Tuesday, 2017-01-17

[00:07] *** dikonoor has joined #openstack-keystone
[00:11] *** catintheroof has joined #openstack-keystone
[00:18] *** jerrygb has quit IRC
[00:19] *** david-lyle has joined #openstack-keystone
[00:19] *** thorst has joined #openstack-keystone
[00:21] *** thorst has quit IRC
[00:34] *** jerrygb has joined #openstack-keystone
[00:40] *** jose-phillips has quit IRC
[00:41] *** hoangcx has joined #openstack-keystone
[00:43] *** david-lyle has quit IRC
[00:48] *** chris_hultin is now known as chris_hultin|AWA
[00:49] stevemar: jamielennox: we did, to keystoneauth-saml2, and keystoneclient :)
[00:49] stevemar: gagehugo: damn!
[00:54] stevemar: jamielennox: oh ffs... http://logs.openstack.org/40/420940/2/check/gate-rally-dsvm-neutron-existing-users-rally/d62a957/console.html#_2017-01-16_21_49_37_644183
[00:54] stevemar: "Content-Type is set to application/json; charset=UTF-8. Only application/json responses"
[01:04] jamielennox: stevemar: wtf requests should handle trimming the charset away from content type.
[01:07] jamielennox: Though maybe it should be starts with so you can get json+xyz
[01:09] *** catintheroof has quit IRC
[01:11] *** edtubill has joined #openstack-keystone
[01:11] stevemar: jamielennox: yeah, or "in"
[01:12] *** chris_hultin|AWA is now known as chris_hultin
[01:12] stevemar: eh, startswith is probably better
[01:13] *** jerrygb has quit IRC
[01:15] *** edtubill has quit IRC
[01:22] *** thorst has joined #openstack-keystone
[01:24] *** trananhkma has quit IRC
[01:27] *** thorst has quit IRC
[01:37] *** chris_hultin is now known as chris_hultin|AWA
[01:42] *** thorst has joined #openstack-keystone
[01:43] *** thorst has quit IRC
[01:55] *** chris_hultin|AWA is now known as chris_hultin
[01:58] *** chris_hultin is now known as chris_hultin|AWA
[02:01] *** dikonoor has quit IRC
[02:03] *** nicolasbock has quit IRC
[02:14] *** jerrygb has joined #openstack-keystone
[02:22] *** stingaci has joined #openstack-keystone
[02:25] *** jamielennox is now known as jamielennox|away
[02:26] *** stingaci has quit IRC
[02:33] *** tqtran has quit IRC
[02:42] *** edtubill has joined #openstack-keystone
[02:44] *** thorst has joined #openstack-keystone
[02:48] *** thorst has quit IRC
[02:55] *** woodster_ has quit IRC
[02:57] *** spzala has quit IRC
[03:03] *** jamielennox|away is now known as jamielennox
[03:13] *** jose-phillips has joined #openstack-keystone
[03:14] *** jose-phillips has quit IRC
[03:14] *** jose-phillips has joined #openstack-keystone
[03:17] *** jose-phillips has quit IRC
[03:18] *** jose-phillips has joined #openstack-keystone
[03:19] *** jose-phillips has quit IRC
[03:20] *** jose-phillips has joined #openstack-keystone
[03:20] *** diazjf has quit IRC
[03:21] *** jose-phillips has quit IRC
[03:21] *** jose-phillips has joined #openstack-keystone
[03:27] *** jose-phillips has quit IRC
[03:31] *** edmondsw has joined #openstack-keystone
[03:32] *** links has joined #openstack-keystone
[03:36] *** edmondsw has quit IRC
[04:07] *** v1k0d3n has joined #openstack-keystone
[04:11] *** v1k0d3n has quit IRC
[04:13] *** sheel has joined #openstack-keystone
[04:20] *** antwash has quit IRC
[04:21] *** jlwhite has quit IRC
[04:27] *** jrist has quit IRC
[04:39] *** jrist has joined #openstack-keystone
[04:45] *** thorst has joined #openstack-keystone
[04:50] *** thorst has quit IRC
[05:08] *** jerrygb has quit IRC
[05:14] *** v1k0d3n has joined #openstack-keystone
[05:20] *** jlwhite has joined #openstack-keystone
[05:20] *** antwash has joined #openstack-keystone
[05:20] *** stingaci has joined #openstack-keystone
[05:22] openstackgerrit: Tin Lam proposed openstack/python-keystoneclient: Fix response body being omitted in debug mode incorrectly https://review.openstack.org/421076
[05:25] *** v1k0d3n has quit IRC
[05:25] *** stingaci has quit IRC
[05:26] *** dikonoor has joined #openstack-keystone
[05:31] *** dikonoor has quit IRC
[05:33] *** david-lyle has joined #openstack-keystone
[05:44] *** david-lyle has quit IRC
[05:45] *** Jack_I has joined #openstack-keystone
[05:53] *** david-lyle has joined #openstack-keystone
[05:53] *** Jack_V has joined #openstack-keystone
[05:57] *** Jack_I has quit IRC
[06:24] *** david-lyle has quit IRC
[06:33] *** tqtran has joined #openstack-keystone
[06:35] *** edtubill has quit IRC
[06:35] *** tqtran has quit IRC
[06:41] openstackgerrit: Merged openstack/keystone: Drop type in filters https://review.openstack.org/419451
[06:42] *** richm has quit IRC
[06:43] openstackgerrit: Merged openstack/keystoneauth: Use comma as separator in ECP Accept HTTP header https://review.openstack.org/420970
[06:46] *** thorst has joined #openstack-keystone
[06:47] openstackgerrit: Tin Lam proposed openstack/python-keystoneclient: Fix response body being omitted in debug mode incorrectly https://review.openstack.org/421076
[06:50] *** thorst has quit IRC
[07:16] *** tesseract has joined #openstack-keystone
[07:25] *** voelzmo has joined #openstack-keystone
[07:25] *** voelzmo has quit IRC
[07:27] *** voelzmo has joined #openstack-keystone
[07:35] *** edtubill has joined #openstack-keystone
[08:01] *** stingaci has joined #openstack-keystone
[08:02] *** dmellado has quit IRC
[08:04] *** dmellado has joined #openstack-keystone
[08:47] *** thorst has joined #openstack-keystone
[08:48] *** Jack_I has joined #openstack-keystone
[08:49] *** Jack_V has quit IRC
[08:52] *** thorst has quit IRC
[08:52] *** Jack_V has joined #openstack-keystone
[08:56] *** Jack_I has quit IRC
[08:56] openstackgerrit: bighnaraj mishra proposed openstack/python-keystoneclient: added oslo_log removing logging library https://review.openstack.org/421140
[09:00] *** zzzeek has quit IRC
[09:00] *** zzzeek has joined #openstack-keystone
[09:03] *** rha has quit IRC
[09:30] *** mvk has quit IRC
[10:06] *** mvk has joined #openstack-keystone
[10:10] *** hoangcx has quit IRC
[10:15] *** jose-phillips has joined #openstack-keystone
[10:19] *** haplo37_ has quit IRC
[10:19] *** haplo37_ has joined #openstack-keystone
[10:32] *** mvk has quit IRC
[10:47] *** mvk has joined #openstack-keystone
[10:48] *** thorst has joined #openstack-keystone
[10:52] *** thorst has quit IRC
[10:58] *** pnavarro has joined #openstack-keystone
[11:12] *** ayoung has joined #openstack-keystone
[11:12] *** ChanServ sets mode: +v ayoung
[11:13] *** richm has joined #openstack-keystone
[11:20] *** aloga has quit IRC
[11:20] *** aloga has joined #openstack-keystone
[11:27] *** rha has joined #openstack-keystone
[11:28] *** mvk has quit IRC
[11:39] *** jose-phillips has quit IRC
[11:40] *** jose-phillips has joined #openstack-keystone
[11:41] *** mvk has joined #openstack-keystone
[11:56] asettle: Hey - is there anyone here that can help me triage a proposed bug in the manuals setup for keystone?
[11:56] asettle: The Newton installation guide refers to deleting the sqlite keystone.db file
[11:56] asettle: But the reportee advises to hash "connection = sqlite:////var/lib/keystone/keystone.db" line in [database] in keystone.conf before populating sql.
[11:56] asettle: There have been other references to this solution too
[11:56] asettle: Unfortunately I concede defeat - I don't know enough to triage this appropriately
[11:56] asettle: If anyone can help: https://bugs.launchpad.net/openstack-manuals/+bug/1654701?comments=all
[11:56] openstack: Launchpad bug 1654701 in openstack-manuals "connection = sqlite line in [database] section in keystone.conf" [Undecided,New]
[11:57] stevemar: asettle: why is someone using sqlite for their install *confused*
[11:58] asettle: stevemar: well... to be fair, I don't know! But not the only one: https://github.com/AJNOURI/COA/issues/31
[11:58] asettle: I've never seen anything like it before, hence why conceding defeat.
[12:01] stevemar: asettle: oh, i think i get it
[12:01] asettle: \o/ yes?!
[12:01] *** nicolasbock has joined #openstack-keystone
[12:01] stevemar: asettle: i think by "hash" he means "comment out" -- to literally put a '#' in front of the sample connection string?
[12:01] stevemar: "i've tried positioning the ** connection= sql...etc ** line above the ** connection = sqlite..etc **"
[12:02] stevemar: but that may not work since oslo.config may take the last argument you use
[12:02] stevemar: :)
[12:02] asettle: Right, so he's suggesting commenting it out, and then populate sql.
[12:02] stevemar: yeah
[12:03] asettle: So, this isn't really something we should be suggesting in the manuals. I wonder - have you seen any suggest something like this before??
[12:03] stevemar: i thought by "hash" he meant to encrypt or sign the password
[12:03] stevemar: asettle: nope :\
[12:04] asettle: Might have to request further info. He's basically suggesting that leaving the sqlite line in affects keystone db.
[12:04] asettle: He's continuously just receiving internal server errors.
[12:05] *** rdopiera has left #openstack-keystone
[12:05] stevemar: hmm, we don't default it to https://github.com/openstack/keystone/blob/stable/mitaka/etc/keystone.conf.sample#L549
[12:05] stevemar: to anything*
[12:06] stevemar: asettle: getting an internal server error makes sense, he's specifying to connect to a database that ain't there
[12:06] asettle: I'm guessing (wildly) that it's an isolated issue on his personal setup.
[12:06] stevemar: (i'm assuming the install guide says to use mysql instead of sqlite?)
[12:06] asettle: (Let me check)
[12:07] asettle: (because I don't trust the off the top of my head approach rn)
[12:07] stevemar: looks like it: http://docs.openstack.org/newton/install-guide-ubuntu/keystone-install.html
[12:07] asettle: Wow you fast
[12:07] stevemar: step1 `mysql -u root -p` :P
[12:07] stevemar: my google fu!
[12:07] asettle: In that case, yes.
[12:07] asettle: Hahhaha
[12:07] stevemar: pardon, screaming child
[12:07] asettle: All yours.
[12:08] stevemar: back
[12:08] stevemar: mornings are fun
[12:08] asettle: Said no one ever.
[12:08] stevemar: "connection = mysql+pymysql://keystone:KEYSTONE_DBPASS@controller/keystone "
[12:08] stevemar: hmmm
[12:09] stevemar: asettle: maybe one of the packages he installed is defaulting the value to sqlite?
[12:09] stevemar: cause we don't, and the install guide doesn't mention to do that
[12:09] asettle: I'm guessing so, I might just comment and ask.
[12:09] stevemar: i can ask in the bug i guess
[12:09] asettle: Thanks for helping me out, stevemar :)
[12:10] asettle: Actually, yeah - if you're okay with commenting on that one stevemar that would be really helpful
[12:10] stevemar: hmm, ubuntu install guide too
[12:10] stevemar: sure
[12:10] asettle: Thanks for your help :) I appreciate you helping me.
[12:10] asettle: My keystone knowledge is pretty sad. dolphm and lbragstad have tried to help me a few times :P
[12:11] stevemar: asettle: those two are good sources for keystone knowledge :)
[12:11] asettle: They areeee :)
[12:11] asettle: I am a federation master!* (terms and conditions may apply)
[12:12] *** links has quit IRC
[12:13] *** iurygregory has joined #openstack-keystone
[12:14] *** jose-phillips has quit IRC
[12:23] *** tesseract has quit IRC
[12:30] openstackgerrit: Steve Martinelli proposed openstack/python-keystoneclient: Fix response body being omitted in debug mode incorrectly https://review.openstack.org/421076
[12:31] stevemar: jamielennox: https://review.openstack.org/#/c/421076/
[12:32] stevemar: asettle: good good, i can redirect all my federationy questions to you :)
[12:32] *** catintheroof has joined #openstack-keystone
[12:32] stevemar: breton: is https://review.openstack.org/#/c/294535/ fully baked?
[12:33] stevemar: i know nothing of osprofiler
[12:34] stevemar: breton: i +2'ed it, if you are confident about it you may +W it, the code won't interfere with keystone, but i don't know if the osprofiler/rally bits are 100% correct
[12:41] *** lamt has quit IRC
[12:46] *** Jack_I has joined #openstack-keystone
[12:46] *** thorst has joined #openstack-keystone
[12:48] *** Jack_V has quit IRC
[12:56] asettle: stevemar: don't hold your breath for amazing responses :p
[12:58] *** links has joined #openstack-keystone
[13:01] *** links has quit IRC
[13:02] *** dave-mccowan has joined #openstack-keystone
[13:03] *** edmondsw has joined #openstack-keystone
[13:05] openstackgerrit: Steve Martinelli proposed openstack/python-keystoneclient: Fix response body being omitted in debug mode incorrectly https://review.openstack.org/421076
[13:11] *** lamt has joined #openstack-keystone
[13:18] openstackgerrit: Rodrigo Duarte proposed openstack/keystoneauth: Add test for header in Saml2 plugin https://review.openstack.org/421265
[13:18] asettle: stevemar: I have another one if you have the time? A posed question within a bug that I cannot answer :(
[13:18] breton: stevemar: it looks correct, it doesn't break me, but i am not sure that it produces the results a user expects.
[13:18] asettle: https://bugs.launchpad.net/openstack-manuals/+bug/1655853
[13:18] openstack: Launchpad bug 1655853 in openstack-manuals ""systemd:openstack-keystone" resource agent seems not exist" [Undecided,New]
[13:19] openstackgerrit: Rodrigo Duarte proposed openstack/keystoneauth: Add test for header in Saml2 plugin https://review.openstack.org/421265
[13:19] breton: stevemar: > So I am wondering if "systemd:httpd" is the correct resource agent for HA keystone here.
[13:19] breton: oh
[13:19] breton: asettle: > So I am wondering if "systemd:httpd" is the correct resource agent for HA keystone here.
[13:19] breton: asettle: it probably is.
[13:19] rodrigods: stevemar, ^ tests for the keystoneauth saml2 bug in the headers
[13:20] breton: asettle: we use httpd for running keystone
[13:21] asettle: breton: did you file this bug? :)
[13:21] breton: asettle: nope
[13:21] asettle: Coincidence?
[13:22] breton: asettle: i have just opened in the browser and looked at the contents :)
[13:22] asettle: Hahaha oh right, sorry. I was just super confused for a second.
[13:22] asettle: Don't mind me.
[13:22] asettle: httpd it is.
[13:23] asettle: Thank you for responding breton :)
[13:23] stevemar: asettle: yeah, as breton said "systemd:httpd" is probably the right value instead of "systemd:openstack-keystone"
[13:24] asettle: :) thanks team
[13:24] stevemar: i think "systemd:openstack-keystone" is from when we were using eventlet? i think the HA guide was the guide that needed the most updates iirc
[13:24] stevemar: so it would make sense that it had an old eventlet value
[13:25] asettle: I'll have a look
[13:26] asettle: It doesn't ref, from a cursory glance: http://docs.openstack.org/ha-guide/
[13:32] stevemar: asettle: may have to bug someone from red hat or who knows systemd / pacemaker a bit more
[13:33] asettle: ... hmmmm jamielennox is an ex-hatter ;)
[13:34] asettle: Thanks stevemar - appreciate it.
[13:34] asettle: Getting a tonne of random bugs lately.
[13:39] stevemar: asettle: you're more than welcomed to bug us here
[13:39] stevemar: pun intended
[13:39] stevemar: heyooo
[13:39] asettle: Hurr hurrr :p
[13:39] asettle: Don't give up your day job aye :p
[13:41] stevemar: jamielennox: another one for you: https://review.openstack.org/#/c/419724/2
[13:41] stevemar: asettle: womp womp
[13:41] asettle: Lucky jamielennox
[13:43] asettle: My gosh I have another.
[13:43] asettle: Keystone is *popular* today
[13:43] stevemar: :D
[13:43] asettle: https://bugs.launchpad.net/openstack-manuals/+bug/1632983
[13:43] openstack: Launchpad bug 1632983 in openstack-manuals "improvement in Checklist in Security Guide" [Undecided,New]
[13:43] asettle: There was a subsequent patch: https://review.openstack.org/#/c/413398/2 which was shot down in flames
[13:44] stevemar: asettle: yeah, before i could even comment on it, it was abandoned
[13:44] openstackgerrit: Rodrigo Duarte proposed openstack/keystoneauth: Add test for header in Saml2 plugin https://review.openstack.org/421265
[13:44] asettle: As Stanek noted, I have absolutely no idea why this change is being made stevemar
[13:44] rodrigods: stevemar, ^ minor fix
[13:45] asettle: It's a question, 'is it recommended' so, guessing the short answer was 'no'.
[13:45] *** markvoelker has joined #openstack-keystone
[13:46] stevemar: asettle: with my bug smashing hat on, if the patch was abandoned then i'd mark the bug as invalid / wontfix
[13:46] asettle: Coolio hoolio
[13:46] asettle: WE GOT THIS
[13:47] stevemar: asettle: with my bug reporter hat on, maybe they think root is always more secure than a 'keystone' user? what if i don't have root :O
[13:47] asettle: *gasp*
[13:47] asettle: What IF
[13:47] * asettle closes as a wont fix :p
[13:48] stevemar: smash those bugs
[13:48] asettle: Since we're on this train, I wasn't able to replicate this guy's problem: https://bugs.launchpad.net/openstack-manuals/+bug/1636965
[13:48] openstack: Launchpad bug 1636965 in openstack-manuals "Install and configure in Installation Guide" [Medium,New]
[13:48] asettle: Maybe you guys have seen it before
[13:48] asettle: Keystone, again.
[13:51] stevemar: asettle: that looks liberty and older
[13:51] stevemar: the whole "admin_" bits in the auth token section is old skool
[13:52] stevemar: now we use the non prefixed ones, cause we're sane
[13:52] asettle: Definitely is liberty and older.
[13:53] asettle: That branch is deadsies.
[13:53] asettle: But just wanted to check this wasn't an issue further along.
[13:53] asettle: In *open* branches
[13:54] stevemar: asettle: nah
[13:54] asettle: Coolio hoolio :) will be closing. Thanks for that :D
[13:54] asettle: This has been most productive! Thank you stevemar and breton
[13:55] asettle: We get a lot of bugs that are configuration questions that I simply do not have the expertise to answer.
[13:58] stevemar: np :)
[14:11] *** dikonoor has joined #openstack-keystone
[14:13] dikonoor: stevemar: Hi Steve..This is around https://review.openstack.org/#/c/391405/
[14:13] *** jperry has joined #openstack-keystone
[14:14] *** jerrygb has joined #openstack-keystone
[14:16] dikonoor: stevemar: Can't find Eric Brown around..As part of this, few revocation attributes like check_revocations_for_cached and revocation_cache_time have been deprecated
[14:17] dikonoor: stevemar: These were deprecated because PKI is no longer supported but I am not completely sure if this flow is associated only with PKI.
[14:17] stevemar: dikonoor: oh? you can propose a revert or undeprecate the options
[14:17] breton: dikonoor: where do you see the messages that you posted in https://bugs.launchpad.net/bugs/1657014 ?
[14:17] openstack: Launchpad bug 1657014 in keystonemiddleware "Incorrect deprecation warning for revocations" [Undecided,New]
[14:17] stevemar: at least they are not removed :)
[14:17] dikonoor: stevemar: I have opened https://bugs.launchpad.net/keystonemiddleware/+bug/1657014 for this.
[14:18] stevemar: dikonoor: he's usually online as browne
[14:18] dikonoor: stevemar: They come from keystonemiddleware at the time of token validation
[14:19] dikonoor: stevemar: ok..Let me talk to browne and check with him if I am missing something
[14:20] breton: dikonoor: i still think that we deprecated them correctly
[14:20] breton: dikonoor: for example, check_revocations_for_cached is used only to check revocations that were fetched from keystone, which happens only for PKI
[14:22] breton: dikonoor: revocation_cache_time is used to cache revocations lists, which exist only for PKI
[14:23] dikonoor: breton : but there's nothing in the keystonemiddleware that specifically checks if the tokens are of PKI formats.. So the revocation flows get invoked for other token formats as well..like fernet
[14:24] breton: dikonoor: you are right. However, no revocation lists are generated for non-PKI tokens. So if a deployment uses Fernet, revocation lists will always be empty.
[14:25] breton: dikonoor: and that revocation check flow will always return that the token is valid
[14:29] dikonoor: breton: ok..I was under the impression that the revoked tokens get cached for all token formats. Also, in our performance tests we found that increasing the revocation cache time value from 10 to 30 with fernet token improved the performance significantly
[14:30] dikonoor: breton: sorry..it was not fernet..it was uuid
[14:34] breton: dikonoor: hmmmm
[14:34] breton: so what happens is that revocation lists are fetched anyway
[14:34] breton: and always are empty
[14:35] breton: but the request still happens and takes some time
[14:35] breton: dikonoor: you should file a bugreport about this. Or modify the existing one
[14:36] dikonoor: breton: ok..so setting it from 10 to 30 just increases the time interval and thus the performance..
[14:36] *** tqtran has joined #openstack-keystone
[14:37] *** lucasagomes has joined #openstack-keystone
[14:37] *** lucasagomes has left #openstack-keystone
[14:38] *** tqtran has quit IRC
[14:38] dikonoor: breton: modify the existing one so that keystonemiddleware revocation flow doesn't happen for non-pki ?
[14:39] breton: hmm...
[14:40] breton: dikonoor: actually, if check_revocations_for_cached is False the call to keystone should not happen
[14:40] breton: dikonoor: and it is False by default
[14:40] breton: dikonoor: what is it in your config?
[14:41] dikonoor: breton: check_revocations_for_cache is set to True in my config :)
[14:42] breton: dikonoor: try commenting it out
[14:44] dikonoor: breton: Thanks for pointing that out..Let me comment and try it out..
[14:52] *** lamt has quit IRC
[14:53] *** dikonoor has quit IRC
[14:58] *** lamt has joined #openstack-keystone
[14:58] lbragstad: stevemar I see we released our libraries last week - but I noticed that the fix from jdennis wasn't included in keystoneauth
[14:58] lbragstad: is that something we want to release this week in order to include it?
[15:02] *** ravelar has joined #openstack-keystone
[15:05] rodrigods: lbragstad, i would say yes
[15:06] *** jaosorior has joined #openstack-keystone
[15:06] lbragstad: rodrigods yeah - that's kinda what I was thinking, too
[15:09] rodrigods: lbragstad, would be nice to include this too: https://review.openstack.org/#/c/421265/
[15:10] lbragstad: rodrigods nice! I was just working on writing some tests for that
[15:10] *** edtubill has quit IRC
[15:10] rodrigods: lbragstad, :)
[15:10] *** jaugustine has joined #openstack-keystone
[15:11] lbragstad: rodrigods i'll review
[15:11] lbragstad: rodrigods let's see if we can get this merged today
[15:15] *** pcaruana has quit IRC
[15:17] dstanek: stevemar: are you still interested in https://review.openstack.org/#/c/374482/12 ?
[15:24] *** david-lyle has joined #openstack-keystone
[15:28] lbragstad: rodrigods that test looks good - i had just one comment inline with my change in a diff
[15:29] *** david-lyle has quit IRC
[15:29] *** david-lyle has joined #openstack-keystone
[15:29] openstackgerrit: Merged openstack/python-keystoneclient: Fix response body being omitted in debug mode incorrectly https://review.openstack.org/421076
[15:30] *** edtubill has joined #openstack-keystone
[15:30] openstackgerrit: Samuel Pilla proposed openstack/keystoneauth: Correctly Omit Response Body in Debug Mode https://review.openstack.org/421319
[15:34] *** david-lyle has quit IRC
[15:42] stevemar: dstanek: i am, but if it doesn't get merged i won't sweat it
[15:42] *** david-lyle has joined #openstack-keystone
[15:45] dstanek: stevemar: cool. i was thinking about ways to organize the tests to make it work. if i get around to it i may hack on it
[15:45] stevemar: dstanek: failing to remove code isn't the worst thing for an end user
[15:45] stevemar: dstanek: i would love that
[15:45] stevemar: the tests made removing the code nearly impossible
[15:47] rodrigods: lbragstad, are you ok to push the button there? i think you have a good suggestion but left in the way it is since the order in which the values appear is not important
[15:51] *** mvk has quit IRC
[15:53] lbragstad: rodrigods yeah - I think it helps readability though for reviewers. I can propose a follow on patch
[15:55] *** adrian_otto has joined #openstack-keystone
[15:55] *** david-lyle has quit IRC
[15:58] morgan: o/
[15:58] *** erhudy has joined #openstack-keystone
[15:59] *** chris_hultin|AWA is now known as chris_hultin
[16:07] *** sheel has quit IRC
[16:07] *** david-lyle has joined #openstack-keystone
[16:11] *** spzala has joined #openstack-keystone
[16:15] knikolla: o/
[16:23] *** agrebennikov has joined #openstack-keystone
[16:26] *** jaosorior has quit IRC
[16:27] *** diazjf has joined #openstack-keystone
[16:44] *** stingaci has quit IRC
[16:44] *** stingaci has joined #openstack-keystone
[16:44] *** stingaci has quit IRC
[16:48] openstackgerrit: Richard Avelar proposed openstack/keystone: WIP extend users API to add federated object https://review.openstack.org/418624
[16:51] *** diazjf has quit IRC
[16:53] *** diazjf has joined #openstack-keystone
[17:00] openstackgerrit: Gage Hugo proposed openstack/keystone: Allow user to change own expired password https://review.openstack.org/404022
[17:03] morgan: stevemar: i'll be proposing the next bit for the MFA bit today
[17:03] *** oomichi has joined #openstack-keystone
[17:03] morgan: which hopefully should cover the auth paths
[17:03] morgan: then it'll be the API and serialization/deserialization stuff
[17:04] morgan: stevemar: sorry it took so long to get going but you know... $stuff$
[17:04] morgan: and holidays
[17:04] stevemar: morgan: its all good
[17:06] morgan: i tried to remove AuthContext from the plugins but we did some bad design work under the hood
[17:06] morgan: i'll need to add some TODOs to make auth plugins run as functional programming instead of with side-effects (like mucking with authcontext itself)
[17:07] morgan: we should pass the information needed to the plugin and look at the response not assume the plugin will set values
[17:07] samueldmq: Hey hey keystoners
[17:07] morgan: on a shared memory object
[17:07] morgan: samueldmq: hey! how goes?
[17:07] samueldmq: Is keystone meeting in 1 hour?
[17:07] *** jaosorior has joined #openstack-keystone
[17:07] stevemar: samueldmq: yep
[17:07] stevemar: better eat your lunch now
[17:07] * morgan is drinking cup of coffee #4
[17:07] samueldmq: morgan: hey, pretty good. In LCA this week
[17:08] morgan: samueldmq: NICE
[17:08] morgan: LCA good stuff :)
[17:08] *** jrist has quit IRC
[17:08] morgan: stevemar: btw Linux Fest NW has a CFP open
[17:09] *** phalmos has joined #openstack-keystone
[17:09] *** stingaci has joined #openstack-keystone
[17:10] *** voelzmo has quit IRC
[17:12] samueldmq: morgan: yeah, its my first time at LCA and I've got a talk. Pretty excited
[17:12] samueldmq: Also, this conf is awesome
[17:12] morgan: LCA is fun.
[17:13] morgan: i honestly just don't want to be on a plane that long
[17:13] morgan: sooooo
[17:13] morgan: i don't submit papers
[17:13] *** jrist has joined #openstack-keystone
[17:13] stevemar: i found out on friday last week that i have to fly out on friday of this week
[17:14] stevemar: #headsup
[17:14] * samueldmq waves at stevemar
[17:14] stevemar: o/
[17:14] samueldmq: o/
[17:14] stevemar: samueldmq: will you be at the meeting or at LCA?
[17:15] samueldmq: stevemar: both
[17:15] morgan: stevemar: where are you flying to?
[17:15] stevemar: morgan: miami
[17:15] samueldmq: Meeting is in 45 min (5am)
[17:15] morgan: stevemar: that's not too bad
[17:16] stevemar: samueldmq: hehe, enjoy the conf
[17:16] morgan: stevemar: it'll be warm(ish) [you're going to be sitting on the beach with topol right? and taunting everyone with the warm weather]
[17:16] stevemar: morgan: he won't be there :P
[17:16] samueldmq: stevemar: and yes, this is 4 AM here and I AM jetlagged
[17:16] morgan: stevemar: hah
[17:16] samueldmq: stevemar: thanks
[17:17] *** mvk has joined #openstack-keystone
[17:21] openstackgerrit: Lance Bragstad proposed openstack/keystone: Implement federated auto-provisioning https://review.openstack.org/415895
[17:26] *** david-lyle_ has joined #openstack-keystone
[17:28] *** stingaci has quit IRC
[17:33] *** phalmos has quit IRC
[17:34] *** david-lyle_ has quit IRC
[17:36] morgan: stevemar: ping
[17:36] morgan: dolphm: ^ you too (see next line)
[17:37] morgan: stevemar, dolphm: we need to figure out how to get a real threat analysis published for keystoneauth and keystonemiddleware (preferably for this release)
[17:38] morgan: stevemar, dolphm: i'm saying this with my VMT hat on. those two libraries are not covered by the VMT and really *need* to be. We should be setting the bar for other projects (since we're a security project) and leading here
[17:38] morgan: this is a *really* important priority.
[17:38] openstackgerrit: Merged openstack/keystoneauth: Add test for header in Saml2 plugin https://review.openstack.org/421265
[17:40] morgan: cc fungi ^
[17:40] morgan: the core of it is, we need a reputable 3rd party to do a publicly publishable threat analysis
[17:40] morgan: we need keystone to be done too, but that can be delayed a little
[17:40] morgan: (since it is a much bigger surface area and is currently grandfathered in)
[17:40] fungi: the security team has a threat analysis process/template which should make a lot of it fairly straightforward too
[17:41] *** browne has joined #openstack-keystone
[17:41] fungi: http://git.openstack.org/cgit/openstack/security-analysis/
[17:41] morgan: I'm going to send an email to the -dev list shortly (once i can sign it via gpg) requesting folks to step up on this front
[17:41] fungi: (and any concerns with that process can also be fixed as identified, of course)
[17:41] morgan: but keystone shouldn't need that prompting and we should be able to solicit from ibm, redhat, rackspace something on this front
[17:41] morgan: fungi: ++
[17:42] * morgan will put this on the meeting agenda for today as well.
[17:42] *** arunkant has joined #openstack-keystone
[17:43] fungi: i'll try to lurk the meeting while i'm prepping for my own
[17:45] morgan: fungi: it's added i'll toss your name on it as well so you get a ping when we discuss it
[17:47] fungi: thanks
[17:49] * morgan is out of coffee
[17:49] morgan: mordred: do I grind more coffee and make another french press ... or suffer w/o ;)
[17:49] morgan: :P
[17:52] *** spilla has joined #openstack-keystone
[17:55] *** stingaci has joined #openstack-keystone
[17:58] mordred: morgan: always make another
[17:58] mordred: morgan: oh, I just got a new burr grinder that I'm pretty pleased with
[17:59] mordred: morgan: the Capresso Infinity - it does a good job on the grind consistency. the mechanical timer for grinding is worthless - but if you just weigh your beans before putting them in the hopper it's great
[17:59] *** stingaci has quit IRC
[18:00] mordred: samueldmq: enjoy LCA! I'm sad I'm not there this year, but yes, it's my favorite conference
[18:00] *** david-lyle_ has joined #openstack-keystone
[18:01] morgan: mordred: i am eyeing the Baratza Vario
[18:01] morgan: mordred: it's pretty freaking awesome
[18:01] morgan: mordred: i have the preciso but i don't like it a ton.
[18:01] morgan: i'll also upgrade the vario to the steel burrs instead of ceramic for longevity
[18:04] samueldmq: mordred: thanks, yes it's a great conference, I am loving it
[18:07] openstackgerrit: Ron De Rose proposed openstack/keystone: WIP - Add domain_id to the user table https://review.openstack.org/409874
[18:11] *** Jack_I has quit IRC
[18:17] *** Jack_I has joined #openstack-keystone
[18:20] *** diazjf has quit IRC
stevemarzzzeek: o/18:26
zzzeekstevemar: heya18:26
stevemarzzzeek: gagehugo has a question about autodoc + sqlalchemy + hybrid_property decorator :)18:26
zzzeekstevemar: hmmmm18:26
stevemari'm not sure what the status of it all is? https://bitbucket.org/zzzeek/sqlalchemy/issues/3653/support-docstrings-on-hybrid-attributes i see your name all over this issue :D18:26
gagehugoyes18:27
zzzeekstevemar: http://docs.sqlalchemy.org/en/latest/changelog/migration_11.html#hybrid-properties-and-methods-now-propagate-the-docstring-as-well-as-info18:27
stevemarzzzeek: oh you mean just add a docstring to https://github.com/openstack/keystone/blob/8f038adac7c728d3fd2eb751cd8eb2cb6e209aff/keystone/identity/backends/sql_model.py#L55 and other hybrid properties?18:28
*** spzala has quit IRC18:28
zzzeekstevemar: yes but also you need sqlalchemy 1.118:28
gagehugozzzeek: ah18:29
stevemaruh oh, are we capped at something silly18:29
*** spzala has joined #openstack-keystone18:29
*** chris_hultin is now known as chris_hultin|AWA18:29
zzzeekprobably capped at 1.0.x still though that should change soon18:29
stevemargah SQLAlchemy>=1.0.10,<1.1.0  # MIT18:29
gagehugoheh18:29
stevemar*shakes fist*18:29
gagehugois there a reason we are capped?18:29
zzzeekgagehugo: because I break a ton of shit every 1.x :)18:30
gagehugozzzeek: heh18:30
zzzeekgagehugo: openstack is ready for SQLA 1.1 just needs people to turn cranks18:30
gagehugostevemar zzzeek: so maybe ignore the file for now with a nice detailed TODO when updated18:30
gagehugozzzeek: ok18:30
*** spzala has quit IRC18:33
*** edtubill has quit IRC18:33
stevemargagehugo: sure, you can also add the docstrings and test it locally with sqla 1.118:37
*** tqtran has joined #openstack-keystone18:38
stevemargagehugo: or add the docstrings in a review and let other lazy people like me test it locally :D18:38
gagehugostevemar: good point18:38
*** tqtran has quit IRC18:40
* dstanek wishes Fedora would jump on the LXD bandwagon...18:41
stevemargagehugo: i'm playing with your doc patches now18:41
dstanekayoung: ^ can you make it happen :-D18:42
ayoungdstanek, I'm just gettimng up to speed with all the issues.  Done just enough docker and containers stuff to hurt myself so far18:42
dstanekayoung: lxd is lxc+rest interface - canonical's new thing - the rpm for it isn't an official one :-( so i won't install on my laptop18:46
ayoungdstanek, has anyone proposed it as a Fedora package yet?18:46
ayoungdstanek, needs a package maintainer18:47
*** david-lyle has quit IRC18:47
ayoung"lift and shift"  Heh18:48
dstanekayoung: no idea - there is one on COPR that i use on VMs right now, but i usually just stick to the older style lxc18:48
ayounghttp://noblecotactical.com/blog/difference-between-shift-fire-vs-lift-fire18:49
ayounglift and shift is such a bad term18:49
ayoungdstanek, we are pretty much in bed with kubernetes these days18:49
*** markvoelker has quit IRC18:49
ayoungnot sure the tie in between that and lxd18:50
*** david-lyle_ has quit IRC18:50
*** phalmos has joined #openstack-keystone18:57
stevemarzzzeek any idea what i'm not doing correctly here? http://paste.openstack.org/show/595260/ cc gagehugo18:58
stevemarzzzeek: i added docstrings to the properties that were mentioned, but still the same error18:59
*** Jack_I has quit IRC18:59
gagehugostevemar: yeah, its the same issue as current18:59
gagehugostevemar: only the password_* properties are having issues19:00
*** spzala has joined #openstack-keystone19:00
zzzeekstevemar: shrugs, guess it doesnt work19:00
*** spzala has quit IRC19:00
*** Jack_I has joined #openstack-keystone19:00
zzzeekstevemar: sphinx changes a lot which is annoying19:00
*** spzala has joined #openstack-keystone19:00
lamtgagehugo stevemar : tried it with SQLAlchemy==1.1.4 - it failed for me too19:00
lbragstadspilla o/19:01
spillao/19:01
spillaSo stevemar thats the fix, just wanted to know if its still an issue19:01
morganzzzeek: yeah i agree.19:02
spillalaunchpad searches came up dry so I wanted to see if anyone was aware of it19:02
morganzzzeek: once i have some runway, i'm going to start spending some more time again on dogpile19:02
zzzeekstevemar: i think it's those "return None"19:03
zzzeekstevemar: basically, these hybrids won't work at the SQL expression level19:03
morganzzzeek: i feel like we can make some cleanup and ease the interfaces up (also directly support pymemcache for many reasons)19:03
morganzzzeek: anyway just a heads up i'm not ignoring it :)19:03
zzzeekmorgan: dogpile is so way on the back burner for me :)19:03
morgani know19:04
*** tqtran has joined #openstack-keystone19:04
zzzeekstevemar: sphinx documentation works at the class level.  so here, if I say MyModel.password_created_at, that should return a SQL expression that's valid, not None19:04
morganthat is why i want to circle up on it and get some cleanup in19:04
morganso there is just less to do in the future :)19:04
zzzeekstevemar: the change in 1.1 wraps SQL expressions in an object that provides __doc__19:04
*** Jack_V has joined #openstack-keystone19:05
*** Jack_I has quit IRC19:06
zzzeekstevemar: change in plans.   is .local_user defined at the class level ?  I think your hybrid is actually throwing an AttributeError19:08
*** Jack_I has joined #openstack-keystone19:09
*** Jack_V has quit IRC19:11
gagehugofor the password_* properties yeah19:11
*** Jack_I has quit IRC19:11
*** Jack_I has joined #openstack-keystone19:12
*** jose-phillips has joined #openstack-keystone19:14
*** Jack_V has joined #openstack-keystone19:14
*** Jack_I has quit IRC19:17
stevemarzzzeek: yep, they are class level19:21
stevemarzzzeek: looks like its just the ones that return None19:22
zzzeekstevemar: I'm not able to reproduce a problem when returning None19:22
stevemarzzzeek: and when returning False19:22
stevemarhmm but the "domain_id" doesn't barf19:23
zzzeekstevemar: http://paste.openstack.org/show/595265/19:23
zzzeekstevemar: just type User.password_ref at a pdb19:24
zzzeekstevemar: im installing deps so i can try19:24
zzzeekstevemar: http://paste.openstack.org/show/595266/19:25
zzzeekstevemar: if these attrs aren't meant to be called at the class level there is no reason to use @hybrid_property, just use @property19:25
gagehugoadding http://paste.openstack.org/show/595267/ to User doesn't barf either19:26
*** lamt has quit IRC19:27
stevemarzzzeek: gagehugo yeah, using @property definitely works... and AFAICT we don't call it at the class level19:34
stevemarzzzeek: gagehugo we only use it once we get the reference19:34
zzzeekstevemar: the class level thing is the only point of hybrid_property :)19:34
zzzeekhence....."hybrid".....19:35
gagehugointeresting19:35
stevemarzzzeek: not sure since i didn't write the code, maybe rderose knows why he used them :) maybe he had future plans?19:36
zzzeekstevemar: not sure, my impression is it's one of those, "saw it in X, looked idiomatic == sold" kinds of things :)19:36
stevemarhehe19:38
rderosereading...19:39
stevemareek: so it's only necessary to add hybrid if using it like (in this example): User.password_expires_at ?19:40
stevemarugh19:40
stevemarzzzeek: ^19:40
stevemarfailing at typing today19:40
zzzeekstevemar: yes.   the purpose of hybrid is so that you can use your attribute at the class level in a query19:40
zzzeekstevemar: at the instance level, it is identical to @property19:40
stevemarmorgan: samueldmq rodrigods lbragstad can someone punt https://review.openstack.org/#/c/421319/ through?19:41
zzzeekstevemar / rderose since these attributes don't even work at the class level and aren't tested for that, they should be @property19:41
*** tqtran has quit IRC19:41
rodrigodsstevemar, done19:42
morganrodrigods: beat me to it19:42
openstackgerritSteve Martinelli proposed openstack/keystone: switch @hybrid_property to @property  https://review.openstack.org/42146819:43
*** lucas has joined #openstack-keystone19:44
morganstevemar: i'm closing all kilo and liberty targeted bugs19:50
morganstevemar: FYI19:50
*** david-lyle has joined #openstack-keystone19:50
*** chris_hultin|AWA is now known as chris_hultin19:51
stevemarmorgan: there were kilo and liberty targeted bugs?19:52
*** diazjf has joined #openstack-keystone19:52
morganyep19:53
stevemarmorgan: did you have an opinion on https://review.openstack.org/#/c/419724/ ?19:53
morganmost in "fix committed" state, marking as released19:53
morganoh that should be fine19:53
stevemarmorgan: ah, thought i caught all of those19:53
morganthe oslo.log thing19:53
stevemaryeah19:53
morganlet me 2x check19:54
morganin middleware it's fine19:54
stevemarmorgan: already approved :P19:54
stevemarright, i -1'ed the client one19:54
morganin ksa i would say no nope not happening, never19:54
morganbut for ksm it's fine19:54
stevemari -2'ed the client one19:54
morganwait, why does client matter?19:55
morganksc should be fine?19:55
morganor was it for middleware in ksc (thought we deleted that stuff)19:55
stevemarmorgan: while you're around: https://review.openstack.org/#/c/421411/119:55
*** Jack_V has quit IRC19:55
stevemarmorgan: there was a separate review for adding oslo.log to ksc19:56
morganahhh19:56
stevemarmorgan: https://review.openstack.org/#/c/421140/119:56
stevemarsorry, i skipped ahead :)19:56
morganhehe19:56
morganok all kilo/liberty bugs closed19:57
morganfor keystone server19:57
morganhaven't looked at ksa/ksm/ksc bugs19:57
morganlooking at undecided for keystone server19:57
morganmost look like not RC candidates19:57
stevemarmorgan: one more while you're around: https://review.openstack.org/#/c/392442/19:57
morganonly exception is the LDAP utf-8 one, but that could be a backport19:57
morganbrb19:58
stevemarmorgan: there are two ldap ones that would be nice to fix, one for hebrew characters, another for chinese19:58
stevemarmorgan: and... another19:58
stevemarhttps://review.openstack.org/#/c/304489/19:58
morganstevemar: same fix i think19:59
openstackgerritRichard Avelar proposed openstack/keystone: Add queries for federated attributes in list_users  https://review.openstack.org/41472020:00
stevemarmorgan: prob20:00
morganstevemar: -1 on the region pop one20:01
morgani'll fix it20:01
stevemarmorgan: i think one is related to user name the other is the actual dn20:01
morganbut it should be .pop(region, None)20:01
morgannot .get20:01
morganwe don't want that in the ref itself being passed to the api backend20:01
stevemarah20:01
morganwill cause some non-deterministic behavior20:01
openstackgerritMorgan Fainberg proposed openstack/keystone: Handling of 'region' parameter as None  https://review.openstack.org/30448920:03
morganstevemar: ^20:03
*** tqtran has joined #openstack-keystone20:03
morganstevemar: we may want oslo.log in ksc fwiw20:04
morganbut i'm ok with the -2 for now20:04
stevemarmorgan: i don't see a reason to pull in all that crap20:05
*** tqtran has quit IRC20:05
morganmostly we avoided it before because session etc etc etc20:05
morganbut we can revisit later20:05
*** adrian_otto has quit IRC20:06
stevemarmorgan: you can punt it through...20:06
morganoh the one i fixed? i'll wait for CI response20:06
morganwant to make sure it passes, i expect it to20:07
morganbut yanno20:07
stevemarmorgan: and one more since you're involved in kSA: https://review.openstack.org/#/c/392442/20:08
morganyeah i hadn't looked at the code yet20:09
morganwas on the open tabs list20:09
morganhnmm20:10
morgani would like to gate that on if logger is in debug mode20:10
morganbecause ksa is super sensitive to extra workloads20:10
morganoh wait20:10
morgannvm that is in the logger i am hoping the logger isn't dumb and still does the str replace if the logger isn't in debug20:10
morganok we're good it isn't dumb20:11
morganthough we could circumvent the whole logic if logger isn't in debug20:12
morganstevemar: ok approved20:13
stevemar\o/20:17
morganstevemar: so... i think we should tag the ldap fix for chinese and hebrew20:19
morganfor RC otherwise the undecideds all look safe to punt on20:20
morganexcept the security bugs need a PTL sweet (there are 2)20:20
morgansweep*20:20
morganalso this https://bugs.launchpad.net/keystone/+bug/1644862 is an odd one20:20
openstackLaunchpad bug 1644862 in OpenStack Identity (keystone) mitaka "domain ldap tls_cacertfile "forgotten" in multidomain configuration" [Undecided,New]20:20
stevemarmorgan: i've wanted to fix the LDAP ones for a while20:20
morganlets tag as RC potential and see if we can get some eyes on it *cough* ayoung *cough* lbragstad *cough*20:21
morganalso https://bugs.launchpad.net/keystone/+bug/1654409 ... another odd one20:21
openstackLaunchpad bug 1654409 in OpenStack Identity (keystone) "Duplicate users (federated and sql) results in 401" [Undecided,New]20:21
lbragstadmorgan will look after the TC meeting20:21
* dstanek gets ready for another round of reviews before his next meeting20:22
dstanekmorgan: stevemar: lbragstad: is there anything i can help with or should i just go to next-review?20:24
morgannext-review is probably sufficient atm20:25
morganbknudson: since you're busy i'm dropping you from coresec for now and adding lbragstad since he's going to help with security analysis20:27
morganbknudson: when you're back/have more time happy to re-add you.20:27
bknudsonmorgan: ok, makes sense20:27
bknudsonshould get more people involved in security20:28
morgan:)20:28
morgani am also dropping gyee (cc stevemar ) from coresec20:28
bknudsonas long as we can trust them.20:28
morganbknudson: ++20:29
morganwell coresec should be a small group. but we should have people involved20:29
morganand interested in security20:29
stevemarbknudson: are you implying that lbragstad can't be trusted? cause i think you're right20:30
morganlbragstad: you're now on keystone-coresec20:30
stevemar:)20:30
morganstevemar: i'm positive lbragstad can't be trusted20:30
morganstevemar: ;)20:30
lbragstadlol20:31
bknudsonthrow some fake vulnerability reports at him and see if they leak.20:31
lbragstad<.<20:31
lbragstad>.>20:31
dstanekmorgan: i can vouch that lbragstad can't be trusted20:31
morgandstanek: ^_^20:31
*** woodster_ has joined #openstack-keystone20:32
stevemarbknudson: i can confirm that lbragstad is the leaker20:38
lbragstadstevemar it *depends*20:40
* lbragstad slaps knee 20:40
stevemarlbragstad: dnc and trump team gonna be looking for you20:40
lbragstadwell - i don't think i'm hiding20:41
knikollaspilla: around?20:45
dstanekstevemar: did he leak the pee-pee story?20:46
spillahello knikolla20:46
openstackgerritRon De Rose proposed openstack/keystone: Add queries for federated attributes in list_users  https://review.openstack.org/41472020:46
morganstevemar: please go look at https://bugs.launchpad.net/keystoneauth/+bug/1638978 (cc lbragstad dstanek ayoung )20:46
openstackmorgan: Error: malone bug 1638978 not found20:46
stevemarFYI PTL self-nomination period starts in ~1d https://governance.openstack.org/election/20:46
knikollaspilla: hi. was going through https://review.openstack.org/#/c/403898 and have a few questions20:46
morgan^^ Remember what i said, don't make dolphm or myself come out of retirement! Nominate yourself for the role if you're interested!20:47
spillaknikolla fire away :)20:48
knikollaspilla: so if no operator is provided, and just the date, the syntax is password_expires_at=<date> ?20:51
spillacorrect20:51
*** severion has joined #openstack-keystone20:51
knikollaspilla: in core.py, you're still splitting on the first ':', so that will probably not work20:52
dstanekmorgan: would that be so bad?20:52
morgandstanek: lol20:52
knikollaspilla: actually it will, but the try/catch structure is very confusing.20:53
knikollaspilla: before i posted my review i wanted to get a better understanding of it.20:54
spillaknikolla: I agree. It was the best I could come up with, and something lbragstad mentioned should be looked at to see if it can be simplified20:55
spillaEssentially it will split on the first colon. If the timestamp at that point is not valid, it'll throw a ValueError and pass to the next try.20:56
*** phalmos has quit IRC20:56
knikollaspilla: It can be simplified, I have a few ideas on how.20:56
spillaknikolla yes please :D20:57
spillaI've been pondering it for a while, any help is appreciated20:57
dstanekmorgan: can't discuss here other than to say 'not a big deal'20:59
knikollaspilla: just give me a moment to gather my thoughts.21:00
spillaFor sure!21:01
*** adrian_otto has joined #openstack-keystone21:02
morgandstanek: comment on the bug :) thnx21:03
dstanekmorgan: already did21:04
dstanekspilla: what are you trying to do?21:04
*** phalmos has joined #openstack-keystone21:04
openstackgerritRichard Avelar proposed openstack/keystone: Add queries for federated attributes in list_users  https://review.openstack.org/41472021:04
*** adrian_otto1 has joined #openstack-keystone21:07
spilladstanek: with the try/except loveliness?21:07
dstanekspilla: i wasn't following the conversation. just saw the very end. what are you trying to do?21:08
*** dave-mccowan has quit IRC21:09
spillaSimplify the keystone/identity/core.py changes on t/keystoneauth/+bug/1638978 (cc lbragstad dstanek ayoung )21:09
spilla<openstack> morgan: Error: malone bug 1638978 not found21:09
spilla<stevemar> FYI PTL self-nomination period starts in ~1d https://governance.openstack.org/election/21:09
spilla<knikolla> spilla: hi. was going through https://review.openstack.org/#/c/40389821:09
*** adrian_otto has quit IRC21:09
spillawoops21:09
spillacopied too much21:09
spillaSimplify changes on keystone/identity/core.py https://review.openstack.org/#/c/40389821:10
*** stewie925 has joined #openstack-keystone21:10
knikolladstanek: there's a very confusing try/catch that should be simplified.21:11
morganstevemar: ok i need to run, have an appointment at 2:3021:12
morganneed to take care of a couple things before going21:12
morganwill be back a bit later and shall continue with some triaging21:12
morganksa/ksm is almost all triaged now21:12
stevemarmorgan: https://review.openstack.org/#/c/304489/ is ready, zuul is happy21:14
dstanekspilla: i commented on that review21:14
openstackgerritSteve Martinelli proposed openstack/keystone: switch @hybrid_property to @property  https://review.openstack.org/42146821:14
stevemarrderose: addressed your comment in https://review.openstack.org/#/c/421468/21:14
dstanekspilla: knikolla: which try is confusing?21:14
rderosestevemar: cool, on it21:15
stevemarbreton: kick 304489 please21:15
edmondswstevemar, has there ever been talk of moving SSH keypairs from nova into keystone?21:16
edmondswseems like a much better place to keep them...21:16
dstanekedmondsw: not barbican?21:17
lbragstaddstanek ++21:17
stevemaredmondsw: i'm sure someone has brought it up, along with quotas :P21:17
edmondswdstanek, I'm thinking knowledge of, not storage location21:17
edmondswi don't really care what the backend is21:17
knikollaspilla: could this work? http://paste.openstack.org/show/BctSI1UCoftoeNr4gvBb/21:18
edmondswkeypairs are tied to a user, and users belong to keystone21:18
knikollaspilla: arrr… typo: i meant if ':' in filter_['value'][2:3]21:19
openstackgerritMerged openstack/keystonemiddleware: Removes unnecessary utf-8 coding  https://review.openstack.org/41942021:19
dstanekedmondsw: what does knowledge of mean?21:19
openstackgerritMerged openstack/keystonemiddleware: use oslo.log instead of logging  https://review.openstack.org/41972421:19
spillaokay, that was my first question21:19
edmondswdstanek metadata21:20
edmondswdstanek maybe store the keys themselves, too... could support multiple backends, one being db, one being barbican, etc. where the key is actually stored21:20
*** chris_hultin is now known as chris_hultin|AWA21:20
spillaknikolla: I think this should work, I'll give it a test. Much more understandable21:21
dstanekedmondsw: i would be -2 on storing any new secrets like that21:21
*** lamt has joined #openstack-keystone21:21
edmondswif there's a reason to store in barbican... in my use case I don't have barbican, and I wouldn't want to set it up just for this21:21
dstanekyou can store it in credentials if you are not too worried about security :-) although we do encrypt those now so it's not as bad as it used to be21:22
edmondswdstanek they're not really secrets... just public keys21:23
edmondswdstanek, at least that's all I'd propose we keep... nova calls it keypairs because they let you generate in nova, in which case you can download the private key, but that seems silly21:23
edmondswdstanek just allow upload of the public key, make them generate the keypair separately and never tell OpenStack the private key21:24
*** pnavarro has quit IRC21:24
edmondswI think that's what most people do with the current solution anyway21:24
*** portdirect is now known as portdirect_away21:30
browneanother place to keep public keys is on the ldap server21:31
openstackgerritRichard Avelar proposed openstack/keystone: Add queries for federated attributes in list_users  https://review.openstack.org/41472021:31
brownebut yes, i don't think nova should be managing public keys21:32
*** adriant has joined #openstack-keystone21:32
*** severion has quit IRC21:39
openstackgerritSamuel Pilla proposed openstack/keystone: Add password expiration queries for PCI-DSS  https://review.openstack.org/40389821:41
spillaknikolla: thanks for the help! :)21:41
knikollaspilla: anytime :)21:42
*** spzala has quit IRC21:44
*** andreykurilin has joined #openstack-keystone21:46
*** edtubill has joined #openstack-keystone21:46
andreykurilinhi folks! Can anyone help me with trying to figure out how to setup keystoneclient to use public endpoint for creating users and tenants?21:47
andreykurilinjamielennox ^21:48
jamielennoxAssuming you're using sessions it should just be passing interface='public' to client creation21:50
bretonjamielennox: doesn't it use public by default?21:51
jamielennoxMost clients do, we had some backwards compatibility issues initially on ksc that would use admin by default - but i did think we fixed that21:52
andreykurilinit is how we initialize kc - https://github.com/openstack/rally/blob/master/rally/osclients.py#L217-L32321:53
andreykurilinmain method create_client21:53
andreykurilinit calls get_session21:54
andreykurilinour customer said that he used "auth_url": "https://example.com:5000/v3/" with endpoint_type="public" (these variables are located in self.credential object)21:55
jamielennoxThere's some redundancy there, the password plugin knows how to handle v2/v3 differences, but shouldn't matter21:55
andreykurilinhttp://paste.openstack.org/show/595281/ see first two lines of the log21:55
jamielennoxEndpoint type is old, but i think it would work, i would need to check21:56
openstackgerritRon De Rose proposed openstack/keystone: WIP - Add domain_id to the user table  https://review.openstack.org/40987421:56
jamielennoxTry changing to interface21:56
andreykurilinjamielennox: unfortunately, I'm not keystone guru and write it as it works for me:)21:56
stevemarmorgan: if you've got more energy in you: https://review.openstack.org/#/q/topic:bug/165698121:57
jamielennoxI'm at a conference so can't do much debugging right now, but can probably look in a couple of hours, but unfortunately because of all the compatibility stuff there are old options in client creation that are accepted but ignored21:58
andreykurilinI'll ask our customer to try change endpoint_type to interface..21:58
*** spilla has quit IRC21:58
*** d0ugal has quit IRC21:59
*** d0ugal has joined #openstack-keystone21:59
*** d0ugal has quit IRC21:59
*** d0ugal has joined #openstack-keystone21:59
*** thorst has quit IRC21:59
andreykurilinit would be really nice if some of you, guys will help us to optimise our code about keystoneclient creation22:00
jamielennoxEver thought about using os-client -config?22:01
*** harlowja has quit IRC22:01
jamielennoxIt's certainly not perfect, but they've give through a lot of this already22:01
andreykurilin1) os-client -config appeared after we use rally.osclients module for a long time 2) not sure how difficult it will be to integrate with os-client-config, since we need to provide a unified way for setting credentials for different systems(not only openstack)22:04
*** adrian_otto1 has quit IRC22:04
andreykurilinchanging endpoint_type to interface helped22:05
*** adrian_otto has joined #openstack-keystone22:06
*** tqtran has joined #openstack-keystone22:06
jamielennoxAwesome22:06
*** portdirect_away is now known as portdirect22:07
*** tqtran has quit IRC22:08
openstackgerritMerged openstack/keystoneauth: Log request-id for each api call  https://review.openstack.org/39244222:09
openstackgerritLance Bragstad proposed openstack/keystone: Implement federated auto-provisioning  https://review.openstack.org/41589522:10
gagehugosamueldmq: When you get a chance, can you take another look at https://review.openstack.org/#/c/42017122:12
andreykurilinjamielennox: long time ago(at the start of the summer) I made a big change and a big number of patch-sets and rebases lost changing endpoint_type to interface:( this change was included even in commit message. `KeystoneClient uses "interface", but Rally transmits "endpoint_type" which is silently ignored by kc.`22:13
bretonstevemar: do we really need the backports?22:13
bretonstevemar: for response body being omitted22:13
bretonstevemar: keystone added utf-8 bit only in Ocata22:14
stevemarbreton: yeah, i was wondering about that, i figured it wouldn't hurt?22:14
lbragstadrderose i'm reading through http://docs.openstack.org/developer/keystone/federation/federated_identity.html#mapping-combinations and I think some of that might be outdated with the move towards shadow users22:14
stevemarbreton: in case we do some weirdness with webob in mitaka/newton22:14
stevemarlbragstad: oh yeah, that needs to be revamped entirely22:15
lbragstadstevemar I assume that's probably the best place for shadow mapping examples to live, too?22:15
samueldmqgagehugo: done22:16
stevemarlbragstad: yep22:16
rderoselbragstad: yeah, any reference to ephemeral user is not correct22:16
rderoselbragstad: although I'm not seeing that in Mapping Combinations22:16
lbragstadhmm - there is a lot of that then ;)22:16
rderoselbragstad: what are you referring to?22:16
lbragstadrderose http://docs.openstack.org/developer/keystone/federation/federated_identity.html#output22:16
rderoselbragstad: gotcha22:17
*** catintheroof has quit IRC22:20
openstackgerritRon De Rose proposed openstack/keystone: Add domain_id to the user table  https://review.openstack.org/40987422:24
*** thorst has joined #openstack-keystone22:24
*** thorst has quit IRC22:24
openstackgerritRon De Rose proposed openstack/keystone: Add domain_id to the user table  https://review.openstack.org/40987422:26
openstackgerritRichard Avelar proposed openstack/keystone: Add queries for federated attributes in list_users  https://review.openstack.org/41472022:26
*** thiagolib has quit IRC22:28
gagehugosamueldmq: thanks!22:29
*** ravelar has quit IRC22:33
samueldmqgagehugo: np22:40
gagehugostevemar: last check seems borked at the gate https://review.openstack.org/#/c/421319/22:41
gagehugofailed both times22:41
*** edtubill_ has joined #openstack-keystone22:41
*** edmondsw has quit IRC22:42
openstackgerritRon De Rose proposed openstack/keystone: Add domain_id to the user table  https://review.openstack.org/40987422:44
*** diazjf has quit IRC22:44
*** edtubill has quit IRC22:44
*** thorst has joined #openstack-keystone22:46
*** edtubill_ has quit IRC22:47
*** adrian_otto has quit IRC22:49
*** david-lyle has quit IRC22:51
*** spzala has joined #openstack-keystone22:52
*** thorst has quit IRC22:53
openstackgerritLance Bragstad proposed openstack/keystone: Add documentation for auto-provisioning  https://review.openstack.org/42157322:55
*** spzala has quit IRC22:56
*** phalmos has quit IRC23:03
*** jaugustine has quit IRC23:03
*** david-lyle has joined #openstack-keystone23:03
*** spzala has joined #openstack-keystone23:04
*** jperry has quit IRC23:05
bretongagehugo: 2017-01-17 22:38:01.086 3935 ERROR keystone.common.wsgi [req-fcd9a85f-7a99-4c46-9445-7e97b6700db5 a151cbd7ef60430f94252db7fb1da7e7 eb4315a00a774ca089e06f7f3048714c - default default] (pymysql.err.OperationalError) (2003, "Can't connect to MySQL server on '127.0.0.1' ([Errno 111] Connection refused)") [SQL: u'SELECT 1']23:05
bretoni think it is the same problem we talked about recently23:06
lbragstadbreton yeah - it looks like an oom issue23:06
lbragstadbreton gagehugo I've been trying to track it here - https://bugs.launchpad.net/keystone/+bug/165685023:10
openstackLaunchpad bug 1656850 in OpenStack Identity (keystone) "mysql OOM: DBConnectionError while validating tokens in CI runs" [High,Confirmed]23:10
*** david-lyle has quit IRC23:10
*** lamt has quit IRC23:15
*** chris_hultin|AWA is now known as chris_hultin23:19
*** asettle has quit IRC23:20
*** edmondsw has joined #openstack-keystone23:25
*** lucas has quit IRC23:28
*** lucas has joined #openstack-keystone23:28
lbragstadstevemar what are the chances we could get henry's opinion on the mailing list post from last week?23:29
*** edmondsw has quit IRC23:30
jamielennoxstevemar: did you look at the application/json printing thing?23:30
*** lucas has quit IRC23:37
*** dave-mccowan has joined #openstack-keystone23:51
*** spzala has quit IRC23:58
