Wednesday, 2016-06-22

00:00 <jamielennox> ayoung: ok, but i don't want to do multi hour operations with it
00:00 <ayoung> I suspect 2 hours will be what we end up needing
00:00 <jamielennox> trusts were abused for the timeout issue, hopefully we can improve that later
00:00 <ayoung> that is the problem that we are facing.
00:01 <jamielennox> but something like a trust is still the right thing for really long lived operations
00:01 <jamielennox> but we'll see
00:01 <ayoung> yeah, but there are things like snapshot that are like 1 hour + a few minutes
00:01 *** ddieterly has joined #openstack-keystone
00:01 <ayoung> anything that is routine should not need a database record to authorize it
00:01 <jamielennox> yea, so that i feel should be ok for a reservation
00:02 <jamielennox> because it's still the user's request
00:02 <ayoung> I think we agree on everything but the name
00:02 <ayoung> to me reservations mean "specific to a resource"
00:02 <ayoung> and these are not
00:02 <jamielennox> ayoung: define resource
00:06 <jamielennox> words i see:
00:07 <jamielennox> heh, blessing
00:09 <notmorgan> i... wow
00:09 <notmorgan> thesaurus much?
00:10 <jamielennox> i have no other ideas
00:10 <jamielennox> an authorization is the right word, but it's overused
00:11 *** lucas____ has joined #openstack-keystone
00:12 <jamielennox> anyway - if someone has a better term i'm all ears
00:12 *** markvoelker has joined #openstack-keystone
00:13 <jamielennox> ayoung: also i'm back to being annoyed that you can't easily install ipa and ipsilon side by side
00:13 *** markvoelker_ has joined #openstack-keystone
00:14 *** rderose_ has joined #openstack-keystone
00:15 *** markvoel_ has joined #openstack-keystone
00:15 *** markvoelker has quit IRC
00:15 *** lucas____ has quit IRC
00:17 *** julim has joined #openstack-keystone
00:18 *** rderose has quit IRC
00:19 *** markvoelker_ has quit IRC
00:22 *** roxanaghe has quit IRC
00:25 <amrith> bknudson_, I'm throwing in the towel. making timeutils.isoformat() produce .000000 effectively defeats the claim that it is a wrapper on isoformat() with just one little tweak. The 'tweak' to make it do the .000000 is pretty much throwing in the towel and reinventing isotime(). I propose to abandon my patch ...
00:26 *** rderose_ has quit IRC
<openstackgerrit> Sam Leong proposed openstack/keystoneauth: Auth plugin for X.509 tokenless authz
<openstackgerrit> Sam Leong proposed openstack/keystoneauth: Auth plugin for X.509 tokenless authz
00:47 *** catintheroof has joined #openstack-keystone
00:57 *** edtubill has quit IRC
00:59 *** davechen has joined #openstack-keystone
01:03 *** gordc has quit IRC
01:06 *** lucas____ has joined #openstack-keystone
01:07 *** catintheroof has quit IRC
01:10 *** lucas____ has quit IRC
01:10 *** KevinE has quit IRC
01:10 *** mserngawy_ has quit IRC
01:17 *** raddaoui has quit IRC
01:18 *** BjoernT has joined #openstack-keystone
01:28 *** BjoernT has quit IRC
01:34 *** ktychkova has quit IRC
01:39 *** dan_nguyen has joined #openstack-keystone
01:41 <jamielennox> gyee, this x509 tokenless auth plugin, how will that work against a service other than identity?
01:50 <ayoung> jamielennox, it won't
01:50 *** toddnni_ has joined #openstack-keystone
01:50 <ayoung> we need all the other plumbing I've talked about to do that
01:50 *** EinstCrazy has joined #openstack-keystone
01:50 <ayoung> basically, the remote service needs the ability to concoct an AuthContext from the X509:
01:51 *** ddieterly has quit IRC
01:51 *** toddnni has quit IRC
01:51 *** toddnni_ is now known as toddnni
01:51 <ayoung> it needs to look up the mapping, use that and something the user provides to get the set of roles that the user has on the project scoped to the resource.
01:51 <ayoung> jamielennox, BTW...are you punting on the 968696 work?
01:52 <jamielennox> ayoung: i don't know how x509 service to service would work - where is the service catalog coming from?
01:52 <ayoung> jamielennox, like anything else, it would have to be queried from Keystone
01:52 <jamielennox> ayoung: no, merged yesterday
<jamielennox> ayoung: and the next one would be
01:53 <ayoung> jamielennox thanks. that came up earlier this week
01:53 <ayoung> wasn't sure if it was still making progress.
01:53 <jamielennox> ayoung: yea, we've had a few where you have to wait for a release then fix in another library then wait
01:53 <stevemar> ayoung: slowly, lots of pieces to update
01:53 <jamielennox> but with the context patch we need to figure out what the rule should look like in oslo_policy
01:54 <jamielennox> i admit to have written the context patch without any idea how to do that
01:54 <jamielennox> but i'm passing a boolean 'is_admin_policy' through to policy so we should be able to work with that
01:55 <ayoung> so policy would be is_admin_project=True?
01:55 <jamielennox> i actually wasn't sure if a string would be better there for policy, but it should work with a bool
01:56 *** stevemar has quit IRC
<jamielennox> ayoung: so line 109 of
01:56 <patchbot> jamielennox: patch 331916 - oslo.context - Add is_admin_project to context
01:56 <jamielennox> that's the standard policy dict
01:57 <jamielennox> all services will (eventually) pass at least those values through to policy enforce()
01:57 <jamielennox> 'is_admin_project' is a bool
01:57 <jamielennox> now maybe we want a custom rule in oslo.policy?
01:58 <jamielennox> i can't do policy language off the top of my head to know how to match 'is_admin_project' missing or True
02:00 <jamielennox> if it appears like i've just completely missed something that was said please repeat it as i'm in a coffee shop and the connection is not exactly stable
02:01 <jamielennox> ayoung: also referring to earlier, if you are using tokenless auth and you have to fetch a service catalog and such from keystone you are much better off using a federated IDP with an x509 credential
02:03 *** iurygregory_ has quit IRC
02:03 *** spandhe has quit IRC
02:03 *** ddieterly has joined #openstack-keystone
02:09 <notmorgan> jamielennox: i think we've avoided using "a user authorization" as an article fairly well
02:09 <notmorgan> jamielennox: not sure if that matters, but we could probably use it in this context
02:10 <notmorgan> jamielennox: might be worth doing so.
02:11 <notmorgan> jamielennox: OR we name it something totally new / made up.
02:11 <notmorgan> jamielennox: that has no real bearing word-wise to authz things [ick]
02:14 *** ddieterly has quit IRC
02:16 *** jamielennox is now known as jamielennox|away
02:17 *** jamielennox|away is now known as jamielennox
02:17 *** jorge_munoz has quit IRC
02:19 <jamielennox> notmorgan: like ticket?
02:19 <jamielennox> show your id, give your money, get a ticket for one ride?
02:21 *** browne has quit IRC
<openstackgerrit> Merged openstack/keystone: /services?name=<name> API fails when using list_limit
<openstackgerrit> David Stanek proposed openstack/keystone: Use the ldap fixture to simplify tests
02:30 *** tonytan4ever has joined #openstack-keystone
02:36 <notmorgan> jamielennox: ticket would work too
02:36 <notmorgan> and fwiw, we're close enough to krb that it makes sense.
02:56 *** stevemar has joined #openstack-keystone
02:56 *** ChanServ sets mode: +o stevemar
03:02 <gyee> jamielennox, x.509 can be used for server to service authentication, you don't even need mapping if you don't want to :-)
03:04 <jamielennox> gyee: how does a service with x509 know where the other services are?
03:05 <gyee> you can either configure it, or lookup catalog from keystone
03:06 <gyee> we already have tokenless token validation, not too difficult to extend it to other operations
03:06 <gyee> like catalog lookup
03:07 <gyee> remember, mapping can take ALL environment variables into consideration, including METHOD and PATH
03:08 <gyee> and API is essentially identified by METHOD and PATH
03:08 <gyee> so you can control which API to grant access by matching METHOD and PATH
03:11 <jamielennox> gyee: it's not going via mapping though because you don't get a token
03:11 <gyee> jamielennox, I am drafting an abstract for Barcelona on all the wonderful things you can do with certificates, hopefully it will get selected
03:11 <gyee> so come to my session if it happens, I'll spill the beans :-)
03:12 <gyee> jamielennox, take a look at the tokenless auth code
03:12 <jamielennox> gyee: i'm mostly not wanting to steer sam's tokenless auth patch wrong
03:13 <gyee> there's a mapping involved on the server side
03:13 <jamielennox> to me the only get_endpoint it would ever be asked for is the identity endpoint because that's what auth_token uses for user validation
03:13 <gyee> we can easily extend it to make it generic
03:13 <jamielennox> and i'm stuck on how and why you would change that for more services
03:13 <gyee> you can use it for service to service
03:13 <gyee> auth context is constructed from identity headers, no?
03:14 <jamielennox> does it correctly set up X_SERVICE_BLAH headers? i'm pretty sure no
03:14 <gyee> we can easily translate certificate attributes into identity headers
03:14 <gyee> yes it can
03:14 <gyee> you can do the trick at Apache or HAProxy
03:15 <jamielennox> so auth_token middleware scraps all incoming headers that might try and emulate what we pass down to services
03:15 <jamielennox> so you can't fake it at the apache level
03:15 <jamielennox> but forgetting that i'm not worried about keystone
03:15 <jamielennox> it's every other service i'm not sure about
03:15 <jamielennox> on keystone side this is all easy
03:16 <jamielennox> but how would a tokenless auth be used to talk to something not keystone?
03:16 *** topol has joined #openstack-keystone
03:16 *** ChanServ sets mode: +v topol
03:16 <gyee> I think we can find a way to tell auth_token to bypass scrapping headers
03:17 <gyee> jamielennox, certificate contains a set of attributes, not different than SAML2 attributes
03:17 <jamielennox> gyee: that would involve auth_token/something on the (eg) nova service knowing how to do client cert validation?
03:17 <gyee> we just need a way to map those attributes into something meaningful to the service itself
03:18 <gyee> cert validation is done by the front-end, where SSL terminates
03:19 <gyee> it is up to the application to decide what to do with it
03:19 <gyee> if cert is not trusted, connection will not even go through
03:19 <jamielennox> ok, i don't know how to deal with that from an auth_token sense
03:20 <jamielennox> or what's producing the catalog etc
03:20 <jamielennox> but i think if for now we just fail to do anything but auth that's ok
03:20 <jamielennox> sorry fail to call anything but identity
03:21 <gyee> that's fine, we have something to start with
03:21 <gyee> but my point is we can easily extend it to other areas
03:21 <gyee> when it comes to security, we have to consider the totality of the system, not just part of it
03:23 <gyee> jamielennox, I have to bail, dinner time, ttyl, thanks for the code review
03:23 <jamielennox> gyee: cya
03:23 <gyee> I'll do more code reviews after a full belly
03:24 *** gyee has quit IRC
03:24 *** davechen has quit IRC
03:25 *** EinstCrazy has quit IRC
03:25 *** EinstCrazy has joined #openstack-keystone
03:29 *** links has joined #openstack-keystone
03:41 *** spandhe has joined #openstack-keystone
03:44 *** spandhe_ has joined #openstack-keystone
03:44 *** catintheroof has joined #openstack-keystone
03:45 *** spandhe has quit IRC
03:45 *** spandhe_ is now known as spandhe
03:46 *** roxanaghe has joined #openstack-keystone
03:48 *** dave-mcc_ has quit IRC
03:53 *** tonytan4ever has quit IRC
03:58 *** anush__ has joined #openstack-keystone
04:00 *** anush__ has quit IRC
04:00 *** richm has quit IRC
04:00 *** anush__ has joined #openstack-keystone
04:02 *** stevemar has quit IRC
04:02 *** catintheroof has quit IRC
04:09 *** EinstCrazy has quit IRC
04:23 *** jaosorior has joined #openstack-keystone
04:25 *** dan_nguyen has quit IRC
04:30 *** sheel has joined #openstack-keystone
04:56 *** rcernin has joined #openstack-keystone
05:02 *** stevemar has joined #openstack-keystone
05:02 *** ChanServ sets mode: +o stevemar
05:07 *** stevemar has quit IRC
05:10 *** KevinE has joined #openstack-keystone
05:11 *** roxanaghe has quit IRC
05:12 *** roxanaghe has joined #openstack-keystone
05:15 *** KevinE has quit IRC
05:16 *** rcernin has quit IRC
05:17 *** roxanaghe has quit IRC
05:30 *** lucas____ has joined #openstack-keystone
05:34 *** chlong has quit IRC
05:35 *** lucas____ has quit IRC
<openstackgerrit> Alex Xu proposed openstack/oslo.policy: Add note about not all APIs support policy enforcement by user_id
05:47 *** chlong has joined #openstack-keystone
05:55 *** rcernin has joined #openstack-keystone
06:07 *** TxGVNN has joined #openstack-keystone
06:10 *** EinstCrazy has joined #openstack-keystone
06:18 *** roxanaghe has joined #openstack-keystone
06:22 *** roxanaghe has quit IRC
06:29 *** yolanda has quit IRC
<openstackgerrit> Srushti Gadadare proposed openstack/keystone: Return BadRequest for 4 byte unicode characters
06:46 *** david-lyle_ has joined #openstack-keystone
06:47 *** tesseract- has joined #openstack-keystone
06:48 *** hugokuo_ has joined #openstack-keystone
06:52 *** dmellado_ has joined #openstack-keystone
06:54 *** jaosorior is now known as jaosorior_brb
06:54 *** charz has joined #openstack-keystone
06:55 *** dgonzalez_ has joined #openstack-keystone
<openstackgerrit> Swapnil Kulkarni (coolsvap) proposed openstack/keystone: [WIP] Testing latest u-c
<openstackgerrit> Swapnil Kulkarni (coolsvap) proposed openstack/keystone: [WIP] Testing latest u-c
07:01 *** EinstCrazy has quit IRC
07:02 *** EinstCrazy has joined #openstack-keystone
07:04 *** yolanda has joined #openstack-keystone
07:04 *** anush__ has quit IRC
07:04 *** david-lyle has quit IRC
07:04 *** dgonzalez has quit IRC
07:04 *** rm_work has quit IRC
07:04 *** dmellado has quit IRC
07:04 *** charz_ has quit IRC
07:04 *** david_cu has quit IRC
07:04 *** hugokuo has quit IRC
07:04 *** dgonzalez_ is now known as dgonzalez
07:04 *** hugokuo_ is now known as hugokuo
07:06 *** permalac_ has quit IRC
07:07 *** EinstCrazy has quit IRC
07:10 *** yolanda has quit IRC
07:11 *** EinstCrazy has joined #openstack-keystone
07:13 *** spandhe has quit IRC
07:14 *** rm_work has joined #openstack-keystone
07:16 *** spandhe has joined #openstack-keystone
07:18 *** Dave has quit IRC
07:20 <henrynash_> jamielennox: hi
07:22 *** pcaruana has joined #openstack-keystone
07:23 <jamielennox> henrynash_: hey
07:24 <henrynash> hi….do you have a moment to talk about test_middleware and the _middleware_failure class?
07:25 <jamielennox> henrynash: sure, can do
07:25 <henrynash> this is tests/unit/test_middleware….
07:25 *** chlong has quit IRC
07:26 *** stevemar has joined #openstack-keystone
07:26 *** ChanServ sets mode: +o stevemar
07:26 <jamielennox> oh, yep, i see it - i remember this one
07:26 <henrynash> …and I note a comment of yours in the _middleware_failure class on the fact that it’s a bit ugly!
07:27 *** stevemar_ has joined #openstack-keystone
07:27 *** ChanServ sets mode: +o stevemar_
07:28 <henrynash> in preparation for passing around versions in the request for microversioning, I have proposed that we pass the request (that you added to the controllers) back into render_response
07:28 <jamielennox> are you looking for why?
07:28 *** amoralej|off is now known as amoralej
07:28 *** davechen has joined #openstack-keystone
07:28 *** davechen has left #openstack-keystone
07:28 <patchbot> henrynash: patch 330720 - keystone - Pass request back into wsgi render_reponse
07:28 <henrynash> all fine
07:29 <henrynash> but when I come to use this request in the wsgi response, the AuthContextMiddle tests blow up….
07:29 <jamielennox> yep, i had a brief look through that patch the other day, but i was waiting for some more info re whether we are still doing microversions first
07:30 *** stevemar has quit IRC
07:30 <henrynash> basically any of the AuthContextMiddleware tests in test_middleware end up calling wsgi.render_response….but I don’t know how they get to do that
07:31 <jamielennox> i think because the authcontext subclasses auth_token middleware
07:31 <jamielennox> and auth_token middleware doesn't expect a response to be passed
07:32 *** ebarrera has joined #openstack-keystone
07:32 *** stevemar_ has quit IRC
07:32 <henrynash> (sorry, I meant they ended up calling wsgi.render_exception)
07:33 <henrynash> I’m obviously missing something obvious, but can’t see the path to how they get to using our wsgi methods in these tests
07:34 <henrynash> all the other middleware classes are derived from wsgi.Application or something - so that makes sense…but not AuthContext
<jamielennox> henrynash: via this decorator:
07:36 <henrynash> ahh, damn, right
07:37 <jamielennox> it's annoying really, the proper thing to do is for middleware to render its own exceptions but that logic was already in place because it used to depend on wsgi.Middleware
07:38 <henrynash> would you rather have it refactored…I’d be OK doing that if you want
07:41 <rakhmerov> hi, is there anybody who can answer a couple of questions about auth plugins?
07:42 <jamielennox> henrynash: whatever works for you, i'm just saying don't worry too much about some current grand design
07:42 <jamielennox> henrynash: i got caught because the request object is different at the middleware level to the core level
07:42 <henrynash> ok, thanks…you’ve solved my main headache…understanding how the error was getting there in the first place!
07:42 <jamielennox> henrynash: when executed as middleware it's an auth_token.Request and when in core it's a keystone.Request
07:43 <jamielennox> because i moved some of the logic onto the request object and it didn't work in all cases
07:43 <henrynash> yep, slowly worked my brain round all that as i debugged this!
07:44 <henrynash> ok, thanks…I’ll go mull on this...
07:44 <jamielennox> no worries
07:49 *** wangqun has joined #openstack-keystone
07:49 *** wangqun has quit IRC
07:49 *** wangqun has joined #openstack-keystone
08:00 *** zzzeek has quit IRC
08:02 *** zzzeek has joined #openstack-keystone
08:03 *** EinstCrazy has quit IRC
08:05 *** jaosorior_brb is now known as jaosorior
08:05 *** EinstCrazy has joined #openstack-keystone
08:17 *** M00nr41n has joined #openstack-keystone
08:18 *** yolanda has joined #openstack-keystone
08:18 *** henrynash has quit IRC
08:19 *** spandhe has quit IRC
08:23 *** dmk0202 has joined #openstack-keystone
08:27 *** stevemar has joined #openstack-keystone
08:27 *** ChanServ sets mode: +o stevemar
08:28 *** pnavarro has joined #openstack-keystone
08:29 *** stevemar_ has joined #openstack-keystone
08:29 *** ChanServ sets mode: +o stevemar_
08:32 *** stevemar has quit IRC
08:34 *** stevemar_ has quit IRC
08:36 *** Dave has joined #openstack-keystone
08:37 *** rmizuno has joined #openstack-keystone
08:37 *** bapalm has quit IRC
08:42 *** bapalm has joined #openstack-keystone
08:44 *** EinstCrazy has quit IRC
08:45 *** vnogin has quit IRC
08:51 *** ktychkova has joined #openstack-keystone
08:52 *** mvk has joined #openstack-keystone
09:09 *** jaosorior has quit IRC
09:10 *** jaosorior has joined #openstack-keystone
09:17 *** nisha has joined #openstack-keystone
09:35 *** mvk has quit IRC
09:37 *** nisha_ has joined #openstack-keystone
09:40 *** BlackDex_ is now known as BlackDex
09:41 *** nisha has quit IRC
09:42 *** nisha_ is now known as nisha
09:46 *** ryom has joined #openstack-keystone
09:47 <ryom> The reason why I am writing this email to you is that I'd like to ask some questions about reseller 2nd phase in Newton. I wished it were possible to ask on IRC, but I am using e-mail because of the time difference. Previously, I asked you on IRC (6/1) about the implementation in the Newton cycle of the hierarchy of the project acting as domain. At that time, I received the answer "doubt it" from you. I want to know more detailed information
09:48 *** ryom has quit IRC
09:48 *** bapalm has quit IRC
09:53 *** samueldmq has joined #openstack-keystone
09:53 <samueldmq> morning keystone
09:54 *** ChanServ sets mode: +v samueldmq
09:54 *** bapalm has joined #openstack-keystone
09:56 *** mvk has joined #openstack-keystone
10:07 *** daemontool has joined #openstack-keystone
10:10 *** yolanda has quit IRC
10:19 *** daemontool has quit IRC
<openstackgerrit> jingtao liang proposed openstack/keystone: Fix argument order for assertEqual to (expected, observed)
10:26 *** wangqun has quit IRC
10:31 *** stevemar has joined #openstack-keystone
10:31 *** ChanServ sets mode: +o stevemar
10:36 *** stevemar has quit IRC
10:47 <samueldmq> jamielennox: hi, you still around ?
10:48 *** henrynash has joined #openstack-keystone
10:48 *** ChanServ sets mode: +v henrynash
10:53 <samueldmq> jamielennox: left a couple of comments/suggestions on the reservation spec
10:54 * samueldmq is almost out of specs to review
<samueldmq> and now it's time to look at
10:57 <samueldmq> henrynash: hi, it seems to me there is no consensus on that yet
10:57 <samueldmq> henrynash: am I right ?
<openstackgerrit> Nisha Yadav proposed openstack/python-keystoneclient: Improve docs for v3 projects
10:58 <henrynash> samueldmq: no, there is no consensus yet….I’m going to write up the domain-centric alternative for comparison
10:59 <samueldmq> henrynash: which means ?
11:00 <samueldmq> henrynash: projects still unique within the domain ?
11:01 <henrynash> samueldmq: I’m trying to think it through…..but the only way to make the domain-led version work is that we allow nested domains, and domain names ALWAYS are their full path to the root….otherwise a domain in one customer would prevent one of a similar name in any other customer
11:01 *** nisha_ has joined #openstack-keystone
11:02 <henrynash> samueldmq: …which wouldn’t break any compatibility, since domain names today are all top level domains
11:02 *** nisha has quit IRC
11:02 <samueldmq> henrynash: great
11:02 <samueldmq> henrynash: we can't fix hierarchical projects because it's been there for a while
11:02 <henrynash> but would allow a customer (within their own domain), to create domains like production, test, staging
11:03 <samueldmq> henrynash: but we can make it right (as we want) for hierarchical domains
11:03 <nisha_> samueldmq, good morning
11:03 <samueldmq> nisha_: good morning
11:03 <henrynash> and by including the path, the name of a given domain is always (still) unique
11:03 <samueldmq> nisha_: just saw your patch, there we go
11:03 <nisha_> samueldmq, :)
11:03 <samueldmq> henrynash: right
11:04 <samueldmq> henrynash: I think we should be good on that, and everyone would agree
11:05 <samueldmq> henrynash: we document that, if you want to create siblings with the same name, that must be in different domains
11:05 <samueldmq> henrynash: because project names are still unique
11:05 <henrynash> samueldmq: yes
11:05 <samueldmq> henrynash: I like this, looking forward to seeing the spec
11:06 <henrynash> samueldmq: I’m thinking that we need to add a flag to a domain (only useful for non root domains), that says whether it inherits users and groups from its parent (which will always be a domain), otherwise you’d have to replicate things like LDAP configs across the domains
11:06 <samueldmq> henrynash: it must be the parent setting the flag it wants to share its users
11:07 <henrynash> samueldmq: good point
11:07 <samueldmq> henrynash: but I think that's a separate thing than the organisation -> token issuance we're talking about so far
11:07 <henrynash> samueldmq: yep
11:07 <samueldmq> henrynash: maybe that even deserves its own spec
11:09 *** henrynash has quit IRC
11:21 *** chlong has joined #openstack-keystone
11:23 *** ddieterly has joined #openstack-keystone
11:32 <samueldmq> nisha_: reviewed
11:33 <nisha_> samueldmq, looking thanks
11:33 *** ddieterly has quit IRC
11:39 *** rodrigods has quit IRC
11:39 *** rodrigods has joined #openstack-keystone
11:41 *** ddieterly has joined #openstack-keystone
11:43 *** sigmavirus24 is now known as sigmavirus24_awa
11:44 *** amoralej is now known as amoralej|lunch
11:48 *** sdake has quit IRC
<openstackgerrit> Nisha Yadav proposed openstack/python-keystoneclient: Improve docs for v3 projects
11:50 <samueldmq> (status:open project:openstack/keystone-specs label:Code-Review-0,self NOT label:Workflow-1) is now empty
11:50 * samueldmq dances
11:51 *** chlong has quit IRC
11:54 <samueldmq> nisha_: see a couple of comments again :)
11:56 <nisha_> samueldmq, sure
11:56 <samueldmq> nisha_: let me know if you agree/disagree
11:59 *** ddieterly has quit IRC
12:03 *** sdake has joined #openstack-keystone
12:09 *** raildo-afk is now known as raildo
12:09 *** ramishra has joined #openstack-keystone
<openstackgerrit> Nisha Yadav proposed openstack/python-keystoneclient: Improve docs for v3 projects
12:11 <ramishra> ayoung: hi around?
12:12 <nisha_> samueldmq, why is it showing conflicts with alongside the patch
12:19 *** dave-mccowan has joined #openstack-keystone
<openstackgerrit> Nisha Yadav proposed openstack/python-keystoneclient: Improve docs for v3 projects
12:25 *** d0ugal has quit IRC
12:25 *** d0ugal has joined #openstack-keystone
12:27 *** ddieterly has joined #openstack-keystone
12:27 <dstanek> rodrigods: i just moved that comment with the code, but now that i read it i think it may be safe to just delete
12:27 *** aurelien has joined #openstack-keystone
12:27 <rodrigods> dstanek, yeah, saw that
12:27 <rodrigods> maybe in another patchset
12:29 <dstanek> yeah, i have several more to push already. i've been cleaning out one of my old dev nodes
<openstackgerrit> Nisha Yadav proposed openstack/python-keystoneclient: Improve docs for v3 projects
12:34 *** pauloewerton has joined #openstack-keystone
12:38 *** nisha_ has quit IRC
12:39 *** julim has quit IRC
12:42 *** ddieterly has quit IRC
12:43 *** sdake has quit IRC
12:43 *** edmondsw has joined #openstack-keystone
12:53 *** ramishra has quit IRC
12:55 *** henrynash has joined #openstack-keystone
12:55 *** ChanServ sets mode: +v henrynash
13:01 *** lamt has joined #openstack-keystone
13:06 *** julim has joined #openstack-keystone
13:06 *** chlong has joined #openstack-keystone
13:06 *** richm has joined #openstack-keystone
13:07 *** permalac has joined #openstack-keystone
13:09 *** links has quit IRC
13:11 *** woodster_ has joined #openstack-keystone
13:12 <dstanek> henrynash: what if you also mark existing projects (at the time of the upgrade/migration) somehow and allow them to be accessed both ways?
13:13 <dstanek> that is the equivalent of giving each existing hierarchical name a root level alias
<openstackgerrit> Merged openstack/keystone: Use the ldap fixture to simplify tests
13:13 <henrynash_> dstanek: yes, you could do that…(and I hint at that in the summary), it’s just that then you have to remember which projects were created before and after the upgrade
13:13 <henrynash_> i mean the user has to remember
13:14 <dstanek> henrynash_: i think the user should just always use full path names after the upgrade. the hacks are just to allow old clients to work
13:14 <henrynash_> dstanek: that’s exactly the proposal as it is currently!
13:15 <dstanek> henrynash_: i don't read it like that. specifically where it talks about 3.6 clients
13:16 *** aurelien has quit IRC
13:16 <dstanek> for example, creating new projects that are not hierarchical
13:18 <henrynash_> dstanek: creating a new project before or after the server is upgraded to Newton?
13:19 <henrynash_> dstanek: ah, so you are suggesting that projects created after the upgrade are somehow returned to a 3.6 client without a path?
13:21 <henrynash_> dstanek: this would work OK for projects created as top level ones, but how to distinguish between two projects of the same name, one as a root project, one somewhere in the hierarchy…when talking to a 3.6 client?
<openstackgerrit> Merged openstack/keystone: Reduce setup overhead in auth_plugin tests
dstanekhenrynash_: hierarchical projects created before the upgrade are effectively root projects to old clients. ones created after would have their path returned to the client13:22
*** real56 has joined #openstack-keystone13:23
henrynash_dstanek: even though a new cleint might create another root project of the same name as the old one that is down the hierarchy somewhere….13:23
*** BigWillie has joined #openstack-keystone13:24
henrynash_dstanek: I did try these kind of approaches, but worrised about the confusion over which project was really being accessed….and would that mean that if I did a list projects I would see the old project as a root projects….or is this just an auth scoping mechanism13:24
dstanekyou'd have to enforce uniqueness there since there can be only one /test project (it's just that /blah/test has a /test "alias")13:25
*** topol has quit IRC13:26
dstaneki think it would be fine to show the path, even to old clients, it's just that the old client needs the ability to access it the old way13:26
henrynash_dstanek: ok, so effectively the top level poject space ould be special, since it could contain these “aliases”13:26
dstanekthe problem is that the current "hierarchical" projects have effectively 2 names. so that would be confusing13:26
henrynash_dstanek: interesting idea…….yes, I agree confuson certainly possible113:27
dstanekyes, special is a nice way to put it :-)13:27
*** tonytan4ever has joined #openstack-keystone13:27
kfox1111trying to do a juno -> mitaka upgrade. db_sync does nothing as far as I can tell.13:28
kfox1111version still 55.13:28
kfox1111cause this machine's keystone is older then juno.13:31
dstanekkfox1111: that predates my openstack involvement :-)13:32
dstanekhenrynash_: anyway, it was just a thought i had when walking through the review again before the meeting yesterday13:33
henrynash_dstaneK much apreciated….I’ll mull on it…and am writing up the “use domains for this” approach advocated by dolhm & notmorgan13:34
henrynash_dstanek: to see how that would work13:34
kfox1111yeah. the 55 to 66 or something migrations were removed.13:34
*** ddieterly has joined #openstack-keystone13:34
*** rderose has joined #openstack-keystone13:37
*** sdake has joined #openstack-keystone13:37
*** amoralej|lunch is now known as amoralej13:38
kfox1111ok. went to kilo first, then mitaka.13:38
kfox1111db sync's finished without error.13:38
*** jefrite has joined #openstack-keystone13:39
kfox1111db version is now 9013:40
kfox1111ok. but something failed.13:41
kfox1111ProgrammingError: (_mysql_exceptions.ProgrammingError) (1146, "Table 'keystone.federated_user' doesn't exist") [SQL: u'SELECT AS federated_user_id, federated_user.user_id AS federated_user_user_id, federated_user.idp_id AS federated_user_idp_id, federated_user.protocol_id AS federated_user_protocol_id, federated_user.unique_id AS federated_user_unique_id, federated_user.display_name AS federated_user_display_name, anon_1.user_id13:41
kfox1111ah. there are migrations beyond 90.13:43
kfox1111db_sync is exiting without printing anything. :/13:43
*** mwheckmann has joined #openstack-keystone13:43
*** lucas____ has joined #openstack-keystone13:45
openstackgerritRon De Rose proposed openstack/keystone: PCI-DSS Disable inactive users requirements
*** ddieterly is now known as ddieterly[away]13:45
*** chlong has quit IRC13:49
*** walharthi has joined #openstack-keystone13:50
*** woodburn has joined #openstack-keystone13:50
*** BjoernT has joined #openstack-keystone13:52
*** phalmos has joined #openstack-keystone13:55
*** ddieterly[away] is now known as ddieterly13:55
*** phalmos_ has joined #openstack-keystone13:56
*** phalmos has quit IRC13:59
*** ametts has joined #openstack-keystone14:01
*** darosale has joined #openstack-keystone14:02
*** chlong has joined #openstack-keystone14:05
*** gordc has joined #openstack-keystone14:06
kfox1111ok. I think I got it fixed. it somehow deleted the constraint and couldn't then rerun. commented it out and things finished, and seems to be ok.14:06
*** timcline has joined #openstack-keystone14:07
*** timcline has quit IRC14:07
*** timcline has joined #openstack-keystone14:07
openstackgerritRon De Rose proposed openstack/keystone: PCI-DSS Disable inactive users requirements
*** anush__ has joined #openstack-keystone14:15
*** henrynash has quit IRC14:16
dstanekkfox1111: how where you able to figure that out? it's troubling that you didn't get any indication of why/what error14:17
*** edtubill has joined #openstack-keystone14:17
ayoungnotmorgan, do we have caching for LDAP enabled?14:17
bknudson_caching happens in the manager not the driver14:18
walharthiHello! I am having some problems when trying to use keystone-to-keystone authentication14:18
walharthiI am using a scoped token to authenticate my request to the service provider but I am getting a 401 and keystone log in the service provider says “could not find token”. The token hasn’t expired nor was it revoked, and I my request contains the project id I used to scoped the token earlier. Any idea about what else could cause this?14:19
*** topol has joined #openstack-keystone14:22
*** ChanServ sets mode: +v topol14:22
*** sigmavirus24_awa is now known as sigmavirus2414:22
*** GB21 has joined #openstack-keystone14:24
*** nisha_ has joined #openstack-keystone14:24
*** phalmos_ has quit IRC14:24
*** phalmos has joined #openstack-keystone14:26
*** ddieterly is now known as ddieterly[away]14:30
*** ddieterly[away] is now known as ddieterly14:30
*** ddieterly is now known as ddieterly[away]14:31
*** ddieterly[away] is now known as ddieterly14:31
*** jorge_munoz has joined #openstack-keystone14:32
*** yolanda has joined #openstack-keystone14:32
openstackgerritRon De Rose proposed openstack/keystone: PCI-DSS Disable inactive users requirements
*** KevinE has joined #openstack-keystone14:35
*** nisha__ has joined #openstack-keystone14:37
samueldmqdstanek: hi14:37
dstaneksamueldmq: hey14:38
samueldmqdstanek: just left a comment in 332729, perhaps the bug is invalid then14:38
dstaneksamueldmq: is that the assertEqual one?14:38
samueldmqdstanek: yes14:38
samueldmqdstanek: the bug says: "The test cases will produce a confusing error message if the tests ever fail, so this is worth fixing."14:38
samueldmqdstanek: and per your comment, the message isn't confusing14:39
dstaneki don't feel strongly about it either way. i don't see much utility, but on the other hand i submitted patches because it was an accepted bug14:39
*** nisha_ has quit IRC14:40
samueldmqdstanek: you submitted patches for it as well ?14:40
samueldmqdstanek: anyways, I think it doesn't hurt to have it14:41
samueldmqdstanek: I will mark the bug as wishlist14:41
dstaneksamueldmq: jas14:41
dstaneksamueldmq: looking up the source now14:41
*** ma91 has joined #openstack-keystone14:43
*** nisha__ is now known as nisha_14:44
*** ramishra has joined #openstack-keystone14:44
*** jaosorior has quit IRC14:47
*** david-lyle_ has quit IRC14:47
*** jaosorior has joined #openstack-keystone14:47
dstanekyeah, i don't think anything has changed. don't see much value in that bug.14:48
*** tonytan4ever has quit IRC14:50
*** jorge_munoz_ has joined #openstack-keystone14:50
* samueldmq nods14:51
*** jorge_munoz has quit IRC14:51
*** jorge_munoz_ is now known as jorge_munoz14:51
*** timcline has quit IRC14:51
*** timcline has joined #openstack-keystone14:52
dstaneki can't believe the amount of people that are in downtown Cleveland right now14:52
*** tonytan4ever has joined #openstack-keystone14:53
*** timcline has quit IRC14:54
*** timcline has joined #openstack-keystone14:54
*** anush__ has quit IRC14:54
*** jistr is now known as jistr|mtg14:58
*** tonytan4ever has quit IRC14:58
KevinEdstanek: I heard them talking about it on the radio, sounds pretty crazy14:58
*** lucas____ has quit IRC14:59
dstanekKevinE: yesterday i was thinking i should go. i'm super glad that i didn't make that mistake14:59
*** ramishra has quit IRC14:59
*** lucas____ has joined #openstack-keystone14:59
*** jaugustine has joined #openstack-keystone15:01
*** jaosorior has quit IRC15:02
*** luca_____ has joined #openstack-keystone15:02
*** lucas____ has quit IRC15:02
*** lucas____ has joined #openstack-keystone15:04
*** lucas____ has quit IRC15:05
*** lucas____ has joined #openstack-keystone15:05
*** luca_____ has quit IRC15:07
*** permalac has quit IRC15:08
*** rcernin has quit IRC15:09
*** lucas____ has quit IRC15:10
*** timcline has quit IRC15:10
*** yolanda has quit IRC15:10
*** sdake has quit IRC15:10
*** bapalm has quit IRC15:10
*** robcresswell_ has joined #openstack-keystone15:10
*** bapalm has joined #openstack-keystone15:10
*** agireud has quit IRC15:10
*** yarkot1 has quit IRC15:10
*** hogepodge has quit IRC15:10
*** robcresswell has quit IRC15:10
*** yolanda has joined #openstack-keystone15:10
*** robcresswell_ is now known as robcresswell15:10
*** tesseract- has quit IRC15:10
*** timcline has joined #openstack-keystone15:10
*** yarkot1 has joined #openstack-keystone15:11
*** hogepodge has joined #openstack-keystone15:11
*** sdake_ has joined #openstack-keystone15:11
*** agireud has joined #openstack-keystone15:11
*** itisha has joined #openstack-keystone15:17
*** sdake has joined #openstack-keystone15:18
*** sdake_ has quit IRC15:19
*** lucas____ has joined #openstack-keystone15:19
*** luca_____ has joined #openstack-keystone15:20
*** pcaruana has quit IRC15:22
*** GB21 has quit IRC15:22
*** anush__ has joined #openstack-keystone15:23
shewlessayoung: do you remember that bug we were talking about regarding federated login showing the user "id" instead of the user "name" in some cases?15:23
*** anush__ has quit IRC15:23
*** GB21 has joined #openstack-keystone15:23
*** lucas____ has quit IRC15:24
*** rcernin has joined #openstack-keystone15:24
mwheckmannshewless: I thought I saw a commit fixing that. I'll double check later on to see if I'm still affected by it15:25
*** luca_____ has quit IRC15:25
*** ebarrera has quit IRC15:25
ayoungshewless, yep15:25
dstanekwalharthi: what kind of tokens are you using?15:27
openstackgerritNisha Yadav proposed openstack/python-keystoneclient: Add project functional tests
walharthi@dstanek fernet tokens15:28
nisha_samueldmq, please have a look ^15:28
*** mwheckmann has quit IRC15:29
*** jistr|mtg is now known as jistr15:32
dstanekwalharthi: so you auth to one keystone and try to use the token on the other and get a "could not find token" error message?15:32
*** roxanaghe has joined #openstack-keystone15:32
shewlessayoung, mwheckmann, I'd love to get my hands on that fix if it's been delivered. Is there a ticket number I can use for reference?15:33
samueldmqnisha_: sure, looking15:33
walharthidstanek Yes. I used k2k to obtain a token from my sp but when I try to use the token, I get the error msg.15:34
dstanekwalharthi: do you have sample code to show what you are doing on the client side?15:35
*** dan_nguyen has joined #openstack-keystone15:35
*** roxanaghe has quit IRC15:36
*** pcaruana has joined #openstack-keystone15:36
*** timcline has quit IRC15:37
*** timcline has joined #openstack-keystone15:37
*** anush__ has joined #openstack-keystone15:41
*** tonytan4ever has joined #openstack-keystone15:41
*** spandhe has joined #openstack-keystone15:42
*** spandhe_ has joined #openstack-keystone15:43
*** pnavarro has quit IRC15:44
*** stevemar has joined #openstack-keystone15:44
*** ChanServ sets mode: +o stevemar15:44
*** spandhe has quit IRC15:47
*** spandhe_ is now known as spandhe15:47
*** catintheroof has joined #openstack-keystone15:49
*** chlong has quit IRC15:50
*** lucas____ has joined #openstack-keystone15:50
bknudson_dstanek: I wrote a sample program that shows logging the request ID using a hook --
dstanekbknudson_: nice.15:51
*** adu has joined #openstack-keystone15:51
*** lucas____ has quit IRC15:52
bknudson_sample output:
*** lucas____ has joined #openstack-keystone15:52
stevemarbknudson_: your link is missing an ID :)15:53
walharthidstanek that's the k2k token client15:54
*** lucas____ has quit IRC15:54
*** lucas____ has joined #openstack-keystone15:54
bknudson_stevemar: "Could not submit your paste because your paste contains spam."15:54
*** roxanaghe has joined #openstack-keystone15:54
bknudson_stevemar: dstanek:
stevemarbknudson_: you are always spamming things15:55
bknudson_it's so tasty15:55
shewlessayoung: do you recall the bug ID?15:56
openstackgerritRon De Rose proposed openstack/keystone: PCI-DSS Disable inactive users requirements
bknudson_dstanek: you can also get the request time:
*** daemontool has joined #openstack-keystone16:00
*** slberger has joined #openstack-keystone16:01
*** lamt has quit IRC16:01
bknudson_I wonder what I'd get from ? I assume it wouldn't give the request IDs for fetching the token that occurs during the user list.16:02
patchbotbknudson_: patch 261188 - python-keystoneclient - Add wrapper classes for return-request-id-to-caller16:02
*** dmk0202 has quit IRC16:02
openstackgerritAlexander Makarov proposed openstack/keystone: Closure table for HMT
bknudson_jamielennox: it would be nice if I could pass hooks into ksa Session.16:05
walharthidstanek that's how the token is obtained using the k2k token client . get_scoped_token() actually returns the token body not the id in the newer version16:05
bknudson_although, I guess I can't pass hooks into requests Session either.16:06
bknudson_maybe we could have a custom Response object that also has request ID16:06
dstanekwalharthi: have you tried my code at all against your setup? i'm curious to know if it works16:07
dstanekbknudson_: what would you do with the response object?16:08
*** roxanaghe has quit IRC16:08
bknudson_dstanek: would be nice to not require the user to know that the header is 'x-openstack-request-id' ... so hide that by automatically putting it into a .openstack_request_id property16:09
bknudson_or maybe it could be a kwarg on the callback or something16:10
*** roxanaghe has joined #openstack-keystone16:11
*** mwheckmann has joined #openstack-keystone16:12
*** dan_nguyen has quit IRC16:12
dstanekbknudson_: would it make sense to update my patch to add a ksc hook that returns a response object more like that? basically removing the return values16:12
*** gyee has joined #openstack-keystone16:13
*** ChanServ sets mode: +v gyee16:13
walharthidstanek yes, I got a 403 (You are not authorized to perform the requested action)16:13
bknudson_dstanek: if you can make it happen. I thought it would have to happen in keystoneauth and not keystoneclient.16:14
*** ddieterly is now known as ddieterly[away]16:14
*** phalmos has quit IRC16:14
*** tonytan4ever has quit IRC16:15
*** links has joined #openstack-keystone16:16
dstanekbknudson_: you don't want the honors?16:19
bknudson_dstanek: no, I need to work on other stuff today16:19
dstanekbknudson_: :-)16:19
*** ma91 has left #openstack-keystone16:19
dstanekbknudson_: i'm in the same boat, but i'll see what i can do16:20
bknudson_don't tell my boss I was messing around with this.16:20
*** jaugustine has quit IRC16:20
*** nisha__ has joined #openstack-keystone16:21
*** ddieterly[away] is now known as ddieterly16:22
*** nisha_ has quit IRC16:24
*** nisha__ is now known as nisha_16:25
* dstanek forgets that this conversation ever happened16:25
nisha_samueldmq, you wrote this in comment - Assert project parent is not None, it's always present in v316:25
nisha_can you please explain it a bit16:26
*** spandhe has quit IRC16:26
nisha_samueldmq, in create project, the attribute parent is optional, and by default gets None value16:26
shewlessayoung: I guess that means you haven't started on Dumb question: where can I find the code on my openstack install?16:28
openstackLaunchpad bug 1590426 in OpenStack Identity (keystone) "Keystone Federated Identity assertion name not included in token" [Undecided,New] - Assigned to Adam Young (ayoung)16:28
*** jaugustine has joined #openstack-keystone16:32
openstackgerritRon De Rose proposed openstack/keystone: PCI-DSS Disable inactive users requirements
*** TxGVNN has quit IRC16:37
*** daemontool has quit IRC16:37
openstackgerritRon De Rose proposed openstack/keystone: PCI-DSS Disable inactive users requirements
*** links has quit IRC16:40
*** rcernin has quit IRC16:40
openstackgerritRon De Rose proposed openstack/keystone: PCI-DSS Disable inactive users requirements
*** pcaruana has quit IRC16:43
*** raddaoui has joined #openstack-keystone16:44
dstanekshewless: how did you install it?16:44
*** mfisch has joined #openstack-keystone16:45
*** mfisch has quit IRC16:45
*** mfisch has joined #openstack-keystone16:45
mfischstevemar: dolphm: can we get this backported to Mitaka?16:45
patchbotmfisch: patch 329855 - keystone - Correct domain_id and name constraint dropping (MERGED)16:45
mfischmy L->M upgrade breaks because of it16:46
mfisch2016-06-22 16:41:58.129 1 ERROR keystone OperationalError: (_mysql_exceptions.OperationalError) (1091, "Can't DROP 'ixu_user_name_domain_id'; check that column/key exists") [SQL: u'ALTER TABLE user DROP INDEX ixu_user_name_domain_id']16:46
*** jbell8 has joined #openstack-keystone16:46
*** jaugustine has quit IRC16:46
stevemarmfisch: i think i asked someone to backport it?16:49
stevemarmfisch: but yeah, do-able16:49
mfischthats what I was wondering16:49
mfischits not a 1click BP but if nobody is working on it I can16:49
openstackgerritRon De Rose proposed openstack/keystone: PCI-DSS Disable inactive users requirements
mfischi'm about to jump on a plane, so steve I'll let you crack the whip!16:49
stevemarmfisch: oh fun, i'm about to eat lunch, i can look at it after16:50
shewlessdstanek: following the install guide more or less (have some custom ansible playbooks that replicate the install guide).  Seeing the code in /usr/lib/python2.7/dist-packages/  there is a bunch of keystone stuff. currently looking at the middleware16:50
mfischflying back to the miserable heat :(16:50
stevemaranyone else want to backport stuff? (so i can still +2 it :) )16:50
stevemarmfisch: hope dockercon was fun16:50
mfischyeah it was cool, I have a bunch of new things to play with now. foundation folks were here too16:51
mfischok ttyl thanks for the bp help16:52
stevemarmfisch: safe flight16:53
*** darosale_ has joined #openstack-keystone16:55
*** spandhe has joined #openstack-keystone16:56
*** darosale has quit IRC16:57
*** darosale_ is now known as darosale16:57
*** josecastroleon has quit IRC16:58
*** isd has joined #openstack-keystone17:08
samueldmqnisha_: hmm, you're correct17:09
*** sdake_ has joined #openstack-keystone17:09
samueldmqnisha_: in the case it's none, it's still present in the returned entity, isn't it ?17:09
nisha_samueldmq, yeah17:09
*** sdake has quit IRC17:10
*** mvk has quit IRC17:11
openstackgerritRodrigo Duarte proposed openstack/keystone: WIP: Federated authentication via ECP functional tests
openstackgerritNisha Yadav proposed openstack/python-keystoneclient: Add project functional tests
samueldmqnisha_: I think it's still set to the domain ID17:13
samueldmqnisha_: try self.assertNotNone(project.parent) and see if it works17:13
nisha_samueldmq,  assertIsNotNone above right17:14
nisha_samueldmq, I tried it gives error17:14
nisha_samueldmq, I did the rest of the changes you mentioned in comments17:16
openstackgerritRodrigo Duarte proposed openstack/keystone: WIP: Federated authentication via ECP functional tests
samueldmqnisha_: cool17:17
nisha_samueldmq, thanks, pushing the changes17:17
samueldmqnisha_: ++17:17
*** rcernin has joined #openstack-keystone17:20
*** phalmos has joined #openstack-keystone17:27
openstackgerritNisha Yadav proposed openstack/python-keystoneclient: Add project functional tests
*** pauloewerton has quit IRC17:28
openstackgerritRon De Rose proposed openstack/keystone: PCI-DSS Disable inactive users requirements
openstackgerritMerged openstack/python-keystoneclient: Improve docs for v3 projects
*** sdake_ has quit IRC17:29
*** henrynash has joined #openstack-keystone17:29
*** ChanServ sets mode: +v henrynash17:29
*** ddieterly is now known as ddieterly[away]17:36
*** pauloewerton has joined #openstack-keystone17:38
samueldmqdstanek: hi17:40
samueldmqdstanek: what is I don't see how cache invalidation is safer with that17:40
*** mvk has joined #openstack-keystone17:41
*** daemontool has joined #openstack-keystone17:41
*** daemontool has quit IRC17:44
openstackgerrithenry-nash proposed openstack/keystone-specs: Support nested domains to provide additional project namespaces
openstackgerrithenry-nash proposed openstack/keystone-specs: Support nested domains to provide additional project namespaces
openstackgerrithenry-nash proposed openstack/keystone-specs: Support nested domains to provide additional project namespaces
*** henrynash has quit IRC17:48
*** henrynash has joined #openstack-keystone17:49
*** ChanServ sets mode: +v henrynash17:49
*** henrynash has quit IRC17:50
*** nisha_ has quit IRC17:58
*** slberger1 has joined #openstack-keystone17:59
*** phalmos has quit IRC18:00
*** slberger has quit IRC18:01
openstackgerritMerged openstack/keystone: Fix argument order for assertEqual to (expected, observed)
openstackgerritAlexander Makarov proposed openstack/keystone: Closure table for HMT
*** arunkant has quit IRC18:03
*** arunkant has joined #openstack-keystone18:06
openstackgerritRon De Rose proposed openstack/keystone: PCI-DSS Disable inactive users requirements
*** josecastroleon has joined #openstack-keystone18:14
*** browne has joined #openstack-keystone18:17
*** david-lyle has joined #openstack-keystone18:19
*** amoralej is now known as amoralej|off18:21
*** anush__ has quit IRC18:22
*** anush__ has joined #openstack-keystone18:23
*** jbell8 has quit IRC18:25
*** samueldmq has quit IRC18:25
*** anush__ has quit IRC18:25
openstackgerritRon De Rose proposed openstack/keystone: PCI-DSS Disable inactive users requirements
*** phalmos has joined #openstack-keystone18:30
openstackgerritMerged openstack/keystone: Change the remaining conf setup to use the fixture
*** ddieterly[away] has quit IRC18:36
*** GB21 has quit IRC18:37
*** slberger1 has quit IRC18:37
shewlessHello. I'm wondering how to use the openstack client (cli) as a federated user. I think I need a token for that? Can anyone confirm? I tried using the "" file (I guess password based) from horizon but that doesn't work18:42
stevemarshewless: that's currently a bit "underconstruction"18:43
*** josecastroleon has quit IRC18:43
stevemarshewless: the auth plugins for federation were all tossed into keystoneauth (from keystoneclient)18:43
stevemarshewless: but openstackclient (osc) was still using keystoneclient for all its auth logic18:44
shewlessstevemar: hmm.. what does that mean for Mitaka?18:44
stevemarshewless: if you are willing to try the master branch of osc, we recently (just this week) merged a change to get OSC to use keystoneauth for its auth logic18:44
*** ddieterly has joined #openstack-keystone18:45
*** tonytan4ever has joined #openstack-keystone18:45
dtroyerI'd be careful here, I'm still in the middle of sorting out all of the crap between ksc/ksa/occ and osc18:45
dtroyerksc/ksa should be done18:45
stevemarshewless: for mitaka, your mileage may vary, authenticating as a federated user may work, depends on the plugin18:45
stevemarshewless: i think ECP (from what i read you are using shib right?) should work18:46
dtroyerI'm getting the fallout from that pushed back into osc-lib as we speak, then I have to reconcile all of the things o-c-c has grown in the last month18:46
stevemarjust gotta specify the right args18:46
shewlessstevemar: I am using shib18:46
openstackgerritRon De Rose proposed openstack/keystone: PCI-DSS Disable inactive users requirements
*** sdake has joined #openstack-keystone18:47
*** jbell8 has joined #openstack-keystone18:47
stevemarshewless: you'll have to specify the idp and protocol and possibly more18:47
shewlessstevemar: what args do I specify? :) Also I could use the master branch of osc if needed.. that can be installed separate from openstack anyways right?18:47
shewlessstevemar: like say I want to use openstack user list18:47
shewlessstevemar: so I do have to get an unscoped token somehow?18:49
stevemarshewless: i believe so, and then use the token to get a project listing18:51
*** slberger has joined #openstack-keystone18:51
shewlessstevemar: do you know where I can do some reading on this? How can I leverage the token in the osc? or can i?18:52
*** mvk_ has joined #openstack-keystone18:53
shewlessstevemar: I guess I export OS_TOKEN or something18:54
openstackgerritRon De Rose proposed openstack/keystone: PCI-DSS Disable inactive users requirements
*** sdake_ has joined #openstack-keystone18:55
*** phalmos has quit IRC18:55
*** mvk has quit IRC18:55
*** sdake has quit IRC18:58
*** roxanaghe has quit IRC19:00
*** roxanaghe has joined #openstack-keystone19:02
*** mkrcmari__ has joined #openstack-keystone19:02
*** mvk_ has quit IRC19:02
isdHey all. I'm working on integrating keystone's auth middleware into a service, and am trying to debug a script that sets up keystone with some initial data for CI purposes. The script is here:
dstanekisd: what's the issue?19:04
isdOnce I've used that script to set things up, doing an `openstack user list` will intermittently actually list users as expected, or give me an error "Unable to establish connection to http://localhost:5000/v3/auth/tokens", or a similar error for /v3/users19:04
isdI'm at a bit of a loss as to what's going on19:05
*** adu has quit IRC19:05
isdThe server's logs report only 200/201 responses. I looked at the traffic with wireshark, and wasn't able to discern any obvious problems, though I have only a very loose familiarity with the HTTP api.19:07
stevemarisd: i think running keystone under uwsgi proper can be flakey if not tuned properly19:08
*** samueldmq has joined #openstack-keystone19:09
*** ChanServ sets mode: +v samueldmq19:09
dstanekisd: sounds like you can't connect to the server. does apache show your connection when you get that error?19:09
stevemarisd: this is the tuning we had to do to make it run in our CI
isdstevemar: thanks for the reference. I'll stare at that for a bit19:11
dstanekstevemar: aren't those keystone settings?19:11
isddstanek: It *is* connecting; the server is reporting responses, and wireshark agrees. Whatever it's on about it isn't talking about TCP.19:12
stevemardstanek: they don't look keystone-y to me19:12
isdIt does look like it's mucking with keystone.conf19:13
stevemarit should be mucking around with: KEYSTONE_PUBLIC_UWSGI_FILE19:13
isdErr, yeah, you're right, nevermind19:13
*** ddieterly is now known as ddieterly[away]19:13
stevemarisd: anywho, all of that is for the case where you are running *just* uwsgi (which I think you're doing) and not uwsgi+apache19:14
*** mkrcmari__ has quit IRC19:15
isdstevemar: correct19:15
isdwhich, honestly, I'm only doing because that's what the page I reference at the top of the script was doing. I have no attachment to uwsgi19:16
dstanekisd: oh, you're not running apache at all?19:16
stevemarisd: try looking at those settings, IIRC we were getting weird 401s when we had our CI running without them19:16
*** mvk has joined #openstack-keystone19:16
*** real56 has quit IRC19:16
stevemarisd: running under apache has given the best results19:16
*** timcline has quit IRC19:16
dstanekstevemar: isd's issue seems to be that the server just isn't responding on the port.19:17
isddstanek: no, that's not the case19:17
stevemardstanek: "doing an `openstack user list` will intermittently actually list users as expected, or give me an error"19:17
dstanekisd: i thought you said you were getting an "unable to establish connection"19:17
isdthe above is the message the cli is printing, but it *is* making a tcp connection, and an http request, and getting a (200 or 201) response19:18
dstanekthat's a "server not there" error19:18
*** josecastroleon has joined #openstack-keystone19:18
isdSo, crappy error message maybe, but wireshark makes it pretty clear it's not a simple connection issue.19:18
dstanekisd: so the server is returning 2xx responses and keystoneclient is choking on them?19:19
*** tqtran has joined #openstack-keystone19:19
isddstanek: as far as I can tell19:19
dstanekisd: just make sure you see a server log entry for each response. just because you only see 2xx doesn't mean your calls are successful19:19
tqtrangm everyone, when one of you have time, could you briefly take a look at ? we're updating the rc download file and would love to have some keystone input.19:20
patchbottqtran: patch 331788 - horizon - Add valuable exports to openstack RC file download19:20
tqtranwhoa.... awesome19:20
*** jamielennox is now known as jamielennox|away19:21
isdhmm, I'm looking actually, and the one that gives an error about /v3/users never actually grabs that page, just /v3/ and /v3/auth/tokens. it probably is some kind of connection issue, which points to uwsgi as the problem. I will stare at that config a bit.19:21
isdI know we're also already talking about sticking apache into the ci for other reasons, I'll talk with the folks working on that to see if we can't de-dup some effort.19:21
isdThanks for your help. I'll speak up if I have further questions.19:22
stevemartqtran: aren't interface and auth_type similar o_O19:22
stevemari thought we deprecated one19:22
*** tonytan4ever has quit IRC19:22
stevemaroh wait, auth_type is password or token or etc...19:24
stevemarinterface and endpoint_type**19:24
shewlessHey guys, I'm trying this to get an unscoped token.. but I'm getting a 302 error.. I think it's because my IDP is redirecting me to a webpage to enter the username and password...  Is there any way for me to pass that info along in curl. I'm using this now: curl -X GET -D - http://localhost:5000/v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}/auth19:24
stevemartqtran: "To get url using service catalog endpoint_type parameter was changed to interface:"19:25
*** sheel has quit IRC19:25
*** spzala has joined #openstack-keystone19:26
openstackgerritAlexander Makarov proposed openstack/keystone: Unified delegation assignment driver
openstackgerritAlexander Makarov proposed openstack/keystone: Delegation parent discovery function
tqtranstevemar: thanks steve!19:29
stevemartqtran: np19:29
*** sdake has joined #openstack-keystone19:31
*** sdake_ has quit IRC19:33
*** ddieterly[away] is now known as ddieterly19:37
*** ddieterly is now known as ddieterly[away]19:38
*** josecastroleon has quit IRC19:47
openstackgerritAlexander Makarov proposed openstack/keystone: Pre-cache new tokens
*** lucas____ has quit IRC19:48
*** timcline has joined #openstack-keystone19:50
*** mwheckmann has quit IRC19:50
*** mwheckmann has joined #openstack-keystone19:51
*** lucas____ has joined #openstack-keystone19:51
*** lucas____ has quit IRC19:52
*** rderose has quit IRC19:58
*** sdake_ has joined #openstack-keystone20:01
*** mvk_ has joined #openstack-keystone20:01
*** samueldmq has quit IRC20:04
isdstevemar: I copied some of those settings, and it seems to be working now. thank you very much.20:04
*** sdake has quit IRC20:04
*** mvk has quit IRC20:05
*** browne has quit IRC20:05
openstackgerritAlexander Makarov proposed openstack/keystone-specs: Complete RBAC in keystone
stevemarisd: de nada20:09
stevemarmfisch: i backported that change for you20:09
patchbotstevemar: patch 332994 - keystone (stable/mitaka) - Correct domain_id and name constraint dropping20:10
*** lucas____ has joined #openstack-keystone20:10
stevemarhelping people ate up my day, i will review patches tomorrow o_O20:10
*** ddieterly[away] is now known as ddieterly20:10
*** stevemar has quit IRC20:14
*** lucas____ has quit IRC20:14
*** stevemar has joined #openstack-keystone20:14
*** ChanServ sets mode: +o stevemar20:14
*** henrynash has joined #openstack-keystone20:16
*** ChanServ sets mode: +v henrynash20:16
*** rderose has joined #openstack-keystone20:17
*** stevemar has quit IRC20:19
*** mwheckmann has quit IRC20:19
*** adu has joined #openstack-keystone20:22
*** rderose has quit IRC20:24
*** amakarov is now known as amakarov_away20:26
*** browne has joined #openstack-keystone20:29
*** sdake_ has quit IRC20:34
*** rderose has joined #openstack-keystone20:34
*** jbell8 has quit IRC20:39
*** josecastroleon has joined #openstack-keystone20:45
*** spandhe has quit IRC20:48
openstackgerritRon De Rose proposed openstack/keystone: PCI-DSS Disable inactive users requirements
*** spandhe has joined #openstack-keystone20:50
*** jbell8 has joined #openstack-keystone20:54
*** stevemar has joined #openstack-keystone20:54
*** ChanServ sets mode: +o stevemar20:54
*** BigWillie has quit IRC20:54
*** spandhe has quit IRC20:55
*** rderose has quit IRC20:59
*** ddieterly is now known as ddieterly[away]21:01
*** spandhe has joined #openstack-keystone21:01
*** pauloewerton has quit IRC21:05
*** isd has left #openstack-keystone21:05
*** ddieterly[away] is now known as ddieterly21:05
*** julim has quit IRC21:05
*** yolanda has quit IRC21:06
*** pushkaru has joined #openstack-keystone21:11
*** josecastroleon has quit IRC21:15
*** edtubill has quit IRC21:19
*** timcline_ has joined #openstack-keystone21:26
*** sdake has joined #openstack-keystone21:28
*** yolanda has joined #openstack-keystone21:29
*** timcline has quit IRC21:29
*** roxanaghe has quit IRC21:34
*** roxanaghe has joined #openstack-keystone21:35
*** yolanda has quit IRC21:36
*** sdake_ has joined #openstack-keystone21:38
*** sdake has quit IRC21:39
*** henrynash has quit IRC21:39
*** rderose has joined #openstack-keystone21:39
*** walharthi has quit IRC21:40
*** itisha has quit IRC21:40
*** sigmavirus24 is now known as sigmavirus24_awa21:40
*** pushkaru has quit IRC21:44
*** anush__ has joined #openstack-keystone21:45
*** spzala has quit IRC21:48
*** jamielennox|away is now known as jamielennox21:48
*** spzala has joined #openstack-keystone21:48
*** ametts has quit IRC21:50
*** anush__ has quit IRC21:52
*** spzala has quit IRC21:53
*** anush__ has joined #openstack-keystone21:53
jamielennoxbknudson_: what would you want to do with hooks in ksa?21:55
bknudson_jamielennox: make the request ID available.21:55
jamielennoxbknudson_: why would you need to hook session for that?21:56
bknudson_jamielennox: what's the alternative?21:56
bknudson_to hooking session21:56
*** tqtran has quit IRC21:56
*** spzala has joined #openstack-keystone21:57
jamielennoxbknudson_: session returns a requests.Response object, so request-id is found by resp.headers['X-OpenStack-Request-id']21:57
jamielennox(i think that's the header name)21:58
bknudson_what if there were multiple responses for a call? (for example, if re-auth has to happen)21:58
jamielennoxso you won't get the auth request info - but are you interested in that? after the reauth the same request should be resubmitted with the same info22:01
bknudson_if there's a failure I want to be able to match the ID from the request with the ID in the logs22:01
*** adu has quit IRC22:02
bknudson_I also don't want to have to change every return in the keystoneclient22:02
bknudson_and every other client22:03
*** samueldmq has joined #openstack-keystone22:03
*** ChanServ sets mode: +v samueldmq22:03
*** anush__ has quit IRC22:05
jamielennoxi'm not sure you can get around changing the clients - they're stupidly broken22:06
*** lucas____ has joined #openstack-keystone22:06
jamielennoxumm, i guess we could add a hook to request()22:06
bknudson_that's what this does:
bknudson_we should be able to have a library that hides the detail of the "x-openstack-request-id" header.22:07
jamielennoxbknudson_: so if you add it to the session like that you would get it for every client that reused that session22:07
jamielennoxis that the plan?22:07
jamielennoxlike that would let you as a user track it, but isn't a good idea for doing on a per-client basis22:08
*** slberger has quit IRC22:08
bknudson_I think I'd just have separate sessions if I wanted different session config.22:08
jamielennoxas a user maybe, but it doesn't give you a solution for keystoneclient22:09
jamielennoxor other clients22:09
jamielennoxyou can't have keystoneclient adding hooks to a global session object because it will pick up more things than just that client's requests22:09
bknudson_why not? I can see all the requests that are made including the request IDs.22:09
bknudson_oh, I don't want keystoneclient to add hooks.22:09
jamielennoxbut we've done this for other things in like a cascading fashion, have session global hooks, have adapter hooks for clients and per request hooks and just join them together22:10
bknudson_I'm wondering if ksa can modify the hook22:10
jamielennoxbknudson_: modify?22:10
*** lucas____ has quit IRC22:11
*** ddieterly is now known as ddieterly[away]22:11
bknudson_I think what I'd like is, I should be able to add a response hook to the ksa Session, and when the callback is called, the request also has an openstack_request_id field.22:11
bknudson_so in my example program:
bknudson_in log_request, I can do r.openstack_request_id22:12
bknudson_instead of r.headers.get('x-openstack-request-id')22:12
bknudson_Not that big of an improvement, I guess.22:13
bknudson_but the point of libraries is to make it so I don't have to remember things like x-auth-token and x-openstack-request-id.22:13
jamielennoxbknudson_: so i don't think requests (unlike webob) lets you override the responseclass22:13
jamielennoxwould need to check22:13
bknudson_it could also be a kwarg?22:13
*** lucas____ has joined #openstack-keystone22:13
jamielennoxbknudson_: i don't want to open it as a user provided thing, but i'd be happy to subclass requests.Response with a ksa.Response22:14
bknudson_that would be cool22:14
*** browne1 has joined #openstack-keystone22:14
*** browne has quit IRC22:15
*** lucas____ has quit IRC22:18
jamielennoxbknudson_: so there's no current way to specify the class, and the response object is built from the adapter level which will make it hard to change22:19
jamielennoxbknudson_: so i don't think we can do a subclass22:19
jamielennoxhowever, the hook part i'd be ok with22:20
jamielennoxhook_cb(request, response) ?22:20
bknudson_it could be like ksa_session.session.hooks = {'openstack_response': log_request} ?22:21
*** sdake has joined #openstack-keystone22:21
*** roxanaghe has quit IRC22:21
bknudson_requests only defines the one hook as far as I can tell22:21
bknudson_the response already includes the request22:22
*** jorge_munoz has quit IRC22:22
*** roxanaghe has joined #openstack-keystone22:22
dstaneksamueldmq: howdy22:22
*** topol has quit IRC22:22
samueldmqdstanek: hi22:22
jamielennoxbknudson_: i don't think we would piggyback on the requests session22:22
dstaneksamueldmq: you bailed earlier before i got to answer you22:22
jamielennoxbtw you can provide a requests.session to a ksa.session22:23
jamielennoxr = requests.Session()22:23
jamielennoxk = keystoneauth1.Session(session=r)22:23
samueldmqdstanek: ah, my IRC bouncer is down, sorry22:23
bknudson_jamielennox: I did that
samueldmqdstanek: it was about the cache invalidation thing iirc22:23
jamielennoxso if the requests hooks are sufficient you can use them22:23
bknudson_I thought this was better22:23
dstaneksamueldmq: the goal of that cache invalidation patch was to shield us from any exceptions that happen when calling invalidate22:23
*** slberger has joined #openstack-keystone22:24
bknudson_jamielennox: I was worried I'd miss any requests that happen on ksa.Session creation but there weren't any.22:24
jamielennoxbknudson_: ok, i just mean that we would do our own hooking mechanism above requests22:24
dstaneksamueldmq: i notice you've been looking at some of my older patches. not sure if you noticed, but i've been slowly getting them updated22:24
bknudson_jamielennox: our own hooking mechanism works.22:24
*** sdake_ has quit IRC22:24
jamielennoxbknudson_: no session is only triggered on request22:24
samueldmqdstanek: hmm, so we wouldn't need to try/except for cache invalidate/notifications ( we had a patch for that )22:25
jamielennoxok, so the only thing i would want to fix there is to do our own requests.Request.prepare_request() stuff in ksa22:25
samueldmqdstanek: yes, I am seeing you're updating them; I am just sticking -1's with minor comments/suggestions22:25
jamielennoxso that the hook interface had a request object instead of all the parameters it works with currently22:25
samueldmqdstanek: so I clean them up from my review list; you have a great amount of great things needing an update :)22:26
jamielennoxbknudson_: i tried that once before and there was an issue i got fixed upstream, so that should be ok now22:26
dstaneksamueldmq: don't i know it :-(22:26
samueldmqdstanek: it's great you're updating them, they're all great stuff, you will get that list empty soon  :)22:29
*** BjoernT has quit IRC22:30
*** sdake_ has joined #openstack-keystone22:31
*** sdake has quit IRC22:34
*** ddieterly[away] is now known as ddieterly22:34
*** darosale has quit IRC22:37
*** slberger has left #openstack-keystone22:37
*** samueldmq has quit IRC22:38
*** jamielennox is now known as jamielennox|away22:44
*** sdake_ has quit IRC22:49
*** timcline_ has quit IRC22:51
*** timcline has joined #openstack-keystone22:52
*** dan_nguyen has joined #openstack-keystone22:53
*** jamielennox|away is now known as jamielennox22:53
*** tqtran has joined #openstack-keystone22:54
*** timcline has quit IRC22:56
*** ddieterly is now known as ddieterly[away]22:57
*** tqtran has quit IRC22:58
*** rcernin has quit IRC23:00
*** jamielennox is now known as jamielennox|away23:05
*** stevemar has quit IRC23:06
*** stevemar has joined #openstack-keystone23:06
*** ChanServ sets mode: +o stevemar23:06
*** stevemar has quit IRC23:11
*** gyee has quit IRC23:11
*** edmondsw has quit IRC23:15
*** lucas____ has joined #openstack-keystone23:15
*** KevinE_ has joined #openstack-keystone23:16
*** KevinE_ has quit IRC23:18
*** lucas____ has quit IRC23:19
*** KevinE has quit IRC23:19
*** lucas____ has joined #openstack-keystone23:22
*** luca_____ has joined #openstack-keystone23:23
*** lucas____ has quit IRC23:24
*** sdake has joined #openstack-keystone23:24
*** samueldmq has joined #openstack-keystone23:26
*** ChanServ sets mode: +v samueldmq23:26
*** luca_____ has quit IRC23:28
*** iurygregory_ has joined #openstack-keystone23:29
*** lucas____ has joined #openstack-keystone23:30
*** lucas____ has quit IRC23:35
*** catintheroof has quit IRC23:35
*** lucas____ has joined #openstack-keystone23:35
openstackgerritChangBo Guo(gcb) proposed openstack/keystonemiddleware: Config: no need to set default=None By default
*** sdake has quit IRC23:42
*** lucas____ has quit IRC23:43
openstackgerritChangBo Guo(gcb) proposed openstack/keystonemiddleware: Config: no need to set default=None
*** dan_nguyen has quit IRC23:47
*** ddieterly has joined #openstack-keystone23:48
*** sheel has joined #openstack-keystone23:55
*** jamielennox|away is now known as jamielennox23:57
*** stevemar has joined #openstack-keystone23:59
*** ChanServ sets mode: +o stevemar23:59
*** tqtran has joined #openstack-keystone23:59
*** lmiccini has quit IRC23:59

Generated by 2.14.0 by Marius Gedminas - find it at!