Friday, 2015-07-17

*** hrou has joined #openstack-keystone00:00
*** openstack has joined #openstack-keystone00:03
*** tsymanczyk has joined #openstack-keystone00:04
*** markvoelker has quit IRC00:04
*** TheIntern has quit IRC00:07
*** boris-42 has quit IRC00:12
*** stevemar has joined #openstack-keystone00:23
*** ChanServ sets mode: +v stevemar00:23
*** hogepodge has joined #openstack-keystone00:25
*** spandhe has joined #openstack-keystone00:26
*** ankita_wagh has quit IRC00:29
*** spandhe_ has joined #openstack-keystone00:29
*** spandhe has quit IRC00:31
*** spandhe_ is now known as spandhe00:31
*** woodster_ has quit IRC00:32
*** stevemar has quit IRC00:32
*** btully has quit IRC00:35
*** shaleh has quit IRC00:36
*** sigmavirus24 is now known as sigmavirus24_awa00:37
*** zzzeek has joined #openstack-keystone00:43
*** scorpio-xiatian has joined #openstack-keystone00:53
*** rm_work is now known as rm_work|away01:00
*** zzzeek has quit IRC01:08
<jiaxi> Please help me to review my patch set.  visit https://review.openstack.org/#/c/200512/ 01:09
*** jasonsb has quit IRC01:11
*** _cjones_ has quit IRC01:12
<openstackgerrit> Jamie Lennox proposed openstack/python-keystoneclient-kerberos: Disable optional authentication for plugin  https://review.openstack.org/188329 01:12
<openstackgerrit> Jamie Lennox proposed openstack/python-keystoneclient-kerberos: Federated Kerberos plugin  https://review.openstack.org/173558 01:12
*** woodster_ has joined #openstack-keystone01:25
<jiaxi> Please help me to review my patch set.  visit https://review.openstack.org/#/c/200512/ 01:32
*** afazekas has quit IRC01:34
*** jdandrea has quit IRC01:46
*** tobe_ has joined #openstack-keystone01:49
*** ankita_wagh has joined #openstack-keystone01:51
*** ankita_wagh has quit IRC01:52
*** ankita_wagh has joined #openstack-keystone01:53
*** lhcheng has joined #openstack-keystone01:57
*** ChanServ sets mode: +v lhcheng01:57
<miguelgrinberg> marekd rodrigods: do you guys have an example openrc file for openstack client that does the ECP auth flow? 02:02
*** amakarov has joined #openstack-keystone02:11
*** piyanai has joined #openstack-keystone02:19
*** richm has quit IRC02:20
*** ayoung has joined #openstack-keystone02:27
*** ChanServ sets mode: +v ayoung02:27
*** dims_ has quit IRC02:31
<bigjools> miguelgrinberg: IIRC you need to add --os-auth-type v3unscopedsaml --os-identity-provider-url=<ecp endpoint> --os-identity-provider <idp in keystone> 02:35
*** chlong-afk has quit IRC02:37
*** lhcheng has quit IRC02:37
*** chenhong has joined #openstack-keystone02:39
*** chlong has joined #openstack-keystone02:42
*** stevemar has joined #openstack-keystone02:44
*** ChanServ sets mode: +v stevemar02:44
<bigjools> can the same project be part of more than one domain? 02:44
*** ayoung has quit IRC02:45
*** ankita_wagh has quit IRC02:47
*** stevemar has quit IRC02:49
*** hakimo has joined #openstack-keystone02:53
*** hakimo_ has quit IRC02:55
*** piyanai has quit IRC02:55
<nigelb> wah! hi bigjools :) 02:58
<bigjools> hey nigelb 02:58
*** hakimo_ has joined #openstack-keystone03:10
*** hakimo has quit IRC03:10
*** boris-42 has joined #openstack-keystone03:14
*** Kennan has quit IRC03:20
*** Kennan has joined #openstack-keystone03:20
<openstackgerrit> jiaxi proposed openstack/keystone: when creating a group without specifying a domain should return 400  https://review.openstack.org/201511 03:25
*** hakimo has joined #openstack-keystone03:27
*** hakimo_ has quit IRC03:27
<jiaxi> Please help me to review my patch set.  visit https://review.openstack.org/#/c/200512/ 03:28
*** woodster_ has quit IRC03:32
*** dims_ has joined #openstack-keystone03:32
*** dims_ has quit IRC03:37
*** hakimo_ has joined #openstack-keystone03:44
*** hakimo has quit IRC03:44
*** stevemar has joined #openstack-keystone03:46
*** ChanServ sets mode: +v stevemar03:46
*** geoffarnold has joined #openstack-keystone04:00
*** scorpio-xiatian has quit IRC04:01
*** hakimo has joined #openstack-keystone04:01
*** hakimo_ has quit IRC04:01
*** amakarov has quit IRC04:05
*** geoffarnold has quit IRC04:09
*** hakimo_ has joined #openstack-keystone04:18
*** hakimo has quit IRC04:18
*** fangzhou has quit IRC04:22
*** jasonsb has joined #openstack-keystone04:28
*** thedodd has joined #openstack-keystone04:33
*** tobe_ has quit IRC04:53
*** flwang has quit IRC05:00
*** stevemar_ has joined #openstack-keystone05:04
*** ChanServ sets mode: +v stevemar_05:04
*** ParsectiX has joined #openstack-keystone05:05
*** stevemar has quit IRC05:07
*** telemonster has quit IRC05:08
*** telemonster has joined #openstack-keystone05:08
*** blewis has joined #openstack-keystone05:10
*** blewis` has joined #openstack-keystone05:12
*** ankita_wagh has joined #openstack-keystone05:14
*** blewis has quit IRC05:15
*** browne has quit IRC05:16
*** thedodd has quit IRC05:17
*** ParsectiX has quit IRC05:18
*** dguerri` is now known as dguerri05:19
*** boris-42_ has joined #openstack-keystone05:20
*** diazjf1 has joined #openstack-keystone05:21
*** browne has joined #openstack-keystone05:21
*** Daviey_ has joined #openstack-keystone05:22
*** samuel-dmq has joined #openstack-keystone05:23
*** boris-42 has quit IRC05:23
*** Protux has quit IRC05:23
*** mancdaz has quit IRC05:23
*** Daviey has quit IRC05:23
*** samueldmq has quit IRC05:23
*** Protux has joined #openstack-keystone05:24
*** boris-42_ is now known as boris-4205:24
*** mancdaz has joined #openstack-keystone05:24
*** chenhong1 has joined #openstack-keystone05:27
*** browne has quit IRC05:27
*** chenhong has quit IRC05:28
*** markvoelker has joined #openstack-keystone05:41
*** markvoelker_ has joined #openstack-keystone05:44
*** markvoelker has quit IRC05:45
*** tobe_ has joined #openstack-keystone05:46
*** hrou has quit IRC05:52
<jiaxi> Please help me to review my patch set.  visit https://review.openstack.org/#/c/200512/ 05:53
*** spandhe has quit IRC06:00
*** dims_ has joined #openstack-keystone06:00
*** stevemar_ has quit IRC06:03
*** stevemar has joined #openstack-keystone06:04
*** ChanServ sets mode: +v stevemar06:04
*** spandhe has joined #openstack-keystone06:04
*** stevemar_ has joined #openstack-keystone06:06
*** ChanServ sets mode: +v stevemar_06:06
*** dims_ has quit IRC06:06
*** ParsectiX has joined #openstack-keystone06:07
*** ig0r_ has joined #openstack-keystone06:08
*** stevemar has quit IRC06:09
<ParsectiX> Good Morning :) 06:09
*** stevemar_ has quit IRC06:10
*** tobe_ has quit IRC06:16
<openstackgerrit> David Stanek proposed openstack/keystone: Moves keystone.hacking into keystone.tests  https://review.openstack.org/202895 06:26
*** tobe_ has joined #openstack-keystone06:31
*** dguerri is now known as dguerri`06:40
*** jaosorior has joined #openstack-keystone06:43
*** ig0r_ has quit IRC06:45
*** ig0r_ has joined #openstack-keystone06:50
*** belmoreira has joined #openstack-keystone06:51
*** ankita_wagh has quit IRC07:05
*** ankita_wagh has joined #openstack-keystone07:05
*** afazekas has joined #openstack-keystone07:06
*** bradjones has quit IRC07:08
*** bradjones has joined #openstack-keystone07:11
*** bradjones has quit IRC07:11
*** bradjones has joined #openstack-keystone07:11
*** boris-42 has quit IRC07:12
*** Pawel__ has joined #openstack-keystone07:23
*** fhubik has joined #openstack-keystone07:34
*** fhubik has quit IRC07:46
*** fhubik has joined #openstack-keystone07:48
*** dims_ has joined #openstack-keystone07:49
*** dims_ has quit IRC07:56
*** ankita_wagh has quit IRC08:00
*** rm_work|away is now known as rm_work08:04
*** fhubik is now known as fhubik_afk08:07
*** jistr has joined #openstack-keystone08:15
<jiaxi> Please help me to review my patch set.  visit https://review.openstack.org/#/c/200512/ 08:19
*** chenhong has joined #openstack-keystone08:22
<openstackgerrit> jiaxi proposed openstack/keystone: Invalid URLs are not suppressed when creating endpoint  https://review.openstack.org/200512 08:23
*** blewis` has quit IRC08:23
*** chenhong1 has quit IRC08:24
*** fhubik_afk is now known as fhubik08:28
*** rletrocquer has joined #openstack-keystone08:29
*** blewis has joined #openstack-keystone08:31
*** kashyap has left #openstack-keystone08:32
*** pnavarro has joined #openstack-keystone08:39
*** markvoelker_ has quit IRC08:42
*** spandhe has quit IRC08:43
*** mhu has quit IRC08:53
*** mhu has joined #openstack-keystone08:56
*** markvoelker has joined #openstack-keystone08:57
*** fhubik is now known as fhubik_afk09:00
*** ParsectiX has quit IRC09:00
*** e0ne has joined #openstack-keystone09:01
*** markvoelker has quit IRC09:02
*** fhubik_afk is now known as fhubik09:04
*** ParsectiX has joined #openstack-keystone09:05
*** aix has joined #openstack-keystone09:07
*** markvoelker has joined #openstack-keystone09:12
*** Daviey_ is now known as Daviey09:14
*** dims_ has joined #openstack-keystone09:15
*** markvoelker has quit IRC09:17
*** dims_ has quit IRC09:20
*** tobe_ has quit IRC09:25
*** blewis` has joined #openstack-keystone09:25
*** markvoelker has joined #openstack-keystone09:26
*** blewis has quit IRC09:29
*** markvoelker has quit IRC09:31
*** Kennan2 has joined #openstack-keystone09:33
*** Kennan has quit IRC09:33
*** marzif_ has joined #openstack-keystone09:39
*** markvoelker has joined #openstack-keystone09:41
*** david8hu has quit IRC09:43
*** david8hu has joined #openstack-keystone09:43
*** markvoelker has quit IRC09:45
*** fhubik is now known as fhubik_afk09:52
*** piyanai has joined #openstack-keystone09:55
*** markvoelker has joined #openstack-keystone09:55
*** markvoelker has quit IRC10:00
*** dims_ has joined #openstack-keystone10:05
*** ParsectiX has quit IRC10:05
*** ParsectiX has joined #openstack-keystone10:06
*** markvoelker has joined #openstack-keystone10:07
*** markvoelker has quit IRC10:12
*** btully has joined #openstack-keystone10:14
*** ParsectiX has quit IRC10:15
*** rm_work is now known as rm_work|away10:19
*** btully has quit IRC10:19
*** markvoelker has joined #openstack-keystone10:22
*** openstackgerrit has quit IRC10:31
*** markvoelker has quit IRC10:32
*** openstackgerrit has joined #openstack-keystone10:32
*** fhubik_afk is now known as fhubik10:33
*** ParsectiX has joined #openstack-keystone10:35
*** jaosorior has quit IRC10:36
*** markvoelker has joined #openstack-keystone10:37
*** chenhong1 has joined #openstack-keystone10:37
*** chenhong has quit IRC10:38
*** lsmola has joined #openstack-keystone10:40
*** aix has quit IRC10:41
*** chenhong1 has quit IRC10:42
*** markvoelker has quit IRC10:42
*** aix has joined #openstack-keystone10:45
<openstackgerrit> Alexey Miroshkin proposed openstack/keystone: Implement backend filtering on membership queries  https://review.openstack.org/179758 10:51
*** markvoelker has joined #openstack-keystone10:51
*** markvoelker has quit IRC10:56
*** dims_ has quit IRC11:06
*** markvoelker has joined #openstack-keystone11:06
*** markvoelker has quit IRC11:11
*** piyanai has quit IRC11:19
*** fhubik has quit IRC11:19
*** markvoelker has joined #openstack-keystone11:19
*** piyanai has joined #openstack-keystone11:20
*** piyanai has quit IRC11:22
*** markvoelker has quit IRC11:24
*** pnavarro is now known as pnavarro|lunch11:29
*** markvoelker has joined #openstack-keystone11:32
*** alex_xu is now known as alexus11:34
*** markvoelker has quit IRC11:44
*** amakarov has joined #openstack-keystone11:45
*** josecastroleon has joined #openstack-keystone11:51
<marekd> miguelgrinberg: there is no OSC wrapper around k2k 11:53
<marekd> i can share my script with you if you need it. 11:53
*** markvoelker has joined #openstack-keystone11:55
<jiaxi> Please help me to review my patch set.  visit https://review.openstack.org/#/c/200512/ 11:55
*** bdossant has joined #openstack-keystone11:59
*** markvoelker has quit IRC12:00
*** pnavarro|lunch has quit IRC12:09
*** markvoelker has joined #openstack-keystone12:09
*** markvoelker has quit IRC12:13
*** markvoelker has joined #openstack-keystone12:16
*** markvoelker has quit IRC12:21
*** lsmola has quit IRC12:21
*** amakarov has quit IRC12:21
*** lsmola has joined #openstack-keystone12:23
*** jasonsb has quit IRC12:23
*** edmondsw has joined #openstack-keystone12:23
*** markvoelker has joined #openstack-keystone12:24
<odyssey4me> marekd I have some bad news :/ 12:24
<odyssey4me> it seems that I've uncovered some sort of bug 12:24
*** dims_ has joined #openstack-keystone12:25
*** stevemar has joined #openstack-keystone12:25
*** ChanServ sets mode: +v stevemar12:25
<odyssey4me> I have a perfectly working SP setup that works against TestShib. With exactly the same configuration other than switching from http to https, I get a valid auth but keystone thinks that the user has no access to projects. 12:26
*** stevemar has quit IRC12:29
*** markvoelker has quit IRC12:32
*** stevephone has joined #openstack-keystone12:35
*** stevephone has quit IRC12:37
*** markvoelker has joined #openstack-keystone12:39
*** piyanai has joined #openstack-keystone12:40
*** piyanai has quit IRC12:40
*** jiaxi has quit IRC12:43
*** markvoelker has quit IRC12:43
*** woodster_ has joined #openstack-keystone12:46
*** piyanai has joined #openstack-keystone12:51
*** amakarov has joined #openstack-keystone12:52
*** markvoelker has joined #openstack-keystone12:53
*** dims_ has quit IRC12:54
*** piyanai has quit IRC12:55
*** markvoelker has quit IRC12:58
*** browne has joined #openstack-keystone13:00
*** piyanai has joined #openstack-keystone13:00
*** jasonsb has joined #openstack-keystone13:00
*** piyanai has quit IRC13:00
*** samuel-dmq has quit IRC13:04
*** samueldmq has joined #openstack-keystone13:04
*** markvoelker has joined #openstack-keystone13:05
*** piyanai has joined #openstack-keystone13:06
*** markvoelker_ has joined #openstack-keystone13:07
<marekd> odyssey4me: can you introduce me a little bit more? 13:07
<odyssey4me> marekd so I have a test setup which was configured to work with TestShib without SSL. 13:08
<odyssey4me> The keystone configs, mappings, etc are all there and were tested to be in a working state. 13:08
*** markvoelker has quit IRC13:09
*** diegoadolfo has joined #openstack-keystone13:10
<odyssey4me> I then set keystone's public endpoint to be https, implemented the certificate, configured shibboleth2.xml to be aware of the changes (entityID, etc), reconfigured horizon to use the updated endpoint, etc 13:10
<odyssey4me> I verified that the metadata showed all URLs in the content to be via https and verified that it was accessible via https 13:11
<odyssey4me> I submitted the updated metadata to TestShib, then tried a login via WebSSO. 13:11
<odyssey4me> I get a valid session to TestShib, WebSSO lets me through, but keystone thinks I have access to no projects. 13:12
<odyssey4me> whereas when I tested it without SSL I had access to a project. 13:12
*** rdo has quit IRC13:13
*** lhcheng has joined #openstack-keystone13:14
*** ChanServ sets mode: +v lhcheng13:14
<marekd> odyssey4me: did you update metadata file (same name) or updated another one? 13:14
<marekd> odyssey4me: i suspect this might be something with repeated metadata file etc. 13:14
<odyssey4me> marekd same name gave other errors, so I uploaded with a new name 13:15
*** rdo has joined #openstack-keystone13:15
<odyssey4me> the error I'm seeing is exactly the same error I saw with my ADFS IdP - I decided to check the setup against TestShib to validate whether the issue was specific to ADFS or not 13:15
*** jsavak has joined #openstack-keystone13:16
<marekd> odyssey4me: so you claim that switching between http and https has some implications on keystone tokens? 13:17
<odyssey4me> what makes no sense to me is that shibboleth has a valid session, but keystone seems to do something funky afterwards 13:17
<odyssey4me> marekd it would seem that the protocol has an effect on the token somehow, yes - it looks to me like it never goes beyond a scoped token 13:18
<marekd> odyssey4me: while switching from https->http did you restart shibd too? 13:19
<marekd> odyssey4me: you can try that. 13:19
*** Kiall has quit IRC13:20
<odyssey4me> marekd yep, I did - in fact I've done both a fresh build and a conversion back and forth 13:20
*** stevemar has joined #openstack-keystone13:20
*** ChanServ sets mode: +v stevemar13:20
*** hrou has joined #openstack-keystone13:21
<marekd> odyssey4me: to me it looks more like a shib problem, not really keystone... 13:21
<marekd> odyssey4me: anyways, then it doesn't find a valid project what does it say in logs? 13:21
*** Kiall has joined #openstack-keystone13:21
<odyssey4me> let me get a fresh set of logs quickly 13:22
*** jecarey has joined #openstack-keystone13:24
*** stevemar has quit IRC13:25
<odyssey4me> marekd keystone log: http://paste.openstack.org/show/4CAyxMVchwDfRPUyUZmJ/ 13:26
<odyssey4me> marekd: shibd log: http://paste.openstack.org/show/Nk2DjgnCvvz5Cdcbtf6P/ 13:28
<marekd> odyssey4me: looking 13:29
<odyssey4me> marekd the metadata is here if you'd like to inspect it: https://test1.pigeonbrawl.net:5000/Shibboleth.sso/Metadata 13:29
*** kodoku has joined #openstack-keystone13:30
*** topol has joined #openstack-keystone13:32
*** ChanServ sets mode: +v topol13:32
*** markvoelker_ has quit IRC13:34
*** dguerri` has quit IRC13:37
*** jiaxi has joined #openstack-keystone13:37
*** kodoku has quit IRC13:38
*** anteaya has quit IRC13:38
*** dguerri` has joined #openstack-keystone13:40
*** dguerri` is now known as dguerri13:41
*** dguerri has joined #openstack-keystone13:41
*** zzzeek has joined #openstack-keystone13:41
*** anteaya has joined #openstack-keystone13:42
*** pnavarro|lunch has joined #openstack-keystone13:43
*** hakimo has joined #openstack-keystone13:43
*** hakimo_ has quit IRC13:43
*** stevemar has joined #openstack-keystone13:44
*** ChanServ sets mode: +v stevemar13:44
<marekd> odyssey4me: "2015-07-17 13:24:26.421 2435 DEBUG keystone.middleware.core [-] Auth token not in the request header. Will not build auth context. process_request /usr/local/lib/python2.7/dist-packages/keystone/middleware/core.py:200" 13:44
<marekd> odyssey4me: i still think it's a matter of shibboleth not evicting sessions/cookies. 13:45
*** dims_ has joined #openstack-keystone13:45
<marekd> and it's super strange for me that it doesn't do that after killing shibd daemon. 13:45
<breton> gyee: 13:46
<jiaxi> Please spare some minutes in reviewing my patch set https://review.openstack.org/#/c/200512/ 13:46
<jiaxi> thank you in advance 13:46
<odyssey4me> marekd an issue on the SP or the IDP? 13:47
<marekd> SP 13:47
<marekd> i think 13:47
*** Guest9887 has quit IRC13:48
<marekd> morganfainberg: where should bugs against ksa-saml2 (or any ksa-* project) be filed? launchpad/bugs/keystoneauth-saml2 or launchpad/bugs/keystoneauth ? 13:48
*** stevemar has quit IRC13:48
<odyssey4me> marekd ok, perhaps a cookie is interfering here even though I'm doing a private browsing session - let me flush and try again 13:49
*** markvoelker has joined #openstack-keystone13:49
<morganfainberg> marekd: we should have an LP page, but we haven't been using it yet 13:49
*** jaosorior has joined #openstack-keystone13:49
<morganfainberg> https://launchpad.net/keystoneauth 13:49
*** blewis has joined #openstack-keystone13:49
*** blewis is now known as Guest6246513:49
<marekd> ok, so ksa subprojects are still handled by  https://launchpad.net/keystoneauth . 13:49
*** raildo1 is now known as raildo13:51
*** stevemar has joined #openstack-keystone13:51
*** ChanServ sets mode: +v stevemar13:51
<openstackgerrit> Marek Denis proposed openstack/keystoneauth-saml2: Depend on keystoneauth  https://review.openstack.org/186854 13:52
*** stevemar_ has joined #openstack-keystone13:52
*** ChanServ sets mode: +v stevemar_13:52
<openstackgerrit> Marek Denis proposed openstack/keystoneauth-saml2: Standardize federated auth token scoping  https://review.openstack.org/177227 13:53
<marekd> lhcheng: ^^ 13:53
*** markvoelker has quit IRC13:54
*** stevemar has quit IRC13:55
*** pnavarro|lunch is now known as pnavarro13:56
*** jdandrea has joined #openstack-keystone13:56
<lhcheng> marekd: looking 13:56
<odyssey4me> marekd fresh, whole new browser and the same result 13:57
*** stevemar_ has quit IRC13:57
*** stevemar has joined #openstack-keystone13:58
*** ChanServ sets mode: +v stevemar13:58
*** ayoung has joined #openstack-keystone13:58
*** ChanServ sets mode: +v ayoung13:58
*** markvoelker has joined #openstack-keystone13:59
<marekd> morganfainberg: odyssey4me wait, so you switched from https to http some time ago and you still have some problems with that? you are not being redirected to an IdP and the cookie is somewhere there? 13:59
<marekd> morganfainberg: sorry 14:00
*** gyee has joined #openstack-keystone14:00
*** ChanServ sets mode: +v gyee14:00
<odyssey4me> marekd no - let me clarify - I took a working http setup and converted it to serve via https and now while the auth works, keystone doesn't seem to allow an unscoped token 14:00
<odyssey4me> marekd I also did a fresh build immediately with an https setup, and had the same results 14:01
<marekd> odyssey4me: any chance to try it myself? 14:02
<marekd> odyssey4me: is this server available from the internet ? 14:02
<odyssey4me> marekd yep, you can test directly to https://test1.pigeonbrawl.net 14:02
<lhcheng> ayoung: https://review.openstack.org/#/c/202224/ 14:02
<marekd> odyssey4me: let me try then. 14:03
<odyssey4me> marekd I can put your ssh key on the server too to look around if you like. 14:03
<marekd> odyssey4me: what's idp name you configured? 14:04
<marekd> in keystone 14:05
*** sigmavirus24_awa is now known as sigmavirus2414:06
<samueldmq> ayoung: ping - do you have any news on the dynamic policy ? I'd like to figure out the next step I can do in the next weeks :) 14:07
*** markvoelker has quit IRC14:07
<odyssey4me> testshib-idp: https://idp.testshib.org/idp/shibboleth 14:09
<odyssey4me> marekd ^ 14:09
<ayoung> samueldmq, 1 sec 14:09
<samueldmq> ayoung: sure sir 14:09
*** cinerama has quit IRC14:09
<jiaxi> Would you spare some minutes in reviewing my patch set https://review.openstack.org/#/c/200512/   ? 14:09
*** jecarey has quit IRC14:09
*** jecarey has joined #openstack-keystone14:10
*** hakimo has quit IRC14:11
*** hakimo_ has joined #openstack-keystone14:11
*** ParsectiX has quit IRC14:12
*** rdo has quit IRC14:13
*** markvoelker has joined #openstack-keystone14:14
*** fangzhou has joined #openstack-keystone14:14
<marekd> odyssey4me: no no, idp name you added to keystone 14:15
<marekd> i want to try link: keystone:5000/v3/OS-FEDERATION/identity_providers/{idp}/protocols/{saml2}/auth 14:15
<marekd> and need idp name :-) 14:16
<odyssey4me> marekd: testshib-idp 14:17
*** markvoelker has quit IRC14:18
<marekd> odyssey4me: https://test1.pigeonbrawl.net:5000/v3/OS-FEDERATION/identity_providers/testship-idp/protocols/saml2/auth gives me 404 14:19
<marekd> http 404 "Cannot find Identity Provider testshib-idp" 14:20
<marekd> to be more specific 14:20
<odyssey4me> marekd odd, it redirects me straight to testshib 14:20
<marekd> the link i just pasted? 14:20
<odyssey4me> yep 14:20
<openstackgerrit> Brant Knudson proposed openstack/keystone: Cleanup logging in federation/idp.py  https://review.openstack.org/203047 14:20
<marekd> odyssey4me: apparently you were not copy pasting my link as i made typo :P 14:21
<odyssey4me> marekd heh, I see that - this is the only idp so it'll redirect any auth request to it :p 14:21
*** csoukup has joined #openstack-keystone14:22
<marekd> odyssey4me: so i got unscoped token 14:22
<marekd> odyssey4me: i closed, opened my browser in private mode and had to auth again. 14:23
<odyssey4me> marekd sounds like my experience so far 14:23
*** mylu has joined #openstack-keystone14:24
<lhcheng> marekd: added comment to https://review.openstack.org/#/c/186854/ (missed a spot) 14:24
*** mestery has quit IRC14:25
<rodrigods> marekd, stevemar ping... https://review.openstack.org/#/c/192438/ without this, the K2K plugin won't work =( 14:28
*** markvoelker has joined #openstack-keystone14:28
<marekd> rodrigods: i will take a look later, ok ? 14:31
<rodrigods> marekd, ok, thx 14:31
<rodrigods> just to make sure it is in your review list :) 14:32
*** rdo has joined #openstack-keystone14:32
*** Kennan2 has quit IRC14:32
*** markvoelker has quit IRC14:33
<openstackgerrit> Marek Denis proposed openstack/keystoneauth-saml2: Depend on keystoneauth  https://review.openstack.org/186854 14:33
*** Kennan has joined #openstack-keystone14:33
<marekd> lhcheng: again 14:33
<marekd> rodrigods: it's starred :P 14:36
*** piyanai has quit IRC14:36
<openstackgerrit> Brant Knudson proposed openstack/keystone: Move constants out of federation.core  https://review.openstack.org/200706 14:39
<openstackgerrit> Brant Knudson proposed openstack/keystone: Federation API provides method to evaluate rules  https://review.openstack.org/196308 14:39
*** TheIntern has joined #openstack-keystone14:40
*** mgarza_ has joined #openstack-keystone14:43
*** fangzhou has quit IRC14:45
*** fangzhou has joined #openstack-keystone14:46
*** markvoelker has joined #openstack-keystone14:50
*** diegoadolfo__ has joined #openstack-keystone14:51
*** diegoadolfo__ has quit IRC14:51
*** diegoadolfo has quit IRC14:52
*** gyee has quit IRC14:53
*** piyanai has joined #openstack-keystone14:54
*** markvoelker has quit IRC14:57
*** rdo has quit IRC14:57
*** markvoelker_ has joined #openstack-keystone14:57
*** markvoelker_ has quit IRC14:57
*** markvoelker has joined #openstack-keystone14:57
*** mestery has joined #openstack-keystone14:58
<dstanek> jiaxi: please be patient. there are lots of patches that we are working on and most of us are currently traveling 14:59
*** rdo has joined #openstack-keystone14:59
<dstanek> morganfainberg: http://paste.openstack.org/show/383928/ 15:02
*** bknudson has joined #openstack-keystone15:03
*** ChanServ sets mode: +v bknudson15:03
*** gyee has joined #openstack-keystone15:03
*** ChanServ sets mode: +v gyee15:03
<samueldmq> dstanek: what is that ? that's scaring, looks like the check isn't working properly 15:04
*** jsavak has quit IRC15:05
<morganfainberg> dstanek: /me cries 15:05
<morganfainberg> dstanek: yeah we need to *not* do that anymore :P 15:05
<dstanek> morganfainberg: i haven't actually checked to see if they are all valid 15:05
<dstanek> samueldmq: what do you mean? 15:05
<morganfainberg> dstanek: the oauth1 is 15:06
<morganfainberg> i just looked 15:07
<morganfainberg> they *probably* all are 15:07
*** jsavak has joined #openstack-keystone15:07
<openstackgerrit> Brant Knudson proposed openstack/keystone: Clean up notifications type checking  https://review.openstack.org/200733 15:07
*** blewis` has quit IRC15:10
<openstackgerrit> Brant Knudson proposed openstack/keystone: Remove unnecessary check from notifications.py  https://review.openstack.org/203069 15:12
*** Pawel__ has quit IRC15:13
<anteaya> morganfainberg: if you want to support the multinode work, sdague is looking for reviews on this patch: https://review.openstack.org/#/c/199091/12 15:18
*** shaleh has joined #openstack-keystone15:19
*** roxanaghe has joined #openstack-keystone15:21
<morganfainberg> anteaya: cool 15:21
<anteaya> :) 15:22
*** jecarey has quit IRC15:23
*** fangzhou has quit IRC15:23
<marekd> roxanaghe: hello 15:23
<stevemar> roxanaghe: http://specs.openstack.org/openstack/keystone-specs/specs/liberty/functional-testing.html << spec 15:23
<stevemar> roxanaghe: https://review.openstack.org/#/c/151310/8 << first patch 15:23
<stevemar> roxanaghe: the gate changes we would have to make: https://github.com/openstack-infra/project-config/blob/master/jenkins/jobs/keystone.yaml 15:24
<stevemar> roxanaghe: https://github.com/openstack-infra/project-config/blob/master/jenkins/jobs/osc.yaml 15:25
<marekd> odyssey4me: sorry, i am doing 5 things at the same itme. 15:26
<marekd> time 15:26
<odyssey4me> marekd no problem, I realise that you're pressed for time 15:26
*** rdo has quit IRC15:27
*** cinerama has joined #openstack-keystone15:27
*** rdo has joined #openstack-keystone15:27
<stevemar> roxanaghe: http://www.ibm.com/developerworks/cloud/library/cl-ldap-keystone/ 15:28
<roxanaghe> stevemar, thanks 15:28
*** janonymous_ has joined #openstack-keystone15:28
<miguelgrinberg> marekd: so this script to wrap openstack client that you mentioned just does the ECP workflow and then sets env vars for endpoint and token for openstack client to use? 15:31
<samueldmq> dstanek: I meant that paste, why does it say 'Undesirable "else" block found' when actually it has found a for block? 15:32
<marekd> miguelgrinberg: it's not for wrapping osc, it's for wrapping k2k auth plugin 15:33
<samueldmq> dstanek: or are those codes using that for/else python construct? 15:33
<dstanek> samueldmq: that's my new check :-) no for-else and while-else 15:33
<openstackgerrit> Morgan Fainberg proposed openstack/keystone: Do not remove expired revocation events on "get"  https://review.openstack.org/203085 15:33
<samueldmq> dstanek: great, I think a message telling 'Undesirable "for-else" block found' though 15:34
<samueldmq> dstanek: instead of just telling 'else block'; but that's up to you to decide :) 15:34
<morganfainberg> mfisch: what is your gerrit user? 15:34
<morganfainberg> mfisch: want to tag you on a fix 15:35
<morganfainberg> for review 15:35
<morganfainberg> mfisch, dolphm: re: revocation events - https://review.openstack.org/#/c/203085/ 15:35
<morganfainberg> and fixing for DB churn-y things 15:35
<morganfainberg> in short - don't prune on get, prune on revocation issuance 15:36
<morganfainberg> ayoung: https://review.openstack.org/#/c/203085/ 15:37
*** mylu has quit IRC15:38
*** mylu has joined #openstack-keystone15:39
*** gyee has quit IRC15:41
<ayoung> https://review.openstack.org/#/c/203085/1 15:42
<ayoung> bknudson, ^^ 15:42
*** mylu has quit IRC15:42
*** belmoreira has quit IRC15:43
*** mylu has joined #openstack-keystone15:45
*** mylu has quit IRC15:47
*** mylu has joined #openstack-keystone15:48
*** chlong has quit IRC15:49
*** raildo_ has joined #openstack-keystone15:49
*** btully has joined #openstack-keystone15:50
*** gyee has joined #openstack-keystone15:50
*** ChanServ sets mode: +v gyee15:50
*** ankita_wagh has joined #openstack-keystone15:51
*** bdossant has quit IRC15:53
*** jsavak has quit IRC15:54
*** jsavak has joined #openstack-keystone15:55
*** raildo_ has quit IRC15:58
*** afazekas has quit IRC15:58
*** tsymanczyk has quit IRC15:59
*** mestery has quit IRC16:01
*** mestery has joined #openstack-keystone16:01
<marekd> odyssey4me: can you give me project_id that federated user should be able to use ? 16:02
<odyssey4me> marekd sure, hold a minute 16:02
<odyssey4me> marekd: c0cde3fd864045ce97f384614f7e317d 16:02
*** eglute has quit IRC16:04
<openstackgerrit> Brant Knudson proposed openstack/keystonemiddleware: Use marker for py3 test requirements  https://review.openstack.org/203107 16:04
*** eglute has joined #openstack-keystone16:05
<marekd> odyssey4me: ok, i might miss something but..i can get unscoped and scoped token via CLI 16:05
<marekd> odyssey4me: was it something you had problems with ? 16:06
<openstackgerrit> Brant Knudson proposed openstack/keystonemiddleware: Use marker for py3 test requirements  https://review.openstack.org/203107 16:06
<odyssey4me> marekd ok, then the issue must be somewhere in the websso - when you try to use horizon it kicks out saying that it can't find any projects the user can access 16:06
<marekd> lhcheng: ^^ 16:07
* marekd lhcheng to the rescue 16:07
*** ankita_wagh has quit IRC16:10
<lhcheng> odyssey4me: when you restarted apache, you got kicked out? 16:12
*** Kiall has quit IRC16:12
*** Kiall has joined #openstack-keystone16:13
<openstackgerrit> OpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements  https://review.openstack.org/202282 16:13
<openstackgerrit> OpenStack Proposal Bot proposed openstack/keystonemiddleware: Updated from global requirements  https://review.openstack.org/197254 16:13
<lhcheng> odyssey4me: if horizon is using in-memory session backend, restarting apache would cause all users to have invalid session 16:14
*** rm_work|away is now known as rm_work16:14
<odyssey4me> lhcheng no, you can try it yourself: hit https://test1.pigeonbrawl.net - use the testshib login method (federated via saml2) 16:15
<odyssey4me> it'll kick you back, saying that the user has no access to any projects. 16:15
<odyssey4me> when using websso without ssl on the keystone endpoint, it works fine - you get in and have access to projects. 16:16
<openstackgerrit> OpenStack Proposal Bot proposed openstack/python-keystoneclient: Updated from global requirements  https://review.openstack.org/203137 16:17
<odyssey4me> lhcheng: Login failed: Unable to retrieve authorized projects. 16:18
<openstackgerrit> David Stanek proposed openstack/keystone: Adds a base class for functional tests  https://review.openstack.org/203142 16:18
<odyssey4me> lhcheng: but marekd has confirmed that retrieving a scope and unscoped token works just fine 16:18
<marekd> lhcheng: yep 16:18
<dstanek> samueldmq: those are the loops that contain the construct 16:18
<lhcheng> odyssey4me: did you update the keystone conf too 16:19
*** geoffarnold has joined #openstack-keystone16:19
lhchengodyssey4me:  [federation] trusted_dashboard = https://test1.pigeonbrawl.net.. >16:19
odyssey4melhcheng: two entries16:20
odyssey4me[federation]16:20
odyssey4meremote_id_attribute = Shib-Identity-Provider16:20
odyssey4metrusted_dashboard = https://104.130.5.125/auth/websso/16:20
odyssey4metrusted_dashboard = https://test1.pigeonbrawl.net/auth/websso/16:20
samueldmqdstanek: yes, but what I meant is: you saying an unexpected for-else or while-else construct was found could be better than just telling an else statement was found16:20
odyssey4melhcheng I just removed the first one to test, same result16:21
dstaneksamueldmq: so just a msg change? i don't think i can easily get the line of the else, but i'll look at that later16:21
samueldmqdstanek: just to be more specific. in fact, that's just a suggestion on the message, I like the fact you're creating those checks :)16:21
*** TheIntern has quit IRC16:22
dstaneksamueldmq: unfortunately i did this at 2am when i couldn't sleep so it can probably be done better16:22
samueldmqdstanek: even if you can't get to the line of the else, just saying for-else or while-else could be more specific :)16:22
dstaneksamueldmq: i'd love the ^ to point to the else16:22
samueldmqdstanek: yeah could be better :)16:22
*** _cjones_ has joined #openstack-keystone16:23
*** eglute has quit IRC16:23
*** eglute has joined #openstack-keystone16:24
samueldmqayoung: you around ?16:24
samueldmqayoung: still need to talk to you to figure out the next steps, let me know when you have some minutes :)16:25
*** jaosorior has quit IRC16:26
lhchengodyssey4me: looking at the horizon code, it fails at the point when it tries to use the federated unscoped token to get list of projects.16:29
odyssey4melhcheng notes that I did hit https://bugs.launchpad.net/horizon/+bug/1452232 but have applied the patch16:30
openstackLaunchpad bug 1452232 in OpenStack Dashboard (Horizon) ""NameError: global name '_' is not defined" on keystone authorization error" [Medium,Confirmed] - Assigned to Doug Fish (drfish)16:30
*** jistr has quit IRC16:31
lhchengodyssey4me: would you be able to test the federated token to call the list projects api?16:32
lhchengodyssey4me: yup, you got past that bug16:32
*** eglute has quit IRC16:33
*** eglute has joined #openstack-keystone16:34
*** dims_ has quit IRC16:37
*** piyanai has quit IRC16:38
lhchengodyssey4me: curious, what session backend do you use for horizon?16:38
odyssey4melhcheng memcache for the cache backend, and cached_db for the session engine16:40
odyssey4meie django.core.cache.backends.memcached.MemcachedCache and django.contrib.sessions.backends.cached_db16:41
lhchengodyssey4me: cool, that should be fine16:41
odyssey4melhcheng it may be pertinent to note that this environment's also using uuid tokens16:42
odyssey4mebut I think you figured that out already :p16:42
*** stevemar has quit IRC16:42
lhchengodyssey4me: yup, uuid token should be fine16:43
*** stevemar has joined #openstack-keystone16:43
*** ChanServ sets mode: +v stevemar16:43
*** topol has quit IRC16:43
*** BrAsS_mOnKeY has quit IRC16:45
*** ankita_wagh has joined #openstack-keystone16:45
lhchengodyssey4me: might need to turn on debug on horizon, to see the response return by keystone when the federated token was used to get the list of projects16:46
*** gyee has quit IRC16:46
lhchengdo you see error in keystone?16:46
lhchengodyssey4me: heading out for lunch, brb16:47
*** amakarov has quit IRC16:47
*** tsymanczyk has joined #openstack-keystone16:47
odyssey4melhcheng debug's already on ;)16:47
lhchengdoes it show the api request made to keystone?16:48
*** stevemar has quit IRC16:48
odyssey4melhcheng no error in keystone, but we've learned that keystone swallows exceptions too well - so I may need to add more debugging statements to work through it16:48
*** roxanaghe has quit IRC16:48
*** fangzhou has joined #openstack-keystone16:49
odyssey4melhcheng this is an earlier log - I can get a fresh one if you like: http://paste.openstack.org/show/4CAyxMVchwDfRPUyUZmJ/16:50
odyssey4meenjoy lunch!16:50
*** diazjf1 has left #openstack-keystone16:51
*** sigmavirus24 has quit IRC16:52
*** sigmavirus24 has joined #openstack-keystone16:52
*** browne has quit IRC16:54
*** mylu has quit IRC16:54
*** stevemar has joined #openstack-keystone16:55
*** ChanServ sets mode: +v stevemar16:55
*** stevemar_ has joined #openstack-keystone16:56
*** ChanServ sets mode: +v stevemar_16:56
*** Ephur has joined #openstack-keystone16:57
openstackgerritMerged openstack/keystone: Log xmlsec1 output if it fails  https://review.openstack.org/20247716:57
*** sigmavirus24 has quit IRC16:57
*** stevema__ has joined #openstack-keystone16:58
*** ChanServ sets mode: +v stevema__16:58
*** piyanai has joined #openstack-keystone16:58
*** mylu has joined #openstack-keystone16:58
*** ankita_w_ has joined #openstack-keystone16:59
*** ankita_w_ has quit IRC17:00
*** stevemar has quit IRC17:00
*** sigmavirus24 has joined #openstack-keystone17:00
*** ankita_w_ has joined #openstack-keystone17:00
*** stevemar_ has quit IRC17:01
*** ankita_wagh has quit IRC17:02
*** stevema__ has quit IRC17:02
*** tsymanczyk has quit IRC17:02
*** BrAsS_mOnKeY has joined #openstack-keystone17:04
*** BrAsS_mOnKeY has quit IRC17:06
*** tsymanczyk has joined #openstack-keystone17:07
*** mylu has quit IRC17:10
*** spandhe has joined #openstack-keystone17:12
*** piyanai has quit IRC17:14
*** mylu has joined #openstack-keystone17:15
*** jasonsb has quit IRC17:17
*** jasonsb has joined #openstack-keystone17:17
*** mylu has quit IRC17:19
*** mylu has joined #openstack-keystone17:21
*** piyanai has joined #openstack-keystone17:22
*** jasonsb has quit IRC17:22
*** harlowja has quit IRC17:26
*** harlowja has joined #openstack-keystone17:26
*** mylu has quit IRC17:27
*** mylu has joined #openstack-keystone17:27
*** piyanai has quit IRC17:27
*** mylu has quit IRC17:28
*** mylu has joined #openstack-keystone17:30
dhellmannhey, folks, where is keystoneauth-saml2 on launchpad?17:31
dhellmannmorganfainberg: ^^17:31
*** ankita_wagh has joined #openstack-keystone17:32
morganfainbergdhellmann: uhmmmmmmmmm. Needs to be made i think17:32
*** ankita_w_ has quit IRC17:32
dhellmannmorganfainberg: ah, that explains why I can't import its release history :-)17:34
dhellmannno worries, I'll just ignore it for now17:34
*** mestery has quit IRC17:35
morganfainbergYeah. I don't think it was ever released either.17:35
dhellmanncool, we can deal with it when you're ready for a release17:35
dhellmannI'm just working on importing the release history into the releases repo17:35
*** eglute has quit IRC17:35
*** eglute has joined #openstack-keystone17:36
*** mestery has joined #openstack-keystone17:36
*** pnavarro has quit IRC17:41
*** e0ne has quit IRC17:44
*** boris-42 has joined #openstack-keystone17:44
*** mylu has quit IRC17:47
*** jasonsb has joined #openstack-keystone17:52
*** browne has joined #openstack-keystone17:52
*** mylu has joined #openstack-keystone17:56
*** piyanai has joined #openstack-keystone18:00
*** mylu has quit IRC18:01
*** mylu has joined #openstack-keystone18:02
*** ankita_wagh has quit IRC18:02
*** ankita_wagh has joined #openstack-keystone18:02
*** Kennan2 has joined #openstack-keystone18:04
*** Kennan has quit IRC18:05
*** tqtran has joined #openstack-keystone18:08
*** mestery has quit IRC18:10
*** btully has quit IRC18:11
*** piyanai has quit IRC18:14
*** TheIntern has joined #openstack-keystone18:19
*** amakarov has joined #openstack-keystone18:24
*** piyanai has joined #openstack-keystone18:28
*** e0ne has joined #openstack-keystone18:29
*** mestery has joined #openstack-keystone18:31
*** roxanaghe has joined #openstack-keystone18:31
*** jsavak has quit IRC18:31
openstackgerritHenrique Truta proposed openstack/keystone: Add is_domain field in Project Table  https://review.openstack.org/15742718:31
*** jsavak has joined #openstack-keystone18:32
*** markvoelker has quit IRC18:32
lhchengodyssey4me: don't horizon log show the rest api made to keystone?18:38
lhchengodyssey4me: if debug is enabled, you should see the REST api made to /OS-FEDERATION/projects18:39
openstackgerrithenry-nash proposed openstack/keystone-specs: Move inherited assignments to core, and support new inheritance rules  https://review.openstack.org/20043418:42
morganfainbergTesting18:43
odyssey4melhcheng let me check18:43
*** gordc has joined #openstack-keystone18:47
marekdroxanaghe: can you link the patch here?18:47
bretonmorganfainberg: ping18:49
morganfainbergpong18:49
*** fangzhou has quit IRC18:49
bretonmorganfainberg: what does keystone/common/sql/migrate_repo/versions/050_fk_consistent_indexes.py do?18:49
bretonis it relevant now?18:50
morganfainbergit's an index rename18:50
morganfainbergjust to make things consistent18:50
morganfainbergbreton: if it's not being collapsed, it is relevant18:51
morganfainbergbut it's mostly historical18:51
morganfainbergafaict18:51
bretonit is collapsed18:51
bretonit's between i an j18:51
morganfainbergas long as the indexes in the collapse match the result18:51
morganfainbergfrom that, you're good18:51
morganfainbergshould be the defaults that was cleaning up a badly named/renamed table i think18:51
roxanaghemarekd, sure: https://review.openstack.org/#/c/180769/18:52
morganfainbergbreton: see the https://github.com/openstack/keystone/commit/ba6705a731f8a80f9d01e88ae3425a93d70e468818:52
bretonthe indexes are set only for mysql and only in migration. Original models were not changed in that commit18:52
odyssey4melhcheng odd, those debug lines should be in the error log for the vhost, right?18:52
bretonyep, https://review.openstack.org/#/c/84444/18:52
morganfainbergbreton: yeah bad rename where indexes no longer matched18:53
lhchengodyssey4me: yup18:53
bretonok, so I won't include it in the squashed migration18:53
lhchengodyssey4me: did you set this to DEBUG too: https://github.com/openstack/horizon/blob/master/openstack_dashboard/local/local_settings.py.example#L391 ?18:53
morganfainbergbreton: yeah just include the correct indexes ;)18:54
*** henrynash has joined #openstack-keystone18:54
*** ChanServ sets mode: +v henrynash18:54
odyssey4melhcheng something isn't right, I'm only getting this output: http://paste.openstack.org/show/LhttHGFn6WC6BNqXplQx/18:57
*** mylu has quit IRC18:58
*** mylu has joined #openstack-keystone18:58
lhchengodyssey4me: that looks like the apache log file18:59
*** TheIntern has quit IRC18:59
lhchengodyssey4me: horizon have its own logfile, configured in your apache conf19:00
*** bknudson has quit IRC19:00
odyssey4melhcheng that's the log file specified in the vhost: ErrorLog  /var/log/horizon/horizon-error.log19:00
*** gyee has joined #openstack-keystone19:00
*** ChanServ sets mode: +v gyee19:00
odyssey4melhcheng with LogLevel  debug19:01
*** mylu has quit IRC19:02
odyssey4meah, hang on - other loggers are disabled - hang on a sec19:02
*** TheIntern has joined #openstack-keystone19:02
*** mylu has joined #openstack-keystone19:03
*** stevemar has joined #openstack-keystone19:03
*** ChanServ sets mode: +v stevemar19:03
*** fangzhou has joined #openstack-keystone19:03
htrutahenrynash: ping19:05
henrynashhtruta: hi19:05
odyssey4melhcheng there we go: http://paste.openstack.org/show/7LIzjZ09I8bRoVuOl7as/19:05
htrutaregarding your comment, I disagree that is_domain=true projects must have the parent_id as domain_id19:06
htrutaif I see that, I'd think that B's users are in its domain (A)19:06
htrutausing the example in the review19:06
htrutato see B in the list, I think the correct way would be GET /projects?parent_id=A19:07
henrynashhtruta: I’m probably being dumb, but I don’t see that19:07
henrynashhtruta: the users in B, will have a domain_id=project_id of B19:08
henrynashhtruta: so I won’t see them as being owned by A19:08
htrutathe morganfainberg statement was  "Projects acting as a domain are owned by the parent domain, not by their own domain"19:09
htrutaconceptually speaking, what difference does this owning make?19:09
henrynashhtruta: so if I say “what domain is B in?” what’s the answer?19:10
htrutahenrynash: I see that they're still owned by the parent, even though the domain_id is its own19:10
htrutaI guess B is a domain.19:10
lhchengodyssey4me: horizon is making call "http://test1.pigeonbrawl.net:5000/v3/OS-FEDERATION/projects"19:10
htrutais the answer19:10
henrynashhtruta: hmmm, I’d have said it’s in domain A19:11
lhchengodyssey4me: the keystone endpoint is not the https version19:11
htrutaI don't think it is19:11
lhchengodyssey4me: what's the endpoint in your keystone service catalog?19:11
henrynashhtruta: :-)19:11
htrutahenrynash: there is nothing from is_domain A that B uses19:11
htrutado you get my point?19:11
*** stevemar has quit IRC19:12
odyssey4melhcheng hmm, I see two endpoints - one http and one https - let me fix that19:12
*** btully has joined #openstack-keystone19:13
*** stevemar has joined #openstack-keystone19:13
*** ChanServ sets mode: +v stevemar19:13
henrynashhtruta: so when I want to control, by policy, if someone can create a domain “below A”, I have to write a different rule than for projects? (i.e. one that uses parent_id not domain_id ?)19:13
henrynashbrb19:13
odyssey4melhcheng so the public endpoint is https, the others are http - it looks like it's redirecting19:14
htrutahenrynash: I think so. That's something I was discussing this week with rodrigods and raildo19:14
*** blewis has joined #openstack-keystone19:15
*** stevemar_ has joined #openstack-keystone19:15
*** ChanServ sets mode: +v stevemar_19:15
odyssey4melhcheng OPENSTACK_ENDPOINT_TYPE = 'publicURL' but it seems that keystone is referring the client to the internal endpoint19:16
*** blewis` has joined #openstack-keystone19:17
*** mylu has quit IRC19:17
*** btully has quit IRC19:17
*** stevemar has quit IRC19:17
henrynashback19:17
raildohenrynash: htruta I think that the parent_id is responsible to reflect the hierarchy information. Not the domain_id, so i think that doesn't make sense use the domain_id to point a parent domain.19:17
lhchengodyssey4me: oops, that call actually uses the setting in local_settings.py OPENSTACK_KEYSTONE_URL19:18
*** dims_ has joined #openstack-keystone19:18
lhchengodyssey4me: can you try updating that too19:18
henrynashsorry, brb (again!!!)19:18
raildohenrynash: np :P19:18
odyssey4melhcheng that's already set: OPENSTACK_KEYSTONE_URL = "https://test1.pigeonbrawl.net:5000/v3"19:19
*** afazekas has joined #openstack-keystone19:19
*** ankita_wagh has quit IRC19:19
*** stevemar_ has quit IRC19:20
*** ankita_wagh has joined #openstack-keystone19:20
*** blewis has quit IRC19:20
*** mylu has joined #openstack-keystone19:21
*** mylu has quit IRC19:23
*** edmondsw has quit IRC19:24
*** stevemar has joined #openstack-keystone19:24
*** ChanServ sets mode: +v stevemar19:24
*** mylu has joined #openstack-keystone19:25
henrynashback (again, again)19:25
henrynashraildo: so i guess I’m struggling with why we would treat a project acting as a domain different than a regular project….what’s the advantage of doing it differently (in terms of what domain_id is set to)19:26
henrynash?19:26
*** mylu has quit IRC19:28
*** flwang has joined #openstack-keystone19:28
*** mylu has joined #openstack-keystone19:29
*** dims__ has joined #openstack-keystone19:30
lhchengodyssey4me: if I make the call to "http://test1.pigeonbrawl.net:5000/v3/OS-FEDERATION/projects" it doesn't return anything19:31
lhchengodyssey4me: but I make the same call to https, it works fine19:31
lhchengodyssey4me: I'm using curl19:31
odyssey4melhcheng yep, that does seem to be the issue - I tested the curl from the debug as well19:31
lhchengodyssey4me: so I think we just need to figure out why horizon is using the http endpoint19:31
raildohenrynash: i don't see benefits in treat a project acting as a domain different than a project... but the idea with reseller is exactly work with it as a project and domain19:32
odyssey4melhcheng agreed - or why keystone is insisting on sending it to the internal endpoint19:32
raildohenrynash: hum... I don't know, I have to think more about it19:33
htrutahenrynash, raildo: we treat it different because it is different... it is also a domain19:33
*** dims_ has quit IRC19:34
htrutathe is_domain=True subproject won't have anything domain specific of the parent19:34
henrynashraildo: I guess a question to ask…what would break in the code you have written if we did set domain_id of B to the project_id of A19:34
lhchengodyssey4me: looking at the code, it might pull up the keystone endpoint from here19:34
lhchengodyssey4me: https://github.com/openstack/django_openstack_auth/blob/master/openstack_auth/views.py#L136-L13719:34
henrynash(assuming A is a project acting as a domain)19:34
openstackgerritDolph Mathews proposed openstack/keystone: Additional Fernet test coverage  https://review.openstack.org/19273919:36
htrutahenrynash: I suppose It breaks a lot of things19:36
henrynashhtruta: really??19:36
htrutabut surely would need to look further19:36
lhchengodyssey4me: perhaps keystone set the http_referrer when posting to horizon19:37
odyssey4melhcheng that is possible - keystone's SSL is being handled by a load balancer19:37
odyssey4meso it only knows about this from the catalogue19:37
htrutahenrynash: considering we move with that idea of yours, who'd be the domain_id of a root is_domain project? None of itself?19:38
*** jsavak has quit IRC19:38
htrutahenrynash: /s/of/or19:38
marekdodyssey4me: uh oh19:38
*** jsavak has joined #openstack-keystone19:38
henrynashhtruta: I guess that’s a good question, and my initial reaction is None19:38
marekdodyssey4me: is standard http handled by a lb ?19:39
htrutahenrynash: I think it does not make any sense19:39
odyssey4memarekd yes, both are handled by the same lb - just the public one has ssl offloading involved19:39
*** mylu has quit IRC19:39
marekdwhat's ssl offloading ?19:39
*** mylu has joined #openstack-keystone19:40
*** ankita_wagh has quit IRC19:40
henrynashhtruta: well, a domain object today has an ID, but not a domain_id…19:40
odyssey4memarekd when a specialised load balancer (like an F5, or haproxy in this case) handles the SSL encryption on behalf of the back-end http service19:40
odyssey4meso it's like a reverse proxy19:40
htrutahenrynash: but the domain_id is its own id19:41
htrutaand if it is a project and a domain, I think it can share the same id and domain_id19:41
henrynashhtruta: yep, which is the project ID in our new representation19:42
lhchengodyssey4me: you can try commenting out the code on https://github.com/openstack/django_openstack_auth/blob/master/openstack_auth/views.py#L136-L13719:42
lhchengodyssey4me: set auth_url=None19:43
lhchengjust to see if things would work19:43
*** TheIntern has quit IRC19:43
henrynashhtruta: here’s another way of saying this.  We could (conceptually) remove domain_id from all projects….and calculate it on-the-fly from a project’s position in the hierarchy…and that works whether the project is acting as a domain or not….so if storing the domain_id is just saving us working it out, then (again) why is it different for the two types of project19:44
*** jsavak has quit IRC19:44
openstackgerritSteve Martinelli proposed openstack/keystone: Move cli.py into keystone.cmd  https://review.openstack.org/20322419:45
*** mylu has quit IRC19:45
*** jsavak has joined #openstack-keystone19:45
odyssey4melhcheng nope, doesn't work - it still gets referred to the internal endpoint19:46
odyssey4melhcheng REQ: curl -g -i -X GET https://test1.pigeonbrawl.net:5000/v3 -H "Accept: application/json" -H "User-Agent: python-keystoneclient"19:46
odyssey4melhcheng RESP BODY: {"version": {"status": "stable", "updated": "2015-03-30T00:00:00Z", "media-types": [{"base": "application/json", "type": "application/vnd.openstack.identity-v3+json"}], "id": "v3.4", "links": [{"href": "http://test1.pigeonbrawl.net:5000/v3/", "rel": "self"}]}}19:47
*** rm_work has quit IRC19:47
odyssey4meit really does persist :/19:47
*** blewis` has quit IRC19:47
*** ig0r_ has quit IRC19:47
htrutahenrynash: that is a good question19:47
*** rm_work has joined #openstack-keystone19:48
htrutahenrynash: but I still say that a domain is not part of another domain. it is isolated. but the is_domain is just a child of it19:48
htrutaB does not belong to A19:48
htrutaB is a child of A19:48
lhchengodyssey4me: isn't " https://test1.pigeonbrawl.net:5000/v3 " the external endpoint?19:49
odyssey4melhcheng yes19:49
odyssey4meit's the public endpoint in the catalog, and the configured endpoint for horizon to use19:49
odyssey4meso horizon requests from the right endpoint, but keystone responds with the wrong href19:50
lhchengodyssey4me: if the auth_url was set to None, horizon will fallback to OPENSTACK_KEYSTONE_URL (configured in the settings)19:50
odyssey4melhcheng horizon always seems to be behaving initially, but keystone seems to be responding with referrals to other endpoints19:50
*** mylu has joined #openstack-keystone19:51
henrynashhtruta: I wonder if this is just semantics…..can you point me at something that would be harder to do (or not work at all) if we used my model?19:51
htrutahenrynash: let me think19:51
lhchengodyssey4me: do you still get the same error?19:51
odyssey4melhcheng yes - the error is most likely due to the empty response from keystone19:52
lhchengodyssey4me: don't the GET /OS-federation/projects work now?19:52
odyssey4melhcheng nope19:52
*** piyanai has quit IRC19:53
*** jecarey has joined #openstack-keystone19:53
*** gyee has quit IRC19:57
openstackgerritBoris Bobrov proposed openstack/keystone: Migrations squash  https://review.openstack.org/20322919:58
*** amakarov has quit IRC20:00
*** jsavak has quit IRC20:04
breton+41, -47520:04
dolphmlbragstad: was there a change to move fernet provider's issue_v3_token() method somewhere else?20:04
*** c_soukup has joined #openstack-keystone20:05
raildohenrynash: I think that you won this time haha I don't see any issue20:07
henrynashraildo: well, let’s mull on it overnight20:07
raildohenrynash: ok20:07
htrutahenrynash: I don't see issue, either. just see it conceptually wrong20:07
htrutajust like I said, I don't see B in A20:07
htrutaI see B child of A20:08
*** csoukup has quit IRC20:08
*** geoffarnold has quit IRC20:09
henrynashhtruta: understand….it probably is a conceptual thing but I see it the other way :-)20:09
raildohenrynash: what you're saying is that I do GET projects/?domain=A.id, project B will be returned, right?20:09
henrynashraildo: yes20:10
stevemarmarekd: how are things there?20:10
*** piyanai has joined #openstack-keystone20:10
lhchengwho's the expert on Session object next to jamielennox?20:10
raildohenrynash: great20:10
henrynashlhcheng: there’s sessions object sitting next to jamielennox?20:10
stevemarhenrynash: hes a new contributor20:11
henrynashlhcheng: sorry, couldn’t resist20:11
lhchenghenrynash: lol20:11
henrynashlhcheng: it’s like the old joke: “what’s on TV”, answer: a bunch of flowers in a vase20:11
stevemarhenrynash: whats going on there? are things winding down?20:11
lhchenghe's going to do all the ksc work for jamie20:12
henrynashstevemar: yes, I think our brains are fried20:12
lhchenghenrynash: hah20:12
stevemarhenrynash: is the building still shaking?20:12
henrynashstevemar: I think that has stopped20:12
stevemarmarekd: are you alive?20:12
henrynashstevemar: the T-Rex only ate 4 of us20:13
stevemarhenrynash: um... depending on who the trex ate, my reply will be yay or nay20:13
stevemarthat morganfainberg guy....20:14
*** TheIntern has joined #openstack-keystone20:14
henrynashstevemar: tis the promised land for all PTLs20:14
stevemarso thats where dolphm went20:15
*** stevemar has quit IRC20:16
*** jsavak has joined #openstack-keystone20:17
dolphmwas stevemar not at the midcycle?20:17
lhchengodyssey4me: I think KSC is trying to be smart and uses discovery to figure out the keystone endpoint instead of the auth_url passed to it.20:18
lhchengodyssey4me: what's the value of "public_endpoint" in your keystone conf?20:18
odyssey4melhcheng: no value set, so it's the default20:21
*** ankita_wagh has joined #openstack-keystone20:22
odyssey4mehmm, it seems that may be an appropriate setting to use20:22
lhchengodyssey4me: yup20:22
*** henrynash has quit IRC20:23
odyssey4melhcheng yes! that's it :)20:29
*** stevemar has joined #openstack-keystone20:29
*** ChanServ sets mode: +v stevemar20:29
odyssey4mealright, now one more issue to resolve - for some reason the first time I auth it redirects to keystone's service URL instead of back to horizon20:29
odyssey4meif I, through the same session, try again - then it works20:29
lhchengodyssey4me: did you set the port too on the public_endpoint?20:30
odyssey4melhcheng yep, public_endpoint = https://test1.pigeonbrawl.net:5000 works, except that the redirect is wrong on the first auth attempt20:31
marekdstevemar: i am alive!20:32
*** dims__ has quit IRC20:34
morganfainbergLol20:34
*** stevemar has quit IRC20:34
*** flwang has quit IRC20:34
*** lsmola has quit IRC20:35
*** raildo has quit IRC20:35
*** piyanai has quit IRC20:36
lhchengodyssey4me: that might be on keystone side20:37
lhchengodyssey4me: after that, can you login to horizon now?20:38
odyssey4melhcheng yes, I can - and on the second auth I get redirected to the summary page and the project info shows correctly20:38
odyssey4methank you so much :)20:39
htrutahenrynash, morganfainberg: are you documenting any decisions of the midcycle?20:40
htrutais there an etherpad?20:40
*** stevemar has joined #openstack-keystone20:42
*** ChanServ sets mode: +v stevemar20:42
*** mylu has quit IRC20:42
*** mylu has joined #openstack-keystone20:42
*** e0ne has quit IRC20:43
*** piyanai has joined #openstack-keystone20:44
*** stevemar has quit IRC20:46
*** piyanai has quit IRC20:46
*** gordc has quit IRC20:47
*** piyanai has joined #openstack-keystone20:48
*** piyanai has quit IRC20:51
lhchengodyssey4me: \o/20:51
lhchengodyssey4me: glad it finally worked!20:52
lhchengI wonder if there some config issue on the callback of the IdP20:52
odyssey4memarekd thanks to lhcheng we've come to the bottom of keystone's behaviour - I was missing the public_endpoint setting to inform keystone that it should advertise itself at the https endpoint :)20:52
odyssey4memarekd do you perhaps have a similar reference config for keystone's apache setup for shibboleth? I'm still getting inconsistent redirects when successfully authing to the idp20:53
*** stevemar has joined #openstack-keystone20:53
*** ChanServ sets mode: +v stevemar20:53
odyssey4melhcheng the idp gets its info from the SP's metadata, and also uses referer info from the SP as I understand it20:53
*** pnavarro has joined #openstack-keystone20:54
lhchengodyssey4me: marekd just left, heading to the airport20:55
*** janonymous_ has quit IRC20:55
odyssey4me:/20:56
odyssey4meanyone else around that knows the mod_shib config well?20:57
*** mylu has quit IRC20:57
*** stevemar has quit IRC20:57
*** pnavarro has quit IRC20:58
*** edmondsw has joined #openstack-keystone20:59
*** stevemar has joined #openstack-keystone20:59
*** ChanServ sets mode: +v stevemar20:59
*** dims_ has joined #openstack-keystone21:00
*** geoffarnold has joined #openstack-keystone21:00
*** btully has joined #openstack-keystone21:01
*** stevemar has quit IRC21:04
*** btully has quit IRC21:05
*** jsavak has quit IRC21:05
*** jsavak has joined #openstack-keystone21:06
*** btully has joined #openstack-keystone21:07
*** pnavarro has joined #openstack-keystone21:08
lhchengodyssey4me: most of the folks are in transit now21:09
lhchengodyssey4me: need to wait til monday21:10
odyssey4melhcheng well, it can wait until next week then :)21:10
odyssey4methank you so much, and to marekd as well :)21:10
lhchengodyssey4me: you're welcome21:10
lhcheng:)21:10
*** jecarey has quit IRC21:12
*** htruta has quit IRC21:12
*** htruta has joined #openstack-keystone21:12
*** jsavak has quit IRC21:12
*** dguerri is now known as dguerri`21:12
*** ayoung has quit IRC21:16
*** roxanaghe has quit IRC21:25
*** geoffarnold has quit IRC21:26
openstackgerritDolph Mathews proposed openstack/keystone: Refactor: clean up TokenAPITests  https://review.openstack.org/20325021:26
*** lhcheng has quit IRC21:27
*** fangzhou has quit IRC21:41
*** fangzhou has joined #openstack-keystone21:45
marekdodyssey4me: told ya it wasn't bug :P21:49
*** spandhe has quit IRC21:50
*** spandhe has joined #openstack-keystone21:50
*** spandhe has quit IRC21:50
*** pnavarro has quit IRC21:51
*** BrAsS_mOnKeY has joined #openstack-keystone21:52
odyssey4memarekd :) glad that it wasn't and I learned a few gotchas on the way which have been valuable lessons learned21:54
odyssey4meI should be able to try the fernet/federation/scoped keystone patch on Monday/Tuesday21:54
*** c_soukup has quit IRC21:58
marekdodyssey4me: thanks, i will try that too, once i get my office22:01
openstackgerritMarek Denis proposed openstack/keystone: Adds a base class for functional tests  https://review.openstack.org/20314222:03
openstackgerritMarek Denis proposed openstack/keystone: Federation Identity Provider functional tests  https://review.openstack.org/20325822:03
*** piyanai has joined #openstack-keystone22:04
*** stevemar has joined #openstack-keystone22:04
*** ChanServ sets mode: +v stevemar22:04
*** hrou has quit IRC22:07
*** stevemar has quit IRC22:13
*** stevemar has joined #openstack-keystone22:15
*** ChanServ sets mode: +v stevemar22:15
*** fangzhou has quit IRC22:15
*** fangzhou has joined #openstack-keystone22:16
stevemarmarekd: ping22:18
*** zzzeek has quit IRC22:18
openstackgerritSteve Martinelli proposed openstack/keystone: Create a version package  https://review.openstack.org/20326222:19
marekdstevemar: i am here.22:19
marekdwhat's up?22:19
stevemarmarekd: \o/22:20
stevemaryou are alive!22:20
stevemarget through security?22:20
marekdnope, have some food i want to eat22:20
marekdso i am going to wait a little.22:20
marekdfood like our hackathon yogurt :P22:20
*** zzzeek has joined #openstack-keystone22:21
*** fangzhou has quit IRC22:21
*** stevemar_ has joined #openstack-keystone22:22
*** ChanServ sets mode: +v stevemar_22:22
*** stevemar_ has quit IRC22:22
*** stevemar_ has joined #openstack-keystone22:23
*** ChanServ sets mode: +v stevemar_22:23
stevemar_marekd: garbage wifi in the airport22:23
marekdstevemar_: don't tell me...22:23
stevemar_marekd: i'm sure you're aware of it22:24
stevemar_marekd: https://review.openstack.org/#/c/203262/22:24
*** stevemar has quit IRC22:24
marekdstevemar_: always on watch :-)22:25
marekdi meant You :P22:25
stevemar_marekd: i didnt code enough @ BU22:26
stevemar_gotta make up for it at the airport22:26
*** piyanai has quit IRC22:26
marekdstevemar_: oh, shut up, you are all good.22:27
stevemar_marekd: <322:27
*** flwang has joined #openstack-keystone22:27
*** edmondsw has quit IRC22:28
marekdso this change moves all the files that deal with /v2.0 and /v3 to separate directory, right?22:29
marekdstevemar_: ^^22:29
bretonlooks like it22:29
*** ankita_w_ has joined #openstack-keystone22:30
*** ankita___ has joined #openstack-keystone22:31
*** ankit____ has joined #openstack-keystone22:32
*** ankita___ has quit IRC22:32
stevemar_marekd:  yes sir!22:34
*** ankita_wagh has quit IRC22:34
stevemar_theres a lot of files just hanging out in the top level dir for some reason22:34
breton-1 :)22:34
*** ankita_w_ has quit IRC22:35
stevemar_breton: thanks for the migration squash :)22:35
bretonnp22:35
stevemar_its on my list of things to review22:36
*** henrynash has joined #openstack-keystone22:38
*** ChanServ sets mode: +v henrynash22:38
*** mgarza_ has quit IRC22:49
*** fangzhou has joined #openstack-keystone22:51
*** mylu has joined #openstack-keystone22:54
*** stevemar_ has quit IRC22:56
*** flwang has quit IRC22:59
*** ankita_wagh has joined #openstack-keystone23:00
marekdstevemar is gone.23:01
marekd?23:01
*** ankit____ has quit IRC23:03
*** hrou has joined #openstack-keystone23:05
*** ankita_w_ has joined #openstack-keystone23:10
*** mylu has quit IRC23:11
*** btully has quit IRC23:11
*** fangzhou has quit IRC23:12
*** stevemar has joined #openstack-keystone23:12
*** ChanServ sets mode: +v stevemar23:12
*** ankita_wagh has quit IRC23:13
*** fangzhou has joined #openstack-keystone23:16
*** flwang has joined #openstack-keystone23:17
marekdi am about to go offline, the connection is too shabby23:30
openstackgerritSteve Martinelli proposed openstack/keystone: Create a version package  https://review.openstack.org/20326223:40
openstackgerritSteve Martinelli proposed openstack/keystone: Move cli.py into keystone.cmd  https://review.openstack.org/20322423:46
openstackgerritSteve Martinelli proposed openstack/keystone: Create a version package  https://review.openstack.org/20326223:47
*** ankita_w_ has quit IRC23:50
*** henrynash has quit IRC23:53
*** stevemar_ has joined #openstack-keystone23:58
*** ChanServ sets mode: +v stevemar_23:58
*** tqtran has quit IRC23:59
