Friday, 2015-03-27

openstackgerritMerged openstack/keystone: Add caching to getting of the fully substituted domain config
*** markvoelker has quit IRC00:02
*** Tahmina has quit IRC00:03
*** bknudson has joined #openstack-keystone00:04
*** ChanServ sets mode: +v bknudson00:04
dstanekmorganfainberg: i'm game for whatever you need00:18
morganfainbergdstanek, you're already on the list00:18
morganfainbergdstanek, this is just a question of if you want to be on that list00:19
morganfainbergdstanek, this is the subset of keystonecore roped in for security bug review/patchreview/etc00:19
morganfainbergdstanek, when the VMT or PTL thinks it is appropriate to do so00:19
dstanekmorganfainberg: i'm totally fine with that00:19
bknudsonyou will learn things you don't want to know about.00:19
morganfainbergdstanek, so its not that i need it, it is purely "are you interested on being on the for it"00:19
morganfainbergs/the for it/ the hook for it00:20
morganfainbergbknudson, you don't get an option for this :P  >.>00:20
morganfainbergok i'm off to grab dinner00:22
gyeedstanek, they have different uniforms for security people00:24
*** gokrokve has quit IRC00:24
bknudsonsecret handshake00:24
dstanekgyee: if i have to wear a tie then count me out00:24
gyeeshit we don't send out a cadf for disabling a user?00:25
gyeewait, we do00:26
lhchenggyee, looks like just an update user event00:26
gyeeyeah looks like it00:26
openstackgerritBrant Knudson proposed openstack/keystonemiddleware: Change auth_token to use keystoneclient
lhchenggyee is wearing his security hat now00:27
gyeephysical security :)00:32
lhchengaudit security00:32
openstackgerritLin Hua Cheng proposed openstack/keystone: Add routing for list_endpoint_groups_for_project
*** browne has quit IRC00:37
* dstanek isn't following along in here too closely. He's working on his codereview tool.00:37
bknudsondstanek: to replace gerrit?00:38
gyeebased of fuzz AI?00:38
dstanekbknudson: to replace the web interface00:38
bknudsonvim... should be an eclipse plugin.00:39
bknudsonnow I've got my work cut out for me.00:39
dstanekwhat work is that?00:39
bknudsoncreating an eclipse plugin for gerrit00:39
bknudsonit would be awesome.00:40
bknudsoncould have a whole openstack ide.00:41
dstanekyou should totally do that00:42
bknudsonintegrated devstack00:43
dstanekif you do that i'll get devstack to run in vim00:44
bknudsonthat's unpossible...?00:44
morganfainbergdstanek: can I get it ported to emacs?00:44
bknudsonjust meta-x gerrty00:44
morganfainbergI'm asking for a friend.00:44
dstanekmorganfainberg: no00:45
dstaneki have trouble lisping00:45
dstanekviml is hard enough00:45
bknudsoneclipse uses java00:46
dstanekbknudson: that's why i can't install it00:46
gyeejust rewrite everything in go00:46
gyeewait, did someone already said that :)00:46
dstanekthere is a rewrite of vim, but i don't think it's in go00:47
bknudsonisn't vim a rewrite of vi?00:48
*** sigmavirus24_awa is now known as sigmavirus2400:48
*** tqtran_ has quit IRC00:58
*** samueldmq has quit IRC01:07
*** crinkle has quit IRC01:11
*** crinkle has joined #openstack-keystone01:15
bknudson2015-03-26 20:15:18.254 CRITICAL keystone [-] DbMigrationError: None01:15
bknudsonthat's the error when I try to downgrade.01:15
bknudsonwith 16783401:15
openstackgerritMerged openstack/python-keystoneclient: Updated from global requirements
*** dims_ has quit IRC01:23
*** raildo has joined #openstack-keystone01:24
*** crinkle has quit IRC01:25
raildodstanek: ping... are you here?01:27
openstackgerritDave Chen proposed openstack/keystone: More content in the guide for core components' migration
*** samueldmq has joined #openstack-keystone01:28
*** _cjones_ has quit IRC01:30
*** _cjones_ has joined #openstack-keystone01:31
*** browne has joined #openstack-keystone01:31
*** _cjones_ has quit IRC01:35
dstanekraildo: sorta yes01:46
raildojust to know if you had read what I say about the bug :)01:47
raildoWe found the bug, but we don't have a good solution for this01:48
dstanekraildo: do you have a link handy?01:50
raildodstanek: I debug the sqlalchemy code, and see this:
raildodstanek: in the teardown, they will load all tables but for group and user tables, the FK for domain_id still exists. So they try to load the Domain table id, but it's dropped.01:52
*** dank_ has quit IRC01:55
dstanekraildo: why do you think it's a bug? that is actually the behavior i expect. this is probably worth bringing up to zzzeek tomorrow01:55
dstaneki think since sqlalchemy was loaded with that table and those foreign keys that when we try to reflect it tries to create them. i was hoping that there was some easy way to clear the cache and reload just what we care about01:56
raildo dstanek because we already remove this FK in this script:
dstanekraildo: but i don't know if that is supposed to delete it from the cache that reflection uses01:57
dstaneknormally the data used in reflection is setup at import time01:58
dstanekmorganfainberg: do you have any idea what's happening here? ^01:58
raildodstanek: morganfainberg this script is related for this bug:
openstackLaunchpad bug 1417451 in Keystone "SQL User & Group entities still have FK to domain" [Medium,Fix released] - Assigned to Steve Martinelli (stevemar)02:00
raildobut the FK still exist for sqlite database...02:00
bknudsonsqlite doesn't support fks as far as I know02:01
dstanekbknudson: sqlalchemy thinks it should be there based on the model and looks for a table that doesn't exist02:02
raildobknudson: I think that doesn't support constraints, but I'm not sure02:02
bknudsonnot worth it working around sqlite errors. it's not production02:02
dstanekit's not sqlite it related to testing migrations02:03
bknudsonit also happens on mysql?02:03
raildobknudson: so I can put a put a if "if not sqlite drop the table"02:03
bknudsonworks for me02:03
raildobknudson: I had tried in the mysql and the script works good02:03
openstackgerritMerged openstack/keystone: Exposes bug when getting hierarchy on Project API
openstackgerritMerged openstack/keystone: Fixes bug when getting hierarchy on Project API
openstackgerritMerged openstack/keystone: Refactor _create_projects_hierarchy in tests
openstackgerritMerged openstack/keystone: Refactor code supporting status in JSON Home
dstanekraildo: you don't get the error on mysql and the table is dropped?02:04
raildodstanek: nope, because in the mysql this FK doesn't exists02:05
raildoso I can drop the table02:05
dstaneki wonder why sqlalchemy is confused02:06
raildodstanek: yes... it's weird, and the problem is, in the future, if somebody want drop other table that contain a FK for other table, the problem will happen again02:08
dstanekraildo: that's why i'd like to find the root cause02:09
dstaneki'll take a look a little later02:09
*** erkules_ has joined #openstack-keystone02:10
raildodstanek: I'll investigate more later, but the problem happen here:
*** lhcheng has quit IRC02:12
*** erkules has quit IRC02:12
raildoI don't know if this a sqlalchemy problem, or a bug in keystone due sqlite02:12
openstackgerritwanghong proposed openstack/keystone: remove assignments when deleting a domain
*** nkinder has joined #openstack-keystone02:13
*** sigmavirus24 is now known as sigmavirus24_awa02:14
openstackgerritBrant Knudson proposed openstack/keystone: Entrypoints for commands
openstackgerritMerged openstack/keystone: Remove SQL Downgrades
openstackgerritMerged openstack/python-keystoneclient: Replace assertRaisesRegexp with assertRaisesRegex
*** crinkle has joined #openstack-keystone02:29
raildoi was just thinking here, why we use sqlite in the keystone tests?02:37
wanghongraildo, we want to run tests faster02:48
*** gyee has quit IRC02:50
raildowanghong: hum... that is a good argument :) thanks02:51
ayoungnkinder, OK...I'm getting closer.  I have the following error:02:53
ayoung{"error": {"message": "Could not find Identity Provider:", "code": 404, "title": "Not Found"}}02:53
ayoungand that makes sense.  If I fetch the file
ayoungand look at the entityId value (which is the rmote_id atribute)02:54
ayoungit says: entityID="
*** devlaps has quit IRC02:54
* ayoung needs stevemar to get this clear...or someone else that knows SAML and Keystone02:55
nkinderayoung: what did you set as the remote_id when you created the IdP in keystone?02:56
ayoungnkinder, used the values from your they are:02:56
ayoung> select * from identity_provider;02:57
ayoung| id      | enabled | description | remote_id |02:57
ayoung| ipsilon |       1 | NULL        | NULL      |02:57
ayoungthat is the databse (happend to be in there now)02:57
nkinderayoung: uh, you missed a step to set the remote_id02:57
nkinderayoung: you have to use curl02:57
nkinderno support in OSC yet (though there is a patch for it)02:57
nkinderayoung: yep, that's it02:58
nkinderayoung: set it to the value that will be in MELLON_IDP02:59
ayoungnkinder, so the URL?02:59
nkinderayoung: that should be "https://$IPA_FQDN/idp/saml2/metadata"02:59
*** raildo has quit IRC02:59
nkinderayoung: you can turn on debug level in Keystone, and it will print out the env variables from the assertion if you wanted to see what MELLON_IDP is03:00
nkinderbut the above looks right03:00
openstackgerritwanghong proposed openstack/keystone: add test of /v3/auth/catalog for endpoint_filter
ayoungcurl -si -X PATCH  -H "X-Auth-Token:secrete" -H "Content-type: application/json" http://$HOSTNAME:5000/v3/OS-FEDERATION/identity_providers/ipsilon  -d '{"identity_provider": {"remote_id": ""}'03:02
ayoungOK let's try again03:02
ayoungnkinder, curl didn't set it.03:03
nkinderayoung: really?03:03
ayoungheh, so I stuck it in qith sql03:04
ayoung{"error": {"message": "An unexpected error prevented the server from fulfilling your request: [Errno 2] No such file or directory: '/etc/keystone/sso_callback_template.html' (Disable debug mode to suppress these details.)", "code": 500, "title": "Internal Server Error"}}03:04
nkinderyeah, you missed that step too!03:04
ayoungwell, I wanted to see what we had from upstream03:04
nkinderalmost there...03:04
ayoungso this is OK03:04
nkinderayoung: I hit this error when I first set it up too03:05
nkindercopy it from the source tree03:05
nkinderno modifications needed03:05
ayoungnkinder, do we have the patch submitted for OSC setting remote_id?03:05
nkinderayoung: I have one out for review, but there is another one for the "remote_ids" change that was approved for FFE03:05
nkinderayoung: let me get links...03:06
ayoungfor OS client or for Keystone server?03:06
nkinderthe "remote_ids" one is keystone server and another for OSC03:06
nkinderayoung: OSC remote_ids =
ayoungugh...devstack does not set up the clients by default03:07
nkinderayoung: keystone remote_ids =
*** lhcheng has joined #openstack-keystone03:08
ayoungnkinder, and success...of sorts03:08
ayoungForbidden (403)03:09
ayoungCSRF verification failed. Request aborte03:09
ayoungfrom Horizon.03:09
nkinderayoung: your curl command above was missing a }03:09
openstackgerritJamie Lennox proposed openstack/python-keystoneclient: Expose audit_id via AccessInfo
ayoungshould have errored out.03:09
nkinderayoung: if you log things in the browser, you should see that you get a token and the javascript with the form submit03:10
nkinderayoung: what did you pass as the "origin" query param?03:11
ayoungnkinder, the root URL for Horizon03:11
ayoungI didn't configure Horizon at all yet03:12
ayoungso this is OK03:12
nkinderayoung: ok.  I didn't get a 403 with horizon.  I just got the normal login page.03:12
nkinder...doing no config or anything, but you are on a newer horizon03:12
ayoungyou probably passe /login  or what not...let me see03:12
nkinderno, I didn't.03:12
nkinderI just used the root URL too03:13
ayoung{"error": {"message": " is not a trusted03:13
ayounglet's see what happens when I change that...03:13
nkinderok, you need to set trusted_dashboard in keystone.conf03:13
nkinderit has to match the origin03:14
ayoungCSRF verification failed. Request aborted.03:14
ayoungI think because Horizon is not doing the origianal redirect03:15
nkinderayoung: it's supposed to be auth/websso/03:15
lhchengayoung, are you guys trying the websso setup for horizon/keystone?03:15
nkinderlook for trusted_dashboard in here -
nkinderlhcheng: yes03:15
lhchengthe trusted_dashboard must be the full path03:15
ayounglhcheng, yeah, with the ipsilon provider we've been working on03:15
lhchengnot just the http://<host>03:16
nkinderlhcheng: so http://host/websso/auth ?03:16
nkinderor auth/websso I mean03:16
lhchengayoung, I've set this up for oidc few weeks ago03:16
lhchengincude  ../auth/websso/03:16
lhchengso  http://host/auth/websso/03:17
nkinderlhcheng: which patches are needed for horizon/doa?  There are two different patches out there.03:18
nkinderThere's this one -
nkinder...and this one -
lhchengnkinder: both03:18
ayoungPage not found03:18
ayoungapplying now03:19
ayoungGah ...need to do the whoe DOA setup first03:19
nkinderlhcheng: is there any hope of those making it in for Kilo?03:19
ayoungOK...tale for another day03:19
ayoungDOA is not on the Horizon release schedule, so yes03:20
ayoungDOA goes out when it is ready03:20
nkinderyeah, I know DOA is less of an issue03:20
lhchengnkinder: it got an FFE, I am currently porting the DOA patch to use the plugin model that was recently added03:20
nkinderlhcheng: cool, the stuff jamielennox did, right?03:20
lhchengthere are still bugs on the code too, when I tested the patch, I could not switch between projects on the UI03:20
lhchengnkinder: yes03:21
lhchengthe existing patch is missing the logic to use federation.projects.list() for listing user's project03:22
jamielennoxlhcheng: i had a patch for that ....03:23
lhchengjamielennox: to update this ?03:23
jamielennoxi think it was combined with another one, it was pretty simple just put a get_projects on the plugin base with that as the default implementation03:23
jamielennoxi haven't got the websso stuff updated yet03:24
jamielennoxi was planning that for today but got pulled into a security fix for middleware03:24
lhchengcool, I  haven't got to that part yet.03:26
lhchengI assume you have it in DOA-kerberos03:26
lhchengjamielennox: I can look it up there03:26
jamielennoxlhcheng: no, because you don't need it for kerberos, it uses the standard project listing03:26
ayounglhcheng, how do I get : ?  That does not reaquire the DOA patch too, right?03:27
jamielennox line 267, but it's pretty simple to do yourself then web sso can just override the function03:27
ayoungI mean, it won;t work, but it will be there...03:27
lhchengayoung, you need the DOA patch for that.  The path "auth/websso/" routes to a DOA code03:29
lhchengthe DOA code accept the token from the form submitted by keystone03:29
ayounglhcheng, so Horizon won't even have the path?03:30
jamielennoxlhcheng: if you get a minute, really simple one:
jamielennoxbut DOA-kerberos relies on that for now03:30
lhchengayoung: when horizon starts up, it loads all url pattern from horizon + DOA03:30
jamielennoxi think we should consider django_openstack_auth.utils private to DOA03:31
lhchengayoung, the CSRF issue you had should be fixed by line:131  in
lhchengayoung: I'm not sure which version of DOA patch were you testing awhile ago.03:34
ayounglhcheng, I had my own that was doing unspeakable thiungs with Kerberos....jamie took it and cleaned it up03:35
lhchengjamielennox: I agree, we should only make public the bare minimum for DOA to support the django authentication. The patch looks good to me.03:36
openstackgerritwanghong proposed openstack/keystone: make response of endpoint_group API contain full url
*** rushiagr_away is now known as rushiagr03:46
*** _cjones_ has joined #openstack-keystone03:48
*** _cjones_ has quit IRC03:49
*** samueldmq has quit IRC03:55
*** _cjones_ has joined #openstack-keystone03:58
*** _cjones_ has quit IRC04:02
*** _cjones_ has joined #openstack-keystone04:02
*** stevemar has joined #openstack-keystone04:08
*** ChanServ sets mode: +v stevemar04:08
*** lhcheng is now known as lhcheng_afk04:18
*** lhcheng_afk has quit IRC04:21
*** gokrokve has joined #openstack-keystone04:27
*** gokrokve has quit IRC04:32
*** stevemar2 has joined #openstack-keystone04:32
*** ChanServ sets mode: +v stevemar204:32
*** gokrokve has joined #openstack-keystone04:32
*** _cjones_ has quit IRC04:33
*** stevemar has quit IRC04:35
*** gokrokve has quit IRC04:39
*** markvoelker has joined #openstack-keystone04:39
*** junhongl has quit IRC04:41
*** markvoelker has quit IRC04:43
*** junhongl has joined #openstack-keystone04:53
*** stevemar2 is now known as stevemar04:53
*** rushiagr is now known as rushiagr_away05:04
openstackgerritJamie Lennox proposed openstack/python-keystoneclient: Expose audit_id via AccessInfo
*** lhcheng_afk has joined #openstack-keystone05:22
*** lhcheng_afk has quit IRC05:26
*** amakarov_away has quit IRC05:38
*** amakarov_away has joined #openstack-keystone05:38
*** markvoelker has joined #openstack-keystone05:39
*** jamielennox is now known as jamielennox|away05:41
*** markvoelker has quit IRC05:43
*** dims has joined #openstack-keystone05:46
*** ajayaa has joined #openstack-keystone05:46
stevemarjamielennox|away, ++ to your comment on oslo.config05:52
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Imported Translations from Transifex
*** rushiagr_away is now known as rushiagr06:09
*** dims has quit IRC06:21
openstackgerritSteve Martinelli proposed openstack/keystone: IdP ID registration and validation
*** afazekas is now known as __afazekas06:28
*** ishant has joined #openstack-keystone06:36
openstackgerritSteve Martinelli proposed openstack/keystone: Change the way values are migrated for 007_add_remote_id_table
*** markvoelker has joined #openstack-keystone06:40
*** markvoelker has quit IRC06:44
openstackgerritSteve Martinelli proposed openstack/keystone: Remove unnecessary import that was not checked
openstackgerritSteve Martinelli proposed openstack/keystone: Remove empty request bodies
*** lhcheng_afk has joined #openstack-keystone07:11
*** afazekas has joined #openstack-keystone07:13
*** lhcheng_afk has quit IRC07:15
*** chlong has quit IRC07:16
*** browne has quit IRC07:30
openstackgerritSteve Martinelli proposed openstack/keystone: Add relay_state_prefix to Service Provider
openstackgerritSteve Martinelli proposed openstack/keystone: Add API to create ecp wrapped saml assertion
*** markvoelker has joined #openstack-keystone07:40
openstackgerritSteve Martinelli proposed openstack/keystone: Add API to create ecp wrapped saml assertion
*** markvoelker has quit IRC07:45
openstackgerritSteve Martinelli proposed openstack/keystone: Add relay_state_prefix to Service Provider
openstackgerritSteve Martinelli proposed openstack/keystone: Add API to create ecp wrapped saml assertion
*** jaosorior has joined #openstack-keystone07:54
*** stevemar has quit IRC07:59
openstackgerritMerged openstack/keystone: Imported Translations from Transifex
*** ajayaa has quit IRC08:08
*** haneef_ has quit IRC08:08
*** ajayaa has joined #openstack-keystone08:08
*** haneef_ has joined #openstack-keystone08:11
*** erkules_ is now known as erkules08:11
*** erkules has joined #openstack-keystone08:11
*** browne has joined #openstack-keystone08:14
*** arunkant has quit IRC08:24
*** arunkant has joined #openstack-keystone08:26
*** jistr has joined #openstack-keystone08:40
*** browne has quit IRC08:41
*** markvoelker has joined #openstack-keystone08:41
*** markvoelker has quit IRC08:46
*** henrynash has joined #openstack-keystone08:50
*** ChanServ sets mode: +v henrynash08:50
*** pnavarro has joined #openstack-keystone08:54
*** lhcheng_afk has joined #openstack-keystone09:07
*** pnavarro is now known as pnavarro|off09:20
*** henrynash has quit IRC09:38
*** markvoelker has joined #openstack-keystone09:42
*** krykowski has joined #openstack-keystone09:43
*** markvoelker has quit IRC09:46
*** dims_ has joined #openstack-keystone09:51
*** kodoku has joined #openstack-keystone09:55
kodokuHi, I try to enable SSL in keystone. keystone client with --insecure works but if I GET on REST API, server doesn't respond.  (on port 5000). Any ideas ?09:56
*** henrynash has joined #openstack-keystone09:56
*** ChanServ sets mode: +v henrynash09:56
marekdkodoku: one idea - try checking what log says :-)09:58
openstackgerritVictor Sergeyev proposed openstack/keystone: Fix for migration 062 on MySQL
kodokumarekd When I get on API, no logs in keystone.log09:59
marekdkodoku: some other apache logs?09:59
kodokuhum I'll see09:59
marekdkodoku: ssl related maybe?09:59
marekdi suggest tail -f /var/log/apache2/keystone (or whatever patch is) and you will have live streaming of logs from apache.10:00
marekdtail -f /var/log/apache2/keystone/*10:00
marekdi meant10:00
kodokuI'am on Rhel10:00
kodokuSo I don't have any keystone log in my apache logs10:01
kodokuand access or error log have nothing10:01
marekdkodoku: are  you running keystone + apache ?10:01
kodokulike my serveur doesn't listen https :/10:02
marekdah, eventlet.10:02
kodokuapache is on other node10:03
marekdso that's why apache does have nothing10:03
kodokukeystone need apache ?10:04
marekdit's recommended way to run keystone10:04
marekdbut it can also run on eventlet, as a standalone instance10:04
marekdtry /var/log/keystone/keystone.log10:05
marekdor find for a file keystone.log10:05
kodokuok, I was frezze my horizon on this node so apache doesn't start. I'll remove horizon and start apache10:05
*** davidckennedy has joined #openstack-keystone10:12
kodokumarekd apache is start but always no reponse10:22
kodokuand 0 logs10:22
marekdkodoku: but do you know HOW you are running keystone?10:23
marekdIs it on top of Apache?10:23
marekdin case of Apache Keystone is ran via WSGI10:23
marekdso check if you have Apache vhosts configured.10:24
marekdor simply do ss -lntp | grep keystone and see what process runs keystone10:24
marekdis it apache?10:24
kodokuLISTEN     0      128                       *:35357                    *:*      users:(("keystone-all",2300,7),("keystone-all",2299,7),("keystone-all",2298,7),("keystone-all",2297,7),("keystone-all",2296,7),("keystone-all",2295,7),("keystone-all",2294,7),("keystone-all",2293,7),("keystone-all",2286,7)) LISTEN     0      128                       *:5000                     *:*      users:(("keystone-all",2300,8),("keystone-a10:24
*** lhcheng_afk has quit IRC10:25
marekdso its probably not apache10:25
marekdso no need to run aache..10:25
kodokuok :)10:25
marekdfind the log file.10:25
marekddo you know command find ?10:26
marekdi'd go with:10:26
marekd# find /var/log -name keystone.log10:26
kodokuin keystone.log I have no logs when I request API10:26
marekdand what exactly you mean by "request API" ?10:26
kodokuWith API client I make a GET request on https://MYIP:5000/10:27
kodokulike a curl10:27
marekdmaybe firewall?10:27
kodokuIt was disable10:28
marekdi mena, if the connection is no rejected, closed, nothing is returned something is making it stall...10:28
kodokuand Before change http to https, connection works10:28
marekdso, it looks like there is misconfiguration with ssl.10:28
kodoku-A INPUT -p tcp -m multiport --dports 5000,35357 -m comment --comment "001 keystone incoming keystone" -j ACCEPT10:28
marekdlike, missing certificates ?10:28
kodokuWhen I make keystone --insecure user-list  works10:29
marekdand when it's keystone user-list it doesn't right?10:29
kodokuyes :/10:29
marekdso try with keystone --debug --verbose user-list10:29
marekdyou should get some info.10:29
kodokuAuthorization Failed: SSL exception connecting to
marekdyou can try enablig debuggin in your keystone.10:30
marekdon rdo it's...i think somewhere in /usr/share ?10:30
marekdanyway, find is your riend!10:31
marekdlook for keystone.conf10:31
*** kodokuu has joined #openstack-keystone10:33
kodokuusorry my proxy bug10:33
kodokuuI'am stoped to debug mode10:33
kodokuuWhen I use --insecure DEBUG:urllib3.connectionpool:"GET /v2.0/users HTTP/1.1" 200 1256  So httpsdoesn't works10:34
*** kodoku has quit IRC10:34
kodokuuSo you have tutorial for enable SSL with the generation of certif10:38
marekdi'd google for "create ssl certificates"10:39
kodokuuin /etc/keystone/ssl/certs/ I have 01.pem  ca.pem  index.txt  index.txt.attr  index.txt.old  openssl.conf  req.pem  serial  serial.old  signing_cert.pem10:41
kodokuuDo I need to generate or I can use there certif10:41
*** markvoelker has joined #openstack-keystone10:43
*** henrynash has quit IRC10:43
*** markvoelker has quit IRC10:48
*** amakarov_away is now known as amakarov10:49
*** kodokuu has quit IRC11:34
*** marekd has quit IRC11:39
*** markvoelker has joined #openstack-keystone11:43
*** markvoelker has quit IRC11:48
*** samueldmq-away is now known as samueldmq11:52
openstackgerritVictor Sergeyev proposed openstack/keystone: Migrate_repo init version helper
openstackgerritVictor Sergeyev proposed openstack/keystone: Share engine between migration helpers.
openstackgerritVictor Sergeyev proposed openstack/keystone: Use metadata.create_all() to fill a test database
openstackgerritVictor Sergeyev proposed openstack/keystone: Add index to the revocation_event.revoked_at.
openstackgerritVictor Sergeyev proposed openstack/keystone: Comparision of database models and migrations.
openstackgerritVictor Sergeyev proposed openstack/keystone: Fix index name the assignment.actor_id table.
openstackgerritVictor Sergeyev proposed openstack/keystone: Fix index name the assignment.actor_id table.
*** raildo|away is now known as raildo12:08
htrutabknudson: could you take a 30 seconds look at ?12:15
*** markvoelker has joined #openstack-keystone12:18
*** rushiagr is now known as rushiagr_away12:23
*** gordc has joined #openstack-keystone12:35
*** bknudson has quit IRC12:40
*** davechen has joined #openstack-keystone12:49
*** sigmavirus24_awa is now known as sigmavirus2412:57
*** bknudson has joined #openstack-keystone13:01
*** ChanServ sets mode: +v bknudson13:01
dstanekso what is the rule about changing existing migrations? when is it OK and when is it a no-no?13:05
*** kodoku has joined #openstack-keystone13:10
*** rushiagr_away is now known as rushiagr13:10
kodokuHi. When I restart keystone I have this : DEBUG keystone.notifications [-] Callback: `keystone.token.provider.Manager._delete_......   This is normal ?13:11
dstanekkodoku: do you have debug logging on? if so you will see lots and lots of messages13:12
kodokudstanek Yes I have debug mode13:12
dstanekkodoku: then it's normal to see the debug messages13:12
kodokuMaybe you can help me now :)13:15
dstanekwhat happens when you curl that url?13:17
kodokuwhat url ?13:17
dstaneki assume you are having connectivity issues base on the 'SSL exception ...' message13:18
kodokuwith -k ?13:19
dstanekeither way13:19
dstanekwhat is that ip address in the original paste?13:21
kodokuthis is IP of juno001.fr13:21
dstanekyou could try adding --insecure to the keystone command13:22
dstanekkodoku: that's what you expected, right?13:26
kodokuyes but I see ""GET /v2.0/users HTTP/1.1" 200 1256"13:27
kodokuSo this message is in HTTP13:27
dstaneki don't think that means anything13:28
dstanekit's using the HTTP/1.1 protocol - there is no HTTPS/1.113:29
kodokuSo I need to add the CA in my compute to get response of keystone13:30
dstanekhave you tried to use the openstack client? i don't know is ksc has support for OS_CACERT13:31
*** ishant has quit IRC13:31
*** kodokuu has joined #openstack-keystone13:31
*** jaosorior has quit IRC13:32
kodokuustanek Ok works :) If I enable https, http doesn't works ? I need to change all conf of nova, cinder ....13:34
*** kodoku has quit IRC13:34
kodokuudstanek Ok works :) If I enable https, http doesn't works ? I need to change all conf of nova, cinder ...13:36
dstanekmost likely that is true. you for sure can't run http and https on the same ports13:37
*** henrynash has joined #openstack-keystone13:38
*** ChanServ sets mode: +v henrynash13:38
*** ljfisher has joined #openstack-keystone13:43
kodokuudstanek ok so I change neutron and nova auth.  When "nova list" neutron error : ERROR keystonemiddleware.auth_token [-] HTTP connection exception: Unable to establish connection to
kodokuuhum maybe i need to change IP by CN13:48
*** dims_ is now known as dimsum__13:49
*** f13o has joined #openstack-keystone13:50
ayoungdstanek, I want to pull some changes from DJango-openstack-auth in to a devstack deployment, which means cloning the repo and using  What is the right majik to do this, so that I can use a repo owned as a non-root user ?13:53
ayoungI spent a long time getting this set up, and would rather not trash the system13:53
*** ljfisher has quit IRC13:54
bretondstanek: I think they are OK when they were not released yet13:54
bretondstanek: if a migration is in stable, it cannot be changed13:55
dstanekayoung: if you cloned the repo i think you will just have to 'python develop' to get it installed13:55
dstanekbreton: so we don't care about people tracking master?13:55
ayoungdstanek, as root or as me13:55
ayoungI guess as root13:55
dstanekayoung: yeah, for devstack i think you'll have to do root13:56
bretondstanek: well, we are not on rolling release13:56
bretonbut let's wait for somebody who has a definite answer13:56
kodokuudstanek :
*** r-daneel has joined #openstack-keystone13:58
dstanekkodokuu: can you curl the keystone url from where nova is running?13:58
dstanekare you setting the cacert or insecure option there too?13:59
ajayaadolphm, ayoung, dstanek, morganfainberg, stevemar Here is a demo of Keystone running with NoSql backend, (POC for
dstanekajayaa: that's neat. what db did you use?14:01
*** dimsum__ has quit IRC14:01
ajayaadstanek, MagnetoDB.14:01
ajayaaWe are evaluating Cassandra as well.14:02
*** kodokuu has quit IRC14:02
*** dimsum__ has joined #openstack-keystone14:02
dstaneknice, i'm not familiar with that one.14:02
ajayaaIt provides dynamodb like api on top of Cassandra.14:02
ajayaaIt's not an official project yet but falls under Openstack umbrella.14:02
ajayaaIt's a stackforge project as of now.14:03
*** kodoku has joined #openstack-keystone14:03
dstanekajayaa: do you have a link?14:03
kodokuok I don't find option for insecure in neutron.conf14:03
kodokuand nova is on the same host14:04
dstanekajayaa: thanks i'll have to read up on that this weekend14:05
ajayaadstanek, We are writing a Cassandra backend and would compare with MagnetoDB backend on the basis of schema and code cleanliness.14:05
ajayaadstanek, my pleasure.14:05
ajayaadstanek, just wanted everyone to show a small demo! I hope it's okay.14:06
ayoungajayaa, it needs a soundtrack14:07
*** mattfarina has joined #openstack-keystone14:07
ayoungdstanek, Cassandra was where Termie was origianlly headed with Keystone.14:08
htrutadstanek: hey! I agree with your comment here: maybe we can consider this refactoring in a short future.14:08
ajayaaayoung, you only get what you pay for. ;)14:08
*** _cjones_ has joined #openstack-keystone14:08
morganfainbergajayaa: nice!14:08
ayoungajayaa, More correct to say but you pay for what you get14:08
*** samueldmq is now known as samueldmq-away14:08
dstanekcassandra is very nice. i wonder about deployers though since they seem like a conservative bunch14:08
ajayaaayoung, :)14:09
ajayaaThanks guys. We are working with glance now to have a NoSql backend for it.14:10
ayoung   W000000T!14:10
ajayaaAnd the final target would be Nova. :)14:10
ayoungWe have movement on a DOA patch finally!14:10
ayoungEven if it is trivial14:10
*** trey has quit IRC14:11
*** _cjones_ has quit IRC14:11
*** trey has joined #openstack-keystone14:12
ajayaadstanek, I think Cassandra is a mature technology today but agree that not as mature as MySql or MariaDB.14:13
*** gokrokve has joined #openstack-keystone14:13
kodokudstanek I don't find any option for insecure connection for https in neutron. I search in official docs and nothing :/14:14
dstanekajayaa: i think it's mature enough, but in general it seems like deployers are really conservative14:14
kodokuI think neutron curl without -k :/14:14
ajayaadstanek, agree. People who want a massively scalable cloud would also want a db which would scale. I think they are the one who would be interested in this.14:15
ajayaaAlso, Cassandra backend would be a fault tolerant.14:15
ayoungnkinder, I'm closer on WebSSO.  Now I get a valid redirect back to Horizion but get:14:16
ajayaaIt wouldn't an issue if a node goes down at 3 am in the night. Keystone would run just fine.14:16
ayoungAttributeError at /auth/websso/14:16
ayoung'NoneType' object has no attribute 'token'14:16
ayoungI'm wondering if I need to update KC or something14:16
ajayaadstanek, I would love to have deployer's/op's feedback on this though.14:17
*** zzzeek has joined #openstack-keystone14:19
morganfainbergayoung: I've seen that before. But can't remember where b14:20
dstanekmorganfainberg: did you see my question from earlier about migrations?14:21
morganfainbergdstanek: nope. Just woke up.14:22
morganfainberg(Yes I actually sleep sometimes)14:22
*** timcline has joined #openstack-keystone14:22
dstanekmorganfainberg: i forgot that it's super early there. no pressure. we can chat later about it.14:22
morganfainbergNah all good. What's up?14:23
morganfainbergGotta wait an hour before going for coffee/breakfast.14:23
*** gokrokve has quit IRC14:23
dstanekis there a guideline for when/if it's OK to change an existing migration? are migrations that are new in the release fair game to change?14:24
*** gokrokve has joined #openstack-keystone14:24
morganfainbergThe guideline is (from my perspective). If the change to the migration doesn't change functionality or resulting db/schema/data you can do it.14:25
morganfainbergOtherwise any changes need an idempotent follow up to do the same thing even in the same Dev cycle.14:25
morganfainbergThis is because some deployers run close to master14:26
morganfainbergAnd changing the result of a migration means they'd have inconsistent dbs from what we expect.14:26
dstanekthat's what i was worried about. how much we care about that.14:26
dstanekthere are lots of examples, but the one i found this morning was
morganfainbergSo for the case of the Idp registration review I -1d the fix to not use the model shouldn't  change anything.14:27
morganfainbergUhh. Yeah that's a -114:28
*** gokrokve has quit IRC14:29
*** ayoung is now known as ayoung-afk14:29
dstanekmorganfainberg: which one is the idp registration review?14:30
morganfainbergdstanek: looks like my comment was addressed. But I had -1d because they used the model to do the migration.14:32
morganfainbergWhich is dangerous since the model could change.14:32
morganfainbergSee Stevemar's follow up patch.14:33
dstanekmorganfainberg: when i fixed that patch i didn't think about changing that part too. i just changed the query14:36
bretonFolks, I think there is a problem with
dstanekwhat's the problem?14:37
bretonI'm getting ProgrammingError: column "ccc98bb335df46d796202bd8b0f65a5c" does not exist when I run the test on postgresql14:37
breton*the schema upgrade test14:37
morganfainbergbreton: well 2 things: you run Postgres? (First person who has said as much openly)14:37
morganfainbergAnd 2: I assume it is because you have data in the db vs a clean migrate like what occurs in gate?14:38
bretonmorganfainberg: I test on mysql and on postgres14:38
dstanekit worked on mysql though?14:38
bretonmorganfainberg: I drop the db and create it before running the test14:39
bretondstanek: I will try now14:39
morganfainbergbreton: can you see if the follow up patch also breaks in pgsql?14:39
morganfainbergSince it changes how migrate... Oh the upgrade test? Weird.14:40
bretonmorganfainberg: yes. I started with it.14:40
bretonmorganfainberg: then tried parent commit and it failed on the test too.14:40
bretonmysql is ok though.14:40
* morganfainberg votes OpenStack drop Postgres support because it is poorly tested at best - at worst it is horribly broken.14:41
morganfainbergOr we should use Postgres and really commit to it.14:41
morganfainbergBut this supporting "all db engines sort of" bugs me.14:41
breton -- log from postgres14:42
morganfainbergbreton: we can boot it out of gate easily. But I'd like to know more of why it is broken before we do.14:42
breton*from test14:42
breton*with postgres14:42
*** jorge_munoz has quit IRC14:42
morganfainbergbreton: that is weird.14:43
*** _cjones_ has joined #openstack-keystone14:43
morganfainbergAfict that shouldn't be happening from the query.14:43
*** jorge_munoz has joined #openstack-keystone14:43
morganfainbergOr is that a bad error message from Oslo.db14:44
morganfainbergI don't see how that query is resulting in a column not found for the Idp-id value14:44
*** jorge_munoz has quit IRC14:44
morganfainbergOr.. Is "column not found" Postgres way of saying no rows returned?14:45
dstaneki think that message is saying the row doesn't exist14:46
bretonI don't think so.14:46
bretonI think it is something about quotes14:46
morganfainbergSELECT idp_remote_ids.idp_id, idp_remote_ids.remote_id \nFROM idp_remote_ids \nWHERE idp_id="ccc98bb335df46d796202bd8b0f65a5c"' {}14:46
bretonthat "WHERE" is constructed somehow manually on line 73814:46
morganfainbergWhat is that {} at the end?14:46
morganfainbergOh nvm.14:47
bretonI don't know, but it's outside of single quotes14:47
morganfainbergbreton: yeah that's why I said nvm14:47
dstaneki haven't looked at the code, but i would guess bindvars14:47
dstanekdo you need spaces around the = for postgres?14:47
openstackgerritRaildo Mascena de Sousa Filho proposed openstack/keystone: Add domain_id checking in create_project
openstackgerritRaildo Mascena de Sousa Filho proposed openstack/keystone: Add is_domain field in Project Table
openstackgerritRaildo Mascena de Sousa Filho proposed openstack/keystone: Change domain_id FK in project table
openstackgerritRaildo Mascena de Sousa Filho proposed openstack/keystone: Bye Bye Domain Table
openstackgerritRaildo Mascena de Sousa Filho proposed openstack/keystone: Honor domain operations in project table
openstackgerritRaildo Mascena de Sousa Filho proposed openstack/keystone: Stop calling domain drivers
openstackgerritRaildo Mascena de Sousa Filho proposed openstack/keystone: Change project name constraint
*** jorge_munoz has joined #openstack-keystone14:48
openstackgerritRaildo Mascena de Sousa Filho proposed openstack/keystone: Restrict inherited role assignments to subdomains
morganfainbergbreton: yep manual where construction won't work.14:48
morganfainbergPeople seem to go out of their way to avoid using the orm14:48
morganfainbergbreton: ok I can fix this in a quick follow up (rather than booting this out of gate) since this is a test issue. That work?14:49
bretonmorganfainberg: I'll do it (in fact, I already am)14:49
morganfainbergOk sounds good.14:49
morganfainbergdstanek: you and I can pile on the review once breton posts it.14:50
dstaneksounds good14:50
dstanekwow, i had no idea -
*** carlosmarin has joined #openstack-keystone14:53
openstackgerritRaildo Mascena de Sousa Filho proposed openstack/keystone: Creating domain and filtering by parent_id
dstaneklots more differences in simple things than i expected14:53
openstackgerritRaildo Mascena de Sousa Filho proposed openstack/keystone: List projects filtering by is_domain flag
openstackgerritDave Chen proposed openstack/keystone: Don't add unformatted project-specific endpoints to catalog
morganfainbergdstanek: neat. We should yell at people for not using the orm. :P14:54
bknudsonceilometer is working on a cassandra backend.14:56
bretongit review ignores my -R :(14:58
*** _cjones_ has quit IRC14:58
bknudsonthere's probably a config option for rebasing.14:58
*** _cjones_ has joined #openstack-keystone14:59
*** davechen has left #openstack-keystone15:07
morganfainbergdstanek: wow some of the things professed as benefits of Postgres makes my skin crawl. Anytime someone advocates putting business logic in the db (aka functions/stored proceedures) is say they are doing it wrong. Now the views are nice especially since the MySQL version of those afaict don't update where you can have auto updating views in pgsql and oracle.15:07
dstaneki hate stored procedures15:08
dstaneki would love views - that's the only thing i miss from Oracle15:08
dstanekoh, i guess i miss all the money we spent too15:08
bknudsonmight as well just use a flat filesystem if you don't care about store procedures.15:09
*** devlaps has joined #openstack-keystone15:10
dstanekbknudson: are you a fan?15:10
j_kingpostgresql is my preferred rdbms.15:10
*** ajayaa has quit IRC15:11
bknudsondstanek: there's all sorts of things you can do if you're willing to tie yourself to a specific database... probably is anything slightly advanced won't be cross-db.15:11
bknudson"problem is"15:11
amakarovGreetings to all! A question: is 'list_revoked_tokens' still used somewhere? It appears to be a bottleneck...15:12
openstackgerritBoris Bobrov proposed openstack/keystone: Use ORM in upgrade test instead of manual query construction
*** samueldmq has joined #openstack-keystone15:14
gordcbknudson: +1... 'jack of all trades' route is definitely restrictive.15:15
morganfainbergamakarov: it is intact used. It is how we generate the revocation list iirc.15:16
morganfainbergamakarov: at least I think that is where it is used. (Not the revocation events but the old list style)15:17
amakarovmorganfainberg, thanks, so I can't just remove it... Sad.15:18
morganfainbergbknudson: I don't care about stored proceedures. Fork lifting business logic into the db engine results into all sorts of icky issues. It tends to also lead to bad design because "oh we can fix that in the db". There are always exceptions (often migration from one data set to another before all apps are updated, etc)15:19
amakarovmorganfainberg, under high load memcache lock in token kvs backend quickly depletes max lock attempts15:20
morganfainbergamakarov: yep. Don't use memcache. No really don't. :(15:20
morganfainbergamakarov: this is another issue with persisted tokens. Either you suffer with locking in kvs or db sql table sizes and gap lock on flush15:21
*** fifieldt has quit IRC15:21
amakarovmorganfainberg, I'm tuning release based on juno and can't switch to Redis. Feel a bit BDSM victim :)15:22
openstackgerritMerged openstack/keystone: IdP ID registration and validation
morganfainbergamakarov: so, if you use uuid tokens. You could rip out all the house keeping/locking stuff if you don't care about revocation lists15:23
morganfainbergamakarov: but we can't do that upstream atm.15:23
morganfainbergTrust me, I'd like to make the TRL go away permanently.15:24
amakarovmorganfainberg, that's really good news!15:24
*** _cjones_ has quit IRC15:24
morganfainbergbknudson: It dawned on me that ksm dependencies become $project dependencies. Since ksm doesn't used a separate interpreter/venv. Icky :(15:26
morganfainbergamakarov: something we could enhance in liberty when revocation events become really a first class supported option in middleware15:27
bknudsonare ksm dependencies that bad?15:27
*** gyee has joined #openstack-keystone15:29
*** ChanServ sets mode: +v gyee15:29
amakarovmorganfainberg, I was surprised to find TRL instead of revocation events in middleware :)15:30
*** samueldmq_ has joined #openstack-keystone15:31
*** stevemar has joined #openstack-keystone15:34
*** ChanServ sets mode: +v stevemar15:34
*** samueldmq has quit IRC15:34
dstanekmorganfainberg: you would recommend against the memcached backend for tokens?15:35
dstaneki would too, but i'm curious what the official position is15:35
morganfainbergdstanek: I recommend sql backend tbh15:36
morganfainbergFor pre kilo15:36
dstanekwhat about for k?15:36
morganfainbergKilo and later I'd say Fernet15:36
morganfainbergEven being new15:36
dstaneki ask because
morganfainbergIt solves the biggest scale issue with keystone.15:36
morganfainbergThe memcache backend would have been deleted if I though I could do so without being lynched15:37
morganfainbergIt is awful with a ton of really bad housekeeping things to address some design decisions that were regretted later on. (The TRL)15:38
bretonmorganfainberg: I've raised a question about fernet tokens in the ml15:38
bretonmorganfainberg: I don't quite see how to use them on multi-node setup15:39
amakarovmorganfainberg, m.b. Redis? ;)15:39
morganfainbergbreton: yes. Today the answer is the same as the pki stuff. It really is on the deployed to maintain. Next cycle that will be looked at so we can make fernet a default if we wanted to15:39
bretonsql backend is slow as hell15:39
morganfainbergamakarov: redis only solves the issue with persistence in memcache.15:39
bretonmemcache should not be used15:40
bretonfernet are not ready for multi-node setup15:40
bretonlooks depressing :)15:40
morganfainbergbreton: and the memcache backend is a tram wreck because it is beig used for the wrong thing. Memcache is not persistent store.15:40
dstanekbreton: why do you say that?15:40
morganfainbergbreton: the best answer is sql.15:40
bretondstanek: say what? About fernet?15:40
morganfainbergbreton: the issue is most people run untuned MySQL and complain the performance is bad.15:40
amakarovmorganfainberg, yes, I compare it to memcache and sql - Fernet is awsome without question )15:41
dstanekbreton: i got it working fine with a test multnode setup15:41
bretondstanek: how do you sync keys?15:41
dstanekbreton: ansible15:41
dstanekyou could use all kinds of stuff to sync them based on your environment15:41
morganfainbergbreton: ansible, drbd, etc15:41
bretonare they ha? Will they work if one of the nodes go down?15:42
morganfainbergWe didn't try and solve that issue at this point. Solving may be documentation and recommending options for syncing15:42
dstanekbreton: they were both behind the load balancer15:42
morganfainbergBut syncing files of a particular type around is a long solved devops (hate that word) problem15:43
dstanekthe design of how the keys rotate makes it work nicely in multi node since the "next" key is synced before it is used15:43
*** mattamizer has joined #openstack-keystone15:43
morganfainbergSo we figured that was a way to smooth out rough edges the next cycle. Even if that is just documentation.15:43
morganfainbergdstanek: ++15:44
* breton doesn't have enough devops skills15:44
dstanek+100 for Keystone not dealing with the sync - it's a configuration management issue15:44
rodrigodsstevemar, in the ECP and relay_state patches, I changed the controller to use directly the config and it seemed to work15:44
stevemarrodrigods, link?15:44
morganfainbergdstanek: exactly. It might be just docs. But docs and recommendations go a long way.15:44
bretonbut I still do not see how current implementation can be synced without the master node15:44
morganfainbergbreton: it can be synced either way. Make a key, sync, then rotate as you want.15:45
dstaneki ran the rotation on one node and synced to the others15:45
morganfainbergbreton: you always sync a key (either direction) before you use it15:45
*** mattamizer has quit IRC15:46
bretondstanek: what if the node supposed to run the rotation and push the new key gets broken?15:46
morganfainbergIt doesn't need a dedicated node to sync it just needs a node to perform the new key generate (any node), that is then used to sync.15:46
morganfainbergbreton: use the other node. Any node can generate. Sync from whatever node you generate from.15:47
dstanekbreton: right. if the process of generating the new key fails then whatever you are automating the process with should tell you that15:48
*** kodoku has quit IRC15:48
dstanekalso i mentioned this to lbragstad, it would be nice to have a simple way to generate keys without a full keystone installation15:49
morganfainbergdstanek: ++15:49
morganfainbergthings to work on for next cycle.15:50
bretondstanek: well, it's not how high availability works, doesn't it?15:50
lbragstaddstanek: first iteration
*** _cjones_ has joined #openstack-keystone15:50
morganfainbergbreton: if any node can be used and you can sync from that node, I don't see how you're missing on the HA front.15:50
dstanekbreton: the key rotation doesn't have to be HA in the same way that a running system needs to be15:50
morganfainbergIt's not something that happens every 30seconds or even every 30minutes usually.15:51
bretonmorganfainberg: really? Then how often should keys be rotated?15:51
dstaneksay you rotate every hour. something happens and that process fails. the system is still available while the ops team fixes rotation15:51
lbragstaddstanek: ++ that's part of the benefit behind the staging key15:52
dstanekbreton: daily or much longer is probably going to be very common15:52
morganfainbergdstanek: my guess is 1-2 days is likely. Weekly is the outside edge of what people will do.15:53
* breton would like to see some math to find out how often it should be15:53
bretonbecause talks about minutes15:53
lbragstadbreton: yeah, that's an example for the sake of easy math15:54
morganfainbergbreton: how much time does it take to reverse out an aes and hmac key pair.15:54
dstanekit will have to be at least (mins_needed_for_longest_operation / (num_active_keys * expected_rotation))15:54
morganfainbergdstanek: token_ttl15:54
morganfainbergNot mins for operation15:55
morganfainbergBut same effect.15:55
dstanekmorganfainberg: the token_ttl could be 1 day, but if you rotation ever minute and only allow 3 active keys then the effective ttl is 3 minutes15:56
morganfainbergRight. I'd argue that rotation should always be calculated on ttl (barring exceptional circumstances) not15:56
morganfainbergExpected length of time for max length operation15:56
morganfainbergJust when we communicate it to people15:57
dstaneki'd totally agree - was just showing the minimum15:57
morganfainbergWe are in vehement agreement15:57
*** ayoung-afk is now known as ayoung15:59
rodrigodsstevemar, should the relay_state be returned in the service_catalog?15:59
ayoungj_king, a dev after my own heart.  Prefer postgresql, and glad to see Stonebraker won the Turing.16:01
*** _cjones_ has quit IRC16:01
ayoungmorganfainberg, so, rcrit had an interesting suggesting.  Ipsilon has a plugin that uses pam to read users and groups.  We could run devstack to set up islinlon, create a local user, and use that for SAML testing16:02
*** _cjones_ has joined #openstack-keystone16:02
*** ajayaa has joined #openstack-keystone16:02
ayoungNo external dependencies16:02
*** thedodd has joined #openstack-keystone16:04
*** gokrokve has joined #openstack-keystone16:08
rodrigodsstevemar, I fixed the tests here but removed the RELAY_STATE_PREFIX constant from federation/ and I'm using the config directly... if you are ok with it I can submit16:08
*** csoukup has joined #openstack-keystone16:09
openstackgerrithenry-nash proposed openstack/keystone: Update configuration documentation for domain config
stevemarrodrigods, definitely doesn't need to be in the service catalog16:11
stevemarrodrigods, the changes sound fine, go ahead boss16:11
*** browne has joined #openstack-keystone16:11
rodrigodsstevemar, great, just running the tests again here16:12
stevemarapparently i broke something in the tests16:12
stevemarrodrigods, oh, rename the file to 008, i bet that's it16:12
ayoungstevemar, running websso patches against horizon, I get this:16:12
ayoung2015-03-27 16:11:02.395195   File "/opt/stack/django_openstack_auth/openstack_auth/", line 28, in set_session_from_user16:12
ayoung2015-03-27 16:11:02.395197     request.session['token'] = user.token16:12
ayoung2015-03-27 16:11:02.395199 AttributeError: 'NoneType' object has no attribute 'token'16:12
ayoungThis is after the redirect back from the SAML IdP16:13
ayoungwhat did I break?16:13
ayoungdo I need an auth plugin for KC?  I assume not.16:15
rodrigodsstevemar, the error is because it is creating a non-nullable column without a default value16:17
stevemarayoung, there's still DOA work that needs to be rebased16:20
ayoungstevemar, Work is in progress...I have to  wait.16:20
stevemarthey current DOA patch for federation doesn't use the auth plugins yet16:20
ayoungI hate waiting16:20
stevemarme too16:20
*** lhcheng_afk has joined #openstack-keystone16:22
ayoungstevemar, so, what needs to happen?  I want to make sure I understand the path to having a workable WebSSO in Kilo.16:23
ayoungDOA needs to support Auth plugins16:23
ayoungand then ... we use the Federation plugin for this.16:23
*** gokrokve has quit IRC16:23
ayoungDo we need a special auth plugin for Horizon?  THe redirect to Keystone triggers the call to the IDP, when gets the assertion, goes back to Keystone, gets the token, posts the token to Horizon16:24
ayoungat that point, we should have an unscoped token.  DOA should use it just like any other unscoped token16:24
ayoungWher does the auth plugin fit in?16:25
*** krykowski has quit IRC16:26
stevemarayoung, hooold up, you're moving too fast for me - "DOA needs to support auth plugins" jamielennox just delivered this, it's merged16:28
ayoungstevemar, right.16:29
stevemarayoung, we would actually use a token plugin, not a federation plugin. i think lhcheng_afk is trying to rework the current patch to use auth plugins16:29
ayoungAnd the DOA WebSSO patch is -1 cuz he's reqbasing on top of that16:29
ayoungAh...ok,  token plugin makes sense16:29
stevemarand yes, you are right - it would work like any other token at that point, it's unscoped and will list projects16:30
ayoungstevemar, what do you think of my proposal to have Ipsilon in devstack  using a local user and pam as our way of testing Federation?16:30
stevemarayoung, it's good to have options, dstanek was doing some stuff with pysaml2 for functional testing, could easily be ported to devstack16:31
stevemarusing pysaml2 as an idp16:31
stevemarsuper easy review:
openstackgerritRodrigo Duarte proposed openstack/keystone: Add API to create ecp wrapped saml assertion
openstackgerritRodrigo Duarte proposed openstack/keystone: Add relay_state_prefix to Service Provider
rodrigodsstevemar, gyee ^16:33
ayoungstevemar, +2A16:33
stevemarayoung, there's one more i had for EP filter...
stevemarpoor EP filter, it's so neglected16:34
dstanekstevemar: ayoung: i'd love not to use pysaml216:35
stevemarrodrigods, before you switch branches...16:35
stevemarrodrigods, change 007 to 00816:36
stevemarotherwise the migration won't happen16:36
rodrigodsstevemar, is there a 007 script?16:36
rodrigodsstevemar, didn't show up in the rebase here16:36
stevemarrodrigods, just landed16:36
rodrigodsstevemar, ah, cool16:36
ayoungdstanek, I think ipsilon  makes sense for this.  I would be in the HTTPD server config, and, just like everything else, would need to make space in the namespace of the server  by bumping Horizon down one level16:37
dstaneki'll have to read up on it this weekend16:37
stevemarrodrigods, the rename and 1 spot in test_backend_federation16:38
*** atiwari has joined #openstack-keystone16:39
*** afazekas has quit IRC16:40
openstackgerritVictor Sergeyev proposed openstack/keystone: Fix for migration 062 on MySQL
openstackgerritRodrigo Duarte proposed openstack/keystone: Add API to create ecp wrapped saml assertion
openstackgerritRodrigo Duarte proposed openstack/keystone: Add relay_state_prefix to Service Provider
gyeerodrigods, thanks!16:46
*** lhcheng_afk is now known as lhcheng16:50
*** bknudson has quit IRC16:51
*** henrynash has quit IRC16:55
*** tqtran has joined #openstack-keystone17:03
*** asselin has left #openstack-keystone17:04
ayoungstevemar, for the Kerberos  and SSSD approach, I want to use Federation, but I don't need to go to a remote IDP;  Keystone can do everything it needs to issue a token.  I assume I need the DIOA using Token PLugin piece to make that  work...what about on the KEystone side?17:05
ayoungInstead of the protocol being SAML, it really is HTTP+Kerberos17:05
ayoungso, lets say we call it Kerberos (and get yelled at by the Pedants later)17:06
ayoungMy Horizon is currently using mod_mellon to redirect to Keystone...Horizon would have to do that itself17:06
*** henrynash has joined #openstack-keystone17:08
*** ChanServ sets mode: +v henrynash17:08
*** _cjones_ has quit IRC17:08
morganfainbergayoung: I think ipsilon via devstack has potential. Keeping all in-node is much easier than trying to roll it multi node17:08
morganfainbergayoung: I'll obviously need to see ipsilon in action and all that. But it's a decent idea for a real (not awful) Idp17:10
morganfainbergNot based on silly pysaml lib17:10
ayoungmorganfainberg, I'm going to get isplion up on younglogic.net17:10
morganfainbergayoung: so, can I do the needed bind to to treat it as an ldap identity. Backend?17:12
ayoungmorganfainberg, there is a PAM plugin for Ipsilon, so it can use local users.17:12
morganfainbergI'm trying out a deployment were sql is the default identity driver, and default domain is a per-domain configuration17:12
ayoungFOr Devstack, we'd probably use "stack"  or sometjhing17:12
ayoungYou need a public LDAP server...17:13
ayoungI think so.17:13
*** jistr has quit IRC17:13
*** gokrokve has joined #openstack-keystone17:13
morganfainbergI just feel lazy and would rather not setup a 1-off if your server can act as it for my testing / documentation purposes.17:14
morganfainbergIf not I'll spin up openldap but if it is already somewhere I can use, that is better.17:14
ayoungmorganfainberg, firewall port is not open, but other than that, it is ready to go17:15
gyeemorganfainberg, stevemar, henrynash, lhcheng, we should be able to update the doc as a bug right?
stevemargyee, i would think so?17:16
morganfainbergCool I'll ping you once I'm ready to test this (next week). I'm looking for a way to help people migrate from v2 backends to ldap + v3.17:16
stevemari mean... we're correcting it, but it's morganfainberg 's call at the end17:16
morganfainbergSince people just want to mostly add service users in and migrate to v3 etc.17:17
gyeestevemar, agreed17:17
morganfainbergayoung: and a lot of people aren't off v2 so this helps bridge the gap.17:17
morganfainberggyee, stevemar, lhcheng: so new api. Do we need that api to unbreak something or can it defer to liberty?17:19
*** henrynash has quit IRC17:20
morganfainbergAs in it is just not exposed but nothing needs it atm.17:20
gyeethat API was never exposed17:20
ayoungmorganfainberg, so the only issue with the IPA server is that is Version 3, and version 4 has the much prettier UI.  I was hoping to upgrade it, but I'll keep it stable as long as you need it17:21
morganfainbergSo then we defer to liberty if it isn't really going to break anything.17:21
morganfainbergayoung: nah. Upgrade away as long as you don't mind me using ldap stuffs.17:22
morganfainbergOr I can wait till you upgrade.17:22
morganfainbergNo big deal.17:22
ayoungmorganfainberg, it is not on my short list of things to do.17:22
ayoungI was really just doing the coder equivalent of "Sorry my house is so messy" that you get when you walk into the house of someone significantly neater than you are.17:23
gyeemorganfainberg, I am fine with defer it to L17:23
morganfainbergayoung: hehe ok.17:24
openstackgerritSteve Martinelli proposed openstack/keystone-specs: Update path for listing a project's endpoint groups
stevemargyee, morganfainberg lhcheng ^17:26
lhchengstevemar: thanks!17:26
*** davidckennedy has quit IRC17:26
morganfainbergstevemar: I think this is a defer to L unless we are really breaking something without this.17:26
stevemarmorganfainberg, we're not, but the API is broken17:27
gyeewe are unbreaking the broken API17:27
morganfainbergstevemar: the api doesn't work, what doesn't work?17:27
stevemarmorganfainberg, the code and tests are all there, the route/patch never existed17:27
morganfainbergSo what (besides this specific api call) is really not working?17:28
stevemarthe API said go to: /endpoint_groups/projects/{id}, but this route was never handled by keystone server side17:28
stevemarthats it17:28
morganfainbergHow big of an impact to the user is it?17:28
* stevemar shrugs17:28
gyeethere's no user impact as that API was never exposed17:29
morganfainberg"It is a bloody awful ux not to have this we should fix it for kilo" or "meh, no one uses this anyway or feels it is missing" or "oh hell why do we even have this api, it is useless"17:29
gyeebut if there's a reference implementation of Keystone out there written in Go, sucks for them17:29
morganfainbergPick one. ;)17:29
stevemaryeah 2_17:30
morganfainbergThen we should just probably defer to liberty.17:30
stevemarif no one noticed it didn't exist in all of Juno and most of kilo dev, then no one uses it anyway17:30
stevemaralright, lets untarget the bug for kilo-rc1 then!17:30
morganfainbergstevemar: and I'll toss some -2s around.17:31
* morganfainberg really wants a new column: -1 "feature freeze" that the ptl gets17:32
gyeeno argument here17:32
morganfainbergSo I can easily tell if it is feature freeze or -2 "oh hell no"17:32
stevemarmorganfainberg, now if there was a way to automatically set that flag during RC time for every new patch, you're set ;)17:33
morganfainbergI could make a bot at that point. Easy17:33
openstackgerritMerged openstack/keystone: add test of /v3/auth/catalog for endpoint_filter
morganfainbergstevemar: maybe we can make it -2 workflow and make that sticky17:35
* morganfainberg should ask infra.17:35
*** henrynash has joined #openstack-keystone17:38
*** ChanServ sets mode: +v henrynash17:38
* morganfainberg asks jeblair in -infra17:38
openstackgerritSteve Martinelli proposed openstack/keystone: Change the way values are migrated for 007_add_remote_id_table
stevemarmorganfainberg, addressed your concern here ^17:41
morganfainbergstevemar: yep! Thanks17:42
morganfainbergIt wasn't a blocker to land the patch because the model hadn't changed but it needed to happen before rc17:42
*** henrynash has quit IRC17:43
*** _cjones_ has joined #openstack-keystone17:44
*** spandhe has joined #openstack-keystone17:47
rodrigodsmorganfainberg, do we have a new ksc release? I remember there was a discussion to release it earlier this week17:47
morganfainbergrodrigods: yes I released on wed. Looks like announcement email got stuck in my outbox17:48
rodrigodsmorganfainberg, thanks!17:49
*** bknudson has joined #openstack-keystone17:49
*** ChanServ sets mode: +v bknudson17:49
*** chuckcarmack has joined #openstack-keystone17:51
openstackgerritMerged openstack/keystone: Remove empty request bodies
openstackgerritMerged openstack/keystone: Remove unnecessary import that was not checked
*** iwi has joined #openstack-keystone17:54
iwihi there, is it possible tell python-keystoneclient that it should only use public endpoint ?17:55
openstackgerritLin Hua Cheng proposed openstack/keystone: Add routing for list_endpoint_groups_for_project
ayoungnkinder, look what I just fouind in the log:  2015-03-27 18:09:05.415336 Websso is enabled but your keystone does not support it.18:09
ayoung2015-03-27 18:09:05.415373                      Please use keystone version 3 or above.18:09
bknudsonstevemar: you signed up for the openstack booth at pycon?18:11
bknudsonmaybe you can tag team with dstanek18:11
ayoungstevemar, how are we supposed to enumerate the set of values in the "Authenticate Using"  box in Horizon?  Something in local_settings.py18:12
*** chuckcarmack has left #openstack-keystone18:13
*** ericksonfgds_ has joined #openstack-keystone18:17
stevemarbknudson, i did - one way or another i'll get there18:20
stevemarbknudson, train for $60 + crash at gordc's place - booya18:20
stevemargordc, btw18:20
gordci should warn you my couch is meant for a child but sure.18:22
dstanekopenstack booth?18:22
*** afazekas has joined #openstack-keystone18:23
*** amakarov is now known as amakarov_away18:29
*** gyee has quit IRC18:32
openstackgerritPriti Desai proposed openstack/keystone: Fix for listing role assignments by project admin
stevemargordc, i'm kidding / not kidding...18:33
stevemargordc, should get funding, i think18:33
dstanekstevemar: does that mean you'll be at PyCon?18:36
*** afazekas has quit IRC18:37
gordcerrr ok. you can sleep at our office. it's a 5 min walk.18:37
stevemardstanek, yep18:38
gordcstevemar: don't wake up the other people though.18:38
dstanekstevemar: i still have to get a hotel booked18:38
stevemargordc, i'm good with a couch :P18:39
stevemardstanek, gordc i should hear about funding by EOD... the free passes that the foundation was offering definitely helps18:40
* gordc goes to set up airbnb for the office.18:40
dstanekstevemar: i wish i know about free passes - would have save $40018:40
bknudsonhow do you get the pass?18:40
stevemardstanek, i just heard about it yesterday18:41
bknudsonsay you work for a poor company?18:41
stevemarit was on a mailing list18:41
bknudsonthe ceo is barely making it.18:41
gordcstevemar: aight. let me know.18:41
dstaneknow i'm looking for a cheap, but close hotel18:41
stevemarbknudson, dstanek18:41
bknudsonit's hardly volunteering when you're getting 400 for it.18:42
stevemargetting a pass that is valued at 40018:43
dstanekhey, that's my kind of volunteering18:43
openstackgerritMerged openstack/keystone: Use ORM in upgrade test instead of manual query construction
*** carlosmarin has quit IRC19:02
ayounglhcheng, I'm trying out your patch...pre-Jamies change19:09
*** carlosmarin has joined #openstack-keystone19:09
ayoungFor Django Openstack Auth19:09
ayounglhcheng, and the Horizon server seems to be unhappy with me19:10
ayoungYou around to talk this over?19:10
lhchengayoung: yes, did you apply the Horizon patch too?19:10
ayounglhcheng, yes19:11
ayoungand it seems to be working somewhat19:11
ayoungI have  set this in the local_settings:19:11
lhchengayoung: what Horizon error are you seeing?19:11
ayoung    "identity": 3,19:11
ayoungWEBSSO_CHOICES =  (19:11
ayoung                  ("credentials", _("Keystone Credentials")),19:11
ayoung                  ("saml2", _("Security Assertion Markup Language"))19:11
ayoung               )19:11
ayoungWEBSSO_INITIAL_CHOICE = "saml"19:11
ayoungSo,  first stop, I hit the top level URL and get redirect to login19:12
ayoungSo far so good19:12
lhchengayoung: okay.. the local_settings looks right19:12
ayoungthe initial choices seems to be ignored19:12
ayoungIt is set on Credentials, not SAML19:12
lhchengayoung, WEBSSO_INITIAL_CHOICE = "saml2"19:12
ayoungsaml2...ok, let me fix that19:13
ayoungOne bug down!19:13
ayoungOk,  so now it defaults to "Security Assertion Markup Language"19:13
ayoungno visible fiels except a submit button19:13
ayoungHIt connect and it spins until timeout19:14
*** ajayaa has quit IRC19:14
lhchengayoung, So.. the button name should be changing depending on the value of the dropdown19:15
ayoungIt says connect right now19:15
ayoungI think that is right19:15
lhchengayoung: okay19:16
lhchengayoung, does Horizon try to redirect you to another page?19:16
lhchengdid the url in the browser changed?19:16
ayounglet me pull up the saml tracer19:17
ayoungthat shows it doing a POST to /auth/login19:17
bknudsonI wonder if having a stable/ branch for keystoneclient doesn't give us a little more leeway for a 2.0.19:18
ayounglhcheng, nothing in horizon log.  I can try and put in a breakpoint somewhere, but where?19:19
lhchengayoung: right, and DOA should process that POST request and perform a redirect to
ayounglhcheng, something is hanging.19:19
lhchengayoung: somewhere in line 65:
*** gsilvis has quit IRC19:21
ayounglhcheng, nah, it hits that code on an earliert form, but doesn't seem to go through it again19:21
ayoungthee _init__ function I mean19:21
*** gsilvis has joined #openstack-keystone19:22
ayoungsorry, wrong file19:22
ayoungI was in forms, not views19:22
*** afazekas has joined #openstack-keystone19:24
*** atiwari has quit IRC19:25
ayoungOK, redirect url is19:25
*** atiwari has joined #openstack-keystone19:25
lhchengayoung: can you access that if you hit it from your browser?19:25
ayoungtrying now19:25
ayounglhcheng, seems to be hanging now, too19:27
ayounglet me kill the browser and restart the web server19:27
lhchengayoung: okay19:27
*** gokrokve has quit IRC19:30
*** gokrokve has joined #openstack-keystone19:31
*** gokrokve has quit IRC19:31
*** afazekas has quit IRC19:32
*** devlaps has quit IRC19:36
lhchengayoung: heading out for lunch, brb19:47
*** lhcheng is now known as lhcheng_afk19:47
ayounglhcheng, OK.  THanks19:47
*** rushiagr is now known as rushiagr_away19:52
ayoungnkinder, something is wonky.  Now the Keystone redirect is going to19:54
nkinderwhat is redirecting you there?  Horizon?19:54
nkinderayoung: I think that's where the assertion is posted, and mellon handles it19:55
nkinderayoung: look in your SP metadata19:55
ayoungnkinder, looking19:55
ayoungnkinder, in idp-metadata.xml19:56
nkinderayoung: no, http_<keystone-fqdn>_metadata.xml19:56
ayoungnothin points to port 500019:56
nkinderyeah, that one19:57
ayoungnkinder, not quite19:58
nkinderayoung: can you pastebin your xml file?19:59
*** gokrokve has joined #openstack-keystone19:59
nkinderayoung: ok, so it should be postResponse20:00
nkinderayoung: have you looked at the series of redirects that is happening?20:01
ayoungnkinder, I wonder why it is just hanging...but it looks to be a disconnect between Horizon and Mellon then?20:01
ayoungThat was the first one20:01
ayoungI tried with curl20:02
nkinderwhat URL did you hit with curl?20:02
ayoung<p>The answer to your request is located <a href=";">here</a>.</p>20:02
nkinderok, and that goes to your IdP first, right?20:02
nkinderthen the assertion is posted back?20:03
ayoungyeah, that is the URL that horizon redirects me to.  It was working earlier...or so I thought.20:03
nkinderayoung: I don't understand.  You are hitting keystone with curl.  At what point does it get to Horizon?20:04
nkinderit should go keystone->idp->keystone->horizon20:04
ayoungnkinder, I started with:20:04
ayoungthat redirects to20:05
ayoungthat renders fine.  I hit "Connect"20:05
ayoungand it was spinning forever20:05
ayoungso I started tracing using the SAML plugin in FIrefox and got the redirect to20:05
ayoungrather, that is what I posted, and then20:06
*** ericksonfgds_ has quit IRC20:07
*** afazekas has joined #openstack-keystone20:07
ayoungHmmm, not sure where I made the connection with the Keystone url...saw it in some earlier tracing20:09
ayoungah...I know20:09
ayoungit was from rpdb in the DOA code20:09
raildodstanek, ayoung bye bye domain table: :P20:09
ayounghast la vista20:10
stevemarwhoa, i been in meetings for about 2 hrs, and i return to see ayoung deep in sso code20:12
ayoung  seems to redirect20:12
ayoungis that the same URL20:12
ayoungnkinder, ah,  IP address versus hostname20:13
ayoungGuessing that Apache is being picky there20:13
ayounglet me see if I did that20:13
*** ericpete_ has joined #openstack-keystone20:13
mfischhey keystoners, when you rescope a token do you get a new expiration?20:13
bknudsonmfisch: you get the same expiration20:14
mfischthanks bknudson20:14
mfischso much for your hax0r ericpete_20:14
ericpete_thanks bknudson20:14
ayoung{"error": {"message": "Unable to reconcile identity attribute user_id as it has conflicting values admin and 1c07ce91fa64470db1a6a17dac553df2 (Disable debug mode to suppress these details.)", "code": 401, "title": "Unauthorized"}}20:14
bknudsonit's easy to test20:14
ayoungnew message erre!20:14
ayoungstevemar, I'm close to having a working round trip here.20:15
stevemarayoung, that one is not coming from federation-y stuff20:16
mfischI like that word ^20:16
ayoungstevemar, Its in Keystone20:17
ayoungits the response from when ipsilon redirects back20:17
ayoungwhich was working before,  so...20:17
stevemarayoung, yeah, i meant it's not from keystone/contrib/federation (or at least i don't think so...)20:17
stevemarmfisch, i'm great at making up words20:17
ayoungstevemar, its from websso code20:18
stevemarthats my excuse for poor spelling20:18
*** timcline has quit IRC20:19
*** timcline has joined #openstack-keystone20:20
ayoung"GET /v3/auth/OS-FEDERATION/websso/saml2?origin= HTTP/1.1" 401 230 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:35.0) Gecko/20100101 Firefox/35.0"20:20
nkinderayoung: that's because federation can map to real users now20:20
nkinderayoung: so you can't use the same username for a federated user as one who exists in the identity backend for the same domain20:20
ayoungmust have picked up admin instead of I messed with ipsilon20:21
nkinderyeah, that would make sense20:21
ayoungyeah,. ips thinks I'm logged in20:21
nkinderayoung: logout from ipsilon, kill the mellon cookie, and try it fresh20:22
nkinder...and use ayoung20:22
ayoungok...back to20:22
ayoungAttributeError at /auth/websso/20:22
ayoung'NoneType' object has no attribute 'token'20:22
*** lhcheng_afk is now known as lhcheng20:22
ayoungI get that now20:23
*** david8hu has quit IRC20:24
ayoungI'm using lhcheng 's webssso patch for DOA pre-jamie's patch20:24
*** jeffDeville has joined #openstack-keystone20:24
*** david8hu has joined #openstack-keystone20:24
nkinderayoung: have you traced things and verified that you are getting a token back in the javascript?20:24
ayoungabove that I see20:24
ayoung2015-03-27 20:22:29.818902 No authentication backend could be determined to handle the provided credentials. This is likely a configuration error that should be addressed.20:24
ayoung2015-03-27 20:22:29.820037 Internal Server Error: /auth/websso/20:24
ayoungnkinder, I was before.  I think the problem is Django trying to handle it20:25
nkindersounds like it20:25
lhchengayoung: you might need to get the PS 20 of DOA patch20:26
lhchengayoung, the error msg you got is related to the new plugin code20:26
ayounglhcheng, I am on 2020:26
ayoungat least, I thought I was...20:27
ayoungcommit 6197368e92fbe71e16f832914d49d242f9cb110f20:27
ayoungok..that makes sense...20:27
ayoungKeystoneAuthException at /auth/websso/20:28
ayoungAn error occurred authenticating. Please try again later.20:28
ayoungOK, new error20:28
ayounglhcheng, want me to put a break point in there and see what is causing it?20:31
openstackgerritSteve Martinelli proposed openstack/keystone: Change the way values are migrated for 007_add_remote_id_table
stevemarmorganfainberg, dstanek ^ that should be the last patch for one of the FFEs20:33
lhchengayoung: yeah, that would be great20:34
dstanekstevemar: cool, i20:34
dstanek'll take a look in a few20:34
ayoungUnable to establish connection to
ayoungthat URL is legit20:35
ayounglhcheng, OK,  SAML token came through from Keystone <QueryDict: {u'token': [u'e24d04bd3847453cb8a632c5ede71084']}>20:37
ayoungprint unscoped_auth20:38
ayoung<keystoneclient.auth.identity.v3.token.Token object at 0x7fc9f77cff50>20:38
ayoung(Pdb) unscoped_auth_ref = unscoped_auth.get_access(session)20:39
ayoung*** ConnectionRefused: Unable to establish connection to
lhchengayoung, good find, DOA expects the token string to be submitted.20:39
lhchengayoung: keystone submit it back using:
lhchengayoung: keystone reads it from the auth response here:
ayoungSo this is converting the unscoped token for a scoped one20:41
lhchengayoung: Yup, that what DOA does with the federated token.20:41
ayoungbut looks like a connection error...which is strange because it is the same machine20:42
*** c_soukup has joined #openstack-keystone20:42
*** joesavak has joined #openstack-keystone20:43
*** raildo has quit IRC20:44
*** csoukup has quit IRC20:45
*** jeffDeville has quit IRC20:45
*** jeffDeville has joined #openstack-keystone20:46
*** afazekas has quit IRC20:47
ayoungso the frist thing this is doing is reauthenticating. Probably not strictly wrong, but wasteful20:47
lhchengayoung: ah horizon and keystone run on the same apache20:47
lhchengayoung: yeah, that's strange. It should be just fine20:48
ayoungdevstack setup20:48
ayounglhcheng, let me make sure login with userid and password works20:49
lhchengayoung, if you try the username/password login from horizon, does it work?20:49
*** jeffDeville has quit IRC20:50
ayoungno rouite to host20:53
*** samueldmq_ has quit IRC20:53
stevemarsamueldmq-away, lbragstad, morganfainberg we need a call made on this one:
openstackLaunchpad bug 1424500 in Keystone "Federation list projects endpoint does not honor project inherited role assignments" [Medium,Triaged] - Assigned to Samuel de Medeiros Queiroz (samueldmq)20:54
*** mfisch has quit IRC20:56
ayoungDHCP  why have you changed my hosts IP!20:56
*** mfisch has joined #openstack-keystone20:57
*** mfisch is now known as Guest9095720:57
ayoungnkinder, We have re-entry.  The Death Star Has Cleared THe Planet!20:59
ayounglhcheng, thanks a bunch.20:59
lhchengayoung: it works now?21:00
*** spandhe has quit IRC21:00
-openstackstatus- NOTICE: Gerrit maintenance commences in 1 hour at 22:00 UTC
ayounglhcheng, yes it does21:02
*** spandhe has joined #openstack-keystone21:02
ayounglhcheng, how hard is the rework on top of Jamie's patch?21:03
lhchengayoung, it isn't that bad, just been distracted with some other work21:07
lhchengayoung, will try to get something up by weekend21:07
ayounglhcheng, Where i sit, it is the weekend now21:07
ayounglhcheng, thanks for doing this21:07
lhchengrather before weekend ends :P21:08
lhchengayoung, by monday then21:08
*** timcline has quit IRC21:11
*** carlosmarin has quit IRC21:14
*** gyee has joined #openstack-keystone21:14
*** ChanServ sets mode: +v gyee21:14
nkinderayoung: awesome!21:15
ayoungnkinder, the last bit was cuz DHCP decided I needed a new internal IP address21:15
nkinderayoung: so rev.20 of the DOA patch, plus the horizon patch were needed21:15
nkinderayoung: ...and you had to use the /auth/websso path on the trusted_dashboard setting21:16
*** ericpete_ has quit IRC21:16
ayoung /auth/websso/21:16
ayoungthe final slash was essential, got and error without it21:16
nkinderoh, that's slightly annoying21:17
ayounghad to set the auth stuff to v 3 for horizon21:17
nkinderI wonder if we should make keystone strip the slash of both sides before comparing21:17
nkinderfailing due to a trailing slash seems overly picky21:18
nkinderayoung: it was giving you the "not a trusted dashboard" error?21:18
ayoungbut, its a config option,  it insists on it matching...I think that is OK21:19
nkinderayoung: that's worth a fix to avoid people running into it IMHO21:19
lhchengnkinder: I think that should be even relax it further, just checking the hostname for trusted_dashboard.21:19
nkinderlhcheng: yeah, possibly21:19
nkinderlhcheng: I suppose it would be something where you could configure what origin the dashboard sends21:20
nkinderlhcheng: then it's up to the deployer how picky they want to be21:20
nkinderlhcheng: as long as it works for kilo, I'll be happy regardless of how picky it is :)21:20
ayoungnkinder, so biggest thing is getting the Horizon patch in21:21
nkinderayoung: yes21:21
ayoungthat is FFE.21:21
nkinderayoung: it's been through a ton of revisions21:22
nkinderayoung: the outstanding comments are simple to address21:23
lhchengnkinder: yeah, we could look at that for liberty. Should be okay to relax later, without impacting the backward compatability.21:23
ayoungPatch in Merge Conflict21:29
stevemarnkinder, yeah lhcheng and i were talking about relaxing the check21:33
stevemari'd be okay with merging a simple rstrip('/') in keystone :)21:35
*** stevemar has quit IRC21:42
*** spandhe has quit IRC21:44
*** mattfarina has quit IRC21:44
-openstackstatus- NOTICE: Gerrit is offline for maintenance, ETA 22:30 UTC
*** ChanServ changes topic to "Gerrit is offline for maintenance, ETA 22:30 UTC"22:04
*** joesavak has quit IRC22:08
*** dimsum__ has quit IRC22:09
*** lhcheng has quit IRC22:14
*** spandhe has joined #openstack-keystone22:16
*** ayoung has quit IRC22:19
*** c_soukup has quit IRC22:19
*** dimsum__ has joined #openstack-keystone22:20
morganfainbergof course stevemar has disappeared22:22
*** thedodd has quit IRC22:27
dstanekFriday night man. Places to go and eople to see.22:27
*** spandhe has quit IRC22:28
dstanek...and i have to get back to my vim plugin22:28
*** ChanServ changes topic to "High Priority Reviews: | Review RC Blocking Reviews. | RC Milestone:"22:33
*** lhcheng has joined #openstack-keystone22:37
*** lhcheng_ has joined #openstack-keystone22:39
*** markvoelker has quit IRC22:40
*** lhcheng has quit IRC22:42
*** gordc has quit IRC22:43
*** spandhe has joined #openstack-keystone22:44
*** gyee has quit IRC22:58
*** pnavarro|off has quit IRC23:12
*** _cjones_ has quit IRC23:21
*** timcline has joined #openstack-keystone23:37
*** markvoelker has joined #openstack-keystone23:41
lhcheng_if I get a project scoped token using federated token, would the response have any indicator if the user account is federated or not?23:42
lhcheng_morganfainberg: ^23:42
*** lhcheng_ is now known as lhcheng23:42
morganfainberglhcheng, it should contain the federated info iirc23:43
rodrigodslhcheng, I believe there is a OS_FEDERATION23:43
morganfainbergand the list of federated groups23:43
morganfainbergrodrigods, ++23:43
morganfainbergit might be part of the user object23:43
* morganfainberg would need to 2x check23:43
rodrigods I saw this yesterday, at least in the docs there is a OS_FEDERATION field in the user object23:43
lhchengmorganfainberg: interesting, trying to figure out if horizon can rely on the token response (accessInfo) to figure if the user is federated or not23:45
lhchengmorganfainberg: rather than horizon keeping that flag and pass around23:46
lhchengrodrigods: the user object may not help that much, since the login federated user may not have access to get user info23:46
*** markvoelker has quit IRC23:46
lhchengrodrigods: but good to know though :)23:46
rodrigodslhcheng, the user object inside the token23:46
lhchengrodrigods: oh23:47
rodrigodslhcheng, let me find here..23:47
rodrigodsthe response23:48
*** iwi has quit IRC23:48
lhchengugh, too bad it isn't expose in the AccessInfo object23:49
lhchengrodrigods: thanks! have to figure out something to get that info23:50
*** dimsum__ has quit IRC23:59

Generated by 2.14.0 by Marius Gedminas - find it at!