kmallocYeah, well, run once per new region being added.14:36
*** dklyle has joined #openstack-keystone14:36
lbragstadand all the replication is handled by the database?14:37
kmallocBy galera14:37
lbragstadok - cool14:37
lbragstadbecause came across the ML today, too14:37
kmallocWith exception of the initial "make things consistent enough to work/add region data"14:37
gagehugokmalloc should be deprecated-as-of-queens?14:38
kmallocgagehugo: no, as of Rocky, it wasn't deprecated in Queens.14:39
gagehugooh nvm, found the issue14:39
kmallocThe code says in Queens (the deprecation message)14:39
kmallocYah, on mobile, Gerrit is hard to comment in-line14:39
kmalloclbragstad: that is also why I want a dht sync of keystone data..14:40
openstackgerritGage Hugo proposed openstack/keystone master: Remove the TokenAuth middleware
kmalloclbragstad: I should spin up a really PoC of this.14:40
kmallocgagehugo: thanks!14:40
kmallocDistributed hash table14:42
kmallocDHT keystone, replicate the data to all data centers and all endpoints14:42
kmallocWe talked about this some in Denver. I think I am at a point I can start building my actual POC now.14:43
lbragstadi might vaguely remember that?14:44
lbragstadwe've been seeing a higher frequency of multi-region support14:44
lbragstadwhich is somewhat inconsistent with the use survey last year14:45
*** spilla has joined #openstack-keystone14:45
*** spilla has quit IRC14:50
*** felipemonteiro_ has quit IRC14:50
kmallocI'll spend some time and build the PoC up.14:55
kmallocI guess it is time to do it.14:55
kmallocJWE will make it way better/more usable as well.14:56
kmallocMaybe I can have a PoC to show at the summit ;)14:59
kmallocDoubtful, but hey.15:00
*** mvenesio has quit IRC15:00
kmalloclbragstad: ugh I still need a new laptop.15:00
*** jmlowe has joined #openstack-keystone15:04
lbragstador JWS?15:09
openstackgerritPavlo Shchelokovskyy proposed openstack/keystoneauth master: Use defusedxml for XML parsing in SAML
*** spilla has joined #openstack-keystone15:13
kmallocVs sym, whichever that is.15:14
lbragstadoh - sure15:14
lbragstadyeah - i think that is the JWS (signing) bit.15:14
lbragstadJWE (encryption) behaves almost exactly like fernet15:14
lbragstadsince it's asymmetric15:14
lbragstadbut both are considered JWT15:14
kmallocJWS. But yeah signed.15:15
kmallocAnd not just HMAC15:15
kmallocAnd JWE I would like, simply so we can maintain some opawueness on the wire..15:15
*** david-lyle has joined #openstack-keystone15:17
*** david-lyle has quit IRC15:18
lbragstadwe need to figure out what we want to do with jws, too15:20
lbragstadi suppose you could reuse that15:20
lbragstadfor the signing bit15:20
lbragstadin your PoC15:21
*** alex_xu has quit IRC15:24
kmallocJWS (signing) is good in general, so we can know a token is infact valid before handing off to keystone.15:24
kmallocFaster rejection is good.15:24
kmallocOr even that KS can tell before pulling it apart.15:25
openstackgerritBen Nemec proposed openstack/pycadf master: add lower-constraints job
*** dklyle has quit IRC15:28
*** dklyle has joined #openstack-keystone15:33
lbragstadthere are certainly use cases for it15:35
lbragstadand since we don't have jwe support currently, we could just implementing signing as it's own jwt token provide15:36
lbragstadtoken_providers = ['fernet', 'jws']15:36
lbragstadand later15:36
*** oikiki has joined #openstack-keystone15:37
lbragstadwhere the jws provider is an opinionated version of a signing provider15:37
*** pcaruana has quit IRC15:52
*** abhi89 has joined #openstack-keystone16:05
*** rmascena has joined #openstack-keystone16:06
abhi89kmalloc: Hi Morgan.. reg, which we discussed yesterday.. just wanted to know if you will be working on this defect?16:08
openstackLaunchpad bug 1767323 in OpenStack Identity (keystone) "Keystone ldap logs personal information" [Medium,Triaged]16:08
*** raildo has quit IRC16:08
kmallocabhi89: I plan to, but it is not at the top of my list. I am also happy to let someone else work on it and review it. Unfortunately, not a lot of current contributors are familiar with LDAP16:10
*** germs has joined #openstack-keystone16:10
*** germs has quit IRC16:10
*** germs has joined #openstack-keystone16:10
*** gyee has joined #openstack-keystone16:13
abhi89kmalloc: yes, not many contributors on ldap related things.. if you have this defect on your list (not priority though), can i assign it you then, & you can work on it later!16:14
kmallocupdated it and targeted it to R316:20
*** nicolasbock has quit IRC16:22
*** nicolasbock has joined #openstack-keystone16:24
*** mvenesio has joined #openstack-keystone16:28
*** spilla has quit IRC16:32
*** pcaruana has joined #openstack-keystone16:36
*** abhi89 has quit IRC16:40
*** mvk has quit IRC16:41
*** pcaruana has quit IRC16:44
*** spilla has joined #openstack-keystone16:48
*** oikiki has quit IRC16:53
*** knasim-wrs has joined #openstack-keystone16:55
*** oikiki has joined #openstack-keystone16:55
knasim-wrshi folks, I'm trying to determine if Openstack Keystone can be used as the Authentication/Auth service for Docker and Docker-Registry16:56
knasim-wrsi.e as described here:
knasim-wrswe already have Openstack Pike deployed in our product so now bringing in Container Orchestration, if I can integrate Docker with Keystone then I can support Docker talking to some other Openstack services like Neutron or Ceilometer16:57
knasim-wrswas looking at tokenless auth in keystone...
knasim-wrshas anybody here played around with this?16:58
knasim-wrs@lbragstad: have you guys done any work with integrating Keystone with Docker?16:59
*** edmondsw has quit IRC17:02
*** edmondsw has joined #openstack-keystone17:03
lbragstadknasim-wrs: i haven't played with integrating docker directly with keystone, no17:06
kmallocknasim-wrs: i'd need to see how docker does auth17:06
knasim-wrsthey seem to use OAUTH2:
knasim-wrsIt appears that Keystone only supports oauth1 ... is that True ?17:07
knasim-wrsAre there any plans for oauth2 support in Keystone ?17:07
kmallocsoooo... keystone doesn't do oauth2 as an IDP really17:07
kmallocwhich is what we'd need to support, afaict then17:07
kmallocwith docker being the SP.17:07
kmalloc(service provider)17:08
kmallocit is something we could support in the future.17:08
knasim-wrsDocker Registry / Docker Daemon do not appear to support ‘oauth1’17:08
kmallocbut it's not currently on the roadmap17:08
knasim-wrsthanks kmalloc17:08
kmallocthe oauth1 support in keystone isn't great either =/17:08
knasim-wrsthis is the request that Docker-Registry is sending to Keystone:17:08
knasim-wrsMay 10 14:30:58 devstack devstack@keystone.service[10183]: INFO keystone.common.wsgi [None req-f88fb5e6-1d4a-402a-a5b4-cf6c32494004 None None] GET
kmallocmostly keystone simply offers login for exchange of an openstack-specific bearer token17:09
kmallocthat then can be used to talk to other services.17:09
kmallocyeah. we don't support that.17:09
*** oikiki has quit IRC17:09
kmallocwe could work to make keystone a more full-featured IDP (we have done some of the work)17:09
kmallochowever, its a long road17:09
knasim-wrsit talks about this "static token" if you look at the link:
knasim-wrsand then Docker just retrieves this static token17:10
kmallocright. the keystone token is highly, highly openstack specific17:10
kmalloci'm sure docker would have no idea what to do with the content17:10
knasim-wrsyeah the Federation stuff can be simplified... as in support running under UWGI / Gunicorn... and the whole Mappings and Protocol stuff is a nightmare to understand17:10
knasim-wrsok then looks like we'll have to use another Auth backend for Docker17:11
*** david-lyle has joined #openstack-keystone17:11
*** oikiki has joined #openstack-keystone17:11
kmallocyeah, you might want to look into an auth system that does OIDC (whichs hould support oauth2 by nature) and use that as the auth source for Keystone as well17:11
kmallocthen it's at least unified user data17:11
kmallocthe alternative is to use something like... magnum (or one of the COE integration projects openstack has)17:12
kmalloci'm not sure which one is currently "winning" or is most featureful, but those can talk to keystone and docker/k8s/mesos/etc, providing the link for what you're looking for (unless i'm mis-reading your request)17:13
*** dklyle has quit IRC17:14
lbragstadtaking lunch quick17:15
knasim-wrsthanks man :)17:15
*** david-lyle has quit IRC17:15
*** dklyle_ has joined #openstack-keystone17:15
knasim-wrsso ur suggesting maybe using Magnum (kmalloc)17:15
knasim-wrswe have Magnum running in our stack17:16
kmallocor whichever COE project in oepnstack is working the best for you17:16
kmallocit offloads the "talk to openstack components" from docker/k8s to the layer above it17:17
kmallocmagnum may be what you're looking for... it may not17:17
*** felipemonteiro has joined #openstack-keystone17:17
kmalloci haven't played with those bits in quite a while17:17
knasim-wrsthanks... its a place to start17:18
kmallochappy to help17:19
knasim-wrsI was thinking ... use an LDAP server that supports oath2 and use it for docker and as the keystone backend17:19
knasim-wrskeystone already supports LDAP as an Identity backend... I could just tie Docker to LDAP instead and authenticate their17:19
knasim-wrsthe idea is to use the same keystone users for auth... since the Docker webUI is going to be nested within Horizon17:20
*** felipemonteiro_ has joined #openstack-keystone17:20
knasim-wrsso I need to tie into Keystone Identity somehow... if not at the frontend, then certainly at the backend17:20
*** abhi89 has joined #openstack-keystone17:21
knasim-wrskmalloc: is that what you meant when you said, "yeah, you might want to look into an auth system that does OIDC (whichs hould support oauth2 by nature) and use that as the auth source for Keystone as well "17:23
knasim-wrsas in unifying the keystone identity backend to say LDAP which does support Oauth2.0 extensions17:24
*** felipemonteiro has quit IRC17:24
kmallocsure, or use keystone's federation with an OIDC identity provider17:25
kmallockeycloak (from redhat) could be an example17:26
*** abhi89 has quit IRC17:38
*** dklyle_ has quit IRC17:46
*** rcernin has joined #openstack-keystone17:52
*** dklyle_ has joined #openstack-keystone17:58
*** knasim-wrs has quit IRC17:59
*** abhi89 has joined #openstack-keystone18:05
*** tesseract-RH has joined #openstack-keystone18:08
*** tesseract has quit IRC18:09
*** tesseract-RH has quit IRC18:11
*** tesseract has joined #openstack-keystone18:11
*** liuzz_ has joined #openstack-keystone18:15
*** abhi89 has quit IRC18:16
*** masuberu has joined #openstack-keystone18:16
*** liuzz has quit IRC18:17
*** vegarl has quit IRC18:18
*** jgrassler has quit IRC18:18
*** vegarl has joined #openstack-keystone18:19
*** jgrassler has joined #openstack-keystone18:19
*** masber has quit IRC18:19
*** toddnni has quit IRC18:19
*** toddnni has joined #openstack-keystone18:22
*** tesseract has quit IRC18:49
*** rcernin has quit IRC18:50
*** felipemonteiro__ has joined #openstack-keystone18:51
*** felipemonteiro_ has quit IRC18:51
*** pcichy has joined #openstack-keystone18:58
*** felipemonteiro_ has joined #openstack-keystone19:04
*** felipemonteiro__ has quit IRC19:07
*** rcernin has joined #openstack-keystone19:09
*** mvk has joined #openstack-keystone19:13
openstackgerritMerged openstack/pycadf master: add lower-constraints job
*** felipemonteiro_ has quit IRC19:14
*** felipemonteiro_ has joined #openstack-keystone19:14
*** rcernin has quit IRC19:15
lbragstadi suppose it's about that time to start building out etherpads19:16
kmalloclbragstad: our paste-ini is all wonky still and has lots of v2.0 references19:18
kmallocwe should fix that.19:18
* kmalloc checks to be sure on master19:18
lbragstadyeah - i was looking at that yesterday...19:18
lbragstadis it safe to remove?19:18
lbragstadi know we have a weird relationship with that kind of stuff, because we have the ability to break deployments19:18
kmallocshould be safe19:23
kmalloci mean... we have to make sure we don't break anyone... i'm not sure how to fix this easily19:23
kmallocgive me a few, i think i can roll up a "ditch paste" patch while i'm digging around with the stuff we talked about yesterday19:24
kmalloclbragstad: oh...19:25
kmalloclbragstad: i found out why S3 and EC2 are not in core...19:25
kmallocit was "legal concerns"19:26
kmallocand had a -2 from dolph19:26
lbragstadthat makes sense i suppose19:26
kmalloclbragstad: i don't know how we can fix this, but tl;dr i think we need to revisit19:26
lbragstadbecause we could reimplement an API and mark it with an Apache license I assume?19:26
kmallocnot really that19:27
kmallocbut ibm specifically had legal concerns19:27
kmallocthey require removing (from disk) that code19:27
lbragstadoh - yeah... i remember that now19:27
kmallochonestly, i think we need to figure a way out of this and either come to grips we ship it or we work with the TC and remove it19:27
kmallocit is either "in" or "out"19:27
kmalloci don't like this middleground19:27
kmallocso. do you want me to revisit the patch.19:28
kmallocpart of the issue is "ditching" paste is likely to run us into the same issue19:28
lbragstadyeah - it will have to live somewhere, right?19:28
kmallocpretty much19:29
lbragstadhow would we approach this if we wanted to move to flask tomorrow?19:31
kmallocIt would just get rolled in19:43
kmallocJust like anything else.19:43
kmallocIn fact, I think I'm going to look at a flask conversion instead of anything else... It dumps baggage and makes this a lot easier.19:44
lbragstadcool - i figured that's what we ultimately want19:44
lbragstadand figured that was the primary driver for the consolidation19:45
lbragstadi'm all for using someone else's perfectly round wheel :)19:45
*** hoonetorg has quit IRC19:46
mordredkmalloc: I just discovered a bug in the get_all_version_data method we added ... it's a small one - basically, the default value of a paremeter does not match the docs or intent19:48
mordredkmalloc: keystoneauth1.session.Session.get_all_version_data ... the interface parameter19:48
mordredkmalloc: interface='public' is the value on the auth plugin - and is what is documented - but we released with =None ... which way do you think we should fix it?19:49
*** dklyle_ is now known as dklyle19:50
*** pcichy has quit IRC19:51
*** felipemonteiro__ has joined #openstack-keystone19:59
*** spilla has quit IRC19:59
*** spilla has joined #openstack-keystone20:00
*** hoonetorg has joined #openstack-keystone20:00
kmallocUhm sec20:00
kmallocThis is tough... We released.20:01
*** felipemonteiro_ has quit IRC20:02
lbragstadwhat is it, measure once cut twice?20:39
openstackgerritFelipe Monteiro proposed openstack/keystone-specs master: Patrole (RBAC) Keystone Gating
openstackgerritFelipe Monteiro proposed openstack/keystone-specs master: Patrole (RBAC) Keystone Gating
*** rmascena has quit IRC20:47
*** mvenesio has quit IRC20:53
*** martinus__ has quit IRC20:56
*** ayoung has quit IRC20:56
*** felipemonteiro__ has quit IRC21:00
*** felipemonteiro has joined #openstack-keystone21:02
*** ayoung has joined #openstack-keystone21:08
*** edmondsw has quit IRC21:14
*** edmondsw has joined #openstack-keystone21:15
*** felipemonteiro has quit IRC21:17
*** ayoung has quit IRC21:19
*** edmondsw has quit IRC21:19
*** spilla has quit IRC21:23
*** felipemonteiro has joined #openstack-keystone21:23
*** ayoung has joined #openstack-keystone21:30
*** dave-mccowan has joined #openstack-keystone21:39
*** felipemonteiro has quit IRC21:44
*** felipemonteiro has joined #openstack-keystone21:46
*** felipemonteiro has quit IRC22:14
*** oikiki has quit IRC22:16
*** nicolasbock has quit IRC22:50
*** nicolasbock has joined #openstack-keystone22:50
kmalloclbragstad: yeah22:54
kmallocmordred: i think... we can issue a point release to fix this22:54
kmallocand say OMG broken22:54
kmalloclbragstad: ^22:55
kmallocwe did release...22:55
*** germs has quit IRC23:26
*** germs has joined #openstack-keystone23:27
*** germs has quit IRC23:27
*** germs has joined #openstack-keystone23:27
*** liuzz has joined #openstack-keystone23:40
*** liuzz_ has quit IRC23:40
mordredkmalloc: I knew you were going to like this one23:52
kmallocSo IMO, fix and point release asap23:52
kmallocThis was a bug that only hit the latest release, right?23:52
kmallocIf we move fast, we call it a defect, not a behavior.23:53

Generated by 2.15.3 by Marius Gedminas - find it at!