Monday, 2018-11-12

*** aojea has quit IRC 00:39
*** irclogbot_1 has quit IRC 00:55
openstackgerrit: Merged openstack/keystone master: Update api-ref for set registered limits.  https://review.openstack.org/616755 01:58
*** cburgess has quit IRC 02:22
*** trident has quit IRC 02:25
*** cburgess has joined #openstack-keystone 02:26
*** trident has joined #openstack-keystone 02:30
openstackgerrit: wangxiyuan proposed openstack/keystone master: Remove "crypt_strength" option  https://review.openstack.org/613218 02:38
openstackgerrit: wangxiyuan proposed openstack/keystone master: Drop the compatibility password column  https://review.openstack.org/613513 02:38
openstackgerrit: wangxiyuan proposed openstack/keystone master: Bump sqlalchemy minimum version to 1.1.0  https://review.openstack.org/613830 02:52
*** edmondsw has quit IRC 02:56
*** lamt has joined #openstack-keystone 03:02
*** jmlowe has quit IRC 05:41
*** sheel has joined #openstack-keystone 06:15
openstackgerrit: wangxiyuan proposed openstack/keystone master: Bump sqlalchemy minimum version to 1.1.0  https://review.openstack.org/613830 06:54
*** hoonetorg has quit IRC 07:03
openstackgerrit: lei zhang proposed openstack/keystone master: Fix the dead URL  https://review.openstack.org/615760 07:13
openstackgerrit: lei zhang proposed openstack/keystone master: Fix the dead URL  https://review.openstack.org/615760 07:20
*** hoonetorg has joined #openstack-keystone 07:20
*** errr has quit IRC 07:21
*** errr has joined #openstack-keystone 07:23
vishakha: cmurphy: Hi. I had one query regarding K2K federation.  The token I issued from IDP, I can directly go to SP and use? or I have to issue another token by passing the saml response? 08:02
*** amoralej|off is now known as amoralej 08:06
cmurphy: vishakha: you can't directly use the token from the idp on the sp, you have to go through the saml auth process with it 08:06
vishakha: cmurphy, Ok thanks 08:08
*** lbragstad has joined #openstack-keystone 08:18
*** ChanServ sets mode: +o lbragstad 08:18
vishakha: cmurphy: I issue the token by passing --os-service-provider, --remote-project-name  and domain. After that what I have to do, I am not able to find that in document 08:22
cmurphy: vishakha: that should get you a token from the SP so you should be able to use that on the SP 08:26
*** Dinesh_Bhor has joined #openstack-keystone 08:29
vishakha: cmurphy: Sorry, but I am still confused. I want to test my k2k. I issued a token from IDP by passing the parameters os-service-provider, --remote-project-name and then I used that token on my SP in my curl request 08:32
*** sapd1_ has quit IRC 08:35
*** sapd1 has joined #openstack-keystone 08:36
*** hoonetorg has quit IRC 08:38
*** pcaruana has quit IRC 08:39
cmurphy: vishakha: sorry, it's confusing :) when you do that command it's actually getting two tokens, first one from the idp and one from the sp, the one it prints out is the one from the SP and that's the one you can use on the SP 08:44
vishakha: cmurphy: ok now I got it. So I am doing it right. Thanks a lot 08:46
cmurphy: yep :) 08:46
*** Dinesh_Bhor has quit IRC 09:07
*** Emine has joined #openstack-keystone 09:46
*** Dinesh_Bhor has joined #openstack-keystone 09:56
*** shrasool has joined #openstack-keystone 10:05
csatari: We are working on adding a Shibboleth to the testing environment of Keystone. One option is to use a Dockerized IdP, which makes the installation and the configuration of the IdP easier. I started to use this one: https://github.com/Unicon/shibboleth-idp-dockerized . When the container is started in "config mode" it asks some questions which I find difficult to answer. 10:09
csatari: Hostname, Attribute Scope, SAML EntityID, Backchannel PKCS12 Password and Cookie Encryption Key Password 10:09
*** Emine has quit IRC 10:10
csatari: I also needed to generate a Browser-based TLS Certificate and a Key 10:10
csatari: So, the question is how to configure the parameters of Shibboleth IdP to match with the config of Keystone? 10:10
*** xek has quit IRC 10:27
*** xek has joined #openstack-keystone 10:27
*** Dinesh_Bhor has quit IRC 10:36
*** Dinesh_Bhor has joined #openstack-keystone 10:43
*** Dinesh_Bhor has quit IRC 11:07
*** lbragstad has quit IRC 11:09
*** raildo has joined #openstack-keystone 11:33
*** lbragstad has joined #openstack-keystone 12:07
*** ChanServ sets mode: +o lbragstad 12:07
*** shrasool has quit IRC 12:16
csatari: Another problem on another level that I discovered. I configured the IdP with almost random parameters, I've changed tempest.conf's parameters to point to the IdP running on my localhost and I ran test_request_unscoped_token. What I get is a " requests.exceptions.SSLError: HTTPSConnectionPool(host='localhost', port=4443): Max retries exceeded with url: /idp/profile/SAML2/SOAP/ECP (Caused by SSLError(SSLError("bad 12:17
csatari: handshake: Error([('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')],)",),))". Does anyone have any idea what can be the reason for this? 12:17
*** shrasool has joined #openstack-keystone 12:18
*** Dinesh_Bhor has joined #openstack-keystone 12:19
cmurphy: csatari: your docker container probably uses the hostname parameter to configure the ssl certificates, it needs to exactly match the hostname you use to connect to the idp and you need to add the certificate to your trusted certificate store if it's a self-signed certificate 12:28
cmurphy: csatari: you can use openssl s_client to try connecting to the service to understand why it's not valid 12:29
cmurphy: csatari: i have a seat open next to me if you want to talk about it 12:30
*** Dinesh_Bhor has quit IRC 12:31
csatari: cmurphy: Thanks for the hints. I will visit you after all guys have a review up from my table. 12:33
*** Dinesh_Bhor has joined #openstack-keystone 12:42
*** mvkr has quit IRC 12:54
*** bnemec has joined #openstack-keystone 12:57
*** bnemec has quit IRC 13:02
*** Dinesh_Bhor has quit IRC 13:09
*** erus has quit IRC 13:18
*** erus has joined #openstack-keystone 13:19
*** erus has quit IRC 13:23
*** amoralej is now known as amoralej|lunch 13:25
*** erus has joined #openstack-keystone 13:27
*** erus has quit IRC 13:30
*** aojea has joined #openstack-keystone 13:33
*** mvkr has joined #openstack-keystone 13:38
*** shrasool has quit IRC 13:40
*** aojea has quit IRC 13:48
*** aojea has joined #openstack-keystone 13:49
gmann: lbragstad: little confused about lockout_failure_attempts feature is disabled by default and its default value as 1 : https://github.com/openstack/keystone/blob/177c0e610180d8709f90046f5d0e6563c95742f6/keystone/conf/security_compliance.py#L37 13:50
gmann: is it via ignore_options here - https://github.com/openstack/keystone/blob/177c0e610180d8709f90046f5d0e6563c95742f6/keystone/identity/backends/sql.py#L92 ? 13:51
gmann: but i did not find the option_value for that option 13:51
*** shrasool has joined #openstack-keystone 13:52
*** aojea has quit IRC 13:53
*** sheel has quit IRC 13:55
lbragstad: gmann yeah - so that's working hand in hand with the users options stuff 13:57
lbragstad: gmann for example 13:58
lbragstad: https://docs.openstack.org/keystone/latest/admin/identity-security-compliance.html#setting-an-account-lockout-threshold 13:58
lbragstad: if a user has that attribute set on their reference, then it gets factored into that case 13:58
lbragstad: which just allows operators to explicitly say "this user shouldn't be locked out due to invalid password authentication attempts" (e.g., service users) 13:59
lbragstad: gmann the user options stuff is not documented :( 14:00
lbragstad: but we have a bug for it 14:00
lbragstad: https://bugs.launchpad.net/keystone/+bug/1792026 14:00
openstack: Launchpad bug 1792026 in OpenStack Identity (keystone) "User options are not documented in the API reference" [Medium,In progress] - Assigned to Chason Chan (chen-xing) 14:00
gmann: lbragstad: ohk, so that works with 2 controls, one with overall config option and second per user. 14:03
lbragstad: yes - exactly 14:03
lbragstad: the code in the second link 14:03
lbragstad: https://github.com/openstack/keystone/blob/177c0e610180d8709f90046f5d0e6563c95742f6/keystone/identity/backends/sql.py#L92 14:03
lbragstad: is using the resource option from the user reference 14:03
lbragstad: and not the configuration option 14:03
gmann: ok, we are missing that user side enable/disable info in tempest tests - https://github.com/openstack/tempest/blob/ed896859c221b144df23724f386da6eaa64bffc1/tempest/api/identity/v3/test_users.py#L135 14:06
lbragstad: yeah - it's relatively fresh 14:08
lbragstad: the user options work was done after the initial PCI-DSS work 14:08
gmann: lbragstad: and does GET /users return this info ? 14:08
lbragstad: (we still need to document it within keystone and do some client work for it, too) 14:08
lbragstad: gmann yes - it does 14:08
*** bnemec has joined #openstack-keystone 14:09
*** mchlumsky has joined #openstack-keystone 14:09
lbragstad: if you set user options, it will be returned in the reference 14:09
lbragstad: well... 14:09
lbragstad: GET /v3/users/{user_id} will return it 14:09
gmann: and if it is not set, is it missing or default to True 14:09
lbragstad: it will be missing 14:09
gmann: humm. 14:10
gmann: thanks. we can use that API at least. 14:10
lbragstad: gmann here is an example request BODY if you were to set ignore_lockout_failure_attempts 14:11
lbragstad: https://docs.openstack.org/keystone/latest/admin/identity-security-compliance.html#setting-an-account-lockout-threshold 14:11
lbragstad: which would be PATCH /v3/users/{user_id} with a similar request body ({"user": {"options": {"option_name": "option_value"}}}) 14:12
*** erus has joined #openstack-keystone 14:13
lbragstad: unofficial registry of supported user options https://github.com/openstack/keystone/blob/master/keystone/identity/backends/resource_options.py#L60-L111 14:19
gmann: lbragstad: thanks. that will help. but if GET API would return that options always and with default value of True then, it makes user easy to use that info instead of checking attr presence in response. 14:21
lbragstad: gmann sure - that makes sense 14:22
lbragstad: we can try and run that by kmalloc 14:22
lbragstad: get his opinion on it 14:22
lbragstad: he wrote the majority of that code - but i can see how that would simplify clients 14:22
*** Dinesh_Bhor has joined #openstack-keystone 14:28
*** mchlumsky has quit IRC 14:33
*** mchlumsky has joined #openstack-keystone 14:37
*** Dinesh_Bhor has quit IRC 14:38
*** dklyle has joined #openstack-keystone 14:38
*** erus has quit IRC 14:39
*** bnemec has quit IRC 14:48
*** amoralej|lunch is now known as amoralej 14:48
*** shrasool has quit IRC 14:58
*** shrasool has joined #openstack-keystone 15:19
*** bnemec has joined #openstack-keystone 15:31
*** jmlowe has joined #openstack-keystone 15:37
*** jmlowe has quit IRC 15:42
openstackgerrit: Colleen Murphy proposed openstack/keystone master: [WIP] Add introduction section to federation docs  https://review.openstack.org/615384 15:43
*** shrasool has quit IRC 15:54
*** shrasool has joined #openstack-keystone 15:55
*** bnemec has quit IRC 15:58
*** mchlumsky has quit IRC 15:58
*** erus has joined #openstack-keystone 15:59
*** shrasool has quit IRC 15:59
*** bnemec has joined #openstack-keystone 16:02
*** lbragstad has quit IRC 16:07
*** bnemec has quit IRC 16:19
*** mchlumsky has joined #openstack-keystone 16:22
*** mchlumsky has quit IRC 16:24
*** mchlumsky has joined #openstack-keystone 16:26
*** mchlumsky has quit IRC 16:26
*** gyee has joined #openstack-keystone 16:40
*** lbragstad has joined #openstack-keystone 16:58
*** ChanServ sets mode: +o lbragstad 16:58
*** pcaruana has joined #openstack-keystone 17:27
*** dklyle has quit IRC 17:33
*** dklyle has joined #openstack-keystone 17:34
*** lbragstad has quit IRC 17:36
*** sapd1 has quit IRC 18:15
*** sapd1_ has joined #openstack-keystone 18:15
*** jmlowe has joined #openstack-keystone 18:32
*** dklyle has quit IRC 18:34
*** dklyle has joined #openstack-keystone 18:40
*** dklyle has quit IRC 18:47
*** dklyle has joined #openstack-keystone 18:47
*** jmlowe has quit IRC 18:55
*** jmlowe has joined #openstack-keystone 18:56
*** jmlowe has quit IRC 19:04
*** amoralej is now known as amoralej|off 19:24
*** aojea has joined #openstack-keystone 19:31
*** aojea has quit IRC 19:36
*** mvkr has quit IRC 19:53
*** shrasool has joined #openstack-keystone 19:59
*** shrasool has quit IRC 20:19
*** shrasool has joined #openstack-keystone 20:20
*** hoonetorg has joined #openstack-keystone 20:27
*** mvkr has joined #openstack-keystone 20:28
*** shrasool has quit IRC 21:10
*** mattoliverau has quit IRC 21:16
*** lbragstad has joined #openstack-keystone 21:19
*** ChanServ sets mode: +o lbragstad 21:19
*** itlinux has joined #openstack-keystone 21:31
*** shrasool has joined #openstack-keystone 21:40
*** raildo has quit IRC 21:53
*** raildo has joined #openstack-keystone 21:54
*** itlinux has quit IRC 22:12
*** shrasool has quit IRC 22:15
*** aojea has joined #openstack-keystone 22:21
*** aojea has quit IRC 22:26
*** mattoliverau has joined #openstack-keystone 22:26
kmalloc: lbragstad gmann: if we want to extend the user options for defaults, i'm happy to do so. 22:31
kmalloc: or well, happy to accept it 22:31
*** naptastic has joined #openstack-keystone 22:32
naptastic: Is it possible to specify more than one keypair to put on a VM at the time I instantiate it? The UI removes one key if I try to add another. Can that behavior be changed¿ 22:33
naptastic: (wow... didn't realize I could make a ¿ by accident) 22:33
*** imacdonn_ has quit IRC 22:40
*** imacdonn_ has joined #openstack-keystone 22:40
*** lbragstad has quit IRC 22:57
*** pcaruana has quit IRC 22:58
*** spsurya has quit IRC 23:40
cmurphy: naptastic: that's more of a #openstack-nova question, keystone isn't involved with keypairs 23:49
*** raildo has quit IRC 23:51
*** erus has quit IRC 23:54
naptastic: cmurphy, Thanks! Asking there. 23:56
