Thursday, 2018-11-01

*** aojea has quit IRC		00:00
*** markvoelker has quit IRC		00:01
*** zul has quit IRC		01:04
*** ayoung has quit IRC		01:49
*** Dinesh_Bhor has joined #openstack-keystone		01:54
*** sapd1 has quit IRC		02:02
*** sapd1_ has joined #openstack-keystone		02:02
*** markvoelker has joined #openstack-keystone		02:03
*** nelsnelson has quit IRC		02:33
*** nelsnelson has joined #openstack-keystone		02:35
*** markvoelker has quit IRC		02:35
openstackgerrit	Merged openstack/keystone master: Deprecate eventlet related configuration https://review.openstack.org/568764	02:39
*** xek has joined #openstack-keystone		03:09
*** sapd1_ has quit IRC		03:15
*** sapd1__ has joined #openstack-keystone		03:17
*** sapd1__ has quit IRC		03:22
*** sapd1_ has joined #openstack-keystone		03:22
*** markvoelker has joined #openstack-keystone		03:32
*** Dinesh_Bhor has quit IRC		03:56
*** markvoelker has quit IRC		04:06
*** xek has quit IRC		04:45
*** Dinesh_Bhor has joined #openstack-keystone		04:46
vishakha	lbragstad: Thanks for the quick update for https://review.openstack.org/#/c/589378/14/keystone/trust/backends/sql.py. I will update a follow up patch in master and will then backport it to stacble/rocky?	05:01
*** markvoelker has joined #openstack-keystone		05:02
*** markvoelker has quit IRC		05:36
*** Dinesh_Bhor has quit IRC		06:25
openstackgerrit	Vishakha Agarwal proposed openstack/keystone master: [WIP] Implement scope_type checking for role_assignments https://review.openstack.org/609210	06:29
*** markvoelker has joined #openstack-keystone		06:33
kmalloc	vishakha: no new functionality can be abckported	06:35
kmalloc	sorry	06:35
kmalloc	vishakha: so, no backporting in this case, rocky has shipped	06:35
vishakha	kmalloc: Hi, Actually I just proposed backport for Trust CLI, as one of our Customer was interested to get this feature in Rocky, as they will migrate to stein later . So If we can backport these patches -https://review.openstack.org/#/q/status:open+project:openstack/keystone+branch:stable/rocky+owner:%22Vishakha+Agarwal+%253Cagarwalvishakha18%2540gmail.com%253E%22	06:43
vishakha	kmalloc: Getting this in Rocky will be a great help.	06:45
*** Dinesh_Bhor has joined #openstack-keystone		07:01
openstackgerrit	Vishakha Agarwal proposed openstack/keystone master: Implement scope_type checking for role_assignments https://review.openstack.org/609210	07:05
*** markvoelker has quit IRC		07:05
*** Dinesh_Bhor has quit IRC		07:24
kmalloc	unfortunately that isn't something that we backport	07:24
openstackgerrit	Merged openstack/ldappool master: Add plumbing to support reno release notes https://review.openstack.org/614611	07:30
*** Dinesh_Bhor has joined #openstack-keystone		07:30
*** pcaruana\|elisa\| has joined #openstack-keystone		07:40
*** aojea has joined #openstack-keystone		07:41
*** pcaruana\|elisa\| has quit IRC		07:59
*** imacdonn has quit IRC		08:00
*** Dinesh_Bhor has quit IRC		08:02
*** markvoelker has joined #openstack-keystone		08:03
*** pcaruana has joined #openstack-keystone		08:05
*** aojea has quit IRC		08:11
*** markvoelker has quit IRC		08:36
*** aojea has joined #openstack-keystone		08:46
*** xek has joined #openstack-keystone		08:49
openstackgerrit	Vishakha Agarwal proposed openstack/keystone master: Add abstract method in trusts base.py https://review.openstack.org/614716	08:51
*** aojea has quit IRC		08:59
*** aojea has joined #openstack-keystone		09:00
*** Dinesh_Bhor has joined #openstack-keystone		09:05
openstackgerrit	Vishakha Agarwal proposed openstack/keystone master: Add abstract method in trusts base.py https://review.openstack.org/614716	09:11
*** aojea has quit IRC		09:13
vishakha	lbragstad: I updated the patch for abstract method in TrustBaseDriver https://review.openstack.org/614716. Pl review	09:13
*** wy has joined #openstack-keystone		09:19
*** masayukig[m] has joined #openstack-keystone		09:28
*** markvoelker has joined #openstack-keystone		09:33
vishakha	kmalloc: thanks. I get your point	09:40
kmalloc	np	10:00
kmalloc	sorry man	10:00
*** markvoelker has quit IRC		10:07
*** phuongnh has joined #openstack-keystone		10:14
openstackgerrit	Taishi Roy proposed openstack/keystone master: changed port in argument '--bootstrap-admin-url' https://review.openstack.org/614620	10:19
openstackgerrit	Shuayb Popoola proposed openstack/keystone master: use port 5000 and keystone-wsgi-public https://review.openstack.org/614734	10:21
*** jaosorior has quit IRC		10:23
*** wy has quit IRC		10:26
*** phuongnh has quit IRC		10:31
openstackgerrit	Shuayb Popoola proposed openstack/keystone master: use port 5000, keystone-wsgi-public, and --http-socket https://review.openstack.org/614735	10:41
*** dave-mccowan has joined #openstack-keystone		10:46
*** Dinesh_Bhor has quit IRC		10:57
*** markvoelker has joined #openstack-keystone		11:04
*** pcaruana has quit IRC		11:05
*** xek_ has joined #openstack-keystone		11:22
*** xek has quit IRC		11:25
*** xek__ has joined #openstack-keystone		11:25
*** xek_ has quit IRC		11:27
*** jaosorior has joined #openstack-keystone		11:35
*** markvoelker has quit IRC		11:36
*** Nel1x has joined #openstack-keystone		11:40
*** pcaruana has joined #openstack-keystone		11:52
openstackgerrit	Juan Antonio Osorio Robles proposed openstack/oslo.policy master: Pass in policy name as part of the oslopolicy-check check call https://review.openstack.org/614223	12:00
openstackgerrit	Juan Antonio Osorio Robles proposed openstack/oslo.policy master: Add ability to pass in target data for the oslopolicy-checker https://review.openstack.org/613313	12:00
openstackgerrit	Juan Antonio Osorio Robles proposed openstack/oslo.policy master: WIP: Create OPA check https://review.openstack.org/614224	12:00
*** raildo has joined #openstack-keystone		12:17
*** markvoelker has joined #openstack-keystone		12:31
*** Nel1x has quit IRC		12:37
*** imus has joined #openstack-keystone		12:46
*** jmlowe has quit IRC		12:47
*** zul has joined #openstack-keystone		12:56
*** zul has quit IRC		13:04
*** zul has joined #openstack-keystone		13:05
*** jmlowe has joined #openstack-keystone		13:07
*** mchlumsky has joined #openstack-keystone		13:12
*** belmoreira has joined #openstack-keystone		13:17
*** imus has quit IRC		13:20
*** imus has joined #openstack-keystone		13:20
lbragstad	vishakha awesome - thanks	13:22
*** imus_ has joined #openstack-keystone		13:32
*** imus has quit IRC		13:35
*** mvkr has quit IRC		14:40
gagehugo	o/	14:55
knikolla	o/	15:07
*** jmlowe has quit IRC		15:10
*** mvkr has joined #openstack-keystone		15:11
*** kukacz has quit IRC		15:12
*** itlinux has quit IRC		15:13
*** kukacz has joined #openstack-keystone		15:19
*** gyee has joined #openstack-keystone		15:33
kmalloc	o/ ....... <Zzzzzzzzzzzzzzzzzz> oh uh, I swear I'm not asleep.	16:02
*** belmoreira has quit IRC		16:11
*** dnguyen has joined #openstack-keystone		16:13
*** itlinux has joined #openstack-keystone		16:13
*** imacdonn has joined #openstack-keystone		16:15
*** dnguyen has quit IRC		16:18
lbragstad	i wonder if we have a bug in how we load backends	16:41
lbragstad	or default configuration	16:41
lbragstad	i wrote the bits for JWT, but for some reason keystone is trying to load it as the default token provider?	16:42
lbragstad	as in, CONF.token.provider is 'jwt'...	16:42
lbragstad	without using the fixture or specifying it	16:42
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Implement scaffolding for JWT provider https://review.openstack.org/614549	16:43
lbragstad	outside of that ^ that works	16:43
*** nels has joined #openstack-keystone		16:54
*** nelsnelson has quit IRC		16:55
*** belmoreira has joined #openstack-keystone		17:02
*** belmoreira has quit IRC		17:19
*** belmoreira has joined #openstack-keystone		17:20
openstackgerrit	Raildo Mascena proposed openstack/pycadf master: Enabling FIPS mode by using sha256 instead of md5 https://review.openstack.org/614817	17:44
kmalloc	lbragstad: i'd need to poke at it	17:45
kmalloc	huh i could have sworn we already did that ^ the sha thing	17:46
raildo	kmalloc, looks like we forgot to update the pycadf side	17:47
kmalloc	raildo: doh	17:48
lbragstad	you can recreate using tox locally without /etc/keystone/jwt-keys/ dir created	17:48
kmalloc	weird.	17:51
kmalloc	we didn't have this issue with uuid	17:51
kmalloc	so... weird.	17:51
lbragstad	right...	17:58
lbragstad	i'm going to decompose that review into bit-sized pieces a little later today	17:58
* lbragstad stepping away for about 30 minutes		18:00
kmalloc	lbragstad: we messed up in adding description to roles	18:01
kmalloc	lbragstad: we forgot to migrate the values from the json blob to the column	18:01
kmalloc	iirc that means descriptions got eaten	18:02
kmalloc	I think we messed up*	18:02
*** jpm__ has joined #openstack-keystone		18:09
jpm__	good day all... i have been struggling through a mitaka to ocata upgrade for days	18:12
*** prometheanfire has joined #openstack-keystone		18:13
jpm__	wondering if someone can point me in the right direction wrt this error "There is either no auth token in the request or the certificate issuer is not trusted. No auth context will be set"	18:13
prometheanfire	lbragstad: you are probably busy, but you still have an open assigned task (unless you unassign yourself) https://storyboard.openstack.org/#!/story/2003792	18:13
jpm__	seeing this in apache keystone log when running openstack commands against nova	18:14
jpm__	followed the ubuntu 16.04 install docs but seem to be stuck. do I need to manually generate tokens and send them to the endpoint via curl?	18:16
jpm__	any help would be much appreciated!!	18:17
jpm__	using password authentication. error pasted here http://paste.openstack.org/show/733856/	18:19
jpm__	openstack command error with debug here http://paste.openstack.org/show/733857/	18:21
*** jmlowe has joined #openstack-keystone		18:22
*** nels has quit IRC		18:33
jpm__	can someone tell me what section of keystone.conf "service_token_roles" should go into?	18:34
*** nelsnelson has joined #openstack-keystone		18:35
lbragstad	prometheanfire oh - i'm not sure i remember the context of that one	18:46
prometheanfire	lbragstad: doc reasoning behind lower-constraints testing and why it's useful	18:47
prometheanfire	iirc	18:47
prometheanfire	lbragstad: you going to berlin?	18:47
*** mvkr has quit IRC		18:47
lbragstad	prometheanfire yes	18:47
lbragstad	jpm__ http://paste.openstack.org/show/733857/ looks like an issue with nova client?	18:48
*** belmoreira has quit IRC		18:48
prometheanfire	we could meet there	18:48
lbragstad	prometheanfire ok	18:48
lbragstad	jpm__ "There is either no auth token in the request or the certificate issuer is not trusted. No auth context will be set. "	18:50
lbragstad	^ that isn't really an error - just unfortunate wording that makes it seem like it's an error	18:50
lbragstad	that wording has since been removed	18:50
jpm__	@lbragstad hi and thank you. I'll poke around in nova a bit more.	18:52
lbragstad	jpm__ did http://paste.openstack.org/show/733856/ go away regarding the AttributeError?	18:52
jpm__	@lbragstad no it did not :(	18:53
*** itlinux has quit IRC		19:01
jpm__	@lbragstad full error from apache keystone.log here http://paste.openstack.org/show/733890/	19:02
*** pcaruana has quit IRC		19:05
kmalloc	lbragstad: we have a bug i think	19:06
kmalloc	lbragstad: sending you a PM	19:06
lbragstad	kmalloc does that trace ring any bells for you?	19:10
lbragstad	^	19:10
kmalloc	nope	19:10
lbragstad	i thought it looked familiar but i'm not pulling anything up	19:10
kmalloc	i don't remember seeing that anywhere	19:10
kmalloc	it looks like we're not populating the context dict	19:11
kmalloc	which would be consistent with no token	19:11
kmalloc	or no auth context	19:11
kmalloc	somehow we got past the no context point and raised up an error because no context	19:12
lbragstad	right	19:12
lbragstad	we're logging no auth context	19:12
kmalloc	that does not sound familiar though (exception wise)	19:12
jpm__	@lbragstad so based on this conversation should I assume I do not have tokens setup properly?	19:24
lbragstad	jpm__ can you authenticate?	19:29
*** nels has joined #openstack-keystone		19:31
*** nelsnelson has quit IRC		19:32
*** belmoreira has joined #openstack-keystone		19:32
*** imus_ has quit IRC		19:39
*** imus_ has joined #openstack-keystone		19:39
*** itlinux has joined #openstack-keystone		19:39
openstackgerrit	Nathan Kinder proposed openstack/ldappool master: Allow pool status to be printed as a table https://review.openstack.org/614842	19:41
jpm__	@lbragstad based on this http://paste.openstack.org/show/733920/ i believe so. this was an "openstack group list" command that completed successfully	19:49
jpm__	@lbragstad there are errors in the log though	19:50
*** mvkr has joined #openstack-keystone		19:51
*** ayoung has joined #openstack-keystone		19:51
jpm__	@lbragstad and whenever i run an openstack command i get "Discovering versions from the identity service failed when creating the password plugin. Attempting to determine version from URL. Failed to contact the endpoint at http://controller:35357/v3/ for discovery. Fallback to using that endpoint as the base url"	19:51
ayoung	kmalloc, knikolla just got off a marathon call. We still want to talk today, or is it OK if we defer a bit?	19:51
knikolla	deferring works for me	19:52
kmalloc	ayoung: yeah can talk today or tomorrow	19:52
ayoung	I need food	19:52
kmalloc	I'll be in Berlin on ... Monday as well (early)	19:52
kmalloc	so anything we don't cover next week, I can hit the ground and help finish up	19:53
ayoung	kmalloc, ah...We'll schedule morning meetings then	19:53
kmalloc	so, next week I'll have one day I'll be unavailable as well prior to my flight on Sunday the 11th out to Berlin	19:54
kmalloc	i think it will be wednesday	19:54
kmalloc	next week.	19:54
ayoung	kmalloc lets shoot for a Monday session, then. I'll try to get the notes we have into a Slide preso format, with a reasonable theme, and we can take it from there.	19:54
kmalloc	wfm	19:57
lbragstad	jpm__ are you specifying an auth url in your config or clouds.yaml?	19:57
kmalloc	I'm going to try and catch up on sleep this weekend	19:57
*** ayoung has quit IRC		20:00
jpm__	@lbragstad in the nova.conf as auth_url = http://controller:35357	20:05
*** belmoreira has quit IRC		20:12
*** itlinux has quit IRC		20:14
*** itlinux has joined #openstack-keystone		20:15
jpm__	@lbragstad based on what you have seen what else should i investigate as a root cause?	20:32
*** dave-mccowan has quit IRC		20:32
*** belmoreira has joined #openstack-keystone		20:35
*** belmoreira has quit IRC		20:35
lbragstad	jpm__ were you able to get past the hypervisor key issue?	20:35
jpm__	@lbragstad no. most openstack commands fail with AttributeError: context_dict	20:40
jpm__	@lbragstad actually all openstack commands show this error but some commands do complete.	20:43
lbragstad	what release are you seeing that with? ocata?	20:45
jpm__	@lbragstad yes	20:46
lbragstad	are you using an older openstack client?	20:47
lbragstad	or have you upgraded that already?	20:47
gyee	kmalloc, lbragstad, stupid question, how do I log stuff here? https://github.com/openstack/keystone/blob/master/keystone/api/trusts.py	20:51
jpm__	@lbragstad already upgraded to 3.8.1	20:51
gyee	I am trying to chase down a test failure where user is unable to do 'openstack trust show <id>'	20:51
kmalloc	gyee: what are you trying to extract log wise?	20:52
lbragstad	gyee doesn't look like that module has any logging	20:52
kmalloc	gyee: you can just from oslo_log import log	20:52
lbragstad	and init a logger	20:52
kmalloc	and setup logging (temp) just like anywhere else	20:52
kmalloc	then call LOG.xxxx	20:52
lbragstad	LOG = log.getLogger(__name__) or something like that	20:52
kmalloc	inherently there is no extra logging in the api files unless needed.	20:52
gyee	I could, just wondering why that one have no logs	20:53
kmalloc	because there is nothing to log	20:53
gyee	:-)	20:53
kmalloc	logging happens above/below	20:53
kmalloc	but there is nothing to log in the api calls themselves	20:53
gyee	We ran into this problem where user can list trusts, but can do show trust	20:54
kmalloc	failures/etc are simple e.g. ValidationError, Unuathorized etc	20:54
kmalloc	gyee: hah, ask ayoung about that. there is an open bug.	20:54
gyee	can't do 'openstack trust show <id>'	20:54
gyee	it returns 200 with an empty list, which is weird	20:54
kmalloc	https://bugs.launchpad.net/keystone/+bug/1791973	20:54
openstack	Launchpad bug 1791973 in OpenStack Identity (keystone) "User cannot list their own trusts" [Medium,Triaged]	20:54
kmalloc	there is that one	20:54
gyee	this is 'trust show <id>'	20:55
gyee	list works fine	20:55
kmalloc	shrug might be enforcement	20:55
kmalloc	might be something wrong in OSC	20:55
gyee	no, otherwise, I would've expected a 403 or something	20:55
gyee	anyway, let me import oslo_log and poke around	20:56
kmalloc	look at the bits here: https://github.com/openstack/keystone/blob/master/keystone/api/trusts.py#L148-L154	20:56
kmalloc	asnd the normalization	20:56
kmalloc	but... show trust shouldn't be a list	20:57
kmalloc	fwiw	20:57
gyee	with debug enable I can see openstack CLI is sending something like "/v3/OS-TRUST/trusts?name=9f461863683f409ead3189a5f0d6aec3"	20:58
gyee	how does flask map the "name" parameter to "trust_id"?	20:58
kmalloc	that is a list with a filter by name	21:02
kmalloc	that is not a trust_id	21:02
kmalloc	so you're not calling OS-TRUSTS/trusts/<string:trust_id>	21:02
kmalloc	you're calling OS-TRUSTS/trusts and filtering the results by name	21:02
kmalloc	sounds to me like that is broken behavior in OSC	21:02
gyee	that's what openstack appear to be sending with "openstack trust show <id>"	21:02
kmalloc	do trusts even have... names?	21:02
gyee	nope :-)	21:03
gyee	maybe OCLI is broken broken	21:03
kmalloc	yeah, that is broken	21:03
kmalloc	not keystone, OSC or KSC issue	21:03
*** raildo has quit IRC		21:25
gyee	kmalloc, turns out it was our custom policy problem :-)	21:25
*** xek__ has quit IRC		21:36
kmalloc	gyee: .... didn't i say policy/enforcement off the bat?	21:37
kmalloc	;)	21:37
openstackgerrit	Merged openstack/pycadf master: Enabling FIPS mode by using sha256 instead of md5 https://review.openstack.org/614817	21:38
gyee	kmalloc, we make identity:get_trust unnecessarily restricted, I am going to change that	21:51
kmalloc	gyee: on your end you mean, in your policy file?	21:56
kmalloc	hehe, not surprising	21:56
* kmalloc might have a REALLY good idea of how everything in keystone works atm due to flask rework		21:56
kmalloc	;)	21:56
gyee	kmalloc, yes, at my end	22:01
mordred	kmalloc, gyee: see. policy files are the worst idea in the history of mankind	22:02
lbragstad	+2a	22:04
kmalloc	mordred: i just rm -rf'd oslo.policy	22:04
kmalloc	mordred: i feel better now	22:04
kmalloc	:)	22:04
mordred	kmalloc: +100	22:04
kmalloc	mordred: i really want custom policy to die.	22:04
kmalloc	or at least "custom policy" in a terrible json DSL	22:04
mordred	it's really the only thing I want in life	22:05
mordred	the api is the api	22:05
mordred	and it should be the api	22:05
kmalloc	i totally get that you might want custom role names / grant/revoke acess to some apis	22:06
kmalloc	like sub-admin	22:06
kmalloc	but that stuff should be very very straightforward	22:06
kmalloc	and defaults should be rich enough to do everything most people need.	22:06
kmalloc	very specifically ADMIN stuff should be what we split up with anything custom not general use-cases	22:06
kmalloc	and even then...	22:06
kmalloc	maybe not	22:06
gyee	we do have some custom roles and adminness to compensate for the lack of admin segregation support in upstream awhile back	22:08
gyee	anyway, time to consolidate	22:09
*** threestrands has joined #openstack-keystone		22:17
openstackgerrit	Nathan Kinder proposed openstack/ldappool master: Allow pool status to be printed as a table https://review.openstack.org/614842	22:17
*** erus has joined #openstack-keystone		22:55
openstackgerrit	Morgan Fainberg proposed openstack/keystonemiddleware master: Fix revocation list/PKI[z] removal nits. https://review.openstack.org/613966	23:02
*** mvkr has quit IRC		23:22
*** mvkr has joined #openstack-keystone		23:23
*** gyee has quit IRC		23:58

Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!