Tuesday, 2019-01-22

*** ayoung has joined #openstack-keystone		00:44
*** ileixe has joined #openstack-keystone		00:55
*** aojea has joined #openstack-keystone		01:02
*** aojea has quit IRC		01:07
*** markvoelker has quit IRC		01:08
*** markvoelker has joined #openstack-keystone		02:09
*** Dinesh_Bhor has joined #openstack-keystone		02:14
openstackgerrit	Adrian Turjak proposed openstack/keystone master: bump Keystone version for Stein https://review.openstack.org/631369	02:34
openstackgerrit	Adrian Turjak proposed openstack/keystone master: Add documentation for Auth Receipts and MFA https://review.openstack.org/580535	02:36
*** lbragstad_503 has quit IRC		02:38
*** markvoelker has quit IRC		02:43
*** shyamb has joined #openstack-keystone		03:17
*** shyamb has quit IRC		03:28
*** rcernin has quit IRC		03:35
*** shyamb has joined #openstack-keystone		03:36
*** markvoelker has joined #openstack-keystone		03:41
*** Dinesh_Bhor has quit IRC		03:45
*** rcernin has joined #openstack-keystone		03:49
*** lbragstad_503 has joined #openstack-keystone		03:54
*** ChanServ sets mode: +o lbragstad_503		03:54
*** rcernin has quit IRC		03:57
*** rcernin has joined #openstack-keystone		03:58
*** Dinesh_Bhor has joined #openstack-keystone		03:58
*** shyamb has quit IRC		04:03
openstackgerrit	ayoung proposed openstack/keystone master: Alternative Replace UUID with id_generator for Federated users https://review.openstack.org/623117	04:12
openstackgerrit	ayoung proposed openstack/keystone master: Replace UUID with id_generator for Federated users https://review.openstack.org/605169	04:12
*** markvoelker has quit IRC		04:13
openstackgerrit	ayoung proposed openstack/keystone-specs master: Resurrect the unscoped token catalog specification https://review.openstack.org/607346	04:13
openstackgerrit	ayoung proposed openstack/keystone master: Render Version 3 page as XHTML https://review.openstack.org/632213	04:16
*** ileixe has quit IRC		04:34
*** shyamb has joined #openstack-keystone		05:04
*** whoami-rajat has joined #openstack-keystone		05:04
*** shyamb has quit IRC		05:05
*** shyamb has joined #openstack-keystone		05:05
*** ileixe has joined #openstack-keystone		05:08
*** markvoelker has joined #openstack-keystone		05:10
*** tkajinam_ has joined #openstack-keystone		05:16
*** tkajinam has quit IRC		05:18
*** Dinesh_Bhor has quit IRC		05:24
*** tkajinam__ has joined #openstack-keystone		05:25
*** tkajinam_ has quit IRC		05:27
*** Dinesh_Bhor has joined #openstack-keystone		05:30
*** shyamb has quit IRC		05:38
*** markvoelker has quit IRC		05:43
*** lbragstad_503 has quit IRC		05:57
*** vishakha has joined #openstack-keystone		05:58
*** tkajinam_ has joined #openstack-keystone		06:09
*** tkajinam__ has quit IRC		06:12
*** shyamb has joined #openstack-keystone		06:14
*** spsurya has joined #openstack-keystone		06:21
*** markvoelker has joined #openstack-keystone		06:40
*** shyamb has quit IRC		06:51
*** shyamb has joined #openstack-keystone		06:54
*** markvoelker has quit IRC		07:14
*** ileixe has quit IRC		07:30
*** pcaruana has joined #openstack-keystone		07:41
*** shyamb has quit IRC		07:58
*** sapd1_ has quit IRC		08:07
*** markvoelker has joined #openstack-keystone		08:10
*** sapd1_ has joined #openstack-keystone		08:11
*** tkajinam_ has quit IRC		08:12
*** Dinesh_Bhor has quit IRC		08:40
*** shyamb has joined #openstack-keystone		08:40
*** markvoelker has quit IRC		08:43
*** rcernin has quit IRC		08:56
*** xek_ has joined #openstack-keystone		09:00
*** Dinesh_Bhor has joined #openstack-keystone		09:28
*** markvoelker has joined #openstack-keystone		09:40
*** Dinesh_Bhor has quit IRC		09:50
*** shyamb has quit IRC		10:05
*** markvoelker has quit IRC		10:13
*** shyamb has joined #openstack-keystone		10:38
*** shyamb has quit IRC		10:39
*** shyamb has joined #openstack-keystone		10:39
*** jmlowe has quit IRC		10:56
*** markvoelker has joined #openstack-keystone		11:10
*** yan0s has joined #openstack-keystone		11:27
*** mvkr has quit IRC		11:34
*** markvoelker has quit IRC		11:44
*** xek_ has quit IRC		11:54
*** xek_ has joined #openstack-keystone		11:54
*** dave-mccowan has joined #openstack-keystone		11:56
*** rafaelweingartne has joined #openstack-keystone		11:58
*** shyamb has quit IRC		12:00
*** shyamb has joined #openstack-keystone		12:02
*** mvkr has joined #openstack-keystone		12:06
*** shyamb has quit IRC		12:23
*** shyamb has joined #openstack-keystone		12:23
*** gary_perkins has quit IRC		12:24
*** gary_perkins has joined #openstack-keystone		12:26
*** GregWaines has joined #openstack-keystone		12:36
*** rafaelweingartne has quit IRC		12:37
*** gary_perkins has quit IRC		12:38
*** markvoelker has joined #openstack-keystone		12:41
*** gary_perkins has joined #openstack-keystone		12:41
*** gary_perkins has quit IRC		12:44
*** gary_perkins has joined #openstack-keystone		12:46
*** sapd1_ has quit IRC		12:49
*** shyamb has quit IRC		12:50
*** shyamb has joined #openstack-keystone		12:52
*** sapd1_ has joined #openstack-keystone		12:52
*** shyamb has quit IRC		13:03
*** yan0s has quit IRC		13:06
*** shyamb has joined #openstack-keystone		13:06
*** markvoelker has quit IRC		13:09
*** shyamb has quit IRC		13:15
*** shyamb has joined #openstack-keystone		13:15
*** yan0s has joined #openstack-keystone		13:20
*** shyamb has quit IRC		13:26
*** lbragstad_503 has joined #openstack-keystone		13:56
*** ChanServ sets mode: +o lbragstad_503		13:56
*** aojea_ has joined #openstack-keystone		13:59
*** lbragstad_503 is now known as lbragstad		14:03
*** yan0s has quit IRC		14:06
knikolla	o/	14:07
cmurphy	\o	14:18
lbragstad	o/	14:23
lbragstad	brb	14:23
*** lbragstad has quit IRC		14:23
*** lbragstad has joined #openstack-keystone		14:26
*** ChanServ sets mode: +o lbragstad		14:26
knikolla	FYI that I have to stop working at the end of this week, and resume when I get a favorable response from immigration. That will be at least a week, but may be longer.	14:30
cmurphy	:O	14:30
lbragstad	=(	14:32
lbragstad	let us know if there is anything we can do to help	14:32
knikolla	Nothing, really. BU messed up the timeline for filing for a visa, creating a gap.	14:32
knikolla	I’ll let you know in a few weeks if I’ll need references, lol.	14:33
*** awalende has joined #openstack-keystone		14:34
openstackgerrit	ayoung proposed openstack/keystone master: Render Version 3 page as XHTML https://review.openstack.org/632213	14:36
ayoung	knikolla, let me know if you need a job. I'll push	14:37
knikolla	Thanks ayoung, appreciate it. I’ll let you know.	14:39
lbragstad	++ ayoung	14:40
lbragstad	knikolla i know we've shared reading lists in the past, but if you're looking for a new book, i just picked up a copy of https://www.amazon.com/Programmers-Introduction-Mathematics-Dr-Jeremy/dp/1727125452	14:44
*** aojea_ has quit IRC		14:46
*** yan0s has joined #openstack-keystone		14:48
*** aojea_ has joined #openstack-keystone		14:48
lbragstad	i'm just starting it - but it's pretty interesting so far	14:51
*** wxy\| has joined #openstack-keystone		15:00
*** yan0s has quit IRC		15:03
*** aojea_ has quit IRC		15:05
*** yan0s has joined #openstack-keystone		15:15
*** awalende has quit IRC		15:36
*** awalende has joined #openstack-keystone		15:37
*** awalende has quit IRC		15:42
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Implement JWS token provider https://review.openstack.org/614549	15:42
lbragstad	^ passes python3 and python2 tests locally	15:42
lbragstad	should be good to go for reviews	15:42
*** openstackgerrit has quit IRC		15:51
kmalloc	o/	15:52
kmalloc	yay, i have networking at home now	15:53
*** dklyle has joined #openstack-keystone		15:53
gagehugo	o/	15:53
kmalloc	knikolla: damn, let us know if you need anything as well.	15:53
*** yan0s has quit IRC		15:56
ayoung	We meet in here now or in -alt?	15:59
*** openstackgerrit has joined #openstack-keystone		15:59
openstackgerrit	Morgan Fainberg proposed openstack/keystone-specs master: Add note about boilerplate content https://review.openstack.org/625283	15:59
kmalloc	ayoung: should still be -alt unless something changed	16:00
kmalloc	but don't listen to me, i've been on vacation for the last... uh... bunch	16:00
openstackgerrit	ayoung proposed openstack/keystone master: Allow an explicit_domain_id parameter when creating a domain https://review.openstack.org/605235	16:04
*** dims has quit IRC		16:15
*** dims has joined #openstack-keystone		16:20
*** GregWaines has quit IRC		16:28
erus_	o/	16:36
kmalloc	erus_: o/ :)	16:42
*** awalende has joined #openstack-keystone		16:45
erus_	hi kmalloc how are you?	16:45
jaosorior	ayoung, lbragstad, kmalloc: Do I understand right that the preference is to start moving away from having an admin endpoint for keystone entirely?	16:46
ayoung	jaosorior, Keystone meeting going on right now...ask there. #openstack-meeting-alt	16:46
jaosorior	oh	16:46
jaosorior	#openstack-meeting-alt	16:46
jaosorior	ugh	16:46
jaosorior	ayoung: what's the agenda?	16:47
*** awalende has quit IRC		16:47
ayoung	jaosorior, we're talking Stein commitments at the moment	16:47
*** awalende has joined #openstack-keystone		16:47
jaosorior	I guess I gotta wait for the end for "unrelated questions"	16:48
lbragstad	jaosorior sorry - trying to get to open discussion :0	16:56
lbragstad	:)	16:56
jaosorior	lbragstad: it's all good. if someone has the chance to answer that here, I'm happy with that too.	16:56
lbragstad	we do have office hours right after the meeting - so i'll be around for that, too	16:57
jaosorior	alright!	17:00
cmurphy	o/	17:01
kmalloc	jaosorior: yes. there is no reason for two endpoints they are the same now with v3	17:01
*** wxy\| has quit IRC		17:01
ayoung	jaosorior, so...to answer your questions: I think we should move away from having an admin endpoint for keystone, unless we explicitly split up Keystone into multiple microservices	17:01
kmalloc	jaosorior: you might want one that is not externally facing (e.g. if you do traffic shaping) but that is internal vs main.	17:01
kmalloc	an explicit admin endpoint isn't super useful.	17:02
*** pcaruana has quit IRC		17:02
ayoung	right, with all of V3 on one endpoint	17:02
kmalloc	erus_: i am good, trying to get my brain back engaged in openstack.	17:02
jaosorior	right	17:02
lbragstad	jaosorior yeah - so the v3 app is all one endpoint really	17:02
jaosorior	so the default in keystoneclient right now is to use the "admin" interface or endpoint\	17:02
kmalloc	erus_: long vacation with no code/code review was good.	17:02
ayoung	we used to split v2 between "users can dothis" on port 5000 and "admins can do this" on 35357, but it was poorly split	17:02
kmalloc	i need to revisit SDK so we can just ksc.	17:03
jaosorior	if this is the path folks want to take, maybe you/we wanna change that default?	17:03
kmalloc	the mid-term goal is have folks stop using ksc	17:03
ayoung	lbragstad, we want to go 0trust!	17:03
jaosorior	we tried to remove 35357 from tripleo, but that went terribly :)	17:03
kmalloc	jaosorior: you should use 80/443	17:03
lbragstad	^	17:03
ayoung	and register all Keystone endpoints to use the same value.	17:04
jaosorior	kmalloc: it's too late to change to those; it would break folks too much.	17:04
kmalloc	++	17:04
ayoung	jaosorior, not it is not	17:04
kmalloc	no it is not.	17:04
ayoung	jaosorior, we can do anything on a major version upgrade	17:04
ayoung	customers are not going to touch anything between OSP 13 and 16	17:04
ayoung	16 is a BLANK SLATE!	17:05
kmalloc	hehe.	17:05
ayoung	and it happens to be TRAIN!	17:05
kmalloc	fwiw we will be driving (i hope) all documentation and testing to 80/443 clearly	17:05
kmalloc	i can't stop someone from using high ports, i can say it is not recommended under any deployment	17:05
kmalloc	even today	17:05
erus_	oh sweet :D kmalloc, sounds like a great vacations :P	17:06
ayoung	I can. Three magic words	17:06
ayoung	Is. Not. Supported.	17:06
kmalloc	ayoung: this is less red hat and general "I cannot say it wont work" i can say it is not how we test nor how we (upstream) recommend deployment	17:06
ayoung	kmalloc, Yeah, but I know who jaosorior has to make happy. So I can say it.	17:08
* jaosorior is in a meeting. I'll read this in a bit.		17:09
cmurphy	lbragstad: so re athenz i think keystone's external authentication support is a drop-in replacement for what athenz is doing	17:09
cmurphy	iirc what they are doing is using client certificates from athenz and exchanging them for tokens and meanwhile generating users and projects and role assignments with their custom auth plugin	17:10
lbragstad	yeah	17:10
cmurphy	which is exactly what federation and shadow users does	17:10
cmurphy	tokenless is another matter that i thought would help with edge but after talking with gyee i think not exactly	17:12
cmurphy	because with tokenless auth you still need to establish a connection to keystone	17:12
lbragstad	the question james and i had was if they'd be able to use x.509	17:12
cmurphy	yes i tried it with x.509	17:12
cmurphy	it works just fine	17:12
lbragstad	wow - nice work cmurphy	17:13
lbragstad	and that is separate from things i broke with https://review.openstack.org/#/c/605539/ ?	17:13
ayoung	So...right. We either need to push keystone to the edge itself, or make it possible to remotely validate stuff	17:14
cmurphy	lbragstad: yeah that's separate	17:14
lbragstad	cc ildikov - since i think she's going to be interested in this	17:14
cmurphy	as long as they are fine with using the cert to get a token then that still works	17:14
cmurphy	and aiui that's what they're doing	17:15
ildikov	lbragstad: thanks!	17:15
ildikov	on a series of meetings, but will check it out as I can	17:15
lbragstad	i remember james saying that Athenz was planning on deprecating their token formats	17:15
lbragstad	which would break the keystone plugins they open-sourced	17:15
ayoung	so...lets talk remotely validating	17:20
lbragstad	cmurphy so - it sounds like we don't need a spec for the athenz related stuff?	17:20
ayoung	say we do JWT or something like SAML, where all the data is in the assertion itseld. Not SAML from the IDP, a Keystone Specific SAML	17:20
ayoung	send that to nova, it could validate in process, just like PKI tokens were way back when.	17:21
cmurphy	ayoung: how would revocation work?	17:23
ayoung	cmurphy, never revoke. Short time outs only	17:24
ayoung	Edge validates when it can, and continuies to function in the absence of access to the center	17:24
cmurphy	generally sounds good to me	17:27
ayoung	cmurphy, how long would you think a token would need to last in order to A) process all its work and B) not be considered a security risk? 4 hours?	17:27
ayoung	Kerberos is generally 8, but is usually backed by LDAP. SAML, thou, is roughly the same	17:28
kmalloc	++	17:29
kmalloc	we should not do revocations if we can avoid it	17:29
cmurphy	my first thought is 4 hours seems long but if 4 or 8 is standard in other tech then i guess that makes sense	17:29
kmalloc	4 or 8 should be fine.	17:29
kmalloc	and this is something that i don't mind being configurable	17:30
kmalloc	as krb is.	17:30
lbragstad	our default token expiration right now is 1 hour	17:30
ayoung	It could be on a per edge-site basis	17:30
ayoung	i.e. You need to go back to the center and get a different token for a different edge site	17:31
kmalloc	right.	17:32
jaosorior	ok, back	17:32
jaosorior	so, the official keystone team recomendation is to move towards ports 80/443	17:33
jaosorior	did I understand that correctly?	17:33
jaosorior	and to ditch the admin endpoint, in favor of just using an internal one (for the internal network)	17:33
ayoung	jaosorior, everything needs access to Keystone. All of Keystone is now on one endpoint	17:36
ayoung	internal, admin, external, these things matter not	17:37
ayoung	all is v3	17:37
jaosorior	fair enough	17:37
cmurphy	iirc the docs all refer to 5000 because at the time it was simplest to just drop 35357 and not try to explain how to set up keystone on a /identity endpoint such that it wouldn't conflict with eg horizon	17:38
*** awalende has quit IRC		17:39
lbragstad	++	17:39
*** awalende has joined #openstack-keystone		17:39
*** aojea has joined #openstack-keystone		17:41
ayoung	kmalloc, so...look at what I did...	17:43
ayoung	https://review.openstack.org/#/c/632213/	17:43
*** aojea has quit IRC		17:44
*** awalende has quit IRC		17:44
kmalloc	looking	17:44
ayoung	kmalloc, its just a POC, showing that Flask is very nice to work with	17:44
kmalloc	cmurphy: yeah we need to fix that. train target imo	17:44
*** aojea has joined #openstack-keystone		17:44
kmalloc	ayoung: yep. isn't that pretty easy now? :)	17:46
ayoung	kmalloc, yeah. I started with render-template, but realize that most of what I wanted to do was hand rendered html, was easier to just pull my old code forward	17:47
openstackgerrit	Juan Antonio Osorio Robles proposed openstack/python-keystoneclient master: Make default interface 'internal' instead of 'admin' https://review.openstack.org/632520	17:47
ayoung	kmalloc, here was the old review https://review.openstack.org/#/c/29105/	17:49
ayoung	I think I need to get Basic-Auth working with the Keystone password backend in order to continue that work.	17:50
kmalloc	++	17:54
ayoung	kmalloc, so, should /v3 had links to /v3/users /v3/projects etc by default, or only after a user authetnictates?	17:55
ayoung	and... /auth should not be under /v3. should it	17:55
kmalloc	auth should move.	17:56
kmalloc	that is on a long list	17:56
kmalloc	iirc it shoudl have links to /v3/users and projects	17:57
kmalloc	but the users/projects links should require auth to reach	17:57
kmalloc	if that makes sense	17:57
kmalloc	e.g. redirect to login when clicked.	17:57
ayoung	yeah, but I'm thinking web flow here...say someone starts at https://keystone. Right now, automatic redirect to /v3	17:58
ayoung	do we make them click on /auth at that point?	17:58
ayoung	also, what about Federation?	17:58
ayoung	We don't provide an enumeration of the Federated IdPs right now, but people shouild be able to log in via SAML et alles	17:59
kmalloc	so this is part of the larger web-rendering bits	17:59
kmalloc	and well-known endpoints/moving auth to /auth vrom /v3/auth	17:59
ayoung	so, if we assumed away to enumeration limitation, a user could go from /v3/ to /v3/federation/idps	17:59
kmalloc	ideally the rendering should just lean on the API and be something react-ish	18:00
ayoung	/v3/federation/idps/myidp/protocol/saml	18:00
ayoung	even if the flow is automated, tho, the logic remains the same	18:00
kmalloc	but it probably would be /auth/.... not /v3/federation for enumeration	18:00
kmalloc	but yes	18:00
ayoung	lets not reactify it first pass	18:00
ayoung	right	18:01
ayoung	so /auth	18:01
ayoung	so /auth/idps?	18:01
ayoung	And treat keystone as just another IdP?	18:01
kmalloc	so, we can put in an HTML renderer, but my hope is we're not just rendering things internal to keystone	18:01
kmalloc	it's ok if it's static	18:01
*** pcaruana has joined #openstack-keystone		18:01
kmalloc	yes keystone's internal auth is just another idp in my view of the way it should work	18:01
ayoung	my thought was that, once we get the HTML rendering to work, we allow a parameter in conf that can inject a style sheet	18:01
kmalloc	i want to be VERY careful about coding html rendering into keystone.	18:02
ayoung	A list of links in a big table can always be managed via javascript to be a a dropdown or something	18:02
kmalloc	just so we don't get locked into something.	18:02
kmalloc	like i said, i really would like for the UI to be purely based around the api (if at all possible)	18:03
ayoung	Pure HTML in Keystone. All Javascript is external. HTML has 1 to 1 mapping with JSON	18:03
kmalloc	this is where a lead to some redesigned api, v3 may not in-fact work for this.	18:03
kmalloc	i can roadmap out the vision i had again after breakfast	18:03
kmalloc	if it will help	18:03
ayoung	does that mean that the vision was inspired by breakfast, or that you need breakfast before you can roadmap?	18:04
kmalloc	need breakfast first	18:04
kmalloc	the roadmap right now would be inspired by breakfast	18:04
kmalloc	because i need food	18:04
kmalloc	so it would look a lot like bagels, or coffee and eggs.	18:04
ayoung	++	18:04
kmalloc	:)	18:04
kmalloc	"this here is the creamcheese aPI, you use the knife to spread it on the toast... how does that relate to identity? IT JUST DOES OK!? ;)"	18:05
kmalloc	^_^	18:05
kmalloc	i'll be back in about an hour	18:05
kmalloc	i think	18:05
kmalloc	we can bluejeans (oh uh... maybe i need to get a USB cable)	18:06
kmalloc	anyway... back in a bit and we can go over the stuff	18:06
*** pcaruana has quit IRC		18:23
*** erus_ has quit IRC		18:44
*** aojea has quit IRC		18:46
*** aojea has joined #openstack-keystone		18:56
lbragstad	cmurphy were you saying our docs for settings up certificate authentication need work?	18:58
cmurphy	lbragstad: yes	18:59
lbragstad	do we have a bug open for that yet? i'm looking at untriaged bugs	18:59
cmurphy	no i haven't opened one	19:00
lbragstad	just checking	19:00
*** erus_ has joined #openstack-keystone		19:01
*** ianw_pto is now known as ianw		19:02
*** aojea has quit IRC		19:07
*** aojea has joined #openstack-keystone		19:08
kmalloc	ayoung: back	19:25
kmalloc	lbragstad: https://review.openstack.org/#/c/625283/ super easy change	19:25
kmalloc	lbragstad: just fgor future specs to discourage leaving boilerplate content in	19:25
kmalloc	lbragstad: starting to look over code	19:26
kmalloc	lbragstad: anywhere specific i should start or just hit the patchsets highlighted earlier?	19:26
ayoung	kmalloc, so...before we get started, Ansible question: I have ~/.config/openstac/clouds.yaml and I can do openstack --os-cloud fsi-moc token issue	19:27
ayoung	but having trouble getting that to show in a playbook	19:27
*** aojea has quit IRC		19:27
ayoung	is there some way to force what clouds.yaml file to use for ansible?	19:27
*** takamatsu has quit IRC		19:27
kmalloc	i ... i don't know	19:27
kmalloc	there should be an invocation for it	19:28
openstackgerrit	Merged openstack/oslo.policy master: Add ability for policy-checker to read configuration https://review.openstack.org/616659	19:28
ayoung	ansible-playbook -e cloudname=fsi-moc -e ~/.config/openstack/clouds.yaml ~/devel/rippowam/playbooks/openstack-provision.yml	19:28
ayoung	oh wait	19:28
ayoung	nope adding @ did not help	19:28
kmalloc	hmm	19:29
ayoung	Fedora 29, so pretty recent code	19:29
ayoung	docs say it should fiond things in ~/.config/openstack/clouds.yaml	19:30
ayoung	no sudo in this	19:30
kmalloc	https://www.irccloud.com/pastebin/niOVx1ea/	19:30
kmalloc	ayoung: ^ that seems to be a way to get it to work, os_client_config directive in your yaml?	19:30
kmalloc	maybe	19:32
ayoung	TASK [Get list of clouds from OpenStack client config] ************************************************************************************************************************************************************	19:32
ayoung	fatal: [localhost]: FAILED! => {"changed": false, "msg": "os-client-config is required for this module"}	19:32
ayoung	maybe that	19:32
kmalloc	ah	19:32
kmalloc	yeah that would be an issue ;)	19:32
ayoung	python2 vs 3	19:33
ayoung	openstack excecutable is using 2	19:33
ayoung	nope, same problem, tho	19:33
kmalloc	hm	19:34
kmalloc	and you're running locally, right?	19:34
kmalloc	because clouds.yaml is searched on remote machines (by design)	19:35
kmalloc	and not local.	19:35
kmalloc	https://github.com/ansible/ansible/issues/40056	19:35
ayoung	kmalloc, so you need to remove somethig from your example	19:35
kmalloc	this was sourced very quickly from that bug	19:35
ayoung	setting clouds: fsi-moc overwrites the variable	19:35
ayoung	without that, yeah, I can list	19:35
ayoung	it seems to be getting config info from somehwere else...	19:36
kmalloc	weird.	19:36
*** efried has joined #openstack-keystone		19:36
efried	Howdy keystoners. Basic question (hopefully):	19:37
efried	'password', 'v2password', 'v3password' <== are these authentication mechanisms?	19:37
ayoung	kmalloc, got it	19:38
ayoung	there was a clouds.yaml file in mny playbooks directory	19:38
ayoung	efried, yes	19:39
efried	Thanks ayoung. Who's it up to to decide which of these should be supported? The thing requesting authentication? The service into which the authentication is being done? Or keystone(auth) itself?	19:39
ayoung	Me	19:39
ayoung	heh	19:40
efried	hah, perfect, then please tell me o ayoung, which should be supported when nova wants to talk to a (brand new) cyborg API	19:40
ayoung	ok, so these are the mechs that keystone itself supports in order to get a token	19:40
kmalloc	ayoung: haha yeah that'd do it.	19:40
ayoung	where are you seeing these values? That determines the rest of the answer	19:40
kmalloc	efried: so keystoneauth loads the plugins, as long as a plugin conforms to our interface and is an entry point it can be used	19:41
kmalloc	efried: it is up to the keystone being communicated with to determine if it supports the auth type.	19:41
kmalloc	so it is both sides.	19:41
efried	Until this point, nova has never talked to cyborg. And the cyborg API we want to talk to hasn't yet been written. I'm trying to come up with the conf setup I need to define in nova to talk to this cyborg API.	19:42
kmalloc	the plugin must exist in the local system (where keystoneauth is)	19:42
efried	So what I'm wondering is: is there any reason for me to support v1 and v2, or can I just limit it to v3?	19:42
ayoung	efried, just v3	19:42
kmalloc	just limit to v3 imo	19:42
kmalloc	pretend for new stuff that v1/v2 doesn't exist (keystone wise)	19:42
kmalloc	also "password" is a bounce point for v2/v3	19:42
ayoung	v1 was gone by the time I joined the project 9 years ago. V2 is still supported, slightly, for auth only, but does not know about domains	19:43
kmalloc	"password" isn't a v1.	19:43
efried	and then will the cyborg side have to do something special to limit as well, or is this side the only thing I need to do?	19:43
efried	"password is a bounce point..." -- so do I need to say	19:44
efried	ks_loading.get_auth_common_conf_options() +	19:44
efried	ks_loading.get_auth_plugin_conf_options('v3password') +	19:44
efried	or will	19:44
efried	ks_loading.get_auth_common_conf_options() +	19:44
efried	ks_loading.get_auth_plugin_conf_options('password') +	19:44
efried	do the trick?	19:44
efried	...where ks_loading is	19:45
efried	from keystoneauth1 import loading as ks_loading	19:45
ayoung	what is cyborg	19:49
kmalloc	the 'password' one should work	19:50
*** pcaruana has joined #openstack-keystone		19:50
lbragstad	ayoung it's an openstack project	19:51
ayoung	so its like Ironic? Something that split out of Nova?	19:51
lbragstad	i believe it's for hardware accelerators	19:52
ayoung	That is what the site says, yes. I'm trying to understand where it fits in so I can give efried a better answer	19:52
*** whoami-rajat has quit IRC		19:52
ayoung	efried, what is the workflow like? Does it get a token from Nova?	19:55
efried	ayoung, lbragstad, kmalloc: Yeah, cyborg is (going to be) a service a lot like cinder, in the sense that it provides a thing (accelerators where cinder provides volumes) and nova has to talk to its API to like configure the thing.	19:56
efried	or yeah like Ironic.	19:56
efried	or neutron, or placement	19:57
efried	workflow-wise, it might be like, "Hey placement, allocate me an accelerator resource," then, "Hey cyborg, here's the UUID of an accelerator provider, go flash it with a gzip bitstream."	19:58
efried	or, "Hey cyborg, tell me what accelerators you know about," analogous to, "Hey glance, tell me what images you know about."	19:59
*** pcaruana has quit IRC		20:11
*** pcaruana has joined #openstack-keystone		20:24
*** dims has quit IRC		20:40
*** dims has joined #openstack-keystone		20:42
*** dave-mccowan has quit IRC		20:48
*** dims has quit IRC		20:50
*** dave-mccowan has joined #openstack-keystone		20:51
*** dims has joined #openstack-keystone		20:52
lbragstad	cmurphy ok - getting caught up on a couple things here	20:57
lbragstad	cmurphy if i'm understanding the report in https://bugs.launchpad.net/keystone/+bug/1811605 correctly, once that is fixed oauth can essentially use that same flow for authentication with certificates issued from Athenz	20:58
openstack	Launchpad bug 1811605 in OpenStack Identity (keystone) "Tokenless authentication is broken" [Undecided,New]	20:58
* lbragstad is standing up a devstack now to do some testing		20:58
cmurphy	lbragstad: no, they can do that already even with that bug	20:58
*** xek_ has quit IRC		20:59
cmurphy	that bug is about tokenless auth not x509 auth	20:59
lbragstad	ok - so i'm getting my wires cross tehn	21:00
lbragstad	then*	21:00
lbragstad	in that example it's using an x509 certificate to get a token	21:02
lbragstad	and that shows the flow that oath needs (and works today)	21:03
lbragstad	it's specifically the last step that fails	21:03
cmurphy	right, it's trying to do a keystone request using --cert instead of -H x-auth-token , that's what's expected to work and doesn't	21:05
cmurphy	the getting a token is fine	21:05
lbragstad	cool - i think i'm on the same page now	21:06
lbragstad	you put together those steps to recreate, right?	21:07
lbragstad	or did you find that in a guide somewhere?	21:07
cmurphy	i cobbled it together from the external auth guide and the tokenless auth guide	21:08
cmurphy	some of what's in the tokenless guide should get moved over to external auth	21:08
lbragstad	i wonder if we could find a seam for this in the new federated guide	21:08
*** pcaruana has quit IRC		21:19
*** efried has quit IRC		21:30
*** efried has joined #openstack-keystone		21:30
openstackgerrit	Gage Hugo proposed openstack/keystone master: [WIP] Add functional testing gate https://review.openstack.org/531014	21:31
*** dklyle has quit IRC		21:39
*** mchlumsky has quit IRC		21:42
*** aojea has joined #openstack-keystone		21:46
*** erus_ has quit IRC		21:52
*** imus has quit IRC		21:52
openstackgerrit	Sergey Vilgelm proposed openstack/keystone master: Fix list projects for user https://review.openstack.org/632565	21:59
*** rcernin has joined #openstack-keystone		22:10
efried	ayoung, lbragstad, kmalloc: Thing we were talking about earlier FYI: https://review.openstack.org/631242	22:17
*** rcernin has quit IRC		22:17
ayoung	kmalloc, shouldn't there be some better way than specifying password explicitly/	22:18
* ayoung misses jamielennox at these points		22:18
ayoung	efried, I think what you did there is right	22:18
ayoung	I hate that we tie ourselves tighter to passwords with each one of these	22:19
efried	ayoung: fwiw, all the other conf setups do it like this (though most of them specify all three - 'password', 'v2password', 'v3password')	22:19
*** rcernin has joined #openstack-keystone		22:19
efried	can provide examples on request	22:19
efried	or just cuz:	22:21
efried	https://github.com/openstack/nova/blob/master/nova/conf/neutron.py#L183-L185	22:21
efried	https://github.com/openstack/nova/blob/master/nova/conf/cinder.py#L117-L119	22:21
efried	https://github.com/openstack/nova/blob/master/nova/conf/ironic.py#L101	22:21
efried	https://github.com/openstack/nova/blob/master/nova/conf/placement.py#L96-L98	22:21
ayoung	efried, yeah, this is config file stuff so nova can talk to another service. Way back when we had gyee working on tokenless auth for these kindsof things, but we've seem to have let that lapsed	22:22
efried	I don't want to solve the world here, just do a thing that'll work and be roughly in parity with how we do it for other things.	22:23
efried	Solving the world I can do later.	22:23
kmalloc	ayoung: it should be configurable like KSM is	22:24
kmalloc	specify the plugin in the config	22:24
kmalloc	not hard-code password	22:25
ayoung	Yeah, but don't they need the password config options in their config?	22:25
efried	kmalloc: I think it's set up that way for the actual config. This (list_opts) is for the config doc generator.	22:25
efried	The actual registration of opts happens with	22:26
efried	ks_loading.register_auth_conf_options(conf, group)	22:26
kmalloc	efried: ++ yeah	22:26
kmalloc	ayoung: you'll pull in the plugin when using loading/session	22:27
kmalloc	ayoung: so they can use any plugin that is available	22:27
kmalloc	or should be able to*	22:27
ayoung	so...	22:27
kmalloc	efried: make sure that with testing you test more than just password (loading wise)	22:27
efried	so I guess what would make this smoother is something in ksa that I can call from list_opts that pulls the defs of all the available plugin-y things.	22:27
ayoung	https://review.openstack.org/#/c/631242/3/nova/conf/cyborg.py can he drop the password opts being in there explicitly?	22:27
kmalloc	he should not explicitly set password imo	22:28
efried	kmalloc: Fortunately for me, that part is all in util methods that are common to all the other services and tested elsewhere.	22:28
kmalloc	efried: right i just meant check to make sure it's not explicitly only using password :)	22:29
efried	Again, the code that's mentioning 'password' explicitly is only used for conf doc generator, not for actually registering the options.	22:29
kmalloc	when you test the code.	22:29
kmalloc	hm.	22:29
kmalloc	i wouldn't supply a plugin there	22:29
kmalloc	if possible... mostly so folks don't go "oh password only"	22:29
efried	this may help:	22:29
efried	https://github.com/openstack/nova/blob/master/nova/conf/utils.py#L81	22:29
kmalloc	but if a plugin is needed for the doc generation password is fine	22:30
efried	kmalloc: I think the "common auth options" part might get the rest. Not sure.	22:30
efried	easy enough to see how this looks in the conf doc...	22:30
kmalloc	yeah	22:32
efried	if you look at the placement section, after the first two or three opts, that's where the stuff pulled from ksa starts, right?	22:32
efried	https://docs.openstack.org/nova/latest/configuration/config.html#placement	22:32
efried	I suspect all that chunk of list_opts is doing is populating the fields starting around	22:33
efried	https://docs.openstack.org/nova/latest/configuration/config.html#placement.username	22:33
efried	which seems reasonable enough; it's not like it's pushing you to use password auth - it's just documenting those opts in case you do.	22:33
*** lifeless_ is now known as lifeless		22:34
* efried notices that the sub-fields are a tad sparse on those...		22:34
lbragstad	cmurphy ok - following your report i was able to get a token	22:44
lbragstad	i mucked with the mapping a bit - https://pasted.tech/pastes/0811a856155aad9dbf68d03a3d2ed536964e93e3.raw	22:44
lbragstad	the https://docs.openstack.org/keystone/latest/admin/configure_tokenless_x509.html#create-a-map bit here didn't work for me initially	22:44
*** imacdonn_ has quit IRC		22:48
*** imacdonn_ has joined #openstack-keystone		22:49
lbragstad	my mapping might not be quite right yet, either... but i think i have enough to confirm the bug	22:52
*** efried has quit IRC		22:53
*** tkajinam has joined #openstack-keystone		22:54
cmurphy	lbragstad: the SSL_CLIENT_S_DN_O value matches the O value in the client cert, which in the example is 'openstack', so you either need to have the cert use an organization called 'Default' or create a domain called 'openstack', and then also create the idp hash with the same value	23:00
lbragstad	aha	23:06
*** erus_ has joined #openstack-keystone		23:11
*** aojea has quit IRC		23:24

Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!