Saturday, 2021-12-04

<fungi> of course, volume list breaks doing that, but server list will work [00:00]
<Clark[m]> Ya you have to use cinder v1 iirc [00:00]
<Clark[m]> I know Mordred said v2 would work but I'm not sure it ever did with tax. But that shouldn't affect server list? [00:00]
<fungi> yeah, but for some reason cinderclient is getting loaded and forcing an error early even when it's not needed by the call [00:05]
<fungi> yeah, the errors are coming from cinderclient/api_versions.py [00:05]
<fungi> when running `openstack server list` [00:06]
<fungi> so the real problem, i guess, is that new cinderclient refuses to support old cinder api, and openstackclient hasn't been fixed to not use cinderclient [00:07]
<fungi> and also cinderclient.client.get_client_class() is being called even when there are no volume commands run [00:18]
<mordred> We need to replace cinderclient with sdk in osc and this should get better [00:26]
<mordred> But, you know, ENOTIME [00:26]
<mordred> Fwiw, I frequently just open a repl, make an sdk object and call shade methods instead [00:28]
<opendevreview> James E. Blair proposed opendev/ master: Add keycloak01
<opendevreview> James E. Blair proposed opendev/system-config master: Add keycloak01
<corvus> okay everything's ready to go [00:37]
*** dpawlik6 is now known as dpawlik [14:45]
<opendevreview> Merged opendev/ master: Add keycloak01
<opendevreview> Merged opendev/system-config master: Add keycloak01
<opendevreview> Merged opendev/system-config master: Add a keycloak server
<corvus> let's see if we magically end up with a keycloak server sometime today :) [17:18]
<corvus> we do have a keycloak server now :) [17:51]
<corvus> there's some config issues, i'm manually working through them now and will propose a patch shortly [18:29]
<opendevreview> James E. Blair proposed opendev/system-config master: Correct keycloak proxy config
<fungi> corvus: out of curiosity, why is keycloak.vhost a template? i don't see any actual jinja2 substitutions in it [19:12]
<corvus> copypasta from etherpad which did have a substitution... and i've developed a habit of making files that might develop template substitutions templates from the start.  i don't know if it's a good habit, but i enjoy not having to switch them from static to template just to add a variable (or the other way if we remove the last variable). [19:14]
<corvus> i can change that if folks don't like it, but i think it's a good idea for vhosts and docker-compose files and the like [19:15]
<fungi> nah, it doesn't hurt anything, i was just curious whether i was missing a substitution [19:16]
<corvus> fungi: want to check it out?  go to and click "sign in" in top right [19:27]
<corvus> fungi: then click the 'openstackid' button on the signin page;  that will let you log into the keycloak realm with openstackid creds [19:27]
<fungi> Welcome to Keycloak Account Management [19:29]
<fungi> should we be putting together notes/observations yet, or are you still tuning? [19:29]
<corvus> fungi: go for it.  i've achieved my immediate goal of confirming that openstackid can be a federated idp.  :) [19:31]
<fungi> cool, my only significant observation so far was wondering if we can/should hide the username/password option, since one of the goals of the sso spec was to not have local accounts [19:32]
<corvus> yeah, i looked into that briefly -- it looks like the only option there is basically to make a custom theme without the html elements (which is weird, that is a very frequently requested feature) [19:33]
<fungi> got it, that seems straightforward enough. i'm not worried about fixing things like that now, more just understanding feasibility [19:34]
<corvus> fungi: also, you're welcome to grab the admin password from bridge (keycloak_admin_password)  and then log into to see the admin side of things [19:34]
<jrosser> i have ansible to configure keycloak realms via the rest api which i can share next week if you're interested [19:34]
<corvus> jrosser: awesome thanks, i think we will want that :) [19:35]
<jrosser> no problem, i'll look at getting our repo public [19:36]
<fungi> yeah, that was one of the undecided bits i think? whether we configure via the webui and then stick the resulting config in git, or orchestrate the configuration itself [19:36]
<fungi> but seeing how folks are doing it with ansible would be a big help [19:36]
<jrosser> yeah, we have a kind of opinionated ansible role to do all the HA stuff and set up realms and oidc mappings [19:37]
<jrosser> so taking whatever inspiration / tasks from that was what i was thinking [19:38]
<opendevreview> Merged opendev/system-config master: Correct keycloak proxy config
<corvus> fungi: i added a google provider (but it's in test mode so to work i need to manually add google accounts to it); let me know if you want me to add yours (if you have one) and you can try out linking a second provider [19:58]
* corvus uploaded an image: (34KiB) < > [19:59]
* corvus uploaded an image: (38KiB) < > [19:59]
<corvus> but there's some screenshots -- it's super intuitive [20:00]
<fungi> corvus: i have a google account... what specifier would you need for it? [20:00]
<corvus> fungi: done [20:01]
<fungi> yeah, i was able to log into that and it shows two linked accounts [20:02]
<fungi> interestingly, on the linked accounts panel, it has a "link account" option next to the openstackid entry in the unlinked accounts section, but gives an error if i click it "Federated identity returned by openstackid is already linked to another user." [20:03]
<corvus> keycloak (optionally -- this is highly configurable) does matching on email addresses when you login, so since my addresses matched, when i clicked log in via google, i got the option to link on login.  with different email addrs, people would get 2 accounts if they logged in twice, i think.  not sure what the reconciliation options are in that case. [20:04]
<fungi> ahh, yep, that's it. if i log out and then log in again with openstackid, it shows the openstackid as linked but google as unlinked, and gives the same error if i try to link the google id [20:05]
<corvus> fungi: so starting with an openstackid-linked account, you used the "link account" button and still ended up with 2 accounts?  interesting, that's not very intuitive to me... :/ [20:08]
<fungi> i think the update to my account logged me out, since it sent me back to the login page, at which point i selected to log in with google [20:10]
<fungi> possible i did that incorrectly [20:10]
<corvus> oh ok, that makes sense then [20:10]
<fungi> now i realize the screenshots you linked a moment ago were probably instructions on what to do [20:10]
<fungi> and i should have logged back in with my openstackid first [20:11]
<corvus> i just did it the other way (log in via openstackid, then link google account with different email), and it did link them (so i ended up still with 1 account) [20:11]
<corvus> well, i didn't know that at the time, i'm still learning :) [20:11]
<corvus> so there's still a rough edge with the "i accidentally made 2 accounts and now can't link them" issue that you discovered [20:11]
<corvus> i'm guessing the only resolution to that is to delete one of them to then allow the user to purposefully link [20:12]
<fungi> sure, i expect if i log in with the admin creds i can delete the second account and then go back to my openstackid account and link them correctly [20:12]
<corvus> yeah, that's more or less what i did with my testing just now [20:13]
<fungi> okay, after deleting my google account from the users panel in the admin console, i logged in with my openstackid and was then able to link my google account [20:20]
<fungi> so that seems to work [20:20]
<fungi> now if i log out and sign back in with google it takes me to the correct account both are linked in [20:21]
<corvus> i can't think of a way to make this work self-service (at least, not without tortuous things like "associate with a new fake account then disassociate from the original one"), so there might be some admin action required for situations like this. [20:25]
<corvus> but at least it's easy, and hopefully rare? [20:26]
<corvus> well, actually, if we allow password login, then it could be done self-service... in that case you can unlink from all external idps.  so you could unlink from the unwanted account and then link to the wanted one. [20:28]
<fungi> yeah, worth discussing [20:31]
<corvus> related -- if we don't want that, we still need to figure out how to disable setting the password from the self-serv management menu since that's what i just did and it worked :) [20:32]
