19:02:25 #startmeeting keystone-office-hours 19:02:26 Meeting started Tue Aug 22 19:02:25 2017 UTC and is due to finish in 60 minutes. The chair is lbragstad. Information about MeetBot at http://wiki.debian.org/MeetBot. 19:02:28 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. 19:02:30 The meeting name has been set to 'keystone_office_hours' 19:03:58 o/ reporting for office hours 19:04:23 kmalloc: mind lifting your -2 here? https://review.openstack.org/#/c/496343/ 19:04:38 we'll need that based on how reno operates 19:04:41 in pike? 19:04:47 we didn't land the pike change did we? 19:04:57 just the master one(s)? 19:05:07 we need to ignore those release notes from rendering in pike release notes 19:05:23 right, we landed the change in pike?! 19:05:26 or just master 19:05:36 yes - let me grab the link 19:05:42 want to be sure. 19:05:45 related: ugh 19:06:11 #link https://github.com/openstack/keystone/commit/77500b3615ae94ea45837f3fc0d503c8aadcc462 19:06:11 can we just make this a tree of static files instead? [i know not today[] 19:06:53 lbragstad: that landed in master 8 days ago 19:06:59 stable/pike was already split 19:07:02 right? 19:07:26 https://review.openstack.org/#/c/496312/ 19:07:30 not landed. 19:07:46 https://docs.openstack.org/releasenotes/keystone/pike.html 19:07:53 ^ they still render there for the pike notes 19:07:58 because those links changed 19:08:13 how did the links change in the pike branch? 19:08:17 we didn't land the change 19:08:28 something is broken in the rendering systme not in our repo then 19:08:35 it's rendering from master not stable/pike 19:08:47 land the ignore in master, we have to do that 19:08:52 but we shouldn't need to in pike 19:09:04 if we do, something else is broken 19:09:35 i think we horked this up becuase i think the reno is always rendered from master 19:09:42 meaning we are effecitvely broken 19:09:51 on the docs page 19:10:43 https://review.openstack.org/#/c/492774/ 19:11:34 if we did not land a change to the release notes on stable/pike how are the changed links effecting the release notes 19:11:55 this really is not making sense. 19:12:13 kmalloc: want me to see if dhellmann will join us here? 19:12:14 if those are rendering in pike and the fix landed in master we have a bigger problem. 19:12:17 sure. 19:12:44 i am guessing things are not rendering from the right places 19:13:22 kmalloc: that would appear to be the case 20:37:20 Merged openstack/keystone master: Include a link in release note for bug 1698900 https://review.openstack.org/496322 20:37:22 bug 1698900 in OpenStack Identity (keystone) "DB check appears to not be working right" [High,Fix released] https://launchpad.net/bugs/1698900 - Assigned to Lance Bragstad (lbragstad) 20:55:10 Lance Bragstad proposed openstack/keystone master: Clarify documentation for release notes https://review.openstack.org/496417 20:56:22 cc kmalloc ^ 20:56:28 i also had to update https://review.openstack.org/#/c/496343/ 20:59:29 Merged openstack/keystone master: Remove missing release note from previous revert https://review.openstack.org/496342 21:01:19 sweet - https://review.openstack.org/#/c/496343/ is the only thing we need for rc3 21:09:28 Anyone know what the middleware module in keystone does? I'm having some trouble with understanding its functionality 21:17:18 mjax: are you referencing https://github.com/openstack/keystone/tree/master/keystone/middleware or https://github.com/openstack/keystonemiddleware ? 21:17:54 lbragstad: /keystone/keystone/middleware 21:18:30 mjax: ah - so that's "middleware" that runs in the paste pipeline in front of keystone 21:19:07 lbragstad: is it mainly in charge of interacting with wsgi? Does it have any specific connection to keystonemiddleware? 21:19:50 mjax: no - not really, keystonemiddleware is a separate project that is designed to run in front of other services 21:20:46 mjax: for example json_body middleware runs in front of keystone 21:20:54 as noted in the paste pipeline 21:20:56 https://github.com/openstack/keystone/blob/master/etc/keystone-paste.ini#L16 21:21:08 and following the entry point here - https://github.com/openstack/keystone/blob/master/setup.cfg#L195 21:21:38 lbragstad: I see, was curious because of the shared name and the import in auth.py 21:22:10 mjax: yeah - keystone/middleware is specific to keystone 21:22:25 keystonemiddleware is a generic middleware for other openstack services to use 21:22:38 (e.g. keystonemiddleware is what sits in front of nova or cinder) 21:24:27 lbragstad: thanks, got it. By the way is the /keystone/auth the first point where keystone tries to authenticate a user? Will services also authenticate from there 21:25:19 both services and users interact with the same endpoint for authentication 21:25:52 which endpoint is that? 21:26:00 either /v2.0/tokens or /v3/auth/tokens 21:26:10 GET /v3/auth/tokens is validate token 21:26:16 and POST /v3/auth/tokens is authenticate for token 21:26:29 hmm I see, will the token differ depending on whether its a service or user trying to authenticate 21:27:36 no - keystone doesn't know if it's a service or a user authenticating 21:28:24 services like nova have a service account (e.g. a user named nova) that they use to make API requests 21:32:05 right - how do the service account's password and credentials get set or passed? If I were to write an auth plugin that expects a password to an external SSO for that user, would I just have to include multiple case statements to catch the special case for users? 21:32:56 mjax: those are included in each services configuration file 21:33:13 also, it is /keystone/auth that handles the requests to the authentication endpoint right? 21:34:16 oh so thats how it works! 21:34:17 mjax: as in how does nova authenticate to keystone? 21:34:31 nova uses the keystoneauth1 library to authenticate to keystone 21:34:49 and keystonemiddleware to run process tokens before they reach nova's api 21:35:07 when you make a request to /auth/v3/tokens a json request body is passed in right? which module is in charge of breaking that down to do the authentication 21:37:14 that's this endpoint 21:37:29 https://github.com/openstack/keystone/blob/master/keystone/auth/routers.py#L27 21:37:44 which routes the request based on the request method (GET, POST, etc.) 21:37:51 to the appropriate controller method 21:38:29 so when you do a POST /v3/auth/tokens you can see the router wire the call to authenticate_for_token() 21:38:30 https://github.com/openstack/keystone/blob/master/keystone/auth/routers.py#L30 21:38:57 which is found here - https://github.com/openstack/keystone/blob/master/keystone/auth/controllers.py#L107 21:39:54 That clears up a lot! Thank you 21:40:33 mjax: yep 21:40:49 fwiw - that pattern can be applied to all apis in keystone 21:41:09 traffic comes in from the router -> controller -> core -> backend 21:42:50 lbragstad: then the controller calls the corresponding core's methods which make use of the relevant backend? Makes sense 21:43:17 yep - it's a pretty straight forward app 21:44:38 lbragstad: I'm still quite a newbie to dev and design patterns, so this is really helpful! Thanks again for going over it for me 21:50:53 hi , could someone shed some light on how to store users locally who are authorized using a custom identity backend which is not implemented via a saml or oauth protocol 21:53:23 mjax: anytime! 21:54:06 aahh: what release are you using? 21:54:38 @lbragstad : ocata 21:54:55 aahh: are you familiar with shadow users? 21:55:20 not yet , had been reading the specs docs on the ocata release. would be helpful on how its created and mapped 21:55:48 aahh: that works started in ocata 21:55:52 http://specs.openstack.org/openstack/keystone-specs/specs/keystone/mitaka/shadow-users.html 21:56:01 and continued into newton 21:56:02 http://specs.openstack.org/openstack/keystone-specs/specs/keystone/newton/shadow-users-newton.html 21:56:21 but the idea was that users should have some sort of reference stored within keystone regardless of where they authenticate from 21:56:55 meaning they could be authenticated through federation using a SAML assertion of some sort, or an external LDAP instance 21:57:34 assuming the authentication is successful - a user reference is created for that user 21:57:41 and stored within keystone 21:58:01 could you point to me the relevant files where this happens ?? 21:58:28 aahh: yeah - so all of that should be pretty self contained in keystone's identity API 21:58:46 which is here - https://github.com/openstack/keystone/tree/3e8f16dec47907bdded68e58880779a74bbeffef/keystone/identity 21:58:54 er - it starts there 21:59:56 aahh: from there you can see how the shadow_user_api is used in the business logic for identity - https://github.com/openstack/keystone/blob/3e8f16dec47907bdded68e58880779a74bbeffef/keystone/identity/core.py#L442 22:00:27 the interfaces and backend for storing shadow users is kept here - https://github.com/openstack/keystone/tree/3e8f16dec47907bdded68e58880779a74bbeffef/keystone/identity/shadow_backends 22:01:36 #endmeeting