Sunday, 2014-05-04

*** leseb has joined #openstack-keystone00:02
*** rodrigods has quit IRC00:08
*** rodrigods has joined #openstack-keystone00:17
*** leseb has quit IRC00:20
*** Chicago has quit IRC00:33
*** rodrigods has quit IRC00:36
*** rodrigods has joined #openstack-keystone00:43
*** Chicago has joined #openstack-keystone00:45
*** key1 has joined #openstack-keystone00:54
key1Any keystone gurus who can help with question on LDAP integration ?00:54
*** rodrigods has quit IRC00:55
key1after integrating with LDAP i get this error on starting keystone : 2014-05-03 19:49:16.252 TRACE keystone.common.wsgi AttributeError: 'Identity' object has no attribute 'get_domain'00:55
key1anythoughts ?00:55
*** derek_c has joined #openstack-keystone00:57
key1Can any one help me please00:57
morganfainbergkey1, 2 things, 1) it's saturday (weekend) for a lot of people so might be a bit limited responses, 2) let me see if i can help you out :)00:58
morganfainbergkey1, what version of keystone?00:58
key1sure morgan thank you so much00:58
morganfainbergkey1, happy to try and help.00:59
key1i have  the trunk version of devstack00:59
morganfainbergkey1, ok so latest master00:59
morganfainbergkey1, can you provide (via or similar) your keystone config?01:00
key1sure i will paste it01:00
morganfainbergkey1, and out of curiosity what are tyou trying to do that is generarting the error.01:01
morganfainbergi think i see your issue01:06
morganfainbergyou're using the Identity driver for assignment01:07
key1i am trying to start keystone and it is generating that error01:07
key1ohh is t01:07
morganfainbergkey1, assignment and identity are two very different systems01:08
morganfainbergkey1, are you trying to use LDAP for both identity and assignment or just identity (users/groups)01:08
key1I want LDAP just for identity01:08
morganfainbergso in the [assigment] block use "driver = keystone.assignment.backends.sql.Assignment"01:09
morganfainbergand in the [identity] section put the "identty" one you have at the top of your file01:09
key1yea just doing that01:10
key1server started successfully01:10
morganfainbergkey1, :)01:10
key1so if i create an entry under OU=Users and login with that inside horizon it should work you think ?01:10
morganfainbergkey1, let me look at the config a bit more closely.01:11
key1sure let me paste01:11
morganfainbergkey1, nah i'm just looking at the one you pasted01:11
morganfainbergkey1, i'm assuming it's close to what you have.01:11
key1yea ... i changed assignment to identity and matched to these instructions
morganfainbergit looks like if you create a proper user object in OU=Users it should work01:12
key1Is it let me try01:13
key1this is what i got : userid=keystone,ou=Users,dc=xyz,dc=com will this work01:14
morganfainbergkey1, you'd need to have the expected attributes.01:14
morganfainbergkey1, but yeah that sounds right01:15
morganfainbergit's been a while since i've worked with the LDAP stuff.01:15
key1its failing01:17
morganfainbergkey1, you might be missing needed attributes01:18
key1here is error log01:18
key1i see this when trying to login to horizon with username password : keystone/admin01:19
morganfainbergkey1, what object type did you use for the user?01:19
key1i am using that LDAP PHP admin tool ... i used simpleSecurityObject01:20
morganfainbergkey1, user_objectclass = inetOrgPerson01:21
morganfainbergneeds to be inetOrgPerson01:21
key1ok let me try again01:21
key1so this what I got01:22
key1does this look goog01:24
morganfainbergkey1, that might work01:28
morganfainbergkey1, not suire if you have all the attributes you need tbh, i would need to figure out what the object needs to look like.01:28
key1ohh ok01:29
morganfainbergkey1, but you're on the right path01:29
key1i will give this a try01:29
*** diegows has quit IRC01:31
key1hey morgan... sweet its gone one step ahead01:34
morganfainbergkey1, cool!01:34
key1I am still not able to get inside because horizon says :        You are not authorized for any projects.01:34
key1i had to play with cn sn values to get there01:34
morganfainbergkey1, you need to create an assignment in the assignment backend for the user01:35
key1i  gotcha01:35
key1Well in the logs i see this another query :01:41
key12014-05-03 20:37:27.579 DEBUG keystone.common.ldap.core [-] LDAP search: base=ou=UserGroups,dc=xyz,dc=com scope=1 filterstr=(&(&(objectClass=groupOfNames)(member=cn=admin,ou=Users,dc=xyz,dc=com))(objectClass=groupOfNames)) attrs=['ou', 'description'] attrsonly=0 from (pid=29303) search_s /opt/stack/keystone/keystone/common/ldap/
key1so do i need an entry in ou=UserGroups01:41
key1how do i create assignment backend01:52
key1i mean that user admin was already there before ldap integration01:52
key1and i am assuming was there within MYSQL01:52
morganfainbergkey1, yes, this goes in the SQL assignment backend01:58
key1but its already there right01:58
key1i mean when i setup devstack it already created admin and i was able to login to horizon then01:58
morganfainbergkey1, you would need to make sure the assignment matches the correct id for the user in ldap01:59
key1ok do you think there is an entry needed for base=ou=UserGroups,dc=xyz,dc=com  ?01:59
morganfainbergkey1. we use a method on the ldap module to convert the DN to an id02:00
key1ok how do i match assignment02:01
morganfainbergkey1, usually that is done via the REST api.02:01
morganfainbergkey1, you need to update the sql in the assignment table so the admin user's id would be utf8_decode(ldap.dn.str2dn(utf8_encode(dn))[0][0][1])02:02
morganfainbergkey1, though it would be easier to use the rest api (and the basic admin token for bootstrapping)02:03
key1umm ok02:03
key1looking at it now02:03
key1from LDAP side i am all good ... correct ? I dont need to add or change anything there02:04
morganfainbergkey1, i think you're good.02:04
key1ok let me see MYSQL02:05
morganfainbergkey1, unfortunately i need to go. hope this has set you on the right track.02:05
key1ok no problem morgan ... are you from mirantis if i may ask :)02:06
key1thanks for the help02:06
morganfainbergkey1, nope, i work for a small startup called Metacloud02:06
key1ohh cool is it in US ?02:06
morganfainbergkey1, yeah02:06
morganfainbergkey1, Southern California02:07
key1cool cool I am in Minneapolis02:07
morganfainbergkey1, nice! hows the weather out there?02:07
key1we can talk if you are around tommorow ...02:07
morganfainbergkey1, it's a bit toasty here in Pasadena today :P02:07
morganfainbergkey1, i'll be around on monday for sure, not sure if i'll be on irc tomorrow.02:07
key1ohh it was 60 here this morning but still cold02:07
morganfainbergkey1, but if i am, i'm happy to chat then02:08
key1Sure morgan appreciate so much i am on GIThub rkatti02:08
key1but i will be here tommorow .... so you said i need to tweak mysql right02:08
key1is there a guide ?02:08
key1i mean documentation of what to tweak or what rest apis to call02:08
key1i dont see that02:08
morganfainbergkey1, well you'll need to adust the grant in the assignment table. not sure if there is a good example of directly injecting the rows02:09
key1ohh ok i will give it a try tommorow i will be here afternoon CST02:09
key1have a good evening in sunny Pasadena02:09
morganfainbergkey1, ok.02:10
morganfainbergkey1, cheers02:10
*** key1 has quit IRC02:16
*** mberlin has joined #openstack-keystone02:17
*** mberlin1 has quit IRC02:17
*** stevemar has joined #openstack-keystone02:25
*** derek_c has quit IRC02:50
*** dims has joined #openstack-keystone03:03
*** stevemar has quit IRC03:03
*** dims has quit IRC04:28
openstackgerritFernando Ribeiro proposed a change to openstack/python-keystoneclient: Closes-Bug: #1315798
openstackgerritOpenStack Proposal Bot proposed a change to openstack/keystone: Imported Translations from Transifex
*** fribeiro has joined #openstack-keystone06:12
*** fribeiro has left #openstack-keystone06:13
*** ukalifon1 has joined #openstack-keystone06:31
*** morganfainberg is now known as morganfainberg_Z06:49
*** Chicago has quit IRC08:00
*** Chicago has joined #openstack-keystone08:01
*** Chicago has joined #openstack-keystone08:01
*** wendle has quit IRC08:03
openstackgerritLi Ma proposed a change to openstack/keystone: Password trunction makes password insecure
*** zhiyan_ is now known as zhiyan09:05
*** RockKuo_iPad has joined #openstack-keystone11:28
boris-42morganfainberg_Z ping11:33
*** RockKuo_iPad has quit IRC11:35
*** zhiyan has quit IRC11:45
*** zhiyan has joined #openstack-keystone11:47
*** RockKuo_iPad has joined #openstack-keystone11:57
*** RockKuo_iPad has quit IRC11:59
*** praneshp has joined #openstack-keystone12:05
*** dims has joined #openstack-keystone12:08
marekdboris-42: i think it's around 5 am in California right now :-)12:09
boris-42marekd it's ok=)12:09
boris-42sunday 5.a.m. the best time to work=) nobody distribute=)12:09
*** dims has quit IRC12:09
marekdboris-42: hah, right.12:10
*** Chicago has quit IRC13:14
openstackgerritFernando Ribeiro proposed a change to openstack/python-keystoneclient: Fix listing of endpoints for a token
*** praneshp_ has joined #openstack-keystone13:42
*** praneshp has quit IRC13:45
*** praneshp_ is now known as praneshp13:45
openstackgerritFernando Ribeiro proposed a change to openstack/python-keystoneclient: Fix listing of endpoints for a token
openstackgerritFernando Ribeiro proposed a change to openstack/python-keystoneclient: Fix listing of endpoints for a token
openstackgerritFernando Ribeiro proposed a change to openstack/python-keystoneclient: Fix listing of endpoints for a token
*** leseb has joined #openstack-keystone14:38
*** ukalifon1 has quit IRC14:50
*** rodrigods has joined #openstack-keystone14:57
*** rodrigods has quit IRC15:26
boris-42bknudson ping15:31
bknudsonboris-42: what's up?15:32
boris-42bknudson hm why we need infra patch at all?15:32
boris-42bknudson I mean this one
boris-42bknudson if everything works here ?15:32
bknudsonboris-42: we only need the py33 part if we're going to run rally on stable/icehouse15:33
bknudsonand stable/havana15:33
bknudsonI haven't seen a rally run on stable/havana yet...15:33
bknudsoncould backport the patch to add rally config15:33
boris-42bknudson actually I am not sure that we need to run it15:33
boris-42bknudson against stable branches15:34
boris-42bknudson so probably we can just remove it15:34
bknudsonboris-42: the only reason might be if we have some performance fix to backport.15:34
*** leseb has quit IRC15:34
boris-42bknudson hmm yep probably15:35
boris-42bknudson but in such rare cases probably we can just test by hand?15:35
bknudsonboris-42: I think it makes sense to test it yourself for stable backports.15:35
boris-42bknudson yep15:35
bknudsonor maybe have an experimental option.15:35
boris-42bknudson yep but not for every patch15:36
bknudsonboris-42: so go ahead with the -infra patch?15:36
bknudsonboris-42: and abandon the stable/icehouse patch? Or should we take that one anyways?15:36
boris-42bknudson let's just remove rally work from stable branches15:37
boris-42bknudson so +1 infra patch15:38
boris-42rally job*15:38
bknudsonboris-42: that works for me. it's easy enough to add it back again if we want it15:38
boris-42bknudson not sure that we will need =)15:38
boris-42bknudson performance bugs are often related to work with DB/RPC and so on15:39
boris-42that couldn't be backported15:39
boris-42can not*15:39
*** bvandenh has quit IRC15:40
boris-42bknudson btw I bump timeout of keystone client in rally15:40
bknudsonboris-42: it looked like some of the POST /v2.0/tokens were taking about 60 sec15:41
bknudsonboris-42: is rally supposed to fail if any of the operations fail?15:42
*** dstanek is now known as dstanek_zzz15:42
boris-42bknudson nope15:43
boris-42bknudson rally shouldn't fail15:43
boris-42bknudson even if you are benchmarking dead cloud15:44
boris-42bknudson we are catching all exceptions and storing info about them for future analyze15:44
bknudsonlooks like now we need to figure out how to speed up creating and deleting users15:44
boris-42bknudson seems like that it's more about configuration15:44
boris-42bknudson cause my colleague tried to benchmark opnestack deployed by fuel and seems like it works well15:45
boris-42bknudson btw I will add way to setup rally.conf file from other projects tree15:46
*** ukalifon1 has joined #openstack-keystone15:46
bknudsonseems like the keystone benchmark scripts should be in keystone.15:46
boris-42bknudson it's another thing15:48
boris-42bknudson I mean there will be as well support of plugins15:49
boris-42bknudson so you guys will be able to write own benchmarks inside keystone tree and run in gates15:49
boris-42bknudson but it's not related to the configuration of rally15:49
boris-42bknudson I mean you are not able to specify anything from this file inside keystone15:50
bknudsonboris-42: so we'll be able to have our own keystone.rally.conf that gets loaded to override rally.conf options?15:51
boris-42bknudson exactly15:51
boris-42bknudson for example if you would like to bump keystone clients timeouts15:51
boris-42bknudson or run in debug mode15:52
bknudsonboris-42: the timeout is in rally.conf somewhere?15:52
boris-42bknudson oh we should regenerate sample conf15:53
boris-42bknudson yep it's in CONF
*** zhiyan is now known as zhiyan_15:56
bknudsonboris-42: how does fuel configure keystone differently? memcache backend?15:57
*** diegows has joined #openstack-keystone15:57
boris-42bknudson not sure that it uses memcached at the moment15:57
boris-42bknudson I'll ask=)15:57
*** leseb has joined #openstack-keystone16:26
*** rodrigods has joined #openstack-keystone17:02
*** rodrigods has joined #openstack-keystone17:02
*** leseb has quit IRC17:04
*** diegows has quit IRC18:24
*** dstanek_zzz is now known as dstanek18:34
*** daneyon_ has joined #openstack-keystone19:09
*** daneyon has quit IRC19:09
*** rodrigods has quit IRC19:31
*** rodrigods has joined #openstack-keystone19:43
*** stevemar has joined #openstack-keystone19:49
openstackgerritBrant Knudson proposed a change to openstack/python-keystoneclient: auth_token middleware hashes tokens with configurable algorithm
*** rodrigods has quit IRC19:53
openstackgerritBrant Knudson proposed a change to openstack/python-keystoneclient: auth_token middleware hashes tokens with configurable algorithm
openstackgerritBrant Knudson proposed a change to openstack/python-keystoneclient: Fix client fixtures
openstackgerritBrant Knudson proposed a change to openstack/python-keystoneclient: auth_token middleware hashes tokens with configurable algorithm
*** stevemar has quit IRC20:06
openstackgerritFernando Ribeiro proposed a change to openstack/python-keystoneclient: Fix listing of endpoints for a token
*** rodrigods has joined #openstack-keystone20:55
*** key1 has joined #openstack-keystone21:22
key1Any keystone gurus here have question with this error :       You are not authorized for any projects.21:22
key1hi morgan21:22
key1i think you are talking about this yesterday :
key1Hey morgan ... another awesome doc :
*** jamielennox|away is now known as jamielennox22:08
openstackgerritJamie Lennox proposed a change to openstack/python-keystoneclient: Make auth_token return a V2 Catalog
*** rodrigods has quit IRC22:10
*** leseb has joined #openstack-keystone22:35
*** leseb has quit IRC22:49
*** daneyon_ has quit IRC22:50
*** daneyon has joined #openstack-keystone22:50
*** jamielennox is now known as jamielennox|away23:10
*** stevemar has joined #openstack-keystone23:23
*** diegows has joined #openstack-keystone23:24
*** dstanek is now known as dstanek_zzz23:51

Generated by 2.14.0 by Marius Gedminas - find it at!