17:01:45 <lbragstad> #startmeeting keystone-office-hours
17:01:46 <openstack> Meeting started Tue Apr 10 17:01:45 2018 UTC and is due to finish in 60 minutes.  The chair is lbragstad. Information about MeetBot at http://wiki.debian.org/MeetBot.
17:01:47 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
17:01:50 <openstack> The meeting name has been set to 'keystone_office_hours'
17:02:23 <lbragstad> well - sorry about that
17:02:32 <lbragstad> i apparently forgot to end the meeting last week
17:02:51 <lbragstad> despite my efforts - http://eavesdrop.openstack.org/meetings/keystone_office_hours/2018/keystone_office_hours.2018-04-03-17.01.log.html#l-41
17:03:03 <lbragstad> must have been issues it the openstack bot
17:03:08 <lbragstad> with*
17:03:36 <lbragstad> i'll be back in about 15 to 20 minutes
17:03:39 <wxy|> lbragstad: https://review.openstack.org/#/c/558489/ replied the question for the test code. I'll address other comments tomorrow.
17:03:50 <lbragstad> wxy|: awesome
17:03:59 <lbragstad> i'll review the hierarchical limits specs
17:04:15 <wxy|> thanks
17:11:49 <mugsie> so, random question - I know in the past project IDs could be basically any string ... has that changed? or are project IDs being UUIDs just the default, so that is all anyone sees?
17:14:19 <SamYaple> mugsie: my ldap projects are much longer than uuid4s still
17:14:57 <mugsie> SamYaple: that is what I thought :) just wanted to confirm before blocking a patch :)
17:15:00 <mugsie> thanks!
17:38:16 <kmalloc> lbragstad: back
17:38:50 <kmalloc> mugsie: Keystone is very opinionated
17:39:03 <kmalloc> mugsie: project_ids are intended to be uuid4
17:39:49 <kmalloc> mugsie: legacy stuff that included ldap may not have been limited to uuid4
17:40:12 <mugsie> I knew it was the long term plan, but if there are still people out there using non-UUID IDs, I can't allow a patch that enforces it on people
17:40:28 <kmalloc> hold on, let me give you our specific table sizes
17:40:36 <mugsie> i.e. I know the hp public cloud had ints back in the day
17:40:44 <mugsie> its a string(64) afaik
17:40:45 <kmalloc> that will break keystone.
17:40:52 <kmalloc> so you can give that guidance.
17:41:26 <kmalloc> mugsie: id = sql.Column(sql.String(64), primary_key=True)
17:42:50 <mugsie> kmalloc: thanks
17:43:05 <kmalloc> mugsie: we allow for 64 bytes, so a sha256 (we use that in some cases) for ids
17:43:21 <kmalloc> it may not be a uuid4, it might be a sha256 hexdigest
17:44:03 <kmalloc> if someone proposes a patch that enforces uuid or less than 64 bytes, we cannot guarantee we won't break you
17:44:13 <mugsie> yeah - the patch is for uuidutils.is_uuid_like(project_id)
17:44:19 <kmalloc> yeah i'd -2 that
17:44:22 * mugsie wang
17:44:23 <kmalloc> and never let it land
17:44:24 <kmalloc> :)
17:44:27 <mugsie> damn
17:44:42 <kmalloc> we may go to 64bytes for ids.
17:44:43 * mugsie *wants* to wait for the keystone unified limits
17:44:58 <kmalloc> we may not, we future planned
17:45:08 <kmalloc> but we will be opinionated we should generate the ids
17:45:09 <kmalloc> :)
17:45:21 <kmalloc> if that helps ya
17:45:56 <mugsie> the problem is people are setting quotas on non-existent projects, and want a way to validate the input - but this helps a lot :) I wanted to make sure I was right in my suspicions
17:46:02 <kmalloc> :)
17:46:07 <kmalloc> we're working on the limit things
17:46:16 <kmalloc> but it is slow =/
17:47:46 <kmalloc> mugsie: man, i need to get my openstack control plane up and running
17:49:54 <lbragstad> kmalloc: we wrapped up the meeting talking about the domain to idp mappings
17:50:04 <kmalloc> lbragstad: cool.
17:50:16 <lbragstad> and if there is a use case to have more than one domain per idp
17:50:48 <kmalloc> there could be.
17:51:10 <kmalloc> but that said, you could make it work with a 1-per restriction
17:56:28 <lbragstad> we had someone in boston ask for multiple domains per identity provider
17:56:33 <lbragstad> i specifically remember that
18:00:48 <lbragstad> kmalloc: how would you do it with a workaround?
18:01:11 <kmalloc> assignments cross domains
18:02:13 <lbragstad> oh - from the shadow user across domains you mean?
18:02:38 <kmalloc> yeah, just assign the role for the <user> to <domain1> <domain2> whatever
18:02:39 <lbragstad> i suppose
18:02:42 <lbragstad> that would work
18:03:35 <lbragstad> since that's an option, i don't really see a reason to not have a one to one mapping
18:03:42 <kmalloc> yeh
18:03:44 <lbragstad> between identity providers and domains
18:04:08 <kmalloc> you can also register another idp in the system if you need clear isolation
18:04:15 <kmalloc> e.g. some users in domain x and some in y
18:04:27 <kmalloc> the same idp could be used multiple times.
18:05:23 <kmalloc> a flat 1-to-1 mapping is not really needed. but also explicitly multiple domains per idp isn't needed afaict
18:05:30 <kmalloc> without knowing more use-case specifics
18:06:02 <Pete_> hello
18:06:17 <lbragstad> kmalloc: sure
18:07:02 <lbragstad> Pete_: hi
18:27:00 <openstackgerrit> Gage Hugo proposed openstack/keystone master: Move fernet doctor checks into tokens checks  https://review.openstack.org/527527
18:46:11 <lbragstad> gagehugo: with https://review.openstack.org/#/c/555196/
18:46:25 <lbragstad> when you generate the api-ref, where are you seeing the changes?
18:46:54 <lbragstad> i've tried generating the API reference with and without the change, but i don't notice a difference
19:18:51 <openstackgerrit> Gage Hugo proposed openstack/keystone master: Update keystone functional tests  https://review.openstack.org/560129
19:26:23 <gagehugo> lbragstad I looked at that locally vs the latest page
19:26:38 <gagehugo> under "code documentation" it's a bit different
19:26:59 <gagehugo> oh
19:27:01 <gagehugo> not the api-ref
19:27:12 <gagehugo> the docs that are auto-generated via sphinx-apidocs
19:27:25 <lbragstad> oh
19:27:29 <lbragstad> checking that quick
19:28:24 <lbragstad> gagehugo: you compared them to https://docs.openstack.org/keystone/latest/ ?
19:30:43 <gagehugo> ye
19:31:13 <gagehugo> the toctree is a bit different here: https://docs.openstack.org/keystone/latest/api/modules.html
19:31:17 <gagehugo> vs change
19:31:51 <gagehugo> it looks like it's nesting differently, but the info ends up being there
19:31:56 <lbragstad> some of the configuration options look different too
19:31:57 <Pete_> need help
19:32:01 <Pete_> Error: Could not prefetch keystone_role provider 'openstack': Execution of '/bin/openstack role list --quiet --format csv' returned 1: SSL exception connecting to https://127.0.0.1:35357/v3/roles: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:579) (tried 47, for a total of 170 seconds) Error: Not managing Keystone_role[_member_] due to earlier Keystone API failures. Error: /Stage[main]/Pra_openstack::Ke
19:32:13 <Pete_> What is this and how to fix
19:32:54 <Pete_> we config the admin_url/public_url as "https://<fqdn>:35357"
19:33:21 <Pete_> but why "/bin/openstack role list" talks to 127.0.0.1 instead?
19:33:22 <gagehugo> hmm
19:34:11 <Pete_> the scenario is like this, in an existing env which keystone/and other components runs w/o SSL
19:34:26 <Pete_> we are putting change through puppet to setup SSL for keystone
19:34:48 <Pete_> change admin/public_url from "http" to "https" using the same port "5000/35357"
19:35:19 <Pete_> and provides "ssl_cert, ssl_key, ssl_cacert, use_ssl=true" to start keystone
19:36:00 <lbragstad> openstack cli should look for an auth url to authenticate against
19:36:28 <lbragstad> are you sure openstack client is finding that?
19:37:01 <Pete_> when you say "openstack client" you mean "/bin/openstack"?
19:37:40 <lbragstad> yeah - is that python-openstackclient?
19:37:58 <lbragstad> https://pypi.python.org/pypi/python-openstackclient
19:38:09 <Pete_> I can't tell
19:38:35 <Pete_> from where the openstack client get the auth_url?
19:38:52 <Pete_> from the 'table keystone" or from env vars?
19:38:57 <lbragstad> openstackclient can get the auth url a couple different ways
19:39:08 <lbragstad> one of the most common is it use environment variables
19:39:09 <lbragstad> https://docs.openstack.org/python-openstackclient/latest/cli/man/openstack.html#authentication-methods
19:39:15 <lbragstad> is to use*
19:40:10 <Pete_> export OS_AUTH_URL="http://piab1-praccn1-1-piab.eng.sfdc.net:35357/v3" export OS_IDENTITY_API_VERSION="3" export OS_IMAGE_API_VERSION="2"
19:40:24 <Pete_> export OS_PROJECT_DOMAIN_NAME="Default" export OS_PROJECT_NAME="admin" export OS_USERNAME="admin" export OS_USER_DOMAIN_NAME="Default"
19:40:42 <Pete_> export OS_PASSWORD="blabla"
19:40:52 <Pete_> that is the env vars setting
19:41:51 <lbragstad> ok - are you able to get a token?
19:42:06 <lbragstad> using `openstack token issue` for example?
19:42:07 <Pete_> how?
19:43:10 <Pete_> declare -x OS_AUTH_URL="https://piab1-praccn1-1-piab.eng.sfdc.net:35357/v3"
19:43:16 <Pete_> i changed this
19:43:22 <Pete_> run "openstack user list"
19:43:34 <Pete_> [centos@piab1-praccn1-1-piab ~]$ openstack user list Discovering versions from the identity service failed when creating the password plugin. Attempting to determine version from URL. SSL exception connecting to https://piab1-praccn1-1-piab.eng.sfdc.net:35357/v3/auth/tokens: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:579)
19:44:05 <lbragstad> that still looks like a certificate error
19:44:35 <Pete_> but I run "openssl" to verify the cert/key are fine
19:45:07 <lbragstad> did you use the upstream openstack puppet modules to setup SSL
19:45:20 <lbragstad> if so, the puppet team might be able to help
19:46:28 <Pete_> we use github/puppet-keystone
19:47:06 <Pete_> https://github.com/openstack/puppet-keystone/
19:48:22 <lbragstad> yeah - the folks in #puppet-openstack might be able to help
19:48:48 <lbragstad> from what i can tell, it looks like an issue with the certificates
19:49:14 <lbragstad> which means the request likely isn't even getting to the keystone application yet
19:50:39 <Pete_> '/bin/openstack role list --quiet --format csv' returned 1: SSL exception connecting to https://127.0.0.1:35357/v3/roles:
19:50:43 <Pete_> anyidea
19:50:59 <Pete_> why "/bin/openstack role list" talk to 127.0.0.1
19:54:37 <lbragstad> how is your service catalog setup/
19:54:40 <lbragstad> ?
19:55:17 <Pete_> what command to run?
19:55:57 <Pete_> whatever command "openstack" I ran all hit
19:56:06 <Pete_> Discovering versions from the identity service failed when creating the password plugin. Attempting to determine version from URL. SSL exception connecting to https://piab1-praccn1-1-piab.eng.sfdc.net:35357/v3/auth/tokens: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:579)
19:56:59 <lbragstad> yeah - thats an ssl error
19:57:15 <Pete_> any idea how to troubleshoot it?
19:57:31 <lbragstad> when you setup the service catalog, how did you do it?
20:00:00 <Pete_> this is an existing env which was setup before
20:00:31 <lbragstad> do you know what was used to set it up? was it setup using puppet?
20:01:26 <Pete_> yes
20:02:35 <Pete_> class { '::keystone':     admin_token         => $::pra_openstack::constant::keystone_admin_token,     admin_password      => $::pra_openstack::config::keystone_admin_pwd,     database_connection => "mysql+pymysql://keystone_admin:${keystone_cfg_ks_db_pw}@${keystone_cfg_mariadb_host}/keystone",     token_provider      => 'fernet',     enable_fernet_setup => true,     debug               => $::pra_openstack::constant::debu
20:02:53 <Pete_> we just add enable_ssl => true
20:03:05 <Pete_> ssl_certfile=>
20:03:10 <Pete_> ssl_keyfile=>
20:03:14 <Pete_> ssl_ca_certs
20:03:26 <Pete_> validate_insecure=> true
20:03:41 <Pete_> to config keystone with SSL
20:03:50 <lbragstad> just a heads up, but http://paste.openstack.org/ helps if you have a bunch of information
20:04:16 <lbragstad> oftentimes pastes don't turn out well in IRC due to formatting
20:05:17 <Pete_> http://paste.openstack.org/show/718860/
20:05:26 <lbragstad> awesome - thanks
20:05:59 <lbragstad> public_bind_host and admin_bind_host are commented out
20:06:22 <Pete_> first we didn't comment them out, but the same failure
20:07:18 <lbragstad> i'm not very familiar with how openstack puppet does their orchestration, but someone in #puppet-openstack might
20:07:23 <openstackgerrit> Gage Hugo proposed openstack/keystone master: Have project get domain_id from parent  https://review.openstack.org/489655
20:10:00 <Pete_> ok, i will try that channel, thx
21:08:26 <lbragstad> #endmeeting