Wednesday, 2017-05-17

*** markvoelker has quit IRC 00:01
*** markvoelker has joined #openstack-keystone 00:02
*** markvoelker has quit IRC 00:04
*** jrist has joined #openstack-keystone 00:04
*** markvoelker has joined #openstack-keystone 00:04
*** d0ugal has quit IRC 00:17
*** thorst has joined #openstack-keystone 00:25
*** thorst has quit IRC 00:27
*** shuyingya has joined #openstack-keystone 00:36
*** shuyingya has quit IRC 00:41
*** piliman974 has quit IRC 00:44
*** thorst has joined #openstack-keystone 00:57
*** harlowja has quit IRC 01:08
*** d0ugal has joined #openstack-keystone 01:13
<morgan> hey 01:15
*** thorst has quit IRC 01:16
<morgan> lbragstad servers that run many many many threads 01:16
<morgan> lbragstad: where we might run into issues with exhausting the memcache server sockets available 01:17
<morgan> lbragstad Eventlet hits that because it spins up a connection per greenlet. 01:18
*** gyee has quit IRC 01:22
*** oomichi has quit IRC 01:25
*** oomichi has joined #openstack-keystone 01:25
*** gyee has joined #openstack-keystone 01:26
*** dave-mccowan has quit IRC 01:28
*** thorst has joined #openstack-keystone 01:31
*** thorst has quit IRC 01:33
*** shuyingya has joined #openstack-keystone 01:43
*** gongysh has joined #openstack-keystone 01:47
*** dave-mccowan has joined #openstack-keystone 01:52
*** shuyingy_ has joined #openstack-keystone 02:14
*** thorst has joined #openstack-keystone 02:18
*** shuyingya has quit IRC 02:18
*** thorst has quit IRC 02:19
*** prashkre has joined #openstack-keystone 02:26
*** thorst has joined #openstack-keystone 02:29
*** thorst has quit IRC 02:29
*** gyee has quit IRC 02:35
*** shuyingy_ has quit IRC 02:40
*** shuyingya has joined #openstack-keystone 02:41
*** dave-mccowan has quit IRC 02:42
*** Shunli has joined #openstack-keystone 02:44
*** nicolasbock has quit IRC 02:51
*** shuyingya has quit IRC 02:59
*** thorst has joined #openstack-keystone 03:00
*** shuyingya has joined #openstack-keystone 03:00
*** prashkre has quit IRC 03:08
*** shuyingy_ has joined #openstack-keystone 03:13
*** oomichi has quit IRC 03:14
*** shuyingya has quit IRC 03:17
*** thorst has quit IRC 03:18
*** oomichi has joined #openstack-keystone 03:19
*** shuyingy_ has quit IRC 03:20
*** shuyingya has joined #openstack-keystone 03:20
<openstackgerrit> Merged openstack/keystonemiddleware master: Remove log translations  https://review.openstack.org/447841 03:30
*** dikonoor has joined #openstack-keystone 03:42
*** links has joined #openstack-keystone 03:43
*** zsli_ has joined #openstack-keystone 03:49
*** links has quit IRC 03:51
*** Shunli has quit IRC 03:52
*** links has joined #openstack-keystone 03:55
*** shuyingy_ has joined #openstack-keystone 04:13
*** thorst has joined #openstack-keystone 04:15
*** gongysh has quit IRC 04:15
*** shuyingya has quit IRC 04:16
*** namnh has joined #openstack-keystone 04:16
*** thorst has quit IRC 04:20
*** shuyingy_ has quit IRC 04:21
*** links has quit IRC 04:24
*** dikonoor has quit IRC 04:32
*** harlowja has joined #openstack-keystone 04:33
*** dikonoor has joined #openstack-keystone 04:50
*** gongysh has joined #openstack-keystone 04:53
*** aojea has joined #openstack-keystone 04:56
*** aojea has quit IRC 05:00
*** links has joined #openstack-keystone 05:06
*** shuyingya has joined #openstack-keystone 05:10
*** shuyingy_ has joined #openstack-keystone 05:11
*** shuyingya has quit IRC 05:15
<openstackgerrit> rocky proposed openstack/keystone master: Change info and baseclass of LDAPServerConnectionError  https://review.openstack.org/463506 05:15
*** thorst has joined #openstack-keystone 05:16
<openstackgerrit> rocky proposed openstack/keystone master: Change info and baseclass of LDAPServerConnectionError  https://review.openstack.org/463506 05:17
*** thorst has quit IRC 05:21
*** dikonoor has quit IRC 05:26
*** dikonoor has joined #openstack-keystone 05:43
*** pcaruana has joined #openstack-keystone 05:48
*** harlowja has quit IRC 05:54
*** prashkre has joined #openstack-keystone 05:54
*** tobberydberg has joined #openstack-keystone 05:56
*** thorst has joined #openstack-keystone 06:17
*** rcernin has joined #openstack-keystone 06:18
*** thorst has quit IRC 06:22
*** henrynash has joined #openstack-keystone 06:27
<openstackgerrit> rocky proposed openstack/keystone master: Migrate render_token_data_response to keystone.common.controller  https://review.openstack.org/464956 06:30
*** gongysh has quit IRC 06:31
*** gongysh has joined #openstack-keystone 06:44
*** henrynash has quit IRC 06:44
*** belmoreira has joined #openstack-keystone 06:51
*** mgagne has quit IRC 06:53
*** mgagne has joined #openstack-keystone 06:56
*** mgagne is now known as Guest24103 06:56
*** rcernin has quit IRC 06:57
*** rcernin has joined #openstack-keystone 07:13
*** thorst has joined #openstack-keystone 07:18
*** thorst has quit IRC 07:22
*** aojea has joined #openstack-keystone 07:28
*** rcernin has quit IRC 07:29
*** rcernin has joined #openstack-keystone 07:35
*** rcernin has quit IRC 07:35
*** rcernin has joined #openstack-keystone 07:35
*** jaosorior_away is now known as jaosorior 07:48
*** gongysh has quit IRC 07:56
*** tobberyd_ has joined #openstack-keystone 07:56
*** tobberydberg has quit IRC 07:59
*** zzzeek has quit IRC 08:00
<breton> jamielennox: turns out there is already a plugin for that 08:00
*** prashkre has quit IRC 08:01
<breton> jamielennox: keystoneauth1.identity.access.AccessInfoPlugin 08:01
<breton> jamielennox: you wrote it in 2014! 08:03
*** zzzeek has joined #openstack-keystone 08:04
*** thorst has joined #openstack-keystone 08:18
*** thorst has quit IRC 08:23
*** dikonoo has joined #openstack-keystone 08:24
*** dikonoor has quit IRC 08:24
*** gongysh has joined #openstack-keystone 08:34
*** prashkre has joined #openstack-keystone 08:49
<breton> jamielennox: well, actually no, it requires to already have AccessInfo 08:54
*** tobberyd_ has quit IRC 09:12
*** tobberydberg has joined #openstack-keystone 09:13
*** gongysh has quit IRC 09:14
*** gongysh has joined #openstack-keystone 09:15
*** thorst has joined #openstack-keystone 09:19
<breton> fg 09:27
<breton> :( 09:27
*** jdennis has quit IRC 09:27
*** jdennis1 has joined #openstack-keystone 09:27
*** zsli_ has quit IRC 09:30
*** thorst has quit IRC 09:39
*** shuyingy_ has quit IRC 09:46
*** links has quit IRC 09:48
*** stingaci has joined #openstack-keystone 09:56
*** links has joined #openstack-keystone 10:00
*** johnthetubaguy has left #openstack-keystone 10:05
*** dikonoo has quit IRC 10:12
*** faizy has joined #openstack-keystone 10:14
*** Daviey_ is now known as Daviey 10:15
*** stingaci has quit IRC 10:28
*** stingaci has joined #openstack-keystone 10:30
*** namnh has quit IRC 10:30
*** thorst has joined #openstack-keystone 10:35
*** thorst has quit IRC 10:40
<openstackgerrit> rocky proposed openstack/keystone master: Migrate render_token_data_response to keystone.common.controller  https://review.openstack.org/464956 10:52
-openstackstatus- NOTICE: gerrit is being restarted to help stuck git replication issues 10:53
*** nicolasbock has joined #openstack-keystone 10:54
*** links has quit IRC 11:05
*** raildo has joined #openstack-keystone 11:07
*** gongysh has quit IRC 11:18
*** gongysh has joined #openstack-keystone 11:18
*** gongysh has quit IRC 11:19
*** gongysh has joined #openstack-keystone 11:19
*** gongysh has quit IRC 11:19
*** gongysh has joined #openstack-keystone 11:20
*** gongysh has quit IRC 11:20
*** links has joined #openstack-keystone 11:22
*** prashkre has quit IRC 11:27
<breton> what do you think about changing the Token plugin so that it would not re-authenticate using the token, but instead just fetch token's data? 11:34
*** prashkre has joined #openstack-keystone 11:35
*** henrynash has joined #openstack-keystone 11:36
<breton> for mistral i had to do this: https://review.openstack.org/#/c/465521/1 11:38
*** henrynash has quit IRC 11:40
*** thorst has joined #openstack-keystone 11:46
*** gongysh has joined #openstack-keystone 11:49
*** chlong has quit IRC 11:57
*** gongysh has quit IRC 11:58
<openstackgerrit> Jose Castro Leon proposed openstack/keystone master: Fix ec2tokens validation in v2 after regresion in metadata_ref removal  https://review.openstack.org/465530 12:03
*** prashkre has quit IRC 12:28
<openstackgerrit> Jose Castro Leon proposed openstack/keystoneauth master: Parameter to tune mutual authentication in kerberos  https://review.openstack.org/455330 12:34
*** ma9_ has joined #openstack-keystone 12:37
*** stingaci has quit IRC 12:39
*** stingaci has joined #openstack-keystone 12:40
*** xuhaigang has quit IRC 12:40
*** edmondsw has joined #openstack-keystone 12:41
<jamielennox> breton: i'm not really here - the problem with fetching the token is that lots of people actually use that to rescope 12:43
*** stingaci has quit IRC 12:44
<jamielennox> so if you were to fetch the existing data you would have to compare it to the scope parameters you were given and see if it actually does what you want 12:44
<jamielennox> and given that keystone will happily rescope a token to a new token in the same project with the same expiry - it never really made much difference if you fetched it, or just rescoped it to what you actually needed 12:45
*** jrist has quit IRC 12:47
*** xuhaigang has joined #openstack-keystone 12:52
<openstackgerrit> Eric Fried proposed openstack/keystone-specs master: Block sphinx 1.6.1  https://review.openstack.org/465543 12:53
<openstackgerrit> Eric Fried proposed openstack/keystone-specs master: Outline policy goals  https://review.openstack.org/460344 12:53
<breton> jamielennox: well, it matters -- because trust-scoped tokens cannot be rescoped. But i got your point. 12:56
*** lamt has joined #openstack-keystone 12:58
*** jrist has joined #openstack-keystone 13:14
*** chlong has joined #openstack-keystone 13:16
<openstackgerrit> Gaëtan Trellu proposed openstack/keystoneauth master: [adapter.py] Add application/json header  https://review.openstack.org/465555 13:27
<openstackgerrit> Gaëtan Trellu proposed openstack/keystoneauth master: Sorry, first review. I'm discovering the process.  https://review.openstack.org/465559 13:34
*** thorst is now known as thorst_afk 13:36
<openstackgerrit> Gaëtan Trellu proposed openstack/keystoneauth master: [adapter.py] Add application/json header  https://review.openstack.org/465555 13:38
*** zzzeek has quit IRC 13:43
*** piliman974 has joined #openstack-keystone 13:43
<openstackgerrit> Tin Lam proposed openstack/keystonemiddleware master: Replace pycrypto with cryptography  https://review.openstack.org/451941 13:43
*** ducttape_ has joined #openstack-keystone 13:45
*** lamt has quit IRC 13:47
*** ducttape_ has quit IRC 13:48
*** ducttape_ has joined #openstack-keystone 13:48
*** stingaci has joined #openstack-keystone 13:48
*** zzzeek has joined #openstack-keystone 13:49
*** jdennis1 is now known as jdennis 13:49
*** jdennis has quit IRC 13:50
*** jdennis has joined #openstack-keystone 13:50
*** jdennis has quit IRC 13:50
*** jdennis has joined #openstack-keystone 13:51
*** ma9_ has left #openstack-keystone 13:51
*** johnthetubaguy has joined #openstack-keystone 13:53
*** stingaci has quit IRC 13:53
*** lamt has joined #openstack-keystone 13:53
*** Adri2000 has joined #openstack-keystone 13:58
<Adri2000> hello 13:58
<Adri2000> I've got a keystone ocata with a domain configured on an active directory backend. issue is: listing users in groups returns empty lists - listing users works, listing groups works, but listing groups' contents doesn't 14:01
<Adri2000> any idea where I should look? 14:02
*** shuyingya has joined #openstack-keystone 14:06
<knikolla> Adri2000: check that your group_member_attribute is set correctly in keystone.conf 14:06
*** shuyingya has quit IRC 14:09
<Adri2000> knikolla: it's set to "member". when I do ldapsearch on a group, I see a list of "member" attributes, making references to the DN of users 14:11
<Adri2000> I'm not sure how keystone is supposed to make the link, between the DN referenced in the "member" attributes of the group and the users themselves 14:11
*** shuyingya has joined #openstack-keystone 14:11
<Adri2000> how should I set user_id_attribute and user_name_attribute? cn? dn? samaccountname? 14:12
*** ducttape_ has quit IRC 14:14
*** shuyingya has quit IRC 14:14
*** neal has joined #openstack-keystone 14:20
<knikolla> Adri2000: what ldap are you using? cn should be fine for id. 14:20
<lbragstad> rm_work: GET /v3/auth/projects should give you a list of projects you have a role assignment one 14:20
<lbragstad> on* 14:20
<Adri2000> knikolla: active directory :( 14:21
<lbragstad> morgan: thanks for the info - is it possible to place a number on *many*? 14:21
<neal> hello Keystone. 14:21
<knikolla> Adri2000: go through https://docs.openstack.org/admin-guide/identity-integrate-with-ldap.html 14:22
<knikolla> there's a couple of tips and suggestions for active directory 14:22
<morgan> lbragstad: no, because you can modify memcached params to mitigate it some. 14:22
<morgan> lbragstad: in short, something running threads in the very high numbers though, with threads counting in the 100s or more probably 14:23
<neal> i have a question about "Allow retrieving an expired token", does openstack provide an api handle it? 14:23
*** stingaci has joined #openstack-keystone 14:27
<openstackgerrit> Lance Bragstad proposed openstack/keystone-specs master: Add policy roadmap for security  https://review.openstack.org/462733 14:28
<openstackgerrit> Lance Bragstad proposed openstack/keystone-specs master: Specification for global roles  https://review.openstack.org/464763 14:29
<knikolla> neal: what do you mean by api handle? 14:30
<lbragstad> neal are you asking if keystone support the ability to validate expired tokens? 14:31
<lbragstad> supports* 14:31
*** stingaci has quit IRC 14:31
<breton> neal: service user needs to pass ?allow_expired=1 to keystone when validating a token 14:31
*** Guest24103 is now known as mgagne 14:32
*** mgagne has quit IRC 14:32
*** mgagne has joined #openstack-keystone 14:32
*** gyee has joined #openstack-keystone 14:33
<neal> tks breton. but when i access other api, like nova, cinder, i just send api request to other component (nova, cinder) rather than keystone, how can i pass the ?allow_expired to keystone. 14:37
*** ducttape_ has joined #openstack-keystone 14:38
*** dave-mccowan has joined #openstack-keystone 14:38
<lbragstad> neal: that logic is done in keystonemiddleware - since that's what sits in front of the services and handles token validation on behalf of the service 14:38
<knikolla> neal: you don't have to do anything as a user sending a token if the service has been configured correctly. however keep in mind that allow_expired only works for tokens sent from a service to another service, ex. when nova sends a request with your token to cinder to fetch a volume. so you cannot initiate an operation with an expired token, it only helps with long running operations during which the token might expire after y 14:41
<knikolla> ou initiate the request. 14:41
<neal> @lbragstad: tku. 14:42
*** ducttape_ has quit IRC14:46
lbragstadneal: we have some additional documentation on it14:47
lbragstadneal: let me grab that for you14:47
lbragstadneal: http://specs.openstack.org/openstack/keystone-specs/specs/keystone/ocata/allow-expired.html14:47
nealknikolla: thu. but i think lots of a 3rd party component also have long running operations. now my components only have the admin's username and password, it also have the user token, i use user token to do some action(this action may be an long running operations), so i need to use expired token if token expire during long opertions. so in this scenario, how can i hanle it?14:48
neal@lbragstad: 3ku. i'll check it.14:48
lbragstadneal: does your third party component have or require it's own service user?14:49
lbragstadneal: if your third party component needs to validate a token and it has it's own service user and that user has the service role assigned to it, then it should be able to validate expired user tokens using a service token14:50
lbragstadneal: that's exactly how keystonemiddleware works in front of nova for example14:50
*** ducttape_ has joined #openstack-keystone14:52
*** tobberyd_ has joined #openstack-keystone14:52
*** tobberydberg has quit IRC14:52
knikollaneal: basically when forwarding the request, your service should add an x-service-token header which contains a token with the service role in it. the service role is defined in the service configuration for the middleware.14:54
neal@lbragstad: if i don't have , i could add it in user list and assign right role to it?14:54
*** ducttape_ has quit IRC14:54
*** links has quit IRC14:55
*** ducttape_ has joined #openstack-keystone14:55
*** tobberyd_ has quit IRC14:56
nealknikolla: tku. what u said is just i want.14:58
nealknikolla: where can i find the configuration instruction about Service conf of the middleware?14:59
ayoungPolicy meeting now?15:00
gagehugoI think in an hour15:00
knikollaneal: https://docs.openstack.org/developer/keystonemiddleware/middlewarearchitecture.html15:01
gagehugoor my DST is still off15:01
knikollathere's a section with the default configuration file. the comments on each configuration option are pretty detailed. look for the service_token_roles section.15:01
knikollaoption*15:01
knikollaneal: ^^15:01
neal@knikolla:tks for your help....15:02
ayounghttps://www.timeanddate.com/worldclock/fixedtime.html?hour=16&min=00&sec=015:02
ayoung1 hour15:02
*** rcernin has quit IRC15:04
*** piliman974 has quit IRC15:08
*** spilla has joined #openstack-keystone15:09
*** prashkre has joined #openstack-keystone15:09
lbragstadgagehugo: knikolla proper fix for the PBR/sphinx issues we ran into yesterday - https://review.openstack.org/#/c/465489/215:13
lbragstadayoung: gagehugo johnthetubaguy edmondsw yep - it's in an hour15:14
lbragstader - 45 minutes15:14
*** tobberydberg has joined #openstack-keystone15:19
knikollalbragstad: cool15:20
*** henrynash has left #openstack-keystone15:21
*** tobberydberg has quit IRC15:24
*** piliman974 has joined #openstack-keystone15:24
knikollalbragstad: is it gonna be a hangout meeting or irc?15:40
gagehugolbragstad nice15:40
lbragstadknikolla: either or?15:41
knikollalbragstad: either is fine for me. came prepared with laptop and headphones.15:43
*** stingaci has joined #openstack-keystone15:45
*** prashkre has quit IRC15:47
lbragstadsounds good - we can see what kind of attendance we get and go from there15:49
*** prashkre has joined #openstack-keystone15:52
*** aojea has quit IRC16:02
lbragstadayoung: are you going to come policy with us?16:02
*** rderose has joined #openstack-keystone16:09
*** gyee_ has joined #openstack-keystone16:11
*** pcaruana has quit IRC16:11
*** neal has quit IRC16:15
*** jaosorior is now known as jaosorior_away16:17
*** belmoreira has quit IRC16:20
*** gyee has quit IRC16:20
*** stingaci has quit IRC16:32
*** stingaci has joined #openstack-keystone16:32
*** harlowja has joined #openstack-keystone16:32
*** stingaci has quit IRC16:37
*** prashkre has quit IRC16:39
*** prashkre has joined #openstack-keystone16:55
<prashkre> ayoung: Hi. Could you pls take a min to review this https://review.openstack.org/#/c/465395/ 17:02
<ayoung> prashkre, think a fix for that just went in 17:02
<ayoung> knikolla, ^^ 17:02
<knikolla> ayoung: prashkre: that is the backport of my fix. you need someone with +2 on stable. 17:03
<ayoung> prashkre, knikolla added the stable-main-core group to the review 17:04
<ayoung> heh, dolphm still in that group 17:05
<prashkre> ayoung: knikolla: thank you! 17:05
<ayoung> lbragstad, johnthetubaguy gagehugo would it make more sense to make this work in Nova first? 17:06
<ayoung> gagehugo, could do the work, but johnthetubaguy could provide guidance. 17:06
<gagehugo> could yeah 17:06
<ayoung> once we have it there, we extract into oslo- and duplicate in the other projects 17:06
<johnthetubaguy> I think keystone and nova together makes some sense 17:07
<johnthetubaguy> this is blocked for this cycle in Nova though 17:07
<ayoung> does not have to work *everywhere* in order to move to oslo-db, just shake out the logic in a few API calls 17:07
<johnthetubaguy> spec has missed the deadline 17:07
<ayoung> it's a bug fix 17:07
<ayoung> Which some clown moved from Critical to Wishlist 17:07
<johnthetubaguy> I am confused, I have to go cook now, let's catch up later 17:07
<ayoung> johnthetubaguy, and by Clown, I mean sdague whom I do not really think is a clown 17:08
<ayoung> https://bugs.launchpad.net/keystone/+bug/968696/comments/55 17:09
<openstack> Launchpad bug 968696 in OpenStack Identity (keystone) ""admin"-ness not properly scoped" [High,In progress] - Assigned to Gage Hugo (gagehugo) 17:09
*** aojea has joined #openstack-keystone 17:15
*** aojea has quit IRC 17:19
*** harlowja has quit IRC 17:26
<lbragstad> ayoung: johnthetubaguy yeah - let's sync up later, ping when you're available 17:29
*** jamielennox is now known as jamielennox|away 17:59
*** aojea has joined #openstack-keystone 18:00
*** jamielennox|away is now known as jamielennox 18:05
*** aojea has quit IRC 18:21
*** aojea has joined #openstack-keystone 18:31
*** ayoung has quit IRC 18:41
<openstackgerrit> Felipe Monteiro proposed openstack/keystone-specs master: Patrole (RBAC) Keystone Gating  https://review.openstack.org/464678 18:41
<openstackgerrit> Felipe Monteiro proposed openstack/keystone-specs master: Patrole (RBAC) Keystone Gating  https://review.openstack.org/464678 18:46
*** catintheroof has joined #openstack-keystone 18:59
*** prashkre has quit IRC 19:00
*** raildo has quit IRC 19:05
*** mordred has quit IRC 19:05
*** mordred has joined #openstack-keystone 19:07
*** piliman974 has quit IRC 19:18
<openstackgerrit> Gage Hugo proposed openstack/keystone master: Prep for is_admin_project check for scoped operations  https://review.openstack.org/462670 19:30
<openstackgerrit> Gage Hugo proposed openstack/keystone master: Add is_admin_project check to policy for non scoped operations  https://review.openstack.org/257636 19:30
*** tobberydberg has joined #openstack-keystone 19:31
*** jose-phillips has quit IRC 19:34
*** clenimar has joined #openstack-keystone 19:34
*** harlowja has joined #openstack-keystone 19:39
*** stingaci has joined #openstack-keystone 19:40
*** piliman974 has joined #openstack-keystone 19:41
*** jose-phillips has joined #openstack-keystone 19:46
*** jose-phillips has quit IRC 19:52
*** harlowja has quit IRC 19:53
*** harlowja has joined #openstack-keystone 19:57
*** harlowja has quit IRC 20:00
*** raildo has joined #openstack-keystone 20:12
*** raildo has quit IRC 20:19
*** lamt has quit IRC 20:33
*** lamt has joined #openstack-keystone 20:35
*** jose-phillips has joined #openstack-keystone 20:39
*** ducttape_ has quit IRC 20:45
*** ducttape_ has joined #openstack-keystone 20:45
*** stingaci has quit IRC 20:47
*** aojea has quit IRC 20:50
*** chlong has quit IRC 20:52
*** catintheroof has quit IRC 21:01
*** thorst_afk has quit IRC 21:03
*** jrist has quit IRC 21:04
*** spilla has quit IRC 21:26
*** edmondsw has quit IRC 21:27
*** edmondsw has joined #openstack-keystone 21:28
*** edmondsw_ has joined #openstack-keystone 21:31
*** edmondsw has quit IRC 21:32
*** edmondsw_ has quit IRC 21:36
*** stingaci has joined #openstack-keystone 21:48
*** tobberydberg has quit IRC 21:49
*** stingaci has quit IRC 21:53
*** thorst_afk has joined #openstack-keystone 22:00
*** harlowja has joined #openstack-keystone 22:02
*** stingaci has joined #openstack-keystone 22:05
*** ducttape_ has quit IRC 22:07
*** stingaci has quit IRC 22:09
*** ducttape_ has joined #openstack-keystone 22:11
*** harlowja has quit IRC 22:18
*** rderose has quit IRC 22:19
*** thorst_afk has quit IRC 22:20
<rm_work> hey hey 22:30
<rm_work> trying to distinguish between auth_url and auth_uri in [keystone_authtoken], anyone have a link to a good resource on this? 22:31
<rm_work> googling around now 22:31
<rm_work> I don't even see auth_url mentioned in docs 22:32
<rm_work> did someone invent this at some point and it made it into our example config and is now stuck like old gum under the seat in a movie theater? 22:32
<rm_work> seems so 22:33
<rm_work> possibly got copied from [service_auth] which is used by ... I'm not sure what 22:33
<rm_work> yeah ok I think I answered my own question, but would be awesome if someone wanted to confirm that "auth_url" isn't a real thing and only to use "auth_uri" 22:36
*** erhudy has quit IRC 22:55
*** lamt has quit IRC 22:57
<rm_work> This page has "identity_uri": https://docs.openstack.org/admin-guide/identity-auth-token-middleware.html 22:58
<rm_work> What does providing both that and auth_uri do? 22:58
*** piliman974 has quit IRC 22:58
<rm_work> THIS: https://github.com/openstack/keystonemiddleware/blob/master/keystonemiddleware/auth_token/__init__.py#L191 23:00
<rm_work> Seems to show "auth_url"! 23:00
<rm_work> and is completely different option names from ANYTHING in the docs above 23:00
<rm_work> the actual options file seems to show "auth_uri" being correct: https://github.com/openstack/keystonemiddleware/blob/master/keystonemiddleware/auth_token/_opts.py#L31 23:02
<rm_work> but, since that's the public endpoint and not the admin endpoint, that can't be what the service uses to actually check tokens, right? :/ 23:04
<rm_work> everything I see seems to contradict everything else, I could use some advice T_T 23:04
*** lbragstad has quit IRC 23:10
<rm_work> The example here uses yet a different combination of things: http://www.jamielennox.net/blog/2015/02/23/v3-authentication-with-auth-token-middleware/ 23:15
<rm_work> now we've got "project_name" instead of "admin_tenant_name" 23:15
<rm_work> which I can't even find when searching the keystone_middleware github project 23:16
<rm_work> jamielennox: advice? 23:16
*** dikonoor has joined #openstack-keystone 23:19
<rm_work> trying to follow the code, I've ended up ... here? https://github.com/openstack/keystoneauth/blob/master/keystoneauth1/loading/_plugins/identity/v3.py 23:20
*** thorst_afk has joined #openstack-keystone 23:20
*** ducttape_ has quit IRC 23:25
*** thorst_afk has quit IRC 23:41
<rm_work> jamielennox: your guide is the most useful/accurate one i've found so far -- using those things, it seems to actually *work*, unlike any of the actual openstack docs... though I'm still unsure what auth_uri is for 23:41
<rm_work> since it seems to work with only auth_url 23:42
<rm_work> OH I need to just read the text of your article more closely, derp 23:42
*** piliman974 has joined #openstack-keystone 23:44
*** tobberydberg has joined #openstack-keystone 23:50
*** tobberydberg has quit IRC 23:54
<jamielennox> rm_work: whoa, sorry, just got here 23:55
<rm_work> lol no worries, I have a tendency to just spit out words :P 23:55
<rm_work> thanks for the good blog post though 23:56
<rm_work> the configs recommended in the openstack deploy guides just *don't work* 23:56
<jamielennox> so auth_uri is a poorly named variable - but really all it does is when you get a 401 Unauthorized it puts it in to the headers as the place to go for auth 23:56
<jamielennox> which AFAIK no client actually respects 23:56
<rm_work> lol ... yeah 23:56
<jamielennox> auth_url is a required field of most of the auth plugins 23:56
<rm_work> the config docs all say use "admin_tenant_name" not "project_name" 23:56
<rm_work> which ... doesn't work 23:57
<jamielennox> really? which ones 23:57
<rm_work> https://docs.openstack.org/admin-guide/identity-auth-token-middleware.html 23:57
<jamielennox> i... where does that even come from? 23:57
<rm_work> it was somewhere else too, looking... 23:58
<jamielennox> auth_strategy=keystone? that's a purely nova thing i think we tried to deprecate 23:58
<rm_work> ah it's in my own project's example config 23:58
<rm_work> yeah my project does have that too 23:58
<jamielennox> as was putting config into paste.ini 23:58
<rm_work> but that isn't actually keystone_middleware related 23:58
<jamielennox> that whole file is basically wrong 23:58
<rm_work> yes. 23:58
<rm_work> seems so 23:58
<rm_work> also "admin_user" and "admin_password" 23:59
<rm_work> don't work 23:59
