Thursday, 2018-11-01

*** aojea has quit IRC 00:00
*** markvoelker has quit IRC 00:01
*** zul has quit IRC 01:04
*** ayoung has quit IRC 01:49
*** Dinesh_Bhor has joined #openstack-keystone 01:54
*** sapd1 has quit IRC 02:02
*** sapd1_ has joined #openstack-keystone 02:02
*** markvoelker has joined #openstack-keystone 02:03
*** nelsnelson has quit IRC 02:33
*** nelsnelson has joined #openstack-keystone 02:35
*** markvoelker has quit IRC 02:35
<openstackgerrit> Merged openstack/keystone master: Deprecate eventlet related configuration
*** xek has joined #openstack-keystone 03:09
*** sapd1_ has quit IRC 03:15
*** sapd1__ has joined #openstack-keystone 03:17
*** sapd1__ has quit IRC 03:22
*** sapd1_ has joined #openstack-keystone 03:22
*** markvoelker has joined #openstack-keystone 03:32
*** Dinesh_Bhor has quit IRC 03:56
*** markvoelker has quit IRC 04:06
*** xek has quit IRC 04:45
*** Dinesh_Bhor has joined #openstack-keystone 04:46
<vishakha> lbragstad: Thanks for the quick update for I will update a follow up patch in master and will then backport it to stable/rocky? 05:01
*** markvoelker has joined #openstack-keystone 05:02
*** markvoelker has quit IRC 05:36
*** Dinesh_Bhor has quit IRC 06:25
<openstackgerrit> Vishakha Agarwal proposed openstack/keystone master: [WIP] Implement scope_type checking for role_assignments
*** markvoelker has joined #openstack-keystone 06:33
<kmalloc> vishakha: no new functionality can be backported 06:35
<kmalloc> vishakha: so, no backporting in this case, rocky has shipped 06:35
<vishakha> kmalloc: Hi, Actually I just proposed backport for Trust CLI, as one of our Customer was interested to get this feature in Rocky, as they will migrate to stein later. So If we can backport these patches -
<vishakha> kmalloc: Getting this in Rocky will be a great help. 06:45
*** Dinesh_Bhor has joined #openstack-keystone 07:01
<openstackgerrit> Vishakha Agarwal proposed openstack/keystone master: Implement scope_type checking for role_assignments
*** markvoelker has quit IRC 07:05
*** Dinesh_Bhor has quit IRC 07:24
<kmalloc> unfortunately that isn't something that we backport 07:24
<openstackgerrit> Merged openstack/ldappool master: Add plumbing to support reno release notes
*** Dinesh_Bhor has joined #openstack-keystone 07:30
*** pcaruana|elisa| has joined #openstack-keystone 07:40
*** aojea has joined #openstack-keystone 07:41
*** pcaruana|elisa| has quit IRC 07:59
*** imacdonn has quit IRC 08:00
*** Dinesh_Bhor has quit IRC 08:02
*** markvoelker has joined #openstack-keystone 08:03
*** pcaruana has joined #openstack-keystone 08:05
*** aojea has quit IRC 08:11
*** markvoelker has quit IRC 08:36
*** aojea has joined #openstack-keystone 08:46
*** xek has joined #openstack-keystone 08:49
<openstackgerrit> Vishakha Agarwal proposed openstack/keystone master: Add abstract method in trusts
*** aojea has quit IRC 08:59
*** aojea has joined #openstack-keystone 09:00
*** Dinesh_Bhor has joined #openstack-keystone 09:05
<openstackgerrit> Vishakha Agarwal proposed openstack/keystone master: Add abstract method in trusts
*** aojea has quit IRC 09:13
<vishakha> lbragstad: I updated the patch for abstract method in TrustBaseDriver Pl review 09:13
*** wy has joined #openstack-keystone 09:19
*** masayukig[m] has joined #openstack-keystone 09:28
*** markvoelker has joined #openstack-keystone 09:33
<vishakha> kmalloc: thanks. I get your point 09:40
<kmalloc> sorry man 10:00
*** markvoelker has quit IRC 10:07
*** phuongnh has joined #openstack-keystone 10:14
<openstackgerrit> Taishi Roy proposed openstack/keystone master: changed port in argument '--bootstrap-admin-url'
<openstackgerrit> Shuayb Popoola proposed openstack/keystone master: use port 5000 and keystone-wsgi-public
*** jaosorior has quit IRC 10:23
*** wy has quit IRC 10:26
*** phuongnh has quit IRC 10:31
<openstackgerrit> Shuayb Popoola proposed openstack/keystone master: use port 5000, keystone-wsgi-public, and --http-socket
*** dave-mccowan has joined #openstack-keystone 10:46
*** Dinesh_Bhor has quit IRC 10:57
*** markvoelker has joined #openstack-keystone 11:04
*** pcaruana has quit IRC 11:05
*** xek_ has joined #openstack-keystone 11:22
*** xek has quit IRC 11:25
*** xek__ has joined #openstack-keystone 11:25
*** xek_ has quit IRC 11:27
*** jaosorior has joined #openstack-keystone 11:35
*** markvoelker has quit IRC 11:36
*** Nel1x has joined #openstack-keystone 11:40
*** pcaruana has joined #openstack-keystone 11:52
<openstackgerrit> Juan Antonio Osorio Robles proposed openstack/oslo.policy master: Pass in policy name as part of the oslopolicy-check check call
<openstackgerrit> Juan Antonio Osorio Robles proposed openstack/oslo.policy master: Add ability to pass in target data for the oslopolicy-checker
<openstackgerrit> Juan Antonio Osorio Robles proposed openstack/oslo.policy master: WIP: Create OPA check
*** raildo has joined #openstack-keystone 12:17
*** markvoelker has joined #openstack-keystone 12:31
*** Nel1x has quit IRC 12:37
*** imus has joined #openstack-keystone 12:46
*** jmlowe has quit IRC 12:47
*** zul has joined #openstack-keystone 12:56
*** zul has quit IRC 13:04
*** zul has joined #openstack-keystone 13:05
*** jmlowe has joined #openstack-keystone 13:07
*** mchlumsky has joined #openstack-keystone 13:12
*** belmoreira has joined #openstack-keystone 13:17
*** imus has quit IRC 13:20
*** imus has joined #openstack-keystone 13:20
<lbragstad> vishakha awesome - thanks 13:22
*** imus_ has joined #openstack-keystone 13:32
*** imus has quit IRC 13:35
*** mvkr has quit IRC 14:40
*** jmlowe has quit IRC 15:10
*** mvkr has joined #openstack-keystone 15:11
*** kukacz has quit IRC 15:12
*** itlinux has quit IRC 15:13
*** kukacz has joined #openstack-keystone 15:19
*** gyee has joined #openstack-keystone 15:33
<kmalloc> o/ ....... <Zzzzzzzzzzzzzzzzzz> oh uh, I swear I'm not asleep. 16:02
*** belmoreira has quit IRC 16:11
*** dnguyen has joined #openstack-keystone 16:13
*** itlinux has joined #openstack-keystone 16:13
*** imacdonn has joined #openstack-keystone 16:15
*** dnguyen has quit IRC 16:18
<lbragstad> i wonder if we have a bug in how we load backends 16:41
<lbragstad> or default configuration 16:41
<lbragstad> i wrote the bits for JWT, but for some reason keystone is trying to load it as the default token provider? 16:42
<lbragstad> as in, CONF.token.provider is 'jwt'... 16:42
<lbragstad> without using the fixture or specifying it 16:42
<openstackgerrit> Lance Bragstad proposed openstack/keystone master: Implement scaffolding for JWT provider
<lbragstad> outside of that ^ that works 16:43
*** nels has joined #openstack-keystone 16:54
*** nelsnelson has quit IRC 16:55
*** belmoreira has joined #openstack-keystone 17:02
*** belmoreira has quit IRC 17:19
*** belmoreira has joined #openstack-keystone 17:20
<openstackgerrit> Raildo Mascena proposed openstack/pycadf master: Enabling FIPS mode by using sha256 instead of md5
<kmalloc> lbragstad: i'd need to poke at it 17:45
<kmalloc> huh i could have sworn we already did that ^ the sha thing 17:46
<raildo> kmalloc, looks like we forgot to update the pycadf side 17:47
<kmalloc> raildo: doh 17:48
<lbragstad> you can recreate using tox locally without /etc/keystone/jwt-keys/ dir created 17:48
<kmalloc> we didn't have this issue with uuid 17:51
<kmalloc> so... weird. 17:51
<lbragstad> i'm going to decompose that review into bite-sized pieces a little later today 17:58
* lbragstad stepping away for about 30 minutes 18:00
<kmalloc> lbragstad: we messed up in adding description to roles 18:01
<kmalloc> lbragstad: we forgot to migrate the values from the json blob to the column 18:01
<kmalloc> iirc that means descriptions got eaten 18:02
<kmalloc> I think we messed up* 18:02
*** jpm__ has joined #openstack-keystone 18:09
<jpm__> good day all... i have been struggling through a mitaka to ocata upgrade for days 18:12
*** prometheanfire has joined #openstack-keystone 18:13
<jpm__> wondering if someone can point me in the right direction wrt this error "There is either no auth token in the request or the certificate issuer is not trusted. No auth context will be set" 18:13
<prometheanfire> lbragstad: you are probably busy, but you still have an open assigned task (unless you unassign yourself)!/story/2003792 18:13
<jpm__> seeing this in apache keystone log when running openstack commands against nova 18:14
<jpm__> followed the ubuntu 16.04 install docs but seem to be stuck. do I need to manually generate tokens and send them to the endpoint via curl? 18:16
<jpm__> any help would be much appreciated!! 18:17
<jpm__> using password authentication. error pasted here
<jpm__> openstack command error with debug here
*** jmlowe has joined #openstack-keystone 18:22
*** nels has quit IRC 18:33
<jpm__> can someone tell me what section of keystone.conf "service_token_roles" should go into? 18:34
*** nelsnelson has joined #openstack-keystone 18:35
<lbragstad> prometheanfire oh - i'm not sure i remember the context of that one 18:46
<prometheanfire> lbragstad: doc reasoning behind lower-constraints testing and why it's useful 18:47
<prometheanfire> lbragstad: you going to berlin? 18:47
*** mvkr has quit IRC 18:47
<lbragstad> prometheanfire yes 18:47
<lbragstad> jpm__ looks like an issue with nova client? 18:48
*** belmoreira has quit IRC 18:48
<prometheanfire> we could meet there 18:48
<lbragstad> prometheanfire ok 18:48
<lbragstad> jpm__ "There is either no auth token in the request or the certificate issuer is not trusted. No auth context will be set." 18:50
<lbragstad> ^ that isn't really an error - just unfortunate wording that makes it seem like it's an error 18:50
<lbragstad> that wording has since been removed 18:50
<jpm__> @lbragstad hi and thank you. I'll poke around in nova a bit more. 18:52
<lbragstad> jpm__ did go away regarding the AttributeError? 18:52
<jpm__> @lbragstad no it did not :( 18:53
*** itlinux has quit IRC 19:01
<jpm__> @lbragstad full error from apache keystone.log here
*** pcaruana has quit IRC 19:05
<kmalloc> lbragstad: we have a bug i think 19:06
<kmalloc> lbragstad: sending you a PM 19:06
<lbragstad> kmalloc does that trace ring any bells for you? 19:10
<lbragstad> i thought it looked familiar but i'm not pulling anything up 19:10
<kmalloc> i don't remember seeing that anywhere 19:10
<kmalloc> it looks like we're not populating the context dict 19:11
<kmalloc> which would be consistent with no token 19:11
<kmalloc> or no auth context 19:11
<kmalloc> somehow we got past the no context point and raised up an error because no context 19:12
<lbragstad> we're logging no auth context 19:12
<kmalloc> that does not sound familiar though (exception wise) 19:12
<jpm__> @lbragstad so based on this conversation should I assume I do not have tokens setup properly? 19:24
<lbragstad> jpm__ can you authenticate? 19:29
*** nels has joined #openstack-keystone 19:31
*** nelsnelson has quit IRC 19:32
*** belmoreira has joined #openstack-keystone 19:32
*** imus_ has quit IRC 19:39
*** imus_ has joined #openstack-keystone 19:39
*** itlinux has joined #openstack-keystone 19:39
<openstackgerrit> Nathan Kinder proposed openstack/ldappool master: Allow pool status to be printed as a table
<jpm__> @lbragstad based on this i believe so. this was an "openstack group list" command that completed successfully 19:49
<jpm__> @lbragstad there are errors in the log though 19:50
*** mvkr has joined #openstack-keystone 19:51
*** ayoung has joined #openstack-keystone 19:51
<jpm__> @lbragstad and whenever i run an openstack command i get "Discovering versions from the identity service failed when creating the password plugin. Attempting to determine version from URL. Failed to contact the endpoint at http://controller:35357/v3/ for discovery. Fallback to using that endpoint as the base url" 19:51
<ayoung> kmalloc, knikolla just got off a marathon call. We still want to talk today, or is it OK if we defer a bit? 19:51
<knikolla> deferring works for me 19:52
<kmalloc> ayoung: yeah can talk today or tomorrow 19:52
<ayoung> I need food 19:52
<kmalloc> I'll be in Berlin on ... Monday as well (early) 19:52
<kmalloc> so anything we don't cover next week, I can hit the ground and help finish up 19:53
<ayoung> kmalloc, ah...We'll schedule morning meetings then 19:53
<kmalloc> so, next week I'll have one day I'll be unavailable as well prior to my flight on Sunday the 11th out to Berlin 19:54
<kmalloc> i think it will be wednesday 19:54
<kmalloc> next week. 19:54
<ayoung> kmalloc lets shoot for a Monday session, then. I'll try to get the notes we have into a Slide preso format, with a reasonable theme, and we can take it from there. 19:54
<lbragstad> jpm__ are you specifying an auth url in your config or clouds.yaml? 19:57
<kmalloc> I'm going to try and catch up on sleep this weekend 19:57
*** ayoung has quit IRC 20:00
<jpm__> @lbragstad in the nova.conf as auth_url = http://controller:35357 20:05
*** belmoreira has quit IRC 20:12
*** itlinux has quit IRC 20:14
*** itlinux has joined #openstack-keystone 20:15
<jpm__> @lbragstad based on what you have seen what else should i investigate as a root cause? 20:32
*** dave-mccowan has quit IRC 20:32
*** belmoreira has joined #openstack-keystone 20:35
*** belmoreira has quit IRC 20:35
<lbragstad> jpm__ were you able to get past the hypervisor key issue? 20:35
<jpm__> @lbragstad no. most openstack commands fail with AttributeError: context_dict 20:40
<jpm__> @lbragstad actually all openstack commands show this error but some commands do complete. 20:43
<lbragstad> what release are you seeing that with? ocata? 20:45
<jpm__> @lbragstad yes 20:46
<lbragstad> are you using an older openstack client? 20:47
<lbragstad> or have you upgraded that already? 20:47
<gyee> kmalloc, lbragstad, stupid question, how do I log stuff here?
<jpm__> @lbragstad already upgraded to 3.8.1 20:51
<gyee> I am trying to chase down a test failure where user is unable to do 'openstack trust show <id>' 20:51
<kmalloc> gyee: what are you trying to extract log wise? 20:52
<lbragstad> gyee doesn't look like that module has any logging 20:52
<kmalloc> gyee: you can just from oslo_log import log 20:52
<lbragstad> and init a logger 20:52
<kmalloc> and setup logging (temp) just like anywhere else 20:52
<kmalloc> then call LOG.xxxx 20:52
<lbragstad> LOG = log.getLogger(__name__) or something like that 20:52
<kmalloc> inherently there is no extra logging in the api files unless needed. 20:52
<gyee> I could, just wondering why that one have no logs 20:53
<kmalloc> because there is nothing to log 20:53
<kmalloc> logging happens above/below 20:53
<kmalloc> but there is nothing to log in the api calls themselves 20:53
<gyee> We ran into this problem where user can list trusts, but can do show trust 20:54
<kmalloc> failures/etc are simple e.g. ValidationError, Unauthorized etc 20:54
<kmalloc> gyee: hah, ask ayoung about that. there is an open bug. 20:54
<gyee> can't do 'openstack trust show <id>' 20:54
<gyee> it returns 200 with an empty list, which is weird 20:54
<openstack> Launchpad bug 1791973 in OpenStack Identity (keystone) "User cannot list their own trusts" [Medium,Triaged] 20:54
<kmalloc> there is that one 20:54
<gyee> this is 'trust show <id>' 20:55
<gyee> list works fine 20:55
<kmalloc> *shrug* might be enforcement 20:55
<kmalloc> might be something wrong in OSC 20:55
<gyee> no, otherwise, I would've expected a 403 or something 20:55
<gyee> anyway, let me import oslo_log and poke around 20:56
<kmalloc> look at the bits here:
<kmalloc> and the normalization 20:56
<kmalloc> but... show trust shouldn't be a list 20:57
<gyee> with debug enable I can see openstack CLI is sending something like "/v3/OS-TRUST/trusts?name=9f461863683f409ead3189a5f0d6aec3" 20:58
<gyee> how does flask map the "name" parameter to "trust_id"? 20:58
<kmalloc> that is a list with a filter by name 21:02
<kmalloc> that is not a trust_id 21:02
<kmalloc> so you're not calling OS-TRUSTS/trusts/<string:trust_id> 21:02
<kmalloc> you're calling OS-TRUSTS/trusts and filtering the results by name 21:02
<kmalloc> sounds to me like that is broken behavior in OSC 21:02
<gyee> that's what openstack appear to be sending with "openstack trust show <id>" 21:02
<kmalloc> do trusts even have... names? 21:02
<gyee> nope :-) 21:03
<gyee> maybe OCLI is broken broken 21:03
<kmalloc> yeah, that is broken 21:03
<kmalloc> not keystone, OSC or KSC issue 21:03
*** raildo has quit IRC 21:25
<gyee> kmalloc, turns out it was our custom policy problem :-) 21:25
*** xek__ has quit IRC 21:36
<kmalloc> gyee: .... didn't i say policy/enforcement off the bat? 21:37
<openstackgerrit> Merged openstack/pycadf master: Enabling FIPS mode by using sha256 instead of md5
<gyee> kmalloc, we make identity:get_trust unnecessarily restricted, I am going to change that 21:51
<kmalloc> gyee: on your end you mean, in your policy file? 21:56
<kmalloc> hehe, not surprising 21:56
* kmalloc might have a REALLY good idea of how everything in keystone works atm due to flask rework 21:56
<gyee> kmalloc, yes, at my end 22:01
<mordred> kmalloc, gyee: see. policy files are the worst idea in the history of mankind 22:02
<kmalloc> mordred: i just rm -rf'd oslo.policy 22:04
<kmalloc> mordred: i feel better now 22:04
<mordred> kmalloc: +100 22:04
<kmalloc> mordred: i really want custom policy to die. 22:04
<kmalloc> or at least "custom policy" in a terrible json DSL 22:04
<mordred> it's really the only thing I want in life 22:05
<mordred> the api is the api 22:05
<mordred> and it should be the api 22:05
<kmalloc> i totally get that you might want custom role names / grant/revoke access to some apis 22:06
<kmalloc> like sub-admin 22:06
<kmalloc> but that stuff should be very very straightforward 22:06
<kmalloc> and defaults should be rich enough to do everything most people need. 22:06
<kmalloc> very specifically ADMIN stuff should be what we split up with anything custom not general use-cases 22:06
<kmalloc> and even then... 22:06
<kmalloc> maybe not 22:06
<gyee> we do have some custom roles and adminness to compensate for the lack of admin segregation support in upstream awhile back 22:08
<gyee> anyway, time to consolidate 22:09
*** threestrands has joined #openstack-keystone 22:17
<openstackgerrit> Nathan Kinder proposed openstack/ldappool master: Allow pool status to be printed as a table
*** erus has joined #openstack-keystone 22:55
<openstackgerrit> Morgan Fainberg proposed openstack/keystonemiddleware master: Fix revocation list/PKI[z] removal nits.
*** mvkr has quit IRC 23:22
*** mvkr has joined #openstack-keystone 23:23
*** gyee has quit IRC 23:58
