Monday, 2015-08-10

openstackgerrit	Jamie Lennox proposed openstack/keystoneauth: Replace endpoint_type with interface in catalog https://review.openstack.org/210269	00:08
openstackgerrit	Jamie Lennox proposed openstack/keystoneauth: Remove service_type requirement from catalog searching https://review.openstack.org/210268	00:08
openstackgerrit	Jamie Lennox proposed openstack/keystoneauth: Allow searching a catalog on service or endpoint id https://review.openstack.org/210267	00:08
openstackgerrit	Jamie Lennox proposed openstack/keystoneauth: Import service catalog tests from keystoneclient https://review.openstack.org/210266	00:08
*** piyanai has quit IRC		00:13
*** shoutm has quit IRC		00:17
*** shoutm has joined #openstack-keystone		00:20
*** mylu has joined #openstack-keystone		00:21
openstackgerrit	Jamie Lennox proposed openstack/keystoneauth: Replace endpoint_type with interface in catalog https://review.openstack.org/210269	00:22
openstackgerrit	Jamie Lennox proposed openstack/keystoneauth: Remove service_type requirement from catalog searching https://review.openstack.org/210268	00:22
openstackgerrit	Jamie Lennox proposed openstack/keystoneauth: Allow searching a catalog on service or endpoint id https://review.openstack.org/210267	00:22
openstackgerrit	Jamie Lennox proposed openstack/keystoneauth: Import service catalog tests from keystoneclient https://review.openstack.org/210266	00:22
*** shadower has quit IRC		00:23
*** shadower has joined #openstack-keystone		00:23
*** tellesnobrega has quit IRC		00:27
*** ericksonsantos has quit IRC		00:27
*** hrou has joined #openstack-keystone		00:28
*** ericksonsantos has joined #openstack-keystone		00:31
*** mylu has quit IRC		00:31
*** tellesnobrega has joined #openstack-keystone		00:31
*** lhcheng has quit IRC		00:32
*** thedodd has quit IRC		00:32
*** mylu has joined #openstack-keystone		00:33
*** mylu has quit IRC		00:38
*** mylu has joined #openstack-keystone		00:39
*** shoutm has quit IRC		00:44
*** shoutm has joined #openstack-keystone		01:02
openstackgerrit	OpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements https://review.openstack.org/210892	01:06
openstackgerrit	OpenStack Proposal Bot proposed openstack/keystoneauth-saml2: Updated from global requirements https://review.openstack.org/210893	01:06
openstackgerrit	OpenStack Proposal Bot proposed openstack/keystonemiddleware: Updated from global requirements https://review.openstack.org/210894	01:06
openstackgerrit	OpenStack Proposal Bot proposed openstack/python-keystoneclient: Updated from global requirements https://review.openstack.org/210923	01:10
openstackgerrit	OpenStack Proposal Bot proposed openstack/python-keystoneclient-kerberos: Updated from global requirements https://review.openstack.org/192319	01:10
*** topol has joined #openstack-keystone		01:10
*** ChanServ sets mode: +v topol		01:10
*** shoutm has quit IRC		01:16
*** shoutm has joined #openstack-keystone		01:19
*** shoutm has quit IRC		01:28
*** shoutm has joined #openstack-keystone		01:30
*** topol has quit IRC		01:32
*** mylu has quit IRC		01:39
*** markvoelker has joined #openstack-keystone		01:39
*** markvoelker has quit IRC		01:44
*** davechen has joined #openstack-keystone		01:52
*** alex_xu has quit IRC		01:55
*** alex_xu has joined #openstack-keystone		01:56
*** alejandrito has joined #openstack-keystone		02:08
*** ankita_wagh has quit IRC		02:14
*** ankita_wagh has joined #openstack-keystone		02:14
*** lhcheng has joined #openstack-keystone		02:21
*** ChanServ sets mode: +v lhcheng		02:21
*** lhcheng has quit IRC		02:22
*** lhcheng has joined #openstack-keystone		02:22
*** ChanServ sets mode: +v lhcheng		02:22
*** mylu has joined #openstack-keystone		02:26
*** alejandrito has quit IRC		02:37
*** ankita_wagh has quit IRC		02:38
*** hakimo has joined #openstack-keystone		02:52
*** hakimo_ has quit IRC		02:55
*** mylu has quit IRC		02:55
*** hrou has quit IRC		03:05
*** markvoelker has joined #openstack-keystone		03:40
*** topol has joined #openstack-keystone		03:44
*** ChanServ sets mode: +v topol		03:44
*** markvoelker has quit IRC		03:45
*** topol has quit IRC		03:48
*** stevemar has joined #openstack-keystone		03:48
*** ChanServ sets mode: +v stevemar		03:48
*** ayoung has quit IRC		03:50
openstackgerrit	Merged openstack/keystone: Updated from global requirements https://review.openstack.org/210892	04:45
*** btully has joined #openstack-keystone		04:47
*** ankita_wagh has joined #openstack-keystone		04:53
*** ankita_wagh has quit IRC		04:56
*** stevemar has quit IRC		04:56
*** ankita_wagh has joined #openstack-keystone		04:56
*** stevemar has joined #openstack-keystone		04:57
*** ChanServ sets mode: +v stevemar		04:57
openstackgerrit	Merged openstack/keystonemiddleware: Updated from global requirements https://review.openstack.org/210894	05:00
openstackgerrit	Merged openstack/python-keystoneclient: Updated from global requirements https://review.openstack.org/210923	05:01
*** jasondotstar has joined #openstack-keystone		05:21
*** stevemar has quit IRC		05:24
*** stevemar has joined #openstack-keystone		05:25
*** ChanServ sets mode: +v stevemar		05:25
*** jasondotstar has quit IRC		05:26
*** stevemar has quit IRC		05:28
*** markvoelker has joined #openstack-keystone		05:41
*** Nirupama has joined #openstack-keystone		05:46
*** markvoelker has quit IRC		05:46
*** lhcheng has quit IRC		05:52
*** yottatsa has joined #openstack-keystone		05:53
*** Nirupama has quit IRC		06:00
*** josecastroleon has joined #openstack-keystone		06:07
*** marekd has quit IRC		06:09
*** marekd has joined #openstack-keystone		06:12
*** ChanServ sets mode: +v marekd		06:12
marekd	morning	06:15
breton	morning!	06:16
*** henrynash has joined #openstack-keystone		06:17
*** ChanServ sets mode: +v henrynash		06:17
*** henrynash has quit IRC		06:20
*** afazekas_ has joined #openstack-keystone		06:24
*** yottatsa has quit IRC		06:25
*** yottatsa has joined #openstack-keystone		06:28
*** Nirupama has joined #openstack-keystone		06:28
*** topol has joined #openstack-keystone		06:44
*** ChanServ sets mode: +v topol		06:44
*** Nirupama has quit IRC		06:45
*** topol has quit IRC		06:48
*** odyssey4me has quit IRC		06:50
*** odyssey4me has joined #openstack-keystone		06:50
*** ankita_wagh has quit IRC		06:54
openstackgerrit	Marek Denis proposed openstack/keystone: Refactor: Provider._rebuild_federated_info() https://review.openstack.org/208872	07:01
*** hakimo has quit IRC		07:02
*** belmoreira has joined #openstack-keystone		07:02
*** hakimo has joined #openstack-keystone		07:03
*** kiran-r has joined #openstack-keystone		07:03
*** shoutm has quit IRC		07:27
*** Nirupama has joined #openstack-keystone		07:29
*** Nirupama has quit IRC		07:29
*** shoutm has joined #openstack-keystone		07:30
*** Nirupama has joined #openstack-keystone		07:32
*** markvoelker has joined #openstack-keystone		07:42
*** yottatsa has quit IRC		07:43
*** fhubik has joined #openstack-keystone		07:45
*** ankita_wagh has joined #openstack-keystone		07:45
*** fhubik is now known as fhubik_brb		07:46
*** markvoelker has quit IRC		07:46
*** yottatsa has joined #openstack-keystone		07:47
*** btully has quit IRC		07:47
*** fhubik_brb is now known as fhubik		07:47
*** jasondotstar has joined #openstack-keystone		07:48
*** yottatsa has quit IRC		07:51
*** jasondotstar has quit IRC		07:52
*** jagter has left #openstack-keystone		07:54
openstackgerrit	Dave Chen proposed openstack/keystone: Improve a few random docstrings https://review.openstack.org/211023	07:58
*** e0ne has joined #openstack-keystone		08:10
*** jistr has joined #openstack-keystone		08:12
*** e0ne has quit IRC		08:16
*** fhubik is now known as fhubik_brb		08:19
*** fhubik_brb is now known as fhubik		08:25
*** odyssey4me has quit IRC		08:26
*** odyssey4me has joined #openstack-keystone		08:27
*** davechen has quit IRC		08:31
*** davechen has joined #openstack-keystone		08:31
*** e0ne has joined #openstack-keystone		08:32
*** shoutm has quit IRC		08:34
*** henrynash has joined #openstack-keystone		08:34
*** ChanServ sets mode: +v henrynash		08:34
*** ankita_wagh has quit IRC		08:43
*** e0ne has quit IRC		08:53
*** katkapilatova has joined #openstack-keystone		08:55
*** afazekas_ is now known as afazekas		09:04
*** shoutm has joined #openstack-keystone		09:09
*** mkoderer has quit IRC		09:14
*** marzif_ has quit IRC		09:16
*** mkoderer has joined #openstack-keystone		09:17
*** belmoreira has quit IRC		09:18
*** belmoreira has joined #openstack-keystone		09:19
*** yottatsa has joined #openstack-keystone		09:26
*** _kiran_ has joined #openstack-keystone		09:28
*** kiran-r has quit IRC		09:31
*** marzif_ has joined #openstack-keystone		09:36
*** rajesht has joined #openstack-keystone		09:42
*** odyssey4me has quit IRC		09:43
rajesht	hi dolph	09:43
rajesht	you around ?	09:43
*** markvoelker has joined #openstack-keystone		09:43
*** odyssey4me has joined #openstack-keystone		09:43
rajesht	dolphm: you around ?	09:43
*** fhubik is now known as fhubik_brb		09:49
*** markvoelker has quit IRC		09:49
*** davechen has left #openstack-keystone		09:55
*** shoutm has quit IRC		09:58
*** odyssey4me has quit IRC		10:04
*** odyssey4me has joined #openstack-keystone		10:04
openstackgerrit	Boris Bobrov proposed openstack/keystone: Prevent exception due to missing id of LDAP entity https://review.openstack.org/207960	10:21
openstackgerrit	Boris Bobrov proposed openstack/keystone: Expose exception due to missing id of LDAP entity https://review.openstack.org/211088	10:21
*** Nirupama has quit IRC		10:22
*** jasondotstar has joined #openstack-keystone		10:29
*** stevemar has joined #openstack-keystone		10:34
*** ChanServ sets mode: +v stevemar		10:34
*** stevemar has quit IRC		10:37
*** josecastroleon has quit IRC		10:41
openstackgerrit	Marek Denis proposed openstack/keystone: Respect federated user name in UUID tokens. https://review.openstack.org/211093	10:41
openstackgerrit	Marek Denis proposed openstack/keystone: Respect federated user name in UUID tokens. https://review.openstack.org/211093	10:42
*** mylu has joined #openstack-keystone		10:43
openstackgerrit	Marek Denis proposed openstack/keystone: Respect federated user name in UUID tokens. https://review.openstack.org/211093	10:44
openstackgerrit	Marek Denis proposed openstack/keystone: Respect federated user name in tokens. https://review.openstack.org/211093	10:50
openstackgerrit	Boris Bobrov proposed openstack/keystone: Allow to provide an expected exception to `wip` decorator https://review.openstack.org/211098	10:50
*** kiran-r has joined #openstack-keystone		10:51
*** _kiran_ has quit IRC		10:55
*** mylu has quit IRC		10:58
openstackgerrit	Rodrigo Duarte proposed openstack/keystone-specs: Fix nits from Project Tree Deletion spec https://review.openstack.org/209057	11:03
*** yottatsa has quit IRC		11:05
*** fhubik_brb is now known as fhubik		11:09
samueldmq	morning	11:11
*** josecastroleon has joined #openstack-keystone		11:11
*** jasondotstar has quit IRC		11:18
*** henrynash has quit IRC		11:28
*** markvoelker has joined #openstack-keystone		11:29
*** shoutm has joined #openstack-keystone		11:30
*** kiran-r has quit IRC		11:32
*** markvoelker has quit IRC		11:34
openstackgerrit	Rodrigo Duarte proposed openstack/keystone-specs: Fix nits from Project Tree Deletion spec https://review.openstack.org/209057	11:36
*** marzif_ has quit IRC		11:45
*** marzif_ has joined #openstack-keystone		11:45
*** fhubik is now known as fhubik_brb		12:03
*** htruta has joined #openstack-keystone		12:04
*** markvoelker has joined #openstack-keystone		12:08
*** fhubik_brb is now known as fhubik		12:08
*** raildo has joined #openstack-keystone		12:11
*** gordc has joined #openstack-keystone		12:13
*** pawel_ has quit IRC		12:13
*** yottatsa has joined #openstack-keystone		12:24
*** yottatsa has quit IRC		12:25
*** hrou has joined #openstack-keystone		12:26
*** iurygregory has joined #openstack-keystone		12:34
*** stevemar has joined #openstack-keystone		12:35
*** ChanServ sets mode: +v stevemar		12:35
*** bapalm has joined #openstack-keystone		12:36
*** stevemar has quit IRC		12:38
*** edmondsw has joined #openstack-keystone		12:38
*** eandersson has joined #openstack-keystone		12:40
*** tjcocozz has joined #openstack-keystone		12:41
*** piyanai has joined #openstack-keystone		12:47
breton	where do we get self.identity_api in tests from?	12:50
breton	can't find its initialization	12:50
*** hrou has quit IRC		12:52
*** jamie_h has joined #openstack-keystone		12:52
*** bapalm_ has joined #openstack-keystone		12:58
*** bapalm has quit IRC		13:02
*** Kennan has quit IRC		13:03
*** elmiko has joined #openstack-keystone		13:03
*** diazjf has joined #openstack-keystone		13:07
*** yottatsa has joined #openstack-keystone		13:08
*** petertr7_away is now known as petertr7		13:09
breton	in load_backends of core.py.	13:10
*** nkinder has joined #openstack-keystone		13:16
marekd	dolphm: re: https://bugs.launchpad.net/keystone/+bug/1482701 there is a fix for that here: https://review.openstack.org/#/c/211093/ however this doesn't work for scoped federated tokens.	13:19
openstack	Launchpad bug 1482701 in Keystone "Federation: user's name in rules not respected" [Medium,In progress] - Assigned to Marek Denis (marek-denis)	13:19
*** Kennan has joined #openstack-keystone		13:20
marekd	dolphm: I am curious what's your opinoin on that matter - adding another field to fernet payload or let's change the policy on user name/id and say that for ephemeral users name will always be url_Decoded version of id ?	13:20
*** jecarey has quit IRC		13:20
marekd	oterwise we will be growing with fernet size.	13:20
marekd	lbragstad: Fernet is also your baby, give it some love ^^ :)	13:21
lbragstad	marekd: let me check out the bug report quick to get a little more context.	13:22
marekd	lbragstad: of course	13:22
*** dsirrine has joined #openstack-keystone		13:24
lbragstad	marekd: interesting, so this is something that happens with uuid, too	13:24
marekd	lbragstad: yes	13:24
lbragstad	I thought you meant it was fernet-specific	13:24
marekd	but a proposed fix (read up) fixes uuid	13:24
marekd	it' wont fix scoped fernet	13:24
marekd	lbragstad: well, i come up with the idea while playing with fernet, then found it'd be for all tokens, but when it comes to scoped fernet federated token fernet is not easily fixable.	13:25
lbragstad	marekd: because the token format has to change in order to "persist" the user name	13:25
lbragstad	right?	13:25
marekd	lbragstad:	13:26
marekd	yes	13:26
lbragstad	so, this means that we can't get scoped federated fernet tokens until we include this	13:26
marekd	we can	13:26
lbragstad	if we pass it as a header?	13:26
marekd	but name will be equal to id	13:26
marekd	will be set to is	13:26
lbragstad	oh...	13:26
marekd	id	13:26
lbragstad	sure	13:26
lbragstad	that makes sense	13:26
lbragstad	will that break anything else?	13:27
lbragstad	requiring that username and user id are equal?	13:27
marekd	dont thnk so	13:27
marekd	unless we will break ourselves	13:27
marekd	saying it could have been different.	13:27
*** tjcocozz has quit IRC		13:28
*** zzzeek has joined #openstack-keystone		13:29
*** jasondotstar has joined #openstack-keystone		13:29
*** tjcocozz has joined #openstack-keystone		13:30
lbragstad	marekd: so, this prevents us from being able to do scoped federated tokens.	13:32
lbragstad	but only if the user name and the user ids are different?	13:32
marekd	no	13:32
lbragstad	(how didn't we stumble across this before with UUID tokens?)	13:32
marekd	you can get the tokens	13:33
marekd	but the name will not be persisted	13:33
marekd	it will be set to id.	13:33
marekd	that's all	13:33
*** opilotte has joined #openstack-keystone		13:33
odyssey4me	marekd so I noticed this before, but thought that it was working as designed.	13:33
lbragstad	interesting	13:34
*** jasondotstar has quit IRC		13:34
odyssey4me	if you map the remote user name to either id or name it'll use whatever's provided as both the name and id	13:34
marekd	odyssey4me: yeah.	13:34
odyssey4me	it's not pretty, but it works, so I wasn't too fussed about it	13:34
marekd	odyssey4me: well, yes it works	13:35
marekd	but somehow we allow id and name for users	13:35
marekd	and maybe somebody is using it.	13:35
marekd	i don't know.	13:35
odyssey4me	it's a little horrible if you want to use, say, the SID from ADFS as the id to try to guarantee uniqueness	13:35
marekd	no, id should be unique	13:35
marekd	name is more like "human readable name"	13:36
odyssey4me	I originally had my maps using the upn as the name and the SID as the id	13:36
odyssey4me	that was nice and readable	13:36
*** marzif_ has quit IRC		13:36
marekd	what's SID ?	13:36
*** ayoung has joined #openstack-keystone		13:36
*** ChanServ sets mode: +v ayoung		13:36
odyssey4me	SID is an Active Directory unique ID	13:36
*** marzif_ has joined #openstack-keystone		13:36
lbragstad	https://technet.microsoft.com/en-us/library/Cc961625.aspx	13:36
marekd	odyssey4me: yeah, so id should be your source of user identification	13:37
*** yottatsa has quit IRC		13:37
marekd	but since we allow names we should probably keep them as well	13:37
marekd	or say aloud something's changes.	13:37
odyssey4me	lbragstad so yeah GUID would be a better unique ID - but it'd be nicer to have the name = the upn instead of the GUID	13:38
odyssey4me	we should only copy the id to the name if the name is not provided	13:38
lbragstad	GUIDs would be unique globally	13:38
marekd	odyssey4me: we do	13:38
marekd	we have a function that handles name/id filling if either is missing.	13:39
odyssey4me	oh, except that it's clearly overwriting the name at this point :p	13:39
marekd	odyssey4me: it isn't	13:39
marekd	user name is not stored in the fernet token payload	13:39
marekd	so when the json response is being built there is no name there.	13:40
marekd	that's why my superfunction fills name with id.	13:40
marekd	and it works as designed.	13:40
marekd	problem is the fernet :P	13:40
odyssey4me	ah	13:43
*** yottatsa has joined #openstack-keystone		13:44
lbragstad	so, we should either persist the username in the fernet payload, or make id and names the same	13:44
*** shoutm has quit IRC		13:44
*** tjcocozz_ has joined #openstack-keystone		13:48
marekd	lbragstad: yes	13:48
marekd	lbragstad: i answered your comment	13:48
openstackgerrit	Olivier Pilotte proposed openstack/keystone: Keystone accepts Group IDs from the IdP without any Domain reference https://review.openstack.org/210581	13:48
*** ayoung has quit IRC		13:49
*** jasondotstar has joined #openstack-keystone		13:49
*** tjcocozz has quit IRC		13:51
*** arif-ali has quit IRC		13:53
marekd	lbragstad: i don't know when dolphm's gonna be around so can you bug him for his opinion? Comment on a bug should be sufficient.	13:53
marekd	lbragstad: i might need to disappear relatively soon.	13:54
lbragstad	marekd: yeah, I'll be sure to follow up with him today	13:55
marekd	lbragstad: thanks.	13:55
lbragstad	marekd: worst case we'll add it to the agenda for tomorrow	13:55
openstackgerrit	Henrique Truta proposed openstack/keystone: Replicate domain info in projects table https://review.openstack.org/211170	13:56
marekd	lbragstad: i'd have done it long time ago, but chances are i will have to skip the meeting :P	13:56
marekd	lbragstad: have some evening business tbf.	13:56
marekd	tbd	13:56
lbragstad	marekd: no worries, I think we'll be able to come up with something today	13:56
marekd	lbragstad: super	13:56
*** jasondotstar has quit IRC		13:59
*** jasondotstar has joined #openstack-keystone		14:00
*** jdandrea has joined #openstack-keystone		14:00
*** geoffarnold has joined #openstack-keystone		14:02
*** petertr7 is now known as petertr7_away		14:03
*** boris-42 has joined #openstack-keystone		14:03
*** ayoung has joined #openstack-keystone		14:03
*** ChanServ sets mode: +v ayoung		14:03
*** hrou has joined #openstack-keystone		14:06
*** josecastroleon has quit IRC		14:06
*** petertr7_away is now known as petertr7		14:08
*** Kennan2 has joined #openstack-keystone		14:09
*** Kennan has quit IRC		14:09
*** arif-ali has joined #openstack-keystone		14:10
*** richm1 has joined #openstack-keystone		14:10
dstanek	samueldmq: i has hoping to find a way to make the caching in the client optional :-(	14:11
samueldmq	dstanek: so ... in policy GET calls, the server will be returning max-age in the cache control headers, right?	14:11
*** btully has joined #openstack-keystone		14:11
*** richm1 is now known as richm		14:11
dstanek	samueldmq: yep	14:12
samueldmq	dstanek: why optional? if we (as a server) send cache control headers, we expect that we (as a client) honor it	14:12
samueldmq	dstanek: so... in the point of the headers calculation ..	14:12
dstanek	samueldmq: i'd like to consider it experimental and not on by default, but i'm not sure that's possible	14:13
ayoung	make it a creation option if we don't want to hold on it, but the user can always create a new session if they want, to dump state	14:13
samueldmq	dstanek: yes, need to look more into it	14:14
samueldmq	dstanek: so .. we need to get the max-age value here https://github.com/openstack/keystone/blob/master/keystone/common/wsgi.py#L273-L274	14:14
samueldmq	dstanek: and it gets calculated in the policy manager (who takes care of the business logic)	14:14
samueldmq	dstanek: sounds sane so far? so the point is how it gets there	14:14
dstanek	yes	14:15
openstackgerrit	Lance Bragstad proposed openstack/keystone: Additional documentation for services https://review.openstack.org/211184	14:15
dstanek	ayoung: that's a good idea....it would allow me to make configuration someone else's problem	14:15
samueldmq	dstanek: so the controllers return either a set or a single entity, in this case an entity in the form {'policy': {content...}}	14:15
dstanek	samueldmq: hold on one set	14:16
dstanek	sec	14:16
samueldmq	dstanek: sure	14:16
openstackgerrit	Marianne Linhares Monteiro proposed openstack/keystone: List credentials by type https://review.openstack.org/208620	14:17
dstanek	the way i've started to prototype this is workable for most things. a simple decorator @cachecontrol(max_age={num seconds})	14:17
ayoung	if we do cache, do we keep in memory only, or provide a disk space? Maybe disk is optional, and a max memory size for caching?	14:18
dstanek	and then a little logic is in wsgi.py to set the correct headers	14:18
*** yottatsa has quit IRC		14:18
ayoung	what do we getfrom the requests library for support in caching?	14:18
*** r-daneel has joined #openstack-keystone		14:19
dstanek	ayoung: nothing. i'm using cachecontrol a library that works with requests	14:19
dstanek	i doubt the memory cache has memory limits, maybe object limits...	14:20
*** yottatsa has joined #openstack-keystone		14:20
dstanek	i was planning on just doing a filecache by default	14:21
dstanek	samueldmq: does that make sense? in most cases you won't case about the object itself. the timeout is just general. these resources only last a few seconds	14:22
dstanek	ayoung: what do you think if i have the thing making the Session object just pass in a cache backend. no backend means no cache	14:23
*** fhubik is now known as fhubik_brb		14:24
*** fhubik_brb is now known as fhubik		14:27
*** josecastroleon has joined #openstack-keystone		14:29
*** afazekas has quit IRC		14:31
*** yottatsa has quit IRC		14:34
*** stevemar has joined #openstack-keystone		14:35
*** ChanServ sets mode: +v stevemar		14:35
*** katkapilatova has left #openstack-keystone		14:37
*** jsavak has joined #openstack-keystone		14:37
*** yottatsa has joined #openstack-keystone		14:38
morgan_503	dstanek: that is mostly reasonable.	14:38
*** stevemar has quit IRC		14:38
morgan_503	dstanek: that also alleviates the issue of cache config in keystoneauth itself	14:38
*** jecarey has joined #openstack-keystone		14:41
*** stevemar has joined #openstack-keystone		14:41
*** ChanServ sets mode: +v stevemar		14:41
*** piyanai has quit IRC		14:42
samueldmq	dstanek: yes, I was talking about a little logic in wsgi.py to set the headers	14:42
samueldmq	dstanek: so instead of returning only {'policy': entity}, controller could add {'freshness': freshness} to that dict	14:43
samueldmq	dstanek: wsgi.py would then get it and generate the response with the appropriate cache control (max-age) headers	14:43
samueldmq	morgan_503: hey, what's up? :)	14:44
samueldmq	morgan_503: back to you regular tz ?	14:44
samueldmq	your*	14:44
dstanek	i don't think the controller needs to change at all for this	14:46
samueldmq	dstanek: so how the freshness (calculated at manager level) gets to the application level (wsgi request in wsgi.py)	14:47
dstanek	samueldmq: today's a code day for me (very little reviews!) so i'll push up my changes to show you	14:47
samueldmq	dstanek: does it go into the entity itself?	14:47
dstanek	samueldmq: what needs to be calculated at all?	14:47
*** fifieldt_ has quit IRC		14:47
dstanek	if we say a resource is generally cacheable for 10 seconds then we just say 10 seconds. no need to calculate anything	14:48
samueldmq	dstanek: not for policies	14:48
samueldmq	dstanek: the cache is controled and based on a timeout in the server	14:48
dstanek	right, that's what i'm talking about	14:48
samueldmq	dstanek: that's what the whole spec 'Centralized Policies Distribution Mechanism' is about	14:48
dstanek	so what is there to calculate?	14:49
dstanek	and how do you calculate it?	14:49
samueldmq	dstanek: https://review.openstack.org/#/c/209695/1/keystone/policy/core.py	14:49
samueldmq	dstanek: lines 58-89	14:49
dstanek	samueldmq: why are you not just setting the max ago to a static number of seconds?	14:51
samueldmq	dstanek: multiple endpoint processes behind a proxy	14:52
samueldmq	dstanek: suppose multiple nova processes (having the same endpoint id at keystone), they must use the same policy consistently	14:53
dstanek	with caching they won't - there may be a difference of a second or two	14:53
samueldmq	dstanek: what caching ? they need the polic yto then cache it right ?	14:54
dstanek	why would that be a problem? it would only be a problem if those instance depended on each other	14:54
dstanek	samueldmq: as soon as you just into http caching you are agreeing to a level of eventual consistency	14:55
samueldmq	dstanek: you can't have different policies at different processes behind a proxy	14:55
*** topol has joined #openstack-keystone		14:55
*** ChanServ sets mode: +v topol		14:55
*** narengan has joined #openstack-keystone		14:55
samueldmq	dstanek: we need to ensure they will have the same policy at any time	14:56
dstanek	then we can't use http caching	14:56
samueldmq	why?	14:56
*** henrynash has joined #openstack-keystone		14:56
*** ChanServ sets mode: +v henrynash		14:56
samueldmq	dstanek: we have our own caching mechanism, and we are making use of http headers	14:56
samueldmq	dstanek: we control both sides of the cache	14:57
dstanek	if someone uses an intermediary that doesn't have our custom rules you scheme will break	14:57
*** fhubik has quit IRC		14:57
dstanek	and i'd really, really like to get varnish in front of keystone	14:57
dstanek	what is the problem if processes have difference policies for a few seconds?	14:58
samueldmq	dstanek: I am gonna include the 'private" in the cache control headers	14:58
samueldmq	dstanek: from the spec: ``private``: indicates that the response message is intended for a single endpoint and must not be cached by a shared cache.	14:58
dstanek	samueldmq: why?	14:58
samueldmq	dstanek: because of the max-age, whch is different for different processes (depending on when they ask for the policy update)	14:59
openstackgerrit	Henrique Truta proposed openstack/keystone: Creating tests for projects acting as domains https://review.openstack.org/211219	14:59
dstanek	samueldmq: but why is that a problem?	15:00
samueldmq	dstanek: if we don't control the cache that way, processes can have different policies for X seconds, where X is the policy timeout	15:00
dstanek	samueldmq: also what is you logic actually calculating?	15:00
*** piyanai has joined #openstack-keystone		15:00
dstanek	samueldmq: otherwise everything will hit keystone at the same time for a policy update	15:01
samueldmq	dstanek: no they won't	15:01
samueldmq	dstanek: we took care of the thundering herd	15:01
breton	could some non-ibmer +2a https://review.openstack.org/#/c/210477/ ?	15:01
samueldmq	dstanek: we add a delya based on a policy_id hash,	15:01
openstackgerrit	Boris Bobrov proposed openstack/keystone: Adds a notification testcase for unbound methods https://review.openstack.org/210478	15:01
samueldmq	dstanek: so different policies times out at different points in the time, but with the same timeout	15:02
*** geoffarnold is now known as geoffarnoldX		15:02
dstanek	samueldmq: ok, so you are doing lots of logic so that the times are the same so that policies is not different between process, but on the client side you introduce timeouts the combat the herd and that will make policy different for that client?	15:03
samueldmq	dstanek: the server takes care of the timeouts, so it worries about when it times out	15:04
samueldmq	dstanek: the only thing the client gets is: max-age	15:04
samueldmq	dstanek: and respect it	15:04
samueldmq	dstanek: I believe the section Proposed Solution in the spec has a good (and quick) explanation	15:06
samueldmq	dstanek: https://review.openstack.org/#/c/197980/12/specs/backlog/dynamic-policies-delivering-mechanism.rst	15:06
samueldmq	dstanek: and it would confuse you less than I probably can :(	15:06
dstanek	the freshness is client side right?	15:07
samueldmq	dstanek: it is calculated at server side, and the client side respects it	15:07
dstanek	so how do you prevent the herd?	15:07
samueldmq	dstanek: ok let me give you an example	15:08
dstanek	when everyone comes back for a policy they will come back at the exact same time right?	15:08
samueldmq	dstanek: no, they won't, because everyone doesn"t want the same policy	15:08
samueldmq	dstanek: everyone who wants teh same policy id will come at the same time	15:09
samueldmq	dstanek: how do I prevent that ? ok ..	15:09
*** geoffarnoldX is now known as geoffarnold		15:09
samueldmq	dstanek: I am the server and I am timing out at 12:00, but each policy will times out around that time, but not at that exact time	15:09
samueldmq	dstanek: 12:00 + (policy_id % timeout)	15:10
samueldmq	^	15:10
*** thedodd has joined #openstack-keystone		15:10
dstanek	samueldmq: so let's step back	15:10
samueldmq	dstanek: this is when the policy with a given id will actually expires, not exactly at 12:00	15:10
samueldmq	dstanek: sure	15:10
dstanek	samueldmq: after a policy is changed how quickly should the change occur?	15:11
samueldmq	dstanek: it will occur the next time the server times out for that policy id	15:11
samueldmq	dstanek: so we have the concept of policy releases	15:11
samueldmq	dstanek: for policy X, I timed out at 12:00 o'clock, so I will be delivering the same policy as it was at 12:00 until 12:05, if timeout is 300	15:12
dstanek	samueldmq: think from a admin perspective. what is the SLA we tell them for when their changes take effect?	15:12
*** topol has quit IRC		15:13
dstanek	10 seconds, 1 minute, 1 hour, etc?	15:13
samueldmq	dstanek: they would have soem delay to enable the modified policy using puppet	15:13
samueldmq	dstanek: the max time it will take is the timeout set for policy entities	15:13
samueldmq	same*	15:13
*** jamie_h has quit IRC		15:14
*** geoffarnold has quit IRC		15:15
samueldmq	which is, by default, 300 seonds	15:15
samueldmq	seconds	15:15
dstanek	so every 5 minutes the server will check back. so at that point you may have a herd for some policies	15:16
dstanek	also that mean you accept that 1 or more nodes may be ouf of sync for up to 5 minutes	15:16
samueldmq	dstanek: every 5 minutes, the server will release a new policy, but that is not every 5 minutes, that happnes when the next request comes	15:16
samueldmq	dstanek: and the server detects the policy is out-of-date, then re-release it before returning	15:17
dstanek	what do you mean by releases?	15:17
samueldmq	dstanek: no we don't allow that	15:17
samueldmq	dstanek: we have thought about all that :/	15:17
samueldmq	dstanek: ok, let me explaing all the solution as I see it	15:17
samueldmq	dstanek: ready?	15:18
dstanek	samueldmq: not necessary, i've read the specs	15:18
dstanek	i just don't think it's as cut and dry as you do	15:18
dstanek	what happens is there is a hiccup getting a policy from the server? do we fail or instruct the client to use what they had?	15:19
samueldmq	dstanek: ok, so policies time out at different times, but every 5 minutes	15:19
*** phalmos has joined #openstack-keystone		15:20
samueldmq	dstanek: it doesn't matter what client is going to ask the policy entity	15:20
samueldmq	dstanek: the server returns the requested entity + its freshenss	15:20
samueldmq	dstanek: that's all the client side have to care about	15:21
samueldmq	dstanek: other than that, is on server side	15:21
dstanek	samueldmq: so what happens if the request to fetch a policy fails?	15:21
samueldmq	dstanek: whatever HTTP error ? the client needs to care about it, and should retry, etc	15:22
samueldmq	dstanek: that can happens with nova asking for cinder images for example ?	15:23
dstanek	samueldmq: so assume that it can't get the policy for some reason. what happens?	15:23
samueldmq	dstanek: it is possibly inconsistent with other endpoint processes behind the same policy	15:24
samueldmq	dstanek: so it needs either i) to reject the request, since it can't get enough info to enforce access control	15:24
samueldmq	dstanek: or ii) use the "old" policy	15:24
samueldmq	dstanek: what happens if puppet fails to reach a node when distributing the policies ?	15:25
dstanek	samueldmq: what strategy are you implementing?	15:27
*** arunkant has joined #openstack-keystone		15:27
dstanek	i imagine that #2 is what happens with all current configuration management solutions	15:28
*** josecastroleon has quit IRC		15:28
samueldmq	dstanek: currently, when the middleware receives a HTTP error from the client, it is just logging and saying it can't fetch the policy from keystone and is falling to the old mechanism, i.e ignoring changes form the servers	15:28
samueldmq	dstanek: yes so basically I am doing that ...	15:29
*** kiran-r has joined #openstack-keystone		15:29
samueldmq	dstanek: last lines here https://review.openstack.org/#/c/188561/6/keystonemiddleware/auth_token/_identity.py	15:30
samueldmq	dstanek: and the exception is caught here	15:30
samueldmq	dstanek: https://review.openstack.org/#/c/188561/6/keystonemiddleware/auth_token/_policy.py	15:30
dstanek	so as i said earlier your already accepting the fact that processes can be out of date for up to the policy timeout	15:30
*** rajesht has quit IRC		15:31
samueldmq	dstanek: that's an exceptional behavior, not the planned one	15:31
samueldmq	dstanek: we can't plan and just accept they can be incosistent between endpint processes all the tiem	15:31
samueldmq	dstanek: that was a concern from morgan, btw	15:32
samueldmq	dstanek: and I agree that's important to be considered	15:32
dstanek	it must be explicitly designed for. in any sufficiently sized deployment i would that exceptional case to happen relatively often	15:34
samueldmq	dstanek: the network failing and policy request failing ?	15:34
dstanek	i'd like to design for Amazon scale and hope that one of the OpenStack public clouds get there :-)	15:35
samueldmq	dstanek: if it fails because the server is unavailable, we wouldn't be able to validate teh token anyway	15:35
dstanek	samueldmq: depends on the failure	15:35
dstanek	otherwise your idea of a retry wouldn't work anyway...	15:36
dstanek	also are you expecting two values to be set? one for the timeout and one for the freshness?	15:36
samueldmq	dstanek: no, just max-age is set	15:37
dstanek	no, i mean in the config	15:37
samueldmq	dstanek: the server control the timeout, and according to its own timeout + plicy id hash, it calculates the freshness (max-age)	15:37
samueldmq	dstanek: just in the server config	15:37
*** belmoreira has quit IRC		15:38
samueldmq	dstanek: and adding support of CacheControl at ksclient, so ksmiddleware doesn't need to care about anything at all	15:39
samueldmq	dstanek: other than just 'self.client.policies.get(id)"	15:39
samueldmq	(something like that, since it isn't requesting the policy by its id directly, but using the endpoint_id instead)	15:43
dstanek	samueldmq: the endpoint_id will always return the same policy right?	15:45
*** yottatsa has quit IRC		15:45
samueldmq	dstanek: it depends on the association in the server side, which is defined by endpoint-policy extension	15:47
*** yottatsa has joined #openstack-keystone		15:48
openstackgerrit	Ioram Schechtman Sette proposed openstack/keystone-specs: Basic API spec for managing Policy rules in a database https://review.openstack.org/184903	15:48
dstanek	samueldmq: what would make if give a different response?	15:49
*** yottatsa has quit IRC		15:49
*** jistr has quit IRC		15:50
samueldmq	dstanek: the different response will come with its respective max-age	15:50
samueldmq	dstanek: I don't see the point where it could be an issue	15:50
dstanek	samueldmq: i'm just thinking it through	15:51
samueldmq	dstanek: cool, I think you were leading me to see an issue you were seeing already :-)	15:52
dstanek	samueldmq: so except for it changing at some point we will always return the same response for the same request. we don't vary it by data in the token or anything else right?	15:52
openstackgerrit	Merged openstack/keystone: Correct enabled emulation query to request no attributes https://review.openstack.org/187065	15:52
*** jorge_munoz has joined #openstack-keystone		15:53
*** geoffarnold has joined #openstack-keystone		15:53
*** bknudson has joined #openstack-keystone		15:54
*** ChanServ sets mode: +v bknudson		15:54
samueldmq	dstanek: yes, in every 5 minutes time slice, we return the same policy	15:54
samueldmq	dstanek: even if the policy entity has been changed/deleted, that will only take effect at the next time it times out (when endpoint processes ask for an update)	15:55
*** _cjones_ has joined #openstack-keystone		15:55
samueldmq	dstanek: policy changes/ association changes in the endpoint-policy extension, will take effect in the next timeout	15:55
samueldmq	dstanek: and that doesn't vary by any data at all	15:55
dstanek	samueldmq: no that's fine. i was just making sure that the same request will always get the same response (if the resource hasn't changed)	15:56
samueldmq	dstanek: only max-age will be different, even if resource ahsn't changed	15:56
samueldmq	dstanek: makes sense?	15:56
dstanek	samueldmq: yep, i'm just looking for the common problems	15:57
samueldmq	dstanek: if a second request is a second later the first one, the policy will be valid for 1 second less	15:57
samueldmq	dstanek: nice	15:57
*** darrenc has quit IRC		15:57
*** darrenc has joined #openstack-keystone		15:58
samueldmq	dstanek: if a shared cache stores an entity and it has a max-age set, does it update the max-age value when returning the cached entity ?	16:02
samueldmq	dstanek: I mean, decresing it over the time ?	16:02
dstanek	samueldmq: jas in a meeting	16:03
*** petertr7 is now known as petertr7_away		16:03
*** petertr7_away is now known as petertr7		16:03
samueldmq	dstanek: np, I am gonna continue with the implementation as it is in the specs, want to finish today before the FFE email	16:03
samueldmq	dstanek: thanks for getting involved	16:04
*** browne has joined #openstack-keystone		16:05
*** e0ne has joined #openstack-keystone		16:13
*** kiran-r has quit IRC		16:14
*** jasonsb has quit IRC		16:20
*** ankita_wagh has joined #openstack-keystone		16:22
*** yottatsa has joined #openstack-keystone		16:31
*** e0ne has quit IRC		16:33
*** hrou has quit IRC		16:39
*** bapalm has joined #openstack-keystone		16:43
*** lhcheng has joined #openstack-keystone		16:43
*** ChanServ sets mode: +v lhcheng		16:43
*** marzif_ has quit IRC		16:44
*** marzif_ has joined #openstack-keystone		16:44
*** e0ne has joined #openstack-keystone		16:47
*** diazjf has quit IRC		16:52
*** e0ne has quit IRC		16:52
*** petertr7 is now known as petertr7_away		16:55
samueldmq	dstanek: you ok with the @cachecontrol annotation receiving a function as parameter ?	16:56
samueldmq	dstanek: you already started that code ?	16:56
*** ankita_wagh has quit IRC		16:57
*** ankita_wagh has joined #openstack-keystone		16:58
*** narengan has quit IRC		16:58
samueldmq	dstanek: I will keep it simple for now, can use that annotation an improvement/when you submit it :)	16:59
*** narengan has joined #openstack-keystone		16:59
*** ankita_wagh has quit IRC		17:02
openstackgerrit	Merged openstack/keystone: Fixes an incorrect docstring in notifications https://review.openstack.org/210477	17:02
openstackgerrit	Merged openstack/keystone: Improve a few random docstrings (H405) https://review.openstack.org/210607	17:03
*** narengan has quit IRC		17:04
dstanek	samueldmq: on the server side you mean?	17:05
samueldmq	dstanek: yes	17:06
dstanek	samueldmq: the client side cache should only update the max-age when the server tells it to	17:06
dstanek	samueldmq: i have some partially working stuff that i took from a project i worked on in the past	17:06
samueldmq	dstanek: and how does the server tells it to update ? just passing a max-age value ,	17:08
samueldmq	?	17:08
dstanek	samueldmq: every server response will respond with the current max-age and the client will request again after that getting a new resource and a new max-age	17:09
samueldmq	dstanek: ++	17:10
*** jasonsb has joined #openstack-keystone		17:10
*** jamielennox is now known as jamielennox\|away		17:11
*** jasonsb has quit IRC		17:14
*** jasonsb has joined #openstack-keystone		17:14
*** ankita_wagh has joined #openstack-keystone		17:14
*** bapalm has quit IRC		17:16
*** bapalm has joined #openstack-keystone		17:16
*** HT_sergio has joined #openstack-keystone		17:19
openstackgerrit	Samuel de Medeiros Queiroz proposed openstack/keystone: Enable Cache-Control HTTP values in responses https://review.openstack.org/211271	17:20
samueldmq	dstanek: does this look sane to you ? ^	17:20
*** bapalm has quit IRC		17:21
*** ankita_w_ has joined #openstack-keystone		17:24
*** topol has joined #openstack-keystone		17:24
*** ChanServ sets mode: +v topol		17:24
*** ankita_wagh has quit IRC		17:27
*** topol has quit IRC		17:29
*** diazjf has joined #openstack-keystone		17:31
*** HT_sergio has quit IRC		17:34
*** marzif_ has quit IRC		17:36
*** marzif_ has joined #openstack-keystone		17:36
*** Guest30753 is now known as tsymanczyk		17:38
*** marzif_ has quit IRC		17:44
*** roxanaghe has joined #openstack-keystone		17:53
*** piyanai has quit IRC		17:55
*** piyanai has joined #openstack-keystone		17:56
*** piyanai has quit IRC		17:56
*** HT_sergio has joined #openstack-keystone		17:57
*** flwang has quit IRC		17:58
*** piyanai has joined #openstack-keystone		17:58
*** petertr7_away is now known as petertr7		18:00
*** hrou has joined #openstack-keystone		18:03
*** opilotte has quit IRC		18:04
*** opilotte has joined #openstack-keystone		18:06
*** e0ne has joined #openstack-keystone		18:06
*** bapalm has joined #openstack-keystone		18:07
*** bapalm has quit IRC		18:07
*** bapalm has joined #openstack-keystone		18:08
*** piyanai has quit IRC		18:09
*** e0ne has quit IRC		18:10
*** flwang has joined #openstack-keystone		18:11
*** yottatsa has quit IRC		18:14
*** yottatsa has joined #openstack-keystone		18:16
*** hrou has quit IRC		18:18
*** narengan has joined #openstack-keystone		18:19
*** e0ne has joined #openstack-keystone		18:21
*** narengan has quit IRC		18:21
*** narengan has joined #openstack-keystone		18:22
*** toddnni has quit IRC		18:23
*** toddnni has joined #openstack-keystone		18:23
*** toddnni has quit IRC		18:23
*** josecastroleon has joined #openstack-keystone		18:24
openstackgerrit	Samuel de Medeiros Queiroz proposed openstack/keystone: Enable Cache-Control HTTP values in responses https://review.openstack.org/211271	18:24
openstackgerrit	Samuel de Medeiros Queiroz proposed openstack/keystone: Fixes query.one() return usage in endpoint-policy https://review.openstack.org/208609	18:24
openstackgerrit	Samuel de Medeiros Queiroz proposed openstack/keystone: Centralized Policies Distribution Mechanism https://review.openstack.org/209695	18:24
*** marzif_ has joined #openstack-keystone		18:25
*** narengan has quit IRC		18:26
*** bapalm__ has joined #openstack-keystone		18:27
*** toddnni has joined #openstack-keystone		18:29
*** ankita_wagh has joined #openstack-keystone		18:30
*** bapalm has quit IRC		18:30
openstackgerrit	Henrique Truta proposed openstack/keystone: Honor domain operations in project table https://review.openstack.org/143763	18:32
htruta	dstanek: ^ here it is	18:32
*** ankita_w_ has quit IRC		18:32
htruta	300 lines smaller	18:32
*** ayoung has quit IRC		18:33
*** ngupta has joined #openstack-keystone		18:34
*** tsymanczyk has quit IRC		18:34
*** rm_work\|away is now known as rm_work		18:36
*** Tedster has quit IRC		18:44
*** Tedster has joined #openstack-keystone		18:44
*** yottatsa has quit IRC		18:46
*** hrou has joined #openstack-keystone		18:46
*** eandersson has quit IRC		18:46
*** yottatsa has joined #openstack-keystone		18:46
*** piyanai has joined #openstack-keystone		18:53
*** josecastroleon has quit IRC		18:54
*** yottatsa has quit IRC		18:54
*** yottatsa has joined #openstack-keystone		18:55
*** narengan has joined #openstack-keystone		18:56
*** tsymanczyk has joined #openstack-keystone		18:57
openstackgerrit	Boris Bobrov proposed openstack/keystone: Prevent exception due to missing id of LDAP entity https://review.openstack.org/207960	18:57
openstackgerrit	Boris Bobrov proposed openstack/keystone: Expose exception due to missing id of LDAP entity https://review.openstack.org/211088	18:57
*** tsymanczyk is now known as Guest96634		18:57
*** yottatsa has quit IRC		19:00
openstackgerrit	Samuel de Medeiros Queiroz proposed openstack/keystone: Fixes query.one() return usage in endpoint-policy https://review.openstack.org/208609	19:00
openstackgerrit	Samuel de Medeiros Queiroz proposed openstack/keystone: Enable Cache-Control HTTP values in responses https://review.openstack.org/211271	19:00
openstackgerrit	Samuel de Medeiros Queiroz proposed openstack/keystone: Centralized Policies Distribution Mechanism https://review.openstack.org/209695	19:01
*** narengan has quit IRC		19:01
*** narengan has joined #openstack-keystone		19:02
*** petertr7 is now known as petertr7_away		19:05
*** narengan has quit IRC		19:06
*** petertr7_away is now known as petertr7		19:06
*** opilotte has quit IRC		19:07
*** bapalm_ has quit IRC		19:08
*** ankita_w_ has joined #openstack-keystone		19:12
*** Guest96634 has quit IRC		19:13
*** tsymancz1k has joined #openstack-keystone		19:13
*** stevemar has quit IRC		19:15
*** ankita_wagh has quit IRC		19:15
*** gyee has joined #openstack-keystone		19:16
*** ChanServ sets mode: +v gyee		19:16
*** stevemar has joined #openstack-keystone		19:16
*** ChanServ sets mode: +v stevemar		19:16
*** browne has quit IRC		19:18
*** narengan has joined #openstack-keystone		19:18
*** jsavak has quit IRC		19:19
*** ngupta_ has joined #openstack-keystone		19:20
*** ngupta has quit IRC		19:21
openstackgerrit	Samuel de Medeiros Queiroz proposed openstack/keystone: Centralized Policies Distribution Mechanism https://review.openstack.org/209695	19:21
*** opilotte has joined #openstack-keystone		19:22
*** jsavak has joined #openstack-keystone		19:23
*** atiwari has joined #openstack-keystone		19:28
marekd	lbragstad: dolphm why would you need jamies spec?	19:30
*** belmoreira has joined #openstack-keystone		19:34
*** ayoung has joined #openstack-keystone		19:38
*** ChanServ sets mode: +v ayoung		19:38
*** ankita_w_ has quit IRC		19:38
*** bapalm__ has quit IRC		19:44
*** bapalm has joined #openstack-keystone		19:45
*** bapalm has quit IRC		19:46
*** bapalm has joined #openstack-keystone		19:46
samueldmq	omg, there is support for endpoint-policy extension on ksclient already	19:48
samueldmq	I was going to implement it o/	19:49
*** ksavich has joined #openstack-keystone		19:50
samueldmq	ayoung: I have all the needed code for the centralized policy distribution (only needing CacheControl support on ksclient + some unit tests on the server patches)	19:50
*** jsavak has quit IRC		19:51
samueldmq	ayoung: I am going to draft the FFE request email, will ask for you feedback on it in a bit	19:51
*** jsavak has joined #openstack-keystone		19:52
dstanek	samueldmq: once i get it working i'll post an alternate server side impl of caching	19:53
dstanek	i'm trying to figure out the client side tests now	19:53
dstanek	marekd: multple IdP's using the same protocol over WebSSO	19:53
samueldmq	dstanek: nice, thanks	19:54
dstanek	samueldmq: your current impl is broken because it is still caching based on the token	19:55
dstanek	samueldmq: by default (for whatever historical reason) we add a vary header	19:55
*** ankita_wagh has joined #openstack-keystone		19:57
samueldmq	dstanek: so by default every entity is cached based on the token? in ksclient ...	19:57
dstanek	samueldmq: no, on the server side	19:58
dstanek	we are adding a vary header	19:58
marekd	dstanek: you don't need multiple routes for this	19:59
marekd	dstanek: i would even say jamie's goal was different	19:59
*** tsymanczyk has joined #openstack-keystone		19:59
marekd	and this is not what he complained about	19:59
samueldmq	dstanek: what we'll be doing for policies ? not caching at all ?	20:00
*** tsymanczyk is now known as Guest84367		20:00
samueldmq	dstanek: in that case ..	20:00
dstanek	marekd: beyond making protocols like "SAML_ipd_a" and "SAML_idp_b" how do you use multiple IdPs?	20:00
samueldmq	dstanek: in what level do we cache it ?	20:01
dstanek	samueldmq: level?	20:01
samueldmq	dstanek: that should be the first question :)	20:01
samueldmq	dstanek: manager/controller ?	20:01
marekd	dstanek: so for sso there is one entrypoint	20:01
marekd	/auth/websso/saml2	20:01
openstackgerrit	Henrique Truta proposed openstack/keystone: Creating tests for projects acting as domains https://review.openstack.org/211219	20:01
openstackgerrit	Henrique Truta proposed openstack/keystone: Honor domain operations in project table https://review.openstack.org/143763	20:01
marekd	you use discovery service, either install some 3rd party stuff, or maybe even implement it yourself	20:02
marekd	like in this blogpost	20:02
samueldmq	dstanek: I am asking because I am worried about the max-age, which changes for every response (so it can't be cached)	20:02
openstackgerrit	Henrique Truta proposed openstack/keystone: List projects filtering by is_domain flag https://review.openstack.org/158398	20:02
dstanek	samueldmq: you're asking about where the the header is defined not where the caching actually happens rigtht?	20:03
samueldmq	dstanek: if it's at the manager level, we add the max-age at the controllr level	20:03
*** tsymancz1k has quit IRC		20:03
openstackgerrit	Henrique Truta proposed openstack/keystone: Restrict inherited role assignments to subdomains https://review.openstack.org/164180	20:03
openstackgerrit	Henrique Truta proposed openstack/keystone: Remove domain table references https://review.openstack.org/165936	20:03
*** woodster_ has joined #openstack-keystone		20:03
openstackgerrit	Henrique Truta proposed openstack/keystone: Restricting domain_id update https://review.openstack.org/207218	20:03
samueldmq	dstanek: I am defining hte header value at controller	20:03
openstackgerrit	Henrique Truta proposed openstack/keystone: Bye Bye Domain Table https://review.openstack.org/161854	20:03
openstackgerrit	Henrique Truta proposed openstack/keystone: Add is_domain in token response https://review.openstack.org/197331	20:03
dstanek	samueldmq: all of the HTTP logic should be at the controller layer	20:03
openstackgerrit	Henrique Truta proposed openstack/keystone: Change policy to comply with is_domain in token https://review.openstack.org/206063	20:03
samueldmq	dstanek: yes I am doing it there	20:03
dstanek	the manager shouldn't know anything about HTTP at all	20:03
*** gabriel-bezerra has quit IRC		20:04
samueldmq	dstanek: yes I agree, and I am not doing that :)	20:04
samueldmq	dstanek: I am worried about where the caching occurs, if we cache the controller return, we would probably be caching the max-age, which is not desired	20:04
dstanek	samueldmq: what do you mean by caching the max-age?	20:04
samueldmq	dstanek: if we cache the manager level, we just cache the entities, so there is no problem at all	20:04
dstanek	samueldmq: we are not caching at all on the server side	20:05
lbragstad	marekd: but doesn't implementing a discover service mean that everyone that uses that discovery service know all IdPs you use?	20:05
samueldmq	dstanek: look at how I am doing it right now https://review.openstack.org/#/c/209695/4/keystone/endpoint_policy/controllers.py	20:05
samueldmq	dstanek: huh, I thought you said we were caching at server side	20:06
lbragstad	dstanek: cc ^	20:06
dstanek	samueldmq: no, we only generate headers on the server side	20:06
samueldmq	dstanek: where do the caching occurs? the caching that, by default, is based on the token (as we were talking before)	20:07
samueldmq	does the caching occur*** (bad English)	20:07
samueldmq	:(	20:07
dstanek	samueldmq: the actual caching when we talk about HTTP caching is on the client side	20:08
marekd	lbragstad: it does, but you can also add a hashmap, so the user has to type idp name and it may map to some sort of url.	20:08
dstanek	marekd: lbragstad: the map to URL is what i was thinking in my email and sorta what we talked about today	20:08
*** Ephur has joined #openstack-keystone		20:09
marekd	i didn't talk with you today :(	20:09
*** bapalm has quit IRC		20:09
dstanek	marekd: no, lbragstad, dolphm and i	20:09
marekd	dstanek: sure.	20:09
samueldmq	samueldmq \| dstanek: so by default every entity is cached based on the token? in ksclient ...	20:09
samueldmq	+dstanek \| samueldmq: no, on the server side	20:09
lbragstad	ok, so once the DS knows what IdP the user wants, what call does it make to keystone? (my second questions)	20:09
samueldmq	dstanek: we messed up earlier then :p	20:09
samueldmq	^	20:09
*** bapalm has joined #openstack-keystone		20:09
lbragstad	s/questions/question/	20:09
marekd	dstanek: lbragstad so your goal is to add a dashboard for all the clients, so they can come from different IdPs and they cannot see who else is cloud provider's client?	20:10
dstanek	samueldmq: this has nothing to do with ksc; right now we add a vary header for the token; this means that any client that implements caching will cache based on the token	20:10
lbragstad	marekd: yes, similar to this case that jamielennox\|away described -- http://lists.openstack.org/pipermail/openstack-dev/2015-August/071504.html	20:11
dstanek	ok, i have a 2 hour phone call starting soon :-(	20:11
marekd	lol	20:12
*** bapalm has quit IRC		20:12
marekd	poor David	20:12
*** e0ne has quit IRC		20:12
*** bapalm has joined #openstack-keystone		20:12
* lbragstad wonders if dstanek is going into management?		20:12
marekd	lbragstad: let me read this thread	20:12
dstanek	lbragstad: i'd rather die	20:12
lbragstad	dstanek: lol	20:12
samueldmq	dstanek: hmm, got it ... so in the policy case we will tell the clients to cache based on the policy id (like adding a vary header for it) ..	20:12
marekd	lbragstad: this is where money lay	20:12
samueldmq	dstanek: besides respecting the max-age	20:12
*** browne has joined #openstack-keystone		20:14
lbragstad	marekd: right now, don't we call federated_sso_auth based on the protocol_id?	20:14
dstanek	samueldmq: nope, the vary header is a list of headers that should be used as a part of the cache key; the endpoint_id we are using is in the URL which is already a part of the cache key by default	20:14
lbragstad	I don't think we have a way to call federated_sso_auth based on the idp id alone	20:14
lbragstad	which is what jamielennox\|away was thinking about adding in the proposal	20:15
samueldmq	dstanek: so we just need to remove tje token from that list	20:15
samueldmq	dstanek: if that is not true, I have not understood anything at all :p	20:15
dstanek	samueldmq: in some cases yes that will need to happen	20:15
samueldmq	dstanek: because using the same client, even if tokens are differnet, we get teh same policy	20:16
samueldmq	dstanek: nice, thanks o/	20:16
samueldmq	dstanek: I am preparing the FFE email, I will be updating my patches according to yours as we go this week	20:16
dstanek	samueldmq: right, and if we are caching based on the vary header the thing would be fetched and stored twice	20:16
samueldmq	dstanek: thanks :)	20:16
dstanek	samueldmq: do you need a SFE?	20:17
samueldmq	dstanek: for each token .. just bad , even using CacheControl, which wuld respect it right ?	20:17
samueldmq	dstanek: I asked for a SFE for it .. but now we need a FFE (L3) right ?	20:17
dstanek	samueldmq: do we need a SFE approved to merge into L?	20:18
dstanek	samueldmq: yes cachecontrol will respect the vary header and ask for the resource every time the token changes	20:18
samueldmq	dstanek: I think so.. we needed SFE for new specs being targeted to L after L1	20:19
marekd	lbragstad: heh, i love such threads - everybody clasims everything else and everybody says 'but it was discussed months ago'	20:19
samueldmq	dstanek: that is keystone specific, and had to be approved/rejected	20:19
samueldmq	dstanek: at this point I am not sure it matters, because we didn't agree in a decision	20:19
lbragstad	marekd: ++	20:19
samueldmq	dstanek: and FFE is something valid for the whole community (not keystone specific)	20:20
samueldmq	dstanek: that's my understanding	20:20
dstanek	samueldmq: yeah, but if we need to get a SFE from the Keystone team then we need to do that. (i have no idea if it's required)	20:21
*** stevemar has quit IRC		20:21
*** stevemar has joined #openstack-keystone		20:22
*** ChanServ sets mode: +v stevemar		20:22
samueldmq	dstanek: we needed it post-L1, but I think granting FFE grants, indeed, a SFE	20:22
samueldmq	dstanek: and SFE doesn't make sense without FFE, at this point	20:22
marekd	lbragstad: let me please read whole thread tomorrow.	20:22
lbragstad	marekd: sounds good	20:23
samueldmq	dstanek: and I don't know if FFE is a keystone only decision	20:23
*** topol has joined #openstack-keystone		20:25
*** ChanServ sets mode: +v topol		20:25
dstanek	samueldmq: i don't Keystone makes the final decision on that	20:25
*** HT_sergio has quit IRC		20:26
samueldmq	dstanek: yes, so that's another reason we do need an official email asking for FFE	20:27
openstackgerrit	Olivier Pilotte proposed openstack/keystone: Keystone accepts Group IDs from the IdP without any Domain reference https://review.openstack.org/210581	20:29
*** topol has quit IRC		20:29
*** gabriel-bezerra has joined #openstack-keystone		20:31
breton	no, wait	20:35
breton	FFE is not needed until the 1st of September	20:35
breton	SFE yes	20:35
samueldmq	ayoung: would you mind to change the topic of https://review.openstack.org/#/c/134655/ ?	20:35
samueldmq	ayoung: change it to bp/dynamic-policies-delivery so it will match the others	20:36
ayoung	samueldmq, done	20:37
breton	http://eavesdrop.openstack.org/meetings/keystone/2015/keystone.2015-08-04-18.01.log.html -- here is about FFE, which will be soon.	20:37
breton	oh	20:37
breton	*FF	20:37
*** diazjf has left #openstack-keystone		20:37
samueldmq	breton: ayoung thanks	20:38
samueldmq	breton: not you, just adam :p	20:38
samueldmq	breton: yes I don't know when it's FF for keystone	20:38
samueldmq	breton: according to the general schedule (https://wiki.openstack.org/wiki/Liberty_Release_Schedule)	20:39
samueldmq	breton: it should be somewhen between 31/8 - 4/9	20:39
samueldmq	morgan_503: I need some guidance on whether we need a FFE for dynamic policies atm	20:40
morgan_503	Uhmmmmmmmmmmmmmmmmmmm	20:40
morgan_503	No	20:40
samueldmq	morgan_503: or just approving the SFE is enough for now	20:40
morgan_503	FFE is only post milestone3	20:40
morgan_503	SFE is fine	20:40
samueldmq	morgan_503: nice, so approving the old but gold SFE is fine	20:40
morgan_503	And FFE requires release manager approval. FFE is for landing code not just the spec	20:41
morgan_503	Yeah	20:41
samueldmq	morgan_503: great, let's talk about it tomorrow in the meeting then; since we now have the missing bit : operators feedback!	20:41
samueldmq	morgan_503: and code is >90% ready for review :)	20:42
samueldmq	morgan_503: thanks	20:42
*** bapalm has quit IRC		20:44
*** bapalm has joined #openstack-keystone		20:45
*** bapalm_ has joined #openstack-keystone		20:46
*** jasonsb has quit IRC		20:46
*** henrynash has quit IRC		20:47
*** piyanai has quit IRC		20:47
*** hrou has quit IRC		20:49
*** bapalm has quit IRC		20:49
*** chlong has joined #openstack-keystone		20:49
*** bapalm_ has quit IRC		20:50
*** piyanai has joined #openstack-keystone		20:50
*** Guest84367 has quit IRC		20:50
samueldmq	ayoung: I am going to setup a demo with multiple glance processes behind a HAProxy, and see if eveything is going to work	20:53
ayoung	samueldmq, awesome	20:53
samueldmq	ayoung: expecting to have it working until tomorrow before meeting	20:53
samueldmq	ayoung: :)	20:53
*** raildo has quit IRC		20:55
*** jasonsb has joined #openstack-keystone		21:01
*** belmoreira has quit IRC		21:03
*** petertr7 is now known as petertr7_away		21:05
samueldmq	ssh ssh.lsd.ufcg.edu.br	21:11
samueldmq	sx3sx3e170810	21:11
*** jsavak has quit IRC		21:13
*** tsymanczyk has joined #openstack-keystone		21:15
samueldmq	ssh folha	21:15
samueldmq	yes	21:15
samueldmq	sx3sx3e170810	21:15
*** tsymanczyk is now known as Guest73845		21:15
*** piyanai has quit IRC		21:17
*** piyanai has joined #openstack-keystone		21:19
*** jsavak has joined #openstack-keystone		21:20
*** stevemar has quit IRC		21:23
*** stevemar has joined #openstack-keystone		21:23
*** ChanServ sets mode: +v stevemar		21:23
*** stevemar has quit IRC		21:24
*** stevemar has joined #openstack-keystone		21:24
*** ChanServ sets mode: +v stevemar		21:24
*** jsavak has quit IRC		21:25
*** iurygregory has quit IRC		21:25
*** jsavak has joined #openstack-keystone		21:25
*** ankita_w_ has joined #openstack-keystone		21:27
*** ksavich has quit IRC		21:27
dstanek	samueldmq: nice password! looks pretty secure	21:27
*** ankita___ has joined #openstack-keystone		21:27
openstackgerrit	Olivier Pilotte proposed openstack/keystone: Keystone accepts Group IDs from the IdP without any Domain reference https://review.openstack.org/210581	21:28
*** ankita___ has quit IRC		21:28
*** ngupta_ has quit IRC		21:29
*** ankita___ has joined #openstack-keystone		21:29
*** ankita_wagh has quit IRC		21:30
*** ankita_w_ has quit IRC		21:31
*** opilotte has quit IRC		21:32
*** ankita_wagh has joined #openstack-keystone		21:34
*** ankita___ has quit IRC		21:34
*** tjcocozz__ has joined #openstack-keystone		21:34
* morgan_503		21:35
samueldmq	ssh folha	21:36
samueldmq	yes	21:36
samueldmq	sx3sx3e170810	21:36
samueldmq	sudo passwd	21:36
samueldmq	azerty7	21:36
samueldmq	azerty7	21:36
samueldmq	azerty7	21:36
samueldmq	azerty7	21:36
samueldmq	sx3sx3e170810	21:36
lbragstad	samueldmq: I think you need those to go into a terminal	21:36
samueldmq	ssh folha	21:36
*** jdennis has quit IRC		21:37
elmiko	sounds like time for some passwd changes =(	21:37
*** tjcocozz_ has quit IRC		21:37
*** Guest73845 is now known as tsymanczyk		21:37
samueldmq	lbragstad: dstanek yeah, broadcast messed up :p gonna fix	21:38
*** samueldmq has quit IRC		21:38
*** tjcocozz__ has quit IRC		21:39
*** samueldmq has joined #openstack-keystone		21:47
samueldmq	so yes ... today I learned terminator 'broadcast all' broadcasts even if terminals are in different tabs	21:49
samueldmq	dsirrine: lbragstad ^ cc	21:49
samueldmq	hehe	21:50
dstanek	samueldmq: lol	21:52
samueldmq	dstanek: hehe changed my password, and killed -9 all the ssh processes entering the lab connection using my account o/	21:54
samueldmq	phew	21:54
dstanek	samueldmq: did you remove any backdoors that were added in the mean time?	21:55
samueldmq	dstanek: you mean ssh connections ?	21:55
*** bapalm has joined #openstack-keystone		21:56
dstanek	samueldmq: no, backdoors installed	21:56
samueldmq	dstanek: how do I do it ?	21:56
dstanek	samueldmq: lol, pray	21:56
samueldmq	dstanek: hehehe	21:57
dstanek	i doubt anyone attacked you from in here, but if you broadcast that anywhere else...	21:57
*** narengan has quit IRC		21:57
*** narengan has joined #openstack-keystone		21:58
dstanek	you may find ports opened that you ddin't know about, crons added to open ports/do things later, extra public keys installed for users, etc.	21:58
dstanek	lots of bad stuff can happen	21:58
samueldmq	dstanek: even if I don't have sudo on the machine?	21:59
dstanek	sure, that means that an attacker can't do things as root, but they could have done them all as you	22:00
*** gordc has quit IRC		22:01
*** nkinder has quit IRC		22:01
dstanek	or worse....someone could have done those attacks to any of the nodes that you jump to	22:02
*** bapalm has quit IRC		22:02
*** bapalm has joined #openstack-keystone		22:03
*** nkinder has joined #openstack-keystone		22:04
*** jdennis has joined #openstack-keystone		22:04
dstanek	samueldmq: i have a background in screwing with people	22:04
dstanek	so, now that i know you use passwords i could have hacked together a few lines of python to fake the ssh command and email me any passwords you type in, change your .bash_profile to alias ssh to it and call it a day	22:05
*** marzif_ has quit IRC		22:06
*** bapalm has quit IRC		22:07
*** nkinder has quit IRC		22:09
lbragstad	dstanek: lol	22:10
lbragstad	dstanek: you're making me paranoid	22:11
samueldmq	lbragstad: ++	22:11
*** nkinder has joined #openstack-keystone		22:11
dstanek	lbragstad: i was on the security team at my last job and that's the sorta stuff you have to look out for	22:11
lbragstad	dstanek: that's awesome	22:11
dstanek	it's so easy to get p0wned	22:12
lbragstad	dolphm: I also got this from marekd today, not sure if you've seen it yet -- https://bugs.launchpad.net/keystone/+bug/1482701	22:17
openstack	Launchpad bug 1482701 in Keystone "Federation: user's name in rules not respected" [Medium,In progress] - Assigned to Marek Denis (marek-denis)	22:17
lbragstad	dolphm: he has a patch up to fix the uuid token provider case, but we're discussing how to handle it for fernet	22:17
*** bapalm has joined #openstack-keystone		22:18
*** narengan has quit IRC		22:18
*** narengan has joined #openstack-keystone		22:18
stevemar	samueldmq: time to change passwd :)	22:19
*** narengan has quit IRC		22:22
*** narengan has joined #openstack-keystone		22:22
*** edmondsw has quit IRC		22:25
*** narengan has quit IRC		22:26
*** bapalm has quit IRC		22:29
*** jsavak has quit IRC		22:32
*** jecarey has quit IRC		22:33
*** ankita_w_ has joined #openstack-keystone		22:37
*** ankita_wagh has quit IRC		22:37
*** jamielennox\|away is now known as jamielennox		22:38
*** r-daneel has quit IRC		22:39
*** stevemar has quit IRC		22:39
*** stevemar has joined #openstack-keystone		22:40
*** ChanServ sets mode: +v stevemar		22:40
*** samueldmq has quit IRC		22:42
*** zzzeek has quit IRC		22:42
*** samueldmq has joined #openstack-keystone		22:43
*** stevemar has quit IRC		22:46
*** stevemar has joined #openstack-keystone		22:47
*** ChanServ sets mode: +v stevemar		22:47
*** stevemar has quit IRC		22:50
*** iurygregory has joined #openstack-keystone		23:01
*** thedodd has quit IRC		23:10
*** fangzhou has joined #openstack-keystone		23:27
*** piyanai has quit IRC		23:30
*** jasonsb has quit IRC		23:30
*** e0ne has joined #openstack-keystone		23:30
*** jasonsb has joined #openstack-keystone		23:31
dstanek	i am totally struggling with these ksc tests :-(	23:31
*** jasonsb has quit IRC		23:35
*** samueldmq has quit IRC		23:36
*** e0ne has quit IRC		23:49
*** zzzeek has joined #openstack-keystone		23:52
*** phalmos has quit IRC		23:52
dstanek	dammit! sigmavirus24_awa: only one adapter per prefix?	23:58

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!