Tuesday, 2018-07-17

*** rcernin_ has joined #openstack-keystone00:04
*** rcernin has quit IRC00:04
*** linkmark has quit IRC00:13
* jamielennox can't believe flask is actually happening 01:01
kmallocjamielennox: hehe01:08
kmallocmnaser: hold on. let me read that question01:08
kmallocmnaser: both keystones need to be able to validate the token.01:09
kmallocmnaser: it's totally fine to have a local replica/master that can issue tokens and that you can then use to speak to $_ENDPOINT01:09
kmallocmnaser: keystoneauth should handle that just fine as long as the token is valid01:10
kmallocjamielennox: i was sick of dealing with webob weirdness01:10
jamielennoxnot having v2 will have helped01:10
kmallocyes01:10
kmallocthat made it a lot easier01:10
jamielennoxi had it prototyped out at one point, but the v2 controller was a disaster01:10
kmallocbut... realistically, it's not that much more work to wire up APIs01:10
jamielennoxv3 controller, also not great01:11
jamielennoxbut yea01:11
kmallocwhat is awesome, the controller is dying01:11
kmallocwhat is not awesome, a lot of that code is not dying...has been "ported" to flask01:11
kmallocwhat is most awesome... @protected is finally on its last leg01:11
jamielennoxso the blocker there was always unwrapping policy01:12
jamielennox:)01:12
kmalloctook me ~8 days to rewrite @protected01:12
jamielennoxagain, prototypes but getting that to work across v2/v3 was just a mess01:12
kmallocbut we have docstrings now.01:12
kmallocand a generally better interface01:12
kmallocstill pretty opaque01:12
kmallocbut, way more usable01:12
jamielennoxyea, that's what i found with protected, the layers went so deep01:13
jamielennoxand no one was willing to touch the reviews for it01:13
kmallocjamielennox: https://review.openstack.org/#/c/576639/2301:14
kmallocsomehow i got that landed.01:14
kmallocnow i am just fighting with circular imports that don't show up in unit tests.01:14
kmallocwhich is kindof driving me batty01:14
jamielennoxlol, that there is just trust01:14
jamielennoxcan't validate that01:14
openstackgerritVu Cong Tuan proposed openstack/ldappool master: Switch to stestr  https://review.openstack.org/58130701:14
kmallocjamielennox: well, i wrote a bunch of tests for it too01:15
kmallocand it seemed to mirror @protected01:15
jamielennoxreturn flask.request.environ.get(context.REQUEST_CONTEXT_ENV, None) - feels like that should be easier01:16
kmallocso far so good01:16
jamielennoxbut at least it's using context01:16
kmallocjamielennox: yeah, well flask doesn't really talk "oslo context"01:16
jamielennoxright01:16
kmalloci figured that was better than the alternative... subclassing flask.request or some such01:16
kmallocsorry flask.Request01:16
jamielennoxwas just thinking i did a bunch of stuff to get ksm in front of keystone and it was passing down a usable context01:16
kmallocyep, and it does.01:17
jamielennoxbut yea, i've no idea what that would look like in flask01:17
kmalloctotally doable01:17
kmallocbut flask's contexts are a bit less structured.01:17
kmalloci might revisit and squash all the middleware to "before_request"functions once the apis are moved01:17
kmallocso we only legit load middleware from non-local packages01:17
jamielennoxeh, i trust you, and you're aware of all that stuff so i'm not criticizing from the sidelines01:18
kmallochehe, i didn't take it as criticism01:18
kmalloconce all the APIs are in-fact flask native, we'll be solid to do stuff like that. but right now we're mostly doing weird dispatching to the old mappers for everything but discovery (/ and /v3) and /credentials once the newest patch lands.01:19
*** stewie925 has quit IRC01:30
lbragstad+1 for the context bits01:32
lbragstadi'm at least happy that the policy enforcement stuff is easier to grok post-flask01:34
kmalloclbragstad: ok so... i have no idea how in the hell this is getting a circular import01:39
kmallocand that it doesn't happen in test01:39
*** sapd has joined #openstack-keystone01:39
kmallocheck, i can't duplicate this with raw import in a venv01:39
*** mvk_ has quit IRC01:39
lbragstadis this still in the credentials patch?01:40
*** mvk_ has joined #openstack-keystone01:42
kmallocyepo01:43
lbragstadhmm01:44
kmalloclbragstad: http://logs.openstack.org/50/582450/4/check/tempest-full/d8c524c/controller/logs/screen-keystone.txt.gz#_Jul_16_22_31_06_04027601:44
lbragstadso - it's affecting tempest and not unit tests?01:44
kmallocyep02:02
*** mvk_ has quit IRC02:02
kmallocand i can't even make it fail with direct imports of the modules02:02
kmallocand my local commit is the same as the one in gerrit02:03
* kmalloc shrugs.02:03
kmalloci'll poke at it more in a little bit02:03
*** mvk_ has joined #openstack-keystone02:03
*** dave-mccowan has joined #openstack-keystone02:07
*** dave-mcc_ has joined #openstack-keystone02:24
*** dave-mccowan has quit IRC02:25
lbragstadthat's weird02:27
openstackgerritMerged openstack/keystone master: Filter by entity_type in get_domain_mapping_list  https://review.openstack.org/57244602:38
openstackgerritMerged openstack/keystone master: Increase test coverage of entity_type id mapping query  https://review.openstack.org/58269202:38
*** flwang1 has quit IRC02:41
*** flwang1 has joined #openstack-keystone02:42
kmallocYep, totally weird.02:58
*** lbragstad has quit IRC03:05
*** abhi89 has joined #openstack-keystone03:14
*** dave-mcc_ has quit IRC03:30
openstackgerritwangxiyuan proposed openstack/keystone master: Strict two level limit model  https://review.openstack.org/55769604:00
openstackgerritwangxiyuan proposed openstack/keystone master: Add project_id filter for listing limit  https://review.openstack.org/57933004:00
openstackgerritwangxiyuan proposed openstack/keystone master: Add include_limits filter  https://review.openstack.org/57933104:00
openstackgerritwangxiyuan proposed openstack/keystone master: Update project depth check  https://review.openstack.org/58025804:00
openstackgerritwangxiyuan proposed openstack/keystone master: Add project hierarchical tree check when Keystone start  https://review.openstack.org/58033104:00
*** flwang1 has quit IRC04:56
openstackgerritMorgan Fainberg proposed openstack/keystone master: Move Credentials API to Flask Native  https://review.openstack.org/58245004:58
openstackgerritMorgan Fainberg proposed openstack/keystone master: Allow class-level definition of API URL Prefix  https://review.openstack.org/58272604:58
*** nelsnelson has quit IRC05:05
kmalloclbragstad[m]: i think i found the issue. looks like it is working now.05:20
*** rcernin_ has quit IRC05:25
*** rcernin has joined #openstack-keystone05:26
*** links has joined #openstack-keystone05:33
*** nelsnelson has joined #openstack-keystone05:41
*** alex_xu has quit IRC05:59
*** alex_xu has joined #openstack-keystone06:02
*** s10 has joined #openstack-keystone06:35
*** alex_xu has quit IRC06:36
*** alex_xu has joined #openstack-keystone06:36
*** martinus__ has joined #openstack-keystone06:37
*** s10 has quit IRC06:38
*** tesseract has joined #openstack-keystone06:48
*** ispp has joined #openstack-keystone06:59
*** peereb has joined #openstack-keystone07:04
*** rcernin has quit IRC07:11
*** AlexeyAbashkin has joined #openstack-keystone07:22
*** ispp has quit IRC07:28
openstackgerritMerged openstack/ldappool master: Switch to stestr  https://review.openstack.org/58130707:32
*** tosky has joined #openstack-keystone07:38
*** gongysh has joined #openstack-keystone07:57
*** ispp has joined #openstack-keystone08:15
*** alex_xu has quit IRC08:45
*** alex_xu has joined #openstack-keystone08:46
*** hoonetorg has quit IRC08:47
openstackgerritDirk Mueller proposed openstack/ldappool master: Bump to hacking 1.1.x  https://review.openstack.org/58316208:52
*** flwang1 has joined #openstack-keystone08:53
openstackgerritDirk Mueller proposed openstack/ldappool master: Switch to python-ldap again  https://review.openstack.org/58316408:55
*** ispp has quit IRC09:02
*** hoonetorg has joined #openstack-keystone09:04
openstackgerritTuan Do Anh proposed openstack/keystone master: Change "a SQL" to "an SQL"  https://review.openstack.org/57943209:16
*** annp has quit IRC09:18
*** annp has joined #openstack-keystone09:26
*** mvk_ has quit IRC09:56
*** abhi89 has quit IRC10:09
*** mvk_ has joined #openstack-keystone10:26
*** gongysh has quit IRC10:36
openstackgerritDao Cong Tien proposed openstack/keystone master: Adds doc8 check to pep8  https://review.openstack.org/58319610:44
*** ispp has joined #openstack-keystone10:55
*** sapd has quit IRC11:03
*** mvk_ has quit IRC11:09
*** mvk_ has joined #openstack-keystone11:09
*** d0ugal has quit IRC11:15
*** dave-mccowan has joined #openstack-keystone11:18
*** d0ugal has joined #openstack-keystone11:18
*** d0ugal has quit IRC11:18
*** d0ugal has joined #openstack-keystone11:18
*** sapd has joined #openstack-keystone11:20
*** abhi89 has joined #openstack-keystone11:33
openstackgerritwangxiyuan proposed openstack/keystoneauth master: [WIP]Add netloc and version check for version discovery  https://review.openstack.org/58321511:46
*** edmondsw has joined #openstack-keystone12:06
*** ispp has quit IRC12:22
*** gongysh has joined #openstack-keystone12:30
*** lbragstad has joined #openstack-keystone12:31
*** ChanServ sets mode: +o lbragstad12:31
*** nels has joined #openstack-keystone12:34
*** nelsnelson has quit IRC12:36
*** raildo has joined #openstack-keystone12:40
*** lbragstad has quit IRC12:41
*** raildo has quit IRC12:45
*** raildo has joined #openstack-keystone12:46
*** raildo has quit IRC12:50
*** raildo has joined #openstack-keystone12:52
*** peereb has quit IRC12:56
*** tosky has quit IRC12:56
*** tosky has joined #openstack-keystone12:56
*** raildo has quit IRC13:00
*** raildo has joined #openstack-keystone13:00
*** raildo has quit IRC13:03
*** raildo has joined #openstack-keystone13:03
*** ispp has joined #openstack-keystone13:17
*** aning_ has left #openstack-keystone13:24
*** aning_ has joined #openstack-keystone13:24
*** raildo has quit IRC13:35
*** raildo has joined #openstack-keystone13:36
*** raildo has quit IRC13:37
knikollao/13:37
evrardjphello folks13:38
*** raildo has joined #openstack-keystone13:39
devxHola!13:39
*** raildo has quit IRC13:41
evrardjpso I have a question about the state of keystone tempest testing...13:42
evrardjpwhere are we in the migration from https://github.com/openstack/tempest/tree/master/tempest/api/identity to https://github.com/openstack/keystone-tempest-plugin/tree/master/keystone_tempest_plugin/services/identity13:42
evrardjpis it the plan to not port everything to the keystone tempest plugin (and keep things in tempest)? or is there a plan to move things around?13:43
evrardjpI am asking this because I see commits like https://github.com/openstack/tempest/commit/7d2b636a30057ed8db8cfd4fe2248f509b3570f1#diff-5c9acbc10dc9d27b47985cd74ab100f6 happening .13:44
cmurphyevrardjp: the plan was never to remove any of keystone's tests from tempest13:45
cmurphythe plugin is just for the weird keystone things like ldap and saml testing13:45
evrardjpok13:46
evrardjpthanks for the clarification!13:46
cmurphyno problem13:46
evrardjp.buffer 813:46
evrardjpwoops13:46
*** ispp has quit IRC13:48
*** ispp has joined #openstack-keystone13:50
*** gongysh has quit IRC13:52
*** ispp has quit IRC13:52
mordredlbragstad[m], cmurphy: ftr - the ksa bug about internal urls and version discovery is 100% caused by the fact that none of the client libs ever actually did version discovery but instead just hardcoded url manipulations14:00
kmallocmordred: ouch14:00
*** gongysh has joined #openstack-keystone14:01
kmallocmordred: sigh.14:01
*** ispp has joined #openstack-keystone14:01
mordredkmalloc: yah.14:01
kmallocmordred: that makes me... sad.14:01
kmalloclike... super sad14:01
mordredwe have a workaround/fix in sdk14:01
mordredthat I think my suggestion is going to be pushing down into ksa14:01
mordredeven though it's ... sad14:01
*** ispp has quit IRC14:02
cmurphyI think wxy already proposed a potential fix https://review.openstack.org/58321514:02
mordredoh good14:04
mordredcmurphy: yes - that's basically the approach we have in sdk14:05
mordredhrm. I say we have a fix - I think we defer to ksa now :)14:07
* kmalloc needs to wake up.14:07
*** raildo has joined #openstack-keystone14:07
* cmurphy puts a cat near kmalloc's dog14:08
kmallocwe have not introduced nori to ... cats yet14:10
kmallocwe don't want her to lose that first interaction quite yet :P14:10
kmallocand... with the cats near by... it wont go well for her :P14:10
* kmalloc tags wxy's change ^ for review.14:11
kmalloclooks pretty straightforward.14:11
mordredkmalloc, cmurphy: I like it - and I think the tests that are broken are actually broken tests (or tests that show the brokenness) - so I think just fixing them is correct14:12
cmurphywxy: ^14:12
kmallocyep.14:13
kmallocthat was my quick gander14:13
kmalloci'll prob. pick it up and play cleanup if wxy doesn't have time. otherwise I'll provide review for it.14:13
*** quackrabbit has joined #openstack-keystone14:18
*** spilla has joined #openstack-keystone14:20
*** jmlowe has joined #openstack-keystone14:36
*** s10 has joined #openstack-keystone14:37
*** d0ugal has quit IRC14:37
*** ispp has joined #openstack-keystone14:38
*** ispp has quit IRC14:39
*** d0ugal has joined #openstack-keystone14:44
*** abhi89 has quit IRC14:55
*** lbragstad has joined #openstack-keystone14:57
*** ChanServ sets mode: +o lbragstad14:57
*** josecastroleon has joined #openstack-keystone14:58
*** josecastroleon has quit IRC14:59
*** ispp has joined #openstack-keystone15:03
*** d0ugal has quit IRC15:03
*** wxy| has joined #openstack-keystone15:06
*** abhi89 has joined #openstack-keystone15:08
lbragstadkmalloc: looks like you figured out the import thing?15:09
lbragstadwas it https://review.openstack.org/#/c/582450/4..5/keystone/server/flask/__init__.py ?15:09
*** jmlowe has quit IRC15:09
kmallocI don't know why I couldn't dupe it outside of tempest15:09
lbragstadif not - i do have a devstack ready to go15:09
kmallocBut it works now.15:09
lbragstadhuh...15:09
kmallocI know what was broken... But being unable to dupe it was weird.15:12
lbragstadand it was failing keystone tempest only though?15:13
kmallocyep15:13
kmallocwell it was failing to standup keystone in tempest15:13
kmalloci am sure i could have duplicated if i was standing up a whole keystone15:14
*** d0ugal has joined #openstack-keystone15:14
kmallocbut the fact that straight import statements didn't duplicate it was weird.15:14
kmallocand that unit tests worked15:14
lbragstadyeah...15:15
*** dgonzalez has left #openstack-keystone15:15
openstackgerritMorgan Fainberg proposed openstack/keystone master: [WIP] Move Trusts to Flask Native  https://review.openstack.org/58327815:15
kmalloclbragstad: ^ checkpoint for trusts moving15:15
kmallocjust so i don't lose my place. it was a lot of stash/stash pop :P15:16
*** jmlowe has joined #openstack-keystone15:18
kmalloclbragstad: but short of a few minor things trusts should be ready soon too15:18
lbragstadgoing through the pre-requisite patches right now15:18
lbragstadleading up to the credentials API15:19
kmallocyep.15:19
kmallocthese are a LOT less dense to go through now that we landed the bulk of the base code work15:19
*** errr has joined #openstack-keystone15:22
errrwhen using shibboleth federation and having websso enabled in horizon what generates the url for when I select my idp from the horizon dashboard vs logging in with a local account?15:24
kmalloclbragstad: i'm thinking application credentials, catalog, s3, ec2, revoke, auth, domain, project, group, user is about the order for conversion15:24
kmalloctoss in oauth1 and policy somewhere in there15:24
lbragstadkmalloc: that seems reasonable...15:25
kmalloclimit may move last just since we're iterating on it right now15:25
lbragstaderrr: i believe the IDP url is setup via keystone's configuration file15:25
*** d0ugal has quit IRC15:26
errrlbragstad: I have grepped for what is "wrong" with my url and cant find it in any of the files15:26
lbragstadhmmm15:26
errrlbragstad: for example mine is adding "okta" there and it should be "saml2" and if I manually change it to that in my browser things work15:27
* lbragstad double checks something quick15:27
lbragstaderrr: have you checked shibboleth configs?15:32
errryes15:33
errrlbragstad: so right now my url is :5000/v3/auth/OS-FEDERATION/websso/okta and it needs to be :5000/v3/auth/OS-FEDERATION/websso/saml2 and I grepped for "okta" and "websso" but I cant find that in there15:33
*** s10 has quit IRC15:33
*** s10 has joined #openstack-keystone15:35
*** abhi89 has quit IRC15:37
*** r-daneel has joined #openstack-keystone15:37
lbragstaderrr: what about your horizon configuration?15:38
*** jistr is now known as jistr|afk15:38
lbragstadhttps://docs.openstack.org/keystone/pike/advanced-topics/federation/federated_identity.html#horizon-changes15:38
errrlbragstad: so this url is generated without horizon being involved but I have made the relevant changes there15:39
lbragstadwhat do your idp resources look like in keystone?15:40
*** felipemonteiro has joined #openstack-keystone15:41
errrlbragstad: from openstack identity provider list ?15:42
lbragstadyeah15:42
errr| okta | True    | fe2fb222a44a40ca8592b8f8ced6ae15 | None        |15:42
errrI have another working system which has the same output for that command but it creates the correct url with the 'saml2' in it instead of 'okta'15:43
lbragstadhmm15:43
knikollaerrr: do you have multiple idps?15:44
errrknikolla: no just 1 for now.15:44
knikollaerrr: in the horizon config, there is a config for websso choices, with (idp, protocol) pairings15:48
knikollahttps://github.com/CCI-MOC/MOCOSPpuppet/blob/3d902da487fb4eac19fb3035c02bf76b3d141782/horizon/templates/local_settings.py.erb#L602-L60315:48
knikollahorizon uses that to figure out the url that it redirects you to15:49
errrha!15:49
errroh man. I totally missed that and I thought I had it15:49
errrbut you are right I am missing that from my config15:50
knikollaerrr: https://github.com/openstack/horizon/blob/3e0da5b91c28acdf86f5c33278623ac856e223c5/openstack_auth/utils.py#L189-L21015:50
knikollafull docs here15:50
errrI mean I have it.. but I had okta there and not saml2 which is what my working system has15:51
knikollacool!15:52
errrbouncing services now. i hope this works :D15:52
*** jmlowe has quit IRC15:53
errrsweet it works. Now I can figure out what else I have wrong. Probably the audience redirect or something but at least now I get my idp login page. Thanks for the help15:56
*** d0ugal has joined #openstack-keystone15:56
*** tesseract has quit IRC15:57
lbragstadthanks knikolla15:58
*** jmlowe has joined #openstack-keystone15:58
openstackgerritwangxiyuan proposed openstack/keystoneauth master: Add netloc and version check for version discovery  https://review.openstack.org/58321515:59
knikolla:)16:00
*** dklyle has quit IRC16:00
wxy|s10: https://review.openstack.org/583215 a quick fix, could you take a try to check it works or not?16:02
mordredwxy|: that patch lgtm16:12
s10wxy: It works for the access to the internal endpoints from the controller nodes. I will check, if it works well for public endpoints from outside the cloud.16:14
wxy|s10: sure16:17
s10wxy: it works for public endpoints.16:17
*** d0ugal has quit IRC16:18
*** harlowja has joined #openstack-keystone16:18
wxy|mordred: :)16:19
mordred\o/16:20
*** links has quit IRC16:24
*** dklyle has joined #openstack-keystone16:28
*** d0ugal has joined #openstack-keystone16:30
*** spilla has quit IRC16:31
*** gongysh has quit IRC16:35
*** spilla has joined #openstack-keystone16:41
*** mvk_ has quit IRC16:46
kmalloclol, OS-TRUST != OS-TRUSTS *facepalm*16:47
*** jmlowe has quit IRC16:48
*** jmlowe has joined #openstack-keystone16:51
*** AlexeyAbashkin has quit IRC16:59
lbragstad#startmeeting keystone-office-hours17:01
openstackMeeting started Tue Jul 17 17:01:51 2018 UTC and is due to finish in 60 minutes.  The chair is lbragstad. Information about MeetBot at http://wiki.debian.org/MeetBot.17:01
openstackUseful Commands: #action #agreed #help #info #idea #link #topic #startvote.17:01
*** openstack changes topic to " (Meeting topic: keystone-office-hours)"17:01
*** ChanServ changes topic to "Rocky release schedule: https://releases.openstack.org/rocky/schedule.html | Meeting agenda: https://etherpad.openstack.org/p/keystone-weekly-meeting | Bugs that need triaging: http://bit.ly/2iJuN1h | Trello: https://trello.com/b/wmyzbFq5/keystone-rocky-roadmap !!NOTE!! This Channel is Logged ( https://tinyurl.com/OpenStackKeystone )"17:01
openstackThe meeting name has been set to 'keystone_office_hours'17:01
lbragstadi have to step away for lunch17:06
*** fiddletwix has joined #openstack-keystone17:06
*** ispp has quit IRC17:06
* gagehugo goes to grab lunch as well17:09
openstackgerritwangxiyuan proposed openstack/keystoneauth master: Add netloc and version check for version discovery  https://review.openstack.org/58321517:09
*** lbragstad has quit IRC17:11
*** wxy| has quit IRC17:11
* kmalloc just ate17:19
kmallocbreakfast.17:19
*** felipemonteiro_ has joined #openstack-keystone17:26
*** felipemonteiro has quit IRC17:30
*** jistr|afk is now known as jistr17:30
*** mvk_ has joined #openstack-keystone17:35
cmurphyso with this one https://review.openstack.org/#/c/578008/ I'm unclear on why this option isn't automatically exposed by keystoneauth and wondering if we should be exposing it there rather than registering it in keystonemiddleware17:41
openstackgerritMerged openstack/ldappool master: Bump to hacking 1.1.x  https://review.openstack.org/58316217:44
*** s10 has quit IRC17:44
*** spilla_ has joined #openstack-keystone17:46
*** spilla has quit IRC17:46
*** r-daneel has quit IRC17:50
*** spilla_ has quit IRC17:51
*** mchlumsky has quit IRC17:51
*** mchlumsky has joined #openstack-keystone17:51
*** harlowja has quit IRC17:54
*** spilla has joined #openstack-keystone17:58
mnaserdoes the validate token endpoint speak to the db at all when using fernet?18:04
*** pcichy has quit IRC18:14
kmallocmnaser: yes.18:19
kmallocmnaser: the fernet data is very limited and relies on the db to look up the values18:19
mnaserah, i thought they can be validated on their own18:19
mnaserusing the private key18:19
kmallocnope. that was a feature of PKI tokens, but the token data was so large we exploded HTTP request handling18:20
mnaseryeah i remember those times18:20
kmallocFernet tokens are "live" validated, meaning direct lookup in the db18:20
kmallocit also means if a user's roles change, the validation payload would change, it reflects the current state of the DB plus or minus some delta depending on caching18:21
* kmalloc kicks the trust controller ... hard.18:21
kmallocok ok.. what in the heck... i am getting a non-iso time back... but afaict i'm only emitting iso time into the data struct18:22
kmallochow am i dropping the 'Z'...18:22
kmalloc*glare*18:22
cmurphythat sounds like a familiar bug18:23
kmallocyeah18:24
kmalloci am not seeing how the Z is being dropped18:24
kmallocit's... weird.18:24
*** jistr is now known as jistr|off18:25
*** r-daneel has joined #openstack-keystone18:27
kmallocahhh found it18:31
kmallocbadly named variables18:31
kmalloccmurphy: "trust" vs "new_trust" *eyeroll*18:31
*** r-daneel has quit IRC18:32
cmurphykmalloc: badly named variables changed the time format?18:32
kmallocyeah18:32
*** harlowja has joined #openstack-keystone18:32
kmalloci was re-normalizing the input data18:33
kmallocnot the "after store in the db" data18:33
cmurphyah18:33
kmallocnew_trust = providers.trust_api.create_trust()18:33
kmallocthen normalize_expires_at(trust)18:33
kmallocwhoope18:33
kmallocwhoopse*18:33
kmalloci renamed "new_trust" to "return_trust"18:33
kmallocjust to make it easier to see and behold, normalizing the correct ref makes the difference18:34
cmurphy++18:34
*** lbragstad has joined #openstack-keystone18:47
*** ChanServ sets mode: +o lbragstad18:47
*** mchlumsky has quit IRC18:55
*** mchlumsky has joined #openstack-keystone18:56
*** imacdonn has joined #openstack-keystone18:56
lbragstadmnaser: are you having some issues with fernet tokens?18:57
mnaserlbragstad: no, just trying to think of the cleanest way to architect this solution. Our keystone is based out in Montreal and we’re opening a region in the Silicon Valley18:59
mnaserSo trying to make sure the latency doesn’t break the world :)18:59
*** pcichy has joined #openstack-keystone19:00
lbragstadoh...19:01
lbragstadsure19:01
lbragstadi assume both are writeable?19:02
lbragstadsince token validation is read-only, the validation process should be immediate19:05
*** ksavich_ has joined #openstack-keystone19:09
*** s10 has joined #openstack-keystone19:10
kmalloclbragstad: damn19:15
kmalloclbragstad: looks like we need a handler that explicitly does a 404 not a 405 when a method is not implemented =/19:16
kmalloclbragstad: since our contract is crappy and 404s in those cases.19:16
lbragstadbah19:16
kmalloclbragstad: though... realistically that *isnt* really part of our api19:16
kmallocPATCH /v3/OS-TRUST/trusts/<trust_id> isn't really part of the API.19:16
kmallocbut...19:17
kmallocit requires me to "change" a test.19:17
kmallocso... what is your opinion here19:17
kmallocI'm personally ok with moving to a 405 in this case19:17
kmallocwe just explicitly test for a 404.19:17
kmallocif someone tries to patch a trust, it's a rando-40419:18
lbragstadif we end up going in that direction, i'd like to do it all at once for all 404s like that19:18
kmallocok i'll add a TODO explicitly in the PATCH implementation19:18
lbragstadi assume you're just talking about trusts?19:18
kmallocyeah for now19:18
kmallocsince we are migrating apis piece-meal i think a 404->405 for these cases is fine as we go19:19
kmallocftr: "put" will 405 for trusts19:19
kmallocand we don't check for that19:19
lbragstadhmm19:19
kmallocwe're highly inconsistent here19:20
*** tosky has quit IRC19:20
kmallocand it's not something that is "API" specific19:20
kmallocit's not like PATCH for trust ever did anything19:20
kmallocit does mean we need to implement a GET/POST/PUT/PATCH/DELETE for every resource that blindly 404s19:21
kmallocunless it is overidden. it feels weird to do that, esp. since we test for some of these cases but not really all/many/consistently any of them19:21
kmalloclbragstad: i'll defer to your call here though.19:22
kmallocso: quick check on options (pick one)19:22
kmalloc1) Implement explicit 404 where we test for it19:22
lbragstadthe explicit implementation would be nice19:23
kmalloc2) Implement explicit 404 everywhere19:23
kmallocfor un-defined methods19:23
kmalloc3) allow 405 to pass through for unimplemented methods19:23
* kmalloc prefers #319:23
lbragstad#2 makes things 405 -> 40419:23
kmalloc#2 is closest to what we have now.19:23
lbragstadhow much harder would it be to do #2 over #3?19:24
kmalloc#3 makes some things 404->405, but they aren't part of our API, it happens to be magic it happens19:24
kmalloc#2 is just defining a base class and if someone doesn't use it, it will 40519:24
kmalloc405 is the MOST correct error to pass through in these cases.19:25
lbragstadi agree there19:25
kmallocit mostly was an accident we got 404s because of how our system was implemented19:25
lbragstadi'm wondering what a client is going to do when they've been dealing with 404s and now they get a 40519:25
kmallocthey've been using an invalid/not part of the API already :P19:25
kmallocit could have resulted in any number of things.19:26
kmalloclet me check if tempest tries patching trusts.19:26
kmalloci think that will answer my question on "is this part of the api"19:26
kmallocyeah tempest doesn't even try to patch a trust19:27
kmallocso, revised order of preference: #3 -> 405s, #1 -> explicit 404 if we test for it, #2 blanket 40419:28
*** flwang1 has quit IRC19:29
lbragstadfrom an API guidelines perspective, going from 404 -> 405 is allowed?19:29
kmalloci'd contest this isn't part of the API19:30
kmallocPATCH is not implemented for Trusts.19:30
kmallocsame with PUT19:30
kmallocif patch was implemented, it wouldn't be allowed19:30
kmallocbut since it's an unimplemented method, it isn't part of the API.19:31
kmallocit is the responsibility of the underlying server to handle it.19:31
*** s10 has quit IRC19:32
lbragstadok19:33
lbragstadin that case i think i'm fine with #319:33
kmallocyeah.19:34
kmallocyou know me, i'm pretty strict on the not breaking the contract19:34
kmalloc;)19:34
kmalloci'm proposing it as 40519:34
kmallocbut we can reverse course if needed19:34
*** fiddletwix has quit IRC19:34
*** fiddletwix has joined #openstack-keystone19:35
lbragstadbut 405 seems like the most correct thing in this context19:35
kmallocyep19:36
lbragstadat least based on my interpretation of the RFC19:37
kmallocexactly19:37
kmalloci'll make sure to add a note in the review for the reviewers19:37
lbragstad++19:37
lbragstad^ kinda would be nice in a separate patch.. but19:37
lbragstader - that'd be a reason for it...19:37
kmalloci have to separate out some patches anyway19:37
lbragstadbut calling it out in the review might be fine19:37
kmalloci'll split that19:38
kmalloci have a bug in RBACEnforcer, Json_home population, and something else19:38
kmallocso this is being split into 2-3 patches anyway19:38
lbragstadok19:41
*** fiddletwix has quit IRC19:42
*** fiddletwix has joined #openstack-keystone19:43
*** kfox1111 has joined #openstack-keystone19:45
kfox1111question. does keystone support osprofiler and how far back does its support go?19:45
lbragstadyes - we've had that support since like newton i think19:48
kfox1111ok. cool. thanks.19:48
lbragstad 639e36adbfa0f58ce2c3f31856b4343e9197aa0e19:50
lbragstadhttps://review.openstack.org/#/c/103368/19:51
kfox1111nice. :)19:52
kmalloclbragstad: bah20:05
kmalloclbragstad: i found a bug in our json_home test...20:05
kmalloci think.20:05
kmallocah just "observed" expected is wonky20:07
kmallocnvm20:07
*** quackrabbit has quit IRC20:09
lbragstadi have to relocate quick20:20
mnaserlbragstad: i think i am okay with only 1 of the keystones being write-able20:20
mnaserso auth happens in that one location, always.20:20
lbragstadah20:20
lbragstadbut validate should be able to happen in both20:21
mnaseryes20:21
mnaserand the idea is validate being able to happen to the closer datacenter (this is really to avoid latency in the openstack apis)20:21
lbragstadwell - let me know if there is anything we can do to improve that upstream20:21
*** AlexeyAbashkin has joined #openstack-keystone20:22
mnaserwell i'm just wondering how 'bad' it would be if i had a 70ms latency between keystone/openstack (while using memcache anyways)20:22
mnasermemcache being local obviously20:22
mnaser75ms rtt that is20:23
kmallocnot terrible, but... sub-ideal imo20:26
kmalloclike... nothing should break overtly20:26
kmalloca keystone validate is not "fast"20:27
kmallocbut i worry about a non-local memcache in general20:27
*** lbragstad has quit IRC20:28
mnaseroh there will be a local memcache20:29
mnaserbut i suspect not a lot of clients reuse tokens besides openstack services20:29
kmallocah20:29
kmalloclbragstad[m]: should have trusts pushed up in a moment20:30
*** raildo has quit IRC20:31
imacdonnspeaking of memcache, I have a topic for discussion, but I don't want to interrupt, so let me know when you guys are done ;)20:32
errrI'm having some trouble getting logged into Horizon using keystone shibboleth federation. When I successfully auth with my IDP I get redirected to https://aio.mrice.internal:5000/v3/auth/OS-FEDERATION/websso/saml2?origin=https://aio.mrice.internal/dashboard/auth/websso/ and it tells me 401 The request you have made requires authentication.20:35
errrany idea what I may have missed in my setup that's keeping this from working?20:35
cmurphyerrr: if you turn on insecure_debug in keystone.conf it will tell you specifically what went wrong (remember to turn it off in production)20:36
errrcmurphy: thanks20:36
*** raildo has joined #openstack-keystone20:38
imacdonnso my problem has to do with exceeding memcached's maximum connections limit .., caused by neutron-server, which uses keystonemiddleware20:39
errrwow. that helped a ton. Thanks again cmurphy20:39
openstackgerritMorgan Fainberg proposed openstack/keystone master: Move trusts to flask native dispatching  https://review.openstack.org/58327820:39
openstackgerritMorgan Fainberg proposed openstack/keystone master: Correctly pull input data for enforcement  https://review.openstack.org/58335620:39
openstackgerritMorgan Fainberg proposed openstack/keystone master: Allow for 'extension' rel in json home  https://review.openstack.org/58335720:39
openstackgerritMorgan Fainberg proposed openstack/keystone master: Trusts do not implement patch.  https://review.openstack.org/58335820:39
kmallocimacdonn: ok i can focus now that those patches are pushed20:39
kmallocimacdonn: yep, i've seen that in the past. the correct answer is, unfortunately, to use the memcache-pool20:40
kmallocimacdonn: the issue is eventlet creates a new connection per-green-thread20:40
kmallocimacdonn: and doesn't clean up its connections well20:40
imacdonnkmalloc: yes, exactly .. gleaned from comments in https://bugs.launchpad.net/fuel-ccp/+bug/165307120:40
openstackLaunchpad bug 1653071 in fuel-ccp "Lack of free connections to memcached cause keystone middleware to stall" [High,Fix released] - Assigned to Fuel CCP Bug Team (fuel-ccp-bugs)20:40
kmallocimacdonn: i'll need to check to make sure memcachepool has been implemented for ksm20:40
kmallocimacdonn: it might be only in oslo_cache, and ksm is not on oslo_cache (if i remember correctly) yet20:41
imacdonnkmalloc: there's a config option "memcache_use_advanced_pool", but I've not been able to make much sense of it20:41
kmallocthis is one of the major reasons keystone dropped eventlet and all greenlet/greenthread based handling.20:41
kmallocimacdonn: ah that would be the option.20:41
kmallocimacdonn: it... is not a good piece of code. (and i apologize for that)20:41
kmallocimacdonn: python-memcache is sort of a trainwreck on some fronts and we eat it badly because of it.20:42
kmallocour solution(s): migrate to oslo-cache and implement a better backend for dogpile that is not based on python-memcached20:42
kmallocit's been a long term goal.20:42
imacdonnkmalloc: Heh. OK, well at least it's good to know I'm not missing something stupid20:42
kmallocnope. that advanced pool is the only real solution20:43
kmallocit basically builds a shared set of memcache connections20:43
kmallocbut since python-memcache uses threadlocal natively and we stack on top of that, it is prone to being more fragile than we'd like20:43
kmallocand we have had to reference internal interfaces20:43
imacdonnso there are a couple of bugs related to that - https://bugs.launchpad.net/keystonemiddleware/+bug/1748160 and https://bugs.launchpad.net/keystonemiddleware/+bug/174756520:44
openstackLaunchpad bug 1748160 in keystonemiddleware "memcache_use_advanced_pool = True doesn't work when use oslo.cache" [Undecided,Fix released] - Assigned to wangxiyuan (wangxiyuan)20:44
openstackLaunchpad bug 1747565 in keystonemiddleware "AttributeError when use memcache_use_advanced_pool = True in Ocata" [Undecided,Fix released] - Assigned to wangxiyuan (wangxiyuan)20:44
imacdonnI tried back-porting the fixes, and also tried updating middleware to 5.x in my Queens environment20:44
kmalloclbragstad[m], knikolla: damn so close. -333, +337, would have been awesome if it was +333/-33320:45
imacdonnbut I can't get it to work .. it doesn't seem to make any connections to memcached ... and then things start sporadically hanging20:45
kmallocimacdonn: updating middleware beyond the release is a recipe for disaster, since ksm needs to lean on the libs in that nova/neutron/etc do20:45
imacdonnkmalloc: yeah, I figured, but had to try it (in a lab env)20:45
kmallocright20:45
kmallochm.20:45
aning_Hi, for fernet keys, are there any ways to generate them other than keystone-manage fernet_setup?20:46
imacdonnso I guess I can try upping the max connections limit, but it's icky :/20:46
kmallocyeah20:48
*** martinus__ has quit IRC20:48
kmallocimacdonn: you're on Queens?20:48
imacdonnkmalloc: yes20:48
kmallocimacdonn: hmm.20:48
kmalloci really want to re-write that20:48
* kmalloc wishes he could write more code faster20:48
imacdonnkmalloc: actually, maybe the problem env is Pike20:48
kmallocstil.20:49
kmallocstill*20:49
imacdonnyeah, it's Pike ... but I haven't found anything that obviously makes it better in Queens20:49
kmallocyeah. i just don't know i can offer some "here is an alternative solution" but it likely wont be straightforward20:50
kmallocand might require replacing part of ksm's code20:50
*** raildo has quit IRC20:50
imacdonnpart of my concern is that I don't have a good handle on how the connections are accumulating, so I don't know what I need to set the limit to20:50
imacdonn(as a workaround) ... or maybe they'll just keep multiplying? :/20:51
*** AlexeyAbashkin has quit IRC20:54
*** d0ugal has quit IRC20:58
*** d0ugal has joined #openstack-keystone21:00
*** d0ugal has quit IRC21:00
*** d0ugal has joined #openstack-keystone21:00
*** spilla has quit IRC21:03
openstackgerritMorgan Fainberg proposed openstack/keystone master: Allow for 'extension' rel in json home  https://review.openstack.org/58335721:04
openstackgerritMorgan Fainberg proposed openstack/keystone master: Move trusts to flask native dispatching  https://review.openstack.org/58327821:04
openstackgerritMorgan Fainberg proposed openstack/keystone master: Use oslo_serialization.jsonutils  https://review.openstack.org/58337321:04
openstackgerritMorgan Fainberg proposed openstack/keystone master: Add pycadf initiator for flask resource  https://review.openstack.org/58337421:04
kmallocimacdonn: it's just because eventlet and its backend suck at this part21:05
kmallocthe accumulation is mostly dead connections that haven't been cleaned up21:05
kmallocthe answer is ... set it obnoxiously high21:06
kmallocif changing on the memcache side21:06
imacdonnyes, I guess that's all I can do .... unless I can shorten the lifetime21:06
kmallocyou can take a look at netstat and see what you have21:06
imacdonn# (Optional) Number of seconds a connection to memcached is held unused in the21:06
imacdonn# pool before it is closed. (integer value)21:06
imacdonn#memcache_pool_unused_timeout = 6021:06
imacdonnnot sure if that comes into play or not21:07
kmallocthat only applies when using the advanced pool21:07
imacdonnooh21:07
*** flwang1 has joined #openstack-keystone21:07
imacdonnis the advanced pool stuff documented somewhere? I haven't found anything that even mentions it, other than config comments21:07
imacdonnI'm going to try again to patch the two bugs in Queens... but when I tried that before, it seemed it wasn't making any connections to memcached at all21:09
imacdonnside question ... how can I turn on debug logging for this?21:09
imacdonn(from a client like neutron)21:09
kmallocin pike the memcachepool is here https://github.com/openstack/keystonemiddleware/blob/stable/pike/keystonemiddleware/auth_token/_memcache_pool.py21:11
kmallocqueens moves to oslo_cache21:11
kmallocpatching / backporting is going to be really hairy21:11
kmalloctotally different code bases21:11
imacdonnif I can get the pool to work on Queens, it'd be good incentive to upgrade ... want to get that done anyway21:12
kmallocaye21:12
kmallocso queens is very different21:13
kmallocman.. our docs suck21:14
kmalloci'm so very sorry21:14
imacdonnheh21:14
kmallocso, i think the answer is configure memcache, then do the advanced_pool=true option21:18
kmallocyou have a number of tunables for ksm in the pool21:18
kmallocmost are sane-ish defaults21:19
imacdonnOK, so I went back to the Queens version of ksm, and encountered the two bugs mentioned above ... so applied the patches .... and now I'm back to no connections, and things are hanging21:19
kmallocweird.21:19
kmallocvery weird.21:19
kmallocipv4 or ipv6?21:20
imacdonnthe hosts have v6 addresses, but they're not being used21:21
kmallocright21:21
imacdonnor, at least, nothing is configured to use them (and there are no DNS references to them)21:21
kmallocmemcache has issues in this case with v621:21
kmallocbut as long as you're using v421:21
kmallocthat is a non-issue21:22
imacdonnok21:22
kmalloccan you reach memcache server from the neutron server host?21:22
imacdonnyes ... they're actually on the same host21:23
kmalloctelnet should work fine to test21:23
imacdonn# lsof -i TCP:11211 | wc -l21:23
imacdonn49521:23
imacdonn# lsof -i TCP:11211 | grep ^neutron21:23
imacdonn#21:23
kmallocwell, more specifically can you reach memcache via telnet using the ip/port specified in neutron config21:23
imacdonnnote that it works if the advanced pool is not enabled21:23
kmallocjust making sure it's not just something wonky going on21:23
kmallocah21:23
kmallocok21:23
kmallochm21:23
imacdonncompare to:21:24
imacdonn# lsof -i TCP:11211 | grep -c ^neutron21:24
imacdonn286621:24
imacdonn#21:24
imacdonn(Pike env that has the problem)21:24
*** felipemonteiro_ has quit IRC21:27
kmallochm.21:28
kmalloci don't see how this is not working21:28
kmallocthere is nothing wonky in the code base atm21:28
kmallocit should just work with the advanced pool21:28
imacdonnyeah. I'm trying to figure out what it's hanging on21:29
kmallocbe back in a few21:29
imacdonnk21:29
kmalloci need to not look at this for a sec and get some food/another coffee21:29
kmalloc:)21:29
imacdonn:)21:29
*** edmondsw has quit IRC21:36
*** edmondsw_ has joined #openstack-keystone21:45
*** mchlumsky has quit IRC21:49
*** edmondsw_ has quit IRC21:49
*** spilla has joined #openstack-keystone21:51
*** dave-mccowan has quit IRC22:16
*** spilla has quit IRC22:18
*** rcernin has joined #openstack-keystone22:32
*** imacdonn has quit IRC22:44
*** imacdonn has joined #openstack-keystone22:44
*** lbragstad has joined #openstack-keystone22:50
*** ChanServ sets mode: +o lbragstad22:50
imacdonnkmalloc: unsurprisingly, the hang is occurring here (haven't attempted to trace beyond this point yet):  https://github.com/openstack/keystonemiddleware/blob/stable/queens/keystonemiddleware/auth_token/__init__.py#L73022:50
lbragstad#endmeeting22:51
*** openstack changes topic to "Rocky release schedule: https://releases.openstack.org/rocky/schedule.html | Meeting agenda: https://etherpad.openstack.org/p/keystone-weekly-meeting | Bugs that need triaging: http://bit.ly/2iJuN1h | Trello: https://trello.com/b/wmyzbFq5/keystone-rocky-roadmap !!NOTE!! This Channel is Logged ( https://tinyurl.com/OpenStackKeystone )"22:51
openstackMeeting ended Tue Jul 17 22:51:44 2018 UTC.  Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4)22:51
openstackMinutes:        http://eavesdrop.openstack.org/meetings/keystone_office_hours/2018/keystone_office_hours.2018-07-17-17.01.html22:51
openstackMinutes (text): http://eavesdrop.openstack.org/meetings/keystone_office_hours/2018/keystone_office_hours.2018-07-17-17.01.txt22:51
openstackLog:            http://eavesdrop.openstack.org/meetings/keystone_office_hours/2018/keystone_office_hours.2018-07-17-17.01.log.html22:51
lbragstadsorry that was a bit late22:51
imacdonnthat was a long meeting ;)22:53
lbragstadyeah - technically it was our office hours :)22:54
imacdonnah22:55
*** itlinux has joined #openstack-keystone23:03
lbragstadcmurphy: thanks for following up on the limits review23:04
*** tosky has joined #openstack-keystone23:09
*** itlinux has quit IRC23:09
*** itlinux has joined #openstack-keystone23:17
openstackgerritMorgan Fainberg proposed openstack/keystone master: Correctly pull input data for enforcement  https://review.openstack.org/58335623:27
openstackgerritMorgan Fainberg proposed openstack/keystone master: Use oslo_serialization.jsonutils  https://review.openstack.org/58337323:27
openstackgerritMorgan Fainberg proposed openstack/keystone master: Add pycadf initiator for flask resource  https://review.openstack.org/58337423:27
openstackgerritMorgan Fainberg proposed openstack/keystone master: Allow for 'extension' rel in json home  https://review.openstack.org/58335723:27
openstackgerritMorgan Fainberg proposed openstack/keystone master: Trusts do not implement patch.  https://review.openstack.org/58335823:27
openstackgerritMorgan Fainberg proposed openstack/keystone master: Move trusts to flask native dispatching  https://review.openstack.org/58327823:28
*** ksavich_ has quit IRC23:46

Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!