| *** mvkr has quit IRC | 03:15 | |
| *** mvkr has joined #openstack-keystone | 03:28 | |
| *** evrardjp has quit IRC | 04:36 | |
| *** evrardjp has joined #openstack-keystone | 04:37 | |
| *** shyamb has joined #openstack-keystone | 05:12 | |
| *** shyamb has quit IRC | 05:43 | |
| *** shyamb has joined #openstack-keystone | 05:55 | |
| *** abdysn has joined #openstack-keystone | 06:10 | |
| *** dancn has joined #openstack-keystone | 06:14 | |
| *** dancn has quit IRC | 06:49 | |
| *** dancn has joined #openstack-keystone | 06:52 | |
| *** shyam89 has joined #openstack-keystone | 06:55 | |
| *** shyamb has quit IRC | 06:58 | |
| *** bengates has joined #openstack-keystone | 07:07 | |
| *** bengates has quit IRC | 07:09 | |
| *** bengates has joined #openstack-keystone | 07:09 | |
| *** shyam89 has quit IRC | 07:11 | |
| *** shyamb has joined #openstack-keystone | 07:43 | |
| *** xek__ has joined #openstack-keystone | 07:46 | |
| *** spsurya_ has joined #openstack-keystone | 07:59 | |
| *** Abdallahyas has joined #openstack-keystone | 08:09 | |
| *** abdysn has quit IRC | 08:12 | |
| *** shyamb has quit IRC | 08:16 | |
| *** shyamb has joined #openstack-keystone | 08:17 | |
| *** abdysn has joined #openstack-keystone | 08:57 | |
| *** Abdallahyas has quit IRC | 08:59 | |
| *** rcernin has quit IRC | 09:03 | |
| *** shyamb has quit IRC | 09:21 | |
| *** shyamb has joined #openstack-keystone | 09:22 | |
| *** vishalmanchanda has joined #openstack-keystone | 09:24 | |
| *** shyamb has quit IRC | 10:06 | |
| *** shyamb has joined #openstack-keystone | 10:17 | |
| *** rcernin has joined #openstack-keystone | 10:37 | |
| *** tkajinam has quit IRC | 10:59 | |
| *** shyamb has quit IRC | 11:02 | |
| *** shyamb has joined #openstack-keystone | 11:17 | |
| *** shyamb has quit IRC | 11:44 | |
| *** tkajinam has joined #openstack-keystone | 11:51 | |
| *** shyamb has joined #openstack-keystone | 11:56 | |
| *** raildo has joined #openstack-keystone | 11:57 | |
| *** rcernin has quit IRC | 12:04 | |
| *** rcernin has joined #openstack-keystone | 12:05 | |
| *** shyam89 has joined #openstack-keystone | 12:11 | |
| *** shyamb has quit IRC | 12:15 | |
| *** tkajinam has quit IRC | 12:18 | |
| *** shyam89 has quit IRC | 12:43 | |
| *** rcernin has quit IRC | 12:52 | |
| *** raildo_ has joined #openstack-keystone | 12:54 | |
| *** raildo has quit IRC | 12:56 | |
| *** Luzi has joined #openstack-keystone | 13:01 | |
| *** raildo_ has quit IRC | 13:02 | |
| *** raildo_ has joined #openstack-keystone | 13:03 | |
| *** raildo_ has quit IRC | 13:05 | |
| *** raildo_ has joined #openstack-keystone | 13:07 | |
| *** lbragstad_ is now known as lbragstad | 13:16 | |
| lbragstad | knikolla mapped == openid == saml2 from an authentication plugin perspective, right? | 13:29 |
|---|---|---|
| knikolla | lbragstad: yeah | 13:29 |
| lbragstad | ok, is there any reason to have methods = mapped, openid, saml2, token, password? | 13:30 |
| knikolla | if you have multiple ways to connect from one idp | 13:31 |
| knikolla | you can have different protocols, but use the same aliased plugin | 13:31 |
| lbragstad | ah - and the mapped plugin knows how to handle data for all those cases, thne? | 13:35 |
| knikolla | lbragstad: for all practical purposes, the mapped plugin has no idea about openid or saml | 13:35 |
| knikolla | that is what apache does | 13:36 |
| knikolla | and feeds environment variables to the mapped plugin | 13:36 |
| knikolla | which maps them to a user | 13:36 |
| lbragstad | ok - cool | 13:36 |
| lbragstad | that's what i thought, but i'm really rusty on that part of the code base | 13:36 |
| lbragstad | so - the only advantage to having saml2 and openid as authentication methods is in case you have multiple ways to authenticate from the same idp | 13:37 |
| lbragstad | that's the only advantage | 13:37 |
| lbragstad | ? | 13:37 |
| *** also_stingrayza is now known as stingrayza | 13:39 | |
| knikolla | it also allows you to set this on a per protocol basis https://github.com/openstack/keystone/blob/389d8f5a4edbbe05e69740c00c50ff3fbaf36d51/keystone/conf/federation.py#L41-L49 | 13:41 |
| knikolla | which is the environment variable that apache puts the identity provider id in | 13:41 |
| knikolla | that changes depending on mellon,shibboleth, or mod_auth_openidc | 13:41 |
| knikolla | so if you have multiple, you need that on a protocol basis rather than keystone-wide | 13:42 |
| openstackgerrit | Vishakha Agarwal proposed openstack/keystone-tempest-plugin master: Test case for openstack_groups https://review.opendev.org/704271 | 13:48 |
| lbragstad | knikolla ack - ok, that helps a bunch | 13:51 |
| *** Blinkiz has joined #openstack-keystone | 13:53 | |
| *** Blinkiz has quit IRC | 13:57 | |
| *** Blinkiz has joined #openstack-keystone | 14:01 | |
| *** raildo_ has quit IRC | 14:10 | |
| cmorpheus | lbragstad: knikolla we fixed that https://bugs.launchpad.net/keystone/+bug/1724645 so you should be able to use 'mapped' for everything | 14:12 |
| openstack | Launchpad bug 1724645 in OpenStack Identity (keystone) "remote_id_attribute config options prevents multiple protocol variations for Federation" [Low,Fix released] - Assigned to Colleen Murphy (krinkle) | 14:12 |
| lbragstad | cmorpheus awesome, thank you! | 14:13 |
| *** Luzi has quit IRC | 14:15 | |
| knikolla | cmorpheus: oh cool! I forgot about that, and I need more sleep | 14:15 |
| knikolla | looks like the federation job is flaky because of a race condition | 14:19 |
| knikolla | https://zuul.opendev.org/t/openstack/build/e3f1a09932654abd81411f57ed94b129/console | 14:19 |
| knikolla | if the test_service_providers_in_token method runs while the k2k test runs, there will be an extra SP for keystone that the first test didn't expect to see. | 14:20 |
| cmorpheus | maybe we could switch it to checking that a key is in the list instead of the list matching exactly | 14:27 |
| *** gary_perkins has quit IRC | 14:30 | |
| *** gary_perkins has joined #openstack-keystone | 14:32 | |
| *** bengates_ has joined #openstack-keystone | 14:46 | |
| *** bengates has quit IRC | 14:47 | |
| openstackgerrit | Vishakha Agarwal proposed openstack/keystone-tempest-plugin master: [DNM] Test openstack_groups https://review.opendev.org/716686 | 14:48 |
| *** raildo has joined #openstack-keystone | 14:48 | |
| openstackgerrit | Vishakha Agarwal proposed openstack/keystone-tempest-plugin master: Test case for openstack_groups https://review.opendev.org/704271 | 14:54 |
| *** cmorpheus is now known as cmurphy | 14:55 | |
| openstackgerrit | Merged openstack/oslo.policy master: Use unittest.mock instead of third party mock https://review.opendev.org/716391 | 15:01 |
| *** beekneemech is now known as bnemec | 15:02 | |
| *** abdysn has quit IRC | 15:16 | |
| knikolla | cmurphy: i was thinking more about making it sequential. Their running time is only 30 seconds, and sequentially it would still be only 2 minutes, compared to how much time setting up devstack takes. | 15:21 |
| cmurphy | knikolla: i think the tests should be able to run independently of one another regardless of how the test infrastructure is set up | 15:25 |
| knikolla | cmurphy: that is a good point. | 15:26 |
| *** manuvakery has joined #openstack-keystone | 15:29 | |
| knikolla | cmurphy: on a different note, i don't think i can get the "list users in group" part of expiring group membership done by end-of-week. would you be okay with having that as a follow-up patch? | 15:32 |
| knikolla | (it needs to support the password_expires_at query, and i need to work out how to best do that) | 15:32 |
| *** vishalmanchanda has quit IRC | 15:33 | |
| cmurphy | knikolla: i didn't realize it would be so complex, we could think about it for next cycle | 15:34 |
| cmurphy | it's not that important to me, just noticed it seemed like a gap | 15:34 |
| knikolla | cmurphy: it would have probably been much simpler had i gone with a `expires_at` column in the membership, rather than `last_active` and then having to do the math on query time. | 15:36 |
| *** gyee has joined #openstack-keystone | 15:38 | |
| *** AJaeger has joined #openstack-keystone | 16:00 | |
| AJaeger | keystone team, here're two changes for ldappool, could you review them, please? https://review.opendev.org/717548 and https://review.opendev.org/716993 | 16:01 |
| AJaeger | and here are some for python-keystoneclient: https://review.opendev.org/717443 https://review.opendev.org/716227 | 16:03 |
| AJaeger | thanks, cmurphy ! | 16:06 |
| cmurphy | AJaeger: yw | 16:06 |
| *** xek__ is now known as xek | 16:09 | |
| openstackgerrit | Merged openstack/ldappool master: Cleanup py27 support https://review.opendev.org/717548 | 16:13 |
| openstackgerrit | Merged openstack/ldappool master: Update hacking for Python3 https://review.opendev.org/716993 | 16:15 |
| *** evrardjp has quit IRC | 16:36 | |
| *** evrardjp has joined #openstack-keystone | 16:37 | |
| *** bengates has joined #openstack-keystone | 17:10 | |
| *** bengates_ has quit IRC | 17:14 | |
| *** dancn has quit IRC | 17:14 | |
| *** dancn has joined #openstack-keystone | 17:14 | |
| *** bengates has quit IRC | 17:29 | |
| openstackgerrit | Vishakha Agarwal proposed openstack/keystone-tempest-plugin master: [DNM] Test openstack_groups https://review.opendev.org/716686 | 17:35 |
| openstackgerrit | Merged openstack/python-keystoneclient master: Cleanup py27 support https://review.opendev.org/717443 | 17:58 |
| *** AJaeger has left #openstack-keystone | 17:58 | |
| *** d34dh0r53 has quit IRC | 18:13 | |
| *** d34dh0r53 has joined #openstack-keystone | 18:14 | |
| *** kukacz has quit IRC | 18:55 | |
| *** kukacz has joined #openstack-keystone | 18:57 | |
| *** xek has quit IRC | 20:37 | |
| *** raildo has quit IRC | 21:30 | |
| *** rcernin has joined #openstack-keystone | 22:30 | |
| *** dancn has quit IRC | 22:32 | |
| *** tkajinam has joined #openstack-keystone | 22:42 | |
Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!