Tuesday, 2017-08-22

*** thorst has quit IRC00:02
*** catintheroof has quit IRC00:25
*** thorst has joined #openstack-keystone00:25
*** thorst has quit IRC00:26
*** Shunli has joined #openstack-keystone00:36
*** zhurong has joined #openstack-keystone00:45
*** zxy has joined #openstack-keystone00:50
*** sbezverk has joined #openstack-keystone01:07
*** thorst has joined #openstack-keystone01:26
*** thorst has quit IRC01:31
*** guoshan has joined #openstack-keystone01:39
*** thorst has joined #openstack-keystone01:51
*** thorst has quit IRC01:51
*** otleimat has quit IRC01:54
openstackgerritchenaidong1 proposed openstack/keystone master: Delete rundant code    _trustor_trustee_only has been called in function TrustV3::get_trust. It is not necessary to be called again.  https://review.openstack.org/496065 02:19
openstackgerritchenaidong1 proposed openstack/keystone master: Delete rundant code  https://review.openstack.org/496065 02:22
*** aselius has quit IRC02:22
openstackgerritchenaidong1 proposed openstack/keystone master: Delete redundant code  https://review.openstack.org/496065 02:22
*** mjax has quit IRC02:24
*** mjax has joined #openstack-keystone02:25
*** mvk_ has quit IRC02:25
*** mjax has quit IRC02:28
*** catintheroof has joined #openstack-keystone02:30
*** mvk_ has joined #openstack-keystone02:36
*** thorst has joined #openstack-keystone02:52
*** mjax has joined #openstack-keystone02:54
*** mjax has quit IRC02:55
*** nicolasbock has quit IRC02:57
*** thorst has quit IRC02:57
*** catintheroof has quit IRC02:57
*** itlinux has joined #openstack-keystone03:04
*** ayoung has quit IRC03:08
SamYaplehey all. im looking for an idempotent way to make sure the users password is set to a certain value. does the api offer anything that will let me know if the users password matches a certain value?03:16
*** itlinux has quit IRC03:21
*** itlinux has joined #openstack-keystone03:35
*** itlinux has quit IRC03:36
*** dave-mccowan has quit IRC03:40
*** afanti has joined #openstack-keystone03:43
*** links has joined #openstack-keystone03:51
*** thorst has joined #openstack-keystone03:53
*** thorst has quit IRC03:59
*** itlinux has joined #openstack-keystone04:16
*** zxy has quit IRC04:19
*** itlinux has joined #openstack-keystone04:49
*** thorst has joined #openstack-keystone04:54
*** markvoelker has quit IRC04:54
*** thorst has quit IRC04:58
*** masber has quit IRC05:02
*** itlinux has quit IRC05:17
*** mvpnitesh has joined #openstack-keystone05:22
*** mkrcmari__ has joined #openstack-keystone05:28
*** links has quit IRC05:30
*** mvk_ has quit IRC05:31
*** links has joined #openstack-keystone05:33
*** hoonetorg has quit IRC05:34
*** edmondsw has joined #openstack-keystone05:42
*** zxy has joined #openstack-keystone05:44
*** zxy has quit IRC05:45
*** zxy has joined #openstack-keystone05:45
*** edmondsw has quit IRC05:47
*** zxy has quit IRC05:48
*** zxy has joined #openstack-keystone05:48
*** hoonetorg has joined #openstack-keystone05:49
*** masber has joined #openstack-keystone05:55
*** thorst has joined #openstack-keystone05:55
*** zxy has quit IRC05:58
*** zxy has joined #openstack-keystone05:59
*** thorst has quit IRC05:59
*** zxy has quit IRC06:05
*** zxy has joined #openstack-keystone06:06
*** hoonetorg has quit IRC06:14
*** hoonetorg has joined #openstack-keystone06:21
openstackgerritlu.li proposed openstack/keystone-specs master: Update "priviledged" to "privileged" in doc  https://review.openstack.org/496107 06:23
*** zxy has quit IRC06:35
*** zxy has joined #openstack-keystone06:37
*** rcernin has joined #openstack-keystone06:45
*** pcaruana has joined #openstack-keystone06:45
*** jistr is now known as jistr|trng06:53
*** zxy has quit IRC06:54
*** markvoelker has joined #openstack-keystone06:55
*** thorst has joined #openstack-keystone06:56
*** thorst has quit IRC07:00
*** tesseract has joined #openstack-keystone07:20
*** ioggstream has joined #openstack-keystone07:21
*** belmoreira has joined #openstack-keystone07:29
*** markvoelker has quit IRC07:29
*** edmondsw has joined #openstack-keystone07:30
*** edmondsw has quit IRC07:35
-openstackstatus- NOTICE: Gerrit is going to be restarted due to slow performance07:36
-openstackstatus- NOTICE: Gerrit has been restarted successfully07:40
*** dikonoor has joined #openstack-keystone07:55
*** thorst has joined #openstack-keystone07:57
*** abhishek has joined #openstack-keystone08:00
*** thorst has quit IRC08:01
*** markvoelker has joined #openstack-keystone08:26
*** aojea has joined #openstack-keystone08:32
*** mvpnitesh has quit IRC08:36
*** mvpnitesh has joined #openstack-keystone08:37
*** mvk_ has joined #openstack-keystone08:39
*** mvpnitesh has quit IRC08:41
*** mvpnitesh has joined #openstack-keystone08:41
*** mkrcmari__ has quit IRC08:43
*** aojea has quit IRC08:44
*** mvpnitesh has quit IRC08:45
*** mvpnitesh has joined #openstack-keystone08:45
*** mvpnitesh has quit IRC08:49
*** mvpnitesh has joined #openstack-keystone08:50
*** mvpnitesh has quit IRC08:53
*** mvpnitesh has joined #openstack-keystone08:54
*** mkrcmari__ has joined #openstack-keystone08:54
*** mvk_ has quit IRC08:57
*** thorst has joined #openstack-keystone08:57
*** mvpnitesh has quit IRC08:58
*** mvpnitesh has joined #openstack-keystone08:58
*** markvoelker has quit IRC09:00
*** mvpnitesh has quit IRC09:02
*** thorst has quit IRC09:02
*** mvpnitesh has joined #openstack-keystone09:02
*** mvk has joined #openstack-keystone09:03
*** mkrcmari__ has quit IRC09:06
*** mvpnitesh has quit IRC09:06
*** mvpnitesh has joined #openstack-keystone09:06
*** mvpnitesh has quit IRC09:11
*** mvpnitesh has joined #openstack-keystone09:11
*** aojea has joined #openstack-keystone09:12
*** Shunli has quit IRC09:30
*** abhishek has quit IRC09:32
*** abhi89 has joined #openstack-keystone09:33
*** mvpnitesh has quit IRC09:38
*** mvpnitesh has joined #openstack-keystone09:39
*** faizy has joined #openstack-keystone09:40
*** mvpnitesh has quit IRC09:46
*** mvpnitesh has joined #openstack-keystone09:46
*** mvpnitesh has quit IRC09:54
*** nicolasbock has joined #openstack-keystone09:56
*** markvoelker has joined #openstack-keystone09:57
*** thorst has joined #openstack-keystone09:58
*** nicolasbock has quit IRC10:01
*** thorst has quit IRC10:03
*** nicolasbock has joined #openstack-keystone10:13
*** zhurong has quit IRC10:17
*** mvpnitesh has joined #openstack-keystone10:21
*** abhi89 has quit IRC10:22
*** markvoelker has quit IRC10:31
*** guoshan has quit IRC10:33
*** mvpnitesh has quit IRC10:51
*** zeus has quit IRC10:59
*** zeus has joined #openstack-keystone11:00
*** DinaBelova has quit IRC11:00
*** freerunner has quit IRC11:00
*** zeus is now known as Guest90692 11:00
*** DinaBelova has joined #openstack-keystone11:00
*** htruta has quit IRC11:00
*** htruta has joined #openstack-keystone11:00
*** junbo has quit IRC11:01
*** Dinesh_Bhor has quit IRC11:01
*** kukacz has quit IRC11:01
*** Adobeman has quit IRC11:01
*** alex_xu has quit IRC11:02
*** Adobeman has joined #openstack-keystone11:03
*** vryzhenkin has joined #openstack-keystone11:04
*** Dinesh_Bhor has joined #openstack-keystone11:05
*** junbo has joined #openstack-keystone11:05
*** alex_xu has joined #openstack-keystone11:06
*** edmondsw has joined #openstack-keystone11:06
*** thorst has joined #openstack-keystone11:07
*** kukacz has joined #openstack-keystone11:07
*** edmondsw has quit IRC11:10
*** thorst has quit IRC11:11
*** lwanderley has joined #openstack-keystone11:24
*** markvoelker has joined #openstack-keystone11:28
*** raildo has joined #openstack-keystone11:34
*** gokhan has joined #openstack-keystone11:40
gokhanhi folks, we have a problem in our environment about keystone or mysql. When we reach 120 concurrent connections, we get an exception at this line: https://github.com/ContainX/openstack4j/blob/master/core/src/main/java/org/openstack4j/openstack/identity/v3/internal/UserServiceImpl.java#L58 11:44
*** edmondsw has joined #openstack-keystone11:45
gokhancan somebody help identify the problem whether it is from keystone or mysql config11:45
*** mberktas has joined #openstack-keystone11:51
*** faizy has quit IRC11:55
*** faizy has joined #openstack-keystone11:57
*** faizy has quit IRC11:58
*** faizy has joined #openstack-keystone11:58
*** markvoelker has quit IRC12:01
*** aojea has quit IRC12:07
*** aojea has joined #openstack-keystone12:10
*** thorst has joined #openstack-keystone12:11
*** faizy has quit IRC12:15
*** abhi89 has joined #openstack-keystone12:17
*** abhi89 has quit IRC12:19
*** abhi89 has joined #openstack-keystone12:19
*** aojea has quit IRC12:21
*** lwanderley has quit IRC12:24
*** lwanderley has joined #openstack-keystone12:31
*** markvoelker has joined #openstack-keystone12:32
lbragstadgokhan: do you happen to have a trace or an error from keystone?12:33
*** dave-mccowan has joined #openstack-keystone12:33
*** aojea has joined #openstack-keystone12:36
mberktas@lbragstad, yes we have an exception stack trace, i will send a pastebin link in a minute12:39
*** rmascena has joined #openstack-keystone12:40
*** jmlowe has joined #openstack-keystone12:41
*** raildo has quit IRC12:42
mberktashere is the exception trace: http://paste.openstack.org/show/619023/ 12:42
mberktas@lbragstad ^^12:42
lbragstadmberktas: looks like you received a 503 from the server?12:43
lbragstaddo you have a trace from that?12:43
*** thorst is now known as thorst_afk12:49
mberktas@lbragstad : in apache2 error.log files we dont have any errors other than this: "[Wed Aug 16 19:48:38.933525 2017] [mpm_event:error] [pid 33627:tid 140064641460096] AH00485: scoreboard is full, not at MaxRequestWorkers"12:54
mberktasdo you think that this error is related to our problem?12:54
lbragstadyeah - i could see that causing a 503 12:55
lbragstadlooks like the webserver is having a hard time supporting that many clients12:55
*** zhurong has joined #openstack-keystone12:57
mberktas@lbragstad : isn't 120 concurrent clients a bit low for apache2 running on a server having 48 cores and 256 GB ram?12:58
mberktasis this the result of a configuration parameter that we can increase?12:58
*** lwanderley has quit IRC13:03
*** aojea has quit IRC13:05
*** aojea has joined #openstack-keystone13:10
*** voelzmo has joined #openstack-keystone13:27
*** ayoung has joined #openstack-keystone13:36
kmalloclbragstad: mmmm so my convo went well today, will have some updates and possibly a high-level write up of the DHT keystone concept by the PTG13:38
* kmalloc needs more coffffeeeeeeeee13:39
*** gokhan has quit IRC13:43
ayoungkmalloc, DHT?  I thought that was still considered a controlled substance?13:45
kmallocayoung: yeah it probably is13:46
ayoungSeriously, tho, what is DHT?13:46
kmallocdistributed hash table13:50
kmallocjust had a very nice convo about some concepts for global keystone data sets that can be validated directly at the endpoints. -- solving some of the "replication" and "project in every region" kind of issues that we keep getting asked about13:51
kmalloci'll have a brief for it in a week or so.13:51
kmallocand i plan to chat with a couple folks at the PTG once i've fleshed it out a bit more13:52
ayoungkmalloc, ah, that Blockchain quip you threw out last week?13:52
kmallocthat is part of it13:53
ayoungcool.  look forward to seeing it.  It makes sense to me13:53
*** lucasxu has joined #openstack-keystone13:54
ayoungkmalloc, it's actually the exact opposite of PKI tokens.  It is PKI everything but the token13:54
*** aojea has quit IRC13:55
*** aojea has joined #openstack-keystone13:56
*** voelzmo has quit IRC14:01
*** sjain has joined #openstack-keystone14:02
*** jdennis has quit IRC14:04
*** dikonoor has quit IRC14:04
*** jdennis has joined #openstack-keystone14:04
lbragstadkmalloc: ack - i look forward to reading your writeup14:09
lbragstadkmalloc: you want some time at the ptg to go through it?14:09
kmallocit probably wont be more than a one-pager14:10
kmallocthere is a lot to cover before it's more in depth14:11
lbragstadkmalloc: are you planning on doing it on an etherpad?14:11
kmalloci'm going to chat with a couple people hallwaytrack14:11
kmallocnot really much else14:11
kmalloci don't want folks too excited about it / too dreamy until it becomes more real14:11
*** voelzmo has joined #openstack-keystone14:11
*** jmlowe has quit IRC14:13
*** zhurong has quit IRC14:19
*** links has quit IRC14:20
*** gagehugo has joined #openstack-keystone14:23
*** sjain has quit IRC14:36
*** aojea has quit IRC14:37
*** aojea has joined #openstack-keystone14:40
*** jmlowe has joined #openstack-keystone14:40
*** aojea has quit IRC14:54
*** aojea has joined #openstack-keystone14:55
lbragstadknikolla: gagehugo o/15:03
knikollalbragstad: o/15:04
*** aojea has quit IRC15:05
knikollaAlmost done reviewing the global role assignment stuff. Spent some time familiarizing myself with the assignment system and policy.15:05
lbragstadnice - that will be useful15:05
lbragstadknikolla: i plan on writing up a patch to do the scoping bits today and tomorrow15:05
lbragstadonce i get through a bunch of email and planning related stuff15:06
*** aojea has joined #openstack-keystone15:08
*** gyee has joined #openstack-keystone15:11
openstackgerritStephen Finucane proposed openstack/oslo.policy master: generator: Reimplement wrapping of 'description'  https://review.openstack.org/485646 15:14
*** rcernin has quit IRC15:15
*** aselius has joined #openstack-keystone15:16
*** leitan has joined #openstack-keystone15:18
leitanHi guys, i have a quick question regarding keystone token caching15:18
leitanwere using fernet as token provider15:18
leitandoes the protected api need to share the same memcached backend with the keystone api, in order to "caching" works correctly ?15:19
lbragstadleitan: by protected API do you mean https://github.com/openstack/keystone/blob/master/keystone/identity/controllers.py#L315 ?15:20
leitanlbragstad: sorry, i mean the API that is consuming keystone as the auth backend, nova, neutron, gnocchi15:21
leitanso basically if the client (gnocchi for example) need to share the same memcached as the keystone server itself15:21
lbragstadoh - so does keystone need to share the same memcache instance as the other services?15:21
leitanlbragstad: correct15:21
lbragstadleitan: it does not15:21
lbragstadleitan: it can run separately15:22
*** aojea has quit IRC15:22
lbragstadbut - having a pool of memcached servers for a single deployment is beneficial if you're deploying multiple keystone nodes15:22
lbragstadthe library that keystone uses to implement caching supports sharding across a cluster of memcached servers15:23
leitanlbragstad: perfect, that's what i thought, im getting a lot of timeouts from keystoneauth115:23
leitanlbragstad: yes i have that setup 3 memcached servers15:23
leitanlbragstad: so the question here is, why if its the same token, im going to ask keystone at every single request15:23
leitanprobably the reason of the timeouts is that im flooding keystone15:24
lbragstadleitan: you mean why does glance pass the token to keystone after nova just validated it against keystone?15:24
leitanim testing gnocchi, and im using the same token for stressing out the API15:24
leitanand i got a lot of urllib connection pool full, talking to keystone15:25
leitanso im assuming that is going to keystone for each request15:25
*** rderose has joined #openstack-keystone15:25
lbragstadyeah - each service has middleware running in front of it that ensures the token used to make the request is valid15:26
leitani just run a tcpdump and confirmed15:27
leitanthat is going to the 35357 15:27
leitanis that correct ?15:27
lbragstadif 35357 is referring to the port keystone is running on - yes15:27
leitanlbragstad: yes, is there way to avoid gnocchi going to keystone every time ? i thought that caching will prevent this from happening15:28
lbragstadleitan: fwiw - there is caching functionality available in keystonemiddleware, too15:28
lbragstadleitan: there are two different types of caching15:28
lbragstadleitan: it sounds like the caching you want is caching in middleware15:28
lbragstadwhich makes it so that middleware doesn't have to put the token on the wire to validate it against an identity API server15:29
leitanmemcached_servers =,,
leitanendpoint_type = internal15:29
leitanmemcache_security_strategy = ENCRYPT15:29
leitanmemcache_secret_key = lalalala15:29
leitanlbragstad: yes i have that configured on the gnocchi side, pasted above15:29
leitanon the keystone_authtoken section15:29
leitanlbragstad: keystonemiddleware (4.14.0)15:30
lbragstadleitan: have you seen the middleware configuration guide? https://docs.openstack.org/keystonemiddleware/latest/middlewarearchitecture.html#configuration 15:33
lbragstadthere are suggestions in there about improving performance with caching15:33
lbragstadalso - can you confirm the token is actually being stored in memcache?15:33
leitanlbragstad: i can do that15:34
leitanlbragstad: this is my authtoken middleware section on gnocchi -> http://paste.openstack.org/show/E4kQcechThMdPT6Qb3Uz/ 15:34
leitanlbragstad: for what i see on the middleware guide, i have everything i need configured there15:37
lbragstadleitan: can you confirm that keystonemiddleware is in fact passing the token to memcached?15:41
leitanlbragstad: ill try it now15:41
leitanlbragstad: i see the gnocchi host talking with the 3 memcached when i run the benchmark, ill try to confirm if the key is there, but its encrypted15:46
lbragstadok - that's a good sign15:47
*** otleimat has joined #openstack-keystone15:50
*** nkinder has joined #openstack-keystone15:51
*** belmoreira has quit IRC15:55
*** afanti has quit IRC15:55
*** thorst_afk has quit IRC15:55
leitanlbragstad: well ... this is embarrassing15:56
lbragstadleitan: is every request to gnocchi using a different token?15:57
leitanlbragstad: no, same token15:57
*** thorst_afk has joined #openstack-keystone15:57
lbragstadleitan: oh - what did you find?15:57
leitanlbragstad: but ... gnocchi was pointing at old memcached servers ... , we changed our local memcached to elasticache ... seems that the jinja template for the memcached servers didn't get updated15:57
lbragstadah - so it couldn't establish a connection to the new pool?15:58
leitanlbragstad: now i got 10x the performance15:58
lbragstadleitan: woo!15:58
leitanlbragstad: indeed15:58
leitanlbragstad: sorry to waste your time :(15:58
*** lwanderley has joined #openstack-keystone15:58
lbragstadleitan: sometimes rubber duck debugging is the best15:58
lbragstadleitan: no worries - glad you got it all squared away :)15:59
leitanlbragstad: sometimes you just need a listening shoulder15:59
leitanlbragstad: thanks !15:59
lbragstadleitan: anytime!15:59
* leitan feels ashamed15:59
lbragstadleitan: you fixed the issue - no shame in that15:59
*** thorst_afk has quit IRC16:01
*** tesseract has quit IRC16:04
*** thorst_afk has joined #openstack-keystone16:05
*** voelzmo has quit IRC16:06
*** catintheroof has joined #openstack-keystone16:10
openstackgerritMerged openstack/pycadf master: Adding gnocchi_api_audit_map.conf to pycadf  https://review.openstack.org/493428 16:15
lbragstadi think we need to remove a couple things from the release notes for Pike https://docs.openstack.org/releasenotes/keystone/pike.html#b1 16:18
lbragstadwhy does it look like ocata release notes were rendered for Pike?16:18
*** vryzhenkin is now known as freerunner16:25
lbragstadhey team - looks like we're going to have to cut an RC3 16:37
*** pcaruana has quit IRC16:37
lbragstadif you look through the release notes, there are things listed because the release note was updated during the pike cycle16:37
lbragstadso release notes from ocata or newton are rendering for pike release notes16:38
lbragstadin order to fix - we'll have to do two things16:38
lbragstadbackport a patch to update the links for all stable releases16:38
lbragstadthat's #1 ^16:38
lbragstad#2 is to add a patch to stable/pike that ignores specific release notes, like horizon did here https://github.com/openstack/horizon/commit/85fe8f3b5fdf526302831107aee0c372ac5a9fec 16:39
*** ducttap__ has joined #openstack-keystone16:39
lbragstadi'll start working on #1 now and ping when i have stable reviews up16:39
*** ducttape_ has quit IRC16:42
*** mvk_ has joined #openstack-keystone16:45
*** mvk has quit IRC16:48
lbragstadstevemar: kmalloc stable reviews https://review.openstack.org/#/q/topic:bug/1710572 16:54
kmalloclbragstad: +2/+A for all three16:56
lbragstadkmalloc: awesome - thank you17:00
lbragstadkmalloc: working on a patch to stable/pike to ignore the release notes that were updated in the pike release17:00
*** thorst_afk has quit IRC17:13
openstackgerritLance Bragstad proposed openstack/keystone master: Include a link in release note for bug 1698900  https://review.openstack.org/496322 17:15
openstackbug 1698900 in OpenStack Identity (keystone) "DB check appears to not be working right" [High,Fix released] https://launchpad.net/bugs/1698900 - Assigned to Lance Bragstad (lbragstad)17:15
lbragstadkmalloc: since we have to roll a new rc - we should catch ^17:15
lbragstadkmalloc: stable review available here - https://review.openstack.org/#/c/496323/ 17:16
*** swain has joined #openstack-keystone17:30
knikollalbragstad: is one +2 enough for this? https://review.openstack.org/#/c/496322/ 17:33
lbragstadknikolla: sometimes, even for trivial stuff I wait for another person to take a look, unless it's urgent17:35
lbragstadin this case i'd consider it urgent since it should be in the next rc candidate17:36
lbragstadwhich we have to cut this week17:36
knikollalbragstad: approved assuming morgan's +2 on the backport as a "second" review.17:36
lbragstadknikolla: ack - thanks for the review17:36
*** ioggstream has quit IRC17:46
lbragstadgagehugo: around?17:47
gagehugolbragstad o/17:47
lbragstadgagehugo: for https://bugs.launchpad.net/keystone/+bug/1652012 it looks like  https://review.openstack.org/#/c/438035/ merged but https://github.com/openstack/keystone/commit/4a82ab9065a659bbcb838240da113a0509f651aa was the revert?17:48
openstackLaunchpad bug 1652012 in OpenStack Identity (keystone) "token model assumes a token is is_admin_project" [Low,In progress] - Assigned to Gage Hugo (gagehugo)17:48
lbragstadshouldn't https://review.openstack.org/#/c/438035/ have been reverted, too?17:48
gagehugoI think it was?17:49
*** thorst_afk has joined #openstack-keystone17:49
lbragstadgagehugo: it's still in tree https://github.com/openstack/keystone/blob/682cfa5c6d135641797ec9e51299287e8191e858/releasenotes/notes/bug-1652012-b3aea7c0d5affdb6.yaml 17:50
gagehugolbragstad hmm17:50
lbragstadgagehugo: it looks like a related patch was reverted17:51
lbragstadbut the patch that closes that bug is still in tree17:51
gagehugoyeah that note should have been removed17:51
*** mjax has joined #openstack-keystone17:52
openstackgerritLance Bragstad proposed openstack/keystone master: Revert "Change is_admin_project to False by default"  https://review.openstack.org/496338 17:52
lbragstadgagehugo: ^17:52
lbragstadgagehugo: looks like we need a clean up patch that removes the release note17:54
lbragstadsince it looks like it was missed in the revert17:54
lbragstadgagehugo: can you propose that quick?17:54
lbragstadand I'll review17:54
lbragstadgagehugo: thanks17:54
gagehugoI was thinking it got set back to "False" accidentally somewhere since then17:54
lbragstadyeah - kinda confusing17:55
knikollathe number of reviews with topic 968696 is impressive17:55
openstackgerritMerged openstack/pycadf master: changed 'target_endpoint_type' value  https://review.openstack.org/493438 17:55
*** sjain has joined #openstack-keystone17:57
openstackgerritGage Hugo proposed openstack/keystone master: Remove missing release note from previous revert  https://review.openstack.org/496342 17:57
*** rmascena is now known as raildo17:58
lbragstad^ kmalloc17:59
*** Guest90692 is now known as zeus`18:01
*** lwanderley has quit IRC18:02
*** zeus` is now known as zeus18:02
*** zeus has quit IRC18:02
*** zeus has joined #openstack-keystone18:02
*** itlinux has joined #openstack-keystone18:06
*** ioggstream has joined #openstack-keystone18:09
*** ioggstream has quit IRC18:17
*** mvk_ has quit IRC18:18
*** thorst_a_ has joined #openstack-keystone18:18
*** ioggstream has joined #openstack-keystone18:19
*** thorst_afk has quit IRC18:20
*** rmcall has joined #openstack-keystone18:22
*** itlinux has quit IRC18:26
*** ducttape_ has joined #openstack-keystone18:26
*** ducttap__ has quit IRC18:29
*** raildo has quit IRC18:32
*** raildo has joined #openstack-keystone18:32
*** voelzmo has joined #openstack-keystone18:34
*** itlinux has joined #openstack-keystone18:42
*** sjain has quit IRC18:42
*** voelzmo has quit IRC18:46
*** ioggstream has quit IRC18:49
openstackgerritLance Bragstad proposed openstack/keystone master: Revert "Fix wrong links"  https://review.openstack.org/496367 18:54
knikollalbragstad: that yeah. but we need to "ignore" the reverted notes from the "fix wrong links"19:00
*** rbrndt has joined #openstack-keystone19:01
lbragstadknikolla: oh.. yeah19:01
lbragstadi suppose19:01
knikollaas the files would be touched in master.19:02
knikollaat least if my understanding is correct.19:02
lbragstad#startmeeting keystone-office-hours 19:02
openstackMeeting started Tue Aug 22 19:02:25 2017 UTC and is due to finish in 60 minutes.  The chair is lbragstad. Information about MeetBot at http://wiki.debian.org/MeetBot. 19:02
openstackUseful Commands: #action #agreed #help #info #idea #link #topic #startvote.19:02
openstackThe meeting name has been set to 'keystone_office_hours'19:02
knikollao/ reporting for office hours19:03
lbragstadkmalloc: mind lifting your -2 here? https://review.openstack.org/#/c/496343/ 19:04
lbragstadwe'll need that based on how reno operates19:04
kmallocin pike?19:04
kmallocwe didn't land the pike change did we?19:04
kmallocjust the master one(s)?19:04
lbragstadwe need to ignore those release notes from rendering in pike release notes19:05
kmallocright, we landed the change in pike?!19:05
kmallocor just master19:05
lbragstadyes - let me grab the link19:05
kmallocwant to be sure.19:05
kmallocrelated: ugh19:05
*** abhi89 has quit IRC19:05
lbragstad#link https://github.com/openstack/keystone/commit/77500b3615ae94ea45837f3fc0d503c8aadcc462 19:06
kmalloccan we just make this a tree of static files instead? [i know not today]19:06
kmalloclbragstad: that landed in master 8 days ago19:06
kmallocstable/pike was already split19:06
kmallocnot landed.19:07
lbragstad^ they still render there for the pike notes19:07
lbragstadbecause those links changed19:07
kmallochow did the links change in the pike branch?19:08
kmallocwe didn't land the change19:08
kmallocsomething is broken in the rendering system not in our repo then19:08
kmallocit's rendering from master not stable/pike19:08
kmallocland the ignore in master, we have to do that19:08
kmallocbut we shouldn't need to in pike19:08
kmallocif we do, something else is broken19:09
kmalloci think we horked this up because i think the reno is always rendered from master19:09
kmallocmeaning we are effectively broken19:09
kmallocon the docs page19:09
kmallocif we did not land a change to the release notes on stable/pike how are the changed links affecting the release notes19:11
kmallocthis really is not making sense.19:11
lbragstadkmalloc: want me to see if dhellmann will join us here?19:12
kmallocif those are rendering in pike and the fix landed in master we have a bigger problem.19:12
kmalloci am guessing things are not rendering from the right places19:12
lbragstadkmalloc: that would appear to be the case19:13
*** raildo has quit IRC19:16
*** itlinux has quit IRC19:21
*** ducttap__ has joined #openstack-keystone19:27
*** ducttape_ has quit IRC19:30
*** raildo has joined #openstack-keystone19:31
*** sbezverk has quit IRC19:35
*** sbezverk has joined #openstack-keystone19:37
*** ducttape_ has joined #openstack-keystone19:40
*** ducttap__ has quit IRC19:43
*** itlinux has joined #openstack-keystone19:47
*** portdirect is now known as tintin20:03
*** tintin is now known as portdirect20:04
*** rderose has quit IRC20:14
*** rmcall has quit IRC20:30
*** rmcall has joined #openstack-keystone20:31
*** lucasxu has quit IRC20:31
*** jmlowe has quit IRC20:32
*** MasterOfBugs has joined #openstack-keystone20:36
openstackgerritMerged openstack/keystone master: Include a link in release note for bug 1698900  https://review.openstack.org/496322 20:37
openstackbug 1698900 in OpenStack Identity (keystone) "DB check appears to not be working right" [High,Fix released] https://launchpad.net/bugs/1698900 - Assigned to Lance Bragstad (lbragstad)20:37
*** ayoung has quit IRC20:38
*** jmlowe has joined #openstack-keystone20:41
*** jmlowe has quit IRC20:43
*** rcernin has joined #openstack-keystone20:50
*** flwang has quit IRC20:54
openstackgerritLance Bragstad proposed openstack/keystone master: Clarify documentation for release notes  https://review.openstack.org/496417 20:55
lbragstadcc kmalloc ^20:56
lbragstadi also had to update https://review.openstack.org/#/c/496343/ 20:56
*** flwang has joined #openstack-keystone20:57
*** dave-mccowan has quit IRC20:58
openstackgerritMerged openstack/keystone master: Remove missing release note from previous revert  https://review.openstack.org/496342 20:59
*** StefanPaetowJisc has joined #openstack-keystone20:59
*** itlinux has quit IRC20:59
lbragstadsweet - https://review.openstack.org/#/c/496343/ is the only thing we need for rc3 21:01
*** aojea has joined #openstack-keystone21:02
*** dave-mccowan has joined #openstack-keystone21:02
*** jmlowe has joined #openstack-keystone21:04
*** itlinux has joined #openstack-keystone21:06
mjaxAnyone know what the middleware module in keystone does? I'm having some trouble with understanding its functionality21:09
*** jmccrory has quit IRC21:13
*** jmccrory has joined #openstack-keystone21:14
lbragstadmjax: are you referencing https://github.com/openstack/keystone/tree/master/keystone/middleware or https://github.com/openstack/keystonemiddleware ?21:17
mjaxlbragstad: /keystone/keystone/middleware21:17
lbragstadmjax: ah - so that's "middleware" that runs in the paste pipeline in front of keystone21:18
mjaxlbragstad: is it mainly in charge of interacting with wsgi? Does it have any specific connection to keystonemiddleware?21:19
lbragstadmjax: no - not really, keystonemiddleware is a separate project that is designed to run in front of other services21:19
lbragstadmjax: for example json_body middleware runs in front of keystone21:20
lbragstadas noted in the paste pipeline21:20
lbragstadand following the entry point here - https://github.com/openstack/keystone/blob/master/setup.cfg#L195 21:21
mjaxlbragstad: I see, was curious because of the shared name and the import in auth.py21:21
*** thorst_a_ has quit IRC21:21
lbragstadmjax: yeah - keystone/middleware is specific to keystone21:22
lbragstadkeystonemiddleware is a generic middleware for other openstack services to use21:22
lbragstad(e.g. keystonemiddleware is what sits in front of nova or cinder)21:22
*** aahh has joined #openstack-keystone21:23
*** thorst_afk has joined #openstack-keystone21:24
mjaxlbragstad:  thanks, got it. By the way is the /keystone/auth the first point where keystone tries to authenticate a user? Will services also authenticate from there21:24
lbragstadboth services and users interact with the same endpoint for authentication21:25
mjaxwhich endpoint is that?21:25
lbragstadeither /v2.0/tokens or /v3/auth/tokens21:26
lbragstadGET /v3/auth/tokens is validate token21:26
lbragstadand POST /v3/auth/tokens is authenticate for token21:26
mjaxhmm I see, will the token differ depending on whether it's a service or user trying to authenticate21:26
lbragstadno - keystone doesn't know if it's a service or a user authenticating21:27
*** thorst_afk has quit IRC21:28
lbragstadservices like nova have a service account (e.g. a user named nova) that they use to make API requests21:28
mjaxright - how do the service account's password and credentials get set or passed? If I were to write an auth plugin that expects a password to an external SSO for that user, would I just have to include multiple case statements to catch the special case for users?21:32
lbragstadmjax: those are included in each service's configuration file21:32
mjaxalso, it is /keystone/auth that handles the requests to the authentication endpoint right?21:33
mjaxoh so that's how it works!21:34
lbragstadmjax: as in how does nova authenticate to keystone?21:34
lbragstadnova uses the keystoneauth1 library to authenticate to keystone21:34
lbragstadand keystonemiddleware to process tokens before they reach nova's api21:34
mjaxwhen you make a request to /auth/v3/tokens a json request body is passed in right? which module is in charge of breaking that down to do the authentication21:35
lbragstadthat's this endpoint21:37
lbragstadwhich routes the request based on the request method (GET, POST, etc.)21:37
lbragstadto the appropriate controller method21:37
lbragstadso when you do a POST /v3/auth/tokens you can see the router wire the call to authenticate_for_token()21:38
lbragstadwhich is found here - https://github.com/openstack/keystone/blob/master/keystone/auth/controllers.py#L10721:38
mjaxThat clears up a lot! Thank you21:39
lbragstadmjax: yep21:40
lbragstadfwiw - that pattern can be applied to all apis in keystone21:40
lbragstadtraffic comes in from the router -> controller -> core -> backend21:41
mjaxlbragstad: then the controller calls the corresponding core's methods which make use of the relevant backend? Makes sense21:42
lbragstadyep - it's a pretty straightforward app21:43
mjaxlbragstad: I'm still quite a newbie to dev and design patterns, so this is really helpful! Thanks again for going over it for me21:44
aahhhi, could someone shed some light on how to store users locally who are authorized using a custom identity backend which is not implemented via a saml or oauth protocol21:50
lbragstadmjax: anytime!21:53
lbragstadaahh: what release are you using?21:54
aahh@lbragstad : ocata21:54
lbragstadaahh: are you familiar with shadow users?21:54
aahhnot yet, had been reading the specs docs on the ocata release. would be helpful on how it's created and mapped21:55
lbragstadaahh: that work started in ocata21:55
lbragstadand continued into newton21:56
lbragstadbut the idea was that users should have some sort of reference stored within keystone regardless of where they authenticate from21:56
lbragstadmeaning they could be authenticated through federation using a SAML assertion of some sort, or an external LDAP instance21:56
lbragstadassuming the authentication is successful - a user reference is created for that user21:57
lbragstadand stored within keystone21:57
aahhcould you point to me the relevant files where this happens ??21:58
lbragstadaahh: yeah - so all of that should be pretty self contained in keystone's identity API21:58
lbragstadwhich is here - https://github.com/openstack/keystone/tree/3e8f16dec47907bdded68e58880779a74bbeffef/keystone/identity21:58
lbragstader - it starts there21:58
lbragstadaahh: from there you can see how the shadow_user_api is used in the business logic for identity - https://github.com/openstack/keystone/blob/3e8f16dec47907bdded68e58880779a74bbeffef/keystone/identity/core.py#L44221:59
lbragstadthe interfaces and backend for storing shadow users are kept here - https://github.com/openstack/keystone/tree/3e8f16dec47907bdded68e58880779a74bbeffef/keystone/identity/shadow_backends22:00
*** leitan has quit IRC22:01
*** catintheroof has quit IRC22:01
openstackMeeting ended Tue Aug 22 22:01:36 2017 UTC.  Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4)22:01
openstackMinutes:        http://eavesdrop.openstack.org/meetings/keystone_office_hours/2017/keystone_office_hours.2017-08-22-19.02.html22:01
openstackMinutes (text): http://eavesdrop.openstack.org/meetings/keystone_office_hours/2017/keystone_office_hours.2017-08-22-19.02.txt22:01
openstackLog:            http://eavesdrop.openstack.org/meetings/keystone_office_hours/2017/keystone_office_hours.2017-08-22-19.02.log.html22:01
*** StefanPaetowJisc has quit IRC22:01
*** thorst_afk has joined #openstack-keystone22:02
lbragstadknikolla: i got a little swamped today - i'll plan to pickup the GR stuff tomorrow22:02
*** itlinux has quit IRC22:03
*** ayoung has joined #openstack-keystone22:03
*** thorst_afk has quit IRC22:06
*** thorst_afk has joined #openstack-keystone22:08
*** ducttap__ has joined #openstack-keystone22:16
*** edmondsw has quit IRC22:17
*** thorst_afk has quit IRC22:18
*** thorst_afk has joined #openstack-keystone22:18
*** ducttape_ has quit IRC22:19
*** swain has quit IRC22:20
*** thorst_afk has quit IRC22:22
*** rcernin has quit IRC22:32
*** ducttape_ has joined #openstack-keystone22:38
*** ducttap__ has quit IRC22:38
*** ducttap__ has joined #openstack-keystone22:43
*** ducttape_ has quit IRC22:46
*** itlinux has joined #openstack-keystone22:54
*** rbrndt has quit IRC22:57
*** rbrndt has joined #openstack-keystone22:57
*** rbrndt has quit IRC22:57
*** thorst_afk has joined #openstack-keystone23:00
*** aojea has quit IRC23:05
*** ducttape_ has joined #openstack-keystone23:23
*** ducttap__ has quit IRC23:26
*** efried has quit IRC23:42
*** itlinux has quit IRC23:47
*** dave-mccowan has quit IRC23:48
*** gyee has quit IRC23:53
*** edmondsw has joined #openstack-keystone23:55
*** efried has joined #openstack-keystone23:56
*** gyee has joined #openstack-keystone23:57
