Thursday, 2017-08-03

*** http_GK1wmSU has joined #openstack-keystone00:03
*** http_GK1wmSU has left #openstack-keystone00:05
*** kbaegis has quit IRC00:07
*** kaisers2 has joined #openstack-keystone00:09
*** kaisers1 has quit IRC00:10
openstackgerritMerged openstack/keystone master: Clarify documentation on whitelists and blacklists
openstackgerritMerged openstack/keystone master: Handle auto-generated domains when creating IdPs
openstackgerritMerged openstack/keystone master: Imported Translations from Zanata
*** aselius has quit IRC00:26
*** dstepanenko has joined #openstack-keystone00:37
openstackgerritOpenStack Proposal Bot proposed openstack/pycadf master: Updated from global requirements
*** Shunli has joined #openstack-keystone00:40
*** dstepanenko has quit IRC00:42
*** zhurong has joined #openstack-keystone00:46
*** Adri2000 has quit IRC00:56
*** Adri2000 has joined #openstack-keystone00:57
*** mjax has quit IRC01:00
*** mjax has joined #openstack-keystone01:06
*** mjax has quit IRC01:07
*** mjax has joined #openstack-keystone01:07
*** lucasxu has joined #openstack-keystone01:09
*** lucasxu has quit IRC01:10
*** henrynash has quit IRC01:24
*** ducttape_ has joined #openstack-keystone01:25
*** namnh has joined #openstack-keystone01:31
*** aselius has joined #openstack-keystone01:31
*** thorst_afk has quit IRC01:37
*** ducttape_ has quit IRC01:38
*** otleimat has quit IRC02:06
*** rajalokan has joined #openstack-keystone02:06
*** jrist has joined #openstack-keystone02:11
openstackgerritMerged openstack/keystone master: Remove duplicate configuration sections
*** mjax has quit IRC02:16
*** mjax has joined #openstack-keystone02:18
*** dstepanenko has joined #openstack-keystone02:25
*** dstepanenko has quit IRC02:30
*** mjax has quit IRC02:31
*** rajalokan has quit IRC02:43
*** dikonoor has joined #openstack-keystone02:54
*** nicolasbock__ has joined #openstack-keystone03:14
*** kbaegis has joined #openstack-keystone03:15
*** masuberu has joined #openstack-keystone03:18
*** dstepanenko has joined #openstack-keystone03:20
*** masber has quit IRC03:22
*** dstepanenko has quit IRC03:24
*** dikonoo has joined #openstack-keystone03:24
*** kbaegis has quit IRC03:27
*** dikonoor has quit IRC03:28
*** thorst_afk has joined #openstack-keystone03:38
*** aselius has quit IRC03:41
*** thorst_afk has quit IRC03:52
*** links has joined #openstack-keystone03:54
*** dstepanenko has joined #openstack-keystone04:25
*** dikonoo has quit IRC04:57
*** mjax has joined #openstack-keystone05:04
*** mjax has quit IRC05:05
*** prashkre has joined #openstack-keystone05:07
*** dikonoo has joined #openstack-keystone05:12
*** aojea has joined #openstack-keystone05:33
*** aojea has quit IRC05:33
*** aojea has joined #openstack-keystone05:33
*** robcresswell has quit IRC05:41
*** aojea_ has joined #openstack-keystone05:46
*** aojea has quit IRC05:48
*** thorst_afk has joined #openstack-keystone05:49
*** dims has quit IRC05:52
*** thorst_afk has quit IRC05:53
*** ayoung has quit IRC05:54
*** dims has joined #openstack-keystone05:54
*** tobberydberg has joined #openstack-keystone06:00
*** dikonoo has quit IRC06:02
*** aojea_ has quit IRC06:03
*** aojea has joined #openstack-keystone06:03
*** ayoung has joined #openstack-keystone06:04
*** josecastroleon has joined #openstack-keystone06:08
*** phalmos has quit IRC06:10
*** hoonetorg has quit IRC06:12
*** dikonoor has joined #openstack-keystone06:14
*** rcernin has joined #openstack-keystone06:19
*** dstepanenko has quit IRC06:20
*** hoonetorg has joined #openstack-keystone06:25
*** pcaruana has joined #openstack-keystone06:48
*** aojea_ has joined #openstack-keystone06:57
*** dstepanenko has joined #openstack-keystone06:59
*** aojea has quit IRC06:59
*** aojea has joined #openstack-keystone07:02
*** aojea_ has quit IRC07:04
*** aojea_ has joined #openstack-keystone07:07
*** amrith has quit IRC07:09
*** Dinesh_Bhor has quit IRC07:10
*** aojea has quit IRC07:10
*** amrith has joined #openstack-keystone07:16
*** amrith is now known as Guest4629207:16
*** Dinesh_Bhor has joined #openstack-keystone07:16
*** tesseract has joined #openstack-keystone07:17
*** thorst_afk has joined #openstack-keystone07:22
*** thorst_afk has quit IRC07:27
*** robcresswell has joined #openstack-keystone07:41
*** dstepanenko has quit IRC08:12
*** openstackgerrit has quit IRC08:18
*** ioggstream has joined #openstack-keystone08:26
*** dstepanenko has joined #openstack-keystone08:28
*** henrynash has joined #openstack-keystone08:38
*** markvoelker has quit IRC08:39
*** ducttape_ has joined #openstack-keystone08:40
*** ducttape_ has quit IRC08:44
asettlelbragstad: I have not been keeping up with the service catalog spec08:56
asettleI'll review today08:57
*** kbaegis has joined #openstack-keystone09:01
*** dims has quit IRC09:04
*** dims has joined #openstack-keystone09:08
rcerninping keystone, ayoung nkinder jdennis we can see one service spamming the logs with "Authorization failed for token" yet its for particular user and it's repeating, since the user never authenticate successfuly we will never see the request the user is sending. Is there a way for us to either *)disable this logging for authorization failed for this user(nobody complains) *)find out the problem why09:16
rcerninthe token is deleted in the db in the time the user requested it? *)is this common behaviour?09:16
rcerninBZ for the same bug 1477930 in openstack-keystone "OpenStack user repeatedly reports "Authorization failed for token ..." in neutron/server.log" [Unspecified,New] - Assigned to jdennis09:20
*** edmondsw has joined #openstack-keystone09:22
*** thorst_afk has joined #openstack-keystone09:23
*** dstepanenko has quit IRC09:23
*** dikonoor has quit IRC09:25
*** Shunli has quit IRC09:27
*** thorst_afk has quit IRC09:28
*** henrynash has quit IRC09:43
*** henrynash has joined #openstack-keystone09:44
*** henrynash has quit IRC09:46
*** dikonoor has joined #openstack-keystone09:52
*** dstepanenko has joined #openstack-keystone09:56
*** dstepanenko has quit IRC10:00
*** aditipuntambekar has joined #openstack-keystone10:07
*** dikonoor has quit IRC10:25
*** dstepanenko has joined #openstack-keystone10:26
*** zhurong has quit IRC10:38
*** markvoelker has joined #openstack-keystone10:40
*** nicolasbock__ has quit IRC10:54
*** dikonoor has joined #openstack-keystone10:55
*** raildo has joined #openstack-keystone11:03
*** maestropandy has joined #openstack-keystone11:06
maestropandyPlease vote (+3) for our presentation submitted for openstack sydney 2017. Today last day for voting, requesting all to vote. OpenStack cloud storage - Advanced performance tuning & operational best practices with Ceph  ##### Docker Networking over OpenStack Cloud – Challenges, Solutions & Road-map >>
*** markvoelker has quit IRC11:13
*** maestropandy has left #openstack-keystone11:14
*** kbaegis has quit IRC11:17
*** lwanderley has joined #openstack-keystone11:27
*** maestropandy has joined #openstack-keystone11:28
*** dstepanenko has quit IRC11:44
*** maestropandy has quit IRC11:46
*** maestropandy has joined #openstack-keystone11:47
*** maestropandy has left #openstack-keystone11:47
*** dstepanenko has joined #openstack-keystone11:49
*** dstepanenko has quit IRC11:51
*** prashkre has quit IRC11:52
*** prashkre has joined #openstack-keystone11:52
*** dikonoor has quit IRC11:53
*** dstepanenko has joined #openstack-keystone11:54
*** namnh has quit IRC12:01
*** thorst_afk has joined #openstack-keystone12:03
*** david-lyle has quit IRC12:07
*** markvoelker has joined #openstack-keystone12:10
bhagyashris Hi, All I need some guidance regarding how to use /etc/cinder/logging_sample.conf to set some config options related to the logger and how to access in the project so depending on that I want to log the message. In short usecase of logging_sample.conf.12:13
bhagyashris I want to make the user define logger as configurable12:13
*** markvoelker has quit IRC12:33
*** markvoelker has joined #openstack-keystone12:33
*** catintheroof has joined #openstack-keystone12:36
*** ducttape_ has joined #openstack-keystone12:40
*** maestropandy has joined #openstack-keystone12:42
*** maestropandy has left #openstack-keystone12:43
*** ducttape_ has quit IRC12:45
*** lwanderley has quit IRC12:45
ayoungrcernin, nope.  There is not enough information on the Keystone side to see what the request was for, but there should be in the log of the calling service....which is either Nova or Heat, I'm guessing.12:46
*** lwanderley has joined #openstack-keystone12:46
ayoungor...looking at the BZ, it is Neutron12:46
*** zhurong has joined #openstack-keystone12:46
ayoungjdennis' analysis in the BZ looks correct.12:48
*** dstepanenko has quit IRC13:00
*** links has quit IRC13:06
*** josecastroleon has quit IRC13:08
*** josecastroleon has joined #openstack-keystone13:08
*** lucasxu has joined #openstack-keystone13:11
*** prashkre has quit IRC13:12
rcerninayoung: yes but client never reaches with request the neutron or does it when the keystone does not validate its request.13:14
rcerninjdennis: ayoung: that DB connection comment is correct, on the otherside this was just one example, sorry for not including the others, they dont contain the lost connection to MySQL and yet the Authorization is failed. Thank you for taking look.13:17
*** aditipuntambekar has quit IRC13:19
*** dikonoor has joined #openstack-keystone13:22
*** dstepanenko has joined #openstack-keystone13:29
*** dikonoor has quit IRC13:34
*** dikonoor has joined #openstack-keystone13:35
*** dstepanenko has quit IRC13:43
*** dstepanenko has joined #openstack-keystone13:46
*** prashkre has joined #openstack-keystone13:48
*** ducttape_ has joined #openstack-keystone13:54
*** spzala has joined #openstack-keystone13:56
*** efried has joined #openstack-keystone13:58
*** openstackgerrit has joined #openstack-keystone13:58
openstackgerritLance Bragstad proposed openstack/keystone master: use the show-policy directive to show policy settings
*** dikonoor has quit IRC14:03
*** sjain has joined #openstack-keystone14:06
*** aojea_ has quit IRC14:07
morganlbragstad: can we add to the topic: please do not advertise your summit talks individually (or something similar)14:10
rcerninpeople should know this, it was already posted in ML wasn't it?14:12
*** josecastroleon has quit IRC14:15
*** zhurong has quit IRC14:17
*** josecastroleon has joined #openstack-keystone14:18
*** aselius has joined #openstack-keystone14:19
*** lucasxu has quit IRC14:22
*** sjain has quit IRC14:27
*** mjax has joined #openstack-keystone14:29
*** mjax has quit IRC14:30
*** thorst_afk has quit IRC14:30
*** sjain has joined #openstack-keystone14:31
*** thorst_afk has joined #openstack-keystone14:32
*** thorst_afk has quit IRC14:37
*** sjain has quit IRC14:37
*** thorst_afk has joined #openstack-keystone14:42
*** lwanderley has quit IRC14:45
*** kbaegis has joined #openstack-keystone14:49
*** dstepanenko has quit IRC14:52
*** prashkre has quit IRC14:53
openstackgerrithuanzhangzhao proposed openstack/keystone master: fix bug 1087674
openstackbug 1087674 in OpenStack Identity (keystone) "A bug for test(ignore it)" [Undecided,Invalid] - Assigned to huanzhangzhao (yujiamayi)14:56
bretonwhat is going on in that bug15:00
*** thorst_afk has quit IRC15:00
*** thorst_afk has joined #openstack-keystone15:01
cmurphyclearly important work15:06
*** kbaegis has quit IRC15:07
*** otleimat has joined #openstack-keystone15:10
*** prashkre has joined #openstack-keystone15:10
gagehugolbragstad do we want to bump to Pike?15:10
lbragstadgagehugo: pike? or queens?15:11
gagehugoIf it's by release, then Pike?15:11
lbragstadgagehugo: sure - that sounds good15:12
lbragstadgagehugo: what came out of the security meeting?15:12
lbragstadi'm reading luke's comment15:12
gagehugoluke offered to take a look at it, I'm going to attend the meeting @ 12 CST and ask more15:12
lbragstadoh - cool15:13
lbragstadi'll try and linger15:13
jdennisis there a way to have paste log each request and where it's dispatching to?15:16
*** tobberyd_ has joined #openstack-keystone15:16
*** tobberydberg has quit IRC15:20
*** tobberyd_ has quit IRC15:22
*** dstepanenko has joined #openstack-keystone15:25
*** dstepanenko has quit IRC15:30
morganbreton: nice token ;)15:30
*** rmascena has joined #openstack-keystone15:41
bretoni have no idea how i typed that15:41
morganor similar15:42
bretonprobably i was just trying to switch windows in irssi on a semi-dead ssh15:42
morganweird lag today on irccloud :(15:42
*** raildo has quit IRC15:43
prashkrelbragstad: Hi. I have a query on As per implementation of /v3/auth/tokens/OS-PKI/revoked API, it is returning signed response of revoked tokens for PKI/UUID because they are persisted in keystone.token table.15:49
openstackLaunchpad bug 1696308 in OpenStack Identity (keystone) "list revoked tokens API returns 500 when pki_setup is not run" [Wishlist,Triaged] - Assigned to Nisha Yadav (ynisha11)15:49
prashkrelbragstad: But why does the same API doesn't take care of non-persistent Fernet tokens whose information about revocations are persisted in keystone.revocation_event table?15:49
prashkreHere is the flow of API, if you want to take a look at it.15:51
bretonprashkre: i think because nobody cares about that part15:51
lbragstadprashkre: the OS-PKI/revoked API is suppose to return a list of token IDs that are considered revoked15:52
bretonprashkre: fernet tokens are always checked at keystone by keystonemiddleware15:52
lbragstadit's impossible for keystone to return that list when it doesn't store the tokens15:52
bretonwell, that too.15:53
lbragstadin order for fernet to comply with that api like PKI or UUID, keystone would have to write a non-persistent token to a backend somewhere15:53
lbragstadwhich kind of defeats the purpose15:53
bretonlbragstad: pki were written to backend :p15:53
lbragstadbreton: is that a question?15:53
bretonlbragstad: no15:53
lbragstadoh - yes15:53
lbragstad"massive" pki tokens were written to backends15:54
bretonit was fun.\15:54
lbragstadthat's one way to put it15:54
lbragstadalso - when you think about the situation from a middleware perspective15:54
lbragstadmiddleware makes a call to keystone to fetch a list of revoked tokens, right?15:55
*** ducttape_ has quit IRC15:55
lbragstadthen is iterates over that list to compare the current PKI token against the entire list and if it finds a match, it fails the request15:55
lbragstad(makes sense)15:55
lbragstadwith fernet, that isn't really possible for the reasons stated above ^15:55
lbragstadinstead - the middleware just puts the token on the wire and validates it against keystone using GET /v3/auth/tokens15:56
*** spzala has quit IRC15:56
lbragstadeither way - a request to keystone happens15:56
prashkrelbragstad: how does a user rely on his token got revoked?. I guess there should be an API, to get atleast some information about the token like audit_ids which are being persisted in revocation_event table for fernet tokens.15:56
lbragstadso the "performance" argument of offline validation isn't as appealing as it seems15:56
lbragstadprashkre: sorry - are you asking how a user gets their token revoked? or why?15:57
prashkrelbragstad: yes.15:57
lbragstadhow - got it15:58
lbragstadthat's a good question15:58
lbragstadkeystone has a revocation backend, right?15:58
lbragstadand to the rest of keystone, it's considered the self.revoke_api15:58
lbragstadthere are certain places in keystone where the revocation api is invoked to persist a revocation event about "something"15:59
lbragstadthat something could be a password change, for example15:59
lbragstadwhen a user changes their password, the identity API will call the revocation API and say "hey, persist a revocation event that invalidates all tokens from this user before this timestamp"16:00
lbragstadany cases in keystone where we have business logic that relies on, or should, invalidate tokens, the revocation API is used in that way16:00
lbragstadthen - during the token validation process, authentication context is compared to the existing revocation events stored by keystone to see if there is a match16:01
lbragstadif there is - then the token being validated is considered revoked or invalid16:01
*** ducttape_ has joined #openstack-keystone16:01
*** ducttape_ has quit IRC16:01
lbragstadif not - then the validation continues processing16:01
*** ducttape_ has joined #openstack-keystone16:02
lbragstad^ that's the code that handles those checks in the validate token API16:04
*** tobberydberg has joined #openstack-keystone16:04
*** david-lyle has joined #openstack-keystone16:07
*** thorst_afk has quit IRC16:08
*** tobberydberg has quit IRC16:09
prashkrelbragstad: yeah got it. thanks for explaining on this. But from the user/client perspective, how does he will get to know that token is revoked because when revoked token is used for with any API, they get the generic message "Unauthorized or requires authentication",16:09
lbragstadright - a user has to ask keystone if the token is revoked16:10
lbragstadthere isn't really a way to have keystone tell a user how a token is revoked - some that might be considered a security vulnerability16:10
prashkreok. do we API to check that token is revoked?16:10
prashkreok got it.16:11
*** rcernin has quit IRC16:12
*** dave-mccowan has joined #openstack-keystone16:14
*** thorst_afk has joined #openstack-keystone16:15
prashkrelbragstad: can we have keystone API to tell that your token is revoked or not to user, instead of how a token is revoked?.. because there is no way for user to ask keystone.16:15
lbragstadprashkre: we don't really expose the revocation API to end users16:16
lbragstadprashkre: instead - the revocation API is used internally to keystone16:16
*** jmlowe has quit IRC16:20
*** tobberydberg has joined #openstack-keystone16:22
prashkrelbragstad: sorry too many questions from my side. but curious to know. why the revocation_list API for PKI is exposed to end users?16:22
*** tobberydberg has quit IRC16:25
*** tobberydberg has joined #openstack-keystone16:26
edmondswprashkre because there's no distinction between end users and services, and the other services have to call that to handle revocations16:27
edmondswnow, if we had a service role...16:27
edmondswoh, reading back, maybe you're talking about a different API than I am...16:29
edmondswor different than lbragstad...16:30
lbragstadprashkre: that api was exposed to services - explicitly middleware16:30
edmondswlbragstad I think we're talking about
lbragstadbut it was never officially protected16:31
lbragstadit was exposed so that service could check if a PKI to was invalid or not16:31
lbragstadinstead of having to pass the token back to keystone to validate it16:31
lbragstadwell - it was never explicitly protected such that only service users could access it16:32
lbragstad( I don't think)16:32
morganrevocation list or rev-event?16:32
morganrevocation list (PKI tokens, uuid, old-shool) was always protected16:32
lbragstadthere's the man with all the context ^16:33
morganrevocation events was not protected, and then had to be for a $security_bug$16:33
lbragstadmorgan: did we ever make it so that *only* service users could call it though?16:33
morganno, anyone who was admin could call it16:33
lbragstadah - ok, so we're on the same page16:33
edmondswmorgan I think we broke revocation, at least the way it used to work16:33
morganit was admin/policy(v3) protected, usually services16:33
lbragstadeven thought he intended use case behind that api was to have service call it16:33
morganrevocation list is dead now16:34
morganrevocation events are used internally, public api is not really usable16:34
morgannever was leveraged by middleware/etc16:34
morganin short, best bet: validate the token with keystone16:34
morganthat is how you know if it has been revoked or not (allowing for the ?allow_expired QS to ignore expiry only)16:35
edmondswclients (via keystonemiddleware I believe) cache tokens that they've already validated, and you can configure them to, when someone tries to use a token that's in the cache, first check it against the revocation list16:35
edmondswhow does that work with revocation events?16:35
edmondswI don't think it is, today16:35
morganedmondsw: no and it only sort-of worked with the revocation-list16:35
edmondswat least not with the same conf options16:35
morganthe revocation list had all the same issues as a CRL16:35
morganand then some, plus it was largely cached as well16:35
morgannot really a win.16:35
edmondswso we're just calling that dead? were those conf options removed?16:36
morganbasically, we state (and it is assumed) if you cache in the middleware you have exposure of $cache_time$ for a token to be valid even if revoked16:36
morganno conf options are not removed, the revocation-list is not populated with fernet tokens16:36
morgancan't be16:36
morganand we don't do PKI tokens and uuid tokens we should stop populating that list16:37
edmondswhow are folks supposed to know that the conf options no longer work?16:37
lbragstadyeah - that'd be the same as persisting a non-persistent token16:37
morganread the release notes and docs?16:37
morgani mean... it *is* documented16:37
edmondswwhy wouldn't we remove the conf options, at least deprecate them, if they're now meaningless?16:37
prashkreedmondsw: morgan: so when a token is revoked, the specific token is being invalidated in the cache at
morganif we are trying to solve willfully not looking at docs, we're doing something wrong16:37
prashkrebut i think so it is now working.16:38
edmondswif we're not using deprecation warnings, we're doing something wrong16:38
morganedmondsw: because we are slow to remove things.16:38
morganedmondsw: in middleware we can just drop the options16:38
morganwith no warnings16:38
morganin keystone we can't change anything because apis cannot be removed **(v2 is a special case)16:38
morganprashkre: cache for keystone is different than cache for keystonemiddleware16:39
morganthe cache's do not share a cache namespace/keyspace16:39
morganeven if the memcache servers are shared16:39
edmondswright, I'm not talking about keystone16:40
edmondswlet me go find those options, maybe they even were removed16:40
morganthe PKI options were removed16:41
morganthe rest of the options regarding keystone that materially impact the APIs working cannot be removed16:41
morganand the revocation list never worked without PKI options16:41
edmondswyou mean the revocation list options, which worked for UUID as well as PKI (despite some comments saying otherwise)?16:41
*** oomichi has quit IRC16:41
*** jmlowe has joined #openstack-keystone16:41
morganthey never worked unless you put the PKI options in place16:42
morganbecause it had to be signed16:42
morgan(code wise)16:42
morganso it would 500 error16:42
edmondswthey never worked unless you setup signing certs... i.e. signing certs weren't really PKI-specific16:42
morganthey were used for 2 things16:42
edmondswbut if you setup signing certs, it worked fine16:42
morgan1) rev list16:42
edmondswwith uuid16:42
morgan2) pki token signing16:42
morganthe rev list was implemented with PKI16:42
edmondswrev list also worked for uuid16:42
morganthe rev list was never meant to be used with uuid16:42
morganthe only reason the rev list was implemented was PKI off-line validation16:43
edmondswthat's not what I was told, and we used it with uuid for several releases16:43
edmondswworked just fine16:43
prashkremorgan: could you please point me the caching of tokens in keystonemiddleware.16:43
morganthe intention was explicitly for you to validate with keystone for uuid16:43
morganprashkre: sec.16:43
morganedmondsw: then you were told wrong and/or made assumptions16:43
morganit may have worked16:44
morganif was unintentional16:44
morganthe rev list now should always be empty16:44
*** oomichi has joined #openstack-keystone16:44
morganwhich does not break the API contract16:44
edmondswyep... alrighty then16:44
morganif it isn't always empty... we have an issue (uuid tokens should also be deprecated imo)16:44
morganand the signed bits for the rev list... well, we can only do so much there. i don't know how to solve it if it wasn't "fixed" (probably breaking API contract)16:45
morgankeystone should never do actual ASYM key signing16:45
morganit's bad news for keystone in it's architecture16:45
morgansym encryption is ok as long as it is very narrowly used (aka fernet, credential store)16:46
morganeven then, i would prefer that to be handled async from the main keystone process (would require massive overhaul, not worth it]16:46
morganprashkre: if you look here16:47
morganprashkre: anyone who uses keystonemiddleware can use and set memcache servers16:47
edmondswI can't find check_revocations_for_cached and revocation_cache_time anymore, so it looks like those were cleaned up properly16:47
morganedmondsw: cool. good to know16:47
morganprashkre: if those are set in the config group for keystone middleware (keystone_authtoken?), it will cache the token validation for
morgancache time16:48
morganwhich is in seconds.16:48
*** ioggstream has quit IRC16:49
morganthere is also a memcache pool set of options16:49
*** tobberydberg has quit IRC16:49
prashkremorgan: thanks. will explore on your pointers.16:49
morganthat is your actual ksm deployment docs16:50
*** tobberydberg has joined #openstack-keystone16:51
edmondswmorgan I lied... check_revocations_for_cached and revocation_cache_time are still in keystonemiddleware, but marked deprecated16:53
edmondswlbragstad we should remove these16:54
morganedmondsw: ah yeah looking now, they are deprecated16:54
edmondswat least for queens16:54
*** pcaruana has quit IRC16:54
edmondswprobably too late for pike16:54
morganeh, if they are "deprecated_for_removal" they shouldn't show up in samples16:54
morganand can be removed or not.16:54
edmondswif they don't work, I'd rather they just didn't exist, at least in queens when it will have been 2 releases of deprecation16:55
morganif they aren't deprecated for removal16:55
morganwe could just drop them or move them to deprecated for removal16:55
morganall the same really.16:55
edmondswdeprecation to me means "still works, but don't use it"... and that's not the case here16:55
morganthen, they shouldn't even be in samples16:56
*** tobberydberg has quit IRC16:56
morganand could be dropped16:56
morganrelated, i have no idea if the memcache protect stuff even remotely works anymore16:56
morganpycrypto is ... dead last i heard16:56
*** tobberydberg has joined #openstack-keystone16:56
*** spzala has joined #openstack-keystone16:56
*** spzala has quit IRC17:01
*** efried has quit IRC17:01
*** rcernin has joined #openstack-keystone17:02
edmondswmorgan what "memcache protect stuff"?17:03
*** tobberydberg has quit IRC17:05
morganedmondsw: encrypt/hmac the data stored in memcache17:07
morganbecause, in theory, that is privledged information and people were worried about memcache being accessed by non-openstack services17:07
*** lwanderley has joined #openstack-keystone17:08
*** mjax has joined #openstack-keystone17:08
*** spzala has joined #openstack-keystone17:09
edmondswmorgan didn't realize we were doing that17:14
*** tobberydberg has joined #openstack-keystone17:14
edmondswnot finding any references to Crypto in the code...17:14
lbragstadwe swapped pycrypto with pyca/cryptography i think17:14
morganah we did17:15
lbragstadlamt: did that work17:15
*** tobberydberg has quit IRC17:16
*** ducttape_ has quit IRC17:17
*** rmascena has quit IRC17:20
*** ducttape_ has joined #openstack-keystone17:22
morganlbragstad: thats not very many people making it to the PTG =/17:23
*** lwanderley has quit IRC17:23
lbragstadhrybacki: you're going to be attending, right ?17:24
*** tobberydberg has joined #openstack-keystone17:26
*** tobberydberg has quit IRC17:26
*** lwanderley has joined #openstack-keystone17:26
*** ducttape_ has quit IRC17:26
*** tobberydberg has joined #openstack-keystone17:26
*** ducttape_ has joined #openstack-keystone17:29
*** tobberydberg has quit IRC17:31
*** lwanderley has quit IRC17:32
*** ducttap__ has joined #openstack-keystone17:32
*** ducttape_ has quit IRC17:33
*** tesseract has quit IRC17:49
lbragstadeasy review that closes a bug -
lbragstadand makes documentation easier to render17:49
* hrybacki reads17:50
hrybackiI am! (On holiday and being bad about checking things lbragstad )17:50
lbragstadhrybacki: awesome - holiday are made for not checking work17:51
lbragstadhrybacki: I'll add you to the etherpad so that we have an accurate count17:51
hrybackilbragstad: thanks!17:53
* hrybacki slides back into the abyss17:54
*** rmascena has joined #openstack-keystone17:55
lbragstadmorgan: edmondsw fwiw - this has some overlap with what we were all just talking about17:58
openstackLaunchpad bug 1696308 in OpenStack Identity (keystone) "list revoked tokens API returns 500 when pki_setup is not run" [Wishlist,Triaged] - Assigned to Nisha Yadav (ynisha11)17:58
edmondswlbragstad yup, that's the one I pinged you about the other day18:01
*** tobberydberg has joined #openstack-keystone18:02
*** spzala has quit IRC18:05
*** tobberyd_ has joined #openstack-keystone18:07
*** tobberydberg has quit IRC18:08
*** kbaegis has joined #openstack-keystone18:13
*** kbaegis has quit IRC18:13
*** tobberyd_ has quit IRC18:15
*** vint_bra1 has joined #openstack-keystone18:20
*** vint_bra has quit IRC18:21
*** masber has joined #openstack-keystone18:57
*** masuberu has quit IRC18:59
*** vint_bra1 has quit IRC19:17
*** vint_bra has joined #openstack-keystone19:18
morgani guess we can just make that return an empty list and unsigned19:22
morganoh gah. this is terrible19:25
openstackgerritMerged openstack/keystone master: use the show-policy directive to show policy settings
morganin v2, i think we just need to break this (sadly)19:25
*** spzala has joined #openstack-keystone19:27
*** spzala has quit IRC19:27
*** spzala has joined #openstack-keystone19:27
prashkrelbragstad: could you please take a look at edmondsw comment on
*** spzala has quit IRC19:27
*** prashkre has quit IRC19:28
morganoooh thats rough19:28
*** gyee has joined #openstack-keystone19:29
*** tobberydberg has joined #openstack-keystone19:31
*** prashkre has joined #openstack-keystone19:31
*** spzala has joined #openstack-keystone19:35
*** prashkre has quit IRC19:35
*** prashkre has joined #openstack-keystone19:36
*** sjain has joined #openstack-keystone19:44
*** efried has joined #openstack-keystone19:48
*** harlowja has quit IRC19:57
*** ducttap__ has quit IRC20:01
*** ducttape_ has joined #openstack-keystone20:02
*** ducttap__ has joined #openstack-keystone20:09
*** ducttape_ has quit IRC20:09
*** ducttap__ has quit IRC20:12
*** prashkre has quit IRC20:14
*** prashkre_ has joined #openstack-keystone20:14
*** ducttape_ has joined #openstack-keystone20:15
*** kbaegis has joined #openstack-keystone20:15
*** lwanderley has joined #openstack-keystone20:19
*** lwanderley has quit IRC20:22
*** lwanderley has joined #openstack-keystone20:27
openstackgerritMerged openstack/keystone-specs master: Bump support for federated attributes to backlog
openstackgerritMerged openstack/keystone-specs master: Bump application credentials to backlog
*** kbaegis has quit IRC20:35
*** ducttape_ has quit IRC20:50
*** dstepanenko has joined #openstack-keystone20:50
*** ducttape_ has joined #openstack-keystone20:51
openstackgerritSamriddhi proposed openstack/keystone master: Updated URLs in docs
*** dstepanenko has quit IRC20:55
openstackgerritSamriddhi proposed openstack/keystone master: Updated URLs in docs
*** lwanderley has quit IRC21:03
*** lwanderley has joined #openstack-keystone21:05
*** thorst_afk has quit IRC21:10
*** thorst_afk has joined #openstack-keystone21:12
*** sjain has quit IRC21:15
*** harlowja has joined #openstack-keystone21:15
*** lwanderley has quit IRC21:16
*** thorst_afk has quit IRC21:17
*** aojea has joined #openstack-keystone21:17
*** tobberydberg has quit IRC21:18
*** jmlowe has quit IRC21:18
*** lwanderley has joined #openstack-keystone21:18
*** tobberydberg has joined #openstack-keystone21:19
*** rmascena has quit IRC21:19
*** tobberydberg has quit IRC21:23
*** aojea_ has joined #openstack-keystone21:23
*** aojea has quit IRC21:24
*** aojea has joined #openstack-keystone21:28
*** aojea_ has quit IRC21:30
*** thorst_afk has joined #openstack-keystone21:30
*** aojea_ has joined #openstack-keystone21:32
*** thorst_afk has quit IRC21:34
*** aojea has quit IRC21:35
*** aojea has joined #openstack-keystone21:37
*** gyee has quit IRC21:38
mjaxlbragstad: hey, mind if I ask you a couple of questions today as well? I'm looking at the issue_token method in, and putting together some information about how it works based on the implementation in in the keystone/token/providers folder, and wanted to get some clarifications21:38
lbragstadmjax: sure thing21:38
lbragstadi can try to help21:38
*** aojea_ has quit IRC21:40
mjaxI noticed that the method in constructs the token in a json format and sends that as the token_data21:40
mjaxis this required? Or can I define my token as just a string and pass that around21:40
lbragstadmjax: which part are you referencing specifically?21:42
*** aojea_ has joined #openstack-keystone21:42
lbragstadwe use token_data *a lot* in that module21:43
*** lwanderley has quit IRC21:43
*** aojea has quit IRC21:45
mjaxhmm it might be better if I start with asking about token_data itself21:45
lbragstadmjax: well - the tl;dr is that token data is kind of a mess21:46
lbragstadit's a big dictionary that essentially turns into the token response21:46
lbragstad(represented in the response body from the server to the client)21:46
lbragstadmjax: this is the manager or the top level api -
*** aojea has joined #openstack-keystone21:47
lbragstadwhich is defined in keystone/token/provider.py21:47
lbragstadthat ^ class is going to be calling into your token provider implementation at these points:
lbragstadfor example ^21:48
mjaxI see, so that should help me with understanding how the token_data flows around in openstack?21:48
lbragstadmjax: what path are you going to work on first?21:49
lbragstadauthenticate or validate?21:49
lbragstadauthenticate is handled by athenz, right?21:49
lbragstadok - wanna walk through the token validate flow then?21:49
mjaxthat would be a big help21:49
*** aojea_ has quit IRC21:50
lbragstadhere is essentially where we start21:50
lbragstadthe basic flow goes -> -> -> backend.py21:50
*** thorst_afk has joined #openstack-keystone21:50
lbragstadthe v3 routers for auth are in /keystone/auth/routers but the v3 path eventually ends up in keystone/token/controllers.py21:51
lbragstad(first confusing bit and an antipattern compared to how the rest of keystone is structured ^)21:51
mjaxso what does do21:52
lbragstadrouters is responsible for mapping the path and request to the proper controller method21:52
lbragstadit simply routes traffic21:52
lbragstadthe controller is responsible for some validation and "web-like" things21:53
lbragstadthe and layers are responsible for business logic21:53
lbragstadand the backends are responsible for backend things21:53
lbragstadit's a pretty straightforward tiered application21:53
lbragstadat we get a couple pieces of info21:53
lbragstadand we're routing stuff to the auth controller -
lbragstadand for GET /v3/auth/tokens we're routing to
*** sjain has joined #openstack-keystone21:54
lbragstadwhich passes the token_id to the actual subsystem that understands tokens here -
*** thorst_afk has quit IRC21:55
lbragstadonce we're in the token provider API we start having to deal with authentication context and the token itself21:56
*** aojea has quit IRC21:56
lbragstadthis calls which goes down into the driver (e.g. your token provider) and validates the token21:56
mjaxfor the validate token in keystone, when is that used?21:57
mjaxas in, is it when the middleware makes a call to keystone to validate the user?21:57
lbragstadkeystonemiddleware will make a GET /v3/auth/tokens call to the identity service21:58
*** aojea has joined #openstack-keystone21:58
lbragstadthat's when the ^ above path runs21:58
mjaxis that the only time that we need validate_token in keystone?21:58
lbragstaddepends on how you plan to use keystone - if you're exposing it externally then users might want to validate tokens against the identity endpoint (or something like that)21:59
*** prashkre_ has quit IRC21:59
lbragstadin typical openstack deployment (the authenticate and validate APIs are the most used APIs in the deployment)21:59
mjaxI'm curious about your previous pki implementation, since the keystone middleware didn't need to make any call to keystone for validation22:00
lbragstadpki had it's issues22:00
mjaxwhat did you use validate_token in keystone for that implementation?22:00
lbragstadbut the gist of the idea was to have a token format that leverage asymmetric signing to be able to distribute the public keys to each service so the service could validate the token22:00
*** phalmos has joined #openstack-keystone22:01
lbragstadbut - PKI tokens were also validateable against the identity service22:01
lbragstadthere was a configuration option in keystonemiddleware to either validate the token online (against the identity service) or to attempt to validate it offline by checking the signature of the token22:01
*** phalmos has quit IRC22:02
mjaxso in my use case, with the athens token, validating the token is technically unnecessary in keystone and I could just do a pass for now in that method?22:02
lbragstadmjax: if you're not going to have keystonemiddleware make the request - then you don't need to modify keystone22:03
lbragstadyou only have to teach keystone about athens tokens if you expect it to validate them22:03
*** aojea_ has joined #openstack-keystone22:03
mjaxI see, but where do I add code in order to do that?22:04
mjaxI thought that I needed to write a token provider but is that not the case?22:04
lbragstadmjax: that would be in keystonemiddleware which is in a separate project22:04
lbragstadkeystonemiddleware is suppose to run in front of the openstack service22:04
mjaxI guess i'm having some trouble understanding how the overall flow should work22:06
mjaxlets say that a user makes a call to nova boot22:06
*** aojea has quit IRC22:06
mjaxnormally, the user has to be authenticated by keystone is that right?22:07
lbragstadmjax: so - a user needs a token to do anything in nova, right?22:07
lbragstadin normal flows - they get that token from keystone22:08
*** aojea has joined #openstack-keystone22:08
lbragstadand then build their request to nova and pass that token in the request22:08
lbragstadthis is true for all services that want to be protected by keystonemiddleware22:08
lbragstadnova (or the service) is configured via Paste to run middleware that validates that token22:09
lbragstad(this helps reduce duplication and having each service roll their own token validation mechanism)22:09
lbragstadso - as the request comes in to nova it will get processed by keystonemiddleware
lbragstadwhich will pull the token off the request and do one of two things22:10
lbragstad1.) it will validate it against the keystone *server*22:10
*** aojea_ has quit IRC22:10
lbragstad2.) validate it offline depending on the token type (this isn't really used anymore since PKI tokens were the only upstream token format that relied on this)22:11
mjaxso what do you think about keystone being the one to request an athens token, and then pass that token in the request to nova?22:11
lbragstadwouldn't the user already have asked athens for a token?22:12
mjaxpossibly, but I think we still want to incorporate keystone in our flow. From what it sounds like though, if we externally get the token, we can bypass keystone completely, and only need to modify keystone middleware?22:13
*** spzala has quit IRC22:13
*** aojea_ has joined #openstack-keystone22:13
lbragstadmjax: yes - depending on what the goal of your deployment is22:14
lbragstadmjax: this might help you understand the role of keystonemiddleware22:14
lbragstadspecifically -
lbragstadmjax: i gotta run for a bit - but ping me if you have additional questions or if something doesn't make sense22:16
mjaxI'll definitely take a look at that22:16
*** aojea has quit IRC22:16
mjaxlbragstad: thanks for your help all the time! I'll definitely need to ask more later. Really thankful for how responsive you are22:17
*** aojea has joined #openstack-keystone22:18
openstackgerritSamriddhi proposed openstack/keystone master: Fill in content in User Documentation
lbragstadmjax: anytime - that's what we're here for22:21
*** aojea_ has quit IRC22:21
*** edmondsw has quit IRC22:23
*** aojea has quit IRC22:26
*** edmondsw has joined #openstack-keystone22:26
*** phalmos has joined #openstack-keystone22:29
*** edmondsw has quit IRC22:31
*** henrynash has joined #openstack-keystone22:33
*** phalmos has quit IRC22:33
*** vint_bra has quit IRC22:37
*** dstepanenko has joined #openstack-keystone22:38
*** ducttape_ has quit IRC22:40
*** dstepanenko has quit IRC22:42
openstackgerritSamriddhi proposed openstack/keystone master: Fill in content in CLI Documentation
*** ducttape_ has joined #openstack-keystone22:46
*** efried is now known as efried_zzz22:50
*** ducttape_ has quit IRC22:51
*** dave-mccowan has quit IRC22:51
mjaxlbragstad: I think the reason why we want to use keystone in order to issue tokens is because it means that we don't have to configure each openstack component in our deployment22:51
mjaxeven if we assume that the user already has an athens token ready, it would mean modifying nova, glance, etc separately to look for it, which isn't as maintainable22:52
*** sjain has quit IRC22:57
*** rcernin has quit IRC22:58
*** spzala has joined #openstack-keystone23:13
*** spzala has quit IRC23:17
*** ducttape_ has joined #openstack-keystone23:22
*** thorst_afk has joined #openstack-keystone23:26
*** jmlowe has joined #openstack-keystone23:27
*** ducttape_ has quit IRC23:27
*** thorst_afk has quit IRC23:32
*** ducttape_ has joined #openstack-keystone23:34
*** ducttape_ has quit IRC23:39
*** edmondsw has joined #openstack-keystone23:54
*** edmondsw has quit IRC23:58

Generated by 2.15.3 by Marius Gedminas - find it at!