Wednesday, 2019-05-15

00:39 <joshualyle> well, no matter what I do I just get "SvcErr: DSID-03100754, problem 5012 (DIR_ERROR)". It is maybe authenticating, since I get "Unable to retrieve authorized projects.", but I'm still unable to log in. Any ideas?
07:14 <openstackgerrit> Vishakha Agarwal proposed openstack/keystone master: Pep8 environment to run on delta code only  https://review.opendev.org/659225
07:20 <openstackgerrit> Vishakha Agarwal proposed openstack/keystone master: Pep8 environment to run on delta code only  https://review.opendev.org/659225
08:21 <openstackgerrit> wangxiyuan proposed openstack/keystone master: Drop limit columns  https://review.opendev.org/657187
12:14 <openstackgerrit> Jose Castro Leon proposed openstack/keystone master: Adds caching of credentials  https://review.opendev.org/636645
13:18 <redrobot> Hi Keystone friends! I'm trying to get a keystone instance running in podman, and I'm having some trouble getting the fernet tokens created.
13:19 <redrobot> Things seem to work fine, unless I mount a volume to /etc/keystone/fernet-keys
13:19 <redrobot> If I try the fernet_setup with a mounted volume I get a permissions issue. :(
13:19 <lbragstad> what are the permissions of the volume?
13:20 <redrobot> Perms error: http://paste.openstack.org/show/751421/
13:21 <lbragstad> it looks like the user you're running `keystone-manage fernet_setup` as doesn't have permissions to write to that directory
13:21 <redrobot> lbragstad, inside container: http://paste.openstack.org/show/751422/
13:22 <lbragstad> are you running that command directly or as the user running keystone (e.g., apache)?
13:22 <redrobot> lbragstad, I'm running keystone-manage fernet_setup as root.
13:22 <redrobot> well, root inside the container
13:22 <redrobot> which is weird because it only fails when the fernet-keys dir is a volume. If I don't mount anything the keys get generated just fine.
13:24 <lbragstad> hmmm
13:25 <lbragstad> i'm not sure we've had anyone report something like this, but i'm not sure why that wouldn't work
13:26 <redrobot> On a related note, keystone-manage doesn't give any feedback when it fails
13:27 <redrobot> I've had to run 'echo $?' after running keystone-manage every single time.
13:27 <lbragstad> and the logs you pulled came from keystone.log?
13:27 <redrobot> yeah
13:27 <lbragstad> that's not really helpful
13:28 <redrobot> hehe, yeah. It would be awesome if keystone-manage would print something to stderr on failure.
13:29 <lbragstad> would you want to open a bug for the volume issue?
13:40 <openstackgerrit> Lance Bragstad proposed openstack/keystone master: Update the meaning of low-hanging-fruit  https://review.opendev.org/659141
13:46 <redrobot> lbragstad, sure, y'all use launchpad or storyboard?
13:46 <lbragstad> we still use LP
14:21 <knikolla> o/
14:45 <gagehugo> o/
14:56 <cmurphy> o/
15:02 <redrobot> lbragstad, I think I figured out the permissions thing. Seems keystone-manage creates the keys as the keystone user regardless of what user you run the command as
15:03 <redrobot> lbragstad, not sure why the install guide says that it needs to be run as root.
15:07 <cmurphy> joshualyle: did you figure out an answer to your question? i don't know the specific answer to your question but you should be able to play with user_tree_dn, user_filter and user_objectclass in your [ldap] config to get the search right
15:08 <cmurphy> "Unable to retrieve authorized projects" comes from horizon i think so i would try with the cli first
15:55 <ayoung> redrobot, because it does a chown, I believe
15:58 <lbragstad> redrobot huh - we should correct that then?
15:59 <lbragstad> redrobot i know keystone-manage supports parameters to pass in the keystone user and group
16:07 <ayoung> lbragstad, it works correctly
16:08 <ayoung> it uses the keystone user to manage the keys. But the assumption is that keystone-manage is not run as the keystone user
16:08 <ayoung> keystone is the unit user that runs the wsgi app
16:11 <ayoung> Unix
16:19 <joshualyle> cmurphy: I worked on it for a few more hours after posting that. I followed it through the source and set some debug prints and saw that the first call to search_s found my ldap user, but then there was another call that involved the group_tree_dn that messed up the search. It seems that group_tree_dn was set to some LDAP default that didn't match anything in the LDAP server and I had to set group_tree_dn to the same thing as user_tree_dn, and it seems to auth successfully. Now I'm stuck with the message "You are not authorized for any projects or domains." I'm not sure how to set the default role or project to assign an LDAP user to after they have authenticated
16:23 <ayoung> joshualyle, there is none
16:23 <ayoung> defaults are a sql thing
16:24 <joshualyle> there is an ldap setting called user_default_project_id_attribute in the docs that I tried setting to a project_id with no success
16:24 <ayoung> Oh that...hmmm
16:26 <ayoung> do you actually have an attribute in LDAP that you can use to set to a project ID? Usually LDAP is not writable
16:26 <cmurphy> joshualyle: you can use keystone-manage mapping_populate to generate IDs for ldap users in the keystone database and then create direct role assignments with that, or create role assignments for the ldap group
16:27 <ayoung> What she said
16:29 <joshualyle> cmurphy: so keystone has to pull LDAP users into the traditional DB so that they can be assigned a role/project?
16:29 <cmurphy> joshualyle: basically yes, because the role and project only exist in sql
16:32 <joshualyle> cmurphy: interesting. I'll give it a try. So does that mean that any new users created in ldap after the initial mapping_populate run will not be available until after running mapping_populate again?
16:34 <cmurphy> joshualyle: they can log in with an unscoped token which would create an entry for them in the database, but you'd still need to create the role assignment, or if they have a role assignment via a group membership then things should just work
16:40 <joshualyle> cmurphy: thanks for all of your help. I don't want to have to keep bugging you. Are there docs on how to set role by group membership?
16:45 <cmurphy> joshualyle: not sure if we have a good document on it in keystone but the openstack cli covers it https://docs.openstack.org/python-openstackclient/latest/cli/command-objects/role.html
18:15 <ayoung> cmurphy, lbragstad hrybacki   here is my write up on Sync https://adam.younglogic.com/2019/05/sync-keystones-api/
18:17 <joshualyle> cmurphy: well I managed to get a single login working from ldap, so that's progress. Can you explain a little more about how role assignment via group membership works? Is there an implicit group that LDAP members belong to? Or is this a setting in the domain/domain.conf file that sets the group based on an ldap attribute?
18:25 <cmurphy> joshualyle: the group would come from ldap, so if the user is a member of a group in ldap and keystone can find it with group_tree_dn etc then the group would get shadowed in keystone and you could assign roles to it
18:27 <redrobot> Hello again Keystone friends!
18:27 <redrobot> What's the difference between fernet_setup and credential_setup?
18:28 <redrobot> Looking at Step 4 in https://docs.openstack.org/keystone/stein/install/keystone-install-rdo.html#install-and-configure-components
18:28 <redrobot> Mostly I'm wondering if I need another volume in my container in addition to /etc/keystone/fernet-keys ?
18:29 <cmurphy> redrobot: fernet_setup is to set up the symmetric key repository for fernet tokens, credential_setup does the same but for the /v3/credentials API
18:29 <cmurphy> they are in different directories by default
18:29 <redrobot> cmurphy, what's the location of the keys that get generated by credential_setup ?
18:30 <cmurphy> /etc/keystone/credential-keys/
18:30 <redrobot> and do I need to run both if I'm using fernet tokens?
18:31 <cmurphy> not to be able to use fernet tokens, only to use the credentials API (which is not related to tokens even though it sounds like it would be)
18:31 <cmurphy> you only need fernet_setup for tokens to work
18:32 <redrobot> cool, thanks cmurphy! 😁
18:32 <cmurphy> yw
20:34 <openstackgerrit> Gage Hugo proposed openstack/keystonemiddleware master: Remove PKI/PKIZ support  https://review.opendev.org/613675
20:36 <gagehugo> kmalloc: ^ fixed the merge conflict
20:38 <joshualyle> cmurphy: finally got everything working! The big crux of the groups not showing up was that the default group_objectclass did not match our default attribute that defined groups, so it didn't match any groups. After defining that and setting the id, name, and desc attributes to something that made sense in our ldap, as well as making the group_tree_dn an OU closer to the root (so that it encompasses all possible group objects), the groups were recognized and imported correctly with keystone-manage mapping_populate. Thanks for all of your help!
20:40 <cmurphy> joshualyle: great!
20:41 <joshualyle> I'm not sure if our ldap is set up with a bunch of non-standard values, but I ended up having to define nearly every ldap variable in the keystone.conf.
21:12 <dtruong> I have a question on keystoneauth1 loading session. Is there a reason why the names of the cert parameters are different in the load_from_options function (https://github.com/openstack/keystoneauth/blob/master/keystoneauth1/loading/session.py#L51) from the equivalent config options (https://github.com/openstack/keystoneauth/blob/master/keystoneauth1/loading/session.py#L170)?
21:12 <dtruong> E.g. cacert vs cafile
21:14 <dtruong> This becomes a problem in the ironic client when it tries to filter out what to pass into the load_from_options call like this: https://github.com/openstack/python-ironicclient/blob/master/ironicclient/client.py#L99
21:21 <redrobot> lbragstad, https://bugs.launchpad.net/keystone/+bug/1829296
21:21 <openstack> Launchpad bug 1829296 in OpenStack Identity (keystone) "keystone-manage fails silently" [Undecided,New]
21:22 <lbragstad> thanks redrobot

Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!