<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">On 04/18/2016 02:10 PM, Matt Fischer
wrote:<br>
</div>
<blockquote
cite="mid:CAHr1CO9w_snUQm7-J48N3tBcbgmeWq0TkdHBSPny24bp_YRQfQ@mail.gmail.com"
type="cite">
<div dir="ltr">Thanks Brant,
<div><br>
</div>
<div>I was missing that distinction.</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Mon, Apr 18, 2016 at 9:43 AM, Brant
Knudson <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:blk@acm.org" target="_blank">blk@acm.org</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr"><br>
<div class="gmail_extra"><br>
<div class="gmail_quote">
<div>
<div class="h5">On Mon, Apr 18, 2016 at 10:20 AM,
Matt Fischer <span dir="ltr"><<a
moz-do-not-send="true"
href="mailto:matt@mattfischer.com"
target="_blank">matt@mattfischer.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0
0 .8ex;border-left:1px #ccc
solid;padding-left:1ex">
<div dir="ltr">
<div class="gmail_extra">
<div class="gmail_quote">
<div>
<div>On Mon, Apr 18, 2016 at 8:29 AM,
Brant Knudson <span dir="ltr"><<a
moz-do-not-send="true"
href="mailto:blk@acm.org"
target="_blank">blk@acm.org</a>></span>
wrote:<br>
<blockquote class="gmail_quote"
style="margin:0 0 0
.8ex;border-left:1px #ccc
solid;padding-left:1ex">
<div dir="ltr"><br>
<div class="gmail_extra"><br>
<div class="gmail_quote"><span>On
Fri, Apr 15, 2016 at 9:04
PM, Adam Young <span
dir="ltr"><<a
moz-do-not-send="true"
href="mailto:ayoung@redhat.com"
target="_blank">ayoung@redhat.com</a>></span>
wrote:<br>
<blockquote
class="gmail_quote"
style="margin:0px 0px 0px
0.8ex;border-left:1px
solid
rgb(204,204,204);padding-left:1ex">We all want Fernet to be a reality. We ain't there yet (except for mfish who has no patience) but we are getting closer. The goal is to get Fernet as the default token provider as soon as possible. The review to do this has uncovered a few details that need to be fixed before we can do this.<br>
<br>
Trusts for V2 tokens were not working correctly. Relatively easy fix. <a moz-do-not-send="true" href="https://review.openstack.org/#/c/278693/" rel="noreferrer" target="_blank">https://review.openstack.org/#/c/278693/</a> Patch is still failing on Python 3. The tests are kind of racy due to the revocation event 1 second granularity. Some of the tests here have a sleep(1) in them still, but all should be using the time control aspect of the unit test fixtures.<br>
<br>
Some of the tests also use the same user to validate a token as the one that has, for example, a role unassigned. These expose a problem that the revocation events are catching too many tokens, some of which should not be treated as revoked.<br>
<br>
Also, some of the logic for revocation checking has to change. Before, if a user had two roles, and had one removed, the token would be revoked. Now, however, the token will validate successfully, but the response will only have the single assigned role in it.<br>
<br>
<br>
Python 3 tests are failing because the Fernet formatter is insisting that all project-ids be valid UUIDs, but some of the old tests have "FOO" and "BAR" as ids. These either need to be converted to UUIDs, or the formatter needs to be more forgiving.<br>
<br>
Caching of token validations was messing with revocation checking. Tokens that were valid once were being reported as always valid. Thus, the current review removes all caching on token validations, a change we cannot maintain. Once all the tests are successfully passing, we will re-introduce the cache, and be far more aggressive about cache invalidation.<br>
<br>
Tempest tests are currently failing due to Devstack not properly identifying Fernet as the default token provider, and creating the Fernet key repository. I'm tempted to just force devstack to always create the directory, as a user would need it if they ever switched the token provider post launch anyway.<br>
<br>
<br>
</blockquote>
<div><br>
</div>
</span>
<div>There's a review to
change devstack to default
to fernet: <a
moz-do-not-send="true"
href="https://review.openstack.org/#/c/195780/"
target="_blank">https://review.openstack.org/#/c/195780/</a>
. This was mostly to show
that tempest still passes
with fernet configured. It
uncovered a couple of test
issues (similar in nature to
the revocation checking
issues mentioned in the
original note) that have
since been fixed.<br>
<br>
</div>
<div>We'd prefer to not have
devstack overriding config
options and instead use
keystone's defaults. The
problem is if fernet is the
default in keystone then it
won't work out of the box
since the key database won't
exist. One option that I
think we should investigate
is to have keystone create
the key database on startup
if it doesn't exist.<span><font
color="#888888"><br>
</font></span></div>
<span><font color="#888888">
<div><br>
</div>
<div>- Brant<br>
<br>
</div>
</font></span></div>
</div>
</div>
</blockquote>
<div><br>
</div>
<div><br>
</div>
</div>
</div>
<div>I'm not a devstack user, but as I
mentioned before, I assume devstack
called keystone-manage db_sync? Why
couldn't it also call keystone-manage
fernet_setup? </div>
</div>
</div>
</div>
<br>
</blockquote>
<div><br>
</div>
</div>
</div>
<div>When you tell devstack that it's using fernet
then it does keystone-manage fernet_setup. When you
tell devstack to use the default, it doesn't
fernet_setup because for now it thinks the default
is UUID and doesn't require keys. One way to have
devstack work when fernet is the default is to have
devstack always do keystone-manage fernet_setup.<br>
</div>
</div>
</div>
</div>
</blockquote>
</div>
</div>
</blockquote>
My thought was to have this as a temporary fix as the default
changes. Once we settle into Fernet, we can swap to "only Fernet
if Fernet"<br>
<br>
There is no reason Devstack can't read the config option from
Keystone, but that is a larger change than I want to make for this.<br>
<br>
<br>
<blockquote
cite="mid:CAHr1CO9w_snUQm7-J48N3tBcbgmeWq0TkdHBSPny24bp_YRQfQ@mail.gmail.com"
type="cite">
<div class="gmail_extra">
<div class="gmail_quote">
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">
<div class="gmail_extra">
<div class="gmail_quote">
<div><br>
</div>
<div>Really what we want to do is have devstack work
like other deployment methods. We can reasonably
expect featureful deployers like puppet to
keystone-manage fernet_setup in the course of
setting up keystone. There are more basic deployers
like RPMs or debs that in the past have said they
like the defaults to "just work" (like UUID tokens)
and not require extra commands.<span class="HOEnZb"><font
color="#888888"><br>
</font></span></div>
<span class="HOEnZb"><font color="#888888">
<div><br>
</div>
<div>- Brant<br>
</div>
<br>
</font></span></div>
</div>
</div>
<br>
__________________________________________________________________________<br>
OpenStack Development Mailing List (not for usage questions)<br>
Unsubscribe: <a moz-do-not-send="true"
href="http://OpenStack-dev-request@lists.openstack.org?subject:unsubscribe"
rel="noreferrer" target="_blank">OpenStack-dev-request@lists.openstack.org?subject:unsubscribe</a><br>
<a moz-do-not-send="true"
href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev"
rel="noreferrer" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
<br>
</blockquote>
</div>
<br>
</div>
<br>
</blockquote>
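<p>As an added illustration of two problems raised in the thread above, the validation cache that kept reporting once-valid tokens as valid after revocation, and the 1-second granularity of revocation events, here is a constructed, simplified model of a token validator. It is not code from the thread or from keystone; the class, function and field names, and the timestamps, are assumptions made for this example. It shows why a cached "valid" verdict must be invalidated when a revocation event arrives, and how a whole-second event timestamp can also catch a token issued after the revocation.</p>

```python
"""Constructed model of token validation with a results cache and revocation
events. Not keystone code: it only illustrates the two failure modes named in
the thread (a stale validation cache, and coarse revocation timestamps)."""
import math
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Token:
    token_id: str
    user_id: str
    issued_at: float  # constructed value: seconds since the epoch


@dataclass(frozen=True)
class RevocationEvent:
    user_id: str
    issued_before: float  # every token of user_id issued before this instant is revoked


class TokenValidator:
    """Toy validator: a token is valid unless a revocation event covers it.

    Verdicts are cached per token id. invalidate_cache_on_revoke=False leaves
    the cache untouched when an event arrives (the bug: once valid, always
    valid); True drops the affected user's cached verdicts (the fix).
    second_granularity=True stores event timestamps rounded up to whole
    seconds, as a simple model of coarse revocation timestamps (assumption).
    """

    def __init__(self, invalidate_cache_on_revoke: bool,
                 second_granularity: bool = False) -> None:
        self.events: List[RevocationEvent] = []
        self.cache: Dict[str, Tuple[Token, bool]] = {}
        self.invalidate_cache_on_revoke = invalidate_cache_on_revoke
        self.second_granularity = second_granularity
        self.backend_checks = 0  # number of validations that bypassed the cache

    def revoke_user_tokens(self, user_id: str, now: float) -> None:
        # Rounding up keeps tokens issued earlier in the same second covered,
        # at the price of also covering tokens issued later in that second.
        cutoff = float(math.ceil(now)) if self.second_granularity else now
        self.events.append(RevocationEvent(user_id, cutoff))
        if self.invalidate_cache_on_revoke:
            # Aggressive invalidation: forget every verdict for this user.
            self.cache = {tid: entry for tid, entry in self.cache.items()
                          if entry[0].user_id != user_id}

    def _is_revoked(self, token: Token) -> bool:
        self.backend_checks += 1
        return any(ev.user_id == token.user_id and token.issued_at < ev.issued_before
                   for ev in self.events)

    def validate(self, token: Token) -> bool:
        cached = self.cache.get(token.token_id)
        if cached is not None:
            return cached[1]  # served from cache; revocation events not consulted
        verdict = not self._is_revoked(token)
        self.cache[token.token_id] = (token, verdict)
        return verdict


def demo_stale_cache(invalidate_cache_on_revoke: bool) -> bool:
    """Validate a token, revoke its user's tokens, validate again.
    Returns the second verdict: True means the revocation was not honoured."""
    validator = TokenValidator(invalidate_cache_on_revoke)
    token = Token("tok-1", "alice", issued_at=100.0)
    validator.validate(token)  # first verdict: valid, now cached
    validator.revoke_user_tokens("alice", now=105.0)
    return validator.validate(token)


def demo_coarse_timestamp(second_granularity: bool) -> bool:
    """A token issued 0.4 s after the revocation event, within the same second.
    It should stay valid; a whole-second cutoff revokes it anyway."""
    validator = TokenValidator(invalidate_cache_on_revoke=True,
                               second_granularity=second_granularity)
    validator.revoke_user_tokens("bob", now=200.2)
    later_token = Token("tok-2", "bob", issued_at=200.6)
    return validator.validate(later_token)


if __name__ == "__main__":
    print("stale cache keeps revoked token valid:", demo_stale_cache(False))     # True
    print("invalidating cache honours revocation:", demo_stale_cache(True))     # False
    print("exact timestamp, later token valid:", demo_coarse_timestamp(False))  # True
    print("whole-second timestamp over-revokes:", demo_coarse_timestamp(True))  # False
```

<p>The design point is that a cache of validation results is only safe when every event that can change a verdict (a revocation, a role removal) also invalidates the cached entries it affects; a cache that is never invalidated turns a revoked token into a permanently valid one. Dropping every cached verdict for the affected user, as the fixed path above does, is the "aggressive invalidation" trade: a few redundant backend checks in exchange for never serving a stale "valid".</p>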
<br>
</body>
</html>