Friday, 2018-11-02

[00:48] *** phuongnh has joined #openstack-keystone
[01:32] *** phuongnh has quit IRC
[01:51] *** Dinesh_Bhor has joined #openstack-keystone
<openstackgerrit> wangxiyuan proposed openstack/oslo.policy master: Add policy-upgrade tool
<openstackgerrit> wangxiyuan proposed openstack/oslo.policy master: Add policy-upgrade tool
[02:03] *** Dinesh_Bhor has quit IRC
[02:20] *** sapd1_ has quit IRC
[02:30] *** Dinesh_Bhor has joined #openstack-keystone
<openstackgerrit> Merged openstack/oslo.policy master: Unit test for CLI
[03:19] *** prometheanfire has left #openstack-keystone
[03:24] *** sapd1 has joined #openstack-keystone
[03:41] *** erus has quit IRC
[04:08] *** david-lyle has joined #openstack-keystone
[04:09] *** itlinux has quit IRC
[04:09] *** dklyle has quit IRC
[04:20] *** erus has joined #openstack-keystone
<openstackgerrit> Arica Chakraborty proposed openstack/keystone master: changed the port numbers
[04:53] *** jpm__ has quit IRC
[05:37] *** nels has quit IRC
[05:40] *** nelsnelson has joined #openstack-keystone
[05:40] *** threestrands has quit IRC
[05:45] *** Ebukha has joined #openstack-keystone
[06:09] *** Ebukha has quit IRC
[06:15] *** Dinesh_Bhor has quit IRC
<openstackgerrit> Arica Chakraborty proposed openstack/keystone master: Changed the port numbers. No more separate ports.
[07:20] *** pcaruana has joined #openstack-keystone
[07:21] *** Dinesh_Bhor has joined #openstack-keystone
<openstackgerrit> wangxiyuan proposed openstack/oslo.policy master: Add policy-upgrade tool
[08:53] *** Dinesh_Bhor has quit IRC
[09:08] *** xek__ has joined #openstack-keystone
[09:21] *** wangy has joined #openstack-keystone
[09:30] <wxy-xiyuan> ping vishakha
[09:30] <wxy-xiyuan> for, any process?
[09:31] *** Dinesh_Bhor has joined #openstack-keystone
[09:35] <wxy-xiyuan> vishakha: added my thought in the patch.
[09:35] <wxy-xiyuan> cc cmurphy lbragstad
<wxy-xiyuan> BTW, I'd like to get your thoughts about
[09:36] <openstack> Launchpad bug 1801309 in OpenStack Identity (keystone) "Support configurable saml assertion property" [Undecided,New] - Assigned to wangxiyuan (wangxiyuan)
[09:36] <wxy-xiyuan> kmalloc: ^
[09:38] *** wangy has quit IRC
[09:40] <cmurphy> wxy-xiyuan: i don't think we should support exposing the user's extra column, and there aren't any other user attributes that we can expose besides group
[09:40] <cmurphy> role description is not a property of a user
[09:44] <wxy-xiyuan> cmurphy: the example may be unsuitable. I just want to point out a case where the SP may need more info.
[09:46] <wxy-xiyuan> not sure whether the community accepts this kind of usage or not.
<openstackgerrit> Arica Chakraborty proposed openstack/keystone master: Changed the port numbers
[10:41] *** Dinesh_Bhor has quit IRC
[10:43] *** wy has joined #openstack-keystone
[11:30] *** dave-mccowan has joined #openstack-keystone
[11:45] *** raildo has joined #openstack-keystone
[11:51] *** erus has quit IRC
<openstackgerrit> Merged openstack/keystone master: changed port in argument '--bootstrap-admin-url'
[12:06] *** zul has quit IRC
<openstackgerrit> Juan Antonio Osorio Robles proposed openstack/oslo.policy master: Add ability to pass in target data for the oslopolicy-checker
<openstackgerrit> Juan Antonio Osorio Robles proposed openstack/oslo.policy master: WIP: Create OPA check
<openstackgerrit> Juan Antonio Osorio Robles proposed openstack/oslo.policy master: WIP: Create OPA check
[12:36] *** zul has joined #openstack-keystone
[12:53] *** raildo has quit IRC
[12:54] *** raildo has joined #openstack-keystone
[13:05] *** jmlowe has quit IRC
[13:08] *** jmlowe has joined #openstack-keystone
<openstackgerrit> Juan Antonio Osorio Robles proposed openstack/oslo.policy master: WIP: Add test case for overriding both old and deprecated policy names
<openstackgerrit> Merged openstack/ldappool master: Handle retry logic for timeouts with multiple LDAP servers
[13:36] *** mchlumsky has quit IRC
[13:37] *** mchlumsky has joined #openstack-keystone
<openstackgerrit> Merged openstack/keystone-specs master: fix wrong spelling of "configuration"
<openstackgerrit> Colleen Murphy proposed openstack/ldappool master: Add release notes jobs
[13:47] *** izake has joined #openstack-keystone
[13:47] <izake> Hi all
[13:48] <izake> we are currently using openstack with LDAP backend on domains and users for authentication
[13:48] <izake> we can create domains and projects
[13:48] <izake> and users can authenticate against the LDAP back-end server
[13:48] <kmalloc> Please do not expose the extra column in new places wxy-xiyuan
[13:49] <izake> but when we try to delete the domain by revoking the users from the domain and removing the LDAP domain configuration
[13:49] <izake> we get a 500 internal server error
[13:49] <izake> it seems like keystone is creating a local mapping of remote LDAP users in the user table
[13:50] <izake> which causes the domain deletion to break as the local user is still linked on the keystone db
[13:50] <izake> any advice on how keystone will not map remote users from LDAP to a domain in the user table
[13:54] <cmurphy> izake: what version of keystone? we fixed that i believe
[13:59] *** nels has joined #openstack-keystone
[13:59] <izake> @cmurphy, is there a quick way to get the version of keystone? we are running Pike in development and Queens in staging
[14:00] <izake> We are just the developers on the platform so not so familiar with the openstack side
[14:00] *** nelsnelson has quit IRC
[14:01] <izake> we are using V3 of openstack keystone
[14:01] <izake> we are using V3 of openstack keystone API
[14:03] <cmurphy> izake: not really an easy way to see the release, you can curl the /v3 endpoint and see what the minor version of the 3.X API is and that will give a hint about what version is on the server
[14:04] <cmurphy> izake: I think you're hitting which we fixed in ocata it looks like
[14:04] <openstack> Launchpad bug 1718747 in OpenStack Identity (keystone) pike "Unable to delete domain with users in it" [High,Fix committed] - Assigned to Colleen Murphy (krinkle)
<openstackgerrit> Merged openstack/oslo.policy master: Pass in policy name as part of the oslopolicy-check check call
<openstackgerrit> Colleen Murphy proposed openstack/keystone master: Implement auth receipts spec
[14:09] <izake> @cmurphy "id": "v3.8"
[14:10] <izake> yes, I have also found that bug report
[14:10] <izake> but like you mentioned it has been implemented, but we are still experiencing this issue
[14:11] <cmurphy> izake: can you file a new bug report? and can you attach the traceback from the logs or get your operator to attach the logs?
[14:13] *** dansmith is now known as SteelyDan
[14:13] *** nels has quit IRC
[14:14] <izake> @cmurphy, yeah we can do
[14:16] *** nelsnelson has joined #openstack-keystone
<openstackgerrit> Colleen Murphy proposed openstack/ldappool master: Add release notes jobs
[14:23] *** nels has joined #openstack-keystone
[14:23] *** nelsnelson has quit IRC
[14:27] *** izake has quit IRC
[14:29] *** nels has quit IRC
[14:30] *** nelsnelson has joined #openstack-keystone
[14:33] *** nelsnelson has quit IRC
[14:35] *** nelsnelson has joined #openstack-keystone
[14:38] *** nels has joined #openstack-keystone
[14:39] *** nelsnelson has quit IRC
[14:49] <kmalloc> cmurphy: yay release notes!
<openstackgerrit> Merged openstack/keystoneauth master: fix wrong spelling of "unnecessary"
[15:05] *** xek has joined #openstack-keystone
[15:06] *** xek__ has quit IRC
[15:10] <johnthetubaguy> lbragstad: I think jaypipes is working on things too, but finally got a chance to sort out some unified quota stuff nova side
[15:11] <lbragstad> johnthetubaguy awesome!
[15:11] <lbragstad> that's good news
[15:11] <johnthetubaguy> so I added TODOs where I want to call oslo limit, and the counting function I want to pass into oslo_limit
[15:12] <johnthetubaguy> finally got this stuff out of my head onto paper, to see if it's horrid or simple
[15:12] <lbragstad> i was just looking at those
<lbragstad> wxy-xiyuan was waiting to get some things merged into openstack-sdk before we could continue merging
[15:13] <lbragstad> and it looks like that happened, so we should be picking those up again soon
<lbragstad> we were waiting to get some feedback from someone on the nova side about
[15:14] <johnthetubaguy> I was just looking at that, realized I don't have enough context to tell if it's what I want or not
[15:14] <johnthetubaguy> need to do a bit more reading on what is there already, didn't see example usage in the published docs yet
[15:14] <wxy-xiyuan> lbragstad: It has been done. I refreshed the oslo.limit patch already
[15:15] <lbragstad> wxy-xiyuan awesome - i'll make a note to review those today then
[15:15] <lbragstad> wxy-xiyuan thanks!
[15:16] <lbragstad> johnthetubaguy I don't think we have docs for usage yet, only because the code for enforcement hasn't landed yet
[15:16] <johnthetubaguy> yeah, that makes sense
<lbragstad> i'm sure you've already seen it - but
[15:17] *** wy has quit IRC
[15:17] <wxy-xiyuan> kmalloc: cmurphy: about saml assertion, I'll add more content next week. thanks for the response.
[15:18] <lbragstad> the way we're doing things currently is having Claims be an object that you pass to the enforcer
<openstackgerrit> Merged openstack/keystone master: Remove compatibility shim
<lbragstad> johnthetubaguy these were the examples we were working through at the PTG -
[15:19] <johnthetubaguy> ah, so I see the point of the patch now, a project claim represents multiple resources, got it
[15:20] <johnthetubaguy> just been looking through enforcer
[15:20] <lbragstad> it can, yes...
[15:20] <lbragstad> the idea was services would build a "claim" and then pass that to the enforcer
[15:20] <lbragstad> and the claim would contain information about what is being claimed, obviously... but it would associate to the unified limit information in keystone
[15:21] <johnthetubaguy> FWIW, I just worked out the context manager thing is much less of a big deal than I first thought, and sorry about that...
[15:22] <lbragstad> less of a big deal?
[15:22] <johnthetubaguy> essentially, where we need that pattern in nova is for limits we don't expect to move into Keystone
[15:22] <lbragstad> oh - things that have quota but don't actually protect a physical resource?
[15:22] <lbragstad> like keypairs?
[15:23] <johnthetubaguy> yes, although...
[15:23] <johnthetubaguy> it's more like things where you can't sensibly tell anyone how much a project is using currently
[15:24] <johnthetubaguy> ... like the number of metadata items a server has
[15:24] <johnthetubaguy> it's really a rate limit / db protection thing
[15:24] *** wy has joined #openstack-keystone
[15:24] <lbragstad> right - yeah that's ringing a bell
[15:24] <wy> Hi all
[15:24] <johnthetubaguy> we have two types of those it turns out, but that's not really interesting here
<wy> I am configuring keystone for federation in pike according to this web(
<openstackgerrit> Colleen Murphy proposed openstack/ldappool master: Add release notes jobs
[15:25] *** dave-mccowan has quit IRC
[15:25] <wy> I met a problem
[15:25] <wy> I used Shibboleth and made a k2k federation.
<wy> I followed the last step
[15:25] <lbragstad> johnthetubaguy and those are going to stay configuration options in nova, right?
[15:25] <wy> Then I got the token. But when I used the token to obtain a new token, the response returned 401.
[15:25] <wy> What's the problem? Please help me
[15:26] *** dave-mccowan has joined #openstack-keystone
[15:26] *** gyee has joined #openstack-keystone
[15:27] <wy> Can someone help me, thanks
[15:28] <johnthetubaguy> lbragstad: yes, +1
<johnthetubaguy> lbragstad: added a comment here to try to link all the patches together:
[15:29] <wy> Oh, sorry, it's not 401. it was 404 (Could not find token)
<openstackgerrit> Merged openstack/keystone master: Fix spelling 'unnecessary'
[15:31] <lbragstad> johnthetubaguy count_dynamic_limits has a limits param, are those the same as claims?
[15:38] <johnthetubaguy> lbragstad: should really say resource_name
[15:38] <johnthetubaguy> or rather resource_names
[15:42] *** wy has quit IRC
[15:43] <lbragstad> johnthetubaguy i'm going to review the oslo.limit patches and refresh myself on those, then I'll see if i can figure out how they map to the patch you have for nova
[15:44] <johnthetubaguy> lbragstad: thanks
[15:44] <lbragstad> thanks for the ping :)
[15:48] *** xek_ has joined #openstack-keystone
[15:51] *** xek has quit IRC
[15:58] *** jaosorior has quit IRC
[15:59] *** wnagy has joined #openstack-keystone
[16:00] *** bnemec is now known as beekneemech
[16:09] *** wnagy has quit IRC
[16:15] *** imacdonn has quit IRC
[16:15] *** imacdonn has joined #openstack-keystone
<johnthetubaguy> lbragstad: I think this would link the two parts together, but I am not sure:
[16:17] <johnthetubaguy> lbragstad: the previous commit is more important I think
[16:17] *** pcaruana has quit IRC
[16:17] <johnthetubaguy> that's the bit
[16:18] <lbragstad> cool - maybe we can work that into wxy-xiyuan's patch?
[16:18] <johnthetubaguy> sure thing
[16:18] <kmalloc> lbragstad: the more i think about it the more i want to rip KSM out of keystone server again
[16:18] <kmalloc> i am not in love with the auth extraction bits
[16:19] <kmalloc> it really feels like we went through a ton of hoops to wedge it in because keystone has a faster path to the data
[16:19] <kmalloc> and it does feel very wedged in
<openstackgerrit> Morgan Fainberg proposed openstack/keystonemiddleware master: Fix revocation list/PKI[z] removal nits.
[16:31] <kmalloc> lbragstad: ^ the previous review was just broken
[16:31] <kmalloc> this is fixed
[16:31] <kmalloc> and i don't know why, something i did wrong i'm sure.
[16:31] <lbragstad> ack - will do
[16:31] <kmalloc> and the other keystone/ksm fixes should be ready to land
[16:39] <johnthetubaguy> lbragstad: the more I wire up the interface, the less I like it, will let you know what comes together...
[16:39] <johnthetubaguy> lbragstad: apologies, I should have done this months ago!
[16:40] <lbragstad> no worries - we haven't released oslo.limit yet and it's not close to 1.0 yet, so we can be flexible
[16:40] <lbragstad> if there are larger concerns with the keystone specific API for limits, we can be flexible there, too
<openstackgerrit> Shuayb Popoola proposed openstack/keystone master: use port 5000 and keystone-wsgi-public
[16:43] <johnthetubaguy> lbragstad: it's just oslo_limits at this point, it's only a tweak I think, just trying to type out my thoughts now
[16:45] <kmalloc> adriant, cmurphy: +2/+A on auth receipts, still lots of comments but nothing that needs to be done in that review
[16:45] <kmalloc> all can be done as followup
<openstackgerrit> Nathan Kinder proposed openstack/ldappool master: Allow pool status to be printed as a table
[16:53] *** zul has quit IRC
[16:55] <lbragstad> johnthetubaguy sounds good
<openstackgerrit> Arica Chakraborty proposed openstack/keystone master: Changed the port numbers
[17:28] *** nkinder has joined #openstack-keystone
[17:30] <nkinder> kmalloc, cmurphy: would you like me to change the output for that ldappool __str__() patch?
[17:30] <nkinder> I have a modified version that doesn't use PrettyTable (but would allow the caller to easily parse it for a nicely formatted output)
<nkinder> kmalloc, cmurphy: This is what the modified patch does -
[17:38] <kmalloc> nkinder: i don't mind prettytable really
[17:38] <kmalloc> nkinder: it's just not my preference
[17:38] <kmalloc> note the +2, i'm fine with it as is
[17:42] <kmalloc> nkinder: i think the only case(s) where we'd be doing printing (where __str__ is useful) is where it's being debugged
[17:43] <kmalloc> so pretty table makes sense in that regard.
[17:53] <nkinder> kmalloc, What I have in mind is allowing a way to have keystone log the table on an interval for debugging
[17:53] <nkinder> kmalloc, we run into scenarios where we are trying to troubleshoot issues for prod systems, and we can't access the environment or run a debugger session there
[17:54] <nkinder> having a way to see the connection pool state over time would be really valuable
[17:55] <nkinder> kmalloc, for example, I have heard reports of keystone claiming it can't connect to the LDAP server, yet ldapsearch on the same system works using the same settings that keystone uses
[17:56] <nkinder> ^^^ that is with pooling enabled. Seeing the state of the connections in the pool would help figure out what is going on.
[17:58] *** itlinux has joined #openstack-keystone
[18:06] *** itlinux has quit IRC
<johnthetubaguy> lbragstad: so I think something like this could work:
<johnthetubaguy> lbragstad: attempted to show how it could get wired up into nova:
[18:09] -openstackstatus- NOTICE: OpenStack infra's mirror nodes stopped accepting connections on ports 8080, 8081, and 8082. We will notify when this is fixed and jobs can be rechecked if they failed to communicate with a mirror on these ports.
[18:10] <lbragstad> johnthetubaguy oh - sure
[18:10] <lbragstad> that's an option
[18:10] *** blake has joined #openstack-keystone
[18:27] *** pcaruana has joined #openstack-keystone
<openstackgerrit> Merged openstack/keystone master: Implement auth receipts spec
[18:41] *** zul has joined #openstack-keystone
[18:54] -openstackstatus- NOTICE: The firewall situation with ports 8080, 8081, and 8082 on mirror nodes has been resolved. You can recheck jobs that have failed to communicate to the mirrors on those ports now.
[19:07] *** chudler has joined #openstack-keystone
[19:08] *** pcaruana has quit IRC
[19:35] *** nels has quit IRC
[19:35] *** jistr has quit IRC
[19:37] *** jistr has joined #openstack-keystone
[19:37] *** nelsnelson has joined #openstack-keystone
[20:09] <chudler> I just installed keystone (Rocky) for the first time and use the ldap driver. I am able to authenticate, but I don't understand how Roles/Assignments work.
[20:10] <chudler> I bootstrapped with an admin user and sql driver. Can I reach admin status with my ldap user? I don't intend to use the ldap driver for anything except users and groups.
[20:13] <chudler> I have many questions that I cannot find answered in docs.. for instance, how is userPassword used? does it really not BIND?
[20:26] <lbragstad> chudler you can assignment role to users regardless of them being in LDAP or SQL
[20:27] <lbragstad> assign roles*
[20:27] *** blake has quit IRC
[20:28] <chudler> I think I will create a User domain first, to house these end-users. I am realizing that I don't want all of the identities in a corporate directory server..
[20:29] <lbragstad> you can back different domains to different LDAP servers
[20:29] <lbragstad> by default the "default" domain is backed to SQL
[20:29] <chudler> thanks. I will use sql for services and ldap for humans. I have too many conceptual gaps to bother this Good Channel with ;-)
[20:30] <lbragstad> do you have specific questions about roles or assignments that we can help you with now?
[20:30] <lbragstad> are you curious about them conceptually? or do you have more specific concerns?
[20:36] <chudler> I use posix groups in ldap with memberUid. keystone uses user_id_attribute when querying, e.g., "(&(memberUid=1001)(objectClass=posixGroup)(gidNumber=*))", but that will never match because the value is the user's id.
[20:38] <chudler> so, to make that work, I change user_id_attribute = uid, user_name_attribute = uidNumber(?), but now I am concerned about an ldap uid that may match names that are used internally (services? "admin"?).
[20:39] <chudler> just now I meant to say the value is the user's rdn (uid in our environment)
[20:40] <lbragstad> you should be able to build specific queries depending on the user structure you have in ldap
[20:43] <chudler> I think group_filter is what you refer to. I have not understood it from the docs yet
[20:43] *** imus_ has quit IRC
[20:48] <lbragstad> this ?
[20:48] <chudler> "The LDAP search filter to use for groups." and it has no default. This is literally all that is offered there.
[20:50] <chudler> in the meantime, I experimented with group_members_are_ids = false and it does use the full DN. I believe now that is the limit of what is offered. It is not how that attribute is populated, historically
<lbragstad> there also isn't a default for
<chudler> sorry, we've just been discussing an old issue:
[20:52] <openstack> Launchpad bug 1526462 in OpenStack Identity (keystone) "duplicate for #1489105 Need support for OpenDirectory in LDAP driver" [Medium,Fix released] - Assigned to Andrey Grebennikov (agrebennikov)
[20:52] <chudler> I didn't know
[20:52] *** imus has joined #openstack-keystone
[20:52] <lbragstad> but that's probably because it's highly dependent on how users and groups are set up in ldap
[20:58] <chudler> supposing that I am successful in mapping uid to id and uid also to name, and I have a sql backed domain for service and admin users, shall I be concerned about id and name being identical but not in the same domain? Is it a security problem?
[20:58] <chudler> I have an LDAP user uid=nova that is a real human being.
[21:00] <lbragstad> i don't think that should be an issue... keystone namespaces groups and users to domains
[21:00] <lbragstad> so - nova within the "default" domain is different from nova in the "users" domain.
[21:00] <lbragstad> keystone does the same thing with projects, which are namespaced to their containing domains
[21:02] <chudler> thanks. I am sure I read that somewhere but I am a newb with it
[21:02] <lbragstad> no worries
[21:08] <chudler> I am unsure if I will have api v2 clients and I am also unsure if others *always* specify the domain. In the case that they don't, I will put service accounts in the default domain and leave it named "default".
[21:08] <lbragstad> well - the rocky release doesn't support the v2.0 API anymore
[21:08] <lbragstad> that was actually removed in queens
<openstackgerrit> Lance Bragstad proposed openstack/keystone master: Add test fixture for JWT key repository
<openstackgerrit> Lance Bragstad proposed openstack/keystone master: Add PyJWT as a requirement
<openstackgerrit> Lance Bragstad proposed openstack/keystone master: Implement JSON Web Token provider
<openstackgerrit> Lance Bragstad proposed openstack/keystone master: Refactor directory creation into a common place
<openstackgerrit> Lance Bragstad proposed openstack/keystone master: Add keystone-manage jwt_setup functionality
[21:09] <chudler> nice to know. I have almost no knowledge of openstack and it's rude of me to be here, but I have read several books worth of material on it so far...
[21:10] <lbragstad> not a problem
[21:19] *** raildo has quit IRC
[21:33] <chudler> it's working! amusing and excellent
[21:35] *** dave-mccowan has quit IRC
[21:38] *** imus has quit IRC
[21:39] *** imus has joined #openstack-keystone
<openstackgerrit> Lance Bragstad proposed openstack/oslo.policy master: Make upgrades more robust with policy overrides
[21:51] *** erus has joined #openstack-keystone
[21:53] <erus> I'm trying to install devstack but having troubles :P is anybody there?
[22:00] *** erus has quit IRC
[22:03] <lbragstad> kmalloc re: oslo.limit context manager bits, would be good to get your eyes on whenever you're available
[22:25] <kmalloc> lbragstad: commented
<openstackgerrit> Shuayb Popoola proposed openstack/keystone master: use port 5000 and keystone-wsgi-public
<openstackgerrit> Shuayb Popoola proposed openstack/keystone master: use port 5000, keystone-wsgi-public and --http-socket. The change in port and wsgi application is due to v2 API removal. Also, uwsgi needs a flag for its command line, hence --http-socket
[23:01] <lbragstad> sweet - thanks
<openstackgerrit> Irina Anyusheva proposed openstack/keystone master: Closes-bug: #1779889
[23:04] <openstack> bug 1779889 in OpenStack Identity (keystone) "Lack of documentation for validating expired tokens with service users" [Medium,In progress] - Assigned to Irina Anyusheva (anyushevai)
<openstackgerrit> Shuayb Popoola proposed openstack/keystone master: use port 5000, keystone-wsgi-public and --http-socket. Change in port and wsgi app are due to v2 API removal. Also, uwsgi needs a flag for its command line: --http-socket
[23:41] *** markvoelker has quit IRC
[23:41] *** markvoelker has joined #openstack-keystone
[23:46] *** markvoelker has quit IRC
[23:48] *** gyee has quit IRC
[23:50] *** mchlumsky has quit IRC
[23:51] *** mchlumsky has joined #openstack-keystone
