Re: [openstack-dev] [keystone] Domain-namespaced user attributes in SAML assertions from Keystone IdPs

2018-09-24 Thread John Dennis
mapping rules documentation). The receiver (our mapping engine) has hard-coded logic to look for a list of names. [2] We might want to prepend a format specifier to string containing complex data, e.g. "JSON:{json object}". Our parser could then look for a leading format tag and if if finds one strip it off and pass the rest of the string into the proper parser. -- John Dennis __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

Re: [openstack-dev] [oslo] Proposing Zane Bitter as oslo.service core

2018-08-03 Thread John Dennis
an understanding of the code. Please respond with +1 or any concerns you may have.  Thanks. +1 -- John Dennis __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ

Re: [openstack-dev] [oslo] proposing Moisés Guimarães for oslo.config core

2018-08-01 Thread John Dennis
addition to the oslo.config review team. Please indicate your approval or concerns with +1/-1. +1 -- John Dennis __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ

Re: [openstack-dev] [tc][all] A culture change (nitpicking)

2018-05-31 Thread John Dennis
consistent for those that follow than it is to coddle in the near term. -- John Dennis __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http:/

Re: [openstack-dev] [keystone] Could keystone to keystone federation be deployed on Centos?

2018-04-04 Thread John Dennis
On 04/04/2018 02:52 AM, 何健乐 wrote: Hi all, Could keystone to keystone  federation be deployed on Centos. I have notice all the document was deployment on Ubuntu. If could, is there some documents that is about deploying k2k on centos. Yes k2k should work on centos, there is nothing OS

Re: [openstack-dev] [keystone][zuul] A Sad Farewell

2017-10-03 Thread John Dennis
On 10/02/2017 10:13 PM, Jamie Lennox wrote: Hi All, I'm really sad to announce that I'll be leaving the OpenStack community (at least for a while), I've accepted a new position unrelated to OpenStack that'll begin in a few weeks, and am going to be mostly on holiday until then. It's a

[openstack-dev] [keystone] Additional documentation for mod_auth_mellon

2017-09-06 Thread John Dennis
The existing documentation on setting up mod_auth_mellon (https://docs.openstack.org/keystone/latest/advanced-topics/federation/mellon.html) is sparse. Our experience with using mod_auth_mellon either in the context of OpenStack federation or simply as a SAML SP working in conjunction with

Re: [openstack-dev] [keystone][tripleo] Federation, mod_mellon, and HA Proxy

2016-08-08 Thread John Dennis
On 08/07/2016 11:16 PM, Adam Young wrote: On 08/06/2016 08:44 AM, John Dennis wrote: On 08/05/2016 06:06 PM, Adam Young wrote: Ah...just noticed the redirect is to :5000, not port :13000 which is the HA Proxy port. OK, this is due to the SAML request: https://identity.ayoung-dell-t1700

Re: [openstack-dev] [keystone][tripleo] Federation, mod_mellon, and HA Proxy

2016-08-06 Thread John Dennis
On 08/05/2016 06:06 PM, Adam Young wrote: Ah...just noticed the redirect is to :5000, not port :13000 which is the HA Proxy port. OK, this is due to the SAML request: https://identity.ayoung-dell-t1700.test/auth/realms/openstack/protocol/saml;

Re: [openstack-dev] [Tripleo] X509 Management

2016-06-21 Thread John Dennis
On 06/21/2016 10:55 AM, Ian Cordasco wrote: -Original Message- From: Adam Young Reply: OpenStack Development Mailing List (not for usage questions) Date: June 21, 2016 at 09:40:39 To: OpenStack Development Mailing List

Re: [openstack-dev] [horizon][keystone] Getting Auth Token from Horizon when using Federation

2016-04-21 Thread John Dennis
On 04/18/2016 12:34 PM, Martin Millnert wrote: (** ECP is a new feature, not supported by all IdP's, that at (second) best requires reconfiguration of core authentication services at each customer, and at worst requires customers to change IdP software completely. This is a varying degree of

Re: [openstack-dev] [keystone federation] some questions about keystone IDP with SAML supported

2015-10-14 Thread John Dennis
On 10/14/2015 07:10 AM, wyw wrote: hello, keystoners. please help me Here is my use case: 1. use keystone as IDP , supported with SAML 2. keystone integrates with LDAP 3. we use a java application as Service Provider, and to integrate it with keystone IDP. 4. we use a keystone as Service

Re: [openstack-dev] [keystone federation] some questions about keystone IDP with SAML supported

2015-10-14 Thread John Dennis
On 10/14/2015 11:58 AM, Marek Denis wrote: pretty much - yes! Luckily for you the reference libraries (shibboleth) are written in Java so it should be easier to integrate with your application. Only the Shibboleth IdP is written in Java. Shibboleth the SP is written in C++. If you're trying

Re: [openstack-dev] [magnum] Difference between certs stored in keystone and certs stored in barbican

2015-09-01 Thread John Dennis
On 09/01/2015 10:57 AM, Clark, Robert Graham wrote: The reason that is compelling is that you can have Barbican generate, sign, and store a keypair without transmitting the private key over the network to the client that originates the signing request. It can be directly stored, and made

Re: [openstack-dev] [magnum] Difference between certs stored in keystone and certs stored in barbican

2015-09-01 Thread John Dennis
On 09/01/2015 02:49 AM, Tim Bell wrote: Will it also be possible to use a different CA ? In some environments, there is already a corporate certificate authority server. This would ensure compliance with site security standards. A configurable CA was one of the original design goals when the

Re: [openstack-dev] [Fuel] SSL keys saving

2015-08-24 Thread John Dennis
On 08/21/2015 05:10 AM, Stanislaw Bogatkin wrote: Hi folks. Today I want to discuss the way we save SSL keys for Fuel environments. As you maybe know we have 2 ways to get a key: a. Generate it by Fuel (self-signed certificate will be created in this case). In this case we will generate private

Re: [openstack-dev] [all][python3] use of six.iteritems()

2015-06-11 Thread John Dennis
On 06/11/2015 01:46 PM, Mike Bayer wrote: I am firmly in the let's use items() camp. A 100 ms difference for a totally not-real-world case of a dictionary 1M items in size is no kind of rationale for the Openstack project - if someone has a dictionary that's 1M objects in size, or even 100K,

Re: [openstack-dev] [nova][all] Architecture Diagrams in ascii art?

2015-05-12 Thread John Dennis
On 05/12/2015 08:47 AM, Clint Byrum wrote: I agree with all the things above, and I want to add that I think SVG is probably the most appropriate candidate as a W3C approved drawing format. We can even enforce style rules and use a reformatter so that diffs make sense. +1 for SVG As already

Re: [openstack-dev] [Keystone] Bug in federation

2014-12-24 Thread John Dennis
Can't this be solved with a couple of environment variables? The two keys pieces of information needed are: 1) who authenticated the subject? 2) what authentication method was used? There is already precedence for AUTH_TYPE, it's used in AJP to initialize the authType property in a Java

Re: [openstack-dev] [Keystone] Alternative federation mapping

2014-11-04 Thread John Dennis
On 11/04/2014 02:46 AM, David Chadwick wrote: Hi John Good morning David. I hope you're enjoying Paris and the summit is both productive and enjoyable. Wish I was there :-) Its seems like your objective is somewhat different to what was intended with the current mapping rules. You seem to

Re: [openstack-dev] [Keystone] Alternative federation mapping

2014-11-04 Thread John Dennis
On 11/04/2014 04:19 PM, David Stanek wrote: There are probably a few other assumptions, but the main one is that the mapper expects the incoming data to be a dictionary where the value is a string. If there are multiple values we expect them to be delimited with a semicolon in the string. and

Re: [openstack-dev] [Keystone] Alternative federation mapping

2014-11-03 Thread John Dennis
On 11/03/2014 08:50 AM, John Dennis wrote: I had a bunch of notes but I can't find them at the moment so I'm going from memory here (always a bit risky). I found my notes, attached is an reStructured text document that summarizes the issues I found with the current Keystone mapping, the basic

[openstack-dev] [Keystone] Alternative federation mapping

2014-11-02 Thread John Dennis
While working on federated authentication for a different project (OpenDaylight) we discovered we needed to map from the assertion provided by an external federated IdP to local values. This is essentially the same requirement which exists in Keystone's federated support. It was hoped we could

Re: [openstack-dev] [Keystone] Alternative federation mapping

2014-11-02 Thread John Dennis
On 11/02/2014 03:55 PM, Marek Denis wrote: Hi John, It indeed looks interesting and enhancing the mapping engine is on ours to-do list for a long time. I'd be happy to talk this through during the summit. Do you think you will be able to come for a Keystone websso/federation Design Session

Re: [openstack-dev] [Keystone][Oslo] User mapping and X509 for signing

2014-10-09 Thread John Dennis
On 10/08/2014 04:58 PM, Adam Young wrote: When gyee posted his X509 server-side auth plugin patch, the feedback we gave was that it should be using the mapping code from Federation to transform the environment variables set by the web server to the Keystone userid, username, domain name,

Re: [openstack-dev] Add a hacking check to not use Python Source Code Encodings (PEP0263)

2014-07-22 Thread John Dennis
On 07/21/2014 04:45 AM, Christian Berendt wrote: Hello. There are some files using the Python source code encodings as the first line. That's normally not necessary and I want propose to introduce a hacking check to check for the absence of the source code encodings. I assume you mean you

Re: [openstack-dev] [barbican] Nominating Ade Lee for barbican-core

2014-07-10 Thread John Dennis
On 07/10/2014 12:55 PM, Douglas Mendizabal wrote: Hi Everyone, I would like to nominate Ade Lee for the barbican-core team. I'm not a member of the barbican core team but I'd like to endorse Ade anyway with a +1. I've worked with Ade for years and consider him an exceptional engineer whose

Re: [openstack-dev] [Neutron][LBaaS] subjAltName and CN extraction from x509 certificates

2014-06-27 Thread John Dennis
On 06/27/2014 12:21 AM, Carlos Garza wrote: I don't know where we can check in experimental code so I have a demonstration of how to extract CNs subjAltNames or what ever we want from x509 certificates. Later on I plan to use the OpenSSL libraries to verify certs coming from barbican

Re: [openstack-dev] [Neutron][LBaaS]TLS API support for authentication

2014-05-23 Thread John Dennis
Using standard formats such as PEM and PKCS12 (most people don't use PKCS8 directly) is a good approach. Be mindful that some cryptographic services do not provide *any* direct access to private keys (makes sense, right?). Private keys are shielded in some hardened container and the only way to

Re: [openstack-dev] [oslo] strutils: enhance safe_decode() and safe_encode()

2014-05-21 Thread John Dennis
On 05/15/2014 11:41 AM, Victor Stinner wrote: Hi, The functions safe_decode() and safe_encode() have been ported to Python 3, and changed more than once. IMO we can still improve these functions to make them more reliable and easier to use. (1) My first concern is that these functions

Re: [openstack-dev] [oslo] Logging exceptions and Python 3

2014-05-19 Thread John Dennis
On 05/16/2014 09:11 AM, Johannes Erdfelt wrote: six.text_type(exc) is the recommended solution. +1 -- John ___ OpenStack-dev mailing list OpenStack-dev@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

Re: [openstack-dev] [nova] Timestamp formats in the REST API

2014-05-07 Thread John Dennis
On 04/29/2014 09:48 AM, Mark McLoughlin wrote: What appeared to be unusual was that the timestamp had both sub-second time resolution and timezone information. It was felt that this wasn't a valid timestamp format and then some debate about how to 'fix' it: My conclusions from all that:

Re: [openstack-dev] Security audit of OpenStack projects

2014-05-02 Thread John Dennis
On 04/07/2014 12:06 PM, Nathan Kinder wrote: Hi, We don't currently collect high-level security related information about the projects for OpenStack releases. Things like the crypto algorithms that are used or how we handle sensitive data aren't documented anywhere that I could see. I did

Re: [openstack-dev] Issues when running unit tests in OpenStack

2014-04-29 Thread John Dennis
You may want to take a peek at this recent thread, there may be information in it you'll find useful. http://lists.openstack.org/pipermail/openstack-dev/2014-March/029408.html -- John ___ OpenStack-dev mailing list OpenStack-dev@lists.openstack.org

Re: [openstack-dev] Sprint at Pycon: Port OpenStack to Python 3

2014-04-01 Thread John Dennis
On 04/01/2014 04:40 AM, victor stinner wrote: Hi, I will organize a sprint to Port OpenStack to Python 3 during 4 days at Montreal (Canada) during Pycon Montreal 2014, between April, 14 (Monday) and April, 17 (Thursday). The goal of the sprint is to port OpenStack components and OpenStack

Re: [openstack-dev] Sprint at Pycon: Port OpenStack to Python 3

2014-04-01 Thread John Dennis
On 04/01/2014 04:40 AM, victor stinner wrote: Hi, I will organize a sprint to Port OpenStack to Python 3 during 4 days at Montreal (Canada) during Pycon Montreal 2014, between April, 14 (Monday) and April, 17 (Thursday). The goal of the sprint is to port OpenStack components and OpenStack

Re: [openstack-dev] Sprint at Pycon: Port OpenStack to Python 3

2014-04-01 Thread John Dennis
On 04/01/2014 09:44 AM, John Dennis wrote: FWIW projects that deal with web services, wire protocols, external datastores, etc. who have already started porting to Py3 have encountered significant pain points with Py3, some of which is just being resolved and which have caused on-going changes

Re: [openstack-dev] Sprint at Pycon: Port OpenStack to Python 3

2014-04-01 Thread John Dennis
On 04/01/2014 12:15 PM, Victor Stinner wrote: Hi, Le mardi 1 avril 2014, 09:11:52 John Dennis a écrit : What are the plans for python-ldap? Only a small part of python-ldap is pure python, are you also planning on tackling the CPython code? Oh, python-ldap was just an example, I don't

Re: [openstack-dev] Sprint at Pycon: Port OpenStack to Python 3

2014-04-01 Thread John Dennis
On 04/01/2014 12:28 PM, Victor Stinner wrote: Le mardi 1 avril 2014, 09:44:11 John Dennis a écrit : The goal of the sprint is to port OpenStack components and OpenStack dependencies to Python 3, This is a great goal, thank you! But I'm concerned it might be premature. The portage

Re: [openstack-dev] Sprint at Pycon: Port OpenStack to Python 3

2014-04-01 Thread John Dennis
On 04/01/2014 02:08 PM, John Dennis wrote: My concern is this. The singled biggest change in Py2 - Py3 is string handling, especially with regards to str vs. unicode. We have a significant number of bugs in the current code base with regards to encoding exceptions, I just got done fixing

[openstack-dev] Multiple patches in one review

2014-03-24 Thread John Dennis
When a change is complex good practice is to break the change into a series of smaller individual patches that show the individual incremental steps needed to get to the final goal. When partitioned into small steps each change is easier to review and hopefully illustrates the progression. In

Re: [openstack-dev] [keystone] 5 unicode unit test failures when building Debian package

2014-03-13 Thread John Dennis
On 03/13/2014 12:31 AM, Thomas Goirand wrote: Hi, Since Havana, I've been ignoring the 5 unit test failures that I always get. Though I think it'd be nice to have them fixed. The log file is available over here: https://icehouse.dev-debian.pkgs.enovance.com/job/keystone/59/console Does

Re: [openstack-dev] testr help

2014-03-10 Thread John Dennis
On 03/10/2014 02:31 PM, Zane Bitter wrote: Fewer logs is hardly ever what you want when debugging a unit test. I think what John is looking for is a report at the end of each test run that just lists the tests that failed instead of all the details (like `testr failing --list`), or perhaps

[openstack-dev] testr help

2014-03-07 Thread John Dennis
I've read the following documents as well as the doc for subunit and testtools but I'm still missing some big picture usage. https://wiki.openstack.org/wiki/Testr https://testrepository.readthedocs.org/en/latest/index.html The biggest problem seems to be whenever tests are listed I get thousands

Re: [openstack-dev] testr help

2014-03-07 Thread John Dennis
On 03/07/2014 04:33 PM, Steve Kowalik wrote: On 07/03/14 12:56, John Dennis wrote: Question: How do you list just the failing tests? I don't want to see the contents of the logging data stored under the pythonlogging: key. Ideally I'd like to see the name of the test, what the failure

Re: [openstack-dev] testr help

2014-03-07 Thread John Dennis
On 03/07/2014 04:30 PM, Clark Boylan wrote: Now onto indirectly answering some of the questions you have. If a single unittest is producing thousands of lines of log output that is probably a bug. The test scope is too large or the logging is too verbose or both. To work around this we

Re: [openstack-dev] [nova] 'if foo' vs 'if foo is not None'

2014-03-03 Thread John Dennis
On 03/03/2014 10:00 AM, Matthew Booth wrote: PEP 8, under 'Programming Recommendations' recommends against implicit comparison to None. This isn't just stylistic, either: we were actually bitten by it in the VMware driver (https://bugs.launchpad.net/nova/+bug/1262288). The bug was hard to

[openstack-dev] [keystone] how to enable logging for unit tests

2014-02-28 Thread John Dennis
I'd like to enable debug logging while running some specific unit tests and I've not been able to find the right combination of levers to pull to get logging output on the console. In keystone/etc/keystone.conf.sample (which is config file loaded for the unit tests) I've set debug to True, I've

Re: [openstack-dev] Hierarchicical Multitenancy Discussion

2014-02-20 Thread John Dennis
On 02/19/2014 08:58 PM, Adam Young wrote: Can you give more detail here? I can see arguments for both ways of doing this but continuing to use ids for ownership is an easier choice. Here is my thinking: 1. all of the projects use ids for ownership currently so it is a smaller change That

Re: [openstack-dev] [Neutron] Representing PEM Format file as string

2014-01-27 Thread John Dennis
On 01/26/2014 05:36 PM, rajesh_moh...@dell.com wrote: I am working on SSL VPN BP. CA certificate is one of the resources. We decided to use PEM formatted certificates. It is multi-line string 1 -BEGIN CERTIFICATE- 2

Re: [openstack-dev] a common client library

2014-01-17 Thread John Dennis
Keeping them separate is awesome for *us* but really, really, really sucks for users trying to use the system. I agree. Keeping them separate trades user usability for developer usability, I think user usability is a better thing to strive for. I don't understand how multiple independent

Re: [openstack-dev] Introduction: Rich Megginson - Designate project

2014-01-16 Thread John Dennis
On 01/15/2014 08:24 PM, Rich Megginson wrote: Hello. My name is Rich Megginson. I am a Red Hat employee interested in working on Designate (DNSaaS), primarily in the areas of integration with IPA DNS, DNSSEC, and authentication (Keystone). I've signed up for the

Re: [openstack-dev] Re : welcoming new committers (was Re: When is it okay for submitters to say 'I don't want to add tests' ?)

2013-11-04 Thread John Dennis
On 10/31/2013 10:36 PM, Jeremy Stanley wrote: As has been said many times already, OpenStack does not lack developers... it lacks reviewers. In regards to reviews in general and in particular for welcoming new committers I think we need to be careful about reviewers NAK'ing a submission for

Re: [openstack-dev] Remove vim modelines?

2013-10-25 Thread John Dennis
On 10/25/2013 03:43 PM, Robert Collins wrote: On 26 October 2013 08:40, Dolph Mathews dolph.math...@gmail.com wrote: On Thu, Oct 24, 2013 at 1:48 PM, Robert Collins robe...@robertcollins.net wrote: *) They help casual contributors *more* than long time core contributors : and those are the

Re: [openstack-dev] [oslo] i18n Message improvements

2013-10-18 Thread John Dennis
On 10/18/2013 12:57 PM, Doug Hellmann wrote: On Thu, Oct 17, 2013 at 2:24 PM, John Dennis jden...@redhat.com mailto:jden...@redhat.com wrote: On 10/17/2013 12:22 PM, Luis A. Garcia wrote: On 10/16/2013 1:11 PM, Doug Hellmann wrote: [snip] Option 3 is closer

Re: [openstack-dev] [oslo] i18n Message improvements

2013-10-17 Thread John Dennis
On 10/17/2013 12:22 PM, Luis A. Garcia wrote: On 10/16/2013 1:11 PM, Doug Hellmann wrote: [snip] Option 3 is closer to the new plan for Icehouse, which is to have _() return a Message, allow Message to work in a few contexts like a string (so that, for example, log calls and exceptions can

Re: [openstack-dev] [DevStack] Python dependencies: PyPI vs distro packages

2013-08-06 Thread John Dennis
On 08/06/2013 11:19 AM, Dean Troyer wrote: And that is the crux of the problem. When both can be installed side-by-side and sys.path is in control of the order, things work. This is such a fundamental problem in the distro that I am beginning to thing that we need to address it ourselves.