Wednesday, 2016-05-18

[01:42] <agrebennikov> jamielennox, hey, I have a question for you regarding a potential issue in barbican, and it is probably connected to how you resolved it in keystone https://github.com/openstack/keystone/commit/7a760caa5d26e87879fe7e0276a5603c697cc717
[01:45] -openstackstatus- NOTICE: Gerrit is about to be restarted to help with page timeouts
[02:21] <jamielennox> agrebennikov: still here? how can i help?
[02:21] <agrebennikov> yep, thanks jamielennox
[02:22] <agrebennikov> so barbican uses pecan
[02:22] <agrebennikov> and when I make a call just to the port of the api, it constructs the url automatically
[02:23] <agrebennikov> like curl http://1.1.1.1:9311 gives the response with {v1: {href: http://1.1.1.1:9311}}, and if I call to another endpoint - IP will be different while the prefix and the port - the same
[02:23] <jamielennox> yep, the request object should have in it the url you used to call it
[02:24] <agrebennikov> so what I should do if I have haproxy with https in the frontend?
[02:24] <agrebennikov> api still returns http
[02:24] <jamielennox> ah, ok
[02:24] <agrebennikov> with keystone we strictly specify public_endpoint
[02:24] <jamielennox> so typically there are two headers set with haproxy
[02:24] <agrebennikov> right?
[02:25] <jamielennox> HTTP_X_FORWARDED_FOR
[02:25] <jamielennox> and HTTP_X_FORWARDED_PROTO
[02:25] <jamielennox> (top of my head, i might be slightly off)
[02:25] <agrebennikov> ok
[02:25] <jamielennox> forwarded-proto is set to https by haproxy if the incoming request was a https call
[02:26] <jamielennox> so i'm not sure if pecan supports checking that env directly or not, some of the wsgi frameworks know
[02:26] <agrebennikov> hm... you mean pecan receives already http instead of https, right?
[02:26] <agrebennikov> this is why it returns http
[02:27] <jamielennox> there was also an oslo middleware that would do some hackery
[02:27] <jamielennox> https://github.com/openstack/oslo.middleware/blob/master/oslo_middleware/ssl.py
[02:27] <jamielennox> though that middleware says deprecated_for_removal so i don't know what you're supposed to do there
[02:28] <agrebennikov> but then.... I have to set barbican server so that it can work out ssl itself
[02:28] <agrebennikov> crap
[02:28] <jamielennox> right, well pecan was called with a http call so it thinks it's doing the right thing, you should look to see if forwarded-proto is set and if so replace the http
[02:28] <agrebennikov> but then
[02:29] <agrebennikov> what was the main reason for introducing public_endpoint setting in keystone?
[02:29] <agrebennikov> I thought it was somehow connected to this usecase
[02:29] <jamielennox> so public_endpoint predated all of this, originally you had to set public endpoint to make keystone work
[02:30] <agrebennikov> set where?
[02:30] <jamielennox> now if you set public endpoint that will always be used, but if you don't set it we figure out an appropriate url from the request
[02:30] <jamielennox> in config
[02:31] <agrebennikov> right, so now we must do that because when for example heat calls for versions, it receives url with http
[02:31] <agrebennikov> but when we specify pub_endpoint - it works like a charm
[02:31] <agrebennikov> specify with https I mean
[02:32] <agrebennikov> (I may lie with heat though, maybe some other)
[02:32] <agrebennikov> oh, yes, so we do this http-request set-header X-Forwarded-Proto https if { ssl_fc }
[02:32] <agrebennikov> and now we just need to teach barbican to recognize it
[02:33] <jamielennox> agrebennikov: so try putting that oslo_middleware ssl in your pipeline and see if it "just works"
[02:33] <jamielennox> pecan relies on webob and webob will read the wsgi.url_scheme that the middleware sets
[02:34] <agrebennikov> ok, let me go ahead and try it out. I can ask dims to help me with that..... Thanks a lot!
[02:34] <jamielennox> no problem
[02:34] <agrebennikov> so you suggest to not go with the hardcoded urls in config, right?
[02:36] <jamielennox> agrebennikov: it really depends on your deployment, if you always know the url and it's the same for public and internal use sometimes it's just easier to force the url
[02:36] <jamielennox> but you should make sure that the default when it's not set is correct
[02:37] <jamielennox> agrebennikov: looks like https://github.com/openstack/oslo.middleware/blob/master/oslo_middleware/http_proxy_to_wsgi.py is why they deprecated the ssl middleware
[02:37] <agrebennikov> jamielennox, right, but in this case I have to redo the same exercise as you did with keystone
[02:37] <jamielennox> agrebennikov: so probably easier to not add the public_endpoint stuff to config
[02:38] <jamielennox> that's actually a super cool little piece of middleware i haven't seen before
[02:38] <agrebennikov> jamielennox, I'm actually not a developer, so I cannot immediately figure out its coolness))
[02:38] <agrebennikov> but I'll ask
[02:39] <jamielennox> agrebennikov: well the good thing about this one is you can add it to your paste.ini file without having to add it to code
[02:40] <agrebennikov> yeah, I kind of "watch through the fog" - just tell it in the config how I want to forward the requests
[02:40] <jamielennox> basically if it sees the forwarded headers in a request then it replaces the host and protocol values on the request with the original ones so the code does the right thing
[02:41] <agrebennikov> yeah, and it was probably added to heat already, because I don't see specific headers in its config
[02:41] <agrebennikov> like before
[02:43] <jamielennox> yep, you can see http_proxy_to_wsgi at https://github.com/openstack/heat/blob/master/etc/heat/api-paste.ini#L4
[02:43] <jamielennox> n
[02:44] <jamielennox> but you will need to set enable_proxy_headers_parsing=True in your config file
[02:44] <jamielennox> https://github.com/openstack/oslo.middleware/blob/master/oslo_middleware/http_proxy_to_wsgi.py#L20
[02:44] <agrebennikov> ah, but it will only make sense if the service is running under wsgi, which we don't have currently
[02:45] <agrebennikov> it will only be applicable for barbican
[02:45] <jamielennox> agrebennikov: wsgi is a protocol for python web requests, pecan will use it
[02:45] <agrebennikov> I mean the rest of the services are still eventlets
[02:45] <jamielennox> uwsgi is an app that serves wsgi stuff
[02:45] <agrebennikov> except keystone
[02:45] <jamielennox> they all use wsgi internally
[02:45] <agrebennikov> I heard about it...
[02:46] <agrebennikov> which will be much more painful to debug
[02:46] <agrebennikov> oh, you mean they Already do?
[02:46] <jamielennox> barbican has a paste file so you can add the middleware there in the same way heat does
[02:46] <jamielennox> https://github.com/openstack/barbican/blob/master/etc/barbican/barbican-api-paste.ini
[02:46] <jamielennox> this is not related to eventlet/apache/uwsgi/pecan
[02:47] <jamielennox> which i can see is horribly confusing if you don't spend a lot of time around them :)
[02:49] <agrebennikov> so it seems we do not use it yet in our deployments (which is liberty), that is why I didn't see any traces of it.....
[02:49] <agrebennikov> ok
[02:50] <jamielennox> yea. it looks like that wasn't in liberty - but the ssl one was and that should work for what you need
[02:51] <agrebennikov> so there is a number of pipelines in barbican - barbican_version and barbican_api. I guess I have to fix the first one, right?
[02:52] <jamielennox> i'd add it to both
[02:53] <agrebennikov> ahh... so it seems it requires its own section then..... all this api-paste stuff is superconfusing...
[02:54] <agrebennikov> is it an app or a filter?
[02:55] <agrebennikov> jamielennox,
[02:56] <jamielennox> trying to find an example of it from liberty
[02:56] <agrebennikov> ah, nevermind, found already... sorry for my stupidity - it is 8pm already))
[02:56] <agrebennikov> it is all in that heat-api-paste
[02:56] <agrebennikov> [filter:http_proxy_to_wsgi]
[02:56] <agrebennikov> paste.filter_factory = oslo_middleware:HTTPProxyToWSGI.factory
[02:57] <jamielennox> yea, but that won't work in liberty because the middleware isn't there yet
[02:57] <jamielennox> the factory will be
[02:57] <agrebennikov> yeah, already broken....
[02:57] <jamielennox> paste.filter_factory = oslo_middleware:SSLMiddleware.factory
[02:58] <agrebennikov> yay!!!!!! this works!
[02:58] <jamielennox> looks like they called it just filter:ssl by convention, but so long as you are using the same name within your paste file it doesn't really matter
[02:59] <agrebennikov> meaning I can continue using the same oslo_middleware:SSLMiddleware.factory in the next releases?
[03:00] <jamielennox> it'll still work up to master, it's just deprecated in favour of the http_proxy_to_wsgi one
[03:00] <jamielennox> probably removal in Ocata at a guess
[03:03] <agrebennikov> all right jamielennox, you actually resolved the issue I was struggling with for almost 6 hours, trying to dig into pecan and find out how it transforms the protocol))
[03:03] <agrebennikov> I Really appreciate it!
[03:03] <jamielennox> agrebennikov: heh, everyone has those days - any time
[03:04] <agrebennikov> so let me go ahead and change the automation so that it can set it up properly.... Thanks a lot!
[03:06] <agrebennikov> have a great day jamielennox :)
[03:06] <jamielennox> agrebennikov: thanks - you too
[21:41] <openstackgerrit> Douglas Mendizábal proposed openstack/python-barbicanclient: Update mailmap for Douglas Mendizábal https://review.openstack.org/318346