Thursday, 2014-10-02

dstanekmorganfainberg: yt?00:01
morganfainbergdstanek, hi00:01
dstanekmorganfainberg: g'evening00:02
morganfainbergdstanek, was just about to go for a bike ride, what can i do for you?00:02
dstanekmorganfainberg: ah, go ahead. we can talk later or tomorrow00:03
morganfainbergnah, this works00:03
morganfainbergi'm here:)00:03
morganfainbergi can do a bike ride tomorrow morning if i miss it tonight (it might be too late anyway... couldn't get off the phone... family "got to go.. got to... *sigh* sure" :P00:04
*** mikedillion has quit IRC00:04
*** marcoemorais has joined #openstack-keystone00:07
*** cjellick has quit IRC00:08
*** gyee has quit IRC00:08
*** mikedillion has joined #openstack-keystone00:08
dstanekmorganfainberg: you sure00:09
dstanek?00:09
morganfainbergdstanek, yeah00:09
morganfainbergdstanek, i wouldn't have offered if i wasn't sure.00:10
dstaneki was looking at https://review.openstack.org/#/c/122037/ at it make me think about memcache in general00:10
morganfainberghehe, that's a dangerous place to go filled with landmines and spiked pits and the like00:11
dstanekis it possible to use different memcache instances for each subsystem? one for tokens and another for identity caching, for instance00:11
morganfainbergright now, Token persistence has no bearing on caching00:12
morganfainbergor... well let me 2x check, but *shouldnt*00:12
morganfainbergit would absolutely be possible to split it up so each subsystem was its own cache region00:12
morganfainbergso identity caching and assignment caching could be handled differently (for example) in different servers.00:12
dstanekso it can be independently configured? that's what i thought based on browsing that review00:13
morganfainbergtoday all caching shares a set of memcache servers, but easy to expand on that as well00:13
morganfainbergdstanek, yeah token persistence *should* be separate from caching00:13
morganfainbergif it isn't, it's a bug.00:13
dstanekmorganfainberg: cool, i'll play with it and see what i find00:14
dstanekmorganfainberg: last question...https://review.openstack.org/#/c/125410/1/keystone/token/providers/common.py00:14
dstanekthis passes unit tests, but seems to fail tempest00:15
dstanekthat implies that when the audit_ids come back in they are strings, but when we create them they are binary00:15
morganfainbergjson00:16
morganfainbergjson is a u'' when decoded in py2700:16
morganfainbergnot a b'' or ''00:16
dstanekmorganfainberg: would you prefer the review checks for both types or if i change the callers using base64 to convert to strings00:16
morganfainbergprobably should convert to strings, iirc we said they are strings in the spec00:17
dstanekok, that sounds good to me00:17
dstanekmorganfainberg: thx! no go take that ride00:17
dstaneks/no/now/00:17
morganfainberg"Each id in the audit_ids attribute is a randomly (unique) generated string that can be used to track the token"00:17
morganfainberglet me check sunset, it might, like i said already be too late.00:18
morganfainbergboo only 1h00:18
morganfainbergnope, tomorrow morning it is00:18
morganfainbergdarn it.00:18
dstanekit's an easy change for sure; i'll also add some test(s) to catch a regression00:19
morganfainbergsounds good00:22
*** lcheng has quit IRC00:30
*** praneshp has quit IRC00:31
*** zzzeek has quit IRC00:33
ayoungrm_work, does this interest you:  http://adam.younglogic.com/2014/09/multiple-signers/00:43
*** marcoemorais has quit IRC00:49
morganfainbergayoung, i have some concern with that proposal00:52
ayoungmorganfainberg, lots of details to work out00:53
morganfainbergayoung, mostly the data sync bit. we went around a lot on that with K2K00:53
morganfainbergi think we *can't* expect any kind of sync, especially in the "promise not to touch this" aspect00:53
morganfainbergit's the whole reason we ended up needing a second "local" token for the remote keystone.00:53
morganfainbergunless you're saying this is more akin to region 1 in HP vs Region 2 in HP where we *might* have full control00:54
morganfainbergwe being the org running them.00:54
morganfainbergayoung, and let me be clear, not saying "no", just voicing the same conclusion we came to for k2k.00:55
*** gokrokve has joined #openstack-keystone00:57
*** gokrokve has quit IRC00:57
*** gokrokve has joined #openstack-keystone00:58
openstackgerritBrant Knudson proposed a change to openstack/keystone: pki/ssl_setup configurable digest  https://review.openstack.org/11736601:01
openstackgerritBrant Knudson proposed a change to openstack/keystone: Change the default digest for pki/ssl_setup to sha256  https://review.openstack.org/11736701:01
*** gokrokve_ has joined #openstack-keystone01:01
*** lcheng has joined #openstack-keystone01:01
*** lcheng has quit IRC01:02
*** lcheng has joined #openstack-keystone01:02
*** praneshp has joined #openstack-keystone01:02
*** gokrokve has quit IRC01:04
nkinderstevemar, ayoung: it's alive!  I'm able to issue a token via OS-FEDERATION with mod_mellon and ipsilon.01:05
stevemarnkinder, it's ALIVE!01:05
nkinderI just have a stupid mapping right now, so I need to tweak my IdP to expose group membership in the assertion01:05
nkinderstevemar: one thing that threw me off is that everything defined in the "remote" part of the mapping must exist01:06
stevemarnkinder, within the assertion i assume?01:06
nkinderstevemar: yes01:06
nkinderstevemar: the example in the API for mappings maps the UserName and orgPersonType01:07
stevemarnkinder, that seems wrong, link?01:07
nkinderstevemar: I didn't have orgPersonType set up in my IdP, so it would think that no mapping rule applied01:08
nkinderstevemar: fetching it...01:08
*** mikedillion has quit IRC01:08
nkinderstevemar: https://github.com/openstack/identity-api/blob/master/v3/src/markdown/identity-api-v3-os-federation-ext.md#create-a-mapping-put-os-federationmappingsmapping_id01:08
stevemarnkinder, ahh, i think i know whats going on (with your claim that everything has to exist)01:09
stevemarnkinder, do you have the json of the mapping you used?01:09
nkinderstevemar: yeah, let me pastebin01:09
ayoungmorganfainberg, you don't need any data sync beyond the same definition of domain01:09
nkinderstevemar: they are both in a single rule, which is likely the problem01:10
ayoungeach side can create their own projects if they really want01:10
stevemarnkinder, yep!01:10
morganfainbergayoung, except if project names collide.01:10
ayoungor you let one Keystone be the definitive and the other just says "yeah, that one can sign for this domain"01:10
nkinderstevemar: http://paste.openstack.org/show/117613/01:10
stevemarnkinder, if in a single rule {} then the remote values are AND'd01:10
nkinderstevemar: I did a cut/paste of that from somewhere (and tweaked UserName to user_id)01:10
morganfainbergayoung, you're giving a *lot* of trust to the remote (aka not me) keystone, which was the big concern of just allowing signing like this, hence k2k01:10
ayoungmorganfainberg, even then I think we are ok, as everything is done by id, but,  yeah,  I basically assume that it is possible for anyone to screw it up01:11
morganfainbergayoung, yeah thats my major concern.01:11
nkinderstevemar: ok, that makes sense.  So make them separate rules if I always want to map user_id (even if no groups are present)01:11
ayoungmorganfainberg, where are quotas saved?01:11
morganfainbergayoung, we don't have quotas in keystone iirc, and nova saves locally01:11
stevemarnkinder, yeppers! use something like this: http://paste.openstack.org/show/117614/01:11
*** gokrokve_ has quit IRC01:11
ayoungmorganfainberg, I mean in nova01:11
morganfainbergayoung, in the db01:12
ayoungare they per project?01:12
morganfainbergayoung, so locally.01:12
morganfainbergyeah nova isn't domain aware01:12
stevemarnkinder, *but* the result should be that after the mapping, user['name'] has to be *something*01:12
ayoungso once you have admin on a project you can set the quota for it?01:12
morganfainbergthink so01:12
stevemarnkinder, otherwise we can't audit it, so we don't issue the token01:13
ayoungmorganfainberg, I think that is going to be the lynchpin01:13
nkinderstevemar: so you potentially end up with a large mapping with rules for every local group, then a rule for user id/name most likely01:13
morganfainbergand it also means even if remote nova was listening for keystone events, without a mapping for k2k, you'd never know if a project was removed01:13
stevemarnkinder, you got it!01:13
nkinderstevemar: yeah, user['name'] wouldn't get set in my case, and boom01:13
morganfainbergwith the mapping, always the local keystone knows/manages the project (just a mapped value)01:13
ayoungmorganfainberg, that kind of stuff doesn't really worry me01:13
stevemarnkinder, thanks for trying this all out with mod_mellon and ipsilon (spelling?)01:14
morganfainbergayoung, i think it does matter, we'd need a way to reconcile projects01:14
ayoungmorganfainberg, notifications always seemed suspect01:14
morganfainbergayoung, unless you're allowing remote keystone to ask me (local) keystone about projects01:14
nkinderstevemar: sure!  I'll be writing some stuff up for this01:14
ayoungmorganfainberg, I'd not have direct Keystone to Keystone communication01:14
ayounglets keep it manual to start01:14
nkinderstevemar: likely will start with a blog post and then we can see how to improve docs01:14
morganfainbergit's how the mapping table for federation bought us a lot of reuse, everything is always "local" for that keystone01:14
ayoungif project names collide...things get broken01:15
nkinderstevemar: the cool thing here is that I use kerberos to auth to my IdP, so no passwords are being used :)01:15
stevemarnkinder, nice01:15
ayoungthe quota thing worries me, the rest not so much to start01:15
ayoungnkinder, I think I have the DOA thing under control01:15
morganfainbergayoung, the quota thing is solved if we ensure local keystone knows some kind of "to local project" mapping :)01:15
morganfainbergayoung, in either case, it's roughly the same issue.01:16
morganfainbergayoung, something to keep in mind as it's explored.01:16
ayoungmorganfainberg, yep...or if quotas are stored in the authoritative  keystone for the Nova instance01:16
ayoungyep01:16
stevemarnkinder, i tried to make the docs have an obvious plug point for this stuff01:16
nkinderayoung: awesome01:16
ayoungnkinder, I think I only need the one patch I have posted for the keystone client01:17
stevemarnkinder, just need a "Setup Mellon" instead of "Setup Shibboleth" at http://docs.openstack.org/developer/keystone/configure_federation.html#configure-apache-to-use-a-federation-capable-authentication-method01:17
ayounghttps://review.openstack.org/#/c/122309/01:17
*** gokrokve has joined #openstack-keystone01:17
ayoungI'm going to un -1 that one01:17
ayoungnkinder, here's the path01:17
ayoungright now, if you create a client without a session, it authenticates immediately, but if you create one with a session it defers authentication01:18
ayoungand the "authenticate" method on the client is not session aware01:18
ayoungso there is no way to say "just authenticate"01:18
ayounghence the need for that patch01:18
ayoungonce that patch is in,  I think its a matter of adding an auth plugin and  session creation before the client create, and an authenticate call afterwards01:19
ayoungI've been hacking on the Mox tests and I think I have them down.01:19
ayoungI'm about to start a refactoring effort on the DOA tests.  There is a lot of duplicated code for creating mock Clients that I want to have written once and only once, so that when I make a change to the real code, I only have to make the change once in the tests01:20
ayoungright now, a one line change in the real code leads to fixing a dozen or more places in the tests01:20
*** Tahmina has quit IRC01:20
ayoungOnce I have that clean up, adding in the session code is much easier.  Once I have the session code, the kerberos stuff should be fairly minimal01:21
ayoungmorganfainberg, do you know if there is any movement on either per Domain quotas or storing quotas in Keystone?01:22
openstackgerritKui Shi proposed a change to openstack/keystone: Add memcached_backend configuration  https://review.openstack.org/12203701:25
openstackgerritBrant Knudson proposed a change to openstack/keystone: Cleanup mock patch usage  https://review.openstack.org/12553301:26
*** zzzeek has joined #openstack-keystone01:26
morganfainbergayoung, not that i'm aware of01:26
ayoungmorganfainberg, so one other problem is the "where does it live" issue.  Do you know if any of the services actually work with multiple endpoints of another service?01:27
*** bknudson has quit IRC01:27
*** bknudson has joined #openstack-keystone01:27
morganfainbergnot sure. i think a lot of quota stuff is driven by nova [though this may have changed in the last year]01:27
*** gokrokve_ has joined #openstack-keystone01:29
*** gokrokve has quit IRC01:30
ayoungmorganfainberg, there was a session at the last two summits about putting a unified quota extension somewhere.  Of course people said Keystone01:31
morganfainbergayoung, and i think it didn't go very far01:31
ayoungwe said "well, we can store the absolute values, but we are not going to enforce"....and then said01:31
morganfainbergno one picked up the work.01:31
morganfainbergyeah01:31
ayoung"its the wrong place"01:31
morganfainbergthen the whole congress thing01:31
openstackgerritSteve Martinelli proposed a change to openstack/keystone: Add an XML code directive to a shibboleth example  https://review.openstack.org/12553501:31
morganfainbergpolicy + lots of other stuff01:31
*** lcheng has quit IRC01:37
*** lcheng has joined #openstack-keystone01:38
*** lcheng has quit IRC01:42
*** diegows has quit IRC01:58
openstackgerritKui Shi proposed a change to openstack/keystone: Add memcached_backend configuration  https://review.openstack.org/12203701:59
*** ncoghlan has joined #openstack-keystone02:03
*** zzzeek has quit IRC02:05
*** mitz_ has quit IRC02:11
*** mitz_ has joined #openstack-keystone02:18
*** gokrokve_ has quit IRC02:23
*** lcheng has joined #openstack-keystone02:39
*** lcheng has quit IRC02:44
*** andreaf has quit IRC02:54
*** andreaf has joined #openstack-keystone02:54
*** lcheng has joined #openstack-keystone02:59
*** praneshp has quit IRC03:02
*** openstackgerrit has quit IRC03:08
*** openstackgerrit has joined #openstack-keystone03:09
*** richm has quit IRC03:17
*** openstackgerrit has quit IRC03:18
*** openstackgerrit has joined #openstack-keystone03:18
*** oomichi has joined #openstack-keystone03:25
*** dguitarbite has quit IRC03:29
*** alex_xu has quit IRC03:37
*** praneshp has joined #openstack-keystone03:53
*** praneshp_ has joined #openstack-keystone03:57
*** praneshp has quit IRC03:58
*** praneshp_ is now known as praneshp03:58
*** dims has quit IRC04:00
*** ncoghlan is now known as ncoghlan_afk04:00
*** dims has joined #openstack-keystone04:00
*** dims has quit IRC04:04
*** vdreamarkitex has quit IRC04:07
*** dguitarbite has joined #openstack-keystone04:30
*** gokrokve has joined #openstack-keystone04:50
*** praneshp has quit IRC04:54
*** lcheng has quit IRC04:55
*** lcheng has joined #openstack-keystone04:55
*** ncoghlan_afk is now known as ncoghlan04:57
*** harlowja is now known as harlowja_away05:00
*** lcheng has quit IRC05:00
*** lcheng has joined #openstack-keystone05:17
*** lcheng has quit IRC05:17
*** lcheng has joined #openstack-keystone05:17
*** gokrokve_ has joined #openstack-keystone05:24
*** gokrokve has quit IRC05:26
*** gokrokve_ has quit IRC05:28
*** gokrokve has joined #openstack-keystone05:29
*** gokrokve has quit IRC05:36
*** gokrokve has joined #openstack-keystone05:36
*** gokrokve has quit IRC05:41
*** ukalifon has joined #openstack-keystone05:43
*** lcheng has quit IRC05:44
*** lhcheng has joined #openstack-keystone05:46
*** lhcheng_ has joined #openstack-keystone05:47
*** amcrn_ has quit IRC05:49
*** lhcheng has quit IRC05:50
*** lhcheng_ has quit IRC05:53
*** lhcheng has joined #openstack-keystone05:53
*** lhcheng has quit IRC05:54
*** lhcheng has joined #openstack-keystone05:56
*** lbragstad1 has joined #openstack-keystone05:59
openstackgerritOpenStack Proposal Bot proposed a change to openstack/keystone: Imported Translations from Transifex  https://review.openstack.org/12495006:04
*** lhcheng has quit IRC06:07
*** lhcheng has joined #openstack-keystone06:07
*** oomichi__ has joined #openstack-keystone06:08
*** oomichi has quit IRC06:10
*** lhcheng has quit IRC06:15
*** lhcheng has joined #openstack-keystone06:17
*** jedix has quit IRC06:19
*** stevemar has quit IRC06:20
*** oomichi__ has quit IRC06:27
*** gokrokve has joined #openstack-keystone06:29
*** lhcheng has quit IRC06:29
*** lhcheng has joined #openstack-keystone06:31
*** gokrokve has quit IRC06:34
*** lbragstad1 has quit IRC06:35
*** ncoghlan has quit IRC06:46
*** lhcheng has quit IRC06:49
*** lhcheng has joined #openstack-keystone06:50
*** lufix has joined #openstack-keystone06:51
*** lhcheng has quit IRC06:55
openstackgerritMarcos Fermín Lobo proposed a change to openstack/keystone: Implement group related methods for LDAP backend  https://review.openstack.org/10224407:15
*** gokrokve has joined #openstack-keystone07:30
*** r1chardj0n3s is now known as r1chardj0n3s_afk07:33
*** gokrokve has quit IRC07:35
openstackgerritA change was merged to openstack/keystone: Remove unused cache functions from token.core  https://review.openstack.org/11967907:37
*** jistr has joined #openstack-keystone07:42
openstackgerritMarcos Fermín Lobo proposed a change to openstack/python-keystoneclient: Attributes required using token for auth  https://review.openstack.org/11522807:51
*** marekd|away is now known as marekd07:51
*** mitz_ has quit IRC07:53
*** mitz_ has joined #openstack-keystone07:55
*** lsmola has joined #openstack-keystone08:02
*** amerine has joined #openstack-keystone08:11
*** amerine_ has quit IRC08:12
*** andreaf has quit IRC08:17
*** amakarov_away is now known as amakarov08:17
openstackgerritMarcos Fermín Lobo proposed a change to openstack/keystone: Templated catalog backend not implemented  https://review.openstack.org/12001108:31
*** afazekas has joined #openstack-keystone08:34
*** jedix has joined #openstack-keystone08:39
*** garcianavalon has joined #openstack-keystone08:42
*** nellysmitt has joined #openstack-keystone08:51
*** gokrokve has joined #openstack-keystone09:30
*** gokrokve has quit IRC09:35
*** aix has joined #openstack-keystone09:51
*** diegows has joined #openstack-keystone09:54
*** oomichi has joined #openstack-keystone10:03
*** nellysmitt has quit IRC10:04
*** vdreamarkitex has joined #openstack-keystone10:05
oomichihi bknudson10:17
*** Dafna has quit IRC10:31
*** gokrokve has joined #openstack-keystone10:32
*** gokrokve has quit IRC10:36
*** Dafna has joined #openstack-keystone10:37
*** nellysmitt has joined #openstack-keystone10:46
*** diegows has quit IRC10:53
openstackgerritAlexey Miroshkin proposed a change to openstack/keystone: Notify a consumer that all dependencies injected  https://review.openstack.org/11752311:00
*** dims has joined #openstack-keystone11:08
*** jaosorior has joined #openstack-keystone11:16
*** andreaf_ is now known as andreaf11:18
*** Tahmina has joined #openstack-keystone11:25
*** gokrokve has joined #openstack-keystone11:30
*** gokrokve has quit IRC11:34
*** dims has quit IRC12:06
*** dims has joined #openstack-keystone12:06
*** dims has quit IRC12:06
*** dims has joined #openstack-keystone12:07
*** NM1 has joined #openstack-keystone12:08
*** NM1 has quit IRC12:09
openstackgerrithenry-nash proposed a change to openstack/keystone: Remove identity and assignment kvs backends  https://review.openstack.org/12561012:15
*** topol has joined #openstack-keystone12:29
*** alex_xu has joined #openstack-keystone12:29
*** gokrokve has joined #openstack-keystone12:30
*** oomichi has quit IRC12:32
*** gokrokve has quit IRC12:35
ekarlsoshouldn't there be an admin v2.0 endpoint at http://localhost:35357/v2.0 ?12:37
*** fifieldt has joined #openstack-keystone12:37
*** NM1 has joined #openstack-keystone12:41
*** miqui has joined #openstack-keystone12:50
*** henrynash has joined #openstack-keystone12:51
*** NM1 has quit IRC13:00
*** NM1 has joined #openstack-keystone13:01
*** breton_ has joined #openstack-keystone13:04
breton_hello fellas, I'm going to hang out here from now on13:06
*** dims has quit IRC13:06
*** dims has joined #openstack-keystone13:07
*** gordc has joined #openstack-keystone13:07
*** breton_ is now known as breton13:07
marekdbreton: hello, welcome :-)13:10
*** raildo_away is now known as raildo13:10
*** richm has joined #openstack-keystone13:10
*** dims has quit IRC13:11
*** nkinder has quit IRC13:13
*** radez_g0n3 is now known as radez13:20
*** bdossant_ has joined #openstack-keystone13:30
*** bdossant_ has quit IRC13:30
*** joesavak has joined #openstack-keystone13:30
*** gokrokve has joined #openstack-keystone13:30
*** bdossant has quit IRC13:31
*** gokrokve has quit IRC13:35
*** r-daneel has joined #openstack-keystone13:45
*** gokrokve has joined #openstack-keystone13:46
*** sigmavirus24_awa is now known as sigmavirus2413:49
*** andreaf is now known as andreaf_13:49
*** nellysmitt has quit IRC13:49
*** dguitarbite has quit IRC13:53
*** NM2 has joined #openstack-keystone13:54
*** NM1 has quit IRC13:54
*** ukalifon2 has joined #openstack-keystone13:56
*** ukalifon has quit IRC13:57
*** nkinder has joined #openstack-keystone13:59
ekarlsohey guys, i've deployed keystone behind apache httpd but I can't GET on http://127.0.0.1:35357/v2.0 - it gives a 404 ?14:07
ekarlsoapache config: http://paste.openstack.org/show/117771/ and the wsgi file mentioned in the config is: http://paste.openstack.org/show/117772/14:08
*** stevemar has joined #openstack-keystone14:08
richmekarlso: can you get on /v3?  can you get on :5000?14:13
*** nellysmitt has joined #openstack-keystone14:14
openstackgerritDolph Mathews proposed a change to openstack/keystone-specs: Remove deprecated kvs backends  https://review.openstack.org/12312214:15
*** bdossant has joined #openstack-keystone14:23
openstackgerritSteve Martinelli proposed a change to openstack/pycadf: Remove dependencies from docs test env in tox.ini  https://review.openstack.org/12565014:24
*** jdandrea has quit IRC14:24
*** nellysmitt has quit IRC14:28
*** nellysmitt has joined #openstack-keystone14:29
openstackgerritSteve Martinelli proposed a change to openstack/pycadf: Remove dependencies from docs test env in tox.ini  https://review.openstack.org/12565014:32
*** bdossant has quit IRC14:33
*** nellysmitt has quit IRC14:33
morganfainbergrichm, ekarlso, hm. look at the apache error log, that might be a permissions error on the admin/main scripts14:36
*** gokrokve has quit IRC14:36
morganfainbergekarlso, richm, see if mod_wsgi is actually executing the scripts.14:37
*** david-lyle has joined #openstack-keystone14:37
*** nellysmitt has joined #openstack-keystone14:38
morganfainbergdolphm, i'm going to point that BP at "removed as of kilo" instead, but otherwise +2 from me on it.14:38
morganfainbergdolphm, no need for lots of various bps for removing things.14:39
dolphmmorganfainberg: ++14:39
openstackgerritMorgan Fainberg proposed a change to openstack/keystone-specs: Remove deprecated kvs backends  https://review.openstack.org/12312214:42
dolphmmorganfainberg: when are we dropping the python 2.6 gate?14:43
morganfainbergdolphm, as soon as we get the "ok" from infra14:43
morganfainberg:)14:43
dolphmmorganfainberg: i'm looking at 2.6 bugs like https://bugs.launchpad.net/keystone/+bug/130655914:43
uvirtbotLaunchpad bug 1306559 in keystone "Fix python26 compatibility for RFCSysLogHandler" [Low,Confirmed]14:43
morganfainbergthis cycle, but we can't drop py26 from stable/* or client/middleware14:43
morganfainbergyeah, i'd probably expect us to mark it as wont fix soon14:44
morganfainbergas soon as py26 dies.14:44
dolphmmorganfainberg: i'm going to leave it as Incomplete for the moment14:44
morganfainbergyeah14:45
dolphmwith an explanation14:45
morganfainberghttps://bugs.launchpad.net/keystone/+bug/133188414:45
uvirtbotLaunchpad bug 1331884 in keystone "A V2 token from trust cannot be generated with user/pass" [Wishlist,In progress]14:45
morganfainbergi really don't want to add new functionality to v2 :(14:45
dolphmmorganfainberg: +1 for killing it14:48
NM2morganfainberg: Please, remember the swift users :'(14:48
*** gokrokve has joined #openstack-keystone14:48
morganfainbergNM2, please explain14:48
dolphmmorganfainberg: you certainly don't need user/password authentication while consuming a trust in v2 to use swift14:48
dolphmNM2: ^14:48
morganfainbergwe're not killing V2 trusts, just the ability to get a trust token from the username/password directly14:49
morganfainbergwhich is that bug/wishlist item14:49
morganfainbergit doesn't work like that today.14:49
morganfainbergdolphm, neutron for LBaaS is looking to use trusts. they don't want to have a hard v3 keystone requirement for it, and would appreciate that ^ fix. I told them I didn't want extra functionality for V2 but it was under review if we wanted to accept the fix14:50
morganfainbergdolphm, to be upfront why this came up now.14:50
morganfainbergdolphm, it doesn't *really* change my view much, V2 should be frozen.14:51
morganfainbergshort of security fixes and massive bugs, and this looks like "new functionality" to me.14:51
*** ukalifon2 has quit IRC14:51
NM2Well, that is a good point. Frozen is fair. Just don't kill it :)14:52
openstackgerritMorgan Fainberg proposed a change to openstack/keystone: Remove identity and assignment kvs backends  https://review.openstack.org/12561014:52
*** thedodd has joined #openstack-keystone14:53
morganfainbergNM2, Ideally we will formally deprecate v2 within K, L, or M cycles [depending on the state] but V2 isn't dead for a while.14:53
dolphmmorganfainberg: v3 has been "stable" long enough that they should be using it for new features as well - i don't really buy the argument14:54
morganfainbergdolphm, ++14:54
morganfainbergdolphm, ok going to kill that bug then.14:55
ayoungdstanek, I'm doing some test cleanup and the following change does not work:  http://paste.openstack.org/show/117787/14:55
ayoungwhat am I missing?14:55
morganfainbergdolphm, +2 on the spec for kvs, +2 on the code (retargeted the bp tag in the code)14:55
morganfainbergdolphm, i'm good with the removal code going in as soon as the spec lands.14:55
*** bdossant has joined #openstack-keystone14:55
*** lhcheng has joined #openstack-keystone14:56
*** dims has joined #openstack-keystone14:56
dolphmmorganfainberg: -- the spec filename should match the bp ID it's implementing14:58
dolphmor describing or whatever14:58
morganfainbergdolphm, should it? because it's not *really* completely implementing the bp14:58
dolphmmorganfainberg: you have to get manual with ttx's bp management tools otherwise14:58
ayoungare we even continuing to use BPs?  Is that so we have something to track?14:58
dolphmayoung: yes and yes until storyboard14:58
morganfainbergayoung, yeah its for Milestone tracking14:58
ayoung++14:58
*** cjellick has joined #openstack-keystone14:59
morganfainbergdolphm, easy enough to rename the file.14:59
dolphmwhich reminds me, i'm going to start attending storyboard meetings because holy crap we need that project running14:59
nkinderekarlso: your pastebin links don't work.  Did you figure out why you get a 404?14:59
morganfainbergdolphm, infra is moving to it this cycle14:59
morganfainbergdolphm, it's in beta14:59
morganfainbergonce they feel "good about it" it'll open up to other projects14:59
*** NM2 is now known as NM14:59
*** nellysmitt has quit IRC15:00
*** cjellick has quit IRC15:05
*** cjellick has joined #openstack-keystone15:06
dstanekayoung: what error are you getting?15:11
ayoungdstanek, no idea.  THe test just starts failing15:12
ayoungits mox, and the things are not matchin15:12
ayoungmatching15:12
dstanekayoung: one thing is that you are using mox - i think that's been removed from most of our stuff15:12
ayoungdstanek, this is Django OpenStack Auth15:12
ayoungthis is a refactoring effort toward getting Horizon to work with Kerberos15:13
dstanekayoung: ah, nothing looks wrong at first glance15:13
ayoungIf I do this right, it should be much easier to replace mox in this code15:13
*** lhcheng has quit IRC15:14
ayoungdstanek, interesting...I just forced it to work with this code:15:14
ayounghttp://paste.openstack.org/show/117795/15:15
*** lhcheng has joined #openstack-keystone15:15
*** dguitarbite has joined #openstack-keystone15:17
*** lhcheng has quit IRC15:18
*** lhcheng has joined #openstack-keystone15:19
*** lhcheng has quit IRC15:24
ayoung openstack_auth/tests/tests.py | 604 +++++++++++-------------------------------15:25
ayoung 1 file changed, 154 insertions(+), 450 deletions(-)15:25
ayoungalmost 300 lines shorter15:25
ayoungI bet I could keep going15:25
ayounghttps://review.openstack.org/12567315:26
*** vdreamarkitex has quit IRC15:32
ayoungmorganfainberg, dstanek we need to help out poor Horizon:  https://review.openstack.org/#/c/123745/6/openstack_auth/user.py,cm15:33
*** garcianavalon has quit IRC15:34
morganfainberghm, i was looking at something15:35
morganfainbergand got distracted15:35
*** gokrokve_ has joined #openstack-keystone15:35
morganfainbergdolphm, so do we need to swap back to the dedicated bp for that kvs removal one?15:35
morganfainbergdolphm, easy enough i guess to just toss in a second 'bp:' line if so15:36
ayoungmaybe we should have a standard set of roles per project that mirrors wordpress:  Subscriber, Contributor, Author, Editor, Administrator15:36
dolphmmorganfainberg: let me fuss with the spec review15:36
morganfainbergdolphm, ok sounds good.15:37
ayoungSubscriber is read only,  Contributor can change existing resources, but not add or delete,  author can add new resources,  editor can (mumble mumble) and Administrator can set quotas.15:37
*** gokrokve has quit IRC15:38
ayoungI can see atiwari's point that roles should be scoped to projects;  some people should not be messing with network setups15:39
morganfainbergyou have no idea how happy this makes me: https://bugs.launchpad.net/keystone/+bugs?search=Search&field.status=New15:39
openstackgerritSteve Martinelli proposed a change to openstack/keystone: Remove OS-STATS monitoring  https://review.openstack.org/12568315:40
ayoungroles really should be inheritable15:41
stevemardolphm, ^15:41
ayoungmorganfainberg, I think the server  is down15:41
ayoungnothing is getting returned15:41
ayoungyou broke it15:41
morganfainbergayoung, lol15:42
morganfainbergstevemar, did we *officialy* deprecate stats?15:42
morganfainbergoh nope i see it15:42
morganfainbergnvm15:42
stevemarmorganfainberg, i think so15:42
* morganfainberg needs to scroll further down15:42
morganfainbergstevemar, in_favor_of='external tooling',  heh15:43
stevemarhehe15:43
stevemari remember when we wrote that - was funny15:43
ayoungstevemar, new minus of 316 lines is OK in my book15:44
openstackgerritDolph Mathews proposed a change to openstack/keystone-specs: Remove deprecated kvs backends  https://review.openstack.org/12312215:45
stevemarmorganfainberg, ayoung even if it wasn't targeted for Kilo, I was just going to put it WIP, i doubt the locations of the code was going to change..15:45
dolphmmorganfainberg: so, it's now one bp :: one spec, where the spec has room to expand to cover more things for removal, if necessary15:45
dolphmmorganfainberg: https://review.openstack.org/#/c/123122/4/specs/kilo/removed-as-of-kilo.rst15:45
ayoungstevemar, you know, instead of enumerating all the tests in tox.ini, we really should segregate them at the directory level15:47
*** gokrokve has joined #openstack-keystone15:48
ayoungsomething like  test/unit  test/live15:48
ayoungah, that is 34...got it15:49
*** gokrokve_ has quit IRC15:50
stevemarayoung, yeah, because py33 and py34 are 'special'15:52
ayoungin a short bus sort of way15:52
*** lufix has quit IRC15:55
*** ukalifon1 has joined #openstack-keystone16:09
ekarlsomorganfainberg: I can get :35357/v3 yes16:09
*** gokrokve has quit IRC16:12
ekarlsoand I can do GET /v2.0 /v3 on :500016:13
*** Clabbe has quit IRC16:13
*** Clabbe has joined #openstack-keystone16:13
ekarlsobut on :35357/v2.0 it fails with 404 :|16:14
ekarlsomorganfainberg: / richm any clues ?16:14
*** afazekas has quit IRC16:15
*** lhcheng has joined #openstack-keystone16:18
*** jasondotstar has joined #openstack-keystone16:25
*** praneshp has joined #openstack-keystone16:26
*** gyee has joined #openstack-keystone16:30
openstackgerritDolph Mathews proposed a change to openstack/keystone: Remove deprecated external authentication plugins  https://review.openstack.org/12570116:35
openstackgerritSteve Martinelli proposed a change to openstack/keystone: Remove images directory from docs  https://review.openstack.org/12570216:36
gyeebknudson, ping16:37
bknudsongyee: will be available in a moment16:38
gyeek, got a oslo db question for ya whenever you have a moment16:38
*** gokrokve has joined #openstack-keystone16:38
openstackgerritayoung proposed a change to openstack/keystone-specs: implied roles  https://review.openstack.org/12570416:38
openstackgerritDolph Mathews proposed a change to openstack/keystone: remove deprecated access log middleware  https://review.openstack.org/12570316:38
stevemardolphm, i see we're trying to find out who can clean up more stuff today?16:44
dolphmstevemar: BEST DAY EVER16:44
dolphmmorganfainberg: Dear PTL, XML support is targeted for removal in Kilo, but need PTL input. Love, not-PTL.16:45
gyeeheh16:45
*** jistr has quit IRC16:45
lbragstadI was just going to ask about that :)16:47
lbragstadRe: XML support16:47
*** gokrokve has quit IRC16:47
dolphmlbragstad: have you already started a patch to remove it?16:47
lbragstadnot yet, but I can16:48
openstackgerritSteve Martinelli proposed a change to openstack/keystonemiddleware: Clean up the middleware docs  https://review.openstack.org/12570616:48
dolphmlbragstad: slash, what's your interest16:48
*** lsmola has quit IRC16:48
*** gokrokve has joined #openstack-keystone16:48
lbragstadI remember seeing the deprecation message in the XMLMiddleware, I can pull that out16:48
dolphmlbragstad: i was about to do the same, mostly just to see what it would look like / break. pretty sure tempest will argue16:48
*** gokrokve has quit IRC16:48
lbragstadyeah16:48
*** gokrokve has joined #openstack-keystone16:48
dolphmi also haven't followed the xml conversation on list anytime recently, so i don't know if it's still something we can remove?16:49
nkinderwho's up for reviewing some of the pending proposed/juno backports?16:49
nkinderhttps://review.openstack.org/#/c/125467/16:49
lbragstadthe lxml import stuff that we fixed in Juno was under the impression that it would be removed in K16:49
nkinderhttps://review.openstack.org/#/c/125257/16:49
nkinderhttps://review.openstack.org/#/c/125258/16:50
*** gokrokve has quit IRC16:50
*** gokrokve_ has joined #openstack-keystone16:50
*** lhcheng has quit IRC16:50
nkinderThose all made it into master and were clean cherry-picks to juno16:50
*** lhcheng has joined #openstack-keystone16:50
dolphmnkinder: on it16:50
nkinderdolphm: thanks!16:51
ekarlsoanyone got a clue on my error for :35357/v2.0 failin ?16:51
stevemaris the templated catalog dying with fire finally?16:51
bknudsongyee: ok, finally off the phone... what's up16:52
*** lhcheng_ has joined #openstack-keystone16:52
*** lhcheng__ has joined #openstack-keystone16:52
gyeebknudson, have a question on use_db_reconnect16:53
gyeefor HA, we have multiple DB instances fronted by VIP, with keepalive enabled16:53
*** praneshp has quit IRC16:53
gyeesuppose somebody yanks the wire on one of the instances, does oslo.db do reconnect16:54
gyeeassuming use_db_reconnect is set to True16:54
gyeeI am worried about the "experimental use" part in the description16:54
ayoungnkinder, I'm looking now...16:55
*** lhcheng has quit IRC16:55
ayoungnkinder, are you sure https://review.openstack.org/#/c/125467/1  is not going to break anyone?16:56
*** lhcheng_ has quit IRC16:56
bknudsongyee: I thought that we had db reconnect forever... since I remember having to look at it for db2 support.16:56
gyeebknudson, have you used that option before? I'm just curious how reliable it is16:56
*** marcoemorais has joined #openstack-keystone16:57
gyeeuse_db_reconnect is False by default16:57
*** praneshp has joined #openstack-keystone16:57
ayoungoh,these are just to Juno...ok16:57
*** lhcheng__ has quit IRC16:58
ekarlsorichm: morganfainberg ?16:58
gyeebknudson, see https://review.openstack.org/#/c/12211416:58
*** lhcheng has joined #openstack-keystone16:58
gyeebknudson, https://review.openstack.org/#/c/12211416:58
openstackgerritSteve Martinelli proposed a change to openstack/keystone: Remove deprecated TemplatedCatalog class  https://review.openstack.org/12570816:59
stevemardolphm, last one of the bunch i think ^16:59
bknudsongyee: for some reason I'm not able to get to review.openstack.org lately... always get a connection reset :(16:59
bknudsonmaybe I need to restart the browser16:59
dolphmstevemar: nice17:00
dolphmbknudson: i haven't had an issue17:00
*** lhcheng_ has joined #openstack-keystone17:00
stevemarno issues here17:00
bknudsonthere must be something with the vpn.17:00
gyeebknudson, welcome to corporate email service man17:00
bknudsonfound a workaround since it works from my vm17:00
gyeeI think I had murdered 5 IT guys over the years over email issues17:01
dolphmbknudson: although i once had issues like that and i think morganfainberg told me to kill my LP SSO session or something17:01
bknudsongyee: so the glance change looks like they're not using oslo.db?17:01
gyeebknudson, the commit message seems to suggest they are17:02
bknudsongyee: or is this saying we have to wrapper all keystone db calls?17:02
*** sigmavirus24 is now known as sigmavirus24_awa17:03
*** lhcheng has quit IRC17:03
gyeebknudson, my understanding is that the patch is aimed at mitigating the db reconnect issue17:03
bknudsonglance has one file with all their db calls? we should do that in keystone.17:03
*** gokrokve_ has quit IRC17:03
*** Haneef has joined #openstack-keystone17:04
gyeebknudson, I am not sure17:04
bknudsonhttps://review.openstack.org/#/c/122114/2/glance/db/sqlalchemy/api.py is a pretty snazzy change but seems like it should be in oslo.db17:04
gyeeHaneef, you encounter this issue with Keystone too right?17:05
*** lufix has joined #openstack-keystone17:05
HaneefYes. we encounter this , when we use keepalive/haproxy due to keepalive moving IP from one node to other17:05
gyeebknudson, Haneef, yeah, we should fix that in oslo.db17:06
bknudsonyou get 500 internal server errors for a while?17:06
bknudsonwhat database backend?17:06
bknudsonDB2?17:06
gyeemysql17:06
bknudsonhp should write their own database someday.17:06
gyeeyeah, vertica I think :)17:07
HaneefThe error is : DBConnectionError: (OperationalError) (2006, 'MySQL server has gone away')17:07
bknudsony, I thought we had code in our DB code before to handle that, so this seems like a regression.17:07
bknudsonI remember it was easy to recreate, just start keystone in devstack and restart it.17:08
bknudsonrestart mysqld17:08
Haneefbknudson:   oslo.db has something reconnect on error config , but the comment is experimental. Do you have any idea on that17:08
bknudsonHaneef: I don't know what that means... and I don't see zzzeek online...17:09
gyeelet give it a whirl and find out17:09
gyeeto paraphrase topol's comment on recreational drug, ya never try ya never know :)17:10
Haneefhttps://github.com/openstack/oslo.db/blob/master/oslo/db/options.py#L11617:10
bknudsonit looks like it does what the glance change does.17:11
bknudsoncatches DBConnectionError17:11
morgan_remote_Haneef. There should be a fix coming for Oslo.db reconnect issues if it is what I think it is.17:11
bknudsonand then it has a sleep in there which is ugly17:11
morgan_remote_There was a bug where the reconnect code was moved.17:11
richmekarlso: ?17:13
morgan_remote_There is a larger fix keystone should make as well but it was not an rc "fix" as the code in Oslo.db broke previous functionality. The Oslo team agreed they'd release a new Oslo.db instead to restore the seamless reconnect.17:13
*** lufix has quit IRC17:13
gyeemorgan_remote, what was the reason for pulling out that functionality?17:14
morgan_remote_gyee: it was moved. But the way we are using it, that move broke things.17:14
morgan_remote_Wasn't meant to be removed.17:14
*** harlowja_away is now known as harlowja17:14
morgan_remote_The fix should be released soon or maybe has been released17:15
morgan_remote_dhellmann: ping, the Oslo.db reconnect bug, has that been released yet or soon to be released?17:16
bknudsongyee: what version of oslo.db do you have?17:16
HaneefWe have oslo.db>=0.2.017:18
*** gokrokve has joined #openstack-keystone17:18
bknudsonwhat version is installed?17:18
morgan_remote_Wow. Launchpad is awful.17:18
gyeebknudson, installed with devstack?17:18
bknudsongyee: what version is installed where you're seeing the problem?17:19
vishyis morgan_remote_ == morganfainberg17:19
vishy?17:19
morgan_remote_vishy: yep17:20
vishymorgan_remote_: are you aware of any way using the keystone api to make sure that you don’t accidentally create duplicate records?17:20
vishyespecially for endpoints but it applies to other types as well17:20
morgan_remote_vishy: what kind of duplicate records?17:20
morgan_remote_Most cases we have unique constraints in the back ends.17:21
vishyi.e. if I could set the id of the record on create and have it fail if the id exists17:21
*** vhosakot_ has joined #openstack-keystone17:21
bknudsongyee Haneef: latest oslo.db is 1.0.217:21
morgan_remote_vishy: that should be the case. Id should always be unique.17:21
vishymorgan_remote_: well you can create multiple copies of the same endpoint data very easily17:21
vishymorgan_remote_: except the id is not exposed to the api17:21
vishyso that doesn’t help17:21
morgan_remote_Ah17:22
vhosakot_Dear friends, I see error when I do keystone user-create.. Can someone please help17:22
vhosakot_keystone --debug user-create --name localadmin --tenant-id admin --pass ubuntu --email vhosakot@cisco.com --enabled True17:22
vishycurrently to deal with races we have to take out a global lock17:22
vhosakot_DEBUG:keystoneclient.auth.identity.v2:Making authentication request to http://localhost:35357/v2.0/tokens INFO:urllib3.connectionpool:Starting new HTTP connection (1): localhost DEBUG:urllib3.connectionpool:Setting read timeout to 600.0 DEBUG:urllib3.connectionpool:"POST /v2.0/tokens HTTP/1.1" 401 143 DEBUG:keystoneclient.session:Request returned failure status: 401 DEBUG:keystoneclient.v2_0.client:Authorization Failed.17:22
openstackgerritA change was merged to openstack/pycadf: Remove dependencies from docs test env in tox.ini  https://review.openstack.org/12565017:22
vishywhich is just not very helpful17:22
stevemardammit - i told myself to get lunch at 12:3017:22
morgan_remote_vishy: yes. I can see that17:22
stevemarnow it's 1:2217:22
vishybut I wasn’t sure if I was missing something17:23
*** wwriverrat has joined #openstack-keystone17:23
morgan_remote_vishy: end points I think are a special case. Everything else should have unique constraints in a way that prevents duplicate data (ID, name+domain, etc)17:23
vishyendpoints could have a unique constraint on service/region perhaps17:23
morgan_remote_Yeah.17:24
vhosakot_Can some please share their /etc/keystone/keystone.conf if keystone is working for you..17:24
*** wwriverrat has quit IRC17:24
morgan_remote_vishy: valid point on some extra constraints probably needed there.17:24
vishyi can’t see sticking multiple copies of the same service in the same region17:24
vhosakot_also, after changing /etc/keystone/keystone.conf, how do I retstart keystone ?17:24
vhosakot_"service keystone restart" throws this error17:25
vhosakot_keystone: unrecognized service17:25
morgan_remote_vishy: probably not. Service shouldn't be duplicated afaict. But end points might have multiples for a service in a give. Region17:25
morgan_remote_S/give. Region/given region17:26
vishymorgan_remote_: hmm ok, so we can’t have unique17:26
richmvhosakot_: try service openstack-keystone restart17:26
vishymorgan_remote_: I guess I will just work around this for now17:26
*** amcrn has joined #openstack-keystone17:27
morgan_remote_vishy: not purely unique. But we might be able to make things a bit better (eg expose id)17:27
*** amakarov is now known as amakarov_away17:27
vishythat would give a way around it yes17:27
vhosakot_vishy: same error for "service openstack-keystone restart"17:27
vhosakot_openstack-keystone: unrecognized service17:27
morgan_remote_vishy: mind opening a bug on it? I see value in ensuring you're not duplicating unless you *really* want to17:28
morgan_remote_It should be easy to determine if you've already got the data you need in the catalog.17:28
morgan_remote_Or at least via the CRUD interface.17:28
vhosakot_I see the error "openstack-keystone: unrecognized service" when I do "user-create" with keystone...17:29
vhosakot_Can some please share their /etc/keystone/keystone.conf if keystone is working for you..17:29
morgan_remote_vhosakot_: how did you install keystone? Is this a devstack? And what version (master, Juno proposed, icehouse, etc)?17:31
vhosakot_yeah... this is devstack17:31
morgan_remote_vhosakot_: if it is a Juno or later vintage devstack. Keystone is run under Apache. So you'll restart / graceful / sighup Apache to load the new config.17:32
vhosakot_keystone comes with devstack when I clone devstack from git right ?17:32
*** gokrokve has quit IRC17:33
nkindervhosakot_: yes17:33
morgan_remote_By default that is keystone is under Apache+mod_wsgi. It is possible to run keystone under eventlet, and it is started in the devstack screen in that case. (Screen 1).17:33
bknudsonalso, if you're running devstack it doesn't start the servers as a service, just runs them under screen.17:33
bknudsonexcept for keystone and horizon which can be run under apache httpd17:33
bknudsonmaybe somebody here can answer this question -- do you think it would be possible to have apache do reverse-proxy to keystone and still use federation?17:34
vhosakot_nkinder, morgan_remote_ : I cloned devstack, and creating new user with keystone, and see the error "Authorization Failed. Could not find user: localadmin"17:34
vhosakot_i ran stack.sh17:35
morgan_remote_Localadmin? That's not one I've seen.17:35
gyeebknudson, sorry, looks like we are running a really old version17:35
gyee0.4.017:35
gyeeI need to talk to people, and people's people17:35
bknudsonvhosakot_: ./rejoin-stack.sh and you can see the screen17:35
*** david-lyle has quit IRC17:35
vhosakot_morgan_remote_ : should I use only admin for --name ? I thought I can use any name17:36
dolphmwhat response does keystone return when you try to PATCH a user's domains when domains are immutable?17:37
dolphma user's domain*17:37
morgan_remote_dolphm: huh. Good question. Should be, 403 right?17:37
morgan_remote_vhosakot_: depends on what you told devstack to use.17:38
gyeeyeah, should be 40317:39
morgan_remote_dolphm: no other status really makes sense.17:39
vhosakot_I see this new error now.. I changed localadmin to admin for user-create17:41
vhosakot_Invalid user / password (Disable debug mode to suppress these details.) (HTTP 401)17:41
vhosakot_where can I see the user / password that I am supposed to use for net-create17:42
vhosakot_(I'm new to keystone, please)17:42
nkindervhosakot_: how are you trying to create a user?17:43
nkindervhosakot_: could you pastebin the exact command/output?17:43
*** aix has quit IRC17:44
vhosakot_nkinder : I have pasted my environment variables, command output, and my /etc/keystone/keystone.conf at pastebin at  -  http://pastebin.com/0mum6GM417:48
nkindervhosakot_: you are trying to create the "admin" user while authenticating as the "admin" user?17:51
nkindervhosakot_: there should be an "admin" user that devstack set up, with a password that you specified IIRC17:53
nkindervhosakot_: so with that user's detail set in your OS_* environment variables, you should be able to do a 'keystone user-list'.17:53
vhosakot_nkinder : yes.. I am following http://docs.openstack.org/user-guide/content/app_cheat_sheet.html... I need to create a network (create_network) in neutron for which I need keystone setup properly17:53
nkindervhosakot_: make sure you can just do a user-list first17:54
vhosakot_"keystone user-list" displays the error below17:54
vhosakot_Invalid user / password (Disable debug mode to suppress these details.) (HTTP 401)17:54
nkindervhosakot_: so the user/password in your environment variables is not correct17:54
nkindervhosakot_: you need to use the values you used when you set up devstack17:55
morgan_remote_Or not presented via cli args17:55
morgan_remote_Present*17:55
vhosakot_how I can see what user / password devstack setup ?17:55
morgan_remote_Hm. Does that go into localrc still?17:56
nkinderit sets up an "admin" user by default.  I think the password is spit out at the end of running stack.sh17:56
nkinderI don't have a devstack set up right now17:56
vhosakot_do I need to use the same user / password that devstack setup in my environment variables for keystone to work ?17:56
nkindervhosakot_: yes, those should be correct17:56
vhosakot_oh right right.. I have saved devstack's output at end... 1 sec please17:56
vhosakot_stack.sh spit this output17:57
vhosakot_Horizon is now available at http://192.168.122.93/ Keystone is serving at http://192.168.122.93:5000/v2.0/ Examples on using novaclient command line is in exercise.sh The default users are: admin and demo The password: nomoresecrete This is your host ip: 192.168.122.9317:57
nkindervhosakot_: ok, so set OS_PASSWORD to nomoresecrete17:57
vhosakot_let me use nomoresecrete in my env variable, and rerun keystone17:57
vhosakot_ok oh.. 1 sec nkinder :)17:57
vhosakot_cool, "keystone user-list" worked.. let me create a network (create_network) in neutron for admin17:59
vhosakot_localadmin@ubuntu-14:~/devstack$ keystone user-list  +----------------------------------+----------+---------+----------------------+ |                id                |   name   | enabled |        email         | +----------------------------------+----------+---------+----------------------+ | c3462b4e0ef84de8b941c1cf5615c266 |  admin   |   True  |                      | | 75f62eb7016742e58903647f939ab5ae | alt_demo |17:59
*** ctracey_ has joined #openstack-keystone18:00
*** stevemar has quit IRC18:00
*** stevemar has joined #openstack-keystone18:01
*** ctracey_ is now known as ctracey18:01
vhosakot_nkinder : I see the error below when I create a network in neutron by doing "neutron net-create net1". Is the error below related to keystone or neutron? It looks like neutron (in which case I will jump to the neutron's IRC chat)18:02
vhosakot_publicURL endpoint for network service not found18:02
*** sigmavirus24_awa is now known as sigmavirus2418:03
vhosakot_nkinder : I will be back 3-5 mins18:03
*** david-lyle has joined #openstack-keystone18:06
morganfainbergstevemar, dolphm, henrynash, I'm not sure we actually need a spec for "removing" deprecated things.18:06
morganfainbergstevemar, dolphm, henrynash, if they were marked as deprecated as expected and being removed in the timeline they were expected to be removed (or later than)18:06
nkindervhosakot_: so that sounds like neutron is not set up properly in the endpoint catalog.  You can confirm that by running 'keystone endpoint-list' and correlating with 'keystone service-list'18:07
morganfainbergstevemar, dolphm, henrynash, I'm fine with the spec as-is going in but expect we should expand it to mark everything we're removing then?18:07
nkindervhosakot_: or just 'pip install python-openstackclient', then run 'openstack --os-auth-url http://127.0.0.1:5000/v3 --os-identity-api-version 3 endpoint list' for a nicer display with service names18:08
dolphmmorganfainberg: this is a merge commit to update feature/hierarchical-multitenancy to be in sync with master... it should merge before anything else to that branch because that branch is already 170 commits behind :( https://review.openstack.org/#/c/125726/18:09
morganfainbergdolphm, oh my18:10
vhosakot_nkinder : yes, neutron is not seen in the output of "keystone service-list"18:10
dolphmmorganfainberg: which is really 85 commits + merge commits18:10
*** david-lyle has quit IRC18:10
morganfainbergdolphm, well +2 on that provided jenkins doesn't complain... i doubt it will.18:10
vhosakot_how do I add the publicURL endpoint for neutron ? Is it thru the neutron CLI or the keystone CLI ?18:11
nkindervhosakot_: stack.sh should have done that18:11
nkindervhosakot_: it's a keystone API call, but the fact that it's not registered makes me think that neutron wasn't set up properly18:12
dolphmvhosakot_: openstack endpoint create http://pasteraw.com/omek504dcx8f7qf9hu680s0heb7lufh18:12
*** gokrokve has joined #openstack-keystone18:15
vhosakot_stack.sh has setup neutron (because I used the default local.conf that came from devstack's git).. If I pastebin my localrc of my devstack, could you please help me add the required parts for neutron, rerun stack.sh (restack ?), and add the publicURL endpoint for neutron thru keystone CLI18:16
ekarlsorichm: the keystone apache problem I asked about ;)18:16
vhosakot_I meant stack.sh has NOT setup neutron (because ... blah... blah... blah)18:16
henrynashmorganfainberg: I’m cool with that!18:16
morganfainberghenrynash, let's see what everyone else has to say, but I'm def fine with not having a spec enumerating what was removed, it's why we have the BP and we can *always* revert something back in if needed.18:17
nkindervhosakot_: https://wiki.openstack.org/wiki/NeutronDevstack18:19
stevemarmorganfainberg, we should have a spec for it, just to doc what exactly we're taking away18:19
vhosakot_nkinder : thanks for the steps for setting up neutron on devstack.. after I do the steps, do I just run stack.sh so my changes in local.conf are taken into account in my env for keystone ?18:20
*** ukalifon1 has quit IRC18:21
*** Tahmina has quit IRC18:21
*** sigmavirus24 has left #openstack-keystone18:22
*** nellysmitt has joined #openstack-keystone18:23
*** jaosorior has quit IRC18:23
vhosakot_is it ok if I run devstack's stack.sh multiple times when I change local.conf18:24
stevemarwhy is jenkins failing so often today :(18:25
vhosakot_dolphm : thanks for the link about openstack endpoint create18:25
*** webx has joined #openstack-keystone18:26
*** david-lyle has joined #openstack-keystone18:27
richmekarlso: does port 5000 or /v3 work?18:27
nkindervhosakot_: unstack, then stack.sh again is how I've always done it18:28
nkinderstevemar: it was failing a bunch yesterday too18:28
stevemarnkinder, it makes me sad18:28
*** henrynash has quit IRC18:29
vhosakot_cool, I will unstack and stack.sh again... thanks kinder!18:29
vhosakot_nkinder*18:29
openstackgerritA change was merged to openstack/keystone: Remove OS-STATS monitoring  https://review.openstack.org/12568318:29
openstackgerritA change was merged to openstack/keystone: Fix tests comparing tokens  https://review.openstack.org/12540618:30
*** henrynash has joined #openstack-keystone18:31
ekarlsorichm: correct18:33
ekarlso /v3 /v2.0 works on :500018:34
ekarlso /v3 on :3535718:34
richmekarlso: hmm - not sure why there is no /v2.0 on 3535718:34
ekarlsorichm: booo18:35
morganfainbergstevemar, then we need to update the spec for all things we're removing,18:36
*** webx has left #openstack-keystone18:36
morganfainbergstevemar, if we're doing that, let's just make sure we're getting it done. ^ also we merged remove os-stats already18:36
vhosakot_nkinder : unstacked, now running stack.sh.. already saw "running setup.py for neutron" in the output of stack.sh... so, I'm hoping neutron comes up this tim18:36
stevemaryeah i saw that18:37
vhosakot_time*18:37
stevemarmorganfainberg, reason for the spec, because now we don't have any proof that we made a decision to remove os-stats18:37
lbragstaddolphm: I ripped out most everything xml and get all but one test to pass18:38
vhosakot_nkinder : instead of chaining devstack's local.conf according https://wiki.openstack.org/wiki/NeutronDevstack, can I install the neutron networking service in http://docs.openstack.org/havana/install-guide/install/apt/content/neutron-install-network-node.html as well ?18:38
vhosakot_changing*18:38
henrynashmorganfainberg, stevemar: so this is why I created a spec specifically for kvs backends…..so we can agree that we want to remove those….if we have to agree on a spec for everything we are going to remove, I'm just concerned it will delay us working on the individual pieces18:38
ekarlsonoone that knows? /v2.0 is not available and breaks stuff atm when ks is behind keystone18:39
*** marcoemorais has quit IRC18:39
*** marcoemorais has joined #openstack-keystone18:39
*** marcoemorais has quit IRC18:39
openstackgerritayoung proposed a change to openstack/python-keystoneclient: Make client.authenticate use session if provided  https://review.openstack.org/12230918:40
*** marcoemorais has joined #openstack-keystone18:40
stevemarhenrynash, considering it's pre-summit, i think a day or two delay won't hurt :)18:40
henrynashmorganfainberg, stevemar: what I mean is - cramming everything into one spec seems counter to incremental development when the rationale or arguments may be different for the removal of un-related items18:40
*** marcoemorais has quit IRC18:40
*** marcoemorais has joined #openstack-keystone18:41
morgan_remote_henrynash: I think if it is deprecated is where that rationale comes from.18:41
morgan_remote_The removal is more of a "we actually removed it and it was slated to be removed "18:41
stevemarmorganfainberg, as the newly minted PTL, it's your call :D18:41
henrynashmorgan_remote: meaning…the ship sailed when people approved the item being marked as deprecated?18:41
*** leonchio_ has quit IRC18:42
henrynashmorgan_remote: I could be convinced by that argument18:43
morgan_remote_Meaning if it is deprecated we have documentation of rationale then. Do we need to rehash that for removal? We can say "yes we're good with removing" or "no we aren't" and we can always un-deprecate between the first and second step18:43
henrynashmorgan_remote: ok, sold….so the (new) bp is just the reference that we’ll hang these removals off18:45
nkinderekarlso: It should work.  I'm in the middle of a new setup of Keystone in httpd right now.  I'll check and see if it's working for me once it's complete.18:45
morgan_remote_Yeah. Sounds right18:46
*** praneshp has quit IRC18:48
ekarlsonkinder: it's not sadly18:49
nkinderekarlso: I think it was working on my installation yesterday, but I'll confirm18:49
henrynashmorgan_remote: and when we say bp, do we mean just bp or a spec?18:49
nkinderekarlso: what does your httpd config look like?18:49
nkinderekarlso: is it just a copy of http/wsgi-keystone.conf?18:50
nkinderekarlso: I can say that my configuration is different, as I'm using puppet-keystone's support for deploying in httpd18:51
ekarlsonkinder: I already pasted it18:51
nkinderekarlso: ah, I missed it.  Let me scroll back18:51
dolphmlbragstad: what's the one test?18:52
openstackgerritSteve Martinelli proposed a change to openstack/keystone: Remove deprecated TemplatedCatalog class  https://review.openstack.org/12570818:53
nkinderekarlso: I don't see it.  Mind supplying the link again?18:54
lbragstaddolphm: keystone.tests.test_v3_auth.TestPKIZTokenAPIs.test_v3_token_id18:54
dolphmlbragstad: why does that fail without xml?18:54
lbragstaddolphm: no idea. I was digging into it but couldn't find anything obvious18:55
lbragstaddolphm: pushing up the patch and marking as WIP,18:55
dolphmlbragstad: is that the bug that bknudson fixed this morning?18:55
lbragstadpossibly?18:55
dolphmlbragstad: rebase onto https://review.openstack.org/#/c/125406/18:55
dolphmlbragstad: which is in master18:55
henrynashlbragstad: that method just got changed18:55
openstackgerritLance Bragstad proposed a change to openstack/keystone: Remove XML support  https://review.openstack.org/12573818:56
lbragstadahh...18:56
lbragstadok18:56
*** praneshp has joined #openstack-keystone18:56
bknudsonI wonder why the test problem hasn't shown up until now...18:56
openstackgerritLance Bragstad proposed a change to openstack/keystone: Remove XML support  https://review.openstack.org/12573818:56
dolphmlbragstad: passes for me18:57
bknudsonit's random18:57
lbragstaddolphm: cool, I bet that was it then18:57
dolphmbknudson: is the fix in juno and icehouse?18:57
lbragstadrerunning all the tests with that patch18:57
bknudsondolphm: it was backported to icehouse... not to juno-proposed18:57
bknudsonat least I didn't notice if it was in juno-proposed18:57
dolphmbknudson: will you propose it?18:57
bknudsonsure, just a min18:58
dolphmbknudson: proposed/juno18:58
ekarlso16:08:23 ekarlso | apache config: http://paste.openstack.org/show/117771/ and the wsgi file mentioned in the config is: http://paste.openstack.org/show/117772/18:58
*** diegows has joined #openstack-keystone18:59
bknudsonwake up virtbot.19:02
bknudsonhttps://review.openstack.org/#/c/125741/ is the backport19:02
bknudsonI just pushed the button on gerrit19:02
*** marcoemorais has quit IRC19:03
lbragstad... wow, the weekly bug report is the lowest it's ever been...19:05
*** marcoemorais has joined #openstack-keystone19:06
lbragstad4 open bugs across all keystone projects in the last week...19:06
*** vhosakot_ has quit IRC19:06
*** david-lyle has quit IRC19:07
openstackgerritDolph Mathews proposed a change to openstack/keystone: remove deprecated access log middleware  https://review.openstack.org/12570319:07
openstackgerritDolph Mathews proposed a change to openstack/keystone: Remove deprecated external authentication plugins  https://review.openstack.org/12570119:08
dolphmlbragstad: you're kidding19:09
dolphmlbragstad: all the devs are on vacation and everyone is waiting for packages?19:09
bknudsonwhen removing functions, are we looking at updating the requirements.txt , and openstack-common.conf ?19:09
lbragstaddolphm: must be19:10
dolphmbknudson: i haven't, but access log and external auth don't have any unique deps19:10
dolphmbknudson: nor should kvs19:10
dolphmbknudson: stevemar's catalog removal certainly doesn't...19:10
bknudsonand we still have xml in federation code?19:11
dstanek lbragstad that's amazing19:11
lbragstadbknudson: yes19:12
lbragstadI was going to ask stevemar and marekd about that19:12
stevemardolphm, ++ stats/access log/external/catalog probably don't have any funky oslo or requirements bits19:12
lbragstaddstanek: ++19:12
stevemarlbragstad, hmm, from that bug last release we already moved lxml to test-requirements19:13
lbragstadstevemar: yeah, that should be good19:17
stevemarlbragstad, so selfishly i want to say that we don't support XML output from the core APIs, but we'll still support it for federation19:18
stevemarwhich means carry the lxml req in test-req :(19:18
lbragstadstevemar: we have to support it for federation, right?19:18
stevemaryessum19:19
lbragstadok19:20
stevemarlbragstad, marekd and i might just hack something up ourselves for this specific set of stuff19:20
stevemarwe can probably use a template for most of it19:20
lbragstadstevemar: then you won't need XML?19:20
stevemarlbragstad, thats the hope19:20
lbragstadok,19:20
lbragstadthat sounds good,19:20
lbragstadthat should be fine, XML support is out of the core apis19:21
stevemarlbragstad, no promises, we'd have to assess it first :)19:21
bknudsonplease don't try to generate XML (or any other structured document) without using a library.19:21
lbragstadyep, that's understandable19:21
lbragstadlibrary?19:22
*** zzzeek has joined #openstack-keystone19:22
lbragstaddolphm: sweet, passed 4607 tests without XML19:30
*** jasondotstar has quit IRC19:32
morganfainbergdolphm, i'm going to go ahead and approve that merge commit.19:40
dolphmmorganfainberg: ++19:40
bknudsoncan we merge the feature branch back into master now?19:42
stevemarlbragstad, i think bknudson's message was for me :)19:42
dolphmbknudson: did anything land in it?19:43
lbragstadstevemar: lol yeah, I figured19:43
bknudsondolphm: I don't think so...19:43
dolphmbknudson: then there's no reason to merge it, we can just nuke it. but then we're committing to delivering hierarchical in kilo19:44
bknudsondolphm: there's nothing landed but there's reviews posted to it.19:44
lbragstadyeah, I was reviewing a few of them..19:44
lbragstadthat had a pretty good list of reviews going19:44
lbragstadhttps://review.openstack.org/#/q/status:open+project:openstack/keystone+branch:feature/hierarchical-multitenancy+topic:bp/hierarchical-multitenancy,n,z19:45
bknudsonI hope that if someone has their code posted even before the release is open that we could get it in.19:46
morganfainbergbknudson, hehe19:46
*** david-lyle has joined #openstack-keystone19:54
*** david-lyle_ has joined #openstack-keystone19:56
ekarlsonkinder: did you have a clue on it?19:58
*** david-lyle has quit IRC19:59
openstackgerritSteve Martinelli proposed a change to openstack/keystone: Update docs to no longer show XML support  https://review.openstack.org/12575320:01
*** radez is now known as radez_g0n320:06
*** radez_g0n3 is now known as radez20:06
ekarlsonkinder: what's your config then for it ?20:07
nkinderekarlso: not yet.  I had some problems with my setup, so I'm fixing that up.20:07
*** bknudson has quit IRC20:07
*** henrynash has quit IRC20:07
nkinderekarlso: let me paste my config, then I need to step away for a bit20:08
nkinderekarlso: I have 2 separate wsgi files (one for 5000, one for 35357) - http://paste.openstack.org/show/117875/20:11
nkinderekarlso: bbiab20:11
*** bknudson has joined #openstack-keystone20:13
ekarlsonkinder: care to paste the wsgi files ?20:14
ekarlsoor are they the same20:14
*** david-lyle_ is now known as david-lyle20:15
bknudsonlbragstad: http://developer.openstack.org/api-ref-image-v2.html#image-schemas-v2 -- json schema publication20:16
*** nkinder has quit IRC20:17
morganfainbergekarlso, in my experience they can be the same file (but linked/named differently)20:18
ekarlsoj20:19
ekarlsomorganfainberg: yeah, that's what i've done but doesn't work :(20:19
morganfainbergekarlso, since i don't *know* your specific configuration the best thing I can do is recommend looking at what devstack does20:22
morganfainbergekarlso, we know for sure devstack is standing up V2.0 behind apache in a sane way20:23
ekarlsomorganfainberg: does it do behind apache as default or ?20:23
morganfainbergekarlso, https://github.com/openstack-dev/devstack/blob/master/lib/keystone#L142-L14420:23
*** nellysmitt has quit IRC20:23
lbragstadbknudson: we need that for identity?20:23
morganfainbergekarlso, current devstack deploys keystone behind apache by default20:23
bknudsonlbragstad: yes, we should do the same20:24
morganfainbergekarlso, and all gate tests are done with keystone behind apache20:24
morganfainbergekarlso, and here is what it does to configure the apache conf: https://github.com/openstack-dev/devstack/blob/master/lib/keystone#L146-L15820:25
morganfainbergekarlso, and here is the template: https://github.com/openstack-dev/devstack/blob/master/files/apache-keystone.template20:25
morganfainbergekarlso, for the apache conf20:25
*** andreaf has joined #openstack-keystone20:27
morganfainbergbknudson, gyee, https://bugs.launchpad.net/keystone/+bug/1374497 this is the oslo.db thing I was talking about earlier20:29
uvirtbotLaunchpad bug 1374497 in oslo.db "change in oslo.db "ping" handling is causing issues in projects that are not using transactions" [High,Fix committed]20:29
*** marcoemorais1 has joined #openstack-keystone20:31
*** marcoemorais1 has quit IRC20:31
bknudsonmorganfainberg: that looks like it.20:32
bknudsonand I wish there weren't 2 morgan's in the room.20:32
morganfainbergbknudson, hah,20:32
morganfainbergmorgan_remote_ is me too!20:32
*** marcoemorais1 has joined #openstack-keystone20:32
morganfainbergso, i'll see it either way :P20:32
morganfainbergi can probably change that name to something else.20:32
morganfainbergjust dunno what to change it to.20:32
bknudsonautocomplete doesn't work20:32
*** andreaf has quit IRC20:33
*** marcoemorais has quit IRC20:34
morganfainbergbknudson, ok i'll find some other name for it20:34
morganfainbergbknudson, for that bug ^ i think the juno fix might be getting a juno requirements update through20:34
bknudsonmorganfainberg: it's already allowed in requirements20:34
bknudsonI assume it's not capped.20:34
morganfainbergthe right, i mean a floor.20:34
morganfainberg*might*20:35
morganfainberg*shrug*.20:35
morganfainbergeh, anyway 1.0.2 fixes it.20:35
ekarlsothnx morganfainberg :)20:35
ekarlsowill check tmrw20:35
bknudsonmorganfainberg: gyee mentioned that they were using version 0.2 or something.20:36
* morganfainberg pokes gyee20:37
bknudsonI thought you 2 worked together.20:37
morganfainbergbknudson, he's in the bay area and not directly on the same team as I am20:38
morganfainbergbknudson, i see him about as often (in person) as you do :P20:39
* morganfainberg is in LA.20:39
bknudsonI thought you were moving?20:39
morganfainbergbknudson, saying around SoCal if I am20:40
morganfainbergstaying*20:40
morganfainbergtoo much $ to live in the bay area20:40
bknudsonmust be the weather20:40
morganfainbergtoo hot here for me actually, and not enough rain, PDX would probably be my alternative choice. Santa Barbara or Santa Monica would be likely the best choices in SoCal20:40
bknudsonportland? I've got some family there and have visited and it's a nice area.20:42
morganfainbergyeah i like portland a lot20:42
*** raildo is now known as raildo_away20:46
*** andreaf has joined #openstack-keystone20:47
*** morgan_remote_ is now known as remote_morgan_20:48
*** wwriverrat has joined #openstack-keystone20:50
*** remote_morgan_ is now known as morgan_remote_20:50
*** morgan_remote_ is now known as morgan_remote20:50
*** morgan_remote is now known as remote_morgan_20:51
remote_morgan_bknudson: better?20:52
*** lhcheng_ has quit IRC20:52
bknudsonmorganfainberg: can I still just type morganfainberg?20:52
*** wwriverrat has left #openstack-keystone20:52
remote_morgan_bknudson: yes, will see it on both places highlighted20:52
*** lhcheng has joined #openstack-keystone20:52
*** r1chardj0n3s_afk is now known as r1chardj0n3s20:52
*** marcoemorais1 has quit IRC20:55
bknudsonI am happier since now it's just mo20:55
*** HenryG has quit IRC20:55
morganfainberghehe unless mordred is in a channel20:56
*** lhcheng has quit IRC20:57
*** gordc has quit IRC21:00
*** gokrokve has quit IRC21:00
*** gokrokve has joined #openstack-keystone21:00
*** lhcheng has joined #openstack-keystone21:01
*** amcrn has quit IRC21:01
*** marcoemorais has joined #openstack-keystone21:02
*** amcrn has joined #openstack-keystone21:04
*** stevemar has quit IRC21:05
*** radez is now known as radez_g0n321:15
openstackgerritBrant Knudson proposed a change to openstack/keystone: pki/ssl_setup configurable digest  https://review.openstack.org/11736621:23
openstackgerritBrant Knudson proposed a change to openstack/keystone: Change the default digest for pki/ssl_setup to sha256  https://review.openstack.org/11736721:23
openstackgerritBrant Knudson proposed a change to openstack/keystone: Move unit tests from test_backend_ldap  https://review.openstack.org/11992821:32
*** marcoemorais has quit IRC21:35
*** marcoemorais has joined #openstack-keystone21:36
*** marcoemorais has quit IRC21:37
*** marcoemorais has joined #openstack-keystone21:38
*** marcoemorais has quit IRC21:38
*** marcoemorais has joined #openstack-keystone21:38
*** amakarov_away has quit IRC21:39
*** amakarov_away has joined #openstack-keystone21:39
*** leveldoc has joined #openstack-keystone21:48
*** nkinder has joined #openstack-keystone21:53
vishyremote_morgan_: https://bugs.launchpad.net/keystone/+bug/137693721:57
uvirtbotLaunchpad bug 1376937 in keystone "No way to prevent duplicates in endpoints" [Undecided,New]21:57
*** henrynash has joined #openstack-keystone22:01
*** gokrokve has quit IRC22:02
openstackgerritBrant Knudson proposed a change to openstack/python-keystoneclient: Log token with sha1  https://review.openstack.org/12381922:02
*** praneshp has quit IRC22:03
*** rkofman has quit IRC22:03
*** topol has quit IRC22:04
*** praneshp has joined #openstack-keystone22:04
*** rkofman has joined #openstack-keystone22:04
*** thedodd has quit IRC22:06
*** praneshp has quit IRC22:07
bknudsondstanek: one option for getting rid of dependency injection is to use notifications (publish/subscribe) where cross-backend communication is required.22:09
*** praneshp has joined #openstack-keystone22:10
nkinderbknudson: so why SHA1?22:10
dstanekbknudson: the tradeoff there is visibility - what happens when a user is deleted and in what order...22:10
bknudsonnkinder: sha1 for what?22:11
*** gokrokve has joined #openstack-keystone22:11
nkinderbknudson: the patch you proposed 9 minutes ago ^^^22:11
nkinderlogging a sha1 hash of the token22:11
bknudsonnkinder: oh, this is the scheme that was agreed to on -dev mailing list... there's probably a bug for it I should have referenced22:12
bknudsonnkinder: https://bugs.launchpad.net/python-glanceclient/+bug/132930122:12
*** wwriverrat has joined #openstack-keystone22:12
uvirtbotLaunchpad bug 1329301 in python-glanceclient "Update how tokens are redacted" [Undecided,Fix released]22:12
bknudsondstanek: the code will have to be written in such a way that the order doesn't matter.22:13
openstackgerritBrant Knudson proposed a change to openstack/python-keystoneclient: Log token with sha1  https://review.openstack.org/12381922:14
dstanekbknudson: and very idempodent - for instance doing X triggers Y and Z - doing Z also triggers Y22:14
dstanek*idempotent*22:14
bknudsondstanek: shouldn't that be the case anyways?22:15
*** wwriverrat has left #openstack-keystone22:16
dstanekbknudson: yes, but it would be in a single method and you wouldn't have to grep everything22:16
dstanekbknudson: you'd have to build a tree in your head...what is triggered by X...then for each of those things what do they trigger22:17
bknudsondstanek: if we have both publish/subscribe and DI, should we pick one or the other?22:17
dstanekbknudson: DI solves a different problem so you would need both22:18
*** NM has quit IRC22:18
dstanekDI is about composition of objects22:18
bknudsondstanek: here's an example, btw: https://review.openstack.org/#/c/125521/22:18
bknudsondstanek: is that a place where DI should be used or notifications?22:18
dstanekbknudson: that's probably an OK use of notifications22:21
bknudsondstanek: is it better to use notifications there or DI?22:22
nkinderbknudson: I tend to agree with morganfainberg's comments in that thread.  Logging the SHA1 of the token is not a great idea.22:23
bknudsonnkinder: does it open a security hole?22:23
dstanekbknudson: you can't solve that with DI because the object structure is bad - all DI does is allow you to build up object graphs, but that code has a circular dependency22:23
nkinderbknudson: one assumption in that thread was that PKI tokens were in use.  There was a repeated argument that "we're hashing 4k of data", so it's safe.22:23
nkinderuuid is much smaller22:23
morganfainbergvishy, thanks22:23
dstanekmorganfainberg: a new feature request https://bugs.launchpad.net/keystone/+bug/137693722:24
nkinderbknudson: it's not horrible, but I just don't see the strong reason to log them22:24
uvirtbotLaunchpad bug 1376937 in keystone "No way to prevent duplicates in endpoints" [Undecided,New]22:24
nkinderbknudson: given that the tokens end up in server side logs (like horizon)22:25
morganfainbergdstanek, yeah22:25
bknudsonnkinder: the difficulty that people are having is tracking a request through the system.22:25
morganfainbergdstanek, totally reasonable feature request imo22:25
nkinderbknudson: using a credential for tracking doesn't seem right though22:25
bknudsonnkinder: I think you're correct and something better is needed.22:26
morganfainbergbknudson, nkinder, i *think* osprofiler was trying to solve some of this with the unique request id generation stuff22:26
morganfainbergbut... it's not a clear line22:27
bknudsonnkinder: I'm not sure I could be convinced the UUID tokens make this worse than PKI tokens... you won't be able to figure out the UUID from the sha1 either way22:27
*** topol has joined #openstack-keystone22:27
bknudsonmorganfainberg: I wish that request tracking wasn't tied into osprofiler, since that seems to be a tougher sell.22:27
bknudsonsplit it out and build osprofiler on top of it22:27
morganfainbergso, wrt using something like audit_id from within the token, almost every single case we need to convert a UUID token -> token data, or pki token -> decoded token data, it means we *could* just use the audit_ids at that point22:28
dstanekmorganfainberg: yes22:28
morganfainbergif the token is invalid / doesn't parse, we actually *could* log the token22:28
morganfainbergif needed.22:29
topolI just reconnected back to what sounds like an interesting conversation22:29
morganfainbergif this is a case of the clients are opaque and don't know the token info, e.g. passed in a uuid token-id into the client as auth, we could a) ask keystone, or b) not log it. once you're inside a wrapped app or you had to grab the token info, you have audit_ids22:30
morganfainbergin the case of a PKI id, we can again decode in the clients22:30
bknudsonto decode a PKI token you're going to need the cert?22:31
morganfainbergbknudson, hm, i was wondering about that. I don't know if we need the cert.22:31
morganfainbergwe aren't needing to validate the signature in that case22:32
*** henrynash has quit IRC22:32
dstanekwhy is this a foreign key error? http://paste.openstack.org/show/117897/22:32
morganfainbergthe client doesn't care, (middleware clearly does)22:32
morganfainbergas would keystone22:32
morganfainbergdstanek, where did that come from?22:32
dstanekmorganfainberg: my experiments :-)22:33
dstaneki'm doing some form of science over here22:33
morganfainbergdstanek, because ... there is a FK for group on the id22:33
morganfainbergthe idea is you shouldn't delete the id if it's part of a group22:33
morganfainbergunless it is supposed to cascade22:33
dstanekah, i didn't think about the id being in other tables....i was too focused on the "i'm deleting by ID:22:34
nkinderbknudson: I don't think it's a horrible security issue, but it definitely doesn't make it more secure to log a SHA1 of the token22:34
morganfainbergdstanek, ahh22:35
nkindermorganfainberg: the idea of an audit_id would be better.  If we want an id to track a request, we should use something designed for that (not a credential)22:35
dstaneki'm deleting/shuffling/screwing up large parts of our code to see what happens :-)22:35
morganfainbergnkinder, and each token juno and beyond all have audit ids22:35
morganfainbergnkinder, the only *issue* is you need the token body to know it.22:36
bknudsonnkinder: I agree it's less secure since there's more info provided.22:36
*** andreaf has quit IRC22:36
*** andreaf has joined #openstack-keystone22:36
bknudsonI also think that something designed for tracking requests would be the best approach. Not sure what it would look like.22:37
morganfainbergbut unique request id and token audit id also serve two different purposes22:37
morganfainbergaudit id is great for tracking authn/authz across requests22:37
bknudsonit would be nice to be able to be able to link an error that the user sees to the error in the log.22:37
morganfainbergbknudson, i'm actually a fan of pulling the osprofiler stuff out and making the request get a header that follows it22:38
bknudsonnot just say "contact your admin and tell him to look at the logs", but you should be able to say "contact your admin with this request ID"22:38
morganfainbergif everything used keystoneclient (it should) and sessions (it should) we could make session request_id aware22:39
morganfainbergand middleware just maintains the request from the header through to the context so we can reference it from within a service.22:39
morganfainbergthen you can use both audit_id (tracking auth chain) and request_id (tracking specific request chain) -- an all around win?22:40
morganfainbergrequest id could become part of the pycadf middleware thing we adopted.22:41
morganfainbergor even some other middleware *shrug*22:41
*** dims has quit IRC22:42
*** dims has joined #openstack-keystone22:43
*** joesavak has quit IRC22:46
*** dims has quit IRC22:47
gyeemorganfainberg, bknudson, sorry I missed the oslo.db conversation earlier. So if we are using 1.2.0 we should be fine right?22:47
morganfainberggyee, 1.0.2 should be fixed for that bug22:47
bknudsonwhat's this then? https://review.openstack.org/#/c/125347/22:48
morganfainbergi think that is a longer term fi22:48
bknudsonoh, this bug is just on startup22:48
morganfainbergx22:48
morganfainbergyeah22:48
morganfainbergor that create_engine22:49
gyeek, I'll ask the guys to pull that version and give it a shot22:49
gyeewe were using a really old version22:49
morganfainberggyee, yeah they just released 1.0.2 for that fix iirc22:49
gyeemorganfainberg, bknudson, thanks for the info22:49
*** david-lyle has quit IRC22:51
nkinderekarlso: I also get a 404 when trying to access 35357/v2.022:56
dstanekthis test shouldn't work, but because sqlite sucks it does! http://git.openstack.org/cgit/openstack/keystone/tree/keystone/tests/test_associate_project_endpoint_extension.py#n99722:56
ekarlsonkinder: so a bug then ?23:05
nkinderekarlso: not sure.  Still investigating23:05
*** wwriverrat has joined #openstack-keystone23:05
ekarlsonkinder: funny is that it works fine when running keystone-all instead of behind httpd23:05
nkinderekarlso: yeah, I don't get what would cause that23:05
*** victsou has quit IRC23:06
ekarlso:D23:06
*** victsou has joined #openstack-keystone23:07
*** victsou is now known as vsilva23:09
*** HenryG has joined #openstack-keystone23:10
openstackgerritDolph Mathews proposed a change to openstack/keystone: switch from sample_config.sh to oslo-config-generator  https://review.openstack.org/11390523:11
dstanekdoes anyone know if endpoint_filter actually works?23:11
*** wwriverrat has left #openstack-keystone23:14
*** grantbow has quit IRC23:22
dstanekthe correct answer seems to be no, or at least not fully23:23
*** grantbow has joined #openstack-keystone23:28
*** grantbow has quit IRC23:31
*** grantbow has joined #openstack-keystone23:36
*** andreaf has quit IRC23:47
*** andreaf has joined #openstack-keystone23:48
*** dims has joined #openstack-keystone23:49
*** dims has quit IRC23:54
*** dims has joined #openstack-keystone23:55
*** diegows has quit IRC23:57
*** topol has quit IRC23:58
*** dims has quit IRC23:59

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!