Thursday, 2014-03-06

[00:00] <jamielennox> and i don't think it's something that i can isolate the new behaviour to just the new auth plugins as the old code will depend on them
[00:00] <jamielennox> well - it's python i could with some funky kwarg flags...
[00:00] <jamielennox> but i'm not sure it's worth it
[00:01] <dolphm> jamielennox: that whole method needs some better error feedback to protect against bad input
[00:01] <jamielennox> hmm, maybe it is worth it
[00:01] <jamielennox> i copied that method with a few formatting fixes
[00:02] <dolphm> jamielennox: it wouldn't be just as unreasonable to pass in domain_id + project_id, and the resulting behavior is equally arbitrary based on the order of the implementation
[00:02] <dolphm> jamielennox: it would* be
[00:03] <jamielennox> dolphm: that is caught
[00:04] *** Fin1te has joined #openstack-keystone
[00:04] <jamielennox> https://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/auth/identity/v3.py#L76
[00:04] <jamielennox> again that's a copy and paste
[00:05] <jamielennox> i guess that check should contain a trust check as well
[00:06] <dolphm> jamielennox: ++
[00:08] <jamielennox> dolphm: it's not really something that can be extended now though is it?
[00:09] <dolphm> jamielennox: i think it can, as long as it's in the form of a friendly error message and a 0.x.0 bump
[00:11] *** dims has joined #openstack-keystone
[00:19] <morganfainberg> dolphm, if dstanek's comment is correct, if the truncation stuff changes, it affects all passwords now.
[00:19] <morganfainberg> dolphm, i think we have an issue with that being configurable.
[00:20] <dolphm> morganfainberg: ?
[00:20] *** andreaf has quit IRC
[00:20] <morganfainberg> dolphm, truncate a password, you have password of 1024 max, and someone uses it
[00:20] <morganfainberg> dolphm, then deployer changes the truncate to 64
[00:20] <dolphm> morganfainberg: 4096 by default i think, but yeah-- they 400
[00:20] <morganfainberg> anyone with a password > 64 can't auth
[00:20] <dstanek> morganfainberg: you do, but if we tell the operators about it they can enable the setting when they are ready vs. upgrading and getting it pushed to them
[00:20] *** nkinder has quit IRC
[00:21] *** nkinder has joined #openstack-keystone
[00:21] <morganfainberg> we may want to add some documentation to that
[00:21] <morganfainberg> extra documentation
[00:21] <morganfainberg> somehow i don't think anyone is going to be changing that value once deployed
[00:21] <dolphm> morganfainberg: we need to keep the warning that truncation is being applied, and probably include the user_id?
[00:21] <morganfainberg> at least i hope not
[00:22] <dolphm> morganfainberg: you mean reducing it from 4096?
[00:22] <morganfainberg> dolphm, we could keep the truncate value (when passwd is set) in the password field
[00:22] <morganfainberg> dolphm, not by default
[00:23] <morganfainberg> dolphm, scenario, deployer has 4096, and someone uses it (wow silly)
[00:23] <morganfainberg> then deployer decides no one's password should be > 64
[00:23] <morganfainberg> that person who had a 4096 password would be unable to auth
[00:23] <dolphm> morganfainberg: presents a slight leak about passwords (which are shorter than the truncation limit)
[00:23] <morganfainberg> maybe we should make the password field something like pwlen, hash ?
[00:24] <morganfainberg> or truncation_limit_when_passwd_was_set, hash
[00:24] <morganfainberg> and we only consult the conf when/if the password is being changed
[00:24] <morganfainberg> not a big deal, i think it's an edge case of an edgecase
[00:24] <morganfainberg> most people will never change that value
[00:25] <dolphm> morganfainberg: yeah, especially more than once
[00:25] <dstanek> morganfainberg: is it that common that it's worth the trouble? seems like documentation saying the dangers of lowering the value would be enough
[00:25] <morganfainberg> dstanek, either documentation or code
[00:25] <morganfainberg> dstanek, i think this is a low prio thing to even worry about
[00:25] <morganfainberg> dstanek, so .. meh? just something we should be aware of
[00:25] <morganfainberg> not sure if it's easier to document this issue or just guard against it
[00:26] <dstanek> but that patch does force that on people
[00:26] *** packet has quit IRC
[00:26] <morganfainberg> dstanek, that patch changes a password change to a 400 vs. 200 on long password
[00:27] <morganfainberg> dstanek, the patch doesn't change that mucking with that value could prevent people from logging in today
[00:27] <ayoung> the patch seems correct:  you should only scope to the trust, not domain or project
[00:27] *** gordc has joined #openstack-keystone
[00:27] *** Fin1te has quit IRC
[00:27] <dstanek> morganfainberg: that's what i mean it's effectively lowering the limit to the configured value
[00:27] <ayoung> but that is in requesting a token...
[00:27] <morganfainberg> dstanek, oh oh yes.
[00:28] <morganfainberg> dstanek, it forces what would work previously silently (and probably incorrectly)
[00:28] <dolphm> ayoung: yeah, but the test is asserting a broken use case and illustrating what's really going on
[00:28] <morganfainberg> dstanek, vs. just changes causing that issue
[00:29] <ayoung> dolphm, it looks correct.  When you say "use a trust" nothing else in the scope is relevant.  You can't change what you get back:  you only get back exactly what the trust delegates to you
[00:31] <dolphm> ayoung: you're missing the point -- it's a broken user expectation; the client code that's being changed is completely inconsequential if the input had been validated correctly
[00:32] <ayoung> dolphm, I actually agreed with you in the review and -1ed.  It should be a client side exception
[00:33] <ayoung> your first suggestion was correct.  Checking that the project matched would not be correct, as that would be purely chance:
[00:33] <ayoung> if we overwrite the scope, if the scope matches the token, it would be due to luck
[00:36] <morganfainberg> https://review.openstack.org/#/c/78449 good change so we can get testing with latest released clients
[00:36] <morganfainberg> vs. trunk
[00:37] <jamielennox> have a fix to enforce the trust_id, project_id check, do i post it or let him fix the patch...
[00:40] *** Fin1te has joined #openstack-keystone
[00:46] *** amcrn has quit IRC
[00:48] *** Fin1te has quit IRC
[00:49] *** wchrisj has quit IRC
[00:50] *** wchrisj has joined #openstack-keystone
[00:50] <bknudson> jamielennox: if you just want to get the code out there you could post it as a dependent and mark it a work in progress and point him to it.
[00:52] *** henrynash has joined #openstack-keystone
[01:01] *** prad has joined #openstack-keystone
[01:02] *** devlaps has quit IRC
[01:08] <prad> Hi All, can i get some help configuring keystone with ssl? I followed the doc and set the [ssl] section in the keystone.conf with enable_ssl to true and passed in the relevant cert paths, also set the public/admin endpoint url to https .. but when i try to run keystone cli, i get  Authorization failed http unable to establish connection to https://192.168.255.207:5000/v2.0/tokens
[01:08] <prad> am i missing any other steps here?
[01:08] <ayoung> jamielennox, go ahead and post it
[01:09] <ayoung> prad, anything in your log?
[01:10] <prad> ayoung: not much in the logs.. perhaps i need to enable debug?
[01:10] <ayoung> prad, well, can't hurt
[01:12] <bknudson> prad: are you using --insecure?
[01:13] <prad> bknudson: no
[01:13] <bknudson> prad: is keystoneclient able to connect when you use --insecure?
[01:14] <bknudson> prad: If I had to guess it would be that the server certificate isn't configured for a host of 192.168.255.207 so the client is rejecting it.
[01:15] <prad> hmm
[01:15] <prad> https://gist.github.com/pkilambi/9380301
[01:15] <prad> bknudson: so thats the msg i get..
[01:15] <prad> let me post you my keystone.conf settings, just to get another pair of eyes
[01:16] <bknudson> prad: ok, well it's probably not that the client is rejecting the server cert then...
[01:17] <bknudson> prad: how about using openssl s_client to connect to the server?
[01:17] <prad> bknudson: https://gist.github.com/pkilambi/9380327
[01:17] <bknudson> that can give you some feedback.
[01:17] <ayoung> prad, or just point a web browser at it
[01:17] <ayoung> https://192.168.255.207:5000/
[01:18] <prad> so to configure keystone with ssl endpoints is that all i need to do in keystone.conf or am i missing something?
[01:18] <bknudson> prad: looks like you've got "cert_required = True" -- but your keystoneclient command isn't presenting a client cert?
[01:18] <prad> bknudson: even if i comment that out, i get the same result
[01:24] *** richm has quit IRC
[01:25] <prad> bknudson: ayoung : do i need to setup the [signing] portion of the conf as well? or just the ssl portion is sufficient?
[01:25] <ayoung> prad, well, signing will be necessary
[01:25] <bknudson> prad: signing is for pki tokens and not for ssl
[01:26] <ayoung> but you should be able to talk to Keystone via ssl first
[01:26] <prad> ok
[01:28] <prad> https://gist.github.com/pkilambi/9380378 are the certs that i currently have.. some files such as serial have root perms but readable by all.. assume thats ok
[01:28] <prad> i generated the certs with keystone-manage ssl_setup command
[01:30] <prad> thats all i did.. so unless I'm missing some steps, not sure why its not able to talk over ssl
[01:30] <prad> note that i did not add any ssl config to apache virtualhost , i didn't see that in the docs as part of the setup
[01:34] <bknudson> prad: if you're running keystone in apache then the ssl options don't apply.
[01:35] <bknudson> those are only used by keystone-all (running keystone in eventlet)
[01:36] <prad> bknudson: yea i'm just running keystone standalone outside of httpd
[01:37] *** henrynash has quit IRC
[01:46] *** browne has quit IRC
[01:53] *** stevemar has joined #openstack-keystone
[01:53] *** gokrokve has joined #openstack-keystone
[01:54] *** rwsu has quit IRC
[01:58] *** harlowja has quit IRC
[02:03] <lbragstad> dolphm: this is interesting.. paste.openstack.org/show/72738/ regarding your comment on descriptions being required for creating regions using the v3 api.
[02:04] *** harlowja has joined #openstack-keystone
[02:06] *** thedodd has joined #openstack-keystone
[02:07] <lbragstad> must be a result of the migration: https://github.com/openstack/keystone/blob/master/keystone/common/sql/migrate_repo/versions/037_add_region_table.py#L27
[02:11] *** marcoemorais has quit IRC
[02:13] *** marcoemorais has joined #openstack-keystone
[02:13] *** marcoemorais has quit IRC
[02:16] *** morganfainberg is now known as morganfainberg_Z
[02:20] *** david-lyle has joined #openstack-keystone
[02:21] *** chandan_kumar has joined #openstack-keystone
[02:25] <bknudson> lbragstad: why is description unique?
[02:25] *** d0ugal has quit IRC
[02:26] *** dstanek has quit IRC
[02:26] *** dstanek has joined #openstack-keystone
[02:31] *** zhiyan_ is now known as zhiyan
[02:45] *** gordc has quit IRC
[02:52] <dstanek> dolphm: why did you mark this one as a wishlist item? https://bugs.launchpad.net/keystone/+bug/1277463
[02:53] <dstanek> is there more work to be done?
[02:54] <dolphm> dstanek: no - it's done
[02:55] <dolphm> dstanek: looking at it again, i didn't put much thought into it... i saw a NotImplemented being replaced with an implementation and moved on
[02:56] <dstanek> dolphm: i'm trying to catch up on the large amounts of email from today
[02:57] <dolphm> dstanek: ha, good luck :P
[02:57] *** d0ugal has joined #openstack-keystone
[02:57] *** d0ugal has quit IRC
[02:57] *** d0ugal has joined #openstack-keystone
[02:59] *** chandan_kumar has quit IRC
[03:04] *** prad has quit IRC
[03:04] *** gokrokve_ has joined #openstack-keystone
[03:08] *** gokrokve has quit IRC
[03:10] <dolphm> lbragstad: should definitely be nullable :-/
[03:10] <dolphm> lbragstad: or if it's not nullable, the service should default it to ""
[03:11] <dolphm> lbragstad: the second would be an easier one line fix in the manager, and avoid creating unnecessary migrations during feature freeze
[03:20] <bknudson> dolphm: lbragstad: default wouldn't work well since it's unique.
[03:20] <bknudson> you'd only be able to make one with '' and then the next would conflict
[03:21] *** wchrisj has quit IRC
[03:35] *** wchrisj has joined #openstack-keystone
[03:49] <ayoung> bknudson, Python question:  I was messing with the CMS code and if I do the PEM form, it seems to work fine, but DER fails (can't validate what I just signed)  PEM is text, DER is binary.  Is there something I need to do to handle binary marshalled via stdin/stdout ?
[03:52] <stevemar> dstanek, select all unread -> delete
[03:52] <stevemar> problem solved
[03:55] <lbragstad> bknudson: dolphm not sure why description is unique
[03:56] <lbragstad> dolphm: bknudson I could push a change setting description to "" if not provided. Like dolphm said, that can be done in the manager, and then add a FIXME to fix properly with a migration in J after feature freeze
[03:57] <lbragstad> ?
[03:57] <lbragstad> that might work
[03:58] <stevemar> jamielennox, ping?
[04:00] <jamielennox> stevemar: hey
[04:01] <stevemar> jamielennox, hey, so question about changes to httpclient
[04:02] <stevemar> jamielennox, when I was trying to add new args (consumer and access stuff) to client (in the test), i thought i had to update httpclient too? or just auth/v3?
[04:02] <stevemar> if i didn't need to change httpclient, then all the changes in accessInfo can go too :)
[04:04] <jamielennox> stevemar: my hope is that the client shouldn't have anything to do with auth anymore
[04:04] <jamielennox> base client
[04:05] <jamielennox> it will mean that you are limited to using the new method when you want to use oauth
[04:05] <jamielennox> so like create a session, give it a plugin and give it to client
[04:05] <jamielennox> but this is a pattern i want people to get used to anyway
[04:05] *** ayoung has quit IRC
[04:06] <jamielennox> once you have the auth plugin on the session it will work for the client
[04:06] <stevemar> jamielennox, i'm all for doing whatever you need me to do, so i don't go against what you designed
[04:07] <stevemar> jamielennox, but i guess i'm not seeing the pattern that you want?
[04:07] <jamielennox> umm, alright so blog post
[04:07] <jamielennox> http://www.jamielennox.net/blog/2014/02/24/client-session-objects/
[04:07] <jamielennox> hopefully that one explains the design
[04:07] <jamielennox> there is an older one: http://www.jamielennox.net/blog/2013/09/27/apiclient-communications/
[04:07] <jamielennox> for design
[04:08] <jamielennox> basically the client will know nothing about auth
[04:08] <jamielennox> whats left on client is all there for compatibility
[04:08] <jamielennox> if you have a session object with a plugin then whatever requests passes through that plugin will get given a token
[04:09] <jamielennox> if you have a session object with a plugin then whatever requests passes through that session will get given a token
[04:09] <jamielennox> so all the client does is send it to the session
[04:15] <stevemar> jamielennox, so, i agree that i can probably do the signing part in get_auth_data and update the headers there. thats cool
[04:15] *** wchrisj has quit IRC
[04:17] <stevemar> jamielennox, so I guess I'm instantiating the client incorrectly? how can i add a plugin to a session? is there a test that already does this?
[04:18] <jamielennox> stevemar: so keystoneclient/tests/auth/
[04:18] <jamielennox> have v2 and v3 examples
[04:19] <jamielennox> i don't know if any of those are actually passing session to client
[04:19] <jamielennox> but thats just v3.Client(session=session)
[04:19] <stevemar> jamielennox, ah okay, i was using tests/v3/test_auth.py as a basis
[04:20] *** derek_c has joined #openstack-keystone
[04:20] <jamielennox> ah, yea that's the original stuff
[04:22] <stevemar> jamielennox, ah okay, i think I see where the magic happens: a = v3.Password(self.TEST_URL, ... )
[04:23] <stevemar> jamielennox, i hope the patch that adds request / access token support raises your blood pressure less :)
[04:24] <jamielennox> stevemar: oh i started that review and never got to the end
[04:24] <jamielennox> no blood pressure raised
[04:25] <jamielennox> you are the first person (non-me) to attempt a plugin afaik so i want to make sure i've got the plugin calls right
[04:41] *** bvandenh has joined #openstack-keystone
[04:49] *** harlowja is now known as harlowja_away
[04:55] *** devlaps has joined #openstack-keystone
[05:02] *** harlowja_away is now known as harlowja
[05:07] <stevemar> jamielennox, ping
[05:07] <jamielennox> yea
[05:07] <stevemar> jamielennox, so it works awesomely
[05:07] <jamielennox> sweet
[05:07] <stevemar> just one catch, i remember why i put the signing in the auth ref
[05:07] *** wchrisj has joined #openstack-keystone
[05:07] <stevemar> it was because i needed the entire url, including the self.auth_url part
[05:08] <stevemar> do you think it's possible to add url to get_auth_ref, along with headers?
[05:08] <jamielennox> crap
[05:08] <jamielennox> umm
[05:09] <stevemar> or maybe kwargs
[05:09] <jamielennox> there's always an edge case
[05:09] <jamielennox> let me find the review
[05:09] <stevemar> https://review.openstack.org/#/c/77977/4/keystoneclient/auth/identity/v3.py
[05:10] <jamielennox> stevemar: do you need to communicate with the URL or just use it?
[05:10] <stevemar> just use it
[05:10] <stevemar> line 108 of the link i sent you
[05:11] <jamielennox> yep
[05:12] <jamielennox> i'm just trying to think if there is a more common case we could do
[05:12] <jamielennox> like maybe i provide the original auth plugin to the auth_method and let you get it yourself
[05:13] <jamielennox> it makes sense to make that take kwargs anyway
[05:13] <stevemar> i was leaning toward kwargs tbh
[05:13] <stevemar> cause different plugins will do funky things
[05:13] <jamielennox> yea, i was somewhat trying to restrict funky things
[05:13] <jamielennox> but i guess it makes sense that they might need the session object as well
[05:14] <jamielennox> to communicate with other places
[05:14] <stevemar> unless i can surface the oauthlib object, and sign it later, but that seems messy
[05:14] <jamielennox> yea, it means that the parent has to be aware of the plugin type
[05:14] <stevemar> bleh
[05:14] <stevemar> which is a no-no
[05:15] <jamielennox> ok, i think it makes sense to pass session and kwargs through to get_auth_data
[05:16] <jamielennox> kwargs should probably be passed from the get_auth_ref call through to get_auth_data
[05:16] <jamielennox> but they will mostly be empty
[05:31] <stevemar> jamielennox, i made the change to add session in my latest patch, but decided against kwargs, since i don't need them right now.
[05:32] <stevemar> jamielennox, new patch up, *much* less code now, thanks for steering me in the right direction!
[05:33] <jamielennox> stevemar: https://review.openstack.org/#/c/78523/
[05:33] <jamielennox> we kind of need kwargs
[05:34] <jamielennox> because if we release the interface without it then plugins written to support it won't accept additional args
[05:34] <jamielennox> and if we ever want to add something in later it can't
[05:34] <jamielennox> so if we do an open ended kwargs now then we don't trap ourselves
[05:35] <stevemar> jamielennox, makes sense
[05:35] <jamielennox> stevemar: if you rebase on that one i provided you should just be able to do auth.token_url
[05:36] <stevemar> jamielennox, yep
[05:36] <stevemar> jamielennox, btw - are you okay with the test living with the other oauth tests? or did you want it in the auth tests?
[05:36] <jamielennox> stevemar: i don't mind
[05:36] <stevemar> cool
[05:44] *** wchrisj has quit IRC
[05:59] *** stevemar has quit IRC
[06:00] *** gyee has quit IRC
[06:04] *** chandan_kumar has joined #openstack-keystone
[06:04] *** gokrokve_ has quit IRC
[06:04] *** gokrokve has joined #openstack-keystone
[06:08] *** gokrokve has quit IRC
[06:10] *** topol has joined #openstack-keystone
[06:15] *** gokrokve has joined #openstack-keystone
[06:27] *** topol has quit IRC
[06:34] *** thedodd has quit IRC
[06:40] *** amcrn has joined #openstack-keystone
[06:57] *** jamielennox is now known as jamielennox|away
[06:59] *** harlowja is now known as harlowja_away
[07:14] *** marcoemorais has joined #openstack-keystone
[07:16] *** marcoemorais1 has joined #openstack-keystone
[07:18] *** marcoemorais has quit IRC
[07:21] *** harlowja_away has quit IRC
[07:22] *** saju_m has joined #openstack-keystone
[07:40] *** henrynash has joined #openstack-keystone
[07:42] *** henrynash has quit IRC
[07:51] *** jaosorior has joined #openstack-keystone
[07:52] <jaosorior> Hello, I just downloaded the source code and ran the unit test suite, and it appears that the majority of tests in "keystone.tests.test_keystoneclient.KcMasterTestCase" are failing, is this normal?
[08:00] *** gokrokve has quit IRC
[08:00] *** gokrokve has joined #openstack-keystone
[08:04] *** gokrokve has quit IRC
[08:06] *** saju_m has quit IRC
[08:19] *** saju_m has joined #openstack-keystone
[08:20] *** dstanek has quit IRC
[08:24] *** saju_m has quit IRC
[08:24] *** derek_c has quit IRC
[08:33] *** YorikSar has quit IRC
[08:37] *** saju_m has joined #openstack-keystone
[08:43] *** gokrokve has joined #openstack-keystone
[08:45] *** gokrokve_ has joined #openstack-keystone
[08:47] *** gokrokve has quit IRC
[08:49] *** gokrokve_ has quit IRC
[09:04] *** achudnovets1 has joined #openstack-keystone
[09:08] *** marcoemorais1 has quit IRC
[09:12] *** saju_m has quit IRC
[09:23] <achudnovets1> hi. I need some help :) Will domain support affect urls of other OpenStack services (nova, etc)? Will domain be added to url (v1/{project_id}/{domain_id}/...) or it will be used only for obtaining token?
[09:25] *** leseb has joined #openstack-keystone
[09:30] *** henrynash has joined #openstack-keystone
[09:36] *** henrynash has quit IRC
[09:44] *** marekd|away is now known as marekd
[09:45] *** gokrokve has joined #openstack-keystone
[09:50] *** gokrokve has quit IRC
[09:59] *** saju_m has joined #openstack-keystone
[10:02] *** achudnovets1 has quit IRC
[10:06] *** marcoemorais has joined #openstack-keystone
[10:06] *** morganfainberg_Z is now known as morganfainberg
[10:10] *** marcoemorais has quit IRC
[10:10] *** YorikSar has joined #openstack-keystone
[10:31] *** henrynash has joined #openstack-keystone
[10:36] *** bvandenh has quit IRC
[10:45] *** gokrokve has joined #openstack-keystone
[10:46] *** saju_m has quit IRC
[10:50] *** gokrokve has quit IRC
[11:03] *** bvandenh has joined #openstack-keystone
[11:03] *** saju_m has joined #openstack-keystone
[11:07] *** marcoemorais has joined #openstack-keystone
[11:11] *** marcoemorais has quit IRC
[11:39] *** marcoemorais has joined #openstack-keystone
[11:43] *** marcoemorais has quit IRC
[11:45] *** gokrokve has joined #openstack-keystone
[11:49] *** gokrokve has quit IRC
[12:11] *** devlaps has quit IRC
[12:18] *** bvandenh has quit IRC
[12:27] *** morganfainberg is now known as morganfainberg_Z
[12:37] *** zoresvit has joined #openstack-keystone
[12:39] *** marcoemorais has joined #openstack-keystone
[12:41] *** dstanek has joined #openstack-keystone
[12:43] *** marcoemorais has quit IRC
[12:45] *** gokrokve has joined #openstack-keystone
[12:49] *** gokrokve has quit IRC
[13:10] *** david-lyle has quit IRC
[13:13] *** marekd has quit IRC
[13:18] *** dims has quit IRC
[13:19] *** dims has joined #openstack-keystone
[13:19] *** marekd has joined #openstack-keystone
[13:27] *** saju_m has quit IRC
[13:35] *** bknudson has left #openstack-keystone
[13:40] *** marcoemorais has joined #openstack-keystone
[13:45] *** marcoemorais has quit IRC
[13:45] *** gokrokve has joined #openstack-keystone
[13:49] *** gokrokve has quit IRC
[13:50] <dolphm> jamielennox|away: forced into releasing a keystoneclient today due to bug 1287301
[13:58] *** gordc has joined #openstack-keystone
[14:12] *** bknudson has joined #openstack-keystone
[14:12] *** lazzari has joined #openstack-keystone
[14:14] <lazzari> Hi, I'm always getting "no handlers" when running keystone discover. Is that the expected behavior?
[14:14] <lazzari> keystone discover Keystone found at http://127.0.0.1:5000/v2.0     - supports version v2.0 (stable) here http://localhost:5000/v2.0/ No handlers could be found for logger "keystoneclient.generic.client"
[14:29] *** ayoung has joined #openstack-keystone
[14:34] <dolphm> lazzari: https://bugs.launchpad.net/python-keystoneclient/+bug/936404
[14:35] <lazzari> great! tnx
[14:35] *** wchrisj has joined #openstack-keystone
[14:39] *** browne has joined #openstack-keystone
[14:41] *** marcoemorais has joined #openstack-keystone
[14:42] *** stevemar has joined #openstack-keystone
[14:45] *** gokrokve has joined #openstack-keystone
[14:45] *** marcoemorais has quit IRC
[14:47] *** zoresvit has quit IRC
[14:49] *** gokrokve has quit IRC
[14:59] *** zoresvit has joined #openstack-keystone
[15:00] *** nkinder has quit IRC
[15:01] *** topol has joined #openstack-keystone
[15:02] *** gokrokve has joined #openstack-keystone
[15:23] *** zoresvit has quit IRC
[15:35] *** david-lyle has joined #openstack-keystone
[15:39] *** thedodd has joined #openstack-keystone
[15:42] *** marcoemorais has joined #openstack-keystone
[15:46] *** marcoemorais has quit IRC
[15:48] <ayoung> dstanek, Python question.  I am doing a popen, and want to pass binary data via stdin and stdout.  communicate()  indicates that it needs strings.  What is the right mechanism?
[15:51] <dstanek> ayoung: i've never had to do that, but i suspect if you have your binary data in a str you'd be fine
[15:51] <ayoung> dstanek, well, I did not seem to be fine
[15:51] <ayoung> dstanek, there are two formats I can pass to openssl cms
[15:51] <dstanek> str is bytes and unicode is text - that's why in Py3 str -> byte and unicode -> str
[15:51] <ayoung> one is PEM which is base64
[15:51] <ayoung> one is DER, which is binary
[15:51] <dstanek> ayoung: do you have a snippet i can look at?
[15:52] <ayoung> dstanek, ...um, I did...let me reproduce
[15:52] <ayoung> here
[15:52] <ayoung> dstanek, https://review.openstack.org/#/c/71181/14/examples/pki/gen_cmsz.py
[15:52] <ayoung> grab that whole review
[15:52] <ayoung> and ...
[15:53] <ayoung> actually, let me set it up for you.
[15:54] <ayoung> eh...should be good enough , see how I do  #verify before writing
[15:54] <ayoung> if you go into the dependent file:
[15:54] <ayoung> https://review.openstack.org/#/c/71181/14/keystoneclient/common/cms.py
[15:54] <ayoung> I hard coded it...one sec, let me repost
[15:55] *** nkinder has joined #openstack-keystone
[15:58] *** marekd is now known as marekd|away
[16:00] <ayoung> dstanek, https://review.openstack.org/#/c/71181/  latest shows the problem in commented out code in
[16:00] <ayoung> https://review.openstack.org/#/c/71181/15/examples/pki/gen_cmsz.py
[16:00] <ayoung> and..I have a phone call for an internal meeting
[16:02] *** mlemay has joined #openstack-keystone
[16:10] <dstanek> ayoung: ping me when you are back
[16:12] <dolphm> bknudson: gating https://review.openstack.org/#/c/75549/
[16:13] <bknudson> dolphm: I tried picking up the fix for the mysql warning but that ran into a snag... spammed the logs.
[16:13] *** chandan_kumar has quit IRC
[16:13] <bknudson> hopefully I can get that figured out later today...
[16:14] <dolphm> bknudson: i was just looking at that fix
[16:29] <bknudson> dolphm: does it make sense to cache tokens for 5 minutes?
[16:29] <bknudson> (by default)
[16:29] <dolphm> bknudson: sure, why not?
[16:29] <bknudson> that means that a token will work for 5 minutes after you revoke it.
[16:30] <dolphm> bknudson: correct
[16:30] <bknudson> UUID tokens
[16:30] <bknudson> PKI tokens will be invalidated every 1 sec
[16:30] <dolphm> bknudson: obviously tunable if you need different performance characteristics
[16:30] <bknudson> I wonder what it's typically set to.
[16:30] <dolphm> bknudson: the cache time applies to both UUID and PKI right now
[16:31] <dolphm> bknudson: i imagine the default ;)
[16:31] <bknudson> well, PKI is going to hit the revocation list
[16:31] <bknudson> and revocation_cache_time is 1 second, so they'll be invalid right away
[16:32] <dolphm> bknudson: reasonable expectation, but that's not true
[16:33] <dolphm> bknudson: https://bugs.launchpad.net/python-keystoneclient/+bug/1287301/comments/4
[16:34] <bknudson> nova-api does an odd thing where there are actually multiple caches... one for each worker or something.
[16:34] <bknudson> so a token might work depending on which worker it hits has it cached or not.
[16:36] <bknudson> so the processing doesn't go 1. get-token (from cache) , 2. validate against revocation list?
[16:37] <lbragstad> dolphm: bknudson possible region v3 fix for description, per discussion last night: https://review.openstack.org/#/c/78658/
[16:38] <bknudson> lbragstad: add a test where you add 2 with no description.
[16:38] <lbragstad> bknudson: I added a test with no description
[16:39] <lbragstad> https://review.openstack.org/#/c/78658/1/keystone/tests/test_v3_catalog.py
[16:39] *** richm has joined #openstack-keystone
[16:39] <bknudson> lbragstad: also add a test where you add another one with no description.
[16:40] <lbragstad> oh, two regions. OK
[16:40] *** jaosorior has quit IRC
[16:40] <bknudson> Looks like auth_token gets the token from cache: https://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/middleware/auth_token.py#L827
[16:40] <bknudson> then verified = self.verify_signed_token(user_token)
[16:41] <bknudson> which will check the revocation list
[16:45] *** dims has quit IRC
[16:47] *** dstanek has quit IRC
[16:47] *** dstanek_afk has joined #openstack-keystone
[16:48] *** dstanek_afk is now known as dstanek
[16:50] *** lazzari has quit IRC
[16:53] *** amcrn has quit IRC
[16:53] *** packet has joined #openstack-keystone
[16:55] *** gokrokve has quit IRC
[16:58] <dolphm> bknudson: if you back auth_token to a memcached instance, you can share that cache across workers
[16:58] <dolphm> bknudson: also, https://review.openstack.org/#/c/78650/
[17:00] <lbragstad> bknudson: good call, thanks for the heads up.
[17:01] *** dims has joined #openstack-keystone
[17:02] *** harlowja has joined #openstack-keystone
[17:02] <dolphm> lbragstad: i don't really think you need to make description nullable
[17:02] <dolphm> bknudson: lbragstad: but i didn't see where description was made unique?
[17:03] <lbragstad> dolphm: description was never checked if it was unique until it was in the sql backend
[17:05] <lbragstad> https://github.com/openstack/keystone/blob/master/keystone/common/sql/migrate_repo/versions/037_add_region_table.py#L26
[17:06] <lbragstad> according to the migration, description has to be unique
[17:07] <lbragstad> looks like regions is the only keystone resource that enforces its description to be unique.
[17:08] *** rwsu has joined #openstack-keystone
[17:10] *** gyee has joined #openstack-keystone
wchrisjCould someone tell me if this bug might still be in play in (devstack) KS? https://bugs.launchpad.net/keystone/+bug/99723117:21
*** marcoemorais has joined #openstack-keystone17:21
stevemarwchrisj, whoa that is old17:22
wchrisjAm trying to hit this URL, and the docs for v2 say it should work: http://devstack.local:5000/v2.0/users/{userid}/roles17:22
wchrisjbut I'm seeing the behavior in that bug17:22
wchrisjstevemar: my thoughts exactly17:22
stevemarwchrisj, what version are you using?17:23
wchrisjversion of what?17:23
stevemarof openstack17:23
wchrisjdevstack17:24
wchrisjfew days old17:24
wchrisjmaster branch, I assume17:24
stevemarwchrisj, /v2.0/users/{user_id}/roles should work17:25
stevemarwhat the error you're seeing?17:25
wchrisjok, then it's something with my code - that's what I was trying to confirm17:25
wchrisjan error 501 - User roles not supported: tenant ID required17:26
wchrisjI think I'm hitting the wrong port17:26
wchrisjmy specs use port 5000 - suspect it should be 3535717:26
wchrisjI think it's a port issue17:26
*** gokrokve has joined #openstack-keystone17:26
wchrisjwhen I manually hit the url, I get a 404 - would I get that if there are no roles associated with the user in question? stevemar:17:28
stevemarwchrisj, if there were not rules it shoulnd't be 404, it would be an empty list17:31
17:31 <wchrisj> makes sense
17:31 <stevemar> empty list is still valid
17:31 <dolphm> stevemar: wchrisj: i don't think it's a supported call, as the error message indicates
17:32 <wchrisj> yeah, I'm getting a 404 trying to hit this url
17:32 <wchrisj> http://devstack.local:5000/v2.0/users/2f649419c1ed4801bea38ead0e1ed6ad/roles
17:32 <wchrisj> manually
17:32 <dolphm> wchrisj: that sounds right; if you tried port 35357 you'd get a http 501 instead
17:32 <wchrisj> What am I missing Steve?
17:33 <dolphm> wchrisj: it's an ambiguously specified API call that we chose to never implement so as to avoid flip-flopping between the two perceivable interpretations of the spec; instead we have GET /v3/role_assignments
17:33 <dolphm> wchrisj: which is much more powerful and avoids any confusing semantics around the call
17:33 <wchrisj> so why do the docs say it exists?
17:33 <wchrisj> v2 docs
17:34 <ayoung> dstanek, I think I figured it: universal_newlines was set to True...testing now with them False for PEM
17:34 <ayoung> er DER
17:34 <wchrisj> ... just trying to understand...
17:34 <dolphm> wchrisj: because it *may* be implemented by an alternative implementation of the API, but keystone chooses not to
17:34 *** amcrn has joined #openstack-keystone
17:34 <wchrisj> aha
17:35 <wchrisj> I think of Keystone as the canonical implementation - good to know
17:35 <dolphm> wchrisj: ++
17:35 <dolphm> wchrisj: if you have authz on the rackspace public cloud, i think you'll get something back -- but you'd likely file a bug report because it's not the results you'd expect :)
17:35 <wchrisj> I'm a fairly new OS dev, so that's good to know
17:36 <ayoung> dstanek, yep, that was it
17:36 <dolphm> wchrisj: the identity service is one of the few APIs with more than one complete implementation in production floating around
17:36 <wchrisj> wild
17:36 <dstanek> ayoung: nice
17:37 <dolphm> wchrisj: keystone just happens to be the one supported by openstack directly
17:37 <wchrisj> dolphm: gotcha
17:37 <dolphm> wchrisj: and if you look at the diablo release of keystone vs the essex release of keystone -- those were actually two completely different implementations from the ground up
17:37 <wchrisj> wow
17:37 <wchrisj> ok
17:38 <ayoung> wchrisj, we've stabilized somewhat from that point
17:38 <wchrisj> dolphm: and v3 is a whole different animal altogether!
17:38 <wchrisj> ;-)
17:40 <wchrisj> OK, so I'm gonna document this call as one to "stay away" from
17:40 <wchrisj> and handle in v3
17:40 *** gokrokve_ has joined #openstack-keystone
17:43 *** gokrokve has quit IRC
17:44 <wchrisj> Many thanks stevemar: dolphm:
17:45 <dolphm> wchrisj: ++ i'd like it to be removed from openstack's api site since we don't support it directly
17:46 <dolphm> wchrisj: you're not the only one to be confused by it :(
17:46 <dolphm> bknudson: https://review.openstack.org/#/c/75549/
17:46 <wchrisj> ++
17:49 *** zhiyan is now known as zhiyan_
17:51 <dolphm> bknudson: pushing a merge conflict fix for that
17:53 *** browne has quit IRC
18:00 <dolphm> lbragstad: yikes... maybe we really do need a migration to fix that
18:01 <dolphm> lbragstad: it's not that we need to avoid migrations right now, i just want to make sure they're necessary
18:01 *** browne has joined #openstack-keystone
18:01 <dolphm> lbragstad: i.e. refactoring the assignments table would be a no-go right now, etc
18:02 <lbragstad> dolphm: yeah, that's understandable. Either way works
18:04 <dolphm> lbragstad: keep nullable=True, and just drop unique=True?
18:04 <dolphm> lbragstad: then in the manager, region.setdefault('description', '') ?
18:05 <lbragstad> dolphm: ok, so we are going to carry that in the manager
18:05 <dolphm> lbragstad: err, keep nullable=False i meant
18:05 <lbragstad> right
18:05 <lbragstad> yep
18:06 <dolphm> lbragstad: could ask jaypipes, but i'm guessing that unique=True was either a bad copy/paste that we didn't catch, or it was a sort of workaround before user-defined region IDs were implemented
18:07 *** cmart_ has joined #openstack-keystone
18:07 <lbragstad> dolphm: gotcha, makes sense
18:07 *** chandan_kumar has joined #openstack-keystone
18:08 <dolphm> lbragstad: set the patch to WIP for now-- ping me when you have another patchset
18:08 <cmart_> Hello
18:08 <dolphm> cmart_: o/
18:08 <cmart_> sorry to interrupt..
18:09 <lbragstad> dolphm: ok, I'll get a migration in the works. Thanks
18:10 <cmart_> I'm new with keystone and I got an error that I could not understand.. I'm using devstack and I pulled the latest changes from Keystone master.. But when I try to run the stack, I got the following error: http://paste.openstack.org/show/72804/
18:11 <cmart_> Where can I find more info related to this (like logs, or smth like that)?
18:12 <cmart_> Is this room the right place to ask these kinds of things?
18:12 <dolphm> cmart_: looks like you need the latest version of oslo.config (pip install -U oslo.config)
18:13 <dolphm> cmart_: there wouldn't be additional logs related to that backtrace
18:14 <dolphm> cmart_: you probably need to update all of keystone's dependencies though, so pip install --upgrade -r /opt/stack/keystone/requirements.txt -r /opt/stack/keystone/test-requirements.txt
18:14 <cmart_> dolphm: oh.. I see.. Well, I have the oslo.config updated.. I'll try with the keystone's dependencies then.. Thanks!
18:18 <cmart_> dolphm: Could this be also the reason why running tox gave me a lot of errors? ERROR: could not install deps [-r/opt/stack/keystone/requirements.txt, -r/opt/stack/keystone/test-requirements.txt] ?
18:19 <dolphm> cmart_: looks like you're just missing a space after the -r
18:23 <cmart_> dolphm: I didn't modify the tox.ini file and that log came from executing tox at /opt/stack/keystone.. This is the final part of the log http://paste.openstack.org/show/72779/
18:23 <cmart_> dolphm: The dependencies upgrade just finished.. I'll give it a try and let you know.. Thanks
18:26 *** thedodd has quit IRC
18:26 <stevemar> dolphm, ayoung can https://review.openstack.org/#/c/78523/ get a review? ksclient related, adding more info to the auth method plugins
18:27 <ayoung> stevemar, you really should add reviewers to the review list on the page
18:28 <ayoung> stevemar, looks pretty straightforward. I take it you need that for oauth?
18:28 <stevemar> ayoung, yep
18:28 <stevemar> ayoung, jamie posted it last night
18:29 <ayoung> stevemar, commit message should really read: add auth_url to session...but I am surprised it is not there already
18:30 <ayoung> interesting...
18:30 <stevemar> ?
18:30 <ayoung> stevemar, that has some interesting ramifications...
18:30 <stevemar> such as?
18:30 <ayoung> return '%s/auth/tokens' % self.auth_url.rstrip('/')
18:30 <ayoung> implies that it is always going to one URL.
18:30 *** gyee has quit IRC
18:30 <ayoung> I'm thinking like the SAML and Kerberos stuff
18:31 <ayoung> say you want to use a different suburl due to Apache mapping
18:31 <ayoung> you could, in theory do
18:31 <ayoung> for kerberos /v3/kerberos/auth/tokens
18:31 <bknudson> dolphm: thanks for taking care of the conflict
18:31 <ayoung> for x509 /v3/x509/auth/tokens
18:32 <stevemar> ayoung, we're not ready for that anyway, that bit of code was just pulling out something and making it a property
18:32 *** mlemay has quit IRC
18:32 <ayoung> yes, but the world is ready for it, and we need to think in those terms
18:32 <ayoung> these issues are coming up time and again
18:32 <stevemar> ayoung, yeah, but this patch isn't going to address that
18:33 <ayoung> stevemar, I realize...you just got me thinking. Always a dangerous thing to do
18:38 <ayoung> stevemar, https://review.openstack.org/#/c/71181/ that is going to be needed for compressed tokens and running Keystone in Apache, which means needed for SAML. Take a look when you get the chance
18:41 *** jnanin has joined #openstack-keystone
18:46 *** jnanin has quit IRC
18:46 <dstanek> stevemar: you're fast
18:46 <stevemar> dstanek, yay?
18:47 *** mlemay has joined #openstack-keystone
18:47 <stevemar> dstanek, i don't like letting things linger when they are easy to fix
18:49 <dstanek> stevemar: definitely a yay
19:00 *** dims has quit IRC
19:02 *** dims has joined #openstack-keystone
19:08 <dstanek> i was looking at https://review.openstack.org/#/c/75741 and i noticed an inconsistency
19:09 <dstanek> we typically use our own exception hierarchy for dealing with errors, but there are a few cases where we don't and we use WebOb's implementation
19:09 <dstanek> doing this (i believe) leads to HTML error pages instead of JSON error pages
19:09 <dstanek> has anyone come across that before?
19:10 <dstanek> trying to unwind the insanity that is webob now
19:20 *** thedodd has joined #openstack-keystone
19:26 <richm> is anyone else having problems signing into gerrit?
19:29 *** gyee has joined #openstack-keystone
19:42 <dstanek> richm: i was able to login in an incognito window - are you getting an error?
19:43 <richm> dstanek: it just hangs for a while trying to get to login.launchpad.net, then times out
19:43 <dstanek> can you get to launchpad.net at all?
19:43 <richm> I can go directly to login.launchpad.net just fine
19:43 <richm> but somehow through the "sign in" link it fails
19:44 <dstanek> hmmm...maybe launchpad is having issues?
19:44 <dstanek> if you continue to have issues infra would probably be the best place to ask
19:45 <richm> well, if no one else is having issues, then I probably need to logout and delete cookies
19:46 *** zhiyan_ is now known as zhiyan
19:48 <dolphm> bknudson: https://review.openstack.org/#/c/78521/
19:51 <dstanek> is ec2_token middleware still used?
19:51 <dolphm> dstanek: by heat
19:51 <dolphm> richm: just signed out of and back into gerrit without issue
19:52 <dstanek> dolphm: did you see my webob question above? i think that middleware will return HTML in some cases - i wanted to augment the tests, but I can't find them
19:52 <richm> yeah - I had to sign out of everything launchpad and openstack related, then delete all corresponding cookies
19:52 <dolphm> dstanek: ec2 returns html?
19:52 <dstanek> dolphm: i thought maybe they were in test_v3_credential.py, but i don't think so
19:53 <dolphm> dstanek: i've definitely seen html produced in error conditions; we used to use webob in more places so it was more common
19:53 <dolphm> dstanek: auth_token still returns plain text on failure, which is weird too
19:53 <dstanek> dolphm: http://git.openstack.org/cgit/openstack/keystone/tree/keystone/middleware/ec2_token.py#n53
19:54 <dolphm> dstanek: the change you linked is changing a docstr btw
19:54 <dstanek> something would have to catch those and turn them into something else - if it runs in heat's stack they may already be doing that
19:55 <ayoung> richm, should this be considered a bug fix? https://review.openstack.org/#/c/76002/
19:55 <richm> ayoung: yes, and a behavior change
19:56 <dolphm> dstanek: the v3 version does it correctly, i believe
19:56 <dolphm> dstanek: but i don't think there's any reason we couldn't rewrite those as proper exception.ValidationError's
19:56 <dolphm> dstanek: that module predates our own exception hierarchy, and just hasn't been given much love
19:57 <dstanek> dolphm: yeah, i know - i was trying to figure out which is more correct, detail or explanation, and it led me to this
19:57 <dstanek> dolphm: technically speaking the original way we had it would most likely be what we want *if* we used the HTML responses https://github.com/Pylons/webob/blob/master/webob/exc.py#L234
19:57 *** wchrisj_ has joined #openstack-keystone
19:57 <dolphm> dstanek: in https://review.openstack.org/#/c/75741 ?
19:58 <bknudson> dstanek: you can check the coverage report to see how well tested it is
19:58 <bknudson> http://logs.openstack.org/5d/5d65f0f0401e5a9f6b142c01659c3bb3434fdf44/post/keystone-coverage/87a4606/cover/keystone_middleware_ec2_token.html
19:59 *** dstanek_afk has joined #openstack-keystone
19:59 <dstanek_afk> dolphm: if you use detail (as we currently have it) then the HTML looks something like 'Forbidden Message From WebOb<br><br>Nice Try'
19:59 <dstanek_afk> hmmm...looks like i got bounced
20:00 *** dstanek has quit IRC
20:00 *** dstanek_afk is now known as dstanek
20:00 <dstanek> i don't think it matters though because we don't use either property and we don't want HTML
20:02 *** topol_ has joined #openstack-keystone
20:02 *** wchrisj__ has joined #openstack-keystone
20:03 *** wchrisj_ has quit IRC
20:03 <dolphm> dstanek: ++
20:03 <dolphm> bknudson: so, it's not even imported :P
20:03 *** wchrisj has quit IRC
20:03 *** harlowja has quit IRC
20:03 <bknudson> dolphm: there's no coverage for the ec2 middleware in our unit tests.
20:03 <bknudson> importing it would be a good first step.
20:04 *** harlowja has joined #openstack-keystone
20:05 *** topol has quit IRC
20:05 *** topol_ is now known as topol
20:06 <dstanek> bknudson: that'll get you to 15% without even writing tests!
20:08 <ayoung> richm, file it as a bug first, then, and we can consider it for Icehouse. That change doesn't look horrible enough that we should rule it out on size
20:08 <richm> well, it was a bug in rh bugzilla
20:08 *** cmart_ has quit IRC
20:08 <richm> the rh bz has since been closed
20:09 *** dstanek is now known as dstanek_afk
20:11 <richm> ayoung: I'm not sure what you mean by "file it as a bug first"
20:13 *** marcoemorais has quit IRC
20:15 *** marcoemorais has joined #openstack-keystone
20:16 *** marcoemorais has quit IRC
20:16 *** marcoemorais has joined #openstack-keystone
20:16 *** marcoemorais has quit IRC
20:17 *** marcoemorais has joined #openstack-keystone
20:28 *** achudnovets has joined #openstack-keystone
20:36 *** devlaps has joined #openstack-keystone
20:39 <dolphm> richm: he's referring to https://bugs.launchpad.net/keystone
20:39 <richm> dolphm: yes
20:40 *** achudnovets has quit IRC
20:40 *** achudnovets has joined #openstack-keystone
20:42 *** achudnovets has quit IRC
20:42 *** achudnovets1 has joined #openstack-keystone
20:42 <dolphm> dstanek_afk: there's tons of violations in keystone against the hacking's master... make sure you're not re-implementing any of those!
20:43 <dolphm> dstanek_afk: it's finally checking import grouping :D (H305, H307)
20:43 <dolphm> and backslash line continuations H904
20:46 *** mlemay has quit IRC
20:54 *** achudnovets1 has left #openstack-keystone
21:06 *** andreaf has joined #openstack-keystone
21:07 *** topol has quit IRC
21:09 *** andreaf has quit IRC
21:09 *** andreaf has joined #openstack-keystone
21:10 *** marcoemorais has quit IRC
21:12 *** gordc has left #openstack-keystone
21:12 *** gordc has quit IRC
21:49 <wchrisj__> dolphm: given the issue with that call into the keystone API (method not implemented), is there another resource I should consult in terms of discovering valid api method calls, preferably with params, etc.
21:50 <wchrisj__> ie: what is the reference for that?
22:00 *** zhiyan is now known as zhiyan_
22:00 *** marcoemorais has joined #openstack-keystone
22:09 *** mlemay has joined #openstack-keystone
22:12 *** packet has quit IRC
22:12 *** nkinder has quit IRC
22:22 <ayoung> richm, or find an existing bug to link it to.
22:23 <richm> ok
22:25 *** leseb has quit IRC
22:25 *** leseb has joined #openstack-keystone
22:28 *** dims has quit IRC
22:29 *** leseb has quit IRC
22:37 *** ayoung has quit IRC
22:39 *** leseb has joined #openstack-keystone
22:41 *** morganfainberg_Z is now known as morganfainberg
22:42 <morganfainberg> afternoon
22:42 *** dims has joined #openstack-keystone
22:51 *** stevemar has quit IRC
22:52 <morganfainberg> dolphm, ping, re password truncation change review. I'm going to -2 it until Juno at this point: String Freeze, possible extra options, etc
22:52 <morganfainberg> dolphm, unless you want to keep it as a possible Icehouse target (just don't see it being worth the FFE)
22:57 *** jamielennox|away is now known as jamielennox
22:58 *** dstanek_afk has quit IRC
23:00 *** dstanek_afk has joined #openstack-keystone
23:01 *** nkinder has joined #openstack-keystone
23:02 *** mlemay has quit IRC
23:04 *** mlemay has joined #openstack-keystone
23:08 *** dstanek_afk is now known as dstanek
23:20 *** leseb has quit IRC
23:23 *** thedodd has quit IRC
23:25 *** mlemay has quit IRC
23:27 *** mlemay has joined #openstack-keystone
23:32 <bknudson> wondering if you do "tox -e docs" do you get the man pages?
23:33 <bknudson> the output ends with "creating doc/build/man" -- but it's empty
23:35 <morganfainberg> bknudson, probably should generate them
23:35 <bknudson> morganfainberg: I think it used to.
23:36 <morganfainberg> might be when we switched some sphinx stuff up
23:36 <morganfainberg> that may have broken
23:36 <bknudson> "Sphinx documentation setups are altered to generate man pages by default."
23:36 <bknudson> http://docs.openstack.org/developer/pbr/#sphinx-autodoc
23:37 <morganfainberg> hmmmm
23:37 <morganfainberg> gee, wouldn't that be swell if it worked
23:37 *** andreaf2 has joined #openstack-keystone
23:39 <bknudson> I'm going to try a newer sphinx
23:39 *** andreaf has quit IRC
23:41 <bknudson> Running Sphinx v1.2.2
23:41 <bknudson> FTW
23:41 <bknudson> writing... keystone-manage.1 { } keystone-all.1 { }
23:42 <jamielennox> morganfainberg: do you have the links to your kite in stackforge reviews? i can't find them
23:42 <morganfainberg> jamielennox, brb will find them when i'm back
23:52 *** browne has quit IRC

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!