Friday, 2019-07-26

00:00 *** xek__ has joined #openstack-keystone
00:01 <openstackgerrit> guang-yee proposed openstack/keystone master: discourage using X.509 with external auth  https://review.opendev.org/669959
00:02 *** xek_ has quit IRC
00:03 *** jamesmcarthur has joined #openstack-keystone
00:06 *** jamesmcarthur has quit IRC
00:06 *** jamesmcarthur has joined #openstack-keystone
00:19 *** gyee has quit IRC
01:10 *** raildo has quit IRC
01:30 *** jamesmcarthur has quit IRC
02:26 *** whoami-rajat has joined #openstack-keystone
02:59 *** jamesmcarthur has joined #openstack-keystone
04:20 *** joshualyle has joined #openstack-keystone
04:26 *** viks___ has joined #openstack-keystone
04:32 *** jamesmcarthur has quit IRC
05:21 *** jaosorior has joined #openstack-keystone
05:27 *** etp has joined #openstack-keystone
05:45 *** jamesmcarthur has joined #openstack-keystone
06:08 *** rcernin has quit IRC
06:33 *** jamesmcarthur has quit IRC
07:02 *** etp has quit IRC
07:03 *** tesseract has joined #openstack-keystone
07:19 *** awalende has joined #openstack-keystone
07:44 *** pcaruana has joined #openstack-keystone
08:37 *** ivve has joined #openstack-keystone
09:04 *** dancn has joined #openstack-keystone
09:23 *** joshualyle has quit IRC
09:39 <openstackgerrit> Dmitry Tantsur proposed openstack/keystoneauth master: Allow requesting fixed retry delay instead of exponential  https://review.opendev.org/672930
10:32 <openstackgerrit> Andreas Jaeger proposed openstack/keystone master: doc: Fix broken links  https://review.opendev.org/672947
10:36 *** brtknr has quit IRC
10:37 *** brtknr has joined #openstack-keystone
11:02 *** brtknr has quit IRC
11:02 *** brtknr has joined #openstack-keystone
11:02 *** brtknr has quit IRC
11:03 *** brtknr has joined #openstack-keystone
11:06 *** brtknr has quit IRC
11:10 *** brtknr has joined #openstack-keystone
11:11 *** kplant has joined #openstack-keystone
11:15 *** jaosorior has quit IRC
11:16 *** mvkr has joined #openstack-keystone
11:53 *** irclogbot_3 has quit IRC
11:54 *** irclogbot_0 has joined #openstack-keystone
11:57 <openstackgerrit> Chason Chan proposed openstack/keystone master: Deprecate keystone.conf.memcache socket_timeout  https://review.opendev.org/672629
12:13 *** raildo has joined #openstack-keystone
12:31 *** awalende has quit IRC
12:34 *** waverider has joined #openstack-keystone
12:59 <kplant> cmurphy: i may have found the problem from yesterday "User has disabled cookies, or has lost the cookie before returning from the SAML2 login server." <-- that's coming from apache running keystone
13:00 <kplant> that may explain the 400 coming back from keycloak to keystone
13:01 *** xek__ has quit IRC
13:01 *** brtknr has quit IRC
13:02 *** xek__ has joined #openstack-keystone
13:03 *** brtknr has joined #openstack-keystone
13:05 *** brtknr has quit IRC
13:05 *** brtknr has joined #openstack-keystone
13:05 *** brtknr has quit IRC
13:06 *** brtknr has joined #openstack-keystone
13:06 *** brtknr has quit IRC
13:06 *** brtknr has joined #openstack-keystone
13:24 *** jawad_axd has joined #openstack-keystone
13:26 *** mchlumsky has joined #openstack-keystone
13:28 *** stingrayza_ has joined #openstack-keystone
13:28 *** stingrayza has quit IRC
13:31 <openstackgerrit> Andreas Jaeger proposed openstack/keystone master: Remove broken api-ref link  https://review.opendev.org/672979
13:37 *** jawad_axd has quit IRC
13:39 *** waverider has quit IRC
13:46 *** xek__ has quit IRC
13:47 *** xek__ has joined #openstack-keystone
13:58 *** FlorianFa has quit IRC
13:59 *** mchlumsky_ has joined #openstack-keystone
14:00 *** mchlumsky has quit IRC
14:13 <kplant> also fwiw i have the same exact behavior with samltest.id as the idp
14:17 *** jmlowe has quit IRC
14:26 *** bnemec is now known as beekneemech
14:28 *** xek__ has quit IRC
14:29 *** xek__ has joined #openstack-keystone
14:29 *** jmlowe has joined #openstack-keystone
14:43 *** jamesmcarthur has joined #openstack-keystone
14:45 <gagehugo> o/
14:47 *** dancn has quit IRC
14:51 <gagehugo> cmurphy: Do you know if the info in the federation section of the security guide is still relevant? https://docs.openstack.org/security-guide/identity/federated-keystone.html#future
14:51 *** openstackgerrit has quit IRC
15:07 *** jmlowe has quit IRC
15:11 <cmurphy> gagehugo: the security guide is wildly out of date, i tried to bring it up as a bug report a long time ago and was shot down
15:12 <cmurphy> gagehugo: i wish the security team wouldn't maintain its own copy of the keystone docs
15:13 <cmurphy> kplant: is that because you disabled cookies? or something else is wrong?
15:13 <gagehugo> cmurphy: we have someone in the security sig who is working on updating the guide, we could simply link to the keystone docs and get rid of that page entirely
15:13 <kplant> hah. i wish it were that simple. my browser allows cookies and i even tried a few others as well
15:13 <cmurphy> gagehugo: that would be fantastic
15:16 *** Ben78 has joined #openstack-keystone
15:17 *** jamesmcarthur has quit IRC
15:21 *** jamesmcarthur has joined #openstack-keystone
15:25 *** cmurphy is now known as cmorpheus
15:29 *** jmlowe has joined #openstack-keystone
15:51 *** xek__ has quit IRC
15:51 *** xek__ has joined #openstack-keystone
15:52 *** joshualyle has joined #openstack-keystone
15:57 *** joshualyle has quit IRC
15:59 *** gyee has joined #openstack-keystone
16:15 *** jamesmcarthur has quit IRC
16:16 *** jamesmcarthur has joined #openstack-keystone
16:21 *** jamesmcarthur has quit IRC
16:22 *** vishwanathj has quit IRC
16:24 *** AJaeger has joined #openstack-keystone
16:24 *** vishwanathj has joined #openstack-keystone
16:25 <AJaeger> I've noticed a couple of broken links in the keystone docs when building our site index - and those come from broken usage of RST in a few cases. Fixed by https://review.opendev.org/672947 (broken RST) and a tiny one at https://review.opendev.org/672979 .
16:30 <cmorpheus> thanks AJaeger
16:31 *** jamesmcarthur has joined #openstack-keystone
16:33 <AJaeger> you're welcome, cmorpheus
16:36 *** jamesmcarthur has quit IRC
16:36 *** jamesmcarthur has joined #openstack-keystone
16:44 *** vishwanathj has quit IRC
16:46 *** vishwanathj has joined #openstack-keystone
16:46 *** AJaeger has left #openstack-keystone
16:55 *** joshualyle has joined #openstack-keystone
16:55 *** joshualyle has quit IRC
17:00 *** vishwanathj has quit IRC
17:08 *** jamesmcarthur has quit IRC
17:09 *** vishwanathj has joined #openstack-keystone
17:28 *** Ben78 has quit IRC
17:28 *** vishwanathj has quit IRC
17:33 <mnaser> o/ i asked this a little bit earlier but it was late so i will try again: is it possible to run keystonemiddleware without admin credentials?
17:33 <mnaser> i.e. using the token provided to go to keystone and look it up there?
17:54 *** tesseract has quit IRC
17:56 *** chason has quit IRC
17:57 *** Ben78 has joined #openstack-keystone
18:02 <gyee> mnaser, I don't think so. But it doesn't have to be admin cred, just any cred that has user token validation permission.
18:02 *** openstackgerrit has joined #openstack-keystone
18:02 <openstackgerrit> Merged openstack/keystone master: doc: Fix broken links  https://review.opendev.org/672947
18:02 <openstackgerrit> Merged openstack/keystone master: Remove broken api-ref link  https://review.opendev.org/672979
18:09 *** joshualyle has joined #openstack-keystone
18:11 *** cwright has quit IRC
18:12 *** joshualyle has quit IRC
18:23 <cmorpheus> mnaser: you can use any auth method supported by keystoneauth
18:24 <cmorpheus> mnaser: can you explain a little more what you're trying to do?
18:24 <mnaser> cmorpheus: in this case, writing a service that authenticates against keystone (but without necessarily being the deployer/owner of said cloud)
18:28 <kmalloc> cmorpheus: ^ we just talked about pretty much that scenario
18:28 <kmalloc> :)
18:29 <cmorpheus> kmalloc: lol
18:29 <cmorpheus> mnaser: yeah i don't think ksm is equipped to handle something like that, it relies pretty strongly on having a service user do things on behalf of the user
18:30 <mnaser> aha, aww, alright
18:41 <openstackgerrit> Merged openstack/keystone master: Remove [signing] config  https://review.opendev.org/659434
18:43 *** jmlowe has quit IRC
18:58 <kplant> cmorpheus: sorry to keep singling you out but... do you have any other recommendations? i tried a samltrace and everything looks kosher there as well
19:03 <cmorpheus> kplant: okay let's backtrack
19:03 <cmorpheus> https://docs.openstack.org/keystone/latest/admin/federation/introduction.html#websso-with-keystone-and-horizon
19:03 <cmorpheus> it's failing at the part after you've auth'd with the idp and it's trying to POST to a mellon endpoint?
19:04 <kplant> correct
19:05 *** vishalmanchanda has quit IRC
19:05 <cmorpheus> but you see a log in keystone saying "expected content-type application/json" at that moment?
19:06 <kplant> no that was when i initially was using /v3/mellon as the mellon endpoint
19:06 <kplant> i changed it to: /v3/OS-FEDERATION/identity_providers/keycloak/protocols/saml2/auth/mellon
19:06 <kplant> now the response is: a 400, bad request
19:06 <kplant> the only thing i can pick out from the logs is from apache: "User has disabled cookies, or has lost the cookie before returning from the SAML2 login server."
19:07 <kplant> that happens when my browser is trying to post to the mellon postResponse endpoint
19:07 <cmorpheus> can you tell what the path is that it's trying to use now for the postResponse endpoint?
19:07 <kplant> sure
19:08 <kplant> the full path is: http://sp.keystone.example.org:5000/v3/OS-FEDERATION/identity_providers/keycloak/protocols/saml2/auth/mellon/postResponse
19:08 <cmorpheus> isn't that the same path it was using when you were getting the "expected content-type" problem?
19:09 <kplant> yeah, so the mellon script generated that endpoint in the metadata
19:09 <kplant> so i changed MellonEndpointPath to match it
19:10 <kplant> if i change MellonEndpointPath back to "/v3/mellon" i just get an endless loop now. not even the content-type issue
19:10 <cmorpheus> that's weird
19:11 <cmorpheus> does the 400 error come from keystone or from mellon?
19:11 <cmorpheus> can you show your whole apache config for this vhost?
19:11 <cmorpheus> knikolla: if you're around and have ideas ^
19:12 <knikolla> cmorpheus: i'm around (and in need of a break from studying japanese) let me read the convo
19:14 <knikolla> logs would be helpful
19:18 <kplant> sorry i had to step away for a moment
19:18 <kplant> sure i can share my config
19:18 <kplant> http://paste.openstack.org/show/754903/
19:19 *** jmlowe has joined #openstack-keystone
19:19 <kplant> cmorpheus: i assume the 400 comes from mellon as it's produced by apache and the event is never recorded in any keystone log
19:19 <kplant> but i could be wrong
19:20 <cmorpheus> kplant: can you share the logs?
19:21 <kplant> sure. what are you looking for exactly? all i can see is "2019-07-26 18:59:36.021713 User has disabled cookies, or has lost the cookie before returning from the SAML2 login server."
19:21 <knikolla> the more the merrier
19:21 <cmorpheus> kplant: the 400 error
19:22 <kplant> http://paste.openstack.org/show/754904/
19:22 <kplant> started the tail, tried to auth, stopped the tail
19:22 <kplant> let me know if you need more from any specific files
19:24 <knikolla> NotOnOrAfter in SubjectConfirmationData was in the past.
19:24 <knikolla> have you checked that they are on the same timezone?
19:25 <kplant> keycloak is in utc, keystone is in utc, client is in edt
19:31 <kplant> http://paste.openstack.org/show/754906/ <-- that's the horizon config as well, the websso statements
19:40 *** brtknr has quit IRC
19:40 *** brtknr has joined #openstack-keystone
19:44 <cmorpheus> knikolla: that log was from a few minutes before so i'm guessing not relevant
19:48 <kplant> mellon is at least somewhat working as metadata is served when i curl /v3/OS-FEDERATION/identity_providers/keycloak/protocols/saml2/auth/mellon/metadata
19:51 <cmorpheus> kplant: can you paste the metadata?
19:52 <cmorpheus> only thing i can find about that error is in the code itself https://github.com/Uninett/mod_auth_mellon/blob/master/auth_mellon_handler.c#L1845-L1850 which looks pretty straightforward
19:52 <kplant> yeah i found that too
19:52 <kplant> no cookie, throw error message
19:52 <kplant> and sure
19:53 <cmorpheus> in your samltrace when it does POST <stuff>/postResponse is there a Cookie: header ?
19:54 <kplant> http://paste.openstack.org/show/754907/
19:54 <kplant> i will check
19:56 <kplant> nope, no "cookie" inside <samlp:Response blah blah
19:56 <kplant> no cookie in the html either
19:57 *** jmlowe has quit IRC
20:00 <kplant> here's the saml if you care to see it: http://paste.openstack.org/show/754908/
20:00 *** jmlowe has joined #openstack-keystone
20:00 <kplant> i'm heading home. i'll check the channel logs when i get home for updates. thanks cmorpheus knikolla !
20:00 *** kplant has quit IRC
20:02 <cmorpheus> just seems like some kind of issue between the idp and the browser afaict
20:02 <cmorpheus> i would try using the cli and see if you can get that to work
20:19 *** brtknr_ has joined #openstack-keystone
20:22 *** brtknr has quit IRC
20:35 *** mchlumsky_ has quit IRC
20:44 <kmalloc> mnaser: cmorpheus and I were just talking about a service that could be used to auth endpoint in front of keystone to solve pretty much your exact use-case.
20:44 <kmalloc> mnaser: it's just very early on in that discussion.
20:45 <mnaser> ya in this case i'm trying to build a service that talks on behalf of openstack users
20:45 <mnaser> so a deployer can run it (but a user can deploy it too, as long as they point to keystone and nothing more)
20:58 *** kplant has joined #openstack-keystone
21:14 <kplant> do i need anything additional other than python-openstackclient and python-keystoneclient? i don't seem to have v3samlpassword as a valid auth type for cli
21:15 <kplant> nvm. was missing lxml
21:19 <kmalloc> mnaser: ahh
21:20 <kmalloc> mnaser: hhhhmmmm. that's tough cause token validation is considered (in many cases) privileged.
21:22 *** beekneemech is now known as bnemec-pto
21:23 <kplant> cmorpheus: CLI yields: "/S:Envelope/S:Header/ecp:Response/@AssertionConsumerServiceURL should provide a single element list"
21:23 <cmorpheus> oh hrm i can't remember what the fix is for that
21:24 <cmorpheus> it's keystoneauth handling an error response really really badly i think
21:24 <kmalloc> oooh that one...
21:24 <kmalloc> uhm. yeah that's a weird one.
21:25 <cmorpheus> kplant: oh suggestion i should have mentioned before is check the logs on the idp
21:25 <cmorpheus> if you haven't already
21:25 <cmorpheus> samltest.id has them available
21:25 <kplant> yeah the idp just shows successful authentications
21:26 <kplant> good thing you mentioned that though.. my credentials were wrong in the rc
21:27 <kplant> well now it's literally the same error:
21:27 <kplant> [kplant@chrnc-void-kolla-01 ~]$ openstack federation project list --insecure
21:27 <kplant> Bad Request (HTTP 400)
21:28 <cmorpheus> same thing in the apache/keystone logs?
21:29 <cmorpheus> you can add --debug to see what requests the client is making too
21:31 <kplant> yeah i was just looking at that
21:31 <kplant> http://paste.openstack.org/show/754912/
21:31 <kplant> i'm looking at the logs right now too
21:34 <kplant> this is new: http://paste.openstack.org/
21:34 <kplant> err
21:34 <kplant> http://paste.openstack.org/show/754914/
21:37 <mnaser> kmalloc: yeah but my thought process was -- i can take the token that i was given, i will reach out to keystone with said token and ask what roles/projects i have access to
21:37 <mnaser> i mean, isn't that already available when you request a token anyways
21:38 <cmorpheus> kplant: not sure about that part
21:39 <cmorpheus> best i can figure it's something wrong with the apache <Location ...> and/or MellonEndpointPath because the 400 is just apache saying that's not a path you've defined
21:39 <kplant> i wonder if apache redirecting to haproxy vip is making am_handle_logout_response() return invalidly
21:39 <kplant> which then in turn is making mellon poop itself
21:40 <cmorpheus> haha yes haproxy will make things confusing, the documentation isn't written with that in mind
21:40 <kplant> yeah i think my next attempt i'll just deploy without haproxy and see how it goes
21:40 <kplant> thanks for the help though
21:40 <cmorpheus> i think you'll have much better luck without haproxy
21:41 <kplant> i'm out of energy for today
21:41 <kplant> when i get it working i'll let you know what path i used in order to confirm/correct the documentation
21:41 <kplant> i'm thinking the longer endpoint is the correct one
21:42 <cmorpheus> i think the documented one might be right actually
21:42 <cmorpheus> based on https://jdennis.fedorapeople.org/doc/mellon-user-guide/mellon_user_guide.html#mellon_endpoint_path
21:43 <kplant> i will definitely try them both and let you know the result either way
21:43 <cmorpheus> cool
21:54 <kplant> yeah that's definitely it am_validate_redirect_url() returns 400 if it can't verify the redirect url
21:55 *** jamesmcarthur has joined #openstack-keystone
21:59 <kmalloc> mnaser: sure, if you trust service X with your token :)
22:01 *** brtknr_ has quit IRC
22:05 *** Ben78 has quit IRC
22:06 *** whoami-rajat has quit IRC
22:08 <openstackgerrit> Nate Johnston proposed openstack/keystonemiddleware master: Fix context issue for neutron audit  https://review.opendev.org/508659
22:12 *** xek__ has quit IRC
22:15 *** jamesmcarthur has quit IRC
22:39 *** gyee has quit IRC
22:45 *** jamesmcarthur has joined #openstack-keystone
22:55 *** gyee has joined #openstack-keystone
23:00 *** jamesmcarthur has quit IRC
23:08 <kplant> cmorpheus: cli and websso work without haproxy+nat
23:08 <kplant> blah
23:09 <kplant> and it's working with "MellonEndpointPath /v3/OS-FEDERATION/identity_providers/keycloak/protocols/saml2/auth/mellon"
23:10 *** jamesmcarthur has joined #openstack-keystone
23:31 <cmorpheus> kplant: does it work with /v3/mellon ?
23:32 <kplant> it does not
23:33 <kplant> i get an infinite redirect loop
23:33 <kplant> keystone -> idp -> keystone -> idp -> etc...
23:33 <cmorpheus> interesting
23:39 <kplant> any idea how to make the displayed username more friendly than G-[UUID]? i recall in oidc i could just use e-mail instead
23:40 <kplant> i'm trying to force nameid to e-mail with keycloak but no luck yet
23:40 <cmorpheus> kplant: that's part of the mapping, you need to pick out what attribute from the assertion you want to map to the username attribute in keystone
23:41 <cmorpheus> you probably used REMOTE_USER which could be something ugly coming from keycloak, but you can look at the assertion and pick anything
23:41 <kplant> aah - makes sense
23:41 <kplant> i was overthinking it trying to override with MellonUser
23:41 <kplant> that's much simpler :-)
23:42 *** jamesmcarthur has quit IRC

Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!