Wednesday, 2017-11-15

*** phalmos_ has quit IRC00:02
*** nkinder has quit IRC00:20
<openstackgerrit> OpenStack Proposal Bot proposed openstack/keystone master: Updated from global requirements  https://review.openstack.org/519781 [00:24]
*** aojea has joined #openstack-keystone00:28
*** wes_dillingham has quit IRC00:31
*** aojea has quit IRC00:33
*** nkinder has joined #openstack-keystone00:34
*** wes_dillingham has joined #openstack-keystone00:35
*** markvoelker has quit IRC00:37
<openstackgerrit> OpenStack Proposal Bot proposed openstack/python-keystoneclient master: Updated from global requirements  https://review.openstack.org/519803 [00:40]
*** raildo has quit IRC00:45
*** prashkre has joined #openstack-keystone01:05
*** limestone has quit IRC01:21
*** gyee_ has quit IRC01:23
*** aojea has joined #openstack-keystone01:28
*** aojea has quit IRC01:33
*** wes_dillingham has quit IRC01:34
*** panbalag has left #openstack-keystone01:35
*** prashkre has quit IRC01:35
*** markvoelker has joined #openstack-keystone01:37
*** prashkre has joined #openstack-keystone01:38
*** prashkre has quit IRC01:49
*** links has joined #openstack-keystone02:03
*** threestrands has joined #openstack-keystone02:07
*** dinesh_ has joined #openstack-keystone02:11
*** itlinux has joined #openstack-keystone02:12
*** itlinux has quit IRC02:17
*** AlexeyAbashkin has joined #openstack-keystone02:22
*** AlexeyAbashkin has quit IRC02:26
*** aojea has joined #openstack-keystone02:29
*** aojea has quit IRC02:33
*** bigjools has quit IRC02:40
*** aselius has quit IRC02:47
*** bigjools has joined #openstack-keystone02:48
*** bigjools has quit IRC02:48
*** bigjools has joined #openstack-keystone02:48
*** dinesh_ has quit IRC02:55
-openstackstatus- NOTICE: Due to an unexpected outage with Zuul (1 hour), you'll need to recheck any jobs that were in progress. Sorry for the inconvenience. [02:56]
*** dave-mccowan has quit IRC03:09
*** itlinux has joined #openstack-keystone03:15
*** aojea has joined #openstack-keystone03:30
*** aojea has quit IRC03:34
*** rcernin has quit IRC03:34
*** rcernin has joined #openstack-keystone03:36
*** sticker has quit IRC04:24
*** annp has joined #openstack-keystone04:29
*** aojea has joined #openstack-keystone04:31
*** aojea has quit IRC04:35
*** namnh has joined #openstack-keystone04:41
*** magicboiz has quit IRC04:46
*** AlexeyAbashkin has joined #openstack-keystone05:22
*** jaosorior has quit IRC05:24
*** AlexeyAbashkin has quit IRC05:26
*** itlinux has quit IRC05:27
*** aojea has joined #openstack-keystone05:31
*** aojea has quit IRC05:36
*** dikonoo has quit IRC06:25
*** dikonoo has joined #openstack-keystone06:25
*** daidv has joined #openstack-keystone06:26
*** aojea has joined #openstack-keystone06:32
*** namnh has quit IRC06:33
*** threestrands has quit IRC06:34
*** aojea has quit IRC06:37
*** nsingh has joined #openstack-keystone06:40
*** sticker has joined #openstack-keystone06:42
*** niraj_singh has quit IRC06:43
*** dikonoo has quit IRC06:46
*** namnh has joined #openstack-keystone06:51
*** jaosorior has joined #openstack-keystone06:57
*** aojea has joined #openstack-keystone06:57
*** aojea has quit IRC06:58
*** aojea has joined #openstack-keystone06:58
*** aojea has quit IRC06:59
*** spectr has joined #openstack-keystone07:13
*** rcernin has quit IRC07:20
*** hoonetorg has quit IRC07:30
*** spectr has quit IRC07:38
*** hoonetorg has joined #openstack-keystone07:43
*** pcaruana has joined #openstack-keystone07:51
*** belmoreira has joined #openstack-keystone07:53
*** adriant has quit IRC07:58
*** john5223 has quit IRC07:58
*** hemna has quit IRC07:59
*** hemna has joined #openstack-keystone08:04
*** john5223 has joined #openstack-keystone08:06
*** adriant has joined #openstack-keystone08:12
*** tesseract has joined #openstack-keystone08:17
*** magicboiz has joined #openstack-keystone08:22
*** zhurong has joined #openstack-keystone08:23
*** Jack_Iv has joined #openstack-keystone08:29
*** Jack_Iv has quit IRC08:33
*** Jack_Iv has joined #openstack-keystone08:33
*** AlexeyAbashkin has joined #openstack-keystone08:37
*** zenpwner has joined #openstack-keystone09:08
<openstackgerrit> Dirk Mueller proposed openstack/keystone master: Remove keystone v2/tokenauth example  https://review.openstack.org/520014 [09:09]
<openstackgerrit> Merged openstack/keystone master: Update cache doc  https://review.openstack.org/519215 [09:17]
<openstackgerrit> wangxiyuan proposed openstack/keystone-specs master: Limits API  https://review.openstack.org/455709 [09:24]
*** magicboiz has quit IRC09:39
*** belmoreira has quit IRC10:01
*** belmoreira has joined #openstack-keystone10:06
*** annp has quit IRC10:13
*** zenpwner has quit IRC10:15
*** namnh has quit IRC10:17
*** daidv has quit IRC10:23
*** magicboiz has joined #openstack-keystone10:30
*** KwozyMan has joined #openstack-keystone10:37
*** daidv has joined #openstack-keystone10:41
*** daidv has quit IRC10:52
*** magicboiz has quit IRC10:57
*** magicboiz has joined #openstack-keystone11:04
*** mvk has quit IRC11:05
*** daidv has joined #openstack-keystone11:09
*** daidv has quit IRC11:12
*** daidv has joined #openstack-keystone11:27
*** daidv has quit IRC11:31
*** mvk has joined #openstack-keystone11:32
*** magicboiz has quit IRC11:33
*** sticker_ has joined #openstack-keystone11:36
<openstackgerrit> wangxiyuan proposed openstack/keystone-specs master: Limits API  https://review.openstack.org/455709 [11:37]
*** sticker has quit IRC11:40
*** Jack_Iv has quit IRC11:41
*** daidv has joined #openstack-keystone11:45
<openstackgerrit> OpenStack Proposal Bot proposed openstack/keystone master: Updated from global requirements  https://review.openstack.org/519781 [11:45]
*** magicboiz has joined #openstack-keystone12:08
*** sticker_ has quit IRC12:32
*** KwozyMan has quit IRC13:08
*** wes_dillingham has joined #openstack-keystone13:09
*** jdennis has quit IRC13:22
*** links has quit IRC13:22
*** links has joined #openstack-keystone13:24
*** edmondsw has joined #openstack-keystone13:28
*** markvoelker has quit IRC13:29
*** markvoelker has joined #openstack-keystone13:29
*** jdennis has joined #openstack-keystone13:38
*** panbalag has joined #openstack-keystone13:52
*** links has quit IRC13:53
<lbragstad> o/ [13:53]
*** panbalag has left #openstack-keystone13:53
<lbragstad> just a heads up - i'll be out for the next hour [13:53]
<lbragstad> hourish [13:53]
*** dave-mccowan has joined #openstack-keystone14:01
*** ayoung has quit IRC14:03
*** dave-mccowan has quit IRC14:13
*** dave-mccowan has joined #openstack-keystone14:20
*** belmoreira has quit IRC14:23
*** dave-mcc_ has joined #openstack-keystone14:24
*** dave-mccowan has quit IRC14:25
*** links has joined #openstack-keystone15:11
*** evgenyf has joined #openstack-keystone15:28
<evgenyf> Hi folks, is anybody available for an identity v3 question/issue? [15:29]
<lbragstad> evgenyf: sure - feel free to ask, someone is usually around to answer [15:30]
<evgenyf> question: I use identity v3. I have domain and two projects inside. I also have a user in this domain who has admin role on the domain. I do "openstack project list --domain <my domain uuid>" and get "You are not authorized to perform the requested action: identity:list_projects (HTTP 403)" [15:35]
*** KwozyMan has joined #openstack-keystone15:36
<evgenyf> The policy for identity:list_projects says cloud admin or rule:admin_and_matching_domain_id [15:36]
<evgenyf> "admin_and_matching_domain_id": "rule:admin_required and domain_id:%(domain_id)s" [15:37]
<evgenyf> the issue is with domain_id probably, because once I remove it, it works [15:37]
<evgenyf> suggestions ? [15:37]
*** dave-mcc_ has quit IRC15:38
<lbragstad> SamYaple: https://review.openstack.org/#/c/520112/ [15:40]
<lbragstad> evgenyf: so the call works once you remove the domain_id:%(domain_id)s from the policy? [15:41]
<evgenyf> lbragstad: yes [15:43]
<lbragstad> does your user have a role assignment on the projects? [15:44]
<lbragstad> the projects inside the domain? [15:44]
<evgenyf> lbragstad: I tried it both ways, with just admin on domain. and with admin on domain and all projects [15:45]
<lbragstad> ok [15:46]
<lbragstad> but you're using the openstackclient in all cases, right? [15:46]
<evgenyf> lbragstad: yes, I have two projects under the domain [15:46]
<evgenyf> lbragstad: Yes, I use openstackclient [15:46]
<lbragstad> ok [15:46]
<evgenyf> I also do it via openstack4J java library which works over REST [15:47]
<lbragstad> if you get a domain-scoped token, can you list the projects against the API directly? [15:47]
<lbragstad> GET /v3/projects with the domain-scoped token [15:47]
<lbragstad> the reason why i ask is because openstackclient might be getting a project-scoped token for the request [15:48]
<lbragstad> instead of a domain-scoped one [15:48]
<evgenyf> lbragstad: I did not try it by myself, but saw somebody did it and it did not work until the domain_id=<uuid> was added, hence GET /v3/projects?domain_id=... [15:48]
*** belmoreira has joined #openstack-keystone15:49
<lbragstad> hm [15:49]
<lbragstad> let me see if i can recreate locally [15:50]
<evgenyf> lbragstad: I use NEWTON [15:50]
*** magicboiz has quit IRC15:53
<evgenyf> lbragstad: please see this link, it says that once the domain_id placeholder was changed to a hard-coded domain uuid - it worked. In my case it did not. link# https://ask.openstack.org/en/question/69418/not-authorized-to-list-projects-with-keystone-v3/ [15:54]
<lbragstad> evgenyf: just to confirm, this is in your policy file? http://paste.openstack.org/show/626411/ [15:56]
<lbragstad> does that match what you have? [15:56]
*** phalmos has joined #openstack-keystone15:58
<evgenyf> lbragstad: exactly [15:59]
*** dave-mccowan has joined #openstack-keystone15:59
*** itlinux has joined #openstack-keystone16:00
*** magicboiz has joined #openstack-keystone16:01
*** dave-mccowan has quit IRC16:02
*** magicboiz has quit IRC16:06
*** magicboiz has joined #openstack-keystone16:13
*** markvoelker_ has joined #openstack-keystone16:18
*** aselius has joined #openstack-keystone16:18
*** zhurong has quit IRC16:18
*** markvoelker has quit IRC16:20
*** ayoung has joined #openstack-keystone16:35
*** prashkre has joined #openstack-keystone16:42
*** panbalag has joined #openstack-keystone16:46
*** jmlowe has joined #openstack-keystone16:47
*** belmoreira has quit IRC16:53
*** phalmos_ has joined #openstack-keystone16:55
*** phalmos has quit IRC16:58
*** links has quit IRC17:00
*** dave-mccowan has joined #openstack-keystone17:01
*** tesseract has quit IRC17:03
*** phalmos_ has quit IRC17:07
*** jmlowe has quit IRC17:09
<evgenyf> lbragstad: thanks for your time. can you please ping me if you have progress with this issue? [17:10]
<lbragstad> evgenyf: yep - i just got out of a meeting, but i should have some time this afternoon to try and recreate [17:10]
<lbragstad> evgenyf: do you want to open a bug report just in case? [17:11]
<lbragstad> evgenyf: that way i can update it with my finding and we can just close it if there isn't an issue [17:11]
<lbragstad> https://bugs.launchpad.net/keystone/+filebug [17:12]
*** d0ugal has quit IRC17:12
<evgenyf> lbragstad: sure, thank you [17:13]
<lbragstad> evgenyf: thanks [17:14]
*** masber has quit IRC17:15
*** phalmos has joined #openstack-keystone17:16
<prashkre> lbragstad: Hi! It was a long time back (almost 11hrs), I have cherry-picked (https://review.openstack.org/#/c/519846/) from master to stable/pike, I don't see workflow label updated or any errors reported. [17:19]
<lbragstad> prashkre: might need a recheck [17:20]
<lbragstad> prashkre: there were some issues with the gate recently i think [17:20]
<lbragstad> there was a mailing list thread about it [17:20]
<openstackgerrit> Lance Bragstad proposed openstack/oslo.policy master: Add scope_types to RuleDefault objects  https://review.openstack.org/510222 [17:20]
<lbragstad> cc dims fixed the merge conflict & [17:20]
<lbragstad> ^* [17:21]
<evgenyf> lbragstad: the issue - link# https://bugs.launchpad.net/keystone/+bug/1732502 [17:22]
<openstack> Launchpad bug 1732502 in OpenStack Identity (keystone) "project-list command does not work for a user with admin role on domain" [Undecided,New] [17:22]
<prashkre> lbragstad: are those issues with gate resolved or they still exist? [17:24]
<lbragstad> evgenyf: awesome - thanks! [17:25]
<lbragstad> prashkre: let me dig in the mailing list [17:25]
<lbragstad> prashkre: nevermind - it might have been specific to rally [17:27]
*** panbalag has quit IRC17:28
*** panbalag has joined #openstack-keystone17:28
*** AlexeyAbashkin has quit IRC17:29
<prashkre> lbragstad: thanks. posted recheck in comments. [17:29]
*** KwozyMan has quit IRC17:33
*** gyee_ has joined #openstack-keystone17:34
<hrybacki> lbragstad: I forgot to ask if there was any push from operators about the read only role stuff? [17:45]
*** magicboiz has quit IRC18:00
<lbragstad> hrybacki: not directly - but we did go over https://trello.com/c/C1INH5AI/7-define-default-roles as a group in the policy feedback session [18:00]
<lbragstad> which kinda gets into the read-only role stuff [18:00]
<hrybacki> lbragstad: ack, okay thank you [18:01]
<dims> +2 lbragstad [18:02]
*** evgenyf has quit IRC18:06
<openstackgerrit> OpenStack Proposal Bot proposed openstack/keystone master: Updated from global requirements  https://review.openstack.org/519781 [18:10]
*** pcaruana has quit IRC18:11
*** aojea has joined #openstack-keystone18:15
*** mvk has quit IRC18:17
<lbragstad> dims: woo - thanks! [18:18]
<SamYaple> lbragstad: python3 here i come (now with less auth_uri) [18:18]
<SamYaple> fun times we live in [18:18]
*** samueldmq has quit IRC18:19
<lbragstad> mhmm [18:19]
*** samueldmq has joined #openstack-keystone18:19
<openstackgerrit> OpenStack Proposal Bot proposed openstack/python-keystoneclient master: Updated from global requirements  https://review.openstack.org/519803 [18:28]
*** aojea has quit IRC18:31
*** Dave has quit IRC18:36
*** Dave has joined #openstack-keystone18:38
*** panbalag has quit IRC18:44
*** itlinux has quit IRC18:54
*** spilla has joined #openstack-keystone19:02
*** mvk has joined #openstack-keystone19:06
*** AlexeyAbashkin has joined #openstack-keystone19:13
<edmondsw> lbragstad sorry for the slow review, but I finally looked at https://review.openstack.org/#/c/509909 and I think there's still some stuff we need to address there [19:16]
<edmondsw> added comments, even though it's already merged [19:16]
<edmondsw> easier to make them inline that way [19:17]
*** AlexeyAbashkin has quit IRC19:17
*** d0ugal has joined #openstack-keystone19:20
*** AlexeyAbashkin has joined #openstack-keystone19:22
*** AlexeyAbashkin has quit IRC19:26
*** itlinux has joined #openstack-keystone19:30
*** KwozyMan has joined #openstack-keystone19:30
*** KwozyMan has quit IRC19:46
*** nsingh has quit IRC20:15
*** nsingh has joined #openstack-keystone20:16
*** itlinux has quit IRC20:19
*** prashkre has quit IRC20:20
<edmondsw> lbragstad replied again [20:23]
*** d0ugal_ has joined #openstack-keystone20:25
*** d0ugal has quit IRC20:26
<openstackgerrit> Rohan Arora proposed openstack/python-keystoneclient master: Add project tags to keystoneclient  https://review.openstack.org/481223 [20:30]
*** panbalag has joined #openstack-keystone20:34
*** itlinux has joined #openstack-keystone20:40
*** d0ugal_ has quit IRC20:40
*** d0ugal has joined #openstack-keystone20:40
*** d0ugal has quit IRC20:40
*** d0ugal has joined #openstack-keystone20:40
*** wes_dillingham has quit IRC20:51
*** d0ugal has quit IRC20:52
*** itlinux has quit IRC21:00
*** McClymontS has joined #openstack-keystone21:02
*** McClymontS has quit IRC21:08
*** nkinder has quit IRC21:09
*** itlinux has joined #openstack-keystone21:20
<odyssey4me> I'm a bit rusty on federation and helping someone out with it - I seem to be missing something. [21:20]
<odyssey4me> It's likely a config error - I wonder if someone who is currently familiar with it can help me sanity check some things. [21:21]
*** nkinder has joined #openstack-keystone21:22
<odyssey4me> I'm configuring a keystone SP with an Okta IDP and it appears that the IDP is redirecting back to keystone, but keystone is redirecting right back to the IDP and it's stuck in this loop. [21:22]
<odyssey4me> this is in the browser, so websso is involved too [21:22]
*** errr has joined #openstack-keystone21:28
*** threestrands has joined #openstack-keystone21:32
*** threestrands has quit IRC21:32
*** threestrands has joined #openstack-keystone21:32
*** itlinux has quit IRC21:42
<lbragstad> odyssey4me: hmm [21:45]
<lbragstad> odyssey4me: is this before or after the user authenticates to the IdP? [21:46]
<odyssey4me> lbragstad after [21:47]
<odyssey4me> I see the redirect from horizon to keystone's /v3/auth/OS-FEDERATION... URL, that redirects to the identity provider's remote_ids, which redirects back to the same keystone URL and back and forth [21:50]
<lbragstad> strange [21:50]
<odyssey4me> so this tells me that either keystone or the IDP are not configured right [21:50]
<lbragstad> i think - after authentication, keystone should be parsing the saml assertion but that's all done with apache [21:51]
<lbragstad> you could double check your configuration against - https://www.youtube.com/watch?v=jwXenfEOSOk [21:53]
<lbragstad> well - service provider configuration anyway [21:53]
<lbragstad> the walkthrough cmurphy does there is super helpful [21:53]
<odyssey4me> looks like the auth flow in 15:32 is what I'm seeing [21:56]
<lbragstad> odyssey4me: do you have debug and insecure_debug enabled in your configuration? [21:57]
<odyssey4me> hmm, lemme try that [21:58]
<lbragstad> and does it ever fail or does it just continually loop? [21:58]
<odyssey4me> it just loops [21:58]
<lbragstad> that's weird, i've never actually experienced that before [21:58]
<odyssey4me> nothing's coming through to keystone - even with both debugs enabled [22:00]
<odyssey4me> so it looks like shib's blocking it [22:00]
<lbragstad> what about shib or apache logs? [22:00]
<odyssey4me> apache - definitely seeing the POST come back [22:02]
<lbragstad> i wonder if it's tripping when validating the assertion [22:02]
<odyssey4me> shibd.log is quiet though - although I think we have to enable debug somehow? [22:02]
*** itlinux has joined #openstack-keystone22:11
<odyssey4me> ok, keystone's apache is telling me that shib is denying it [22:13]
<lbragstad> i wonder what the reason is [22:14]
<lbragstad> invalid saml [22:14]
<lbragstad> or incorrect private keys/metadata [22:14]
*** AlexeyAbashkin has joined #openstack-keystone22:21
*** itlinux has quit IRC22:23
*** rcernin has joined #openstack-keystone22:23
*** AlexeyAbashkin has quit IRC22:26
*** mvk has quit IRC22:35
*** nkinder has quit IRC22:39
*** itlinux has joined #openstack-keystone22:44
*** spilla has quit IRC22:46
*** edmondsw has quit IRC22:46
*** d0ugal has joined #openstack-keystone22:50
*** nkinder has joined #openstack-keystone22:52
*** phalmos has quit IRC22:59
*** wes_dillingham has joined #openstack-keystone23:12
<odyssey4me> lbragstad well, this is odd - if I tell the IDP the URL to post back to is https://myserver:5000/Shibboleth.sso/SAML2/POST instead of https://myserver:5000/v3/auth/OS-FEDERATION/websso/saml2 then it gets a session, but the browser gets redirected back to keystone's root instead of back to horizon [23:13]
*** jmlowe has joined #openstack-keystone23:13
*** itlinux has quit IRC23:15
*** dave-mccowan has quit IRC23:19
*** AlexeyAbashkin has joined #openstack-keystone23:20
*** jmlowe has quit IRC23:21
*** AlexeyAbashkin has quit IRC23:25
*** masber has joined #openstack-keystone23:30
*** jmlowe has joined #openstack-keystone23:33
*** jmlowe has quit IRC23:38
*** edmondsw has joined #openstack-keystone23:44
*** edmondsw has quit IRC23:55
*** edmondsw has joined #openstack-keystone23:57
