Tuesday, 2017-01-10

*** edmondsw has quit IRC00:02
dstanekdolphm: ++ not in a project about security00:08
openstackgerritJohn Dennis proposed openstack/keystone: Fix keystone-manage mapping_engine tester  https://review.openstack.org/41816500:10
*** agrebennikov has quit IRC00:15
*** oomichi has quit IRC00:17
*** catintheroof has joined #openstack-keystone00:18
*** oomichi has joined #openstack-keystone00:19
*** catintheroof has quit IRC00:23
*** catintheroof has joined #openstack-keystone00:25
*** jaugustine_ has quit IRC00:27
openstackgerritMorgan Fainberg proposed openstack/keystone: Add user_mfa_rules table  https://review.openstack.org/41816600:28
*** jaugustine has quit IRC00:28
morganstevemar: ^ here we go, about to start on the code surrounding the rules themselves. APIs will be the last bit(s)00:29
morganadriant: ^00:29
*** richm has quit IRC00:32
*** catinthe_ has joined #openstack-keystone00:32
*** richm has joined #openstack-keystone00:32
*** guoshan has joined #openstack-keystone00:34
*** catintheroof has quit IRC00:34
morganmordred: did you ever get around to the example with the ksa fixture? if not i can brew up some local tests easily, but a concrete example is going to take be a good bit longer00:37
morganbecause i would like https://review.openstack.org/#/c/362473/ to land.00:37
*** jmccrory has quit IRC00:37
*** jmccrory_ has joined #openstack-keystone00:37
*** rm_work has quit IRC00:38
*** rm_work has joined #openstack-keystone00:38
*** guoshan has quit IRC00:38
mordredmorgan: nope. because I suck00:38
*** jmccrory_ is now known as jmccrory00:39
morgani also worry about landing it before we have a real concrete test of them.00:39
adriantmorgan: fantastic, will take a look at it tomorrow00:39
morganadriant: tomorrow i'll have more code for it00:40
morganadriant: some of the actual work around authentication. i can't work too late tonight, have to swing by the airport to pick someone up.00:41
adriantmorgan: I'm not in the mindset for Keystone code anyway, so looking at it tomorrow sounds better :)00:42
morgangood stuff00:43
openstackgerritEric Brown proposed openstack/keystone: Bump API version and date  https://review.openstack.org/41816700:53
*** thorst has joined #openstack-keystone01:01
*** spzala has quit IRC01:01
*** oomichi has quit IRC01:07
*** liujiong has joined #openstack-keystone01:08
*** oomichi has joined #openstack-keystone01:08
*** thorst has quit IRC01:17
*** thorst has joined #openstack-keystone01:20
*** hoangcx has joined #openstack-keystone01:21
*** hoangcx_ has joined #openstack-keystone01:23
*** gyee has quit IRC01:24
*** david-lyle has joined #openstack-keystone01:31
*** thorst has quit IRC01:32
*** david-lyle has quit IRC01:37
openstackgerritEric Brown proposed openstack/keystone: Invalid parameter name on interface  https://review.openstack.org/39987001:40
stewie925hello guys01:45
stewie925I have installed keystone service in openstack controller node, but when I tried to create the keystone service I am getting the following error:01:48
stewie925Unable to establish connection to http://controller:35357/v2.0/OS-KSADM/services01:48
*** markvoelker has quit IRC01:48
*** guoshan has joined #openstack-keystone01:49
*** esp has quit IRC01:49
*** catinthe_ has quit IRC01:52
*** richm has quit IRC01:52
*** adrian_otto has quit IRC01:56
stevemardstanek: dolphm i would agree with not adding untested code in a security project, duh. but as the code stands right now we write *everything* when in debug mode. the only issue here is do we write application/json and application/text responses to debug, or just application/json02:00
stevemardstanek: dolphm i would like to release new versions of the library tomorrow, so how about i patch master to remove application/text? would that be better?02:01
stevemardstanek: dolphm unless samueldmq convinces you otherwise :)02:02
*** hoangcx has quit IRC02:08
*** hoangcx_ has quit IRC02:08
*** browne has quit IRC02:25
morganstevemar: only application/json imo02:31
morgancc dolphm dstanek ^02:32
mordredjamielennox (or morgan I guess :) ) - endpoint_type vs. interface ... which one is "correct" and which one is legacy?02:59
*** chris_hultin is now known as chris_hultin|AWA03:00
jamielennoxmordred: use interface=03:01
jamielennoxbut some of the clients butcher it03:01
jamielennoxif you have the choice call it interface03:01
mordredjamielennox: cool.03:01
mordredjamielennox: I currently have:03:02
mordred            if service_key in ('image', 'key-manager', 'identity'):03:02
mordred                interface_key = 'interface'03:02
mordred            else:03:02
mordred                interface_key = 'endpoint_type'03:02
mordredso I think it's time to make a pass through the clients to see which ones I can use interface with now03:02
*** tqtran has quit IRC03:02
mordredand maybe swap the logic so that I'm listing ones we have to use endpoint_type for03:02
*** stewie925 has quit IRC03:02
jamielennoxmordred: want to do it as a big bug and associate the ones that do't?03:03
mordredjamielennox: ooh. that's a great idea03:03
morganmordred: what jamielennox said.03:04
*** stewie925 has joined #openstack-keystone03:05
*** woodster_ has quit IRC03:05
mordred# Backwards compat for people assing in endpoint_type03:06
mordredthat's the best comment ever03:06
stevemarjvarlamova: apologizing in advanced, i referred to you as julya in a comment, my mistake :)03:06
*** stewie925 has quit IRC03:06
*** adrian_otto has joined #openstack-keystone03:09
*** adrian_otto has quit IRC03:16
morganmordred: lol03:18
*** adrian_otto has joined #openstack-keystone03:18
mordredjamielennox: remote:   https://review.openstack.org/418192 Swap the order of interface and endpoint_type03:19
mordredjamielennox: I'll get the bug written up - but I'm landing now03:19
*** esp has joined #openstack-keystone03:20
stevemarjamielennox: did you have an opinion on the whole application/json vs application/text of https://review.openstack.org/#/q/I93b6fff73368c4f58bdebf8566c4948b50980cee,n,z03:22
jamielennoxstevemar: hmm, that's not right is it, text is text/plain?03:23
jamielennoxi never remember03:23
jamielennoxi don't know who/what uses application/text03:23
jamielennoxi think it was just something samueldmq and i were talking about and i never checked03:23
stevemarokay, i can fix it in master03:24
jamielennoxstevemar: it'd be interesting to know what we should actually print03:24
jamielennoxi'm also ok with dropping it right back to json and seeing who complains and adding things back as required03:24
stevemarlets start with application/json and peel the onion from there03:24
stevemarjamielennox: do you have time to do it? i'm heads down in some TC business03:25
jamielennoxstevemar: yea, ok, that shouldn't take long03:25
stevemari also don't want to fix 4 patches sigh03:25
stevemar2 on master, 2 in stable/newton and 2 in stable/mitaka03:25
stevemari guess we can just chain propose those03:25
jamielennoxergh, hits me with that after i agree03:27
stevemarjamielennox: fix it in ksa/ksc and i'll get the stables going03:28
*** adrian_otto has quit IRC03:29
*** adrian_otto has joined #openstack-keystone03:30
*** udesale has joined #openstack-keystone03:30
*** edmondsw has joined #openstack-keystone03:34
*** edmondsw has quit IRC03:38
*** esp has quit IRC03:47
openstackgerritJamie Lennox proposed openstack/keystoneauth: Only log application/json in session to start  https://review.openstack.org/41819403:47
jamielennoxstevemar: ^03:47
*** markvoelker has joined #openstack-keystone03:48
*** nicolasbock has quit IRC03:53
*** links has joined #openstack-keystone03:54
*** dave-mccowan has quit IRC03:55
*** tqtran has joined #openstack-keystone04:01
stevemarjamielennox: thanks, lgtm, pretty simple patch04:02
stevemari just realized i proposed backports without making you create a release note :O04:02
stevemari suppose we can omit it, just this one time...04:02
*** tqtran has quit IRC04:03
*** guoshan has quit IRC04:05
jamielennoxwasn't there a release note from the original?04:05
stevemarjamielennox: yes, the original said applicaiton/text though :)04:08
openstackgerritJamie Lennox proposed openstack/keystoneauth: Only log application/json in session to start  https://review.openstack.org/41819404:11
jamielennoxstevemar: update reno04:11
*** links has quit IRC04:21
*** links has joined #openstack-keystone04:22
stevemarjamielennox: i probably won't bother to update the backports with the updated reno :P04:23
jamielennoxoh, i didn't realize you'd done the others already04:24
*** cburgess has quit IRC04:25
*** cburgess has joined #openstack-keystone04:25
*** adrian_otto1 has joined #openstack-keystone04:35
*** diazjf has joined #openstack-keystone04:37
*** adrian_otto has quit IRC04:37
openstackgerritEric Brown proposed openstack/keystone: Invalid parameter name on interface  https://review.openstack.org/39987004:41
*** dikonoor has joined #openstack-keystone04:43
*** dikonoor has quit IRC04:48
*** adrian_otto1 has quit IRC05:00
*** adrian_otto has joined #openstack-keystone05:02
*** itisha has quit IRC05:02
*** markvoelker_ has joined #openstack-keystone05:12
*** adrian_otto has quit IRC05:12
*** markvoelker has quit IRC05:15
*** markvoelker has joined #openstack-keystone05:17
*** adriant has quit IRC05:20
*** markvoelker_ has quit IRC05:20
*** guoshan has joined #openstack-keystone05:21
*** diazjf has quit IRC05:21
*** guoshan has quit IRC05:27
*** AlexeyAbashkin has joined #openstack-keystone05:27
openstackgerritMerged openstack/keystone: [api-ref] Clean up OS-EP-FILTER association docs  https://review.openstack.org/41753305:37
*** portdirect has joined #openstack-keystone05:41
openstackgerritSteve Martinelli proposed openstack/keystoneauth: Only log application/json in session to start  https://review.openstack.org/41819405:45
*** guoshan has joined #openstack-keystone06:03
*** zzzeek has quit IRC06:06
*** zzzeek has joined #openstack-keystone06:10
openstackgerritMerged openstack/keystone: listing revoke events should be admin only  https://review.openstack.org/41684106:12
*** AlexeyAbashkin has quit IRC06:24
*** pcaruana has quit IRC06:26
openstackgerritEric Brown proposed openstack/keystone: Invalid parameter name on interface  https://review.openstack.org/39987006:29
*** dikonoor has joined #openstack-keystone06:44
*** udesale has quit IRC07:01
*** AlexeyAbashkin has joined #openstack-keystone07:09
*** tesseract has joined #openstack-keystone07:13
*** rcernin has joined #openstack-keystone07:17
openstackgerritJulia Varlamova proposed openstack/keystone: Change DevStack plugin to setup multi-Keystone  https://review.openstack.org/39947207:33
*** aloga has quit IRC07:42
*** aloga has joined #openstack-keystone07:42
*** voelzmo has joined #openstack-keystone07:43
*** hoonetorg has quit IRC07:48
*** brad[] has quit IRC07:50
*** voelzmo has quit IRC07:50
*** brad[] has joined #openstack-keystone07:50
*** voelzmo has joined #openstack-keystone08:01
*** pcaruana has joined #openstack-keystone08:09
*** namnh has joined #openstack-keystone08:27
*** xek has joined #openstack-keystone08:27
*** nishaYadav has joined #openstack-keystone08:45
*** rcernin has quit IRC08:54
*** tesseract has quit IRC08:54
*** pcaruana has quit IRC08:55
*** zzzeek has quit IRC09:00
*** zzzeek has joined #openstack-keystone09:02
*** tqtran has joined #openstack-keystone09:05
*** tqtran has quit IRC09:06
*** tesseract has joined #openstack-keystone09:07
*** rcernin has joined #openstack-keystone09:08
*** pcaruana has joined #openstack-keystone09:08
*** nishaYadav has quit IRC09:15
*** mvk has quit IRC09:34
*** rcernin has quit IRC09:34
*** dobson has quit IRC09:35
*** pcaruana has quit IRC09:35
*** tesseract has quit IRC09:35
*** dobson has joined #openstack-keystone09:36
*** rderose has quit IRC09:37
*** rdopiera has quit IRC09:37
*** Alex_Oughton has quit IRC09:37
*** masber has quit IRC09:37
*** bapalm has quit IRC09:37
*** david_cu has quit IRC09:37
*** rybridges2 has quit IRC09:37
*** stevemar has quit IRC09:37
*** freerunner has quit IRC09:37
*** rakhmerov has quit IRC09:37
*** sigmavirus has quit IRC09:37
*** andreykurilin has quit IRC09:37
*** clayg has quit IRC09:37
*** rakhmerov has joined #openstack-keystone09:37
*** andreykurilin has joined #openstack-keystone09:37
*** AlexOughton has joined #openstack-keystone09:37
*** stevemar has joined #openstack-keystone09:37
*** clayg has joined #openstack-keystone09:37
*** rybridges2 has joined #openstack-keystone09:37
*** rdopiera has joined #openstack-keystone09:37
*** freerunner has joined #openstack-keystone09:37
*** masber has joined #openstack-keystone09:37
*** bapalm has joined #openstack-keystone09:38
*** rderose has joined #openstack-keystone09:38
*** asettle has joined #openstack-keystone09:38
*** hogepodge has quit IRC09:38
*** christophler has quit IRC09:38
*** jefrite has quit IRC09:38
*** christophler has joined #openstack-keystone09:38
*** hogepodge has joined #openstack-keystone09:39
*** openstack has joined #openstack-keystone14:26
*** jascott1 has joined #openstack-keystone14:27
*** jlopezgu has joined #openstack-keystone14:30
*** markvoelker has quit IRC14:34
*** jperry has joined #openstack-keystone14:35
lbragstadsamueldmq i have a bunch of stuff locally that I didn't get a chance to push yesterday14:39
openstackgerritSteve Martinelli proposed openstack/keystoneauth: Add a full listing of all auth plugins and there options  https://review.openstack.org/41834714:40
lbragstadsamueldmq how does https://review.openstack.org/#/c/410949 not comply with the spec?14:40
samueldmqlbragstad: spec should be https://review.openstack.org/418410 to comply with what you implemented14:41
samueldmqlbragstad: the projects is immediatly inside local in the spec, while in the impl it's inside a match (which in turn is immediatly inside local)14:42
lbragstadhmm - i see14:42
lbragstadcc dstanek ^14:42
*** lamt has joined #openstack-keystone14:43
*** adrian_otto has joined #openstack-keystone14:44
*** nishaYadav has joined #openstack-keystone14:45
*** nishaYadav is now known as Guest3357314:45
dstaneksamueldmq: lbragstad: lol, i just reviewed that14:46
samueldmqdstanek: yeah, responded :)14:46
*** markvoelker has joined #openstack-keystone14:48
lbragstadsamueldmq dstanek give me about 15 minutes to wrap something up quick and I should be free to work through some of those things14:49
samueldmqlbragstad: sure, take your time14:49
dstaneksamueldmq: in the spec the 'project' and 'user' are at the same level. are you saying that we didn't implement it that way?14:50
samueldmqdstanek: yes14:51
samueldmqdstanek: in the spec they are not inside the same {}14:51
samueldmqdstanek: and in your impl it is. that's my patch to make the spec compliant (if that's correct to say), because I think it makes more sense as you've implemented14:51
dstaneksamueldmq: that actually doesn't matter. i believe that in the code all local dicts are effectively combined14:52
samueldmqis different than:14:53
samueldmq{local:[{matchrule1, apply_these_projs_and_roles1},{matchrule2, apply_these_projs_and_roles2}]}14:53
samueldmqdstanek:  ^ you see the difference ?14:53
*** BigWillie has joined #openstack-keystone14:53
*** adrian_otto has quit IRC14:53
*** links has quit IRC14:54
dstaneksamueldmq: local doesn't have matchrules though right?14:54
samueldmqdstanek: by matchrule I mean "user": {": "{0}"}, for example14:55
samueldmq"user": { "name": "{0}" }14:56
samueldmqso you could say that user with name {0} gets project X with roles 1 and 214:56
samueldmqand user with name {1} gets project Y with role 114:56
samueldmqin the same mapping14:57
*** adrian_otto has joined #openstack-keystone14:57
dstaneksamueldmq: give me a few to show you what i mean. i have a meeting starting in 2 minutes14:57
samueldmqdstanek: sure14:57
dstaneksamueldmq: the short, short is that i believe [{user: {}}, {project: []}] is no different than [{user: {}, projects: []}]14:58
samueldmqdstanek: kk they seem different to me, maybe I just do not understand completely how the engine works14:59
*** stewie925 has joined #openstack-keystone14:59
*** jaosorior has joined #openstack-keystone15:00
stewie925hello guys, have a question with Openstack installation of Keystone15:02
stevemardikonoor: o/15:02
*** jgrassler has quit IRC15:03
stewie925I am installing Openstack Kilo version and followed the instructions to a T for Keystone install (http://docs.openstack.org/kilo/install-guide/install/apt/content/keystone-install.html)15:03
stewie925but when I tried to create the keystone service I am getting the following error:15:04
stewie925ERROR: openstack No connection adapters were found for '=http://controller:35357/v2.0/OS-KSADM/services'15:04
stevemardikonoor: hmm, based on what i'm reading here: http://docs.openstack.org/project-team-guide/i18n.html -- it sounds like i think we have everything in place15:08
*** markvoelker has quit IRC15:09
dikonoorstevemar: But the locale directory is missing in keystonemiddleware..15:09
stevemardikonoor: looking at https://translate.openstack.org/iteration/view/keystonemiddleware/master there are no translations for python files, just release notes15:09
dikonoorstevermar: yes right15:10
stevemardikonoor: maybe we're missing some of the infra pieces, i was going to double check that15:10
dikonoorstevermar: ok15:10
stevemardikonoor: the things to do are written here: http://docs.openstack.org/infra/system-config/translate.html15:11
* stevemar keeps getting new emails15:12
*** markvoelker has joined #openstack-keystone15:12
*** adrian_otto has quit IRC15:12
*** lennyb has joined #openstack-keystone15:12
dikonoorstevermar: I will go through and check from my end15:12
*** edtubill has joined #openstack-keystone15:14
*** chris_hultin|AWA is now known as chris_hultin15:14
*** AlexeyAbashkin has quit IRC15:15
*** AlexeyAbashkin has joined #openstack-keystone15:16
*** raj_singh has joined #openstack-keystone15:17
*** sheel has quit IRC15:17
*** AlexeyAbashkin has quit IRC15:19
*** markvoelker has quit IRC15:21
*** ravelar has joined #openstack-keystone15:24
*** diazjf has joined #openstack-keystone15:30
dstanekstewie925: you are using an invalid URL and requests is logging that error since it has no protocol handlers for '=http'15:31
dstanekknikolla: did you get your stuff worked out yesterday?15:31
knikolladstanek: rderose says permissions come from the group, so i'll try that today.15:33
dstanekknikolla: what about my note on blacklists?15:34
*** agrebennikov has joined #openstack-keystone15:35
*** links has joined #openstack-keystone15:35
knikolladstanek: i'll keep investigating today. got caught up in meetings yesterday after we discussed.15:35
knikollaif i find proof of a bug i'll open a report.15:36
dstaneksamueldmq: done with my meeting...let me whip up a quick test15:36
*** BigWillie has quit IRC15:36
dstanekknikolla: so the short answer is that you are using blacklists incorrectly15:37
*** spzala has joined #openstack-keystone15:38
*** diazjf has quit IRC15:38
openstackgerritMerged openstack/keystoneauth: Only log application/json in session to start  https://review.openstack.org/41819415:39
*** belmoreira has quit IRC15:40
knikolladstanek: what is the correct way?15:40
knikolladstanek: rderose: btw, groups fixed the permissions.15:41
dstanekknikolla: ok, so i don't blacklist is what you think it is.15:44
dstanekit's really more of a filter15:44
dstanekknikolla: if you look at https://github.com/openstack/keystone/blob/master/keystone/tests/unit/contrib/federation/test_utils.py#L701 you'll see it's intended use15:44
dstaneki think you want something more like https://github.com/dstanek/ansible-role-keystone-sp/blob/master/templates/mapping.json.j2#L19 (although not_any_of is exactly what you'd want to use)15:45
dstanekknikolla: ^ from yesterday15:45
*** mvk has quit IRC15:45
knikolladstanek: any_one_of or not_any_one_of don't allow passing that attribute through {0} or {1}15:45
*** adrian_otto has joined #openstack-keystone15:45
knikolladstanek: documentation refers to using blacklist or whitelist in that case15:45
rderoseknikolla: nice! glad, you got it working with groups :)15:46
dstanekknikolla: blacklist and whitelist are filters and their result is always a list which is not what you want for username15:46
dstanekyour mapping can be done with not_any_of right?15:47
knikolladstanek: oh, that explains the empty list as username yesterday. it matched admin and subtracted admin, resulting in [].15:48
*** adrian_otto has quit IRC15:49
dstanekknikolla: exactly.15:50
knikolladstanek: yes. i tried with not_any_of and it worked now.15:50
dstaneki'll look at the documentation today and see how i can fix it15:51
knikollathis bit of documentation confused me: empty, blacklist and whitelist are the only conditions that can be used in direct mapping ({0}, {1}, etc.)15:51
samueldmqdstanek: kk15:51
samueldmqdstanek: even if it behaves like that, I don't think it should, I understand those mappings differently, as they're written differently15:52
knikolladstanek: that piece is actually right though. when i use not_any_of and come with that username, it rejects me with 401. but when i come with another user not part of the not_any_of list it gives me this error15:53
knikollakeystoneauth1.exceptions.http.InternalServerError: Local section in mapping keystone-idp-mapping refers to a remote match that doesn't exist (e.g. {0} in a local section)15:53
stevemardolphm: around?15:53
dstanekknikolla: yes, another wart of our current mapping version. you need another remote dict to capture the direct mapping15:54
stevemarsomeone want to port https://review.openstack.org/#/c/418194/ to keystoneclient?15:54
*** Guest33573 is now known as nishaYadav15:54
dolphmstevemar: o/15:54
stevemardolphm: is https://review.openstack.org/#/c/418194/ good enough to you, sorry it already merged15:55
knikolladstanek: so i need another rule?15:56
dolphmstevemar: yep! if you merge that into the backports, i'll +215:57
*** adrian_otto has joined #openstack-keystone15:57
stevemardolphm: OK15:57
dstanekknikolla: yes another remote with just the 'type' specified15:58
dolphmstevemar: i.e. i think it should be merged with https://review.openstack.org/#/c/418091/15:58
dolphmstevemar: rather than proposed separately15:58
*** markvoelker has joined #openstack-keystone15:58
stevemardolphm: eh15:59
knikolladstanek: thank you! that worked!15:59
*** phalmos has joined #openstack-keystone15:59
dstanekknikolla: np16:01
nishaYadavstevemar, samueldmq hey!16:04
samueldmqnishaYadav: hello16:04
nishaYadavsamueldmq, i am stuck at something for a while now, can you please look?16:05
nishaYadavsamueldmq, I am trying to set up an LDAP back end with DevStack but getting this error when I run ./stack.sh http://paste.openstack.org/show/594431/16:05
samueldmqnishaYadav: look at what ? you apch ?16:05
samueldmqyour patch*16:05
nishaYadavsamueldmq, no, not a patch yet :(16:06
samueldmqok, looking16:06
nishaYadavsamueldmq, I read this link for help http://serverfault.com/questions/765744/openldap-no-such-object-32 but seeing this file https://github.com/openstack-dev/devstack/blob/master/files/ldap/manager.ldif.in I think configured backened databse is hdb, so, this doesn’t seem to be the issue.16:06
openstackgerritRichard Avelar proposed openstack/keystone: WIP add query for unique_id in list_users  https://review.openstack.org/41472016:06
*** AlexOughton has quit IRC16:06
*** AlexOughton has joined #openstack-keystone16:07
samueldmqnishaYadav: I am not really familiar with LDAP in devstack16:07
samueldmqafaict it supported installing and configuring openldap16:07
samueldmqnot sure if it needed an update or not16:07
stevemardikonoor: looks like keystonemiddleware is all setup, i don't know what else there is to do :\16:07
stevemardikonoor: want to jump on #openstack-infra and we can ask there?16:08
nishaYadavsamueldmq, oh, okay, should I ask on #openldap channel?16:08
samueldmqnishaYadav: I don't know, are you trying to use devstack code to set it up ?16:08
samueldmqyes, you are16:09
*** jaugustine has joined #openstack-keystone16:09
samueldmqnishaYadav: I don't think the issue is with openldap, but in the way devstack scripts are configuring the ldap itself16:09
samueldmqtake a look at the devstack code and try to understand it, it may require an update16:10
nishaYadavsamueldmq, Oh, actually I got in touch with rodrigods regarding LDAP testing, he told me that this issue needs to be fixed first16:10
samueldmqyes, so I think this is something related to devstack configuring LDAP, not an openldap bug16:10
nishaYadavsamueldmq, alright, so I need to fix this in the ldap file? this one https://github.com/openstack-dev/devstack/blob/master/lib/ldap16:12
openstackgerritDavid Stanek proposed openstack/keystone: Adds tests showing how mapping locals are handled  https://review.openstack.org/41846016:12
dstaneksamueldmq: lbragstad: ^16:12
samueldmqnishaYadav: you should start looking at the function failing in your paste16:12
samueldmqnishaYadav: start debugging from there and try to understand why ti's failing16:12
nishaYadavsamueldmq, hmm I will try again16:13
*** yarkot has joined #openstack-keystone16:13
nishaYadavsamueldmq, thanks :)16:13
samueldmqdstanek: kk that current  behavior is okay16:16
samueldmqdstanek: for me, where you scope projects/roles would determine to what users/groups it applies16:16
dstaneksamueldmq: i don't know why we did that. maybe we were just trying to be too smart?16:17
samueldmqdstanek: until now, it really doesn't matter because the mapping will result on users/groups16:17
samueldmqwhen we add scoping, we need to be precise on where/for whom apply it16:17
samueldmqdstanek: maybe, we should just have a right way to do it :(16:17
dstaneksamueldmq: the locals dictionary should have a projects key at the same level as the user key. the projects key is a list that may also contain roles16:18
samueldmqdstanek: yes, but who get those roles assigned on those projects ?16:18
*** rcernin has quit IRC16:18
samueldmqfor me, the answer would be, depends on where the projects/roles is defined in the dict16:18
dstaneksamueldmq: the user. there is only one user in a local section16:19
rodrigodssamueldmq, ++ regarding the issue of devstack configuring openldap, not the issue being in openldap itself16:19
samueldmqdstanek: so one mapping *always* map to a single user or group ?16:19
stewie925dstanek: hello16:21
stewie925dstanek: thank you so much for your input, I made the change and I am still getting an error trying to create the keystone service16:22
stewie925I have created http://paste.openstack.org/show/594440/ showing the keystone configuration and the OS_* settings, as well as the '--debug' results of my openstack service create run16:22
*** dikonoor has quit IRC16:23
samueldmqdstanek: if that's true (one mapping *always* map to a single user or group), I agree with you it doesn't matter where we put the projects/roles.16:24
*** jaugustine has quit IRC16:39
dstaneksamueldmq: each rule maps to a single user and each mapping has multiple rules16:41
lbragstadstevemar we didn't amend any keystone release notes to fix this and not track them in the bug - did we? https://bugs.launchpad.net/keystone/+bug/164050416:43
openstackLaunchpad bug 1640504 in openstack-manuals "release notes and config guide missing new settings for Newton" [Undecided,Fix released] - Assigned to guoshan (guoshan)16:43
stevemarlbragstad: we can't really amend release notes16:47
nishaYadavrodrigods, hey, you around?16:47
rodrigodshey nicolasbock16:47
rodrigodsoops nishaYadav16:47
*** thiagolib has joined #openstack-keystone16:47
nicolasbockHi rodrigods16:49
rodrigodsnicolasbock, sorry, autocomplete issue :) was trying to ping nishaYadav16:50
nicolasbockrodrigods, well, nishaYadav is almost like nicolasbock ;)16:50
nishaYadavrodrigods,  I tried setting up LDAP back end with DevStack and got the expected error. I tried to find fix the issue but need some help.16:50
rodrigodsnicolasbock, ni<tab> :)16:51
nicolasbockrodrigods, :)16:51
rodrigodsnishaYadav, ok... what is your doubt16:51
*** links has quit IRC16:52
nishaYadavrodrigods, I ran the command $sudo ldapsearch -H ldapi:// -Y EXTERNAL -b 'cn=config' -s one  dn and only found mdb databases in the result. So, I guess the problem is that I can't modify the hdb database because there isn't one present.16:54
nishaYadavrodrigods, I asked on #openldap channel for help then and got this advice,  basically, your choices are to drop your current config and re-initialize with that suse-base-config; or to adapt the manager.ldif to work with your existing setup16:55
nishaYadavrodrigods, what do you think the issue is?16:55
*** tqtran has joined #openstack-keystone16:55
rodrigodsnishaYadav, ok... you went much further than i was aware in the issue :)16:56
rodrigodsnishaYadav, do you know what that line in ldap/lib tries to accomplish?16:56
rodrigodsnishaYadav, but sounds like that adapting manager.ldif is the correct approach16:57
nishaYadavrodrigods, oh, i dont really understand the ldap modify command :(16:57
nishaYadavrodrigods, I read some docs but EXTERNAL wasn't used in most16:58
rodrigodsnishaYadav, the first step is to understand it and try to figure out what it is failing16:58
rodrigodsso you can replace with something that works16:58
nishaYadavrodrigods, should I be reading more about ldap or how keystone uses openldap or the purpose of all commands in ldap file inside lib?17:00
nishaYadavrodrigods, considering I haven't worked on ldap before17:01
dstanekstewie925: is 'controller' resolvable?17:01
rodrigodsnishaYadav, you should understand what ldapmodify does and what each argument being passed to it means17:01
rodrigodsnishaYadav, also... understanding basic ldap is useful, but anything really high level should be enough17:01
stewie925dstanek: hi could you rephrase the question? sorry17:02
rodrigodsnishaYadav, keystone uses ldap like everyone else, as a user storage solution17:02
nishaYadavrodrigods, hmm17:02
nishaYadavrodrigods, I will search and read more then17:03
rodrigodsnishaYadav, understanding the meaning of the line "sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f $tmp_ldap_dir/manager.ldif" is critical to fix it17:03
rodrigodsnishaYadav, i can try to learn and explain to you, but don't have much time right now17:03
nishaYadavrodrigods, hmm and we need to use this file manager.ldif and not any other file right?17:03
stewie925dstanek: I created a multinode openstack and I was able to test that the controller can communicate with network and compute nodes and vice-versa17:04
nishaYadavrodrigods, that's alright, I will try myself again. Thanks for helping :)17:04
*** voelzmo has quit IRC17:08
openstackgerritRichard Avelar proposed openstack/keystone: WIP add query for unique_id in list_users  https://review.openstack.org/41472017:09
*** gyee has joined #openstack-keystone17:13
*** diazjf has joined #openstack-keystone17:13
*** david-lyle has joined #openstack-keystone17:13
dstanekstewie925: can the machine you are running the client on resolve the 'controller' domain name? 'ping controller' from it17:13
stewie925dstanek - yes I can ping controller17:14
stewie92564 bytes from controller ( icmp_seq=1 ttl=64 time=0.024 ms17:14
*** jose-phillips has joined #openstack-keystone17:15
*** nishaYadav has quit IRC17:16
*** diazjf has quit IRC17:17
*** asettle has quit IRC17:18
stewie925also I am wondering... if I made a change to the /etc/keystone/keystone.conf, how do I make sure that keystone is picking up the new values?17:18
stewie925I tried to run "sudo service keystone restart" and its giving me "stop: Unknown instance:  keystone start/running, process 10959"17:19
stewie925although I assume that the 'openstack service create' does not look at the keystone.conf yet17:20
*** browne has joined #openstack-keystone17:24
*** pcaruana has quit IRC17:25
stewie925dstanek: or maybe I need to refresh the OS_TOKEN value hourly?17:27
*** tqtran has quit IRC17:30
*** tqtran has joined #openstack-keystone17:30
samueldmqdstanek: so yes that's my poitn, the project/role should belong to a rule rather than to the mapping17:31
*** tesseract has quit IRC17:31
*** rreimberg has joined #openstack-keystone17:32
dstanekstewie925: you are probably running keystone under apache so you'd have to restart that17:39
stewie925yes I had already restarted apache217:40
dstaneksamueldmq: it does belong to a rule17:40
samueldmqdstanek: in your patch yes, in the spec no17:41
samueldmqdstanek: in the spec it is defined at a higher level, so we don't know what user the project/roles apply to17:41
dstaneksamueldmq: it's defined in the locals list right?17:41
*** chris_hultin is now known as chris_hultin|AWA17:42
dstanekstewie925: can you connect to that port from the client box17:42
dstanekstewie925: the problem in your log is 'ConnectionRefused: Unable to establish connection to http://controller:35357/v2.0/OS-KSADM/services'17:42
samueldmqdstanek: yes, but in your patch, it's inside the locals->user, so we know it's for that user17:42
samueldmqif we have multiple local{user} and local{projects} we don't know what local{user} that apply, or to all ?17:43
dstaneksamueldmq: https://review.openstack.org/#/c/410949/9/keystone/tests/unit/mapping_fixtures.py17:44
dstaneksamueldmq: the outcome of a local block is a single user. there cannot be more than one17:44
samueldmqdstanek: ah okay, so a single porject or group17:45
samueldmqso it doesn't matter where projects is.... we shoul ddocument/test that17:46
dstaneksamueldmq: a local block can render to a user plus some optional thing. list of group name, list of group ids and not a list of projects17:46
dstaneksamueldmq: those local tests i submitted earlier show how it works17:46
*** esp has joined #openstack-keystone17:47
samueldmqdstanek: ++17:48
stewie925dstanek: I ran "netstat -anp | grep 35357" and it returned "tcp6       0      0 :::35357                :::*                    LISTEN      10398/apache2 "17:54
dstanekstewie925: that means it's listening, but doesn't mean that your client can connect. try 'curl http://controller:35357' from the client box17:55
*** spilla has joined #openstack-keystone17:55
stewie925dstanek: # curl http://controller:35357 <HTML> <HEAD><TITLE>Redirection</TITLE></HEAD> <BODY><H1>Redirect</H1></BODY> </HTML>17:56
*** chrisplo has joined #openstack-keystone17:58
stevemarping for meeting agrebennikov, amakarov, annakoppad, ayoung, bknudson, breton, browne, chrisplo, crinkle, davechen, dolphm, dstanek, edmondsw, edtubill, gagehugo, gyee, henrynash, hrybacki, jamielennox, jaugustine, jgrassler, knikolla, lamt, lbragstad, kbaikov, ktychkova, morgan, nisha, nkinder, notmorgan, raildo, ravelar, rderose, rodrigods, roxanaghe, samueldmq, shaleh, spilla, srwilkers, StefanPaetowJisc,18:00
stevemarstevemar, topol18:00
*** jaugustine has joined #openstack-keystone18:01
openstackgerritMerged openstack/keystoneauth: Add a full listing of all auth plugins and there options  https://review.openstack.org/41834718:01
*** Guest34220 is now known as medberry18:04
*** medberry has quit IRC18:04
*** medberry has joined #openstack-keystone18:04
*** medberry is now known as med_18:04
*** AlexeyAbashkin has joined #openstack-keystone18:09
*** mvk has joined #openstack-keystone18:10
openstackgerritMerged openstack/keystone: Invalid parameter name on interface  https://review.openstack.org/39987018:10
openstackgerritMerged openstack/keystone: Bump API version and date  https://review.openstack.org/41816718:11
*** stewie925 has quit IRC18:19
*** ravelar has quit IRC18:19
*** ravelar has joined #openstack-keystone18:20
*** asettle has joined #openstack-keystone18:20
openstackgerritTin Lam proposed openstack/keystone: Filtering invalid resources should return 400 Bad Request  https://review.openstack.org/41731518:20
*** stewie925 has joined #openstack-keystone18:26
stewie925dstanek: sorry I got disconnected18:26
dstanekstewie925: if you confirm that your client machine can make the connection?18:26
stewie925dstanek: so I set up my controller node with ip addr  in the /etc/hosts18:27
stewie925and on the same controller node, I thought I'd run 'curl'  but I got access denied, Your credentials could not be authenticated: "Credentials are missing. You will not be permitted access until your credentials can be verified."18:29
dstanekstewie925: that's because you need to authenticate18:29
stewie925I do have OS_TOKEN set up18:29
dstanekstewie925: if you are making a curl request you'll have to provide the token in a header. the environment variable is something our client uses18:31
stewie925oh ... thank you - let me run again18:31
*** chris_hultin|AWA is now known as chris_hultin18:34
*** erhudy has joined #openstack-keystone18:41
rderosestevemar: you have time to discuss that PCI patch?18:52
morgandolphm: you smoking meats much or was that lbragstad that was doing that?18:54
morgani know one of you SAT folks were18:54
stevemarrderose: i do not unfortunately, i'm leaving in 10 minutes for a doctor's appointment18:54
rderosestevemar: okay, np18:54
lbragstadmorgan i had a couple feeble attempts - i'd refer to dolphm though18:54
stevemarrderose: i'll be around in the evening or tomorrow. i'm never away for too long18:55
rderosestevemar: sounds good18:55
dolphmmorgan: i'm trying to make it a sunday ritual18:55
ravelarmorgan: dolphm bbq is great!18:55
morganlbragstad, dolphm: because I sent some of these https://www.winecountrycraftsman.com/shop/products/296/bbq-staves-wine-soaked-oak-for-bbq-smokers.php over to mordred, waiting to see how they work. but passing along the option :)18:55
dolphmmorgan: https://twitter.com/dolphm/status/81492972267313152018:55
morganit sounds like a damn tasty thing.18:55
morgandolphm: ooooooh yesssssssss18:55
lbragstadmorgan nice!18:56
dolphmmorgan: i have about 10 pounds of chopped up wine barrel at home :D18:56
dolphmmorgan: for exactly that reason18:56
morgandolphm: niiice18:56
dolphmmorgan: i haven't decided what to do with it just yet18:56
morgandolphm: yeah, it sounds just amazing to add to a smoker/bbq18:56
lbragstadmorgan stevelle does a bunch of bbq stuff, too18:57
dolphmmorgan: my experiment for this weekend is to smoke bone-in ribeyes .. that might be the perfect pairing18:57
morganoh yes18:57
lbragstaddolphm i've heard that's good18:57
morganesp. if the staves are from red wine barrels18:57
morganchard might not be strong enough18:57
morgandolphm: let me know how the bone-in ribeye smoking goes18:57
* morgan would get a smoker but... no place for it at the new seattle residence18:58
dolphmmorgan: will do18:58
*** voelzmo has joined #openstack-keystone18:58
morgani might need to visit san antonio and sample the smoked foods.18:58
dolphmmorgan: you *can* smoke indoors18:58
morganugh. no, no i can't :P18:58
dolphmmorgan: totally can18:58
lbragstadtea leaves help18:59
morgan*I* can't :P18:59
dolphmmorgan: do you have an oven?18:59
morganas in, not going to try because i don't want the house to smell like smoked meats. (also limited space)18:59
morganoven is small18:59
morganit's nice but the inside is a bit wimpy space wise.19:00
dolphmmorgan: smelling like smoked meats is better than the alternative19:00
morganand also not super consistent in heat =/19:00
morganwhen cooking it's a lot of manually checking temp and adjusting. it's a bit finacky19:00
morganbut in short. i'll just wait till i buy my place/move in 18mo and build/get a real smoker19:01
morganand by then i can get lots of "what not to do" from you and mordred ^_^19:01
morganlbragstad: yep. still needs lots of adjusting to get right. sadly.19:02
morganoven is a bit weird.19:02
morgantends to be too hot. actually.19:02
*** d0ugal has quit IRC19:04
stewie925dstanek: would it be possible to redo the keystone install without having to trash the controller box?19:10
*** itisha has joined #openstack-keystone19:11
dstanekstewie925: do you know the problem now?19:11
stewie925dstanek: am pretty stumped here :(19:12
stewie925I am able to connect to the keystone db and all19:12
stewie925its just that I can't run this 'openstack service create keystone'19:12
dolphmstevemar: morgan: lbragstad: stable branch dashboard, inbox-zero style (things you've reviewed disappear) http://cdn.pasteraw.com/bchm66gu7rd0jf9pj2o22hmwqylrmw019:12
dolphmstevemar: morgan: lbragstad: source- https://github.com/dolph/dotfiles/blob/master/gerrit-dashboards/stable.dash19:13
stewie925using the configuration i listed in http://paste.openstack.org/show/594440/19:13
stewie925dstanek - let me rerun those curl commands and I'll share the results with you via a pastebin link19:14
stewie925dstanek: let me rerun those curl commands and I'll share the results with you via a pastebin link19:14
*** ravelar has quit IRC19:14
lbragstaddolphm very nice - thanks!19:14
*** chrisplo_ has joined #openstack-keystone19:15
lamtstewie925 : "ConnectionRefused: Unable to establish connection to http://controller:35357/v2.0/OS-KSADM/services" <- you will probably need to change that controller to the actual node19:15
stewie925lamt: thank you - how do I do that19:16
*** esp has left #openstack-keystone19:16
*** chrisplo has quit IRC19:17
*** voelzmo has quit IRC19:19
gagehugostewie925: hosts file but I think you have that already19:19
*** d0ugal has joined #openstack-keystone19:20
dstanekstewie925: the way i read you error is that the machine running that command can't connect to the URL you want to use19:25
dstanekthat's why i was asking about dns resolution and such19:25
stewie925dstanek: yeah thats right :(19:25
openstackgerritSamuel Pilla proposed openstack/keystone: Add password expiration queries for PCI-DSS  https://review.openstack.org/40389819:30
*** voelzmo has joined #openstack-keystone19:34
*** pcaruana has joined #openstack-keystone19:37
*** ravelar has joined #openstack-keystone19:39
*** jaugustine has quit IRC19:41
*** jaugustine has joined #openstack-keystone19:45
*** AlexeyAbashkin has quit IRC19:46
*** odyssey4me has quit IRC19:46
*** odyssey4me has joined #openstack-keystone19:46
*** asettle has quit IRC19:46
*** asettle has joined #openstack-keystone19:47
*** asettle has quit IRC19:51
*** voelzmo has quit IRC19:57
*** voelzmo_ has joined #openstack-keystone19:57
*** stewie925 has quit IRC19:58
*** spzala has quit IRC20:00
*** voelzmo_ has quit IRC20:01
*** AlexeyAbashkin has joined #openstack-keystone20:05
*** browne has quit IRC20:17
*** adrian_otto has quit IRC20:20
*** voelzmo has joined #openstack-keystone20:21
*** spzala has joined #openstack-keystone20:23
*** asettle has joined #openstack-keystone20:24
*** voelzmo has quit IRC20:25
*** AlexeyAbashkin has quit IRC20:27
*** chris_hultin is now known as chris_hultin|AWA20:27
*** chris_hultin|AWA is now known as chris_hultin20:32
*** stewie925 has joined #openstack-keystone20:39
*** raildo has quit IRC20:48
morgandolphm: thnx!20:48
dstanekstewie925: get any closer to a solutin20:48
*** AlexeyAbashkin has joined #openstack-keystone20:50
stewie925dstanek: hi , am still looking... but i have my suspicions :|20:51
*** browne has joined #openstack-keystone20:54
*** adriant has joined #openstack-keystone20:54
dstanekstewie925: in my mind you have a server running keystone and a different server/vm/laptop running client commands and those commands are failing right?20:57
*** dave-mccowan has quit IRC21:03
stewie925dstanek: hi , actually I am running both from the same box21:05
*** htruta has quit IRC21:08
*** htruta` has joined #openstack-keystone21:08
*** eglute has quit IRC21:08
*** eglute has joined #openstack-keystone21:08
dstanekstewie925: now that's pretty weird that the box has trouble talking to itself21:12
stewie925yeah it has a split personality21:12
morganstewie925, dstanek: i've seen that type of stuff when the ebtables are wacky and containers and networking can muck with ebtables in strange ways21:21
*** voelzmo has joined #openstack-keystone21:29
*** voelzmo has quit IRC21:29
*** AlexeyAbashkin has quit IRC21:31
*** jose-phillips has quit IRC21:32
*** jose-phillips has joined #openstack-keystone21:34
*** thiagolib has quit IRC21:38
*** AlexeyAbashkin has joined #openstack-keystone21:41
*** AlexeyAbashkin has quit IRC21:47
*** pcaruana has quit IRC21:48
*** rdo has quit IRC21:48
*** chrome0 has joined #openstack-keystone21:57
*** chrome0 has quit IRC22:02
openstackgerritSamuel Pilla proposed openstack/keystone: Add password expiration queries for PCI-DSS  https://review.openstack.org/40389822:03
*** spilla has quit IRC22:08
*** adrian_otto has joined #openstack-keystone22:09
*** rdo has joined #openstack-keystone22:11
openstackgerritSamuel Pilla proposed openstack/keystone: Add password expiration queries for PCI-DSS  https://review.openstack.org/40389822:11
*** edtubill has quit IRC22:23
*** edmondsw has quit IRC22:27
*** edmondsw has joined #openstack-keystone22:27
*** voelzmo has joined #openstack-keystone22:30
*** voelzmo has quit IRC22:35
*** edmondsw has quit IRC22:37
*** thorst has quit IRC22:45
*** edtubill has joined #openstack-keystone22:46
*** adrian_otto has quit IRC22:46
*** pepperingranivor has quit IRC22:47
*** asettle has quit IRC22:51
*** dave-mccowan has joined #openstack-keystone23:05
*** jaugustine has quit IRC23:08
*** jperry has quit IRC23:09
*** asettle has joined #openstack-keystone23:12
*** asettle has quit IRC23:12
openstackgerritLance Bragstad proposed openstack/keystone: Implement shadow mapping  https://review.openstack.org/41589523:22
lbragstaddstanek ^23:22
*** jraim has quit IRC23:22
*** briancurtin has quit IRC23:22
stewie925dstanek: morgan:  I compiled some info on my keystone config and the curl commands that I ran:  http://paste.openstack.org/show/594476/23:23
lbragstaddstanek gotta run to a family supper for a bit - i'll check back in later though23:23
*** morgan has quit IRC23:23
*** jraim has joined #openstack-keystone23:26
*** jaosorior has quit IRC23:27
*** thorst has joined #openstack-keystone23:31
*** thorst has quit IRC23:35
*** morgan_ has joined #openstack-keystone23:38
*** chris_hultin is now known as chris_hultin|AWA23:41
*** stephen-la has joined #openstack-keystone23:46
openstackgerritRichard Avelar proposed openstack/keystone: WIP extend users API to add federated object  https://review.openstack.org/41862423:46
stephen-ladoes anyone know if its still possible to use devstack scripts for going back to liberty release?23:46
*** chris_hultin|AWA is now known as chris_hultin23:46
stephen-laCloning into '/opt/stack/keystone'...23:47
stephen-la+ git checkout stable/liberty23:47
stephen-laseems to fail everytime now on keystone23:47
openstackgerritRichard Avelar proposed openstack/keystone: WIP extend users API to add federated object  https://review.openstack.org/41862423:48
*** lamt has quit IRC23:49
*** chris_hultin is now known as chris_hultin|AWA23:51
adriantmorgan_, stevemar: although the new MFA spec mostly supersedes it as a overall MFA replacement, I'm curious if the password+totp plugin is still useful to allow simple MFA without needing ALL the various libraries and pieces changed/updated/upgraded to play nice with the proper MFA changes we're doing.23:52
morgan_adriant: i don't see why we would support both modes in-tree23:53
morgan_adriant: the library additons will be minimal.23:53
morgan_(or non-existant)23:53
morgan_and changed bits/peices are mostly in the auth line(s).23:53
adriantbut to actually use it we need to change horizon, osclient, etc23:54
adriantwith the password+totp one, it doesn't interfere with the proper MFA rules, but allows 'it just works' basic MFA by attaching the passcode to the password.23:56

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!