| *** ravelar has joined #openstack-meeting-cp | 00:04 | |
| *** tovin07_ has joined #openstack-meeting-cp | 00:52 | |
| *** ravelar has quit IRC | 01:05 | |
| *** zhurong has joined #openstack-meeting-cp | 01:11 | |
| *** piet_ has quit IRC | 01:12 | |
| *** topol has joined #openstack-meeting-cp | 02:47 | |
| *** topol has quit IRC | 03:11 | |
| *** Rockyg has quit IRC | 03:28 | |
| *** tovin07 has quit IRC | 03:31 | |
| *** tovin07 has joined #openstack-meeting-cp | 03:35 | |
| *** ravelar has joined #openstack-meeting-cp | 03:37 | |
| *** ravelar has quit IRC | 03:37 | |
| *** prateek has joined #openstack-meeting-cp | 03:55 | |
| *** jgriffith is now known as jgriffith_away | 04:28 | |
| *** jamespage has quit IRC | 05:00 | |
| *** jamespag` has joined #openstack-meeting-cp | 05:01 | |
| *** prateek_ has joined #openstack-meeting-cp | 05:11 | |
| *** prateek has quit IRC | 05:14 | |
| *** parora has joined #openstack-meeting-cp | 05:15 | |
| *** prateek_ has quit IRC | 05:17 | |
| *** gouthamr has joined #openstack-meeting-cp | 05:33 | |
| *** parora has quit IRC | 06:13 | |
| *** prateek has joined #openstack-meeting-cp | 06:13 | |
| *** zhurong__ has joined #openstack-meeting-cp | 07:07 | |
| *** zhurong has quit IRC | 07:10 | |
| *** mars has joined #openstack-meeting-cp | 07:20 | |
| *** rarcea_ has joined #openstack-meeting-cp | 07:53 | |
| *** ativelkov has quit IRC | 08:25 | |
| *** ativelkov has joined #openstack-meeting-cp | 08:25 | |
| *** MarkBaker has quit IRC | 08:26 | |
| *** beisner has quit IRC | 08:33 | |
| *** beisner has joined #openstack-meeting-cp | 08:35 | |
| *** prateek has quit IRC | 09:07 | |
| *** hogepodge has quit IRC | 09:11 | |
| *** hogepodge has joined #openstack-meeting-cp | 09:12 | |
| *** mars has quit IRC | 09:22 | |
| *** mars has joined #openstack-meeting-cp | 09:25 | |
| *** hogepodge has quit IRC | 09:31 | |
| *** hogepodge has joined #openstack-meeting-cp | 09:32 | |
| *** MarkBaker has joined #openstack-meeting-cp | 09:47 | |
| *** openstack has joined #openstack-meeting-cp | 10:04 | |
| *** ChanServ sets mode: +o openstack | 10:04 | |
| *** homerp_ has joined #openstack-meeting-cp | 10:31 | |
| *** sdague_ has joined #openstack-meeting-cp | 10:34 | |
| *** MarkBaker has quit IRC | 10:39 | |
| *** bswartz has quit IRC | 10:39 | |
| *** homerp has quit IRC | 10:39 | |
| *** luzC has quit IRC | 10:39 | |
| *** tonyb has quit IRC | 10:39 | |
| *** dansmith has quit IRC | 10:39 | |
| *** lbragstad has quit IRC | 10:39 | |
| *** MarkBaker has joined #openstack-meeting-cp | 10:43 | |
| *** bswartz has joined #openstack-meeting-cp | 10:43 | |
| *** luzC has joined #openstack-meeting-cp | 10:43 | |
| *** tonyb has joined #openstack-meeting-cp | 10:43 | |
| *** dansmith has joined #openstack-meeting-cp | 10:43 | |
| *** lbragstad has joined #openstack-meeting-cp | 10:43 | |
| *** MarkBaker has quit IRC | 10:47 | |
| *** gouthamr has quit IRC | 11:35 | |
| *** topol has joined #openstack-meeting-cp | 11:39 | |
| *** MarkBaker has joined #openstack-meeting-cp | 11:50 | |
| *** topol has quit IRC | 11:56 | |
| *** topol has joined #openstack-meeting-cp | 12:05 | |
| *** topol has quit IRC | 12:05 | |
| *** sdague_ is now known as sdague | 12:20 | |
| *** topol has joined #openstack-meeting-cp | 12:41 | |
| *** topol has quit IRC | 12:41 | |
| *** mars has quit IRC | 12:43 | |
| *** lamt has joined #openstack-meeting-cp | 13:34 | |
| *** lamt has quit IRC | 14:01 | |
| *** lamt has joined #openstack-meeting-cp | 14:07 | |
| *** gouthamr has joined #openstack-meeting-cp | 14:17 | |
| *** gouthamr_ has joined #openstack-meeting-cp | 14:22 | |
| *** jaugustine has quit IRC | 14:22 | |
| *** gouthamr has quit IRC | 14:22 | |
| *** jamespag` is now known as jamespage | 14:31 | |
| *** gouthamr has joined #openstack-meeting-cp | 14:34 | |
| *** gouthamr_ has quit IRC | 14:36 | |
| *** vkmc has left #openstack-meeting-cp | 15:07 | |
| *** stevemar has joined #openstack-meeting-cp | 15:12 | |
| *** edtubill has joined #openstack-meeting-cp | 15:20 | |
| *** stevemar_znc has joined #openstack-meeting-cp | 15:29 | |
| *** jgriffith_away is now known as jgriffith | 15:32 | |
| *** dims has quit IRC | 15:46 | |
| *** MarkBaker has quit IRC | 15:55 | |
| *** dims has joined #openstack-meeting-cp | 16:00 | |
| *** topol has joined #openstack-meeting-cp | 16:04 | |
| *** MarkBaker has joined #openstack-meeting-cp | 16:08 | |
| *** stevemar_znc is now known as topol_ | 16:12 | |
| *** topol has quit IRC | 16:20 | |
| *** topol_ is now known as topol | 16:20 | |
| *** MarkBaker has quit IRC | 16:37 | |
| *** MarkBaker has joined #openstack-meeting-cp | 16:38 | |
| *** MarkBaker has quit IRC | 17:11 | |
| *** garloff has quit IRC | 17:39 | |
| *** piet has joined #openstack-meeting-cp | 17:40 | |
| *** rarcea_ has quit IRC | 18:07 | |
| *** xyang1 has joined #openstack-meeting-cp | 19:13 | |
| *** Rockyg has joined #openstack-meeting-cp | 19:26 | |
| *** Rocky_g has joined #openstack-meeting-cp | 19:27 | |
| *** david-lyle_ has joined #openstack-meeting-cp | 19:28 | |
| *** Rocky_g has quit IRC | 19:30 | |
| *** david-lyle has quit IRC | 19:31 | |
| *** bknudson has left #openstack-meeting-cp | 19:46 | |
| *** r1chardj0n3s has joined #openstack-meeting-cp | 19:53 | |
| r1chardj0n3s | stevemar: would you like to chair the meeting today? | 19:53 |
|---|---|---|
| stevemar | r1chardj0n3s: sure thing | 19:53 |
| stevemar | r1chardj0n3s: oh wait | 19:53 |
| stevemar | r1chardj0n3s: i randomly have a phone call in 30 minutes (not regularly scheduled) | 19:54 |
| r1chardj0n3s | ah dang :-) | 19:54 |
| r1chardj0n3s | I will work through my sleep haze and chair it :-) | 19:54 |
| lbragstad | o/ | 19:57 |
| lbragstad | r1chardj0n3s you're a trooper | 19:57 |
| r1chardj0n3s | \o/ | 19:57 |
| *** jamielennox has joined #openstack-meeting-cp | 19:57 | |
| crinkle | o/ | 19:58 |
| stevemar | o/ | 19:58 |
| edtubill | o/ | 19:59 |
| stevemar | if i could make a suggestion, we don't need to motor through all the topics. getting into the nitty gritty is fine :) | 20:00 |
| r1chardj0n3s | #startmeeting keystone_horizon | 20:00 |
| openstack | Meeting started Thu Dec 1 20:00:07 2016 UTC and is due to finish in 60 minutes. The chair is r1chardj0n3s. Information about MeetBot at http://wiki.debian.org/MeetBot. | 20:00 |
| openstack | Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. | 20:00 |
| *** openstack changes topic to " (Meeting topic: keystone_horizon)" | 20:00 | |
| openstack | The meeting name has been set to 'keystone_horizon' | 20:00 |
| r1chardj0n3s | stevemar: I'm always open to suggestions how to better run things! | 20:00 |
| jamielennox | o/ | 20:00 |
| r1chardj0n3s | #link https://etherpad.openstack.org/p/ocata-keystone-horizon is our current list of issues | 20:01 |
| david-lyle_ | o/ | 20:01 |
| *** david-lyle_ is now known as david-lyle | 20:01 | |
| stevemar | what are we starting with first? :) | 20:01 |
| r1chardj0n3s | looks like rderose has an update for Proper Domain-admin support | 20:02 |
| r1chardj0n3s | "still in WIP" | 20:02 |
| rderose | o/ | 20:02 |
| stevemar | i think the initial bug goes beyond the limitations imposed by a federated user | 20:03 |
| r1chardj0n3s | (otherwise doesn't look like a lot of updates in the issues etherpad) | 20:03 |
| rderose | yep, still in WIP, but once done, all federated users will belong to a real domain | 20:04 |
| r1chardj0n3s | so, who has a topic they'd like to discuss? | 20:04 |
| stevemar | r1chardj0n3s: we have edtubill and crinkle around, they're both working on bugs | 20:04 |
| crinkle | o/ | 20:05 |
| stevemar | pick on one of them :P | 20:05 |
| r1chardj0n3s | crinkle, what're you working on? | 20:05 |
| rderose | also, I'd like to quickly discuss PCI | 20:05 |
| stevemar | rderose: get in line! | 20:05 |
| r1chardj0n3s | rderose: ack | 20:05 |
| crinkle | https://review.openstack.org/#/c/389679/ and https://review.openstack.org/#/c/389337/ could use keystone and horizon eyes | 20:05 |
| crinkle | i don't have an update beyond that | 20:06 |
| *** ying_zuo has joined #openstack-meeting-cp | 20:06 | |
| stevemar | crinkle: so https://review.openstack.org/#/c/389679/ seems like an issue from when we moved to the bootstrap command? | 20:06 |
| crinkle | stevemar: no, it's that different parts of the code were using a config setting as either an ID or a name | 20:07 |
| stevemar | crinkle: hmm, yeah.. "OPENSTACK_KEYSTONE_DEFAULT_DOMAIN" isn't very clear is it | 20:07 |
| stevemar | "NOTE: This value must be the name of the default domain, NOT the ID" | 20:08 |
| stevemar | isn't that backwards incompatible? | 20:09 |
| stevemar | this: https://review.openstack.org/#/c/389679/4/openstack_dashboard/local/local_settings.py.example | 20:09 |
| stevemar | ? | 20:09 |
| crinkle | no because it was a bug, if you were using it the way it was documented it wasn't working | 20:09 |
| david-lyle | stevemar: the comment was incorrect before | 20:10 |
| knikolla | o/ | 20:10 |
| david-lyle | we expect a name | 20:10 |
| stevemar | ah okay | 20:10 |
| david-lyle | because that's the only way the login form makes sense | 20:10 |
| stevemar | david-lyle: so what's the hold up on getting this merged? :) | 20:10 |
| stevemar | david-lyle: true | 20:10 |
| david-lyle | crappy reviewer | 20:10 |
| * david-lyle points at self | 20:10 | |
| crinkle | :) | 20:10 |
| r1chardj0n3s | that patch hasn't hit the mandatory 69-day minimum delay for Horizon reviews yet :/ | 20:10 |
| stevemar | r1chardj0n3s: team review in the meeting :P | 20:11 |
| stevemar | ship it! | 20:11 |
| r1chardj0n3s | :-) | 20:11 |
| lbragstad | aaaand break! | 20:11 |
| stevemar | (i am only half joking) | 20:11 |
| *** bknudson has joined #openstack-meeting-cp | 20:12 | |
| r1chardj0n3s | stevemar: and I am intrigued by the idea! | 20:12 |
| stevemar | okay, crinkle also has https://review.openstack.org/#/c/389337/ up | 20:12 |
| crinkle | slightly more involved | 20:12 |
| stevemar | crinkle: this was a bug you noticed when playing around with federation / sso? | 20:13 |
| crinkle | stevemar: yes | 20:13 |
| crinkle | this could use someone from keystone saying "yep that's how that API works" or "no that's not how it's supposed to work at all" | 20:13 |
| david-lyle | just to reverify, the list_domains call will work with an unscoped token in the federation case? | 20:13 |
| crinkle | david-lyle: yes, and only in the federation case | 20:14 |
| stevemar | david-lyle: yes, that is correct i believe... http://developer.openstack.org/api-ref/identity/v3-ext/index.html?expanded=list-domains-a-federated-user-can-access-detail#list-domains-a-federated-user-can-access | 20:14 |
| david-lyle | and that's not guarded by policy? | 20:15 |
| knikolla | says deprecated | 20:16 |
| jamielennox | that one only works in the federation case, but we replaced it with a general purpose api a while ago | 20:16 |
| rderose | jamielennox: ++ | 20:16 |
| david-lyle | but that one is guarded to "admin" only? | 20:16 |
| david-lyle | oh wait it's auth | 20:16 |
| jamielennox | listing /v3/auth/projects or /v3/auth/domains should tell you the projects/domains a user has access to, regardless of federated/regular login | 20:16 |
| jamielennox | checking on client equivalent... | 20:17 |
| stevemar | jamielennox: right, those are the new APIs /auth/project not the one i pointed out (old ones) | 20:17 |
| jamielennox | v3.Client.auth.projects | 20:17 |
| jamielennox | v3.client.auth.domains | 20:17 |
| lbragstad | yeah - i thought we deprecated the OS-FEDERATED apis a while ago | 20:17 |
| crinkle | jamielennox: could you comment on the review and I'll fix it? | 20:17 |
| stevemar | david-lyle: so why don't we check what domains a user has access to, in addition to projects? | 20:17 |
| jamielennox | not all, but we deprecated those | 20:17 |
| david-lyle | wasn't accessible when I wrote the original implementation | 20:18 |
| stevemar | i suppose we can put that as a follow-on if someone wanted it | 20:19 |
| david-lyle | but I'm not sure dumping into an arbitrary domain is ideal | 20:19 |
| stevemar | but this is decently isolated | 20:19 |
| lbragstad | jamielennox ah - yes... specifically the apis for getting domains and projects for federated users | 20:19 |
| stevemar | crinkle: commented | 20:20 |
| crinkle | thanks | 20:20 |
| stevemar | david-lyle: r1chardj0n3s y'all good with this once crinkle updates? | 20:20 |
| crinkle | david-lyle | but I'm not sure dumping into an arbitrary domain is ideal | 20:21 |
| r1chardj0n3s | crinkle: also, as a matter of procedure, could you please link those to a bug to aid our tracking backports? | 20:21 |
| stevemar | r1chardj0n3s: ++ | 20:21 |
| crinkle | r1chardj0n3s: okay | 20:21 |
| r1chardj0n3s | thanks | 20:21 |
| david-lyle | in the federation case, will there be more than 1 domain? | 20:21 |
| stevemar | david-lyle: possible? | 20:22 |
| rderose | david-lyle: federated users will belong to only a single domain | 20:22 |
| rderose | different domain, different user | 20:22 |
| david-lyle | because we're shadowing the users? | 20:23 |
| stevemar | rderose: belong to != have access to | 20:23 |
| david-lyle | horizon doesn't have a switch to change domains | 20:23 |
| stevemar | oh no? | 20:23 |
| stevemar | that's a bummer | 20:24 |
| stevemar | is/was there a reason why? | 20:24 |
| david-lyle | so if we dump into the first of possibly many then they can never get to the other | 20:24 |
| rderose | david-lyle: yeah, because we're shadowing federated users, they are like any other keystone user and will have to belong to a single domain. | 20:24 |
| david-lyle | until your newer API domain list was guarded to be "admin" only by the policy file | 20:24 |
| david-lyle | so there was no point adding it | 20:25 |
| stevemar | i see what you mean | 20:25 |
| david-lyle | this all went into the Havana release, btw | 20:25 |
| david-lyle | so it has some gray hair now | 20:25 |
| stevemar | might be worth adding it since we have /auth/domains now | 20:25 |
| stevemar | anywho, getting off topic for this specific change/bug | 20:25 |
| r1chardj0n3s | good discussion tho, I think :-) | 20:25 |
| stevemar | yep | 20:26 |
| david-lyle | right, the method to switch would go into doa, but the actual user interface would be in Horizon | 20:26 |
| stevemar | edtubill: still around? | 20:26 |
| edtubill | stevemar: yeah | 20:26 |
| edtubill | I can talk about k2k federation for horizon: david-lyle approved the new k2k dropdown blueprint. I am currently writing some patches, I'll push them out for review soon. | 20:26 |
| stevemar | dammit, stupid call starting soon | 20:26 |
| david-lyle | stevemar, I'm not sure it's off topic | 20:26 |
| david-lyle | because the unnavigable domain issue above, based on the current patch | 20:26 |
| crinkle | is it worth the effort to make domains navigable or is it usually expected that all users have projects and this doesn't need to be fixed? | 20:27 |
| david-lyle | something is better than nothing I suppose, but adding the switch method to forms.py would be a good piece for this patch as well | 20:27 |
| stevemar | david-lyle: okay, maybe crinkle's assumption that a federation setup results in a domain admin isn't a good one? | 20:28 |
| crinkle | david-lyle: okay i can work on that | 20:28 |
| stevemar | david-lyle: so it'll be like the project switcher? | 20:28 |
| david-lyle | stevemar: yes | 20:28 |
| stevemar | thanks for volunteering to do the work crinkle | 20:28 |
| crinkle | ofc | 20:28 |
| david-lyle | then once it's merged in doa and released we can put a user control in horizon | 20:29 |
| stevemar | david-lyle crinkle okay, let's let crinkle tinker around for now, she can come back with an update next week? | 20:29 |
| david-lyle | sounds good | 20:29 |
| stevemar | a domain switcher would be all kinds of useful, i think | 20:29 |
| david-lyle | yes, didn't realize we had gained access to the list for the user | 20:30 |
| stevemar | has to dial into a call, will be half paying attention :( | 20:30 |
| r1chardj0n3s | so edtubill, any issues or will we await the patches? | 20:30 |
| stevemar | oh wait, meeting at 4! | 20:30 |
| stevemar | yay! | 20:30 |
| r1chardj0n3s | \o/ stevemar | 20:30 |
| stevemar | \o/ | 20:30 |
| stevemar | david-lyle: edtubill: so what was actually decided? | 20:31 |
| edtubill | No issues so far | 20:31 |
| r1chardj0n3s | #link https://blueprints.launchpad.net/horizon/+spec/k2k-horizon this blueprint | 20:31 |
| edtubill | And also I will make the 'K2K at login time' work with the new blueprint as well. | 20:32 |
| stevemar | edtubill: so it'll be a drop down next to projects (and the new domains drop down ;)) ? | 20:32 |
| david-lyle | edtubill: make that a separate bp | 20:32 |
| david-lyle | stevemar: that's the current bp yes | 20:33 |
| stevemar | david-lyle: cool | 20:33 |
| edtubill | david-lyle: ok I'll make that a separate bp for 'k2k at login time' | 20:33 |
| stevemar | david-lyle: how is the list of SPs selected? | 20:33 |
| stevemar | edtubill: ^ | 20:33 |
| edtubill | It's taken from the access info object for a scoped token. | 20:33 |
| david-lyle | for the current bp, or the latter | 20:33 |
| stevemar | david-lyle: i guess on login time it's a set of config options? and once logged in, from the token? | 20:34 |
| david-lyle | the latter will require another hardcoded list unless keystone has an open call to obtain it, or we go to a two step login process, which I'm not excited about | 20:34 |
| *** MarkBaker has joined #openstack-meeting-cp | 20:35 | |
| edtubill | stevemar: So the user logs in and gets to see the list of available sps in a dropdown. The blueprint is different from the 'k2k at login time'. It gets it dynamically from the token and not the config file. | 20:35 |
| stevemar | so it sounds like both are on the table right now? | 20:35 |
| stevemar | is there a reason we are not deciding one over the other? | 20:35 |
| stevemar | or is it -- we can do both, so why not? | 20:36 |
| david-lyle | hardcoded lists are bad | 20:36 |
| stevemar | (sorry for all the questions, i think i've missed a few meetings :( ) | 20:36 |
| david-lyle | and my thoughts were the selector once logged in was cleaner and useful, but did not bar the login case | 20:36 |
| david-lyle | I'm not excited about how we have to do the login case at this point | 20:37 |
| stevemar | david-lyle: okay, sounds like since both can happily co-exist, we let them co-exist? | 20:38 |
| edtubill | I am for having them co-exist in case someone wants them both. | 20:38 |
| edtubill | But prioritize the drop down blueprint more. | 20:38 |
| david-lyle | I think so, but I'm open to other opinions | 20:38 |
| stevemar | i'm trying to get a firm decision on what will be accepted by the team, so we don't make edtubill go back and forth | 20:39 |
| stevemar | :) | 20:39 |
| stevemar | and if the decision is 'meh', that's cool too! | 20:39 |
| stevemar | (we can move to another topic, i think i beat this horse to death) | 20:39 |
| r1chardj0n3s | I'm deferring to people who know more about what's going on (hi, david-lyle) | 20:39 |
| stevemar | hehe | 20:40 |
| stevemar | david-lyle, pressure's on | 20:40 |
| r1chardj0n3s | so, rderose, about that PCI? | 20:40 |
| david-lyle | I would think if you had other keystones that were cost inducing, you could use the current endpoint list on login page and let the user choose | 20:40 |
| rderose | I've added a patch to support "PCI-DSS 8.2.6 Set passwords/passphrases for first-time use and upon reset to a unique value for each user, and change immediately after the first use" | 20:40 |
| rderose | https://review.openstack.org/#/c/403916/ | 20:40 |
| rderose | So after first auth, the user's password will be set to expire and they will be required to change their password. | 20:40 |
| rderose | 1) horizon gets token for user (first time after password reset) | 20:40 |
| rderose | 2) horizon will inspect the 'password_expires_at' attribute in the token | 20:40 |
| rderose | 2a) if expired, show password dialog for user to change their password | 20:40 |
| rderose | sound good? | 20:41 |
| stevemar | lookin' | 20:41 |
| rderose | questions? | 20:41 |
| r1chardj0n3s | sounds good to me. we have some expiry interface work in progress, just not sure if we have the step 2) stuff covered yet | 20:42 |
| *** openstack has joined #openstack-meeting-cp | 20:44 | |
| *** ChanServ sets mode: +o openstack | 20:44 | |
| david-lyle | it could | 20:44 |
| stevemar | grey out / disable the rest of the pages, force the user to change password | 20:44 |
| r1chardj0n3s | rderose: can I confirm that the password_expires_at will be in the past for *all* tokens not just the "first time after password reset"? | 20:44 |
| r1chardj0n3s | until the password is changed, that is | 20:44 |
| rderose | yes, it will be in all tokens | 20:44 |
| stevemar | a password change should revoke all old tokens | 20:45 |
| r1chardj0n3s | stevemar: hmm, disabling all other things is more challenging | 20:45 |
| r1chardj0n3s | rderose: ok cool | 20:45 |
| stevemar | r1chardj0n3s: whatever the UX is, i assume you guys can handle that, i'm just talking aloud | 20:45 |
| david-lyle | r1chardj0n3s: could add a new page on a splash | 20:45 |
| r1chardj0n3s | david-lyle: yeah | 20:45 |
| david-lyle | and redirect to that | 20:45 |
| stevemar | rderose: who's doing the horizon work? | 20:45 |
| rderose | stevemar: Juan Pablo lopez Gutierrez | 20:46 |
| rderose | https://review.openstack.org/#/q/owner:juan.pablo.lopez.gutierrez%2540intel.com+status:open | 20:46 |
| stevemar | rderose: cool irc name | 20:46 |
| stevemar | you should tell him to come to our super cool meeting | 20:46 |
| rderose | stevemar: will do, forgot his IRC nick | 20:46 |
| david-lyle | our authenticated decorator may have to get an upgrad | 20:46 |
| stevemar | is there a patch already up? | 20:46 |
| david-lyle | e | 20:46 |
| rderose | stevemar: not for requiring a user to change their password after reset | 20:47 |
| rderose | no | 20:47 |
| david-lyle | stevemar: only for similar work, not this work specifically | 20:47 |
| stevemar | cool | 20:47 |
| r1chardj0n3s | I've pinged JP to join us | 20:47 |
| stevemar | i'll be patient | 20:47 |
| rderose | Regarding making the password strength requirements discoverable, are we thinking an API call? Currently, it's in Keystone config. | 20:47 |
| stevemar | that'll be tough | 20:48 |
| stevemar | might just be better to keep the horizon setting | 20:48 |
| r1chardj0n3s | hmm, duplicated settings make david-lyle sad | 20:48 |
| r1chardj0n3s | and you don't want his sad face | 20:48 |
| rderose | stevemar: but this is needed outside of Horizon, right? | 20:49 |
| david-lyle | OSC anyone? | 20:49 |
| stevemar | david-lyle: what's that? <sarcasm> | 20:49 |
| david-lyle | I guess you just let them fail in OSC | 20:49 |
| stevemar | that's what we've been doing :D | 20:50 |
| rderose | :) | 20:50 |
| david-lyle | do they get any hints as to what magical rules they're attempting to satisfy? | 20:50 |
| stevemar | okay, keystoners, any ideas on how to expose the password regex config and what policy it should have? | 20:50 |
| stevemar | david-lyle: they sure do | 20:51 |
| david-lyle | ok | 20:51 |
| stevemar | https://github.com/openstack/keystone/blob/master/keystone/conf/security_compliance.py#L124-L131 | 20:51 |
| lbragstad | by expose it you mean just advertise it? | 20:51 |
| stevemar | configurable message | 20:51 |
| stevemar | lbragstad: yeah | 20:51 |
| r1chardj0n3s | oh, yes, please expose password_regex_description! | 20:51 |
| lbragstad | yeah - the description is the important thing to expose | 20:52 |
| lbragstad | i wouldn't think exposing the regex through horizon would be all that useful | 20:52 |
| david-lyle | lbragstad: it saves trips and failures to the server | 20:52 |
| r1chardj0n3s | we could do real-time feedback for the user, but yeah, that's icing | 20:52 |
| rderose | lbragstad: how would we expose it? | 20:52 |
| stevemar | so we have "config" related stuff already in the API for ldap stuff: https://github.com/openstack/keystone/blob/master/etc/policy.v3cloudsample.json#L224 | 20:52 |
| stevemar | lbragstad: the regex is also important to expose! | 20:52 |
| lbragstad | david-lyle oh - meaning horizon would check the password against the regex before sending it to keystone? | 20:53 |
| stevemar | from an OSC point of view too! | 20:53 |
| stevemar | lbragstad: currently we just pass whatever crap the user inputs | 20:53 |
| david-lyle | lbragstad: yeah, like UIs you like, rather than the ones you hate ;-) | 20:53 |
| lbragstad | ah | 20:53 |
| lbragstad | that's a good point | 20:53 |
| david-lyle | we check it currently | 20:53 |
| david-lyle | but we have a setting that predates keystone's | 20:54 |
| stevemar | i just wondered what the harm is in an API call to show the entire config -- lol | 20:54 |
| stevemar | only about a bunch of passwords | 20:54 |
| david-lyle | no risk there | 20:54 |
| * stevemar needs coffee | 20:54 | |
| lbragstad | +2 | 20:54 |
| stevemar | david-lyle: trouble with showing the option for passwords is, what policy do we surround it with? | 20:55 |
| stevemar | just "", so any authenticated user? | 20:55 |
| david-lyle | I would assume so | 20:55 |
| stevemar | we only show the [security_compliance] section | 20:55 |
| lbragstad | why no just the regex and regex description? | 20:55 |
| lbragstad | not* | 20:55 |
| david-lyle | that's the ask | 20:55 |
| stevemar | lbragstad: could limit it to that | 20:56 |
| stevemar | GET /v3/users ... | 20:56 |
| stevemar | GET /v3/compliance ? | 20:56 |
| lbragstad | we have a password api for password changes... maybe the path makes sense there? | 20:56 |
| rderose | lbragstad: that might work | 20:56 |
| stevemar | probably /v3/users/compliance | 20:56 |
| stevemar | lbragstad: rderose one of you want to pick it up? | 20:57 |
| lbragstad | since it'd be the api that users go to when they want to reset their password, they could use it to ask for the requirement they need to meet | 20:57 |
| stevemar | it would need a spec :( | 20:57 |
| lbragstad | ah | 20:57 |
| lbragstad | i can tackle the spec | 20:57 |
| rderose | stevemar: I can take it | 20:57 |
| rderose | :) | 20:57 |
| *** jlopezgu has joined #openstack-meeting-cp | 20:57 | |
| stevemar | you two work it out :P | 20:57 |
| rderose | lbragstad: go for it | 20:57 |
| r1chardj0n3s | thanks rderose | 20:57 |
| r1chardj0n3s | ok, and we're pretty much out of time | 20:58 |
| lbragstad | i'll get a spec up | 20:58 |
| r1chardj0n3s | say hi to jlopezgu tho ;-) | 20:58 |
| stevemar | r1chardj0n3s: yeppers | 20:58 |
| jlopezgu | o/ | 20:58 |
| jlopezgu | hahah | 20:58 |
| jlopezgu | were you talking about me? xD | 20:58 |
| stevemar | r1chardj0n3s: next week i want to talk about the "v3 policy is not parseable using oslo.policy" bug | 20:58 |
| stevemar | that thing is a mess | 20:58 |
| r1chardj0n3s | stevemar: oh, let's! :-) | 20:58 |
| david-lyle | I'll bring the matches | 20:58 |
| * stevemar goes to that call | 20:59 | |
| r1chardj0n3s | thanks everyone! | 20:59 |
| r1chardj0n3s | #endmeeting | 20:59 |
| crinkle | o/ | 20:59 |
| r1chardj0n3s | hello, bot? | 20:59 |
| r1chardj0n3s | *tap tap* | 20:59 |
| r1chardj0n3s | #endmeeting | 21:00 |
| r1chardj0n3s | darn it | 21:00 |
| david-lyle | bot died and reappeared in the middle | 21:01 |
| fungi | oh, i wonder if someone merged a change to its configuration in the middle of a meeting, checking | 21:02 |
| r1chardj0n3s | ah, so half the meeting won't have been recorded? | 21:02 |
| fungi | we normally try to avoid that when there are meetings underway, but someone might have failed to check before approving a change | 21:02 |
| r1chardj0n3s | :-( ah well | 21:03 |
| fungi | in which case, yeah, you can refer to the channel log for this channel and i can optionally try to splice some of it into the meeting log | 21:03 |
| r1chardj0n3s | I think we'll be right just referring to the channel log, thanks | 21:04 |
| *** ChanServ changes topic to "OpenStack Meetings || https://wiki.openstack.org/wiki/Meetings" | 21:07 | |
| *** ying_zuo has quit IRC | 21:17 | |
| *** MarkBaker has quit IRC | 21:47 | |
| *** garloff has joined #openstack-meeting-cp | 22:00 | |
| *** gouthamr has quit IRC | 22:17 | |
| *** MarkBaker has joined #openstack-meeting-cp | 22:17 | |
| *** MarkBaker has quit IRC | 22:39 | |
| *** edtubill has quit IRC | 22:52 | |
| *** edtubill has joined #openstack-meeting-cp | 22:53 | |
| *** edtubill has quit IRC | 22:58 | |
| *** xyang1 has quit IRC | 23:12 | |
| *** piet has quit IRC | 23:38 | |