fungi | of course, volume list breaks doing that, but server list will work | 00:00 |
---|---|---|
Clark[m] | Ya you have to use cinder v1 iirc | 00:00 |
Clark[m] | I know Mordred said v2 would work but I'm not sure it ever did with tax. But that shouldn't affect server list? | 00:00 |
fungi | yeah, but for some reason cinderclient is getting loaded and forcing an error early even when it's not needed by the call | 00:05 |
fungi | yeah, the errors are coming from cinderclient/api_versions.py | 00:05 |
fungi | when running `openstack server list` | 00:06 |
fungi | so the real problem, i guess, is that new cinderclient refuses to support old cinder api, and openstackclient hasn't been fixed to not use cinderclient | 00:07 |
fungi | and also cinderclient.client.get_client_class() is being called even when there are no volume commands run | 00:18 |
mordred | We need to replace cinderclient with sdk in osc and this should get better | 00:26 |
mordred | But, you know, ENOTIME | 00:26 |
mordred | Fwiw, I frequently just open a repl, make an sdk object and call shade methods instead | 00:28 |
opendevreview | James E. Blair proposed opendev/zone-opendev.org master: Add keycloak01 https://review.opendev.org/c/opendev/zone-opendev.org/+/820411 | 00:35 |
opendevreview | James E. Blair proposed opendev/system-config master: Add keycloak01 https://review.opendev.org/c/opendev/system-config/+/820412 | 00:37 |
corvus | okay everything's ready to go | 00:37 |
*** dpawlik6 is now known as dpawlik | 14:45 | |
opendevreview | Merged opendev/zone-opendev.org master: Add keycloak01 https://review.opendev.org/c/opendev/zone-opendev.org/+/820411 | 15:57 |
opendevreview | Merged opendev/system-config master: Add keycloak01 https://review.opendev.org/c/opendev/system-config/+/820412 | 16:10 |
opendevreview | Merged opendev/system-config master: Add a keycloak server https://review.opendev.org/c/opendev/system-config/+/819923 | 16:50 |
corvus | let's see if we magically end up with a keycloak server sometime today :) | 17:18 |
corvus | we do have a keycloak server now :) | 17:51 |
fungi | yay! | 18:06 |
corvus | there's some config issues, i'm manually working through them now and will propose a patch shortly | 18:29 |
opendevreview | James E. Blair proposed opendev/system-config master: Correct keycloak proxy config https://review.opendev.org/c/opendev/system-config/+/820446 | 18:50 |
fungi | corvus: out of curiosity, why is keycloak.vhost a template? i don't see any actual jinja2 substitutions in it | 19:12 |
corvus | copypasta from etherpad which did have a substitution... and i've developed a habit of making files that might develop template substitutions templates from the start. i don't know if it's a good habit, but i enjoy not having to switch them from static to template just to add a variable (or the other way if we remove the last variable). | 19:14 |
corvus | i can change that if folks don't like it, but i think it's a good idea for vhosts and docker-compose files and the like | 19:15 |
fungi | nah, it doesn't hurt anything, i was just curious whether i was missing a substitution | 19:16 |
corvus | fungi: want to check it out? go to https://keycloak.opendev.org/auth/realms/corvustest1/account/#/ and click "sign in" in top right | 19:27 |
corvus | fungi: then click the 'openstackid' button on the signin page; that will let you log into the keycloak realm with openstackid creds | 19:27 |
fungi | Welcome to Keycloak Account Management | 19:29 |
fungi | huzzah! | 19:29 |
fungi | should we be putting together notes/observations yet, or are you still tuning? | 19:29 |
corvus | fungi: go for it. i've achieved my immediate goal of confirming that openstackid can be a federated idp. :) | 19:31 |
fungi | cool, my only significant observation so far was wondering if we can/should hide the username/password option, since one of the goals of the sso spec was to not have local accounts | 19:32 |
corvus | yeah, i looked into that briefly -- it looks like the only option there is basically to make a custom theme without the html elements (which is weird, that is a very frequently requested feature) | 19:33 |
fungi | got it, that seems straightforward enough. i'm not worried about fixing things like that now, more just understanding feasibility | 19:34 |
corvus | fungi: also, you're welcome to grab the admin password from bridge (keycloak_admin_password) and then log into https://keycloak.opendev.org/auth/admin/master/console to see the admin side of things | 19:34 |
jrosser | i have ansible to configure keycloak realms via the rest api which i can share next week if you're interested | 19:34 |
corvus | jrosser: awesome thanks, i think we will want that :) | 19:35 |
jrosser | no problem, i'll look at getting our repo public | 19:36 |
fungi | yeah, that was one of the undecided bits i think? whether we configure via the webui and then stick the resulting config in git, or orchestrate the configuration itself | 19:36 |
fungi | but seeing how folks are doing it with ansible would be a big help | 19:36 |
jrosser | yeah, we have a kind of opinionated ansible role to do all the HA stuff and set up realms and oidc mappings | 19:37 |
jrosser | so taking whatever inspiration / tasks from that was what i was thinking | 19:38 |
opendevreview | Merged opendev/system-config master: Correct keycloak proxy config https://review.opendev.org/c/opendev/system-config/+/820446 | 19:44 |
corvus | fungi: i added a google provider (but it's in test mode so to work i need to manually add google accounts to it); let me know if you want me to add yours (if you have one) and you can try out linking a second provider | 19:58 |
* corvus uploaded an image: (34KiB) < https://matrix.org/_matrix/media/r0/download/acmegating.com/vZfixHQNjHuyWTAXyDdAKWQd/image.png > | 19:59 | |
* corvus uploaded an image: (38KiB) < https://matrix.org/_matrix/media/r0/download/acmegating.com/gOAgzIgKnpqKuOePpXesFzup/image.png > | 19:59 | |
corvus | but there's some screenshots -- it's super intuitive | 20:00 |
fungi | corvus: i have a google account... what specifier would you need for it? | 20:00 |
corvus | 20:00 | |
fungi | fungi-google@yuggoth.org | 20:00 |
corvus | fungi: done | 20:01 |
fungi | yeah, i was able to log into that and it shows two linked accounts | 20:02 |
fungi | interestingly, on the linked accounts panel, it has a "link account" option next to the openstackid entry in the unlinked accounts section, but gives an error if i click it "Federated identity returned by openstackid is already linked to another user." | 20:03 |
corvus | keycloak (optionally -- this is highly configurable) does matching on email addresses when you login, so since my addresses matched, when i clicked log in via google, i got the option to link on login. with different email addrs, people would get 2 accounts if they logged in twice, i think. not sure what the reconciliation options are in that case. | 20:04 |
fungi | ahh, yep, that's it. if i log out and then log in again with openstackid, it shows the openstackid as linked but google as unlinked, and gives the same error if i try to link the google id | 20:05 |
corvus | fungi: so starting with an openstackid-linked account, you used the "link account" button and still ended up with 2 accounts? interesting, that's not very intuitive to me... :/ | 20:08 |
fungi | i think the update to my account logged me out, since it sent me back to the login page, at which point i selected to log in with google | 20:10 |
fungi | possible i did that incorrectly | 20:10 |
corvus | oh ok, that makes sense then | 20:10 |
fungi | now i realize the screenshots you linked a moment ago were probably instructions on what to do | 20:10 |
fungi | and i should have logged back in with my openstackid first | 20:11 |
corvus | i just did it the other way (log in via openstackid, then link google account with different email), and it did link them (so i ended up still with 1 account) | 20:11 |
corvus | well, i didn't know that at the time, i'm still learning :) | 20:11 |
corvus | so there's still a rough edge with the "i accidentally made 2 accounts and now can't link them" issue that you discovered | 20:11 |
corvus | i'm guessing the only resolution to that is to delete one of them to then allow the user to purposefully link | 20:12 |
fungi | sure, i expect if i log in with the admin creds i can delete the second account and then go back to my openstackid account and link them correctly | 20:12 |
corvus | yeah, that's more or less what i did with my testing just now | 20:13 |
fungi | okay, after deleting my google account from the users panel in the admin console, i logged in with my openstackid and was then able to link my google account | 20:20 |
fungi | so that seems to work | 20:20 |
fungi | now if i log out and sign back in with google it takes me to the correct account both are linked in | 20:21 |
corvus | i can't think of a way to make this work self-service (at least, not without tortuous things like "associate with a new fake account then disassociate from the original one"), so there might be some admin action required for situations like this. | 20:25 |
corvus | but at least it's easy, and hopefully rare? | 20:26 |
corvus | well, actually, if we allow password login, then it could be done self-service... in that case you can unlink from all external idps. so you could unlink from the unwanted account and then link to the wanted one. | 20:28 |
fungi | yeah, worth discussing | 20:31 |
corvus | related -- if we don't want that, we still need to figure out how to disable setting the password from the self-serv management menu since that's what i just did and it worked :) | 20:32 |