#openstack-meeting log

18:00:36 <stevemar> #startmeeting keystone
18:00:36 <openstack> Meeting started Tue Jan 31 18:00:36 2017 UTC and is due to finish in 60 minutes.  The chair is stevemar. Information about MeetBot at http://wiki.debian.org/MeetBot.
18:00:37 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
18:00:40 <openstack> The meeting name has been set to 'keystone'
18:00:43 <knikolla> o/
18:00:53 <rodrigods> o/
18:01:15 <rderose> o/
18:01:17 <bknudson> hi
18:01:33 <morgan> wow, there is a bknudson here!
18:01:36 <morgan> :)
18:01:52 <gagehugo> o/
18:01:56 <morgan> a rare sighting in the wilds of IRC! :)
18:02:10 <lbragstad> o/
18:02:33 <lbragstad> a bknudson!
18:02:36 * stevemar finishes switching desks
18:03:15 <stevemar> #topic announcements
18:03:23 <stevemar> we're in the RC week, RC must be tagged by thursday, don't expect anything to merge unless it's a priority for the release
18:03:29 <stevemar> oops, agenda link!
18:03:31 <stevemar> #link https://etherpad.openstack.org/p/keystone-weekly-meeting
18:03:46 <stevemar> priorities for RC are listed here: #link https://etherpad.openstack.org/p/keystone-sprint-to-ocata
18:03:53 <stevemar> #link #link https://etherpad.openstack.org/p/keystone-sprint-to-ocata
18:04:10 <stevemar> we approved per-user-auth (MFA) for RC
18:04:37 <stevemar> see bp here: https://blueprints.launchpad.net/keystone/+spec/per-user-auth-plugin-reqs
18:05:33 <stevemar> thanks morgan for working so hard on it
18:05:37 <stevemar> its coming along really nicely
18:05:38 <lbragstad> ++
18:05:54 <morgan> also a bug in some logs found in the process https://review.openstack.org/#/c/427004/
18:06:03 <morgan> needs a second +2/A
18:06:07 <morgan> but it is not directly related
18:06:16 <stevemar> yeah, easy one to review ^
18:06:22 <morgan> release note was just pushed for MFA
18:06:27 <morgan> please look for it.
18:06:38 <morgan> #link https://review.openstack.org/#/c/427328/
18:06:38 <stevemar> ack
18:07:02 <stevemar> yowza, thats a heck of a release note
18:07:13 <morgan> more in depth docs will come post RC likely, pending stevemar's resource option docs
18:07:29 <stevemar> morgan: may have to trim it, just so it doesn't differ too much from the other notes
18:07:33 <morgan> current rendered version: http://docs-draft.openstack.org/28/427328/2/check/gate-keystone-releasenotes/ad8ed97//releasenotes/build/html/unreleased.html
18:07:47 <stevemar> i like the detail though, but i prefer consistency, if that makes sense.
18:07:50 <morgan> stevemar: but... it's an accurate release note
18:08:02 * morgan will leave that trimming to stevemar
18:08:05 <morgan> ;)
18:08:12 <stevemar> :)
18:08:50 <stevemar> any questions about RC? we have some identified bugs but that's the next topic, have some more announcements
18:09:09 <ayoung> +2A
18:09:22 <stevemar> next announcement
18:09:29 <stevemar> gyee is stepping down from core
18:09:41 <stevemar> due to inactivity and a change in responsibility i asked him to step down
18:09:53 <ayoung> Not a huge surprise.
18:10:11 <stevemar> yeah, i wanted to give the next PTL a clean slate to start from
18:10:15 <lbragstad> thanks gyee for your service!
18:10:17 * dolphm salutes gyee
18:10:41 <rodrigods> thanks gyee :)
18:10:45 * morgan cheers for gyee and thanks him for his service
18:10:51 <morgan> though... he's not here to hear it atm
18:10:57 <stevemar> the ether knows
18:11:10 <morgan> s/ether/etherpad
18:11:13 <morgan> *shiftyeyes*
18:11:15 <stevemar> you can email him at his personal address if you want, PM me if you want it
18:11:23 <stevemar> he responds quickly there
18:11:32 <morgan> yeah he typically does.
18:11:36 <stevemar> not sure if hes going to write a note to the ML
18:11:52 <morgan> stevemar: make sure you announce the Core change to the ML sometime
18:12:02 <morgan> if he doesn't write a note.
18:12:05 <stevemar> will do
18:12:07 <henrynash> (sorry I’m late)
18:12:10 * morgan blinks
18:12:13 <lbragstad> henrynash o/
18:12:13 <stevemar> henrynash: heyo!
18:12:15 <morgan> we have a henrynash too! wow.
18:12:30 <ayoung> W00t!
18:12:33 <henrynash> henrynash too! is so much better than the old one
18:12:41 <morgan> it is a redletter day
18:12:47 <stevemar> all the rascally ibm'ers are showing up
18:12:56 <lbragstad> gettin' the band back together
18:13:03 <morgan> stevemar: i don't see topol
18:13:04 <henrynash> (dog eat my homework etc.)
18:13:05 <morgan> stevemar: :P
18:13:07 <stevemar> morgan: zing
18:13:18 <stevemar> last announcement
18:13:21 <samueldmq> thanks gyee!
18:13:23 <stevemar> 19 PTG tickets left
18:13:25 <morgan> stevemar: or jamielennox
18:13:40 <stevemar> i think they started with 200?
18:13:55 * morgan needs to book an airplane
18:13:55 <stevemar> thats a huge drop from 2 weeks ago, i think they have >100 left
18:13:58 <ayoung> I have one, too, that I am not going to use
18:14:11 <ayoung> Was going to go to my backup, but backup is not going
18:14:33 <ayoung> Think the deadline for transfer is soonish.  Let me know if you need it.
18:14:42 * stevemar is pretty sure there are  hourly flights going from toronto to atlanta, will book later
18:15:22 <stevemar> i'm sure the 19 will end up being bough
18:15:23 <stevemar> bought
18:15:26 <topol> o/
18:15:32 <stevemar> perhaps more slowly
18:15:47 <topol> I will be in ATL Sunday night
18:15:57 * morgan will be flying in on Monday night
18:15:59 <lbragstad> I'll be there Wednesday morning
18:16:05 <henrynash> Tues night
18:16:13 <morgan> so i'll be missing day 1
18:16:13 <henrynash> (see, we all synced that so well)
18:16:17 <knikolla> Tuesday night
18:16:21 <lbragstad> and staying until late Friday
18:16:28 * breton will be from Sunday to Saturday
18:16:40 <morgan> and i am either saying until friday mid-day or early sat
18:16:44 <morgan> likely leaving midday friday
18:16:56 <gagehugo> schedued for sun-sat
18:16:58 * topol topol had to come late to this meeting. Still distraught over morgan's incredibly ugly bagels... still shaking :-)
18:17:16 <morgan> topol: it's ok, i gave you a giant release note to review.
18:17:19 <stevemar> i'm there sunday to saturday too
18:17:22 <morgan> topol: because you were late
18:17:42 <lbragstad> stevemar i assume organization of everything will start soon?
18:17:54 <topol> thanks
18:17:58 <samueldmq> I'll be there Sunday night too, in the case someone wants to hang out for food or something
18:18:02 <dstanek> i'm finally here!
18:18:18 <stevemar> lbragstad: yeah, as soon as we cut RC1 we can start planning
18:18:25 <lbragstad> stevemar ok - cool
18:18:37 <stevemar> 3 weeks is plenty of time to plan it all out :P
18:20:22 <stevemar> okay, next topic
18:20:22 * topol who will join me for  a tearful reunion with my Ga Tech Ph.D. advisors? Havent seen them in 18 years...
18:20:36 <stevemar> topol: you're on your own there bud
18:20:40 <topol> :-)
18:20:53 <stevemar> #topic bugs we can fix during RC
18:21:20 <stevemar> i plan on cutting RC1 when morgan's MFA stuff merges
18:21:40 <stevemar> but we can cut RC2 if we deem some bugs are worth backporting
18:21:51 <stevemar> i think these two qualify
18:21:55 <stevemar> Federation: federated users can't log into Horizon - https://bugs.launchpad.net/keystoneauth/+bug/1660436
18:21:55 <openstack> Launchpad bug 1660436 in python-novaclient "Federated users cannot log into horizon" [Undecided,New]
18:21:56 <stevemar> Federation: cannot use Trusts with federaed users - https://bugs.launchpad.net/keystone/+bug/1589993
18:21:57 <openstack> Launchpad bug 1589993 in OpenStack Identity (keystone) "cannot use trusts with federated users" [High,In progress] - Assigned to Boris Bobrov (bbobrov)
18:22:07 <breton> i can talk about the trusts issue
18:22:14 <stevemar> crinkle is working on the first, and breton is working on the second, are either of you around?
18:22:14 <breton> I was actually working on that bug downstream for some time.
18:22:18 <crinkle> o/
18:22:27 <stevemar> breton, you first, crinkle afterwards?
18:22:36 <breton> stevemar: ok
18:22:40 <breton> The problem with the whole thing is that with federated users we cannot really know what the user can unless they have authenticated
18:23:03 <stevemar> can.. do?
18:23:13 <breton> because, for example, with trusts, at the moment of trust creation the user might have already lost his group, that provided a role, because something has changed in the IDP, and we don't know about it
18:23:21 <breton> can do, yes
18:23:55 <rderose> breton: you can use shadow mapping to create users
18:24:11 <breton> for us, downstream, the solution now is to recreate user group membership for federated users each time the user authenticates. We just know that the customer will not add shadow users to groups directly and can live with the possible gap between group removal and next authentication
18:24:19 <dstanek> rderose: that won't help with groups necessarily
18:24:39 <stevemar> breton: can you assign the role necessary to the user directly?
18:24:51 <breton> stevemar: no. There can be very many users.
18:25:00 <stevemar> ah dang
18:25:19 <henrynash> breton: so is the issue that A trusts B, A never logs in again (and meanwhile as lost their group in teh idp), meanwhile B can carry on usingthe trust for ever?
18:25:32 <dstanek> breton: that's how federated mapping works by design right? re-evaluate group membership for each auth
18:25:50 <breton> henrynash: and that sucks
18:26:01 <dstanek> henrynash: ah, that makes sense
18:26:08 <ayoung> if the trust is no longer valid due to a group memebership change, they cannot use it
18:26:18 <dstanek> so you have to evaluate A's group membership for each B use of a trust?
18:26:20 <lbragstad> so the problem is that trusts don't have the opportunity to stay in sync with whatever is in the idp?
18:26:21 <breton> dstanek: kinda. But that group membership never persists inside the database
18:26:21 <henrynash> breton: and we can’t tell from our side that the group has been lost unless A choices to reauthenticate
18:26:34 <dstanek> ayoung: the group membership can be ephemeral
18:26:39 <stevemar> henrynash: which may not happen
18:26:46 <ayoung> dstanek, then the trust will never work
18:26:50 <henrynash> stevemar: yep
18:26:53 <dstanek> breton: exactly. but you can evaluate it anyway right?
18:27:05 <breton> dstanek: no
18:27:12 <morgan> i think the answer here is simple: with shadow users allow explicit group additions
18:27:13 <ayoung> if the trust code cannot link the original user to the roles in the trust, they trust execution fails, no token
18:27:14 <dstanek> if you know the user and the idp of the trustor can't you lookup the mapping?
18:27:15 <morgan> to the shadow user
18:27:19 <breton> dstanek: groups might come from assertion
18:27:21 <morgan> it is only allowed in that case
18:27:26 <morgan> not the "assertion" groups
18:27:42 <dstanek> breton: ah, right. good call
18:27:44 <morgan> i can't get behind supporting trusts on the values that come from an assertion
18:27:46 <lbragstad> you'd need the assertion, wouldn't you?
18:27:50 <ayoung> we need to record all membership information used in a trust
18:27:55 <morgan> ayoung: ++
18:28:10 <morgan> ayoung: therefore the shadow user, if added to a group, could explicitly be granted the values
18:28:15 <morgan> it's "known"
18:28:15 <henrynash> morgan, ayoung: but how would the group memberhsip info ever be deleted
18:28:30 <dstanek> ok, so no trusts based on federated ephemeral group membership?
18:28:32 <morgan> henrynash: you'd purge the shadow user
18:28:43 <dstanek> morgan: that won't work
18:28:44 <henrynash> morgan: agreed
18:28:51 <morgan> dstanek: yeah, i'd -2 adding trusts based on ephemeral group membership
18:28:52 <breton> morgan: i dislike it, because it requires operators manage users manually, not in the idp
18:29:00 <dstanek> if a change in the IdP puts them in a different group then they'd get different ephemeral groups
18:29:10 <breton> and we have code that relies on it -- heat uses it for delayed operations
18:29:13 <henrynash> morgan: but an idp (or whoever is creating users in the idp) would have to know to do that
18:29:16 <morgan> dstanek: right, this is why we only support in the case of explicit group additions in keystone
18:29:17 <dstanek> if you put that in keystone then any change in the idp would need a change in keystone
18:29:22 <breton> we could try fixing heat to use allow_expired though.
18:29:28 <morgan> aka shadow users.
18:29:42 <stevemar> breton: that might be the better call here
18:29:45 <morgan> or the local user w/ mapped values
18:29:50 <breton> morgan: how do we differentiate between explicit and implicit groups?
18:29:57 <breton> morgan: a column in the db?
18:30:00 <morgan> operator assigned in the db
18:30:16 <morgan> it is loaded from the db. vs loaded from the assertion
18:30:34 <morgan> we have the ability to allow a local user to auth with federated creds, we have shadow users now
18:30:47 <morgan> if you grant an explicit membership in either case, that carries forward
18:30:50 <morgan> regardless of assertion
18:30:56 <morgan> that is an explicit assignment
18:31:03 <morgan> implicit from the IDP can never have trusts
18:31:08 <breton> that was the whole point of federation -- to manage users not in openstack, but outside of it
18:31:10 <morgan> because of the issues you've outlined
18:31:25 <breton> that is a step back to moving users around in keystone
18:31:28 <morgan> the IDP provides authentication
18:31:38 <morgan> the IDP never, ever, ever has provided authorization in keystone
18:31:41 <morgan> keystone has done that
18:31:46 <morgan> trusts are authz
18:31:48 <morgan> not authn
18:32:09 <morgan> if the idp is providing authz (not keystone), we have a bigger issue.
18:32:22 <henrynash> morgan: but the group mappings from teh idp ARE used to “generate” authz
18:32:25 <stevemar> we have the same issue if using trusts and LDAP users right?
18:32:31 <morgan> henrynash: that is now what i mean
18:32:33 <breton> stevemar: no
18:32:38 <morgan> henrynash: keystone has to explicitly map that.
18:32:45 <henrynash> morgan: agreed
18:32:58 <stevemar> ah the groups are mapped back, duh
18:33:00 <morgan> henrynash: this is no different except an operator who wants trusts needs to explicitly add federated users.
18:33:07 <morgan> to a group
18:33:14 <morgan> no implicit based on trust
18:33:25 <morgan> unless the trust expiry is a known value
18:33:34 <ayoung> groups are an attribute that are used to assign authz.  Those groups may come from the IdP origianlly, but must be recorded in Keystone in order to have a non-ephemeral effect
18:33:39 <morgan> aka it expires about when the assertion (or similar view) is expired
18:33:45 <stevemar> 13:24 stevemar: breton: can you assign the role necessary to the user directly?
18:33:46 <stevemar> 13:24 breton: stevemar: no. There can be very many users.
18:33:46 <stevemar> 13:24 stevemar: ah dang
18:33:46 <morgan> ayoung: ++
18:34:01 <breton> morgan: it's not the operator wants trusts. Users want.
18:34:01 <lbragstad> ayoung in order to have a non-ephemeral effect on users*
18:34:16 <ayoung> lbragstad, in order to have any non-ephemeral effect
18:34:24 <breton> morgan: we can't make each user ask operator when they want to use a trust
18:34:36 <lbragstad> ayoung aha - yeah
18:34:38 <ayoung> you can create a trust, but if the info used to create that trust is not recorded, the trust is non-executable
18:34:44 <morgan> breton: yes we can.
18:35:06 <morgan> ayoung: ++
18:35:36 <stevemar> ayoung: so you're saying... shadow groups! :D
18:35:36 <morgan> breton: i'm sorry but no creating trusts based on ephemeral idp groups
18:35:51 <ayoung> stevemar, probably should be something explicit
18:35:52 <morgan> if the data is exclusively controlled by the IDP, no trusts
18:35:58 <henrynash> morgan: so the explict support is obvioulsy one approach (and we should support it imho..and I assume we do already),
18:36:00 <dstanek> would short term trusts work? something that expires at the same time as the token of the trustor
18:36:08 <morgan> henrynash: i think it needs it
18:36:11 <rderose> operators will be able to create federated users via API and can then explicitly make trusts
18:36:24 <rderose> *operators/admins
18:36:25 <morgan> dstanek: well i'd do a expiration of the assertion
18:36:34 <morgan> dstanek: but yes, i'd be ok with fixed life trusts
18:36:36 <ayoung> stevemar, something in the mapping that indicates that users in IdP I via protocol P should be added to group G
18:36:42 <lbragstad> rderose but then if something changes in the idp - the trust can still be valid
18:36:49 <morgan> dstanek: as an option provided we track the data from the idp
18:36:51 <breton> morgan: this is a huge step back in federation
18:36:52 <lbragstad> when it might not be
18:36:56 <stevemar> rderose: operators could also assign roles individually. breton is saying he doesn't want his operator/admin to deal with all the requets
18:37:02 <dstanek> if users have to be greated by the operator in this case them mapping buys them nothong and the are using a glorified ldap
18:37:07 <rderose> lbragstad: what idp change would cause it to be invalid?
18:37:18 <morgan> rderose: many things.
18:37:27 <lbragstad> rderose depends on the assertion/idp setup
18:37:37 <lbragstad> (case-by-case problems are *so* fun!)
18:37:41 <breton> morgan: it becomes a thing that doesn't support part of keystone functionality
18:38:01 <dstanek> the whole point of federation is that we don't have to have all the users/groups in keystone and they are dynamically provided by the IdP
18:38:03 <ayoung> we should look at what OpenIDC does here.  This is a pattern larger than Keystone and OpenStack
18:38:09 <morgan> breton: the only way you're gettiing trusts based on idp info is if the trust expires at the expiry of the assertion (or something similar)
18:38:11 <rderose> morgan: lbragstad: but if you explicitly give a federated user a role, that role assignment should exist regardless of changes to the idp
18:38:19 <lbragstad> rderose exactly
18:38:23 <morgan> ayoung: they map it to a local user
18:38:25 <ayoung> We had only looked at OAUTH1a when Trusts were implemented
18:38:28 <morgan> ayoung: then the local user is granted access
18:38:33 <rderose> if you manually provision, then you should manually deprovision
18:38:33 <morgan> ayoung: in almost every-single-case
18:38:36 <dstanek> rderose: exactly. and that;s the problem
18:38:37 <lbragstad> rderose what if something in the idp changes and that trust should no longer be valid?
18:38:39 <ayoung> morgan, I mean for management of delegation
18:38:47 <breton> lets than document that trusts don't work with groups from federated token and stop advertising federation as first-class citizen
18:38:54 <morgan> ayoung: it's checked on each authn
18:38:54 <morgan> ayoung: or fixed life
18:38:55 <ayoung> morgan, is there an analogue to trusts there?
18:39:11 <morgan> ayoung: no. the assertion (token?) is the trust
18:39:20 <morgan> ayoung: so i auth with say google, to APP
18:39:31 <morgan> i give access to the google things for the life of the token/assertion
18:39:42 <rderose> breton: everything you can do with a local user, you should be able to do with a federated user
18:39:55 <morgan> if the app has specific attrs/authz it is given explicitly to the user object that google auth links to
18:40:10 <breton> rderose: i absolutely agree with that. But the reality is different.
18:40:14 <stevemar> rderose: thats breton's issue, he can't right now :P
18:40:19 <dstanek> morgan: exactly what i was thinking with short term trusts
18:40:26 <ayoung> rderose, you can.  The problem is that you still need to record the group membership for the Federated user.  Which gets us back into the "the user needs to log in first before they can be admin'd"
18:40:41 <morgan> dstanek: so ... if we do time-limited trusts and store the information, i'd be ok with it.
18:40:42 <ayoung> rderose, which is why it would be better if the group memebership was triggered by the mapping process
18:40:52 <stevemar> gonna cut this conversation off in a minute or two
18:40:54 <morgan> dstanek: i just wont support indefinite trusts on ephemeral data
18:40:58 <stevemar> i don't think we're going to solve it here
18:41:07 <dstanek> morgan: ++
18:41:15 <lbragstad> this is interesting though - should we save it for -keystone later?
18:41:19 <rderose> ayoung: or, provision your federated users via the API; deprovision when their access should change
18:41:21 <ayoung> someone write up the use case as a spec please
18:41:33 <stevemar> ayoung: the bug exists :P
18:41:43 <breton> short-lived trusts won't work for Heat
18:41:45 <morgan> rderose: there is a mechanism to say assertion is expired...but that feedback is not well supported in most IDPs
18:41:46 <lbragstad> rderose but then we're managing federated users in the IDP and in keystone
18:42:07 <dstanek> lbragstad: ++ that doesn't make sense
18:42:08 <rderose> lbragstad: we're managing their authorization in keystone
18:42:10 <henrynash> morgan: I would also support the time-limiting option for a trust (which should be applicable to regualr suers or federated users)
18:42:11 <breton> (because it explicitely requires long-lived trusts)
18:42:21 <morgan> henrynash: we already support that feature
18:42:28 <morgan> henrynash: it's implemented :).
18:42:37 <rderose> lbragstad: at HP, user requests access, some system calls keystone and provisions access
18:42:38 <morgan> breton: what is a long-lived trust?
18:42:43 <morgan> breton: indefintie?
18:42:47 <henrynash> He’s smart, that morgan guy, ya know
18:42:55 <morgan> 1-day? 2-days? 16-days?
18:43:05 <dstanek> rderose: you are no longer using federation
18:43:07 <breton> morgan: indefinite i guess.
18:43:16 * antwash being the newbie sucks...
18:43:19 <rderose> dstanek: you are using federation for authentication
18:43:23 <stevemar> hehe
18:43:26 <ayoung> #link https://bugs.launchpad.net/keystone/+bug/1589993
18:43:26 <openstack> Launchpad bug 1589993 in OpenStack Identity (keystone) "cannot use trusts with federated users" [High,In progress] - Assigned to Boris Bobrov (bbobrov)
18:43:26 <morgan> breton: that is breaking how security in federation works then
18:43:26 <lbragstad> antwash :)
18:43:33 <morgan> breton: this is *not* secure.
18:43:49 <dstanek> rderose: you don't get any of the benefits of what federation offers
18:43:51 <lbragstad> antwash patience young grass hopper, patience
18:43:55 <stevemar> okay, i'm gonna cut this one off, we have a lot more on the agenda
18:44:04 <breton> morgan: i agree. Then lets stop calling federation first-class citizen and advertise that it can everything local backend can.
18:44:06 <ayoung> breton, grab me after and we can talk through it
18:44:14 <morgan> breton: works for me
18:44:20 <lbragstad> I'll hang out in -keystone after the meeting to continue this discussion with folks if they want
18:44:23 <lbragstad> ayoung morgan ++
18:44:26 <breton> cool
18:44:29 <morgan> anyway lets talk in -keystone
18:44:30 <ayoung> same here
18:44:35 * topol I remember when lbragstad was the grasshopper... feelin old
18:44:42 <stevemar> crinkle: o/
18:44:46 <crinkle> o/
18:44:55 <morgan> breton: i have a fix btw... just want to be very deliberate about how we implement it
18:45:00 <stevemar> Federation: federated users can't log into Horizon - https://bugs.launchpad.net/keystoneauth/+bug/1660436
18:45:01 <openstack> Launchpad bug 1660436 in python-novaclient "Federated users cannot log into horizon" [Undecided,New]
18:45:02 <lbragstad> topol lol
18:45:03 <crinkle> so 1660436 - what's happening is after a federated user successfully authn's, horizon then tries to load one of the nova panels with the novaclient, and it's trying to create a new token session with the federated token, and it fails because it's not persisting domain data, so keystoneauth's discovery returns a v2 endpoint, which a federated user can't use
18:45:19 <morgan> crinkle: euuw.
18:45:20 <crinkle> I was digging into it and more or less ran into a wall at that point because it involves multiple projects, but I put everything I found out into the bug
18:45:25 <morgan> we should fix that :P
18:45:27 <crinkle> morgan: yeah it is super gross
18:45:50 <rodrigods> this is unexpected side effect
18:45:52 <stevemar> to me, it feels like the fix belongs in how horizon doess stuff...
18:46:04 <ayoung> stevemar, probably not
18:46:09 <crinkle> robcresswell said he would look into it
18:46:20 <ayoung> stevemar, Horizon is pretty simple here:  get a Federated unscoped token, convert it to a scoped token
18:46:22 <morgan> we could persist the domain info in the token, no?
18:46:27 <lbragstad> crinkle so it's pulling the domain from the token - but failing to look things up with it?
18:46:30 <morgan> and let horizon consume that?
18:46:30 <stevemar> crinkle: yeah, but we probably need to help the horizon team out here
18:46:35 <ayoung> we'd still have no groups
18:46:52 <morgan> ayoung: oh ugh, and with fernet that becomes icky
18:46:56 <morgan> hmmm.
18:46:56 <ayoung> yeah
18:46:56 <crinkle> lbragstad: no, it's not pulling the domain info
18:47:10 <ayoung> morgan, again, shadow all the info we need for future use
18:47:13 <crinkle> lbragstad: that's kind of the problem, with no domain info keystoneauth says use v2
18:47:20 <ayoung> perhaps we time-limit group membership?
18:47:21 <morgan> ayoung: pretty much how other apps do it
18:47:43 <morgan> ayoung: we can overwrite the data if the assertion is changed (from the same IDP)
18:47:47 <morgan> ayoung: that is sane
18:47:52 <morgan> and no different than how local users work
18:48:07 <morgan> ayoung: so a single record per-user-per-idp for that
18:48:13 <ayoung> morgan, assuming that a new assertion has the complete set of groups, then, yes, remove group membership for missing groups
18:48:26 <ayoung> is that a safe assumption?
18:48:35 <morgan> the new assertion would *have* to have the value of all groups for that ID from that IDP
18:48:39 <morgan> it is authortitative
18:48:45 <morgan> i don't think you get partial assertions ;)
18:49:06 <morgan> i would say worth saying it's safe and have someone do a bit of research before impl
18:49:19 <ayoung> morgan, you could use different profiles, and get different sets of groups, but...I think that in that case, the profile used would be static, and should be authoritative...so still remove
18:49:26 <morgan> exactly
18:49:31 <morgan> again, per-idp-per user
18:49:39 <ayoung> per protocol
18:49:40 <morgan> if you authed with a different idp for example FB vs Google
18:49:41 <morgan> yeah
18:49:52 <morgan> i'd expect it to be different
18:49:56 <ayoung> same IdP, different protocol....
18:50:01 <ayoung> different groups?
18:50:03 <morgan> should result in the same data?
18:50:03 <ayoung> might happen
18:50:12 <morgan> i'd start with per-IDP and expand if needed
18:50:34 <ayoung> mapping is per protocol.  I'd do it per protocol
18:50:39 <morgan> ok sure
18:50:43 <ayoung> er...per mapping, really.
18:50:44 <morgan> anyway
18:50:48 <morgan> per mapping
18:50:56 <morgan> shadow the data,
18:51:02 <ayoung> you cabn technically reuse the mapping for different protocols, but that would be unlikely to work
18:51:16 <ayoung> so would still end up per protocol, I think
18:51:21 * ayoung is done
18:51:29 <morgan> anyway
18:51:44 <morgan> crinkle: fixable we probably need to shadow the user info in keystone
18:52:06 <stevemar> morgan: i don't think we have time to implement all that?
18:52:07 <morgan> crinkle: and we can update that as assertions come in.
18:52:12 <morgan> stevemar: not in Ocata
18:52:25 <stevemar> morgan: right, but right now federated users can't get into horizon
18:52:25 <morgan> going to go on record and say, it wont happen in Ocata (sadly)
18:52:34 <morgan> it's an architectural issue
18:52:35 <stevemar> like, any of them
18:52:41 <morgan> we'd need to store groups too
18:52:51 <morgan> because the token has to be reconstructed
18:53:06 <stevemar> crinkle: can we revert the change that novaclient made?
18:53:09 <morgan> we could make a temp fernet token formatter that stores a ton extra data
18:53:21 <lbragstad> right now - federated fernet tokens store groups in the token itself
18:53:31 <morgan> lbragstad: oh ok then we should be ok
18:53:36 <morgan> and we can just persist domain data
18:53:37 <crinkle> stevemar: well not really, the bug it fixed was a pretty nasty bug too
18:54:01 <morgan> crinkle: ok, so solution: persiste the domain data
18:54:07 <stevemar> crinkle: what about catching the exception on the horizon side?
18:54:17 <lbragstad> morgan https://github.com/openstack/keystone/blob/master/keystone/token/providers/fernet/token_formatters.py#L596
18:54:24 <morgan> crinkle: much easier and Ocata possible if that is the issue. it's just storing the info in the fernet format
18:54:57 <morgan> crinkle: it will be a new fernet formatter that is then used (we can't change the formatters we have as they are tied to specific format)
18:55:15 <morgan> lbragstad: ^ sound right to you?
18:55:26 <morgan> stevemar: ^cc
18:55:38 <ayoung> dstanek, lbragstad weren't one of you working on creating resources on demand for Federated users?
18:55:46 <ayoung> proejcts was the big one, but also role assignments etc?
18:55:49 <morgan> ayoung: rderose is?
18:55:56 <morgan> ayoung: i think
18:56:01 <lbragstad> morgan i can double check - but i don't think we guarantee the format to not change
18:56:20 <lbragstad> ayoung yeah we worked on that
18:56:21 <lbragstad> ayoung it was federated auto-provisioning
18:56:24 <morgan> lbragstad: it's about ensuring the decoder doesn't give bogus data back passed the same id#
18:56:39 <ayoung> lbragstad, we'd need it for the Federated/Horizon use case, I think
18:56:40 <morgan> lbragstad: the design was to never change a formatter, just make a new one and use the new format id
18:57:08 <stevemar> ah
18:57:09 <morgan> lbragstad: that way tokens stay interoperable in upgrades (no-down-time-upgrades, you'll break things in weird ways)
18:57:23 <stevemar> lbragstad: is there a reason why domain id is not in FederatedScopedPayload ?
18:57:31 <morgan> lbragstad: so, new formatter. old keystones can't decode new, but new keystone can decode old
18:57:31 <stevemar> i guess cause that never existed until now
18:57:47 <morgan> unless this is ocata formatter... just you see where i am going
18:58:00 <stevemar> crinkle: not sure if you've followed the upstream changes, but we now ensure all federated users have a domain id
18:58:16 <crinkle> stevemar: yes i followed that
18:58:21 <stevemar> so can add domain id stuff to https://github.com/openstack/keystone/blob/master/keystone/token/providers/fernet/token_formatters.py#L586-L635
18:58:22 <morgan> we may need to just make sure that data is available to horizon
18:58:28 <stevemar> i think that'll solve the issue?
18:59:37 <lbragstad> ayoung http://docs.openstack.org/developer/keystone/federation/federated_identity.html#auto-provisioning
18:59:48 <stevemar> bah, barely got through the agenda
18:59:54 <stevemar> thanks for coming y'all
19:00:00 <stevemar> #endmeeting