Wednesday, 2016-04-20

[00:00] <lbragstad> rodrigods I have a question about the jsonschema related to the bug that you brought up in today's meeting
[00:00] <dstanek> i need to spend some time looking at all of the oslo.db changes we've made
[00:02] <shaleh> morgan: the 100 line code is cute. What it looks like you really ought to do is make Fernet be a new BaseTokenProvider with a no-crypto TokenFormatter. Then the FernetProvider can implement one with the crypto code.
[00:03] <morgan> shaleh: i would just move pack/unpack down
[00:03] <shaleh> morgan: the fact that the UUIDMsgPack has no crypto because you override all of the pack/unpack which called crypto was easy to miss
[00:03] <morgan> shaleh: and i would keep it isolated in fernet until the other code paths are dropped
[00:03] <dstanek> i need to spend some time looking at all of the oslo.db changes we've made
[00:04] <morgan> shaleh: so the provider would own "pack/unpack" and but the formaters continue to liver where they do
[00:04] <morgan> live*
[00:04] <shaleh> morgan: I agree that a refactoring to one core code path is good
[00:04] <rodrigods> lbragstad, hi
[00:04] <rodrigods> lbragstad, was afk
[00:04] <lbragstad> rodrigods quick question
[00:04] <morgan> shaleh: and once the other things are gone (after deprecation) we can shuffle fernet around a bit to be more generic. but i am trying to avoid 3 shuffles of code
[00:04] <shaleh> morgan: so for Fernet that means cypto would move from the TokenFormatter to the Provider proper?
[00:04] <morgan> yep
[00:05] <lbragstad> rodrigods do you happen to know why we don't use two separate schemas for the federated protocol - https://github.com/openstack/keystone/blob/master/keystone/federation/schema.py#L107-L115 ?
[00:05] <morgan> and and the two diverging classes would be use crypto, or store in DB
[00:05] <morgan> very simple inheritence
[00:05] <morgan> instead of override
[00:05] <shaleh> well, you could make that refactor now. Only fernet would use it. Then you could make your example UUIDMsgPack based on it
[00:05] <rodrigods> lbragstad, good question
[00:05] <rodrigods> have no idea :)
[00:05] <morgan> shaleh: i have a comment in the code to that effect (you might need to refresh), this is a WIP as a proof of what it would take :)
[00:06] <morgan> shaleh: there are a few other things needed such as implementing the db migration, flushing of tokens, etc
[00:06] <shaleh> morgan: yes there is a comment about them moving but not about them being part of a refactor
[00:06] <morgan> the refactor for where pack/unpack/creation_time would go along those.
[00:07] <shaleh> morgan: +1 for planned direction
[00:07] <morgan> :)
[00:07] <morgan> aw craptastic
[00:07] <morgan> comcast is implementing 250GB caps in my area.
[00:07] <morgan> this month alone i'm at 322GB
[00:07] <morgan> *sigh*
[00:07] <shaleh> yuck
[00:07] <shaleh> what is the overage typically?
[00:08] <morgan> i am guessing i'm going to get forced onto "business" account
[00:08] <lbragstad> rodrigods you're proposing the we require mapping on protocol creation right?
[00:08] <morgan> shaleh: my overage, i'm guessing 250-300GB /mo
[00:08] *** mylu has quit IRC
[00:08] <shaleh> morgan: no, is it locked? fee?
[00:08] <morgan> over the "not-enforced" cap
[00:08] <morgan> oh iirc its warn you twice and then shut off your internet
[00:08] <morgan> i'd have to check
[00:08] <morgan> but in general..
[00:08] <morgan> it doesn't matter which, it sucks.
[00:09] <shaleh> agreed
[00:09] <shaleh> that is only 8gb a day
[00:09] <morgan> maybe i do need to reach out to my landlord and make sure she's ok if i have the fiber run.
[00:09] <shaleh> easy to reach with some streaming, some dvd downloads, etc.
[00:10] *** mylu has joined #openstack-keystone
[00:10] <openstackgerrit> David Stanek proposed openstack/keystone: Bump the required tox version to 2.3.1  https://review.openstack.org/308086
[00:11] <shaleh> dstanek: what does the new tox version give us?
[00:11] <rodrigods> lbragstad, a valid mapping -> existing mapping
[00:11] <lbragstad> rodrigods wouldn't we be able to do something like this - http://cdn.pasteraw.com/3wb778rcxx89yl2nyl908rcuqw7x7gm
[00:12] <lbragstad> oh...
[00:12] <dstanek> shaleh: relief from some of the common issues people have when starting development. also newest tox and pip (not sure which one as the cause) fixes bug 1572202
[00:12] <openstack> bug 1572202 in OpenStack Identity (keystone) "testresources needs to be explicitly required for tests" [Undecided,In progress] https://launchpad.net/bugs/1572202 - Assigned to David Stanek (dstanek)
[00:12] <lbragstad> rodrigods so - technically ^ that would still be required but you want to make it so the federation manager checks that the mapping that was passed into the protocol is in-fact a valid mapping
[00:12] <rodrigods> lbragstad, exactly
[00:12] <lbragstad> s/valid mapping/valid mapping id/
[00:13] <rodrigods> otherwise, it will fail upon authentication
[00:13] <rodrigods> "mapping not found"
[00:13] <lbragstad> rodrigods ah ha - ok that makes sense
[00:13] <rodrigods> lbragstad, seems to break the API :(
[00:13] *** josecastroleon has quit IRC
[00:14] *** timonwong has joined #openstack-keystone
[00:14] <rodrigods> but i really think that the correct way of handling is checking if the mapping exists, i can't create a domain after i create a project
[00:15] *** browne has quit IRC
[00:15] <lbragstad> rodrigods hmm - we should probably still separate the schema for the protocols though http://cdn.pasteraw.com/3wb778rcxx89yl2nyl908rcuqw7x7gm
[00:15] <lbragstad> to follow convention with the rest of the jsonschema stuff in keystone
[00:15] *** stingaci_ has quit IRC
[00:16] <rodrigods> lbragstad, ++
[00:16] <rodrigods> i agree
[00:16] *** josecastroleon has joined #openstack-keystone
[00:18] <openstackgerrit> Lance Bragstad proposed openstack/keystone: Separate protocol schema  https://review.openstack.org/308088
[00:18] <lbragstad> rodrigods ^
[00:18] <lbragstad> wip
[00:18] <rodrigods> lbragstad, added myself there
[00:19] <rodrigods> let's wait our huge zuul queue
[00:19] *** browne has joined #openstack-keystone
[00:21] *** sdake has quit IRC
[00:25] *** fawadkhaliq has joined #openstack-keystone
[00:25] *** sdake has joined #openstack-keystone
[00:26] *** alex_xu has quit IRC
[00:27] *** alex_xu has joined #openstack-keystone
[00:37] <openstackgerrit> OpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements  https://review.openstack.org/305187
[00:38] *** mylu has quit IRC
[00:38] *** sdake has quit IRC
[00:38] *** sdake has joined #openstack-keystone
[00:44] *** tellesnobrega_af is now known as tellesnobrega
[00:46] *** josecastroleon has quit IRC
[00:46] *** doug-fish has quit IRC
[00:46] *** maestro2 has quit IRC
[00:47] *** alex_xu has quit IRC
[00:48] *** tellesnobrega is now known as tellesnobrega_af
[00:48] *** shaleh has quit IRC
[00:48] *** stingaci has joined #openstack-keystone
[00:49] *** doug-fish has joined #openstack-keystone
[00:49] *** alex_xu has joined #openstack-keystone
[00:50] *** tellesnobrega_af is now known as tellesnobrega
[00:51] *** josecastroleon has joined #openstack-keystone
[00:56] *** fawadkhaliq has quit IRC
[00:57] *** fawadkhaliq has joined #openstack-keystone
[00:59] <lbragstad> mfisch dolphm just timed myself with the newly added slides - 21 minutes
[01:00] <lbragstad> that's more talking than I do in a year
[01:00] <mfisch> lbragstad: 21m just for you?
[01:00] <lbragstad> mfisch yeah
[01:00] <morgan> mfisch: rough to be second billing to lbragstad
[01:01] <morgan> mfisch: :P
[01:01] <mfisch> lbragstad: BTW I'm invited to the RAX VIP tent
[01:01] <mfisch> but now the sales guy wants to meet with me
[01:01] * morgan doesn't get invited to VIP anything (and isn't really too upset about that)
[01:01] <mfisch> no free lunches at these things
[01:02] * morgan plans food and cocktails instead.
[01:02] <mfisch> I should tell the sales guy that if he wants to close the deal we need Lance and Dolph there
[01:02] <morgan> mfisch: and dstanek
[01:02] <lbragstad> mfisch ++
[01:02] <mfisch> is dstanek RAX?
[01:02] <morgan> mfisch: (gotta toss dstanek under the bus)
[01:02] <lbragstad> mfisch yup
[01:02] *** browne has quit IRC
[01:02] <morgan> mfisch: you should also demand claco be there
[01:03] <mfisch> Im going to send him a list of names for mirantis folks I want to meet and see what happens
[01:03] <morgan> LOL
[01:03] <lbragstad> haha
[01:04] <mfisch> "Hey Nate can we outsource only keystone to Lance?"
[01:04] <mfisch> I knew I'd met this guy before he was at Canonical!
[01:04] <mfisch> he's a nice guy
[01:05] <lbragstad> oh - I know him
[01:05] <lbragstad> yeah - he's nice
[01:06] <morgan> mfisch: you should also include random folks you want to meet from cisco
[01:06] <morgan> mfisch: in that list
[01:06] <mfisch> I have a guy at Cisco who'd do that for me
[01:06] <mfisch> he probably bought a boat after we stood up openstack
[01:07] *** dave-mccowan has joined #openstack-keystone
[01:09] <bigjools> hey folks, is there any protection against someone doing a user list against a domain configured with the LDAP id provider?
[01:09] *** tellesnobrega is now known as tellesnobrega_af
[01:09] *** ayoung has joined #openstack-keystone
[01:09] *** ChanServ sets mode: +v ayoung
[01:10] <morgan> bigjools: was talking with cburgess about this earlier, -- i think the best bet is a filter for a specific group you add people to (not the entire DN) - and/or issue a 403 on "user-list"
[01:10] <bigjools> Ah Chet beat me to it
[01:10] <morgan> bigjools: ;)
[01:11] <bigjools> :)
[01:11] <bigjools> if only he'd spilled the beans...!
[01:11] <morgan> bigjools: i'm still of the opinion user-list (list every single user?! are you nutty?!) is kindof an insane query to make regardless of the backend
[01:12] <bigjools> I agree 100%
[01:12] <morgan> bigjools: 403! use policy.json to prevent it!
[01:12] <bigjools> apparently Horizon needs user lists somewhere?
[01:12] <morgan> ;)
[01:12] <bigjools> yeah
[01:12] * morgan looks around and whispers "fix horizon" :P
[01:12] <morgan> to not do that.
[01:12] <bigjools> I also agree 100% with that :)
[01:13] <morgan> bigjools: we are in the process of rewriting the ldap driver in pure python (using ldap3 lib instead of python-ldap)
[01:13] <bigjools> oh nice
[01:13] <bigjools> I might try to connect someone here with you then because he's making some changes on our old driver
[01:13] <morgan> bigjools: roxanaghe and knikolla are leading that charge - so going to connect cburgess with them as well so it's possible to get things like better filtering support in for bad apis like user-list
[01:14] <bigjools> perfect
[01:14] <dstanek> morgan: keep me out of this
[01:14] <morgan> both rodrigods and knikolla are fantasti!
[01:14] <morgan> fantastic*
[01:14] <morgan> and doing a good job on ldap3 things.
[01:15] <morgan> dstanek: but you're RAX, here let me find a bus... ;) i hear it stretches out ones back to be tossed under the wheels for sales things with mfisch ;)
[01:16] <dstanek> mfisch: just walk in and say "i'm looking to buy a cloud, what colors do you have in stock?"
[01:16] <bigjools> snork :)
[01:16] <lbragstad> "I would like one with extra fluff, please"
[01:17] <lbragstad> "I would also like to make sure it fits in a carry-on"
[01:17] <morgan> "I am looking to buy a cloud, and ship it to SoCal, I hear they need the rain"
[01:17] <dstanek> and make sure you get a name brand. generics always taste like they are missing sugar.
[01:18] <morgan> oh so dstanek don't buy a macbook 12 and try and put linux on it.
[01:18] <morgan> dstanek: kernel can't work with the trackpad or keyboard
[01:18] <lbragstad> dstanek looked at those x1 gen 4s... they're spendy
[01:18] <morgan> dstanek: no SPI device support even in 4.6
[01:18] <morgan> lbragstad: dude my x1c gen 4 will be arriving while i'm at the summit (to PDX) =/
[01:19] <dstanek> morgan: planning on putting some flavor of linux on it?
[01:19] <morgan> dstanek: tumbleweed or 16.04 on the x1c
[01:20] <morgan> dstanek: i'd have it now except i was "smart" and ordered the NVMe drive
[01:20] <morgan> =/
[01:20] <dstanek> morgan: cool. if it works ok for you i'll go ahead and pick one up for myself
[01:20] <morgan> I *HAVE* a spare NVMe drive at home.
[01:20] <morgan> dstanek: the 3rd gen worked perfectly before
[01:20] <morgan> and i have it on good authority the 4th gen works very well
[01:21] <dstanek> morgan: yeah, that's what i understand. i wanted to make sure it's the same for the 4th
[01:21] <dstanek> the last think i was it a brick while i wait for a driver update
[01:21] *** josecastroleon has quit IRC
[01:22] <morgan> i am going to put a Samsung 950 pro in it
[01:22] <morgan> and see which benchmarks better
[01:22] <morgan> my guess is the 950 will
[01:22] <morgan> but then again, it *might* be a 950 in there already
[01:25] *** dan_nguyen has quit IRC
[01:25] <openstackgerrit> Tin Lam proposed openstack/python-keystoneclient: Updated example in README  https://review.openstack.org/308103
[01:26] *** EinstCrazy has joined #openstack-keystone
[01:33] *** tellesnobrega_af is now known as tellesnobrega
[01:34] *** lhcheng has quit IRC
[01:35] *** mylu has joined #openstack-keystone
[01:36] *** rderose has quit IRC
[01:36] *** stingaci has quit IRC
[01:51] *** josecastroleon has joined #openstack-keystone
[01:55] *** mylu has quit IRC
[01:58] *** mylu has joined #openstack-keystone
[02:00] *** EinstCra_ has joined #openstack-keystone
[02:01] <openstackgerrit> Merged openstack/keystone: Remove support for generating ssl certs  https://review.openstack.org/306795
[02:01] <openstackgerrit> Merged openstack/keystone: update deprecation warning for falling back to default domain  https://review.openstack.org/294822
[02:02] <openstackgerrit> Merged openstack/keystone: add missing deprecation reason for eventlet option  https://review.openstack.org/307814
[02:03] *** EinstCrazy has quit IRC
[02:04] <openstackgerrit> OpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements  https://review.openstack.org/305187
[02:11] <morgan> stevemar: do you want to fix the proposal bot again?
[02:11] <morgan> stevemar: so we can push that through? or let it sit for a bit?
[02:12] <openstackgerrit> OpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file  https://review.openstack.org/308111
[02:13] <dstanek> morgan: i didnt' realize that it could get broken
[02:14] <morgan> dstanek: the extras is broken
[02:14] <morgan> dstanek: it strips them off the test-requirements.txt
[02:14] <morgan> so every proposal to keystone is broken.
[02:14] <morgan> jamielennox is/was working on a fix
[02:14] <openstackgerrit> OpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file  https://review.openstack.org/308111
[02:15] <dstanek> morgan: ah, i see what you mean
[02:16] <openstackgerrit> OpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file  https://review.openstack.org/308111
[02:20] *** josecastroleon has quit IRC
[02:20] *** sdake_ has joined #openstack-keystone
[02:23] *** browne has joined #openstack-keystone
[02:23] *** sdake has quit IRC
[02:24] <openstackgerrit> Ryosuke Mizuno proposed openstack/keystone: Add migration to make service type unique  https://review.openstack.org/307593
[02:27] *** gyee has quit IRC
[02:29] <openstackgerrit> Ryosuke Mizuno proposed openstack/keystone: Add migration to make service type unique  https://review.openstack.org/307593
[02:31] *** dave-mcc_ has joined #openstack-keystone
[02:32] *** dave-mccowan has quit IRC
[02:36] *** sdake_ has quit IRC
[02:43] *** KarthikB has joined #openstack-keystone
[02:44] *** sekrit is now known as CIA
[02:44] *** KarthikB_ has joined #openstack-keystone
[02:47] *** dave-mcc_ has quit IRC
[02:47] *** KarthikB has quit IRC
[02:48] *** sdake has joined #openstack-keystone
[02:50] *** richm has quit IRC
[02:53] *** fawadkhaliq has quit IRC
[02:54] <mfisch> lbragstad: dolphm: my intro is 1.5m later section 12.5m
[02:54] <mfisch> thats 35m without dolph :(
[02:55] *** KarthikB_ has quit IRC
[02:55] *** KarthikB has joined #openstack-keystone
[02:56] <stevemar> morgan: i think jamie's fix is merging/gating, wait for that to get fixed i guess
[03:02] *** lhcheng has joined #openstack-keystone
[03:02] *** ChanServ sets mode: +v lhcheng
[03:09] *** KarthikB has quit IRC
[03:21] *** links has joined #openstack-keystone
[03:38] *** mylu has quit IRC
[03:40] *** ayoung has quit IRC
[03:59] *** mylu has joined #openstack-keystone
[04:00] *** mylu has quit IRC
[04:01] *** doug-fish has quit IRC
[04:03] *** stingaci has joined #openstack-keystone
[04:11] *** ekarlso has quit IRC
[04:11] *** andreaf has quit IRC
[04:14] *** mylu has joined #openstack-keystone
[04:18] *** stingaci has quit IRC
[04:21] *** andreaf has joined #openstack-keystone
[04:21] <openstackgerrit> Merged openstack/keystoneauth: Fix H405, D105, D200, and D203 PEP257  https://review.openstack.org/308016
[04:25] *** ekarlso has joined #openstack-keystone
[04:28] *** timonwong has quit IRC
[04:28] *** fawadkhaliq has joined #openstack-keystone
[04:33] *** timonwong has joined #openstack-keystone
[04:34] *** markvoelker has quit IRC
[04:35] *** markvoelker has joined #openstack-keystone
[04:36] *** sdake has quit IRC
[04:40] *** markvoelker has quit IRC
[04:44] <morgan> stevemar: woo, almost have my home VPN server up and running
[04:44] <stevemar> nice
[04:44] <morgan> stevemar: debating on keeping it running on 443 or if 1194 is "ok" enough
[04:45] <morgan> 1194 is probably "ok"
[04:45] *** maestro1 has joined #openstack-keystone
[04:47] <morgan> stevemar: ... i also *may* have it all running in a docker container ;)
[04:52] *** rderose has joined #openstack-keystone
[04:53] *** rderose has quit IRC
[04:54] *** stingaci has joined #openstack-keystone
[04:57] *** mylu has quit IRC
[04:59] *** dan_nguyen has joined #openstack-keystone
[05:02] *** doug-fish has joined #openstack-keystone
[05:04] *** stingaci has quit IRC
[05:05] *** dan_nguyen has quit IRC
[05:07] *** doug-fish has quit IRC
[05:15] <openstackgerrit> Steve Martinelli proposed openstack/keystone: Updated from global requirements  https://review.openstack.org/305187
[05:17] *** stingaci has joined #openstack-keystone
[05:19] <openstackgerrit> OpenStack Proposal Bot proposed openstack/python-keystoneclient-kerberos: Updated from global requirements  https://review.openstack.org/307772
[05:30] *** Nirupama has joined #openstack-keystone
[05:31] <stevemar> morgan: have an opinion on https://review.openstack.org/#/c/305347/ ?
[05:31] <patchbot> stevemar: patch 305347 - keystone (stable/liberty) - Allow user list without specifying domain
[05:34] <openstackgerrit> Merged openstack/python-keystoneclient-kerberos: Updated from global requirements  https://review.openstack.org/307772
[05:37] *** sdake_ has joined #openstack-keystone
[05:49] *** chip_ has joined #openstack-keystone
[05:52] *** murali has joined #openstack-keystone
[05:52] *** chip_ has quit IRC
[05:53] <murali> Hello
[05:53] <murali> Can anyone be able to check this
[05:53] <murali> https://ask.openstack.org/en/question/91260/keystone-authentication-error-in-devstack/
[05:53] *** chip_ has joined #openstack-keystone
[06:01] *** stingaci has quit IRC
[06:02] *** stingaci has joined #openstack-keystone
[06:11] <lhcheng> murali: are you logging in as new user?
[06:11] <lhcheng> murali: maybe the new user doesn't have any roles assigned to any projects
[06:12] <murali> No its preexisting user only
[06:12] <murali> I can be able do openrc and get some other cli-clients working
[06:12] <murali> but keystone is not working
[06:13] *** ericksonsantos has quit IRC
[06:14] *** maestro2 has joined #openstack-keystone
[06:14] *** clenimar has quit IRC
[06:14] *** maestro1 has quit IRC
[06:14] * stevemar waves at lhcheng :)
[06:15] <stevemar> gnite!
[06:15] * lhcheng waves back at stevemar
[06:15] * lhcheng is still alive
[06:15] <lhcheng> lol
[06:15] <lhcheng> gnite!
[06:16] *** chip_ has quit IRC
[06:19] <lhcheng> murali: are you using keystone v2 or v3 on cli-clients?
[06:21] *** rcernin has joined #openstack-keystone
[06:25] *** raildo is now known as raildo-afk
[06:27] <lhcheng> murali: does your devstack have the latest code from master?
[06:27] <murali> I am using liberty version
[06:27] <murali> It was working fine before
[06:27] <murali> http://paste.openstack.org/show/494730/
[06:27] <murali> See above link - I can get user details
[06:28] <murali> But it gives error for tenant-list
[06:28] <lhcheng> what's the error?
[06:29] <lhcheng> horizon internally calls the list tenants, so that might be the same root cause
[06:29] <murali> An unexpected error prevented the server from fulfilling your request: Expecting ',' delimiter: line 1 column 20 (char 19) (Disable debug mode to suppress these details.) (HTTP 500) (Request-ID: req-188a46e5-5463-4ca8-9485-e50c1e90ce25)
[06:29] <murali> This is the error
[06:30] <bigjools> morgan: policy block on list_users breaks anything that wants to use find() :(
[06:31] <murali> Ohh
[06:32] <lhcheng> murali: the error looks bad, has the data in db been updated manually?
[06:32] <murali> No not at all
[06:32] <lhcheng> murali: you found the problem? :)
[06:35] <lhcheng> murali: from the log file, looks like it failed while trying to a query on projects
[06:35] <murali> Ok I will check Db once again
[06:36] <murali> Thanks for your time everyone
[06:37] *** zqfan has joined #openstack-keystone
[06:37] <lhcheng> murali: I am guessing maybe the "extra" field have some invalid json blob.
[06:38] <murali> Ok will check it
[06:38] *** e0ne has joined #openstack-keystone
[06:39] <murali> Yup right
[06:40] <murali> there is invalid blob data
[06:40] <murali> Now its fine
[06:40] <murali> Thanks everyone
[06:40] *** murali has quit IRC
[06:43] *** e0ne has quit IRC
[06:44] *** e0ne has joined #openstack-keystone
[06:45] *** e0ne_ has joined #openstack-keystone
[06:47] *** sheel has joined #openstack-keystone
[06:47] *** tesseract has joined #openstack-keystone
[06:48] *** e0ne has quit IRC
[06:48] *** tesseract is now known as Guest67082
[06:50] *** lhcheng has quit IRC
[06:50] *** e0ne_ has quit IRC
[06:57] *** jaosorior has joined #openstack-keystone
[07:00] *** permalac has joined #openstack-keystone
[07:15] *** chmouel has joined #openstack-keystone
[07:22] *** jlvillal has quit IRC
[07:22] *** jlvillal has joined #openstack-keystone
[07:23] *** kevinbenton has quit IRC
[07:26] *** kevinbenton has joined #openstack-keystone
[07:28] *** fhubik has joined #openstack-keystone
[07:29] *** henrynash has quit IRC
[07:35] <openstackgerrit> Merged openstack/keystone: Updated from global requirements  https://review.openstack.org/305187
[07:38] <openstackgerrit> OpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file  https://review.openstack.org/308111
[07:45] *** fawadkhaliq has quit IRC
[07:45] *** fawadkhaliq has joined #openstack-keystone
[07:54] *** stingaci has quit IRC
[07:55] *** stingaci has joined #openstack-keystone
[07:56] *** browne has quit IRC
[07:57] *** pece has joined #openstack-keystone
[08:00] *** zzzeek has quit IRC
[08:00] *** stingaci has quit IRC
[08:02] *** fawadkhaliq has quit IRC
[08:03] *** jdennis has quit IRC
[08:03] *** jdennis has joined #openstack-keystone
[08:04] *** zzzeek has joined #openstack-keystone
[08:05] *** maestro2 has quit IRC
[08:10] <openstackgerrit> Davanum Srinivas (dims) proposed openstack/keystone: [WIP] Testing latest u-c  https://review.openstack.org/306848
[08:18] *** jistr has joined #openstack-keystone
[08:20] *** fhubik has quit IRC
[08:21] *** pece has quit IRC
[08:21] <openstackgerrit> Merged openstack/python-keystoneclient: Updated example in README  https://review.openstack.org/308103
[08:22] <openstackgerrit> Merged openstack/keystone: Use messaging notifications transport instead of default  https://review.openstack.org/301193
[08:24] *** maestro1 has joined #openstack-keystone
[08:26] <openstackgerrit> OpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file  https://review.openstack.org/308111
[08:34] *** rdo_ has quit IRC
[08:36] *** rdo has joined #openstack-keystone
[08:38] *** mhickey has joined #openstack-keystone
[08:59] *** david-lyle has quit IRC
[09:00] *** david-lyle has joined #openstack-keystone
[09:08] *** henrynash has joined #openstack-keystone
[09:08] *** ChanServ sets mode: +v henrynash
[09:35] <openstackgerrit> OpenStack Proposal Bot proposed openstack/keystoneauth: Updated from global requirements  https://review.openstack.org/308227
[10:10] <openstackgerrit> Davanum Srinivas (dims) proposed openstack/keystone: [WIP] Testing latest u-c  https://review.openstack.org/306848
[10:13] *** EinstCra_ has quit IRC
[10:26] *** doug-fish has joined #openstack-keystone
[10:31] *** doug-fish has quit IRC
[10:32] <breton> morning, keystone
[10:39] *** maestro1 has quit IRC
[10:52] *** jaosorior has quit IRC
[10:53] *** jaosorior has joined #openstack-keystone
[10:54] *** tellesnobrega is now known as tellesnobrega_af
[10:55] *** chaitu has joined #openstack-keystone
[10:58] <openstackgerrit> Rodrigo Duarte proposed openstack/keystone: Add identity providers integration tests  https://review.openstack.org/302299
[10:58] <openstackgerrit> Rodrigo Duarte proposed openstack/keystone: Add protocols integration tests  https://review.openstack.org/307508
[10:58] <openstackgerrit> Rodrigo Duarte proposed openstack/keystone: Add mapping rules integration tests  https://review.openstack.org/305444
[10:58] <openstackgerrit> Rodrigo Duarte proposed openstack/keystone: Add service providers integration tests  https://review.openstack.org/303502
[10:59] *** LZ has joined #openstack-keystone
[11:06] <rodrigods> bknudson, ping... the functional tests job is failing because we don't have any
[11:06] <chaitu> I'm following this blog "http://blog.rodrigods.com/it-is-time-to-play-with-keystone-to-keystone-federation-in-kilo"
[11:06] <chaitu> We configured both IdP and SP.  We are trying to "Get a unscoped token from the SP using a SAML assertion generated by the Keystone IdP"
[11:06] <chaitu> We are getting an error after running python script . Here is the script here http://paste.openstack.org/show/494766/
[11:06] <chaitu> This is the issue we are facing "http://paste.openstack.org/show/494767/"
[11:06] <chaitu> Please help us
[11:06] <rodrigods> bknudson, should we try to add a sample one, or just wait to have a real one?
[11:06] <rodrigods> chaitu, looking
[11:07] *** LZ has quit IRC
[11:08] *** LZ has joined #openstack-keystone
[11:08] <chaitu> shibboleth logs in SP (var/log/shibboleth/sibd.log ) http://paste.openstack.org/show/494769/
[11:08] <rodrigods> chaitu, there is a problem with your mapping
[11:08] <rodrigods> probably you created a protocol using the wrong mapping_id
[11:10] <chaitu> rodrigods, This is my mapping file http://paste.openstack.org/show/494770/
[11:11] *** doug-fish has joined #openstack-keystone
[11:11] <rodrigods> chaitu, your mapping_id is incorrect, seems that you don't have created a mapping with ID "idp_1_mapping"
[11:11] <rodrigods> you can create it right now
[11:12] <rodrigods> using the rules you just passed
[11:14] <chaitu> This is my mapping list http://paste.openstack.org/show/494771/
[11:15] <rodrigods> chaitu, and your protocol list?
[11:17] *** samueldmq has joined #openstack-keystone
[11:17] *** ChanServ sets mode: +v samueldmq
[11:18] <chaitu> rodrigods: here is protocol list http://paste.openstack.org/show/494772/
[11:19] <samueldmq> keystoners: good morning!
[11:20] <chaitu> rodrigods: This is how we created mapping http://paste.openstack.org/show/494774/
[11:20] <rodrigods> chaitu, hmm looks that you don't have a group with ID "federated", can you list the groups
[11:22] *** josecastroleon has joined #openstack-keystone
[11:22] <chaitu> rodrigods: Here is the gropu list http://paste.openstack.org/show/494775/
[11:22] <chaitu> rodrigods: group**
[11:23] <rodrigods> chaitu, so you need to provide the domain_id in the mapping
[11:23] <rodrigods> like:
[11:23] <rodrigods> http://paste.openstack.org/show/494777/
[11:25] <rodrigods> chaitu, not like that... because "federated" is the name
[11:25] *** trown|outtypewww is now known as trown
[11:26] <rodrigods> chaitu, http://paste.openstack.org/show/494778/ or http://paste.openstack.org/show/494779/
[11:26] *** gordc has joined #openstack-keystone
[11:32] *** TxGVNN has joined #openstack-keystone
[11:35] <chaitu> rodrigods: Is that fine with this http://paste.openstack.org/show/494780/
[11:36] <chaitu> rodrigods: I used above mapping rule I got this error http://paste.openstack.org/show/494781/
[11:38] <rodrigods> chaitu, probably you already have a user with the same name you are trying to mapping
[11:39] <rodrigods> chaitu, do a test, create a user to be your mapped user - like "mapped_user", and change your mapping to:
[11:39] <rodrigods> http://paste.openstack.org/show/494782/
[11:40] *** gordc has quit IRC
[11:41] *** gordc has joined #openstack-keystone
[11:47] <chaitu> rodrigods: This is how i created mapping http://paste.openstack.org/show/494783/
[11:49] <chaitu> rodrigods: here is my error when i used that mapping http://paste.openstack.org/show/494785/
[11:50] *** daemontool has joined #openstack-keystone
[11:55] <rodrigods> chaitu, add mapped_user to federated group and add the entry in the local part of the mapping
[11:55] <rodrigods> chaitu, http://paste.openstack.org/show/494786/
[11:56] *** stacker has joined #openstack-keystone
[12:00] <chaitu> rodrigods: This works for us........ Thanks a lot
[12:02] <rodrigods> chaitu, glad to help, sorry for the bunch of tentative - i just woke up
[12:10] *** raildo-afk is now known as raildo
[12:14] <chaitu> rodrigods: Oh I see ...It's ok
[12:14] <breton> guys
[12:14] <breton> could you please run `tox -e py27 keystone.tests.unit.test_cli.CliNoConfigTestCase.test_cli` locally on your computer?
[12:15] <rodrigods> breton, running
[12:15] <breton> with the latest master
[12:17] *** csoukup has joined #openstack-keystone
[12:18] <breton> tests from change I276c671a0da78e3d1d2aa7336e55f65be41d8cca don't pass
[12:18] *** markvoelker has joined #openstack-keystone
[12:19] <chaitu> rodrigods: I tried list the federated project list using this script http://paste.openstack.org/show/494791/
[12:20] <chaitu> rodrigods: I got an error http://paste.openstack.org/show/494790/
[12:22] <rodrigods> breton, i've run locally in a devstack, locally it worked in the devstack it didn't
[12:22] <rodrigods> and in a devstack*
[12:30] *** samueldmq has quit IRC
[12:32] *** samueldmq has joined #openstack-keystone
[12:32] *** ChanServ sets mode: +v samueldmq
[12:37] *** iurygregory has joined #openstack-keystone
[12:46] *** links has quit IRC
[12:46] *** dave-mccowan has joined #openstack-keystone
[12:52] *** tellesnobrega_af is now known as tellesnobrega
[12:59] *** pauloewerton has joined #openstack-keystone
[13:00] *** trown is now known as trown|brb
[13:00] * breton shrugs
[13:02] *** aimeeU has joined #openstack-keystone
[13:03] *** bj0rnar has joined #openstack-keystone
[13:03] <openstackgerrit> Ron De Rose proposed openstack/keystone: Move the assignment abstract base class out of core  https://review.openstack.org/299635
[13:03] <openstackgerrit> Ron De Rose proposed openstack/keystone: WIP - Move the assignment abstract base class out of core  https://review.openstack.org/299635
[13:04] <bj0rnar> When using keystonemiddleware and keystone_authtoken, how can I force services to use internal endpoint or auth_url .. they seem to be picking up public endpoint atm
[13:11] *** csoukup has quit IRC
[13:15] *** richm has joined #openstack-keystone
[13:16] *** timonwong_ has joined #openstack-keystone
[13:17] *** pnavarro has joined #openstack-keystone
[13:17] *** agireud has quit IRC
[13:17] *** dansmith has quit IRC
[13:19] *** trown|brb is now known as trown
[13:19] *** timonwong has quit IRC
[13:20] *** dansmith has joined #openstack-keystone
[13:20] *** dansmith is now known as Guest64767
samueldmqstevemar: could you re approve patch 307409?13:20
patchbotsamueldmq: https://review.openstack.org/#/c/307409/ - keystone - Remove comments mentioning eventlet13:20
*** agireud has joined #openstack-keystone13:21
bknudsonrodrigods: the functional test is a non-voting job, so not a big deal. It should work on a review to add functional tests.13:22
rodrigodsbknudson, cool13:22
bknudsonfor some reason I thought we had added some functional tests already13:23
*** maestro1 has joined #openstack-keystone13:23
rodrigodsbknudson, not yet... the first ones are https://review.openstack.org/#/c/30229913:24
bknudsonrodrigods: that one's failing the functional test job, too.13:25
rodrigodsbknudson, yeah... fixing it right now13:25
rodrigodsactually, i've already fixed, now i'm rebasing everything13:25
dstanekrodrigods: well, let's get those merged then :-)13:28
rodrigodsdstanek, o/13:28
rodrigodswill submit new patches in a couple of minutes13:28
dstanekrodrigods: is it safe for me to take a pass at that review or do you have changes coming?13:28
dstanekrodrigods: k, let me know13:29
rodrigodsdstanek, ok13:29
dstaneki just added myself to the review, but with the amount of review email i get i'll probably miss it13:29
bknudsondstanek: star it13:29
rodrigodsdstanek, as soon as i submit a new patchset i'll ping you13:29
bknudsonthen have a query to show your starred reviews: https://review.openstack.org/#/q/status:open+is:starred+label:Verified%253D1+-label:Workflow%253D-1+-label:Code-Review%253D2%252Cself,n,z13:30
dstanekbknudson: already did. that's how it gets on my trello board. but that job won't run for another hour or so13:30
rodrigodsbknudson, dstanek, do you use gerrit or other tool for reviewing?13:31
rodrigodslike gerty13:31
bknudsonapprently there's also a flag for "reviewed" that doesn't show up in the gerrit ui anywhere, that might be handy.13:31
dstanekonce it gets there i'll move it to the top13:31
rodrigodsgertty*13:31
bknudsonstill using gerrit. I haven't figured out gertty yet.13:31
dstaneki use gertty sometimes, but mostly gerrit. i organized my work in trello though13:31
bknudsonevery time I use it I'm wondering if it's downloading changes or what it's doing.13:31
rodrigodsgertty is useful for airplanes :P13:31
openstackgerritRodrigo Duarte proposed openstack/keystone: Add identity providers integration tests  https://review.openstack.org/30229913:32
openstackgerritRodrigo Duarte proposed openstack/keystone: Add protocols integration tests  https://review.openstack.org/30750813:32
openstackgerritRodrigo Duarte proposed openstack/keystone: Add mapping rules integration tests  https://review.openstack.org/30544413:32
openstackgerritRodrigo Duarte proposed openstack/keystone: Add service providers integration tests  https://review.openstack.org/30350213:32
rodrigodsbknudson, dstanek ^ done :)13:32
dstanekonly if you know ahead of time :-) i once tried to update an old gertty instance at the airport and i didn't have enough time to download before boarding13:32
dstanekrodrigods: great thanks13:33
dstanekrodrigods: did you have to rename the plugin?13:34
*** Nirupama has quit IRC13:34
rodrigodsdstanek, rename how? to be keystone_tempest_plugin instead of tempest_plugin13:34
rodrigods?13:34
*** tellesnobrega is now known as tellesnobrega_af13:36
dstanekdidn't you say something yesterday about keystone being in the name?13:36
rodrigodsdstanek, yeah... i tried to use just "tempest_plugin"13:36
rodrigodsbut turns out that the "tox -e all-plugin" command matches the folder name13:37
dstanekah, i see so it *needs* to be keystone_tempest_plugin13:37
rodrigodsyeah13:37
*** mou1 has joined #openstack-keystone13:37
rodrigodswe can try to fix that in tempest, but for now it works like that13:37
*** edmondsw has joined #openstack-keystone13:38
*** sc68cal has joined #openstack-keystone13:39
sc68calanyone around to chat about https://bugs.launchpad.net/python-keystoneclient/+bug/1571833 ?13:39
openstackLaunchpad bug 1571833 in python-keystoneclient "Usage example in the README does not work" [Low,Fix released] - Assigned to Tin Lam (tl3438)13:39
sc68calFixing the README is one way to fix, but I think the issue is, what happened that broke such a basic example of using the python-keystoneclient API?13:39
sc68calbecause obviously any apps that did it using the old way in the README obviously were broken by whatever changed13:40
*** samueldmq has quit IRC13:41
bknudsonv3 came out 2 years ago, so docs for v2 client are not a priority13:41
openstackgerritRon De Rose proposed openstack/keystone: Move the assignment abstract base class out of core  https://review.openstack.org/29963513:41
bj0rnarI am seeing a problem that for example glance (keystone middleware) tries to validate tokens against the endpoint it finds in /v3 .. problem is, when using keystone behind a proxy, I need to set public_endpoint ... Is there any fix for this? I mean.. auth_uri is set to public_endpoint and auth_url to internal .. it starts by going correctly to auth_url, but then (because of public_endpoint) continues to my public_endpoint that does not even exist at this stage (runs in openstack itself)13:41
*** samueldmq has joined #openstack-keystone13:41
sc68calbknudson: is v2 API deprecated?13:42
bknudsonmost of the v2 api is deprecated in keystone13:42
sc68calwhat release was the deprecation13:43
bknudsonmitaka13:43
*** samueldmq has quit IRC13:43
sc68calThat doesn't really cut it. Just because you deprecated it, this release, doesn't really absolve the main issue, that at some point in the past the API you give out to app developers was horribly broken13:44
bknudsonok. but given I've got limited time to work on things, given the choice I'm going to work on something else.13:45
dstaneksc68cal: who is saying that we don't have to deal with the bug?13:45
bknudsonluckily it's open source so others can work on it if they want to.13:45
sc68caldstanek: I reported the bug, really I guess I should have been more specific - the issue is that anyone who developed an application, and was directly using the python-keystoneclient API, they got some weird errors like I did13:46
sc68calfixing the README is fine and good, but it doesn't hit the core issue, which is that app developers were broken by some change in python-keystoneclient13:46
mou1Hello. Is anybody familiar with fernet token generation code?13:46
dstaneksc68cal: do you know what is actually happening in your sample?13:48
sc68caldstanek: not really. I just followed the example for creating a keystone client object, then when trying to call any of the methods it just 404's out13:48
sc68calmost likely due to some sort of issue where the old way that was published doesn't auth correctly?13:49
sc68calI provided a username, tenant, auth_url, etc... to the constructor13:49
dstaneksc68cal: if you don't have time to look at it, i can probably look in the next day or two13:49
sc68caldstanek: thanks. I'm not familiar with the internals of keystoneclient13:50
*** ayoung has joined #openstack-keystone13:50
*** ChanServ sets mode: +v ayoung13:50
mrhillsmanmorning13:51
*** links has joined #openstack-keystone13:52
sc68calbknudson: I'd just like to say, yes it is open source, but breaking people in this fashion isn't really a good thing13:53
bknudsonI'm not convinced that we broke anything. The docs have always had problems.13:53
sc68calso then why does creating a keystone client object with the args I used not work?13:54
bknudsonI don't know.13:54
dstaneksc68cal: i don't think anyone is saying that it is or that anything was done on purpose. it's just it's marked as low priority (because it's easy to fix your code to do it the keystoneauth way).13:54
dstaneksc68cal: if we know that this wouldn't still be a bug :-) it would be either marked as invalid or fixed13:55
sc68caldstanek: ack. thanks. I'll be around if there's anything I can help with13:56
openstackgerritRon De Rose proposed openstack/keystone: Move the assignment abstract base class out of core  https://review.openstack.org/29963513:58
*** samueldmq has joined #openstack-keystone13:59
openstackgerrityolanda.robla proposed openstack/keystoneauth: Create custom serializer for keystoneauth and betamax  https://review.openstack.org/30593714:03
*** jaosorior has quit IRC14:09
*** jaosorior has joined #openstack-keystone14:09
*** ametts has joined #openstack-keystone14:11
ayoungsc68cal, you need to learn that when something goes wrong in Keystone to blame it on me.14:13
*** TxGVNN has quit IRC14:13
*** TxGVNN has joined #openstack-keystone14:13
*** sigmavirus24_awa is now known as sigmavirus2414:15
*** jaosorior has quit IRC14:16
*** csoukup has joined #openstack-keystone14:18
*** pnavarro has quit IRC14:20
*** spzala has quit IRC14:22
*** real56 has joined #openstack-keystone14:23
*** spzala has joined #openstack-keystone14:23
*** spzala has quit IRC14:27
sc68calayoung: heh. it's not about blame. This stuff is complex, and there's always little unintended side-effects14:28
*** tellesnobrega_af is now known as tellesnobrega14:29
*** mylu has joined #openstack-keystone14:31
*** pushkaru has joined #openstack-keystone14:31
*** real56 has quit IRC14:32
*** real56 has joined #openstack-keystone14:33
*** slberger has joined #openstack-keystone14:33
*** mou has joined #openstack-keystone14:34
*** mou1 has quit IRC14:34
openstackgerritayoung proposed openstack/keystone-specs: Tokens with subsets of roles  https://review.openstack.org/18697914:35
morganstevemar: ping14:36
morganstevemar: actually.14:36
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements  https://review.openstack.org/30837114:37
*** slberger1 has joined #openstack-keystone14:37
*** slberger has quit IRC14:38
openstackgerritayoung proposed openstack/keystone-specs: Tokens with subsets of roles  https://review.openstack.org/18697914:38
ayoungmorgan, def want to discuss https://review.openstack.org/#/c/186979/  ^^  at the summit.  It should be relatively clear, now that we have implied roles, how to implement without breaking Fernet's size limits.14:39
patchbotayoung: patch 186979 - keystone-specs - Tokens with subsets of roles14:39
morganayoung: sure.14:39
*** jaosorior has joined #openstack-keystone14:40
*** real56 has quit IRC14:40
*** mrhillsman has quit IRC14:41
*** sdake_ has quit IRC14:42
*** roxanagh_ has joined #openstack-keystone14:44
raildoayoung: what do you think on split the fernet token as default provider patch in small patches?14:45
ayoungraildo, oh yeah.14:45
ayoungraildo, want to get it working to see what the scope of it is first14:45
*** sdake_ has joined #openstack-keystone14:45
ayoungwe can, however, chip off pieces that are already identified if we want to drive on with them raildo14:45
raildoayoung: sure, I'm finishing the summit talks and after that I'll start to work on it :)14:46
bknudsonI finally need to learn some ansible.14:50
*** navidp has joined #openstack-keystone14:50
morganbknudson: ansible is awesome14:50
bknudsonno complaints so far... I need to find the modules.14:50
bknudsonI'm reading "Ansible: Up and Running" safari book online.14:51
ayoungbknudson, what are you trying to do?14:51
bknudsonayoung: at this point just learning, I'm going to write a playbook for https://review.openstack.org/#/c/264398/10/doc/source/project-setup/python.rst (and then +2 when it works)14:51
patchbotbknudson: patch 264398 - project-team-guide - Improve docs on setting up development environment14:51
*** roxanagh_ has quit IRC14:51
*** phalmos has joined #openstack-keystone14:52
bknudsoneventually I'm going to deploy a public cloud.14:52
ayoungbknudson, so jamielennox and I spent a good deal of time in Ansible development for a Keystone based proof of concept last summer14:53
ayounghttps://github.com/admiyo/rippowam14:53
ayoungbut we didn't use ansible to do the Openstack calls to set up the cluster.14:53
ayoungThat was due to Ansible 1 not supporting Keystone v3, but Shade does that nicely now.14:53
dolphmanyone have any idea why adding a tox environment to [tox] envlist would cause it to install dependencies differently? the tox documentation doesn't associate any behaviors with envlist beyond which environments are run when you run "tox" itself cc- dstanek14:54
ayoungbknudson, so I'd recommend using ansible in a venv and running with ansible2, not stock ansible 1 which is what most distros have at the moment14:54
bknudsony, I did pip install in a venv.14:54
bknudsonit's ansible 2.0.2.014:55
dstanekdolphm: what is happening exactly? master (keystone) had a recent change that changes the way we install deps14:55
dolphmdstanek: i don't *think* this is related to that, as i'm working on stable/liberty at the moment14:55
ayoungbknudson, cool.  The tripleo-quickstart is a decently organized example of a non-trivial Ansible setup14:56
dstanekdolphm: are you getting the wrong deps?14:56
ayounghttps://github.com/redhat-openstack/tripleo-quickstart14:56
bknudsonayoung: once I learn the basics hopefully this will make sense.14:56
dolphmdstanek: sort of. i'm trying to fix the two broken jobs here: https://review.openstack.org/#/c/307318/14:56
patchbotdolphm: patch 307318 - keystone (stable/liberty) - Keystone jobs should honor upper-constraints.txt14:56
ayoungbknudson, start with running ansible -m setup14:56
ayoungbknudson, actually, start with creating an inventory file for your remote hosts, and then running14:57
ayoungansible -i <your file> <somehost> -m setup14:57
ayoungthat is like, Ansible hello world.14:57
dolphmdstanek: tony breed's comment (anyone know his irc nick?) was helpful to get the releasenotes job working again, but to get cover working, this is my diff: http://cdn.pasteraw.com/7cnwh57rabhhtgr0qbydxmg32h4a28u14:57
ayoungGets the set of things that the remote system knows about14:57
*** henrynash has quit IRC14:58
bknudsondolphm: tonyb14:58
bknudsonayoung: right, I need to figure out the inventory file.14:58
stevemarmorgan: o/14:58
ayoungbknudson, OK...so you have an ip address for the remote host?14:58
morganstevemar: see PM14:59
ayoungbknudson, or even a hostname?14:59
bknudsonoh, hosts is the inventory file!14:59
ayoungyep14:59
ayoungbknudson, simplest one is something like this14:59
ayoung[ipa]14:59
ayoungipa.ayoung.oslab.test14:59
ayoungnow ipa is the host group  with one host in it, with the FQDN ipa.ayoung.oslab.test14:59
*** Guest64767 is now known as dansmith15:00
*** henrynash has joined #openstack-keystone15:00
*** ChanServ sets mode: +v henrynash15:00
ayoungso I have that in15:00
ayoung~/.ossipee/deployments/ayoung.oslab/inventory.ini15:00
*** wxy has quit IRC15:00
ayoungI can do15:00
bknudson`ansible keystone-dev -m setup` -- worked15:00
*** henrynash has quit IRC15:01
dolphmbknudson: (thanks, pinged tonyb in #openstack-dev) cc- dstanek15:01
ayoungwell I could if the host were up...15:01
dstanekdolphm: it looks like you are missing parts of the original patch15:01
dolphmdstanek: right, this is my diff on top of the current patchset in gerrit15:01
bknudsonayoung: now I need to create a directory "workspace"15:02
dolphmdstanek: i can upload the whole thing, but i'd -1 it myself :P15:02
bknudsonas you can see I'm starting with the basics.15:02
dstanekdolphm: did you have to remove the install_command lines for some reason?15:02
dolphmdstanek: i did not remove any15:02
ayoungbknudson, while you can always do a shell command...15:02
bknudsonwe should switch devstack to ansible.15:02
bknudsonayoung: there must be a module for it?? How do I find modules I want?15:03
ayounghttp://docs.ansible.com/ansible/list_of_files_modules.html15:03
dolphmbknudson: but we're still trying to switch it to chef15:03
dstanekdolphm: the original patch has install_command lines for cover and release notes https://review.openstack.org/#/c/306846/4/tox.ini15:03
patchbotdstanek: patch 306846 - keystone - Keystone jobs should honor upper-constraints.txt (MERGED)15:03
dolphmdstanek: the complete change https://review.openstack.org/#/c/307318/15:03
openstackgerritAlexander Makarov proposed openstack/keystone: Closure table for HMT  https://review.openstack.org/28552115:03
patchbotdolphm: patch 307318 - keystone (stable/liberty) - Keystone jobs should honor upper-constraints.txt15:03
stevemarbknudson: the point of devstack was to be more user-friendly / self-documenting - and not pick a specific deployment tool over another15:03
ayoungbknudson, you are then going to call virtualenv on it?15:03
bknudsonstevemar: the problem is it's not self-documenting anymore15:03
dolphmdstanek: erm, i have no idea how i dropped those originally...15:04
bknudsonayoung: I'm going to git clone keystone into it!15:04
ayounggit?15:04
bknudsonthen tox - e py2715:04
dstanekbknudson: make it a submodule of itself and see what happens :-)15:04
ayounghttp://docs.ansible.com/ansible/file_module.html15:05
ayoung- file: path=/etc/some_directory state=directory mode=075515:05
bknudsonayoung: ah, neat15:05
*** BjoernT has joined #openstack-keystone15:05
ayounghttp://docs.ansible.com/ansible/git_module.html15:05
bknudsonayoung: how'd you find that? You've got them all memorized?15:05
* dolphm is just going to start this backport over again15:05
*** gagehugo has joined #openstack-keystone15:05
*** amit213 has quit IRC15:06
ayoungbknudson, so I think google tracks what I query, but really it was just google searches for  "ansible mkdir " and "ansible git"15:06
bknudsonayoung: makes sense. thanks!15:06
ayoungI knew that there were modules for both those, since I've worked with them in the past.  Ansible documentation is pretty good15:07
*** jaugustine has joined #openstack-keystone15:07
ayoungbknudson, so you are going to want to organize this stuff into a playbook15:07
ayoungit's a kind of deep directory structure, looks roughly like this:15:08
ayoungprojectname/playbooks/roles/15:08
ayoungand then under roles you would probably only have one to start, but build up a few over time15:08
ayoungso for rippowam:15:08
*** amit213 has joined #openstack-keystone15:08
ayoungwe did not have a playbooks top level directory, and things got messy.15:09
*** phalmos has quit IRC15:09
ayoungquickstart is a little cleaner15:09
bknudsonok, makes sense.15:10
ayoungbknudson, follow this guide http://docs.ansible.com/ansible/playbooks_best_practices.html15:10
*** mylu has quit IRC15:10
*** mylu has joined #openstack-keystone15:11
*** raddaoui has joined #openstack-keystone15:11
*** phalmos has joined #openstack-keystone15:11
bknudsonsuccess, created a directory.15:12
*** pnavarro has joined #openstack-keystone15:13
ayoungbknudson, sounds like you are rolling.  The ansible command line is rarely used, almost always it is ansible-playbook15:14
*** mylu has quit IRC15:14
bknudsonI assume the goal is you can re-run the ansible playbook and it works if you ran before15:14
ayoungbknudson, yes, and the modules are designed to not redo work if it is in the right state15:15
*** mylu has joined #openstack-keystone15:15
ayoungso if the dir exists, it will not recreate it15:15
rodrigodsdstanek, can you check the reply here: https://review.openstack.org/#/c/302299/9/keystone_tempest_plugin/services/identity/base_clients.py ?15:15
patchbotrodrigods: patch 302299 - keystone - Add identity providers integration tests15:15
rodrigodsdstanek, (thanks for the review, btw)15:15
bknudsony, but if i have to run a command it needs to work (e.g., mkdir -p)15:16
dstanekrodrigods: sure15:16
*** stingaci has joined #openstack-keystone15:17
*** e0ne has joined #openstack-keystone15:18
stevemardolphm: lol @ "Apparently I'm terrible at backporting."15:19
*** gagehugo has quit IRC15:20
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Restructure endpoint policy abstract driver  https://review.openstack.org/30737315:21
openstackgerritayoung proposed openstack/keystone: Make all fixture project_ids into uuids  https://review.openstack.org/30668115:21
*** stingaci has quit IRC15:21
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Create unit tests for endpoint policy drivers  https://review.openstack.org/21200615:21
*** mylu_ has joined #openstack-keystone15:22
openstackgerritCristian Sava proposed openstack/keystone: Customize config file location when run as wsgi app.  https://review.openstack.org/28821615:22
morganstevemar: ooooh15:23
*** mylu has quit IRC15:23
stevemarmorgan: approved ^15:24
morganstevemar: NICE15:24
ayoungrodrigods, can't generate the uuids inline for the Proj_id patch15:25
morganstevemar: is that something we want to try and backport - it seems like a viable mitaka backport (border bug vs feature, but tending bug-ish)15:25
rodrigodsayoung, the perf issue?15:25
ayoungsince they are global vars, each time the python module is imported, the import will regen15:25
ayoungtwo different imports will have two different values15:25
rodrigodsyeah15:25
*** spzala has joined #openstack-keystone15:25
rodrigodsgot it15:25
ayoungpossibly not a problem now, but might be in the future...15:25
ayounggoing to roll back the change15:25
*** gagehugo has joined #openstack-keystone15:26
openstackgerritayoung proposed openstack/keystone: Make all fixture project_ids into uuids  https://review.openstack.org/30668115:26
openstackgerritMerged openstack/keystone: Updating sample configuration file  https://review.openstack.org/30811115:28
*** jaosorior has quit IRC15:29
*** spzala has quit IRC15:30
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Create unit tests for endpoint policy drivers  https://review.openstack.org/21200615:30
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file  https://review.openstack.org/30841415:30
openstackgerritRodrigo Duarte proposed openstack/keystone: Add identity providers integration tests  https://review.openstack.org/30229915:31
openstackgerritRodrigo Duarte proposed openstack/keystone: Add protocols integration tests  https://review.openstack.org/30750815:31
openstackgerritRodrigo Duarte proposed openstack/keystone: Add mapping rules integration tests  https://review.openstack.org/30544415:31
openstackgerritRodrigo Duarte proposed openstack/keystone: Add service providers integration tests  https://review.openstack.org/30350215:31
*** links has quit IRC15:32
*** browne has joined #openstack-keystone15:33
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Restructure policy abstract driver  https://review.openstack.org/30737915:34
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Create unit tests for the policy drivers  https://review.openstack.org/21295715:36
*** josecastroleon has quit IRC15:36
*** josecastroleon has joined #openstack-keystone15:37
*** samueldmq has quit IRC15:40
*** mylu_ has quit IRC15:44
*** mylu has joined #openstack-keystone15:44
*** pauloewerton has quit IRC15:45
*** iurygregory has quit IRC15:45
*** timcline has joined #openstack-keystone15:48
*** mylu has quit IRC15:48
ayoungrodrigods, where do I start with reviews?15:51
*** rderose has joined #openstack-keystone15:51
*** tellesnobrega is now known as tellesnobrega_af15:51
morganayoung: wait what with the global and import?15:51
morganoh15:51
morgani see15:51
morganayoung: uhmm...15:51
morganayoung: actually, wait what is the concern?15:52
*** stingaci has joined #openstack-keystone15:52
ayoungmorgan, so if, say test_v3 and test_v3_auth both imported the file, the uuids generated would be different...I think?15:52
morganayoung: import compile happens exactly 1 time in a program15:52
morganit's safe to do what you were doing15:53
*** mylu has joined #openstack-keystone15:53
ayoungmorgan, it was on this version:  https://review.openstack.org/#/c/306681/3/keystone/tests/unit/default_fixtures.py15:53
patchbotayoung: patch 306681 - keystone - Make all fixture project_ids into uuids15:53
*** tellesnobrega_af is now known as tellesnobrega15:53
ayoungmorgan,  but its not a compile, is it.  The code itself is run on each import, I think15:53
*** gyee has joined #openstack-keystone15:54
*** ChanServ sets mode: +v gyee15:54
morganayoung: http://paste.openstack.org/show/494843/15:54
*** spzala has joined #openstack-keystone15:54
ayoungmorgan, I just feel more comfortable with making constants constant15:54
dstanekayoung: only if you do magic. the normal import only executes the code once15:54
morganayoung: import time happens exactly once unless you do a lot of magic15:54
morganwe do exactly what you were doing in a number of cases15:54
ayoungmorgan, dstanek, so, any preference which way to do it?15:54
morganayoung: i prefer the global and have it random per test15:55
morganbut thats me.15:55
*** iurygregory has joined #openstack-keystone15:55
morganas long as it's a consistent format15:55
morganbut i'm ok with it either way15:55
morgani wouldn't block either choice.15:55
*** spzala_ has joined #openstack-keystone15:55
morganayoung: the fact import executes once is also partly why mutable default args are so bad.15:56
*** raildo is now known as raildo-afk15:56
*** mylu has quit IRC15:57
dstanekayoung: i think i'm also OK with either version15:57
ayoungrodrigods, ^^15:58
*** spzala has quit IRC15:58
ayounglets get that one in, then, as it will allow for full testing of Fernet15:58
*** mylu has joined #openstack-keystone15:58
*** maestro1 has quit IRC16:00
*** pushkaru has quit IRC16:01
openstackgerrityolanda.robla proposed openstack/keystoneauth: Create custom serializer for keystoneauth and betamax  https://review.openstack.org/30593716:01
*** pushkaru has joined #openstack-keystone16:01
*** lhcheng has joined #openstack-keystone16:02
*** ChanServ sets mode: +v lhcheng16:02
*** jaugustine has quit IRC16:06
*** spzala_ has quit IRC16:07
*** spzala has joined #openstack-keystone16:07
*** josecastroleon has quit IRC16:07
*** spzala_ has joined #openstack-keystone16:08
*** dan_nguyen has joined #openstack-keystone16:10
*** spzala_ has quit IRC16:11
*** spzala_ has joined #openstack-keystone16:12
*** spzala has quit IRC16:12
*** josecastroleon has joined #openstack-keystone16:13
*** pushkaru has quit IRC16:17
*** pushkaru has joined #openstack-keystone16:17
*** TxGVNN has quit IRC16:17
*** pushkaru has quit IRC16:17
arunkantstevemar: Hi Steve..how can I get attention to this review: https://review.openstack.org/#/c/279828/ ?16:20
patchbotarunkant: patch 279828 - keystonemiddleware - Adding audit middleware specific notification driv...16:20
*** jistr has quit IRC16:22
*** haneef__ has quit IRC16:24
*** rderose has quit IRC16:25
*** spzala_ has quit IRC16:26
*** pumaranikar has quit IRC16:31
*** tellesnobrega is now known as tellesnobrega_af16:31
openstackgerritMerged openstack/keystone: Remove comments mentioning eventlet  https://review.openstack.org/30740916:34
ayoungsudo dnf install https://kojipkgs.fedoraproject.org//packages/python-tox/2.3.1/1.fc24/noarch/python-tox-2.3.1-1.fc24.noarch.rpm16:34
dstanekarunkant: i think there is just a lot going on now16:35
ayoungin case any of you were wondering how to run tox on Fedora for Keystone now that we've bumped the version16:35
dstanekarunkant: i'll add it to my list16:35
arunkantdstanek: thanks.16:36
*** nkinder has quit IRC16:37
*** stingaci_ has joined #openstack-keystone16:37
*** nkinder has joined #openstack-keystone16:37
*** stingaci has quit IRC16:38
*** spzala has joined #openstack-keystone16:39
*** mylu has quit IRC16:40
*** raildo-afk is now known as raildo16:41
*** pumaranikar has joined #openstack-keystone16:41
*** pauloewerton has joined #openstack-keystone16:42
*** spzala has quit IRC16:43
*** josecastroleon has quit IRC16:43
*** stingaci_ has quit IRC16:44
*** spzala has joined #openstack-keystone16:45
*** david-nesher has joined #openstack-keystone16:45
*** mhickey has quit IRC16:46
*** Guest67082 has quit IRC16:46
*** spzala has quit IRC16:49
*** spzala has joined #openstack-keystone16:50
sigmavirus24yolanda: did you see my message about https://github.com/sigmavirus24/betamax/pull/104 ?16:51
*** mylu has joined #openstack-keystone16:52
*** roxanagh_ has joined #openstack-keystone16:53
*** spzala has quit IRC16:55
*** evrardjp has joined #openstack-keystone16:55
*** jasonsb has joined #openstack-keystone16:56
*** navidp has quit IRC17:00
openstackgerritBrant Knudson proposed openstack/keystone: Add other-requirements.txt  https://review.openstack.org/30847717:01
openstackgerritBrant Knudson proposed openstack/keystone: Add other-requirements.txt  https://review.openstack.org/30847717:01
*** spzala has joined #openstack-keystone17:02
morgansigmavirus24: i'm so happy we have someone working on leveraging the betamax fixture :)17:04
sigmavirus24morgan: me too. It's driving 3 year old feature requests in betamax17:04
morganhehehe17:04
morgan^_^17:05
*** navidp has joined #openstack-keystone17:05
sigmavirus24(granted, feature requests that I made to reach parity with Ruby's VCR but no one really needed until lately)17:05
*** stingaci has joined #openstack-keystone17:05
sigmavirus24Not sure I'll get that pull request completed before this weekend though, so I didn't want yolanda rushing into using a custom serializer for the work in keystoneauth17:06
*** spzala has quit IRC17:07
*** maestro1 has joined #openstack-keystone17:09
mylurodrigods: hi I run into some weird issues do you have a second to help me look at it?17:11
*** navidp has quit IRC17:12
evrardjphello guys17:14
evrardjpI'm trying to setup my keystone with a self signed cert right now and I have some issues17:14
evrardjphttp://paste.openstack.org/show/494860/17:14
evrardjpIt's more the fact I don't understand the process (yet) and I'd be happy to learn17:14
*** maestro1 has quit IRC17:15
evrardjpI wonder why I'm that often redirected to the admin interface17:16
evrardjpis that normal?17:16
*** josecastroleon has joined #openstack-keystone17:19
dstanekarunkant: i did a quick first pass17:19
arunkantdstanek: Thanks..will address the comments soon.17:20
*** clenimar has joined #openstack-keystone17:22
*** trown is now known as trown|lunch17:27
*** real56 has joined #openstack-keystone17:27
*** BjoernT is now known as Bjoern_zZzZzZzZ17:29
*** Bjoern_zZzZzZzZ is now known as BjoernT17:31
*** maestro1 has joined #openstack-keystone17:32
*** jasonsb has quit IRC17:32
*** yarkot has joined #openstack-keystone17:32
*** jasonsb has joined #openstack-keystone17:32
odyssey4mestevemar if you can help get the right person in contact with evrardjp I'd appreciate it - we need to understand whether keystone has a bug (unlikely), it's working as designed (possible), or whether we're configuring something badly (entirely possible)17:33
dstanekodyssey4me: is there a bug report i can look at?17:34
evrardjpmore likely a configuration issue, because I can adapt it to make it work17:34
evrardjphttp://paste.openstack.org/show/494860/17:34
odyssey4medstanek not at this stage - just trying to understand whether this is by design or now17:34
odyssey4me*not17:34
evrardjpnot a bug17:34
gyeeevrardjp, that's the expected behavior17:34
gyeeit will pick the admin endpoint by default17:34
gyeetry setting the interface param to public17:35
gyeeclient.Client(interface="public", ...)17:35
odyssey4megyee is that the same as using OS_ENDPOINT_TYPE=publicURL when using the CLI ?17:36
gyeeopenstack --os_interface=public17:36
gyeeright17:36
odyssey4meor does the client perhaps ignore the env var for a subset of commands?17:37
gyeeI don't think client uses env var17:37
*** jasonsb has quit IRC17:37
gyeejust the CLI17:37
dstanekodyssey4me: ksc doesn't use those vars at all17:37
*** pnavarro has quit IRC17:38
dstanekthat's purely an osc thing iiuc17:38
lbragstaddolphm mfisch down to 16:3017:38
mfischlbragstad: like this?17:38
mfischhttps://www.youtube.com/watch?v=j2egGfd5j_k17:38
openstackgerritMerged openstack/keystone: Updated from global requirements  https://review.openstack.org/30837117:38
mfischyou might be too young to remember that ^17:38
evrardjpI'll paste you something17:39
dstanekmfisch: yesssssss!17:39
lbragstadmfisch lol pretty much17:39
dstanekmfisch: i used to have a huge collection17:39
evrardjphttp://paste.openstack.org/show/494863/17:40
*** spzala has joined #openstack-keystone17:40
odyssey4megyee ^17:41
odyssey4mehmm, so perhaps the ksc isn't receiving the right parameter (ie bug in OSC)17:41
*** tellesnobrega_af is now known as tellesnobrega17:41
*** sdake__ has joined #openstack-keystone17:41
evrardjphowever this works: http://paste.openstack.org/show/494864/17:42
evrardjpwhen querying internally17:42
gyeeI mean "openstack --os-interface public"17:42
gyeenot --os-interface=public17:42
gyeesorry17:42
evrardjpit doesn't change a thing17:43
*** sdake__ has quit IRC17:43
*** sdake_ has quit IRC17:43
*** sdake_ has joined #openstack-keystone17:45
dolphmmfisch: <3 micro machines17:45
stevemarmfisch: well that was weird17:45
evrardjpI do too TBH, it makes me hate that17:45
evrardjptoo many words per second17:45
evrardjpwe didn't get the budget for a 10 minute ad, so let's stick to 30 seconds...17:46
evrardjpanyway17:46
dolphmstevemar: do you know why the cover and releasenotes jobs don't respect constraints like the other jobs do? https://review.openstack.org/#/c/306846/4/tox.ini17:47
patchbotdolphm: patch 306846 - keystone - Keystone jobs should honor upper-constraints.txt (MERGED)17:47
evrardjpgyee it doesn't seem related to the os-interface at all17:47
evrardjpit's an endpoint issue, that looks weird17:47
evrardjpso we did something wrong in the configuration17:47
*** josecastroleon has quit IRC17:48
stevemardolphm: let me see...17:49
*** josecastroleon has joined #openstack-keystone17:50
gyeeevrardjp, try "openstack token issue --debug" to see if the service catalog is returned17:50
dstanekdolphm: someone said it's an infra limitation. not implemented i think17:50
evrardjpgyee with the os-interface set to public?17:50
gyeeevrardjp, doesn't matter for token issue17:51
evrardjpinternally/externally?17:51
evrardjpok17:51
gyeetoken issue only cares about auth-url17:51
dolphmdstanek: oh, so it'll work on my box with the constraints, but not in jenkins?17:51
stevemardolphm: yeah, what dstanek said... i think it's got to do with infra17:51
stevemardolphm: possible17:52
dolphmthat might explain some things17:52
dstanekdolphm: i would guess that it'll execute the tests, but not do the enforcement17:52
dolphmdstanek: but only in jenkins?17:52
evrardjphttp://paste.openstack.org/show/494868/17:52
dstanekdolphm: i don't think anything will evaluate that environment variable, but i'm not sure how the sausage is made17:53
*** sdake__ has joined #openstack-keystone17:53
*** jed56 has quit IRC17:53
*** daemontool has quit IRC17:53
bknudsonin ansible, can I run some commands with sudo and some commands without?17:54
dolphmdstanek: lol okay17:54
rodrigodsayoung, hmm was afk17:54
evrardjpbknudson yes17:54
bknudsonI should find an ansible forum.17:54
evrardjpsudo:17:54
rodrigodsayoung, so use uuid.uuid4().hex?17:54
dstanekdolphm: https://specs.openstack.org/openstack/openstack-specs/specs/requirements-management.html17:54
evrardjpit is now named become17:54
rodrigodsmylu, hi, was afk17:54
rodrigodsmylu, what issues are you facing?17:54
bknudsonI tried sticking become: root on the task and it doesn't seem to work.17:54
dstanekbknudson: yep17:54
evrardjpgyee so token doesn't seem to work externally17:54
mylurodrigods: no worries I actually just sent you an email to explain it17:55
bknudsonohhh, it's become: yes , not root.17:55
dstanekand become_user i think17:55
evrardjpbknudson become: yes, become_user: root17:55
evrardjpyes or True17:55
bknudsonright, thanks.17:55
evrardjpyw17:55
mylurodrigods: in short the issue is i can get an unscoped token with curl command but not with tempest, even if they r requesting with the same headers and url17:55
evrardjpI'd be happy if you get an idea of how to fix that :D17:56
*** sdake_ has quit IRC17:57
*** pumaranikar has quit IRC17:57
*** pumaranikar has joined #openstack-keystone17:57
rodrigodsmylu, replying to your email17:58
*** spzala has quit IRC17:59
odyssey4megyee does 'token issue' get a scoped or unscoped token? from evrardjp's paste it looks like it's failing hard18:00
gyeescoped, last paste is showing http instead of https endpoint?18:01
gyeeso http endpoint works but not https18:01
odyssey4megyee yeah, so the http endpoint is inside18:01
*** spzala has joined #openstack-keystone18:01
odyssey4meso the second paste is from an internal host, whereas the first is from an external host18:02
odyssey4meevrardjp do the second one but make sure it uses the public endpoint, not internal18:03
evrardjpI don't know what scoped or unscoped means, but yes, that's it18:03
mylurodrigods: awesome thanks!18:04
*** edtubill has joined #openstack-keystone18:04
*** spzala has quit IRC18:06
gyeeevrardjp, when using https endpoint for token issue, do you see the /auth/token call in /var/logs/apache2/keystone_access.log?18:09
evrardjpI'll check that right away18:10
bknudsonI screwed up my vm by making it too small. Luckily I've got an ansible script so I don't have to enter all those commands again.18:12
*** spzala has joined #openstack-keystone18:13
*** sdake__ has quit IRC18:14
*** navidp has joined #openstack-keystone18:15
*** spzala has quit IRC18:18
*** mylu has quit IRC18:18
*** browne has quit IRC18:19
*** spzala has joined #openstack-keystone18:19
*** josecastroleon has quit IRC18:19
*** navidp has quit IRC18:20
*** josecastroleon has joined #openstack-keystone18:21
evrardjpgyee I don't know if it helps: http://paste.openstack.org/show/494870/18:21
gyeedoesn't appear your auth token call made it to the keystone app18:23
*** spzala has quit IRC18:24
*** spzala has joined #openstack-keystone18:24
gyeeevrardjp, can you check this? grep -i SSL /etc/apache2/sites-available/keystone18:25
gyeeand paste me the output?18:25
*** ayoung has quit IRC18:25
gyeemake sure your SSLVerifyClient is set to optional18:25
evrardjpit's not18:25
*** mylu has joined #openstack-keystone18:25
evrardjpSSLVerifyClient isn't there18:25
evrardjplet me check18:26
evrardjpjust to be sure18:26
*** yolanda has quit IRC18:26
evrardjpyes it's not there18:26
evrardjpI'll add it and come back to you18:27
*** yolanda has joined #openstack-keystone18:29
evrardjpwait I just thought before doing something stupid18:29
evrardjpyou mean I have to passthrough SSL to my server right?18:29
openstackgerritMerged openstack/keystone: Customize config file location when run as wsgi app.  https://review.openstack.org/28821618:30
*** real56 has quit IRC18:30
*** mylu has quit IRC18:30
evrardjpbecause what we did is configure HTTP in the backend, and HTTPs termination on our load balancer18:30
evrardjpif this isn't possible this is something we should be aware of18:31
*** real56 has joined #openstack-keystone18:32
*** mylu has joined #openstack-keystone18:32
bknudsonevrardjp: are you setting public_endpoint and admin_endpoint in keystone.conf?18:32
bknudsonthat will cause keystone to return whatever you want it to when keystone returns the versions response.18:32
evrardjpwe have admin_endpoint in keystone.conf18:33
bknudsonthere's also a setting for the header to use from the proxy (if you're not setting *_endpoint: http://git.openstack.org/cgit/openstack/keystone/tree/etc/keystone.conf.sample#n8318:34
gyeeevrardjp, no, if your keystone is listening on non-ssl, you need to terminate ssl at the LB and do non-ssl to keystone18:34
bknudsonwhat is admin_endpoint set to?18:34
evrardjpbknudson the internal http address18:34
gyeeevrardjp, you using haproxy?18:35
bknudsonif you want people using the internal http address then that's correct.18:35
evrardjpgyee yes18:35
*** mylu has quit IRC18:35
evrardjpbknudson my workaround was to use the public URL there18:35
evrardjpwhich isn't I think the best practice18:35
gyeeso make sure the keystone url at the backend section is non-ssl18:35
*** daemontool has joined #openstack-keystone18:35
bknudsonthat sounds like the correct thing to do rather than a workaround?18:35
evrardjpgyee that's ok18:35
bknudsonI don't know your network setup so I can't give good advice here anyways.18:36
gyeebknudson, that's a typical production deployment, terminates SSL at the proxy/lb18:36
*** mylu has joined #openstack-keystone18:36
gyeeand do non-ssl to the keystone instances18:36
evrardjpyes we terminate at haproxy, and do no-ssl to keystone18:36
bknudsonhe's saying he's got an internal http address, whatever that is?18:36
evrardjpin haproxy the backend in http18:37
evrardjpand we have http-request set-header X-Forwarded-Port %[dst_port]18:37
evrardjpand the server in the backend is well in http18:37
bknudsonwhy wouldn't you set the admin_endpoint to HAProxy?18:37
evrardjpso you mean expose the admin_endpoint to the public?18:38
gyeeevrardjp, what does your keystone backend look like in /etc/haproxy/haproxy.cfg?18:39
bknudsonif you want public to be able to create users and do other admin ops then that makes sense.18:39
*** woodster_ has joined #openstack-keystone18:39
evrardjpgyee which one? admin or public?18:39
bknudsonI guess I'm wondering why this is a problem if users aren't doing admin ops18:40
evrardjpI'll paste them both18:40
gyee"server keystone-public <ip>:5000 check"18:40
gyeesomething like that?18:40
evrardjpyes18:40
*** maestro1 has quit IRC18:40
evrardjphttp://paste.openstack.org/show/494871/18:41
gyeewhat about frontend?18:41
evrardjpI removed the checks18:41
evrardjpfor a cleaner log18:41
evrardjpbut I can put them back18:41
*** mylu has quit IRC18:41
evrardjpthe haproxy nodes hold the vip for public and admin interface18:42
evrardjpit binds to it and redirects to the appropriate server in http18:42
evrardjpthe admin is in an internal net on 172.29 range18:43
evrardjpapparently here we also configured the admin on the public vip18:43
evrardjpwhich is not great but that's another topic18:43
gyeecan you add "verify optional" to the bind line18:44
gyeejust in case18:44
evrardjpfor the public vip right18:44
evrardjpok18:44
gyeebind 104.239.168.236:5000 ssl crt /etc/ssl/private/haproxy.pem ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS verify optional18:44
*** mylu has joined #openstack-keystone18:45
evrardjpI'm new to this self sign thingy18:45
evrardjpI used to have certificates for free :p18:45
*** sigmavirus24 is now known as sigmavirus24_awa18:45
gyeecertificates are never *free*18:46
evrardjptrue18:46
gyeeit may be zero CapEx, but definitely not zero OpEx18:46
bknudsonhttps://letsencrypt.org/18:46
*** trown|lunch is now known as trown18:46
evrardjpgyee in our case it was shared opex18:46
gyeestill, not zero opex18:47
evrardjptrue18:47
evrardjpverify optional doesn't work let me check the doc one sec18:47
*** doug-fish has quit IRC18:47
bknudsonone thing I don't get about the ansible docs is the examples: http://docs.ansible.com/ansible/command_module.html#examples18:48
bknudsonthat's not even valid yaml.18:48
bknudson(the args: form)18:49
evrardjpok so18:50
evrardjpI added verify none18:50
bknudsonoh, maybe I'm supposed to leave off the name:?18:50
*** josecastroleon has quit IRC18:50
evrardjpnope you can keep it18:50
evrardjpshow me I'll help you :D18:51
*** browne has joined #openstack-keystone18:51
evrardjpgyee so it's added, but it doesn't work better18:51
*** josecastroleon has joined #openstack-keystone18:51
bknudsonhere's the sample: https://etherpad.openstack.org/p/keystone-dev-ansible (see line 58)18:52
gyeeevrardjp, lets try curl18:52
gyeecurl -k https://ip:500018:53
evrardjpgyee /v3 ?18:54
gyeesure18:55
evrardjphttp://paste.openstack.org/show/494875/18:55
*** e0ne has quit IRC18:55
gyeeyour configuration appears to be fine18:56
evrardjpv3 : http://paste.openstack.org/show/494876/18:56
*** sigmavirus24_awa is now known as sigmavirus2418:56
gyeeconfiguration appears to be correct18:57
evrardjpand thanks for your time everyone already18:57
evrardjpgood news18:57
evrardjpit's a good start for the users to do a openstack server list18:57
evrardjp:D18:57
*** yolanda has quit IRC18:58
*** tqtran has joined #openstack-keystone19:00
gyeecan you try authenticate via curl?19:01
evrardjpI have to learn that first19:02
gyeehttp://docs.openstack.org/developer/keystone/api_curl_examples.html19:02
evrardjpfaster than my google19:02
gyeehah19:02
evrardjpuser or admin?19:02
gyeeuser19:03
evrardjplet's try some user with _member_ role only19:03
*** woodburn has quit IRC19:03
gyeedoesn't matter about the user19:03
gyeejust want to see the call get routed properly19:03
openstackgerritArun Kant proposed openstack/keystonemiddleware: Adding audit middleware specific notification driver conf  https://review.openstack.org/27982819:04
evrardjpok I got everything19:04
evrardjpwant to see?19:05
*** rcernin has quit IRC19:05
evrardjpsorry for the rudimentary aspect of this paste19:06
evrardjpif I had a beautifier...19:06
*** aimeeU has quit IRC19:06
*** doug-fis_ has joined #openstack-keystone19:07
evrardjpsolved now19:10
*** mylu has quit IRC19:10
evrardjpso the issue isn't keystone itself, it's the user?19:10
*** lhcheng has quit IRC19:11
gyeeregardless, we have a usability bug in keystoneauth119:12
evrardjpnah it should work19:12
evrardjpI agree19:13
gyeefailed authentication is not the same as can't get endpoint19:13
bknudsonpython -m json.tool19:13
evrardjpbut it's always a question of endpoint19:13
evrardjpopenstack server list needs to know the endpoint19:14
evrardjpright?19:14
evrardjpfor user interactions I mean19:14
gyeeit only need the auth-url19:14
bknudsonopenstack server list needs to know the nova endpoint and the auth endpoint19:14
gyeeeverything else is discovered from service catalog19:14
bknudsonthe admin endpoint doesn't matter19:14
*** sheel has quit IRC19:15
evrardjpbknudson I agree the admin endpoint shouldn't matter19:15
evrardjpthat's what I wrote in the first paste19:15
gyeeadmin endpoint does matter if you perform keystone v3 operations19:16
gyeeit selects the admin endpoint by default19:16
evrardjpohoh19:16
evrardjpthat's it19:16
evrardjpso I should use admin endpoint as a public thingy19:16
evrardjpor not?19:16
gyeewe did try to make public endpoint as default, but not sure if that patch has landed yet19:17
bknudsonwe probably tried to change it and it broke somebody so we had to undo it.19:18
bknudsonthat's typically what happens whenever we try to do the right thing.19:18
evrardjpso what's the best solution for my case?19:18
*** real56 has quit IRC19:18
gyeeevrardjp, that's the conversation you need to have with your security team19:18
gyeewhich API to expose to the public19:18
bknudsonthere's probably setup you could do in apache to reject all requests to /v2.0 if you want to make only v3 public.19:19
evrardjpso v3 operations imposes the actions that I have to expose to the public if they want to make simple calls like openstack server list19:19
gyeefor openstack server list, you do not need keystone admin endpoint19:20
*** mylu has joined #openstack-keystone19:20
bknudsongyee: you think it's the keystoneclient lib that's doing this?19:20
bknudsonusing the admin endpoint for auth?19:20
gyeebknudson, don't think so19:20
bknudsonso, openstack CLI?19:21
*** edtubill has quit IRC19:21
evrardjpgyee apparently yes because it first needs to find the nova endpoint in the service catalog19:21
gyeeopenstack CLI should be using Session from keystoneauth1 by now19:21
*** josecastroleon has quit IRC19:21
evrardjpand the service catalog is only accessed through admin? or am I wrong?19:21
gyeeno19:21
bknudsonok, then keystoneauth is using admin for auth?19:21
gyeeyou'll get the service catalog from token auth19:22
gyeebknudson, no, it should use auth_url19:22
evrardjpgyee which is fine because it worked with curl19:22
evrardjpnow i get it19:22
bknudsony, that's weird. wonder why in this case it's hitting admin?19:22
bknudsonunless auth url is set to the admin endpoint?19:23
*** yolanda has joined #openstack-keystone19:23
evrardjpbknudson in my openstack client the auth url is set to public19:23
evrardjpis set to the public ip19:23
bknudsonexport OS_AUTH_URL=http://localhost:5000/v2.019:23
evrardjpport 500019:23
bknudsonthat's weird. I think we'll have to trace keystoneauth and see what it's doing.19:24
evrardjpit's becoming a little late for me19:24
evrardjpI'll stop for today and come back tomorrow19:24
*** lhcheng has joined #openstack-keystone19:25
*** ChanServ sets mode: +v lhcheng19:25
evrardjpI really thank you for your time19:25
evrardjpso we should check at what would be the cause of the pain in openstack cli I guess19:25
evrardjpI can help you reproduce that I can deploy plenty of stuff :D19:25
*** roxanagh_ has quit IRC19:26
evrardjpa comma is missing in the last phrase, but I guess you understood19:26
evrardjpanyway19:26
evrardjpI'm off19:26
evrardjpthanks!19:26
gyeeno problem19:26
gyeebknudson, only thing I can think of would be if they have proxy set on the box where CLI is running19:27
gyeeevrardjp, check your http_proxy and http_proxy env var19:27
bknudsonanything's possible.19:27
bknudsonor maybe they're using an older version that has a bug19:28
odyssey4megyee hmm, nope - no proxy... but keystone does have an LB in front of it19:28
gyeehaproxy config seems fine19:28
odyssey4mekeystone.conf has secure_proxy_ssl_header set19:28
openstackgerritAlexander Makarov proposed openstack/keystone: Closure table for HMT  https://review.openstack.org/28552119:29
gyeeversion discovery looks fine19:29
gyeeit correctly returns the https url in href19:29
openstackgerritMerged openstack/keystone: Updating sample configuration file  https://review.openstack.org/30841419:30
evrardjpodyssey4me you take over this?19:30
evrardjpI'm willing to come back home to continue this conversation19:31
odyssey4meevrardjp have a good night - relax, we can continue tomorrow19:31
evrardjpit's fine I can continue to get it working19:31
evrardjpI just want to come back safe home, you know the neighborhood ;)19:31
*** rcernin has joined #openstack-keystone19:32
odyssey4mehaha, for sure19:32
*** e0ne has joined #openstack-keystone19:33
*** ametts has quit IRC19:33
gyeeodyssey4me, bknudson, this is an opportunity for us to start a Keystone run book19:40
bknudsonAdd run book to http://docs.openstack.org/developer/keystone/19:41
gyeelike if something goes wrong, how to troubleshoot19:41
odyssey4megyee yeah, that would be very useful to all projects actually19:41
gyeesome of that stuff can even be automated19:41
gyeelike run_diagnostic or something19:42
gyeewe can start with the common scenario, like <client> -- https --> <proxy/lb cluster> -- http --> <Keystone instances>19:43
*** manjeets has left #openstack-keystone19:43
*** woodburn has joined #openstack-keystone19:49
bknudsonbtw, here's the ansible script to set up to run keystone: https://gist.github.com/brantlk/e9ce45d6b709774ae8ac44543732560819:50
bknudsonbased on these docs: https://review.openstack.org/#/c/264398/10/doc/source/project-setup/python.rst19:50
patchbotbknudson: patch 264398 - project-team-guide - Improve docs on setting up development environment19:50
evrardjphey again20:00
evrardjpwhat did I miss ?20:00
*** edtubill has joined #openstack-keystone20:07
*** csoukup has quit IRC20:12
*** rderose has joined #openstack-keystone20:12
*** comstud has quit IRC20:14
*** stingaci has quit IRC20:15
*** browne has quit IRC20:21
*** timcline_ has joined #openstack-keystone20:22
*** roxanagh_ has joined #openstack-keystone20:25
*** lhcheng has quit IRC20:25
*** browne has joined #openstack-keystone20:26
*** stingaci has joined #openstack-keystone20:29
*** doug-fish has joined #openstack-keystone20:30
*** doug-fi__ has joined #openstack-keystone20:31
*** doug-f___ has joined #openstack-keystone20:32
*** mylu has quit IRC20:33
*** doug-fis_ has quit IRC20:33
*** doug-fish has quit IRC20:34
*** doug-fish has joined #openstack-keystone20:35
*** doug-fi__ has quit IRC20:35
openstackgerritRon De Rose proposed openstack/keystone: Move the assignment abstract base class out of core  https://review.openstack.org/29963520:35
*** doug-f___ has quit IRC20:37
*** stacker has quit IRC20:40
*** navidp has joined #openstack-keystone20:41
*** pumaranikar has quit IRC20:45
*** doug-fish has quit IRC20:50
openstackgerritArun Kant proposed openstack/keystonemiddleware: Adding audit middleware specific notification driver conf  https://review.openstack.org/27982820:51
*** doug-fis_ has joined #openstack-keystone20:52
*** trown is now known as trown|outtypewww20:53
*** spzala has quit IRC20:54
*** mylu has joined #openstack-keystone20:55
*** daemontool has quit IRC20:56
*** mylu has quit IRC20:56
*** navid_ has joined #openstack-keystone20:57
*** mylu has joined #openstack-keystone20:59
*** navidp has quit IRC21:01
*** spzala has joined #openstack-keystone21:01
*** mylu has quit IRC21:02
*** navid_ has quit IRC21:05
*** spzala has quit IRC21:06
*** spzala has joined #openstack-keystone21:07
*** lhcheng has joined #openstack-keystone21:08
*** ChanServ sets mode: +v lhcheng21:08
*** pauloewerton has quit IRC21:08
*** navidp has joined #openstack-keystone21:10
*** mylu has joined #openstack-keystone21:10
dstanekrderose: this is following the same pattern that you've been doing right?21:12
dstanekrderose: https://review.openstack.org/#/c/307379/221:12
patchbotdstanek: patch 307379 - keystone - Restructure policy abstract driver21:12
*** spzala has quit IRC21:12
*** spzala has joined #openstack-keystone21:13
rderosedstanek: yes, exactly21:13
rderosenice :)21:13
*** xek has quit IRC21:16
*** spzala has quit IRC21:18
*** spzala has joined #openstack-keystone21:19
*** lhcheng has quit IRC21:20
*** e0ne has quit IRC21:20
*** spzala has quit IRC21:25
*** spzala has joined #openstack-keystone21:26
*** gagehugo has quit IRC21:26
*** browne has quit IRC21:26
*** sdake_ has joined #openstack-keystone21:28
*** xek has joined #openstack-keystone21:29
*** spzala has quit IRC21:30
*** browne has joined #openstack-keystone21:32
*** spzala has joined #openstack-keystone21:32
*** spzala has quit IRC21:36
*** spzala has joined #openstack-keystone21:38
*** e0ne has joined #openstack-keystone21:41
*** spzala has quit IRC21:43
*** lhcheng has joined #openstack-keystone21:44
*** ChanServ sets mode: +v lhcheng21:44
*** spzala has joined #openstack-keystone21:45
*** sdake_ has quit IRC21:45
*** mylu has quit IRC21:46
*** sdake_ has joined #openstack-keystone21:47
*** e0ne has quit IRC21:51
*** vgridnev_ has joined #openstack-keystone21:55
*** roxanagh_ has quit IRC21:57
*** spzala has quit IRC21:57
*** henrynash has joined #openstack-keystone22:00
*** ChanServ sets mode: +v henrynash22:00
*** vgridnev_ has quit IRC22:00
*** spzala has joined #openstack-keystone22:00
*** navidp has quit IRC22:03
openstackgerritRodrigo Duarte proposed openstack/keystone: Add identity providers integration tests  https://review.openstack.org/30229922:04
openstackgerritRodrigo Duarte proposed openstack/keystone: Add protocols integration tests  https://review.openstack.org/30750822:04
openstackgerritRodrigo Duarte proposed openstack/keystone: Add mapping rules integration tests  https://review.openstack.org/30544422:04
openstackgerritRodrigo Duarte proposed openstack/keystone: Add service providers integration tests  https://review.openstack.org/30350222:04
*** roxanagh_ has joined #openstack-keystone22:05
openstackgerritRodrigo Duarte proposed openstack/keystone: Add protocols integration tests  https://review.openstack.org/30750822:05
*** timcline_ has quit IRC22:13
*** mylu has joined #openstack-keystone22:15
*** sigmavirus24 is now known as sigmavirus24_awa22:15
*** doug-fis_ has quit IRC22:17
*** mylu has quit IRC22:17
*** lhcheng has quit IRC22:18
*** phalmos has quit IRC22:22
*** gordc has quit IRC22:23
*** mylu has joined #openstack-keystone22:24
*** edmondsw has quit IRC22:24
*** timcline_ has joined #openstack-keystone22:25
*** dan_nguyen has quit IRC22:25
*** gyee has quit IRC22:25
*** lhcheng has joined #openstack-keystone22:27
*** ChanServ sets mode: +v lhcheng22:27
*** edtubill has quit IRC22:28
*** dan_nguyen has joined #openstack-keystone22:29
*** timcline_ has quit IRC22:30
*** ayoung has joined #openstack-keystone22:33
*** ChanServ sets mode: +v ayoung22:33
*** spzala has quit IRC22:37
*** slberger1 has left #openstack-keystone22:46
*** krotscheck is now known as krotscheck_dcm22:57
*** edtubill has joined #openstack-keystone22:58
*** henrynash has quit IRC22:59
*** stingaci has quit IRC23:08
*** stingaci has joined #openstack-keystone23:13
*** dan_nguyen has quit IRC23:15
*** spzala has joined #openstack-keystone23:18
*** dan_nguyen has joined #openstack-keystone23:19
*** mylu has quit IRC23:20
*** mylu has joined #openstack-keystone23:20
*** stingaci has quit IRC23:21
*** spzala has quit IRC23:23
*** rderose has quit IRC23:27
*** roxanagh_ has quit IRC23:30
*** BjoernT has quit IRC23:31
*** mylu has quit IRC23:38
*** mylu has joined #openstack-keystone23:38
*** jamielennox is now known as jamielennox|away23:51
*** sdake__ has joined #openstack-keystone23:58
