Wednesday, 2017-10-18

[00:32] -openstackstatus- NOTICE: due to unscheduled restart of zuulv3.o.o you will need to 'recheck' your jobs that were last running. Sorry for the inconvenience.
[08:22] <openstackgerrit> Shan Guo proposed openstack/keystone master: Remove v2.0 assignment schema https://review.openstack.org/512964
[13:32] <lbragstad> wxy_: let me know if/when you want to visit with sdague about the unified limits stuff
[13:47] <dims> @lbragstad : wxy_ : i'd like to listen in too, ping me too please
[13:47] <lbragstad> dims: will do!
[14:05] <lbragstad> it'll be exciting to see that stuff work into the release :)
[14:05] <lbragstad> in queens rather
[14:08] <knikolla> o/
[14:15] <dims> hey knikolla
[14:16] <dims> when are you reaching sydney knikolla ?
[14:16] <knikolla> dims: i think on sunday
[14:17] <knikolla> i leave on friday and arrive on sunday. sounds like a fun trip.
[14:18] <knikolla> return flight on thursday evening.
[14:45] <dims> knikolla : ack, i reach sat. return thu as well
[15:32] <gagehugo> o/
[15:42] <lbragstad> o/
[16:02] <gagehugo> ptg in Dublin huh
[16:06] <raildo> gagehugo, yeap, Feb. 26th, right?
[16:09] <ayoung> Oooh. Dublin!
[16:10] <gagehugo> yeah
[16:34] <magicboiz> ayoung: ping
[16:34] <magicboiz> ayoung: can I ask you for some help with x509+federation?
[16:34] <ayoung> https://blogs.gnome.org/markmc/2014/02/20/naked-pings/
[16:34] <ayoung> the second request is much gooderer.
[16:35] <ayoung> magicboiz, happy to help
[16:35] <ayoung> cmurphy can you tell gyee that I need him in here? Heh Heh.
[16:35] <magicboiz> ayoung: sorry, I'm not used to IRC convention (not yet :) )
[16:36] <ayoung> magicboiz, It's OK. I treat it as a teachable moment.
[16:36] <magicboiz> ayoung: I'm getting error like this: "Cannot find "remote_id_attribute" in configuration group mapped. Trying default location in group federation."
[16:36] <magicboiz> ayoung: I have created an idP to reflect my x509 CA
[16:36] <magicboiz> ayoung: mapped rules
[16:36] <ayoung> magicboiz, paste your mapping file please. http://paste.openstack.org/
[16:36] <magicboiz> ayoung: I've linked idp and mapped rules...
[16:36] <magicboiz> ok
[16:38] <magicboiz> ayoung: https://pastebin.com/LdgZfs0V
[16:41] <magicboiz> ayoung: this is my CA cert (public): https://pastebin.com/U0And87t
[16:41] <magicboiz> CN is "devstackca"
[16:41] <ayoung> magicboiz, I don't think your CA cert is used in the rules, only the client cert
[16:42] <magicboiz> ayoung: I think you're right, but why?
[16:42] <ayoung> the anyoneof syntax looks funny, too
[16:42] <ayoung> one sec...
[16:42] <magicboiz> ayoung: this is the keystone_error.log: https://pastebin.com/xj5NW9ik
[16:43] <gyee> ayoung, you were looking for me?
[16:43] <ayoung> gyee, !
[16:43] <ayoung> Yes, yes I was...we have magicboiz here trying to do Federation with X509
[16:44] <ayoung> AFAIK you are the only one that has ever tested that
[16:44] <gyee> yes
[16:44] <ayoung> cmurphy, you ROCK!
[16:44] <ayoung> gyee, mapping file is: https://pastebin.com/LdgZfs0V
[16:44] <cmurphy> :)
[16:44] <ayoung> error log is https://pastebin.com/xj5NW9ik
[16:45] <ayoung> magicboiz, I suspect you should drop the anyoneof rule and just get it working for a single cert with a known value
[16:45] <ayoung> your mapping is too complex for my simple mind
[16:46] <ayoung> once you have that working, try it with one that is the next level of complexity
[16:46] <magicboiz> ayoung: I've got it from here: https://docs.hpcloud.com/hos-4.x/helion/security/horizon_ssl_auth.html
[16:46] <gyee> http://files.meetup.com/1675038/X.509_Authn_Authz.pdf
[16:46] <gyee> my slides from the talk
[16:46] <gyee> let me check the mapping
[16:46] <ayoung> magicboiz, ah!
[16:46] <ayoung> there is a config value you need to add in the file
[16:47] <ayoung> under federation, gyee has remote_id_attribute
[16:47] <ayoung> remote_id_attribute = SSL_CLIENT_I_DN_CN
[16:47] <ayoung> I hate that
[16:48] <gyee> yes, you need to set remote_id_attribute
[16:48] <ayoung> gyee, you rock...those slides are going to help magicboiz much more than I am
[16:48] * ayoung goes for more coffee
[16:48] <gyee> no problem
[16:48] <magicboiz> ayoung: yes, I think that param is already set in my keystone.conf:
[16:48] <magicboiz> stack@ubuntu:~$ grep remote_id_attribute /etc/keystone/keystone.conf
[16:48] <magicboiz> remote_id_attribute = SSL_CLIENT_I_DN_CN
[16:48] <magicboiz> gyee: Your config is pretty similar to mine
[16:49] <ayoung> Could not map any federated user properties to identity values
[16:49] <ayoung> /opt/stack/keystone/keystone/federation/utils.py line 538
[16:49] <ayoung> magicboiz, the heavy artillery is breaking out the remote debugger:
[16:49] <magicboiz> gyee: your "any_one_of" in mapped rules is more complex than mine (which is empty)
[16:50] <ayoung> https://adam.younglogic.com/2015/02/debugging-openstack-with-rpdb/
[16:51] <gyee> magicboiz, that's because of how the cert is parsed
[16:51] <gyee> i.e. SSL is terminated at HAProxy or Apache
[16:52] <gyee> the RDNs of the cert subject DN may get re-ordered
[16:52] <magicboiz> gyee: do you find any issue in my mapped file?
[16:52] <knikolla> ayoung: oooo rpdb, that looks amazing
[16:53] <magicboiz> gyee: I'm testing with devstack WITHOUT tls
[16:53] <magicboiz> ayoung: rpdb that sounds pretty complex for me :)
[16:53] <ayoung> knikolla, it has saved me on more than one occasion. Caveat that multiple trips through the same code path are not a good idea.
[16:53] <ayoung> magicboiz, nah...just shows you what is going on in a running system
[16:53] <gyee> any_one_of cannot be empty I think
[16:53] <ayoung> think of it like getting an X-Ray while you are in the middle of a road race :)
[16:53] <gyee> otherwise, it matches nothing
[16:54] <ayoung> gyee, he can just drop that stanza, right?
[16:54] <knikolla> ayoung: i used to pdb, but that got tricky with everything running through apache
[16:54] <magicboiz> ayoung: :)
[16:54] <ayoung> an empty block is not the same as the absence of that block
[16:54] <gyee> typically in a production env, SSL is terminated at HAProxy or one of the first layer LBs
[16:55] <magicboiz> gyee: ok, so I should try with any_one_of = "C = ES, ST = Madrid, L = Madrid, O = devstackca, CN = devstackca"??
[16:55] <gyee> the SSL certificate attributes are passed via headers
[16:55] <magicboiz> gyee: yes I know, but now I'm trying to setup a PoC with devstack.
[16:56] <gyee> just enable logging of the headers at Apache
[16:56] <magicboiz> The problem with devstack+TLS is that it configures a TLS apache proxy for every (fxx) service (keystone, horizon, neutron...)
[16:56] <gyee> and you'll see what they look like
[16:56] <magicboiz> gyee: so I had to enable SSL/443 on sites-enabled/keystone.conf
[16:56] <gyee> yes
[16:57] <magicboiz> gyee: according to logs, they're passed ok (i think): https://pastebin.com/xj5NW9ik
[16:57] <magicboiz> 'SSL_CLIENT_S_DN': [u'CN=castillo,O=devstackca,L=Madrid,ST=Madrid,C=ES']
[16:58] <kmalloc> wow, gyee lives!
[16:58] <gyee> good!
[16:58] <magicboiz> so it might be "any_one_of" which is empty and not matching anything...
[16:58] <gyee> that's what you need in any_one_of
[16:58] <magicboiz> ok let me try....
[16:58] <gyee> wow kmalloc is Morgan?
[16:59] <kmalloc> gyee: yep
[17:01] <gyee> kmalloc sounds too C++ish :-)
[17:01] <gyee> I remember the alloc malloc days
[17:04] <kmalloc> gyee: kernel malloc is too C++ish?
[17:05] <gyee> ahh
[17:07] <kmalloc> gyee: https://people.netfilter.org/rusty/unreliable-guides/kernel-hacking/routines-kmalloc.html
[17:07] <kmalloc> ;)
[17:07] <kmalloc> oops: https://www.kernel.org/doc/htmldocs/kernel-api/API-kmalloc.html
[17:08] <magicboiz> gyee: something has changed, now I'm getting "Could not find domain: devstackca."
[17:08] <magicboiz> I was trying with domain "federated_users"...
[17:08] <gyee> good
[17:09] <gyee> that means mapping is working
[17:09] <gyee> you mapped the O rdn to domain
[17:09] <gyee> O=devstackca
[17:09] <gyee> if you want to make user to federated_user domain, you need to change to map
[17:10] <gyee> "domain": {"name": "federated_users"}
[17:11] <gyee> typically, the information on the cert dictates what domain the user belongs to
[17:14] <magicboiz> gyee: ok. I think that problem is solved. great!
[17:15] <gyee> good :-)
[17:16] <magicboiz> gyee: Now, after keystone "executes" sso_callback_template.html, I get redirected to horizon login window, but i get "Login failed: You are not authorized for any projects or domains."
[17:16] <magicboiz> arrgh
[17:17] <kmalloc> magicboiz: that sounds like the user doesn't have a grant on a project
[17:17] <kmalloc> which is a totally different issue (and possibly not related to your setup of SSO/Certs)
[17:18] <gyee> yep, like kmalloc said
[17:18] <magicboiz> kmalloc: checking pdf from gyee I found some diffs in my configs vs his configs....let me double check...
[17:19] <gyee> my slides are outdated
[17:19] <magicboiz> For example: OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT = False (in my config)
[17:19] <gyee> now that keystone supports auto project creation, I'll need to update the slides
[17:19] <magicboiz> gyee: those slides are pure honey :)
[17:19] <gyee> hahahah
[17:20] <magicboiz> should be included in official keystone doc!!
[17:21] <gyee> they are mostly there, in bits and pieces
[17:22] * lbragstad heads to lunch
[17:25] <rybridges> Hello all. Have a question. I am wondering if there is any kind of batch API available in the python keystoneclient in the ocata version. For example, let's say I want to create 100 projects, is there some API that I can use to create all of those projects in one call rather than doing 1 call per project?
[17:25] <ayoung> gyee, that was pretty cool. Well done.
[17:26] <ayoung> rybridges, nope. And I kind of wanted one, too.
[17:26] <gyee> ayoung, thanks
[17:26] <ayoung> never quite figured out how to do batch with REST
[17:26] <rybridges> Thanks ayoung. So there are no batch APIs for any keystone operations at this time then?
[17:26] <gyee> do it with Ansible
[17:26] <ayoung> gyee, still one call at a time. Pay for the round trip.
[17:26] <gyee> I am a big fan of Ansible now
[17:27] <gyee> ayoung, I am about to do a POC with Ansible Tower
[17:27] <ayoung> gyee, as am I...BTW, I am now A Solutions Architect, which is Salesese for Sales Engineer. Which means I get to work with Ansible as part of my Day job
[17:27] <ayoung> Tower that is
[17:27] <gyee> nice
[17:28] <ayoung> I get to learn and play with all our cloud techs: cloudforms, ansible, openstack, openshift, rhv
[17:28] <gyee> that sounds like a dream job!
[17:29] <ayoung> gyee, more travel.
[17:30] <ayoung> just started, and 90 days trainup, so I won't really know what it is like until after the turn of the year
[17:30] <ayoung> but one thing I want to do is gather up real user stories from customers and have honest feedback. Turn them into real reqs
[17:31] <gyee> that's very important, it's an eye opener when we write code versus writing production-ready code
[17:31] <ayoung> yep
[17:32] <gyee> things that seem easy for developers could be a daily struggle for operation guys
[17:32] <ayoung> gyee, I know...people find work-arounds, then go on about their job, and it never gets communicated upstream.
[17:34] <gyee> hope you enjoy travel more than I do these days :-)
[17:34] <gyee> them seats on the plane seem to be getting smaller and smaller
[17:35] <gyee> either that or I am getting wider :-)
[17:36] <ayoung> Hoping to keep the travel mostly limited to the North East. My Region is New England. So far they've sent me to RDU
[17:38] <magicboiz> gyee: got it. User was not correctly related with project.
[17:38] <magicboiz> gyee, ayoung: thanks so much guys!!
[17:39] <gyee> you're welcome
[17:39] <ayoung> I'm pretty impressed. I thought that was going to be worse.
[17:39] <magicboiz> ayoung: jajaja without debugger!!
[17:40] <gyee> ayoung, in a production system, you'll have to jump through hoops to run rpdb
[17:40] <gyee> that's assuming customer's security people let you
[17:40] <ayoung> yep, but you should be testing out the X509 setup in development first I'd hope
[17:40] <magicboiz> gyee: if I set remote_id_attribute in keystone.conf, can I add another sso idP (a keycloak server for example)?
[17:41] <gyee> magicboiz, yes, remote_id_attribute is per provider, afaik
[17:41] <ayoung> we really need to do away with that config value
[17:41] <ayoung> all per protocol stuff should be per protocol. Doy
[17:41] <gyee> ayoung, agree, that should come from mapping as well perhaps
[17:43] <magicboiz> gyee: remote_id_attribute is set under [federation] section.....
[17:44] <ayoung> let me see how that is used. I think we can do away with it.
[17:46] <ayoung> http://git.openstack.org/cgit/openstack/keystone/tree/keystone/federation/utils.py#n276
[17:46] <ayoung> remote_id_parameter = CONF[protocol]['remote_id_attribute']
[17:46] <gyee> magicboiz, you can configure remote_id_attribute under the protocol section
[17:47] <gyee> that'll overwrite the default one
[17:47] <ayoung> so at a minimum, yeah, you should be able to do it per protocol...although 2 different X509 configs are not going to co-exist that way
[17:47] <gyee> right
[17:47] <magicboiz> ayoung: great. I need a domain with x509 idP and another domain with ldap or sso/saml2
[17:48] <ayoung> magicboiz, so, try adding an [X509] section to your config file and move the value there, and make sure we ain't broke nuffin
[17:48] <ayoung> please to be removing it from the [federation] section or you will get a false reading
[17:49] <ayoung> suggest you remove it first, make sure it is broken, then add to the [X509] part and ensure it works...you know, to keep from fooling yourself
[17:49] <magicboiz> ayoung: well, I have defined as "mapped" actually
[17:49] <magicboiz> ayoung: ok
[17:49] <ayoung> ah, yeah...
[17:50] <ayoung> you are going to want to distinguish between the two protocols. They can both be implemented with mapped
[17:50] <gyee> you shouldn't call protocol "mapped"
[17:50] <gyee> mapped is very generic
[17:55] <magicboiz> ok, adding section:
[17:55] <magicboiz> [mapped]
[17:55] <magicboiz> remote_id_attribute = SSL_CLIENT_I_DN_CN
[17:55] <magicboiz> did the trick
[17:55] <magicboiz> :)
[17:55] <gyee> yay
[17:57] <ayoung> magicboiz, you might be OK with that, if the other plugin you use is not 'mapped'
[17:58] <ayoung> I don't think we enforce the strings that are used for the protocol name, either
[17:59] <magicboiz> ayoung:
[17:59] <magicboiz> ayoung: ok
[17:59] <magicboiz> I do really LOOOVE when I launch the cirros instance and I can ping 8.8.8.8
[17:59] <magicboiz> jajajajaja
[17:59] <ayoung> heh
[18:01] <gyee> to paraphrase the operation people, your nightmare just got started :-)
[18:04] <ayoung> http://git.openstack.org/cgit/openstack/keystone/tree/keystone/conf/auth.py
[18:04] <ayoung> ok...so I think we are way too restrictive there
[18:05] <ayoung> magicboiz, you might have to cheat. You can mess with both the external and the mapped options...I don't think you can add an X509 option. Which is not right
[18:05] <ayoung> we need ALL of the Federation information wrapped up in the protocol object of the Federated data. None of it should come from config.
[18:06] <ayoung> I'm going to open a bug on this.
[18:06] <magicboiz> ayoung: ok... I quit from now....until tomorrow :)
[18:06] <gyee> we got x509 and saml working at the same time
[18:06] <magicboiz> ayoung, gyee : thanks again for your effort helping me :)
[18:07] <magicboiz> bye
[18:07] <gyee> no problem
[18:07] <ayoung> gyee, yep, probably by using different names of the plugins.
[18:07] <ayoung> saml, X509, and Kerberos should all be implemented via mapped, but we need a config value for each
[18:07] <gyee> ayoung, you may be right that we can't use the same plugin for two different protocols
[18:08] <ayoung> and, since we can't dynamically name a config section, I bet you set one of them in the [federation] section and the other in [mapped]
[18:08] <gyee> but the name is just artificial right?
[18:08] <gyee> you can have different names using the same "class"
[18:09] <ayoung> gyee, sort of. look at the link I just posted and tell me how you read it
[18:11] <ayoung> https://bugs.launchpad.net/keystone/+bug/1724645
[18:11] <openstack> Launchpad bug 1724645 in OpenStack Identity (keystone) "remote_id_attribute config options prevents multiple protocol variations for Federation" [Undecided,New]
[18:14] <gyee> ayoung, I can double check with our QA to see if anything had changed. But we got both x509 and saml working at the same time
[18:14] <ayoung> gyee, try to get 2 different X509 setups working side by side, or 2 SAML
[18:15] <ayoung> with different mappings, etc
[18:15] <gyee> oh that may not work
[18:15] <ayoung> you can use the same IdP, but use different attributes from the assertions
[18:15] <ayoung> we need to move remote_id_attribute from the config file to the protocol object.
[18:15] <gyee> yeah, that's good point
[18:17] <gyee> ayoung, I don't see it as a problem though
[18:18] <gyee> for x509, unless we want to different attributes as IDs, which doesn't make much sense, we don't need two different ID mapping
[18:20] <kmalloc> you can somewhat do dynamic configs, but it's wonky
[18:21] <kmalloc> not recommended from a usability standpoint
[18:22] <gyee> kmalloc, maybe zookeeper or consul or something
[18:22] <kmalloc> nah, we could do it in oslo.config if we needed. but ugh. let's not do that
[18:23] <kmalloc> now, we could provide the config in a delimited manner (and a list config) where we can stack most of the config on a line and split it apart... again not super usable
[18:24] <gyee> maybe we don't need protocol? just provider and mapping is good enough?
[18:25] <gyee> nevermind, I wasn't thinking :-)
[18:27] <openstackgerrit> Samuel de Medeiros Queiroz proposed openstack/keystone master: Delete users before deleting domains https://review.openstack.org/506340
[18:29] <openstackgerrit> Samuel de Medeiros Queiroz proposed openstack/keystone master: Delete users before deleting domains https://review.openstack.org/506340
[18:30] <samueldmq> lbragstad: cmurphy ^
[18:31] <lbragstad> samueldmq: sweet - thanks!
[18:31] <samueldmq> lbragstad: ++ I added a question in the patch
[18:31] <samueldmq> I am not sure how to test the migration
[18:48] <ayoung> gyee, I'm not sure you are wrong there...what does the protocol object have on it if not this...looking
[18:55] <kmalloc> samueldmq: -1, added a comment on how to test the migration
[18:56] <kmalloc> samueldmq: but the -1 is for the test and verifying that in all cases re-adding the FK (if it exists) won't break anything
[19:00] <samueldmq> kmalloc: comments appreciated. I will follow your suggestions
[19:00] <samueldmq> kmalloc: regarding the delete with cascade I will leave as an improvement, we can do that consistently for other things too
[19:01] <samueldmq> for now I think just fixing the issue is fine
[19:01] <samueldmq> but I like the suggestion too.
[19:06] <cfriesen> lbragstad: I've abandoned https://review.openstack.org/#/c/505345/, but while testing it I noticed something interesting. When I had a large number of endpoints (260) the code at http://paste.openstack.org/show/624015/ would hang. It works fine with 13 endpoints.
[19:07] <cfriesen> The "openstack" client seemed to work fine with the larger number of endpoints.
[19:09] <cfriesen> Is there something wrong with that code, or should I open a keystone bug?
[20:00] <lbragstad> cfriesen: that code looks ok to me
[20:00] <lbragstad> and you said openstackclient was behaving fine with that many endpoints?
[20:36] <openstackgerrit> Lance Bragstad proposed openstack/keystone-specs master: Specification for system roles https://review.openstack.org/464763
[20:38] <cfriesen> lbragstad: yes, I ran "openstack endpoint list" no problem
[20:39] <cfriesen> this is with the stable/pike branch of devstack
[20:41] <lbragstad> cfriesen: so - it's limited to either keystoneauth or python-keystoneclient
[20:41] <lbragstad> having to deal with a bunch of endpoints
[20:42] <cfriesen> seems like it, yes
[20:42] <lbragstad> as far as i know - ksa deals with the endpoints in that situation
[20:43] <lbragstad> if you want to open a generic bug against keystoneauth, i'll see if someone more experienced with the library can take a look
[20:43] <lbragstad> generic as in just reported the slow down
[20:44] <lbragstad> cc mordred efried cmurphy ^
[20:45] <efried> osc isn't going through ksa?
[20:46] <cfriesen> interestingly, with two regions it works, but with three it doesn't
[20:46] <cfriesen> it just hangs indefinitely at the last line
[20:46] <efried> cfriesen Cool, let's get a bug with a repro.
[20:46] <efried> cfriesen How long have you left it?
[20:47] <efried> And how long does it take with 260x2?
[20:48] <cfriesen> with 260 endpoints it's maybe 5 seconds to run "openstack endpoint list"
[20:49] <cfriesen> with 39 endpoints it's 1.9 seconds.
[20:49] <cfriesen> but the python code seems to hang indefinitely....I've left it for over a minute.
[20:59] <cfriesen> hmm...seems to be the third keystone endpoint that is causing the problem.
[21:03] <cfriesen> bug opened: https://bugs.launchpad.net/keystone/+bug/1724686
[21:03] <openstack> Launchpad bug 1724686 in OpenStack Identity (keystone) "authentication code hangs when there are many endpoints" [Undecided,New]
[21:07] <cfriesen> okay, looks like it is specifically three or more keystone admin endpoints that trigger it, the public endpoints don't matter
[21:41] <openstackgerrit> Merged openstack/keystone master: Deleting an identity provider doesn't invalidate tokens https://review.openstack.org/512872
[22:14] <kmalloc> samueldmq: i don't think we can change the behavior for a cascade actually
[22:14] <kmalloc> samueldmq: the more i read it