Wednesday, 2014-07-16

jamielennoxjust remind me, does roles on an unscoped token make sense in V2?00:01
*** marcoemorais has joined #openstack-keystone00:04
openstackgerritA change was merged to openstack/python-keystoneclient: SAML2 ECP auth plugin  https://review.openstack.org/9216600:05
openstackgerritA change was merged to openstack/keystonemiddleware: prefer identity API v3 over v2 in auth_token  https://review.openstack.org/10681900:05
openstackgerritOpenStack Proposal Bot proposed a change to openstack/keystone: Updated from global requirements  https://review.openstack.org/10620800:07
openstackgerritOpenStack Proposal Bot proposed a change to openstack/keystonemiddleware: Updated from global requirements  https://review.openstack.org/10623200:07
openstackgerritOpenStack Proposal Bot proposed a change to openstack/keystone-specs: Updated from global requirements  https://review.openstack.org/10623300:07
*** gabriel-bezerra has joined #openstack-keystone00:09
*** marcoemorais has quit IRC00:09
*** marcoemorais has joined #openstack-keystone00:10
*** marcoemorais has quit IRC00:10
morganfainbergdstanek, dolphm, stevemar, does it make sense to make the *_api object handle things like .assert_X_enabled ?00:10
morganfainbergdstanek, dolphm, stevemar, trying to consolidate some code.00:10
*** marcoemorais has joined #openstack-keystone00:11
stevemarso like federation_api and .assert_federation_enabled?00:11
*** marcoemorais has quit IRC00:11
openstackgerritOpenStack Proposal Bot proposed a change to openstack/python-keystoneclient: Updated from global requirements  https://review.openstack.org/10621000:11
*** marcoemorais has joined #openstack-keystone00:17
*** marcoemorais has quit IRC00:18
*** marcoemorais has joined #openstack-keystone00:18
*** marcoemorais has quit IRC00:18
*** marcoemorais has joined #openstack-keystone00:19
*** stevemar has quit IRC00:26
*** stevemar has joined #openstack-keystone00:26
*** marcoemorais has quit IRC00:27
*** marcoemorais has joined #openstack-keystone00:28
*** marcoemorais has quit IRC00:28
*** marcoemorais has joined #openstack-keystone00:28
*** marcoemorais has quit IRC00:28
*** marcoemorais has joined #openstack-keystone00:29
*** harlowja_away is now known as harlowja00:30
openstackgerritJamie Lennox proposed a change to openstack/keystonemiddleware: Use keystoneclient fixtures in middleware tests  https://review.openstack.org/10721200:34
*** oomichi has joined #openstack-keystone00:42
*** bknudson has joined #openstack-keystone00:43
*** nkinder has quit IRC00:43
*** topol has joined #openstack-keystone00:43
morganfainbergstevemar, yeah00:50
morganfainbergstevemar, i'll post up the change, you'll see00:51
*** ayoung has joined #openstack-keystone00:52
*** dims__ has joined #openstack-keystone00:58
openstackgerritMorgan Fainberg proposed a change to openstack/keystone: Sync with oslo-incubator  https://review.openstack.org/10721700:59
openstackgerritMorgan Fainberg proposed a change to openstack/keystone: Move token_api.unique_id to token_provider_api  https://review.openstack.org/10721800:59
openstackgerritMorgan Fainberg proposed a change to openstack/keystone: Move keystone.token.default_expire_time to token.provider  https://review.openstack.org/10721900:59
openstackgerritMorgan Fainberg proposed a change to openstack/keystone: Consolidate `assert_XXX_enabled` type calls to managers  https://review.openstack.org/10722000:59
*** dims__ has quit IRC01:03
openstackgerritMorgan Fainberg proposed a change to openstack/keystone: Update middleware that was moved to keystonemiddleware  https://review.openstack.org/10647801:11
openstackgerritBrant Knudson proposed a change to openstack/python-keystoneclient: Don't log sensitive auth data  https://review.openstack.org/10179201:12
*** bknudson has left #openstack-keystone01:17
ayoungmorganfainberg, how the F(*& do we get decent logging out of Keystone in Apache mode?  I'm just getting on wsgi line and the LDAP spew...01:24
stevemarayoung, yeah, that and debug mode no longer works :(01:26
*** gabriel-bezerra has quit IRC01:26
ayoungstevemar, why?  Obviously LDAP and something is capable of logging01:26
ayoungand I see that the log messages get mirrored to /var/log/keystone as well as /var/log/httpd/error_log01:27
*** gabriel-bezerra has joined #openstack-keystone01:27
stevemarayoung, my main issue is that pdb breakpoints no longer work01:27
morganfainbergayoung, yes, i need to do some fixes for that01:27
ayoungstevemar, ah, yeah, that.  I had a thought about running httpd in a single thread, and then attaching a debugger to it01:28
jamielennoxmorganfainberg: blueprints don't exist for keystonemiddleware?01:29
*** marcoemorais has quit IRC01:29
morganfainbergjamielennox, i was unable to retarget one, LP errored01:30
morganfainbergjamielennox, otherwise they do01:30
jamielennoxhttps://blueprints.launchpad.net/keystonemiddleware01:30
*** marcoemorais has joined #openstack-keystone01:30
morganfainberghit refresh01:31
jamielennoxcool01:31
morganfainberg:)01:31
stevemarayoung, how does one attach a debugger to httpd?01:33
ayoungstevemar, carefully01:33
ayoungstevemar, daf3bdae226a76926a8a877e1ed4bd7046f9192d  checkout that commit01:33
ayoungit seems to imply that the python process can listen on a port to some sort of remote control from pydev01:34
openstackgerritJamie Lennox proposed a change to openstack/keystonemiddleware: Use keystoneclient fixtures in middleware tests  https://review.openstack.org/10721201:34
openstackgerritJamie Lennox proposed a change to openstack/keystonemiddleware: Create an Auth Plugin to pass to users  https://review.openstack.org/10722201:34
*** bknudson has joined #openstack-keystone01:35
ayoungstevemar, that is the merge commit, it was actually 0f225743e8644416df2f200d710912c40b7acd4701:37
ayoungfrom pydev import pydevd01:37
ayoungpydevd.settrace(CONF.pydev_debug_host, port=CONF.pydev_debug_port, stdoutToServer=True, stderrToServer=True)01:38
morganfainbergstevemar, ayoung, you'll want to make sure there is only 1 worker under apache (total) if you do that.01:44
morganfainbergit would be a config in the mod_wsgi part of the vhost01:44
ayoungmorganfainberg, that was the first thing I said01:44
morganfainbergpydevd should still work even under apache01:44
ayoungmorganfainberg, need a non GUI debugger, though01:45
ayoungactually, I guess it would work with remote...01:45
morganfainbergayoung, use eventlet >.<01:45
morganfainberg:P01:45
morganfainbergbut remote should work w/ pydevd and apache01:45
ayoungyep...01:45
openstackgerritJamie Lennox proposed a change to openstack/keystonemiddleware: Create an Auth Plugin to pass to users  https://review.openstack.org/10722201:47
jamielennoxmorganfainberg: is there a plan yet to remove the git fetch for keystoneclient in keystone tests?01:49
morganfainbergjamielennox, i want to, just not sure... if / when01:50
jamielennoxdiscovered recently that because of this the stable/icehouse and possibly stable/havana keystone requirements must include the up-to-date requirements of keystoneclient so that the stable tests will run01:50
jamielennoxotherwise it pulls in the master client which is new and the dependency for client doesn't exist01:51
jamielennoxso dumb01:51
morganfainbergjamielennox, well the point is master _shouldn't_ break stable/havana or stable/icehouse01:53
*** mberlin1 has joined #openstack-keystone01:56
*** mberlin has quit IRC01:56
*** diegows has quit IRC01:58
*** xianghui^ has joined #openstack-keystone02:00
*** gokrokve has joined #openstack-keystone02:01
*** stevemar has quit IRC02:02
ayoungmorganfainberg, something is wrong with our logging setup, and I have no idea how it works.02:04
morganfainbergayoung, logging.conf getting in your way?02:07
ayoungmorganfainberg, I have no idea.02:07
morganfainbergthat is _usually_ my issue, if i've got a logging.conf running it overrides *everything*02:08
ayoungI see only a few debugging logging statements, even though keystone.conf has debug=true02:08
ayoungso maybe try moving it out of the way?02:08
morganfainbergit's probably logging.conf02:08
morganfainbergyeah.02:08
morganfainbergalso, i think there might be an apache setting?02:08
morganfainbergnow that i think about it02:08
ayoungno difference02:09
ayoungI have apache set;  LogLevel debug02:10
morganfainbergis this unit tests? or devstack and a fully running keystone?02:10
morganfainbergok so full run02:10
morganfainberghm.02:10
ayoungkeystone in httpd from packstack02:11
morganfainbergis the logging ending up in horizon's log?02:11
morganfainbergby chance?02:11
ayoungonly LDAP02:11
ayoungand the dump of the config02:11
* morganfainberg doesn't use packstack.02:11
ayoungmorganfainberg, no one uses packstack02:11
ayoungbut it is the setup from the puppet modules02:12
morganfainbergcan you post the keystone.conf? and logging.conf?02:12
ayoungmorganfainberg, sure.  although I just moved logging.conf out of /etc/keystone and no difference02:13
morganfainbergok so just keystone.conf02:13
* morganfainberg really wanted to go for a bike ride today. but another day recovery = good. *slow*...02:13
ayoungmorganfainberg, http://paste.fedoraproject.org/118306/05476837/02:14
morganfainbergayoung, yeah looks sane to me02:15
ayoungmorganfainberg, I'm going to drop the log_dir value and see what happens02:16
morganfainberg*nod*02:16
morganfainbergalso see if the logs are somehow ending in some _other_ apache log location02:16
morganfainbergthat would be my first guess.02:16
ayoungmorganfainberg, Ok, now the same data is going to /var/log/keystone/keystone.log02:17
ayoung keystone.common.ldap.core02:17
ayoungbut not much else02:17
ayoung keystone.notifications02:17
morganfainbergit's almost as if something has overridden the log levels02:17
ayoung oslo.db.sqlalchemy.session (one line)02:17
ayounghmmm02:18
ayoungthis was actually a manual Keystone setup, on top of a Horizon setup....02:18
ayoungI see the horizon stuff going into /var/log/horizon/horizon.log02:19
ayoungmorganfainberg, default_log_levels=amqp=WARN,amqplib=WARN,boto=WARN,qpid=WARN,sqlalchemy=WARN,suds=INFO,iso8601=WARN,requests.packages.urllib3.connectionpool=WARN02:21
ayounglet me tweak that....02:21
morganfainbergayoung, that should be fine actually02:22
morganfainbergno keystone specifics. but eh doesn't hurt to add em i guess02:23
ayoungheh...but setting it explicitly kicked things into gear02:23
ayoungmorganfainberg, OK, getting somewhere02:24
ayoungmorganfainberg, OK, I'm shutting off everything causing spew, and then I'll turn back on just the packages I want...I think this is the trick we need02:25
morganfainbergi think something is wonky in the deep dark defaults02:26
morganfainbergwe had this issue back a while ago, somehow "keystone=Warn" snuck in somewhere02:26
morganfainberglike... early icehouse / late havana iirc02:26
ayoungmorganfainberg, so I can turn all the spew off now  with02:36
*** hrybacki has quit IRC02:36
ayoungdefault_log_levels             = ['amqp=WARN', 'amqplib=WARN', 'boto=WARN', 'qpid=WARN', 'sqlalchemy=WARN', 'suds=INFO', 'iso8601=WARN', 'requests.packages.urllib3.connectionpool=WARN', 'keystone.common.ldap.core=WARN', 'dogpile.core.dogpile=WARN', 'stevedore.extension=WARN', 'oslo.db.sqlalchemy=WARN', 'routes.middleware=WARN', 'keystone.common.wsgi=WARN', 'keystone.middleware.core=WARN', 'keystone.notifications=WARN']02:36
ayoungI need to turn something back on, now, but DEBUG doesn't seem to do it02:36
ayoungany idea?02:37
morganfainbergah.02:37
morganfainbergnot too far off from what I did https://review.openstack.org/#/c/106496/2/keystone/tests/core.py02:37
morganfainbergthat is what we are using for unit tests and it _seems_ sane-ish02:37
morganfainbergis there  a global keystone=XXX value you can set?02:38
ayoungI tried appending keystone.common.controller=DEBUG but nope02:41
ayoungI suspect that there is something else?02:42
morganfainbergtry keystone=DEBUG02:42
morganfainbergsee how ugly it gets.02:42
morganfainbergor did you try that?02:42
ayoungmorganfainberg, # Print more verbose output (set logging level to INFO instead02:45
ayoung# of default WARNING level). (boolean value)02:45
ayoung#verbose=false02:45
ayoungverbose=True02:45
ayoungI wonder if that overrides debug02:45
morganfainbergoh interesting02:46
*** gokrokve has quit IRC02:49
*** marcoemorais has quit IRC02:49
*** dims__ has joined #openstack-keystone02:52
*** gokrokve has joined #openstack-keystone02:56
*** daneyon has joined #openstack-keystone03:00
*** stevemar has joined #openstack-keystone03:00
*** daneyon has quit IRC03:00
*** daneyon has joined #openstack-keystone03:01
*** hrybacki has joined #openstack-keystone03:03
ayoungmorganfainberg, what would you expect the format to be to turn on debugging for a specific python module?03:07
morganfainbergadd to the default_log_levels <module_path, e.g. keystone.token.core>=Level03:08
morganfainbergthere are other ways to do it, including using logging.conf, but that would be the first place i tried03:08
ayoungnot making a bit of difference03:08
*** harlowja is now known as harlowja_away03:16
*** ukalifon1 has joined #openstack-keystone03:30
*** gokrokve has quit IRC03:30
*** ukalifon1 has quit IRC03:31
ayoungjamielennox, if I used the Kerberos plugin, that will only setup a Negotiate call for authentication, no?03:32
ayounghttps://review.openstack.org/#/c/74974/10/keystoneclient/contrib/auth/v3/kerberos.py,cm03:32
jamielennoxayoung: yep03:32
jamielennoxwhat else do you need it to do?03:32
ayoungjamielennox, so if I want to turn around and list projects with an unscoped token....03:32
*** gabriel-bezerra has quit IRC03:32
jamielennoxit would work the same as before, once the token has been fetched the kerberos work is done03:33
*** gabriel-bezerra has joined #openstack-keystone03:33
ayoungjamielennox, but the whole URL is kerberos protected, not just /auth/tokens03:33
jamielennoxso you need kerberos to be present on every request?03:34
*** amcrn has quit IRC03:34
ayoungmorganfainberg, which explains why I was seeing no debugging, as it was getting kicked out by HTTPD03:34
jamielennoxi think we discussed this and decided to not worry about that case because it means 3 calls per request03:35
ayoungjamielennox, I need to be able to enable it I think, for the list projects call03:35
*** chandankumar has joined #openstack-keystone03:35
ayoungjamielennox, this is why I want unscoped tokens to return the project list03:35
ayoungcan I reset the auth url on a session?03:36
jamielennoxthere isn't a mechanism for that at the moment03:36
jamielennoxauth_url is per plugin03:36
jamielennoxwhat is returned from the endpoint lookup there will come from the service catalog03:37
jamielennoxugh, no service catalog03:37
ayoungjamielennox, so I would reset the auth_url on the plugin to hack it in?03:37
ayoungI think I can do that...proof of concept for now03:37
jamielennoxyea, you can do that03:38
jamielennoxthe other option is just to pass the full url to the session.get03:38
ayoungI think in the future the auth_plugin needs to be able to affect the request setup03:38
jamielennoxif it's a fully qualified URL it won't bother doing lookup03:38
ayoungw00T!03:40
ayoungI just logged in with Kerberos03:40
jamielennoxayoung: yea, that's come up unfortunately it gets a bit nasty03:40
ayoungI'm going to leave it for tonight.  We'll work on making it clean tomorrow .  And the next day.03:41
ayoungjamielennox, but I would like the option to have a completely kerberized session for the unscoped work03:41
ayoungbut thanks...I can sleep now03:42
*** ayoung is now known as ayoung_ZZzzZZzzz03:42
jamielennoxayoung: hmm, not sure how it goes separating scoped from unscoped requests - that could get weird03:42
*** xianghui^^ has joined #openstack-keystone03:48
*** xianghui^ has quit IRC03:50
*** dims__ has quit IRC04:10
*** jaosorior has joined #openstack-keystone04:13
openstackgerritJamie Lennox proposed a change to openstack/python-keystoneclient: Fix mistakes in token fixtures  https://review.openstack.org/10722804:23
stevemarmorganfainberg, please sir, one more review https://review.openstack.org/#/c/96326/1104:31
stevemarjamielennox, you might want to review https://review.openstack.org/#/c/99704/ to make sure it is keystoneclient-centric04:34
jamielennoxstevemar: i just noticed that the underlying patch went it04:34
jamielennoxs/it/in04:34
jamielennoxwhich is fine except perhaps for https://review.openstack.org/#/c/92166/43/setup.cfg04:35
stevemarjamielennox, yep!04:35
jamielennoxi'm not sure if there is a situation where you would want to use an unscoped saml token from the cmdline04:35
stevemarjamielennox, oh? is that something that shouldn't be enabled by default?04:35
jamielennoxit's the discovery process, it's how you tell either a config file or cmdline what plugin to load for a name, so it just depends if marekd|away wants it discoverable like that04:36
jamielennoxlast i spoke to him he was going to write kind of like a manager plugin that would deal with the scoping for you04:36
stevemarjamielennox, well given the fact that there is no CLI for this, it was probably a mistake04:36
jamielennoxstevemar: CLIs are automatic now (or soon) so i'm not sure04:37
jamielennoxi don't have a way to test the SAML so i've not been doing much of the reviews04:38
stevemarjamielennox, I wish I could help with that :( i've got my env. set up but it's all internal stuff04:41
jamielennoxstevemar: i should set one up, i'm supposed to be doing a talk in a couple of weeks about federation - i mean i know the principals and i've watched the code go past but eek04:42
stevemarjamielennox, I commented out the changes to setup.cfg, and it seems to work...04:42
stevemarjamielennox, doesn't seem needed at all04:42
stevemarjamielennox, let me know if you want the slides from our ATL talk, I think I have them somewhere04:43
jamielennoxstevemar: you'll need to re-run setup.py develop after commenting it out04:43
* stevemar shrugs04:45
stevemarjamielennox it still works as long as i am running a python script04:45
jamielennoxstevemar: yea, it's only needed for loading from config and from cli which we don't implement anywhere yet04:47
jamielennoxi'd remove it for now until he's sure he wants/needs it04:47
stevemarjamielennox, i'll toss up a patch04:48
*** xianghui^^ has quit IRC04:48
openstackgerritSteve Martinelli proposed a change to openstack/python-keystoneclient: Remove SAML unscoped token auth from setup.cfg  https://review.openstack.org/10723104:50
stevemarjamielennox, ^04:50
*** hrybacki has quit IRC04:54
*** dstanek is now known as dstanek_zzz04:54
*** stevemar has quit IRC05:07
*** chandankumar has quit IRC05:16
*** ukalifon has joined #openstack-keystone05:23
*** shausy has joined #openstack-keystone05:26
*** ajayaa has joined #openstack-keystone05:32
*** ayoung_ZZzzZZzzz has quit IRC05:32
*** andreaf has quit IRC05:37
*** dims__ has joined #openstack-keystone05:39
*** dims__ has quit IRC05:44
*** topol has quit IRC05:45
*** shausy2 has joined #openstack-keystone05:46
*** ayoung_ZZzzZZzzz has joined #openstack-keystone05:46
*** shausy has quit IRC05:47
*** chandankumar has joined #openstack-keystone05:58
openstackgerritOpenStack Proposal Bot proposed a change to openstack/keystone: Imported Translations from Transifex  https://review.openstack.org/10693906:04
openstackgerritAndre Naehring proposed a change to openstack/keystone: Add information regarding HTTPS for SSL enabled endpoints  https://review.openstack.org/9927806:14
*** tomoiaga has joined #openstack-keystone06:16
*** dwaite has quit IRC06:24
*** dims__ has joined #openstack-keystone06:40
*** dims__ has quit IRC06:45
*** tkelsey has joined #openstack-keystone06:50
*** arosen has quit IRC06:51
*** arosen has joined #openstack-keystone06:51
*** BAKfr has joined #openstack-keystone06:55
openstackgerritAndre Naehring proposed a change to openstack/keystone: Add information regarding HTTPS for SSL enabled endpoints  https://review.openstack.org/9927806:56
*** d0ugal has quit IRC07:07
*** d0ugal has joined #openstack-keystone07:07
*** junhongl has quit IRC07:25
openstackgerritAndre Naehring proposed a change to openstack/keystone: Add information regarding HTTPS for SSL enabled endpoints  https://review.openstack.org/9554507:36
*** bvandenh has quit IRC07:40
*** bvandenh has joined #openstack-keystone07:53
*** ChanServ changes topic to "July 9-11 Hackathon notes https://etherpad.openstack.org/p/keystone-juno-hackathon | Now with 100% gate and check runs on Apache deployed Keystone"07:54
*** afazekas has joined #openstack-keystone08:03
*** mberlin1 has quit IRC08:20
*** mberlin has joined #openstack-keystone08:22
*** arosen has quit IRC08:26
openstackgerritMarek Denis proposed a change to openstack/python-keystoneclient: Scope unscoped saml2 tokens.  https://review.openstack.org/9970408:29
*** ajayaa has quit IRC08:29
*** ajayaa has joined #openstack-keystone08:40
jamielennoxmarekd|away: i posted some comments on the older version of that review ^08:41
marekd|awaylooking08:41
marekd|awaywhy am i still marked as ...|away... ?08:42
*** marekd|away is now known as marekd08:42
jamielennoxbut my main thing is that if you want to do like a 'list projects for token' then you should do that on the unscoped token08:42
jamielennoxby the time you are creating a scoped token you should know what project_id/domain_id that you want08:43
marekdhow is done in a 'normal workflow' ?08:43
marekdis it done*08:44
marekdwhen user lists his projects?08:44
jamielennoxnormal work flow is a bit weird because a plugin can be scoped or unscoped08:44
jamielennoxbut the idea is you get an unscoped token, you list the available projects, you pick a project and scope a token to it08:44
marekdlet me read your comments, ok?08:46
marekdno need for you to repeat yourself here.08:46
jamielennoxyou can list projects with a scoped token as well - but we really shouldn't be promoting that i think08:46
marekdso what do you suggest?08:47
marekdor, let me suggest sth:08:47
marekdunscoped plugin stays as is.08:47
marekdscoped can only scope08:47
marekdand the wrapper will only list projects/domains providing neither was specified08:48
jamielennoxwhat's your usage for listing if not provided?08:48
marekdhm, not....user should be able to list project/domains if he wants to.08:48
jamielennoxat the moment list projects/domain is an explict operation08:49
*** gabriel-bezerra has quit IRC08:49
marekdwell, you just authenticated yourself, and you are not sure what project/domains you can access...08:49
marekdwhat do you mean by explicit here?08:49
jamielennoxyep, i mean it is a different step, it's not done in response to not having enough parameters08:49
*** gabriel-bezerra has joined #openstack-keystone08:50
jamielennoxso like you get unscoped then call client.federation.projects() or something to get your list08:50
marekdso it should be separated patch, right?08:50
jamielennoxand then you scope it using the information from the client call rather than something embedded in the auth plugin08:50
jamielennoxcould be a new patch08:51
jamielennoxbecause this isn't specific to SAML right? it's a part of federation08:52
marekdyes08:52
marekdactually you are right...08:52
jamielennoxso i'd be looking to put it in /v3/contrib/federation/projects or something08:52
marekddo you expect user to be able to call it from his cli?08:53
marekdsomething like osc --list-fed-projects08:53
jamielennoxcould do08:53
marekdok i will see how it is implemented for normal projects.08:53
marekdhm, so probably new AuthMethod could be required for scoping the token08:54
marekdnot whole plugin.08:54
marekdnew AuthMethod as it sends 'saml2': <id> instead of 'token': <id> in the req body.08:54
jamielennoxok, if it sends new body then yes you need a new AuthMethod08:54
jamielennoxI was thinking after you had the unscoped it would just use that08:55
marekdthe only reason why i extended whole plugin was the list_projects()/list_domains(), otherwise it was using v3.Token goodness.08:55
jamielennoxso why does it specify saml2: to scope an unscoped plugin? surely it just presents its unscoped token08:56
*** junhongl has joined #openstack-keystone08:56
marekdwait, how use? so you want to make one plugin where unscoped is retrieved and automatically scoped?08:56
jamielennoxi'm just wondering if we can use v3.Token for this scoping step - and if not why not08:57
jamielennoxi was under the impression that once you had an unscoped token via federation it worked pretty much like any other unscoped token08:57
openstackgerritAndre Naehring proposed a change to openstack/keystone: Add information regarding HTTPS for SSL enabled endpoints  https://review.openstack.org/9554508:58
marekdwell, pretty much08:59
marekdbut it doesn't do any db lookups checking users etc.08:59
marekdthat's why from the user experience it's almost the same.08:59
marekdhttps://github.com/openstack/keystone/blob/master/keystone/auth/plugins/saml2.py#L2309:00
marekdjamielennox: what about my comments in https://review.openstack.org/107231 ?09:00
tomoiagaI wonder if there is a clean way of telling keystoneclient (the library) what endpoint to search for. I see endpoint_filter in the httpclient but from what I gather this is only there to satisfy unit testing. I want to use v3 for keystone stuff (defined in service catalog with a different name) and leave v2 for nova and others.09:01
marekdjamielennox: still here?09:05
marekdanswering your question we can use v3.Token base class but with other AuthMethod class, mainly due to https://github.com/openstack/identity-api/blob/master/v3/src/markdown/identity-api-v3-os-federation-ext.md#request-a-scoped-os-federation-token-post-authtokens which was dictated by https://github.com/openstack/keystone/blob/master/keystone/auth/plugins/saml2.py#L5009:07
marekdnow, my question is whether we should only keep wrapper plugin as a top level plugin registered in setup.cfg09:07
jamielennoxmarekd: sorry, back09:12
marekdsure09:13
marekdok, i am removing list_{projects, domains} from the code.09:13
jamielennoxtomoiaga: that doesn't really make sense because there is a v2 and a v3 client09:13
jamielennoxmarekd: regarding the setup.cfg if you want to have them there then that's cool, it just means they'll be available eg keystone --os-auth-plugin v3unscopedsaml ...09:14
jamielennoxi'm just not sure if they are useful that way09:14
marekdwhat's the use for v3.Token today ?09:15
jamielennoxyes we need the 3 plugins in code, but i was thinking you probably just exposed the top 'saml' plugin in the setup.cfg09:15
jamielennoxyou can exchange a token for another token, particularly unscoped -> scoped09:15
marekdright, but when users use it?09:15
jamielennoxbut partially it's just keeping up with what used to be available in client09:15
marekdhow do those users get their unscoped token? do they even use it?09:16
jamielennoxmarekd: i was thinking it would emulate the existing plugins09:16
*** oomichi has quit IRC09:16
marekdmy thinking was: if we allow them to do this now with classy tokens we should also allow for that in federation, and that's all.09:16
jamielennoxso for example with v2.Password you give auth_url/user/password and you get an unscoped token09:16
jamielennoxif you add a tenant_id you get a scoped token09:16
jamielennoxsame thing for the saml manager - if you don't specify a project_id/domain_id then you get the unscoped token, if you do it automatically scopes it for you09:17
marekdso basically v2.Password <-> Saml2UnscopedToken and v3.Token <-> Saml2Scopedtoken - they are corresponding somehow.09:17
marekdjamielennox: good point with that scoping behaviour.09:18
marekdi am going to finish wrapper patch today.09:18
*** bvandenh has quit IRC09:18
tomoiagajamielennox: I may have misunderstood how to define the v3 endpoint in the catalog alongside the v2 endpoint but right now if I use the v3 client it will try to use the v2 endpoint from the catalog for some operations other than authentication09:18
*** andreaf has joined #openstack-keystone09:19
jamielennoxso i don't know if they relate that directly because v2.Password and v3.Token both can be scoped or unscoped, federation is simply going to be different to what we have already but i'm trying to emulate the existing behaviour09:19
jamielennoxtomoiaga: are you using the session?09:19
marekdjamielennox: eh, i can remove entries from setup.cfg and put only one for wrapper. I don't really have strong opinions. I don't think any way is better than another, it all depends on how users will use the tokens.09:20
tomoiagajamielennox: yes. Let me change the v3 endpoint and try something else (I set the service type to identityv3, most likely this is the issue)09:21
jamielennoxmarekd: i think for the sake of consistency with the existing endpoints it makes sense to just have the manager one in setup.cfg09:22
marekdjamielennox: ok09:22
marekdi am fine with that.09:22
jamielennoxmarekd: for every entry we are going to have to explain what it is, and i don't know how to tell people to use Saml2ScopedToken from the cmd line09:22
jamielennoxtomoiaga: so unfortunately there is a hack we do in the original client that is still up for review in the session code09:23
marekdjamielennox: so how are they using v3.Token today from cli?09:23
jamielennox--os-auth-plugin v3token --os-auth-url http://url:5000/v3 --os-token XXXXXXXXX09:23
jamielennoxtomoiaga: you can see it here: https://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/v3/client.py#L196-L19709:24
marekdso the use of Saml2ScopedToken would be exactly the same...09:24
jamielennoxtomoiaga: so if it's using the v3 client and it gets a /v2.0 endpoint it knows we have a problem and it strips it09:24
marekdjamielennox: ok, we will remove it from setup.cfg but i am just trying to understand the usecases now09:24
jamielennoxtomoiaga: we need this because if we just set the endpoint in the service catalog we'd break the world09:25
jamielennoxtomoiaga: https://review.openstack.org/#/c/90632/ is the equivalent hack for sessions but it hasn't landed yet09:25
jamielennoxtomoiaga: so if you try by creating the Client(username=XXX) etc it will work, or you have to wait for that to pass09:26
tomoiagajamielennox: yes, that's a hack :) And yes, I just broke the world in my service catalog trying to have multiple endpoints. That is why I figured it would be nice to be able to specify a service type and name or just name since it makes more sense09:26
jamielennoxmarekd: ok, if it makes sense to have it be usable like that then keep it in, i just thought that you would have to pass a whole bunch of data around that would make it infeasible from the command line09:27
tomoiagajamielennox: well, I can overwrite the get_endpoint method from the auth plugin since I have my auth plugin anyway, until a better solution comes along09:27
*** andreaf has quit IRC09:27
jamielennoxtomoiaga: if you've got your own plugin then yes that's the best way to handle it for now09:28
*** andreaf has joined #openstack-keystone09:28
marekdjamielennox: it's just --os-auth-plugin v3scopedtoken --os-token XXXXXXX --project-id09:28
*** dims__ has joined #openstack-keystone09:29
jamielennoxmarekd: ok - make sure you put saml somewhere in that plugin name09:31
jamielennoxmarekd: the other option is to make the manager know that if it receives an --os-token then skip the unscoped step09:31
jamielennoxso rather than need to specify user/pass to the saml plugin you could specify token09:32
marekdhm, yeah.09:33
*** dims__ has quit IRC09:33
*** kwss has joined #openstack-keystone09:35
marekdjamielennox: hm, maybe you are able to answer it in 5 secs: does v3.Token complain if project or domain is not specified?09:35
marekdor in case both are specified09:36
marekdok it does :-)09:36
kwssmarekd, I wonder if you could answer a question for me about keystone-to-keystone federation09:38
marekdkwss: hey, i can try :-)09:39
jamielennoxmarekd: yea, it does09:39
kwssI'm just catching up on the spec and I notice it says no modifications are required to allow Keystone to consume saml assertions09:39
marekdkwss: yes.09:39
kwssbut I thought keystone doesn't directly consume assertions at the moment but via apache09:39
jamielennoxnot for neither, because technically you could get another unscoped token, but it will complain if both are given09:39
marekdkwss: one moment, i will explain it.09:40
kwssmarekd, thanks :)09:40
marekdjamielennox: blah.....let me check what happens if we don't scope such token.09:40
marekdkwss: by saying "Keystone consume assertions" we meant "Keystone on top of apache"09:46
marekdkwss: in other words from the SP perspective Icehouse federation code is completely reused.09:46
kwssmarekd: ok, can you directly present a SAML assertion to modshib protected apache2?09:47
marekdthe only thing that has changed is that you trade your openstack token for saml2 assertion.09:47
marekdkwss: ha! I thought it was impossible, but apparently it is :-)09:48
marekdkwss: let me find sth for you09:48
*** dims__ has joined #openstack-keystone09:48
kwssmarekd, ok thanks so much, I didn't realise it was possible either :)09:48
*** gabriel-bezerra has quit IRC09:48
marekdkwss: http://shibboleth.1660669.n2.nabble.com/Authentication-with-SAML2-assertion-only-td7603547.html09:49
*** gabriel-bezerra has joined #openstack-keystone09:49
marekdit's probably not the most standard way but definitely it's possible, according to shibboleth guys.09:49
kwssmarekd, that's really interesting stuff, I had no idea :) do you know how it works? do you send it as a post to the protected URL or ??09:51
marekdkwss: i don't know at this point :(09:52
marekdmaybe i will be able to try it soon.09:53
boris-42jamielennox ping09:53
kwssmarekd, ok ^^ I shall be interested to know how it all comes together09:53
boris-42jamielennox now keystone profiling works out of the box09:53
boris-42jamielennox https://review.openstack.org/#/c/103420/09:53
marekdstevemar wants to work on it, he is super optimistic about it.09:53
kwssmarekd, I look forward to seeing it!09:54
*** ajayaa has quit IRC09:59
marekdkwss: yeah :-)09:59
jamielennoxboris-42: excellent, that's cool - i've been wanting to see some ceilometer interaction10:02
boris-42jamielennox as well I am going after vacation10:03
boris-42jamielennox to make plugins that will collect audit info10:03
boris-42jamielennox e.g. auth failures and crud operation on resources10:04
boris-42jamielennox so you can try to test one more time my patch10:06
marekdjamielennox: we are not immune to missing X-Subject-Auth in the response from Keystone?10:09
marekdjamielennox: i was expecting InvalidResponse should be raised, rather than KeyError "missing x-subject-auth"10:09
jamielennoxmarekd: lol, urgh10:09
marekdjamielennox: what?10:10
jamielennoxmarekd: sounds like a bug10:10
jamielennoxthey just keep coming :)10:10
*** gabriel-bezerra has quit IRC10:10
marekdhehe, i will double check it.10:10
*** gabriel-bezerra has joined #openstack-keystone10:11
openstackgerritAndre Naehring proposed a change to openstack/keystone: Add information regarding HTTPS for SSL enabled endpoints  https://review.openstack.org/9554510:13
openstackgerritChristian Berendt proposed a change to openstack/python-keystoneclient: Calculate a suitable column width for positional arguments  https://review.openstack.org/9787310:16
*** ajayaa has joined #openstack-keystone10:22
openstackgerritChristian Berendt proposed a change to openstack/python-keystoneclient: Calculate a suitable column width for positional arguments  https://review.openstack.org/9787310:30
*** afazekas has quit IRC10:32
*** andreaf has quit IRC10:32
*** andreaf has joined #openstack-keystone10:34
openstackgerritA change was merged to openstack/keystone: Clean up the endpoint filtering configuration docs  https://review.openstack.org/10647510:43
openstackgerritA change was merged to openstack/keystone: render json examples with syntax highlighting  https://review.openstack.org/10684010:43
*** dims__ has quit IRC11:10
*** afazekas has joined #openstack-keystone11:12
*** dims__ has joined #openstack-keystone11:13
*** gabriel-bezerra has quit IRC11:19
*** gabriel-bezerra has joined #openstack-keystone11:20
*** kwss has quit IRC11:27
openstackgerritJamie Lennox proposed a change to openstack/keystone-specs: Auth Specific Data  https://review.openstack.org/10732511:33
openstackgerritChristian Berendt proposed a change to openstack/keystone: Bump hacking to 0.9.x series  https://review.openstack.org/9899611:33
marekdjamielennox: i am tempted to raise an exception in case neither project nor domain were specified11:36
marekdjamielennox: otherwise keystone will return HTTP 40111:36
openstackgerritJamie Lennox proposed a change to openstack/keystone-specs: Auth Specific Data  https://review.openstack.org/10732511:36
marekdjamielennox: what do you think?11:36
*** diegows has joined #openstack-keystone11:38
openstackgerritChristian Berendt proposed a change to openstack/keystone: Bump hacking to 0.9.x series  https://review.openstack.org/9899611:38
jamielennoxmarekd: if it doesn't make sense to use it without a project or domain then that's ok11:41
marekdjamielennox: OK11:41
marekdthanks.11:41
jamielennoxmarekd: have a look at the spec i just posted ^11:42
jamielennoxwill that work for the federation case and the normal case?11:42
openstackgerritChristian Berendt proposed a change to openstack/keystone: Bump hacking to 0.9.x series  https://review.openstack.org/9899611:42
marekdjamielennox: nvm, let me finish one thing first and i will look at it11:44
jamielennoxmarekd: no rush11:44
openstackgerritChristian Berendt proposed a change to openstack/python-keystoneclient: Bump hacking to 0.9.x series  https://review.openstack.org/10732811:48
openstackgerritChristian Berendt proposed a change to openstack/python-keystoneclient: Calculate a suitable column width for positional arguments  https://review.openstack.org/9787311:53
openstackgerritJamie Lennox proposed a change to openstack/keystone-specs: Add a catalog to an unscoped token  https://review.openstack.org/10733312:01
openstackgerritMarek Denis proposed a change to openstack/python-keystoneclient: Scope unscoped saml2 tokens.  https://review.openstack.org/9970412:20
*** dims__ has quit IRC12:28
*** dims__ has joined #openstack-keystone12:30
openstackgerritKristy Siu proposed a change to openstack/keystone-specs: Trusted Attributes Policy for External Identity Providers  https://review.openstack.org/10027912:32
*** jamielennox is now known as jamielennox|away12:33
*** bvandenh has joined #openstack-keystone12:34
*** kwss has joined #openstack-keystone12:34
*** ajayaa has quit IRC12:35
*** bknudson has quit IRC12:39
*** gabriel-bezerra has quit IRC12:39
*** gabriel-bezerra has joined #openstack-keystone12:40
openstackgerritKristy Siu proposed a change to openstack/keystone-specs: reengineered-federation  https://review.openstack.org/10430112:49
*** ajayaa has joined #openstack-keystone12:51
*** bknudson has joined #openstack-keystone12:57
*** radez_g0n3 is now known as radez13:02
*** dstanek_zzz is now known as dstanek13:05
*** hrybacki has joined #openstack-keystone13:06
*** hrybacki has quit IRC13:06
*** hrybacki has joined #openstack-keystone13:06
marekdhttps://pbs.twimg.com/media/BpD9YbYIIAAmOrL.png:large13:06
*** dvorak has quit IRC13:09
*** vhoward has joined #openstack-keystone13:10
*** joesavak has joined #openstack-keystone13:11
*** dvorak has joined #openstack-keystone13:11
*** diegows has quit IRC13:11
*** hrybacki has quit IRC13:12
*** hrybacki has joined #openstack-keystone13:12
*** diegows has joined #openstack-keystone13:14
*** ajayaa has quit IRC13:20
*** lbragstad has joined #openstack-keystone13:21
openstackgerritKristy Siu proposed a change to openstack/keystone-specs: reengineered-federation  https://review.openstack.org/10430113:26
openstackgerritJeffrey Zhang proposed a change to openstack/keystone: Redirect stdout and stderr when using subprocess  https://review.openstack.org/5161013:27
*** stevemar has joined #openstack-keystone13:28
*** hyakuhei has quit IRC13:30
*** diegows has quit IRC13:31
*** hyakuhei has joined #openstack-keystone13:38
afaranhaHello, Did you have issues when trying to use OS-INHERIT extension to assign an inherited role to a domain different from the default with a new user, new project and new role?13:42
afaranhavishy morganfainberg Do you know something about it?13:42
*** diegows has joined #openstack-keystone13:43
openstackgerritClayton O'Neill proposed a change to openstack/keystone: Add pluggable range functions for token flush  https://review.openstack.org/10172613:44
chandankumarHello,13:56
chandankumarfor this review https://review.openstack.org/#/c/107079/13:56
*** topol has joined #openstack-keystone13:57
chandankumardevstack-bashate gate is failing by giving this: http://fpaste.org/118449/19066140/13:57
chandankumarhere is the console log: https://jenkins05.openstack.org/job/gate-devstack-bashate/73/console13:58
chandankumarWhat is going wrong here?13:58
chandankumarand how to fix it?13:58
openstackgerritMarek Denis proposed a change to openstack/python-keystoneclient: List federated projects and domains  https://review.openstack.org/10739314:04
dstanekchandankumar: you may have better luck asking in the #openstack-dev channel14:05
chandankumardstanek, i have asked in infra channel.14:05
dstanekchandankumar: and no response?14:05
dstanekchandankumar: have you run bash8 on your code to see if it fails locally?14:06
*** gabriel-bezerra has quit IRC14:06
chandankumardstanek, got the response14:07
*** gabriel-bezerra has joined #openstack-keystone14:07
chandankumardtroyer, it is working in my system14:07
*** lbragstad has quit IRC14:20
*** lbragstad has joined #openstack-keystone14:22
*** lbragstad has quit IRC14:33
*** tomoiaga has quit IRC14:35
*** shausy2 has quit IRC14:39
*** richm has joined #openstack-keystone14:39
*** joesavak has quit IRC14:47
*** bvandenh has quit IRC14:53
*** lbragstad has joined #openstack-keystone14:54
*** joesavak has joined #openstack-keystone14:54
*** lbragstad has quit IRC14:56
*** lbragstad has joined #openstack-keystone14:58
*** thedodd has joined #openstack-keystone15:01
stevemarmarekd, ping15:03
openstackgerritSteve Martinelli proposed a change to openstack/python-keystoneclient: Remove SAML unscoped token auth from setup.cfg  https://review.openstack.org/10723115:07
morganfainbergdolphm, do we have the specific docs on *what_v3_keystone_consumption_means_for_other_projects* written down anywhere? (besides heat, they're kind of special)15:17
*** gokrokve has joined #openstack-keystone15:18
dolphmmorganfainberg: let me know what's missing here http://docs.openstack.org/developer/keystone/http-api.html15:18
morganfainbergdolphm, perfect, thanks15:19
morganfainbergdolphm, hopefully it's all (with the v2->v3 catalog code) "new features, and it works™"15:20
dolphmmorganfainberg: ++15:20
*** david-lyle has joined #openstack-keystone15:20
morganfainbergjoe gordon is asking for some specifics15:21
morganfainbergand i think we're at that point that it is really transparent15:21
morganfainbergbut... i want to spend some time to be fore before saying it that bluntly :)15:21
*** daneyon_ has joined #openstack-keystone15:22
*** afazekas has quit IRC15:23
*** daneyon has quit IRC15:25
*** afazekas has joined #openstack-keystone15:25
bknudsonthe clients need to support identity v315:26
bknudsone.g., novaclient needs to be changed to support identity v315:26
bknudsonand if nova is authenticating to talk to neutron then neutronclient needs to support identity v315:27
bknudsonand then there's new config options that need to be added for the neutron config15:27
bknudsonfor the domain for the user and project15:28
morganfainbergbknudson, right.15:28
bknudsonwhich we should be able to switch to using the session options15:28
morganfainbergbknudson, ++15:28
openstackgerritA change was merged to openstack/python-keystoneclient: Document authentication plugins  https://review.openstack.org/8407115:30
*** afazekas has quit IRC15:35
dolphmand that helps ^15:41
stevemardolphm, aye it does15:42
*** ayoung_ZZzzZZzzz is now known as ayoung15:44
*** gokrokve has quit IRC15:45
stevemarmorganfainberg, dolphm, can you guys look at the keystone2keystone stuff? https://review.openstack.org/#/c/10002315:45
morganfainbergdolphm, bknudson, FYI: https://bugs.launchpad.net/devstack/+bug/134066015:46
uvirtbotLaunchpad bug 1340660 in devstack "Apache failed to start in the gate" [Undecided,New]15:46
morganfainberg~242 hits since july 10th15:46
morganfainbergthis is likely a result of us gating on mod_wsgi15:46
bknudsonhow would adding keystone make apache fail when having horizon didn't?15:48
afaranhaHello, Did you have issues when trying to use OS-INHERIT extension to assign an inherited role to a domain different from the default with a new user, new project and new role?15:48
morganfainbergbknudson, because it's slow to release the port and the init script thinks apache has stopped15:49
morganfainbergbknudson, so start fails to bind15:49
bknudsonkeystone is?15:49
morganfainberglong long long standing issue with the init scripts on *every* linux distribution15:49
morganfainbergapache is15:49
morganfainbergif you have even a slight delay between the stop and start calls everything is free.15:49
morganfainbergthis is more of an issue when mod_wsgi or similar is used to control an application under apache15:50
morganfainbergapache wiki says "apachectl restart" resolves this.15:50
morganfainbergbut no init scripts use apachectl, they insist on using their own mechanism for controlling the processes15:50
*** afazekas has joined #openstack-keystone15:51
dstanekmorganfainberg: that sounds like all kinds of fail15:52
morganfainbergdstanek, yeah, welcome to linux distributions :P15:53
*** daneyon_ has quit IRC15:56
*** vhoward has left #openstack-keystone15:56
*** daneyon has joined #openstack-keystone15:57
*** afazekas has quit IRC15:57
dolphmstevemar: i'm working on a revision to the keystone to keystone spec, since it looks like my diff was never applied.15:59
dolphmstevemar: also reviewing it in the process15:59
stevemaryay15:59
stevemardolphm, i didnt apply your diff because it was made pre-deciding-saml15:59
afaranhamorganfainberg: As yesterday Henrynash told me you had some issues like the one I mentioned above, Could you tell me how did you solve it?16:00
dolphmstevemar: then you should have applied it and moved on from there :P16:00
stevemardolphm, something something hackathon16:00
*** jsavak has joined #openstack-keystone16:01
dolphmstevemar: review lbragstad's patches for api validation and my get-catalog thing while i do this :D16:01
* lbragstad lurks 16:02
*** joesavak has quit IRC16:02
dolphmlbragstad: p.s. burritos downstairs today from freebirds - maybe upstairs too16:03
* lbragstad stops lurking and starts wandering16:03
*** daneyon has quit IRC16:04
* dolphm is already hungry16:04
*** daneyon has joined #openstack-keystone16:07
dolphmjamielennox|away: could use your input on https://bugs.launchpad.net/python-keystoneclient/+bug/129220216:08
uvirtbotLaunchpad bug 1292202 in python-keystoneclient "keystoneclient appears to ignore --os-cacert option" [Undecided,Incomplete]16:08
*** daneyon_ has joined #openstack-keystone16:10
*** kwss has quit IRC16:13
*** chandankumar has quit IRC16:13
*** daneyon has quit IRC16:14
*** mfainberg_phone has joined #openstack-keystone16:15
*** andreaf has quit IRC16:17
dstanekdolphm: any reason not to remove the dep here and just go with this patch? https://review.openstack.org/#/c/10642016:18
dolphmdstanek: you'll need to squash them in that case16:19
dolphmdstanek: oh wait, maybe you don't!16:19
*** lbragstad has quit IRC16:20
dolphmdstanek: fixed16:21
*** mfainberg_phone has quit IRC16:21
bknudsonis lbragstad working again?16:22
*** spandhe has joined #openstack-keystone16:23
dstanekdolphm: nice16:24
stevemarbknudson, i'd say he's not working very hard since he's not on irc16:25
stevemarbknudson, also he keeps wandering around, probably getting lost in the RAX castle16:26
bknudsonI still haven't seen that place16:26
dstanekdolphm: yikes, i tried to run that patch, but it appears that my devstack is busted16:29
dstanekstevemar: he's probably working harder because he's not paying attention to the chatter :-)16:30
stevemardstanek, i'm sticking to my wandering around the castle story, it's funnier in my head16:30
*** spandhe has quit IRC16:32
*** marcoemorais has joined #openstack-keystone16:33
*** jdennis has quit IRC16:36
*** spandhe has joined #openstack-keystone16:36
*** tkelsey has quit IRC16:38
*** gokrokve has joined #openstack-keystone16:41
openstackgerritAndre Aranha proposed a change to openstack/keystone: Add tests to OS-INHERIT extension  https://review.openstack.org/10743916:44
*** BAKfr has quit IRC16:45
morganfainbergafaranha, hrm? which issues?16:46
dstaneki'll be back a little later - have to go do some public speaking16:48
afaranhaWhen I'm trying to use OS-INHERIT extension to assign an inherited role to a domain different from the default, with a new user, new project and new role the role assignment is not updated with the new information, when I check in sql the column "inherited" is still 016:48
morganfainbergdstanek, that sounds sinister16:49
morganfainbergafaranha, so, from what i've read, you need to post the grant to the OS-INHERIT extension for it to have that flag set.  let me 2x check16:49
morganfainbergafaranha, i don't think you create the grant then mark it as inherited16:49
morganfainbergafaranha, give me a few minutes (I dug around in this code not too long ago)16:50
dstanekmorganfainberg: nah, a friend's company is replatforming and has been asking people to talk about their expertise - i get to talk about Python16:51
morganfainbergdstanek, so. super sinister! ;)16:51
afaranhaI think the 3-4 times I checked it I didn't try to create the role with OS-INHERIT16:51
*** lbragstad has joined #openstack-keystone16:51
dstanekmorganfainberg: i have to take out the Java-hate slides!16:51
morganfainbergdstanek, dang! but... those are the best ones!16:52
morganfainbergafaranha, yeah let me 2x check, but i think you create it with OS-INHERIT (we should make this a *not-an-extension* in my opinion, but that is a different topic)16:53
morganfainbergafaranha, yes, https://github.com/openstack/keystone/blob/master/keystone/assignment/routers.py#L140-L144 looks like you create the grant with OS-INHERIT16:54
afaranhamorganfainberg: Yes, that's why I'm dealing with it right now, helping in this spec https://review.openstack.org/#/c/101017/16:54
morganfainbergit calls the same thing as the standard create grant, but i think just sets the value16:54
* morganfainberg checks a little further16:54
*** amcrn has joined #openstack-keystone16:55
morganfainbergafaranha, yep, there is a specific check to see if it came through OS-INHERIT16:55
morganfainbergand that is how that bit is set16:55
morganfainbergwow.  uh... that is...16:55
*** lbragstad has quit IRC16:56
morganfainbergthat could be not-intuitive i guess16:56
afaranhamorganfainberg: I'll check that, thank you. I think it should update the existing grant, am I wrong?16:57
afaranhamaybe a blueprint for this, or a blueprint for an update function?16:58
*** andreaf has joined #openstack-keystone17:01
morganfainbergafaranha, well grants are immutable17:01
morganfainbergafaranha, afai17:01
morganfainbergk17:01
morganfainbergso, if you want an inherited one, you create one, if you don't want an inherited one create a non-inherited one17:01
morganfainbergit ensures we don't have "well this grant id now is something totally different"17:02
morganfainbergafaranha, so i'd say no, just create the new grant that is inheritable vs. "change one we have"17:02
*** afazekas has joined #openstack-keystone17:06
*** dstanek is now known as dstanek_zzz17:06
afaranhaSo, if I have, for example, admin role assigned to default domain, and now I want to set it to be inherited, I have to revoke the assignment to assign it again with inherit = True ?17:06
morganfainbergafaranha, or not revoke it and create a new grant that is inherited17:07
morganfainbergafaranha, if that doesn't work, then it should (and could be a bug)17:07
morganfainbergwe don't "update" grants. it's a serious headache.17:08
morganfainbergif you want a new / different grant either delete the old one and issue a new one, or just issue a new one (if the old one is valid still)17:08
vishymorganfainberg: have you been keeping up on the hierarchical multitenancy stuff?17:10
vishyunfortunately I’ve been focusing exclusively on network stuff lately17:10
*** andreaf has quit IRC17:10
*** afaranha_ has joined #openstack-keystone17:13
morganfainbergvishy, i have been trying to, but it's hard to keep track of everything going on17:13
morganfainbergvishy, raildo has been working on that mostly iirc17:13
*** openstackgerrit has quit IRC17:16
morganfainbergno openstackgerrit! come back!17:16
morganfainberg>.>17:17
*** openstackgerrit has joined #openstack-keystone17:17
*** harlowja_away is now known as harlowja17:18
*** harlowja is now known as harlowja_away17:19
*** harlowja_away is now known as harlowja17:19
*** hrybacki has quit IRC17:20
*** thedodd has quit IRC17:21
openstackgerritMorgan Fainberg proposed a change to openstack/keystone: Move keystone.token.default_expire_time to token.provider  https://review.openstack.org/10721917:24
openstackgerritMorgan Fainberg proposed a change to openstack/keystone: Consolidate `assert_XXX_enabled` type calls to managers  https://review.openstack.org/10722017:24
*** andreaf has joined #openstack-keystone17:25
*** marcoemorais has quit IRC17:33
*** shakamunyi has joined #openstack-keystone17:39
*** shakamunyi has quit IRC17:39
*** shakamunyi has joined #openstack-keystone17:40
*** hrybacki has joined #openstack-keystone17:41
*** shakamunyi has quit IRC17:42
*** marcoemorais has joined #openstack-keystone17:50
dolphmbknudson: lbragstad is mostly trying to get his dev environment setup on his shiny new not-ibm laptop17:55
*** lbragstad has joined #openstack-keystone17:55
bknudsondolphm: I hope he's installing linux.17:56
dolphmbknudson: not that i'm aware of17:56
bknudsonmaybe we should rewrite keystone in .NET17:57
*** lbragstad has quit IRC17:58
*** lbragstad has joined #openstack-keystone17:59
stevemardid something land between the 12th and 14th that made keystone logs in jenkins go over 50 MB ?18:00
*** marcoemorais1 has joined #openstack-keystone18:02
*** marcoemorais1 has quit IRC18:03
*** marcoemorais1 has joined #openstack-keystone18:03
*** marcoemorais1 has quit IRC18:03
*** marcoemorais1 has joined #openstack-keystone18:03
*** marcoemorais has quit IRC18:04
*** bvandenh has joined #openstack-keystone18:05
dolphmlbragstad: abandon https://review.openstack.org/#/c/98621/ now18:05
morganfainbergstevemar, ??18:05
*** otwieracz has left #openstack-keystone18:06
dolphmmorganfainberg: did your patch to reduce them merge?18:06
morganfainbergdolphm, think so *checks*18:06
morganfainbergdolphm, https://review.openstack.org/#/c/106496/ yep18:06
*** tesh has joined #openstack-keystone18:07
teshwarning18:07
teshwarning18:07
tesh you may be  watched18:07
teshdo usa&israel use the internet(facebook,youtube,twitter, chat rooms ..ect)to spy??18:07
teshdo usa&israel use the internet 2 collect informations,,can we call that spying??18:07
teshdo they record&analyse everything we do on the internet,,can they harm you using these informations??18:07
*** tesh has quit IRC18:07
dolphmmorganfainberg: where is ban button18:07
morganfainbergi have to lookup how to do it on IRC, i always forget18:07
lbragstaddolphm: done, https://review.openstack.org/#/c/98621/ thanks!18:08
dolphmmorganfainberg: or they already left the channel?18:08
morganfainbergdolphm, already left, got excess flood18:09
lbragstaddolphm: http://irchelp.org/irchelp/changuide.html scroll down to banning18:10
*** dims__ has quit IRC18:11
hrybackiis https://bugs.launchpad.net/python-keystoneclient/+bug/1066785 still a relevant bug? If so, this should be resolved in middleware now, yes?18:13
uvirtbotLaunchpad bug 1066785 in python-keystoneclient "auth_token middleware have twice cache  for a valided token" [Low,Triaged]18:13
*** morganfainberg sets mode: +b *!awrbgh@197.123.75.19118:13
morganfainberghrybacki, i think bknudson18:14
morganfainbergfixed that one18:14
morganfainbergor has a fix pending to solve that18:15
hrybackimorganfainberg: dang18:15
*** gabriel-bezerra has quit IRC18:15
bknudsonmorganfainberg: I've got a fix in middleware18:15
morganfainbergi think18:15
morganfainbergbknudson, ++18:15
hrybackihow do we close that bug?18:15
*** gabriel-bezerra has joined #openstack-keystone18:16
bknudsonhrybacki: https://review.openstack.org/#/c/102399/18:16
morganfainbergchecking to make sure it's tracked in middleware18:16
bknudsonit's not merged18:16
bknudsonview it18:16
bknudsonit has to be reviewed18:16
hrybackiOh, got it18:16
bknudsonhmm, maybe https://bugs.launchpad.net/keystonemiddleware/+bug/1289075 is a dup of https://bugs.launchpad.net/python-keystoneclient/+bug/106678518:17
uvirtbotLaunchpad bug 1289075 in keystonemiddleware "'invalid' tokens redundantly remarked as 'invalid'" [Medium,In progress]18:17
morganfainberghrybacki, https://bugs.launchpad.net/python-keystoneclient/+bug/1066785 is marked as won't fix and linked to the middleware bug18:19
uvirtbotLaunchpad bug 1066785 in python-keystoneclient "auth_token middleware have twice cache  for a valided token" [Low,Triaged]18:19
hrybackimorganfainberg: ++ thank you18:19
openstackgerritA change was merged to openstack/python-keystoneclient: add deprecation warning for auth_token  https://review.openstack.org/10718218:20
*** afazekas has quit IRC18:20
*** bvandenh has quit IRC18:21
morganfainbergstevemar, ayoung, hrybacki, if you're poking at a devstack in the near future maybe look at https://review.openstack.org/#/c/102425/ to stand it up, should make the logs for apache-keystone more... uhm.. like they are under eventlet18:23
morganfainbergayoung, also, what was the fix last night for logging?18:23
*** mat-lowery has left #openstack-keystone18:23
ayoungmorganfainberg, heh, the fix was to realize my problem was in apache rejecting the request (Kerberos) before it ever got to Keystone18:24
morganfainbergayoung, ahhh18:24
morganfainbergayoung, ok :P18:24
ayoungmorganfainberg, the problem is that the auth plugin for Kerberos sets up the connection info.  But that is only used to get a token18:24
morganfainberggot it18:24
stevemarmorganfainberg, i'll be trying that out soon18:26
morganfainbergstevemar thanks18:26
*** thedodd has joined #openstack-keystone18:26
morganfainbergstevemar, requires 14.04 (apache 2.4)18:26
ayoungmorganfainberg, the good news is that I got Kerberized Horizon to work.   http://adam.younglogic.com/2014/07/kerberos-for-horizon-and-keystone/18:27
morganfainbergotherwise it won't matter18:27
morganfainbergayoung, nice!18:27
ayoungmorganfainberg, yep.  Still needs more work, but right now I'm taking an admin day.  I have an expense report to fill out and a trip to Europe to plan18:27
morganfainbergayoung, yep, same here (well, at least an expense report to file)18:28
dolphmsomeone showed me a trick to download all the logs for a jenkins run - i don't recall what it was. wget --recursive and something?18:30
*** dims__ has joined #openstack-keystone18:35
*** andreaf has quit IRC18:38
stevemardolphm, wget -r ?18:57
*** gabriel-bezerra has quit IRC18:57
stevemarpoint to a dir18:57
dolphmstevemar: *clears throat*....18:57
dolphmstevemar: wget -np -nd -r -l0 --accept gz -e robots=off --follow-tags=ref,a http://logs.openstack.org/06/100006/1/check/check-tempest-dsvm-full/6dbf332/18:57
stevemarnp being no-parent, good call18:57
stevemarfancy18:58
dolphmstevemar: i'm going to wrap this into a tool that also unzips everything18:58
*** gabriel-bezerra has joined #openstack-keystone18:58
stevemargz zips it?18:58
dolphmstevemar: they're already gz'd18:58
stevemarah18:58
dolphmstevemar: my current task is to un-gz18:58
dolphmbut gunzip doesn't like any of the files18:58
stevemargzip -d that18:58
*** ukalifon has quit IRC18:59
dolphmoh they're html files18:59
stevemarthat would explain why you can't gunzip them18:59
dolphmls18:59
dolphmwhoops18:59
dolphmpasteraw is also mishandling unicode apparently :( http://pasteraw.com/pc85nx361ry6c47hzvl9mtzu34op29q19:02
*** marcoemorais1 has quit IRC19:07
*** dims__ has quit IRC19:08
*** topol has quit IRC19:11
*** jaosorior has quit IRC19:12
*** marcoemorais has joined #openstack-keystone19:27
*** lbragstad has quit IRC19:34
*** hrybacki has quit IRC19:37
openstackgerritAbhishek Kekane proposed a change to openstack/keystone: Keystone service throws error on SIGHUP signal  https://review.openstack.org/10748219:45
*** lbragstad has joined #openstack-keystone19:46
*** Chicago has quit IRC19:54
*** navid has joined #openstack-keystone20:00
navidhi20:00
navidanybody knows about the keystoneclient/tests/v3/test_revoke.py it is not in the master20:02
navidso how to test model.py in keystoneclient20:02
*** afaranha_ has quit IRC20:04
dolphmstevemar: https://github.com/dolph/dotfiles/blob/master/bin/logcp20:05
stevemardolphm, hate those robots20:05
dolphmnavid: where *was* that file?20:06
stevemardolphm, i added a new library (some saml one) to my machine, and added it to requirements.txt, and it shows up in the tox env i'm using... but when i run a test, tox does that silly thing where it runs 0 tests cause of import errors :\20:07
dolphmstevemar: import error on the new dep?20:07
dolphmstevemar: how do you know it's in the tox env?20:07
stevemar.tox/debug/bin/pip show <library_name>20:08
dolphm.tox/whatever/bin/python -c "import newlib" ?20:08
stevemardolphm, that works too20:09
dolphmstevemar: debug won't be the tox env that the test runner is using20:09
dolphmstevemar: maybe blow away tox and let it rebuild?20:09
stevemardolphm, it will be if i use tox -e debug test_name20:10
stevemardolphm, tried that too20:10
stevemardolphm, either way, i installed it under py27 too20:10
stevemarbah, i'll blow it all away20:11
stevemargrumble grumble20:11
navid@dolphm: the keystoneclient/tests/v3/test_revoke.py and this is the review:https://review.openstack.org/#/c/81166/29/keystoneclient/tests/v3/test_revoke.py20:13
*** dims has joined #openstack-keystone20:14
dolphmnavid: that file is being added by that review20:14
dolphmnavid: use 'git review -d 81166' to check it out20:14
navid@dolphm: thanks20:19
*** dstanek_zzz is now known as dstanek20:25
morganfainberghmm.20:26
* morganfainberg tries to remember the next step in non-persistent tokens.20:26
morganfainbergooh i know rm -rf keystone/token/backends , doing it right?20:27
dolphmmorganfainberg: ++20:44
*** lbragstad has quit IRC20:44
dolphmmorganfainberg: last step: fix what breaks20:44
*** lbragstad has joined #openstack-keystone20:45
*** stevemar has quit IRC20:49
*** andreaf has joined #openstack-keystone20:54
*** diegows has quit IRC20:55
*** mgarza has joined #openstack-keystone21:00
*** afazekas has joined #openstack-keystone21:05
*** diegows has joined #openstack-keystone21:12
*** hrybacki has joined #openstack-keystone21:13
openstackgerritDolph Mathews proposed a change to openstack/keystone-specs: Federating multiple Keystones  https://review.openstack.org/10002321:16
*** jsavak has quit IRC21:21
*** hrybacki has quit IRC21:23
*** gabriel-bezerra has quit IRC21:23
*** gabriel-bezerra has joined #openstack-keystone21:24
*** radez is now known as radez_g0n321:31
*** mrmoje has joined #openstack-keystone21:31
*** tatialchueyr has joined #openstack-keystone21:31
*** marcoemorais has quit IRC21:32
*** marcoemorais1 has joined #openstack-keystone21:32
dolphmomg so many new transient bugs :'(21:38
morganfainbergdolphm, i know :(21:38
*** mrmoje has quit IRC21:43
*** tatialchueyr has quit IRC21:49
*** topol has joined #openstack-keystone21:56
*** gabriel-bezerra has quit IRC21:56
*** gabriel-bezerra has joined #openstack-keystone21:56
*** david-lyle has quit IRC22:00
*** david-lyle has joined #openstack-keystone22:01
*** diegows has quit IRC22:05
*** diegows has joined #openstack-keystone22:18
*** lbragstad has quit IRC22:30
*** dims_ has joined #openstack-keystone22:34
*** bknudson has quit IRC22:36
*** lbragstad has joined #openstack-keystone22:37
*** dims has quit IRC22:38
*** thedodd has quit IRC22:45
*** jamielennox|away is now known as jamielennox22:52
*** mrmoje has joined #openstack-keystone22:59
*** lbragsta_ has joined #openstack-keystone23:01
*** lbragsta_ has quit IRC23:01
*** mrmoje has quit IRC23:03
*** lbragstad has quit IRC23:04
*** gokrokve has quit IRC23:04
*** mrmoje has joined #openstack-keystone23:05
*** gokrokve has joined #openstack-keystone23:05
*** gokrokve has quit IRC23:10
*** mrmoje has quit IRC23:10
openstackgerritJamie Lennox proposed a change to openstack/keystone-specs: Auth Specific Data  https://review.openstack.org/10732523:14
*** david-lyle has quit IRC23:19
*** afazekas has quit IRC23:27
*** diegows has quit IRC23:32
*** mgarza has quit IRC23:42
*** mgarza has joined #openstack-keystone23:43
*** mgarza has quit IRC23:45
*** mgarza has joined #openstack-keystone23:45
*** miqui has quit IRC23:47
*** mgarza has quit IRC23:47
*** mgarza has joined #openstack-keystone23:48
jamielennoxdolphm: i'd like to get some eyes on https://review.openstack.org/#/c/107228/ which should be fairly simple, then a release?23:48
*** hrybacki has joined #openstack-keystone23:49
*** diegows has joined #openstack-keystone23:52
*** diegows has quit IRC23:58
