Thursday, 2014-10-09

00:00 <morganfainberg> mgagne, mod_wsgi based or eventlet based keystone?
00:01 *** harlowja is now known as harlowja_away
00:04 *** _cjones_ has quit IRC
00:04 *** _cjones_ has joined #openstack-keystone
00:05 <openstackgerrit> Brant Knudson proposed a change to openstack/keystonemiddleware: Fix reference to middleware architecture doc  https://review.openstack.org/127078
00:07 *** _cjones_ has quit IRC
00:07 *** _cjones_ has joined #openstack-keystone
00:11 *** cds has quit IRC
00:11 *** harlowja_away is now known as harlowja
00:11 <openstackgerrit> Brant Knudson proposed a change to openstack/keystonemiddleware: Remove HTTP_X_STORAGE_TOKEN doc  https://review.openstack.org/127083
00:34 <openstackgerrit> Brant Knudson proposed a change to openstack/keystonemiddleware: Docstring cleanup  https://review.openstack.org/127084
00:49 *** ayoung has joined #openstack-keystone
00:50 <ayoung> flwang1, you still around?
00:51 <flwang1> ayoung: yes :)
00:51 <ayoung> flwang1, OK...so what do you want 'ResellerAdmin' to do?
00:51 <flwang1> ayoung: did you see my first question?
00:51 <flwang1> ayoung: my initial goal is to let a user create a new user for the current tenant
00:52 <ayoung> so first off, do you want to be able to create a new user, or assign an existing user to the current tenant?
00:52 <ayoung> let me clear one thing up
00:52 <ayoung> in the past, tenants "owned" users
00:52 <ayoung> not the case now
00:52 <ayoung> domains own users
00:52 <flwang1> create a new user and the new user only has access to the current tenant
00:52 <ayoung> users have roles in tenants
00:52 <ayoung> flwang1, OK, so you need to decide in which domain the user is going to exist
00:53 <ayoung> let's assume that the ResellerAdmin needs two permissions:
00:53 <flwang1> so for v3, I need a domain first, is that right?
00:53 <ayoung> 1. create user in domain "MyDomain"
00:53 <ayoung> yes
00:53 <ayoung> 2. Assign user to role "Member" in project P1
00:53 *** _cjones_ has quit IRC
00:54 *** _cjones_ has joined #openstack-keystone
00:55 <flwang1> ayoung: actually, I saw HP cloud can do that, but I'm not sure how
00:55 <flwang1> btw, does Icehouse have full support for v3? we're still using icehouse
00:58 <ayoung> flwang1, I can't speak to all of Icehouse. All I can suggest is that you try it out
00:58 <flwang1> ayoung: got it
00:58 <ayoung> flwang1, Are you guys running Horizon?
00:59 <flwang1> yes
00:59 <ayoung> flwang1, Ok, here is what I found
00:59 *** _cjones_ has quit IRC
00:59 <ayoung> 1. There are three changes you need to make to Horizon to get it to do V3. But then the issue is the Keystone catalog
00:59 <ayoung> let's start with the Keystone catalog:
00:59 <ayoung> I ran a bunch of sql like this:
01:00 <ayoung> update endpoint set url = 'https://ayoungf20packstack.cloudlab.freeipa.org/keystone/main/v3' where url = 'https://ayoungf20packstack.cloudlab.freeipa.org/keystone/main/v2.0';
01:00 * ayoung doesn't do port 5000 35357 nonsense
01:00 <ayoung> at the same time, you need to modify Horizon conf
01:01 <ayoung> it should be in /etc/openstack-dashboard/local.py or something
01:01 <ayoung> /etc/openstack-dashboard/local_settings in a RPM based install, probably something similar in debian/ubuntu
01:02 <ayoung> in that file, change the auth URL to end in v3.
01:02 <ayoung> So for me it started with
01:02 <flwang1> listening...
01:02 *** stevemar has joined #openstack-keystone
01:02 <ayoung> OPENSTACK_KEYSTONE_URL="http://192.168.122.174:5000/v2.0"
01:03 <ayoung> and make it
01:03 <ayoung> OPENSTACK_KEYSTONE_URL="http://192.168.122.174:5000/v3"
01:03 <ayoung> also, enable V3 support with
01:03 <ayoung> 1 sec
01:04 <ayoung> OPENSTACK_API_VERSIONS = {"identity": 3}
01:04 <ayoung> you can set other things there if you need different versions of the other service apis, like
01:04 <ayoung> "volume": 2 for cinder.
01:04 <ayoung> it's a python dictionary, so just make sure you have proper syntax
01:04 <ayoung> finally....
01:05 <ayoung> OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT = True
01:05 <ayoung> I'd recommend bringing up a second Horizon server and trying all that
01:05 <flwang1> so all of the above is how to enable v3, right?
01:05 <ayoung> flwang1, I assume this is a production deployment?
01:05 <ayoung> yeah, you need all 4 changes in sync
01:05 <flwang1> ayoung: yes
01:05 <ayoung> and the scary part is the Keystone one
01:06 <flwang1> is it possible to do that without stopping any services?
01:06 <ayoung> I had been pushing for a hack in Keystone client to ignore the version number from the endpoints, but I guess I need to push harder
01:06 <ayoung> I don't think so
01:06 <ayoung> flwang1, how do you guys deploy?
01:07 <flwang1> puppet
01:07 <ayoung> straight puppet?
01:07 <ayoung> no installer?
01:07 <flwang1> puppet with debian packages
01:08 <ayoung> I would prefer it if we could somehow do this without risking an interruption in service...
01:08 <ayoung> let me think....
01:09 <ayoung> ideally, the Keystone client would work with versionless URLs
01:09 <ayoung> and jamielennox has done a lot of work to make that happen, but it requires "Discovery" which means multiple round trips per new client object...
01:10 <ayoung> and older clients assume that it will be V2
01:10 <ayoung> meaning assuming the urls in the service catalog end in v2
01:10 *** marcoemorais has quit IRC
01:10 <flwang1> ayoung: okay, so let's assume we have enabled v3
01:10 <ayoung> K
01:10 <flwang1> ayoung: then what's the next step? :)
01:10 <ayoung> I'd create a domain for the reseller
01:10 <ayoung> all of the users that are clients of that reseller get created in there
01:10 <flwang1> is the reseller a must-have?
01:11 <ayoung> you were the one that wanted a reseller
01:11 <ayoung> I'm just following your example
01:11 <flwang1> ayoung: sorry, they are 2 questions
01:11 *** jwy has quit IRC
01:11 <ayoung> let's assume the reseller for now
01:11 <flwang1> the first one is how to add a new user if I'm an end user
01:11 <ayoung> in v3?
01:11 <flwang1> the 2nd is how to use the reseller
01:12 <flwang1> sorry for any confusion
01:12 <openstackgerrit> A change was merged to openstack/keystonemiddleware: Remove unused iso8601  https://review.openstack.org/122278
01:12 <ayoung> ah...right, cuz the CLI is v2
01:12 <ayoung> well, I know many ways, I tend toward curl...
01:12 <ayoung> http://adam.younglogic.com/2013/09/keystone-v3-api-examples/
01:12 <ayoung> wow, was that a year ago
01:12 <ayoung> time flies
01:13 <openstackgerrit> A change was merged to openstack/keystone: Refactor FakeLdap to share delete code  https://review.openstack.org/121371
01:13 <flwang1> ayoung: in v2, I was trying to add a new role like 'manager'
01:13 <ayoung> I think, though, that you can do all of that as an admin in Horizon with V3 enabled
01:13 * ayoung gonna check.
01:13 *** diegows has quit IRC
01:13 <flwang1> and set the permission for the new role to create/list/delete users
01:13 <openstackgerrit> A change was merged to openstack/keystone: revise docs on default _member_ role  https://review.openstack.org/110803
01:13 *** Kui has quit IRC
01:13 <flwang1> and set the manager role on the current user, but it seems it doesn't work
01:13 <flwang1> in v2
01:13 <ayoung> flwang1, if you enable V3, you can then create domains etc via horizon
01:14 *** Kui has joined #openstack-keystone
01:14 <ayoung> I don't know, however, if it will support your use cases...I've not played around with it too much
01:14 <ayoung> but there is an identity panel, with domains, projects, etc...
01:14 <flwang1> ayoung: ok
01:15 <flwang1> so in v3, as you said, I need to create a new domain
01:15 <ayoung> yeah
01:15 <flwang1> create a new project in the domain, set the user for the project
01:15 <flwang1> and then is there any api/cli to add a new user to the project?
01:15 <ayoung> domains are top level namespaces, so if you want to give someone, like a reseller, the power to create things, but keep them from stepping on others, confine them to a domain
01:16 <ayoung> the term is "assign a user a role in the project" and yes
01:16 <flwang1> cool
01:16 <flwang1> our original idea is like creating a 'managed' cloud for the customer
01:17 <ayoung> flwang1, I wrote a simple Javascript UI for this kind of thing, but the call you want via curl (to start) is
01:17 <flwang1> that means the customer can create new projects and new users based on the resource quota we assigned
01:17 <ayoung> http://adam.younglogic.com/2013/11/more-keystone-v3-api-examples/
01:17 <ayoung> see where it says: Let’s give our user this role
01:17 <flwang1> awesome, awesome :)
01:18 *** nkinder has joined #openstack-keystone
01:18 <ayoung> https://github.com/openstack/identity-api/blob/master/v3/src/markdown/identity-api-v3.md#grant-role-to-user-on-project-put-projectsproject_idusersuser_idrolesrole_id
01:18 <ayoung> the call is
01:19 <ayoung> PUT /projects/{project_id}/users/{user_id}/roles/{role_id}
01:19 *** gokrokve has quit IRC
01:19 <flwang1> cooooooool
01:20 <flwang1> so based on the current v3 design, the use case I mentioned above can be met, right?
01:21 <ayoung> Think so
01:21 <ayoung> you might want to check out the more advanced policy file:
01:21 <ayoung> http://git.openstack.org/cgit/openstack/keystone/tree/etc/policy.v3cloudsample.json
01:21 <flwang1> great
01:21 <flwang1> ayoung: thank you sooooooooooooo much
01:22 <ayoung> if you enable domain specific backends, the rules for domains change.
01:22 <ayoung> this is not a well published fact
01:22 <ayoung> But, I think you should try it out, and see.
01:22 <flwang1> yes
01:22 <ayoung> The difference is whether a user is limited to enumerating a specific domain or all domains
01:22 <ayoung> the flag is:
01:23 <ayoung> http://git.openstack.org/cgit/openstack/keystone/tree/etc/keystone.conf.sample#n787
01:23 <ayoung> domain_specific_drivers=True
01:23 <flwang1> in that case, I think the user is like a 'sub-administrator' of the 'domain'
01:23 <flwang1> he can do most of the things a real admin can, but just in this domain
01:28 <flwang1> ayoung: really appreciate your time and patience
01:28 <ayoung> good luck
02:10 <openstackgerrit> Brant Knudson proposed a change to openstack/keystone: sys.exit mock cleanup  https://review.openstack.org/124240
02:10 <openstackgerrit> Brant Knudson proposed a change to openstack/keystone: Tests raise exception if logging problem  https://review.openstack.org/119946
02:18 <openstackgerrit> wanghong proposed a change to openstack/keystone: wrong order of assertEqual args in assertValidRoleAssignmentListResponse  https://review.openstack.org/127110
02:20 <openstackgerrit> wanghong proposed a change to openstack/keystone: use expected_length parameter to assert expected length  https://review.openstack.org/127112
07:29 <marekd> mhu: o/ Auth plugins almost there!
08:13 <mhu> marekd, yeah! Imagine my surprise when I saw so much activity on gerrit! :D
08:25 <marekd> mhu: hehe
08:25 <marekd> mhu: that's good because i still need to use some ksc wrappers to authenticate via saml
08:26 <marekd> and now i won't
08:26 <marekd> mappings and protocols are already in the openstackclient.
08:26 <marekd> they got approved yesterday
08:26 <mhu> marekd, I saw this too, that's great
08:26 <marekd> yeah.
10:13 <marekd> mhu: what's wrong with that patch? https://review.openstack.org/#/c/124101/
10:14 <mhu> marekd, I am looking into it right now
10:20 <mhu> marekd, looks like gerrit's auto-rebase was a bit lost, I had to help it a bit :) looks fixed now, I'll update my copy after I check tox results locally
10:20 *** amakarov_away is now known as amakarov
10:30 *** eglynn has joined #openstack-keystone
10:30 <eglynn> hey folks
10:31 <eglynn> would anyone like to comment with some keystone perspective on the memcache auth discussion here https://review.openstack.org/127032 ?
10:32 <eglynn> (given that keystone appears to choose to use memcache in a way that doesn't, IIUC, support SASL auth)
10:32 <eglynn> ... SASL auth not being worth the candle is of course a valid answer
10:34 <marekd> mhu: yeah, gerrit always tries to autorebase patches
10:34 <marekd> mhu: sometimes needs some help
12:38 <mhu> marekd: I am good with switching "federated" for "federation", "federated" was mostly a placeholder until someone suggested something better :)
12:39 *** jaosorior has joined #openstack-keystone
12:43 <marekd> mhu: ok, that's good.
12:43 *** packet has joined #openstack-keystone
12:44 <marekd> mhu: thaks
12:44 <marekd> thanks :-)
13:14 <Sanchit> Hi, regarding the ACL permissions on Container, is it possible to specify a particular role in 'X-Container-Read' and then all the users with that particular role can access the objects in the specified container? In general terms, is role-based ACL a feature in openstack-swift?
13:14 <rodrigods> marekd, i'm trying to make a k2k fed experimental deployment here. right now I'm stuck at the metadata exchange phase. stevemar told me that i'd need a shibboleth in place for the keystone idp and then i would exchange the metadata...
13:19 <rodrigods> so, i'm kind of lost in this step
13:19 <rodrigods> =)
13:23 *** joesavak has joined #openstack-keystone
13:26 *** thiagop has joined #openstack-keystone
13:28 <marekd> rodrigods: e....
13:28 <marekd> rodrigods: treat keystone as identity provider
13:28 <marekd> rodrigods: or never mind...have you ever set up icehouse federation yourself?
13:28 <marekd> (not k2k)
13:29 *** vhoward has joined #openstack-keystone
13:33 <rodrigods> marekd, not me, but some folks on my team did and I followed their tutorial to set up the SP part
13:33 *** portante has left #openstack-keystone
13:33 <rodrigods> marekd, but we used testshib as IdP
13:33 <rodrigods> we didn't set up an IdP ourselves
13:34 <marekd> rodrigods: ok, so you know how it looks. So, one of the steps was to provide the IdP's metadata (with some urls and, what's most important, its public X509 key)
13:34 <marekd> so now you need to repeat that and simply treat keystone-idp as your IdP :-)
13:34 <marekd> remember you now need two keystones.
13:35 <marekd> one is keystone-sp and this is simply what we delivered in icehouse
13:35 <rodrigods> marekd, yeah... and to set up the SP for the IdP keystone?
13:36 <marekd> ok: for keystone-idp you only set up region. no need for shibboleth or anything like that.
13:36 <rodrigods> hmm, ok marekd
13:36 <marekd> (well, ok you MUST turn on federation extension
13:36 <marekd> )
13:36 <marekd> rodrigods: for keystone-sp you need to do it the old way -> federation extension, shibboleth and stuff
13:37 <marekd> rodrigods: one step is indeed skipped.
13:37 <marekd> in keystone + testshib you had to generate SP's metadata and provide it to testshib, remember?
13:37 <marekd> in k2k you skip it.
13:38 <marekd> you only want keystone-sp to be able to check and verify the signature of the saml assertion issued by keystone-idp
13:38 <marekd> rodrigods: can you guess why?
13:39 <marekd> rodrigods: hint: at the keystone-idp side you will need to manually install pysaml2
13:39 <rodrigods> marekd, that was exactly the step i was stuck in
13:39 <marekd> rodrigods: so skip it :-)
13:39 <rodrigods> marekd, great
13:40 <rodrigods> about the IdP metadata... the way it was set up in regular federation is via a URL to testshib
13:40 <marekd> rodrigods: you have the same here.
13:40 <marekd> rodrigods: w8
13:41 <marekd> rodrigods: (in fact you can configure your shibboleth to read it from a local file and simply copy the file)
13:41 <marekd> rodrigods: there was a bug regarding that and a fix was released, however not sure if it is already merged due to release/candidates policy and timing.
13:42 *** dtantsur has joined #openstack-keystone
13:42 <morganfainberg> marekd, rc2 is cut / should be
13:42 <marekd> morganfainberg: ok
13:42 <rodrigods> marekd, hmm
13:42 <morganfainberg> i think i saw a mail from ttx on that front
13:43 <rodrigods> marekd, thanks a lot!
13:43 <marekd> morganfainberg: about rc2?
13:43 <morganfainberg> yeah
13:43 <marekd> morganfainberg: yeah, saw it too
13:43 <marekd> morganfainberg: actually his tweet
13:43 <morganfainberg> ah
13:43 <marekd> rodrigods: you are welcome.
13:43 <morganfainberg> that was it
13:44 <dtantsur> Hi folks! I'm writing a Python service (Flask-based) and I need to authenticate users via keystone token. I also need to check for admin role. What's the easiest way to achieve it? I found GET /token/<ID> endpoint but it does not seem exposed in the client.
13:45 *** afazekas has joined #openstack-keystone
13:45 <marekd> dtantsur: maybe import keystoneclient and try to use it internally?
13:45 <openstackgerrit> Kui Shi proposed a change to openstack/keystone: Add memcached_backend configuration  https://review.openstack.org/122037
13:46 <marekd> dtantsur: otherwise you will simply need to build your http calls yourself.
13:51 *** topol has joined #openstack-keystone
13:51 *** Kui has quit IRC
13:53 <marekd> dolphm: in pasteraw source code - why are you converting redis keys from sha1 hexdigest to base36?
13:53 <marekd> https://github.com/dolph/pasteraw/blob/master/pasteraw/backend.py#L19
13:53 <dtantsur> marekd, you mean access GET /token/<ID> using keystoneclient as a basis? yeah I thought about it, just wanted to make sure it's the best solution.
13:53 <dolphm> marekd: to produce shorter URLs
13:54 <dolphm> marekd: there's probably a faster way to do that, if you can get an integer out of hashlib.sha1
13:55 <dolphm> but i don't see an integer digest in the docs, so nevermind
13:56 *** gokrokve has quit IRC
13:57 <marekd> dolphm: ah, shorter representation of sha1.hexdigest?
13:58 <marekd> dtantsur: i meant: use client libraries if you can :-)
13:58 <marekd> dtantsur: keystoneclient, novaclient, *client
13:59 <dtantsur> marekd, right, I'm going to use keystoneclient, my question remains the same: how to check a token and get admin role. My experiments up to now were a bit confusing
14:03 *** nkinder has joined #openstack-keystone
14:09 *** gokrokve has joined #openstack-keystone
14:19 <tellesnobrega> ayoung, i'm trying to see how the keystoneclient is notified when an idp is deleted. I have a federated setup running. What i want to do is to make sure that the client has the information that the idp was deleted, so we can progress solving the token problem
14:19 <ayoung> client?
14:22 <tellesnobrega> middleware
14:22 <tellesnobrega> sorry
14:24 *** ajayaa has quit IRC
14:26 *** bknudson has joined #openstack-keystone
14:27 <ayoung> tellesnobrega, at the middleware layer, all you get is a list of token ids. Or are you talking about revocation events? Cuz with revocation events, we've got a long way to go before those are consumed, and I don't think we should start with the IdP issue, but rather getting the existing code to the client
14:27 *** ajayaa has joined #openstack-keystone
14:27 <ayoung> there are no notifications from keystone server to the middleware layers
14:27 <tellesnobrega> hmm
14:28 <ayoung> tellesnobrega, please take some time to read up on how the existing token stuff works. The problem is that I have three different people asking me about this, and I have no idea who knows what, so it is hard to field the questions
14:29 <ayoung> but there is so much churn here due to revocation events being in a halfway state, I don't fault you guys
14:29 <tellesnobrega> i understand
14:29 <tellesnobrega> not how token stuff works lol. what you men
14:29 <tellesnobrega> mean
14:30 <ayoung> yeah...and switching the default from pki back to uuid just complicates matters
14:30 <ayoung> and the fact that I am trying to work on something over in Horizon....
14:31 <ayoung> nkinder, speaking of horizon...let me know when you have a second to talk AUTH_URLs for Kerberos
14:32 *** richm has joined #openstack-keystone
14:32 *** stevemar has joined #openstack-keystone
14:32 <nkinder> ayoung: sure
14:33 <nkinder> ayoung: you mean the Location set up in the httpd config?
14:33 <ayoung> nkinder, so, I got myself a bit confused. When I realized that I had broken the "switch project" part in the auth_plugins patch for DOA
14:33 <ayoung> I fixed that, and started rebasing the Kerberos one, and maybe I went too far. Before I undo the work, I want to get it clear.
14:33 <ayoung> here's the deal
14:34 <ayoung> I'm working on the assumption that AUTH_URL is not the endpoint in the catalog
14:34 <ayoung> this is specific to Kerberos, since mod_auth_kerb does not allow you to pass if you don't authenticate
14:35 <ayoung> my thinking is that a user going via Horizon has access to kerberos, so S4U2Proxy makes sense, but the service catalog does not mean that all consumers have access to Kerberos
14:35 <ayoung> so...
14:36 <nkinder> ayoung: ok, so Horizon would be configured to use the kerberized AUTH_URL, and OSC could as well
14:36 <ayoung> horizon we would only use Kerberos/S4U2 to get a token the first time, but then the Keystone client is going to use the endpoint in the Service catalog for additional work
14:36 <nkinder> ayoung: but the catalog would have the regular old AUTH_URL
14:36 <ayoung> yeah
14:37 *** charz has quit IRC
14:37 <ayoung> nkinder, it's a mess...this whole Kerberos-not-evenly-available really makes it sloppy
14:38 <nkinder> ayoung: the same would apply for federation though. We need to support multiple auth methods that have different URLs
14:38 <ayoung> I wish it were either yes, use kerberos for OpenStack and it's everywhere, or else a clean way to work around it
14:38 <boris-42> bknudson hi there
14:38 <nkinder> ayoung: that's just not going to be there from the start. If we can kerberize service users by giving them keytabs, that would be possible though
14:39 <bknudson> boris-42: hi
14:39 *** charz has joined #openstack-keystone
14:39 <boris-42> bknudson we already have a bunch of benchmarks for checking authentication
14:39 <boris-42> bknudson https://review.openstack.org/#/c/98836/5
14:39 <boris-42> bknudson if you wish I can change https://review.openstack.org/#/c/98836/5/rally-scenarios/keystone.yaml
14:39 <boris-42> bknudson to add them
14:40 <bknudson> boris-42: y, I'm fine with the change as is other than the link doesn't work.
14:40 <boris-42> bknudson hmmm
14:40 <boris-42> bknudson are you sure??
14:40 <boris-42> bknudson https://wiki.openstack.org/wiki/Rally
14:40 <nkinder> ayoung: so, what happens by leaving the endpoint in the catalog as the non-Kerberized URL?
14:41 <ayoung> nkinder, I had written a basic-auth approach to getting keystone tokens that would, I think, work with mod_auth_kerb falling back to basic-auth:
14:41 <bknudson> boris-42: ok.. I must have copy-pasted it incorrectly
14:41 <ayoung> nkinder, OK, so our working approach is that the AUTH_URL != endpoint and we only use it to get the initial token.
14:41 <boris-42> bknudson ya there is RST formatting
14:41 <ayoung> nkinder, it means that the client code needs to know to not use the kerberos plugin when doing the switch
14:41 <ayoung> I'll link
14:41 <boris-42> bknudson lemme update the patch a bit okay?
14:41 <boris-42> bknudson there is some new functionality in rally =)
14:42 *** k4n0 has quit IRC
14:42 <bknudson> the browser added / to the URL for some reason
14:42 <bknudson> boris-42: please, update it
14:42 <ayoung> nkinder, https://review.openstack.org/#/c/115463/5/openstack_auth/views.py,cm switch needs to get an "unscoped plugin"
14:43 <ayoung> I made the mistake last night of making that a Kerberos plugin if the server is kerberized
14:43 <ayoung> https://review.openstack.org/#/c/115463/5/openstack_auth/utils.py,cm see get_scoped_plugin
14:43 <nkinder> ayoung: ah, so we don't get (and keep) an unscoped token in the session?
14:44 <ayoung> nkinder, we keep it, but it is not really used
14:44 <nkinder> ...by session, I mean the session on the horizon side
14:44 <ayoung> that is a wider issue, one I want to discuss with jamielennox when he's back
14:44 <bknudson> dstanek: why is this -2? https://review.openstack.org/#/c/112573/7
14:44 <nkinder> ayoung: so if we initially used kerberos to get an unscoped token and kept it, we could reuse it to get project-scoped tokens
14:44 <ayoung> the reason I kerberized it is how the initial authentication works
14:44 <ayoung> it kind of blurs authenticate and switch functionality...
14:45 <ayoung> https://review.openstack.org/#/c/115463/5/openstack_auth/backend.py,cm calls the same get_unscoped_token function, but it knows the auth_url and passes it in.
14:45 <nkinder> ayoung: so the switch functionality is going to use the endpoint from the current token, not the configured AUTH_URL?
14:45 <ayoung> I think that I should make only the "get_unscoped_plugin" be kerberos aware
14:45 <ayoung> corect
14:45 <ayoung> correct
14:45 <nkinder> and should it be that way?
14:46 <ayoung> yeah
14:46 <ayoung> it has to, as it makes multiple calls to keystone
14:46 <ayoung> there are other places that also call keystone, if you have an admin token, to do things like create users
14:46 <nkinder> but couldn't it make a call to the configured AUTH_URL any time it attempts to get an unscoped token?
14:47 <ayoung> those are all going to work with the non-spnego url
14:47 <ayoung> the only thing that needs to handle an unscoped token is the initial login
14:47 <ayoung> and remember, that behavior is set up by Django
14:48 <ayoung> we could probably hack around it, so that if you are kerberized you never get logged out, but it is a larger patch
14:48 <ayoung> and probably needs changes in Horizon
14:48 <ayoung> this is just the "click to login" approach
14:48 <dstanek> bknudson: i'd have to check to see if the newer patches still have the same coverage problem
14:48 <dstanek> bknudson: but also i think this is the exact reverse of what we should be doing
14:49 <dstanek> bknudson: the "list" assertions should not know about the entity's attributes, the entity assertions should
14:51 *** NM has joined #openstack-keystone
14:51 <dstanek> bknudson: i have a patch where i removed keys to check almost entirely - i'll get it mergeable for an example
14:52 *** gokrokve has quit IRC
14:53 <bknudson> dstanek: that sounds like a good refactoring ... pick one or the other.
14:54 <nkinder> ayoung: so what happens today when you switch projects? It re-authenticates using the password that it kept?
14:54 <ayoung> no...today it stores the endpoint in the request...in the "region" variable
14:54 <ayoung> I'm going to maintain that
14:55 <ayoung> and, in fact, I think I'm going to redo the auth_plugins patch to honor that even for listing the projects
14:55 <ayoung> although...crud, it might not be stored there yet
14:55 *** mewald has joined #openstack-keystone
14:55 *** jorge_munoz has joined #openstack-keystone
14:55 <ayoung> so by "listing the projects" I mean during the initial authenticate
14:55 <ayoung> authenticate has to end up with a project scoped token
14:56 <nkinder> ayoung: ok, so it gets unscoped, then uses that to list projects
14:56 <nkinder> ayoung: right?
14:56 <mewald> question about the Endpoint Policy extension: Isn't the whole problem just there because of the attempt to centralize Policies in Keystone? I mean without using the Policy API, we could already implement different policies per endpoint, couldn't we?
14:56 <ayoung> nkinder, yes. And you are now smart enough to review https://review.openstack.org/#/c/121281/6/openstack_auth/backend.py,cm
14:57 <nkinder> ayoung: then it has to get a project-scoped token. How does it authenticate to get this scoped token?
14:57 <nkinder> ayoung: using a password, or the unscoped token?
14:57 <ayoung> nkinder, the unscoped
14:57 <ayoung> see line 140 of the old code
14:57 <ayoung> I kept that semantics in the new
14:59 <ayoung> nkinder, so, what I wanted to do was to have a "rescope" method on the client. If it is unscoped, add a project id and get a new token scoped to that project
15:01 <openstackgerrit> A change was merged to openstack/python-keystoneclient: Log token with sha1  https://review.openstack.org/123819
15:01 *** mewald has quit IRC
15:08 *** jistr has quit IRC
15:15 <ayoung> nkinder, OK, so DOA does store the "unscoped token" in the request. The switch code can make use of that.
15:15 *** thedodd has joined #openstack-keystone
15:17 <mhu> stevemar, thanks!
15:19 <stevemar> mhu, np
15:19 <stevemar> mhu, thanks for the code :)
15:21 <nkinder> ayoung: yeah, that would be ideal
15:21 <ayoung> nkinder, I think I have a change to the auth_plugins patch that makes sense, and will support unscoped->scoped only
15:22 <ayoung> testing now
*** lnxnut has joined #openstack-keystone15:31
*** zzzeek has joined #openstack-keystone15:34
*** cjellick has joined #openstack-keystone15:34
*** dtantsur is now known as dtantsur|afk15:37
*** _cjones_ has joined #openstack-keystone15:38
ayoungnkinder, hmmm, the unscoped_token_id saved to the session does not seem to be there when I switch projects.  Like most thinkgs in DOA, this is going to take longer than I initially thought.  I might do it as a second patch on top of the auth_plugins patch.15:40
ayoungnkinder, aaaaaaand the is because of how DOA expects token<->user to work...there are a bunch of factory type things that assume a user has one token, can be created from a token, etc15:42
ayoungbeyond the scope of the Kerberos patch, I think15:42
morganfainbergmornin15:48
*** lufix has quit IRC15:54
*** lhcheng has joined #openstack-keystone16:00
*** Guest92054 is now known as mgagne16:03
*** mgagne is now known as mgagne_16:03
*** mgagne_ is now known as Guest3117816:04
*** Guest31178 has quit IRC16:05
*** Guest31178 has joined #openstack-keystone16:05
ayoungguten morganfainberg,16:06
*** Guest31178 is now known as mgagne16:07
*** lhcheng has quit IRC16:08
*** lhcheng has joined #openstack-keystone16:09
dimsum_morganfainberg: folks: the oslo-incubator's crypto/utils.py seems to be used by kite, python-kiteclient and heat, so do we turn it into a oslo library? or does it go somewhere else?16:12
dimsum_https://review.openstack.org/#/c/125779/16:12
morganfainbergdimsum_ it could become part of kite if *nothing* else uses it16:12
dimsum_heat too...16:13
morganfainbergdimsum_, or we could graduate it to an oslo lib if it is legitimately useful16:13
morganfainbergif heat is using it i say it should move to a lib16:13
*** lhcheng has quit IRC16:13
morganfainbergayoung, i see what you did thar16:14
dimsum_morganfainberg: another thing related that popped out was that we probably lost securemessage.py in oslo.messaging in the transition16:15
dimsum_morganfainberg: ack16:17
*** thedodd has quit IRC16:20
*** thedodd has joined #openstack-keystone16:23
morganfainbergdimsum_, hm.16:25
morganfainbergdimsum_, good to know16:25
*** david-lyle has joined #openstack-keystone16:26
*** _cjones_ has quit IRC16:28
*** _cjones_ has joined #openstack-keystone16:28
*** swamireddy has joined #openstack-keystone16:32
stevemarnkinder, more for you at: https://review.openstack.org/#/c/126475/ :P16:32
nkinderstevemar: yep!  Reviewing now16:32
*** _cjones_ has quit IRC16:33
*** _cjones_ has joined #openstack-keystone16:42
nkinderstevemar: could you expand on your comment here? https://review.openstack.org/#/c/126754/6/openstackclient/identity/v3/project.py16:43
nkinderstevemar: are you saying we should move away from using find_domain in a future patch?16:44
stevemarnkinder, nah, we should stick to find_domain()16:44
nkinderstevemar: the code was already using find_domain, so I didn't change that16:44
stevemarhttps://review.openstack.org/#/c/126754/6/openstackclient/identity/v3/group.py line 31216:44
nkinderstevemar: ah, I see.  The project code differs from the group code16:46
stevemarnkinder, actually if you read the function find_domain it already does all that for us :(16:46
stevemarhttps://github.com/openstack/python-openstackclient/blob/master/openstackclient/identity/common.py#L4216:46
openstackgerritAlexander Makarov proposed a change to openstack/keystone: Trust redelegation  https://review.openstack.org/12689716:46
nkinderstevemar: ah, so it does16:47
stevemarnkinder, i completely forgot about that function, and we both made the changes in a lot of spots16:48
nkinderstevemar: let me revise my patch...16:48
*** _cjones_ has quit IRC16:56
*** marcoemorais has joined #openstack-keystone16:56
*** _cjones_ has joined #openstack-keystone16:56
*** eglynn has quit IRC16:57
*** wwriverrat has joined #openstack-keystone17:00
*** wwriverrat1 has joined #openstack-keystone17:00
*** _cjones_ has quit IRC17:01
*** hyakuhei has quit IRC17:01
*** marcoemorais has quit IRC17:01
*** sigmavirus24 is now known as sigmavirus24_awa17:01
*** gyee has quit IRC17:01
*** marcoemorais has joined #openstack-keystone17:02
*** marcoemorais has quit IRC17:02
*** marcoemorais has joined #openstack-keystone17:02
*** wwriverrat1 has left #openstack-keystone17:02
*** wwriverrat has quit IRC17:04
*** andreaf has joined #openstack-keystone17:05
*** marcoemorais has quit IRC17:06
*** marcoemorais has joined #openstack-keystone17:06
*** _cjones_ has joined #openstack-keystone17:15
*** gyee has joined #openstack-keystone17:15
*** swamireddy1 has joined #openstack-keystone17:16
gyeeayoung, ping17:17
*** swamireddy has quit IRC17:17
*** harlowja_away is now known as harlowja17:19
*** lufix has joined #openstack-keystone17:20
*** edmondsw has joined #openstack-keystone17:22
amakarovnkinder, ayoung, good day to all! Please review a fix https://review.openstack.org/#/c/125923/17:24
amakarovThere is 1 line )17:25
ayounggyee, pong17:28
*** arunkant_work has joined #openstack-keystone17:29
*** amakarov is now known as amakarov_away17:31
*** marcoemorais has quit IRC17:32
*** marcoemorais has joined #openstack-keystone17:33
*** marcoemorais has quit IRC17:33
*** marcoemorais has joined #openstack-keystone17:33
*** marcoemorais has quit IRC17:33
*** lhcheng has joined #openstack-keystone17:34
*** marcoemorais has joined #openstack-keystone17:35
gyeeayoung, sorry I was talking to morganfainberg, I didn't understand your multi signer email, but morgan straighten me out17:42
ayoungcool17:42
ayounggyee, you are one of the primary people I need to get on board17:42
morganfainbergayoung, sometimes being able to throw something at people the next desk over helps17:42
gyeehaha17:42
ayoungjust throwing people helps17:42
ayoungjust remember to lift with your legs, not your back17:42
morganfainbergoh sure, but you have to be careful when you're a few stories up...17:43
*** jaosorior has quit IRC17:43
gyeemorganfainberg is literally 5 feet from me17:43
*** samuelmz has quit IRC17:43
*** marcoemorais has quit IRC17:45
ayounggyee, morganfainberg so do you guys get the concern?17:45
*** marcoemorais has joined #openstack-keystone17:45
gyeeayoung, yeah17:46
ayounggyee, where is the state of  X509 Plugin spec?17:47
ayoungAre you doing it all with the Federated plugin, and don;t need any new code?17:47
gyeeayoung, the spec is in review17:47
gyeeyeah, I am going to use the mapping plugin17:48
gyeeI haven't get a chance to push the code yet17:48
ayounggyee, OK,  so  lets assume that gets through17:49
*** lhcheng has quit IRC17:49
ayounghere is what I would think we would need next17:49
gyeeayoung, you can extract signer info from CMS17:49
ayounggyee, well, you could if I hadn;t put a bug in there17:49
gyeebut I don't know if there's apache module that does CMS extraction17:49
*** lhcheng has joined #openstack-keystone17:49
*** edmondsw has quit IRC17:49
ayounghttp://git.openstack.org/cgit/openstack/python-keystoneclient/tree/keystoneclient/common/cms.py#n146  and17:50
ayounghttp://git.openstack.org/cgit/openstack/python-keystoneclient/tree/keystoneclient/common/cms.py#n33317:50
gyeeayoung, so you are not using apache frontend to validate the cms?17:50
ayoungboth ignore the params passed in, making the tokens Base64 PEM   instead of DER...which we could parse.17:50
*** marcoemorais1 has joined #openstack-keystone17:50
ayoungnah, I mean that in the PKIZ tokens I was supposed to be SIGNING binary17:51
gyeeworks fine either way, I suppose you can just add auth_token middleware to Keystone17:51
ayoungthen compressing17:51
gyeeand have it parse CMS and feed it into the mapping layer17:51
ayoungjust means that if we uncompress, we will get Base64 encoded CMS, and we need to unbase64 before we parse, but I digress17:51
ayoungso, yeah, we can get the signing data out of the CMS document17:52
*** marcoemorais has quit IRC17:52
ayoungok,  lets assume a token comes in and it has signing info that this auth_token middleware has never seen17:52
ayoungso it needs to do 3 steps17:52
ayoung1.  fetch the certificate based on that signing info17:53
*** amcrn has joined #openstack-keystone17:53
*** swamireddy1 has quit IRC17:53
ayoung2.  From the certificate, fetch the user17:53
ayoung3.  from the user, fetch the "athority to sign"17:53
ayoungauthority17:53
ayoungauthority to sign is tricky...it probably should be RBAC17:53
*** lufix has quit IRC17:53
*** aix has quit IRC17:53
*** lhcheng has quit IRC17:54
ayoungso in order for user U to sign tokens for projects in domain D  then need the role "DomainSigner" for D17:54
ayoungbut we probably don't want to hard code that17:55
ayoungso...17:55
ayoung3  probably is:17:55
ayoungfetch roles for user on domain D17:55
ayoungand compare with policy17:55
ayoungwhich means fetching policy on demand17:55
*** sigmavirus24_awa is now known as sigmavirus2417:55
ayounggyee, but step 2 ( From the certificate, fetch the user) is pretty much the same mapping rule that you are going to use for the auth plugin17:56
ayoungclear as mud?17:57
*** lnxnut has quit IRC18:00
gyeeayoung, no18:00
gyeeI let apache mod_ssl do the dirty work for me18:01
ayounggyee, sure18:01
ayoungyou end up with an env var for the subject, say18:01
gyeeright18:01
ayounggyee, http://www.freeipa.org/page/Environment_Variables#X.509_Authentication18:02
ayoungvery useful page18:02
*** marcoemorais1 has quit IRC18:02
*** amcrn has quit IRC18:02
gyeenkinder, morganfainberg, http://tiedhouse.com/dinner-menu, say 6pm?18:02
ayoung SSL_CLIENT_S_DN18:02
*** marcoemorais has joined #openstack-keystone18:03
gyeeayoung, yes, that's what I am using18:03
openstackgerritLance Bragstad proposed a change to openstack/keystone: Extract Assignment tests from IdentityTestCase  https://review.openstack.org/12165318:03
morganfainberggyee, nkinder, works for me18:03
ayounggyee, OK,  so  in the case of validating a token...I can parse the certificate used to sign the token to get that variable18:03
ayoungremember, this is not SSL18:04
ayoungso apache can't handle it for us18:04
gyeeayoung, so you can essentially do this in middleware, same as auth_token18:04
*** marcoemorais has quit IRC18:04
gyeevalidate CMS and set the env vars18:04
*** marcoemorais has joined #openstack-keystone18:04
ayounggyee, yep18:05
ayoungexactly18:05
gyeethen ingressing the mapping like all other plugin18:05
gyeeso we have a consistent pattern18:05
ayoungbut this is in, say Nova, not in keystone server, so I need to be able to remotely evaluate the mapping18:05
gyeeayoung, sure, come to think of it, we have per-endpoint policy now, we can think along this line18:06
ayoungyep18:06
ayounggyee, caching in general is going to be an issue.  But again, a digression18:07
ayounggyee, are you guys right next to Moffit Field?18:08
ayoungMoffet18:08
gyeeayoung, yeah, we can see the jumbo jets parking in NASA18:08
*** andreaf has quit IRC18:08
ayoungIf that was not such a pain to get to from SF, I might still be in the Army18:08
ayoungI was 5 years off active service, and overdue for a physical18:08
ayoungthey said I had to get to Moffet for sick call...like 5 AM.18:09
gyeedude, can you handle 50 push ups?!18:09
gyee5 miles in 30 flat18:09
ayoungIn a fit of pique, I just flipped the paper over and signed in the "Or sign here to resign..."18:09
ayoungMy 2 mile time is now measured with a calendar18:09
ayoungif I hadn't, I probably would have gotten stop-lossed and ended up getting called up for Iraq.18:10
ayoungthis was 2001....18:10
gyeeI live 2 miles from a army training facility, still hear canons going off in the middle of the night18:10
ayoungDublin?18:11
gyeeyeah18:11
ayoungI used to drill there18:12
gyeeCamp Park18:12
ayoungyeah. They have a rifle range, and a good amount of space for maneuver training.  What you probably hear is grenade simulators18:14
ayounggyee, so the APIs we would need:  a GET certificate that uses the signer data18:16
*** amerine_ has joined #openstack-keystone18:17
ayoung...I guess we could use the mapping from federaion18:17
ayoungand then we'd have to evaluate it in client18:17
ayoungand get policy18:18
*** amerine has quit IRC18:18
ayoungah...no18:18
ayoungjust evaluating the mapping is not enough18:18
ayoungthat gives the groups, but we'd need something like a token18:18
ayounggyee, what if we did something like POST /auth/tokens?fake18:19
ayoungand then you get back a token that would never validate?18:19
*** amcrn has joined #openstack-keystone18:20
ayoungbut that had all of the users data on it?  Or...with constrainsts, we could do endpoints[]  meaning, yeah, its a real token, but no one should accept it18:20
gyeeayoung, yes, right now mapping can handle user_id and group18:20
gyeewe need to make it more generic18:20
gyeefor the x.509 stuff, I am fine with mapping to groups18:21
*** marcoemorais has quit IRC18:22
gyeegroups are permission templates so they are good enough for most use cases18:22
ayounggyee, right,  I just don't want to reimplement the token pipeline in the client18:24
ayoungso  I need to be able to take a user and a domain and say "what roles would this user have in this domain"18:25
ayoungand then evalutate against the policy file18:25
gyeeayoung, sorry, need to run, be back in an hour, lets do some brainstorming later18:28
ayoungI'm good.  Got it all solved18:29
*** amerine_ is now known as amerine18:30
nkindergyee: works for me too18:31
stevemarnkinder, OK, *now* this is rebased and everything should be super awesome18:40
stevemarhttps://review.openstack.org/#/c/126754/18:40
stevemarall of your domain-ness should be fixed :)18:40
*** NM is now known as INFO18:42
lbragstadbknudson: I think the Location stuff got refactored out the of identity-api spec https://bugs.launchpad.net/keystone/+bug/118268118:46
uvirtbotLaunchpad bug 1182681 in keystone "v3 doesn't return Location header on 201 Created" [Low,Confirmed]18:46
*** INFO is now known as NM18:47
*** andreaf has joined #openstack-keystone18:47
lbragstadbknudson: looks like it was removed here: https://github.com/openstack/identity-api/commit/a59d354947d4771d4614dbfd89ad45bf63289e4518:49
*** marcoemorais has joined #openstack-keystone18:50
bknudsonlbragstad: the HTTP spec says that the Location header must be returned on a 201 Created19:02
bknudsonlbragstad: so if the server isn't returning a Location header then it doesn't conform.19:03
*** flwang1 has quit IRC19:03
lbragstadbknudson: right, I looked for that in the spec but couldn't find what it's suppose to do19:05
lbragstadbecause it was pulled out19:05
bknudsonlbragstad: the spec might have said that location was returned when the server wasn't returning it.19:05
*** flwang1 has joined #openstack-keystone19:14
bknudsonNot sure what corosync is but apparently it doesn't work very well.19:14
*** lhcheng has joined #openstack-keystone19:15
*** radez is now known as radez_g0n319:26
*** afazekas has quit IRC19:28
*** eglynn has joined #openstack-keystone19:28
*** flwang1 has quit IRC19:31
*** marcoemorais has quit IRC19:33
*** marcoemorais1 has joined #openstack-keystone19:33
*** _cjones_ has quit IRC19:39
*** _cjones_ has joined #openstack-keystone19:39
*** _cjones_ has quit IRC19:44
*** ajayaa has quit IRC19:45
*** david-lyle is now known as david-lyle_afk19:47
dstanekare we not going to remove the catalog kvs backend?19:47
*** dimsum_ has quit IRC19:48
*** lhcheng has quit IRC19:48
*** lhcheng has joined #openstack-keystone19:48
lbragstadbknudson: looks like dolphm removed the Location stuff from the identity-api spec19:49
*** topol has quit IRC19:52
*** lhcheng has quit IRC19:53
*** dvorak has quit IRC20:02
*** Kui has joined #openstack-keystone20:05
*** flwang1 has joined #openstack-keystone20:05
*** fifieldt has quit IRC20:08
ayoungwhy does argparse hate me?20:10
*** r1chardj0n3s_afk is now known as r1chardj0n3s20:10
ayoungdstanek, wtf am I doing wrong with arg parse:20:11
dstanek?20:12
ayounghttp://fpaste.org/140757/12885533/20:12
ayoungif I run20:12
ayoung$ python freeipa.py --list20:12
ayoungUsage: freeipa.py [global-options] COMMAND [command-options]20:12
ayoungfreeipa.py: error: no such option: --list20:12
ayoungbut20:12
ayoung$ python freeipa.py -h20:12
ayoungusage: freeipa.py [-h] [--list] [--host HOST]20:12
ayoungI really just want to ignore the --list to start20:13
ayounglater I'll do something with it20:13
dstanekthat's odd - it looks ok20:14
*** vhoward has left #openstack-keystone20:14
lbragstadif --list is a flag should if default if not provided?20:15
ayounglbragstad, it is20:15
dstanekayoung: your code works fine for me20:15
ayoungwhat?20:15
dstanekyou probably don't want to default --list to True because if you do there would be no reason to specify --list20:16
ayoungmaybe it is the name freeipa conflictin with something?20:16
dstanekayoung: i deleted the freeipa import because i don't have that, but otherwise it works20:16
ayoungdstanek, I'm betting the freeipa library is running argparse20:17
ayoungmother....20:17
dstanekayoung: what do i pip install to get ipalib?20:17
lbragstadbut wouldn't that be under a different parser object?20:17
ayoungdstanek, heh, you don't20:17
*** dvorak has joined #openstack-keystone20:17
ayoungi guess python-freeipa?20:17
ayounglbragstad, yeah, but the second parser is still trying to parse me CLI args20:18
dstanekayoung: the strange thing is that your help is different20:18
ayoungmaybe because context=cli...?20:18
ayoungdstanek, yeah...think that is the freeipa cli parsing coming in...let me see if there is a different context I should set20:19
dstanekayoung: ah, that would do it20:19
dstanekayoung: that would be really stupid if it parsed args on import20:20
*** fifieldt has joined #openstack-keystone20:21
ayoungdstanek, this code was written primarily to keep things common between the server and a CLI20:24
ayoungI don't know if people have attempted to use it as a programmatic API on a regular basis20:24
ayoungdstanek, the problem is that I need to specify conetxt ='cli' to turn off debugging ,and I don't think there is a way around that.20:25
*** lhcheng has joined #openstack-keystone20:26
ayoungnope, it isn't the context...20:26
ayoungdstanek, thanks. it was running optparse.  I had just followed the example, which called a function that triggered that, but I can change20:33
ayoung    #api.bootstrap_with_global_options(context='cli')20:34
ayoung    api.bootstrap(context='cli')20:34
ayoungand it works20:34
*** cds has joined #openstack-keystone20:36
*** lhcheng has quit IRC20:38
*** lhcheng has joined #openstack-keystone20:38
*** _cjones_ has joined #openstack-keystone20:39
dstanekayoung: wierd, but I'm glad you got it figured out20:43
*** lhcheng has quit IRC20:43
ayoungdstanek, I got ansible to use freeipa hostgroups in 19 lines of python20:43
ayounghttp://fpaste.org/140767/14128873/20:43
ayounghttp://fpaste.org/140772/41288736/20:43
ayoungprobably could get that down a few lines more20:44
dstaneki really need to start spending some time with freeipa20:44
ayoungdstanek, I've got a public instance up in dreamhost20:44
ayounghttps://ipa.younglogic.net/ipa/ui/20:45
dstanekayoung: nice20:45
ayoungdstanek, and a Keystone instance that points to it20:45
ayoungall nicely kerberized, too20:45
boltRis the keystone api client's auth_ref property just a JSON representation of the keystone server response?20:51
boltRi'm try to instantiate a Keystone api client just by passing an auth_ref object20:52
*** david-lyle_afk is now known as david-lyle20:53
boltRnvm it's not20:54
boltRguess there's some data massaging i have to do20:55
*** alex_xu has joined #openstack-keystone20:59
*** _cjones_ has quit IRC21:05
*** _cjones_ has joined #openstack-keystone21:05
nkinderstevemar: it doesn't look like check-tempest-dsvm-neutron-icehouse is very happy today...21:13
stevemarnkinder, indeed fwiw -> https://review.openstack.org/#/c/127346/21:13
*** HenryG has quit IRC21:14
nkinderstevemar: ah, cool.  +1'd.21:16
*** ayoung is now known as ayoung-afk21:16
nkinderstevemar: thanks for he clarification on the .id thing for my domain patch21:16
stevemarnkinder, could you tell i gave up half way through the explanation?21:16
stevemar:)21:16
nkindermight as well be consistent even though either approach works21:16
nkinder:)21:16
nkinderstevemar: I am glad you found that find_domain() already took care of the heavy lifting we needed21:17
*** lhcheng has joined #openstack-keystone21:20
dstanekwhy of why is the KVS catalog so broken...21:22
*** gordc has quit IRC21:22
morganfainbergdstanek, :(21:23
morganfainbergdstanek, at least is it consistently broken?21:23
dstanekmorganfainberg: since get_catalog only looks for the catalog key, is it possible to change the endpoints?21:24
dstanekany be extension the templated backend is also broken21:24
morganfainbergdstanek, the templated backend is all sorts of unfun21:24
morganfainbergi think the kvs backend (only used for templated?) can't be changed live.21:25
morganfainbergneeds a keystone restart atm21:26
stevemaryeah, i think you need to change the actual templated file and restart21:26
stevemarnot to mention the damn things don't have IDs21:26
dstanekif you do a catalog_api.create_endpoint() i don't think it will get into the catalog in kvs21:26
stevemar(the endpoints or service)21:26
stevemardstanek, pretty sure it won't - theres a patch going around to try and make it less broken21:27
dstanektemplated is just dumb because it subclasses kvs so that it gets around the abc enforcement, but none of the methods actually work21:27
stevemardstanek, https://review.openstack.org/#/c/120011/21:27
dstanekstevemar: i've seen that one...not quite sure about raising NotImplemented21:30
*** alex_xu has quit IRC21:31
*** lhcheng has quit IRC21:36
*** lhcheng has joined #openstack-keystone21:36
*** saipandi has quit IRC21:40
*** henrynash has quit IRC21:41
*** lhcheng has quit IRC21:41
*** _cjones_ has quit IRC21:42
*** _cjones_ has joined #openstack-keystone21:43
*** _cjones_ has quit IRC21:44
*** _cjones_ has joined #openstack-keystone21:45
*** eglynn has quit IRC21:50
nkindermorganfainberg, gyee: I'm going to have to bail on tonight.  Been trying to get over being sick this week, and today has been a losing battle. :(21:55
*** topol has joined #openstack-keystone21:56
*** thedodd has quit IRC21:59
*** packet has quit IRC22:14
*** rkofman has quit IRC22:14
*** sigmavirus24 is now known as sigmavirus24_awa22:14
*** packet has joined #openstack-keystone22:14
*** rkofman has joined #openstack-keystone22:15
*** packet has quit IRC22:19
*** henrynash has joined #openstack-keystone22:20
*** joesavak has quit IRC22:23
morganfainbergnkinder, ah no worries22:26
morganfainbergnkinder, don't get sick!22:26
*** nkinder has quit IRC22:28
*** NM has quit IRC22:31
*** thiagop has quit IRC22:46
*** henrynash has quit IRC22:48
*** cds has quit IRC22:51
*** flwang1 has quit IRC22:53
*** flwang1 has joined #openstack-keystone22:54
*** henrynash has joined #openstack-keystone22:54
*** andreaf has quit IRC23:01
*** _cjones_ has quit IRC23:04
*** _cjones_ has joined #openstack-keystone23:04
*** HenryG has joined #openstack-keystone23:07
*** _cjones_ has quit IRC23:09
*** bknudson has quit IRC23:17
*** henrynash has quit IRC23:17
*** nkinder has joined #openstack-keystone23:34
*** _cjones_ has joined #openstack-keystone23:35
*** jorge_munoz has quit IRC23:38
*** david-lyle has quit IRC23:40
*** alex_xu has joined #openstack-keystone23:42
*** nellysmitt has quit IRC23:47
*** _cjones_ has quit IRC23:51
*** _cjones_ has joined #openstack-keystone23:51

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!