Tuesday, 2019-01-15

[00:06] *** markvoelker has quit IRC
[00:22] *** erus has quit IRC
[01:20] *** whoami-rajat has joined #openstack-keystone
[01:35] *** markvoelker has joined #openstack-keystone
[01:40] *** markvoelker has quit IRC
[01:50] *** sapd1 has quit IRC
[01:55] <openstackgerrit> Merged openstack/keystone master: Clean up the create_arguments_apply methods  https://review.openstack.org/627617
[01:59] *** markvoelker has joined #openstack-keystone
[02:03] *** Dinesh_Bhor has joined #openstack-keystone
[02:03] *** Dinesh_Bhor has quit IRC
[02:04] *** erus has joined #openstack-keystone
[02:07] *** markvoelker has quit IRC
[02:09] *** Dinesh_Bhor has joined #openstack-keystone
[02:40] *** erus_ has joined #openstack-keystone
[02:43] *** aojea has joined #openstack-keystone
[02:47] *** aojea has quit IRC
[02:53] *** mhen has quit IRC
[02:54] *** mhen has joined #openstack-keystone
[03:38] *** Dinesh_Bhor has quit IRC
[03:45] *** Dinesh_Bhor has joined #openstack-keystone
[03:52] *** vishakha has joined #openstack-keystone
[03:55] *** Dinesh_Bhor has quit IRC
[04:11] *** dave-mccowan has quit IRC
[04:49] *** Dinesh_Bhor has joined #openstack-keystone
[05:05] *** markvoelker has joined #openstack-keystone
[05:47] *** markvoelker has quit IRC
[05:48] *** markvoelker has joined #openstack-keystone
[05:56] *** lbragstad has quit IRC
[05:59] *** markvoelker has quit IRC
[06:23] *** Dinesh_Bhor has quit IRC
[06:28] *** itlinux_ has joined #openstack-keystone
[06:30] *** itlinux has quit IRC
[06:48] *** itlinux_ has quit IRC
[06:53] *** Dinesh_Bhor has joined #openstack-keystone
[06:59] *** rcernin has quit IRC
[06:59] <openstackgerrit> Neha Alhat proposed openstack/python-keystoneclient master: Add return-request-id-to-caller function(v3/contrib)  https://review.openstack.org/624898
[07:06] *** artem_vasilyev has joined #openstack-keystone
[07:10] <artem_vasilyev> lbragstad: hi, just read your advice about adding request id to basic notifications (https://review.openstack.org/#/c/618095/3/). Would it be OK to add it in the same commit or better in another one?
[07:27] *** erus has quit IRC
[07:29] *** erus has joined #openstack-keystone
[07:37] *** erus has quit IRC
[07:40] *** erus has joined #openstack-keystone
[07:47] *** erus has quit IRC
[07:54] *** erus has joined #openstack-keystone
[08:01] *** erus has quit IRC
[08:09] *** erus has joined #openstack-keystone
[08:16] *** erus has quit IRC
[08:27] *** erus has joined #openstack-keystone
[08:28] *** yan0s has joined #openstack-keystone
[08:34] *** erus has quit IRC
[08:41] *** erus has joined #openstack-keystone
[08:47] *** erus has quit IRC
[09:00] *** xek has joined #openstack-keystone
[09:01] *** erus has joined #openstack-keystone
[09:08] *** erus has quit IRC
[09:11] *** erus has joined #openstack-keystone
[09:18] *** erus has quit IRC
[09:26] *** erus has joined #openstack-keystone
[09:30] *** pcaruana has joined #openstack-keystone
[09:33] *** erus has quit IRC
[09:41] *** erus has joined #openstack-keystone
[09:48] *** erus has quit IRC
[09:56] *** erus has joined #openstack-keystone
[09:56] *** Dinesh_Bhor has quit IRC
[10:03] *** erus has quit IRC
[10:05] *** Dinesh_Bhor has joined #openstack-keystone
[10:06] *** Dinesh_Bhor has quit IRC
[10:09] *** jaosorior has joined #openstack-keystone
[10:14] *** erus has joined #openstack-keystone
[10:20] *** erus has quit IRC
[10:26] *** erus has joined #openstack-keystone
[10:32] *** erus has quit IRC
[10:41] *** erus has joined #openstack-keystone
[10:46] <openstackgerrit> Vishakha Agarwal proposed openstack/keystone master: Add openstack_groups to assertion  https://review.openstack.org/588211
[10:48] *** erus has quit IRC
[10:56] *** erus has joined #openstack-keystone
[11:03] *** erus has quit IRC
[11:12] *** erus has joined #openstack-keystone
[11:12] <openstackgerrit> Vishakha Agarwal proposed openstack/keystone master: Optimize fernet token and receipts in cli.py  https://review.openstack.org/627364
[11:22] *** openstackgerrit has quit IRC
[12:04] <knikolla> o/
[12:34] <erus> o/
[12:34] *** raildo has joined #openstack-keystone
[12:46] *** nehaalhat_ has joined #openstack-keystone
[12:47] <nehaalhat_> wxy-xiyuan: Hi, Addressed your comment and uploaded patch: https://review.openstack.org/#/c/624898/2
[12:47] <nehaalhat_> wxy-xiyuan: Kindly have a look at it
[12:53] *** gyee has joined #openstack-keystone
[13:28] *** dave-mccowan has joined #openstack-keystone
[13:34] *** gyee has quit IRC
[13:35] <erus_> I'll be here 3 more hours maybe knikolla, if you are going to stay around :D
[13:36] *** jdennis has quit IRC
[13:37] <knikolla> erus_: sounds good. I'm just eating breakfast and will be back in a bit.
[13:39] *** jdennis has joined #openstack-keystone
[13:51] <erus_> the same :)
[13:56] *** aojea has joined #openstack-keystone
[13:56] *** raildo has quit IRC
[13:58] *** mvkr has quit IRC
[14:03] *** raildo has joined #openstack-keystone
[14:22] *** shyamb has joined #openstack-keystone
[14:24] *** lbragstad has joined #openstack-keystone
[14:24] *** ChanServ sets mode: +o lbragstad
[14:35] *** ostackz has joined #openstack-keystone
[14:50] *** mchlumsky has joined #openstack-keystone
[14:53] *** shyamb has quit IRC
[14:55] <ostackz> Hi keystone team, fyi while trying to do a minor upgrade to OSA Rocky following this https://docs.openstack.org/openstack-ansible/rocky/admin/upgrades/minor-updates.html I got an error on setup-openstack.yml regarding keystone.
[14:55] <ostackz> Unhandled error: ValidationError: Role 0ea5e5a44a1d4477b1315a4daf97a7d8 is a domain-specific role. Unable to use a domain-specific role in a system assignment.
[14:55] <ostackz> More details here https://pastebin.com/raw/9sGPVEQu Could be it's because I have created domains and admin roles after the rocky deployment and now that confuses the bootstrap playbooks for keystone.
[14:57] *** artem_vasilyev has quit IRC
[15:00] *** mvkr has joined #openstack-keystone
[15:05] <odyssey4me> lbragstad ^ any ideas?
[15:06] <odyssey4me> it would seem that perhaps there are multiple 'admin' roles configured in multiple domains, and the bootstrap command doesn't like that
[15:06] <odyssey4me> ostackz it may help to understand if there is more than one 'admin' role in the 'default' domain
[15:07] <lbragstad> that's just what i was going to suggest
[15:07] <lbragstad> does role 0ea5e5a44a1d4477b1315a4daf97a7d8 had a domain id set on it?
[15:07] <lbragstad> s/had/have/
[15:10] <ostackz> lbragstad role show 0ea5e5a44a1d4477b1315a4daf97a7d8 -> domain_id=default, name=admin
[15:10] <lbragstad> odyssey4me ostackz yeah... ok
[15:11] <lbragstad> so it's picking up a domain admin role... instead of a global role
[15:11] *** mchlumsky has quit IRC
[15:11] <lbragstad> in your installation, did you just re-use the admin role by setting the domain on it?
[15:12] *** mchlumsky has joined #openstack-keystone
[15:14] <ostackz> lbragstad I was testing several ways to get domains working, one that helped was mentioned in https://bugs.launchpad.net/keystone/+bug/1783659 more specifically "role add --domain TestDomain --user TestDomainAdmin admin", but that is not in the default domain
[15:14] <openstack> Launchpad bug 968696 in OpenStack Identity (keystone) "duplicate for #1783659 "admin"-ness not properly scoped" [High,In progress] - Assigned to Lance Bragstad (lbragstad)
[15:16] <ostackz> lbragstad in role list --domain Default I currently have 0ea5e5a44a1d4477b1315a4daf97a7d8 (admin) and one more "cloud_admin" but the second one is just some leftover from tests and should not be an issue here
[15:22] <knikolla> erus_: i'm available now if you are.
[15:25] <ostackz> lbragstad offtopic - maybe you can mention some link to comprehensive keystone docs regarding domains? Somehow the info is scattered around, wondering if there are any docs where one can find answers to questions like "how to make domain admins that cannot delete networks created by other domain admins?" and the like, so each domain is an isolated world in itself :)
[15:26] <lbragstad> i guess one thing that could be done would be to rename the domain role
[15:26] <lbragstad> so that the bootstrap command only gets a single role - which is the 'admin' role
[15:27] <lbragstad> otherwise - we need to elaborate on the bootstrap command to take a role id, for example
[15:28] <ostackz> lbragstad is there such a thing as a "domain role"? Or are there just roles "admin" that happen to be created in different domains?
[15:28] <lbragstad> well - that's a good question
[15:28] <lbragstad> one minute - trying to multi-task another meeting
[15:40] *** aojea has quit IRC
[15:48] *** aojea has joined #openstack-keystone
[16:07] *** errr has quit IRC
[16:10] *** errr has joined #openstack-keystone
[16:15] *** aojea has quit IRC
[16:21] <ostackz> lbragstad if you have a minute later, please comment on that "domain role" vs "admin" role in multiple domains. Really keen to demystify this.
[16:22] <lbragstad> ostackz for sure - i'm available at the top of the hour (in the keystone weekly meeting now)
[16:23] *** aojea has joined #openstack-keystone
[16:26] *** aojea has quit IRC
[16:35] *** dklyle has joined #openstack-keystone
[16:37] *** yan0s has quit IRC
[16:46] <ostackz> lbragstad what turns out and confuses me is that we get a different set of roles with "role list --domain Default" and "role list" https://pastebin.com/raw/c2rFsBuK
[16:46] <ostackz> as for my understanding, not specifying --domain we still should get the output for domain Default.
[16:47] <cmurphy> there is a difference between global roles and domain-specific roles
[16:47] <cmurphy> if you specify --domain then you only get the roles owned by that domain
[16:47] <cmurphy> if you don't specify the domain then you get only global roles
[16:47] <cmurphy> there's no overlap
[16:50] <ostackz> cmurphy then I guess I was mixing Domain "Default" with the global thing.
[16:50] <cmurphy> ostackz: right, a role in the default domain isn't the same as a global role
[16:50] <cmurphy> keystone almost always deals in global roles
[16:52] <ostackz> if I need a "domain admin" in each domain - should I create an admin role in each domain and assign that to users in that domain, or assign the global admin role to users in each domain (if this works)?
[16:52] *** aojea has joined #openstack-keystone
[16:53] <lbragstad> i think that role would need to have a different name from 'admin' in order to work with the bootstrap comment
[16:53] <lbragstad> command*
[16:54] <cmurphy> i would still create the global role admin (bootstrap should create that) and modify your policies so that users with the admin role on a domain can perform actions on their domain
[16:54] <lbragstad> ++
[16:54] <ostackz> lbragstad yes, bootstrap worked only when I renamed fbb04abe1b2749df80d549ede4b7c35e not 0ea5e5a44a1d4477b1315a4daf97a7d8
[16:54] <cmurphy> i'm not really sure where domain-specific roles would be used in practice, maybe it's so domain admins can create roles themselves
[16:55] <lbragstad> cmurphy yeah - exactly
[16:55] <cmurphy> but they can't modify policies so it's not very useful
[16:55] <lbragstad> IIRC it was a feature created for domain users to be able to create their own roles
[16:55] <lbragstad> which is pretty hard to put into practice because it requires administrators to redeploy policy files
[16:56] <cmurphy> yeah not really useful yet
[16:56] <cmurphy> maybe someday
[16:56] *** mvkr has quit IRC
[16:57] <ostackz> from a user perspective I would assume that each domain is an isolated world - even admins in a domain cannot see or modify resources in other domains. Then there is a point for domains
[16:57] <lbragstad> ostackz IMO - that's how it should be
[16:58] <lbragstad> but there are parts of openstack that don't work that way - yet
[16:59] <ostackz> well, I have played with domains for a couple of days and what I could do - delete an external network created in another domain.
[16:59] <lbragstad> ^ that - yeah
[16:59] <lbragstad> is a good example
[16:59] <lbragstad> a lot of those operations are actually queuing off the fact that the token used to make that call has the 'admin' role
[16:59] <lbragstad> they don't care what the user has the 'admin' role on
[17:00] <lbragstad> and that's what we're trying to fix with system-scope and domain-scope, which need to be propagated to other services
[17:01] <ostackz> In what state is it in Rocky? Not getting how people manage to live in production with this state of permissions? :)
[17:02] <lbragstad> it varies across openstack projects
[17:02] <lbragstad> one of the typical fixes is to reserve the 'admin' role for only people who are allowed to operate on the deployment - so your system administrators
[17:02] <lbragstad> and then create subsequent "admin"-like roles that you enable via customized policy files
[17:02] <lbragstad> but - that isn't guaranteed to work
[17:03] <lbragstad> since not all projects guarantee policy checks to be done via configuration (e.g., a service could still check for "admin" when you want it to check for "cloud_admin" or "project_admin")
[17:04] <lbragstad> which is a hard-coding issue
[17:05] <ostackz> yes, those cloud_admin, domain_admin, project_admin notions seem so natural (have noticed in deep googling), but it seems they do not exist
[17:05] <lbragstad> IMO they exist as a work around
[17:05] <lbragstad> but we also don't use them as defaults
[17:06] <lbragstad> ideally - shouldn't a role named "project_admin" == ``openstack role add --user ostackz --project foobar admin``
[17:08] <ostackz> let me ask - does it seem possible to run an openstack cloud with only default settings, I mean not touching policy files? Trying to understand if the default permission scheme is flexible enough
[17:10] <ostackz> as I understand - currently for example neutron just ignores permissions or does not differentiate "domain admin" from "global admin"
[17:10] <lbragstad> ostackz i think that depends on your deployment
[17:10] <lbragstad> well - a lot of services don't differentiate between project admin, domain admin, or system admin, yet..
[17:11] <lbragstad> the system assignment concept was introduced in Rocky
[17:11] *** aojea has quit IRC
[17:11] <lbragstad> sorry - queens
[17:11] <lbragstad> http://specs.openstack.org/openstack/keystone-specs/specs/keystone/queens/system-scope.html
[17:12] <lbragstad> which is ultimately trying to play a part in fixing - https://bugs.launchpad.net/keystone/+bug/968696
[17:12] <openstack> Launchpad bug 968696 in OpenStack Identity (keystone) ""admin"-ness not properly scoped" [High,In progress] - Assigned to Lance Bragstad (lbragstad)
[17:12] <lbragstad> (instead of forcing operators and deployers to roll custom policies in order to achieve security, or the principle of least privilege)
[17:16] <ostackz> lbragstad need to read through "System Role Assignments" but when will that be "implemented"? Is it project specific?
[17:16] <lbragstad> good question
[17:17] <lbragstad> the work detailed there is specific to keystone
[17:17] <lbragstad> which was already implemented in Queens
[17:17] <lbragstad> but - it does need to be consumed by other services in order to be useful
[17:17] <erus_> hi knikolla, I was busy, are you available now?
[17:17] <lbragstad> and keystone isn't exempt, we're currently implementing parts of that now
[17:17] <lbragstad> ostackz https://review.openstack.org/#/q/status:open+project:openstack/keystone+branch:master+topic:implement-default-roles
[17:18] <lbragstad> ^ for example, those are some open patches proposed to keystone master that would address some of the concerns you have
[17:22] * lbragstad has to restart IRC quick
[17:22] <lbragstad> brb
[17:22] *** lbragstad has quit IRC
[17:22] <knikolla> erus_: yup
[17:26] *** lbragstad has joined #openstack-keystone
[17:26] *** ChanServ sets mode: +o lbragstad
[17:26] <lbragstad> back
[17:33] *** lbragstad has quit IRC
[17:33] *** lbragstad has joined #openstack-keystone
[17:33] *** ChanServ sets mode: +o lbragstad
[17:37] <erus_> o/
[17:38] <knikolla> erus_: o/
[17:38] <knikolla> so we left it at the 500 error yesterday, right?
[17:39] <erus_> right!
[17:39] <knikolla> did you look around for any meaningful error logs?
[17:40] <erus_> Jan 14 20:17:15 u-stack devstack@keystone.service[9084]: WARNING keystone.server.flask.application [None req-186efd8a-5b33-4404-971a-237a6f101092 None None] Authorization failed. The request you have made requires authentication. from 192.168.122.1: Unauthorized: The request you have made requires authentication.
[17:41] <erus_> that was the last one
[17:41] <erus_> but nothing happen when i run openstack token issue
[17:41] <erus_> neither in keystone logs or apache logs
[17:42] <erus_> happens*
[17:42] <knikolla> just to sanity check, `openstack token issue` works with local authentication?
[17:42] <erus_> yesterday it worked, let me check again
[17:43] <erus_> yeah it works
[17:44] <erus_> and generates logs
[17:44] <knikolla> alright
[17:44] <knikolla> so to recap, keystone is working, however when hitting the endpoint protected by mellon, you get a 500.
[17:46] <erus_> yes, another thing that i noticed was that when i login through the dashboard it threw 3 errors, but i think it doesn't have any relation with keystone
[17:47] <erus_> not sure when that happened or why
[17:52] <knikolla> playing around with my devstack install to see if i can reproduce a 500 at the mellon redirect. give me a sec
[17:55] <erus_> ok thanks
[17:58] *** lbragstad is now known as lbragstad_lunch
[18:00] <knikolla> erus_: can you send me the keystone.conf again?
[18:00] <knikolla> the one for apache
[18:01] <erus_> ok ok
[18:01] *** pcaruana has quit IRC
[18:02] <erus_> http://paste.openstack.org/show/742674/
[18:09] <erus_> brb
[18:12] <knikolla> erus_: i tried the same keystone.conf you have (with my own metadata and keys, and the samltest.id idp metadata) and it doesn't error with 500 when trying the redirect.
[18:12] <knikolla> like this http://paste.openstack.org/show/RArYN9jUs0v2h4PsuNPw/
[18:13] *** erus_ has quit IRC
[18:16] *** itlinux has joined #openstack-keystone
[18:20] *** erus has quit IRC
[18:21] *** erus has joined #openstack-keystone
[18:24] *** erus_ has joined #openstack-keystone
[18:25] <erus_> I'm back
[18:25] <erus_> the last comment from you that I have is the link knikolla
[18:26] <knikolla> copy pasting
[18:26] <knikolla> 1:12 PM <knikolla> erus_: i tried the same keystone.conf you have (with my own metadata and keys, and the samltest.id idp metadata) and it doesn't error with 500 when trying the redirect.
[18:26] <knikolla> 1:12 PM <knikolla> like this http://paste.openstack.org/show/RArYN9jUs0v2h4PsuNPw/
[18:27] <erus_> yay i read that
[18:27] <knikolla> yeah but i don't know what's wrong with your setup
[18:27] <erus_> ok hmm to be sure
[18:27] <knikolla> there's even no logs anywhere, i'm perplexed
[18:27] <erus_> the keystone.conf that you modified was the public or the admin?
[18:28] <erus_> haha that's weird that there are even no logs :(
[18:30] <knikolla> public
[18:30] <erus_> idk
[18:31] <erus_> do you have ubuntu 18.04?
[18:32] <erus_> or xenial?
[18:34] <erus_> everything is "ok" until i set the env variables
[18:40] <knikolla> CentOS
[18:40] <knikolla> but that shouldn't matter
[18:43] <erus_> so I don't know
[18:44] <erus_> i could tell you my steps(?) i don't know if i am missing something
[18:44] <knikolla> worth a shot
[18:49] <erus_> brb give me a minute
[18:52] *** lbragstad_lunch is now known as lbragstad
[18:53] <lbragstad> ostackz following back up - but did some of that make sense?
[19:07] <erus_> i'm back
[19:08] <erus_> well first i set up the idp, then the mapping and the protocol
[19:08] <erus_> after that openstack group create federated_users, openstack project create federated_project and openstack role add --group federated_users --project federated_project member
[19:10] <erus_> then i set up mellon and ran the script to generate the files and the metadata
[19:10] *** lbragstad has quit IRC
[19:11] *** lbragstad has joined #openstack-keystone
[19:11] *** ChanServ sets mode: +o lbragstad
[19:12] <erus_> hmm but i generated the metadata with sp.keystone.test.org not with localhost
[19:12] <erus_> then ran wget -O /etc/apache2/mellon/idp-metadata.xml https://samltest.id/saml/idp
[19:13] <erus_> configured keystone.conf with the auth methods
[19:13] <erus_> and the local_settings to enable WEBSSO
[19:13] <erus_> restarted apache and finally set the env variables
[19:14] <erus_> that's it knikolla :)
[19:20] *** lbragstad has quit IRC
[19:21] *** lbragstad has joined #openstack-keystone
[19:21] *** ChanServ sets mode: +o lbragstad
[19:52] <erus_> got a new error, noticed that i had missed something :D
[19:56] *** aojea has joined #openstack-keystone
[19:57] <erus_> forget it :/ 0 logs
[20:00] *** whoami-rajat has quit IRC
[20:08] <knikolla> seems correct to me
[20:19] <erus_> but doesn't it matter that i generated the data with sp.keystone.test.org instead of localhost? knikolla
[20:22] <knikolla> technically, it's good practice to use a url which works. it shouldn't break things where they're broken now though.
[20:24] <erus_> ok ok, i generated the metadata again with localhost just for a test and tried to upload it to samltest but it has been like 15 minutes and it's still loading :S
[20:27] *** aojea has quit IRC
[20:32] *** mvkr has joined #openstack-keystone
[20:33] <erus_> what should i try? or check?
[20:36] *** itlinux_ has joined #openstack-keystone
[20:37] *** itlinux has quit IRC
[20:39] *** itlinux_ has quit IRC
[20:51] <erus_> i think there is a problem with the samltest.id page
[20:57] *** aojea has joined #openstack-keystone
[21:18] *** whoami-rajat has joined #openstack-keystone
[21:24] *** xek has quit IRC
[21:29] *** aojea has quit IRC
[21:40] <erus_> http://paste.openstack.org/show/742689/ idp logs
[21:42] <erus_> i was doing some tests and these are my last keystone logs http://paste.openstack.org/show/742690/
[21:58] <knikolla> erus_: looking
[21:58] *** raildo has quit IRC
[22:02] <knikolla> erus_: try not generating the data with localhost, but with the ip address of the vm. "http://192.168.122.141/identity/v3"
[22:02] <knikolla> metadata*
[22:04] <erus_> i already did that
[22:04] <erus_> :D
[22:04] <erus_> and tested it
[22:05] <erus_> i ran out of ideas knikolla :D
[22:06] <knikolla> erus_: at this point maybe screensharing wouldn't be a bad idea.
[22:06] <erus_> i think so
[22:06] <erus_> it could be a great idea
[22:06] *** imacdonn has quit IRC
[22:07] *** imacdonn has joined #openstack-keystone
[22:07] <knikolla> i have to go now to pick up my laptop from service before they close shop (had to replace the keyboard), but i'll be here again in an hour or so.
[22:08] <erus_> yeah it's ok for me
[22:08] <erus_> good luck with your laptop :D
[22:09] <knikolla> thanks. almost everyone that i know who has one of these new macbooks has had keyboard issues.
[22:10] <erus_> too bad, i want a new lenovo thinkpad :D
[22:11] <erus_> do you use mac os or do you have linux on your macbook? (just curious)
[22:11] <knikolla> mac os
[22:11] <knikolla> i'm very very deep into the apple ecosystem
[22:12] <erus_> ohh i see, never had a macbook before
[22:12] <erus_> and i think i will never have one
[22:12] <knikolla> i've used linux for most of my life, but once i tried mac, i was sold.
[22:12] <erus_> hahaha
[22:13] <erus_> i try to stay as far as i can from all proprietary stuff
[22:15] <erus_> but have friend that say that mac changed their lives xD
[22:15] <erus_> friends*
[22:21] *** mhen has quit IRC
[22:23] *** mhen has joined #openstack-keystone
[22:46] *** rcernin has joined #openstack-keystone
[23:13] *** erus_ has quit IRC
[23:47] *** whoami-rajat has quit IRC
