Wednesday, 2019-02-27

adriant	cmurphy: 'should' have time next cycle. I'd really hope so.	00:06
*** markvoelker has joined #openstack-keystone		00:06
*** edmondsw has quit IRC		00:17
*** itlinux has joined #openstack-keystone		00:22
*** itlinux has quit IRC		00:26
*** nsmeds has quit IRC		00:27
erus	is anyone available? :)	00:37
*** markvoelker has quit IRC		00:40
*** jamesmcarthur has joined #openstack-keystone		00:47
*** awalende has joined #openstack-keystone		00:47
*** erus has quit IRC		00:47
*** erus has joined #openstack-keystone		00:48
kmalloc	knikolla: o/ you around?	00:49
knikolla	kmalloc: o/	00:50
*** awalende has quit IRC		00:52
*** lbragstad has quit IRC		00:59
*** jamesmcarthur has quit IRC		01:01
*** jamesmcarthur has joined #openstack-keystone		01:02
erus	D:	01:02
erus	kmalloc knikolla	01:03
*** nsmeds has joined #openstack-keystone		01:15
*** itlinux has joined #openstack-keystone		01:17
*** erus has quit IRC		01:31
*** erus has joined #openstack-keystone		01:31
*** itlinux has quit IRC		01:36
*** markvoelker has joined #openstack-keystone		01:37
*** takamatsu_ has quit IRC		01:39
*** edmondsw has joined #openstack-keystone		01:42
*** takamatsu_ has joined #openstack-keystone		01:45
*** lbragstad has joined #openstack-keystone		01:58
*** ChanServ sets mode: +o lbragstad		01:58
*** whoami-rajat has joined #openstack-keystone		02:01
*** markvoelker has quit IRC		02:10
*** ileixe has joined #openstack-keystone		02:11
ileixe	Hi guys.	02:11
ileixe	Does anybody know current state of dynamic policy? (https://wiki.openstack.org/wiki/DynamicPolicies)	02:11
ileixe	Is there any change to control policy.json using API? :)	02:12
ileixe	endpoint_policy looks promsing for my purpose, but I'm not sure what the exact purpose of it.	02:14
*** erus has quit IRC		02:14
*** gyee has quit IRC		02:15
*** erus has joined #openstack-keystone		02:15
*** jamesmcarthur has quit IRC		02:18
*** jamesmcarthur has joined #openstack-keystone		02:20
*** jamesmcarthur has quit IRC		02:25
*** Dinesh_Bhor has joined #openstack-keystone		02:30
*** rcernin has quit IRC		02:32
lbragstad	ileixe i've never seen that wiki page before	02:44
lbragstad	looks like it was last updated just under 4 years ago	02:45
ileixe	Yes it's quite old	02:45
lbragstad	i think that initiative was abandoned some time ago	02:45
ileixe	So you mean does community not pursue to manage policy via API anymore?	02:46
lbragstad	not in the sense that wiki is describing	02:47
lbragstad	but there are several other policy initiatives underway	02:47
lbragstad	in addition to oslo.policy functionality that allows you to offload policy enforcement to external systems	02:47
lbragstad	which could expose endpoints to modify policies associated to roles	02:48
lbragstad	also - jaosorior has a whole bunch of policy tricks up his sleeve	02:51
lbragstad	is there a specific use case your looking for?	02:51
ileixe	Ah, yes I know the external system from oslo.policy	02:51
lbragstad	or are you just looking for an API to modify policies?	02:51
ileixe	Um.. The first thing I was thinking about was whether there was a way for tempest's testcase to know the policy.	02:53
*** takamatsu_ has quit IRC		02:53
ileixe	Since we customized policy a lot, there were many. cases to be failed.	02:53
ileixe	I do not maintain skip-list so I wonder if policy can be controlled via API, tempest side can configure it.	02:54
ileixe	It's my initiative thinking but I think it looks very gereral problem about policy management	02:55
*** erus has quit IRC		02:55
*** jamesmcarthur has joined #openstack-keystone		02:55
*** erus has joined #openstack-keystone		02:55
ileixe	I do not *want	02:56
lbragstad	oh - interesting...	02:56
lbragstad	are you looking to develop tests for the policy changes you've made?	02:57
lbragstad	to verify they do what you want/expect them to?	02:57
ileixe	I reported at tempest side (https://bugs.launchpad.net/tempest/+bug/1817811), but now sure the project want to do. :)	02:59
openstack	Launchpad bug 1817811 in tempest "Need policy-awared test" [Undecided,New]	02:59
lbragstad	ah	02:59
lbragstad	i could be wrong	02:59
lbragstad	but that sound similar to what the patrole team was trying to solve	03:00
lbragstad	(in a way)	03:00
lbragstad	sounds similar*	03:00
ileixe	Oh, never heard of it. I will look over it.	03:01
*** jamesmcarthur has quit IRC		03:01
lbragstad	https://docs.openstack.org/patrole/latest/	03:01
lbragstad	link to their documentation ^	03:01
ileixe	Thanks lbragstad. You're always very kind to newbie :)	03:02
lbragstad	ileixe anytime - hopefully it helps	03:02
*** markvoelker has joined #openstack-keystone		03:04
*** erus has quit IRC		03:11
*** erus has joined #openstack-keystone		03:12
*** itlinux has joined #openstack-keystone		03:31
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Implement domain reader for role_assignments https://review.openstack.org/638587	03:52
*** spsurya has joined #openstack-keystone		04:15
*** erus has quit IRC		04:38
*** erus has joined #openstack-keystone		04:38
*** jamesmcarthur has joined #openstack-keystone		04:46
*** ileixe has quit IRC		04:54
*** itlinux has quit IRC		05:01
*** dave-mccowan has quit IRC		05:05
*** shyamb has joined #openstack-keystone		05:16
*** jamesmcarthur has quit IRC		05:19
*** ileixe has joined #openstack-keystone		05:42
*** ileixe has quit IRC		05:42
*** ileixe has joined #openstack-keystone		05:43
jaosorior	lbragstad: o/	05:44
lbragstad	jaosorior o/	05:44
jaosorior	lbragstad: ah, saw you resolved ileixe's issue. cool	05:45
lbragstad	yup	05:45
*** shyamb has quit IRC		06:18
*** jamesmcarthur has joined #openstack-keystone		06:49
*** markvoelker has quit IRC		06:51
*** erus has quit IRC		06:53
*** erus has joined #openstack-keystone		06:54
*** jamesmcarthur has quit IRC		06:54
*** Dinesh_Bhor has quit IRC		06:58
*** Dinesh_Bhor has joined #openstack-keystone		07:01
*** Dinesh_Bhor has quit IRC		07:12
*** erus has quit IRC		07:12
*** erus has joined #openstack-keystone		07:12
*** shyamb has joined #openstack-keystone		07:16
*** takamatsu_ has joined #openstack-keystone		07:21
*** jamesmcarthur has joined #openstack-keystone		07:51
*** markvoelker has joined #openstack-keystone		07:52
*** erus has quit IRC		07:55
*** jamesmcarthur has quit IRC		07:55
*** erus has joined #openstack-keystone		07:56
*** lbragstad has quit IRC		08:01
*** Dinesh_Bhor has joined #openstack-keystone		08:10
*** pcaruana has joined #openstack-keystone		08:13
*** Dinesh_Bhor has quit IRC		08:14
*** imacdonn has quit IRC		08:18
*** imacdonn_ has joined #openstack-keystone		08:18
*** erus has quit IRC		08:25
*** markvoelker has quit IRC		08:25
*** erus has joined #openstack-keystone		08:26
*** pcaruana has quit IRC		08:28
*** takamatsu_ has quit IRC		08:31
*** tkajinam has quit IRC		08:33
*** erus has quit IRC		08:33
*** erus has joined #openstack-keystone		08:33
*** pcaruana has joined #openstack-keystone		08:42
*** pcaruana has quit IRC		08:51
*** erus has quit IRC		08:51
*** jamesmcarthur has joined #openstack-keystone		08:51
*** erus has joined #openstack-keystone		08:52
*** jamesmcarthur has quit IRC		08:56
*** pcaruana has joined #openstack-keystone		08:58
*** pcaruana\|afk\| has joined #openstack-keystone		09:01
*** pcaruana has quit IRC		09:03
*** shyamb has quit IRC		09:03
*** shyamb has joined #openstack-keystone		09:04
*** takamatsu has joined #openstack-keystone		09:15
*** shyamb has quit IRC		09:21
*** shyamb has joined #openstack-keystone		09:22
*** markvoelker has joined #openstack-keystone		09:23
*** takamatsu has quit IRC		09:44
*** shyamb has quit IRC		09:45
*** mvkr has quit IRC		09:46
*** shyamb has joined #openstack-keystone		09:46
*** jamesmcarthur has joined #openstack-keystone		09:52
*** markvoelker has quit IRC		09:57
*** jamesmcarthur has quit IRC		09:57
*** mvkr has joined #openstack-keystone		10:01
*** shyamb has quit IRC		10:36
*** shyamb has joined #openstack-keystone		10:37
*** erus has quit IRC		10:45
*** erus has joined #openstack-keystone		10:46
*** markvoelker has joined #openstack-keystone		10:53
*** Dinesh_Bhor has joined #openstack-keystone		10:57
*** Dinesh_Bhor has quit IRC		11:00
*** ileixe has quit IRC		11:20
*** takamatsu has joined #openstack-keystone		11:24
*** markvoelker has quit IRC		11:26
*** shyamb has quit IRC		11:44
*** shyamb has joined #openstack-keystone		11:44
*** jamesmcarthur has joined #openstack-keystone		11:54
*** erus has quit IRC		11:54
*** erus has joined #openstack-keystone		11:55
*** jamesmcarthur has quit IRC		11:59
*** awalende has joined #openstack-keystone		12:16
*** raildo has joined #openstack-keystone		12:22
*** markvoelker has joined #openstack-keystone		12:22
erus	morning o/	12:35
*** jamesmcarthur has joined #openstack-keystone		12:55
*** markvoelker has quit IRC		12:56
*** jamesmcarthur has quit IRC		12:59
*** shyamb has quit IRC		13:03
*** dave-mccowan has joined #openstack-keystone		13:04
*** pcaruana\|afk\| has quit IRC		13:09
*** mchlumsky has joined #openstack-keystone		13:15
*** jmlowe has quit IRC		13:29
*** jamesmcarthur has joined #openstack-keystone		13:48
*** erus has quit IRC		13:52
*** markvoelker has joined #openstack-keystone		13:53
*** erus has joined #openstack-keystone		13:53
*** jmlowe has joined #openstack-keystone		14:13
*** jamesmcarthur has quit IRC		14:14
*** erus has quit IRC		14:19
*** erus has joined #openstack-keystone		14:20
*** lbragstad has joined #openstack-keystone		14:20
*** ChanServ sets mode: +o lbragstad		14:20
*** markvoelker has quit IRC		14:25
*** erus has quit IRC		14:33
*** erus has joined #openstack-keystone		14:33
*** erus has quit IRC		14:40
*** erus has joined #openstack-keystone		14:41
*** erus has quit IRC		14:47
*** erus has joined #openstack-keystone		14:47
*** pcaruana has joined #openstack-keystone		14:57
*** itlinux has joined #openstack-keystone		14:59
*** erus has quit IRC		14:59
*** erus has joined #openstack-keystone		15:00
*** jamesmcarthur has joined #openstack-keystone		15:03
*** erus has quit IRC		15:13
*** erus has joined #openstack-keystone		15:13
*** aning_ has left #openstack-keystone		15:19
*** aning_ has joined #openstack-keystone		15:19
*** markvoelker has joined #openstack-keystone		15:22
*** erus has quit IRC		15:29
*** erus has joined #openstack-keystone		15:29
*** itlinux_ has joined #openstack-keystone		15:31
*** itlinux has quit IRC		15:34
*** erus has quit IRC		15:36
*** erus has joined #openstack-keystone		15:37
gagehugo	o/	15:40
*** awalende has quit IRC		15:41
*** awalende has joined #openstack-keystone		15:42
*** dmellado has quit IRC		15:42
*** dmellado has joined #openstack-keystone		15:43
*** awalende has quit IRC		15:46
*** itlinux_ has quit IRC		15:46
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Implement system reader for role_assignments https://review.openstack.org/609210	15:54
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Reorganize role assignment tests for system users https://review.openstack.org/638309	15:54
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Add role assignment test coverage for system members https://review.openstack.org/638310	15:54
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Add role assignment test coverage for system admin https://review.openstack.org/638311	15:54
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Implement domain reader for role_assignments https://review.openstack.org/638587	15:54
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Add role assignment test coverage for domain members https://review.openstack.org/638593	15:54
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Add role assignment test coverage for domain admins https://review.openstack.org/638597	15:54
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Add role assignment testing for project users https://review.openstack.org/639718	15:54
*** markvoelker has quit IRC		15:56
*** erus has quit IRC		15:56
*** erus has joined #openstack-keystone		15:56
knikolla	o/	15:57
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Add role assignment test coverage for domain admins https://review.openstack.org/638597	15:58
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Add role assignment testing for project users https://review.openstack.org/639718	15:58
lbragstad	o/	15:58
kmalloc	o/	16:03
lbragstad	gagehugo are you holding off on the +A for https://review.openstack.org/#/c/619280/ ?	16:07
lbragstad	https://review.openstack.org/#/c/622526/4 is a relatively easy series, too	16:08
*** erus has quit IRC		16:08
*** erus has joined #openstack-keystone		16:09
*** takamatsu has quit IRC		16:09
gagehugo	nope :)	16:09
gagehugo	done	16:09
gagehugo	also done	16:11
lbragstad	woot	16:12
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Remove domain policies from policy.v3cloudsample.json https://review.openstack.org/605876	16:14
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Remove endpoint policies from policy.v3cloudsample.json https://review.openstack.org/619333	16:17
*** dmellado has quit IRC		16:32
*** dmellado has joined #openstack-keystone		16:34
*** erus has quit IRC		16:34
*** erus has joined #openstack-keystone		16:35
*** erus has quit IRC		16:40
*** erus has joined #openstack-keystone		16:41
*** prometheanfire has joined #openstack-keystone		16:51
prometheanfire	lbragstad: ping (re https://storyboard.openstack.org/#!/story/2003792 )	16:52
lbragstad	prometheanfire o/	16:53
*** markvoelker has joined #openstack-keystone		16:53
*** pcaruana has quit IRC		16:57
*** gyee has joined #openstack-keystone		16:59
*** mvkr has quit IRC		17:04
*** jamesmcarthur_ has joined #openstack-keystone		17:14
*** erus has quit IRC		17:14
*** erus has joined #openstack-keystone		17:14
cmurphy	just a reminder if you're reviewing app cred things, https://review.openstack.org/633369 has to go in first - don't be fooled by the red ci, it needs its dependencies merged and released before it will be green	17:17
*** jamesmcarthur has quit IRC		17:17
* lbragstad made it through the API changes to keystone for app creds		17:20
*** erus has quit IRC		17:20
lbragstad	if we break this up across stein and train, where were we thinking of making that split?	17:20
cmurphy	lbragstad: see note above ^ you didnt' finish yet	17:21
*** erus has joined #openstack-keystone		17:21
cmurphy	lbragstad: i split the series so that both keystone/api/* changes are at the tail ends of their series	17:21
cmurphy	so we can merge everything up until each of those	17:21
lbragstad	oh - yeah, i was looking at only server changes	17:22
lbragstad	reviewing the ksm patch	17:22
lbragstad	i'm wondering if there is anything wrong with exposing the access rule config API in stein...	17:23
cmurphy	it's got a specific format so if we decide we don't like it or want to discuss it more we'd be out of luck	17:24
cmurphy	or if we don't like the name i went with	17:24
lbragstad	sure	17:24
lbragstad	that brings up another question	17:24
lbragstad	we're planning on this being stable immediately?	17:24
cmurphy	good question	17:25
lbragstad	i guess that gets complicated since app creds are already considered stable	17:25
cmurphy	yeah that	17:25
*** markvoelker has quit IRC		17:25
lbragstad	but the access rules and access rules config APIs are technically new APIs	17:26
lbragstad	er - endpoints*	17:26
cmurphy	i feel like we were safe calling the limits APIs experimental because there's not a good way to use them until the other services in openstack are ready for it, with this it's much more user-facing	17:26
cmurphy	by that i mean we don't have a really official way of saying an api is experimental because the json-home document isn't very well socialized or documented	17:27
lbragstad	are you saying end users won't see "experimental" things like other service developers might?	17:28
lbragstad	or operators?	17:28
cmurphy	users	17:28
lbragstad	as much as i don't care for a term meaning different things to different people, i can see that point	17:29
lbragstad	i think that addresses one of the comments i had	17:33
lbragstad	i think that is plenty of justification to wait for Train to expose the APIs	17:33
*** jmlowe has quit IRC		17:34
*** erus has quit IRC		17:34
*** erus has joined #openstack-keystone		17:35
*** dims has quit IRC		17:35
cmurphy	i'm still on the fence, i wish we weren't under time pressure	17:35
cmurphy	i know a lot of people really want this feature	17:35
lbragstad	i hear ya	17:35
cmurphy	but in any case the ksm change needs to go in in the next like day or none of this matters	17:36
lbragstad	this is a pretty involved change though	17:36
cmurphy	yeah it is	17:36
lbragstad	this is all pretty fresh still, so i wouldn't be surprised if the other openstack services haven't looked at this at all yet	17:40
*** erus has quit IRC		17:40
*** takamatsu has joined #openstack-keystone		17:41
*** erus has joined #openstack-keystone		17:41
jrosser	hello keystone :) could i get your thoughts on this http://lists.openstack.org/pipermail/openstack-discuss/2019-February/002925.html	17:45
openstackgerrit	Hervé Beraud proposed openstack/keystonemiddleware master: Remove oslo.cache class _MemcacheClient who have been removed. https://review.openstack.org/637154	17:46
*** erus has quit IRC		17:47
*** erus has joined #openstack-keystone		17:47
*** dims has joined #openstack-keystone		17:48
cmurphy	jrosser: will try to weigh in, missed it initially because it didn't tag [keystone] explicitly ;)	17:49
jrosser	cmurphy: thankyou :) there are a couple of references to the heat code where i believe that the wrong endpoint is passed	17:50
cmurphy	lbragstad: i think the main benefit is to end users, services like heat magnum nova i think are waiting until this feature is in before they start building on it	17:50
*** takamatsu has quit IRC		18:01
lbragstad	am i reading the series wrong, or are we only going to be able to merge access rule config internal changes in stein?	18:08
lbragstad	or are we planning on rebasing the migration for access rules later?	18:08
lbragstad	nevermind	18:09
lbragstad	i forgot how to gerrit	18:09
kmalloc	cmurphy: i am inlcined to push to train.	18:10
kmalloc	cmurphy: it's why i didn't +2 the API change.	18:10
kmalloc	lbragstad: ^ cc	18:11
kmalloc	but i'd still +2 the API change if you want it to land now	18:11
* lbragstad is fine to push til train		18:11
lbragstad	mainly because i think it would be useful to have a forum session or ptg session where we say "this is all work that's done and here is the proposed API"	18:12
*** markvoelker has joined #openstack-keystone		18:22
cmurphy	lbragstad: kmalloc okay i'm fine with that, i/suse don't have a burning requirement for it to land this cycle	18:24
cmurphy	we might also then consider holding off on https://review.openstack.org/636030 since we can't remove it from keystoneauth once it's released	18:25
openstackgerrit	Merged openstack/keystone master: Add tests for domain users interacting with services https://review.openstack.org/619280	18:33
*** erus has quit IRC		18:38
*** erus has joined #openstack-keystone		18:39
openstackgerrit	Merged openstack/keystone master: Update role policies for system admin https://review.openstack.org/622526	18:42
*** erus has quit IRC		18:44
*** erus has joined #openstack-keystone		18:44
*** jmlowe has joined #openstack-keystone		18:47
*** jmlowe has quit IRC		18:47
lbragstad	cmurphy true	18:48
*** jmlowe has joined #openstack-keystone		18:48
lbragstad	cmurphy would you be willing to drive a session on that at the forum and/or ptg?	18:48
*** prometheanfire has left #openstack-keystone		18:48
*** takamatsu has joined #openstack-keystone		18:52
*** markvoelker has quit IRC		18:56
cmurphy	lbragstad: sure	18:58
lbragstad	awesome	19:00
lbragstad	thanks	19:00
openstackgerrit	Merged openstack/keystoneauth master: Expose app creds and new attrs in fixtures https://review.openstack.org/636030	19:23
*** lbragstad has quit IRC		19:39
*** lbragstad has joined #openstack-keystone		19:41
*** ChanServ sets mode: +o lbragstad		19:41
*** spsurya has quit IRC		19:52
*** markvoelker has joined #openstack-keystone		19:53
*** jamesmcarthur_ has quit IRC		20:20
*** markvoelker has quit IRC		20:26
*** jmlowe has quit IRC		20:29
*** dave-mccowan has quit IRC		20:38
lbragstad	cmurphy for when you're not dealing with app cred things https://review.openstack.org/#/c/622773/17	20:39
*** dave-mccowan has joined #openstack-keystone		20:45
cmurphy	lbragstad: o7 thanks for the reminder	20:46
lbragstad	yup	20:46
rm_work	Hey, heard someone else here was interested in working on an x509 / athenz auth integration plugin -- anyone know who that is? :P	20:49
lbragstad	gyee is working on it intermittently	20:49
*** erus has quit IRC		20:49
lbragstad	still looking for more volunteers though	20:50
*** erus has joined #openstack-keystone		20:50
lbragstad	rm_work are you attempting to use it?	20:52
rm_work	no, we have one internally already on queens but there was a major refactor in the area we patched, and rebasing it up is proving weird	20:53
rm_work	and then i thought "wait why the heck is this internal"	20:53
rm_work	and someone else here told me there was community interest in doing one	20:53
rm_work	(Verizon Media / Oath)	20:54
lbragstad	by "one" do you mean an implementation for x509 support?	20:54
rm_work	for athenz specifically	20:54
lbragstad	yeah - that's what oath is doing	20:54
rm_work	yes	20:54
rm_work	i am at Oath :P	20:54
lbragstad	rm_work oh - jeeze	20:54
lbragstad	i didn't realize	20:55
rm_work	i was told there was someone else in the community	20:55
rm_work	(I just started here in December so your confusion is understandable)	20:55
lbragstad	aha	20:55
openstackgerrit	Ben Nemec proposed openstack/oslo.policy master: Provide more specific error when namespace is missing https://review.openstack.org/639822	20:55
lbragstad	so - the x509 stuff has interest, possibly for edge usecases (as i'm sure you're aware being at oath)	20:56
lbragstad	so it's been getting time slots in the weekly edge meeting	20:56
rm_work	hmm k	20:57
*** jamesmcarthur has joined #openstack-keystone		20:57
lbragstad	i think most of the edge interest came out of denver when penick hosted a clinic on how oath does federation for edge	20:59
rm_work	ah	21:00
rm_work	yes, penick is my manager :D	21:00
lbragstad	but ildikov has it on the weekly edge call	21:00
lbragstad	nice - i know he responded to the initial note to the mailing list about keystone's x509 support	21:00
rm_work	k	21:00
lbragstad	not sure if you've seen that writeup yet?	21:00
rm_work	well, may be interested in helping out	21:01
rm_work	not yet no	21:01
* lbragstad fetches a link		21:01
rm_work	i avoid the ML in general	21:01
rm_work	but i'll look, appreciate linkage :)	21:01
lbragstad	http://lists.openstack.org/pipermail/openstack-discuss/2019-January/002085.html	21:01
rm_work	thanks	21:01
lbragstad	it was more or less a brain dump	21:02
lbragstad	i think it would help some of the things we're doing internally, but i'm waiting to hear back from our internal teams on it	21:02
rm_work	k	21:03
lbragstad	but - i think it would help with federation overall, making it easier to test	21:03
rm_work	where are you now?	21:03
lbragstad	huawei	21:03
lbragstad	on the plus side, y'all wouldn't need to maintain out-of-tree auth drivers for athenz support	21:04
* lbragstad heard athenz is deprecating token support and pushing everything to using certificates		21:04
rm_work	you may have heard more than me :P	21:07
rm_work	we'll see if i end up being the one working on this	21:07
rm_work	but if i am... i will need to ... learn how keystone works. and also learn wtf athenz is and how it works. lol	21:08
rm_work	right now i'm in info gathering while i try to refactor our existing patch	21:08
*** jaosorior has quit IRC		21:08
rm_work	ah so... if it helps, i can just show you what our existing queens patch looks like	21:09
rm_work	it doesn't seem complex at all	21:09
ildikov	We had interest in Keystone prior to that	21:09
ildikov	Oath's use case generated interest in development direction besides reference architectures	21:10
lbragstad	rm_work i found https://yahoo.github.io/athenz/site/data_model/ helpful	21:11
*** erus has quit IRC		21:11
ildikov	lbragstad: rm_work: we were wondering with csatari to organize hacking days	21:11
*** erus has joined #openstack-keystone		21:12
lbragstad	https://github.com/yahoo/openstack-collab/tree/master/keystone-federation-ocata is the last bits i've seen of the athenz auth plugins	21:12
ildikov	Mainly remote/virtual ones and we could try in person at the Summit	21:12
lbragstad	ildikov nice	21:12
ildikov	And thought of the x509 bugs to work on as one potential topic	21:13
rm_work	so, this is the only patch i see for athenz support, but it looks like it is just the token piece? http://paste.openstack.org/show/Fv2Rl95ipR8dEhfC2GWF/	21:13
rm_work	so probably i will have to start over	21:13
rm_work	i assume this relies also on client patches	21:13
ildikov	I thought to bring it up here too to see if there's interest as we have people around with interest but less Keystone knowledge	21:13
ildikov	It could help with learning/progress	21:14
rm_work	lbragstad: lol yes, thanks for the link to our own docs, somehow no one had sent me that yet >_<	21:14
rm_work	^^ serious	21:15
rm_work	i will read this	21:15
lbragstad	lol	21:15
cmurphy	jrosser: replied to your thread, maybe lbragstad or kmalloc can fact check me	21:15
* jrosser looks		21:15
lbragstad	rm_work no to be confused with https://openathens.org/	21:16
lbragstad	^ that tripped me up several times	21:16
*** jmlowe has joined #openstack-keystone		21:17
lbragstad	cmurphy i think your response makes sense	21:21
cmurphy	hopefully zane or rico can help clear things up	21:23
*** markvoelker has joined #openstack-keystone		21:23
*** jamesmcarthur has quit IRC		21:24
*** jamesmcarthur has joined #openstack-keystone		21:24
rm_work	ah yeah the patch i linked is the same as the one from that repo i guess	21:26
rm_work	yeah so, i guess just need to discuss with folks what this would need to look like in a generic form upstream	21:27
lbragstad	http://tinyurl.com/yxk22bux would actually get you pretty close	21:34
lbragstad	then - users with x509 certificates from athenz could authenticate directly to keystone for tokens	21:35
lbragstad	but you would also get the auto-provisioning functionality we have upstream	21:35
lbragstad	which is part of what the athenz plugins do	21:35
lbragstad	so - the last time i read the athenz auth plugins code, it looked like it did two things 1.) make it so keystone can deal with athenz tokens 2.) auto-provision some resources based on the values in the token	21:39
lbragstad	if users have x509 certificates issued from athenz, then #1 isn't really needed anymore since you're proving authentication with a certificate and not a token	21:40
kmalloc	cmurphy: ++	21:41
lbragstad	and since keystone already supports auto-provisioning to some extent, you could create a federated mapping that provisions resources for users coming in with x509 certificates with athenz acting as the identity provider	21:41
kmalloc	cmurphy: if heat is leaning on the KSM options it makes me want to change the option ... it is wrong.	21:41
kmalloc	:P	21:42
lbragstad	https://docs.openstack.org/keystone/latest/admin/federation/mapping_combinations.html#auto-provisioning is the auto-provisioning documentation	21:42
kmalloc	i thouight we weeded out the use of the KSM options when we did the deprecation last time around for the old name	21:42
cmurphy	i'm not sure any of us ever went and did that	21:51
kmalloc	i know there were a lot of threads on it in the paste	21:51
kmalloc	past*	21:51
cmurphy	and it's hard to control because oslo.config just makes it easy to scoop up any parameters it finds	21:51
kmalloc	anyway, heat should transition away from leaning on the KSM options.	21:51
kmalloc	yeah, i wish we could isolate the namespace(s) better.	21:51
kmalloc	especially for KSM.	21:51
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Add tests for domain users interacting with roles https://review.openstack.org/622527	21:53
*** markvoelker has quit IRC		21:56
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Add tests for domain users interacting with roles https://review.openstack.org/622527	21:57
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Add tests for project users interacting with roles https://review.openstack.org/622528	21:57
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Remove role policies from policy.v3cloudsample.json https://review.openstack.org/622529	21:57
*** mchlumsky has quit IRC		21:59
openstackgerrit	Merged openstack/keystone master: Remove domain policies from policy.v3cloudsample.json https://review.openstack.org/605876	22:01
cmurphy	lbragstad: wxy-xiyuan i had two other questions on https://review.openstack.org/#/c/622773	22:05
rm_work	lbragstad: sorry, had a meeting pull me away, but thank you for the links and thoughts	22:11
lbragstad	np	22:11
rm_work	It's going to take me a bit to digest all of this, since it's my first time really looking at the keystone code and how this all works, beyond just being an end user	22:12
rm_work	AND my first time seeing how athenz works :D	22:13
lbragstad	no worries	22:14
lbragstad	it took me a while to wrap my head around the x509 stuff	22:15
openstackgerrit	erus proposed openstack/keystone master: Add new attribute to the federation protocol API https://review.openstack.org/637305	22:30
*** jamesmcarthur has quit IRC		22:36
*** jamesmcarthur has joined #openstack-keystone		22:36
*** raildo has quit IRC		22:37
*** tkajinam has joined #openstack-keystone		23:00
*** rcernin has joined #openstack-keystone		23:06
*** dave-mccowan has quit IRC		23:14
*** erus has quit IRC		23:14
*** erus has joined #openstack-keystone		23:15
*** dave-mccowan has joined #openstack-keystone		23:20
*** itlinux has joined #openstack-keystone		23:26
*** awalende has joined #openstack-keystone		23:43
*** awalende has quit IRC		23:47
*** jamesmcarthur has quit IRC		23:55

Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!