Monday, 2016-06-20

*** dave-mccowan has joined #openstack-keystone		00:01
openstackgerrit	Jamie Lennox proposed openstack/keystonemiddleware: Pass X_IS_ADMIN_PROJECT header from auth_token https://review.openstack.org/331374	00:25
*** Nakato has quit IRC		00:30
*** Nakato has joined #openstack-keystone		00:31
*** sdake has joined #openstack-keystone		00:43
*** EinstCrazy has joined #openstack-keystone		00:48
*** dave-mccowan has quit IRC		00:52
*** roxanaghe has joined #openstack-keystone		00:54
stevemar	jamielennox: o/	00:57
jamielennox	stevemar: yo	00:57
stevemar	jamielennox: mornin!	00:57
jamielennox	ahh, mondays	00:59
*** roxanaghe has quit IRC		00:59
*** jinquan has left #openstack-keystone		01:01
*** EinstCrazy has quit IRC		01:06
openstackgerrit	Merged openstack/keystoneauth: Add entrypoint for Federated Kerberos https://review.openstack.org/331388	01:08
*** sdake has quit IRC		01:29
stevemar	jamielennox: thanks for reviewing the novaclient session patch	01:31
jamielennox	stevemar: no worries - i'm not sure what they'll do with it	01:31
jamielennox	stevemar: i was hoping it would drive everyone to deprecate the old options and just adopt the common ones	01:32
jamielennox	but i can see from a nova first perspective they just want things to work as they used to	01:32
jamielennox	and i guess it's still better than them doing their own auth	01:32
*** gus_ is now known as gus		01:46
*** davechen has joined #openstack-keystone		02:02
*** TxGVNN has joined #openstack-keystone		02:11
*** EinstCrazy has joined #openstack-keystone		02:24
*** dave-mccowan has joined #openstack-keystone		02:29
*** yarkot1 has joined #openstack-keystone		02:30
*** EinstCrazy has quit IRC		02:49
*** roxanaghe has joined #openstack-keystone		02:56
*** EinstCrazy has joined #openstack-keystone		02:56
*** roxanaghe has quit IRC		03:00
-openstackstatus- NOTICE: static.openstack.org (which hosts logs.openstack.org) is currently migrating due to a hardware failure. It should be back up shortly.		03:10
*** sheel has joined #openstack-keystone		03:15
*** davechen has quit IRC		03:25
*** EinstCrazy has quit IRC		03:35
*** roxanaghe has joined #openstack-keystone		03:43
*** dave-mccowan has quit IRC		03:45
*** links has joined #openstack-keystone		03:56
*** jaosorior has joined #openstack-keystone		04:13
*** markvoelker has joined #openstack-keystone		04:18
*** markvoelker has quit IRC		04:22
*** links has quit IRC		05:10
-openstackstatus- NOTICE: static.openstack.org (which hosts logs.openstack.org and tarballs.openstack.org among others) is currently being rebuilt. As jobs can not upload logs they are failing with POST_FAILURE. This should be resolved soon. Please do not recheck until then.		05:21
*** ChanServ changes topic to "static.openstack.org (which hosts logs.openstack.org and tarballs.openstack.org among others) is currently being rebuilt. As jobs can not upload logs they are failing with POST_FAILURE. This should be resolved soon. Please do not recheck until then."		05:21
*** EinstCrazy has joined #openstack-keystone		05:24
*** links has joined #openstack-keystone		05:26
*** davechen has joined #openstack-keystone		05:30
*** roxanaghe has quit IRC		06:00
*** roxanaghe has joined #openstack-keystone		06:01
*** roxanaghe has quit IRC		06:06
*** rcernin has joined #openstack-keystone		06:13
*** markvoelker has joined #openstack-keystone		06:18
*** markvoelker has quit IRC		06:23
*** pcaruana has joined #openstack-keystone		06:24
*** henrynash has joined #openstack-keystone		06:30
*** ChanServ sets mode: +v henrynash		06:30
*** EinstCrazy has quit IRC		06:35
*** EinstCrazy has joined #openstack-keystone		06:35
*** EinstCrazy has quit IRC		06:45
openstackgerrit	Liam Young proposed openstack/keystone: Correct domain_id and name constraint dropping https://review.openstack.org/329855	06:46
*** EinstCrazy has joined #openstack-keystone		06:47
*** EinstCrazy has quit IRC		06:54
*** EinstCrazy has joined #openstack-keystone		07:02
*** roxanaghe has joined #openstack-keystone		07:03
*** EinstCrazy has quit IRC		07:04
*** roxanaghe has quit IRC		07:07
*** links has quit IRC		07:08
*** EinstCrazy has joined #openstack-keystone		07:08
*** real56 has joined #openstack-keystone		07:13
*** real56 has quit IRC		07:13
*** real56 has joined #openstack-keystone		07:14
*** real56 has quit IRC		07:16
*** real56 has joined #openstack-keystone		07:17
*** jed56 has joined #openstack-keystone		07:18
*** links has joined #openstack-keystone		07:21
*** real56 has quit IRC		07:24
*** real56 has joined #openstack-keystone		07:24
*** real56 has quit IRC		07:27
*** real56 has joined #openstack-keystone		07:28
*** real56 has quit IRC		07:31
*** amoralej\|off is now known as amoralej		07:31
*** ebarrera has joined #openstack-keystone		07:32
*** real56 has joined #openstack-keystone		07:32
*** real56 has quit IRC		07:35
*** real56 has joined #openstack-keystone		07:37
*** jaosorior is now known as jaosorior_lunch		07:41
*** belmoreira has joined #openstack-keystone		07:43
*** davechen has left #openstack-keystone		07:45
*** real56 has quit IRC		07:45
openstackgerrit	Alvaro Lopez Garcia proposed openstack/keystoneauth: WIP - oidc: fix OpenID Connect authorization code grant_type https://review.openstack.org/330006	07:45
openstackgerrit	Alvaro Lopez Garcia proposed openstack/keystoneauth: oidc: move scope into _OidcBase https://review.openstack.org/330463	07:45
openstackgerrit	Alvaro Lopez Garcia proposed openstack/keystoneauth: oidc: refactor unit tests https://review.openstack.org/330966	07:45
openstackgerrit	Alvaro Lopez Garcia proposed openstack/keystoneauth: WIP - oidc: add discovery document support https://review.openstack.org/330464	07:45
openstackgerrit	Alvaro Lopez Garcia proposed openstack/keystoneauth: WIP - oidc: remove grant_type argument https://review.openstack.org/330465	07:45
*** real56 has joined #openstack-keystone		07:46
*** real56 has quit IRC		07:47
*** real56 has joined #openstack-keystone		07:48
openstackgerrit	Alvaro Lopez Garcia proposed openstack/keystoneauth: WIP - oidc: fix OpenID Connect authorization code grant_type https://review.openstack.org/330006	07:49
openstackgerrit	Alvaro Lopez Garcia proposed openstack/keystoneauth: oidc: move scope into _OidcBase https://review.openstack.org/330463	07:49
openstackgerrit	Alvaro Lopez Garcia proposed openstack/keystoneauth: WIP - oidc: add discovery document support https://review.openstack.org/330464	07:49
openstackgerrit	Alvaro Lopez Garcia proposed openstack/keystoneauth: WIP - oidc: remove grant_type argument https://review.openstack.org/330465	07:49
*** real56 has quit IRC		07:53
*** real56 has joined #openstack-keystone		07:53
*** real56 has quit IRC		07:56
*** real56 has joined #openstack-keystone		07:57
*** pnavarro has joined #openstack-keystone		07:58
*** zzzeek_ has quit IRC		08:00
*** real56 has quit IRC		08:00
*** mvk_ has quit IRC		08:00
*** zzzeek has joined #openstack-keystone		08:00
*** real56 has joined #openstack-keystone		08:01
*** real56 has quit IRC		08:03
*** real56 has joined #openstack-keystone		08:03
*** real56 has quit IRC		08:06
*** real56 has joined #openstack-keystone		08:06
*** agireud has quit IRC		08:06
*** agireud has joined #openstack-keystone		08:12
*** bjornar_ has joined #openstack-keystone		08:13
*** real56 has quit IRC		08:14
*** real56 has joined #openstack-keystone		08:14
*** EinstCrazy has quit IRC		08:16
*** EinstCrazy has joined #openstack-keystone		08:16
*** real56 has quit IRC		08:17
*** agireud has quit IRC		08:17
*** real56 has joined #openstack-keystone		08:18
*** markvoelker has joined #openstack-keystone		08:19
*** real56 has quit IRC		08:20
*** EinstCrazy has quit IRC		08:21
*** real56 has joined #openstack-keystone		08:22
*** markvoelker has quit IRC		08:24
openstackgerrit	Andrew Liu proposed openstack/keystone: Added cache for sql id mapping driver https://review.openstack.org/328820	08:26
*** mvk_ has joined #openstack-keystone		08:27
*** agireud has joined #openstack-keystone		08:28
*** permalac has joined #openstack-keystone		08:33
*** mvk_ has quit IRC		08:56
*** real56 has quit IRC		08:57
*** roxanaghe has joined #openstack-keystone		09:00
*** mvk has joined #openstack-keystone		09:02
*** roxanaghe has quit IRC		09:05
openstackgerrit	Martin Schuppert proposed openstack/keystone: When create user using API it is possible to use a domain_id which does match the created domain_id's. in e.g. liberty this breaks cli keystone v2 user list actions. https://review.openstack.org/331567	09:18
openstackgerrit	Kseniya Tychkova proposed openstack/oslo.policy: Apache Fortress support prototype https://review.openstack.org/237521	09:24
openstackgerrit	Martin Schuppert proposed openstack/keystone: Verify domain_id when create_user is being called https://review.openstack.org/331567	09:24
*** nisha has joined #openstack-keystone		09:26
*** TxGVNN has quit IRC		09:26
*** TxGVNN has joined #openstack-keystone		09:26
*** jaosorior_lunch is now known as jaosorior		09:27
*** real56 has joined #openstack-keystone		09:29
openstackgerrit	henry-nash proposed openstack/keystone-specs: Support hierarchical project naming https://review.openstack.org/318605	09:30
*** nisha has quit IRC		09:32
*** nisha has joined #openstack-keystone		09:32
openstackgerrit	henry-nash proposed openstack/keystone-specs: Support hierarchical project naming https://review.openstack.org/318605	09:38
*** TxGVNN has quit IRC		10:09
*** TxGVNN has joined #openstack-keystone		10:09
openstackgerrit	Davanum Srinivas (dims) proposed openstack/keystone: [WIP] Testing latest u-c https://review.openstack.org/318435	10:10
openstackgerrit	henry-nash proposed openstack/keystone-specs: Support hierarchical project naming https://review.openstack.org/318605	10:16
*** markvoelker has joined #openstack-keystone		10:20
*** markvoelker has quit IRC		10:24
*** TxGVNN has quit IRC		10:29
*** henrynash has quit IRC		10:30
*** rcernin is now known as rcernin\|lunch		10:37
*** ChanServ changes topic to "Newton Deadlines: http://releases.openstack.org/newton/schedule.html \| Midcycle (July 20-22, San Jose, CA) wiki https://wiki.openstack.org/wiki/Sprints/KeystoneNewtonSprint \| Meeting Etherpad https://etherpad.openstack.org/p/keystone-weekly-meeting"		10:38
-openstackstatus- NOTICE: static.openstack.org is back up. If you have POST_FAILURE and are missing logs from your CI jobs, please leave a 'recheck'.		10:38
*** amakarov_away is now known as amakarov		10:44
*** samueldmq has joined #openstack-keystone		10:56
nisha	hey everyone :)	11:00
samueldmq	morning keystone	11:02
samueldmq	nisha: hi :)	11:02
*** roxanaghe has joined #openstack-keystone		11:02
nisha	samueldmq, hi	11:04
nisha	I was working on the documentation	11:04
samueldmq	nisha: nice! anything I can help ?	11:06
nisha	samueldmq, good as of now, will let you know :)	11:07
*** roxanaghe has quit IRC		11:08
* samueldmq nods		11:08
*** daemontool has joined #openstack-keystone		11:22
*** nisha has quit IRC		11:25
openstackgerrit	Nisha Yadav proposed openstack/python-keystoneclient: Add domain functional tests https://review.openstack.org/329598	11:26
openstackgerrit	Nisha Yadav proposed openstack/python-keystoneclient: Improve docs for v3 domains https://review.openstack.org/331629	11:26
*** yolanda has joined #openstack-keystone		11:29
*** nisha has joined #openstack-keystone		11:30
*** rodrigods has quit IRC		11:30
*** rodrigods has joined #openstack-keystone		11:30
*** nisha has quit IRC		11:34
samueldmq	nisha: look my comment in the patch	11:34
*** julim has joined #openstack-keystone		11:35
samueldmq	oops :)	11:35
*** nisha has joined #openstack-keystone		11:35
samueldmq	nisha: look my comment in the patch	11:36
nisha	samueldmq, sure	11:37
samueldmq	nisha: it's looking awesome, there is only one suggestion on the way you organize the patches	11:37
nisha	samueldmq, is it because I reviewed both the commits together, or because I had switched to tests branch first	11:40
*** dgonzalez has quit IRC		11:40
samueldmq	nisha: what branches you see when you run git branch ?	11:42
nisha	* domain-python-docs	11:42
nisha	domains/client-functional-test	11:42
nisha	master	11:42
nisha	in this order	11:42
samueldmq	nisha: just a sec, brb	11:43
nisha	but I did git commit for client-functional-test branch first	11:43
nisha	then switched the branch	11:43
nisha	oh, sorry wait, I ran git rebase -i master after that, before git branch	11:44
nisha	samueldmq,	11:44
*** dgonzalez has joined #openstack-keystone		11:44
nisha	I didn't remove any commit though	11:45
*** rcernin\|lunch is now known as rcernin		11:53
*** henrynash has joined #openstack-keystone		11:53
*** ChanServ sets mode: +v henrynash		11:53
*** raildo-afk is now known as raildo		11:55
*** henrynash has quit IRC		11:56
*** daemontool_ has joined #openstack-keystone		11:59
*** daemontool has quit IRC		12:02
samueldmq	nisha: back	12:02
nisha	new comments on the doc patch	12:03
*** roxanaghe has joined #openstack-keystone		12:03
samueldmq	nisha: so, when you are in a branch X and you do 'git checkout -b Y', a new branch Y is created and X is its parent :)	12:04
samueldmq	nisha: you probably created docs branch when you were in the tests branch, so tests is the parent of doc	12:05
nisha	samueldmq, didn't know that thanks	12:05
samueldmq	nisha: I'd like the see the reverse, so it makes more sense	12:05
nisha	yup :)	12:05
*** dave-mccowan has joined #openstack-keystone		12:06
samueldmq	nisha: in the tests change, you can see that 'Commit' attribute (e2368b0f8b7aa845cf8d8c60720d91ee416f7c12) corresponds to the 'Parent(s)' attribute in the docs change	12:06
samueldmq	to reflect what I just said	12:06
nisha	samueldmq, thanks	12:07
*** roxanaghe has quit IRC		12:08
nisha	samueldmq, I will do the req changes, following the comment	12:08
samueldmq	nisha: sure :)	12:09
samueldmq	nisha: I personally prefer to have different branches locally	12:09
samueldmq	nisha: and work rebasing them when necessary, I find it easier than working in a single branch with multiple commits	12:09
nisha	so, that there are no children, both branch are separate parents?	12:10
samueldmq	no, there are children and parents	12:11
samueldmq	the first change (the docs) will point to master as its parent	12:11
samueldmq	the second change (the tests) will point to docs as its parent	12:11
nisha	hmm, got it	12:11
samueldmq	master -> docs -> tests	12:11
samueldmq	currently it is : master -> tests -> docs	12:12
nisha	Also, as I modified the client.fixtures.py, so users/client-functional-tests branch is also appearing	12:12
*** markvoelker has joined #openstack-keystone		12:12
*** agireud has quit IRC		12:13
samueldmq	nisha: go to 'domain-python-docs ' branch and do, git rebase -i master	12:13
*** daemontool has joined #openstack-keystone		12:13
*** daemontool_ has quit IRC		12:14
samueldmq	nisha: there will be a parent commit 'Add domain functional tests' during rebase, remove it, so the former will be rebased only on master	12:14
nisha	hmm, done, so shall I remove both the user tests and domain tests now?	12:14
*** amoralej is now known as amoralej\|lunch		12:14
samueldmq	nisha: user tests ?	12:15
*** DinaBelova has quit IRC		12:15
*** ekarlso has quit IRC		12:15
samueldmq	nisha: user tests is already in master, you won't touch it	12:15
*** basilAB has quit IRC		12:15
*** links has quit IRC		12:16
*** rodrigods has quit IRC		12:16
*** agireud has joined #openstack-keystone		12:16
nisha	samueldmq, I see 3 branches when I do git rebase -i master	12:16
samueldmq	nisha: only leave the last one (the docs)	12:16
nisha	samueldmq, cool	12:16
*** rodrigods has joined #openstack-keystone		12:16
samueldmq	nisha: now you have both the tests and the docs depending on master	12:17
samueldmq	nisha: switch to the tests branch, and rebase on the docs	12:17
samueldmq	so you'll have master -> docs -> tests	12:17
samueldmq	nisha: :)	12:17
nisha	samueldmq, great :)	12:17
*** jlvillal has quit IRC		12:18
*** DinaBelova has joined #openstack-keystone		12:18
*** hoonetorg has quit IRC		12:19
*** jlvillal has joined #openstack-keystone		12:19
*** julim has quit IRC		12:20
*** basilAB has joined #openstack-keystone		12:21
*** jaosorior has quit IRC		12:22
*** jaosorior has joined #openstack-keystone		12:22
*** gordc has joined #openstack-keystone		12:26
*** links has joined #openstack-keystone		12:26
*** pauloewerton has joined #openstack-keystone		12:28
*** mvk has quit IRC		12:28
*** hoonetorg has joined #openstack-keystone		12:29
*** henrynash has joined #openstack-keystone		12:29
*** ChanServ sets mode: +v henrynash		12:29
*** dancn` is now known as dancn		12:36
openstackgerrit	Rodrigo Duarte proposed openstack/keystone: WIP: Federated authentication via ECP functional tests https://review.openstack.org/324769	12:38
*** david-lyle has quit IRC		12:39
*** henrynash__ has joined #openstack-keystone		12:41
*** ChanServ sets mode: +v henrynash__		12:41
*** david-lyle has joined #openstack-keystone		12:42
henrynash__	nisha: ping	12:42
breton_	wow	12:43
breton_	rodrigods: nice stuff ^	12:43
rodrigods	breton_, :) waiting for the devstack plugin	12:44
*** henrynash has quit IRC		12:44
*** henrynash__ is now known as henrynash		12:44
*** henrynash is now known as 7F1ABLER7		12:44
*** henrynash_ is now known as 92AAAZ3WR		12:44
*** jaosorior has quit IRC		12:45
breton_	rodrigods: yep, will push it this week	12:45
nisha	92AAAZ3WR, hey	12:47
7F1ABLER7	nisha: sorry, ignore my ping…looked up the wrong author! Sorry!	12:47
nisha	np :)	12:47
samueldmq	7F1ABLER7 is that your new nickname henrynash?	12:47
samueldmq	;)	12:47
7F1ABLER7	blimey, where did that come from!	12:47
7F1ABLER7	(kind of catchy, no?_	12:48
rodrigods	breton_, awesome	12:48
samueldmq	7F1ABLER7: yes, I just need to type 7<tab> now, thanks	12:48
7F1ABLER7	(i’m really not getting the hang of this irc bouncer thing…I’m guessing that assigned it to me when I rejoined, or sometghing like that)?	12:50
samueldmq	7F1ABLER7: I think the whole issue starts because there are 2 henrynash connected	12:50
samueldmq	henrynash and henrynash_	12:51
samueldmq	henrynash had quit and things started to mess up	12:51
*** aurelien__ has joined #openstack-keystone		12:51
7F1ABLER7	samueldmq: hmm, yes, although that’s been like this for a bit….	12:52
*** jaosorior has joined #openstack-keystone		12:52
7F1ABLER7	I’ll quite again....	12:52
*** 7F1ABLER7 has quit IRC		12:52
*** henrynash has joined #openstack-keystone		12:52
*** ChanServ sets mode: +v henrynash		12:52
henrynash	test	12:52
samueldmq	henrynash: cool	12:52
henrynash	hey…I”m me again!	12:52
henrynash	(not great, but just me)	12:53
samueldmq	henrynash: now I trust you. there were a few guys hanging out here sayign there were you	12:53
raildo	henrynash: haha	12:53
samueldmq	they*	12:53
henrynash	samueldmq: never trust anyone claiming to be henrynaash…not even me!	12:54
*** henrynash has quit IRC		12:54
dims	LOL	12:54
samueldmq	heheh	12:54
*** nisha has quit IRC		12:55
*** nisha has joined #openstack-keystone		12:56
-openstackstatus- NOTICE: OpenID login from review.o.o is experiencing difficulties, possibly due to transatlantic network performance issues. Things are being investigated		12:58
*** ChanServ changes topic to "OpenID login from review.o.o is experiencing difficulties, possibly due to transatlantic network performance issues. Things are being investigated"		12:58
*** aurelien__ has quit IRC		12:59
*** permalac_ has joined #openstack-keystone		12:59
*** ekarlso has joined #openstack-keystone		12:59
*** permalac has quit IRC		12:59
*** links has quit IRC		13:00
openstackgerrit	Mikhail Nikolaenko proposed openstack/keystone: Validate impersonation in trust redelegation https://review.openstack.org/330045	13:01
*** roxanaghe has joined #openstack-keystone		13:04
*** ktychkova has quit IRC		13:04
*** ktychkova has joined #openstack-keystone		13:06
lbragstad	o/	13:07
*** roxanaghe has quit IRC		13:09
*** mvk has joined #openstack-keystone		13:11
*** jefrite has quit IRC		13:11
*** timcline has joined #openstack-keystone		13:11
*** shewless has joined #openstack-keystone		13:11
shewless	dstanek: Morning... let me know when you're around :) Or if anyone else can help me with a weird keystone federation problem (federation works but not the first try)	13:11
*** ChanServ changes topic to "Newton Deadlines: http://releases.openstack.org/newton/schedule.html \| Midcycle (July 20-22, San Jose, CA) wiki https://wiki.openstack.org/wiki/Sprints/KeystoneNewtonSprint \| Meeting Etherpad https://etherpad.openstack.org/p/keystone-weekly-meeting"		13:12
-openstackstatus- NOTICE: OpenID logins are back to normal		13:12
*** edmondsw has joined #openstack-keystone		13:15
*** timcline has quit IRC		13:16
*** amoralej\|lunch is now known as amoralej		13:18
*** rderose has joined #openstack-keystone		13:18
*** belmoreira has quit IRC		13:25
*** nisha_ has joined #openstack-keystone		13:26
*** pnavarro has quit IRC		13:26
*** henrynash has joined #openstack-keystone		13:28
*** ChanServ sets mode: +v henrynash		13:28
*** henrynash has quit IRC		13:28
*** henrynash has joined #openstack-keystone		13:28
*** ChanServ sets mode: +v henrynash		13:28
*** julim has joined #openstack-keystone		13:29
openstackgerrit	Alexander Makarov proposed openstack/keystone: Create V10 driver for assignent backend https://review.openstack.org/331670	13:29
*** julim has quit IRC		13:29
*** nisha has quit IRC		13:29
*** belmoreira has joined #openstack-keystone		13:30
*** permalac__ has joined #openstack-keystone		13:30
*** permalac_ has quit IRC		13:30
dstanek	shewless: here	13:32
dstanek	shewless: is this a public node that i can try?	13:32
shewless	dstanek: no it's not public. but we could try something like gotomeeting if you want.	13:33
dstanek	shewless: i think that would be too hard :-(	13:34
dstanek	shewless: so you hit horizon which redirects you to keystone and then to the IdP or does it fail before that?	13:34
openstackgerrit	Nisha Yadav proposed openstack/python-keystoneclient: Improve docs for v3 domains https://review.openstack.org/331629	13:35
shewless	dstanek: I hit horizon.. then I end up on the IdP where I login with my credentials.. then I end up with a "page not found error"	13:35
openstackgerrit	Nisha Yadav proposed openstack/python-keystoneclient: Add domain functional tests https://review.openstack.org/329598	13:35
shewless	dstanek: At that point if I go back to horizon and try again it works	13:35
*** jefrite has joined #openstack-keystone		13:36
dstanek	shewless: so what you need to figure out is if at that point it fails trying to mod_shib or after.	13:37
openstackgerrit	Lance Bragstad proposed openstack/keystone: Remove TestAuth https://review.openstack.org/330240	13:39
openstackgerrit	Lance Bragstad proposed openstack/keystone: Move more project scoped token behavior to TokenAPITests https://review.openstack.org/330219	13:39
openstackgerrit	Lance Bragstad proposed openstack/keystone: Remove test_validate_v2_unscoped_token_with_v3_api https://review.openstack.org/330220	13:39
openstackgerrit	Lance Bragstad proposed openstack/keystone: Refactor test_validate_v2_scoped_token_with_v3_api https://review.openstack.org/330221	13:39
openstackgerrit	Lance Bragstad proposed openstack/keystone: Move last few TestAuth tests to TokenAPITests https://review.openstack.org/330239	13:39
openstackgerrit	Lance Bragstad proposed openstack/keystone: Move external auth and bind test to TokenAPITests https://review.openstack.org/330222	13:39
openstackgerrit	Merged openstack/keystone: Integration tests cleanup https://review.openstack.org/330537	13:39
shewless	dstanek: okay. the shib logs aren't printing any errors.. just logging that a new session is created.	13:40
amakarov	samueldmq, o/	13:41
*** EinstCrazy has joined #openstack-keystone		13:42
samueldmq	amakarov: hi	13:42
*** henrynash has quit IRC		13:42
shewless	dstanek: so keystone is responsible for ensuring this page exists right: /v3/auth/OS-FEDERATION/websso/saml2	13:43
amakarov	samueldmq, as I understood the idea, we do support driver versions for 2 releases	13:43
amakarov	samueldmq, or I can just change/document interface?	13:43
amakarov	and that's it	13:44
shewless	dstanek: what could mod_shib be doing? Not telling keystone that it's authenticated?	13:44
samueldmq	amakarov: yes, the driver versions we have created/published already	13:44
samueldmq	rderose: hi, is this right ? ^	13:44
amakarov	rderose, greetings! Please help me understand current situation about drivers	13:45
rderose	samueldmq: well what I described in the spec was to notify operators in Newton and completely drop support in O	13:46
amakarov	because if I can just change the driver interface without all this driver versioning magic it will save me a lot of code	13:46
rderose	amakarov: ^	13:46
*** henrynash has joined #openstack-keystone		13:46
*** ChanServ sets mode: +v henrynash		13:46
dstanek	shewless: that page first hits mod_shib - so you see a session created when you get the 404?	13:46
samueldmq	rderose: so we don't create new versions of the drivers right ?	13:47
rderose	samueldmq amakarov: right	13:47
shewless	dstanek: yes I do.	13:47
amakarov	rderose, thank you	13:47
rderose	amakarov: np	13:47
*** ddieterly has joined #openstack-keystone		13:48
*** ddieterly is now known as ddieterly[away]		13:48
samueldmq	rderose: in the code, perhaps we should create a new class (e.g RoleDriver) inheriting from the latest version we support as of now (e.g RoleDriverV8)	13:49
shewless	dstanek: I cranked the debug in shibboleth... I dunno.. everything looks okay the last thing it says is this.. which is after the session is created (well actually it's pretty much the same time as the session is created): DEBUG Shibboleth.SSO.SAML2 [1]: ACS returning via redirect to: https://mycloud.foo.com/v3/auth/OS-FEDERATION/websso/saml2?origin=https://foo.sandvine.com/auth/websso/	13:49
*** yolanda has quit IRC		13:49
samueldmq	rderose: so we go from there, making only changes to RoleDriver (unversioned) itself	13:49
shewless	sorry: DEBUG Shibboleth.SSO.SAML2 [1]: ACS returning via redirect to: https://mycloud.foo.com/v3/auth/OS-FEDERATION/websso/saml2?origin=https://mycloud.foo.com/auth/websso/	13:49
rderose	samueldmq: yeah, that sounds reasonable to me.	13:50
*** henrynash has quit IRC		13:50
samueldmq	rderose: nice. amakarov ^ in the case you need it	13:50
raildo	samueldmq: so this issue will impact this patch too, right? https://review.openstack.org/#/c/305315/	13:51
patchbot	raildo: patch 305315 - keystone - Create V9 driver for identity backend	13:51
*** EinstCrazy has quit IRC		13:51
*** raddaoui has joined #openstack-keystone		13:52
samueldmq	raildo: yes, commented there too! nice catch, thanks	13:52
raildo	samueldmq: yw	13:53
*** roxanaghe has joined #openstack-keystone		13:54
dstanek	shewless: sounds like maybe that's being passed to keystone... but you don't see any logs there right?	13:54
*** richm has joined #openstack-keystone		13:54
*** ddieterly[away] is now known as ddieterly		13:55
*** walharthi has joined #openstack-keystone		13:55
*** nisha__ has joined #openstack-keystone		13:56
shewless	dstanek: correct.. no logs from keystone.. I can try and crank the debug on keystone	13:56
shewless	dstanek: sorry 1 log: "GET /v3/auth/OS-FEDERATION/websso/saml2?origin=https://mycloud.foo.com/auth/websso/ HTTP/1.1" 302 2007 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.84 Safari/537.36"	13:57
shewless	dstanek: that's in keystone_access-public.log.. so maybe apache..	13:57
dstanek	shewless: does that redirect happen when you get the 404?	13:58
shewless	dstanek: yes..	13:59
*** nisha_ has quit IRC		13:59
dstanek	shewless: and that's the url in the browser when you see the 404?	14:00
*** _sigmavirus24 is now known as sigmavirus24		14:00
*** sigmavirus24 has joined #openstack-keystone		14:00
shewless	dstanek: yes this is the url in my browser: https://mycloud.foo.com/v3/auth/OS-FEDERATION/websso/saml2?origin=https://mycloud.foo.com/auth/websso/	14:01
shewless	dstanek: FYI cranking the debug level in keystone.conf didn't give me any more information	14:01
*** yolanda has joined #openstack-keystone		14:01
*** woodster_ has joined #openstack-keystone		14:02
dstanek	shewless: when you get the 404 what happens if you refresh?	14:02
*** bjornar_ has quit IRC		14:03
shewless	dstanek: a refresh gives me the same 404 error	14:03
shewless	dstanek: want to try teamviewer now? :)	14:04
*** sheel has quit IRC		14:05
openstackgerrit	Nisha Yadav proposed openstack/python-keystoneclient: Add domain functional tests https://review.openstack.org/329598	14:05
*** daemontool has quit IRC		14:10
dstanek	shewless: what is teamviewer?	14:11
dstanek	shewless: does that URL map to anything in Apache?	14:11
*** slberger has joined #openstack-keystone		14:11
shewless	dstanek: yes it maps to <Location ~ "/v3/auth/OS-FEDERATION/websso/saml2"> .. shib stuff... .. </Location>	14:14
*** mwheckmann has joined #openstack-keystone		14:19
*** jrist has joined #openstack-keystone		14:20
*** darosale has joined #openstack-keystone		14:21
*** jrist has quit IRC		14:22
*** jrist has joined #openstack-keystone		14:22
*** jefrite has quit IRC		14:24
shewless	dstanek: I tried messing around with that apache line but I can't get the behaviour to change. Any recommendations on how I would dig deeper? I tried increasing the debug level of both shibd and keystone with no success	14:24
*** nisha__ is now known as nisha_		14:25
*** BjoernT has joined #openstack-keystone		14:29
*** jorge_munoz has joined #openstack-keystone		14:33
*** tonytan4ever has joined #openstack-keystone		14:34
*** julim has joined #openstack-keystone		14:34
ktychkova	shewless: have you configured sso_callback_template ?	14:35
*** amakarov has quit IRC		14:35
*** pnavarro has joined #openstack-keystone		14:36
*** amakarov has joined #openstack-keystone		14:37
shewless	ktychkova: I copied the sso_callback_template from git.. but it might be incorrect	14:38
*** phalmos has joined #openstack-keystone		14:38
openstackgerrit	Ron De Rose proposed openstack/keystone: PCI-DSS Password SQL model changes https://review.openstack.org/314284	14:38
shewless	ktychkova: I have this in keystone.conf: sso_callback_template = /etc/keystone/sso_callback_template.html	14:38
shewless	I'll paste the contents of that file	14:39
shewless	ktychkova: http://paste.ubuntu.com/17594996	14:39
ktychkova	shewless: and you have template in /etc/keystone with that name, right? If so - it is not template issue	14:40
*** jefrite has joined #openstack-keystone		14:41
shewless	ktychkova: yes I ran pastebinit /etc/keystone/sso_callback_template.html to generate the paste link	14:42
shewless	ktychkova: file is owned by root.. not sure if that matters....?	14:43
*** nisha_ has quit IRC		14:44
*** henrynash has joined #openstack-keystone		14:44
*** ChanServ sets mode: +v henrynash		14:44
*** ddieterly is now known as ddieterly[away]		14:45
*** belmoreira has quit IRC		14:46
*** ddieterly[away] is now known as ddieterly		14:47
*** belmoreira has joined #openstack-keystone		14:47
*** ayoung has quit IRC		14:48
dstanek	ktychkova: the wierd problem is that it works the second time.	14:50
dstanek	shewless: do you see a 404 or 302 in the apache log for the request?	14:50
dstanek	shewless: actually can you paste the apache log?	14:51
shewless	dstanek: I'll paste the log..	14:52
*** real56 has quit IRC		14:52
ktychkova	dstanek: sorry, probably I missed sometheng, what do you by 'it works the second time'?	14:53
*** yolanda has quit IRC		14:54
shewless	dstanek: http://paste.ubuntu.com/17595666	14:56
shewless	ktychkova: Once I've established a session with the IDP I can login successfully from horizon. If I try a new browser/new PC or if i restart shibd then the problem happens	14:56
stevemar	o/	15:00
*** jefrite has quit IRC		15:00
*** adrian_otto has joined #openstack-keystone		15:04
openstackgerrit	Merged openstack/keystone: Validate impersonation in trust redelegation https://review.openstack.org/330045	15:08
*** real56 has joined #openstack-keystone		15:10
dstanek	stevemar!	15:10
stevemar	dstanek: ahoy	15:10
*** adrian_otto1 has joined #openstack-keystone		15:12
dstanek	shewless: what's the timestamp for the 302 you were getting?	15:13
*** adrian_otto has quit IRC		15:15
*** adrian_otto has joined #openstack-keystone		15:15
dstanek	shewless: also testshib doesn't need your SP to be public?	15:15
*** adu has joined #openstack-keystone		15:16
*** jorge_munoz_ has joined #openstack-keystone		15:16
shewless	dstanek: No testshib doesn't require the SP to be public. Your web browser just needs to be able to talk to both sides (which mine can). I'll check the timestamp	15:17
*** jorge_munoz has quit IRC		15:18
*** jorge_munoz_ is now known as jorge_munoz		15:18
*** adrian_otto1 has quit IRC		15:18
shewless	dstanek: do you mean the first log here: http://paste.ubuntu.com/17595666/	15:19
dstanek	shewless: oh, i thought you were saying there was a log entry from keystone. those are all apache	15:21
dstanek	shewless: i have no idea what the issue here is. seems like a mod_shib problem	15:22
dstanek	shewless: do you have a full log? first request being broken and the second not?	15:22
dstanek	shewless: also it's wierd to see the request for the dashboard js file from the 404	15:24
*** tonytan4ever has quit IRC		15:24
shewless	dstanek: The only thing in keystone is the log saying the session is created	15:25
shewless	dstanek: which logs do you want? I'll get them for you	15:25
shewless	dstanek: I can go through the effort to try mellon.. Logically I'm not sure how this is a mod_shib problem. If you could tell me what it's doing wrong maybe I can fix it.. for example is it redirecting to the wrong page? or redirecting at the wrong time?	15:26
henrynash	(test)	15:30
dstanek	shewless: i have no idea what's wrong with your setup	15:30
dstanek	shewless: it's not that it's redirecting afaict, it's that your getting a 404 on that URL.	15:30
*** belmoreira has quit IRC		15:30
dstanek	shewless: what in the keystone log only for the 404 request?	15:30
*** bapalm has joined #openstack-keystone		15:31
dstanek	shewless: also if you can replicate on a public VM it would be easier to test/help	15:33
shewless	dstanek: I can get you access to this machine if you want to use teamviewer or some other screen share tech where I can give you control.	15:33
shewless	dstanek: sorry there is nothing in the keystone log. I mean the shibboleth logs the new session info	15:34
*** slberger has quit IRC		15:34
*** henrynash has quit IRC		15:37
*** ebarrera has quit IRC		15:40
*** pcaruana has quit IRC		15:45
*** ddieterly is now known as ddieterly[away]		15:46
*** gyee has joined #openstack-keystone		15:50
*** ChanServ sets mode: +v gyee		15:50
*** adrian_otto has quit IRC		15:50
*** ddieterly[away] is now known as ddieterly		15:53
*** rcernin has quit IRC		15:55
*** adrian_otto has joined #openstack-keystone		15:55
*** TxGVNN has joined #openstack-keystone		15:56
*** jaosorior has quit IRC		15:58
*** adrian_otto has quit IRC		16:00
*** jaosorior has joined #openstack-keystone		16:01
openstackgerrit	Merged openstack/python-keystoneclient: Improve docs for v3 domains https://review.openstack.org/331629	16:03
*** nisha_ has joined #openstack-keystone		16:03
*** ddieterly is now known as ddieterly[away]		16:05
*** ddieterly[away] is now known as ddieterly		16:06
openstackgerrit	Ron De Rose proposed openstack/keystone: PCI-DSS Password strength requirements https://review.openstack.org/320586	16:08
*** daemontool has joined #openstack-keystone		16:14
*** adu has quit IRC		16:24
*** pushkaru has joined #openstack-keystone		16:25
*** mvk has quit IRC		16:33
*** yolanda has joined #openstack-keystone		16:33
*** julim has quit IRC		16:35
*** slberger has joined #openstack-keystone		16:35
dstanek	shewless: if keystone isn't logging anything then there's a pretty good chance the request isn't getting to it	16:38
*** ayoung has joined #openstack-keystone		16:38
*** julim has joined #openstack-keystone		16:38
*** ChanServ sets mode: +v ayoung		16:38
*** timcline has joined #openstack-keystone		16:40
*** timcline has quit IRC		16:40
*** timcline has joined #openstack-keystone		16:41
shewless	dstanek: okay I'm trying to get mod mellon to work now.. back to the drawing board	16:42
*** amakarov has quit IRC		16:47
*** amakarov has joined #openstack-keystone		16:47
shewless	dstanek or someone can you help me determine what goes in MellonEndpointPath in my apache config?	16:49
mwheckmann	shewless: I can help with that. give me a minute so I can pull up my config.	16:49
openstackgerrit	Merged openstack/python-keystoneclient: Add domain functional tests https://review.openstack.org/329598	16:49
shewless	mwheckmann: thanks. I'm using /v3/OS-FEDERATION/identity_providers/[my "identity provider name" using openstack provider list]/protocols/saml2/auth	16:50
*** dan_nguyen has joined #openstack-keystone		16:50
mwheckmann	shewless: that's good, but just add "/mellon" to the end of that. That config tells Apache to send any request to that location to mod_auth_mellon	16:51
*** ddieterly is now known as ddieterly[away]		16:52
*** ddieterly[away] is now known as ddieterly		16:52
shewless	mwheckmann: I tried it with /mellon but I get an error in apache saying it can't find that page :/	16:52
shewless	mwheckmann: actually same error without the /mellon part too	16:53
*** rcernin has joined #openstack-keystone		16:53
shewless	if /v3/OS-FEDERATION/identity_providers/idp_1/protocols/saml2/auth/mellon is in apache (MellonEndpointPath) does it need to be configured anywhere else in keystone?	16:54
mwheckmann	shewless: when do get that error?	16:54
*** ddieterly is now known as ddieterly[away]		16:54
shewless	mwheckmann: when I try to click "connect" from the horizon dashboard	16:55
mwheckmann	shewless: are you following: http://docs.openstack.org/developer/keystone/federation/federated_identity.html + http://docs.openstack.org/developer/keystone/federation/mellon.html	16:55
mwheckmann	you should if you aren't	16:55
shewless	mwheckmann: yes I am	16:55
mwheckmann	good	16:55
shewless	mwheckmann: been trying to get shib to work for over a week. Got it mostly working except for one final bug.. now trying to switch to mellon to see if it's a bug in shib.	16:56
*** richm has quit IRC		16:59
mwheckmann	shewless: I'm assuming you have a proper <Location> entry for /v3/.... in your Apache conf?	17:00
stevemar	lbragstad: your massive test patch ready to go?	17:02
lbragstad	I had one of them fail but a few are ready	17:02
mwheckmann	shewless: maybe you can put your Apache config + Horizon settings up somewhere so I can look at them?	17:02
lbragstad	stevemar starts here - https://review.openstack.org/#/c/330219/2	17:02
patchbot	lbragstad: patch 330219 - keystone - Move more project scoped token behavior to TokenAP...	17:03
*** nisha_ has quit IRC		17:03
shewless	mwheckmann: will do	17:03
*** ddieterly[away] is now known as ddieterly		17:03
shewless	mwheckmann: horizon = local_settings.py?	17:04
*** pushkaru has quit IRC		17:04
mwheckmann	shewless: yes, local_settings	17:04
*** jaosorior has quit IRC		17:05
shewless	mwheckmann: wsgi-keystone-public.conf: http://paste.ubuntu.com/17602577	17:05
stevemar	lbragstad: this one is failing :O https://review.openstack.org/#/c/330222/2	17:06
patchbot	stevemar: patch 330222 - keystone - Move external auth and bind test to TokenAPITests	17:06
lbragstad	stevemar yeah - i'm debuggging it locally	17:06
shewless	mwheckmann: local_settings.ph: http://paste.ubuntu.com/17602644	17:06
stevemar	lbragstad: i +A'ed the earlier parts of the chain	17:07
lbragstad	stevemar sweet - thank you	17:07
stevemar	np!	17:07
mwheckmann	shewless: so it looks like you have some <Location> entries with regex matching and others that are strict. I would replace the pattern matching for strict matching. At least to begin with. Keep the config as simple as possible to get it working at first.	17:17
*** rcernin has quit IRC		17:18
mwheckmann	e.g replace ".*?" by your actual IDP name string	17:18
*** amakarov has quit IRC		17:19
shewless	mwheckmann: okay I tried that and restarted apache2. I still seem to be getting the same error	17:20
mwheckmann	and use "Location" instead of LocationMatch, get rid of the "~"	17:21
mwheckmann	can you paste the actual Apache error?	17:21
mwheckmann	shewless the other thing that I was going to mention is that I actually included all the Mellon* configs in each <Location> section. i.e everything that I have in "/v3"	17:22
shewless	mwheckmann: Using Location and no "~" now. Here is the address bar at the time of problem. I'll post the apache log too	17:23
mwheckmann	I did it to be safe, but maybe it's actually required. I know it seems redundant	17:23
shewless	mwheckmann: okay.. do you have 4 location sections?	17:23
shewless	mwheckmann: https://mycloud.foo.com/v3/OS-FEDERATION/identity_providers/foo_provider/protocols/saml2/auth/mellon/login?ReturnTo=https%3A%2F%2Fmycloud.foo.com%2Fv3%2Fauth%2FOS-FEDERATION%2Fwebsso%2Fsaml2%3Forigin%3Dhttps%3A%2F%2Fmycloud.foo.com%2Fauth%2Fwebsso%2F&IdP=https%3A%2F%2Fidp.testshib.org%2Fidp%2Fshibboleth	17:23
mwheckmann	yes,I have a total of 4 if you include the plain "/v3"	17:24
shewless	mwheckmann: apache logs : http://paste.ubuntu.com/17603711	17:24
*** spandhe has joined #openstack-keystone		17:24
mwheckmann	shewless: Add all the Mellon* statements to all location sections	17:26
mwheckmann	and then reload apache	17:26
shewless	mwheckmann: Okay I tried that - same error (Added the Mellon* statments and restarted apache)	17:26
mwheckmann	can put up the new config again?	17:27
shewless	mwheckmann: http://paste.ubuntu.com/17603911	17:27
*** tqtran has joined #openstack-keystone		17:29
*** ddieterly is now known as ddieterly[away]		17:30
mwheckmann	shewless: foo_provider != foo_providers	17:30
*** KevinE has joined #openstack-keystone		17:31
shewless	mwheckmann: where do I have "foo_providers"?	17:31
shewless	everywhere I look I only see "foo_provider"	17:32
*** TxGVNN has quit IRC		17:34
shewless	dstanek: I think maybe I was hitting this problem when I was using shibboleth: https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPTroubleshootingCommonErrors#NativeSPTroubleshootingCommonErrors-HTTPPOSTformdataislostwhenShibbolethsessionexpiredordoesnotexistyet	17:35
dstanek	shewless: could be. i generally just use ansible to setup my SP	17:36
*** timcline has quit IRC		17:38
shewless	dstanek: but you don't have postdata in your shibboleth2.xml so I guess that's probably not it..	17:38
*** mvk has joined #openstack-keystone		17:38
*** ametts has joined #openstack-keystone		17:39
dstanek	shewless: postdata?	17:40
shewless	dstanek: the suggestion that shib recommends to solve the problem is to add an option to the config.. an option which you don'thave.. so likely not the problem	17:41
shewless	mwheckmann: what did you mean foo_provider != foo_providers ?	17:42
*** arunkant has joined #openstack-keystone		17:42
dstanek	shewless: i don't think that was it. doesn't seem like it would result in a 404	17:43
shewless	dstanek: do you use ansible to create your openstack environment in general or just to configure the SP?	17:44
mwheckmann	shewless: you are correct. My eyes cheated me because you have "identity_providers" followed by "foo_providers"	17:45
mwheckmann	well without that final 's'	17:45
dstanek	shewless: both - although my environment is for development	17:45
shewless	mwheckmann: fair enough. Does the config look okay? I'm just having a heck of time getting federation to work	17:46
shewless	mwheckmann: what is your entityID set to in your mellon metaData?	17:49
*** mvk_ has joined #openstack-keystone		17:50
*** browne has joined #openstack-keystone		17:52
shewless	mwheckmann: I get slightly further if I change the address bar that fails and add :5000 to it... this port 5000 stuff is confusing	17:52
*** rcernin has joined #openstack-keystone		17:53
dstanek	shewless: port 5000 is just keystone	17:53
*** mvk has quit IRC		17:53
shewless	dstanek: yes I know.. but I keep hitting situations where the url is missing the port 5000 part.. I guess I'm doing something wrong but I don't know what	17:54
*** mvk has joined #openstack-keystone		17:54
*** mkrcmari__ has joined #openstack-keystone		17:55
shewless	dstanek, mwheckmann: the address bar says: https://mycloud.foo.com/v3/OS-FEDERATION/identity_providers/sandvine_provider/protocols/saml2/auth/mellon/login. If I change it to http:// and add :5000 it gets me to the IDP page. my entityID is http://mycloud.foo.com:5000" so I'm not sure why it's going to https:// without port 5000	17:56
*** mvk_ has quit IRC		17:57
*** mvk has quit IRC		17:57
shewless	mwheckmann: do you have a "SingleLoginService" setting in your metadata? I don't but I'm wondering if I should add one	17:57
mwheckmann	shewless: I was about to send you the same thing. I noticed that it wasn't going to port 5000 and your vhost config is on port 5000. That being said, you do get a wsgi error oddly enough	17:58
mwheckmann	so I was thinking you had a reverse proxy in front sending it to 5000	17:58
*** mkrcmari__ has quit IRC		18:01
shewless	mwheckmann: I have no idea why it's sending me to that https:// URL without the port 5000. Where is that configured?	18:02
mwheckmann	it shoud be hitting /v3/auth/OS-FEDERATION/.... and not /v3/OS-FEDERATION since the latter is mapped to a WSGI script alias.	18:02
mwheckmann	that explains why the error you get is a WSGI error	18:03
*** spandhe has quit IRC		18:03
mwheckmann	(in addition to the port problem)	18:03
shewless	mwheckmann: did I mess up the apache config?	18:03
mwheckmann	no the apache config looks good AFAICT	18:03
*** spandhe has joined #openstack-keystone		18:05
shewless	mwheckmann: I think it's because I set "UseCanonicalName true"	18:05
openstackgerrit	Roxana Gherle proposed openstack/keystone: /services?name=<name> API fails when using list_limit https://review.openstack.org/331790	18:05
*** daemontool has quit IRC		18:06
mwheckmann	shewless: I was wondering about that one. I don't use it	18:06
shewless	mwheckmann: yes.. that was causing that particular problem.. it's better without it.. but still not quite working..	18:06
*** mkrcmari__ has joined #openstack-keystone		18:06
shewless	mwheckmann: now I'm getting Error processing authn response. Lasso error: [-432] Status code is not success	18:09
shewless	mwheckmann: which I think has something to do with the keys perhaps	18:09
openstackgerrit	Lance Bragstad proposed openstack/keystone: Move external auth and bind test to TokenAPITests https://review.openstack.org/330222	18:09
openstackgerrit	Lance Bragstad proposed openstack/keystone: Move last few TestAuth tests to TokenAPITests https://review.openstack.org/330239	18:10
openstackgerrit	Lance Bragstad proposed openstack/keystone: Remove TestAuth https://review.openstack.org/330240	18:10
mwheckmann	shewless: sounds liek progress. At least the request is being routed to mod_auth_mellon now	18:10
shewless	mwheckmann: yes.	18:11
mwheckmann	Unfortunaly, I can't help much debugging your actuall Mellon setup. I'll I can say is that it works well for me out of the box on CentOS 7 (latest) with the included mod_auth_mellon	18:12
dstanek	shewless: hmm...you may want to try to get a public node. it would be much easier to help debug	18:13
*** BjoernT is now known as Bjoern_zZzZzZzZ		18:13
mwheckmann	shewless: I also suggest that you use the SAML tracer Firefox plugin. It helps a lot for debugging	18:13
dstanek	mwheckmann: ++ any of the tracing plugins would be helpful	18:14
stevemar	clenimar: hey there, thanks for helping out with the migration to keystoneauth!	18:14
*** jed56 has quit IRC		18:15
clenimar	stevemar: :)	18:15
openstackgerrit	Merged openstack/keystone: Move more project scoped token behavior to TokenAPITests https://review.openstack.org/330219	18:15
clenimar	stevemar: glad to help...	18:16
openstackgerrit	Merged openstack/keystone: Remove test_validate_v2_unscoped_token_with_v3_api https://review.openstack.org/330220	18:16
stevemar	clenimar: i very much appreciate it	18:16
*** Bjoern_zZzZzZzZ is now known as BjoernT		18:17
openstackgerrit	Merged openstack/keystone: Refactor test_validate_v2_scoped_token_with_v3_api https://review.openstack.org/330221	18:17
*** haplo37_ has joined #openstack-keystone		18:19
openstackgerrit	Lance Bragstad proposed openstack/keystone: Move external auth and bind test to TokenAPITests https://review.openstack.org/330222	18:20
openstackgerrit	Lance Bragstad proposed openstack/keystone: Move last few TestAuth tests to TokenAPITests https://review.openstack.org/330239	18:20
openstackgerrit	Lance Bragstad proposed openstack/keystone: Remove TestAuth https://review.openstack.org/330240	18:21
*** darosale has quit IRC		18:25
*** ddieterly[away] has quit IRC		18:30
lbragstad	stevemar the latest series ^ fixes the issue.. I had a merge conflict with jamielennox request/context patch	18:36
*** ddieterly has joined #openstack-keystone		18:36
lbragstad	the remaining refactor is all passing locally for me	18:36
*** pooja has joined #openstack-keystone		18:44
openstackgerrit	Alexander Makarov proposed openstack/keystone-specs: Complete RBAC in keystone https://review.openstack.org/325326	18:45
pooja	Hi, I am new to keystone and had some questions regarding the SSO federation support. AFAIK keystone maps SSO users to groups and has role assignments on these groups. Is there any support for identifying these SSO users as users (and not groups) in keystone to support something per-user quotas in nova. Appreciate any insight into this. Thanks!	18:46
*** timcline has joined #openstack-keystone		18:51
*** EinstCrazy has joined #openstack-keystone		18:54
*** EinstCrazy has quit IRC		18:59
*** jaugustine has joined #openstack-keystone		18:59
*** real56 has quit IRC		19:03
lbragstad	pooja keystone is in the process of supporting concrete role assignment for federated users, so instead of assigning roles to groups and mapping federated users into those groups, you could assign roles to the federated user directly	19:06
lbragstad	that is currently something we are working on for Newton	19:06
notmorgan	pooja: you can map users to "exisiting" users in keystone as well. There is also currently work being done on what is called "shadow users", which will provide more directly exactly what you're asking for	19:06
lbragstad	s/we/rderose/	19:06
notmorgan	pooja: what lbragstad said	19:07
*** alex_xu has quit IRC		19:07
*** alex_xu has joined #openstack-keystone		19:09
*** jaugustine has quit IRC		19:25
*** ddieterly is now known as ddieterly[away]		19:28
*** amoralej is now known as amoralej\|brb		19:33
*** dan_nguyen has quit IRC		19:33
mwheckmann	anyone here able to help with a federation domain mapping problem?	19:42
*** gyee has quit IRC		19:45
*** dan_nguyen has joined #openstack-keystone		19:46
*** pushkaru has joined #openstack-keystone		19:48
*** pushkaru has quit IRC		19:49
*** pushkaru has joined #openstack-keystone		19:50
dstanek	mwheckmann: did anyone answer your question?	19:54
*** richm has joined #openstack-keystone		19:54
mwheckmann	dstanek: nope	19:54
*** EinstCrazy has joined #openstack-keystone		19:55
mwheckmann	I actually sent an email to the operators list about it a while back, but it didn't really get any traction: http://lists.openstack.org/pipermail/openstack-operators/2016-June/010694.html	19:55
dstanek	mwheckmann: you should just ask here and someone will probably answer it	19:56
mwheckmann	dstanek: I basically have federation working nicely. Group mappings work. The problem is that users that come in from Federation are in the special "Federated" domain and even if I map a user into a group that has admin role, the v3 sample policy.json doesn't work. I can't make someone domain admin because they are not in the domain.	19:57
*** maxabidi has joined #openstack-keystone		19:59
*** EinstCrazy has quit IRC		19:59
*** ddieterly[away] is now known as ddieterly		20:00
mwheckmann	dstanek: In fact, I'm not even sure if this can work at all with Mitaka. I might need to wait for the per domain mappings feature: https://review.openstack.org/#/c/324055/2/specs/keystone/newton/shadow-mapping.rst	20:01
patchbot	mwheckmann: patch 324055 - keystone-specs - Mapping shadow users into projects and roles	20:01
*** jaugustine has joined #openstack-keystone		20:01
mwheckmann	If someone could confirm my suspicion...	20:02
notmorgan	stevemar: wow, i just read the scroll back and feel like I've successfully swapped most keystone knowledge out	20:04
notmorgan	stevemar: it's only taken ~5 weeks.	20:04
rodrigods	mwheckmann, you can map to an existing user, in a domain that is not "Federated"	20:04
stevemar	notmorgan: keep it thaat way :)	20:05
mwheckmann	rodrigods: You mean that I would have to pre-create all my users before they sign in for the first time?	20:05
rodrigods	mwheckmann, you do that by specifying the user type as "local"	20:05
rodrigods	yes, if you don't want them to map to the federated domain	20:05
notmorgan	stevemar: i don't think i can :(. If i plan on going to the midcycle here :P	20:05
mwheckmann	rodrigods: you mean in the "local" section, I specify the local type?	20:06
mwheckmann	Can you paste an example somewhere?	20:06
rodrigods	mwheckmann, sure... think this is the best source we have about mapping rules: http://docs.openstack.org/developer/keystone/mapping_combinations.html#output	20:06
mwheckmann	yup, I'm familiar with that page	20:07
mwheckmann	rodrigods: except that I believe that that section describes the "output" of a succesful mapping. I think I even tried specifying the user domain but it kept refusing my mapping.	20:09
mwheckmann	I will try again right now	20:09
dstanek	mwheckmann: rodrigods: can't you just specify the group in the local section of a mapping? or will that not work?	20:10
rodrigods	mwheckmann, dstanek the user will be in the same domain as the group?	20:11
rodrigods	i'd need to 2x check the code	20:11
mwheckmann	yes, ideally	20:12
*** mvk_ has joined #openstack-keystone		20:12
*** mvk_ has quit IRC		20:13
mwheckmann	This is what I get when I add "type" to the local section: "Additional properties are not allowed (u'type' was unexpected)"	20:14
*** mvk_ has joined #openstack-keystone		20:14
rodrigods	mwheckmann, what happens if you specify a domain_id?	20:14
*** pumarani__ has joined #openstack-keystone		20:14
*** mkrcmari__ has quit IRC		20:15
*** pushkaru has quit IRC		20:15
mwheckmann	rodrigods: That's what I have now. The user still gets dropped into the "Federated" domain :(	20:15
*** maxabidi has quit IRC		20:15
*** KevinE has quit IRC		20:16
mwheckmann	rodrigods: I even tested that with the user pre-created in the appropriate domain :(	20:17
pooja	Thanks lbragstad and notmorgan for sharing that info!	20:17
rodrigods	mwheckmann, interesting...	20:17
pooja	So with stable-mitaka, is the partial support for shadow-users already implemented to the point that I can see a user-id being assigned in keystone for an authenticated SSO user?	20:18
mwheckmann	pooka: yes, a shadow user is even created. The users shows up in a user list. Domain is set to "None"	20:19
*** tonytan4ever has joined #openstack-keystone		20:19
rodrigods	mwheckmann, dstanek, found it: https://github.com/openstack/keystone/blob/master/keystone/federation/utils.py#L591-L606	20:20
rodrigods	mwheckmann, it checks by user type	20:20
mwheckmann	ok.. still not sure that I understand.	20:21
rodrigods	mwheckmann, if you are not being able to set the type in the user entry	20:22
rodrigods	it must be a bug	20:22
pooja	Okay, great! Also when I upgraded from liberty to mitaka, I see ArgsAlreadyParsedError errors when registering cli opts during app startup. Could the httpd/keystone.py script deprecation be causing this?	20:22
rodrigods	because we rely in that parameter to check if we are going to map to the Federated domain (if user is ephemeral) or not	20:22
mwheckmann	I agree it must be a bug then	20:23
*** amoralej\|brb is now known as amoralej		20:25
mwheckmann	I'm going to play around with a few things	20:26
rodrigods	mwheckmann, ++	20:28
*** rcernin has quit IRC		20:31
*** pumarani__ has quit IRC		20:32
*** gyee has joined #openstack-keystone		20:33
*** ChanServ sets mode: +v gyee		20:33
mwheckmann	rodrigods: Well this is embarrassing: I'm running a version I pulled from Delorean a few days before the official Mitaka release. I thought I was missing only a few very minor unrelated commits. However, it turns out that the release I'm running is from early March and I'm missing for example: https://github.com/openstack/keystone/commit/e4e16cefab34d81c155b4814338a648e0a64b1b9	20:35
mwheckmann	it's 9.0.0b4	20:35
rodrigods	mwheckmann, it happens :)	20:36
mwheckmann	I'm going to upgrade my container and try this out again.	20:36
*** daemontool has joined #openstack-keystone		20:38
*** jaugustine has quit IRC		20:44
lbragstad	does anyone know of an openstack service that deploys auth_token in the "delegated mode"? http://docs.openstack.org/developer/keystonemiddleware/middlewarearchitecture.html#authentication-component-delegated-mode	20:46
*** daemontool has quit IRC		20:49
*** jaugustine has joined #openstack-keystone		20:50
*** yolanda has quit IRC		20:52
*** timcline has quit IRC		20:55
*** timcline has joined #openstack-keystone		20:56
*** Anticime1 is now known as Anticimex		20:57
*** pnavarro has quit IRC		20:58
gyee	lbragstad, yes, Swift does	20:59
lbragstad	gyee ah	20:59
*** julim has quit IRC		20:59
gyee	they set 'delay_auth_decision' to true	20:59
*** haplo37_ has quit IRC		21:00
*** timcline has quit IRC		21:00
*** raildo is now known as raildo-afk		21:02
*** amoralej is now known as amoralej\|off		21:05
*** jaugustine has quit IRC		21:07
*** jaugustine has joined #openstack-keystone		21:08
*** slberger has quit IRC		21:09
*** pauloewerton has quit IRC		21:10
*** mwheckmann has quit IRC		21:12
*** roxanaghe has quit IRC		21:15
openstackgerrit	Lance Bragstad proposed openstack/keystonemiddleware: Clean up middleware architecture https://review.openstack.org/331842	21:15
*** roxanaghe has joined #openstack-keystone		21:16
*** pushkaru has joined #openstack-keystone		21:20
*** slberger has joined #openstack-keystone		21:25
*** walharthi has quit IRC		21:30
*** BjoernT has quit IRC		21:32
*** ddieterly is now known as ddieterly[away]		21:39
*** EinstCrazy has joined #openstack-keystone		21:42
*** pushkaru has quit IRC		21:43
openstackgerrit	Lance Bragstad proposed openstack/keystonemiddleware: Clean up middleware architecture https://review.openstack.org/331842	21:43
*** ddieterly[away] is now known as ddieterly		21:44
*** timcline has joined #openstack-keystone		21:45
*** EinstCrazy has quit IRC		21:47
*** slberger has left #openstack-keystone		21:49
*** timcline has quit IRC		21:50
*** pushkaru has joined #openstack-keystone		21:53
*** tonytan4ever has quit IRC		21:54
*** sigmavirus24 is now known as sigmavirus24_awa		22:04
*** tonytan4ever has joined #openstack-keystone		22:05
*** edmondsw has quit IRC		22:07
*** pooja has quit IRC		22:10
*** ddieterly is now known as ddieterly[away]		22:12
*** pushkaru has quit IRC		22:14
dstanek	dolphm: thanks for the merge! trying to clean up my dev stuff and all of the open loops i have	22:14
*** phalmos has quit IRC		22:15
*** jaugustine has quit IRC		22:19
*** ametts has quit IRC		22:27
openstackgerrit	guang-yee proposed openstack/keystone: Make sure to use InnoDB as the DB engine https://review.openstack.org/331872	22:29
*** gordc has quit IRC		22:34
*** ddieterly[away] is now known as ddieterly		22:35
*** timcline has joined #openstack-keystone		22:40
openstackgerrit	Merged openstack/keystone: Move external auth and bind test to TokenAPITests https://review.openstack.org/330222	22:42
*** EinstCrazy has joined #openstack-keystone		22:43
*** timcline has quit IRC		22:44
openstackgerrit	Merged openstack/keystone: Move last few TestAuth tests to TokenAPITests https://review.openstack.org/330239	22:46
openstackgerrit	Merged openstack/keystone: Remove TestAuth https://review.openstack.org/330240	22:46
*** tonytan4ever has quit IRC		22:48
*** timcline has joined #openstack-keystone		22:51
*** woodburn has quit IRC		22:55
*** timcline has quit IRC		22:56
*** ddieterly is now known as ddieterly[away]		22:57
openstackgerrit	Brant Knudson proposed openstack/keystone: Test out the new isoformat function (WIP) https://review.openstack.org/331883	22:58
*** gyee has quit IRC		22:58
*** ddieterly[away] is now known as ddieterly		23:02
*** roxanaghe has quit IRC		23:08
*** roxanaghe has joined #openstack-keystone		23:08
*** ddieterly has quit IRC		23:17
*** EinstCrazy has quit IRC		23:32
*** shoutm has joined #openstack-keystone		23:37
*** sdake has joined #openstack-keystone		23:38
*** iurygregory_ has joined #openstack-keystone		23:39
*** sdake_ has joined #openstack-keystone		23:42
*** sdake has quit IRC		23:43
*** dan_nguyen has quit IRC		23:45
*** timcline has joined #openstack-keystone		23:46
openstackgerrit	Ron De Rose proposed openstack/keystone: PCI-DSS Password strength requirements https://review.openstack.org/320586	23:48
*** timcline has quit IRC		23:50
*** chlong has joined #openstack-keystone		23:51
*** chlong is now known as chlong\|rhce_trng		23:52
*** slberger has joined #openstack-keystone		23:54

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!