Thursday, 2014-09-04

<openstackgerrit> Jamie Lennox proposed a change to openstack/python-keystoneclient: Allow fetching user_id/project_id from auth
<openstackgerrit> A change was merged to openstack/keystone: Test cleanup: do not leak FDs during test runs
04:32 <morganfainberg> ugh that took a lot longer than expected today
<openstackgerrit> A change was merged to openstack/keystone: Cleanup superfluous string comprehension and coersion
<openstackgerrit> A change was merged to openstack/identity-api: JSON Home relationships for auth resources
<openstackgerrit> Steve Martinelli proposed a change to openstack/keystone: Update the revocation configuration docs
<openstackgerrit> Steve Martinelli proposed a change to openstack/keystone: Update the docs that list sections in keystone.conf
<openstackgerrit> OpenStack Proposal Bot proposed a change to openstack/keystone: Imported Translations from Transifex
<openstackgerrit> wanghong proposed a change to openstack/keystone: remove default check keys in assertValidEntity
<openstackgerrit> A change was merged to openstack/keystone: Lower log level for notification registration
08:29 <ekarlso-> jamielennox: around ?
<openstackgerrit> Alexander Makarov proposed a change to openstack/keystone: LDAP additional attribute mappings validation
14:01 <ekarlso-> jamielennox: how is one supposed to use the adapter with api discovery ?
14:26 <bknudson> dolphm: is there some new trick with workflow-1 workflow+1?
14:28 <dolphm> bknudson: it's not new, but it's effectively a recheck without a recheck :-/
14:28 <dolphm> bknudson: sends another +A to get picked up by zuul
14:28 <dolphm> bknudson: which seems to lose events otherwise, sometimes
14:29 <bknudson> does it skip the "check" step?
14:29 <dolphm> bknudson: no
14:29 <dolphm> bknudson: i use it when there's not a failed build blocking things, but there's no job in the gate (and there should be)
14:30 <bknudson> the gate queue didn't go down much since yesterday.
14:31 <dolphm> bknudson: it's almost half the size that it was yesterday morning
14:31 <bknudson> it was at 140? I thought it was 100
14:32 <dolphm> bknudson: it hit like 127 as far as i saw
14:32 <dolphm> bknudson: last 72 hours,%20%27000000%27)&bgcolor=ffffff&1409841063711
14:32 <dolphm> bknudson: maybe 130 by that graph? hard to tell
14:33 <bknudson> now there's a horizon change at the front that doesn't pass its unit tests.
14:33 <dolphm> bknudson: seriously?
14:33 <bknudson> I'm serious.
14:33 <dolphm> bknudson: legit fails or transient?
14:34 <dolphm> bknudson: both jobs are failing the same way...
14:34 <bknudson> looks legit to me since it's the test result and not a dns or pip failure
14:34 <dolphm> bknudson: that patch had a clean build 2 days ago
14:35 <bknudson> maybe something else merged that broke it.
14:35 <dolphm> bknudson: at least it won't merge, i suppose (if it is a transient)
<dolphm> jamielennox: see the /topic regarding
<dolphm> jamielennox: and
14:40 <dolphm> jamielennox: i think there are a couple misconceptions in there ^ we could clear up with stevemar / marekd. like what appears in the service catalog regarding foreign clouds
14:42 <stevemar> dolphm, o/
15:03 <dolphm> lbragstad: at castle?
15:03 <lbragstad> dolphm: yep
15:03 <dolphm> lbragstad: i'm in the bookstore
15:04 <dolphm> lbragstad: technically we have a meeting that i just realized you're not on
15:05 <stevemar> dolphm, i think we're safe on the mox / oslotest transition
15:05 <ayoung> dolphm, regarding the PKI->uuid transition, is this how you see it playing out: we leave UUIDs as the default (for a long while) and continue to build up the PKI infrastructure until it is deployment ready and then tell people "for this set of features you only get them if you run PKI tokens?"
15:05 <dolphm> ayoung: what features would be PKI only?
15:06 <ayoung> dolphm, distributed signing
15:06 <ayoung> ephemeral tokens
15:06 <dolphm> ayoung: oh sure, yeah
15:06 <ayoung> I think PKI is for scale
15:06 <dolphm> ayoung: i don't see those as features so much as competitive advantages of one over the other
15:06 <ayoung> it was always meant to be
15:06 <dolphm> ayoung: UUID will always be simpler to configure, etc
15:06 <ayoung> and if the low end doesn't need them, that is ok
15:06 <ayoung> yeah, agreed
15:07 <ayoung> dolphm, TBH, the SAML approach for K2K kind of replaces one of the main use cases too
15:08 <ayoung> I originally envisioned a case where a company ran their own Keystone server to talk to a remote cloud, or multiple clouds. Those remote systems would limit tokens signed by that Keystone server to a specific subset of domains
15:08 <ayoung> K2K is not quite that, but close enough that I wouldn't push for it
15:10 <ayoung> dolphm, also, there is the point rharwood had on the code review. With PKI tokens, anyone should be able to validate a token, not just "admin", which means that they could be used in a wider array of applications.
15:10 <ayoung> I'm thinking, though, that we want to drop revocation events for that. I never really wanted to do revocation anyway.
15:11 <ayoung> I'd rather just have short lived tokens.
15:11 <ayoung> And so saying "PKI tokens should have a lifespan of roughly 5 minutes" would work better.
15:12 <ekarlso-> will keystone have more workers anytime soon ?
15:12 <ayoung> I think that better aligns with the "once a token is in Memcached in the endpoint it is valid" approach that UUID tokens were doing when I started on PKI.
15:12 <ayoung> ekarlso-, eventlet?
15:13 <ajayaa> ayoung, how was revocation event going to help with pki token invalidation?
15:13 <ajayaa> sorry, if I interrupted you.
15:23 <morganfainberg> ekarlso-, keystone can have multiple eventlet workers now (it's a config option), but you'll have better luck with apache+mod_wsgi most likely (especially if running Juno+)
15:33 <ekarlso-> morganfainberg: why so vs workers ?
15:33 <ekarlso-> i'm on IH atm
15:36 <dolphm> dstanek: ping
15:47 <morganfainberg> ekarlso-, let me check on that multi worker thing might have landed in Juno
15:48 <morganfainberg> ekarlso-, but in short, we gate on apache + mod_wsgi, we do not gate on multiple workers, eventlet has odd side effects and can cause weird edge cases in general.
15:48 <morganfainberg> ekarlso-, eventually i'd like to drop eventlet support (but I don't foresee that being possible anytime soon)
15:50 <morganfainberg> ekarlso-, yeah that multi-eventlet worker patch landed in Juno
15:51 <ekarlso-> morganfainberg: is that faster than standard standalone keystone ?
15:51 <ekarlso-> running in mod wsgi
15:52 <morganfainberg> ekarlso-, it provides better throughput because you can handle multiple requests at once. This doesn't mean you don't have locking / serialization when writing to the db. Generally speaking though, it does make keystone more responsive.
15:52 <ekarlso-> morganfainberg: any docs or guide on howto set that up ? :)
15:52 <morganfainberg> ekarlso- in short, yes apache + mod_wsgi will be more responsive
15:53 <morganfainberg> ekarlso-, in fact, we have a doc just for that!
15:53 <morganfainberg> ekarlso-, (that is the icehouse version if you look at the URL)
15:53 <bknudson> multiple workers is in juno
15:53 <ekarlso-> will try the wsgi stuff :D
15:53 <bknudson> also you can run multiple keystones behind a load balancer
15:53 <morganfainberg> bknudson, ++
15:54 <bknudson> we enabled it for our internal ci
15:54 <morganfainberg> the multi workers?
15:54 <bknudson> and we had someone here interested in multiple workers so they tested it pretty thoroughly
15:54 <ekarlso-> bknudson: k ?
15:55 <bknudson> morganfainberg: yes, multi-workers.
15:55 <mfisch> the "UTF8" all the things in the LDAP code has really broken my keystone
15:55 <morganfainberg> bknudson, we might want to bump the default to more than one worker in our config for J. or at least get the gate that runs eventlet to set that option
15:55 <mfisch> I'm annoyed that it was backported
15:55 <bknudson> morganfainberg: y, that's a good idea.
15:56 <morganfainberg> bknudson, i'll look at that post gate-hell
15:56 <bknudson> morganfainberg: the tests are configured with it for some reason, but that doesn't do anything.
15:56 <morganfainberg> mfisch, what's broken, and how.
15:56 <ekarlso-> gate is still stuck ? :|1
15:56 <morganfainberg> ekarlso-, it's milestone time, i don't want to add extra load to it.
15:56 <mfisch> morganfainberg: I wish I knew what was broken but in Keystone Icehouse 1.2 I get UTF8 decode errors that break LDAP auth
15:56 <morganfainberg> ekarlso-, means lots of changes pending
15:57 <mfisch> which worked fine in Icehouse.1
15:57 <morganfainberg> mfisch, mind tossing up some paste's w/ the tracebacks?
15:57 <bknudson> mfisch: the change can be reverted
15:57 <mfisch> This is all the traceback I get now
15:57 <mfisch> 'utf8' codec can't decode byte 0x80 in position 3: invalid start byte
<mfisch> 2014-09-04 15:19:49.835 9270 WARNING keystone.common.wsgi [-] Authorization failed. The request you have made requires authentication. from
15:57 <morganfainberg> mfisch, i assume you're getting some in the keystone log. if it's nothing fixable we should revert it.
15:57 <bknudson> mfisch: the goal of the change was to fix a problem and not to create new ones.
15:58 <morganfainberg> bknudson, ++
15:58 * morganfainberg plans to get an LDAP gate job together by K1.
15:58 <morganfainberg> we kind of need a real one i think.
15:59 <bknudson> morganfainberg: that might be difficult since there's a lot of things that LDAP doesn't even support
15:59 <morganfainberg> bknudson, i was thinking of it from the functional in-tree test perspective
15:59 <bknudson> tempest will probably need to know that it's LDAP
15:59 <bknudson> oh, our live unit tests?
16:00 <morganfainberg> bknudson, yeah.
16:00 <bknudson> y, those keep breaking
16:00 <morganfainberg> bknudson, and we can use LDAP live as the first real conversion to the in-tree functional
16:00 <mfisch> do you have a live LDAP server to run tests like that against?
16:00 <morganfainberg> mfisch, each time i want to run them i need to stand up a specific devstack with LDAP configured. so no.
16:00 <bknudson> devstack will set up a local openldap
16:01 <morganfainberg> mfisch, it's just a devstack-ism
16:01 <morganfainberg> not a "real"/"live" ldap.
16:01 <mfisch> ah yeah, I forgot brad added that feature
16:02 <mfisch> I wonder if my error means that my LDAP server is returning something that the decoder doesn't like?
16:02 <morganfainberg> mfisch, possibly
16:03 <mfisch> it would be difficult to check for stuff like that with a devstack test
16:05 <morganfainberg> mfisch, aye. but if we can figure out *what* is being passed back that the decoder doesn't like we can build a test that ensures we don't regress on it once we fix it
16:06 <mfisch> I had some arguments with PDB about letting me break in that area yesterday, I'll see what I can do today
16:06 <morganfainberg> mfisch, *nod* I'm definitely open to reverting that fix if it isn't something we can fix, but ideally i'd rather fix the issue (might also exist in master, so more info is important)
16:07 <mfisch> even if reverted it is already packaged and out there, so fixing it for real would be better
16:07 <morganfainberg> mfisch, ++ exactly
16:08 <morganfainberg> bknudson, so python packaging is dark voodoo :( i tried to make the sample config generated when you run (either via pip or directly)
<mfisch> morganfainberg: it's similar to this issue:
16:08 <uvirtbot> Launchpad bug 1364521 in keystone "LDAP integration with Active Directory backend can throw: UnicodeDecodeError" [Undecided,In progress]
16:08 <morganfainberg> bknudson, it's so inconsistent on how it works.
16:12 <morganfainberg> oh ick we use codecs.
<stevemar> dolphm, morganfainberg if you guys don't mind:
16:17 <ajayaa> morganfainberg, In the trust caching while caching get_trust request, a keyword argument is passed which is not accepted by dogpile's default key generator.
16:18 <morganfainberg> ajayaa, yes kwargs are just about impossible to do memoization on (invalidation is the issue)
16:18 <morganfainberg> ajayaa, it's partly why we didn't have more caching initially; there has been a lot of cleanup work to be done to fix that (slowly trickled in over time)
<ajayaa> on a related note please review,
16:19 <ajayaa> identity caching.
16:20 <morganfainberg> stevemar, looks like general cleanup mostly, right?
16:21 <stevemar> morganfainberg, yeah, cleanup + add 'whats new' + brief description
16:23 <morganfainberg> stevemar, LGTM
16:28 <stevemar> morganfainberg, are you ready for the most useless patch ever?
16:28 <dev-lock> how does the python keystone client know to use v2 vs v3. Using the OS_IDENTITY_API_VERSION env does not work.
16:28 <morganfainberg> stevemar, oh sure
16:29 <r1chardj0n3s> hi ayoung-MEETING, could you please ping me when not in meeting?
<openstackgerrit> Steve Martinelli proposed a change to openstack/keystone: Capitalize all instances of Keystone in the docs
16:30 <stevemar> morganfainberg, ^
16:30 <morganfainberg> stevemar, you're just trying to boost commit stats now aren't you :P
16:30 <stevemar> morganfainberg, trying to clean things uP!
16:31 <morganfainberg> stevemar, s/uP/Up
16:31 <stevemar> morganfainberg, i need my free pass to the conf
16:32 <stevemar> morganfainberg, i was initially looking at example of keystone client being used, so i searched for `keystone `
16:32 <stevemar> I saw a few instances, let it go... then i saw another 20
16:33 <gyee> stevemar, -1, need to break up your commits
16:34 * gyee is trying to help out stevemar's commit stats
16:34 <stevemar> gyee, oh now you're just pulling my leg
16:38 <stevemar> morganfainberg, finally found the video you were referencing
16:46 <stevemar> morganfainberg, pm'ing
17:03 <ayoung> r1chardj0n3s, I'm here
17:29 <dstanek> dolphm: pong - didn't see you there
17:46 <morganfainberg> ajayaa, yes it is on my list to review, though at this point I'm not 100% sure we can land it in Juno.
17:47 <ajayaa> morganfainberg, np. I am fine as long as it is not abandoned. :)
17:48 <morganfainberg> ajayaa, nah we (the cores) don't abandon code that is actively being worked on. and auto-abandon was turned off across the board earlier this dev cycle
<openstackgerrit> OpenStack Proposal Bot proposed a change to openstack/keystone: Updated from global requirements
<openstackgerrit> OpenStack Proposal Bot proposed a change to openstack/keystonemiddleware: Updated from global requirements
17:50 <ajayaa> morganfainberg, How would revocation event help PKI tokens to become non-persistent?
17:50 <ajayaa> Who would receive the revocation event? keystonemiddleware?
17:50 <bknudson> ajayaa: with revocation events the keystone server doesn't need to know the token ID
17:51 <bknudson> (doesn't have to know the ID of all the tokens)
17:51 <morganfainberg> ajayaa, the middleware would consume/use the events.
17:51 <morganfainberg> bknudson, actually we could move revocation list over to audit_ids now and make revocation list non-priv as well. but ......
17:51 <bknudson> anybody could use the events to verify that a token is still valid.
17:52 <bknudson> morganfainberg: even with the change to audit_ids, the keystone server still needs to know all the tokens to revoke them.
17:52 <morganfainberg> bknudson, true, i was thinking from a priv vs. non-priv API call
17:53 <morganfainberg> but that also might not be backwards compat because people expect the ids in that list
17:54 <ajayaa> I will use an example. Let's say user A has a token which got revoked and middleware receives a revocation event. When the user tries to authenticate with this token, how does the middleware verify that this token has expired? Does it store the list of tokens revoked so far or something like that?
17:54 <morganfainberg> ajayaa, the revocation event has information (e.g. the user id in it)
<openstackgerrit> OpenStack Proposal Bot proposed a change to openstack/python-keystoneclient: Updated from global requirements
17:55 <morganfainberg> ajayaa, so we revoke tokens based on information in the token, not the token's id
17:55 <morganfainberg> ajayaa, it allows us to be more efficient in revocations as well, for example, on a password change instead of needing to enumerate each token that is revoked for that user, one event revokes all tokens for that user
17:56 <bknudson> morganfainberg: it could be a different API or a request option
17:56 <morganfainberg> bknudson, different API i think.
17:56 <morganfainberg> bknudson, request option might get wonky with priv vs non-priv enforcement
17:56 <ajayaa> The information which is used to determine revoked tokens has to be stored somewhere, right?
17:57 <morganfainberg> ajayaa, in this case with PKI you pass the PKI token to keystone, keystone has all the information about the token then rather than needing to look up the data from a persistent store from the token id.
17:57 <morganfainberg> ajayaa, for uuid tokens we will continue to need persistence
17:58 <morganfainberg> ajayaa, so no keystone won't need to store the token data, if you're revoking the specific token you have the information, if you're revoking a class of tokens (e.g. all tokens for user_id X), you don't need to know the token_id.
17:59 <morganfainberg> ajayaa, this only works with PKI tokens because the middleware decodes the token directly instead of asking keystone for the information
18:00 <ajayaa> Are the notifications sent through oslo.messaging to which keystone middleware subscribes?
18:01 <morganfainberg> ajayaa, right now, no. the middleware still polls keystone for a list of events
18:01 <morganfainberg> ajayaa, eventually the plan is to also send via the message bus.
18:04 <ajayaa> morganfainberg. So instead of polling for revoked tokens (current model) we will be polling for revocation events for efficiency's sake.
18:05 <morganfainberg> yes, and also revocation events do not need privileged access because the token ids are not in the event
18:06 <ajayaa> morganfainberg, Thanks. There is still the possibility of a revoked token being used successfully in between the polling interval.
18:06 <r1chardj0n3s> ayoung: sorry, I was away too :) back now
18:06 <morganfainberg> ajayaa, there is.
<openstackgerrit> A change was merged to openstack/identity-api: Clean up endpoint grouping API
18:07 <r1chardj0n3s> ayoung: I understand you're mulling over some thoughts about client-side keystone token management
18:07 <morganfainberg> ajayaa, but that is an issue with any implementation that doesn't use live validation (a call to keystone to check token validity)
18:07 <morganfainberg> ajayaa, SSL Cert revocation lists have similar issues.
18:08 <r1chardj0n3s> ayoung: I'm toying with a prototype dashboard implementation in almost-entirely javascript, with all state in the browser
18:08 <morganfainberg> if you cache the CRL you won't know until the next time you update the local cache
18:08 <morganfainberg> ajayaa, and most implementations will cache for efficiency
18:08 <ajayaa> morganfainberg, ++
18:08 <ajayaa> Thank you for your time.
18:11 <ayoung> r1chardj0n3s, so am I
18:11 <r1chardj0n3s> we should talk ;)
18:11 <r1chardj0n3s> unfortunately I'm in a meeting *right now* but I should be free in an hour-ish
18:11 <ayoung> that was JQuery, but I've been told the Horizon team has aligned behind AngularJS
18:11 <ayoung> The solutions look pretty similar
18:12 <r1chardj0n3s> ayoung: my prototype is angularjs, quite a different approach to horizon - a much, much thinner support "api proxy" than horizon
18:14 <ayoung> r1chardj0n3s, let me get my repo with the angular thing clean (I broke something) and I'll post
18:14 <r1chardj0n3s> ayoung: ok cool
<openstackgerrit> Steve Martinelli proposed a change to openstack/keystone: Make the extension docs a top level entry in the landing page
18:21 <stevemar> topol_, as requested ^
18:25 <topol> stevemar, you mean my -1 was worthy of some form of mitigation action??? Aww. Thanks for making me feel valuable. You are back on the free dinner list!!! :-)
dstanektopol: but you are valuable!18:26
morganfainbergdstanek, hey! stop trying to get free dinners (unless you make sure i'm invited as well)18:27
topoldstanek is back on the free dinner list too :-)18:27
dstanektopol: morganfainberg thinks you are great too!18:27
topoldrinks only for morganfainberg18:28
morganfainbergok topol, lets go with a round of Louis XIII de Remy18:30
openstackgerritBob Thyne proposed a change to openstack/keystone: Add delete notification to endpoint grouping
topolmorganfainberg has just lost free drink privileges18:31
morganfainbergtopol, you weren't specific!18:32
topolmorganfainberg, sorry man. Judge Wapner has spoken. Perhaps claco still has free slots18:35
topolParis will be fun. Im already excited18:35
topolmorganfainberg, instead of giving out LGTM pins can you get dolphm a recheck pin?  He deserves one18:37
dstaneki think in general there should be an "i survived OpenStack" pin or shirt18:41
stevemar'I survived Juno'18:41
ayoungr1chardj0n3s, OK, look at the angular branch on my github account18:44
r1chardj0n3shey ayoung our meeting just finished. I'll take a look :)18:45
topolstevemar, thanks for I looks good18:45
ayoungr1chardj0n3s, let me make sure Its the right code....18:45
r1chardj0n3sdoesn't look too angular18:45
r1chardj0n3sI will post up my WIP when I get a moment18:46
topolstevemar, dstanek 'I survived the new keystone spec repo' :-)18:46
ayoungr1chardj0n3s, wait. that one is broken18:46
*** ericpeterson has joined #openstack-keystone18:46
ayoungr1chardj0n3s, OK, I did something one should never do:  I completely changed a public git branch18:47
r1chardj0n3ssorry ayoung looks like there's another meeting in 15 :/18:47
r1chardj0n3soops :)18:47
ayoungr1chardj0n3s, ignore it18:47
topolstevemar, dstanek, 'I fought the keystone spec repo, and the spec repo won'18:47
ayoungthis is more important18:47
ayoungr1chardj0n3s, if they fire you, I'll get you another job18:47
r1chardj0n3sok, I should have something I can push up to the gits in about an hour - I vendored a bunch of stuff I shouldn't have and don't want to commit to the repos ;)18:47
ayoungr1chardj0n3s, in my repo look at alt.html and alt.js18:48
stevemartopol, it definitely had its growing pains18:48
ayoung  r1chardj0n3s18:48
topolstevemar, Im just having fun. I like having everything so well documented in it18:48
ayoung  is where I get a token18:48
ayoungand yes, I made it work with Kerberos first18:49
stevemarayoung, what are you cookin up!?18:49
r1chardj0n3sayoung: you crazy ;)18:49
r1chardj0n3sayoung: oh yeah that's the easy bit ;)18:50
ayoungr1chardj0n3s, easy but essential18:50
r1chardj0n3sayoung: but I assume you're running that on the same host:port as keystone API to avoid CORS?18:50
ayoungyou cut to the chase18:51
ayoungso how are we going to do CORS?18:51
ayoungI think its the service catalog18:51
r1chardj0n3sayoung: I am avoiding the issue using a trivial API proxy18:51
ayoungr1chardj0n3s, nah, lets solve it18:51
r1chardj0n3sOK, sorry, I really have to go to this all-hands thing18:51
ayoungr1chardj0n3s, blow it off18:51
openstackgerritBrent Roskos proposed a change to openstack/keystone: Error trapping for ldap2py
ayoungr1chardj0n3s, they will thank you later18:51
ayoungwe will all thank you later18:51
r1chardj0n3sI should be able to IRC in the meet, but I will be AFK for a few minutes while I transit there18:52
r1chardj0n3sthen I'll show you mine :)18:52
ayoungI'll be here18:52
ayoungstevemar, the answer is this:18:52
ayoungwe are going to make Horizon use AJAX to get a keystone token18:52
stevemarayoung, as opposed to ksc?18:53
ayoungstevemar, this solves both the Federation use case and Kerberos18:53
ayoungstevemar, yes as opposed18:53
stevemarnb nb18:53
ayoungthe users browser will make the call direct to keystone18:53
stevemarlooks neat so far18:53
r1chardj0n3sayoung: problem with "solving" the CORS issue is that every API needs CORS support built into it and then configured and yuck18:53
r1chardj0n3sayoung: horizon (and my solution) avoid that18:53
ayoungr1chardj0n3s, we can do that for you18:53
ayoungit's called keystonemiddleware18:54
r1chardj0n3sso it proxies to the other APIs?18:54
ayoungit runs inside other APIs18:54
ayoungr1chardj0n3s, here is what we need for CORS if I understand it correctly18:54
r1chardj0n3sah, so surely that should be part of oslo? (disclaimer: I'm relatively new to OpenStack ;)18:54
ayoungit's part of Keystone18:54
ayoungand you are already soaking in it18:55
topolayoung, are you pushing up horizon patches?18:55
ayoungtopol, I will be soon18:55
ayoungtopol, right now Django Openstack Auth18:55
ayoungbut I need to make a tweak to Horizon proper...18:55
ayounghold that thought18:55
topolayoung, I have a very strong horizon contributor who can either help or at least review/sanity check18:55
ayoungtopol, look at these 3 WIP patches then18:55
ayoungtopol, ^^ is probably the most important18:56
ayoungand it depends on some of Jamie's work to work correctly18:56
*** tqtran has joined #openstack-keystone18:56
ayoungtopol, lets talk in a bit, but I want to finish with r1chardj0n3s18:56
topolayoung,  meet tqtran18:57
ayoungr1chardj0n3s, OK,  so when a user needs a token18:57
ayoungthey go to "Horizon"18:57
ayoungregardless of what it looks like, we'll call it Horizon18:57
ayoungthe web ui18:57
ayoungand then it triggers an AJAX call to $AUTH_URL/....18:58
*** palendae has joined #openstack-keystone18:58
topoltqtran, please take a look at and keep in mind as you do your work with stevemar on fed identity support in horizon18:58
ayoungin my case it varies based on Kerberos vs Password auth18:58
r1chardj0n3s["Horizon" carries baggage of proxying (cumbersomely) the entire API set]18:58
ayoungr1chardj0n3s, I know18:58
ayoungr1chardj0n3s, I need to put a plan in place to support both Horizon and what you are doing18:58
ayoungI think this will work...bear with me18:58
ayoungOK, so the request is a POST, and is legal18:59
*** stevelle_ has joined #openstack-keystone18:59
ayoungthe token comes back in a custom header, and the browser enforces a "no read that" policy18:59
ayoungwe need the Keystone server to respond with a CORS specific header18:59
ayoungMachine at is allowed to read everything from my response19:00
*** sigmavirus24 is now known as sigmavirus24_awa19:00
ayoungNow, this means that Keystone needs to know about Horizon19:00
ayoungI think we do that by registering Horizon as a service and the actual Horizon server as an endpoint of that service19:00
*** sigmavirus24_awa is now known as sigmavirus2419:00
ekarlso-whats keystone cop ?19:00
ayoungekarlso-, COPS19:00
ayoungcommon openstack portal system19:01
ekarlso-what's that ?19:01
ekarlso-horizon ?19:01
ayoungekarlso-, its a prototype19:01
ekarlso-of +19:01
ayoungtalking to keystone via javascript and AJAX, as r1chardj0n3s and I are just now discussing19:01
ayoungI had a public demo of it, but the LDAP server is not running19:01
ayoungonce I fix the LDAP server, I'll let you guys play with it19:01
* ayoung was running a beta of the next version LDAP server19:02
ayoungr1chardj0n3s, OK, so that looks like...19:02
david-lyleI can attest, it was running19:02
r1chardj0n3sayoung: I really have to move at the moment, I will be back online in about 5-10 minutes and I'll be able to describe what I am doing, which I think is easier than all that, since no CORS19:02
*** r1chardj0n3s is now known as r1chardj0n3s_afk19:02
ayoungekarlso-, let me see if I can fix the server and I'll show you19:02
*** r1chardj0n3s_afk is now known as r1chardj0n3s19:06
r1chardj0n3sayoung: my code is not in a repos, because I need to clean up those vendored things, but to give you an idea...19:07
ayoungr1chardj0n3s, ok,  so  back tothe CORS headers19:08
r1chardj0n3sok, I let you finish :)19:08
ayoungLets wave hands and say that Keystone knows about Horizon19:08
ayoungit gets the request with an origin header19:08
ayoung Origin:  is the example from
ayoungso lets make that19:09
dstanekdo we need to get the requirements updated today? /cc dolphm19:09
ayoung Origin: https://horizon.example.com19:09
ayoungthen keystone adds a header19:09
ayoungAccess-Control-Allow-Origin: https://horizon.example.com19:09
r1chardj0n3sso keystone has been configured to know about *that* horizon host19:09
ayoungr1chardj0n3s, keystone already knows about all the other hosts too19:10
ayoungit's called the service catalog19:10
r1chardj0n3sthe api hosts, yes19:10
ayoungbut I don't know if they really need cors support19:10
ayoungnow that I think about it, I don't think they do19:10
r1chardj0n3sthe angular frontend is going to be speaking directly to them, so CORS is an issue19:10
r1chardj0n3s*unless* if goes through a trivial proxy like I'm proposing ;)19:11
ayoungif the Horizon base Javascript makes a POST to it needs to set a custom header19:11
r1chardj0n3s(or Horizon)19:11
ayoung I think it is allowed to do that19:11
ayoungit just can't read them without a CORS header19:11
ayoungr1chardj0n3s, if it is an issue, we can add the CORS header to keystonemiddleware/auth_token  on the process_response stage19:12
ayoungI don't think we do anything there right now19:12
* ayoung looks19:12
r1chardj0n3sis that in all the APIs?19:12
ayoungr1chardj0n3s, I'll post a link19:12
ayoung  is the code that runs in Nova etc19:13
r1chardj0n3sok. but even if that middleware is in each of the API WSGIs we will still need to configure each of the API instances individually to tell them the allowed origins19:13
r1chardj0n3sayoung: ok, cool19:13
ayoung  AuthProtocol is the class. its a wsgi middleware component19:13
r1chardj0n3s... unless keystone has some way of telling the keystonemiddleware what the allowed origins are19:13
ayoungr1chardj0n3s, and it does19:13
ayoungthe service catalog is in the token19:14
r1chardj0n3sawesome, so single point of config. sounds do-able to me19:14
ayoungain't It wikked smaht?19:14
r1chardj0n3smeans I don't need my crappy proxy ;)19:14
r1chardj0n3sI can go back to the awesome angular parts :)19:14
ayoungr1chardj0n3s, if you take this and run with it and make it work you will make the whole world happy...for  limited values of the whole world19:15
r1chardj0n3sjust so you're aware: I'm in the US for another day and then I fly home, so I have another day of productivity then two days of AFK. I'd be happy to write up that stuff as a patch, but if you're willing to do it I'll be happy to review :)19:15
r1chardj0n3sbut it'll be three days before I can get to it :)19:15
ayoungr1chardj0n3s, I'm core.  If you write the patch, I can review19:16
r1chardj0n3skewl, will do!19:16
ayoungr1chardj0n3s, it will be longer than that for me19:16
ayoungr1chardj0n3s, it needs a blueprint19:16
ayoungwe can start by writing that19:16
stevemarayoung, s/blueprint/spec19:16
ayoungr1chardj0n3s, let me point you at the spec repo19:17
r1chardj0n3sooh, my first blueprint19:17
r1chardj0n3ss/blueprint/spec ;)19:17
ayoungr1chardj0n3s, there is a subdir in there for client specs...19:18
r1chardj0n3sok, I will focus on writing the spec for this thing19:18
ayoungr1chardj0n3s, awesome19:18
ayoungr1chardj0n3s, are you sure the remote services even need CORS support?19:19
ayoungcan I post from Origin: horizon to Nova and set a custom header?  I think so19:19
r1chardj0n3sthey're all going to be poked at directly by the browser19:19
ayoungI just can't read them, and I don't think I need to19:19
r1chardj0n3sit's not just headers19:19
ayoungwhat else?19:20
r1chardj0n3spretty much any HTTP operation when invoked from Javascript19:20
ayoungr1chardj0n3s, So two Blueprints19:21
r1chardj0n3sI do hope OPTIONS is supported...19:21
ayoungone is for Keystone server19:21
ayoungthe second is for keystonemiddleware in19:21
ayoungJust to set expectations, it is too late for Juno for  Keystone server, but we can have the patch ready to go and merge into Kilo the day the repo opens19:22
r1chardj0n3soh, absolutely19:22
r1chardj0n3salso, I have security concerns about exposing the entire API suite to browsers, where currently those are "protected" by Horizon19:22
ayoungrealistically, that is going to be mid November, after the summit, but that is just for upstream consumption.  If we do this cleanly, it should be its own middleware component and something that can be built out of tree to start19:23
r1chardj0n3sin this approach, there's no way of restricting access to the APIs19:23
ayoungr1chardj0n3s, that is what RBAC is for, but I hear ya19:23
r1chardj0n3sayoung: I've already discussed the larger Horizon/angularjs thing with david-lyle, and the plan is present something in Paris to see what people think19:24
ayoungr1chardj0n3s, however, the OpenStack APIs are designed to be hit from the outside world, with Horizon being one, very limited use case19:24
ayoungr1chardj0n3s, I've discussed this with him too19:24
*** jasondotstar is now known as jasondotstar|afk19:24
ayoungand walked him through my demo back when I had it working...19:24
r1chardj0n3sayoung: ok, cool (as I mentioned, I'm new ;)19:24
*** packet has quit IRC19:24
david-lyleand I've been reading along :)19:24
ayoungr1chardj0n3s, thrilled to have you aboard19:24
ayoungI love offloading work19:24
r1chardj0n3shappy to be here :)19:24
david-lylethought you two might hit it off19:25
ayoungdavid-lyle, you saw that I rewrote my prototype using angular?19:25
david-lyleI did, haven't looked at the repo yet though19:25
david-lylebut that helps19:25
ayoungdavid-lyle, I was having real issues with angular/bootstrap19:25
ayoungI had a version with tabs and everything, borked19:25
ayoungso the angular demo is just "get a token" stuff but it works with Kerberos19:26
r1chardj0n3sI have "get a token" working but with username/password, so between us we WIN :)19:26
ayoungmy objections to Angular are moot.  It works right out of the repo19:26
dolphmdstanek: yes we should probably sync19:26
dolphmdstanek: why do we have test failures?19:26
r1chardj0n3sayoung: I have considerable angularjs experience :)19:27
ayoungr1chardj0n3s, david-lyle, btw, let me show you one hack that makes development easier19:27
dstanekdolphm: what failures?19:27
dolphmdstanek: no rush today though, we've already cut j3 :-/19:27
dolphmdstanek: that proposal bot job has unit test failures in keystone19:27
r1chardj0n3salso, I am happy that the node.js programming language remains out of scope :)19:28
ayoungr1chardj0n3s, it looks to see if the doc URL starts with file:. If it does, I am planning on using static, pre-canned responses19:28
ayoungthat way, it is pure UI work, and does not need a live server19:28
*** dev-lock has quit IRC19:28
ayoungthere is a checkbox on the page that allows you to force that...19:29
r1chardj0n3sayoung: yes, I was planning something very similar, good to see we're on the same page :)19:29
dstanekdolphm: how do you see the links for old jenkins build? the used to be added as comments19:29
dolphmdstanek: Toggle CI ?19:29
dolphmdstanek: bottom of page19:29
ayoungr1chardj0n3s, so the idea is that we need a naming convention for the responses...something like19:29
dolphmdstanek: patchset 11 was the last to pass19:29
dstanekhmmm...i don't see that button...jas19:29
ayoungPOST keystone/v3/users  becomes  GET sampledata/v3/users.post19:29
dstanekdolphm: ok, my tampermonkey script removed that button :-(19:30
ayoungr1chardj0n3s, ideally, even more fine grained than that, so you can distinguish between POSTs to the same url but with different params..ruminate on that a while and we can brainstorm in Paris19:30
dstanekdolphm: test failures look interesting...i'll get fixed19:31
*** cjellick has quit IRC19:31
dolphmdstanek: i'm opening a bug for you against rc1 :)19:32
*** cjellick has joined #openstack-keystone19:32
dolphmdstanek: lots of LDAP noise in the logs... but is it an ldap failure?19:33
r1chardj0n3sI gotta AFK again for a bit19:33
*** r1chardj0n3s is now known as r1chardj0n3s_afk19:33
topolayoung, when you get serious about trying to get something into horizon you may want to consult tqtran19:33
uvirtbotLaunchpad bug 1365678 in keystone "Sync with openstack/requirements" [Medium,New]19:34
*** cjellick has quit IRC19:37
ayoungtopol, yeah.  So here's the deal19:37
ayoungtopol, we need Kerberos support, and there are two paths there19:38
ayoungthe first is S4U2Proxy19:38
ayoungand...I have a prototype of that working19:38
ayoungthe second is the Javascript approach19:38
ayoungbasically, use AJAX to get a token from keystone, and only Kerberos protect Keystone19:38
ayoungyou *can* kerberos protect Horizon, mind you, you just don't have to19:38
*** rushiagr is now known as rushiagr_away19:39
ayoungI prefer the second approach, but I think it is longer term19:39
ayoungand I think we can support the two together19:39
david-lyleayoung, the js approach is in the right direction for Horizon in general19:39
ayoungdavid-lyle, yeah19:39
ayoungdavid-lyle, it also supports Federation and other mechanisms19:39
ayoungwhich is why I like it19:39
ayoungdavid-lyle, but its more work19:39
ayoungdavid-lyle, and we need something sooner, I think19:40
topolayoung, david-lyle, tqtran, I want to see what works best for horzion. I have tqtran to handle the "more work"19:40
ayoungtopol, OK,   first off, we need to be able to (regardless of how we get it) pass a token to Horizon to authenticate19:40
ayoungthis means that Horizon needs to validate tokens19:40
*** r1chardj0n3s_afk is now known as r1chardj0n3s19:41
ayoungnow, since Horizon only really likes UUID tokens, I guess we say "let's just do online validation"19:41
ayoungforget the PKI token validation to start19:41
topolayoung, stevemar  we have middleware piece for that correct?19:41
ayoungtopol, for horizon?  not really19:41
ayoungits called Django Openstack auth19:41
ayoungand it only does password right now19:41
topolayoung, agreed online only.19:41
ayoungD-O-A talks to Keystone client19:41
ayoungtopol, so...look at that patch I linked above...19:42
topolayoung, K, well stevemar can help there19:42
topolayoung I did look19:42
topolayoung looked like 60 lines of auth code19:42
ayoungyeah...I mean, let me use it as an example...19:42
ayoungthe current code, even in that patch still just does password auth19:42
ayoungfor the S4U2Proxy approach, what I could do is this:19:43
ayoung1.  make a config option in Horizon that says "here is the auth method to use"19:43
* ayoung just had an idea...19:43
ayoungtopol, OK, let me finish what I was saying, but I might have some new ideas...19:44
ayoung2.  Django OpenStack auth needs to read that config option and select the appropriate form to show the user.19:44
ayoungin the case of Kerberos, there is no need for a form19:44
topolayoung, that's fine. I'm cool with brainstorming. tqtran, stevemar fyi:19:45
ayoungyep...Ive been needing to discuss this for a while...there is some thing I don't like19:45
topolstevemar ^19:45
ayoungOK, in the Kerberos case, I can actually detect if Kerberos is in use because REMOTE_USER would be set19:45
ayoungif REMOTE_USER is set, (and other Kerberosy type things)  I need to do stuff that I have in a follow on patch...19:46
*** hrybacki has joined #openstack-keystone19:46
ayoungOK, this is pure Proof Of Concept, not really ready for submit but19:46
ayoungso I could check for request.META['KRB5CCNAME']  and use that to say "oh, we are doing Kerberos"19:47
ayoungand then I don't need the config option in Horizon...19:47
ayoungso, david-lyle and topol and anyone else that is not familiar with S4U2Proxy and Kerberos...19:47
ayoungS4U2Proxy means that Horizon takes your Kerberos ticket when you log in, and uses it and some other magic to get a keystone token19:48
ayoungif you don't have S4U2Proxy, you are stuck19:48
topolayoung, makes sense, but I don't see the part you have done that can be reused for fed identity19:48
ayoungeven though you've cryptographically proven your identity to Horizon, Horizon can't get a token19:49
ayoungtopol, that is the Javascript approach, not S4U2.19:49
ayoungAnd I prefer the Javascript, but S4U2 is much closer19:49
ayoungI'm trying to see if I should even bother submitting S4U2 upstream.  nkinder and I were discussing it, and we both feel it is much closer to "ready to go"19:50
ayoungand Kerberos is important to a subset of the upstream community, I want to make sure we have a clean path forward19:50
dstanekthis obviously doesn't break hacking, but is it acceptable?
ayoungdstanek, I thought one import per line19:50
ayoungfrom keystone.i18n import _, _LI  should be19:51
bknudsondstanek: I prefer it.19:51
dstanekayoung: that's why i thought too19:51
ayoungfrom keystone.i18n import _,19:51
ayoungfrom keystone.i18n import _LI19:51
dstanekbknudson: prefer the single line?19:51
bknudsondstanek: yes.19:51
ayoungI really don't care, but I thought it was in our coding standards already19:51
dstanekthe benefit to a single line is that I won't be adding 4 or 5 import lines per file - but I think based on the rules it should be multiple lines19:52
bknudsondstanek: just for the _ imports from i18n, not for everything.19:52
*** r1chardj0n3s is now known as r1chardj0n3s_afk19:53
bknudsondstanek: we also have a rule to import modules and this breaks that rule too19:53
bknudsonshould be `from keystone import i18n` and _, _LI = (i18n._, i18n._LI)19:54
*** stevelle_ has quit IRC19:54
bknudsonwe could go back to adding _, _LI to globals19:55
ayoungnkinder, for the S4U2 Proxy approach, are we going to say "Kerberos only" for horizon, or do we need to provide a fallback to userid and password login?19:57
dstanekbknudson: i'd rather not19:58
david-lyle# noqa is your friend20:00
nkinderayoung: the latter is good to be able to support, but I would expect that a private cloud with Kerberos in the environment would want to only allow Kerberos20:00
nkinderayoung: I think Kerberos only as an option is a good first step (I'm guessing that's easier than the password fallback approach)20:01
nkinderayoung: longer term, I see more of a case for mixing things like Kerberos and SAML (but not passwords)20:02
*** sigmavirus24 is now known as sigmavirus24_awa20:02
*** topol has quit IRC20:03
nkinderayoung: though a kerberized IdP like Ipsilon would eliminate the need for that and just allow you to do 100% SAML in Horizon20:03
*** marcoemorais has quit IRC20:06
*** bklei has joined #openstack-keystone20:06
*** marcoemorais has joined #openstack-keystone20:06
*** marcoemorais has quit IRC20:07
*** marcoemorais has joined #openstack-keystone20:07
*** sigmavirus24_awa is now known as sigmavirus2420:07
*** marcoemorais has quit IRC20:07
ayoungnkinder, I might be able to drop the need for the config option in Horizon20:07
ayoungI can look at the request that comes in and see if it has...20:08
*** marcoemorais has joined #openstack-keystone20:08
ayoungKRB5CCNAME in the variables20:08
ayoungif it does, we can assume we are doing Kerberos.20:08
ayoungIf not, we do password auth20:08
ayoungnkinder, it will be either or, as a Kerberized Horizon will not get that far:20:09
nkinderayoung: ok, and that is there if mod_auth_kerb sets it, right?20:09
ayoungit will do a 401 instead20:09
ayoungnkinder, there is another config option   Require valid-user20:10
nkinderayoung: so if someone doesn't have a kerberos ticket and they access a kerberized Horizon, they get a 401?20:10
ayoungthat is in the HTTPD config,  I wonder what happens if we set that false20:10
ayoungnkinder, yes20:10
ayoungnkinder, its ugly, too,20:10
nkinderayoung: worth a try... it might just go through without KRB5CCNAME and the other stuff20:10
ayoungthe 401 is from apache, so no Django  rendering of the 401 page20:11
ayoungwhich means you really should have the Apache static page for that configured20:11
ayoungnkinder, I am pretty sure I tried disabling Require valid-user and it still gives a 401. It might be that mod_auth_kerb does not check that field.20:12
ayoungnkinder, so the other thing I need to solve to merge D-O-A 's password and Kerberos stuff is figuring how to avoid showing the userid/password field if it is kerberized.  As you recall from the demo, I just had you click login without entering anything, and you wanted it to be automatic20:14
ayoungI kindof agree, although "logout means revoke my token" is not a bad idea, either20:14
nkinderayoung: if you look at FreeIPA, there is still a logout (just no login)20:15
ayoungnkinder, yeah, but that is not constrained by the Django architecture20:16
nkinderayoung: but tokens are fairly short-lived too (though revoking them isn't bad)20:16
*** bklei has quit IRC20:16
ayoungnkinder, I'd love 5 minute tokens.  Right now, they are one hour.  If we had 5 minute tokens, I'd say "never revoke"20:16
nkinderayoung: so it would be nice to have a static page instead of the 401.  Someone like Rob might know about that.20:17
ayoungnkinder, that is pretty easy to do.  its  standard apache.  Yeah, FreeIPA has it already20:17
ayoungits a httpd.conf option20:17
nkinderayoung: ok, so we would just need to drop the page somewhere and configure httpd.conf20:18
*** ocho has joined #openstack-keystone20:18
ochoping openstack-keystone - having an issue with AD identity and horizon login with icehouse20:18
nkinderayoung: having to click on "login" isn't the end of the world20:18
nkinderayoung: but there should be no fields to fill in if that's the case20:19
ochofor some reason, logins are being denied due to invalid user/pass20:19
ayoungnkinder, no, but if we are doing Kerberos, I don't want to have the password fields on there.  Not sure UI have that fine grained control in the Django world, though20:19
ochoanyone around to help me do a bit of troubleshooting?20:19
ayoungocho, does keystone token-get work?20:19
nkinderocho: can you ldapsearch against AD as those users?20:19
nkinderocho: I'd check that the bind op is working first20:19
ocholdapsearch, yes20:19
ochokeystone user-list works20:19
ochoso the bind is good20:19
ochoall my service users are seen20:20
ayoungocho, user-list might be using an admin token20:20
nkinderocho: yeah, but as the user who fails to auth20:20
ayoungdoes it work using openstack credentials from AD?20:20
ochoi mean, it's pulling from ldap at least20:20
nkinderuser-list binds as the "user" and "password" in the [ldap] section of keystone.conf20:20
ayoungocho, but Keystone might be talking to AD anonymously20:20
nkinderwhen you attempt to authenticate (get a token) as a user, it performs an LDAP bind against AD as that user20:20
ayoungocho do a keystone token-get20:20
ochook, let me check20:20
ochoi have a tcpdump as tls20:21
ochomight help out20:21
ocho'NoneType' object has no attribute 'has_service_catalog'20:22
ayoungocho, unset SERVICE_TOKEN20:22
*** david-lyle is now known as david-lyle_afk20:22
ayoungor OS_SERVICE_TOKEN20:22
* ayoung checks20:23
*** david-lyle_afk has quit IRC20:23
ayoungocho, you want to set the following env vars (do this in a file and source it)20:23
ochogot it20:24
ocholooks like invalid user/pass on the token-get20:24
ochowhich i imagine is due to the packstack creating a random password and my AD system not having the same password?20:25
ochowhere can i change the admin password?20:25
ayoungocho,  you are talking to AD, right?20:26
ochoyeh 2008r220:26
ayoungyou need a user out of AD20:26
dstanekdolphm: ping20:26
ayounghere's the general steps:20:26
dolphmdstanek: o/20:26
ochoi have the admin user in AD20:26
dstanekdolphm: the fix for the bug is stupid simple20:26
dolphmdstanek: yay!20:27
dstanekdolphm: patches are now automatically undone via
ayoungocho ok, that admin user should be able to get a token. If they can't it's probably because they don't have a role on a project20:27
ayoungocho, to fix the admin user, use that same OS_SERVICE_TOKEN we were discussing before20:28
*** david-lyle_afk has joined #openstack-keystone20:28
dstanekso i can either move the setUp to the top and keep the explicit patcher.stop or i can remove the cleanup and let the base testcase do it for us20:28
dstanekdolphm: thoughts? i like explicit, but that may be against the grain20:28
ayoungocho, using the OS_SERVICE_TOKEN  list the roles for the admin user20:28
ochoayoung, ok20:28
dolphmdstanek: so the problem is that we're calling stopall twice? or out of order?20:28
ayoungocho, I liked it back when we were doing all this by hand instead of packstack etc.   The notes from that time are20:29
dolphmdstanek: or the problem is in oslo in that they shouldn't be calling stopall for us?20:29
ochoayoung, i used packstack to get a quick env up20:29
ochoayoung, went swimmingly in osp4 for me20:29
ayoungocho, and then you switched the backend to LDAP?20:29
ochodid a little sql editing after switching to the ldap backend20:29
ochobut it worked fine20:29
nkinderocho: I'm in a similar boat right now20:29
*** david-lyle_afk has quit IRC20:29
nkinderocho: but I get a 401 trying to list users20:30
ayoungocho, OK,  so the admin user needs a role.  And the admin user from sql had a different id than the admin user from LDAP20:30
*** david-lyle_afk has joined #openstack-keystone20:30
nkinderyeah, you need to fix the assignment table to refer to the names instead of uuids20:30
*** david-lyle_afk has quit IRC20:30
*** david-lyle_afk has joined #openstack-keystone20:30
ayoungnkinder, the thing is, there should be no default project set via LDAP, so if you remove that env var, you should be able to get an unscoped token20:31
ochoayoung, nkinder - one sec, sorry...need to list the roles. i actually had found that if you just re-assign after roles after switching to ldap, there was no need to edit the db directly20:31
dstanekdolphm: it's that oslo's stopall gets registered as a cleanup before ours based on our current setUp20:31
*** amerine has quit IRC20:31
ochoreassign roles after*20:31
ayoungthe thing is, to list projects, you need a scoped token.  Its a catch 2220:31
dstanekdolphm: if ours got registered first we wouldn't have an issue20:32
ochoright, i had to use the service_token20:32
dolphmdstanek: oooh20:32
nkinderocho: I have a full automation setup that is nearly complete that configures all of this (after creating VMs that set up AD and OS)20:32
ayoungocho, that is correct20:32
*** david-lyle has joined #openstack-keystone20:32
*** david-lyle_afk has quit IRC20:32
dstanekdolphm: we have an explicit reference to stop and stopall just stops everything - then after that we try to stop ours20:32
ayoungocho, you will just have some garbage in your database from the SQL users that are no longer present20:32
ochonkinder, what kind of env? kvm?20:32
nkinderocho: kvm, setting up osp4 and AD right now20:32
dolphmdstanek: explicitly register in keystone first with an inline comment?20:33
ochovery cool20:33
dstanekdolphm: done20:33
nkinderocho: uses virt install and does the complete configuration from OS install, AD setup, packstack run, and migrating users into AD20:33
dstanekrunning all of the tests locally now and will push if they pass20:33
ochonkinder, is it based on snapshots? if not, what are you using to provision and configure AD?20:33
nkinderocho: ...but.... my user-list is failing still20:33
ochonkinder, i have a PXE env of 2k8r2..but it was a pita to setup20:33
nkinderocho: nope, uses the cloud-image downloads20:33
nkinderocho: for AD, it uses the MSFT eval images (and will even download them for you)20:34
ayoungnkinder, even with the updated role assignment?20:34
nkinderayoung: yeah, so my role assignment looks good.  Let me pastebin it...20:34
dstanekdolphm: hmmm actually this isn't that easy :-( the cleanups are stored as a set so we are not guaranteed an order anyway20:35
dstanekdolphm: based on oslotest we should probably just remove our cleanup20:35
nkinderayoung, ocho:
dolphmdstanek: boo, alright20:36
nkinderocho: not trying to hijack your problem, but it seems like we're in almost the same situation here20:36
ochonkinder, by all means20:36
ochothe more heads the merrier20:36
ochomy roles are busted20:36
ayoungnkinder, wrong table20:36
ochothey look like the basic packstack ones20:36
ayounguser_project_metadata;'  should be assignments now20:36
ochoah, i did notice that that table was no more20:36
r1chardj0n3s_afkayoung: big CORS sticking point is OPTIONS support: keystone doesn't support it and I'm fairly sure none of the other APIs would support it either20:37
ayoungnkinder, I forget exactly when that change was made. osp4  ==  icehouse or Havana?20:37
ochoayoung, nkinder -
r1chardj0n3s_afk(OPTIONS is the first step in a CORS-enabled POST)20:38
ayoungr1chardj0n3s_afk  let me look20:38
*** r1chardj0n3s_afk is now known as r1chardj0n3s20:38
ochoosp4 == havana20:38
ocho5 is icehouse20:38
r1chardj0n3swe *might* be able to intercept OPTIONS in the keystonemiddleware...20:38
nkinderayoung: this is RHOS420:39
nkinderayoung: the table changed in icehouse20:39
ochomine is osp520:39
nkinderthe contents changed too20:39
ayoungocho, OK, you need to change yours in assignments.20:39
nkinderocho: I have a shell script to fix up the icehouse roles20:39
ayoungr1chardj0n3s, what would an OPTIONS request look like?20:39
ochoim trying to figure out why my modifications, when using the service token didn't take care of that for me20:39
ochoand, like you said, leave the old garbage in the db20:40
ochobut at least get the ldap users working20:40
ayoungocho, Oh, I didn;'t realize that was its own verb...interesting20:40
20:41 *** samuelmz_ has joined #openstack-keystone
20:41 <r1chardj0n3s> it's just a bunch of headers and specifically includes something like "Access-Control-Request-Headers:accept, content-type" and "Access-Control-Request-Method:POST" and the response would include the Allowed-Origin header allowing the browser to then POST
20:42 <ayoung> nkinder, for OSP4, what you have looks right, but did you do that by hand in the SQL, or using the Keystone API?
20:42 <nkinder> ayoung: mysql
20:42 <r1chardj0n3s> yeah, it's theoretically possible that OPTIONS might be used for something else (though that's not actually supported by the current APIs)
20:42 <ayoung> nkinder, OK,  try using the API and the OS_SERVICE_TOKEN approach
20:42 <ocho> nkinder, just `script <ad_user>`
20:43 <ayoung> r1chardj0n3s, does the browser barf on CORS if it is not supported?
20:43 <r1chardj0n3s> ayoung: the browser won't attempt the POST if the OPTIONS doesn't get a good response (ie a 404 or an Allowed-Origin that doesn't allow it)
20:43 <nkinder> ocho: you would need to set m_host, m_port, m_user, m_pass for your mysql connection details
20:43 <ocho> oh ok
20:44 <nkinder> ocho: then you can just add to the bottom of the script to call the function for each username
20:44 <nkinder> ocho: I extracted it from a larger script
20:44 <ayoung> r1chardj0n3s, So maybe the right solution is an OPTIONS middleware that handles all OPTIONS requests and lets all the others pass
      <dolphm> bknudson: wishlist?
20:44 <uvirtbot> Launchpad bug 1362343 in python-keystoneclient "weak digest algorithm for PKI" [Undecided,In progress]
20:44 <ayoung> a simplistic one does
20:45 *** cjellick has joined #openstack-keystone
20:45 <ayoung>   Access-Control-Allow-Origin: *
20:45 <r1chardj0n3s> but it could do the actual thing using the keystone config
20:45 <ayoung> r1chardj0n3s, yep
20:46 <ayoung> r1chardj0n3s, I knew this was going to be one of the key problems to solve.  The solution might be non-trivial, but we'll keep it as simple as possible
20:46 <bknudson> dolphm: bug/1362343 is kind of a feature, so wishlist makes sense
20:46 <r1chardj0n3s> and I think we could just get OPTIONS handling (for relevant CORS cases) into the keystonemiddleware
20:46 <dolphm> bknudson: thanks
20:46 <r1chardj0n3s> I'm poking around keystonemiddleware right now ;)
20:47 <ocho> nkinder, set m_dbname to keystone?
20:47 <ayoung> r1chardj0n3s, cool.  Know that the code moved there recently from python-keystoneclient repo, and some older code bases won't have keystonemiddleware
20:48 <ayoung> r1chardj0n3s, but we've moved over the upstream to use the keystonemiddleware repo, and treating the keystone-client/middleware/ as "security fix only"
20:49 <nkinder> ayoung: I can list my users from AD using OS_SERVICE_TOKEN
20:49 <nkinder> ayoung: so, my role assignments must be hosed
20:49 <nkinder> ocho: yes
      <openstackgerrit> David J Hu proposed a change to openstack/python-keystoneclient: Proper handling of catalog err cond w/os-token and os-endpoint
20:49 <ayoung> nkinder, just create a new role assignment with admin user for admin project, and see if the database table reflects it
      <dolphm> dstanek: did you fix this in master too?
20:50 <uvirtbot> Launchpad bug 1347862 in keystone/icehouse "keystone will not auth users if there is a bad endpoint " [Medium,In progress]
20:50 <r1chardj0n3s> ayoung: ok, cool
20:51 <ocho> nkinder, just ran it...let me see how it did
20:51 <nkinder> ayoung: it says they already have the role...
20:51 *** cdent has joined #openstack-keystone
20:52 <ayoung> nkinder, is OS_TENANT_NAME set?
20:52 <dolphm> dstanek: oh you fixed the same thing in 1230279
20:52 <nkinder> ayoung: yes, to admin I believe
20:52 <ocho> ayoung, nkinder - is there a quick way to change the keystone admin password?
20:52 <ayoung> nkinder, ocho you mean for the admin user?
      <cdent> Hi, I'm curious about some weirdness that I'm seeing in the way devstack is configured by default, the result being that it is looking for /v2.0/ on port 35357, where it can't be found:
20:52 <nkinder> ocho: well, the admin user is in ldap now, right?
20:53 <ocho> right, but it was previously established by packstack
20:53 <ayoung> or OS_SERVICE_TOKEN
20:53 <nkinder> ocho: so ldappasswd (or AD's user management GUI)
20:53 <ayoung> cdent, known issue
      <dstanek> dolphm: many moons ago -
20:53 <ayoung> cdent, patch is posted
20:53 <cdent> figured as much, ayoung, but couldn't find it
20:53 <dolphm> dstanek: ++ closed the more recent one
20:53 <nkinder> ocho: so keystonerc_admin will have the old password in it
20:53 <ocho> my token-get is still failing and im thinking that's the reason
20:53 <cdent> you got a ref ayoung ?
20:53 <nkinder> ocho: not sure what else would have it
20:53 <ayoung> cdent, I'll link
20:53 <ocho> nkinder, i changed it there
20:54 <ocho> to the ldap admin users password
20:54 <nkinder> ocho: the larger concern is that all of your service users have passwords from packstack that you need to put into LDAP
20:54 <ocho> right, but they don't meet the ad complexity requirements :(
20:54 <ocho> so i wanted to change them on the openstack side
20:55 <ocho> shrug, i should have just made my own answer file
20:55 <ayoung> nkinder, OK,  I think I have the flow for D-O-A down.  I'm going to write it up.  The solution should solve password vs Kerberos as phase 1, and then "login with token" as phase 2.  The login with token should replace the S4U2 proxy kerberos approach in the Kilo time frame, and also support federation
20:55 <ayoung> I'll send it out to -dev
20:56 <nkinder> ayoung: +1
20:56 *** jasondotstar|afk is now known as jasondotstar
20:56 <nkinder> ocho: Yeah, that's what I did in my script.  All passwords are the same and meet the complexity requirement, then I pass them via the answerfile and use them when creating the LDAP users
20:57 <nkinder> ocho: if I can figure out my role issue, I can get the scripts to you
20:57 *** marcoemorais has quit IRC
20:57 <ocho> nkinder, that would be great
20:58 <ocho> i suppose i'll turn off local and domain level complexity requirements on my AD for now
20:58 <ocho> and put the proper passwords in
20:58 *** david-lyle has quit IRC
20:58 <ocho> which will take me some googling...been a while :P
20:58 *** david-lyle has joined #openstack-keystone
20:59 <ayoung> nkinder, the sticking point is, I think shown by this WIP patch  which I will rewrite to only optionally remove those fields  if we are doing kerberos.  As a phase 2, I will add in a token_id field there.  I think I can make it a hidden field,and prioritize the processing such that if token_id is set, skip the password stuff.
      <openstackgerrit> Samuel de Medeiros Queiroz proposed a change to openstack/keystone: Add test for getting a token with inherited role
20:59 <ayoung> That should allow it to all co-exist in the same code base
20:59 <ayoung> I'll write it up clearer in an email
21:00 *** gokrokve has quit IRC
21:01 *** gokrokve has joined #openstack-keystone
21:01 *** marcoemorais has joined #openstack-keystone
21:01 *** marcoemorais has quit IRC
21:02 *** marcoemorais has joined #openstack-keystone
21:02 *** marcoemorais has quit IRC
21:02 *** amerine has joined #openstack-keystone
21:02 *** marcoemorais has joined #openstack-keystone
21:04 *** gokrokve has quit IRC
21:04 *** gokrokve has joined #openstack-keystone
21:04 *** gokrokve has quit IRC
21:05 *** gokrokve has joined #openstack-keystone
21:06 *** mfainberg_phone has joined #openstack-keystone
21:06 <mfainberg_phone> Dolphm, ping
21:07 *** amirosh has joined #openstack-keystone
21:07 <cdent> ayoung, did you find that port in devstack issue link? sorry to pester but I'm trying to park myself on a slope for the end of the day.
21:07 *** samuelmz__ has joined #openstack-keystone
21:07 <ayoung> cdent, had a browser freeze, restarting it
21:08 <cdent> I've noticed that my browser is not very happy when presented with huge gate logs
      <dolphm> dstanek: still want to pursue this?
21:08 <uvirtbot> Launchpad bug 1362309 in keystone "Creating an endpoint with an invalid service_id returns the wrong error code" [Undecided,In progress]
21:08 <dolphm> mfainberg_phone: o/
21:08 <cdent> thank you very much ayoung
21:08 <ayoung> cdent, I see its picked up another +2.  I'll +A that now
21:09 <mfainberg_phone> Dolphm, responded to the memcache bug. Should be easy to fix and contribute to dogpile long term
      <openstackgerrit> Steve Martinelli proposed a change to openstack/keystone: Add rst code-blocks to a bunch of missing examples
21:10 *** samuelmz_ has quit IRC
21:10 <mfainberg_phone> But we should fix in tree first so older packaging (icehouse specific release) benefits from the fix. Once it's in dogpile we should be good w/o it.
21:11 *** amirosh has quit IRC
21:11 <mfainberg_phone> I think it's a reasonable Juno target (bug fix)
      <cdent> awesome ayoung that should fix this:
21:12 <uvirtbot> Launchpad bug 1350533 in ceilometer "CommandError: Unable to determine the Keystone version to authenticate with using the given auth_url: (dup-of: 1351841)" [High,Confirmed]
21:12 <uvirtbot> Launchpad bug 1351841 in python-ceilometerclient "python-ceilometerclient does not works without v3 keystone endpoint" [High,Triaged]
21:12 <ayoung> cdent, I tripped over this back in April. I could have sworn I submitted a fix for it back then, but I don't see it.
      <openstackgerrit> Steve Martinelli proposed a change to openstack/keystone: Add rst code-blocks to a bunch of missing examples
21:16 <dstanek> dolphm: yes, i have a few fixes in the queue for that
21:16 <dstanek> dolphm: as long as you think it's the right thing to do
21:16 *** cdent has quit IRC
21:16 *** gordc has quit IRC
21:17 *** samuelmz_ has joined #openstack-keystone
21:19 *** samuelmz__ has quit IRC
21:20 * mfainberg_phone needs to run off to an appt. be back in a bit.
21:20 <dolphm> mfainberg_phone: thanks!
21:21 *** gokrokve has quit IRC
21:22 *** jaosorior has quit IRC
      <ocho> ayoung, nkinder -
21:22 <ocho> all passwords line up now
21:22 <ocho> maybe i should run your script again
21:23 <ayoung> ocho, are you able to do a simple bind against that AD server?
21:23 <ocho> in the log output, it looks to be doing an initial bind with the user in keystone.conf...and working
21:23 <ayoung> ocho, is anything set in OS_TENANT_NAME
21:23 <ayoung> er,  that env var?
21:23 <ocho> let's see
21:24 <nkinder> ocho, ayoung: got it working for user-list
21:24 <ocho> ayoung, admin
21:24 <ocho> nice nkinder
21:24 <ayoung> ocho, the admin user might not have a role in the admin project yet
21:24 <ocho> let me see
21:24 <nkinder> I was missing the "suffix" setting in keystone.conf
21:24 <ayoung> if so, it will fail that way (I think)
21:24 <nkinder> not sure why that is required since I have the user suffix set
21:24 <ayoung> nkinder, that seems wrong
21:25 <nkinder> ayoung: yes indeed
21:25 <ayoung> nkinder, which suffix?
21:25 <ayoung> what is the whole value?
21:25 <nkinder> [ldap] section, "suffix"
21:25 <nkinder> my suffix is "dc=rhosdom,dc=test"
21:25 <ocho> [root@osp5 ~(keystone_token)]# keystone user-role-add --user-id admin --tenant admin --role admin
21:25 <ocho> WARNING: Bypassing authentication using a token & endpoint (authentication credentials are being ignored).
21:25 <ocho> Conflict occurred attempting to store role grant. User OpenStack Administrator already has role 26975dfe6f92430c8b47c1cb0a47f973 in tenant 12868dd555de4b4c97762461447baa13 (HTTP 409)
21:26 <nkinder> ayoung: but I also have user_tree_dn = cn=users,dc=rhosdom,dc=test
21:26 <ocho> no go on that
21:26 <ocho> looks like it's there
21:26 <nkinder> ayoung: it must be searching for something else (I have a packet capture I'm looking at)
21:26 <nkinder> ocho: yeah, your role is fine then
21:27 <nkinder> ocho: so your user-list works at this point (with username and password), or not?
21:27 <ayoung> ocho, try unsetting OS_TENANT_NAME and doing keystone token-get again
21:27 <ayoung> lets see if an unscoped token works
      <openstackgerrit> Samuel de Medeiros Queiroz proposed a change to openstack/keystone: Add test for getting a token with inherited role
21:27 *** mfainberg_phone has quit IRC
21:28 *** andreaf has joined #openstack-keystone
21:29 <stevemar> dolphm, will our stuff finally land today?!?
21:31 <ocho> ayoung, same error after unsetting
21:31 <nkinder> ocho: it could be time to resort to 'sudo tshark -i eth0 -O ldap tcp port 389'
21:31 <ocho> nkinder, no, does not work :(
21:31 <nkinder> ocho: so now that my token-get is working, lets see if we can get you up and running.
21:32 <ocho> all admin passwords are in alignment
21:32 <nkinder> ocho: ok, so user-list is failing using --os-username and --os-password?
21:32 <ocho> i'll need to disable tls
21:32 <ocho> i imagine, yes?
21:32 <ocho> so we are in the clear?
21:32 <ocho> or will that matter
21:32 <nkinder> ocho: but it works if you are using OS_SERVICE_TOKEN?
21:32 <ocho> it does
21:32 <ocho> all my AD users show up
21:32 <nkinder> ocho: ok, but not with  --os-username and --os-password?
21:33 <ocho> right, if i source my keystone_adminrc file, i get invalid creds
21:33 <ocho> i have two tabs open
21:34 *** david-lyle has quit IRC
21:34 <ocho> so i can try things both as admin and with the service token
21:36 <nkinder> ocho: ok, so LDAP lookup is good but not LDAP authentication of users
21:36 <nkinder> ocho: and the user/pass approach without OS_SERVICE_TOKEN?
21:36 <ocho> no go with admin
21:36 <nkinder> ocho: follow it up with a pastebin of your [ldap] section of keystone.conf
21:36 <nkinder> ocho: 401 error?
21:37 <nkinder> ocho: ok, so let's see keystone.conf
21:39 <ocho> nothing fancy
21:39 <nkinder> ocho: what's up with this? user_filter=(memberOf=CN=openstack_users,CN=Users,DC=example,DC=com)
21:39 <ocho> im filtering users
21:39 <nkinder> ocho: did you create a group?
21:39 <ocho> of course
21:39 <ocho> this is the same AD box and ldap configuration i used on OSP4...and it worked like a champ
21:39 *** marcoemorais has quit IRC
21:40 *** david-lyle has joined #openstack-keystone
21:41 <ocho> nkinder, seems to be working due to the users coming back from user-list when using the service_token
21:41 <ocho> i just don't know why im failing to auth
21:41 <ocho> a user
21:42 *** ncoghlan_afk is now known as ncoghlan_
21:42 <nkinder> ocho: yeah, it's likely fine
21:43 <nkinder> ocho: you shouldn't need to set user_pass_attribute in keystone.conf
21:43 <ocho> just comment it out?
21:43 <nkinder> ocho: but I doubt that's causing the problem
21:43 <ocho> would it matter?
21:43 <nkinder> ocho: yes
21:43 <ocho> i'll give it a shot
21:43 <nkinder> yes you should comment it, no, I'm not sure it matters
21:43 *** marcoemorais has joined #openstack-keystone
21:44 *** marcoemorais has quit IRC
21:44 <nkinder> ocho: I'd see what tshark shows at this point.  Nothing is glaringly obvious.
21:44 <ocho> nkinder, kill tls?
21:44 <nkinder> ocho: I'll try my automation with icehouse and see if I encounter something similar
21:44 *** marcoemorais has joined #openstack-keystone
21:44 <nkinder> ocho: yes, disable tls
21:45 <ocho> nkinder, ok cool, thanks for the help
21:45 <nkinder> ocho: sure.  We'll get it sorted.
21:45 <nkinder> ocho: I'm going to do one more clean run with my rhos4 based automation, then I'll send it to you and give osp5 a shot
21:46 *** marcoemorais has quit IRC
21:46 *** marcoemorais has joined #openstack-keystone
21:47 <ayoung> ocho, the fpaste you sent makes it look like a bad password
21:47 <ayoung> ocho, that could be one of two things
21:47 <ayoung> one is the simple bind as the user is failing
21:48 <ayoung> two is that you are not doing anonymous for the rest of the LDAP work and that password is bad
21:48 <nkinder> ocho: el6 or el7?
21:48 <ayoung> the fact that OS_SERVICE_TOKEN works implies that "two" is not the case
21:48 <ocho> i can ldapsearch using that password and imagine it'll work
21:48 <ocho> ayoung, ^
21:48 <ocho> osp5 on rhel7 nkinder
21:49 <nkinder> ocho: k, going to head home and I'll give that a try too
21:49 <ayoung> ocho, so either the password is bad, or simple bind is rejected
21:49 <ocho> nkinder, sounds good, thanks!
21:49 <ocho> ayoung, let me ldapsearch real quick using that password and a simple bind
21:50 *** ajayaa has quit IRC
      <ocho> ayoung, seems to be ok:
21:51 *** dims_ has joined #openstack-keystone
21:52 <ayoung> ocho, I assume that there is a paste glitch in there:   sAMAccountName=admindn: CN=OpenStack
21:52 *** ncoghlan_ is now known as ncoghlan_afk
21:52 <ayoung> and that should be  sAMAccountName=admin dn: CN=OpenStack
21:52 *** hrybacki has quit IRC
21:52 <ocho> ayoung, lol yes
21:52 <ocho> just a glitch
21:52 <ayoung> ocho, OK,  there was a  bug around sAMAccountName
21:53 <ocho> ayoung, i remember that
21:53 <ayoung> I bet you are hitting that
21:53 <ocho> but it was just case
21:53 <ocho> samaccountname vs. sAMAccountName
21:53 <ocho> i have the correct case in my keystone.conf
21:53 <ocho> unless there is another related bug
21:53 <ocho> ayoung, ^
21:53 <ayoung> nope, that was the bug
21:53 <ocho> wish it was that easy!
21:54 *** dims has quit IRC
21:54 *** topol has joined #openstack-keystone
      <openstackgerrit> David Stanek proposed a change to openstack/keystone: Fixes a mock cleanup issue caused by oslotest
22:00 *** dims_ has quit IRC
22:01 *** dims has joined #openstack-keystone
22:01 *** nkinder has quit IRC
      <openstackgerrit> Bob Thyne proposed a change to openstack/keystone: Add delete notification to endpoint grouping
22:04 *** gokrokve has joined #openstack-keystone
22:05 *** dims has quit IRC
22:06 *** marcoemorais has quit IRC
22:06 *** marcoemorais has joined #openstack-keystone
22:07 *** marcoemorais has quit IRC
22:08 *** marcoemorais has joined #openstack-keystone
22:09 *** zzzeek has joined #openstack-keystone
22:14 *** dims has joined #openstack-keystone
22:14 *** arborism has joined #openstack-keystone
22:19 *** gokrokve has quit IRC
22:19 *** gokrokve has joined #openstack-keystone
22:23 *** gokrokve has quit IRC
22:27 *** david-lyle has quit IRC
22:29 <dstanek> dolphm: had a chat with dhellmann today about the testing bug - he's proposed a fix in oslotest
22:29 *** andreaf has quit IRC
22:31 *** sigmavirus24 is now known as sigmavirus24_awa
22:33 <zzzeek> heya morganfainberg
22:34 <zzzeek> woop he's gone home!  time to drink
22:35 *** arborism is now known as amcrn
22:37 *** gokrokve has joined #openstack-keystone
22:38 *** samuelmz_ has quit IRC
22:38 *** gokrokve has quit IRC
22:39 *** gokrokve has joined #openstack-keystone
22:39 *** dirtyob has joined #openstack-keystone
22:42 *** dguitarbite has quit IRC
22:45 *** ericpeterson has quit IRC
22:49 *** dims has quit IRC
22:50 *** stevemar has quit IRC
22:50 *** dims has joined #openstack-keystone
22:51 *** nkinder has joined #openstack-keystone
22:54 *** dirtyob has quit IRC
22:54 *** dims has quit IRC
22:56 *** valiantfirkin has joined #openstack-keystone
23:01 *** valiantfirkin has quit IRC
23:07 *** r-daneel has quit IRC
23:08 <dolphm> dstanek: sweet - if you have a link, send it my way
23:14 *** arunkant_work has quit IRC
23:19 *** topol has quit IRC
      <dolphm> ayoung: you approved a review that actually depends on this
23:27 <jamielennox> dolphm: ?
23:27 <dolphm> jamielennox: o/
23:27 <jamielennox> oh o
23:27 <dolphm> marekd: around?
23:27 <dolphm> stevemar is gone
23:27 *** amerine has quit IRC
23:28 <ayoung> dolphm, looks good +A.  Didn't realize there was a dependent review.  Anything else I missed
      <dolphm> ayoung: i just noticed that one. i was looking at high priority reviews for
23:29 <dolphm> ayoung: the other High is an LDAP one if you want to tackle that
23:29 <dolphm> jamielennox: i'll just reply inline, and then stevemar / marekd can correct me where i'm wrong :)
23:30 <ayoung> dolphm, yuck
23:30 <jamielennox> dolphm: that's fine - i'm just concerned about it flying through FF
23:30 <ayoung> dolphm, something smells in that patch.  I might be jumping to conclusions, but the added id=self._dn_to_id(res[0]) is suspect
23:30 <dolphm> jamielennox: that's why i wanted them to comment on it :( i *think* some of your statements/assumptions are based on outdated design, but i'd like to double check with them
23:31 *** ncoghlan_afk is now known as ncoghlan_
23:32 <ayoung> nkinder, am I over reacting to ,cm  ?  It looks, well, gross
23:33 <ayoung> dolphm, let me talk that one over with gyee .  I don't like it as is, and I need to understand why he wrote it that way
23:35 <dolphm> ayoung: ack
23:36 <ayoung> dolphm, it looks like two fixes in one.  I think the attribute map portion of it (the actual bug) is OK.  Its the part where he looks up the id from the ldap server which is wrong.  I think we have that value somewhere already, we just might have to be creative with how we extract it.
23:39 <ayoung> dstanek, dolphm how is logging supposed to work?  Specifically, I need to turn on logging for debugging an LDAP problem in the identity code.  I would think I would add to default_log_levels
23:39 <ayoung> like this
23:39 <ayoung> but there has to be a better way, right?
23:40 <dolphm> ayoung: there's a bug about logging levels in LDAP. they're being overridden somewhere screwy
23:40 <ayoung> dolphm, yeah, that too
23:40 <ayoung> but that is more, I think, that it is logging when it shouldn't
23:40 <ayoung> for example, I see keystone.common.ldap log messages all the time
23:41 <ayoung> 2014-09-04 19:40:36.366 102003 DEBUG keystone.common.ldap.core
23:41 *** oomichi has joined #openstack-keystone
23:41 <ayoung> dolphm, how do I turn on logging for just one package?
23:42 <dolphm> ayoung: it's easy with pure python logging... with oslo logging i have no clue. grep?
23:43 * dolphm afk
      <bknudson> what does this comment mean?
23:51 <bknudson> hmm... I think it means that sql identity backend calls delete_group, but ldap identity backend doesn't have to.
23:51 *** marcoemorais has quit IRC
23:51 <gyee> ayoung, there's no extra lookup, lookup wasn't returning the proper id attribute
23:51 *** marcoemorais has joined #openstack-keystone
23:52 <gyee> without that, my fix won't work because we need the id attribute to return from LDAP
23:52 *** marcoemorais has quit IRC
23:52 *** marcoemorais has joined #openstack-keystone
23:52 *** marcoemorais has quit IRC
23:53 <ayoung> gyee, id to DN will do a lookup
23:53 *** marcoemorais has joined #openstack-keystone
23:53 <ayoung> er, dn_to_id
23:53 <ayoung> Oh, wait, I had it backwards
23:53 <gyee> ayoung, for read-only LDAP, we are asking for a list of attributes for LDAP to return, the user_id_attribute wasn't on that list
23:53 *** marcoemorais has quit IRC
23:53 <ayoung> gyee, dn_to_id might be wrong for  "sub"
23:53 *** marcoemorais has joined #openstack-keystone
23:53 <gyee> its all in a single lookup
23:54 <gyee> ayoung, I left dn_to_id as is for writable LDAP
23:54 *** joesavak has quit IRC
23:54 <gyee> I understand the thinking behind that one
23:54 <ayoung> gyee, in sub tree searches the dn does not contain the id field
23:54 <ayoung> it is in a distinct attribute
23:55 <gyee> id is an attribute of the objectclass, we shouldn't be getting it from the DN
23:55 <ayoung> it depends on "sub"
23:55 <gyee> but I understand why it was designed that way
23:55 <gyee> because of groups and roles
23:56 <ayoung> hey, I fully accept that it sucks and I should be ashamed of that decision
23:56 <gyee> but for read-only LDAP, I don't care about them
23:56 <gyee> I didn't say it sucks :)
23:56 <ayoung> why don't you care about it for read only cases?
23:56 <gyee> I understand the thinking that went into the design after I went through the code
23:57 <gyee> for read-only LDAP, its all about the mappings
23:57 <gyee> since we can't force customer to change their LDAP
23:58 <ayoung> well, read write can be a custom schema, too, but that is less likely to be the case
23:58 <gyee> for writable LDAP, I don't want to touch the dn_to_id map, otherwise, I'll open up a whole new can of worms
23:59 <ayoung> my point is that the difference is not readonly vs read-write.  It is one vs sub
23:59 <gyee> writable LDAP makes certain assumptions, which is OK as we have control over how the stuff is stored
23:59 <gyee> one vs sub gives you the same thing
23:59 <ayoung> gyee, I think you want code like this
23:59 <gyee> DN doesn't change