Wednesday, 2016-06-29

00:01 *** markvoelker has quit IRC
00:02 *** markvoelker has joined #openstack-keystone
00:02 *** markvoelker has quit IRC
00:02 *** markvoelker has joined #openstack-keystone
00:04 <openstackgerrit> Steve Martinelli proposed openstack/keystone: Remove the sample config from the git tree  https://review.openstack.org/335236
00:13 *** fangxu has quit IRC
00:19 *** edmondsw has quit IRC
00:27 *** jefrite has joined #openstack-keystone
00:27 *** julim has quit IRC
00:34 *** tqtran has quit IRC
00:43 *** fangxu has joined #openstack-keystone
01:01 *** spzala has joined #openstack-keystone
01:06 *** spzala has quit IRC
01:10 <stevemar> anyone want to punt https://review.openstack.org/#/c/330822/2 through?
01:10 <patchbot> stevemar: patch 330822 - keystone - Use request.params instead of context['query_string']
01:17 *** mwheckmann has joined #openstack-keystone
01:18 *** gabriel-bezerra has quit IRC
01:18 *** ericksonsantos has quit IRC
01:18 *** clenimar has quit IRC
01:18 *** iurygregory has quit IRC
01:22 *** openstack has joined #openstack-keystone
01:27 *** raildo is now known as raildo-afk
01:27 *** raildo-afk is now known as raildo
01:28 *** ddieterly has quit IRC
01:30 *** EinstCrazy has joined #openstack-keystone
01:30 *** ericksonsantos has joined #openstack-keystone
01:30 *** clenimar has joined #openstack-keystone
01:31 *** tqtran has joined #openstack-keystone
01:31 *** iurygregory has joined #openstack-keystone
01:31 <jamielennox> i probably shouldn't
01:33 *** gabriel-bezerra has joined #openstack-keystone
01:34 *** wangqun has joined #openstack-keystone
01:35 <ayoung> stevemar, jamielennox I'll look
01:36 *** tqtran has quit IRC
01:36 <ayoung> I like +2ing things
01:37 <ayoung> jamielennox, what is  host = urllib.parse.unquote_plus(origin)
01:38 <jamielennox> ayoung: unquote_plus?
01:39 <ayoung> jamielennox, yeah,  was buried in that review
01:39 *** woodster_ has quit IRC
01:39 <notmorgan> jamielennox: some in-line comments +3 though
01:39 <ayoung> It just looks weird.  It was in the original
01:39 <notmorgan> cc stevemar ^
01:39 <jamielennox> ayoung: Like unquote(), but also replace plus signs by spaces, as required for unquoting HTML form values.
01:39 <ayoung> ah
01:39 <jamielennox> makes sense
01:40 <jamielennox> if that was in the review though it just got moved around
01:40 <jamielennox> notmorgan: thanks
01:40 <notmorgan> jamielennox: but the in-line comments should be looked at and addressed in a followup
01:40 <ayoung> jamielennox, have all the changes gone through for is_admin_project getting exposed to the services?
01:40 <notmorgan> mostly comments and fix your OMG WHY ARE WE WRITING TO THE DICT note
01:41 <jamielennox> ayoung: no, i still need someone core on oslo.context to approve the patch there
01:41 <ayoung> gah
01:41 <jamielennox> notmorgan: i replied to the comments from stevemar which overlap yours
01:41 <ayoung> OK...I'll beat people up on that
01:41 <notmorgan> hehe
01:41 <jamielennox> but i can do the fixups in code
01:42 <notmorgan> yeah. the pop one - just a cleanup/less code if you use pop(key, default)
01:42 <jamielennox> oh, the dict one - i've got no idea on that
01:42 <notmorgan> jamielennox: yeah we should work on fixing that
01:42 <jamielennox> it's either to prevent some subtle bug, or just a really dumb way to do things
01:42 <notmorgan> we should never write to the QS.
01:43 <notmorgan> in fact, we should make params a frozen object
01:43 <jamielennox> and those two things are hard to distinguish
01:43 <notmorgan> if we need domain_id passed through, pass it through directly, don't rely on QS state that was munged with after the request was parsed.
01:45 <jamielennox> ayoung: have you had a chance to look at the oslo.policy side of that and figure out what you want the rule to look like?
01:45 <ayoung> jamielennox, I figured just is_admin_project=True
01:46 <jamielennox> it'll work like that?
01:46 <ayoung> have not tested it, but there is not a way to specify namespace for context, I think it works by default
01:46 <ayoung> jamielennox, to be honest, I'll run it in the debugger once it merges and look
01:47 <ayoung> jamielennox, lets look at another rule for comparison
01:47 <jamielennox> ayoung: that's been my thing as well
01:47 *** ddieterly has joined #openstack-keystone
01:47 <jamielennox> passing a bool should be really simple to use, but i'm not really up to date on my policy language
01:48 <jamielennox> and i don't know who to bug from oslo
01:48 *** dan_nguyen has joined #openstack-keystone
01:48 <jamielennox> ayoung: did you get a saml env up?
01:49 <ayoung> jamielennox, I'm in TripHellO land with that
01:49 <jamielennox> ayoung: i spent like a full day on messing with ansible and cannot figure out how to install ipsilon, ipa, and keystone in apache on the same box
01:49 <ayoung> really?
01:49 <ayoung> that does not seem like it would be too bad
01:49 <ayoung> do Keystone last
01:49 *** TxGVNN has joined #openstack-keystone
01:49 <jamielennox> i know how to do it, but using the ipa-server-install and ipsilon-install just pollute the crap out of apache configs
01:50 <ayoung> Nah
01:50 <jamielennox> like those things should know how to co-exist
01:50 <ayoung> all Keystone needs beyond that is 2 files for virtual envs
01:50 <ayoung> they are on separate ports,  should not touch any other config
01:50 <jamielennox> ipa and ipsilon don't do vhosts
01:50 <ayoung> Does not matter
01:50 <ayoung> let them do what they want
01:51 <ayoung> then run Keystone on 5000 and 35357
01:51 *** dan_nguyen has quit IRC
01:51 <ayoung> you only need a vhost for them, leave IPA and Ipsilon as-is
01:53 <notmorgan> jamielennox: docker!
01:53 <jamielennox> won't that end up with everything exposed on all ports?
01:53 <jamielennox> notmorgan: yea, if i worked for redhat having a dockerized ipa and ipsilon would be on my priorities i think...
01:53 <ayoung> jamielennox, nope...I can paste the ones from the tripleo install one sec
01:54 <ayoung> jamielennox, http://paste.openstack.org/show/523872/
01:54 <notmorgan> jamielennox: if ipa/ipsilon only occupy port 80/443 in the vhost, then no.
01:54 <ayoung> jamielennox, try that
01:54 *** mwheckmann has quit IRC
01:55 <notmorgan> ayoung: don't you need a listen directive too somewhere?
01:55 <ayoung> notmorgan, yep. We put it in
01:55 <notmorgan> or is vhost with a port implicit listen?
01:55 <ayoung> /etc/httpd/conf/ports.conf
01:55 <ayoung> Listen 192.0.2.1:35357
01:55 <ayoung> Listen 192.0.2.1:5000
01:55 <ayoung> Listen 80
01:55 <ayoung> Listen 8042
01:55 <ayoung> Let me see what the IPA server has
01:57 <ayoung> nss.conf has Listen 443
01:57 <ayoung> so I think it can go anywhere.  Put it at the top of
01:57 <ayoung> /etc/httpd/conf.d/10-keystone_wsgi_admin.conf
01:59 *** mwheckmann has joined #openstack-keystone
02:01 <jamielennox> ok, i'll have another look at that
02:02 <jamielennox> this is where i started talking to you about official ansible stuff for deploying IPA
02:02 *** EinstCra_ has joined #openstack-keystone
02:03 *** spzala has joined #openstack-keystone
02:04 *** ddieterly has quit IRC
02:05 *** davechen has joined #openstack-keystone
02:05 *** EinstCrazy has quit IRC
02:06 *** shewless has quit IRC
02:08 *** spzala has quit IRC
02:13 <ayoung> jamielennox, is there such a beast?
02:13 *** fangxu has quit IRC
02:14 <ayoung> I know the RH CI team is starting to check roles into individual repos, complete with setuptool support
02:14 <ayoung> https://github.com/redhat-openstack/ansible-role-tripleo-inventory  for example is the inventory
02:19 <openstackgerrit> Merged openstack/keystone: Revert "Install necessary files in etc/"  https://review.openstack.org/326152
02:20 <ayoung> jamielennox, wrote this a long time ago...not sure if you would find it helpful http://adam.younglogic.com/2014/04/nss-horizon/
02:20 <openstackgerrit> Ron De Rose proposed openstack/keystone: Concrete role assignments for federated users  https://review.openstack.org/284943
02:20 <jamielennox> ayoung: sorry, was elsewhere
02:20 <jamielennox> ayoung: no there is no such beast - i would like there to be though
02:21 <ayoung> jamielennox, NP...I'm kind of in and out
02:21 <ayoung> jamielennox, that is what I am saying...write it as a stand alone role
02:22 <ayoung> they end up putting the roles under /usr/local/share/ansible/roles and there is a config option that you set that tells ansible to look for roles there
02:23 <jamielennox> ayoung: so ipsilon would probably be not that hard because ipsilon-install is not that complicated
02:23 <jamielennox> ayoung: ipa install would be difficult and it would really need to be maintained by someone close to it
02:23 <ayoung> yeah
02:24 <ayoung> the thing about IPA is the need for a FQDN that resolves
02:24 <openstackgerrit> Ron De Rose proposed openstack/keystone: Concrete role assignments for federated users  https://review.openstack.org/284943
02:24 <ayoung> undercloud.ayoung-dell-t1700.test
02:24 <jamielennox> ayoung: you can always just make that required to the role
02:24 <jamielennox> or default to ansible_fqdn
02:25 <ayoung> yeah...and script the conversion from FQDN to REALM for IPA
02:25 <ayoung> beyond that, IPA install is pretty easy
02:25 <jamielennox> yea, that's not hard to do
02:25 <ayoung> http://adam.younglogic.com/2015/06/install-freeipa-ansible/
02:26 <jamielennox> ayoung: there is a lot of apache config and stuff that gets dropped
02:26 <jamielennox> ayoung: then there's dogtag conf which means java, and other stuff
02:26 <jamielennox> and figuring out how to scale it, like LDAP on a different box
02:26 <ayoung> yeah, but ipa-server-install covers all that
02:26 <ayoung> the Java stuff comes in via packaging
02:26 <ayoung> replication is part of IPA
02:27 <jamielennox> in my mind this is a replacement for ipa-server-install
02:27 <ayoung> Heh
02:27 <jamielennox> hence, difficult
02:27 <ayoung> You don't have enough time to redo that
02:27 <jamielennox> ayoung: right, and it's pointless unless someone from the IPA team is maintaining it
02:27 <ayoung> Just earlier today I said "I wonder what IPA server install would look like if we started it today.  Probably be in ansible"
02:29 <ayoung> jamielennox, look in email at the thread titled Re: [openstack-dev] [cinder] [keystone] cinder quota behavior differences after Keystone mitaka upgrade
02:29 <ayoung> I think it might be a context issue?
02:29 <ayoung> nah, forget it
02:29 <ayoung> not in the token nor oslo-context
02:30 <jamielennox> looking at -dev is on my immediate todo :)
02:30 <jamielennox> there's a message there about the cross project policy that i haven't seen to and procrastinating on
02:31 <jamielennox> ayoung: sigh, yea, that seems like we broke an API
02:32 *** raddaoui has joined #openstack-keystone
02:34 <jamielennox> but i think it might be something cinder has to figure out
02:34 *** spzala has joined #openstack-keystone
02:37 *** code-R has joined #openstack-keystone
02:48 *** sheel has joined #openstack-keystone
02:48 *** bj0rnar has quit IRC
02:48 <openstackgerrit> Merged openstack/keystone: Use request.params instead of context['query_string']  https://review.openstack.org/330822
02:50 *** bj0rnar has joined #openstack-keystone
03:02 *** gyee has quit IRC
03:07 *** jamielennox is now known as jamielennox|away
03:07 *** jamielennox|away is now known as jamielennox
03:09 *** rderose has quit IRC
03:15 *** richm has quit IRC
03:15 *** rderose has joined #openstack-keystone
03:22 *** diazjf has joined #openstack-keystone
03:24 *** diazjf has quit IRC
03:26 *** imcsk8 has quit IRC
03:26 *** imcsk8 has joined #openstack-keystone
03:26 *** diazjf has joined #openstack-keystone
03:32 *** tqtran has joined #openstack-keystone
03:33 *** mwheckmann has quit IRC
03:35 *** TxGVNN has quit IRC
03:36 *** tqtran has quit IRC
03:42 *** spzala has quit IRC
03:43 *** spzala has joined #openstack-keystone
03:43 *** rderose has quit IRC
03:47 *** spzala has quit IRC
03:49 *** diazjf has quit IRC
03:58 *** TxGVNN has joined #openstack-keystone
04:00 *** roxanaghe has joined #openstack-keystone
04:01 *** gnuoy has quit IRC
04:22 *** links has joined #openstack-keystone
04:26 *** roxanaghe has quit IRC
04:28 *** dan_nguyen has joined #openstack-keystone
04:31 *** markvoelker has quit IRC
04:34 *** code-R has quit IRC
04:35 *** dan_nguyen has quit IRC
04:43 *** spzala has joined #openstack-keystone
04:48 *** spzala has quit IRC
04:50 *** browne has quit IRC
04:53 *** rcernin has joined #openstack-keystone
04:58 *** pcaruana has quit IRC
04:59 *** roxanaghe has joined #openstack-keystone
05:01 *** dan_nguyen has joined #openstack-keystone
05:01 *** spzala has joined #openstack-keystone
05:06 *** spzala has quit IRC
05:06 *** dan_nguyen has quit IRC
05:06 *** M00nr41n has quit IRC
05:09 *** code-R has joined #openstack-keystone
05:10 *** dan_nguyen has joined #openstack-keystone
05:12 *** code-R_ has joined #openstack-keystone
05:15 *** code-R has quit IRC
05:15 *** darosale has joined #openstack-keystone
05:17 *** code-R has joined #openstack-keystone
05:17 *** code-R_ has quit IRC
05:17 *** code-R has quit IRC
05:28 *** dan_nguyen has quit IRC
05:32 *** markvoelker has joined #openstack-keystone
05:32 *** vgridnev_ has joined #openstack-keystone
05:33 *** rcernin has quit IRC
05:35 *** GB21 has joined #openstack-keystone
05:37 *** markvoelker has quit IRC
05:43 *** roxanaghe has quit IRC
05:44 *** GB21 has quit IRC
05:55 *** EinstCra_ has quit IRC
05:57 *** EinstCrazy has joined #openstack-keystone
06:02 *** spzala has joined #openstack-keystone
06:04 *** davechen has quit IRC
06:05 *** davechen has joined #openstack-keystone
06:06 *** rcernin has joined #openstack-keystone
06:07 *** spzala has quit IRC
06:08 *** chrisshattuck has quit IRC
06:08 *** M00nr41n has joined #openstack-keystone
06:09 *** henrynash has joined #openstack-keystone
06:09 *** ChanServ sets mode: +v henrynash
06:10 *** ygl has joined #openstack-keystone
06:10 <ygl> Hi All
06:11 <ygl> is there anyone here ?
06:13 *** GB21 has joined #openstack-keystone
06:13 <ygl> i need some hep with keystone
06:13 <ygl> *help
06:13 <ygl> can anyone help me please ?
06:16 *** pcaruana has joined #openstack-keystone
06:19 *** pcaruana is now known as pcaruana|afk|
06:22 *** M00nr41n has quit IRC
06:23 *** M00nr41n has joined #openstack-keystone
06:33 *** markvoelker has joined #openstack-keystone
06:33 *** M00nr41n has quit IRC
06:34 *** aloga_ has joined #openstack-keystone
06:34 *** M00nr41n has joined #openstack-keystone
06:35 *** pnavarro has joined #openstack-keystone
06:37 *** markvoelker has quit IRC
06:41 *** pnavarro has quit IRC
06:49 *** pcaruana|afk| is now known as pcaruana
06:53 *** aloga_ has quit IRC
06:53 *** jed56 has joined #openstack-keystone
06:54 *** TxGVNN has quit IRC
06:56 *** belmoreira has joined #openstack-keystone
06:57 *** raddaoui has quit IRC
07:03 <pcaruana> ygl, exactly what kind of deployment you have? broker? load balancers? are the commands timing out always against the same controller node?
07:03 *** spzala has joined #openstack-keystone
07:03 <ygl> pcaruana: it's a ha proxy
07:04 <ygl> pcaruana: DEBUG:keystoneclient.session:Request returned failure status: 500
07:04 <ygl> pcaruana: but it is working sometimes
07:04 *** jpena|off is now known as jpena
07:05 <pcaruana> ygl. if you simplify the test against one particular node.. including just curling the request, do you observe the same issue?  what broker you are using? to be sure the messages are being consumed.
07:05 <ygl> pcaruana: how to check the broker
07:06 <ygl> pcaruana: the curl is giving empty results
07:07 <pcaruana> broker is what is used for the amqp.. rabbitmq or similar
07:07 <ygl> pcaruana: it is rabbitmq
07:08 *** spzala has quit IRC
07:09 *** tesseract- has joined #openstack-keystone
07:09 <pcaruana> ygl if you can use a pastebin kind.. are you getting the 500 exceptions using OS_TOKEN variables? having a pastebin for the basic configuration and the rabbitmqctl report can give an idea.. also confirming this was working before for you or it's just a new deployment that never worked?
07:10 *** amoralej|off is now known as amoralej
07:13 <ygl> pcaruana: it's a new deployment
07:14 <openstackgerrit> Shan Guo proposed openstack/keystone: API Change Tutorial doc code modify  https://review.openstack.org/335341
07:14 *** danpawlik has joined #openstack-keystone
07:16 *** imcsk8 has quit IRC
07:16 *** imcsk8 has joined #openstack-keystone
07:17 *** tlbr has quit IRC
07:19 *** tlbr has joined #openstack-keystone
07:22 *** darosale has quit IRC
07:24 <pcaruana> ygl http://pastebin.com/rYHidmDj
07:25 <ygl> pcaruana: the curl is not giving any output
07:27 <openstackgerrit> Andreas Jaeger proposed openstack/python-keystoneclient: Update other-requirements.txt for Xenial  https://review.openstack.org/335345
07:29 <openstackgerrit> Andreas Jaeger proposed openstack/keystone: Update other-requirements for Xenial  https://review.openstack.org/335346
07:30 *** GB21 has quit IRC
07:33 *** henrynash has quit IRC
07:34 *** markvoelker has joined #openstack-keystone
07:34 <pcaruana> ygl is really the admin token working for you? if you are not able to do a simple keystone --debug token-get. check both env| grep -i os for confirming your variables .. when failing the most simple things are.. user not exist, password is wrong, default tenant is not a valid one.. the admin token  is a better way  openstack --os-token ADMIN --os-url.. still assuming your configuration is ok (backends, passwords, etc), and the db
07:34 <pcaruana> was created and synced correctly.. without having outputs we are just guessing about it
07:35 <ygl> pcaruana: but it is working once in 6 times. i am getting the output
07:37 <pcaruana> ygl, well bypassing the haproxy is a good test to isolate the cause, like having one particular node slower than others
07:38 <ygl> pcaruana: ok
07:38 *** markvoelker has quit IRC
07:39 *** EinstCrazy has quit IRC
07:40 *** EinstCrazy has joined #openstack-keystone
07:49 <pcaruana> ygl, unfortunately there is no shortcut as being the difference game. you need to track all the keystone nodes, who is processing correctly the request and comparing against the other ones..
07:50 <pcaruana> something has to be different between the good request and the others.
07:50 <ygl> pcaruana: ok
07:51 <ygl> pcaruana: thanks for your help
07:51 *** ygl has quit IRC
07:52 *** EinstCrazy has quit IRC
07:53 *** pnavarro has joined #openstack-keystone
07:53 *** EinstCrazy has joined #openstack-keystone
07:56 <openstackgerrit> OpenStack Proposal Bot proposed openstack/oslo.policy: Imported Translations from Zanata  https://review.openstack.org/335350
07:57 <openstackgerrit> Dave Chen proposed openstack/keystone: API Change Tutorial doc code modify  https://review.openstack.org/335341
08:00 *** zzzeek has quit IRC
08:00 *** tlbr has quit IRC
08:00 *** zzzeek has joined #openstack-keystone
08:00 *** tqtran has joined #openstack-keystone
08:02 *** mvk has joined #openstack-keystone
08:03 *** tlbr has joined #openstack-keystone
08:04 *** tlbr has quit IRC
08:04 *** spzala has joined #openstack-keystone
08:05 *** tqtran has quit IRC
08:07 *** tlbr has joined #openstack-keystone
08:08 *** vgridnev_ has quit IRC
08:10 *** spzala has quit IRC
08:10 <openstackgerrit> Davanum Srinivas (dims) proposed openstack/keystone: [WIP] Testing latest u-c  https://review.openstack.org/318435
08:15 *** davechen has left #openstack-keystone
08:29 *** wanghua has joined #openstack-keystone
08:31 *** GB21 has joined #openstack-keystone
08:34 *** markvoelker has joined #openstack-keystone
08:38 *** real56 has joined #openstack-keystone
08:38 *** markvoelker has quit IRC
08:39 *** dmk0202 has joined #openstack-keystone
08:46 *** maestropandy has joined #openstack-keystone
09:04 *** chlong has quit IRC
09:06 *** spzala has joined #openstack-keystone
09:08 *** pece has joined #openstack-keystone
09:10 *** EinstCrazy has quit IRC
09:11 *** spzala has quit IRC
09:11 *** EinstCrazy has joined #openstack-keystone
09:12 *** imcsk8 has quit IRC
09:12 *** imcsk8 has joined #openstack-keystone
09:14 *** EinstCra_ has joined #openstack-keystone
09:16 *** spzala has joined #openstack-keystone
09:17 *** real56 has quit IRC
09:17 *** chlong has joined #openstack-keystone
09:17 *** EinstCrazy has quit IRC
09:20 *** spzala has quit IRC
09:31 *** EinstCra_ has quit IRC
09:31 *** EinstCrazy has joined #openstack-keystone
09:35 *** GB21 has quit IRC
09:35 *** mvk has quit IRC
09:36 *** mvk has joined #openstack-keystone
09:53 *** GB21 has joined #openstack-keystone
10:11 *** nisha_ has joined #openstack-keystone
10:16 *** spzala has joined #openstack-keystone
10:17 *** janonymous has joined #openstack-keystone
10:17 <janonymous> hello
10:18 <janonymous> when i deleted my trust entry from keystone database and ran `db sync` tables were not recreated again.. how can i create them
10:18 <janonymous> ?
10:21 <janonymous> @dstanek: ping
10:21 *** nisha__ has joined #openstack-keystone
10:22 *** spzala has quit IRC
10:22 *** TxGVNN has joined #openstack-keystone
10:25 *** nisha_ has quit IRC
10:34 *** wangqun has quit IRC
10:36 *** markvoelker has joined #openstack-keystone
10:37 *** LarsErikP has joined #openstack-keystone
10:38 *** GB21 has quit IRC
10:39 <LarsErikP> hi! Does anyone have experience with using a large AD as LDAP backend in keystone? I've created a keystone domain with Active Directory as backend, and I've synced in over 100.000 users. I'm having issues with user listing...
10:39 <openstackgerrit> Jamie Lennox proposed openstack/keystone: Implement Views and convert credentials  https://review.openstack.org/335423
10:40 <LarsErikP> i.e "openstack user list --domain MY-AD" takes forever, and will eventually timeout and/or pretty much eat all the RAM in my server :-/
10:40 <LarsErikP> same goes for user listing in horizon
10:40 *** markvoelker has quit IRC
10:40 <dstanek> janonymous: pong
10:41 <dstanek> LarsErikP: IIRC using listing with LDAP isn't a good thing; i don't use LDAP all that much though
10:44 <LarsErikP> dstanek: it's not that i really need to list users that often, but i.e project creation in horizon is impossible, because it tries to list all users in the LDAP catalog..
10:44 *** bjornar_ has joined #openstack-keystone
10:46 *** jefrite has quit IRC
10:48 *** GB21 has joined #openstack-keystone
10:55 *** EinstCrazy has quit IRC
11:18 *** spzala has joined #openstack-keystone
11:23 *** spzala has quit IRC
11:25 <janonymous> dstanek: I deleted trust with curl but the entry was still not deleted from database, so i manually dropped the trust table but after running db_sync tables were not recreated
11:25 <dstanek> janonymous: you dropped the whole table instead of deleting the record?
11:26 <dstanek> janonymous: tables won't be recreated by the sync. it remembers the revision of the schema that you are currently on and runs migrations to bring it up to date.
11:28 <janonymous> dstanek: Ohkay i understand my mistake, i created the schema manually for now, but can you tell me a proper way to do it ..
11:28 *** rodrigods has quit IRC
11:28 *** rodrigods has joined #openstack-keystone
11:29 <janonymous> i mean recreate table now..
11:34 *** ddieterly has joined #openstack-keystone
11:37 *** markvoelker has joined #openstack-keystone
11:38 <janonymous> dstanek: Thanks! , have to leave now...
11:41 *** markvoelker has quit IRC
11:41 *** ddieterly has quit IRC
11:43 *** ayoung has quit IRC
11:47 *** fifieldt has quit IRC
11:48 <jamielennox> henrynash_: what do you think about doing your pass request to response builder like: https://review.openstack.org/335423
11:50 *** ddieterly has joined #openstack-keystone
11:50 * jamielennox disappears
11:51 <dstanek> janonymous: maybe restore from backup?
11:51 <dstanek> janonymous: keystone doesn't provide disaster recovery tools
11:52 *** nisha_ has joined #openstack-keystone
11:56 *** nisha__ has quit IRC
12:02 *** fifieldt has joined #openstack-keystone
12:02 *** tqtran has joined #openstack-keystone
12:03 <EmilienM> stevemar: https://bugs.launchpad.net/python-openstackclient/+bug/1597246
12:03 <openstack> Launchpad bug 1597246 in python-openstackclient "User show fails with "--domain default" after https://review.openstack.org/#/c/311206/" [Undecided,New]
12:05 *** nisha__ has joined #openstack-keystone
12:05 *** pece has quit IRC
12:05 <stevemar> EmilienM: thank you for the bug, i'll start peeking into it today
12:06 *** tqtran has quit IRC
12:06 *** nisha_ has quit IRC
12:07 *** ddieterly has quit IRC
12:08 *** markvoelker has joined #openstack-keystone
12:08 *** GB21 has quit IRC
12:11 *** wangqun has joined #openstack-keystone
12:11 *** GB21 has joined #openstack-keystone
12:17 *** pnavarro has quit IRC
12:19 *** samueldmq has joined #openstack-keystone
12:19 *** ChanServ sets mode: +v samueldmq
12:19 *** spzala has joined #openstack-keystone
12:19 <samueldmq> good morning keystone
12:19 <stevemar> o/
12:20 <samueldmq> stevemar: o/
12:20 *** nisha__ has quit IRC
12:22 *** nisha__ has joined #openstack-keystone
12:24 *** spzala has quit IRC
12:24 *** nisha__ is now known as nisha_
12:24 <nisha_> samueldmq, morning
12:24 <samueldmq> nisha_: morning, how are you ?
12:25 <samueldmq> nisha_: I am looking at your patches now :-)
12:30 *** ddieterly has joined #openstack-keystone
12:31 *** pnavarro has joined #openstack-keystone
12:37 *** gordc has joined #openstack-keystone
12:41 *** ddieterly is now known as ddieterly[away]
12:41 *** amoralej is now known as amoralej|lunch
12:44 <aloga> samueldmq: hi there
12:44 <aloga> samueldmq: yesterday I was out of the office when you replied to me :(
12:45 <samueldmq> aloga: hi
12:45 <aloga> samueldmq: "samueldmq | aloga: so is it wrong setting scope=profile as the default for all those 3 classes?"
12:45 <aloga> samueldmq: yes
12:45 <aloga> the correct should be, at least, "openid"
12:46 <samueldmq> aloga: so there is a bug ?
12:47 <aloga> samueldmq: no
12:47 <aloga> samueldmq: at least, all the providers I have tested give a valid response to a "scope='profile'"
12:47 *** jsavak has joined #openstack-keystone
12:47 <aloga> even if the standard says that the "openid" scope is mandatory
12:48 <samueldmq> aloga: what if we change the default to openid ?
12:48 <samueldmq> aloga: what would that change to others ? would that break anything ?
12:48 *** edmondsw has joined #openstack-keystone
12:49 <aloga> samueldmq: I would say "openid profile"
12:49 <samueldmq> aloga: sure
12:49 <samueldmq> aloga: do we expect that to break something ?
12:50 <aloga> samueldmq: I don't think so
12:50 <aloga> samueldmq: AFAIK, the "openid" scope only means that the request is going to be an "openid" request
12:51 <samueldmq> aloga: what if we: i) open a bug saying even though the behavior is correct, we're not following the specs
12:51 <samueldmq> ii) change the default scope to 'openid scope' in that patch (so all 3 classes get that ) ?
12:51 <aloga> samueldmq: yes, that's perfect
12:52 *** wangqun has quit IRC
12:52 <samueldmq> aloga: nice, thanks!
12:53 *** EinstCrazy has joined #openstack-keystone
12:53 <aloga> samueldmq: however, I do not know what to do with users not providing "openid" on their scope
12:53 <aloga> samueldmq: i.e. a user doing scope='email' instead of scope='openid email'
12:53 <aloga> samueldmq: should we allow the former, or raise an error?
12:54 <aloga> samueldmq: adhering to the OpenID specification, "openid" MUST be present, otherwise the behaviour of the server is unspecified: it may work but it may fail as well
12:54 <samueldmq> aloga: unfortunately I don't have a lot of knowledge on openid :(
12:55 <samueldmq> aloga: I think we could get a good feedback from stevemar and jamielennox
12:55 <aloga> samueldmq: IMO we should allow the user to pass whatever scope they want, if the server copes with it, that's fine, if the server returns an error, we return it to the user
12:56 <samueldmq> aloga: looks good, we should keep supporting what we have today
12:56 <aloga> samueldmq: great
12:56 <samueldmq> aloga: if one specifies scope='profile' it's okay, as it is today
12:56 <samueldmq> aloga: scope='email', the same
12:56 <aloga> samueldmq: yes, great
12:56 <samueldmq> aloga: if they specify scope='openid profile' or scope='openid email', that should work too
12:56 <aloga> we're on the same track then
12:57 <samueldmq> cool
12:57 <samueldmq> brb
12:58 *** rderose has joined #openstack-keystone
12:58 *** samueldmq has quit IRC
13:01 *** richm has joined #openstack-keystone
13:02 *** GB21 has quit IRC
13:05 *** woodster_ has joined #openstack-keystone
13:06 *** real56 has joined #openstack-keystone
13:07 *** real56 has left #openstack-keystone
13:07 <openstackgerrit> Merged openstack/keystone: API Change Tutorial doc code modify  https://review.openstack.org/335341
13:08 <stevemar> i'm thinking about just pushing in the API ref changes
13:08 *** pauloewerton has joined #openstack-keystone
13:09 <openstackgerrit> Merged openstack/python-keystoneclient: Update other-requirements.txt for Xenial  https://review.openstack.org/335345
13:10 *** samueldmq has joined #openstack-keystone
13:10 *** ChanServ sets mode: +v samueldmq
13:11 *** spzala has joined #openstack-keystone
13:11 *** M00nr41n has quit IRC
13:17 *** code-R has joined #openstack-keystone
13:17 *** nisha__ has joined #openstack-keystone
13:17 *** lamt has joined #openstack-keystone
13:17 *** sdake has joined #openstack-keystone
13:20 <openstackgerrit> Merged openstack/oslo.policy: Imported Translations from Zanata  https://review.openstack.org/335350
*** nisha_ has quit IRC13:21
*** code-R_ has joined #openstack-keystone13:21
*** sdake_ has joined #openstack-keystone13:22
*** sdake has quit IRC13:22
openstackgerritAlvaro Lopez Garcia proposed openstack/keystoneauth: WIP - oidc: fix OpenID Connect authorization code grant_type  https://review.openstack.org/33000613:22
openstackgerritAlvaro Lopez Garcia proposed openstack/keystoneauth: oidc: fix OpenID scope management  https://review.openstack.org/33046313:22
openstackgerritAlvaro Lopez Garcia proposed openstack/keystoneauth: oidc: add discovery document support  https://review.openstack.org/33046413:22
openstackgerritAlvaro Lopez Garcia proposed openstack/keystoneauth: oidc: remove grant_type argument  https://review.openstack.org/33046513:22
*** code-R has quit IRC13:24
*** ddieterly has joined #openstack-keystone13:24
openstackgerritMerged openstack/keystone: Update other-requirements for Xenial  https://review.openstack.org/33534613:26
*** sdake has joined #openstack-keystone13:26
*** sdake_ has quit IRC13:27
*** henrynash has joined #openstack-keystone13:32
*** ChanServ sets mode: +v henrynash13:32
*** samueldmq has quit IRC13:34
*** links has quit IRC13:36
*** haneef has joined #openstack-keystone13:36
*** amoralej|lunch is now known as amoralej13:37
*** gordc has quit IRC13:38
*** ddieterly is now known as ddieterly[away]13:40
*** code-R_ has quit IRC13:41
*** code-R has joined #openstack-keystone13:41
*** ayoung has joined #openstack-keystone13:42
*** ChanServ sets mode: +v ayoung13:42
*** ayoung has quit IRC13:42
*** ayoung has joined #openstack-keystone13:42
*** ChanServ sets mode: +v ayoung13:42
*** jaugustine has joined #openstack-keystone13:44
*** raddaoui has joined #openstack-keystone13:54
*** ddieterly[away] is now known as ddieterly13:55
*** ametts has joined #openstack-keystone13:56
*** samueldmq has joined #openstack-keystone13:57
*** ChanServ sets mode: +v samueldmq13:57
*** pece has joined #openstack-keystone14:01
*** ravelar159 has joined #openstack-keystone14:03
*** jaugustine has quit IRC14:03
*** henrynash has quit IRC14:05
*** nisha__ is now known as nisha_14:06
*** ravelar159 has quit IRC14:07
*** ravelar159 has joined #openstack-keystone14:07
*** chrisshattuck has joined #openstack-keystone14:07
openstackgerritDavid Stanek proposed openstack/keystone: Remove test_backend_ldap skips for missing tests  https://review.openstack.org/33551414:10
openstackgerritDavid Stanek proposed openstack/keystone: Adds a skip method to identify useless skips  https://review.openstack.org/33551514:10
openstackgerritDavid Stanek proposed openstack/keystone: Use skip_test_overrides in test_backend_ldap  https://review.openstack.org/33551614:10
openstackgerritDavid Stanek proposed openstack/keystone: Updated tests that claimed to be blocked by bugs  https://review.openstack.org/33551714:10
*** nkinder has joined #openstack-keystone14:11
*** henrynash has joined #openstack-keystone14:11
*** ChanServ sets mode: +v henrynash14:11
*** ddieterly is now known as ddieterly[away]14:12
*** tonytan4ever has joined #openstack-keystone14:12
breton_rderose: i am afraid that https://review.openstack.org/#/c/284943/ is again -114:13
patchbotbreton_: patch 284943 - keystone - Concrete role assignments for federated users14:13
breton_(who uses my nick? let me kick him...)14:14
rderosebreton_: of course :)14:15
rderosebreton_: what's the problem?14:15
*** ravelar_159 has joined #openstack-keystone14:15
*** breton_ is now known as breton14:15
*** woodburn has quit IRC14:15
bretonthat's better14:15
bretonrderose: group role assignment are broken14:16
*** sdake has quit IRC14:16
rderosebreton: hmm... can you describe the test case?14:17
*** sdake has joined #openstack-keystone14:17
*** sdake has quit IRC14:17
*** ravelar159 has quit IRC14:18
bretonrderose: http://paste.openstack.org/show/524058/ mapping14:18
bretonrderose: openstack role add --group remote_people --group-domain Default --domain Default admin14:19
bretonrderose: openstack role add --group remote_people --group-domain Default --project admin admin14:19
breton(i've issued role add for both domain and project to be sure, this is not test case specific)14:19
*** sdake has joined #openstack-keystone14:19
bretonrderose: and horizon gives me ""14:20
bretonLogin failed: Unable to retrieve authorized projects.14:20
*** ddieterly[away] is now known as ddieterly14:20
*** nisha_ has quit IRC14:21
rderosebreton: but no issues via the cli?14:21
*** mwheckmann has joined #openstack-keystone14:21
bretonrderose: in keystone log there is http://paste.openstack.org/show/524059/14:21
*** nisha_ has joined #openstack-keystone14:22
bretonrderose: i have not tested via cli and probably will not -- i don't have a ECP-enabled idp configured.14:22
bretonnow let me check if concrete role assignment works14:23
rderosebreton: okay, thanks14:23
bretonrderose: http://paste.openstack.org/show/524062/ is this expected?14:25
*** henrynash has quit IRC14:27
rderosebreton: are you talking about this message > 'No user with a name or ID of 'bbobrov@mirantis.com' exists.'14:27
openstackgerritMartin Schuppert proposed openstack/keystone: Verify domain_id when get_domain is being called  https://review.openstack.org/33156714:27
bretonrderose: yes14:28
bretonrderose: i see this message even though the name is in the list14:28
*** shauavik has joined #openstack-keystone14:29
shauavikHi I am looking for some help with setting up keystone using https (ssl)14:29
shauavikI really cannot find any document that lays out how to do it14:30
rderosebreton: and 'bbobrov@mirantis.com' is a federated user?14:30
*** dan_nguyen has joined #openstack-keystone14:30
bretonrderose: yes.14:30
bretonrderose: i was able to create the assignment by specifying id, but it doesn't work by name.14:31
*** jorge_munoz has joined #openstack-keystone14:32
dstanekshauavik: have you setup apache to use SSL?14:32
rderosebreton: hmm...  it should work by using the display name, which is your email address, right?14:32
bretonrderose: yep14:32
rderosebreton: okay, I'll dig into that as well14:33
shauavikNo I have not14:34
*** jsavak has quit IRC14:34
shauavikI am looking for steps to set it up14:34
dstanekshauavik: apache ssl?14:35
shauavikno14:35
dstanekshauavik: how are you running keystone?14:35
shauavikthe complete thing like all services and apache on ssll is required that too14:35
shauavikI have test setup on a single node14:36
*** maestropandy has quit IRC14:36
shauavikRDO setup14:36
dstanekshauavik: the first step is to get things running behind apache using SSL14:36
shauavikok14:36
shauavikso before even adding a keystone endpoint, I will have to setup apache to use ssl14:37
dstanekthen you have to make sure your catalog is updated if you change services from http to https14:37
*** jsavak has joined #openstack-keystone14:37
shauavikok14:37
bretonrderose: here is the full trace if you want: http://paste.openstack.org/show/524068/14:37
dstanekshauavik: doesn't matter all that much. just get it running behind apache14:38
bretonrderose: osc trace i mean14:38
shauavikok14:39
shauavikthanks +dstanek14:40
shauavikI will first try setting apache with ssl and then move ahead14:41
dstanekshauavik: you're welcome14:41
bretonrderose: i tried removing group role assignment and left only the concrete one. Still getting ""14:41
bretonLogin failed: Unable to retrieve authorized projects.14:41
bretondammit, when will i learn that pasting doesn't work.14:42
rderosebreton: hmm... and policy.json should have changed from 'identity:list_projects_for_groups' to 'identity:list_projects_for_user'14:43
rderosebreton: so that is probably not it14:44
*** aloga_ has joined #openstack-keystone14:45
bretonrderose: maybe that's the reason. I have not updated /etc/keystone/policy.json.14:45
bretonrderose: let me check14:45
rderosebreton: yeah, try that14:45
*** henrynash has joined #openstack-keystone14:46
*** ChanServ sets mode: +v henrynash14:46
rderosebreton: for both projects and domains 'identity:list_domains_for_groups' to 'identity:list_domains_for_user'14:46
* breton remembers recent rant by notmorgan about code-as-config14:48
*** jorge_munoz_ has joined #openstack-keystone14:48
*** jorge_munoz has quit IRC14:48
*** jorge_munoz_ is now known as jorge_munoz14:48
*** ravelar_159 has quit IRC14:48
bretonrderose: it worked!14:51
rderosebreton: awesome!!!14:51
bretonrderose: both concrete and group assignments14:51
bretonso the only issue is inability to create an assignment by name14:51
rderosebreton: sweet!!!14:51
*** bjornar_ has quit IRC14:52
rderosebreton: okay, will dig into that14:52
*** nkinder has quit IRC14:52
rderosebreton: thanks for all your help on testing this btw (and patience) :)14:52
*** KevinE has joined #openstack-keystone14:55
bretonrodrigods: stevemar: what's your opinion on the fact that merging concrete role assignments will require editing policy.json file on existing installation?14:57
rodrigodsbreton, that's tricky14:58
rodrigodsi have the same concern14:58
rodrigodsbut not sure if it is ok since it has a release note14:58
openstackgerritDolph Mathews proposed openstack/keystone: Improve keystone.conf [credential] documentation  https://review.openstack.org/33470214:59
openstackgerritDolph Mathews proposed openstack/keystone: Improve keystone.conf [domain_config] documentation  https://review.openstack.org/33554514:59
*** ravelar159 has joined #openstack-keystone15:00
*** timcline has joined #openstack-keystone15:01
openstackgerritAlexander Makarov proposed openstack/keystone: Performance oriented functional test for HMT  https://review.openstack.org/33514415:05
openstackgerritAlexander Makarov proposed openstack/keystone: Closure table for HMT  https://review.openstack.org/28552115:06
stevemarbreton: i think that is OK, usually ops go through that on upgrade15:07
stevemarbreton: whats the result of `openstack role assignment list --names` for http://paste.openstack.org/show/524079/15:08
*** danpawlik has quit IRC15:08
stevemarbreton: it may be that we need to enhance the lookup code to work for federated user name15:10
stevemarbreton: rderose if we really want to be careful with the policy file thing... we could always add 2 new lines and keep the old ones15:10
stevemarand have list_projects_for_group point to list_projects_for_user15:11
rderosebreton rodrigods stevemar: the error 'No user with a name or ID of 'bbobrov@mirantis.com' exists.', I believe is because get_user_by_name method is not pulling the federated displayname15:11
*** chrisshattuck has quit IRC15:11
openstackgerritAlexander Makarov proposed openstack/keystone: Performance oriented functional test for HMT  https://review.openstack.org/33514415:11
rderosebreton rodrigods stevemar: but as breton points out, it does work successfully with ID15:11
*** tesseract- has quit IRC15:12
rderosebreton rodrigods stevemar: I'm okay with the policy.json change because those methods are really pointing to deprecated API methods. And if an operator is not using those API methods, that wouldn't be impacted by the change.15:12
*** chrisshattuck has joined #openstack-keystone15:13
rderosebreton rodrigods stevemar: I talked to dolphm regarding this and he was in favor of making the name changes15:13
*** rcernin has quit IRC15:14
rderosestevemar: add 2 lines and keep the old methods?15:14
*** sheel has quit IRC15:15
rderosestevemar: I think we should just change it.  It could be confusing later on if we keep it (maybe)15:16
*** catintheroof has joined #openstack-keystone15:16
*** pcaruana has quit IRC15:17
rodrigodsrderose, hmm interesting bug on get project by name15:17
rodrigodsuser*15:17
rodrigodssignal we need another test :)15:17
catintheroofguys, quick question, in keystone, does anyone know (i didn't look at the code) if the userid hash when using LDAP driver for identity uses the domainid that the user belongs to to build it ?15:18
rderoserodrigods: yep15:19
rderoserodrigods: it never ends :)15:19
rderoserodrigods: but we are getting close :)15:19
openstackgerritwerner mendizabal proposed openstack/keystone: Support encryption of credentials in Keystone  https://review.openstack.org/31716915:21
*** marekd has joined #openstack-keystone15:24
*** gordc has joined #openstack-keystone15:25
*** ChanServ sets mode: +v marekd15:25
rderoserodrigods: yeah, this is going to be tough15:25
rderoserodrigods: domain and displayname are unique within the federated_user table, but searching for the displayname in the local_user table is problematic15:27
rderoserodrigods: this probably something we can solve when we implement account linking15:28
bknudson_I wrote a load tester using the twisted library -- https://github.com/brantlk/keystone_performance/blob/master/keystone_performance/load_test_twisted.py15:28
bknudson_seems to work pretty well.15:28
rderoserodrigods: you should not be inputting the displayname here: openstack role add --user '<displayname>' --project admin admin15:30
*** code-R has quit IRC15:30
rderoserodrigods: as this is intended to be the local username; not the federated displayname15:30
rderoserodrigods: what do you think?15:30
*** rcernin has joined #openstack-keystone15:31
*** code-R has joined #openstack-keystone15:31
*** pcaruana has joined #openstack-keystone15:32
*** darosale has joined #openstack-keystone15:34
*** code-R has quit IRC15:35
*** bjornar_ has joined #openstack-keystone15:42
*** belmoreira has quit IRC15:43
*** Nakato has quit IRC15:43
rderosestevemar rodrigods breton: left a comment here: https://review.openstack.org/#/c/284943/15:44
patchbotrderose: patch 284943 - keystone - Concrete role assignments for federated users15:44
rderosestevemar rodrigods breton: let me know what you think15:44
*** Nakato has joined #openstack-keystone15:45
*** david-lyle has quit IRC15:46
*** phalmos has joined #openstack-keystone15:46
*** sheel has joined #openstack-keystone15:49
*** bjornar_ has quit IRC15:52
rodrigodsrderose, looking15:53
catintheroofhi! does anyone know how keystone builds the user id if the identity backend is ldap ?15:54
rodrigodsrderose, can you point me to the federated user model? so i can understand what is "displayname"15:55
rderoserodrigods: sure, just a sec15:55
*** ravelar159 is now known as hi15:56
*** hi is now known as Guest2915315:56
*** Guest29153 is now known as jaceitr15:56
rodrigodscatintheroof, uuid.uuid4().hex15:56
rodrigodsit is the same way for SQL15:56
*** jaceitr is now known as ravelar15915:57
rodrigodsactually, this is done in the layer above15:57
rderoserodrigods: https://review.openstack.org/#/c/279162/15:57
patchbotrderose: patch 279162 - keystone - Shadow users - Shadow federated users (MERGED)15:57
*** ddieterly is now known as ddieterly[away]15:57
*** ravelar159 has quit IRC15:57
rderoserodrigods: displayname added as part of adding the federated_user table: https://review.openstack.org/#/c/279162/68/keystone/common/sql/migrate_repo/versions/094_add_federated_user_table.py15:58
patchbotrderose: patch 279162 - keystone - Shadow users - Shadow federated users (MERGED)15:58
catintheroofrodrigods, so ... if i use the same replicated LDAP all over the world with different keystone installations, but the assignment backend is local to that keystone, despite the identity backend, the user id will be different right ?15:58
*** ravelar159 has joined #openstack-keystone15:58
*** jacelc has joined #openstack-keystone15:58
*** ravelar159 has quit IRC15:58
*** jacelc has quit IRC15:58
*** phalmos has quit IRC15:59
rodrigodscatintheroof, if you use the same LDAP backend for identity, and local backends for assignment?15:59
catintheroofrodrigods, yeahp15:59
rodrigodsrderose, where "shadow_federated_user" is called?15:59
rodrigodscatintheroof, the user_id will be the same16:00
*** jaugustine has joined #openstack-keystone16:00
*** ddieterly[away] is now known as ddieterly16:01
rodrigodsrderose, found it16:01
catintheroofrodrigods, hmmm that doesn't happen in a lab with 3 keystones with local SQL assignment but pointing to the same openldap, the users are recognized to be part of the same domain (using domain specific drivers) but the user IDs are all different on 3 keystones16:01
catintheroofrodrigods, what could be the reason ? the domain names are the same on 3 keystones, but of course the domain ids are different because assignment are local to that keystone16:02
rderoserodrigods: cool, let me know if you have any questions16:03
*** tqtran has joined #openstack-keystone16:03
*** jsavak has quit IRC16:04
*** GB21 has joined #openstack-keystone16:04
catintheroofrodrigods, would help me a lot if you help me understand if the different user ID are right or should be the same16:05
*** jsavak has joined #openstack-keystone16:05
*** nisha_ has quit IRC16:06
rodrigodscatintheroof, the user id should be the same, maybe there is something wonky in your config... can't think of reason why they would be different16:06
*** haplo37_ has joined #openstack-keystone16:07
*** diazjf has joined #openstack-keystone16:07
rodrigodscatintheroof: maybe bknudson_, ayoung or henrynash can help you, since they have more knowledge of LDAP and domain specific backends16:07
*** pnavarro has quit IRC16:07
*** fangxu has joined #openstack-keystone16:08
catintheroofrodrigods, what i don't understand is ... if it gets calculated by keystone by the time it gets read on the LDAP, why is it wrong that every keystone is generating a different ID ?16:08
*** tqtran has quit IRC16:08
henrynashcatintheroof: hi...16:08
catintheroofhenrynash, hi !16:08
*** GB21 has quit IRC16:08
rodrigodsrderose, so display name is mapped to name when querying a user?16:08
henrynashcatintheroof: so this is a question about the userID generated by keystone for a user in LDAP?16:09
rodrigodshenrynash, yes!16:09
catintheroofhenrynash, exactly, and not only that, using the SAME LDAP backend on 3 different keystones that have the identity backend local and not replicated, the user ids are all different16:10
*** roxanaghe has joined #openstack-keystone16:10
henrynashcatintheroof: is the domain_id the same in each case?16:10
rderoserodrigods: it's mapped to the user, in the sense that it's part of the user model16:10
catintheroofhenrynash, rodrigods one thing to notice is that the user already exists on ldap, is not created by kesytone16:10
rderoseuser -> federated_user (1:many)16:11
rodrigodsrderose, right... so if I do a GET v3/users, how the federated users are displayed?16:11
henrynashcatintheroof: the algorithm is that the domain_id and local_id in the LDAP record are hashed together to create the userID keystone exports16:12
rderoserodrigods: yes, because of this: https://github.com/openstack/keystone/blob/master/keystone/identity/backends/sql_model.py#L5416:12
*** fangxu has quit IRC16:12
catintheroofhenrynash, what i thought .. .so if the domain name are the same across keystones, but ids are different i will never get the same user id16:12
catintheroofhenrynash, that's why i should replicate identity backend also, right ç?16:13
henrynashcatintheroof: it’s the domain_id not the domain name...16:13
catintheroofhenrynash, yeah, the domain id are all different across all three keystones16:13
rderoserodrigods: if username is null, show the federated displayname16:13
*** fangxu has joined #openstack-keystone16:13
rodrigodsrderose, right... so for someone querying keystone's API, doesn't matter if it is a federated_user displayname or a user name, correct?16:14
henrynashcatintheroof: and by design we did NOT want you to end up with the same user_id….since in the non-federated case, we do not support this16:14
*** phalmos has joined #openstack-keystone16:14
*** shewless has joined #openstack-keystone16:14
*** EinstCrazy has quit IRC16:15
*** roxanaghe has quit IRC16:15
catintheroofhenrynash, but if i replicate not only the ldap backend but also the identity (sql) backend across 3 keystones, that would work right, regarding having the same ids all across ?16:15
rderoserodrigods: true, but that wasn't the original intent for the displayname16:15
stevemarEmilienM: amoralej fyi: https://review.openstack.org/#/c/335577/16:15
patchbotstevemar: patch 335577 - osc-lib - Attempt to find resource by ID, without kwargs16:15
rderoserodrigods: displayname: Ron De Rose, username: rderose16:15
EmilienMstevemar: man you're too fast16:16
*** phalmos has quit IRC16:16
rderoserodrigods: I think this was something we were going to fix with account linking16:16
stevemarEmilienM: i should have had it done yesterday!16:16
henrynashcatintheroof: do you replicate the resource (sql) backend as well?16:16
amoralejgreat stevemar16:16
henrynashcatintheroof: if you did that, I think it would work16:16
*** code-R has joined #openstack-keystone16:16
henrynashcatintheroof: if that’s really what you want to do16:16
rodrigodsrderose, do you see the issue? because for someone who is consuming keystone's API, i don't care how it is stored internally16:17
EmilienMstevemar: it's already tomorrow in some timezones, so you're good16:17
rodrigodsi want to use the field "name" to query the user16:17
rodrigodsso if you show to me, name = "foo" and i query using it and nothing returns, it is an API inconsistency16:17
*** fangxu has quit IRC16:18
rodrigodsrderose, guess it is a bug not related to concrete role assignments16:18
rderoserodrigods: I do see the issue, but I think it's small16:18
rodrigodsrderose, i prefer to see it as a bad issue, but not related to concrete role assignments16:19
rderoserodrigods: And I'm concerned about treating the displayname as the username. Just think we should think this through some more.16:19
*** code-R_ has joined #openstack-keystone16:20
*** david-lyle has joined #openstack-keystone16:20
*** andreykurilin has quit IRC16:20
rderoserodrigods: agree.16:20
rodrigodsrderose, stevemar, breton ^ think the displayname <-> name is a bug not related to concrete role assignments16:20
*** roxanaghe has joined #openstack-keystone16:21
*** david-lyle has quit IRC16:21
*** phalmos has joined #openstack-keystone16:21
*** david-lyle has joined #openstack-keystone16:21
*** jaugustine has quit IRC16:21
*** ddieterly is now known as ddieterly[away]16:22
*** david-lyle has quit IRC16:22
*** browne has joined #openstack-keystone16:22
*** code-R has quit IRC16:23
shewlessdstanek or anyone else: I have SSO working but at some point down the road I lost my project mapping somehow.  In my keystone logs I see "[wsgi:error] [pid 8596:tid 140538404390656] Unable to retrieve project list"16:23
*** david-lyle has joined #openstack-keystone16:23
*** raildo is now known as raildo-afk16:23
shewlessThe log has a stacktrace which I will pastebin..16:23
*** dan_nguyen has quit IRC16:24
shewlessany help would be appreciated. I have a group created and a project created and my user has a role that is mapped to both16:24
*** gagehugo has joined #openstack-keystone16:25
shewlessHere is the error stacktrace: http://paste.ubuntu.com/18107929/16:25
*** david-lyle has quit IRC16:25
*** david-lyle has joined #openstack-keystone16:25
openstackgerritAlexander Makarov proposed openstack/keystone: Performance oriented unit test for HMT  https://review.openstack.org/33514416:25
openstackgerritAlexander Makarov proposed openstack/keystone: Closure table for HMT  https://review.openstack.org/28552116:25
stevemarrderose: breton i posed the question about renaming policy.json targets to some ops in #openstack-ops16:26
stevemarwaiting for a reply, i think it's OK16:26
stevemardolphm: notmorgan  ^16:26
*** raildo-afk is now known as raildo16:26
*** pushkaru has joined #openstack-keystone16:27
*** vgridnev_ has joined #openstack-keystone16:28
*** phalmos has quit IRC16:28
rodrigodsrderose, left a comment there16:29
rderoserodrigods: cool and thanks for your help on reviewing this patch16:30
rodrigodsnp :)16:31
catintheroofhenrynash, yeahp ! everything but the identity !16:31
*** dmk0202 has quit IRC16:31
*** itisha has joined #openstack-keystone16:31
*** browne has quit IRC16:33
*** jorge_munoz has quit IRC16:33
henrynashcatintheroof: so you are saying that the domain entities are being replicated…and yet the user_ids are still different?16:34
henrynashsecret2me16:34
henrynashoops16:34
raildohenrynash: not a secret anymore16:34
henrynash(ignore that)16:34
catintheroofhenrynash, no no ! im saying that IF i replicate everything (which i just tested) that user id are the same (and also projects !)16:35
henrynashcatintheroof: ok, right, that’s what I would expect16:35
*** pcaruana has quit IRC16:36
catintheroofhenrynash, thank you so much for the support !16:37
*** jaugustine has joined #openstack-keystone16:37
henrynashcatintheroof: np, you’re welcome16:38
*** rcernin has quit IRC16:45
shewlesshenrynash: if you have a minute have you ever seen this stack trace before: http://paste.ubuntu.com/18107929/16:45
henrynashshewless: looking16:45
*** ddieterly[away] is now known as ddieterly16:48
henrynashshewless: not exactly, this is from what …a request issued by an authenticated federated user, or from an attempt of a federated user to authenticate16:49
henrynash?16:49
*** jpena is now known as jpena|off16:50
shewlesshenrynash: so this is from my "connecting/logging" from horizon.  So I login as a federated user.. it allows me to login just fine but I'm not associated with any projects from what I can tell16:51
*** jaugustine has quit IRC16:51
henrynashshewless: federated user or “stored in keystone” user?16:51
shewlesshenrynash: federated user16:52
henrynashshewless: I’d check the mapping to ensure the project/groups or whatever exist16:53
shewlesshenrynash: yes I have the mapping hard coded to a local group. http://paste.ubuntu.com/18109826/. I verified that group is associated with the project I care about.16:55
*** fifieldt has quit IRC16:55
*** jacelc has joined #openstack-keystone16:55
*** jacelc is now known as ravelar15916:55
shewlesshenrynash: IE "openstack role assignment list --role user --group default_group" shows me that the group in the mapping is mapped to a project. and that project exists and is enabled16:56
henrynashshewless: hmm, curious16:57
*** timcline has quit IRC16:58
*** timcline has joined #openstack-keystone16:59
henrynashshewless: I’m not sure of the issue without further debug….I need to drop off, but will be back on later…maybe someone more experienced with federation and keystoneauth might be able to help while I am away?17:01
*** vgridnev_ has quit IRC17:01
shewlesshenrynash: don't know if it's related but I had to enable SSL on port 5000.. but I didn't do it on the keystone admin side17:01
*** krotscheck is now known as krotscheck_vaca17:01
*** krotscheck_vaca is now known as krot_vaca_jul1917:01
shewlesshenrynash: okay thanks anyways17:01
*** timcline has quit IRC17:03
*** pushkaru has quit IRC17:07
*** sdake_ has joined #openstack-keystone17:08
*** spandhe has joined #openstack-keystone17:08
*** mvk has quit IRC17:08
*** sdake has quit IRC17:10
*** ravelar159 has quit IRC17:11
*** diazjf has quit IRC17:11
*** rderose has quit IRC17:14
*** jsavak has quit IRC17:15
*** jsavak has joined #openstack-keystone17:15
*** dmk0202 has joined #openstack-keystone17:16
openstackgerritAlexander Makarov proposed openstack/keystone: Add failed auth attempts logic to meet PCI-DSS  https://review.openstack.org/32402917:18
dstanekshewless: still no luck, huh...17:21
*** fangxu has joined #openstack-keystone17:22
*** ddieterly is now known as ddieterly[away]17:25
*** timcline has joined #openstack-keystone17:28
shewlessdstanek: no.. I thought I was out of the woods. I'm sure this worked in the past..17:28
openstackgerritAlexander Makarov proposed openstack/keystone: Unified delegation model  https://review.openstack.org/20848817:29
openstackgerritAlexander Makarov proposed openstack/keystone: Unified delegation assignment driver  https://review.openstack.org/29131817:29
*** timcline_ has joined #openstack-keystone17:30
*** pushkaru has joined #openstack-keystone17:31
*** timcline has quit IRC17:32
*** timcline_ has quit IRC17:34
*** tqtran has joined #openstack-keystone17:36
*** gyee has joined #openstack-keystone17:37
*** ChanServ sets mode: +v gyee17:37
*** gyee has quit IRC17:37
*** julim has joined #openstack-keystone17:38
shewlessdstanek: I think it's because I had to add SSL to port 5000. I think there are some things (like in nova.conf) that have "http://" urls to keystone.. they likely need to be updated to https17:39
shewlessdstanek: though I'm not sure why I'm able to login but the projects don't load17:39
*** amoralej is now known as amoralej|off17:42
*** spzala has quit IRC17:43
*** spzala has joined #openstack-keystone17:43
*** tqtran has quit IRC17:43
*** rcernin has joined #openstack-keystone17:44
*** timcline has joined #openstack-keystone17:45
*** ayoung has quit IRC17:47
shewlessdstanek: I'm at a loss17:47
*** ayoung has joined #openstack-keystone17:47
*** ChanServ sets mode: +v ayoung17:47
*** spzala has quit IRC17:48
shewlessdstanek: I updated nova/neutron/heat/glance to use https for port 5000 (auth_uri) but that didn't change a thing17:48
shewlessdstanek: for whatever reason I get this wsgi:error Unable to retrieve project list17:48
dstanekshewless: you're able to get a token?17:48
shewlessdstanek: let me try that17:49
*** diazjf has joined #openstack-keystone17:49
*** spzala has joined #openstack-keystone17:50
*** chlong has quit IRC17:52
shewlessdstanek: How would I get a token? I can certainly login using horizon..17:52
shewlessdstanek: tried this and got a 401 error.. "curl -u my_user -X GET -L https://mycloud.foo.com:5000/v3/OS-FEDERATION/identity_providers/my_provider/protocols/saml2/auth"17:52
dstanekshewless: if you logged in then you should get a token. what action is causing the error?17:53
dstanekshewless: federation is not as easy as that :-(17:53
*** gyee has joined #openstack-keystone17:53
*** ChanServ sets mode: +v gyee17:53
*** browne has joined #openstack-keystone17:54
*** pece has quit IRC17:54
shewlessdstanek: I'm logged in.  But as I log in I can see that error logged to apache/keystone.17:55
*** sdake_ has quit IRC17:55
shewlessdstanek: once I login if I click the projects tab on the left I don't see any projects associated with my user name17:56
*** darosale has quit IRC17:56
dstanekshewless: and the group you are mapping to has roles on the projects?17:56
*** permalac has quit IRC17:57
shewlessdstanek: yes I believe so. if I check with "openstack role assignment list --role user --group default_group" right?17:58
ayoungwho is working on Rolling upgrades?  bknudson_ ?18:00
*** mvk has joined #openstack-keystone18:00
bknudson_I haven't been working on it.18:00
dstanekxek: mostly18:00
bknudson_yes, xek18:01
dstanekayoung: xek mostly18:01
ayoungxek, let me know when you want to talk rolling upgrades.  Just had fascinating discussion about it IRL18:01
ayoungdstanek, bknudson_ what do you think of the idea that we group our migrations into two types:  pre and post18:02
*** jaugustine has joined #openstack-keystone18:02
ayoungpre are "OK to run with Mitaka Code"  and post are "require Newton code to run"18:02
bknudson_makes sense, in a way.18:02
bknudson_oh... not sure how that would work?18:02
ayoungit's a little strange for people that want to follow master, but that should still be OK18:02
ayoungit just means that the DB migrations might come in out of order18:03
bknudson_we're going to follow master18:03
ayoungso we need to think about that too,18:03
ayoungif we make each migration idempotent, like Ansible tasks, we can rerun them multiple times18:03
ayoungwith no serious impact other than cycles18:03
ayoungmaybe Alembic is the way to go here18:04
dstanekwhy would you rerun them?18:04
ayoungdstanek, say we use Alchemy and have 2 groups, pre and post18:04
*** jsavak has quit IRC18:04
ayoungnow we come up with a new one that should go in pre18:04
ayoungbut someone following master has already run some of the "post" ones18:04
*** jsavak has joined #openstack-keystone18:05
ayoungwe want them to run it, too, to get the new behavior18:05
ayoungsay we have 2 sets of unrelated changes. One is for revocations, one is for domains18:05
bknudson_so what's been suggested in the past is having only additive changes in one group, and then have "cleanup" changes in another group.18:05
bknudson_maybe this is the idea of pre / post?18:05
ayoungdomains has Migrations D1 and D2  with D1 in pre, and D2 in post.  Revoke has R1 and R218:05
ayoungFeature for domains goes in first, so D1 goes into Pre, D2 goes into post18:06
dstanekayoung: i'd have to think about that. my short, short version is: pull an instance out and update the code, use that instance to run additive schema changes (will work with old and new code), update all the code everywhere, run migrations to add RI, not nulls, FKs, etc18:06
ayoungnow bknudson_ you want the Revoke feature,  So you need to run R1. We can't strictly order that with D218:06
henrynashayoung:  I am working on them18:07
ayoungdstanek, yeah..exactly that model18:07
ayounghenrynash, cool18:07
dstanekayoung: that's the model i'd like to discuss at mid-cycle18:07
ayoungdstanek, ++18:07
ayoungdstanek, so we need an intermediate state where it is safe to run M and N servers at the same time18:07
openstackgerritOpenStack Proposal Bot proposed openstack/oslo.policy: Updated from global requirements  https://review.openstack.org/33344518:08
henrynashayoung: ++18:08
ayoungdstanek, I was thinking a process like:  Migrate to Pre. Start bringing up N servers.  Bring down M servers. Migrate to Post18:08
henrynashayoung: I don’t know if we need the migrate to pre necessarily (upgrading the first server could do that), but conceptually I agree18:09
henrynashayoung: I am building the migrate to post as a WIP right now18:09
ayounghenrynash, right, it is not "necessary" right now, as we don18:09
ayoung't know what the migrations are going to be18:09
ayoungit might, and probably will be necessary18:09
henrynashayoung: agreed18:09
ayoungan example is "a new column with a reasonable default value"18:09
ayoungwe need that in place before running the N code18:10
ayoungbut the M code will quite happily run with the new, default column18:10
henrynashayoung: yes18:10
bknudson_ayoung: can you give an example of something that would happen in "migrate to post"?18:10
henrynashayoung: should have a WIP post phase in a few days or so18:10
ayoungthe post migration is "update the column to match the domain-specific-data-for-that -resource"18:10
ayoungbknudson_, only from experience, not current work18:11
dstanekayoung: i don't think you can bring up N servers until the first set of migrations runs18:11
ayoungwe had data migrations when going from v2 to v3 catalogs18:11
ayoungdstanek, correct18:11
ayoungdstanek, that is the "pre" migrations18:11
ayoungpre happens with M based servers only18:11
dstanekbknudson_: see my definition above18:11
henrynashbknudson_, ayoung: https://bugs.launchpad.net/keystone/+bug/159650018:11
openstackLaunchpad bug 1596500 in OpenStack Identity (keystone) "Passwords created_at attribute could remain unset during rolling upgrade" [Undecided,New] - Assigned to Henry Nash (henry-nash)18:11
dstanekbknudson_: FKs, not nulls, etc18:11
dstanekhenrynash: ++ exactly that18:12
bknudson_dstanek: so we'd run for a while without FKs, not NULLs, etc?  The post migration might fail.18:12
ayoungwe need to account for failure recovery18:13
ayoungI think we also need to be able to have the new code in "compat mode"18:13
henrynashbknudson_: the post phase would have to set the values required (i.e. in the case I mention setting it to now() ) is fine18:13
ayoungthat means it knows it is running along side M servers18:13
*** fangxu has quit IRC18:13
henrynash..set any rows added during the rolling migrate phase that got written via non-upgraded servers18:13
dstanekbknudson_: we would have to set proper defaults18:14
bknudson_I'm more worried about the FKs, since without the FK the referenced row might be removed.18:15
dstanekayoung: i think compat mode just adds complexity. they can run side by side for most changes18:15
dstanekbknudson_: yep, depending on what we are doing there would be a small amount of time where things could get out of sync18:16
*** julim has quit IRC18:16
henrynashbknudson_: agreed, it can’t (at least not easily) cope with all cases…without temporary scaffolding created by interim code…..18:16
ayoungdstanek, we define the superset of mechanisms, and only use them if required18:17
shewlessdstanek: maybe this is a bit of a red herring18:17
ayoungRoe...Herring... http://www.shakespeare-navigators.com/romeo/T24.html18:17
shewlessdstanek: I can actually login and create instances.. and my neighbour can too... I certainly get that error in the logs but maybe I don't care?18:17
bknudson_would it be OK for operations against the old servers to fail for a while?18:18
bknudson_or to disable updates to the old servers?18:18
shewlessdstanek: do you know if it is possible to get a token from the command line? I haven't been able to figure that out.. then I could list projects18:18
dstanekshewless: if you don't care then i don't care :-)  you should probably find out why you can't get a projects list though18:18
bknudson_I assume we'd be fine as long as we could issue / validate tokens.18:18
dstanekshewless: i think only from a python script.18:19
*** ddieterly[away] is now known as ddieterly18:19
dstanekbknudson_: i don't mind a read-only mode18:20
shewlessdstanek: well I do care because I assume it'll bite me in the ass later.. :P18:20
dstanekwe would still have to be careful about moving/renaming things that are necessary for tokens18:20
*** jorge_munoz has joined #openstack-keystone18:20
shewlessdstanek: is there a precanned python script I can use?18:20
dstanekshewless: does the group you are mapping to have roles on any projects?18:20
dstanekshewless: i gave you an example a week or two ago :-P.   I'll have to look for it in a bit18:21
shewlessdstanek: oh? hmm. maybe at the time I wasn't ready for it. I wish I could "grep" that eavesdrop log.18:21
shewlessdstanek: regarding roles: I think so but to be honest I don't know how to check18:21
bknudson_If it would make things a lot easier I think we should consider a no-updates mode.18:22
shewlessI was doing these 3 commands for every user: 1: "openstack group create Ego --domain my_domain" 2:"openstack project create Ego --domain my_domain" 3:"openstack role add user --group Ego --project Ego"18:22
*** tqtran has joined #openstack-keystone18:23
shewlessdstanek: is " openstack role add user " wrong?18:23
*** timcline has quit IRC18:26
*** timcline has joined #openstack-keystone18:27
shewlessdstanek: I think I have it right. For role "user" I have several "group and project" mappings18:27
shewlessdstanek: since I want each user in the end to come in on their own group and get their own project. This seems to be functioning.. it's just that blasted error18:27
dstanekshewless: are you getting that error in the keystone or horizon log?18:31
*** timcline has quit IRC18:31
*** jaugustine has quit IRC18:31
*** dmk0202 has quit IRC18:32
shewlessdstanek: it's in apache2 - I think it's keystone..18:34
shewlessdstanek: but not sure how to check18:34
openstackgerritAlexander Makarov proposed openstack/keystone: Unified delegation model  https://review.openstack.org/20848818:34
*** dmk0202 has joined #openstack-keystone18:34
openstackgerritAlexander Makarov proposed openstack/keystone: Unified delegation assignment driver  https://review.openstack.org/29131818:34
*** dmk0202 has quit IRC18:37
openstackgerritRoxana Gherle proposed openstack/keystone: Fix the username value in federated tokens  https://review.openstack.org/33561718:37
*** henrynash has quit IRC18:38
shewlessdstanek: maybe it's horizon18:40
dstanekwhich log is it in?18:40
shewlessdstanek: I checked the pid logged by the wsgi:error and the pid belongs to apache2 (user horizon)18:40
*** jsavak has quit IRC18:40
shewlessdstanek: /var/log/apache2/error.log18:40
*** dan_nguyen has joined #openstack-keystone18:41
openstackgerritDavid Stanek proposed openstack/keystone: Extracted common ldap setup and use in the filter tests  https://review.openstack.org/33406318:42
openstackgerritDavid Stanek proposed openstack/keystone: Reduce domain specific config setup duplication  https://review.openstack.org/33406218:42
*** ayoung has quit IRC18:44
*** ayoung has joined #openstack-keystone18:44
*** ChanServ sets mode: +v ayoung18:44
*** diazjf has quit IRC18:46
*** diazjf has joined #openstack-keystone18:46
openstackgerritDavid Stanek proposed openstack/keystone: Removes duplicate ldap test setup  https://review.openstack.org/33406418:47
*** julim has joined #openstack-keystone18:47
*** jacelc has joined #openstack-keystone18:47
*** jacelc is now known as ravelar15918:47
*** jaugustine has joined #openstack-keystone18:50
*** henrynash has joined #openstack-keystone18:54
*** ChanServ sets mode: +v henrynash18:54
*** sheel has quit IRC18:55
*** jaugustine has quit IRC18:56
openstackgerritDolph Mathews proposed openstack/keystone: Improve keystone.conf [DEFAULT] documentation  https://review.openstack.org/33466918:56
*** jaugustine has joined #openstack-keystone18:56
*** darosale has joined #openstack-keystone18:57
*** julim has quit IRC18:58
shewlessdstanek: FYI every time I click on pretty much anything in the horizon gui it logs the "Unable to retrieve project list"19:00
*** notmyname has quit IRC19:01
shewlessdstanek: weird?19:01
*** stevemar has quit IRC19:02
*** slberger has joined #openstack-keystone19:03
*** stevemar has joined #openstack-keystone19:03
openstackgerritDolph Mathews proposed openstack/keystone: Rename [DEFAULT] keystone.conf module to keystone.conf.default  https://review.openstack.org/33562819:03
*** notmyname has joined #openstack-keystone19:04
*** fangxu has joined #openstack-keystone19:09
*** timcline has joined #openstack-keystone19:10
dstanekshewless: what is happening in the keystone log when you see that?19:10
*** fangxu has quit IRC19:11
*** sdake has joined #openstack-keystone19:14
*** timcline has quit IRC19:14
*** spandhe has quit IRC19:15
*** aloga_ has quit IRC19:15
openstackgerritDolph Mathews proposed openstack/keystone: Improve keystone.conf [domain_config] documentation  https://review.openstack.org/33554519:16
shewlessdstanek: on login I see a warning:  Could not find domain: Federated19:16
*** mwheckmann has quit IRC19:16
shewlessdstanek but otherwise nothing (like when I click on stuff)19:16
shewlessdstanek: that could not find domain might be a problem?19:17
openstackgerritDolph Mathews proposed openstack/keystone: Improve keystone.conf [credential] documentation  https://review.openstack.org/33470219:18
openstackgerritDolph Mathews proposed openstack/keystone: Improve keystone.conf [endpoint_filter] documentation  https://review.openstack.org/33563619:20
openstackgerritDolph Mathews proposed openstack/keystone: Improve keystone.conf [endpoint_policy] documentation  https://review.openstack.org/33563819:20
*** roxanaghe has quit IRC19:23
dstanekshewless: possibly. what is your keystone log level set to?19:24
openstackgerritDolph Mathews proposed openstack/keystone: Improve keystone.conf [eventlet_server] documentation  https://review.openstack.org/33564219:25
openstackgerritSteve Martinelli proposed openstack/keystone: update a config option deprecation message  https://review.openstack.org/33564319:26
openstackgerritSteve Martinelli proposed openstack/keystone: update a config option deprecation message  https://review.openstack.org/33564319:27
stevemardolphm: https://review.openstack.org/#/c/335643/19:28
patchbotstevemar: patch 335643 - keystone - update a config option deprecation message19:28
dolphmstevemar: awesome19:28
*** mwheckmann has joined #openstack-keystone19:30
stevemarlbragstad: can you review https://review.openstack.org/#/c/332493/19:32
patchbotstevemar: patch 332493 - keystone - Correct use of isotime19:32
*** jsavak has joined #openstack-keystone19:34
*** pushkaru has quit IRC19:35
*** henrynash has quit IRC19:35
*** catintheroof has quit IRC19:43
*** henrynash has joined #openstack-keystone19:47
*** ChanServ sets mode: +v henrynash19:47
openstackgerritDavid Stanek proposed openstack/keystone: Remove test_backend_ldap skips for missing tests  https://review.openstack.org/33551419:48
openstackgerritDavid Stanek proposed openstack/keystone: Adds a skip method to identify useless skips  https://review.openstack.org/33551519:48
openstackgerritDavid Stanek proposed openstack/keystone: Use skip_test_overrides in test_backend_ldap  https://review.openstack.org/33551619:48
openstackgerritDavid Stanek proposed openstack/keystone: Updated tests that claimed to be blocked by bugs  https://review.openstack.org/33551719:48
openstackgerritDavid Stanek proposed openstack/keystone: Update the nosetests test regex for legacy tests  https://review.openstack.org/33564919:48
notmorgandstanek: woo.19:50
*** ddieterly is now known as ddieterly[away]19:56
*** henrynash has quit IRC19:56
*** Guest20454 is now known as mgagne19:58
*** mgagne has joined #openstack-keystone19:58
dstaneknotmorgan: ?19:58
openstackgerritwerner mendizabal proposed openstack/keystone: Support encryption of credentials in Keystone  https://review.openstack.org/31716919:59
*** ChanServ sets mode: +o stevemar20:04
*** timcline has joined #openstack-keystone20:04
*** diazjf has quit IRC20:05
*** timcline has quit IRC20:09
*** aloga_ has joined #openstack-keystone20:09
*** pnavarro has joined #openstack-keystone20:12
*** aloga_ has quit IRC20:13
dstaneknonameentername: you around?20:16
dstanekdolphm: i find the encrypted credentials implementation a little strange and wanted to get your take on it20:17
dolphmdstanek: how so?20:18
dolphm(it's been a several weeks since i've reviewed it, but i believe i +2'd it at some point)20:19
*** julim has joined #openstack-keystone20:19
*** ddieterly[away] is now known as ddieterly20:19
dstanekdolphm: the keys in config file seems strange20:20
dstanekdolphm: to rotate keys you have to orchestrate two different config file changes plus a migration20:21
dolphmdstanek: that's correct - but i don't expect the rotation strategy to look anything like what we'd recommend for fernet tokens either20:23
openstackgerritMerged openstack/oslo.policy: Updated from global requirements  https://review.openstack.org/33344520:23
dolphmdstanek: IF you ever need to rotate tokens, yeah, it's not a super graceful process20:23
dolphmdstanek: but the major difference is that ciphertext is NEVER exposed directly to clients20:23
dolphmdstanek: they're just used to encrypt things at rest in the backend20:23
dolphm#iamnotacryptoexpert20:24
*** stevemar_ has joined #openstack-keystone20:24
*** ChanServ sets mode: +o stevemar_20:24
dolphmrotate *keys*, sorry20:24
dstanekit seems like one of those things that will bite operators because of the fact that you do it infrequently. when you need to it's likely a compromise situation and you have to figure out how the whole thing works again20:26
openstackgerritDolph Mathews proposed openstack/keystone: Improve keystone.conf [federation] documentation  https://review.openstack.org/33566120:26
dstanekdolphm: also doesn't PCI dictate having to change these types of secrets too?20:26
dolphmdstanek: agree, and good question20:26
dolphmdstanek: i'm not sure, but i'd have to imagine yes :-/20:27
dolphmdstanek: maybe pick this up in our code review time tomorrow?20:28
dstanekdolphm: sounds good to me20:28
*** roxanaghe has joined #openstack-keystone20:28
dolphmdstanek: i'm not sure werner has attended one20:28
notmorgandstanek: seeing the proposed patches20:29
dstaneknotmorgan: ah, i unwound what used to be test_backend_ldap...you're welcome20:30
*** aloga_ has joined #openstack-keystone20:31
notmorgan:)20:34
*** timcline has joined #openstack-keystone20:35
*** timcline has quit IRC20:35
openstackgerritwerner mendizabal proposed openstack/keystone: Support encryption of credentials in Keystone  https://review.openstack.org/31716920:35
*** timcline has joined #openstack-keystone20:36
*** tonytan4ever has quit IRC20:40
notmorgandolphm: so.. yes PCI requires those secrets to be changed/rotated in some ways20:42
notmorganbut it's not as common20:42
notmorganthe "at rest" part is tricky because the keys themselves need to be securely stored...20:42
notmorganas well -- ugh, yay NSS!20:43
notmorganayoung: ^ ;)20:43
notmorganwhen you're retrofitting crypto into a current system you end up with weird compromises. :(20:43
dstaneknotmorgan: yeah, we used to have a thing called the 'keymaster' and instances would negotiate for keys and only store them in RAM disk20:44
notmorgandstanek: right. ideally you need to isolate the keys from the main keystone config. thankfully we can load multiple config files.20:44
notmorgandstanek: also, what happens when you encrypt the data and the keys fail to load? keystone needs to validate the key is "good" somehow? or potentially it is writing bad/corrupted data/unreadable data20:45
notmorgandstanek: so do we need a canary entry?20:45
dstaneknotmorgan: i'm hoping the fernet library craps itself if you try to encrypt with a bad key20:45
notmorganalso, concerns about what crypto we support out of the box, since bad crypto is easy to do.20:45
notmorgandstanek: i mean the credentials backend20:46
notmorgannot fernet - fernet is fine imho20:46
dstaneknotmorgan: the patch uses fernet as the default provider for the credentials backend20:46
nonameenternamedstanek: did you have a question?20:46
notmorgannonameentername: ^ just some thoughts20:46
notmorgannonameentername: not that the credential crypto spec is bad, just things to consider when working on it :)20:47
dstaneknonameentername: yeah ^. dolphm and i were talking about discussing it more tomorrow20:47
dstaneknotmorgan: this goes back to the whole 'let barbican do it' argument20:48
notmorgani wish PKI was faster/less painful.20:48
notmorgandstanek: our credential backend has been historically terrible20:48
notmorgandstanek: however, barbican has weird issues/limits that make it hard to fit into the model we have built20:48
nonameenternameyeah, I think moving forward credentials should not be stored in keystone20:49
nonameenternamebut meanwhile they are we should not store them in plain text20:49
dstaneknotmorgan: agreed, but something we may need to figure out20:49
notmorganbasically they need to support a "service" owner vs a "tenant" owner like they do now, unless we just 100% bail on keystone acting as a proxy here [100% fine with that, but we have some things that need to know how to get the things from barbican]20:49
nonameenternameI think keystone should not have them at all since that's what Barbican is designed to do20:50
notmorgannonameentername: right - now we just need to deal with "how does one lookup the relevant secret from barbican in keystone's context"20:51
notmorgansince keystone doesn't have the authz from the user yet20:51
nonameenternameyeah, keystone would have to get credentials from Barbican somehow20:52
notmorganand barbican stores things by tenant iirc20:52
notmorganwhich gives us some weird things to work out.20:52
dstanekcould you have a keystone_service tenant that owns all the secrets (i have no idea what barbican's data model looks like)20:53
nonameenternameI don't know, I would have to look at Barbican to understand how it works20:54
*** dmk0202 has joined #openstack-keystone20:54
woodster_dstanek: nonameentername redrobot Barbican does store secrets via tenant/project ID20:55
*** aloga_ has quit IRC20:56
* woodster_ so you could have a service tenant if you wanted20:56
* woodster_ apologizes for missing context potentially20:56
*** haplo37_ has quit IRC20:59
*** raildo is now known as raildo-afk21:03
dstanekwoodster_: nope, that's what i was asking :-)21:08
dstanekwoodster_: we have credentials stored in keystone on behalf of the user and keystone must access them without the user authenticating21:08
woodster_dstanek: did the user put the keys there, or did keystone?21:10
*** jsavak has quit IRC21:11
stevemar_bknudson_: so it seems like patch 332493 is good?21:12
patchbotstevemar_: https://review.openstack.org/#/c/332493/ - keystone - Correct use of isotime21:12
stevemar_bknudson_: based on your results21:12
dstanekwoodster_: in the case of TOTP the user will. they tell keystone a secret for the TOTP auth so they must be authenticated and the secret must be associated with them somehow. when the user auths with TOTP they won't be authed yet and keystone will need to pull that secret as part of the algorithm for validating the one time codes21:12
*** jaugustine has quit IRC21:12
bknudson_stevemar_: maybe? I don't know if fernet wants to have .000000Z rather than 703495Z ?21:13
stevemar_dolphm: lbragstad ^21:14
bknudson_but it should work the way it is.21:14
stevemar_bknudson_: you're supposed to know everything21:14
bknudson_not sure if we want to actually change the v2 behavior.21:14
bknudson_I think it's more correct with the change since it matches the spec21:15
bknudson_but there's also the argument that it's been working the old way for a long time so better not to change it.21:16
*** dan_nguyen has quit IRC21:16
woodster_dstanek: oh I see. Yeah it seems Keystone would need to store their secret under keystone's service tenant. Keystone could add the user's ID to the secret if the user needs to be able to access that secret later.21:17
*** fangxu has joined #openstack-keystone21:17
bknudson_I'm leaning towards don't change it.21:18
* woodster_ reminds me of impersonation/trusts discussions of long ago21:19
*** ayoung has quit IRC21:20
openstackgerritMerged openstack/keystone: Improve keystone.conf [DEFAULT] documentation  https://review.openstack.org/33466921:21
openstackgerritDolph Mathews proposed openstack/keystone: Improve keystone.conf [identity] documentation  https://review.openstack.org/33567321:25
*** dan_nguyen has joined #openstack-keystone21:26
*** gagehugo has quit IRC21:26
*** dan_nguyen has quit IRC21:32
*** ravelar159 has quit IRC21:33
*** pauloewerton has quit IRC21:36
*** spandhe has joined #openstack-keystone21:43
*** tqtran has quit IRC21:45
*** tqtran has joined #openstack-keystone21:46
*** ddieterly is now known as ddieterly[away]21:47
openstackgerritMerged openstack/keystone: Rename [DEFAULT] keystone.conf module to keystone.conf.default  https://review.openstack.org/33562821:48
openstackgerritMerged openstack/keystone: update a config option deprecation message  https://review.openstack.org/33564321:48
*** gordc has quit IRC21:49
openstackgerritDolph Mathews proposed openstack/keystone: Improve keystone.conf [identity_mapping] documentation  https://review.openstack.org/33568121:52
*** rcernin has quit IRC21:54
*** spzala has quit IRC21:55
*** spzala has joined #openstack-keystone21:55
*** spzala has quit IRC22:00
*** pnavarro has quit IRC22:02
*** dmk0202 has quit IRC22:08
*** itisha has quit IRC22:10
*** rderose has joined #openstack-keystone22:10
notmorganbknudson_: shouldn't want .000000z22:13
notmorganideally we should drop microseconds across the board not just floor them22:13
notmorganbknudson_: aiui the format fernet uses is sans decimal.22:14
*** spzala has joined #openstack-keystone22:14
notmorganbknudson_: i would *like* to see us drop subseconds everywhere, period.22:15
bknudson_notmorgan: the identity API spec specifies the format has microseconds.22:15
*** ddieterly[away] is now known as ddieterly22:15
notmorganbknudson_: then we need to fix that.22:15
bknudson_v4 here we come.22:15
notmorganbknudson_: legitimately, we should NEVER have included microseconds, it was a bad choice to get "unique" data in the tokens22:16
notmorganand a poor one22:16
notmorganwe need to unwind that so everything works like it should.22:16
*** ametts has quit IRC22:16
notmorganand no, not V4, SPLIT AUTH OFF CRUD22:16
notmorganand then work on auth as it's own thing22:17
notmorganbecause this whole AUTH must be the same version as the CRUD interface is absurd22:17
bknudson_ok. somebody needs to work on the code22:17
*** chlong has joined #openstack-keystone22:17
notmorganit's on my long long list, but i am limited by keystone not being my job.22:17
notmorganactually it is towards the top of my list for keystone things.22:18
notmorgani just need to sit down one afternoon and do it.22:19
notmorganit's not crazy difficult code.22:19
bknudson_first you'll need to refactor the auth provider interface.22:19
notmorgannot a lot.22:19
bknudson_figure out how to handle the service catalog22:19
notmorganbasically my thoughts are /auth and ... /catalog?22:20
notmorganand then wire everything up to be hooked into the new code location -- the new code location will allow specification of an auth-version22:21
bknudson_microversioning?22:21
notmorganwhich if not supplied is <base whatever> -- just like microversions but separate22:21
notmorganyeah22:21
notmorganbasically auth itself is not an OpenStack-Version XXX thing22:21
notmorganbut i would add version into the auth-request body22:21
bknudson_what about validation?22:22
notmorgansame thing. specify the version you want when validating.22:22
notmorganwe will format it for you22:22
bknudson_right, but not in the body22:22
notmorganbut i don't want it to be tied to the explicit API microversion supported22:22
notmorgansince you may want CRUD interface 23, but auth-format v322:23
notmorgansince api-microversions are the entire API surface22:23
bknudson_so we'd have microversion on the v2.0 api ?22:23
notmorganV2.0 would remain as it is and be unsupported in new auth formatting22:23
bknudson_the first microversion should be remove v2 API22:24
notmorganV3 and formats extending beyond V3 will be supported under /auth22:24
bknudson_it would just be nice if everybody didn't use v2 all the time.22:25
notmorganso maybe we make it OpenStack-Auth-Format? or OpenStack-Auth-Version22:25
notmorganthe idea is that auth should work with any form of the CRUD api.22:25
notmorganso make the formats we return better.22:25
notmorganand allow iterating on it without needing to version the entire API22:26
notmorganand KSM can learn the new formats since it's opaque to the underlying services.22:26
notmorgan[it also lets us explore things like OAuth2 if we really wanted to as a "format"]22:27
bknudson_auth-token middleware? It just uses the auth plugins22:27
notmorganright, but it "knows" the format of the response22:27
notmorganif we fix/optimize/solve issues with the format22:27
notmorganwe can make KSM learn it.22:27
notmorganolder KSMs will just consume what they do today22:27
notmorgannewer will be smarter.22:27
bknudson_would be nice to drop support for v2 in auth-token middleware22:27
*** ayoung has joined #openstack-keystone22:27
*** ChanServ sets mode: +v ayoung22:27
notmorganyes.22:27
notmorgani agree22:28
*** chrisshattuck has quit IRC22:28
notmorgani think we legitimately are close to being able to do so22:28
notmorganfwiw22:28
bknudson_why couldn't we?22:28
*** chrisshattuck has joined #openstack-keystone22:28
notmorgani think we need to just ensure it works in a gate job as expected.22:28
notmorgani think the blocker is nova->neutron fwiw.22:28
*** mwheckmann has quit IRC22:29
*** darosale has quit IRC22:29
bknudson_I meant auth-token middleware talking to keystone v222:29
notmorganbut a gate job would solve it. [also 100% of the v3 conversion headache has been the tight coupling of auth to crud versions]22:29
notmorganbknudson_: so like i said, a gate job, make sure we don't have someone still leaning on the bad config options in ksm outside of the ksm block22:30
bknudson_there probably is something out there setting the auth_token version to v2.022:30
notmorganyeah.22:30
notmorgani think the v3-only gate thing really is going to be when we can do that22:31
notmorganunfortunately22:31
openstackgerritMerged openstack/keystonemiddleware: Refactor API tests to not run middleware  https://review.openstack.org/33429422:35
*** stevemar_ has quit IRC22:38
*** sdake_ has joined #openstack-keystone22:42
stevemarbknudson_: did you book a hotel for barcelona yet?22:44
*** sdake has quit IRC22:45
*** edmondsw has quit IRC22:46
*** ddieterly is now known as ddieterly[away]22:47
*** ddieterly[away] has quit IRC22:47
*** sdake_ has quit IRC22:49
*** KevinE has quit IRC22:51
*** code-R_ has quit IRC22:52
bknudson_stevemar: I don't think so.22:56
bknudson_stevemar: oh, actually, I did22:57
bknudson_Holiday Inn Express BARCELONA - CITY 22@22:57
*** setuid has quit IRC22:58
*** dan_nguyen has joined #openstack-keystone22:58
*** setuid has joined #openstack-keystone23:01
*** setuid has joined #openstack-keystone23:01
*** sdake has joined #openstack-keystone23:01
*** sdake has quit IRC23:04
*** chrisshattuck has quit IRC23:06
*** jamielennox is now known as jamielennox|away23:13
openstackgerritRoxana Gherle proposed openstack/keystone: Fix the username value in federated tokens  https://review.openstack.org/33561723:17
*** slberger has left #openstack-keystone23:19
*** roxanaghe has quit IRC23:22
openstackgerritEric Brown proposed openstack/keystone: Exclude releasenotes from pep8  https://review.openstack.org/33571023:22
openstackgerritMerged openstack/keystone: Concrete role assignments for federated users  https://review.openstack.org/28494323:24
stevemarbknudson_: 2km away23:24
stevemaroof23:24
*** dan_nguyen has quit IRC23:25
*** code-R has joined #openstack-keystone23:28
*** iurygregory_ has joined #openstack-keystone23:35
*** jamielennox|away is now known as jamielennox23:51
jamielennoxbknudson_: you have oslo.context core!23:53
jamielennoxexcellent, now i know who to come to23:53

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!