Tuesday, 2019-11-26

00:03 *** jamesmcarthur has joined #openstack-keystone
00:08 *** jamesmcarthur has quit IRC
00:37 *** jamesmcarthur has joined #openstack-keystone
00:42 *** jamesmcarthur has quit IRC
00:43 *** cmart has quit IRC
01:04 *** mvkr has quit IRC
01:05 *** awalende has joined #openstack-keystone
01:10 *** awalende has quit IRC
01:17 *** mvkr has joined #openstack-keystone
01:39 *** jamesmcarthur has joined #openstack-keystone
01:43 *** jamesmcarthur has quit IRC
02:10 *** jamesmcarthur has joined #openstack-keystone
02:15 *** jamesmcarthur has quit IRC
02:52 *** jamesmcarthur has joined #openstack-keystone
02:57 *** jamesmcarthur has quit IRC
03:04 *** spatel has joined #openstack-keystone
03:04 <spatel> morning
03:05 <spatel> I am having an issue setting up my openrc file with multi-domain keystone
03:06 <spatel> This is my openrc file - http://paste.openstack.org/show/786693/
03:06 <spatel> but somehow it's saying authorization fail..
03:07 <spatel> I can use same account username/password in horizon and it works
03:13 *** awalende has joined #openstack-keystone
03:18 *** awalende has quit IRC
03:27 *** renich has joined #openstack-keystone
03:29 *** jamesmcarthur has joined #openstack-keystone
03:34 *** jamesmcarthur has quit IRC
04:31 *** jamesmcarthur has joined #openstack-keystone
04:35 *** jamesmcarthur has quit IRC
04:36 *** cmart has joined #openstack-keystone
04:44 *** renich_ has joined #openstack-keystone
04:45 *** renich has quit IRC
05:11 *** cmart has quit IRC
05:11 *** spatel has quit IRC
05:37 *** tkajinam has quit IRC
05:38 *** tkajinam has joined #openstack-keystone
06:07 *** jamesmcarthur has joined #openstack-keystone
06:12 *** jamesmcarthur has quit IRC
06:32 *** pcaruana has joined #openstack-keystone
07:27 *** renich has joined #openstack-keystone
07:28 *** renich_ has quit IRC
08:16 *** tesseract has joined #openstack-keystone
08:16 *** amoralej|off is now known as amoralej
08:19 *** tkajinam has quit IRC
08:19 *** renich has quit IRC
08:33 *** renich has joined #openstack-keystone
10:35 *** ivve has joined #openstack-keystone
10:55 *** takamatsu has quit IRC
11:13 *** jaosorior has joined #openstack-keystone
11:40 *** rcernin has quit IRC
11:53 *** raildo has joined #openstack-keystone
12:48 *** jawad_axd has joined #openstack-keystone
13:07 *** amoralej is now known as amoralej|lunch
13:28 *** raildo has quit IRC
13:29 *** raildo has joined #openstack-keystone
13:38 *** jaosorior has quit IRC
14:00 *** tkajinam has joined #openstack-keystone
14:02 *** amoralej|lunch is now known as amoralej
14:14 <lbragstad> cmurphy in case you want to take a look before it lands
14:14 <lbragstad> https://review.opendev.org/#/c/669181/
14:39 *** renich_ has joined #openstack-keystone
14:41 *** renich has quit IRC
14:48 *** jawad_axd has quit IRC
15:04 *** jaosorior has joined #openstack-keystone
15:16 *** spatel has joined #openstack-keystone
15:17 <spatel> cmurphy: Hii
15:18 <spatel> Are you there?
15:18 <spatel> I am having a very strange issue, my openrc doesn't like LDAP account, if i add local account that works
15:19 *** tkajinam has quit IRC
15:25 <lbragstad> spatel do you have any logs?
15:25 <spatel> I am collecting but just wanted to check if i am dealing with bug here..
15:25 <lbragstad> ldap authentication can be tricky and it's hard to diagnose the issue without more information
15:45 *** awalende has joined #openstack-keystone
15:46 *** renich_ has quit IRC
15:48 *** spatel has quit IRC
15:50 *** awalende has quit IRC
15:52 <cmurphy> lbragstad: thanks, lgtm
15:54 *** spatel has joined #openstack-keystone
15:56 *** vishakha has joined #openstack-keystone
16:00 *** cmart has joined #openstack-keystone
16:02 *** ivve has quit IRC
16:02 <vishakha> o/
16:09 <spatel> lbragstad: can you see this issue? http://paste.openstack.org/show/786735/
16:10 <lbragstad> spatel it looks like you have dns issues
16:10 <lbragstad> you need to either update your catalog or double check your dns configuration
16:10 <spatel> I already have DNS name configure for that IP..
16:11 <lbragstad> sure - but your catalog is referencing ip addresses
16:11 <spatel> who tells openstack use name instead of IP?
16:11 <lbragstad> python-openstackclient uses the catalog to discover other services in your cloud
16:11 <spatel> how should i fix that?
16:11 <lbragstad> update the endpoints
16:11 <spatel> how? i never done that before
16:12 <spatel> do i need to edit each service ?
16:12 <lbragstad> use the cli and do it manually - `openstack endpoint set --help`
16:13 <lbragstad> you might have to iterate all the services,
16:13 <lbragstad> but i think you only need to update the endpoints that correspond to the services
16:14 <spatel> hmm!
16:14 <spatel> let me try hold on
16:19 *** jamesmcarthur has joined #openstack-keystone
16:23 *** ygk_12345 has joined #openstack-keystone
16:23 *** tesseract has quit IRC
16:23 <ygk_12345> hi all
16:24 <ygk_12345> i have added an ldap domain to keystone. but when I do a user list from that domain it is gateway 504 timeout
16:24 <ygk_12345> any idea ?
16:25 <spatel> lbragstad: i don't think you can update endpoint URL from command line,
16:25 <spatel> lots of people saying use MySQL directly
16:25 <ygk_12345> can anyone here help me with my issue please
16:25 <ygk_12345> http://paste.openstack.org/show/786738/
16:27 <lbragstad> spatel i don't recommend modifying the database directly
16:27 <lbragstad> using the CLI works just ifne
16:27 <lbragstad> fine*
16:27 <lbragstad> http://paste.openstack.org/show/786739/
16:30 <lbragstad> spatel endpoint operations are typically reserved for admins, so if you hit permission issues you might need to use a different user
16:30 <spatel> hmm! let me try.. thanks
16:34 *** ygk_12345 has quit IRC
16:37 <spatel> lbragstad: you are awesome!! that works
16:37 <spatel> lbragstad: i am going to change all of them now
16:37 <lbragstad> sounds good - glad you got it working
16:42 <spatel> lbragstad: how to handle this one? should i put them in quotes ' ' ?
16:42 -spatel- [root@ostack-osa-eng ~]# openstack endpoint set --url https://openstack-eng.example.com:8004/v1/%(tenant_id)s 7dd979b3ea6d4459a780aa09baff8d06
16:42 -spatel- -bash: syntax error near unexpected token `('
16:45 <knikolla> spatel: put it in single quotes
16:52 <aloga> hello there
16:52 <aloga> I have a question regarding https://review.opendev.org/#/c/373983/6
16:53 <aloga> this was a spec we proposed some time ago in order to provide a native OpenID Connect plugin for Keystone, rather than relying on the Apache module
16:54 <aloga> this way all OpenID Connect stuff can be configured within Keystone, not in Apache
16:54 <aloga> we have successfully implemented it as an auth plugin to an extent: https://github.com/IFCA/keystone-oidc-auth-plugin/
16:55 <aloga> since OpenID connect requires a redirect for the user agent to be redirected from the relying party (keystone) to the OpenID Connect provider (OP)
16:56 <spatel> knikolla: single quotes works
16:56 <aloga> IIRC, this was possible with the old WSGI plumbing, as you could raise a 302 exception and it was propagated to the user
16:56 <aloga> however, it is not possible anymore with Flask
16:57 <aloga> therefore this bug: https://bugs.launchpad.net/keystone/+bug/1854041
16:57 <openstack> Launchpad bug 1854041 in OpenStack Identity (keystone) "Keystone should propagate redirect exceptions from auth plugins" [Undecided,New]
16:58 <aloga> so, the question is, would a solution to bug 1854041 make sense to you?
16:58 <openstack> bug 1854041 in OpenStack Identity (keystone) "Keystone should propagate redirect exceptions from auth plugins" [Undecided,New] https://launchpad.net/bugs/1854041
16:59 <aloga> i.e. allow plugins either to raise redirect exceptions or raise any HTTP exception and propagate it to the user?
17:02 <aloga> (the piece of code in Flask Keystone that manages the Keystone exceptions and converts them to JSON is https://github.com/openstack/keystone/blob/master/keystone/server/flask/application.py#L77)
17:06 *** ivve has joined #openstack-keystone
17:08 <knikolla> aloga: would you like to add that topic to next week's meeting? https://etherpad.openstack.org/p/keystone-weekly-meeting
17:08 <knikolla> i don't think many people are around these days due to US holidays.
17:11 <aloga> knikolla: thanks
17:11 <aloga> knikolla: what time are the meetings though?
17:12 <knikolla> aloga: http://eavesdrop.openstack.org/#Keystone_Team_Meeting
17:12 <knikolla> you can grab a .ics here
17:12 <knikolla> Weekly on Tuesday at 1600 UTC in #openstack-meeting-alt
17:13 <aloga> knikolla: yes, I got it, many thanks
17:13 <knikolla> awesome :)
17:13 <aloga> knikolla: I see that there is also a related documentation change
17:13 <aloga> (related to OIDC)
17:17 <knikolla> aloga: yeah, we were missing documentation on authenticating using oauth 2.0 bearer tokens rather than the usual oidc flow.
17:17 <aloga> knikolla: yes, however, there are still 2 outstanding problems with the current setup
17:18 <aloga> knikolla: you require all CLI to get registered as an OpenID Connect client
17:18 <aloga> s/you/the setup/ I mean :-9
17:18 <knikolla> not necessarily. you can have a public client and have all CLI use that.
17:19 <knikolla> as in not confidential.
17:19 <aloga> well, yes, that may be the case
17:21 <aloga> but anyway, the other problems still exist
17:21 <aloga> since it is using Oauth2 bearer tokens you may miss any additional claims that the userinfo endpoint returns
17:22 <aloga> unless: you use the introspection endpoint to validate the token (the provider has to support it) and the provider returns those additional claims in the introspection response (also the provider has to support it)
17:22 <aloga> therefore you cannot do any mappings on those additional claims
17:22 *** jamesmcarthur has quit IRC
17:23 <aloga> and the other outstanding problem is that it is impossible to use two different identity providers
17:23 <aloga> it is possible to configure two different providers using *only* openid
17:24 <aloga> but when mixing openid and oauth it is not, as the plugin does not allow defining per-location OIDCOAuth* options
17:24 <aloga> and mixing it is required for CLI and WEB access
17:25 <knikolla> in general, single sign-on and CLI don't mix well together and you have to compromise something, somewhere.
17:26 <knikolla> This is partially a limitation of the standards, and partially a matrix of idps only supporting a subset of the features available.
17:26 <aloga> yes, but I do see a large limitation in not being able to use several OPs
17:27 <aloga> maybe this is not the case for a commercial provider that would use their very own idp, but for instance in science and distributed computing it is a limiting issue
17:27 <knikolla> I understand that, my compromise was to run an idp broker
17:27 <aloga> where users can come from different trusted sources
17:27 <knikolla> so: multiple idps -> single idp -> openstack / kubernetes / etc
17:28 *** spatel has quit IRC
17:30 <aloga> knikolla: yes, and in some cases this is what is being done
17:30 <aloga> but the dynamics of research projects, funding agencies, idps, identity providers and so on are difficult sometimes
17:30 *** gshippey has joined #openstack-keystone
17:30 <aloga> and it is not always possible to use an idp proxy for that
17:30 <knikolla> that they are
17:31 <knikolla> are you able to use application credentials for your users' cli access?
17:31 <knikolla> That should make the experience more tolerable.
17:31 <aloga> no, application credentials are not always usable
17:32 *** jaosorior has quit IRC
17:33 <knikolla> i would be amazed if something was *always* usable across multiple identity providers
17:33 <knikolla> try to think up something that would make your life easier, and we can discuss that next tuesday during the meeting
17:34 <aloga> knikolla: well...
17:35 <aloga> knikolla: I do not have any decision power here
17:35 <aloga> knikolla: the scientific cloud in europe has adopted OpenID Connect as the solution
17:35 <aloga> knikolla: the most used middleware is OpenStack
17:36 <knikolla> That's much much better than the scientific cloud here going with SAML and no SAML ECP.
17:36 <aloga> knikolla: but the outstanding problem that lots of sites are seeing is that they cannot configure two idps
17:36 <knikolla> here in the US*
17:37 <aloga> knikolla: basically because the oidc mod for apache does not support it
17:37 <aloga> knikolla: *and* that configuration has to be managed in Apache, not keystone
17:38 <aloga> knikolla: some sites do not see deploying a proxy as an acceptable solution
17:39 <aloga> anyway, we are anticipating discussion here :-)
17:39 <aloga> and I have to leave
17:39 <aloga> thanks for the feedback
17:40 <knikolla> np :)
17:47 <cmurphy> knikolla: we forgot to talk about it during the ptg but want to propose http://specs.openstack.org/openstack/keystone-specs/specs/keystone/backlog/support-federated-attr.html and http://specs.openstack.org/openstack/keystone-specs/specs/keystone/backlog/expiring-group-memberships.html to the ussuri directory?
17:49 *** openstackgerrit has quit IRC
17:53 *** ab-a has joined #openstack-keystone
18:26 *** jaosorior has joined #openstack-keystone
18:48 *** amoralej is now known as amoralej|off
19:36 *** jamesmcarthur has joined #openstack-keystone
19:44 *** cmart has quit IRC
20:13 *** cmart has joined #openstack-keystone
20:24 <bnemec> Heh, response to the policy popup team has almost been _too_ good. I'm not sure we want to have a bunch of projects all trying to figure out the best practices in parallel.
20:24 <bnemec> But I guess we don't want to discourage people if they're willing to do the work now.
20:24 <bnemec> #NiceProblemToHave
20:24 * bnemec sits in the timeout corner for using a hashtag on IRC
20:30 <cmurphy> i was thinking the same...i definitely don't want to discourage people from jumping on the policy bandwagon but maybe the disband criteria should still be limited to a few projects?
20:41 <bnemec> Maybe just drop the migration complete bullet entirely? As I understand it the main output from the popup team should be the documentation of best practices. Migrating all the things is a job for the community goal.
20:42 <bnemec> Although finishing at least one of the migrations might be necessary to have a complete picture of how it will work.
20:45 *** vishakha has quit IRC
20:45 <cmurphy> i think having at least a couple projects completely finished is important
20:45 <cmurphy> the issues nova will face are going to be different from what neutron faces are going to be different from what cinder faces etc
20:50 <bnemec> True, and we may not know which subset need to be completed yet.
20:52 <bnemec> It's probably not worth agonizing about. If we get to the point where we feel like the popup team has served its purpose and all of the listed projects aren't migrated yet we can worry about it then.
21:20 <cmurphy> ++
21:27 *** threestrands has joined #openstack-keystone
21:28 *** raildo has quit IRC
21:39 *** d34dh0r53 has quit IRC
21:39 *** d34dh0r53 has joined #openstack-keystone
21:59 *** jaosorior has quit IRC
22:04 *** rcernin has joined #openstack-keystone
22:16 *** pcaruana has quit IRC
23:08 *** tkajinam has joined #openstack-keystone
23:30 *** gshippey has quit IRC
23:33 *** cmart has quit IRC

Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!