Thursday, 2018-07-05

01:13 *** edmondsw has joined #openstack-keystone
01:18 *** edmondsw has quit IRC
01:55 *** annp has joined #openstack-keystone
02:12 *** gongysh has joined #openstack-keystone
03:02 *** edmondsw has joined #openstack-keystone
03:04 *** gongysh has quit IRC
03:06 *** edmondsw has quit IRC
03:10 *** jmlowe has quit IRC
03:20 <openstackgerrit> wangxiyuan proposed openstack/keystone master: Strict two level limit model  https://review.openstack.org/557696
03:20 <openstackgerrit> wangxiyuan proposed openstack/keystone master: Add project_id filter for listing limit  https://review.openstack.org/579330
03:20 <openstackgerrit> wangxiyuan proposed openstack/keystone master: Add show hierarchy filter  https://review.openstack.org/579331
03:20 <openstackgerrit> wangxiyuan proposed openstack/keystone master: [WIP]Update project depth check  https://review.openstack.org/580258
04:40 *** zzzeek has quit IRC
04:43 *** zzzeek has joined #openstack-keystone
04:51 *** edmondsw has joined #openstack-keystone
04:55 *** edmondsw has quit IRC
05:10 *** zzzeek has quit IRC
05:11 *** zzzeek has joined #openstack-keystone
05:36 *** sonuk has joined #openstack-keystone
05:38 *** sonuk_ has quit IRC
05:49 *** nicolasbock has joined #openstack-keystone
05:50 *** martinus__ has joined #openstack-keystone
06:10 *** josecastroleon has joined #openstack-keystone
06:55 <openstackgerrit> wangxiyuan proposed openstack/keystone master: Strict two level limit model  https://review.openstack.org/557696
06:55 <openstackgerrit> wangxiyuan proposed openstack/keystone master: Add project_id filter for listing limit  https://review.openstack.org/579330
06:55 <openstackgerrit> wangxiyuan proposed openstack/keystone master: Add show hierarchy filter  https://review.openstack.org/579331
06:55 <openstackgerrit> wangxiyuan proposed openstack/keystone master: Update project depth check  https://review.openstack.org/580258
07:09 *** ispp has joined #openstack-keystone
07:20 *** ispp has quit IRC
07:22 *** peereb has joined #openstack-keystone
07:22 *** kashyap has left #openstack-keystone
07:26 *** ispp has joined #openstack-keystone
07:27 <openstackgerrit> Adrian Turjak proposed openstack/keystone master: Implement auth receipts spec  https://review.openstack.org/572286
07:29 *** amoralej|off is now known as amoralej
07:39 *** ispp has quit IRC
07:54 *** rcernin has quit IRC
08:00 *** ispp has joined #openstack-keystone
08:19 *** apdibbo has joined #openstack-keystone
08:27 *** tosky has joined #openstack-keystone
08:28 *** edmondsw has joined #openstack-keystone
08:32 *** edmondsw has quit IRC
08:55 *** ispp has quit IRC
09:14 <openstackgerrit> Adrian Turjak proposed openstack/keystone master: Implement auth receipts spec  https://review.openstack.org/572286
09:22 <openstackgerrit> Adrian Turjak proposed openstack/keystone master: Implement auth receipts spec  https://review.openstack.org/572286
09:33 <openstackgerrit> wangxiyuan proposed openstack/keystone master: [WIP]Add project hierarchical tree check when Keystone start  https://review.openstack.org/580331
09:50 *** ispp has joined #openstack-keystone
10:03 *** vishakha has quit IRC
10:17 *** vishakha has joined #openstack-keystone
10:25 *** annp has quit IRC
10:26 *** annp has joined #openstack-keystone
10:38 *** annp has quit IRC
10:49 *** annp has joined #openstack-keystone
10:54 *** annp has quit IRC
11:04 *** amoralej is now known as amoralej|lunch
11:29 *** edmondsw has joined #openstack-keystone
11:45 *** lifeless has quit IRC
11:53 *** gongysh has joined #openstack-keystone
12:07 *** edmondsw has quit IRC
12:13 *** edmondsw has joined #openstack-keystone
12:16 *** edmondsw_ has joined #openstack-keystone
12:19 *** edmondsw has quit IRC
12:28 *** jmlowe has joined #openstack-keystone
12:30 <openstackgerrit> wangxiyuan proposed openstack/keystone master: Add project hierarchical tree check when Keystone start  https://review.openstack.org/580331
12:31 *** vishakha has quit IRC
12:32 *** raildo has joined #openstack-keystone
12:44 <knikolla> o/
12:46 *** vishakha has joined #openstack-keystone
12:51 *** jmlowe has quit IRC
12:53 *** gongysh has quit IRC
12:55 *** vishakha has quit IRC
13:00 *** jmlowe has joined #openstack-keystone
13:08 *** vishakha has joined #openstack-keystone
13:28 *** amoralej|lunch is now known as amoralej
13:57 *** rmascena has joined #openstack-keystone
13:59 *** raildo has quit IRC
14:08 *** ispp has quit IRC
14:09 *** ispp has joined #openstack-keystone
14:11 *** rmascena is now known as raildo
14:13 *** rmascena has joined #openstack-keystone
14:16 *** raildo has quit IRC
14:24 *** rmascena is now known as raildo
14:25 <gagehugo> o/
14:36 *** mriedem has joined #openstack-keystone
14:36 <mriedem> riddle me this,
14:36 <mriedem> we're debating in #openstack-placement that keystone project/user ids have to be uuids or not
14:37 <mriedem> i didn't think they had to be uuids
14:40 *** itlinux has quit IRC
14:43 <ayoung> Anyone interested in co-presenting at the Summit? I have an idea for a talk. Tentative title "Pushing Keystone over the Edge" on dealing with the multi-site issues
14:43 <ayoung> mriedem, define "have to"
14:44 <ayoung> I made them work as DNs back in early LDAP days, but that is yucky
14:44 <ayoung> we assign UUIDs or things that look like them to Federated Ids that come in
14:44 <ayoung> I wanted them to be sha256 hashes, which are longer
14:45 <openstackgerrit> Kristi Nikolla proposed openstack/keystone master: Copy shibboleth logs in v3 functional jobs  https://review.openstack.org/580401
14:46 *** sonuk has quit IRC
14:46 <openstackgerrit> Kristi Nikolla proposed openstack/keystone-tempest-plugin master: Keystone to Keystone tests  https://review.openstack.org/580041
14:51 <mriedem> ayoung: is it safe to assume that project and user ids in openstack are UUIDs
14:51 <mriedem> or can they be other things based on how the deployment is configured
14:51 <mriedem> because a few years ago sdague asserted they don't have to be uuids and some deployments didn't make them uuids
14:51 <mriedem> or they encoded domain-specific things in the project id for some deployments
14:52 *** ayoung has quit IRC
14:52 *** testovich has quit IRC
14:55 <knikolla> mriedem: for projects, unless they are using their own custom made driver, yes. for users, not. ldap users don't have UUIDs.
14:56 <knikolla> bf97c38af9e3a2db2f63190683180b138c57f393a2ebea70287698e1fc427072 | demo
15:03 *** ayoung has joined #openstack-keystone
15:04 <mriedem> knikolla: ack thanks
15:13 <openstackgerrit> Kristi Nikolla proposed openstack/keystonemiddleware master: Document endpoint interface and region behavior  https://review.openstack.org/505396
15:13 <openstackgerrit> Kristi Nikolla proposed openstack/keystonemiddleware master: Document endpoint interface and region behavior  https://review.openstack.org/505396
15:15 *** fiddletwix has quit IRC
15:18 <openstackgerrit> Kristi Nikolla proposed openstack/keystone master: Only upload SP metadata to testshib.org if IDP id is testshib  https://review.openstack.org/545471
15:22 *** peereb has quit IRC
15:25 *** itlinux has joined #openstack-keystone
15:30 *** martinus__ has quit IRC
15:31 *** gyee has joined #openstack-keystone
15:41 <apdibbo> Hi, I am having an issue with Keystone and LDAP, is anyone around who could give me a few pointers? When active directory users are authenticating through keystone we are getting a 504 timeout. tracing through the logs it looks like it is authenticating against ldap but the clients receive a "ConnectFailure: Unable to establish connection to https://openstack.nubes.rl.ac.uk:5000/v3/auth/tokens: ('Connection aborted.',
15:41 <apdibbo> BadStatusLine("''",))"
15:55 *** dtruong has joined #openstack-keystone
16:01 *** jmlowe has quit IRC
16:20 *** mriedem has left #openstack-keystone
16:30 *** apdibbo_ has joined #openstack-keystone
16:32 *** ispp has quit IRC
16:33 *** apdibbo has quit IRC
16:35 *** apdibbo_ has quit IRC
16:38 <openstackgerrit> Stephen Finucane proposed openstack/keystone master: Replace support matrix ext with common library  https://review.openstack.org/527808
16:56 *** s10 has joined #openstack-keystone
17:03 *** amoralej is now known as amoralej|off
17:05 *** s10 has quit IRC
17:44 *** jmlowe has joined #openstack-keystone
18:11 *** pcichy has quit IRC
18:12 *** nicodemus_ has joined #openstack-keystone
18:13 <nicodemus_> Hello!
18:13 <nicodemus_> I'm trying to configure Keystone as a SP using a third-party IdP
18:15 <nicodemus_> but when horizon redirects to the OS-FEDERATION url, keystone logs that it's "missing entity ID from environment"
18:16 <nicodemus_> I'm having trouble understanding exactly how to tell keystone the ID of the entity I want to use... has anyone had such an issue?
18:16 *** s10 has joined #openstack-keystone
18:26 <cmurphy> nicodemus_: that error could have a lot of different causes but the gist is that horizon is trying to redirect to a keystone federation endpoint but it's failing to go through the apache saml mod which means it's failing to set the right headers in the apache request
18:26 <cmurphy> the first thing to check is that remote_id_attribute is set correctly in keystone.conf
18:27 <cmurphy> the next thing is to look at the <Location ..> directives in the vhost and make sure they're correct
18:27 <cmurphy> and then also check that the OPENSTACK_KEYSTONE_URL in horizon's local_settings.py is correct
18:34 <nicodemus_> cmurphy: so when horizon does the redirect to keystone, the request should contain a specific header telling keystone which identity-provider to use? Is that correct?
18:36 <cmurphy> nicodemus_: not exactly, when horizon does the redirect to keystone it should be redirecting to one of the paths protected by <Location ...> directives in the apache vhost, and the apache mod will set the needed headers before passing it on to keystone
18:36 *** pcichy has joined #openstack-keystone
18:37 <nicodemus_> I see. I've configured the remote_id_attribute in keystone.conf as per https://docs.openstack.org/keystone/pike/advanced-topics/federation/federated_identity.html (I'm using mellon, so the attribute is set to MELLON_IDP)
18:39 <nicodemus_> but it's unclear what effect that variable would have
18:42 <cmurphy> that setting just tells keystone how to process the data that apache is passing to it
18:43 <cmurphy> if you're using mellon then you should have some pieces in your keystone vhost that look something like this http://paste.openstack.org/show/725136/
18:44 <cmurphy> but the paths need to match the routes you're actually using, for example you may or may not have your keystone using a /identity endpoint and you need to make sure the idp and protocol parts of the path match what you configured
18:47 <nicodemus_> I see... so the <Location ...> stanza shouldn't have the MellonSPPrivateKeyFile directives? Those I've configured in the <Location /v3> section
18:49 <cmurphy> nicodemus_: no those are correct to have there, for example this has worked for me in the past http://paste.openstack.org/show/725137/
18:49 <cmurphy> sorry i just clipped it out because that's usually not the tricky part
18:55 <nicodemus_> thanks cmurphy! That's quite helpful
18:55 <nicodemus_> much obliged
18:55 <cmurphy> you're welcome, hope you work it out
19:21 *** Chealion has quit IRC
19:24 *** Chealion has joined #openstack-keystone
19:29 <nicodemus_> cmurphy: let me ask you yet another question (that might be obvious)
19:30 <nicodemus_> in the last paste, there's a <Location...> that goes on the vhost conf on keystone, and another <Location...> that goes on the horizon vhost?
19:31 <cmurphy> nicodemus_: no, sorry that comment is misleading, they're all for keystone
19:32 <nicodemus_> oh, ok
19:32 <nicodemus_> so horizon simply does a redirect, and all the mellon magic happens in keystone
19:33 <nicodemus_> do you by any chance know which header mellon would include in the request? I'm trying to validate if mellon is in fact doing something or not
19:36 <cmurphy> nicodemus_: I think it will literally be 'MELLON_IDP', and if it's working properly you should be able to see it in the keystone debug logs
19:37 <nicodemus_> Got it. Thanks again!!
19:37 <cmurphy> np
19:39 *** lifeless has joined #openstack-keystone
19:40 *** jmlowe has quit IRC
19:59 *** jmlowe has joined #openstack-keystone
20:05 *** pcichy has quit IRC
20:19 *** aojea_ has joined #openstack-keystone
20:28 *** dmellado has quit IRC
20:36 *** mchlumsky has quit IRC
20:40 *** raildo has quit IRC
20:56 *** aojea_ has quit IRC
20:59 <openstackgerrit> Kristi Nikolla proposed openstack/keystone master: Copy shibboleth logs in v3 functional jobs  https://review.openstack.org/580401
20:59 *** jmlowe has quit IRC
21:00 *** jmlowe has joined #openstack-keystone
21:01 *** aojea has joined #openstack-keystone
21:06 <nicodemus_> cmurphy: I'm making progress! But I still have another doubt regarding the traffic flow
21:07 <nicodemus_> I'm being redirected to the SAML host for login, but after using valid credentials there's a "bad request" page waiting for me.
21:07 <nicodemus_> Once the SAML host receives the credentials, is it supposed to do a callback to horizon, or to keystone?
21:11 <cmurphy> nicodemus_: i have a diagram for you http://www.gazlene.net/demystifying-keystone-federation.html#websso-with-keystone-and-horizon
21:11 <cmurphy> it should call back to keystone at that point
21:11 <nicodemus_> Wonderful! Many thanks!!
21:11 <cmurphy> is the bad request coming from keystone? or horizon? or the idp?
21:11 <nicodemus_> It's clear
21:12 <nicodemus_> it comes from keystone
21:12 <cmurphy> if you turn on insecure_debug = true in keystone.conf it should give you a clear error message of what went wrong
21:16 <nicodemus_> I see that I have an encrypted SAML response, but when it's POSTed to keystone on a URL that ends with 'auth/mellon/postResponse' I get the 400 error - bad request. Perhaps Keystone isn't able to decrypt the response?
21:19 <cmurphy> it should be able to decrypt it because exchanging the service provider's public key with the identity provider is part of uploading its metadata
21:20 <nicodemus_> Perhaps if the user that configures the IdP didn't configure my metadata properly, I should expect a 400 error
21:20 <nicodemus_> (I didn't mention that I'm not configuring the IdP)
21:22 <cmurphy> you might try setting it up with testshib.org and if you can get that working then you can compare to your idp
21:23 <cmurphy> the regular apache logs might have more information on mellon-specific errors if the keystone logs don't have anything
21:23 <nicodemus_> certainly, there's an error in the apache logs
21:24 <nicodemus_> http://paste.openstack.org/show/725149/
21:24 *** itlinux has quit IRC
21:27 <cmurphy> hmm I've never seen that one, but https://github.com/UNINETT/mod_auth_mellon/issues/112 seems to indicate that something might be wrong in the MellonIdPMetadataFile file
21:27 <nicodemus_> Looks like it
21:30 <nicodemus_> Do you know if the 'MellonIdP' value in the apache vhost for keystone should be the entityID from the metadata of the IdP?
21:34 <cmurphy> I don't think so, I just use "IDP". From the docs I think it's setting the name of the header, as in MELLON_IDP
21:34 <cmurphy> it's the name of the header that will have the entityID as its value
22:00 *** rcernin has joined #openstack-keystone
22:17 *** nicolasbock has quit IRC
22:17 <adriant> cmurphy: you still about?
22:23 *** aojea has quit IRC
22:30 *** nicodemus_ has quit IRC
22:39 *** aojea_ has joined #openstack-keystone
22:40 *** edmondsw_ has quit IRC
22:41 *** edmondsw has joined #openstack-keystone
22:45 *** edmondsw has quit IRC
22:55 *** aojea_ has quit IRC
22:58 *** rcernin has quit IRC
23:01 *** rcernin has joined #openstack-keystone
23:01 *** tosky has quit IRC
23:03 * kmalloc tries to vacation... keeps looking at code
23:07 <adriant> kmalloc: I was home sick yesterday... still followed up on code review
23:09 <adriant> Trying to keep away from work when stuff is a little time sensitive is hard, and also work/life balance is a thing so many people suck at!
23:16 *** aojea has joined #openstack-keystone
23:21 *** aojea has quit IRC
23:40 <openstackgerrit> Morgan Fainberg proposed openstack/keystone master: Flesh out and add testing for flask_RESTful scaffolding  https://review.openstack.org/578190
23:40 <openstackgerrit> Morgan Fainberg proposed openstack/keystone master: Make keystone.server.flask more interesting for importing  https://review.openstack.org/579928
23:40 <openstackgerrit> Morgan Fainberg proposed openstack/keystone master: Fix keystone.common.rbac_enforcer.__init__.py exporting  https://review.openstack.org/579930
23:40 <openstackgerrit> Morgan Fainberg proposed openstack/keystone master: Do not use flask.g imported as g  https://review.openstack.org/579985
23:46 *** aojea has joined #openstack-keystone
23:50 *** aojea has quit IRC

Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!