Wednesday, 2014-04-30

00:05 *** marcoemorais has quit IRC
00:05 *** nkinder has joined #openstack-keystone
00:05 *** browne has quit IRC
00:14 *** derek_c has joined #openstack-keystone
<openstackgerrit> A change was merged to openstack/keystone: Correct `nullable` values in models and migrations
<openstackgerrit> ayoung proposed a change to openstack/python-keystoneclient: Compressed Signature and Validation
00:31 *** praneshp has quit IRC
00:33 *** richm has quit IRC
<openstackgerrit> A change was merged to openstack/keystone: Redundant unique constraint
<openstackgerrit> A change was merged to openstack/keystone: Migration DB_INIT_VERSION in common place
<openstackgerrit> Morgan Fainberg proposed a change to openstack/keystone: Set proper DB_INIT_VERSION on db_version command
01:00 *** theocean154 has joined #openstack-keystone
01:16 *** daneyon has quit IRC
01:23 *** theocean154 is now known as theocean154_zzZZ
01:32 *** david-lyle has joined #openstack-keystone
01:33 *** Daviey has quit IRC
01:43 *** theocean154_zzZZ is now known as theocean154
01:57 *** david-lyle has quit IRC
<openstackgerrit> Jamie Lennox proposed a change to openstack/python-keystoneclient: Add endpoint handling to Token/Endpoint auth
02:11 *** diegows has quit IRC
02:12 *** zhiyan_ is now known as zhiyan
02:20 *** mberlin has joined #openstack-keystone
02:21 *** mberlin1 has quit IRC
02:27 *** harlowja is now known as harlowja_away
<openstackgerrit> OpenStack Proposal Bot proposed a change to openstack/keystone: Updated from global requirements
02:41 *** praneshp has joined #openstack-keystone
<openstackgerrit> OpenStack Proposal Bot proposed a change to openstack/python-keystoneclient: Updated from global requirements
02:54 *** sbfox has quit IRC
02:55 *** gyee has quit IRC
02:59 *** dstanek is now known as dstanek_zzz
03:00 *** dstanek_zzz is now known as dstanek
03:05 *** sbfox has joined #openstack-keystone
03:07 *** amcrn has joined #openstack-keystone
03:14 *** RockKuo_Office has joined #openstack-keystone
03:21 *** chandan_kumar has joined #openstack-keystone
03:30 *** stevemar has joined #openstack-keystone
03:32 *** chandan_kumar has quit IRC
03:34 *** bach has joined #openstack-keystone
03:43 *** stevemar has quit IRC
03:51 *** chandan_kumar has joined #openstack-keystone
04:05 *** shakamunyi has quit IRC
04:17 *** praneshp has quit IRC
04:17 *** praneshp_ has joined #openstack-keystone
04:26 *** sbfox has quit IRC
04:41 *** stevemar has joined #openstack-keystone
04:49 *** sbfox has joined #openstack-keystone
04:54 *** cp16net has left #openstack-keystone
05:10 *** dstanek is now known as dstanek_zzz
05:10 *** morganfainberg is now known as morganfainberg_Z
05:20 *** zhiyan is now known as zhiyan_
05:20 *** bach has quit IRC
05:31 *** dstanek_zzz is now known as dstanek
05:40 *** dstanek is now known as dstanek_zzz
05:49 *** dstanek_zzz is now known as dstanek
05:54 *** amcrn has quit IRC
<openstackgerrit> OpenStack Proposal Bot proposed a change to openstack/keystone: Imported Translations from Transifex
06:22 <marekd> dstanek: hi!
06:22 <marekd> dstanek: still around?
06:24 <marekd> stevemar: o/ you here?
06:24 <stevemar> marekd, ^
06:25 <marekd> i know it's late in Canada so a quick thing. did you have a chance to read my question about migration scripts and mapping_id FKness?
06:25 <marekd> stevemar: ^
06:25 *** Chicago has joined #openstack-keystone
06:26 <marekd> stevemar: to rephrase i was asking whether we are still allowed to play with 001_*, 002_* migration scripts and change them or we should leave them and add a 003_* migration script that would alter the protocols table and make mapping_id a FK
06:26 <stevemar> marekd, hmm, was it posted in this channel? can you repeat it? i don't recall reading it
06:26 <stevemar> marekd, ah
06:26 <stevemar> marekd, i think we are screwed
06:27 <stevemar> marekd, we shouldn't alter 001_* or 002_*
06:27 <stevemar> and bknudson seemed very doubtful about adding a FK
06:27 <marekd> stevemar: why?!
06:27 <stevemar> since, if the user downgrades, what do you place in there?
06:28 <marekd> hm, is he reluctant to add a FK right now (because it was not added from the very beginning) or in general?
06:30 <stevemar> marekd, since it wasn't added from the beginning
06:31 <marekd> oh maaaan ;/ i checked the patches history yesterday
06:31 <marekd> and i saw bknudson was looking at nullness/fkness of that parameter
06:32 <marekd> but since mappings and idps with protocols were added in different patches i think that was the reason for not making mapping_id a fk from the beginning...
06:33 <marekd> do you think it's worth spending a few minutes and submitting a patch as a starting point for a kind of discussion?
06:33 <marekd> i guess top contributors could get involved in that (dolph, morgan, dstanek, adam, bknudson ofc etc)
06:33 *** ukalifon has joined #openstack-keystone
06:34 <stevemar> marekd, couldn't hurt
06:34 <marekd> stevemar: ok
06:34 <stevemar> the upgrade path is easy
06:36 <marekd> stevemar: ok, thanks.
06:36 <marekd> now, go to bed, i think it's like 2:30am?
06:37 <stevemar> marekd, it is, but i'm learning about factory functions... and how i can use them to solve my import problem
06:46 *** dstanek is now known as dstanek_zzz
06:48 <marekd> stevemar: hmm, just pulled newest keystone master and the nullable patch went in...
06:49 <stevemar> marekd, yes, it did
06:53 *** theocean154 has quit IRC
07:07 *** skb has joined #openstack-keystone
07:08 *** skb has left #openstack-keystone
<openstackgerrit> Steve Martinelli proposed a change to openstack/python-keystoneclient: Add request/access token and consumer support for keystoneclient
07:17 *** ekarlso has joined #openstack-keystone
07:17 <stevemar> marekd, alright, now i'm out
07:17 <stevemar> marekd, see you tomorrow / later today
07:18 <marekd> stevemar: good night!
07:20 *** sbfox has quit IRC
07:22 *** stevemar has quit IRC
07:25 *** Daviey has joined #openstack-keystone
07:30 *** amcrn has joined #openstack-keystone
07:34 *** ThomasCrowe1 has quit IRC
07:38 *** praneshp_ has quit IRC
07:39 *** leseb has joined #openstack-keystone
07:47 *** dstanek_zzz is now known as dstanek
07:55 *** zigo_ is now known as zigo
07:57 *** dstanek is now known as dstanek_zzz
08:05 *** topol has joined #openstack-keystone
08:06 *** topol has quit IRC
08:06 *** topol has joined #openstack-keystone
08:07 *** derek_c has quit IRC
<openstackgerrit> Sergey Nikitin proposed a change to openstack/keystone: Code which gets and deletes elements of tree was moved to one method
08:30 *** theocean154 has joined #openstack-keystone
08:34 *** theocean154 has quit IRC
<openstackgerrit> Marek Denis proposed a change to openstack/keystone: Make FederationProtocolModel.mapping_id a FK
09:01 *** topol has quit IRC
09:09 *** sphoorti has joined #openstack-keystone
09:12 <sphoorti> Hello folks, I ran a test coverage command in python-keystoneclient. I get the error: No handlers found for Logger. What possibly could be going wrong?
09:30 <sphoorti> And running the same command on /opt/stack/keystone leads to the following error: No changes have been made to any codebase. I am running the test commands on freshly cloned devstack
09:30 <sphoorti> What could be going wrong?
09:30 *** andreaf has joined #openstack-keystone
09:53 *** leseb has quit IRC
09:53 *** leseb has joined #openstack-keystone
09:58 *** leseb has quit IRC
10:19 *** theocean154 has joined #openstack-keystone
10:23 *** theocean154 has quit IRC
10:51 *** openstackgerrit has quit IRC
10:53 *** leseb has joined #openstack-keystone
10:58 *** leseb has quit IRC
11:03 *** RockKuo_Office has quit IRC
11:04 *** leseb has joined #openstack-keystone
11:05 <ukalifon> Hello. How can I find the list of protocols that federation can work with? I know that saml2 is supported but are there other protocols besides that one?
11:08 *** leseb has quit IRC
11:17 *** tomoiaga has joined #openstack-keystone
11:22 <marekd> ukalifon: hi
11:22 <marekd> ukalifon: currently this will be only saml
11:24 <marekd> ukalifon: Is there any specific federation protocol you were looking for?
11:25 *** leseb has joined #openstack-keystone
11:25 <ukalifon> marekd: thanks for your reply. I am not looking for something specific, just looking to test the federation API and I don't currently have a saml provider...
11:26 <marekd> ukalifon: ok, so I suggest sticking to SAML2 for now :-)
11:26 <marekd> ukalifon: besides, it's keystone who acts as a Service Provider
11:26 <marekd> ukalifon: and if you don't have a working IdP you can try out testshib.org
11:27 <marekd> as an Identity Provider
11:28 <ukalifon> marekd: I will look into testshib, thanks.
<marekd> there is an ongoing review process for the federated-keystone documentation ( and here you can find a drafted 'tutorial' for setting up federated-keystone with testshib (
11:30 <marekd> also feel free to ping me if you have any problems.
11:31 <marekd> ukalifon: what tz are you?
11:31 <marekd> same for me.
11:35 * dolphm NEIGHBORS!
11:37 <marekd> dolphm: ?
11:37 <dolphm> marekd: ukalifon and yourself
11:37 <marekd> dolphm: yeah, very few stackers are in my tz :(
11:47 <boris-42> dolphm hi
11:50 <boris-42> dolphm could we speak about the performance job in keystone
<boris-42> dolphm actually this one patch
11:56 <dolphm> boris-42: lgtm
11:59 <boris-42> dolphm nice thanks
11:59 <boris-42> dolphm I will make some email to share a common workflow for how to work with rally in gates
12:00 <boris-42> dolphm I mean a better way to work on patches related to performance
12:02 *** sphoorti has quit IRC
12:07 <gabriel-bezerra> marekd: is it possible to use federation with LDAP? Can Shibboleth's IdP use LDAP as a backend, for example?
12:07 *** theocean154 has joined #openstack-keystone
12:08 <marekd> gabriel-bezerra: hey. I think this is the most common way of federation configuration. but it's specific to the IdP which is a completely independent piece of software.
12:09 <marekd> gabriel-bezerra: what we do with OpenStack is rather the Service Provider side.
12:09 *** tomoiaga has left #openstack-keystone
12:11 <gabriel-bezerra> I got that. I was just wondering if it would be possible to integrate with LDAP in any way.
12:11 <marekd> gabriel-bezerra: for sure.
12:11 *** theocean154 has quit IRC
12:12 <gabriel-bezerra> ..without having to change keystone's code
12:12 <marekd> gabriel-bezerra: hm, wait.
<rodrigods> anyone available to review and
12:13 <marekd> gabriel-bezerra: normally, in a typical federation use-case keystone has nothing in common with the IdP.
12:14 <marekd> gabriel-bezerra: well ok, it does, but not directly. Keystone will communicate with the IdP via the SAML protocol.
12:15 <marekd> gabriel-bezerra: but this is a matter of configuration, not changes in the code.
12:15 <gabriel-bezerra> What I got is: Keystone[SP]<--->[IdP]Shibboleth---LDAP.
12:16 <marekd> gabriel-bezerra: correct.
12:16 <marekd> gabriel-bezerra: so now, Keystone[SP]<--->[IdP]Shibboleth happens via the SAML protocol.
12:20 *** erecio has joined #openstack-keystone
<gabriel-bezerra> just a beginner's question: My change got a +2. What should happen now?
12:36 *** erecio_1 has joined #openstack-keystone
12:38 *** erecio has quit IRC
12:43 *** dstanek_zzz is now known as dstanek
13:05 *** bada has quit IRC
13:15 *** dstanek is now known as dstanek_zzz
13:16 *** joesavak has joined #openstack-keystone
13:19 <ayoung> ukalifon, don't bother testing the internal events...that BP was written in support of the revocation events
13:22 *** bknudson has joined #openstack-keystone
13:23 <boris-42> ayoung ^
13:23 <boris-42> ayoung now it works in keystone
13:23 <boris-42> ayoung should wait a bit for results
13:24 <ayoung> boris-42, edit the commit message: preformance
13:24 <ayoung> but now you can do that right in gerrit!
13:24 <boris-42> ayoung heh
13:24 <boris-42> ayoung yep nice thing=)
13:24 *** dstanek_zzz is now known as dstanek
13:25 <boris-42> ayoung so now we should wait for tempest
13:25 <ayoung> ++ let me find the RH perf guy and clue him in
13:25 <boris-42> ayoung and we will see pretty graphs in check-rally-dsvm-keystone
13:25 <boris-42> ayoung nick?
13:25 <ayoung> I like this. A lot
13:25 <marekd> ayoung: what Identity Provider do you use at RH? Is it some homemade software, something open sourced, commercial (lol)?
13:25 <ayoung> one sec...I have his email
13:26 <ayoung> boris-42, his real name is Neependra Khare
13:26 <boris-42> ayoung actually he wrote all tests=)
13:27 <ayoung> boris-42, it might be his nighttime...I think he's in Pune
13:27 <boris-42> ayoung benchmarks for keystone in rally=)
13:27 <boris-42> ayoung so I know that guy=)
13:28 <ayoung> boris-42, yeah, once he caught on to the upstream effort, he stopped bothering me and started talking with people who actually knew what they were doing, like you
13:28 <ayoung> hint hint ukalifon ....
13:32 <boris-42> ayoung thanks i will )
13:34 *** stevemar has joined #openstack-keystone
13:34 <boris-42> ayoung yep systematization of benchmarks is the key to success=)
13:39 *** erecio_1 has quit IRC
13:53 *** dstanek is now known as dstanek_zzz
13:55 *** theocean154 has joined #openstack-keystone
13:55 *** stevemar has quit IRC
13:56 *** openstackgerrit has joined #openstack-keystone
13:57 *** erecio_1 has joined #openstack-keystone
13:59 *** theocean154 has quit IRC
14:02 *** ukalifon has quit IRC
14:04 *** daneyon has joined #openstack-keystone
14:06 <marekd> ayoung: what Identity Provider do you use at RH? Is it some homemade software, something open sourced, commercial (lol)?
14:08 <ayoung> marekd, you are kidding, right?
<ayoung> marekd, Simo Sorce also has a project burning to get a saml front end to this and the whole sssd infrastructure:
14:11 *** sbfox has joined #openstack-keystone
14:11 *** tomoiaga has joined #openstack-keystone
14:12 *** diegows has joined #openstack-keystone
14:13 <gabriel-bezerra> ayoung: I tried applying patch 4 of your change 90476, but the problem when trying to the token is still happening
14:13 <gabriel-bezerra> is there any conflict between that and federation?
14:13 <marekd> ayoung: i recall our talk about ipsilon not.
14:14 <gabriel-bezerra> I turned federation on
14:14 <gabriel-bezerra> I mean, it is in my keystone's pipeline
14:14 <ayoung> gabriel-bezerra, first thought is "are you sure you applied it"
14:14 <ayoung> there should be no relationship between that patch and Federation
14:15 <ayoung> the token is signed in the client and returned in guess is that the last version of the patch should be reverted to the one before that does the explicit str()
14:16 <ayoung> gabriel-bezerra, try just editing it by hand and see if the fix works...I've been using it in a proof of concept I'm working on. The old version, though
14:16 <gabriel-bezerra> TypeError: expected byte string object for header value, value of type unicode found
14:16 <gabriel-bezerra> this is the error in my /var/log/apache2/keystone
14:16 <gabriel-bezerra> this is the patch 4
14:17 <gabriel-bezerra> I'll change to the patch 3
14:17 <gabriel-bezerra> a service apache2 restart is enough to reload the code, isn't it?
14:18 <gabriel-bezerra> I changed the line six.text_type to str
14:18 <gabriel-bezerra> by hand
14:18 <gabriel-bezerra> as it is on patch 3
14:18 <gabriel-bezerra> it worked
14:19 <gabriel-bezerra> so the patch 4 has that error ^
14:20 <ayoung> gabriel-bezerra, please comment on that in the code review...and I'll revert as well
14:21 *** wchrisj has joined #openstack-keystone
14:21 *** wchrisj has left #openstack-keystone
<boris-42> ayoung so here is the result
14:26 <boris-42> ayoung take a look at check-rally-dsvm-keystone
14:27 <ayoung> boris-42, you mean ?
14:27 <boris-42> ayoung yep it is the result
14:27 <ayoung> think it just crashed my browser
<boris-42> ayoung of this task
14:28 <boris-42> ayoung hehe=)
14:28 <boris-42> ayoung 2500 iterations to much info on graphs
14:28 <ayoung> I'm sure it has nothing to do with the fact that I have something like 60 tabs open
14:28 <boris-42> ayoung too much*
14:28 <boris-42> ayoung hmmm I don't know I haven't had any problems with opening it
14:29 <boris-42> ayoung it takes a couple of seconds to render it
14:29 <boris-42> ayoung but after that it works just fine
14:29 <ayoung> nah...too much open in my browser. This was the cinder block that broke the camel's back
14:29 *** david-lyle has joined #openstack-keystone
14:29 <boris-42> ayoung actually I am thinking about tuning the graph
14:30 <boris-42> ayoung to reduce the amount of points
14:30 <boris-42> ayoung e.g. to not show more than 1 points
14:30 <boris-42> 1k points
14:31 <ayoung> boris-42, are you doing the rendering in the browser for that?
14:33 <ayoung> I closed all tabs, closed the browser, reopened, and it is still crawling
14:33 <ayoung> lemme try chrome
14:33 <boris-42> ayoung yep
14:33 <boris-42> ayoung rendering is done online
14:33 <boris-42> ayoung graphics are not static
14:33 <ayoung> that is a contradiction.
14:34 <ayoung> rendering is done in the browser, not online, right?
14:34 <ayoung> chrome is much smoother
14:34 <ayoung> OK, I have to admit, I have no idea what I am looking at here
14:36 *** stevemar has joined #openstack-keystone
14:37 *** erecio_1 has quit IRC
14:37 *** sbfox has quit IRC
14:45 *** bach_ has joined #openstack-keystone
14:45 *** bach_ has quit IRC
14:46 *** bach_ has joined #openstack-keystone
14:48 <boris-42> ayoung lol=)
14:48 <boris-42> ayoung it's in browser not online
14:48 <ayoung> gabriel-bezerra, I'm battling Federation as well. I am having trouble with my mapping:
14:48 <ayoung> boris-42, so, what is it showing me?
14:49 <boris-42> ayoung so the benchmark scenario is next
14:49 <boris-42> create user and then delete user
14:49 <boris-42> we are running 60 such scenarios simultaneously
14:49 <boris-42> total amount of scenario runs is 2.5k
14:50 <boris-42> we are seeing that after 2k something weird is happening
14:50 <boris-42> as well you can analyze the duration of the operations create_user and delete_user
14:51 <boris-42> that are actually quite huge
14:51 <boris-42> especially creating user
14:51 <boris-42> then you are able to analyze keystone logs
14:51 <boris-42> and see in them what you already saw
14:51 <boris-42> that eventlet should be used at all in production
14:51 <boris-42> ^ ayoung
14:52 <ayoung> boris-42, to my eye it looks like things change at the 1800 mark?
14:52 <boris-42> ayoung it depends =)
14:52 <boris-42> ayoung on performance of node
14:53 <ayoung> yeah, makes it hard to nail things down if you can't hold other things fixed
14:53 <boris-42> ayoung in this run it was at 1.8 but usually at 2k in my local installation it's about 3k
14:53 <ayoung> boris-42, what is the RAM size of the various machines?
14:54 <boris-42> ayoung oh I don't know what we have in gates
14:54 <boris-42> ayoung in my case it was 4GB ram
14:54 <ayoung> boris-42, might be simple memory exhaustion
14:55 <boris-42> ayoung you are trying to find the reason why eventlet failed?
14:55 <ayoung> boris-42, well, not going to go crazy trying to figure out if something is wrong if it's that we are trying to carry 10 lbs of stone in a 5lb bucket
14:56 <boris-42> ayoung imho
14:56 <boris-42> ayoung if the first 2k iterations work well
14:56 *** andreaf has quit IRC
14:56 <boris-42> ayoung the other 10k should work well as well
14:58 <boris-42> ayoung dstat
14:58 <boris-42> ayoung there is less and less memory
14:59 <boris-42> ayoung but the minimal value is about 240 mb
14:59 <boris-42> ayoung so I don't think that memory is the issue
15:00 <boris-42> ayoung any way why does it use so much memory?
15:00 *** dstanek_zzz is now known as dstanek
15:02 <boris-42> ayoung it will be interesting to see the results for HTTPs
15:02 <boris-42> ayoung if it's eventlet crap we should get rid of it asap=)
15:04 <stevemar> dstanek, i am seeing a weird error when running python3 tests for keystoneclient, have you seen this before? ctrl+f import error
15:04 <stevemar> dstanek, ... running python3 tests for my patch, not in master or anything (sorry about the wording of the last msg :P)
15:07 <dstanek> stevemar I think it's an import error
<openstackgerrit> Matthieu Huin proposed a change to openstack/keystone: More random values for oAuth1 verifier
15:12 *** theocean154 has joined #openstack-keystone
15:19 *** thedodd has joined #openstack-keystone
15:20 *** doddstack has joined #openstack-keystone
15:22 *** erecio_1 has joined #openstack-keystone
15:23 *** thedodd has quit IRC
15:27 <gabriel-bezerra> ayoung: I haven't even gotten to retrieve the identity_providers
15:28 <gabriel-bezerra> it is complaining about authentication
15:28 <marekd> gabriel-bezerra: federation ?
<gabriel-bezerra> curl -H "X-Auth-Token: $ADMIN_TOKEN" -H "Content-type: application/json"
15:29 <gabriel-bezerra> yes, marekd
15:30 <gabriel-bezerra> admin token is really a token, i echoed it to check
15:30 *** klrmn has left #openstack-keystone
15:31 <marekd> gabriel-bezerra: ah, i thought you had some auth/saml2 problems, but it looks like a general auth problem :P
15:32 <marekd> gabriel-bezerra: is it related to this: ?
15:32 <gabriel-bezerra> 401: Unauthorized
15:32 <gabriel-bezerra> I applied the patch 3
15:33 <gabriel-bezerra> you can see my comment about patch 4 there
15:33 <gabriel-bezerra> so.. the error is no longer 500, now it is 401
15:34 <marekd> and logs?
15:34 <marekd> gabriel-bezerra: did you have a chance the line of code that raised that exception ?
15:34 <marekd> trace the line of code that raised that exception*
15:35 <gabriel-bezerra> the 401 or the 500?
15:35 <marekd> gabriel-bezerra: btw are you running standalone keystone or w/ apache ?
15:37 <gabriel-bezerra> I haven't enabled ssl nor shib on keystone.conf, it is just as the template created by devstack
15:37 <gabriel-bezerra> i mean apache2/sites-available/keystone.conf
15:37 *** topol has joined #openstack-keystone
15:38 <gabriel-bezerra> but I enabled federation on /etc/keystone/keystone.conf and /etc/keystone/keystone-paste.ini
15:38 *** topol has quit IRC
15:38 *** topol_ has joined #openstack-keystone
15:38 *** topol_ is now known as topol
15:39 <gabriel-bezerra> hey, how to cat the log with colors?
15:39 <gabriel-bezerra> neither tail nor cat did it
15:39 <gabriel-bezerra> I want to get the message without the color codes to copy/paste
15:40 *** gyee has joined #openstack-keystone
15:40 <marekd> gabriel-bezerra: so with or without ?
15:40 <gabriel-bezerra> I want it to print with colors so the color codes aren't shown
<marekd> not sure if it supports shell color-codes but you can try:
<openstackgerrit> Steve Martinelli proposed a change to openstack/python-keystoneclient: Add request/access token and consumer support for keystoneclient
15:46 *** erecio_1 has quit IRC
15:48 <ayoung> gabriel-bezerra, redirected for a little bit. Something about my rule is not matching the groups
15:49 <ayoung> marekd, if we are going to let Domain admins manage their own rules...we are going to need some tooling or better output support.
15:50 <marekd> ayoung: something in the API or better logs?
<gabriel-bezerra> ayoung: Regarding this : Should I create a new change and abandon this or just remake my commit, commit message and so to just change the
15:50 <ayoung> marekd, marekd can't be logs, as domain admins won't see them...I don't know the answer. Maybe something like a way to test auth, and get back a subset of the logging data?
15:51 <stevemar> dstanek, ahh, apparently import exceptions blows up in python3
15:51 <marekd> ayoung: you are probably now thinking about something like "rule X didn't match so i didn't assign this group" ?
15:51 <ayoung> gabriel-bezerra, it looks basically good, just fix and resubmit, I think. I haven't looked at it too closely, though
15:52 <ayoung> marekd, yeah....but only for admins
15:52 *** serverascode has quit IRC
15:52 <ayoung> marekd, something like: "here is a request, minus the secret. Assuming the secret were correct, what kind of auth response would Keystone give me?"
15:53 <gabriel-bezerra> ayoung: I asked it because of the comment of Sean Dague.
15:53 <ayoung> gabriel-bezerra, ah...
15:53 <ayoung> gabriel-bezerra, I have to admit, I kinda like your patch
15:53 <ayoung> as we get more and more devstacked services, making things explicit will be better documenting...
15:54 <ayoung> but, he's right in this case, better to make the docs match
15:54 *** tomoiaga has left #openstack-keystone
15:54 <ayoung> key is the normal trigger for all of devstack, and your fix would only work for the apache side of it,
15:54 *** serverascode has joined #openstack-keystone
15:55 <ayoung> for example, in ENABLED_SERVICES=+keystone would not work
15:55 <marekd> ayoung: hah, this basically means writing/reusing another SAML2 parser...i'd say writing, as we would be presenting an invalid (w/o secret) assertion.
15:55 <gabriel-bezerra> my comment for that is (I'm still going to post it): "Ok. I would change things to get closer to its ideal way (keystone instead of key), but it seems reasonable to fix only the documentation for now and change key->keystone everywhere on a single commit down the road."
15:56 <ayoung> marekd, I would think something more like returning a trace of the rules evaluation
15:57 <marekd> ayoung: right, but what's the input? If an XMLized assertion, then we need to parse it like SAML-soft does it, if just a set of 'already' parsed env_variables then..domain admins might need some info from mod_shib configuration.
15:58 <marekd> ayoung: if we do that, I would go for option two either way.
15:58 *** jayh has joined #openstack-keystone
15:59 <gabriel-bezerra> but my question is: should I create a new change just touching the doc and abandon this, or should I reuse the Change-Id with a totally new commit message and content?
15:59 *** KurtMartin is now known as kmartin
15:59 *** erecio_1 has joined #openstack-keystone
16:00 *** jsavak has joined #openstack-keystone
16:01 *** packet has joined #openstack-keystone
16:01 <ayoung> jayh, yeah, this is the right place to discuss things about Keystone....
16:02 <ayoung> gabriel-bezerra, new change, I think, as this one may have a life of its own.
16:02 *** joesavak has quit IRC
16:02 <ayoung> marekd, ah...I was thinking post parse:
16:02 <gabriel-bezerra> ayoung: ok. I'll do that.
16:02 <ayoung> marekd, I want the parsing-etc to be handled by Apache modules, so not our problem
16:03 *** packet has quit IRC
16:03 <ayoung> marekd, for example, I am using mod_identity_lookup to populate my groups list. If I hit a simple WSGI app, I can see the REMOTE_GROUPS env var
16:03 <ayoung> REMOTE_GROUPS = admins;hawk;osprey;eagle
16:03 *** chandan_kumar has quit IRC
16:03 <ayoung> Now I try this set of rules;
16:03 <marekd> ayoung: ah, so you want to do the saml2 authn, but instead of going to obtain an unscoped token you would rather get some feedback - this rule matched, this didn't.
16:04 *** sbfox has joined #openstack-keystone
16:04 <ayoung> marekd, that is my current pain point, so, yeah, that would be swell
16:05 *** packet has joined #openstack-keystone
16:05 *** packet has quit IRC
16:05 <marekd> ayoung: i think you want to squeeze this into one 'local' object and one 'remote' object.
16:06 <marekd> and in fact make it one rule.
16:06 *** packet has joined #openstack-keystone
16:06 <ayoung> marekd, ah...lemme try that
16:07 <marekd> ayoung: what's your business case - assign keystone group osprey if osprey is in REMOTE_GROUPS, right?
16:07 <ayoung> marekd, I want REMOTE_USER to become userid and REMOTE_GROUPS to be the set of group assignments
16:08 *** marcoemorais has joined #openstack-keystone
16:08 <ayoung> I was trying to cut it down to a single group,
16:09 <ayoung> so, yes, assign keystone group osprey if osprey is in REMOTE_GROUPS plus the REMOTE_USER thing
16:10 <marekd> try this (after checking on syntax)
16:10 *** gabriel-bezerra has quit IRC
16:10 *** rodrigods has quit IRC
16:11 <marekd> ayoung: first of all: every local object needs a "user", without that you end up with HTTP 401
16:11 *** afaranha has quit IRC
16:12 <marekd> what i pasted will simply map REMOTE_USER to user['name'] and do the matching on the REMOTE_GROUPS env variable.
16:12 <marekd> there should be '}' between lines 23 and 24
16:14 <ayoung> {"error": {"message": "Could not map user", "code": 401, "title": "Unauthorized"}}
16:14 <ayoung> so I need user id
16:14 <marekd> ayoung: do a quick test: replace "{0}" with some const string.
16:14 <marekd> and see if it works.
16:15 <ayoung> marekd, nope, no difference
16:18 *** andreaf has joined #openstack-keystone
<marekd> ayoung: this is the rule that worked for me:
16:20 <ayoung> marekd, I suspect my problem is that I still have the LDAP backend wired up.
16:21 <marekd> -> this is where you get into trouble. can you somehow check what's in REMOTE_USER ?
16:21 <marekd> ayoung: ^^
16:22 <marekd> ayoung: because after you specified some fixed string you should not get http 401 :(
16:22 <ayoung> marekd, 1 sec...trying with no groups specified on either side...
16:22 <ayoung> OK: "Unable to find valid groups while using mapping cloudlab"
16:23 <ayoung> "User ayoung has no access to project 5d15013cbebd4b1e95ad3b5785c866f7",
16:23 <ayoung> that looks good....
16:23 <ayoung> it is the group matching that was messing me up.
16:23 <ayoung> I wonder if the parsing is wrong, and it is not getting any groups?
16:23 *** gabriel-bezerra has joined #openstack-keystone
16:24 <marekd> what if you specify group id instead of its name?
16:25 <ayoung> I did
16:25 *** rodrigods has joined #openstack-keystone
16:25 *** rodrigods has quit IRC
16:25 *** rodrigods has joined #openstack-keystone
16:25 <ayoung> "group": { "id": "osprey" }
16:26 <ayoung> marekd, I might inject some more tracing in the Mapping plugin.
16:26 <marekd> pity pdb cannot be used when running with apache :(
16:26 *** afaranha has joined #openstack-keystone
16:26 <marekd> this would speed up things.
16:26 <ayoung> marekd, so I have a thought about that
16:26 <ayoung> what if we ran apache with one thread
16:27 <ayoung> and allowed attaching a remote debugger
16:28 <ayoung> marekd, look in keystone-all: there is a switch in there for the eventlet case
16:28 <ayoung> its in commit: git show 0f225743e8644416df2f200d710912c40b7acd47
16:30 <ayoung> marekd, it wouldn't be pdb, but it would be a remote debugger. I use pydev, albeit on a separate machine. But it probably would work
16:30 <marekd> i don't care as long as i can stop and check what's in my variables...
16:31 <gabriel-bezerra> ayoung: Is there any way to tie these changes as related on Gerrit?
16:31 <marekd> ayoung: i have some guests here and need to run away for now. If you find something drop me an e-mail. I will try to be back in the next couple of hours.
16:31 <ayoung> gabriel-bezerra, not directly, but put in a comment that includes the link and that should be sufficient
16:31 *** marekd is now known as marekd|away
16:31 *** erecio_1 has quit IRC
16:34 *** richm has joined #openstack-keystone
16:40 <dstanek> stevemar: did you get it figured out?
16:40 <stevemar> dstanek, yep! put up a patch for oauth support on keystoneclient
16:41 <stevemar> dstanek, i think i managed to get the factory function working, if you could take a look (no rush on it), that would be awesome
16:41 <dstanek> stevemar: link? there are so many reviews
<stevemar> dstanek, of course sir:
16:43 *** chandan_kumar has joined #openstack-keystone
16:43 *** browne has joined #openstack-keystone
16:43 *** joesavak has joined #openstack-keystone
16:44 *** thiagop has joined #openstack-keystone
16:46 *** jsavak has quit IRC
16:46 *** topol has quit IRC
16:48 *** Chicago has quit IRC
16:51 *** andreaf has quit IRC
16:54 *** harlowja_away is now known as harlowja
16:54 <dstanek> stevemar: i didn't review the whole thing yet, but i left you some early feedback on the factory
16:55 <stevemar> dstanek, cool
16:55 *** erecio_1 has joined #openstack-keystone
16:58 *** theocean154 has quit IRC
16:59 *** praneshp has joined #openstack-keystone
17:00 *** theocean154 has joined #openstack-keystone
17:00 *** jamielennox is now known as jamielennox|away
17:01 *** sbfox has quit IRC
17:01 *** sbfox has joined #openstack-keystone
17:01 *** andreaf has joined #openstack-keystone
17:02 *** praneshp_ has joined #openstack-keystone
17:04 *** praneshp has quit IRC
17:04 *** praneshp_ is now known as praneshp
17:04 *** ukalifon1 has joined #openstack-keystone
17:06 *** chandan_kumar has quit IRC
17:11 *** andreaf has quit IRC
17:11 *** leseb has quit IRC
17:13 *** bada has joined #openstack-keystone
17:14 *** bada has quit IRC
17:14 *** Ju has joined #openstack-keystone
17:19 *** Ju has quit IRC
17:21 *** Ju has joined #openstack-keystone
17:23 *** sbfox has quit IRC
17:26 <gabriel-bezerra> marekd|away: RBAC: Invalid token
17:27 <gabriel-bezerra> is there anything I should put in policy.json to access the federation api?
17:30 <gabriel-bezerra> ayoung: ^
17:30 <ayoung> gabriel-bezerra, I didn't add anything
17:30 <gabriel-bezerra> are you using the v3sample?
17:30 <ayoung> gabriel-bezerra, um...not sure
17:30 <gabriel-bezerra> or v2 is ok?
17:31 *** amcrn has quit IRC
17:31 <ayoung> gabriel-bezerra, looks like default policy.json
17:31 <ayoung> gabriel-bezerra, look for rules like this:
17:31 *** leseb has joined #openstack-keystone
17:31 <ayoung> "identity:create_identity_provider": "rule:admin_required",
17:31 *** leseb has quit IRC
17:32 *** leseb has joined #openstack-keystone
17:33 <ayoung> gabriel-bezerra, you mean for authentication?
17:33 <ayoung> I'm cheating, and using the SAML plugin, but you need to enable that in conf and pipeline
17:34 *** abhirc has joined #openstack-keystone
17:35 <gabriel-bezerra> this is what is happening:
17:36 <gabriel-bezerra> 1 - I applied the patch 3 from your review on the code
17:36 *** leseb has quit IRC
17:36 <gabriel-bezerra> 2 - I'm running keystone on Apache
17:36 <boris-42> gabriel-bezerra ooo
17:36 <boris-42> gabriel-bezerra could you benchmark it?)
17:36 <boris-42> gabriel-bezerra just interesting will it fail as with eventlet or not
17:37 <gabriel-bezerra> 3 - I configured federation according to the docs (some changes in keystone.conf and keystone-paste.ini)
17:38 <gabriel-bezerra> 4 - I put policy.v3sample.json as my policy.json I got a token for admin on project demo, domain Default. The token comes with the role admin
17:38 <gabriel-bezerra> 4 - I put policy.v3sample.json as my policy.json
17:38 <gabriel-bezerra> 5 - I got a token for admin on project demo, domain Default. The token comes with the role admin
17:39 <gabriel-bezerra> 6 - when I do: curl -si -H "X-Auth-Token: $ADMIN_TOKEN" -H "Content-type: application/json", I get a 401 Unauthorized
17:39 <gabriel-bezerra> and the log shows RBAC: Invalid token
17:40 <gabriel-bezerra> boris-42: I can't do it now. Do you need any help making it run on apache?
17:40 <boris-42> gabriel-bezerra heh do you have localrc for it?
17:41 <boris-42> gabriel-bezerra or some script
17:41 <gabriel-bezerra> yes, I do
17:41 <gabriel-bezerra> are you on Ubuntu?
17:41 <boris-42> gabriel-bezerra yep I am running stack in ubuntu
<gabriel-bezerra> boris-42: please see: and
17:42 <boris-42> gabriel-bezerra ahh thanks
17:42 <boris-42> gabriel-bezerra okay I'll try
17:42 <boris-42> gabriel-bezerra and I'll benchmark the apache one
boris-42ayoung ^17:42
gabriel-bezerraboris-42: with that you will have keystone running on apache. But you will still have to configure federation17:43
*** david-lyle has quit IRC17:45
*** erecio_1 has quit IRC17:45
ayounggabriel-bezerra, $ADMIN_TOKEN might not have access to what you need for that.  I'd create a real token for a real user and see if that works.  I've been doing this via the python api, and I can post my changes17:46
ayounggabriel-bezerra, I've made afew tweak, so don't be surprised, and I've pulled in some of jamielennox's recent changes17:47
gabriel-bezerraadmin token is a project scoped token: project=demo, domain=Default, user=admin17:47
gabriel-bezerrapardon me. I didn't get17:48
ayounggabriel-bezerra, so you need to set some env vars to run that.  Source keystone.rc plus the location of the CA cert (since I do SSL)17:49
*** david-lyle has joined #openstack-keystone17:51
gabriel-bezerraayoung: but that's just the client, right?17:52
ayounggabriel-bezerra, yeah17:53
gabriel-bezerraI'll try another method of the api17:53
gabriel-bezerracan you list identity providers?17:53
gabriel-bezerrawith your client17:53
*** amcrn has joined #openstack-keystone17:53
gabriel-bezerraayoung: You will develop it on your own fork; how then you get that merged into the main branch? Do you create a review for each commit of your fork?17:57
gabriel-bezerraand set as depends-on relation between them?17:58
ayounggabriel-bezerra, most of those are jamielennox's patches, and will get merged before I submit...I'll wait until the upstream tree is in a stable enough state before submitting, as some of those don't really depend on each other18:00
*** doddstack has quit IRC18:00
ayoungI'm still working through things. Until I get something working, no need to submit.  I have some other sample_script work I need t otighten up, as well as some other client code that needs to address reviewers comments.18:01
*** bach_ has quit IRC18:03
*** bach_ has joined #openstack-keystone18:03
*** leseb has joined #openstack-keystone18:09
*** bach_ has quit IRC18:11
*** morganfainberg_Z is now known as morganfainberg18:14
*** erecio has joined #openstack-keystone18:27
*** sbfox has joined #openstack-keystone18:31
morganfainbergayoung, we can't use six.text_type to convert unicode (text) to byte_str18:35
morganfainbergayoung, this is a case where str() was more correct probably with a TODO to fix for py33 (if six.PY3)18:36
morganfainbergayoung, do you want me to upload a quick fix for that back to STR w/ a todo comment?18:36
*** abhirc has quit IRC18:48
morganfainbergdstanek, dolphm, ayoung, stevemar, the rally job is in via infra (zuul) now we need this one to make rally actually run18:53
morganfainbergbknudson, ^ (missed ya on the last line as well)18:53
*** david-lyle has quit IRC18:57
*** bach_ has joined #openstack-keystone19:01
*** Manishanker has joined #openstack-keystone19:01
*** bach_ has quit IRC19:05
bknudsonmorganfainberg: how do we know if it's correct?19:07
*** bach_ has joined #openstack-keystone19:07
morganfainbergbknudson, the actual job ran and passed, there are the responses19:08
morganfainbergbknudson, there will likely be tuning/future changes but it gets us started19:08
bknudsonthis can't be correct... takes 40 seconds to create and delete a user??19:09
bknudsonand it fails 13% of the time?19:09
morganfainbergbknudson, there are issues boris-42 is seeing after ~2000 events with eventlet19:09
morganfainbergboris-42, might be memory starvation on the test nodes, might be a number of other things19:09
*** chandan_kumar has joined #openstack-keystone19:09
morganfainbergbknudson, ^19:09
morganfainbergthere was a convo ayoung and boris-42 had earlier19:10
morganfainbergbknudson, there is also a concurrency of 60 it looks like19:13
openstackgerritSteve Martinelli proposed a change to openstack/python-keystoneclient: Add request/access token and consumer support for keystoneclient
bknudsonmorganfainberg: I hope he's running about 60 instances of keystone.19:13
morganfainbergbknudson, nope. single instance. but that mirrors what people really do in production19:14
morganfainbergbknudson, unfortunately19:14
bknudsonif that were the case then wouldn't we be getting bugs about auth timeout?19:14
morganfainbergbknudson, well we may not see people doing 60 concurrency and a tight loop create/delete19:15
ayoungmorganfainberg, yeah, was fixing that up...just ran the test...then moved on and forgot to resubmit19:16
morganfainbergayoung, ah, hehe, happens to all of us.19:16
openstackgerritayoung proposed a change to openstack/keystone: Ensure token is a string
morganfainbergbknudson, but it's expected we will be adding more test scenarios and tuning current ones as we expand what we want rally to test. there are also plugins soon, so we can change how rally test works w/o needing to submit a patch to rally19:17
bknudsonmorganfainberg: I like the plugins idea!19:18
morganfainbergbknudson, yeah they that the patch up for review and it's just waiting documentation last i heard (yesterday) from boris-4219:18
bknudsonI'd prefer if our initial tests actually worked.19:18
bknudsonwe can crank up the concurrency as we improve the performance19:19
morganfainbergbknudson, i think there is value in having a graph that shows where things tip over vs a clean run as well. perhaps we should have both?19:20
morganfainbergbknudson, if we don't have something demonstrating where it falls over how do we know if we're fixing that issue.19:21
bknudsonwe shouldn't need rally to show us that there's an issue... add a test19:21
bknudsonif there's a bug we should be gating on it19:22
morganfainbergbknudson, but tipping over due to concurrency/number of ops is not something our tests can really show at the moment.19:22
bknudsonis it keystone tipping over or is it rally?19:22
morganfainbergbknudson, let me look at the logs, but it looks like keystone.19:23
morganfainberggreenio buffering issues19:25
morganfainbergand socket limitations it looks like19:25
bknudsonmorganfainberg: that might be because the client disconnects?19:26
rodrigodsstevemar, ping19:26
morganfainbergbknudson, perhaps19:26
bknudsonI wonder if keystoneclient has a default timeout or if rally is setting it19:27
stevemarrodrigods, 64 bytes from stevemar: icmp_seq=1 ttl=64 time=0.024 ms19:27
stevemarrodrigods, pong :)19:28
morganfainbergbknudson, i think it's worth looking into. 30seconds between iter start and failure on 2417: (Start) (end) to19:29
morganfainbergoh sec19:29
morganfainbergbknudson, start was
morganfainbergwonder if we're hitting FD max on the system.19:30
morganfainbergor something19:30
bknudsontaking 40 sec to get a token is too long19:30
morganfainbergbknudson, agree.19:30
bknudson14:04:16.999 - 14:04:47.029 -- 30 sec19:30
bknudsonbut maybe setting the timeout longer would allow the test to pass19:31
bknudsonwe'll still get the rally results, it'll just show a bunch of tests taking > 30 sec19:31
morganfainbergbknudson, well, we have a start, we can playwith all the settings / changes / etc now :)19:31
*** gaud has joined #openstack-keystone19:31
bknudsonmorganfainberg: ok, so how do we speed up getting token / creating user?19:32
bknudsonremove the sleeps?19:32
bknudsonno logging?19:32
*** david-lyle has joined #openstack-keystone19:32
morganfainbergbknudson, hm. less logging (or smarter logging) will help. reduce trips to the DB19:33
morganfainbergbknudson, db/backing store19:33
bknudsoncache the catalog rather than regen it all the time?19:33
morganfainbergbknudson, ++ yes19:33
morganfainbergbknudson, work to lighten the tokens up (id only discussion) less data to muck with, handle on each request19:34
morganfainbergbknudson, try under mod_wsgi vs eventlet.19:34
openstackgerritAndreas Jaeger proposed a change to openstack/identity-api: Replace non-breaking space
bknudsonI wonder what the diff in performance is between the templated catalog and the sql catalog19:35
morganfainbergbknudson, templated is probably significantly faster19:35
*** sbfox has quit IRC19:36
*** sbfox has joined #openstack-keystone19:37
*** derek_c has joined #openstack-keystone19:38
morganfainbergbknudson, revocation events vs. TRL19:41
*** doddstack has joined #openstack-keystone19:41
bknudsonmorganfainberg: I doubt that these tests are revoking any tokens.19:42
bknudsonmorganfainberg: or is it deleting the user as the user? that would revoke a lot of tokens19:43
*** chandan_kumar has quit IRC19:43
*** leseb has quit IRC19:44
*** leseb has joined #openstack-keystone19:51
*** leseb has quit IRC19:55
*** sbfox1 has joined #openstack-keystone20:03
*** sbfox has quit IRC20:04
*** sbfox1 has quit IRC20:14
ayoungsomething wrong with role_assignements and Federation20:23
ayoungIf I use "external"  Kerberos and get a token:  I get20:23
ayoungwell I get a token....specifically requesting for Demo project20:23
ayounglemme make sure that is correct.  But doing it via Federation I get:20:24
ayoung"User ayoung has no access to project 5d15013cbebd4b1e95ad3b5785c866f7"20:24
ayoungI see the relationship in mysql20:24
morganfainbergbknudson, if there are tokens for the user, yes20:24
ayoung UserProject | ayoung   | 5d15013cbebd4b1e95ad3b5785c866f7 | a5ba1b4809c9471db77402446a5170ee |         020:24
morganfainbergbknudson, not sure how it all works atm, but we should look20:24
ayoungwhat could be messing that up?20:24
-openstackstatus- NOTICE: the gate is backed up due to broken nodepool images, fix in progress (eta 22:00 utc)20:25
*** ChanServ changes topic to "the gate is backed up due to broken nodepool images, fix in progress (eta 22:00 utc)"20:25
bknudsonI thought federation only used group assignments?20:25
ayoungah...that must be it20:26
ayoungbknudson, that would explain it...let me test20:26
ayoungwhat is the magic incantation to get groups in the CLI?20:27
*** Manishanker has quit IRC20:31
bknudsonayoung: --os-identity-api-version=320:34
ayoungbknudson, thanks.  I gave up on the CLI and went right to the API.  That seems to be the norm for me these days20:34
bknudsonthe cli is getting better. maybe needs to do version discovery?20:35
bknudsonor just switch to v3 if someone uses group20:35
*** bach_ has quit IRC20:36
ayoungbknudson, nah, we need to make better use of the Python API.20:36
ayoungI need to clean up my example scripts patches and resubmit, among other things20:36
ayoungCHA CHING20:37
ayoungbknudson, thanks.  That was the last hump20:37
*** marekd|away is now known as marekd20:39
*** bach has joined #openstack-keystone20:40
marekdgabriel-bezerra: hi.20:41
marekdso what's up with the token?20:41
*** Chicago has joined #openstack-keystone20:45
*** Chicago has joined #openstack-keystone20:45
gabriel-bezerramarekd: I don't know yet.20:46
gabriel-bezerraayoung is getting it to work with his fork of python-keystoneclient20:46
gabriel-bezerraI was trying to use the REST api20:46
*** bach has quit IRC20:47
morganfainbergboris-42, hi20:47
marekdand you had problem with listing idp, right?20:47
ayounggabriel-bezerra, I win.20:47
boris-42morganfainberg bknudson  the issues is not in rally20:47
gabriel-bezerramy only clue was that RBAC: Invalid token20:47
boris-42morganfainberg bknudson  it's eventlet20:47
*** bach has joined #openstack-keystone20:47
boris-42morganfainberg bknudson  let me just show from logs of keystone20:47
marekdgabriel-bezerra: but when listing idps, right?20:47
ayounggabriel-bezerra, I gots me a token.  Needed the group-role assignemtn20:47
ayounggabriel-bezerra, you're useing the cloudsample policy file, right?20:48
morganfainbergboris-42, i found the events in the keystone log corresponding to the greenio/buffer issues20:48
gabriel-bezerrayes, I am.20:48
morganfainbergboris-42, we discussed that :)20:48
marekdayoung: are you using  SAML2 itself?20:48
morganfainbergboris-42, we were also talking about the places to aim to fix that stuff.20:48
ayounggabriel-bezerra, OK, so this is the rule that should be executing20:48
boris-42morganfainberg so this stuff =)20:48
ayoung "identity:list_identity_providers": "rule:admin_required",20:48
morganfainbergboris-42, yep.20:49
ayoung   "admin_required": "role:admin",20:49
boris-42morganfainberg btw about base configuration for keystone.yaml20:49
ayoungand you said that the token you got had that role in it?20:49
boris-42morganfainberg it can be any actually20:49
boris-42morganfainberg cause now we know that we have this bug20:49
boris-42morganfainberg and when fix will be ready we can change together with fix keystone.yaml20:50
boris-42morganfainberg to show that everything works20:50
morganfainbergboris-42, i think we have a lot of tuning we need to work on to give us multiple views and a number of metrics20:50
morganfainbergboris-42, but .. yes i agree.20:50
ayounggabriel-bezerra, when you fetch the token, you can look at the body of the response and see the roles in it.  I assume you saw "admin" in there?20:50
bknudsonboris-42: I think keystone is just telling us that the client disconnected so it failed to write the response20:50
ayoungmarekd, I used the SAML auth plugin, but I use mod_identity_lookup and sssd20:50
morganfainbergboris-42, it might be a timeout was part of the discussion20:51
boris-42bknudson I can try just to change configuration of rally20:51
marekdayoung: interesting!20:51
boris-42bknudson to make timeout bigger20:51
ayoungmarekd, one of the goals for our group at RH is to make the LDAP and general Identity stuff consumable to all webapps20:51
morganfainbergbknudson, actually i can tell you if it's a timeout i think.20:51
boris-42bknudson morganfainberg  but imho it's still bug20:51
ayoungmarekd, link in a sec...20:51
boris-42morganfainberg bknudson  why anything changed??20:51
morganfainbergbknudson, let me see when the io error comes from.20:51
morganfainbergbknudson, if it happens immidiately, it's not a timeout.20:51
gabriel-bezerraayoung: Yes, I did.20:52
boris-42morganfainberg bknudson  we don't change at all load20:52
boris-42morganfainberg bknudson  load is always the same20:52
ayounggabriel-bezerra, that is weeeeeird20:52
morganfainbergboris-42, right. but that doesn't mean the client isn't disconnecting due to load. load issue with a disconnect is a different issue to try and solve20:52
marekdayoung: gabriel-bezerra: i dont think you are getting roles in your token.20:52
morganfainbergdisconnect due to timeout that is20:53
marekdunless we are talking about different tokens...20:53
boris-42morganfainberg let me explain how rally works20:53
ayoungmarekd, that may very well be true20:53
boris-42morganfainberg every time when we are running iteration we are doing authentifiction20:53
gabriel-bezerraI get a project scoped token20:53
ayoungI didn't look at the token itself20:53
boris-42morganfainberg and then create/delete20:53
gabriel-bezerraproject=demo, domain=Default, user=admin20:53
marekdayoung: no roles, just groups...20:53
boris-42morganfainberg so why we are getting timeout in this case?20:53
marekdgroups are linked internally...20:53
boris-42morganfainberg and why after ~ 2k iteration=)20:54
marekdgabriel-bezerra: let me try with my federated keystone....20:54
marekdgabriel-bezerra: i was more interested in federated authn and rules mappings.20:54
morganfainbergbknudson, yep error occurs at ~the point where the ITER is marked as failed20:54
morganfainbergbknudson, it does look like it's timeout20:54
morganfainbergboris-42, right. not disputing an issue with keystone or eventlet here20:55
boris-42morganfainberg could you explain me20:55
boris-42morganfainberg cause it's not clear to me20:55
boris-42morganfainberg for every iteration we are using own client with own authentification20:55
boris-42morganfainberg it's not one client all iterations20:55
morganfainbergboris-42, but if we're disconnecting due to timeout and then getting an error the issue could be due to other things (GC?) working in the server and binding up the response20:55
ayoungmarekd, I got a scoped token back from the federated auth call20:56
morganfainbergboris-42, it could also be bad co-routine-like logic selection on what connection to service via eventlet20:56
marekdayoung: cool.20:56
marekdayoung: i think i did it too, some time ago :-)20:56
morganfainbergboris-42, it looks like we're hitting the timeout of the keystoneclient, keystoneclient disconnects, and we raise a buffer error in the server because the socket is no longer valid20:56
marekdayoung: i am wondering...20:57
boris-42morganfainberg but why we are facing timeout?20:57
ayoungmarekd, I need to write this whole thing up.20:57
boris-42morganfainberg some GC things?20:57
boris-42morganfainberg slows down keystone?20:57
boris-42morganfainberg okay lemme put 240 timeout instead of 3020:58
marekdayoung: does freeipa handle ECP extension?20:58
morganfainbergboris-42, could be. this info just tells us we need to look at why ekystone is slow.20:58
*** marcoemorais has quit IRC20:58
marekdayoung: i think not really.20:58
boris-42morganfainberg okay I will put timeout to 24020:58
*** erecio has quit IRC20:58
boris-42morganfainberg and run 3k iterations ok?20:58
morganfainbergboris-42, it also means we aren't hitting a memory limit or file-descriptor limitation. :)20:58
ayoungmarekd, FreeIPA does not do SAML.  But I am not really doing SAML20:58
morganfainbergboris-42, don't change the current review. it's gating :)20:58
boris-42morganfainberg nope I have to to this in rally20:59
marekdayoung: so what does SAML in RH? :-)20:59
ayoungmarekd, the question is whether ipsalon will support it, and I think the answer is yes,20:59
boris-42morganfainberg like a do not merge patch20:59
boris-42morganfainberg cause it's setup of rally20:59
morganfainbergboris-42, ah right20:59
morganfainbergboris-42, sure.20:59
boris-42morganfainberg but seems like I should put it on top20:59
morganfainbergboris-42, lets try 240+3k iter20:59
marekdayoung: since it's open and you have something to say: please do.20:59
boris-42morganfainberg one sec20:59
ayoungmarekd, I'm not really doing SAML.  I'm using Kerberos and ...20:59
marekdayoung: right now...20:59
morganfainbergboris-42, looking forward to the plugin stuff :)20:59
marekdayoung: but i am asking a general question..21:00
boris-42morganfainberg yep yep it will be quite soon21:00
ayoungmod_lookup_identity does the LDAP call for me.  So I will be able to drop the LDAP backend, put a SQL in there, but still consume LDAP.21:00
morganfainbergbknudson, the iter 2417 failure happend a few ... miliseconds i think before this error in the keystone log so i'm inclinded to agree it's a timeout.21:00
ayoungmarekd, so We have, and I have no idea what that is runnning.  It is run by our IT.21:00
boris-42morganfainberg btw you can take samples of benchmarks from here21:00
morganfainbergboris-42, awesome!21:00
boris-42morganfainberg for keystone stuff
ayoungcan you even see that, or is it just internal?21:00
morganfainbergboris-42, thanks for the info21:01
boris-42morganfainberg authentification21:01
* ayoung would have to kill VPN to check21:01
marekdayoung: checking.21:01
morganfainbergboris-42, and this does in-fact indicate a problem in keystone, i'm just trying to narrow down where to look.21:01
boris-42morganfainberg yep yep21:01
marekdayoung: some "redhat internal sso" showing up.21:01
*** derek_c has quit IRC21:01
boris-42morganfainberg I understand so I am trying to help you=)21:01
ayoungmarekd, marekd yep, that is it21:01
boris-42morganfainberg to find the reason21:02
bknudsonmorganfainberg: ran a little test here and templated backend isn't any faster.21:02
ayoungmarekd, it gives me shivers that it says "Username (Kerberos ID)"21:02
morganfainbergbknudson, :( boo21:02
marekdayoung: hehe21:02
bknudsonI wonder where the slowness is.21:02
gabriel-bezerraayoung, marekd: I got the same 401-Unauthorized when trying to get /v3/services21:02
morganfainbergbknudson, ok so we should layer caching in on it in both cases --- but that is odd are we string subbing on every request?21:02
gabriel-bezerraayoung, marekd: with that very token21:03
marekdgabriel-bezerra: so there is problem somewhere not related to the federation?21:03
ayoungmarekd, I had an intern last summer that worked on a proxy that let Kerberos work over port 443, so you could get tokens across the public internet.  He submitted it to MIT, but then went back to school.  I really wanted that in for RHEL721:03
ayoungButit will probably be more like 7.1 or .221:03
gabriel-bezerraayoung, marekd: I'll remove federation from the pipeline and check if the problem still happens21:03
ayoungand Fedora 22 probably21:03
marekdgabriel-bezerra: ok!21:03
ayounggabriel-bezerra,  where in the pipeline did you put it?21:03
ayoungYou might have put it before hte auth stuff...21:04
ayoungnot that it should matter for the other services though21:04
ayoungmine looks like this21:04
morganfainbergboris-42, i'll keep my eye on the review21:04
ayoungpipeline = sizelimit url_normalize build_auth_context token_auth admin_token_auth xml_body_v3 json_body ec2_extension_v3 s321:04
ayoung_extension simple_cert_extension federation_extension service_v321:04
ayoungno break between s2 and _extension21:05
ayoungmarekd, so say I want to map a user to multiple groups...what would that look like?21:05
openstackgerritKevin Kirkpatrick proposed a change to openstack/keystone: Keystone doc change Added warning for keystone auth module is only supported in v3.0 * bug/1311324
gabriel-bezerrapipeline = sizelimit url_normalize build_auth_context token_auth admin_token_auth xml_body_v3 json_body ec2_extension_v3 s3_extension simple_cert_extension federation_extension service_v321:06
*** afaranha has left #openstack-keystone21:06
ayounglooks right21:07
gabriel-bezerrait didn't work even without federation on the pipeline21:08
marekdgabriel-bezerra: is it  normal openstack installation, some devstack or what?21:09
marekdayoung: ah, ha, don't remember at the moment.21:09
rodrigodsstevemar, =)21:09
ayoungmarekd, so there will be a few things I need to clear up.  One is how to match multiple groups, where a user can be in any specfic subset of them ,adn get each group to become a separate group assignment in Keystone.21:10
ayoungso sya I have 3 groups:  osprey, eagle, hawk21:10
rodrigodsstevemar, asking you to review the blueprints again, if possible21:10
bknudson "POST /v2.0/tokens HTTP/1.1" 200 0 37.32476021:10
rodrigodsstevemar, and
gabriel-bezerramarekd: devstack21:10
ayoungand I want users that are in each of those groups in LDAP to be in the corresponding group in Keystone21:10
bknudson"POST /v2.0/users HTTP/1.1" 200 302 1.37317821:11
marekdayoung: try with multiple {"group": "gid"} in the local object in the rule.21:11
ayoungmarekd, yep, that was my first thought.  Tryin now21:12
bknudson"POST /v2.0/tokens HTTP/1.1" 200 0 55.890097 -- that was a slow one21:13
*** marcoemorais has joined #openstack-keystone21:13
ayoungmarekd, nope....think we have some work to do...21:15
ayoungand now I have to go play dad21:15
*** ayoung is now known as ayoung_DadMode21:15
marekdayoung_DadMode: spitted out only first group?21:16
marekdgabriel-bezerra: let me share my configs with you..21:16
marekdgabriel-bezerra: or just reinstall your devstack...21:16
marekdit should work out of the box.21:17
*** bach has quit IRC21:18
*** bach has joined #openstack-keystone21:18
gabriel-bezerramarekd: I'll try that later. I have to go for now.21:21
gabriel-bezerrathank you guys for the hand today.21:21
*** sbfox has joined #openstack-keystone21:22
*** sbfox has quit IRC21:25
*** derek_c has joined #openstack-keystone21:26
*** bach has quit IRC21:27
*** bach_ has joined #openstack-keystone21:27
*** thiagop has quit IRC21:29
*** sbfox has joined #openstack-keystone21:34
*** sbfox has quit IRC21:35
*** sbfox has joined #openstack-keystone21:38
*** stevemar has quit IRC21:56
*** gaud has quit IRC22:07
*** stevemar has joined #openstack-keystone22:09
*** bach_ has quit IRC22:09
*** bach has joined #openstack-keystone22:10
openstackgerritBrant Knudson proposed a change to openstack/python-keystoneclient: auth_token configurable check of revocations for cached
*** leseb has joined #openstack-keystone22:13
openstackgerritBrant Knudson proposed a change to openstack/python-keystoneclient: Remove unused AdjustedBaseAuthTokenMiddlewareTest
*** bach has quit IRC22:17
*** stevemar has quit IRC22:19
*** gaud has joined #openstack-keystone22:20
*** marekd is now known as marekd|away22:21
*** bknudson has quit IRC22:29
*** amerine has joined #openstack-keystone22:37
*** gyee has quit IRC22:39
*** doddstack has quit IRC22:40
amerineDid I read somewhere that XML Content-Type support was going away? I'm having a hard time finding where I might have read that22:40
*** bach has joined #openstack-keystone22:44
*** bach has quit IRC22:46
*** bknudson has joined #openstack-keystone22:49
*** bach has joined #openstack-keystone22:50
*** amerine has quit IRC22:51
*** bknudson has quit IRC22:54
*** david-lyle has quit IRC22:58
*** david-lyle has joined #openstack-keystone22:58
*** david-lyle has quit IRC22:58
*** amerine has joined #openstack-keystone23:01
*** jamielennox|away is now known as jamielennox23:01
*** diegows has quit IRC23:08
*** bknudson has joined #openstack-keystone23:09
bknudsonlooks like during devstack heat setup it tries to create a domain23:22
bknudsonwhich doesn't work with ldap?23:22
jamielennoxbknudson: is the mailing list thread you are referring to?23:23
bknudsonjamielennox: I haven't seen a mailing list thread, just tried to run devstack with ldap config23:23
jamielennoxbknudson: ah ok - there is a topic & bug to do with heat and the way it creates domains, wasn't sure where the problem was exactly23:24
bknudsonjamielennox: I see the mailing list... hopefully they don't try it with ldap, they'll go ballistic.23:25
bknudsonthey'll trash keystone at the developer conference again.23:25
jamielennoxyea - there's no way the devstack ldap code is correct with the one idp per domain model23:25
jamielennoxmeh, identity should be slower moving than the other projects23:26
bknudsonlooks like the post to create the domain worked but then get domain failed. weird23:27
*** diegows has joined #openstack-keystone23:36
*** gaud has quit IRC23:38
*** joesavak has quit IRC23:40
*** gaud has joined #openstack-keystone23:41
openstackgerritDavid Stanek proposed a change to openstack/keystone: Fixed the size limit tests in Python 3
openstackgerritDavid Stanek proposed a change to openstack/keystone: Fixed the policy tests in Python 3
openstackgerritDavid Stanek proposed a change to openstack/keystone: Adds several more tests to the Python 3 test run
*** bach has quit IRC23:59