Tuesday, 2019-01-22

*** ayoung has joined #openstack-keystone00:44
*** ileixe has joined #openstack-keystone00:55
*** aojea has joined #openstack-keystone01:02
*** aojea has quit IRC01:07
*** markvoelker has quit IRC01:08
*** markvoelker has joined #openstack-keystone02:09
*** Dinesh_Bhor has joined #openstack-keystone02:14
openstackgerritAdrian Turjak proposed openstack/keystone master: bump Keystone version for Stein  https://review.openstack.org/63136902:34
openstackgerritAdrian Turjak proposed openstack/keystone master: Add documentation for Auth Receipts and MFA  https://review.openstack.org/58053502:36
*** lbragstad_503 has quit IRC02:38
*** markvoelker has quit IRC02:43
*** shyamb has joined #openstack-keystone03:17
*** shyamb has quit IRC03:28
*** rcernin has quit IRC03:35
*** shyamb has joined #openstack-keystone03:36
*** markvoelker has joined #openstack-keystone03:41
*** Dinesh_Bhor has quit IRC03:45
*** rcernin has joined #openstack-keystone03:49
*** lbragstad_503 has joined #openstack-keystone03:54
*** ChanServ sets mode: +o lbragstad_50303:54
*** rcernin has quit IRC03:57
*** rcernin has joined #openstack-keystone03:58
*** Dinesh_Bhor has joined #openstack-keystone03:58
*** shyamb has quit IRC04:03
openstackgerritayoung proposed openstack/keystone master: Alternative Replace UUID with id_generator for Federated users  https://review.openstack.org/62311704:12
openstackgerritayoung proposed openstack/keystone master: Replace UUID with id_generator for Federated users  https://review.openstack.org/60516904:12
*** markvoelker has quit IRC04:13
openstackgerritayoung proposed openstack/keystone-specs master: Resurrect the unscoped token catalog specification  https://review.openstack.org/60734604:13
openstackgerritayoung proposed openstack/keystone master: Render Version 3 page as XHTML  https://review.openstack.org/63221304:16
*** ileixe has quit IRC04:34
*** shyamb has joined #openstack-keystone05:04
*** whoami-rajat has joined #openstack-keystone05:04
*** shyamb has quit IRC05:05
*** shyamb has joined #openstack-keystone05:05
*** ileixe has joined #openstack-keystone05:08
*** markvoelker has joined #openstack-keystone05:10
*** tkajinam_ has joined #openstack-keystone05:16
*** tkajinam has quit IRC05:18
*** Dinesh_Bhor has quit IRC05:24
*** tkajinam__ has joined #openstack-keystone05:25
*** tkajinam_ has quit IRC05:27
*** Dinesh_Bhor has joined #openstack-keystone05:30
*** shyamb has quit IRC05:38
*** markvoelker has quit IRC05:43
*** lbragstad_503 has quit IRC05:57
*** vishakha has joined #openstack-keystone05:58
*** tkajinam_ has joined #openstack-keystone06:09
*** tkajinam__ has quit IRC06:12
*** shyamb has joined #openstack-keystone06:14
*** spsurya has joined #openstack-keystone06:21
*** markvoelker has joined #openstack-keystone06:40
*** shyamb has quit IRC06:51
*** shyamb has joined #openstack-keystone06:54
*** markvoelker has quit IRC07:14
*** ileixe has quit IRC07:30
*** pcaruana has joined #openstack-keystone07:41
*** shyamb has quit IRC07:58
*** sapd1_ has quit IRC08:07
*** markvoelker has joined #openstack-keystone08:10
*** sapd1_ has joined #openstack-keystone08:11
*** tkajinam_ has quit IRC08:12
*** Dinesh_Bhor has quit IRC08:40
*** shyamb has joined #openstack-keystone08:40
*** markvoelker has quit IRC08:43
*** rcernin has quit IRC08:56
*** xek_ has joined #openstack-keystone09:00
*** Dinesh_Bhor has joined #openstack-keystone09:28
*** markvoelker has joined #openstack-keystone09:40
*** Dinesh_Bhor has quit IRC09:50
*** shyamb has quit IRC10:05
*** markvoelker has quit IRC10:13
*** shyamb has joined #openstack-keystone10:38
*** shyamb has quit IRC10:39
*** shyamb has joined #openstack-keystone10:39
*** jmlowe has quit IRC10:56
*** markvoelker has joined #openstack-keystone11:10
*** yan0s has joined #openstack-keystone11:27
*** mvkr has quit IRC11:34
*** markvoelker has quit IRC11:44
*** xek_ has quit IRC11:54
*** xek_ has joined #openstack-keystone11:54
*** dave-mccowan has joined #openstack-keystone11:56
*** rafaelweingartne has joined #openstack-keystone11:58
*** shyamb has quit IRC12:00
*** shyamb has joined #openstack-keystone12:02
*** mvkr has joined #openstack-keystone12:06
*** shyamb has quit IRC12:23
*** shyamb has joined #openstack-keystone12:23
*** gary_perkins has quit IRC12:24
*** gary_perkins has joined #openstack-keystone12:26
*** GregWaines has joined #openstack-keystone12:36
*** rafaelweingartne has quit IRC12:37
*** gary_perkins has quit IRC12:38
*** markvoelker has joined #openstack-keystone12:41
*** gary_perkins has joined #openstack-keystone12:41
*** gary_perkins has quit IRC12:44
*** gary_perkins has joined #openstack-keystone12:46
*** sapd1_ has quit IRC12:49
*** shyamb has quit IRC12:50
*** shyamb has joined #openstack-keystone12:52
*** sapd1_ has joined #openstack-keystone12:52
*** shyamb has quit IRC13:03
*** yan0s has quit IRC13:06
*** shyamb has joined #openstack-keystone13:06
*** markvoelker has quit IRC13:09
*** shyamb has quit IRC13:15
*** shyamb has joined #openstack-keystone13:15
*** yan0s has joined #openstack-keystone13:20
*** shyamb has quit IRC13:26
*** lbragstad_503 has joined #openstack-keystone13:56
*** ChanServ sets mode: +o lbragstad_50313:56
*** aojea_ has joined #openstack-keystone13:59
*** lbragstad_503 is now known as lbragstad14:03
*** yan0s has quit IRC14:06
*** lbragstad has quit IRC14:23
*** lbragstad has joined #openstack-keystone14:26
*** ChanServ sets mode: +o lbragstad14:26
knikollaFYI that I have to stop working at the end of this week, and resume when I get a favorable response from immigration. That will be at least a week, but may be longer.14:30
lbragstadlet us know if there is anything we can do to help14:32
knikollaNothing, really. BU messed up the timeline for filing for a visa, creating a gap.14:32
knikollaI’ll let you know in a few weeks if I’ll need references, lol.14:33
*** awalende has joined #openstack-keystone14:34
openstackgerritayoung proposed openstack/keystone master: Render Version 3 page as XHTML  https://review.openstack.org/63221314:36
ayoungknikolla, let me know if you need a job.  I'll push14:37
knikollaThanks ayoung, appreciate it. I’ll let you know.14:39
lbragstad++ ayoung14:40
lbragstadknikolla i know we've shared reading lists in the past, but if you're looking for a new book, i just picked up a copy of https://www.amazon.com/Programmers-Introduction-Mathematics-Dr-Jeremy/dp/172712545214:44
*** aojea_ has quit IRC14:46
*** yan0s has joined #openstack-keystone14:48
*** aojea_ has joined #openstack-keystone14:48
lbragstadi'm just starting it - but it's pretty interesting so far14:51
*** wxy| has joined #openstack-keystone15:00
*** yan0s has quit IRC15:03
*** aojea_ has quit IRC15:05
*** yan0s has joined #openstack-keystone15:15
*** awalende has quit IRC15:36
*** awalende has joined #openstack-keystone15:37
*** awalende has quit IRC15:42
openstackgerritLance Bragstad proposed openstack/keystone master: Implement JWS token provider  https://review.openstack.org/61454915:42
lbragstad^ passes python3 and python2 tests locally15:42
lbragstadshould be good to go for reviews15:42
*** openstackgerrit has quit IRC15:51
kmallocyay, i have networking at home now15:53
*** dklyle has joined #openstack-keystone15:53
kmallocknikolla: damn, let us know if you need anything as well.15:53
*** yan0s has quit IRC15:56
ayoungWe meet in here now or in -alt?15:59
*** openstackgerrit has joined #openstack-keystone15:59
openstackgerritMorgan Fainberg proposed openstack/keystone-specs master: Add note about boilerplate content  https://review.openstack.org/62528315:59
kmallocayoung: should still be -alt unless something changed16:00
kmallocbut don't listen to me, i've been on vacation for the last... uh... bunch16:00
openstackgerritayoung proposed openstack/keystone master: Allow an explicit_domain_id parameter when creating a domain  https://review.openstack.org/60523516:04
*** dims has quit IRC16:15
*** dims has joined #openstack-keystone16:20
*** GregWaines has quit IRC16:28
kmallocerus_: o/ :)16:42
*** awalende has joined #openstack-keystone16:45
erus_hi kmalloc how are you?16:45
jaosoriorayoung, lbragstad, kmalloc: Do I understand right that the preference is to start moving away from having an admin endpoint for keystone entirely?16:46
ayoungjaosorior, Keystone meeting going on right now...ask there.  #openstack-meeting-alt16:46
jaosoriorayoung: what's the agenda?16:47
*** awalende has quit IRC16:47
ayoungjaosorior, we're talking Stein commitments at the moment16:47
*** awalende has joined #openstack-keystone16:47
jaosoriorI guess I gotta wait for the end for "unrelated questions"16:48
lbragstadjaosorior sorry - trying to get to open discussion :016:56
jaosoriorlbragstad: it's all good. if someone has the chance to answer that here, I'm happy with that too.16:56
lbragstadwe do have office hours right after the meeting - so i'll be around for that, too16:57
kmallocjaosorior: yes. there is no reason for two endpoints they are the same now with v317:01
*** wxy| has quit IRC17:01
ayoungjaosorior, so...to answer your questions: I think we should move away from having an admin endpoint for keystone, unless we explicitly split up Keystone into multiple microservices17:01
kmallocjaosorior: you might want one that is not externally facing (e.g. if you do traffic shaping) but that is internal vs main.17:01
kmallocan explicit admin endpoint isn't super useful.17:02
*** pcaruana has quit IRC17:02
ayoungright, with all of V3 on one endpoint17:02
kmallocerus_: i am good, trying to get my brain back engaged in openstack.17:02
lbragstadjaosorior yeah - so the v3 app is all one endpoint really17:02
jaosoriorso the default in keystoneclient right now is to use the "admin" interface or endpoint\17:02
kmallocerus_: long vacation with no code/code review was good.17:02
ayoungwe used to split v2 between "users can dothis" on port 5000 and "admins can do this" on 35357, but it was poorly split17:02
kmalloci need to revisit SDK so we can just ksc.17:03
jaosoriorif this is the path folks want to take, maybe you/we wanna change that default?17:03
kmallocthe mid-term goal is have folks stop using ksc17:03
ayounglbragstad, we want to go 0trust!17:03
jaosoriorwe tried to remove 35357 from tripleo, but that went terribly :)17:03
kmallocjaosorior: you should use 80/44317:03
ayoungand register all Keystone endpoints to use the same value.17:04
jaosoriorkmalloc: it's too late to change to those; it would break folks too much.17:04
ayoungjaosorior, not it is not17:04
kmallocno it is not.17:04
ayoungjaosorior, we can do anything on a major version upgrade17:04
ayoungcustomers are not going to touch anything between OSP 13 and 1617:04
ayoung16 is a BLANK SLATE!17:05
ayoungand it happens to be TRAIN!17:05
kmallocfwiw we will be driving (i hope) all documentation and testing to 80/443 clearly17:05
kmalloci can't stop someone from using high ports, i can say it is not recommended under any deployment17:05
kmalloceven today17:05
erus_oh sweet :D kmalloc, sounds like a great vacations :P17:06
ayoungI can.  Three magic words17:06
ayoungIs. Not. Supported.17:06
kmallocayoung: this is less red hat and general "I cannot say it wont work" i can say it is not how we test nor how we (upstream) recommend deployment17:06
ayoungkmalloc, Yeah, but I know who jaosorior has to make happy.  So I can say it.17:08
* jaosorior is in a meeting. I'll read this in a bit.17:09
cmurphylbragstad: so re athenz i think keystone's external authentication support is a drop-in replacement for what athenz is doing17:09
cmurphyiirc what they are doing is using client certificates from athenz and exchanging them for tokens and meanwhile generating users and projects and role assignments with their custom auth plugin17:10
cmurphywhich is exactly what federation and shadow users does17:10
cmurphytokenless is another matter that i thought would help with edge but after talking with gyee i think not exactly17:12
cmurphybecause with tokenless auth you still need to establish a connection to keystone17:12
lbragstadthe question james and i had was if they'd be able to use x.50917:12
cmurphyyes i tried it with x.50917:12
cmurphyit works just fine17:12
lbragstadwow - nice work cmurphy17:13
lbragstadand that is separate from things i broke with https://review.openstack.org/#/c/605539/ ?17:13
ayoungSo...right.  We either need to push keystone to the edge itself, or make it possible to remotely validate stuff17:14
cmurphylbragstad: yeah that's separate17:14
lbragstadcc ildikov - since i think she's going to be interested in this17:14
cmurphyas long as they are fine with using the cert to get a token then that still works17:14
cmurphyand aiui that's what they're doing17:15
ildikovlbragstad: thanks!17:15
ildikovon a series of meetings, but will check it out as I can17:15
lbragstadi remember james saying that Athenz was planning on deprecating their token formats17:15
lbragstadwhich would break the keystone plugins they open-sourced17:15
ayoungso...lets talk remotely validating17:20
lbragstadcmurphy so - it sounds like we don't need a spec for the athenz related stuff?17:20
ayoungsay we do JWT or something like SAML, where all the data is in the assertion itseld.  Not SAML from the IDP, a Keystone Specific SAML17:20
ayoungsend that to nova, it could validate in process, just like PKI tokens were way back when.17:21
cmurphyayoung: how would revocation work?17:23
ayoungcmurphy, never revoke. Short time outs only17:24
ayoungEdge validates when it can, and continuies to function in the absence of access to the center17:24
cmurphygenerally sounds good to me17:27
ayoungcmurphy, how long would you think a token would need to last in order to A) process all its work and B) not be considered a security risk?  4 hours?17:27
ayoungKerberos is generally 8, but is usually backed by LDAP.  SAML, thou, is roughly the same17:28
kmallocwe should not do revocations if we can avoid it17:29
cmurphymy first thought is 4 hours seems long but if 4 or 8 is standard in other tech then i guess that makes sense17:29
kmalloc4 or 8 should be fine.17:29
kmallocand this is something that i don't mind being configurable17:30
kmallocas krb is.17:30
lbragstadour default token expiration right now is 1 hour17:30
ayoungIt could be on a per edge-site basis17:30
ayoungi.e. You need to go back to the center and get a different token for a different edge site17:31
jaosoriorok, back17:32
jaosoriorso, the official keystone team recomendation is to move towards ports 80/44317:33
jaosoriordid I understand that correctly?17:33
jaosoriorand to ditch the admin endpoint, in favor of just using an internal one (for the internal network)17:33
ayoungjaosorior, everything needs access to Keystone.  All of Keystone is now on one endpoint17:36
ayounginternal, admin, external, these things matter not17:37
ayoungall is v317:37
jaosoriorfair enough17:37
cmurphyiirc the docs all refer to 5000 because at the time it was simplest to just drop 35357 and not try to explain how to set up keystone on a /identity endpoint such that it wouldn't conflict with eg horizon17:38
*** awalende has quit IRC17:39
*** awalende has joined #openstack-keystone17:39
*** aojea has joined #openstack-keystone17:41
ayoungkmalloc, so...look at what I did...17:43
*** aojea has quit IRC17:44
*** awalende has quit IRC17:44
ayoungkmalloc, its just a POC, showing that Flask is very nice to work with17:44
kmalloccmurphy: yeah we need to fix that. train target imo17:44
*** aojea has joined #openstack-keystone17:44
kmallocayoung: yep. isn't that pretty easy now? :)17:46
ayoungkmalloc, yeah.  I started with render-template, but realize that most of what I wanted to do was hand rendered html, was easier to just pull my old code forward17:47
openstackgerritJuan Antonio Osorio Robles proposed openstack/python-keystoneclient master: Make default interface 'internal' instead of 'admin'  https://review.openstack.org/63252017:47
ayoungkmalloc, here was the old review https://review.openstack.org/#/c/29105/17:49
ayoungI think I need to get Basic-Auth working with the Keystone password backend in order to continue that work.17:50
ayoungkmalloc, so, should /v3 had links to /v3/users /v3/projects etc by default, or only after a user authetnictates?17:55
ayoungand... /auth should not be under /v3. should it17:55
kmallocauth should move.17:56
kmallocthat is on a long list17:56
kmallociirc it shoudl have links to /v3/users and projects17:57
kmallocbut the users/projects links should require auth to reach17:57
kmallocif that makes sense17:57
kmalloce.g. redirect to login when clicked.17:57
ayoungyeah, but I'm thinking web flow here...say someone starts at https://keystone.  Right now, automatic redirect to /v317:58
ayoungdo we make them click on /auth at that point?17:58
ayoungalso, what about Federation?17:58
ayoungWe don't provide an enumeration of the Federated IdPs right now, but people shouild be able to log in via SAML et alles17:59
kmallocso this is part of the larger web-rendering bits17:59
kmallocand well-known endpoints/moving auth to /auth vrom /v3/auth17:59
ayoungso, if we assumed away to enumeration limitation, a user could go from /v3/ to /v3/federation/idps17:59
kmallocideally the rendering should just lean on the API and be something react-ish18:00
ayoung /v3/federation/idps/myidp/protocol/saml18:00
ayoungeven if the flow is automated, tho, the logic remains the same18:00
kmallocbut it probably would be /auth/.... not /v3/federation for enumeration18:00
kmallocbut yes18:00
ayounglets not reactify it first pass18:00
ayoungso /auth18:01
ayoungso /auth/idps?18:01
ayoungAnd treat keystone as just another IdP?18:01
kmallocso, we can put in an HTML renderer, but my hope is we're not just rendering things internal to keystone18:01
kmallocit's ok if it's static18:01
*** pcaruana has joined #openstack-keystone18:01
kmallocyes keystone's internal auth is just another idp in my view of the way it should work18:01
ayoungmy thought was that, once we get the HTML rendering to work, we allow a parameter in conf that can inject a style sheet18:01
kmalloci want to be VERY careful about coding html rendering into keystone.18:02
ayoungA list of links in a big table can always be managed via javascript to be a  a dropdown or something18:02
kmallocjust so we don't get locked into something.18:02
kmalloclike i said, i really would like for the UI to be purely based around the api (if at all possible)18:03
ayoungPure HTML in Keystone.  All Javascript is external.  HTML has 1 to 1 mapping with JSON18:03
kmallocthis is where a lead to some redesigned api, v3 may not in-fact work for this.18:03
kmalloci can roadmap out the vision i had again after breakfast18:03
kmallocif it will help18:03
ayoungdoes that mean that the vision was inspired by breakfast, or that you need breakfast before you can roadmap?18:04
kmallocneed breakfast first18:04
kmallocthe roadmap right now would be inspired by breakfast18:04
kmallocbecause i need food18:04
kmallocso it would look a lot like bagels, or coffee and eggs.18:04
kmalloc"this here is the creamcheese aPI, you use the knife to spread it on the toast... how does that relate to identity? IT JUST DOES OK!? ;)"18:05
kmalloci'll be back in about an hour18:05
kmalloci think18:05
kmallocwe can bluejeans (oh uh... maybe i need to get a USB cable)18:06
kmallocanyway... back in a bit and we can go over the stuff18:06
*** pcaruana has quit IRC18:23
*** erus_ has quit IRC18:44
*** aojea has quit IRC18:46
*** aojea has joined #openstack-keystone18:56
lbragstadcmurphy were you saying our docs for settings up certificate authentication need work?18:58
cmurphylbragstad: yes18:59
lbragstaddo we have a bug open for that yet? i'm looking at untriaged bugs18:59
cmurphyno i haven't opened one19:00
lbragstadjust checking19:00
*** erus_ has joined #openstack-keystone19:01
*** ianw_pto is now known as ianw19:02
*** aojea has quit IRC19:07
*** aojea has joined #openstack-keystone19:08
kmallocayoung: back19:25
kmalloclbragstad: https://review.openstack.org/#/c/625283/ super easy change19:25
kmalloclbragstad: just fgor future specs to discourage leaving boilerplate content in19:25
kmalloclbragstad: starting to look over code19:26
kmalloclbragstad: anywhere specific i should start or just hit the patchsets highlighted earlier?19:26
ayoungkmalloc, so...before we get started,  Ansible question:  I have ~/.config/openstac/clouds.yaml and I can do openstack --os-cloud fsi-moc token issue19:27
ayoung  but having trouble getting that to show in a playbook19:27
*** aojea has quit IRC19:27
ayoungis there some way to force what clouds.yaml file to use for ansible?19:27
*** takamatsu has quit IRC19:27
kmalloci ... i don't know19:27
kmallocthere should be an invocation for it19:28
openstackgerritMerged openstack/oslo.policy master: Add ability for policy-checker to read configuration  https://review.openstack.org/61665919:28
ayoungansible-playbook -e cloudname=fsi-moc -e ~/.config/openstack/clouds.yaml  ~/devel/rippowam/playbooks/openstack-provision.yml19:28
ayoungoh wait19:28
ayoungnope adding @ did not help19:28
ayoungFedora 29, so pretty recent code19:29
ayoungdocs say it should fiond things in  ~/.config/openstack/clouds.yaml19:30
ayoungno sudo in this19:30
kmallocayoung: ^ that seems to be a way to get it to work, os_client_config directive in your yaml?19:30
ayoungTASK [Get list of clouds from OpenStack client config] ************************************************************************************************************************************************************19:32
ayoungfatal: [localhost]: FAILED! => {"changed": false, "msg": "os-client-config is required for this module"}19:32
ayoungmaybe that19:32
kmallocyeah that would be an issue ;)19:32
ayoungpython2 vs 319:33
ayoungopenstack excecutable is using 219:33
ayoungnope, same problem, tho19:33
kmallocand you're running locally, right?19:34
kmallocbecause clouds.yaml is searched on remote machines (by design)19:35
kmallocand not local.19:35
ayoungkmalloc, so you need to remove somethig from your example19:35
kmallocthis was sourced very quickly from that bug19:35
ayoungsetting         clouds: fsi-moc overwrites the variable19:35
ayoungwithout that, yeah, I can list19:35
ayoungit seems to be getting config info from somehwere else...19:36
*** efried has joined #openstack-keystone19:36
efriedHowdy keystoners. Basic question (hopefully):19:37
efried'password', 'v2password', 'v3password' <== are these authentication mechanisms?19:37
ayoungkmalloc, got it19:38
ayoungthere was a clouds.yaml file in mny playbooks directory19:38
ayoungefried, yes19:39
efriedThanks ayoung. Who's it up to to decide which of these should be supported? The thing requesting authentication? The service into which the authentication is being done? Or keystone(auth) itself?19:39
efriedhah, perfect, then please tell me o ayoung, which should be supported when nova wants to talk to a (brand new) cyborg API19:40
ayoungok, so these are the mechs that keystone itself supports in order to get a token19:40
kmallocayoung: haha yeah that'd do it.19:40
ayoungwhere are you seeing these values?  That determines the rest of the answer19:40
kmallocefried: so keystoneauth loads the plugins, as long as a plugin conforms to our interface and is an entry point it can be used19:41
kmallocefried: it is up to the keystone being communicated with to determine if it supports the auth type.19:41
kmallocso it is both sides.19:41
efriedUntil this point, nova has never talked to cyborg. And the cyborg API we want to talk to hasn't yet been written. I'm trying to come up with the conf setup I need to define in nova to talk to this cyborg API.19:42
kmallocthe plugin must exist in the local system (where keystoneauth is)19:42
efriedSo what I'm wondering is: is there any reason for me to support v1 and v2, or can I just limit it to v3?19:42
ayoungefried, just v319:42
kmallocjust limit to v3 imo19:42
kmallocpretend for new stuff that v1/v2 doesn't exist (keystone wise)19:42
kmallocalso "password" is a bounce point for v2/v319:42
ayoungv1 was gone by the time I joined the project 9 years ago.  V2 is still supported, slightly, for auth only, but does not know about domains19:43
kmalloc"password" isn't a v1.19:43
efriedand then will the cyborg side have to do something special to limit as well, or is this side the only thing I need to do?19:43
efried"password is a bounce point..." -- so do I need to say19:44
efried        ks_loading.get_auth_common_conf_options() +19:44
efried        ks_loading.get_auth_plugin_conf_options('v3password') +19:44
efriedor will19:44
efried        ks_loading.get_auth_common_conf_options() +19:44
efried        ks_loading.get_auth_plugin_conf_options('password') +19:44
efrieddo the trick?19:44
efried...where ks_loading is19:45
efriedfrom keystoneauth1 import loading as ks_loading19:45
ayoungwhat is cyborg19:49
kmallocthe 'password' one should work19:50
*** pcaruana has joined #openstack-keystone19:50
lbragstadayoung it's an openstack project19:51
ayoungso its like Ironic?  Something that split out of Nova?19:51
lbragstadi believe it's for hardware accelerators19:52
ayoungThat is what the site says, yes.  I'm trying to understand where it fits in so I can give efried a better answer19:52
*** whoami-rajat has quit IRC19:52
ayoungefried, what is the workflow like?  Does it get a token from Nova?19:55
efriedayoung, lbragstad, kmalloc: Yeah, cyborg is (going to be) a service a lot like cinder, in the sense that it provides a thing (accelerators where cinder provides volumes) and nova has to talk to its API to like configure the thing.19:56
efriedor yeah like Ironic.19:56
efriedor neutron, or placement19:57
efriedworkflow-wise, it might be like, "Hey placement, allocate me an accelerator resource," then, "Hey cyborg, here's the UUID of an accelerator provider, go flash it with a gzip bitstream."19:58
efriedor, "Hey cyborg, tell me what accelerators you know about," analogous to, "Hey glance, tell me what images you know about."19:59
*** pcaruana has quit IRC20:11
*** pcaruana has joined #openstack-keystone20:24
*** dims has quit IRC20:40
*** dims has joined #openstack-keystone20:42
*** dave-mccowan has quit IRC20:48
*** dims has quit IRC20:50
*** dave-mccowan has joined #openstack-keystone20:51
*** dims has joined #openstack-keystone20:52
lbragstadcmurphy ok - getting caught up on a couple things here20:57
lbragstadcmurphy if i'm understanding the report in https://bugs.launchpad.net/keystone/+bug/1811605 correctly, once that is fixed oauth can essentially use that same flow for authentication with certificates issued from Athenz20:58
openstackLaunchpad bug 1811605 in OpenStack Identity (keystone) "Tokenless authentication is broken" [Undecided,New]20:58
* lbragstad is standing up a devstack now to do some testing20:58
cmurphylbragstad: no, they can do that already even with that bug20:58
*** xek_ has quit IRC20:59
cmurphythat bug is about tokenless auth not x509 auth20:59
lbragstadok - so i'm getting my wires cross tehn21:00
lbragstadin that example it's using an x509 certificate to get a token21:02
lbragstadand that shows the flow that oath needs (and works today)21:03
lbragstadit's specifically the last step that fails21:03
cmurphyright, it's trying to do a keystone request using --cert instead of -H x-auth-token , that's what's expected to work and doesn't21:05
cmurphythe getting a token is fine21:05
lbragstadcool - i think i'm on the same page now21:06
lbragstadyou put together those steps to recreate, right?21:07
lbragstador did you find that in a guide somewhere?21:07
cmurphyi cobbled it together from the external auth guide and the tokenless auth guide21:08
cmurphysome of what's in the tokenless guide should get moved over to external auth21:08
lbragstadi wonder if we could find a seam for this in the new federated guide21:08
*** pcaruana has quit IRC21:19
*** efried has quit IRC21:30
*** efried has joined #openstack-keystone21:30
openstackgerritGage Hugo proposed openstack/keystone master: [WIP] Add functional testing gate  https://review.openstack.org/53101421:31
*** dklyle has quit IRC21:39
*** mchlumsky has quit IRC21:42
*** aojea has joined #openstack-keystone21:46
*** erus_ has quit IRC21:52
*** imus has quit IRC21:52
openstackgerritSergey Vilgelm proposed openstack/keystone master: Fix list projects for user  https://review.openstack.org/63256521:59
*** rcernin has joined #openstack-keystone22:10
efriedayoung, lbragstad, kmalloc: Thing we were talking about earlier FYI: https://review.openstack.org/63124222:17
*** rcernin has quit IRC22:17
ayoungkmalloc, shouldn't there be some better way than specifying password explicitly/22:18
* ayoung misses jamielennox at these points22:18
ayoungefried, I think what you did there is right22:18
ayoungI hate that we tie ourselves tighter to passwords with each one of these22:19
efriedayoung: fwiw, all the other conf setups do it like this (though most of them specify all three - 'password', 'v2password', 'v3password')22:19
*** rcernin has joined #openstack-keystone22:19
efriedcan provide examples on request22:19
efriedor just cuz:22:21
ayoungefried, yeah, this is config file stuff so nova can talk to another service.  Way back when we had gyee working on tokenless auth for these kindsof things, but we've seem to have let that lapsed22:22
efriedI don't want to solve the world here, just do a thing that'll work and be roughly in parity with how we do it for other things.22:23
efriedSolving the world I can do later.22:23
kmallocayoung: it should be configurable like KSM is22:24
kmallocspecify the plugin in the config22:24
kmallocnot hard-code password22:25
ayoungYeah, but don't they need the password config options in their config?22:25
efriedkmalloc: I think it's set up that way for the actual config. This (list_opts) is for the config doc generator.22:25
efriedThe actual registration of opts happens with22:26
efriedks_loading.register_auth_conf_options(conf, group)22:26
kmallocefried: ++ yeah22:26
kmallocayoung: you'll pull in the plugin when using loading/session22:27
kmallocayoung: so they can use any plugin that is available22:27
kmallocor should be able to*22:27
kmallocefried: make sure that with testing you test more than just password (loading wise)22:27
efriedso I guess what would make this smoother is something in ksa that I can call from list_opts that pulls the defs of all the available plugin-y things.22:27
ayounghttps://review.openstack.org/#/c/631242/3/nova/conf/cyborg.py  can he drop the password opts being in there explicitly?22:27
kmalloche should not explicitly set password imo22:28
efriedkmalloc: Fortunately for me, that part is all in util methods that are common to all the other services and tested elsewhere.22:28
kmallocefried: right i just meant check to make sure it's not explicitly only using password :)22:29
efriedAgain, the code that's mentioning 'password' explicitly is only used for conf doc generator, not for actually registering the options.22:29
kmallocwhen you test the code.22:29
kmalloci wouldn't supply a plugin there22:29
kmallocif possible... mostly so folks don't go "oh password only"22:29
efriedthis may help:22:29
kmallocbut if a plugin is needed for the doc generation password is fine22:30
efriedkmalloc: I think the "common auth options" part might get the rest. Not sure.22:30
efriedeasy enough to see how this looks in the conf doc...22:30
efriedif you look at the placement section, after the first two or three opts, that's where the stuff pulled from ksa starts, right?22:32
efriedI suspect all that chunk of list_opts is doing is populating the fields starting around22:33
efriedwhich seems reasonable enough; it's not like it's pushing you to use password auth - it's just documenting those opts in case you do.22:33
*** lifeless_ is now known as lifeless22:34
* efried notices that the sub-fields are a tad sparse on those...22:34
lbragstadcmurphy ok - following your report i was able to get a token22:44
lbragstadi mucked with the mapping a bit - https://pasted.tech/pastes/0811a856155aad9dbf68d03a3d2ed536964e93e3.raw22:44
lbragstadthe https://docs.openstack.org/keystone/latest/admin/configure_tokenless_x509.html#create-a-map bit here didn't work for me initially22:44
*** imacdonn_ has quit IRC22:48
*** imacdonn_ has joined #openstack-keystone22:49
lbragstadmy mapping might not be quite right yet, either... but i think i have enough to confirm the bug22:52
*** efried has quit IRC22:53
*** tkajinam has joined #openstack-keystone22:54
cmurphylbragstad: the SSL_CLIENT_S_DN_O value matches the O value in the client cert, which in the example is 'openstack', so you either need to have the cert use an organization called 'Default' or create a domain called 'openstack', and then also create the idp hash with the same value23:00
*** erus_ has joined #openstack-keystone23:11
*** aojea has quit IRC23:24

Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!