Thursday, 2014-11-13

*** shakamunyi has quit IRC00:01
*** marcoemorais1 has joined #openstack-keystone00:02
*** shakamunyi has joined #openstack-keystone00:03
*** dtturner has quit IRC00:04
*** marcoemorais has quit IRC00:06
*** david-lyle_afk is now known as david-lyle00:10
patrickeastHi all, I’m getting an error with my DevStack related to keystone (i think), when starting up i see “ERROR: openstack The plugin token_endpoint could not be found” whenever it tries to run openstack commands. Any ideas why it would be doing that? I see the token_endpoint.py file in my devstack in the keystoneclient/auth directory so I’m not sure what the issue is00:15
patrickeasti’m not sure if it’s a config issue or some new change that caused this, it only started to break my CI a few hours ago00:15
jamielennoxpatrickeast: that's weird, stevemar did you merge that change to OSC?00:15
jamielennoxdoesn't look like it00:16
jamielennoxso the current master of OSC does a few weird things with token_endpoint it doesn't use the one from keystoneclient it does its own00:16
patrickeastoh interesting00:17
*** Viswanath has joined #openstack-keystone00:17
jamielennoxit will, but it doesn't at the moment00:18
patrickeastah ok, this thing? https://github.com/openstack/python-openstackclient/blob/747a62494ca17375b835c54992ea5907e68a9a4f/openstackclient/api/auth.py#L18300:19
*** zzzeek has quit IRC00:19
*** Viswanath has quit IRC00:20
jamielennoxpatrickeast: yes, and adds it to setuptools https://github.com/openstack/python-openstackclient/blob/747a62494ca17375b835c54992ea5907e68a9a4f/setup.cfg#L3100:24
jamielennoxwhich is generally a bad idea as it's going to conflict with the existing plugin00:24
jamielennox(which is currently a little broken)00:24
*** tellesnobrega_ has joined #openstack-keystone00:28
stevemarjamielennox, sry bout the late reply... the only thing merged to osc recently was to use test fixtures from ksc00:31
*** lhcheng has quit IRC00:31
jamielennoxstevemar: yea saw that, just not sure why patrickeast would have started seeing that error00:31
*** lhcheng has joined #openstack-keystone00:32
patrickeastjamielennox: stevemar: hmm yea looking around through the code and logs from the run I’m not sure what changed, the weird part is that things look ok on the official jenkins but at least a couple 3rd party ci’s are suffering from it00:33
jamielennoxpatrickeast: i can understand the keystoneclient token_endpoint clashing with the osc token_endpoint00:34
jamielennoxand they don't work the same00:34
jamielennoxalso the ksc one is a little broken unfortunately https://review.openstack.org/133866 and https://review.openstack.org/#/c/133865/100:35
jamielennoxstevemar: i think OSC loads token_endpoint by name rather than directly?00:35
*** lhcheng has quit IRC00:36
patrickeastlooks like by name https://github.com/openstack/python-openstackclient/blob/8ba74451ee9efe21a0554c184f28e380fe714313/openstackclient/common/clientmanager.py#L9000:38
*** tellesnobrega_ has quit IRC00:39
*** tellesnobrega_ has joined #openstack-keystone00:40
*** tellesnobrega_ has quit IRC00:48
jamielennoxayoung: looking at certmonger - how do you set the default CA00:49
*** gokrokve has quit IRC00:49
jamielennoxthere doesn't seem to be an option for it (which seems dumb)00:49
openstackgerrithenry-nash proposed openstack/keystone: Split the assignments manager/driver.  https://review.openstack.org/13095400:51
openstackgerrithenry-nash proposed openstack/keystone: Split the assignments controller  https://review.openstack.org/13263400:53
openstackgerrithenry-nash proposed openstack/keystone: Ensure controllers and managers reference new resource manager.  https://review.openstack.org/13352500:54
*** henrynash has quit IRC00:55
*** raildo has joined #openstack-keystone01:00
*** wwriverrat has joined #openstack-keystone01:01
*** _cjones_ has quit IRC01:01
*** amcrn has quit IRC01:04
*** dims_ has quit IRC01:05
*** dims has joined #openstack-keystone01:06
*** nkinder has joined #openstack-keystone01:07
*** alex_xu has joined #openstack-keystone01:14
*** shakamunyi has quit IRC01:14
*** RockKuo_Office has joined #openstack-keystone01:21
*** gyee has quit IRC01:25
*** gokrokve has joined #openstack-keystone01:28
openstackgerritRaildo Mascena de Sousa Filho proposed openstack/keystone: Constraint to prevent duplicates endpoints  https://review.openstack.org/13409501:29
*** marcoemorais1 has quit IRC01:30
*** wwriverrat has quit IRC01:32
openstackgerritZhiQiang Fan proposed openstack/python-keystoneclient: Enable hacking rule F821  https://review.openstack.org/13409601:33
ayoungjamielennox, you have to specify which CA to use.  I think we will have our own logic for which to select01:35
ayoungI was just working on that Spec01:35
jamielennoxthe devstack certmonger thing?01:36
jamielennoxi was just playing with certmonger, i've done this before and remember it being fairly simple01:36
jamielennoxnow it's being a PITA01:36
jamielennoxhttps://bugzilla.redhat.com/show_bug.cgi?id=1163539 doesn't help01:37
uvirtbotjamielennox: Error: Could not parse XML returned by bugzilla.redhat.com: HTTP Error 404: Not Found01:37
openstackgerritZhiQiang Fan proposed openstack/python-keystoneclient: Enable hacking rule F821  https://review.openstack.org/13409601:40
*** raildo has quit IRC01:47
*** sigmavirus24 is now known as sigmavirus24_awa01:51
*** tellesnobrega_ has joined #openstack-keystone01:53
*** wwriverrat has joined #openstack-keystone01:53
*** gokrokve has quit IRC01:56
*** gokrokve has joined #openstack-keystone01:56
openstackgerritayoung proposed openstack/keystone-specs: certmonger  https://review.openstack.org/13409902:00
*** gokrokve has quit IRC02:01
ayoungjamielennox, it is not that bad, but you need to have the client dbus installed, and that is in something like dbus-xorg02:01
jamielennoxayoung: oh, i'm actually not so much thinking even just keystone02:02
jamielennoxi was going to start with SSL in devstack02:02
ayoungah, cool02:02
ayoungOK, so you need:02:02
ayoungsudo yum install /usr/bin/dbus-launch02:02
jamielennoxIMO keystone should just get out of the cert management business altogether02:02
ayoungthat is in:02:02
ayoungdbus-x11-1.6.12-9.fc20.x86_6402:03
jamielennoxjust drop the manage pki functions completely02:03
ayoungjamielennox, eventually02:03
ayoungbut for now, there is tooling built around it, so this gives us a transition plan02:03
ayoungIf devstack wants to ignore it, that should be fine02:03
*** ayoung has quit IRC02:04
jamielennoxright, but whatever we do in certmonger is going to require some system setup and config02:05
jamielennoxso it's not just a transition, it's if you do these changes then your old stuff will still work02:05
jamielennoxwe may as well just ditch it directly02:05
*** ayoung has joined #openstack-keystone02:05
ayoungjamielennox, and I managed to just kill my desktop X session02:06
jamielennoxlol02:06
jamielennoxyea, don't mess with dbus02:06
ayoungthought I was on a VM02:06
*** tellesnobrega_ has quit IRC02:07
*** david-lyle is now known as david-lyle_afk02:08
ayoungjamielennox, anyway...you run02:10
ayoungdbus-launch02:10
ayoungand it gives you two env vars02:10
ayoungreally should export at least the second:02:10
ayoungDBUS_SESSION_BUS_PID=2445302:10
ayoungso you can kill it when devstack is done02:10
jamielennoxayoung: i have the basics working02:11
ayoungnice!02:11
jamielennoxwouldn't i just use the system bus?02:11
ayoungdepends on if you want to force it to be done by root or not02:12
jamielennoxrather than launch a custom02:12
ayoungI was doing it all as the end user02:12
jamielennoxhmm, yea, might be a problem for devstack and re-running things02:12
ayoungwhich, for devstack, is the right approach02:12
ayoungfor packaging, I suspect it is still correct, but would be willing to let it go to root as well02:12
jamielennoxso by that i mean i have a test folder where i've gotten certs from certmaster, not wired any further than that02:12
jamielennoxwas trying to see if there was a way to influence the certmaster CA cert02:15
jamielennoxcan i change the one being used, can i fetch it over getcert or something02:15
openstackgerritZhiQiang Fan proposed openstack/python-keystoneclient: Enable hacking rule E122  https://review.openstack.org/13410102:16
*** browne has quit IRC02:17
*** tellesnobrega_ has joined #openstack-keystone02:17
openstackgerritZhiQiang Fan proposed openstack/python-keystoneclient: Enable hacking rule H304  https://review.openstack.org/13410202:21
*** tellesnobrega_ has quit IRC02:25
openstackgerritRaildo Mascena de Sousa Filho proposed openstack/keystone: Constraint to prevent duplicates endpoints  https://review.openstack.org/13409502:33
ayoungjamielennox, you'd have to ask nalind02:36
ayoungjamielennox, but the CA cert is not what you need, you would need the corresponding private key, and, no, that cannot be fetched02:36
jamielennoxayoung: right - i just need to add the CA to the system list02:37
*** diegows has quit IRC02:39
*** raildo has joined #openstack-keystone02:41
*** richm has quit IRC02:45
*** dims has quit IRC02:49
*** dims has joined #openstack-keystone02:50
*** raildo has quit IRC02:53
*** esp has joined #openstack-keystone02:55
*** patrickeast has quit IRC02:56
*** tellesnobrega_ has joined #openstack-keystone02:59
*** kobtea has joined #openstack-keystone03:25
*** kobtea has quit IRC03:29
*** browne has joined #openstack-keystone03:31
*** browne has quit IRC03:31
*** ctracey has quit IRC04:05
*** ctracey has joined #openstack-keystone04:06
*** gus_ has joined #openstack-keystone04:11
*** tristanC_ has joined #openstack-keystone04:12
*** RockKuo_ has joined #openstack-keystone04:12
*** colettecello has joined #openstack-keystone04:12
*** mhu has quit IRC04:12
*** htruta has quit IRC04:12
*** EmilienM has quit IRC04:12
*** vishy has quit IRC04:12
*** cyeoh has quit IRC04:12
*** redrobot has quit IRC04:12
*** gus has quit IRC04:12
*** RockKuo_Office has quit IRC04:12
*** afaranha has quit IRC04:12
*** mitz_ has quit IRC04:12
*** tristanC has quit IRC04:12
*** gothicmindfood has quit IRC04:12
*** tsufiev has quit IRC04:12
*** swartulv has quit IRC04:12
*** mitz has quit IRC04:12
*** henrique_ has joined #openstack-keystone04:12
*** mhu1 has joined #openstack-keystone04:12
*** tsufiev has joined #openstack-keystone04:12
*** mitz has joined #openstack-keystone04:12
*** mhu1 is now known as mhu04:12
*** afaranha has joined #openstack-keystone04:13
*** redrobot has joined #openstack-keystone04:14
*** redrobot is now known as Guest1762704:14
*** EmilienM has joined #openstack-keystone04:14
*** cyeoh has joined #openstack-keystone04:15
*** swartulv has joined #openstack-keystone04:15
*** vishy has joined #openstack-keystone04:15
openstackgerritTakashi NATSUME proposed openstack/keystone: Enable cloud_admin to list projects in all domains  https://review.openstack.org/13411104:19
*** ayoung is now known as ayoung-mia04:27
*** radez is now known as radez_g0n304:47
*** tellesnobrega_ has quit IRC04:52
*** marcoemorais has joined #openstack-keystone05:15
*** alex_xu has quit IRC05:16
*** marcoemorais1 has joined #openstack-keystone05:17
*** marcoemorais has quit IRC05:20
*** wwriverrat has quit IRC05:39
*** wwriverrat has joined #openstack-keystone05:40
*** wwriverrat has quit IRC05:40
*** wwriverrat has joined #openstack-keystone05:40
*** ajayaa has joined #openstack-keystone05:58
*** KanagarajM has joined #openstack-keystone05:59
*** ukalifon has joined #openstack-keystone06:05
*** k4n0 has joined #openstack-keystone06:09
*** wwriverrat has quit IRC06:22
*** kobtea has joined #openstack-keystone06:59
*** josecastroleon has quit IRC07:03
*** kobtea has quit IRC07:04
*** josecastroleon has joined #openstack-keystone07:12
openstackgerritDave Chen proposed openstack/keystone: Remove local conf information from paste-ini  https://review.openstack.org/13412407:17
openstackgerritDave Chen proposed openstack/keystone: Remove local conf information from paste-ini  https://review.openstack.org/13412507:23
openstackgerritDave Chen proposed openstack/keystone: Remove local conf information from paste-ini  https://review.openstack.org/13412407:25
*** stevemar has quit IRC07:29
*** __afazekas has quit IRC07:36
*** henrynash has joined #openstack-keystone07:38
*** harlowja has joined #openstack-keystone07:41
*** henrynash has quit IRC07:44
*** harlowja has quit IRC07:53
*** nellysmitt has joined #openstack-keystone08:01
*** afazekas has joined #openstack-keystone08:01
*** marcoemorais1 has quit IRC08:02
*** harlowja has joined #openstack-keystone08:06
*** marekd|away is now known as marekd08:12
marekdlol, gating problems for domain inheriting roles.08:14
marekd?08:14
*** harlowja has quit IRC08:23
*** ukalifon has quit IRC08:29
*** amirosh has joined #openstack-keystone08:34
*** ajayaa has quit IRC08:36
*** gordc has joined #openstack-keystone09:07
*** henrynash has joined #openstack-keystone09:07
*** junhongl has quit IRC09:11
*** RockKuo_ has quit IRC09:11
*** junhongl has joined #openstack-keystone09:11
*** ukalifon has joined #openstack-keystone09:12
openstackgerritDave Chen proposed openstack/keystone: Remove local conf information from paste-ini  https://review.openstack.org/13412409:16
openstackgerritDave Chen proposed openstack/keystone: Remove local conf information from paste-ini  https://review.openstack.org/13412409:19
*** RockKuo_ has joined #openstack-keystone09:24
*** henrynash has quit IRC09:25
*** henrynash has joined #openstack-keystone09:27
*** amirosh has quit IRC09:27
*** amirosh has joined #openstack-keystone09:27
*** amirosh has quit IRC09:28
*** amirosh has joined #openstack-keystone09:28
*** ajayaa has joined #openstack-keystone09:31
*** amirosh has quit IRC09:32
*** jistr has joined #openstack-keystone09:34
*** jacorob has quit IRC09:41
*** diegows has joined #openstack-keystone09:49
*** RockKuo_ has quit IRC09:53
*** eglynn-officeafk is now known as eglynn-office09:54
*** sluo_laptop has quit IRC09:58
*** RockKuo_ has joined #openstack-keystone10:06
*** aix has joined #openstack-keystone10:07
*** diegows has quit IRC10:17
openstackgerrithenry-nash proposed openstack/keystone: Split the assignments controller  https://review.openstack.org/13263410:22
*** alex_xu has joined #openstack-keystone10:25
openstackgerrithenry-nash proposed openstack/keystone: Ensure controllers and managers reference new resource manager.  https://review.openstack.org/13352510:27
*** tellesnobrega_ has joined #openstack-keystone10:35
*** kobtea has joined #openstack-keystone10:37
*** henrynash has quit IRC10:39
*** kobtea has quit IRC10:41
openstackgerritEamonn O'Toole proposed openstack/keystonemiddleware: Added pycrypto>=2.6 to requirements.txt  https://review.openstack.org/13416110:50
*** tellesnobrega_ has quit IRC10:59
*** nellysmitt has quit IRC11:00
*** nellysmi_ has joined #openstack-keystone11:01
openstackgerritMarek Denis proposed openstack/keystone: Don't return ``user_name`` in mapped.Mapped class.  https://review.openstack.org/13402711:02
*** marg7175 has joined #openstack-keystone11:03
*** mflobo has joined #openstack-keystone11:06
*** aix has quit IRC11:09
*** henrynash has joined #openstack-keystone11:09
*** marg7175 has quit IRC11:11
samuelmsmarekd, ping11:11
samuelmsmarekd, having problems with domain inherited roles?11:11
*** RockKuo_ has quit IRC11:11
samuelmshenrynash, ping11:12
marekdsamuelms: hey11:13
henrynashsamuelms: hi11:13
marekdi saw henrynash couldn't merge it.11:13
henrynashmarekd: which one?11:13
henrynashmarekd: oh, the bug fix?11:14
*** amakarov_away is now known as amakarov11:14
samuelmsmarekd, what kind of problem are you having ?11:14
*** marg7175 has joined #openstack-keystone11:14
marekdhenrynash: yes, i could see lots of reverify as jenkins was failing on unrelated tests11:15
marekdhttps://review.openstack.org/#/c/132872/11:15
henrynashmarekd: indeed…still trying!11:15
marekdsamuelms: i don't have problems with os-inherit - there were few problems with gating the fix :-)11:15
marekdsamuelms: like https://review.openstack.org/#/c/132872/11:15
marekdthat's all11:15
samuelmsmarekd, ok taking a look at this11:17
samuelmshenrynash, for my 'list role assignments' patch, I'd propose to use the same representation at manager and driver levels11:17
samuelmshenrynash, and then controller formats as it needs11:18
marekdsamuelms: sure, but henrynash is probably also reverifying :P11:18
samuelmshenrynash, take a look at https://review.openstack.org/#/c/132872/11:18
henrynashsamuelms: will do…11:18
samuelms:)11:19
henrynashsamuelms: did you mean to send me an example of your proposal….or did you mean to just send me the link of my failing patch?11:20
samuelmshenrynash, haha sorry xD11:20
samuelmshenrynash, https://etherpad.openstack.org/p/role-assignment-backend-language11:20
henrynashsamuelms: rubbing it in, eh?11:20
samuelmshaha :p11:21
*** saipandi has joined #openstack-keystone11:22
*** links has joined #openstack-keystone11:22
henrynashsamuelms: I’ll be able to take a look in a while…11:23
henrynashsamuelms: nice idea to write it up like that11:23
samuelmshenrynash, ok thanks :-)11:24
*** aix has joined #openstack-keystone11:25
*** KanagarajM has quit IRC11:27
samuelmshenrynash, you'll be working on domain owned roles, right?11:27
openstackgerrithenry-nash proposed openstack/keystone: Split the assignments controller  https://review.openstack.org/13263411:28
henrynashsamuelms: I’d have thought so, yes :-)11:29
samuelmshenrynash, really would like to work on that with you :)11:29
samuelmshenrynash, from spec to merge11:29
henrynashsamuelms: you mean the “domain-ness” idea and inheritance…or something else...11:29
henrynashsamuelms: or the role groups idea?11:30
samuelmshenrynash, yes .. 'domain-ness' idea, where we will have roles owned by those entities (namespaced roles)11:30
henrynashsamuelms: right, got it11:30
henrynashsamuelms: happy to work on it together!11:31
samuelmshenrynash, :D11:31
samuelmshenrynash, have you already started the spec? (we need one, right)11:31
marekdhenrynash: samuelms: you want to take a look at a chain of reviews?11:33
marekdstarting with https://review.openstack.org/#/c/133005/311:33
samuelmsmarekd, sure .. will take a look on them today11:35
samuelmsmarekd, it's time to learn about federation (-:11:36
marekdsamuelms: sure, why not11:36
henrynashsamuelms: well my approach is a bit different than perhaps others expect…spec is here: https://review.openstack.org/#/c/133855/11:37
henrynashmarekd: will do11:37
openstackgerrithenry-nash proposed openstack/keystone: Ensure controllers and managers reference new resource manager.  https://review.openstack.org/13352511:38
*** henrynash has quit IRC11:38
marekdthanks.11:38
*** lhcheng has joined #openstack-keystone11:41
*** lhcheng has quit IRC11:42
*** lhcheng has joined #openstack-keystone11:42
samuelmshenrynash, ok thanks for the link .. will take a look at11:44
*** dims has quit IRC12:07
*** dims has joined #openstack-keystone12:08
*** henrynash has joined #openstack-keystone12:14
*** ajayaa has quit IRC12:35
*** diegows has joined #openstack-keystone12:44
*** ajayaa has joined #openstack-keystone12:48
*** amirosh has joined #openstack-keystone12:49
*** marg7175 has quit IRC12:52
*** henrynash has quit IRC12:54
openstackgerritMarek Denis proposed openstack/keystone: Don't return ``user_name`` in mapped.Mapped class.  https://review.openstack.org/13402712:57
*** diegows has quit IRC13:01
*** aix has quit IRC13:01
*** aix has joined #openstack-keystone13:04
*** afazekas has quit IRC13:07
*** raildo has joined #openstack-keystone13:18
*** nellysmi_ has quit IRC13:19
*** afazekas has joined #openstack-keystone13:23
*** saipandi has quit IRC13:25
*** miqui has joined #openstack-keystone13:31
*** marg7175 has joined #openstack-keystone13:32
marekdmorganfainberg:  can we +2 this https://review.openstack.org/#/c/134027/3 ?13:32
marekddstanek: ^^13:32
*** afazekas has quit IRC13:32
*** henrynash has joined #openstack-keystone13:34
*** henrynash has quit IRC13:40
*** aix has quit IRC13:40
*** sigmavirus24_awa is now known as sigmavirus2413:43
*** lhcheng_ has joined #openstack-keystone13:44
*** raildo has quit IRC13:44
openstackgerritEamonn O'Toole proposed openstack/keystonemiddleware: Added pycrypto>=2.6 to requirements.txt  https://review.openstack.org/13416113:45
*** afazekas has joined #openstack-keystone13:45
*** alex_xu has quit IRC13:45
*** lhcheng has quit IRC13:47
*** radez_g0n3 is now known as radez13:48
*** jistr has quit IRC13:53
openstackgerritHenrique Truta proposed openstack/python-keystoneclient: Creating parameter to list inherited role assignments  https://review.openstack.org/11730013:54
*** aix has joined #openstack-keystone13:54
*** jistr has joined #openstack-keystone13:54
*** raildo has joined #openstack-keystone13:56
*** alex_xu has joined #openstack-keystone13:58
*** gokrokve has joined #openstack-keystone14:00
*** henrynash has joined #openstack-keystone14:03
*** ityaptin has joined #openstack-keystone14:05
*** nkinder has quit IRC14:08
*** packet has joined #openstack-keystone14:08
*** dims has quit IRC14:10
*** k4n0 has quit IRC14:10
*** dims has joined #openstack-keystone14:10
openstackgerrithenry-nash proposed openstack/keystone-specs: Replace the concept of extensions in Keystone.  https://review.openstack.org/13380914:11
*** richm has joined #openstack-keystone14:12
*** wolsen has quit IRC14:19
*** wolsen has joined #openstack-keystone14:19
*** diegows has joined #openstack-keystone14:22
*** marg7175 has quit IRC14:23
*** marg7175 has joined #openstack-keystone14:24
*** alex_xu has quit IRC14:40
*** afazekas has quit IRC14:44
openstackgerritLance Bragstad proposed openstack/keystone: Move test_pemutils.py to unit test directory  https://review.openstack.org/13423314:45
*** svasheka has joined #openstack-keystone14:49
svashekahi guys, is there any good documentation on how create trusts with python api?14:49
morganfainbergMarek +214:50
lbragstadsvasheka: https://github.com/openstack/identity-api/blob/master/v3/src/markdown/identity-api-v3-os-trust-ext.md might be a good place to start if you haven't already referenced it14:50
svashekathanks,  I'm trying to test keystone with rally, so I need python bindings examples14:52
*** nkinder has joined #openstack-keystone14:54
marekddoes anybody have some experience regarding python-keyring?14:56
marekdmorganfainberg: thanks.14:56
*** afazekas has joined #openstack-keystone15:00
*** jistr has quit IRC15:06
*** jistr has joined #openstack-keystone15:07
*** ajayaa has quit IRC15:13
*** gokrokve_ has joined #openstack-keystone15:15
*** gokrokve has quit IRC15:19
*** saipandi has joined #openstack-keystone15:24
amakarovmorganfainberg, hello! Can you please review my spec change for redelegation?  (you asked for it :)) https://review.openstack.org/#/c/131541/15:25
*** stevemar has joined #openstack-keystone15:26
morganfainbergamakarov: yes I can review it. We have some changes we've been discussing that are in line with that as well.15:26
morganfainbergNot sure when I'll be doing reviews today. Still recovering a little from jet lag.15:26
morganfainbergmarekd: What's up with keyring? It's... Been kinda thorny / icky in the past.15:27
amakarovmorganfainberg, good luck with that ) Is there any blueprint for changes?15:27
marekdmorganfainberg: so i want to go ahead and enhance saml2 client plugins and make them store unscoped tokens in some cache - simply doing federated auth seems to be too expensive.15:28
morganfainbergamakarov: it is more along the lines we want to make delegation (and re delegation) part of the base API instead of it being an extension.15:28
marekdmorganfainberg: however currently every time i want to set/get a password i need to pass my desktop password15:29
marekdand was wondering if this could be somehow disabled.15:29
morganfainbergmarekd: sure. I *think* it can. But I am unsure how.15:29
morganfainbergThis is outside my knowledge of keyring.15:29
marekdmorganfainberg: basically i think this could be done for auth plugins for general, but jamielennox seems to need to wait and he advised me to play in my own playground - with saml auth plugins.15:30
morganfainbergamakarov: so, the spec is very valid, just might get a little reworking as we go through it.15:30
morganfainberg;)15:30
*** kobtea has joined #openstack-keystone15:30
morganfainbergamakarov: I'll definitely review today and comment as I see needed.15:30
morganfainbergmarekd: I agree we can make the ux better for everyone and all plugins.15:31
marekdmorganfainberg: i'd say it's proper use of tokens :-)15:31
marekdmorganfainberg: isn't it currently that there are tokens valid for n hours, but with each REST call Keystone issues a new one?15:32
morganfainbergLol. Since we're not ditching tokens.... Yeah.15:32
amakarovmorganfainberg, ah, I recall something about that from sessions. +1, extension framework is indeed a strange thing for core feature implementation :)15:32
marekdmorganfainberg: exactly, and this fills the db.15:32
morganfainbergPeople keep pushing for reissuing tokens. I'd rather use keyring. That seems way better15:32
morganfainbergKeyring is clients being smart, not the server needing to know if it should reissue a token.15:33
morganfainbergIt feels like a client should be smart in that regard. Over needing to make the server way way more aware of your intentions.15:33
marekdmorganfainberg: i will propose something for saml either way and this may be a starting point for some architecture decision.15:34
morganfainbergSounds good.15:34
stevemarmorganfainberg, heads up on https://bugs.launchpad.net/keystone/+bug/139226415:34
uvirtbotLaunchpad bug 1392264 in keystone "Keystonemiddleware crashes when memcache encryption is enabled with Swift" [Undecided,New]15:34
morganfainbergReally? Nice. :(15:35
*** kobtea has quit IRC15:35
*** diegows has quit IRC15:35
morganfainbergstevemar: ok let's confirm that is actually happening and get that prioritized high/critical if it is (justifies a release as soon as fixed if it's happening)15:36
morganfainbergOh.15:37
morganfainbergI see what is going on. Uhhh. "Optional dep"15:37
stevemarmorganfainberg, i'm just not sure if it ... yeah that bit15:37
morganfainbergstevemar: ok hmm. Let me finish my coffee and noodle on this one.15:38
stevemarif you're up for an easy one: https://review.openstack.org/#/c/133005/ :)15:39
morganfainbergstevemar: +315:42
stevemaryee haw15:42
morganfainbergstevemar: when I'm done with coffee need to pick your brain a little.15:43
stevemarsure15:43
marekdmorganfainberg: keystoneclient puts into X-Auth-Token  token_id (string) if the uuid tokens are used and *whole* token in case pki tokens are used, correct ?15:47
morganfainbergYes. The PKI string *is* the ID for PKI tokens.15:48
marekdmorganfainberg: so it's a json structure or again some random string?15:49
marekdi thought it's the json15:49
morganfainbergIt is ASN1 encoded/signed json.15:50
morganfainbergBut it could be some other opaque string (see ae-token proposal)15:50
morganfainbergBasically token ID is used. What that ID is can vary. Either middleware can validate it or keystone is asked to validate it (and return the json blob)15:51
marekdso, no matter if uuid tokens or pki tokens are used and my input is keystoneclient.access.AccessInfoV3 i can simply save access_token.auth_token value to a keyring or file or wherever ?15:51
morganfainbergCheck to make sure auth_token string is the long (not hashed) form of PKI tokens. But yes if it is the full string.15:52
*** jistr has quit IRC15:53
marekdwell, it's always used in ksc as an input val for X-Auth-Token, just wanted to make sure i don't need to serialize to str depending on token's type.15:53
*** gokrokve_ has quit IRC15:53
morganfainbergNo you shouldn't need to serialize that in either case.15:54
marekdthanks15:54
*** gokrokve has joined #openstack-keystone15:54
*** raildo has quit IRC15:57
baffleI'm trying to get keystone policy.json + v3 domains + roles to work. First I'm trying to do something simple like "list users in domain". The "admin" role is assigned to an "Administrators" group for the domain, which my user is a member of. If I list effective role assignments for my user, the ID of the "admin" role pops up for the domain. But "user list --domain <domain>" doesn't work, 403. Ideas? My policy.json is based on the Juno v3cloud sa16:00
*** ukalifon has quit IRC16:01
baffleI'm scoped to my domain, not project.16:02
*** raildo has joined #openstack-keystone16:02
henrynashbaffle: on the surface of it, you seem to be doing the right thing16:05
henrynashbaffle: the fact that it is a 403 is a little interesting, since that’s “harder” than a 401 Unauthorized16:06
henrynashbaffle: are you using domain-specific config files?16:07
henrynashbaffle: …and I’m assuming this is the osc (openstack client), not keystone client?16:08
bafflehenrynash: Yes, this is OSC.16:08
bafflehenrynash: No, not domain-specific config files, everything stored in SQL.16:08
bafflehenrynash: Normal usage works fine, I have 130+ domains.16:08
henrynashbaffle: nice!!!16:09
henrynashbaffle: let me have a quick squint at the code…hold on16:09
bafflehenrynash: And users of the magic admin_domain is able to list users etc.16:09
henrynashbaffle: interesting16:09
baffleI'll pastebin relevant sections.16:09
*** agireud has joined #openstack-keystone16:10
henrynashbaffle: thx…just got a phone call interrupt…16:11
morganfainberghmm.16:12
morganfainbergok16:12
*** links has quit IRC16:14
bafflehenrynash: Here: http://paste.openstack.org/show/1tRLQffdJ4YVTxShuXWf/16:15
baffleUsually I scope to a project with OS_PROJECT_NAME/OS_PROJECT_DOMAIN_NAME but now I've scoped to the domain with OS_DOMAIN_NAME instead. I guess that is correct? I tried both.16:18
*** thedodd has joined #openstack-keystone16:20
*** links has joined #openstack-keystone16:27
baffle(I'm not using the other roles anywhere yet, as I haven't been able to get things to work with just an "admin" role yet)16:29
*** jacorob has joined #openstack-keystone16:31
raildobaffle, maybe you can use the policy.v3cloudsample, so you can use roles like project_admin, domain_admin instead of just "admin"16:31
*** dtturner has joined #openstack-keystone16:32
raildohttps://github.com/openstack/keystone/blob/master/etc/policy.v3cloudsample.json16:32
*** raildo has left #openstack-keystone16:32
*** raildo has joined #openstack-keystone16:32
baffleraildo: I'm using that.16:33
*** Guest17627 is now known as redrobot16:34
baffleraildo: As I mentioned, "cloud_admin" works fine. :-/16:35
raildobaffle, sorry I was offline when you spoke , I just read the log now16:36
baffleraildo: All the commands I issued in the paste is done with a user scoped to the admin_domain; The ID of that domain is in the cloud_admin entry in policy.json.16:36
*** marekd is now known as marekd|away16:36
raildobaffle, ok16:37
baffleraildo: So, when I get the role:admin working for identity:list_users, I want to replace it with role:identity_domain_admin or something similar instead.16:37
baffleDomainID of stenstad.net is "2cfcdadf1e944cabac0b28d0361c5de7", just noticed I hadn't listed that.16:38
*** zzzeek has joined #openstack-keystone16:40
henrynashbaffle: nice paste info…16:42
*** ajayaa has joined #openstack-keystone16:42
henrynashraildo, baffle: not sure we need to change admin to domain_admin….I think it’s Ok as it is (raildo, I don’t think we’ve changed the v3 policy sample to use that, have we?)16:43
raildohenrynash, i don't think so...16:44
raildoi think that this match "domain_id:%(domain_id)s" is not working16:45
raildomaybe change this for target.domain_id16:45
baffleraildo: Yeah, that might be it.16:46
henrynashraildo: no, for list that’s not right16:46
raildohenrynash, hum... ok.16:47
henrynashraildo, it shouldn’t be target.domain_id for a list….I think it is correct as it is (but doesn’t explain why it’s not working)16:47
henrynashbaffle: are you using inherited roles?16:47
bafflehenrynash: Well, they're inherited from the group?16:48
henrynashbaffle: ok, true….I was talking more about the OS-INHERIT extension, which allows you to assign a role to a domain in order that it be inherited to all projects in that domain16:49
*** amirosh has quit IRC16:49
bafflehenrynash: No, nothing like that.16:50
*** wwriverrat has joined #openstack-keystone16:50
henrynashbaffle: and it’s a 403, not a 401?16:50
*** wwriverrat has left #openstack-keystone16:50
baffleERROR: cliff.app You are not authorized to perform the requested action: identity:list_users (HTTP 403)16:51
*** jistr has joined #openstack-keystone16:51
bafflekeystone.log: 2014-11-13 17:51:32.294 12502 WARNING keystone.common.wsgi [-] You are not authorized to perform the requested action: identity:list_users16:52
baffleHmmm. Maybe it's not here the problem is..16:54
henrynashbaffle: are you able to turn debug logging on and get me a full keystone log of a failed attempt16:54
openstackgerritMerged openstack/keystone: Fix domain federation tokens for inherited roles.  https://review.openstack.org/13287216:56
*** amirosh has joined #openstack-keystone16:56
rodrigodshenrynash, ^ finally!16:57
henrynashrodrigods: yahhhhhh!!!16:57
baffleI'm just doing debug logging on the client now.. If I just do "user list" I see it tries to call "https://identity.api.zetta.io:35357/v3/users".. Will it only list users belonging to the domain I'm scoped to then? And I specify --domain I see it gets a 404 on https://identity.api.zetta.io:35357/v3/domains/stenstad.net and then it tries https://identity.api.zetta.io:35357/v3/domains?name=stenstad.net and gets a "Forbidden: You are not authorized16:57
*** david-lyle_afk is now known as david-lyle16:58
*** _cjones_ has joined #openstack-keystone16:59
openstackgerritHenrique Truta proposed openstack/python-keystoneclient: Creating parameter to list inherited role assignments  https://review.openstack.org/11730017:01
baffleIf I specify the domain_id instead of domain to --domain, it does https://identity.api.zetta.io:35357/v3/domains/2cfcdadf1e944cabac0b28d0361c5de7 and I get a {"error": {"message": "You are not authorized to perform the requested action: identity:get_domain", "code": 403, "title": "Forbidden"}}17:01
henrynashbaffle: so when you list users, it will only proceed with the call IF you have authorization….i.e. if you just try and list users for a domain you don’t have a role on, it will error, rather than give you nothing17:01
henrynashbaffle: but it should give you a 401 not a 40317:01
*** wwriverrat has joined #openstack-keystone17:02
*** marcoemorais has joined #openstack-keystone17:02
*** ajayaa has quit IRC17:02
raildohenrynash, ++17:02
bafflehenrynash: So, does a call to https://identity.api.zetta.io:35357/v3/users without any other specification just list users that are in my token's scoped domain by default? Or do I need to specify that? And it seems like I'm unable to get domain info.. Confused. So confused..17:03
*** _cjones_ has quit IRC17:03
morganfainberghenrynash, going to split up the non-persistent tokens spec now to "fix token provider" spec and then add a "non-persistent PKI provider"17:03
*** _cjones_ has joined #openstack-keystone17:04
morganfainbergso..17:05
baffleidentity:list_domains: "rule:cloud_admin", <- Shouldn't this be "rule:cloud_admin or rule:admin_required and domain_id:%(target.user.domain_id)s" ... Or something..17:05
baffleWith ( ) .. :)17:05
openstackgerritMerged openstack/keystone: fix the wrong order of assertEqual args in test_v3  https://review.openstack.org/12711017:05
baffleSame with identity:get_domain?17:05
henrynashbaffle: so that is determined by the policy.json file, which says: if you are “cloud admin” then you can list everything, but if not then you must specify a domain and you must use a domain scoped token for the call that matches that domain AND has the role ‘admin’ in it17:06
bafflehenrynash: I'm thinking I'm having a problem with using a specific domain, because only cloud_admin has access to information about the domain? If I understand the v3cloudsample policy correctly..17:07
*** miqui has quit IRC17:08
bafflehenrynash: And it seems the client wants to do some lookups on that domain..17:08
henrynashbaffle: so the fact that only cloud admin can access it, tells us that something is wrong with matching the domain you are asking for against the token you are providing (for list_users)17:08
*** wwriverrat has left #openstack-keystone17:09
henrynashbaffle: you can argue whether a domain admin should be able to list his own domain (and he probably should be able to)….remember that v3policysample is just a guide to setting this up…we expect people to modify it17:09
baffleYeah.. When I use the cloud admin, it does a GET for https://identity.api.zetta.io:35357/v3/domains/stenstad.net which 404s, then it does a GET for https://identity.api.zetta.io:35357/v3/domains?name=stenstad.net to get the domain ID.. Which is what the "normal" admin gets a 403 on..  Then it does GET https://identity.api.zetta.io:35357/v3/users?domain_id=2cfcdadf1e944cabac0b28d0361c5de7 ..17:09
henrynashare you sure you are working with domain scoped token?17:10
bafflehenrynash: Yeah, and I really want to, but it's hard to understand everything. :)17:10
*** miqui has joined #openstack-keystone17:11
henrynashbaffle: agreed….I wrote most of it, and I still struggle sometimes :-)17:11
*** afazekas has quit IRC17:12
henrynashbaffle: …actually I have looked at code that eventually does check the policy file and (surprising, to me anyway) it does indeed throw a 403 if you don’t have the correct role…so maybe the 403 isn’t that unusual here…and points to (for some reason) there not being the correct domain/role match17:14
henrynashbaffle: I think I really need a keystone server debug log, unfortunately17:14
bafflehenrynash: Yeah, pretty sure. I auth just like I do with my cloud-admin user.17:14
baffleI can ghetto in some debug logging. This is a superlive platform. 8)17:15
henrynashbaffle: I kind of guessed that was the case :-)17:15
baffleBut I think the problem is that the client is trying to look up the domain_id, but it's not allowed to do that..17:15
*** aix has quit IRC17:16
baffleSince only users that match the cloud_admin rule will actually be able to do a domain search to get the domain_id..17:16
baffleSo, I think it boils down to missing access to look up my own domain_id using v3/domains?name=<my domain name>17:17
baffleUnless a call to v3/users will automatically filter output to my scoped domain.. Which I don't really believe in. :)17:18
*** diegows has joined #openstack-keystone17:18
*** links has quit IRC17:20
*** links has joined #openstack-keystone17:21
*** tellesnobrega_ has joined #openstack-keystone17:22
*** marg7175 has quit IRC17:23
henrynashbaffle: oh, I see what you mean17:24
henrynashbaffle: one thing you could try is change the rule for “get domain” to be:17:27
henrynash"rule:cloud_admin or admin_and_matching_domain_id"17:28
*** marg7175 has joined #openstack-keystone17:28
henrynashthis should let you at least read a domain as the domain admin17:28
henrynashbaffle: so if that’s what the client is doing, then that should then work17:29
bafflehenrynash: I'm suddenly unsure if I'm scoped to the domain or not.. I scope to the domain using OS_DOMAIN_NAME, right?17:31
*** jistr has quit IRC17:32
*** marg7175 has quit IRC17:32
*** marcoemorais has quit IRC17:32
*** marcoemorais has joined #openstack-keystone17:33
*** openstackgerrit has quit IRC17:34
*** openstackgerrit has joined #openstack-keystone17:34
baffleDoes baffle@xwing:~$ openstack user list17:35
baffleERROR: cliff.app You are not authorized to perform the requested action: identity:list_users (Disable debug mode to suppress these details.) (HTTP 403)17:35
bafflebaffle@xwing:~$ openstack user list --domain stenstad.net17:35
baffleERROR: cliff.app You are not authorized to perform the requested action: identity:list_domains (Disable debug mode to suppress these details.) (HTTP 403)17:35
baffleSorry for pasting. It uses list_domains, not get_domain it seems. Hmm.17:35
henrynashbaffle: so if osc is really using list_domains, then hmm, that’s a problem!17:37
baffleYup.17:37
henrynashbaffle: meaning, if it issues a list_domains on its way to doing a list_users, then that’s a problem17:37
*** nellysmitt has joined #openstack-keystone17:38
baffleYes, it seems like it does. :-/17:38
henrynashbaffle: ouch17:38
*** links has quit IRC17:38
baffleSince you can't use "matching_domain_id" in that search afaik.17:38
henrynashbaffle: nope17:40
henrynashbaffle: sounds like we need to raise a bug and get this looked at by client folks17:40
baffleOr.. I'm not scoping something correctly.17:41
henrynashbaffle: indeed17:42
henrynashbaffle: but I don’t think cloud admin would work if you weren’t scoping correctly17:43
baffleSo, if I scope to project, I have a token.project json stanza. If I scope to domain I have a token.domain stanza. That means I'm scoped to the domain, right?17:45
baffleI guess the question is if a call to /v3/users will actually reply with a filtered list based on the domain scope by default. I think it won't.17:46
baffleSometimes I wonder if I'm the only one using v3. :)17:47
*** colettecello is now known as gothicmindfood17:50
baffleYup. There we go.. Brought out some curl. If I call https://identity.api.zetta.io/v3/users/66b228407ee74fccb09dba5d672c41eb with my domain-scoped token, I get a user listing in return.17:50
baffleSo seems I'm able to list out users, and that it is OSC that is the problem..17:51
*** gokrokve_ has joined #openstack-keystone17:52
*** topol has joined #openstack-keystone17:52
baffleBut I guess I still need to have a get_domain kind of access.17:52
baffleTo actually look up the ID? Or?17:52
baffleOr, technically, that is in my token.17:53
*** gokrokve has quit IRC17:55
*** gokrokve_ has quit IRC17:56
openstackgerritMorgan Fainberg proposed openstack/keystone-specs: Kilo version of non-persistent token specification  https://review.openstack.org/12973617:57
openstackgerritMorgan Fainberg proposed openstack/keystone-specs: Token Provider Cleanup Spec  https://review.openstack.org/13431417:57
*** patrickeast has joined #openstack-keystone17:58
morganfainbergstevemar, henrynash, ^17:58
*** marcoemorais has quit IRC18:01
*** marcoemorais has joined #openstack-keystone18:02
*** rharwood has quit IRC18:02
*** gokrokve has joined #openstack-keystone18:03
*** marcoemorais has quit IRC18:03
*** marcoemorais1 has joined #openstack-keystone18:03
*** amakarov is now known as amakarov_away18:03
*** openstackgerrit has quit IRC18:03
*** openstackgerrit has joined #openstack-keystone18:04
*** sigmavirus24 is now known as sigmavirus24_awa18:16
*** sigmavirus24_awa is now known as sigmavirus2418:17
*** gokrokve has quit IRC18:17
*** gokrokve has joined #openstack-keystone18:18
*** afaranha has quit IRC18:18
*** henrique_ has quit IRC18:19
*** gabriel-bezerra has quit IRC18:19
*** links has joined #openstack-keystone18:19
*** samuelms has quit IRC18:19
*** tellesnobrega has quit IRC18:19
*** tellesnobrega_ has quit IRC18:20
*** raildo has quit IRC18:20
*** stevemar2 has joined #openstack-keystone18:20
*** gokrokve has quit IRC18:22
*** stevemar has quit IRC18:22
*** amcrn has joined #openstack-keystone18:30
dtturnerkeystone gurus, I have a bizarre one here:  Has anyone here ever seen requests for an openstack service being incorrectly routed to a service running on a completely different endpoint IP and port?18:31
dtturnerI'm testing mistral.  Upon launching mistral services, users report that every other request "or so" time out on them.  When they experience the time outs, I see the requests in mistral logs. Of course mistral errors with noSuchMethod18:36
*** gokrokve has joined #openstack-keystone18:36
dtturnerKeystone service endpoint for mistral is configured to point to a completely different IP/port.  Keystone services have been bounced.   Currently at a loss as to how this is happening.18:37
*** nellysmitt has quit IRC18:39
*** gokrokve has quit IRC18:39
*** gokrokve has joined #openstack-keystone18:39
*** gokrokve has quit IRC18:39
*** gokrokve has joined #openstack-keystone18:40
*** vhoward has left #openstack-keystone18:43
*** thedodd has quit IRC18:44
henrynashmorganfainberg: I’ll checkout your token spec split a bit later…and if you have a few minutes, there are few more of the assignment fixes in the chain that could get approved, starting at: https://review.openstack.org/#/c/133299/18:45
morganfainberghenrynash, yeah sounds good. will start there shortly. taking a small break and still working on some writeup stuff (plus need to do expense reports today/tomorrow)18:45
henrynashmorganfainberg: expenses……yeah, gotta do that too!18:46
bafflehenrynash: Thanks for all your help, I'll post a features request/bug for OSC. Sorry for disturbing everyone with my enduser problems. :-)18:47
*** openstackgerrit has quit IRC18:49
*** openstackgerrit has joined #openstack-keystone18:49
*** samuelms has joined #openstack-keystone18:49
*** htruta has joined #openstack-keystone18:49
*** raildo has joined #openstack-keystone18:50
*** tellesnobrega has joined #openstack-keystone18:50
*** tellesnobrega_ has joined #openstack-keystone18:50
*** edmondsw has joined #openstack-keystone18:52
*** marcoemorais1 has quit IRC18:52
*** marcoemorais has joined #openstack-keystone18:53
*** marcoemorais has quit IRC18:53
*** marcoemorais has joined #openstack-keystone18:53
*** afaranha has joined #openstack-keystone18:56
henrynashbaffle: no, it’s an excellent find!18:56
*** gabriel-bezerra has joined #openstack-keystone18:57
openstackgerritLance Bragstad proposed openstack/keystone: Move functional tests to keystone/tests/functional  https://review.openstack.org/13355618:59
*** marcoemorais has quit IRC19:00
*** marcoemorais has joined #openstack-keystone19:00
*** marcoemorais has quit IRC19:00
*** marcoemorais has joined #openstack-keystone19:01
*** amcrn_ has joined #openstack-keystone19:01
*** marcoemorais has quit IRC19:01
*** marcoemorais has joined #openstack-keystone19:02
bafflehenrynash: Turns out I am late to the party. Must be a few weeks since I did a git pull on OSC. https://bugs.launchpad.net/python-openstackclient/+bug/137856519:04
uvirtbotLaunchpad bug 1378565 in python-openstackclient "The '--domain' arg for identity commands should not require domain lookup" [Undecided,Fix committed]19:04
*** amcrn has quit IRC19:04
*** amcrn_ is now known as amcrn19:04
*** kobtea has joined #openstack-keystone19:08
henrynashbaffle: aaha!19:08
henrynashbaffle: well at least we deduced the problem correctly!19:08
baffleSo now instead of just failing on the 403 returned by the "GET /v3/domains?name=stenstad.net" (since we don't have permissions to list_domains) it goes forward and does a "GET /v3/users?domain_id=stenstad.net" .. Which also doesn't work. But if I put in a domain_id in --domain it works. \o/19:10
henrynashbaffle: I think maybe a better fix is that we need to provide a way that an admin for domain can look up their ID given the domain name19:10
bafflehenrynash: You mean except studying the auth token? :)19:10
henrynashbaffle: :-)19:11
henrynashbaffle: i.e. GET /domains?name=mydomainname should work if you have admin role on that domain19:11
henrynashbaffle: but it doesn’t today19:11
bafflehenrynash: Yeah, it is just a filter on list_domains right now.19:12
*** kobtea has quit IRC19:12
henrynashbaffle: or an explict get domain by name call…19:13
henrynashbaffle: which actually exists in the code, we just don’t expose it19:13
*** nellysmitt has joined #openstack-keystone19:14
*** openstackgerrit has quit IRC19:18
*** openstackgerrit has joined #openstack-keystone19:18
*** stevemar2 has quit IRC19:19
*** ayoung-mia is now known as ayoung19:25
ayounghenrynash, "resource"  do you really think that is the right name?19:25
*** marcoemorais has quit IRC19:27
*** stevemar has joined #openstack-keystone19:28
*** marg7175 has joined #openstack-keystone19:29
*** marcoemorais has joined #openstack-keystone19:29
*** marcoemorais1 has joined #openstack-keystone19:31
*** marcoemorais1 has quit IRC19:31
*** marg7175 has quit IRC19:33
*** marcoemorais has quit IRC19:34
*** telemonster has joined #openstack-keystone19:36
telemonsterAny AD/LDAP ninjas around? I found out about this channel while digging through the bug tracking database. Our AD integration works fine on Havana but moving that config into Icehouse --19:38
telemonsterit just fails with username / password.19:38
ayoungtelemonster, I'd deny it with my dying breath19:38
telemonsterI've played with the cn / sAMAccountName fields and stuff a bunch -- I don't think that's it19:38
telemonsterI do notice when debugging is enabled on both, and running side by side there is a slight difference in one of the queries19:38
ayoungtelemonster, Icehouse was a long time ago...I can't remember exactly what we did when19:41
ayoungsAMAccountName was a capitalization issue.19:41
ayoungtelemonster, can you get enough logging to see what it is actually trying to do?19:41
telemonsteryea, ours was a working fine config on havana, moving up to icehouse seems problematic19:41
telemonsterI can see the queries via logging but not the password check part19:42
ayoungof course not, we don't want to dump passwords to the log...19:42
ayoungis this production?19:43
stevemarbaffle, henrynash whats up with OSC?19:44
telemonsteryea. Doesn't AD use kerberos encrypted passwords?19:44
openstackgerritRodrigo Duarte proposed openstack/keystone: Rename openid to oidc in test_auth_plugins.conf  https://review.openstack.org/13349419:47
openstackgerritRodrigo Duarte proposed openstack/keystone: Adds dynamic checking for mapped tokens  https://review.openstack.org/13313019:47
*** links has quit IRC19:48
*** chrisshattuck has joined #openstack-keystone19:48
ayoungtelemonster, test to make sure you can still do a simple bind.  Guessing that, if you have not changed AD, it will still work19:49
telemonsterI can see when I try to login with the sAMAccountName value, I can see the full name in the CN= fields, so the bind part is okay as data is coming back19:49
telemonsterone thing that is different between new and old, is this ldap string visible on the console debug log output19:50
telemonsterput_filter: "(&(cn=Neutron Service)(memberof:1.2.840.113556.1.4.1941:=CN=Cloud,OU=Security Groups,OU=User Accounts,DC=int,DC=company,DC=com)(objectClass=person))"19:50
telemonsterthe part "(cn=Neutron Service)" doesn't exist on the earlier, working, debug output strings19:51
telemonsterWe've got those accounts all created on the AD server and such19:51
telemonsterI notice others are modifying code in the ldap core.py but looking at our version it's already different than what's in the bug tracking system so I'm thinking it was already fixed19:55
*** sterns has joined #openstack-keystone19:55
*** thedodd has joined #openstack-keystone19:56
*** diegows has quit IRC19:57
*** gordc has quit IRC19:57
*** toddnni has quit IRC19:58
ayoungtelemonster, cool.  Good luck.20:03
telemonsteryea20:03
telemonsterI'm looking to see if I can take the ldap module from the old version and jam it into icehouse20:03
*** openstackgerrit has quit IRC20:04
*** openstackgerrit has joined #openstack-keystone20:04
*** rharwood has joined #openstack-keystone20:05
ayoungstevemar, https://review.openstack.org/#/c/133037/6  maybe drop the dependency on the older doc review.  It doesn't seem to be a real "depends" relationship20:20
*** tellesnobrega_ has quit IRC20:21
stevemarayoung, meh, the other one is already gating20:21
ayoungthe doc one has a big red X from Jenkins20:23
ayounghttps://review.openstack.org/#/c/133005/320:23
*** amirosh has quit IRC20:31
bafflestevemar: The thing with OSC is that the use case "I am admin of a domain and want to do create/list/set operations on users/groups/projects" doesn't really work. It needs to know the domain_id to query /v3/users/ and similar functions. Up till some weeks ago, it tried to do a filtered search on /v3/domains?name=<domain_name> if you used the "--domain=<domain_name>" parameter to the commands. But since a domain admin (except v2 "default" admin20:32
bafflestevemar: https://review.openstack.org/#/c/126754/20:32
bafflestevemar: So, there has to/should be a way for a domain admin to query its own domain_id from domain_name. Which according to henrynash already exists but isn't exposed externally.20:33
*** agireud has quit IRC20:35
*** edmondsw has quit IRC20:40
*** topol has quit IRC20:44
*** _cjones_ has quit IRC20:45
*** edmondsw has joined #openstack-keystone20:50
*** vhoward has joined #openstack-keystone20:51
*** agireud has joined #openstack-keystone20:53
*** nellysmitt has quit IRC20:55
*** agireud has quit IRC20:57
stevemarbaffle, *reading*20:59
stevemarbaffle, so what are your authN variables set to? and what commands are you trying to do?21:01
stevemarbaffle, ah yeah, the linked review is exactly what i was thinking of...21:01
bafflestevemar: My authtoken is fine, in that I have access to /v3/users/<domain_id>/ to list users of my domain.21:02
*** thedodd has quit IRC21:02
*** marcoemorais has joined #openstack-keystone21:02
*** agireud has joined #openstack-keystone21:05
stevemarbaffle, oh you're not using a uname/pass and domain scoping?21:08
bafflestevemar: Yeah, standard username/password and domain scoping.21:09
*** thedodd has joined #openstack-keystone21:10
baffleHmm.. v3cloudsample currently has "identity:list_projects": "rule:admin_required and domain_id:%(domain_id)s",  .... Which means that the cloud_admin doesn't have permissions to list projects in other domains.. That can't be on purpose? :)21:11
*** chrisshattuck has quit IRC21:14
*** chrisshattuck has joined #openstack-keystone21:16
*** openstackgerrit has quit IRC21:19
dtroyerdefault domain question:  keystone.conf has "#default_domain_id=default"…is a default name set anywhere?  I've seen references to 'Default' working…21:19
*** openstackgerrit has joined #openstack-keystone21:19
dtroyerreason is https://review.openstack.org/#/c/132083/6/openrc,unified wants to set the default name for DevStack to 'Default' in openrc21:19
*** sterns has left #openstack-keystone21:19
dtroyerI'm thinking it would be better to set OS_xxx_DOMAIN_ID instead?21:20
*** marg7175 has joined #openstack-keystone21:24
*** marg7175 has quit IRC21:29
openstackgerritSteve Martinelli proposed openstack/python-keystoneclient: Fix broken references in OAuth code  https://review.openstack.org/13436421:29
stevemarmorganfainberg, ^21:29
stevemardtroyer, DOMAIN_ID is probably better21:30
stevemarrather than name21:30
openstackgerritLance Bragstad proposed openstack/keystone: Increase test coverage of test_versions.py  https://review.openstack.org/13436521:30
bafflepolicy.v3cloudsample.json has: "admin_and_matching_domain_id": "rule:admin_required and domain_id:%(domain_id)s",    but it seems keystone is unable to parse it? See: http://paste.openstack.org/show/ZoPdw0lSO3JMftDRVDAK/21:39
baffleShould it be domain_id:%(scope.domain.id)s) instead?21:40
*** gokrokve has quit IRC21:42
*** amirosh has joined #openstack-keystone21:42
*** toddnni has joined #openstack-keystone21:45
openstackgerritLance Bragstad proposed openstack/keystone: Increase test coverage of test_versions.py  https://review.openstack.org/13436521:45
*** _cjones_ has joined #openstack-keystone21:46
*** jacorob has quit IRC21:46
*** amirosh has quit IRC21:47
*** thedodd has quit IRC21:47
*** junhongl has quit IRC21:53
*** junhongl has joined #openstack-keystone21:55
*** thedodd has joined #openstack-keystone21:56
*** saipandi has quit IRC21:56
*** nkinder has quit IRC21:56
*** _cjones_ has quit IRC22:03
*** gokrokve has joined #openstack-keystone22:08
*** tellesnobrega_ has joined #openstack-keystone22:08
*** thedodd has quit IRC22:13
*** radez is now known as radez_g0n322:14
*** zzzeek has quit IRC22:14
openstackgerritMerged openstack/keystone: Improve testing of project federation tokens for inherited roles.  https://review.openstack.org/13309122:19
baffleNvm.22:28
*** gyee has joined #openstack-keystone22:37
openstackgerritSteve Martinelli proposed openstack/keystone: Add WSGIPassAuthorization to OAuth docs  https://review.openstack.org/13438822:37
lbragstadstevemar: client question for you22:40
stevemarlbragstad, be quick i'm about to head home22:40
lbragstadusers can update their passwords to be empty strings ''22:40
lbragstadstevemar: that wasn't by design was it?22:40
stevemarwhat's the server side api say? you made the json schema validator :)22:41
lbragstadstevemar: that is in the identity api validation patch,22:41
stevemarah22:42
lbragstadwhich hasn't landed yet because we have to rip out xml support first22:42
lbragstadanywho. I was just curious22:42
stevemarthen it'll work, but it's a fantastically shitty design22:42
lbragstadlol22:42
lbragstadok22:42
lbragstadthere was a couple bugs filed that were related to it22:42
stevemarit should probably be at least 1 character?22:42
lbragstadI would thinks o22:42
lbragstadthink so*22:42
lbragstadanywho, thought I'd ask quick, no need to hold you up if you're heading home22:43
*** gus_ is now known as gus22:43
stevemarhttp://specs.openstack.org/openstack/keystone-specs/api/v3/identity-api-v3.html#change-user-password22:43
stevemaryeah, there is probably no validation there22:44
lbragstadok,22:44
stevemarit's probably broken as heck for non-alphanumerics too22:44
lbragstadthe clients just check to make sure they aren't None22:44
stevemarbut we get away with it by saying we're not an IdP22:44
*** gus has quit IRC22:44
lbragstad:)22:44
lbragstadcase maker!22:44
stevemaranywho22:45
stevemari'm out22:45
stevemarsee ya boss22:45
*** gus has joined #openstack-keystone22:45
lbragstadlater, thanks!22:45
*** gus is now known as gus_22:46
*** gus_ is now known as gus22:46
*** stevemar has quit IRC22:49
*** _cjones_ has joined #openstack-keystone22:59
*** diegows has joined #openstack-keystone23:00
*** marcoemorais has quit IRC23:00
*** marcoemorais has joined #openstack-keystone23:01
*** _cjones_ has quit IRC23:04
*** diegows has quit IRC23:06
*** sigmavirus24 is now known as sigmavirus24_awa23:08
*** nkinder has joined #openstack-keystone23:17
*** agireud has quit IRC23:19
openstackgerritMorgan Fainberg proposed openstack/keystone-specs: Kilo version of non-persistent token specification  https://review.openstack.org/12973623:19
*** henrynash has quit IRC23:20
*** zzzeek has joined #openstack-keystone23:23
*** henrynash has joined #openstack-keystone23:23
*** _cjones_ has joined #openstack-keystone23:25
openstackgerritMerged openstack/keystone: Move shib specific documentation  https://review.openstack.org/13300523:26
*** henrynash has quit IRC23:27
*** marcoemorais has quit IRC23:33
*** marcoemorais has joined #openstack-keystone23:34
*** gokrokve has quit IRC23:42
*** stevemar has joined #openstack-keystone23:42
ekarlsojamielennox: u up ?23:46
ekarlsoI got some q on ksclient generic stuffs23:46
*** kobtea has joined #openstack-keystone23:46
*** kobtea has quit IRC23:50
*** stevemar has quit IRC23:53
