*** imacdonn has quit IRC | 01:17 | |
*** imacdonn has joined #openstack-keystone | 01:17 | |
*** rcernin has quit IRC | 01:40 | |
*** rcernin has joined #openstack-keystone | 01:40 | |
*** imacdonn has quit IRC | 02:35 | |
*** imacdonn has joined #openstack-keystone | 02:50 | |
*** pooja_jadhav has joined #openstack-keystone | 04:14 | |
*** viks__ has joined #openstack-keystone | 04:28 | |
*** shyamb has joined #openstack-keystone | 04:52 | |
*** spsurya has joined #openstack-keystone | 05:02 | |
*** shyamb has quit IRC | 05:09 | |
*** shyamb has joined #openstack-keystone | 05:23 | |
*** shyamb has quit IRC | 05:33 | |
*** dave-mccowan has joined #openstack-keystone | 05:36 | |
*** shyamb has joined #openstack-keystone | 05:49 | |
*** pcaruana has joined #openstack-keystone | 06:05 | |
*** shyamb has quit IRC | 06:24 | |
*** shyamb has joined #openstack-keystone | 06:24 | |
*** shyam89 has joined #openstack-keystone | 06:29 | |
*** shyamb has quit IRC | 06:32 | |
*** belmoreira has joined #openstack-keystone | 06:35 | |
*** nick_kar_ has joined #openstack-keystone | 06:42 | |
*** belmoreira has quit IRC | 06:45 | |
*** belmoreira has joined #openstack-keystone | 06:47 | |
*** rcernin has quit IRC | 07:06 | |
*** shyam89 has quit IRC | 07:07 | |
*** shyamb has joined #openstack-keystone | 07:13 | |
*** shyamb has quit IRC | 07:18 | |
*** shyamb has joined #openstack-keystone | 07:20 | |
*** mattgo has joined #openstack-keystone | 07:31 | |
*** shyamb has quit IRC | 07:35 | |
*** openstackgerrit has quit IRC | 08:22 | |
*** shyamb has joined #openstack-keystone | 08:30 | |
*** kukacz has quit IRC | 09:10 | |
*** jaosorior has quit IRC | 09:11 | |
*** kukacz has joined #openstack-keystone | 09:12 | |
*** shyamb has quit IRC | 09:26 | |
*** shyamb has joined #openstack-keystone | 09:35 | |
*** shyamb has quit IRC | 09:46 | |
*** shyamb has joined #openstack-keystone | 09:52 | |
*** sapd1__ has quit IRC | 09:54 | |
*** sapd1_ has joined #openstack-keystone | 09:59 | |
*** Emine has joined #openstack-keystone | 10:01 | |
*** shyamb has quit IRC | 10:21 | |
*** shyamb has joined #openstack-keystone | 10:21 | |
*** jaosorior has joined #openstack-keystone | 10:22 | |
*** shyamb has quit IRC | 10:35 | |
*** mvkr has quit IRC | 11:17 | |
*** mvkr has joined #openstack-keystone | 11:29 | |
*** shyamb has joined #openstack-keystone | 11:33 | |
*** shyamb has quit IRC | 11:45 | |
*** shyamb has joined #openstack-keystone | 11:47 | |
*** openstackgerrit has joined #openstack-keystone | 11:50 | |
openstackgerrit | Merged openstack/oslo.limit master: Ignore documentation builds https://review.openstack.org/603167 | 11:50 |
*** devx has quit IRC | 12:09 | |
*** shyamb has quit IRC | 12:37 | |
*** viks__ has quit IRC | 12:37 | |
mordred | kmalloc, cmurphy: https://review.openstack.org/#/c/604635/ is green with the testing and ready for review | 12:41 |
*** jaosorior has quit IRC | 12:42 | |
*** jaosorior has joined #openstack-keystone | 12:44 | |
*** jrist has joined #openstack-keystone | 12:59 | |
knikolla | o/ | 13:15 |
*** lbragstad has joined #openstack-keystone | 13:18 | |
*** ChanServ sets mode: +o lbragstad | 13:18 | |
lbragstad | o/ | 13:23 |
openstackgerrit | Lance Bragstad proposed openstack/oslo.limit master: Render API reference documentation https://review.openstack.org/600264 | 13:23 |
openstackgerrit | Lance Bragstad proposed openstack/oslo.limit master: Add a conceptual overview to docs https://review.openstack.org/600265 | 13:23 |
openstackgerrit | Lance Bragstad proposed openstack/oslo.limit master: Allow ProjectClaims to support multiple resources https://review.openstack.org/600266 | 13:23 |
openstackgerrit | Lance Bragstad proposed openstack/oslo.limit master: Use openstackdocstheme for documentation https://review.openstack.org/600866 | 13:24 |
*** lbragstad changes topic to "Rocky release schedule: https://releases.openstack.org/rocky/schedule.html | Meeting agenda: https://etherpad.openstack.org/p/keystone-weekly-meeting | Bugs that need triaging: http://bit.ly/2iJuN1h | Trello: https://trello.com/b/rj0ECz2c/keystone-stein-roadmap !!NOTE!! This Channel is Logged ( https://tinyurl.com/OpenStackKeystone )" | 13:29 | |
*** lbragstad changes topic to "Stein release schedule: https://releases.openstack.org/stein/schedule.html | Meeting agenda: https://etherpad.openstack.org/p/keystone-weekly-meeting | Bugs that need triaging: http://bit.ly/2iJuN1h | Trello: https://trello.com/b/rj0ECz2c/keystone-stein-roadmap !!NOTE!! This Channel is Logged ( https://tinyurl.com/OpenStackKeystone )" | 13:29 | |
*** belmorei_ has joined #openstack-keystone | 13:30 | |
*** belmoreira has quit IRC | 13:32 | |
*** SteelyDan is now known as dansmith | 13:34 | |
*** mbeierl has joined #openstack-keystone | 13:41 | |
*** edmondsw has joined #openstack-keystone | 13:48 | |
*** jaosorior has quit IRC | 13:55 | |
*** beekneemech is now known as bnemec | 13:57 | |
*** raildo has joined #openstack-keystone | 14:02 | |
openstackgerrit | Vishakha Agarwal proposed openstack/keystone master: Adresses LDAP case-sensitive issue https://review.openstack.org/603345 | 14:04 |
*** jdennis has quit IRC | 14:06 | |
*** jdennis has joined #openstack-keystone | 14:13 | |
openstackgerrit | Vishakha Agarwal proposed openstack/oslo.limit master: Make callbacks required for enforcement https://review.openstack.org/604795 | 14:14 |
*** belmorei_ has quit IRC | 14:19 | |
hrybacki | o/ | 14:29 |
*** belmoreira has joined #openstack-keystone | 14:30 | |
lbragstad | hrybacki morning - do we wanna try and go through the stein board sometime this week? | 14:31 |
hrybacki | lbragstad: yes -- I can do tomorrow before the weekly meeting if that works for you? | 14:31 |
lbragstad | yessir | 14:31 |
* hrybacki goes to send off an invite | 14:32 | |
lbragstad | my schedule is wide open this week so... | 14:32 |
cmurphy | kmalloc: knikolla query for you on the ml http://lists.openstack.org/pipermail/openstack-dev/2018-September/135006.html | 14:34 |
kmalloc | I saw, was reading the email, pre-coffee so brain is.... OoooooOOOooooOoooOoo | 14:35 |
cmurphy | kmalloc: no rush :) | 14:36 |
*** mchlumsky has joined #openstack-keystone | 14:40 | |
*** mchlumsky has quit IRC | 14:45 | |
*** mchlumsky has joined #openstack-keystone | 14:47 | |
*** dave-mccowan has quit IRC | 14:50 | |
aning | cmurphy: I have a keystone instance set up as SP and testshib.org as Idp. When I log in with the Idp, Horizon gives an error: The current path, auth/login/default/auth/OS-FEDERATION/websso/saml2, didn't match any of these. | 14:50 |
gagehugo | o/ | 14:50 |
aning | cmurphy: but I tried "identity/v3/auth/OS-FEDERATION/websso/saml2" directly, it works. | 14:51 |
aning | cmurphy: looks like some settings are missed in Horizon, that it doesn't redirect to the right URL | 14:52 |
cmurphy | aning: are you using master of horizon? i think I saw something similar last week but haven't had time to report the bug yet | 14:53 |
aning | cmurphy: I think so ... I'm using devstack master, so I would think it pulled in the master. | 14:54 |
aning | cmurphy: things seem to be working from the point where Apache shibboleth is contacted (this is the URL: identity/v3/auth/OS-FEDERATION/websso/saml2) | 14:56 |
cmurphy | aning: if it's what i was seeing, it seems to be new on master and rocky is not broken. you can try checking out stable/rocky in /opt/stack/horizon, then you'll also have to run some django commands to reinit horizon and then restart apache http://git.openstack.org/cgit/openstack-dev/devstack/tree/lib/horizon#n154 | 14:58 |
aning | cmurphy: thx, I'm trying this. Will report back. | 15:05 |
openstackgerrit | Gage Hugo proposed openstack/keystone master: [WIP] Add functional testing gate https://review.openstack.org/531014 | 15:10 |
*** dave-mccowan has joined #openstack-keystone | 15:12 | |
*** dave-mccowan has quit IRC | 15:17 | |
*** dave-mccowan has joined #openstack-keystone | 15:22 | |
cmurphy | mordred: so much for green https://review.openstack.org/604635 | 15:28 |
*** gagehugo has quit IRC | 15:29 | |
*** gagehugo has joined #openstack-keystone | 15:33 | |
mordred | cmurphy: ugh. that's a timeout issue in the openstacksdk test suite I've been fighting | 15:33 |
mordred | cmurphy: hopefully https://review.openstack.org/#/c/604628/ will stop the flapping | 15:45 |
*** lbragstad has quit IRC | 16:10 | |
*** lbragstad has joined #openstack-keystone | 16:18 | |
*** ChanServ sets mode: +o lbragstad | 16:18 | |
*** spotz is now known as spotz_ | 16:25 | |
*** spotz_ is now known as spotz | 16:25 | |
*** dave-mccowan has quit IRC | 16:38 | |
*** belmoreira has quit IRC | 17:04 | |
openstackgerrit | Merged openstack/keystone master: Implement Trust Flush via keystone-manage. https://review.openstack.org/589378 | 17:06 |
hrybacki | kmalloc: you around? | 17:16 |
*** mattgo has quit IRC | 17:16 | |
*** mvkr has quit IRC | 17:25 | |
errr | kmalloc: ah ok, well I opened a bug report about it https://bugs.launchpad.net/keystone/+bug/1793845 because in openstack-ansible we used the method I describe in our keystone playbook if we setup federation | 17:27 |
openstack | Launchpad bug 1793845 in OpenStack Identity (keystone) "Federation Protocol saml2 fails on Rocky" [Undecided,New] | 17:27 |
errr | and I feel like it worked still in Queens and changed in Rocky. I know it worked like I described in Pike for sure | 17:28 |
hrybacki | gagehugo: should https://github.com/openstack/keystone/blob/master/keystone/resource/controllers.py#L34-L40 be removed as well? | 17:32 |
*** dave-mccowan has joined #openstack-keystone | 17:35 | |
lbragstad | is it just me or does the new chrome update on osx seems *way* too much like safari? | 17:51 |
gagehugo | it is very safari-ish | 17:55 |
gagehugo | hrybacki: iirc another api was calling that for something | 17:56 |
gagehugo | https://github.com/openstack/keystone/blob/master/keystone/auth/controllers.py#L362 | 17:57 |
gagehugo | so I just left the class in | 17:57 |
*** mvkr has joined #openstack-keystone | 18:15 | |
hrybacki | gagehugo: ah I see. I wonder if we can point that at a newer helper function | 18:20 |
openstackgerrit | Andreas Jaeger proposed openstack/python-keystoneclient master: Use templates for cover and lower-constraints https://review.openstack.org/600692 | 18:22 |
openstackgerrit | Andreas Jaeger proposed openstack/python-keystoneclient master: Import legacy keystoneclient-dsvm-functional https://review.openstack.org/604868 | 18:22 |
gagehugo | hrybacki: yeah, I figured it could be done in a separate change | 18:31 |
gagehugo | (or wait until auth gets moved over and just avoid it lol) | 18:31 |
gagehugo | >.> | 18:31 |
aning | cmurphy: any idea how to turn Apache Shibboleth Mod ECP on? | 18:43 |
aning | cmurphy: I remember that you mentioned ECP on SP is off by default. | 18:44 |
errr | its off by default? | 18:46 |
aning | errr: to me? | 18:47 |
cmurphy | aning: in shibboleth2.xml in the SSO tag i think it's just ECP="true" or something like that | 18:47 |
aning | cmurphy: k, trying ... | 18:48 |
aning | <SSO entityID="https://idp.testshib.org/idp/shibboleth"> | 18:51 |
aning | SAML2 SAML1 ECP | 18:51 |
aning | </SSO> | 18:51 |
aning | Found this: | 18:55 |
aning | <SSO discoveryProtocol="SAMLDS" ECP="true" discoveryURL="https://examplefederation.org/DS"> | 18:55 |
aning | SAML2 SAML1 | 18:55 |
aning | </SSO> | 18:55 |
*** aojea has joined #openstack-keystone | 19:05 | |
*** pcaruana has quit IRC | 19:17 | |
aning | cmurphy: update ... minimum config like this works: | 19:17 |
aning | <SSO discoveryProtocol="SAMLDS" ECP="true"> | 19:17 |
aning | SAML2 SAML1 | 19:17 |
aning | </SSO> | 19:17 |
*** aojea has quit IRC | 19:23 | |
aning | cmurphy: but the WEBSSO support for Horizon is broken :( | 19:23 |
openstackgerrit | Harry Rybacki proposed openstack/keystone master: WIP: Convert projects API to Flask https://review.openstack.org/603451 | 19:23 |
*** aojea has joined #openstack-keystone | 19:24 | |
errr | aning: in which release? | 19:24 |
aning | errr: I'm using Devstack with master. | 19:24 |
errr | ah | 19:25 |
errr | havented tested that yet | 19:25 |
errr | -ed | 19:25 |
aning | I think I may to try another installation with Rocky. | 19:25 |
errr | it for sure works in rocky. I just did an install Friday | 19:26 |
errr | I was using mellon, but that wont matter at the horizon side of things | 19:26 |
aning | errr: what's your SSO section like? | 19:27 |
errr | in the horizon config? | 19:28 |
aning | errr: never mind, you are not using shibboleth ... | 19:28 |
errr | well I use both all the time | 19:28 |
errr | if Im working on rhel I have to use mellon, when Im on ubuntu our stuff uses shibboleth | 19:28 |
aning | errr: you made both WEBSSO and ECP work at the same time? | 19:28 |
errr | so I may have some misunderstanding of what ECP is, but I thought that was something on the IDP side of things, not the SP | 19:29 |
aning | errr: so far, I kind of made WEBSSO work with Horizon, and ECP work with openstack CLI, but not with the same config in shibboleth2.xml | 19:30 |
errr | ah so to use cli apps I use a work around which kind of sucks | 19:30 |
errr | there is a plugin from pf9 that I use | 19:30 |
aning | I don't think it's the client | 19:31 |
errr | https://github.com/michaelrice/openrc_maker I made this to get cli working with sso | 19:31 |
aning | errr: that's nice. | 19:32 |
errr | its ugly but it works | 19:33 |
aning | errr: but the openstack CLI does work. | 19:33 |
errr | yep | 19:33 |
errr | I worked with the pf9 fols to get their plugin into pip so I need to update my code to pip install their plugin rather than pull my fork of it from github | 19:34 |
aning | errr: In production, we definitely need WEBSSO with Horizon and ECP with openstack CLI work. | 19:34 |
errr | folks* | 19:34 |
errr | yeah we have to have web sso and cli for those users too | 19:35 |
aning | errr: and both need to work at the same time without any change to configuration. | 19:35 |
errr | we dont use sso for service accounts, just users | 19:35 |
errr | with the solution I came up with its 1 extra step for people to generate their openrc file before they can start using the cli | 19:36 |
aning | errr: What does the openrc maker generate, other than these OS environment variables? | 19:39 |
aning | errr: this is how the openstack CLI is used (copied from cmurphy's blog) | 19:41 |
aning | $ openstack \ | 19:41 |
aning | --os-auth-type v3samlpassword \ | 19:41 |
aning | --os-identity-provider testidp \ | 19:41 |
aning | --os-identity-provider-url https://idp.testshib.org/idp/profile/SAML2/SOAP/ECP \ | 19:41 |
aning | --os-protocol saml2 \ | 19:41 |
aning | --os-username myself \ | 19:41 |
aning | --os-password myself \ | 19:41 |
aning | --os-auth-url http://devstack-sp.wrs.com/identity/v3 \ | 19:41 |
aning | --os-project-name demo \ | 19:41 |
aning | --os-project-domain-name Default \ | 19:41 |
aning | --os-identity-api-version 3 \ | 19:41 |
aning | token issue | 19:41 |
errr | it just makes a valid openrc file. but it uses v3token instead of v3samlpassword | 19:41 |
aning | errr: you are using this with k2k? | 19:42 |
errr | I have not tested it with that. We normally use okta as an idp and also adfs | 19:42 |
errr | for k2k there may be something else better.. I just havent had that come in yet so I have never set it up | 19:43 |
aning | errr: It's just that the v3token reminds me of k2k, since in a k2k federated setup, the client gets a token from the Idp Keystone, and with that token starts the SAML procedure. | 19:50 |
*** raildo_ has joined #openstack-keystone | 20:11 | |
*** raildo_ has quit IRC | 20:12 | |
*** raildo has quit IRC | 20:13 | |
openstackgerrit | Ben Nemec proposed openstack/oslo.limit master: Fix doc grammar/spelling nits https://review.openstack.org/604907 | 20:49 |
openstackgerrit | Colleen Murphy proposed openstack/keystone master: Convert legacy functional jobs to Zuul-v3-native https://review.openstack.org/602452 | 20:57 |
lbragstad | is anyone here familiar with tempest auth clients? | 21:28 |
rodrigods | lbragstad, i kinda was, but i'm pretty sure my memory will fail me | 21:35 |
lbragstad | rodrigods yeah... it's kinda complicated | 21:35 |
lbragstad | i spent most of friday and today trying to find a way to add system-scoping to tempest clients | 21:36 |
lbragstad | curious if anyone anyone had pointers https://review.openstack.org/#/c/604909/ | 21:36 |
lbragstad | s/anyone anyone/anyone/ | 21:36 |
rodrigods | let me take a look | 21:37 |
lbragstad | https://review.openstack.org/#/c/604909/1/tempest/api/identity/admin/v3/test_credentials.py is ultimately what i want to do | 21:37 |
lbragstad | since it's needed for https://review.openstack.org/#/c/594547/11 to pass | 21:37 |
rodrigods | i have 0 memories of them :/ | 21:41 |
lbragstad | :) | 21:43 |
*** aojea has quit IRC | 21:47 | |
*** Emine has quit IRC | 22:03 | |
openstackgerrit | Merged openstack/oslo.limit master: Render API reference documentation https://review.openstack.org/600264 | 22:32 |
openstackgerrit | Merged openstack/oslo.limit master: Add a conceptual overview to docs https://review.openstack.org/600265 | 22:32 |
*** rcernin has joined #openstack-keystone | 22:45 | |
*** pooja-jadhav has joined #openstack-keystone | 22:51 | |
*** kukacz_ has joined #openstack-keystone | 22:55 | |
*** dims_ has joined #openstack-keystone | 22:59 | |
*** jamiec_ has joined #openstack-keystone | 22:59 | |
*** _d34dh0r53_ has joined #openstack-keystone | 23:00 | |
*** kukacz has quit IRC | 23:00 | |
*** pooja_jadhav has quit IRC | 23:00 | |
*** dims has quit IRC | 23:00 | |
*** d34dh0r53 has quit IRC | 23:00 | |
*** jlvillal has quit IRC | 23:00 | |
*** jamiec has quit IRC | 23:00 | |
*** cburgess has quit IRC | 23:00 | |
*** eglute has quit IRC | 23:00 | |
*** andreykurilin has quit IRC | 23:03 | |
*** andreykurilin has joined #openstack-keystone | 23:05 | |
openstackgerrit | Merged openstack/oslo.limit master: Fix doc grammar/spelling nits https://review.openstack.org/604907 | 23:54 |