Wednesday, 2015-04-15

*** amerine has quit IRC [00:02]
*** _cjones_ has quit IRC [00:11]
<jamielennox> morganfainberg, or anyone else: ksc-saml or ksc-saml2 [00:15]
<morganfainberg> lhcheng, that direct map one is not worth the headache for rc [00:16]
<morganfainberg> jamielennox, we have that? [00:17]
<jamielennox> morganfainberg: no, we were going to rename ksc-federation [00:18]
<morganfainberg> oh sure [00:18]
<morganfainberg> uhm call it saml2 [00:18]
<jamielennox> ok [00:18]
<morganfainberg> we don't support non-saml2 things [00:18]
<morganfainberg> and saml3 may be totally different [00:18]
<jamielennox> god forbid [00:19]
*** r-daneel has quit IRC [00:24]
*** browne has quit IRC [00:29]
*** dims_ has joined #openstack-keystone [00:35]
*** dims has quit IRC [00:36]
<openstackgerrit> David Stanek proposed openstack/keystone: Stops injecting revoke_api into TestCase https://review.openstack.org/163008 [00:40]
<openstackgerrit> Jamie Lennox proposed openstack/python-keystoneclient-federation: Rename project to keystoneclient-saml2 https://review.openstack.org/173628 [00:47]
<openstackgerrit> David Stanek proposed openstack/keystone: Removes an unused tox environment https://review.openstack.org/173631 [00:47]
*** leonchio_ has quit IRC [00:47]
<openstackgerrit> Merged openstack/keystone: Redundant events on group grant revocation https://review.openstack.org/171305 [00:48]
<jlk> morganfainberg: hi there.... so I think I'm running into haproxy problems with saml2 stuffs. [00:49]
<jlk> specifically: [00:49]
<jlk> 015-04-07 06:50:07 ERROR OpenSAML.MessageDecoder.SAML2ECP [5]: PAOS response targeted at (https://bbg-staging-01.openstack.blueboxgrid.com:5001/Shibboleth.sso/SAML2/ECP), but delivered to (http://bbg-staging-01.openstack.blueboxgrid.com:5001/Shibboleth.sso/SAML2/ECP) [00:49]
<morganfainberg> gyee, stevemar, ^ cc [00:49]
<jlk> I think this is because haproxy terminates the ssl, and passes off to the backend via http [00:49]
<morganfainberg> yeah [00:49]
<morganfainberg> gyee, ^ what did we do to address that? [00:50]
<jlk> I do have:   reqadd X-Forwarded-Proto:\ https [00:50]
<jlk> but that's obv not enough [00:50]
<morganfainberg> you might be able to get away with [if the target] was the HTTP [00:51]
<morganfainberg> instead of the https [00:51]
<morganfainberg> and you just hit https, which then pushes it down to the http [00:51]
<jlk> except that our proxy isn't listening to the http port :/ [00:51]
<morganfainberg> there is a way to reverse proxy shib [00:51]
<morganfainberg> jlk, https://wiki.shibboleth.net/confluence/display/SHIB2/SPReverseProxy [00:52]
*** jeffDeville has joined #openstack-keystone [00:52]
* morganfainberg is reading this page [00:52]
<morganfainberg> so no idea if it's helpful yet, just figured i'd point you to what i was looking at [00:52]
<morganfainberg> so first is: With SSL offloaded to the proxy, also set handlerSSL="false" in shibboleth2.xml, so the Shibboleth handler will accept protocol messages on plain HTTP. [00:54]
<jlk> yeah I'm reading. [00:55]
<jlk> that's already set to false [00:55]
<morganfainberg> because HAProxy isn't *really* a reverse proxy it looks like [00:56]
<morganfainberg> in your config you're using it as a load balancer, right? [00:56]
<jlk> maybe ServerName [00:57]
<morganfainberg> that might be it. [00:57]
<jlk> yeah it's load balancing and ssl offloading [00:57]
<morganfainberg> jlk, https://lists.internet2.edu/sympa/arc/shibboleth-users/2011-01/msg00420.html looks like *exactly* what we're doing here [00:58]
<morganfainberg> result thread: [00:59]
<morganfainberg> Yes sir! my virtual hosts were not correctly configured with the https [00:59]
<morganfainberg> scheme. Problem solved: [00:59]
<morganfainberg> ServerName https://MyApplication.com [00:59]
<morganfainberg> UseCanonicalName On [00:59]
<jlk> giving that a go [01:00]
*** tqtran has joined #openstack-keystone [01:01]
<jlk> well, new error message now, to be tackled tomorrow [01:02]
<jlk> 2015-04-07 06:50:13 ERROR OpenSAML.SecurityPolicyRule.MessageFlow [7]: replay detected of message ID (82bd889fae7a485eb1ce574037f1ba01) [01:02]
<morganfainberg> i'm guessing that is detecting re-use of the assertion [01:02]
<jlk> morganfainberg: thanks so far, I think that got me farther. [01:02]
<gyee> jlk, make sure you set session affinity at haproxy [01:02]
<jlk> gyee: it is set [01:02]
<gyee> the request url has to match the sp url [01:02]
<gyee> make sure the protocol is set to https [01:03]
<jamielennox> morganfainberg: be good to get ptl +1 on https://review.openstack.org/#/c/173619/ [01:05]
<morganfainberg> jamielennox, done [01:06]
*** jeffDeville has quit IRC [01:07]
*** ayoung has joined #openstack-keystone [01:09]
*** ChanServ sets mode: +v ayoung [01:09]
<morganfainberg> jlk: https://bugzilla.mozilla.org/show_bug.cgi?id=667429 [01:09]
<openstack> Mozilla bug 667429 in Networking: HTTP "Shibboleth Replay Detection Failure" [Normal,Resolved: invalid] - Assigned to nobody [01:10]
<morganfainberg> oh neato [01:10]
<morganfainberg> openstack knows how to talk to mozilla bugtracker [01:10]
* morganfainberg did not intend that when configuring it btw. [01:10]
<ayoung> morganfainberg, I'm guessing it is a standard bot that parses the name bugzilla [01:10]
<ayoung> let's seee... [01:10]
<ayoung> https://bugzilla.younglogic.net/show_bug.cgi?id=667429 [01:11]
<morganfainberg> ayoung, no mozilla's is part of the base config [01:11]
* morganfainberg did the puppet work (or parts of it) to enable that feature [01:11]
<gyee> problem is shibboleth validates binding after the policy [01:11]
<gyee> and the shit is hardcoded [01:12]
<gyee> binding should be part of policy [01:12]
*** lhcheng has quit IRC [01:12]
*** jeffDeville has joined #openstack-keystone [01:12]
<gyee> morganfainberg, https://code.google.com/p/websso/source/browse/Cpp-cs/depends/cpp-opensaml2/saml/saml2/binding/impl/SAML2ECPDecoder.cpp [01:13]
<gyee> line 125 [01:13]
<gyee> policy is validated on line 114 [01:14]
<gyee> binding validation should be dictated by policy [01:14]
*** sdake_ has joined #openstack-keystone [01:17]
<morganfainberg> w.t.f. [01:20]
<morganfainberg> that is dumb [01:20]
*** sdake has quit IRC [01:21]
*** alexsyip has quit IRC [01:23]
<openstackgerrit> Jamie Lennox proposed openstack/python-keystoneclient: Prompt for password on CLI if not provided https://review.openstack.org/173605 [01:23]
*** tqtran has quit IRC [01:23]
<morganfainberg> gyee, at least that is a known "why" [01:24]
*** davechen has joined #openstack-keystone [01:27]
<gyee> morganfainberg, yet, so haproxy to keystone has to be the same protocol to preserve the request url [01:30]
<gyee> to get around the binding validation [01:30]
*** davechen1 has joined #openstack-keystone [01:34]
*** davechen has quit IRC [01:36]
*** vilobhmm1 has quit IRC [01:37]
<openstackgerrit> Jamie Lennox proposed openstack/python-keystoneclient: Provide a means to get all installed plugins https://review.openstack.org/156466 [01:38]
<gyee> jlk, make sure X-Forwarded-Proto is set to https [01:41]
<morganfainberg> gyee, laaaaaaaaaaaaame [01:41]
<gyee> heh [01:42]
<morganfainberg> isn't what "handlerSSL="false" in shibboleth2.xml" is meant for? [01:44]
<morganfainberg> or is that only solving 50% of it [01:44]
*** davechen has joined #openstack-keystone [01:45]
<gyee> won't solve it, they have to make binding validation as part of policy [01:45]
<gyee> that's the right way to do it I think [01:45]
<morganfainberg> xtra lame [01:46]
<gyee> can you imagine part of your authorization is coming from policy while other part comes from the code? [01:46]
<morganfainberg> sure i can. [01:46]
<gyee> that's major suckage [01:46]
* morganfainberg looks at keystone [01:46]
*** davechen1 has quit IRC [01:46]
* morganfainberg looks at shibboleth [01:46]
<morganfainberg> don't have to look that far [01:46]
<gyee> hahaha [01:46]
<morganfainberg> :P [01:46]
<gyee> the security auditors are going to hate us [01:47]
*** jeffDeville has quit IRC [01:47]
<gyee> like what? you have to make us read the code to find out what's going on?!!! [01:47]
<morganfainberg> we are doing better [01:47]
<morganfainberg> but... [01:47]
<morganfainberg> uh. yeah [01:48]
<morganfainberg> :P [01:48]
*** jeffDeville has joined #openstack-keystone [01:48]
*** erkules has quit IRC [01:48]
*** erkules_ has joined #openstack-keystone [01:48]
* gyee is imagining the congress people going over the code [01:49]
*** sdake has joined #openstack-keystone [01:52]
<openstackgerrit> Nathan Kinder proposed openstack/keystone: Fix incorrect setting in WebSSO documentation https://review.openstack.org/173643 [01:53]
*** davechen1 has joined #openstack-keystone [01:55]
*** davechen has quit IRC [01:55]
*** sdake_ has quit IRC [01:56]
*** jeffDeville has quit IRC [01:56]
*** gyee has quit IRC [02:02]
<jlk> gyee: morganfainberg: wait, I'm confused. I already have X-Forwarded-Proto set to https [02:03]
*** harlowja is now known as harlowja_away [02:17]
*** dims_ has quit IRC [02:21]
<openstackgerrit> Kun Huang proposed openstack/python-keystoneclient: Use "RegionOne" as default region https://review.openstack.org/173165 [02:22]
*** vilobhmm1 has joined #openstack-keystone [02:28]
*** browne has joined #openstack-keystone [02:32]
*** Ephur has quit IRC [02:46]
<stevemar> gyee, morganfainberg what is this going on about shib? [02:48]
<morganfainberg> stevemar, issues with haproxy + shibboleth [02:56]
*** richm has quit IRC [03:33]
<ayoung> stevemar, https://bugs.launchpad.net/django-openstack-auth/+bug/1444244 might bite you in a deployment [03:34]
<openstack> Launchpad bug 1444244 in django-openstack-auth "websso does not prepend WEBROOT to redirect URL" [Undecided,New] [03:34]
<ayoung> looks like an easyish fix [03:35]
*** ashleighfarnham has joined #openstack-keystone [03:37]
<stevemar> ayoung, i was hoping to improve the way we validate the hostname on the keystone side [03:49]
<ayoung> stevemar, Meh [03:50]
<ayoung> I think strict is fine there [03:50]
<ayoung> OK...going to bed.  Need to test this out tomorrow [03:51]
*** ayoung is now known as ayoung_ZZZzzz [03:52]
*** ashleighfarnham has quit IRC [03:56]
*** stevemar has quit IRC [04:01]
*** ashleighfarnham has joined #openstack-keystone [04:04]
*** sdake has quit IRC [04:11]
*** ashleighfarnham has quit IRC [04:13]
*** rushiagr_away is now known as rushiagr [04:36]
*** rushiagr is now known as rushiagr_away [04:38]
*** rushiagr_away is now known as rushiagr [04:38]
<openstackgerrit> Jamie Lennox proposed openstack/python-keystoneclient: Allow saving and caching the plugin auth state https://review.openstack.org/149175 [04:43]
*** lhcheng has joined #openstack-keystone [04:50]
*** ChanServ sets mode: +v lhcheng [04:50]
*** stevemar has joined #openstack-keystone [04:55]
*** ChanServ sets mode: +v stevemar [04:55]
*** ajayaa has joined #openstack-keystone [05:14]
<openstackgerrit> Merged openstack/keystone: Fix incorrect setting in WebSSO documentation https://review.openstack.org/173643 [05:21]
*** lhcheng has quit IRC [05:57]
*** lhcheng has joined #openstack-keystone [05:58]
*** ChanServ sets mode: +v lhcheng [05:58]
<openstackgerrit> OpenStack Proposal Bot proposed openstack/keystone: Imported Translations from Transifex https://review.openstack.org/172624 [06:05]
*** ajayaa has quit IRC [06:07]
*** browne has quit IRC [06:09]
*** henrynash has joined #openstack-keystone [06:10]
*** ChanServ sets mode: +v henrynash [06:10]
*** stevemar has quit IRC [06:15]
*** henrynash has quit IRC [06:15]
*** alex_xu has quit IRC [06:18]
*** ajayaa has joined #openstack-keystone [06:24]
*** alex_xu has joined #openstack-keystone [06:30]
*** kiran has joined #openstack-keystone [06:33]
*** kiran is now known as kiran-r [06:33]
<openstackgerrit> Dave Chen proposed openstack/keystone: Remove assigned protocol before removing IdP https://review.openstack.org/173696 [06:38]
*** lhcheng has quit IRC [06:39]
*** lhcheng has joined #openstack-keystone [06:41]
*** ChanServ sets mode: +v lhcheng [06:41]
*** vilobhmm1 has quit IRC [06:49]
*** henrynash has joined #openstack-keystone [07:02]
*** ChanServ sets mode: +v henrynash [07:02]
*** henrynash has quit IRC [07:02]
*** rwsu has quit IRC [07:09]
<openstackgerrit> Lin Hua Cheng proposed openstack/keystone: Make get_trust a protected method https://review.openstack.org/172620 [07:10]
*** mabrams has joined #openstack-keystone [07:12]
*** pnavarro has joined #openstack-keystone [07:20]
*** jistr has joined #openstack-keystone [07:24]
*** krykowski has joined #openstack-keystone [07:33]
*** chlong has quit IRC [07:35]
*** c0m0 has joined #openstack-keystone [07:42]
*** fhubik has joined #openstack-keystone [07:47]
*** jaosorior has joined #openstack-keystone [07:49]
*** rushiagr is now known as rushiagr_away [07:49]
*** rushiagr_away is now known as rushiagr [08:01]
*** viktors has joined #openstack-keystone [08:25]
<viktors> hi folks! Can someone approve patch with two +2 - https://review.openstack.org/#/c/137637/ (Fix index name the assignment.actor_id table) ? Thanks! [08:28]
*** davechen1 has left #openstack-keystone [08:47]
*** lhcheng has quit IRC [09:00]
*** lhcheng has joined #openstack-keystone [09:02]
*** ChanServ sets mode: +v lhcheng [09:02]
*** sdake has joined #openstack-keystone [09:10]
*** jamie_h has joined #openstack-keystone [09:12]
<jamie_h> are there any fixture files that can be run to set up keystone with an initial data set of users, projects, etc.? [09:13]
*** lhcheng has quit IRC [09:18]
*** fhubik is now known as fhubik_afk [09:21]
*** fhubik_afk is now known as fhubik [09:30]
*** jeffDeville has joined #openstack-keystone [09:30]
*** fhubik is now known as fhubik_afk [09:45]
*** jamielennox is now known as jamielennox|away [09:52]
*** fhubik_afk is now known as fhubik [10:03]
*** jeffDeville has quit IRC [10:20]
*** ParsectiX has joined #openstack-keystone [10:33]
*** topol has joined #openstack-keystone [10:40]
*** ChanServ sets mode: +v topol [10:40]
*** sdake has quit IRC [10:46]
<samueldmq> morning [10:51]
*** fhubik has quit IRC [10:53]
*** fhubik has joined #openstack-keystone [10:54]
*** mattfarina has joined #openstack-keystone [10:58]
*** mattfarina has quit IRC [11:04]
*** dims has joined #openstack-keystone [11:08]
*** mattfarina has joined #openstack-keystone [11:11]
<breton> heya [11:11]
<samueldmq> breton, hello [11:14]
<samueldmq> :) [11:14]
<openstackgerrit> David Charles Kennedy proposed openstack/keystonemiddleware: Add Endpoint Enforcement to Keystonemiddleware https://review.openstack.org/153296 [11:23]
*** jdennis has quit IRC [11:36]
*** fhubik is now known as fhubik_afk [11:47]
*** jsheeren has joined #openstack-keystone [11:47]
<jsheeren> good afternoon! [11:48]
<jsheeren> i have a small question concerning keystone and the apache wsgi script [11:48]
<jsheeren> when i run the keystone python client outside of apache, i get the results i asked for [11:48]
<openstackgerrit> Samuel de Medeiros Queiroz proposed openstack/keystone: Adds inherited column to RoleAssignment PK https://review.openstack.org/142472 [11:49]
<jsheeren> when i configure it in an apache vhost, with the wsgi script i get following error: Target WSGI script '/var/www/cgi-bin/keystone/main' cannot be loaded as Python module.   ImportError: cannot import name messaging [11:49]
<jsheeren> I'm running Ubuntu server 14.04 and have installed all necessary packages .. including oslo.messaging: ii  python-oslo.messaging                1.4.1-0ubuntu1~cloud0            all          oslo messaging library [11:50]
<jsheeren> anyone have an idea in which direction i should look? [11:50]
*** aix has quit IRC [11:50]
<jsheeren> i should mention i'm installing openstack juno [11:51]
<jsheeren> following http://docs.openstack.org/juno/install-guide/install/apt/content/index.html [11:51]
<samueldmq> jsheeren, hi, thanks for coming to ask in our community [11:52]
<samueldmq> jsheeren, I think you will find most of people up in ~2 - 3 hours [11:52]
<samueldmq> jsheeren, unfortunately I don't have enough deployment experience to help you out :) [11:53]
<samueldmq> :/ [11:53]
<jsheeren> samueldmq: hi,  thanks, i'll ask again in a few hours.  i can continue without the keystone/httpd stuff [11:53]
<samueldmq> jsheeren, great [11:53]
<jsheeren> samueldmq: thanks for your answer! see you in a few hours [11:54]
<samueldmq> jsheeren, no problem [11:55]
<samueldmq> dolphm, ping - you up to talk about the placeholders on migrations ? [11:57]
*** mabrams has left #openstack-keystone [12:02]
*** arif-ali has quit IRC [12:05]
*** raildo has joined #openstack-keystone [12:06]
*** arif-ali has joined #openstack-keystone [12:12]
*** fhubik_afk is now known as fhubik [12:17]
*** fhubik has quit IRC [12:25]
*** fhubik has joined #openstack-keystone [12:26]
*** aix has joined #openstack-keystone [12:28]
*** bknudson has joined #openstack-keystone [12:30]
*** ChanServ sets mode: +v bknudson [12:30]
<dstanek> samueldmq: do you need to use one? [12:33]
*** gordc has joined #openstack-keystone [12:34]
*** henrynash has joined #openstack-keystone [12:40]
*** ChanServ sets mode: +v henrynash [12:40]
*** jdennis has joined #openstack-keystone [12:51]
*** jeffDeville has joined #openstack-keystone [12:52]
*** ayoung_ZZZzzz is now known as ayoung [13:06]
*** mattfarina has quit IRC [13:06]
<samueldmq> dstanek, sorry was afk (daily meeting :)) [13:08]
<samueldmq> dstanek, yeah, basically I need to use one [13:08]
*** mattfarina has joined #openstack-keystone [13:08]
<samueldmq> dstanek, but I think we had better options than putting placeholder files [13:09]
<samueldmq> dstanek, and would like to discuss about :-) [13:09]
<samueldmq> dstanek, you available for a quick discussion ? (yeah, I hope it's quick) [13:10]
*** dims has quit IRC [13:13]
*** fhubik is now known as fhubik_afk [13:14]
<samueldmq> basically, if we left none instead of placeholders would avoid to have duplicated migrations [13:14]
*** dims has joined #openstack-keystone [13:15]
<samueldmq> in my case, I am writing 072, and we will need to backport it as 068, and then cherry-pick, right? [13:15]
<samueldmq> if we hadn't created 068_placeholder, I just needed to write 068 on master and then backport [13:16]
*** fhubik_afk is now known as fhubik [13:16]
<samueldmq> Q: but how to leave those hold those places (68-72) ? [13:16]
<samueldmq> A: we add a test that fails if they exist, so we make sure we really want to add such migrations when we do [13:17]
<samueldmq> bknudson, morning, you might be interested on this as well ^ [13:17]
*** topol has quit IRC [13:20]
*** richm has joined #openstack-keystone [13:21]
<dstanek> samueldmq: i think the problem is that it won't be picked up because we will be past that number [13:23]
<dstanek> samueldmq: the migration systems i have worked on in the past only keep track of what they have migrated to and not each individual migration [13:23]
*** david-lyle has quit IRC [13:24]
<breton> I don't quite understand what's the problem now [13:24]
<samueldmq> dstanek, so we store the number of the latest version we have migrated, instead of a list of migrated versions [13:24]
<breton> sa-m stores the last applied migration [13:25]
<samueldmq> breton, hi, do you know what those 068-072 placeholders are for ? [13:25]
<samueldmq> dstanek, ^ yeah so it will not work like I described :/ [13:25]
<dstanek> samueldmq: right - dolphm post describes it pretty well [13:26]
<dstanek> samueldmq: does that make sense? [13:27]
*** joesavak has joined #openstack-keystone [13:28]
<dstanek> in stable they will not have had place holders applied so we can add them later [13:28]
<breton> http://dolphm.com/backporting-openstack-database-migrations-to-stable-branches/ , right? [13:28]
<dstanek> on master we will go past the placeholders so the migration will need to be applied twice [13:28]
<dstanek> breton: yes [13:28]
<breton> samueldmq: "Deployments hopping between stable/* branches" part describes your concerns, doesn't it? :) [13:28]
<dstanek> samueldmq: the thing you may be thinking is why not just merge the commit with the migration into stable and not use a placeholder... [13:29]
<samueldmq> dstanek, yeah, that's what I was saying [13:29]
<dstanek> but if you do that for say 072 and later you find out you need to also merge 068, then you are in trouble since the system thinks it has already migrated to 072 - the older migrations will not be applied [13:30]
*** r-daneel has joined #openstack-keystone [13:31]
<samueldmq> dstanek, but you shouldnt need to migrate 068 right? since the placeholders are only for backports, which are meant to be idempotent [13:31]
<dstanek> samueldmq: no i'm saying if you didn't do placeholders you would run into the problem i described above - merging things out of order would not work [13:32]
<samueldmq> breton, yes that section describes what I was saying, thanks [13:32]
<samueldmq> dstanek, yeah, because we just store the last migration we run, instead of individual migrations we have run [13:32]
<samueldmq> dstanek, I agree with you, and.. if this model is good, we could change the migration control to support individual migrations we have run, if that's worth it [13:34]
<samueldmq> dstanek, I think we would have a better model for our migrations/backport [13:34]
<samueldmq> what you think? [13:34]
<dstanek> samueldmq: i'm not sure sure - the empty migrations are not really a problem for me [13:34]
<samueldmq> dstanek, well they work, but : [13:35]
<samueldmq> dstanek, i) duplicated migrations ii) the process need a cherry-pick after backport [13:36]
<samueldmq> dstanek, iii) when backporting/cherry-picking, we need to fix the tests on test_sql_upgrade, in order to upgrade to the right version [13:36]
<dstanek> samueldmq: going the other way can be just as bad [13:36]
<dstanek> for instance one of the systems i worked with in the past forced you to do all migrations [13:37]
<samueldmq> dstanek, why? we won't have i) ii) iii) above [13:37]
<samueldmq> dstanek, go ahead [13:37]
<dstanek> so what ended up happening is that you had to know which migrations were already applied to run a command telling it so [13:37]
<samueldmq> dstanek, the results are exactly the same at the end [13:38]
<samueldmq> dstanek, it just makes the process of slotting and backporting easier, imo :) [13:38]
<dstanek> samueldmq: not sure - we have yet to do a backport, but we would for sure have had to manually tell the system that things were applied [13:38]
<breton> samueldmq: the whole thing will change after I finish that alembic stuff [13:39]
<dstanek> also what happens if you need to change the migration? [13:39]
*** ozialien has joined #openstack-keystone [13:39]
<openstackgerrit> Alexander Makarov proposed openstack/keystone: Redis cache backend https://review.openstack.org/173000 [13:39]
<breton> samueldmq: there won't be any more placeholders because migrations will not be numbered [13:39]
<dstanek> breton: how does alembic store completed migrations? just the last one or all that are applied? [13:39]
<breton> *enumerated [13:39]
<dstanek> breton: so how does it know what was applied? [13:40]
<samueldmq> dstanek, why manually ? keystone-manage db_sync stores it for us, dont it? [13:40]
<samueldmq> dstanek, today it knows the last migration ran, right? [13:40]
*** Ephur has joined #openstack-keystone [13:40]
<samueldmq> breton, nice [13:40]
<samueldmq> dstanek, interesting question ^ :) [13:41]
* samueldmq needs to read about alembic [13:41]
<dstanek> samueldmq: not necessarily - that's why this is a fun problem [13:41]
<dstanek> actually i think in South you also had to tell it about migration you already ran [13:42]
<dstanek> yeah, i need to read about it too. i don't understand how the ordering works just flipping through the tutorial [13:43]
<breton> dstanek: last one afaik [13:43]
<samueldmq> dstanek, hmm, nice [13:43]
<dstanek> breton: if it stores the last one then we'd have the same placeholder issue [13:44]
<breton> dstanek: it keeps "down_revision" in migration .py [13:44]
<samueldmq> breton, so it stores each individual migration ran ? [13:44]
<dstanek> breton: how are the migrations ordered? [13:44]
<samueldmq> dstanek, I think 'the second one' is storing each migration [13:44]
<breton> dstanek: based on their parent revision [13:46]
<breton> dstanek: like in git [13:47]
<dstanek> breton: interesting - since it uses version control the placeholder issue melts away [13:47]
<breton> dstanek: there are merges and branches and stuff [13:47]
*** markvoelker has joined #openstack-keystone [13:48]
<davidckennedy> henrynash I've got stuck with endpoint enforcement.  If the token is v2 the service_id will not be in the catalog so we'd only be able to filter by endpoint_id - so should I fail all v2 tokens where the endpoint enforcement is by service_id only? [13:50]
*** fhubik has quit IRC [13:57]
<amakarov_away> rodrigods, hi! Are you here? [13:58]
*** amakarov_away is now known as amakarov [13:58]
<rodrigods> amakarov, hi [13:59]
<amakarov> rodrigods, Looks like HMT is only implemented in SQL, right? [14:00]
*** rushil has joined #openstack-keystone [14:01]
<rodrigods> amakarov, yes, it was part of the discussion about freezing the LDAP assignment backend [14:01]
<amakarov> rodrigods, so it's ok if I stick to SQL too? [14:02]
<rodrigods> amakarov, absolutely! [14:02]
<amakarov> rodrigods, thanks ) [14:02]
*** stevemar has joined #openstack-keystone [14:09]
*** ChanServ sets mode: +v stevemar [14:09]
*** markvoelker_ has joined #openstack-keystone [14:13]
*** markvoelker has quit IRC [14:16]
*** ozialien has quit IRC [14:17]
<morganfainberg> davidckennedy: v2 is special cased all over, I think failure if service Id is missing in v2 is fair for enforcement. [14:17]
<openstackgerrit> Rodrigo Duarte proposed openstack/keystone-specs: API changes for Reseller https://review.openstack.org/153007 [14:17]
<openstackgerrit> Rodrigo Duarte proposed openstack/keystone-specs: Recursive deletion and project disabling https://review.openstack.org/148730 [14:17]
<morganfainberg> davidckennedy: or we add service id to v2 *cringe* [14:17]
*** ozialien has joined #openstack-keystone [14:19]
*** sigmavirus24_awa is now known as sigmavirus24 [14:20]
<openstackgerrit> Rodrigo Duarte proposed openstack/keystone-specs: Recursive deletion https://review.openstack.org/148730 [14:22]
<rodrigods> henrynash, ^ tried to comply with gyee suggestions. [14:22]
<henrynash> will check! [14:23]
*** ozialien has quit IRC [14:26]
<viktors> dstanek: ping [14:26]
*** browne has joined #openstack-keystone [14:29]
*** rushiagr is now known as rushiagr_away [14:33]
*** topol has joined #openstack-keystone [14:33]
*** ChanServ sets mode: +v topol [14:33]
*** kiran-r has quit IRC [14:36]
*** markvoelker has joined #openstack-keystone [14:36]
*** markvoel_ has joined #openstack-keystone [14:38]
*** markvoelker_ has quit IRC [14:40]
*** markvoel_ has quit IRC [14:41]
*** markvoelker has quit IRC [14:42]
<davidckennedy> morganfainberg yes, I don't think it would be right to start adding stuff to v2 tokens.  Whoever configures keystonemiddleware has the option of specifying an endpoint_id to enforce so v2 should still work in that case.  I'm adding some info to the config properties to make this clear. [14:45]
<davidckennedy> But if we don't fail a token when only service_id is enforced then we might as well lock the door but leave the window open - it would be possible just to walk round endpoint enforcement just by using v2 token. [14:46]
<morganfainberg> davidckennedy: so we document "service id only" is a v3 feature. [14:53]
*** joesavak has quit IRC [14:53]
<morganfainberg> davidckennedy: we have a lot of v3 only features. [14:54]
<morganfainberg> And we should fail if service Id only *and* v2 [14:54]
*** rwsu has joined #openstack-keystone [15:00]
<dstanek> viktors: hi [15:03]
<viktors> dstanek: hi! [15:04]
<davidckennedy> morganfainberg I'm picking up where a colleague left off and I'm piecing together his intentions so it's a little sketchy.  Whatever is done with this we'll need to document it.  The spec will need updating and I'll do that once I've got it coherent. [15:04]
<viktors> are you still working on functional test for keystone? [15:04]
<davidckennedy> back shortly. [15:05]
*** davidckennedy has quit IRC [15:05]
*** thedodd has joined #openstack-keystone [15:07]
<dstanek> viktors: yes, i have a few things cooking in there [15:07]
*** jsheeren has quit IRC [15:07]
<dstanek> viktors: that's my pre-summit focus [15:09]
<viktors> dstanek: I want to show to you patch https://review.openstack.org/#/c/171115/ - it might be related to your work [15:10]
<viktors> will such code play well with your approach? [15:11]
<dstanek> viktors: cool. I'll take a look in a bit [15:11]
*** rushiagr_away is now known as rushiagr [15:11]
<dstanek> viktors: I'll let you know in about an hour [15:11]
*** markvoelker has joined #openstack-keystone [15:12]
<viktors> dstanek: ok [15:12]
*** c0m0 has quit IRC [15:13]
*** markvoelker has quit IRC [15:16]
*** pnavarro has quit IRC [15:16]
*** ParsectiX has quit IRC [15:17]
*** david-lyle has joined #openstack-keystone [15:19]
*** david-lyle_ has joined #openstack-keystone [15:19]
*** david-lyle_ has quit IRC [15:19]
*** c0m0 has joined #openstack-keystone [15:19]
*** pnavarro has joined #openstack-keystone [15:20]
*** ozialien has joined #openstack-keystone [15:26]
*** jamie_h has quit IRC [15:28]
*** stevemar has quit IRC [15:28]
*** pnavarro is now known as pnavarro|off [15:31]
<viktors> folks, can someone +A patch with two +2 - https://review.openstack.org/#/c/137637/ ? Thanks! [15:31]
*** jdennis has quit IRC [15:32]
*** davidckennedy has joined #openstack-keystone [15:33]
*** ajayaa has quit IRC [15:34]
*** browne has quit IRC [15:34]
*** _cjones_ has joined #openstack-keystone [15:34]
*** sdake has joined #openstack-keystone [15:35]
<rodrigods> henrynash, replied your comments [15:35]
*** _cjones_ has quit IRC [15:38]
*** _cjones_ has joined #openstack-keystone [15:38]
<henrynash> ok…thx [15:38]
*** sdake_ has joined #openstack-keystone [15:39]
*** samueldmq has quit IRC [15:40]
*** sdake has quit IRC [15:42]
*** joesavak has joined #openstack-keystone [15:47]
*** csoukup has joined #openstack-keystone [15:48]
*** viktors is now known as viktors|afk [15:54]
*** jeffDeville has quit IRC [15:56]
*** sdake has joined #openstack-keystone [15:59]
<ayoung> do we need a CLI command openstack token get ? [15:59]
*** tqtran has joined #openstack-keystone [15:59]
*** vilobhmm1 has joined #openstack-keystone [16:00]
*** vilobhmm11 has joined #openstack-keystone [16:02]
<ayoung> viktors|afk, done [16:03]
*** sdake_ has quit IRC [16:03]
*** tqtran_ has joined #openstack-keystone [16:03]
*** jistr has quit IRC [16:03]
*** alexsyip has joined #openstack-keystone [16:04]
*** jistr has joined #openstack-keystone [16:04]
*** vilobhmm1 has quit IRC [16:04]
*** krykowski has quit IRC [16:06]
<openstackgerrit> Alexander Makarov proposed openstack/keystone-specs: Materialized path for project hierarchy https://review.openstack.org/173424 [16:07]
*** csoukup has quit IRC [16:08]
*** jistr has quit IRC [16:09]
*** markvoelker has joined #openstack-keystone [16:13]
*** rushil has quit IRC [16:13]
*** kiran has joined #openstack-keystone [16:14]
*** jistr has joined #openstack-keystone [16:15]
*** jistr has quit IRC [16:17]
*** _cjones_ has quit IRC [16:19]
*** markvoelker has quit IRC [16:19]
<ayoung> $ openstack --os-auth-url http://controller.oslab.openstack.engineering.redhat.com:5000/v2.0 project list [16:19]
<ayoung> ERROR: openstack Authorization Failed: Cannot authenticate without an auth_url [16:19]
*** tqtran_ has quit IRC [16:19]
<ayoung> package hell [16:20]
*** browne has joined #openstack-keystone [16:20]
*** _cjones_ has joined #openstack-keystone [16:21]
<ayoung> OK...I'm guessing we can't run with cligg 10 [16:27]
<ayoung> cliff [16:27]
*** davidckennedy has quit IRC [16:37]
*** EmilienM is now known as EmilienM|afk [16:38]
*** c0m0 has quit IRC [16:40]
*** markvoelker has joined #openstack-keystone [16:44]
*** afazekas has joined #openstack-keystone [16:47]
*** zzzeek has joined #openstack-keystone [16:48]
*** markvoelker has quit IRC [16:50]
*** tqtran_ has joined #openstack-keystone [16:50]
*** jaosorior has quit IRC [16:52]
*** tqtran_ has quit IRC [16:54]
*** david-lyle has quit IRC [16:57]
*** raildo has quit IRC [16:58]
<ayoung> dtroyer, I'm trying to unravel a packaging mystery running OSC.  I have, I think, all the deps up to date, but running the basic commands like project list fail with : [17:00]
<ayoung>   File "/usr/lib/python2.7/site-packages/keystoneclient/v2_0/client.py", line 196, in get_raw_token_from_identity_service [17:00]
<ayoung>     _("Authorization Failed: %s") % e) [17:00]
<ayoung> AuthorizationFailure: Authorization Failed: Cannot authenticate without an auth_url [17:00]
*** ozialien has quit IRC [17:00]
*** kiran has quit IRC [17:00]
<ayoung> I've both set the env var and passed it on the command line. [17:00]
*** lhcheng has joined #openstack-keystone [17:01]
*** ChanServ sets mode: +v lhcheng [17:01]
<ayoung> but somehow auth_url doesn't make it down to the token fetch step [17:01]
dstanekviktors|afk: i think that's a good idea - doesn't impact what i am doing in any way. is it ready to come out of wip?17:04
dtroyerayoung: so first, assumptions:  you have master or current release on osc and *client deps?17:06
*** raildo has joined #openstack-keystone17:06
ayoungdtroyer, I'm using the RDO build opf the packages. which means ...17:06
ayoungpython-openstackclient-1.0.3-post18.fc21.noarch17:06
ayoungdtroyer, and...the RDO packaging is somewhat broken WRT versions...17:07
ayoungas in, the spec files don't seem to have version dependencies in them17:07
ayoungdtroyer, so I've been making sure I had the right versions manually17:08
ayoungfor cliff, I had to jump up to17:08
ayoungpython-cliff-1.10.0-2.fc21.noarch17:08
ayoungwhich I built myself17:08
ayoungusing 1.7  gave me an error that we should look into as well, maybe need to bump the required verions up above 1.7...but I want a positive run first.17:09
*** david-lyle has joined #openstack-keystone17:09
dtroyeron 1.0.3 you should be good with cliff 1.7.0, modulo packaging patches17:09
ayoungdtroyer, if I do that I get17:09
dtroyerbut there is a requirements.txt bump to set the stable/kilo (roughly 1.0.3) to cliff 1.10.017:09
ayoungdtroyer, some error about the deferred help arg not being supported17:10
ayoungso I jumped to 1017:10
ayoungI can reproduce it if you want, as the problem I'm seeing might be cliff related17:10
*** david-lyle has quit IRC17:11
ayounglet me try from master without the rpm, and see if it is my RPM that is broken17:11
dtroyerheh, we only merged the deferred help thing yesterday that requires that in cliff…unless something earlier needed it.17:11
*** david-lyle has joined #openstack-keystone17:11
dtroyerthat's a secondary problem though17:11
*** samueldmq has joined #openstack-keystone17:11
ayoungwooo whole bunch of pip packages got grabbed...17:12
ayoungdtroyer, what does it  mean that it uninstalls these packages: http://paste.openstack.org/show/204017/17:14
ayoungthat the RPM versions were out of date with what python setup.py install forced in based on requirements.txt?17:14
dtroyerit means that since you probably had those installed from packages, now you have a mess since both the packages and the pip installs write to the same place17:15
dtroyerthis has long been a problem and everyone points in the opposite direction when you bring it up between python and fedora folk.17:16
ayoungdtroyer, nah, I understand the mess, and am capable of dealing with it17:17
ayoungI just thought that the versions of those packages I had fulfilled the pip dependencies17:18
ayoungdtroyer, this feels like a problem with cliff.17:19
*** sigmavirus24 is now known as sigmavirus24_awa17:19
ayoungor oslo config or something dealing with the arg parsing17:19
dtroyerfor the auth thing, use --debug and look for the auth messages just after the bunch of commandmanager messages, make sure the plugin chosen is what you expect17:22
*** aix has quit IRC17:22
*** ajayaa has joined #openstack-keystone17:32
*** jeffDeville has joined #openstack-keystone17:33
*** harlowja_away is now known as harlowja17:36
jlkmorganfainberg: so I'm still a bit stuck, not sure how to proceed with the haproxy issue. As a last ditch solution I could take out haproxy and terminate ssl right in apache17:37
morganfainbergjlk, i'll have gyee here in a moment17:37
morganfainbergjlk, so we can talk it through17:38
morganfainbergi just sat down in sunnyvale17:38
jlkalright17:38
*** markvoelker has joined #openstack-keystone17:47
*** markvoelker has quit IRC17:52
*** openstackstatus has quit IRC17:58
*** openstackstatus has joined #openstack-keystone17:59
*** ChanServ sets mode: +v openstackstatus17:59
ayoungdtroyer, DEBUG: openstackclient.api.auth Auth plugin osc_password selected18:01
ayoungDEBUG: openstackclient.identity.v2_0.project.ListProject take_action(Namespace(columns=[], formatter='table', long=False, max_width=0, quote_mode='nonnumeric'))18:01
ayoungDEBUG: openstackclient.identity.client Instantiating identity client: <class 'openstackclient.identity.client.IdentityClientv2'>18:01
*** edmondsw has joined #openstack-keystone18:02
dtroyerayoung: that's what I would expect18:02
*** ozialien has joined #openstack-keystone18:02
*** pnavarro|off has quit IRC18:02
dtroyeris that where the error occurs?18:02
ayoungdtroyer, yeah...18:02
ayoungdtroyer, here's the full paste18:03
-openstackstatus- NOTICE: Gerrit has stopped emitting events so Zuul is not alerted to changes. We will restart Gerrit shortly to correct the problem.18:03
*** ChanServ changes topic to "Gerrit has stopped emitting events so Zuul is not alerted to changes. We will restart Gerrit shortly to correct the problem."18:03
ayounghttp://paste.openstack.org/show/204023/  dtroyer18:03
ayoungdtroyer, argparse is responsible for both the CLI args and the env vars, right?18:04
ayoungand that is from the base python install18:05
*** ashleighfarnham has joined #openstack-keystone18:06
*** mattamizer has joined #openstack-keystone18:07
*** alexsyip has quit IRC18:07
dstanekjlk: what is the issue with haproxy?18:08
jlkdstanek: haproxy is terminating ssl, communicating with keystone (apache) via http, but saml2 doesn't like that.18:09
jlkit appears to be a protocol level issue and I need to make haproxy talk to apache via ssl instead18:09
dstanekjlk: ah, odd. so the mod_shib expects the traffic over ssl?18:10
jlkapparently18:10
jlkotherwise it throws a replay error18:10
*** sigmavirus24_awa is now known as sigmavirus2418:10
dtroyerayoung: there is a chunk of stuff missing in there, here is my output for the same thing against a default devstack:  http://paste.openstack.org/show/204024/18:10
*** david-lyle has quit IRC18:10
dtroyerspecifically, you don't have lines 17-42 and i'm not sure why18:11
dstanekjlk: have you gone through this? https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=2&cad=rja&uact=8&ved=0CCcQFjAB&url=https%3A%2F%2Fwiki.shibboleth.net%2Fconfluence%2Fdisplay%2FSHIB2%2FSPReverseProxy&ei=-6kuVbezFtOxogTGkICoDA&usg=AFQjCNGKA4xBjX8fX1jNYrXx1WgvBk6MRg18:12
dstanekhmmm..that was an ugly url18:12
jlkyea18:12
ayoungdtroyer, well, that gives me a good place to put a pdb break point18:13
jlkI already have handlerSSL set to false but that wasn't enough18:13
jlkand I was setting the ServerName right.18:13
ayoungDEBUG: openstackclient.api.auth fetching option os_auth_url18:13
jlkthose were giving me a different error at first18:13
jlknow that those are fixed it's a new replay error rather than a name mismatch18:13
ayoungdtroyer, is that a cliff thing?  it looks like plugin enumeration,18:14
dtroyercliff knows nothing about auth18:15
ayoungdtroyer, ah...and those are the params being passed down, too, but that is in OSC, not KC yet18:15
dtroyerThis starts in clientmanager.py setup_auth()18:15
dstanekjlk: any reason not to use SSL all the way back to the Apache server?18:16
jlkwell, because typically we don't have apache sitting in front of keystone, we typically have keystone running its own thing, and doing ssl termination there is... exciting.18:17
jlkfor this demo, we're going to insert ssl between haproxy and apache to get it to work, but it's not a desired outcome. We'd normally want to terminate ssl at the load balancer18:17
morganfainbergIt's a limit of policy stuff.18:18
dstanekif you are using mod_shib you'll have to have apache anyway; i'm also paranoid about clear text traffic anywhere (even in the private, internal network)18:19
ayoungdtroyer, ok, breakpoint in that function shows: (Pdb) print self._cli_options.os_auth_url18:19
ayounghttp://controller.oslab.openstack.engineering.redhat.com:5000/v2.018:19
morganfainbergYeah.18:19
ayoungso it is properly parsed and accepted.18:19
*** jdennis has joined #openstack-keystone18:19
ayoungand print self.auth_plugin_name  returns osc_password18:20
ayoungdtroyer, what should be doing all of the DEBUG: openstackclient.api.auth fetching option os_auth_url18:21
ayoungtype statements?18:21
dtroyerayoung: what I don't see in your output is the log messages from auth.build_auth_params()18:21
*** EmilienM|afk is now known as EmilienM18:22
ayoungdtroyer, I don't think it gets that far, errors out on the line before I think18:22
*** krotscheck has joined #openstack-keystone18:23
jlklolol, note to self, when changing time to try and use an old token, don't forget to change time back to do other things18:23
amakarovrodrigods, hi! Thanks a lot for your tips: I'll address them a bit later (when I can access gerrit again), and I can say for adjacency list in external table: it ruins performance entirely, especially in the reseller case: every insert will cause reindexing of a looong table. I tried, really :) Materialized path performs much better from my experience. Just to say this approach is best used in discussion engines (with quickly updated long18:23
amakarovconversation threads)18:23
dtroyerbut it does print the messages from openstackclient.identity.v2_0.project.ListProject so somehow it kept going...18:23
krotscheckGerrit is back18:23
morganfainbergYay gerrit18:23
rodrigodsamakarov, np! thanks!18:24
ayoungdtroyer, I think I am getting the wrong error message.  I think I should be getting18:24
ayoungSet a scope, such as a project or domain, with --os-project-name or OS_PROJECT_NAME18:24
ayounglet me try again18:24
ayoungdtroyer, if I understand what is happening, this call is failing out, but then the client is continuing to try and process, instead of reporting the error here18:25
dtroyerthat's what it seems like18:25
*** ChanServ changes topic to "Liberty Development Open | Look for RC-critical bugs | Review KeystoneClient and KeystoneMiddleware code | Review Liberty Keystone Specs"18:25
-openstackstatus- NOTICE: Gerrit has been restarted. New patches, approvals, and rechecks between 17:30 and 18:20 UTC may have been missed by Zuul and will need rechecks or new approvals added.18:25
ayoungdtroyer, there is a bug in here somewhere...just not sure where18:26
dtroyerayoung: so auth.check_valid_auth_options() doesn't require a project, so yeah, we should somewhere trap that and give a decent error message18:26
ayoungdtroyer, it shouldn't require a project.  we should be able to perform some operations against keystone with unscoped tokens18:27
ayoungI was trying to list my projects....18:27
dtroyerI'm not always clear on scoped/unscoped token business so there is likely the root cause ;)18:27
ayoungthis is a Keystoneism.  Think like "I'm a new user to this cloud...what am I allowed to do?"18:28
dtroyer...and what is allowed with unscoped tokens18:28
ayoungand you think...ok, what projects am I in.18:28
ayoungnot much, but a user listing their own projects is one18:28
dtroyeragreed, that should work18:28
ayoungThat is what Horizon does.  A user comes in and does not have a project set (and if their account does not have a default project) they only get back an unscoped token, which they use to enumerate their projects.  Then Horizon selects the first from the list18:29
dtroyerthis very likely could be an impedance mis-match between OSC and ksc's plugins, as in something specific needs to be set to allow it to work right18:29
ayoungdtroyer, I'll file the bug, anyway, and we can track the discussion in there18:30
dtroyerI was just typing that…sounds good18:30
samueldmqdstanek, morganfainberg so backporting migrations will require a downgrade18:32
ayoungdtroyer, https://bugs.launchpad.net/python-openstackclient/+bug/144464018:37
openstackLaunchpad bug 1444640 in python-openstackclient "Not setting project returns error AuthorizationFailure: Authorization Failed: Cannot authenticate without an auth_url" [Undecided,New]18:37
*** farhan has joined #openstack-keystone18:42
*** rushil has joined #openstack-keystone18:46
*** farhan has quit IRC18:46
*** tqtran is now known as tqtran_afk18:49
openstackgerritAlexander Makarov proposed openstack/keystone-specs: Materialized path for project hierarchy  https://review.openstack.org/17342418:56
amakarovrodrigods, ^^18:56
*** tqtran has joined #openstack-keystone19:02
*** amakarov is now known as amakarov_away19:03
*** tqtran has quit IRC19:06
*** pnavarro has joined #openstack-keystone19:08
*** stevemar has joined #openstack-keystone19:13
*** ChanServ sets mode: +v stevemar19:13
*** pnavarro has quit IRC19:14
*** pnavarro has joined #openstack-keystone19:20
*** pnavarro has quit IRC19:20
openstackgerritLin Hua Cheng proposed openstack/keystone: Make get_trust a protected method  https://review.openstack.org/17262019:22
*** ashleighfarnham has quit IRC19:25
*** david-lyle has joined #openstack-keystone19:30
openstackgerritAlexander Makarov proposed openstack/keystone-specs: Materialized path for project hierarchy  https://review.openstack.org/17342419:32
lhchengbknudson: got an upgrade related question..  how do we handle update of policy file?19:37
lhchengbknudson: I hit a problem while working on: https://review.openstack.org/#/c/172620/19:38
bknudsonlhcheng: I can tell you how our product handles it... we have chef scripts that update it.19:38
lhchengbknudson: the patch fixes an unused policy rule, and now our code consumes it19:38
lhchengbknudson: the problem is, grenade does not consume the latest policy file when it runs19:39
bknudsontypically we require that the server works with the old file.19:39
lhchengfor upgrade, it is assumed that the policy file has to be updated manually by the user?19:39
bknudsonI think this is considered part of our stability guidelines.19:40
lhchengbknudson: so for your case, the chef script merges the policy file with the new one?19:40
bknudsonlhcheng: the update scripts just overwrite it... I guess a customer might have supplied their own policy file so they'd like that to continue to work.19:41
lhchengbknudson: yup, that guideline makes perfect sense.19:42
bknudsonlhcheng: so what's the failure if the old policy file is used?19:43
bknudsonyou can't use trusts?19:43
samueldmqmorganfainberg, dolphm I have an issue when backporting a migration :/19:44
lhchengcan't GET trust19:44
lhchengbknudson: the definition in the policy file is: "identity:get_trust": "rule:admin_or_owner",19:44
lhchengbknudson: the definition of "owner" doesn't apply for trust19:44
samueldmqmorganfainberg, dolphm basically I cant backport 073 to 068 since in stable/juno the last migration is 055, and it will then look for 05619:45
lhchengbknudson: it needs to be trustor_or_trustee19:45
bknudsonlhcheng: seems easier to just remove the line from policy.json...19:45
dolphmsamueldmq: to which branch are you trying to backport a migration to?19:46
morganfainbergsamueldmq: you have to do the same idempotent migration for each backport.19:46
samueldmqdolphm, I am trying to backport it to stable/juno19:46
morganfainbergsamueldmq: the 068 one is for kilo19:46
morganfainbergNot Juno.19:46
dolphmsamueldmq: what's the master review?19:46
samueldmqmorganfainberg, so I create 056 there, and when we cherry-pick it back, we do so for 06819:47
samueldmqdolphm, let me get the link19:47
samueldmqdolphm, https://review.openstack.org/#/c/142472/19:47
morganfainbergDoes this need to go to Juno?19:47
samueldmqmorganfainberg, well, this should go for when role assignments were introduced, right?19:48
samueldmq(which is not juno)19:48
morganfainbergSo kilo is easy. It's rc219:48
dolphmsamueldmq: you should also focus on landing it to master before we discuss backporting19:48
morganfainbergBut land in master and do rc219:48
*** alex_xu has quit IRC19:48
morganfainbergJuno is not important until those two are done.19:48
lhchengbknudson: hah that would fix the confusion of having it there. :)   But using the policy file instead of having the code do it is the "right" thing to do..19:49
samueldmqdolphm, morganfainberg k makes sense, it just got a merge conflict this afternoon19:49
*** alex_xu has joined #openstack-keystone19:49
samueldmqI will rebase and it will be up for review again19:49
samueldmqthanks19:49
*** markvoelker has joined #openstack-keystone19:50
bknudsonlhcheng: I can't think of a way to do it right that doesn't break backwards compatibility with the policy.json... the default is admin-only, so if you use a new rule then that won't work either.19:50
*** ozialien has quit IRC19:50
bknudsonmaybe it could be done but that would require some invention in oslo.policy19:50
bknudsonkeystone would have to tell oslo.policy to use a special default rule for the trust rules.19:51
lhchengbknudson: yeah, maintaining the backward compatibility is tricky.  The crazy thing is, it wasn't even consumed before. :P19:52
*** rushil has quit IRC19:52
bknudsonthe first step can be to remove it, since that's an easy fix.19:52
bknudsonthen we can think about how to add it back in.19:53
bknudsonwe've got stable/kilo branches now.19:53
*** markvoelker has quit IRC19:55
lhchengbknudson: yeah, seems like that's the only non-disruptive way to do it..19:55
lhchengbknudson: do you mean remove it for stable/kilo  (tag as rc potential) ?19:56
bknudsonDoesn't seem worth it to backport.19:57
bknudsonI was just mentioning stable/kilo branches because I didn't expect that to happen already.19:57
lhchengah, got it19:58
*** ajayaa has quit IRC19:58
bretonbknudson: there is proposed/kilo now afaik19:59
lhchengbknudson: thanks for the guidance, I'll just remove it from policy.json  for now..20:00
bknudsonbreton: and stable/kilo http://git.openstack.org/cgit/openstack/keystone/log/?h=stable/kilo20:00
bknudsonnot sure what we're supposed to use.20:01
bretonand they point to the same commit. weird.20:02
bretonwhen I googled for proposed/ branches some time ago, they were suggested to be used before release. And now there is stable/.20:03
lhchengseems like stable/kilo is where it should be..  dhellmann has been moving all our patches from proposed/kilo to stable/kilo20:03
lhchenghttps://review.openstack.org/#/c/173678/20:03
*** henrynash has quit IRC20:05
*** rushiagr is now known as rushiagr_away20:06
dstanekaggregator sounds interesting, but feels strange as a bolt-on20:07
ayoungdtroyer, um...  ERROR: openstack Multiple possible networks found, use a Network ID to be more specific. (HTTP 400) (Request-ID: req-657a6947-54b0-4c95-9891-3e6d422fe687)20:09
ayoungbut we don't have that as  CLI param to server create?20:09
*** edmondsw has quit IRC20:10
bretonbknudson: lhcheng: there is a reply from infra- about branches in #openstack-dev20:14
*** rushil has joined #openstack-keystone20:16
bknudsonworks for me. Don't expect me to +2 anything in stable/ since I don't have authority anyways.20:20
*** rushiagr_away is now known as rushiagr20:24
dtroyerayoung: if that's not part of the --nic argument then we are missing that option20:25
ayoungdtroyer yeah  this is what it shows20:26
dtroyerI am not on top of that as much as I'd like, particularly if it's a Neutron back-end20:26
ayoung  --nic <nic-config-string>20:26
ayoung                        Specify NIC configuration (optional extension)20:26
ayoungI was able to determine what it needed from the nova docs http://docs.openstack.org/juno/install-guide/install/yum/content/launch-instance-neutron.html20:26
dtroyerright, I think we've just copied the argument format…that certainly needs attention20:27
openstackgerritDavid J Hu proposed openstack/python-keystoneclient: Access Info Formatter  https://review.openstack.org/17251420:27
ayoungdtroyer, https://bugs.launchpad.net/python-openstackclient/+bug/144468520:29
openstackLaunchpad bug 1444685 in python-openstackclient "server create does not explain network values" [Undecided,New]20:29
ayounggreat bug for someone to cut their teeth on in OpenStack.20:29
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Adds inherited column to RoleAssignment PK  https://review.openstack.org/14247220:34
bknudson"Fuel Devops McRobotson "?20:35
bretonbknudson: where is that?20:37
bknudsonbreton: https://bugs.launchpad.net/keystonemiddleware/+bug/141106320:38
openstackLaunchpad bug 1411063 in keystonemiddleware "S3token incorrect condition expression for ssl_insecure (CVE-2015-1852)" [Critical,In progress] - Assigned to Tristan Cacqueray (tristan-cacqueray)20:38
bknudsonit's the last comment.20:38
bretonbknudson: it's our bot spamming bugreports again :(20:39
bretonsorry about that, I'll notify people about that20:40
bknudsonno problem.20:40
breton"about that, about that"20:41
breton:(20:41
jlkholy crap you guys, I think I just got a token out of this simulate_idp.py thing!20:41
*** stevemar has quit IRC20:41
*** gyee has joined #openstack-keystone20:44
*** ChanServ sets mode: +v gyee20:44
*** gyee has quit IRC20:44
*** thedodd has quit IRC20:49
*** alexsyip has joined #openstack-keystone20:52
dstanekjlk: simulate_idp.py?20:53
jlkyeah something that's been passed around to help test federation stuff20:53
*** jeffDeville has quit IRC20:54
*** rushil has quit IRC20:57
dstanekjlk: neat. where can i get my hands on that?20:57
dstaneki assume that you've fixed your SSL troubles20:58
jlkit may not actually have been ssl, it may have been needing to restart shib before trying the simulation again20:58
jlkI'm running more tests20:58
*** raildo has quit IRC21:00
*** gyee has joined #openstack-keystone21:00
*** ChanServ sets mode: +v gyee21:00
jlkyeah21:01
jlkI don't need ssl between haproxy and apache after all.21:01
jlkmorganfainberg: gyee: we were chasing a red herring this morning. The reason I was getting a replay warning was because I needed to restart shib service between simulation attempts.21:02
*** mattfarina has quit IRC21:02
*** mattamizer has quit IRC21:03
morganfainbergjlk, aha!21:04
morganfainbergok so we're good21:04
morganfainbergyay!21:04
jlkyeah, no ssl between haproxy and apache.21:04
morganfainbergnice21:04
morganfainbergbtw, this is awesome it shows we are safe from replay attacks :P21:05
jlkat least until you restart the service :)21:05
dstanekthat sorta worries me in a production deployment - too easy to sniff21:05
morganfainberglol21:05
jlkdstanek: we're working toward ssl everywhere on our private network, but openstack doesn't make this easy21:06
ayoungjlk, richm has been working on that, too.  We need to get off eventlet everywhere21:07
ayoungit is annoying, cuz we dug our own hole here21:07
*** leonchio_ has joined #openstack-keystone21:07
dstanekayoung: that's two different issues, although i do agree21:07
richmapache == ssl termination + wsgi21:08
ayoungdstanek, I'd argue it is one and the same, as with HTTPD, we'd have SSL by default, and people would have worked through the issues by now21:08
jlkso without doing a lot of tweaking, doing apache fronted keystone vs eventlet fronted keystone made things significantly slower21:08
jlkLOTS of variables at play of course, but it wasn't a very comforting first step21:08
dstanekayoung: it's trivial to put a terminator in front of an eventlet app21:09
ayoungdstanek, no it isn't21:09
ayoungthat solves the easy part of the problem21:09
richmapache = x509 cert auth termination + SASL auth termination + federation auth termination + etc.21:09
ayoungdstanek, it doesn't solve the whole problem21:10
dstanekayoung: SSL everywhere is the problem i want to solve. what is the other one?21:10
ayoungdstanek, getting the damn thing set up right so the service catalog finds the endpoints21:10
ayoungand getting it tested in devstack21:10
jlkwe also have the problem of trying to do many services on a single host, each service with its own venv, and to front them all with apache gets.. interesting21:10
ayoungand getting it into puppet21:10
ayoungand getting into all the things that consume puppet21:10
ayoungand so forth and so on on merrily down the stream21:11
dstanekagain that's different. you can put up SSL in front of eventlet with a trivial init script. so people should start doing that21:11
*** joesavak has quit IRC21:11
ayoungdstanek, come live in my world for a week and you will have a different perspective21:11
ayoungor..should I say, in richm's world21:12
dstaneki'm already doing this stuff all over the place so there is no reason when we can't get openstack services to fix their stuff; this can totally be done21:12
dstaneki'm also not arguing that we should keep eventlet21:13
richmIf SSL is the only problem with eventlet then yes, there are other ways to solve that problem - just put some sort of proxy/shim in front of it - doesn't have to be apache21:13
dstaneki just think we need to be careful to not conflate unrelated issues - it makes it harder for people to agree when they think you are like congress sliding a personal thing through under the cloak of another issue21:14
dstanekrichm: exactly21:14
richmBut there is also the problem that keystone + eventlet doesn't scale very well with thousands of connections and requests - perhaps there is also another way to solve that problem without apache wsgi too21:15
dstanekthere are several ways to deal with that issue - in my personal stuff i always favor running nginx and it should be able to work there too21:16
richmnginx + wsgi?21:16
dstanekyes, i do that all of the time - that's the most popular deployment scenario for Python app IME21:17
dstaneknginx -> gunicorn -> application21:18
dstanekgunicorn runs the app multi-(process, thread) and nginx will proxy to it21:18
richminstead of apache + wsgi + application21:19
bknudsondstanek: how do you do haproxy?21:19
dstanekbknudson: what do you mean? it just sits in front of all of the nginx servers21:20
bknudsondstanek: I was just wondering if you changed it up when you did haproxy.21:20
dstanekbknudson: no, it's no different than when i use apache21:21
dstanekbknudson: maybe i need to submit my patch - i have keystone running under gunicorn21:21
dstanekwhich btw can be run behind apache too, but there is the added benefit that the python is out of process21:22
bknudsondstanek: then apache is just reverse proxy?21:23
dstanekbknudson: yes21:24
dstanekthat's what i'd do with nginx too21:24
*** rushiagr is now known as rushiagr_away21:24
bknudsondstanek: does gunicorn have the plugins for federation?21:24
dstaneki'll do a little research on deployment speeds and report back tomorrow - i'm curious21:25
dstanekbknudson: no, you'd have to run it behind something that does (Apache does obviously, but i thought that there were some plugins for nginx too)21:26
*** dims_ has joined #openstack-keystone21:46
*** jamielennox|away is now known as jamielennox21:46
*** dims has quit IRC21:48
*** topol has quit IRC21:49
*** tqtran has joined #openstack-keystone21:52
*** vilobhmm11 has quit IRC21:53
*** markvoelker has joined #openstack-keystone21:53
*** bknudson has quit IRC21:54
*** tqtran has quit IRC21:57
*** markvoelker has quit IRC21:58
*** _cjones_ has quit IRC22:24
*** _cjones_ has joined #openstack-keystone22:37
*** gordc has quit IRC22:45
*** markvoelker_ has joined #openstack-keystone22:53
*** zzzeek has quit IRC23:01
*** erkules_ is now known as erkules23:03
*** chlong has joined #openstack-keystone23:11
jamielennoxwhat's the point of memcaching the data of a PKI token? do we do that on purpose?23:16
*** mhu has quit IRC23:16
*** mhu has joined #openstack-keystone23:16
dstanekjamielennox: we get it out of cache even though we have the actual data already?23:25
jamielennoxit appears that we do memcache instead of just validating the PKI token23:25
jamielennoxi would think time difference would be negligible23:26
*** drjones has joined #openstack-keystone23:31
openstackgerritLin Hua Cheng proposed openstack/keystone: Remove unused policy rule for get_trust  https://review.openstack.org/17415523:33
*** mestery_ has joined #openstack-keystone23:33
*** j_king_ has joined #openstack-keystone23:34
*** luminalf1ux has joined #openstack-keystone23:34
*** HenryG_ has joined #openstack-keystone23:35
dstanekjamielennox: that's an interesting decision. so that means we must have memcached installed?23:37
jamielennoxno, i think if memcache isn't available it's ignored23:37
*** nonameentername has joined #openstack-keystone23:38
*** _cjones_ has quit IRC23:38
*** luminalflux has quit IRC23:38
*** j_king has quit IRC23:38
*** grantbow has quit IRC23:38
*** arunkant has quit IRC23:38
*** HenryG has quit IRC23:38
*** bigjools has quit IRC23:38
*** bigjools_ has joined #openstack-keystone23:38
*** cburgess_ has joined #openstack-keystone23:38
*** vhoward- has joined #openstack-keystone23:38
*** markvoelker has joined #openstack-keystone23:39
*** vhoward has quit IRC23:39
*** _nonameentername has quit IRC23:39
*** mestery has quit IRC23:39
*** cburgess has quit IRC23:39
*** arunkant has joined #openstack-keystone23:39
*** bigjools_ is now known as bigjools23:39
*** markvoelker_ has quit IRC23:40
*** bigjools has quit IRC23:40
*** bigjools has joined #openstack-keystone23:40
*** markvoelker has quit IRC23:40
*** markvoelker has joined #openstack-keystone23:40
*** markvoelker_ has joined #openstack-keystone23:41
*** grantbow has joined #openstack-keystone23:41
*** grantbow has joined #openstack-keystone23:41
*** markvoelker has quit IRC23:45
*** tqtran_afk is now known as tqtran23:57
*** mattamizer has joined #openstack-keystone23:58
*** wolsen_ is now known as wolsen23:59
