Friday, 2017-08-18

openstackgerritMerged openstack/keystoneauth master: Protect against missing interface attribute
openstackgerritzhengliuyang proposed openstack/keystone master: Don't need set ephemeral user's domain when mapping
openstackgerritzhengliuyang proposed openstack/keystone master: Update parameters in sp and idp
openstackgerritOpenStack Proposal Bot proposed openstack/oslo.policy master: Updated from global requirements
openstackgerritOpenStack Proposal Bot proposed openstack/python-keystoneclient master: Updated from global requirements
openstackgerritSamuel Pilla proposed openstack/python-keystoneclient master: Add project tags to keystoneclient
knikollalbragstad: few questions about the global-roles patches when you're here.13:19
*** gokhan has joined #openstack-keystone13:34
*** david-lyle has joined #openstack-keystone13:35
*** dklyle has quit IRC13:36
*** sjain has joined #openstack-keystone13:38
lbragstadknikolla: go for it14:02
knikollalbragstad: any reason to global_token (string) vs is_global (bool) ?14:02
lbragstadknikolla: that's a good question14:03
lbragstadi went back and forth on that when i originally wrote this14:03
lbragstadi suppose the controller and manager layers could use booleans and everything gets converted to a 'global' token when in the backend14:04
*** lwanderley has joined #openstack-keystone14:05
knikollalbragstad: that would be more clear i think.14:06
*** efried is now known as fried_rice14:06
knikollai only did a high level pass of the patches though.14:06
lbragstadknikolla: that's fine14:06
knikollatoday should finally have time to do a proper review :)14:06
*** lucasxu has quit IRC14:07
lbragstadknikolla: do you think it's fine that drivers or out-of-tree backends do the conversion of is_global -> global_token then?14:07
*** kukacz has joined #openstack-keystone14:07
lbragstadiirc that was the reason why i passed the global_token directly from the manager14:07
knikollaAren't we killing out of tree assignment?14:08
knikollaOr is that for token?14:09
openstackgerritLance Bragstad proposed openstack/keystone master: Implement manager logic for global roles
*** kukacz_ has quit IRC14:11
openstackgerritLance Bragstad proposed openstack/keystone master: Implement global role assignments for users
lbragstadknikolla:  i think that was out-of-tree resource drivers14:12
knikollalbragstad: true. For domains.14:12
lbragstadknikolla: let me rework those patches and see if it helps14:16
*** david-lyle has quit IRC14:16
*** dklyle has joined #openstack-keystone14:16
knikollalbragstad: getting coffee and doing a proper review now14:18
lbragstadanyone here ever watch Silicon Valley?14:19
knikollalbragstad: i watched half first episode.14:25
knikolladoesn't really count14:25
lbragstadwe just started watching it last night14:26
*** dansmith is now known as superdan14:26
knikollaheard it's good14:27
lbragstadyeah - it's pretty funny14:28
*** itlinux has joined #openstack-keystone14:28
lbragstadi was apprehensive to start it - but so far it's good14:28
*** aojea has quit IRC14:28
knikollalbragstad: i'll give it another shot.14:29
knikollalbragstad: so in the sql case, global roles are stored with target=global_token14:32
lbragstadyeah - the target is 'global' in that case14:33
lbragstadinstead of being a project or domain id14:33
*** itlinux has quit IRC14:36
*** itlinux has joined #openstack-keystone14:37
knikollalbragstad: i think it's better to let drivers decide how to store global roles.14:37
lbragstadknikolla: so converting the boolean to something if they want to?14:38
*** lwanderley has quit IRC14:38
lbragstadand persisting it that way14:38
knikollathey can still ignore the string if they want14:38
openstackgerritLance Bragstad proposed openstack/keystone master: Implement backend logic for global roles
lbragstadknikolla: ^ pushing the boolean into the backend14:39
knikollalbragstad: good that you also fixed the `targets = ['global']` to `[GLOBAL_TOKEN]`14:40
*** lwanderley has joined #openstack-keystone14:40
lbragstadknikolla: yeah14:41
lbragstadnot quite sure why i didn't do that in the first place14:41
knikollalbragstad: when does queens open up for dev?14:43
lbragstadknikolla: it's open14:44
knikollalbragstad: approved ^^14:45
lbragstadi'll repropose the global roles spec to queens today14:46
knikollaalso lift the -2 from project-tags patches14:46
*** lwanderley has quit IRC14:46
openstackgerritMerged openstack/keystone-specs master: Create Queens directory for specs
openstackgerritLance Bragstad proposed openstack/keystone master: Implement manager logic for global roles
openstackgerritLance Bragstad proposed openstack/keystone master: Implement manager logic for global roles
*** itlinux has quit IRC14:56
lbragstadknikolla: good call - done14:58
*** david-lyle has joined #openstack-keystone15:04
*** dklyle has quit IRC15:04
*** davechen has quit IRC15:08
*** links has quit IRC15:10
*** otleimat has joined #openstack-keystone15:14
*** aselius has joined #openstack-keystone15:15
*** john89 has joined #openstack-keystone15:16
*** spilla has joined #openstack-keystone15:23
lbragstadayoung: curious if you have a follow up to ?15:24
lbragstador know if the author hangs out in IRC?15:24
ayounglbragstad, I sent Jose an email but have not heard back from him.  I can ping Tim Bell on Twitter, though...that is always effective?15:24
lbragstadwhen in doubt - always twitter15:25
lbragstadayoung: thank you15:26
openstackgerritGage Hugo proposed openstack/keystone master: Add new tags attribute to project
* lbragstad goes to refill coffee15:27
lbragstadknikolla: i'll repropose the controller bits when i get back15:27
knikollalbragstad: sounds good.15:27
lbragstadknikolla: a more critical eye on the testing of that layer would be good15:27
knikollalbragstad: coffee makes for very critical eyes15:28
knikollaand i've had a lot of it15:28
*** gyee has joined #openstack-keystone15:28
knikollalbragstad: what was the consensus on list dedups?
*** david-lyle has quit IRC15:37
*** dklyle has joined #openstack-keystone15:37
*** dklyle has quit IRC15:44
*** david-lyle has joined #openstack-keystone15:46
*** swain has joined #openstack-keystone15:48
lbragstadknikolla: i tested a few different implementations that dedup lists of dictionaries and timed them15:55
*** sapd has quit IRC15:55
knikollalbragstad: have the results handy?15:56
lbragstadknikolla: sure - let me run them quick15:57
knikollalbragstad: cool. let me rerun that with larger lists and see if that changes anything.16:00
knikollalbragstad: while we don't expect anyone to have more than a few roles on the same project. people might have a lot of projects where they have roles.16:00
knikollaso the scenario changes a bit16:00
lbragstadknikolla: feel free to elaborate on the gist16:00
lbragstador add more test cases to it16:00
*** prashkre has joined #openstack-keystone16:05
*** spilla has quit IRC16:08
*** pcaruana has quit IRC16:12
*** tesseract has quit IRC16:12
*** rcernin has quit IRC16:12
knikollalbragstad: the dict method starts becoming faster at n=516:14
lbragstadknikolla: nice16:14
openstackgerritOctave Orgeron proposed openstack/keystone master: Enables MySQL Cluster support for Keystone
knikollamodify the range loop16:15
*** markvoelker has quit IRC16:16
lbragstadknikolla: i left a note on gagehugo's review16:22
openstackgerritOctave Orgeron proposed openstack/keystone master: Enables MySQL Cluster support for Keystone
lbragstadknikolla: your results would be helpful, too16:22
*** aojea has joined #openstack-keystone16:24
*** stingaci has quit IRC16:25
*** itlinux has joined #openstack-keystone16:29
*** itlinux has quit IRC16:31
*** aojea has quit IRC16:31
lbragstadknikolla: nice16:31
*** ioggstream has quit IRC16:32
knikollalbragstad: since projects for dedup will be in the range of tens, it makes sense to optimize.16:33
lbragstadknikolla: yeah - i'm good with that16:33
gagehugoknikolla lbragstad nice!16:35
gagehugolbragstad knikolla we would have to use dedup_by_dict_values for projects since a list cannot be hashed so list_comprehension won't work and the list is not guaranteed to be in order so "project in unique_projects" won't work either if the tags are the same but out of order16:51
knikollacheck your emails for talk approval notifications for sydney16:51
knikollagagehugo: yeah, we should use the dict method.16:51
gagehugowill do, thanks for putting that example together16:52
lbragstadgagehugo: a containment check does a deep copy comparison though16:54
lbragstadso order shouldn't matter16:54
lbragstadi think?16:54
lbragstadbut dedup_by_dict_values is more performant16:55
gagehugolbragstad idk, the test originally was failing even though it was the same project, but the tags were returned out of order16:57
lbragstadweird, i figured a deep copy comparison would catch that!16:57
lbragstadoh - wait.. it is16:58
lbragstadit doesn't consider the lists to be the same if they are ordered differently16:58
gagehugothe list messes it all up16:58
gagehugofor anything else in the object, it works fine16:59
*** itlinux has quit IRC17:03
*** lucasxu has joined #openstack-keystone17:06
*** stingaci has joined #openstack-keystone17:18
lbragstadknikolla: double checking here - but global roles don't make any sense with inheritance do they?17:18
lbragstadglobal role assignment should only be direct role assignments17:19
knikollalbragstad: yes17:19
knikollalbragstad: or implied?17:19
lbragstadinheritance - specifically17:21
lbragstadi can kinda think of cases where implied roles make sense globally17:21
*** stingaci has quit IRC17:22
knikollai agree about inheritance. i was thinking ahead.17:25
knikollalbragstad: so in terms of implication. "project/domain -> global", "global -> global" kinda make sense17:28
lbragstadknikolla: for implied roles or inherited roles17:29
lbragstadimplied right?17:29
knikollaimplied yes. i'm thinking out loud.17:29
lbragstadi was more thinking 'admin' implies 'member' which implies 'observer'17:30
knikollahmmm.. let me refresh my implied roles.17:31
lbragstadand assigning Jane 'admin' globally means that her effective assignments would include 'admin', 'member', and 'observer' through expanding the implied roles17:31
knikollalbragstad: yes. global -> global. right?17:32
lbragstadbut i'm not sure i completely understand what you mean by global -> global17:32
lbragstador are you saying the following should be possible:17:33
knikollalbragstad: i was thinking if there was any use case where we want to be able to imply a global role from a non global role.17:33
lbragstad'admin' implies 'member' on Project A17:33
lbragstador 'admin' on Project A implies 'observer' globally17:33
knikollathe second17:34
*** itlinux has joined #openstack-keystone17:34
lbragstadmy knee jerk reaction is to say that's dangerous17:34
lbragstadis there a use case floating around from something like that?17:35
knikollaexcept for making the transition smoother17:35
knikollanothing pops into my mind17:35
lbragstadyeah - so for the transition they can either do something like ^ with implied roles17:36
lbragstador grant the users who need global rights a role globally17:36
knikollalet's only allow global implies global then. unless someone brings a plausible use case.17:37
lbragstadi agree17:38
lbragstadiirc we have similar constraints on global roles and domain roles17:39
lbragstadwhere you can't have one imply the other17:39
lbragstadknikolla: well - we technically have global roles17:42
lbragstadbut you just can't assign them globally17:42
lbragstadwhen you create a role, it's available for use by any project or domain17:42
lbragstadbut we also have domain role which are only available for assignment within that domain17:42
lbragstaddomain roles*17:42
knikollalbragstad: oh right.17:42
lbragstadi want to say we have a restriction somewhere in the implied roles API that prevents you from having a domain role imply a "global" role or vice versa17:43
knikollalbragstad: in my mind they're just "normal" roles, haha.17:43
lbragstadknikolla: right17:43
lbragstadknikolla: "well, you see, they're global roles, but they're not..."17:43
knikollalbragstad: "the good, the bad and the ugly: the three types of keystone roles"17:44
knikolla(after we add global global)17:44
lbragstadone global to rule them all17:44
* lbragstad is now officially confused17:45
lbragstadthe inherited + implied + global stuff is going to take a *lot* of testing17:48
*** lucasxu has quit IRC17:48
knikollalbragstad: hmmm... the thing i said about three types of roles is actually wrong.17:48
knikollaas we're allowing global role assignment with "normal" roles. right?17:48
knikollanormal as in non-domain roles.17:49
lbragstadknikolla: correct17:49
lbragstadknikolla: keystone doesn't have the ability to create per project roles17:49
knikollalbragstad: yep. it's just that they need to have a project/domain target.17:50
knikollawhen assigned17:50
*** juliandemille has joined #openstack-keystone17:51
lbragstadknikolla: you mean global roles today?17:51
juliandemilleHello everyone, I've been having some issues with Keystone on a CentOS 7 system and would like to know how to troubleshoot it17:53
knikollalbragstad: i think i have a pretty clear idea now.17:53
*** itlinux has quit IRC17:54
knikollalbragstad: got myself confused mostly by repeatedly reading bp/global-roles and assuming that they'd be a different type rather than just a different assignment.17:55
lbragstadknikolla: ideally, we could go through and attempt to apply a consistent pattern to the assignment API17:55
lbragstadwhen creating a role you can specify a domain, a project, or None17:55
lbragstadwhich denotes where that role can be used17:56
lbragstadNone means that it can be used by all projects and all domains (hence being global)17:56
lbragstadwhen creating a role assignment - you can grant a role to three scopes, a domain, a project, or None17:56
lbragstadNone is effectively global17:56
lbragstadthen it's all a matter of validation17:56
lbragstadif the role is project-specific, make sure it matches the project in the assignment17:57
juliandemilleThe error log is at this pastebin:
lbragstadjuliandemille: looks like you need to install memcached17:57
lbragstador python-memcached17:57
lbragstadknikolla: the same thing would apply for domain roles and domain role assignments17:58
juliandemille@lbragstad Pip claims python-memcached is installed, and Yum claims memcached is installed17:58
knikollalbragstad: hmmm.. that would require a lot of work on the policy side.17:58
lbragstadknikolla: it would17:59
lbragstadknikolla: the nice part would be that if you build the API to accept generalized targets (regardless of global, domain, or project) you can reuse all of it to implement global roles, global role assignments, domain roles, domain role assignments, project roles, and project role assignments17:59
knikollalbragstad: that is true. #v418:00
lbragstadjuliandemille: actually - it looks like it's tripping over a backend import18:02
juliandemillelbragstad: How can I debug that?18:02
lbragstadjuliandemille: are you specifying anything in particular in your config?18:02
lbragstador are you relying on default?18:03
juliandemillelbragstad: I just configured the SQL options18:03
lbragstadjuliandemille: which release are you using?18:03
juliandemillelbragstad: Ocata18:04
lbragstadjuliandemille: and you're specifying your backends like `driver = sql`?18:04
*** stingaci has joined #openstack-keystone18:04
*** itlinux has joined #openstack-keystone18:05
lbragstadjuliandemille: what are you using for a token driver?18:06
juliandemilleLet me check18:06
lbragstadwhat about provider?18:08
lbragstad`keystone.conf [token] provider`18:08
juliandemilleThat line is commented out18:09
*** stingaci has quit IRC18:09
*** mvk_ has quit IRC18:10
lbragstadjuliandemille: it seems to be complaining about:18:13
lbragstadsuper(PersistenceManager, self).__init__(CONF.token.driver)18:13
lbragstadand fails in importutils because it can't load that backend18:13
juliandemilleShould I uncomment it? 'provider = fernet'18:14
lbragstadjuliandemille: well - fernet is the default token provider and sql is the default token driver (which isn't used if fernet is in place)18:14
lbragstadso you could try commenting those out and see what happens using the defaults that are registered in code18:15
*** itlinux has quit IRC18:16
juliandemilleThat throws this error in mod_wsgi:
*** swain has quit IRC18:18
lbragstadjuliandemille: oh - run `keystone-manage fernet_setup`18:19
*** lucasxu has joined #openstack-keystone18:20
lbragstadjuliandemille: can you paste a copy of your config with sensitive stuff redacted?18:20
juliandemillelbragstad: In a minute, yes18:20
*** stingaci has joined #openstack-keystone18:20
juliandemilleAfter running fernet_setup, I got a 401 Unauthorized18:21
lbragstadjuliandemille: you got a 401 when doing what?18:21
lbragstadjust authenticating or validating a token?18:21
juliandemilleTrying the `openstack service create` command18:21
lbragstadwell - we might be past the module issue18:22
lbragstadwhat was the error specifically?18:22
lbragstadthe logs might have more info18:22
juliandemille2017-08-18 14:20:58.594 21745 WARNING keystone.common.wsgi [req-ca081ac6-97ed-4dcb-9375-b2726b163790 - - - - -] Authorization failed. The request you have made requires authentication. from ::118:23
lbragstadthat could be caused by a number of things18:23
lbragstadyou could check to make sure you have the right role to make that request18:24
lbragstadcan you do an `openstack token issue`?18:24
juliandemilleI'm currently using the admin token. How can I make sure it's configured correctly?18:24
*** stingaci has quit IRC18:24
lbragstadjuliandemille: the admin token as in the configuration file?18:25
juliandemillelbragstad: Yes18:25
lbragstadjuliandemille: you're bootstrapping your deployment, right?18:25
juliandemillelbragstad: Bootstrapping it?18:25
lbragstadjuliandemille: does your keystone deployment consist of any information outside of a user?18:25
lbragstaddoes it contain service or endpoints for other things yet?18:26
juliandemillelbragstad: No, it's brand new18:26
lbragstadjuliandemille: we built a utility to help with that and it doesn't require the ADMIN token18:26
openstackgerritGage Hugo proposed openstack/keystone master: Refactor removal of duplicate projects/domains
lbragstadjuliandemille: see the note here -
*** user1911 has joined #openstack-keystone18:28
lbragstadjuliandemille: it essentially boils down to the fact there are two different ways to bootstrap a new keystone deployment18:28
lbragstadthe first, and original, way was to use the ADMIN token and special middleware that would allow you to make *any* request to keystone so long as you knew the shared secret18:28
lbragstadbut... that is a large security vulnerability18:29
lbragstadso we introduced a second way, which is `keystone-manage bootstrap`18:29
lbragstadand it must be done from a keystone-node (not via the API)18:29
juliandemilleOkay, I ran the bootstrap, but I'm still getting a 401 when using the new credentials18:30
lbragstadjuliandemille: are you using an rcfile to source your envs?18:30
lbragstador passing them on the commandline?18:30
juliandemilleCommand line18:30
lbragstadjuliandemille: here is an example of the vars that i use -
user1911@juliandemille: if you set insecure_debug = true in keystone.conf it will tell you why it's failing18:32
lbragstadcan you double check that the vars you're passing on the command line match what bootstrap just created?18:32
*** catinthe_ has joined #openstack-keystone18:33
lbragstad`keystone-manage bootstrap` should have left you with an admin user, admin project, ensured the default domain is in place, and optionally an identity service with endpoints18:33
*** catinth__ has joined #openstack-keystone18:33
juliandemille__init__() got an unexpected keyword argument project_name18:33
juliandemilleNo trace is appearing18:34
lbragstadyou're getting that when you do an `openstack token issue`?18:34
*** catintheroof has quit IRC18:35
lbragstadjuliandemille: sounds like an issue with openstackclient18:35
user1911did you set the identity api version to 3?18:35
user1911--os-identity-api-version 318:36
lbragstador that ^18:36
*** catinthe_ has quit IRC18:37
lbragstadwhat version of python-openstackclient are you using?18:38
lbragstadjuliandemille: can you authenticate via curl and see if that works?18:40
juliandemillelbragstad: How can I do that?18:41
clarkbyou can also pass the debug flag to osc which should show you the curl equivalent requests18:41
lbragstadclarkb: ++18:41
lbragstadi always forget about that18:41
user1911@lbragstad: could i ask you some qq's?18:42
lbragstaduser1911: sure18:42
lbragstadclarkb: we got that race condition with password updates fixed18:42
user1911so i was looking at this line on the keystone policy file:
user1911 "cloud_admin": "role:admin and (is_admin_project:True or domain_id:admin_domain_id)18:42
clarkblbragstad: oh nice, have a link to the patch? curious what the problem was18:42
user1911where it says domain_id:admin_domain_id... isn't the only way to get the domain_id from the domain token?18:43
user1911since project tokens don't seem to have a domain_id associated with them18:43
*** john89 has quit IRC18:44
lbragstaduser1911: yeah - that seems specific to domain_scoped tokens18:44
lbragstadprojects belong to domains though, too18:44
user1911ok that seems unusual to me, since i can't seem to do much with domain tokens18:44
user1911since i assume they don't have a service catalog associated with them18:45
lbragstaduser1911: they do18:45
lbragstaduser1911: you can get a domain scoped token that has a service catalog18:45
user1911oh really?18:45
lbragstadbut - most of openstack doesn't really understand domain scoped tokens yet18:45
lbragstadwe have a lot of policy work to get that realized consistently across the rest of the projects18:45
user1911does that include the openstack client as well?18:46
*** prashkre has joined #openstack-keystone18:46
user1911i'll usually get an error like "service catalog was empty"18:46
user1911if I try to run keystone stuff with a domain token18:46
lbragstad(e.g. listing instances with a project scoped token means something different from listing instances with a domain scoped token)18:46
user1911ok understand that18:47
juliandemilleArgsAlreadyParsedError (HTTP 500) from wsgi18:47
lbragstaduser1911: the openstackclient might omit the service catalog when asking for domain-scoped tokens18:47
user1911ahh that would make sense18:47
lbragstadthe token api has a ?nocatalog query parameter18:48
*** itlinux has joined #openstack-keystone18:49
user1911I see18:49
lbragstadalso - there have been issues with that specific policy file18:49
lbragstadand i don't think it's a drop in replacement for the default policy file18:49
lbragstadcc edmondsw knows more about that though18:50
user1911yes we've been trying to test it as a replacement to our current policy file18:50
juliandemillelbragstad: HTTP 500: ArgsAlreadyParsedError from mod_wsgi18:50
edmondswlbragstad what's the question?18:51
openstackLaunchpad bug 1466485 in OpenStack Identity (keystone) "keystone fails with: ArgsAlreadyParsedError: arguments already parsed: cannot register CLI option" [Critical,Expired]18:51
lbragstadedmondsw: user1911 had some questions on the v3 policy we have in tree18:51
user1911yes, specifically
lbragstadedmondsw: specifically where domain_id:admin_domain_id is used -
edmondswreading back18:52
lbragstaduser1911: beat me to the punch!18:52
lbragstaduser1911: is your nick randomly generated?18:52
edmondswyes, the domain_id bit there is for domain-scoped tokens18:52
lbragstadedmondsw: oh - that makes sense18:53
edmondswthat domain_id:admin_domain_id was a precursor to the is_admin_project:True thing, I believe, and not great18:53
user1911@lbragstad: no i picked it myself :)18:53
edmondswI actually removed it in my customization :)18:53
user1911and yes it's a reference to a shady group of ppl18:53
juliandemillelbragstad: After bruteforcing it, I got a 40118:53
lbragstadedmondsw: oh - that makes sense - i was going to say i haven't heard about that in a while18:54
user1911@edmondsw: so it would make sense if we dropped the domain_id bit?18:54
edmondswuser1911 I think so, but let me check something...18:55
lbragstaduser1911: to the best of my knowledge, i'm not sure it's used18:55
user1911I can see it being used in the future18:57
lbragstadbut i'll defer to edmondsw for clarification :)18:58
edmondswuser1911 I am really dredging my memory here, but I think a few years ago we had the idea of using admin_domain where you had to configure each OpenStack service to know what that was, and that's a mess...18:58
edmondswso we pretty much dropped that in favor of is_admin_project where keystone is the only thing that needs to know what that is18:59
lbragstadjuliandemille: is there anything more specific in the keystone logs?18:59
edmondswuser1911 I believe it's left just for backward compatibility, so I would not use it if I were you18:59
juliandemilleAuthorization failed18:59
edmondswgoing into a mtg now...18:59
user1911@edmondsw: thanks a lot. that clarified quite a bit19:00
edmondswuser1911 np19:00
user1911thanks @lbragstad for the help too!19:00
lbragstaduser1911: anytime!19:00
*** user1911 has quit IRC19:03
*** markvoelker has joined #openstack-keystone19:05
*** lucasxu has quit IRC19:06
*** stingaci has joined #openstack-keystone19:07
juliandemillelbragstad: No additional info from Keystone, just unauthorized19:08
*** stingaci has quit IRC19:11
lbragstadjuliandemille: and you're sure the information specified on the command line matches what you supplied to bootstrap and what bootstrap created?19:12
juliandemilleFairly sure, let me make sure the bootstrap worked19:13
*** itlinux has quit IRC19:15
*** itlinux has joined #openstack-keystone19:18
juliandemilleYes, I am19:18
*** stingaci has joined #openstack-keystone19:22
juliandemillelbragstad: Bootstrap worked correctly, and I am 100% sure I'm passing the right information19:25
lbragstadif you turn on debug logging in keystone does that give you more information?19:26
*** ducttape_ has quit IRC19:26
*** ducttape_ has joined #openstack-keystone19:26
*** stingaci has quit IRC19:30
juliandemillelbragstad: How can I do that?19:33
lbragstadsetting that option to True in your keystone configuration file19:35
juliandemilleThat just gave me a 50019:37
juliandemilleNope, the same bug19:37
lbragstadjuliandemille: yeah - i expected it to give you a little more information in your keystone log file19:40
juliandemilleNothing useful there19:41
*** stingaci has joined #openstack-keystone19:41
*** stingaci has quit IRC19:46
*** cfriesen_ has joined #openstack-keystone19:58
*** stingaci has joined #openstack-keystone19:58
*** edmondsw has quit IRC19:59
cfriesen_has anyone ever considered extending the API to deal more efficiently with many regions?  ie scoping the initial authorization such that the returned endpoints correspond only to a particular region?   Otherwise I could see the endpoint list getting *very* long if there are many regions.19:59
*** stingaci has quit IRC20:02
*** stingaci has joined #openstack-keystone20:14
*** stingaci has quit IRC20:18
*** itlinux has quit IRC20:22
*** aselius has quit IRC20:23
*** otleimat has quit IRC20:23
*** itlinux_ has joined #openstack-keystone20:29
*** stingaci has joined #openstack-keystone20:30
*** kukacz_ has joined #openstack-keystone20:33
*** stingaci has quit IRC20:34
openstackgerritLance Bragstad proposed openstack/keystone master: Implement global role assignments for users
ayounglbragstad, ooooh goody!20:36
ayounglbragstad, are they going to look in the token validation response?20:36
ayoungScope: Global?20:37
ayoungGlobal tokens?20:37
*** kukacz has quit IRC20:37
lbragstadayoung: yeah - something like that20:38
lbragstadayoung: not entirely sure yet - still working those bits out20:38
lbragstadi think i'm going to propose two different ways of getting them though20:38
ayounglbragstad, so long as getting a global scoped token is different from an unscoped token, I think we are ok20:38
ayoungmake it a deliberate action20:38
lbragstadayoung: yeah - that's one of the proposals20:38
ayoungand, just like we can't go from project scoped to project scoped, we can't go from global to project20:38
ayoungWill global roles show up on a project scoped token?20:39
*** stingaci has joined #openstack-keystone20:40
lbragstadayoung: i don't think so?20:40
lbragstadthey will show up when you ask for your role assignments20:41
*** stingaci_ has joined #openstack-keystone20:42
*** stingaci has quit IRC20:46
ayounglbragstad, maybe it is something people can explicitly ask for:  project scoped + global roles.20:47
*** itlinux_ has quit IRC20:48
*** stingaci has joined #openstack-keystone20:48
lbragstadayoung: yeah - possibly20:49
lbragstadayoung: the scoping bits are going to require some thought20:49
lbragstadbesides the obvious cases20:50
ayounglbragstad, also, we need to think what the policy enforcement is going to look like20:50
ayoungI am almost tempted to call them something other than roles20:50
ayounglike clusterroles in kubernetes20:51
ayoungthat way, policy would be:20:51
ayoungglobalrole: admin  or (role: admin and project: project)20:51
*** stingaci_ has quit IRC20:52
lbragstadthat's still coupling the scope check in policy - no?20:52
*** stingaci has quit IRC20:53
*** itlinux has joined #openstack-keystone20:58
*** edmondsw has joined #openstack-keystone20:59
*** prashkre has quit IRC21:00
*** dave-mccowan has quit IRC21:01
juliandemillelbragstad: I've given up, so I reinstalled following the manual's instructions, but now the python-openstackclient doesn't understand project environment variables21:03
lbragstadjuliandemille: did you install the same version of python-openstackclient?21:04
*** edmondsw has quit IRC21:04
juliandemillelbragstad: Both 3.8.2 and 3.12.0 didn't work21:04
*** dave-mccowan has joined #openstack-keystone21:12
*** thorst has quit IRC21:13
*** dave-mccowan has quit IRC21:15
lbragstadjuliandemille: the #openstack-sdks channel might have more information on that21:16
lbragstadsounds like an issue with python-openstackclient21:16
openstackgerritSamuel Pilla proposed openstack/python-keystoneclient master: Add project tags to keystoneclient
*** superdan is now known as dansmith21:19
*** catintheroof has joined #openstack-keystone21:22
*** catinth__ has quit IRC21:25
*** jmlowe_ has joined #openstack-keystone21:28
*** jmlowe has quit IRC21:29
*** thorst has joined #openstack-keystone21:30
*** thorst has quit IRC21:31
*** juliandemille has quit IRC21:32
*** itlinux has quit IRC21:33
*** juliandemille has joined #openstack-keystone21:34
*** aselius has joined #openstack-keystone21:37
*** kukacz_ is now known as kukacz21:40
openstackgerritLance Bragstad proposed openstack/keystone master: Implement global role assignments for groups
openstackgerritLance Bragstad proposed openstack/keystone master: Implement global role assignments for groups
openstackgerritLance Bragstad proposed openstack/keystone master: Implement global role assignments for users
*** kukacz__ has joined #openstack-keystone21:49
*** kukacz has quit IRC21:53
*** kukacz__ has quit IRC21:53
*** catintheroof has quit IRC21:57
*** lbragstad has quit IRC21:59
*** raildo has quit IRC22:19
*** thorst has joined #openstack-keystone22:31
*** thorst has quit IRC22:36
*** ducttap__ has joined #openstack-keystone22:46
*** edmondsw has joined #openstack-keystone22:48
*** ducttape_ has quit IRC22:50
*** edmondsw has quit IRC22:52
*** stingaci has joined #openstack-keystone23:12
*** ducttape_ has joined #openstack-keystone23:14
*** ducttap__ has quit IRC23:18
*** thorst has joined #openstack-keystone23:37
*** thorst has quit IRC23:41
