Mario_ | did you check the firewall? | 00:00 |
---|---|---|
jamielennox | ergghh, xml is broken | 00:06 |
*** esmute has quit IRC | 00:06 | |
jamielennox | did we decide if we are able to deprecate it properly? | 00:06 |
*** david-lyle has joined #openstack-keystone | 00:09 | |
morganfainberg | jamielennox, did it get undeprecated w/ v2? | 00:10 |
jamielennox | morganfainberg: oh it's done already? | 00:10 |
morganfainberg | jamielennox, v2 is undeprecated for I release | 00:10 |
jamielennox | yea, but the xml middleware? | 00:11 |
morganfainberg | not sure | 00:11 |
*** Trozz has joined #openstack-keystone | 00:19 | |
*** Trozz has left #openstack-keystone | 00:20 | |
ayoung | morganfainberg, that looks OK as far as it goes, but we need to pull the mock stuff out of those tests and put it somehow into the setup. I don't like that the LDAP tests run against Fake are so different from the Live tests. | 00:21 |
ayoung | but we won't | 00:22 |
ayoung | I suspect not, anyway | 00:22 |
ayoung | if we do, then it would be | 00:22 |
ayoung | /auth/x509 or /auth/SAML | 00:22 |
openstackgerrit | Jamie Lennox proposed a change to openstack/keystone: Make service catalog include service name https://review.openstack.org/78127 | 00:26 |
*** browne has quit IRC | 00:32 | |
Mario_ | does anyone got keystone able to connect to ldap? and to the dashboard | 00:36 |
*** marcoemorais has quit IRC | 00:47 | |
*** marcoemorais has joined #openstack-keystone | 00:48 | |
ayoung | Mario_, I think I might have seen it once or twice. | 00:51 |
openstackgerrit | Steve Martinelli proposed a change to openstack/python-keystoneclient: Example Initialization scripts https://review.openstack.org/82687 | 01:06 |
*** marcoemorais has quit IRC | 01:09 | |
*** vhoward- has joined #openstack-keystone | 01:11 | |
*** vhoward has quit IRC | 01:12 | |
*** bknudson has quit IRC | 01:12 | |
*** harlowja has quit IRC | 01:12 | |
*** dolphm has quit IRC | 01:12 | |
*** zigo has quit IRC | 01:12 | |
*** amerine has quit IRC | 01:12 | |
*** sudorandom has quit IRC | 01:12 | |
*** marekd|away has quit IRC | 01:12 | |
openstackgerrit | Steve Martinelli proposed a change to openstack/python-keystoneclient: Add list function to services v3 https://review.openstack.org/83263 | 01:13 |
*** derek_c has joined #openstack-keystone | 01:14 | |
*** browne has joined #openstack-keystone | 01:16 | |
*** harlowja has joined #openstack-keystone | 01:17 | |
*** stevemar has quit IRC | 01:18 | |
*** derek_c has quit IRC | 01:19 | |
*** browne has quit IRC | 01:22 | |
morganfainberg | ayoung, those tests are testing not LDAP stuff | 01:24 |
morganfainberg | ayoung, they are testing the get_connection code. | 01:24 |
ayoung | oh, are they? Hmmm... OK | 01:25 |
ayoung | I'm still doing LaTeX | 01:25 |
ayoung | need to explain to our Support groups all about Havana and Icehouse. | 01:25 |
morganfainberg | ayoung, yeah. it's validating that we call __init__ on the ldap handler with chase_referrals=False and that we don't call simple_bind_s if no password | 01:25 |
ayoung | ah | 01:25 |
morganfainberg | ayoung, aha, good luck with that! | 01:26 |
ayoung | we have smart people | 01:26 |
morganfainberg | ayoung, i'm sure. doesn't mean a good luck isn't warranted (i didn't mean it sarcastically) | 01:26 |
morganfainberg | time to reverify the SQLite change again. | 01:27 |
ayoung | Heh...thanks. I never had to learn LaTeX before, but I like it | 01:27 |
ayoung | Beats powerpoint | 01:27 |
morganfainberg | ayoung, ++ | 01:32 |
morganfainberg | ayoung, next presentation i'm thinking of using impress.js | 01:32 |
ayoung | USE TEX! | 01:32 |
ayoung | I'll give you my slides | 01:32 |
morganfainberg | ayoung, hehe i'll bug you when i need to do my next presentation | 01:33 |
morganfainberg | but for now... | 01:33 |
morganfainberg | not soon | 01:33 |
ayoung | Dude, it's like writing code | 01:33 |
ayoung | but without a bknudson code review to hold you up | 01:33 |
morganfainberg | ayoung, LOL | 01:33 |
ayoung | I even use GIT! | 01:33 |
morganfainberg | ayoung, or the gate rechecks? | 01:33 |
* ayoung does an interim checking now | 01:33 | |
morganfainberg | ayoung, doesn't help for reverifys | 01:34 |
ayoung | morganfainberg, I figured out how to pull the diagrams out into their own files, so I can even re-use them in future presentations....it's what I've needed for presentations for a long time | 01:35 |
morganfainberg | ayoung, awesome | 01:36 |
ayoung | morganfainberg, http://admiyo.fedorapeople.org/openstack/keystone/keystone-hij.pdf see how pretty | 01:37 |
ayoung | Ooh, reminds me, I need a "fixing things with the ADMIN_TOKEN" slide | 01:39 |
*** david-lyle has quit IRC | 01:46 | |
jamielennox | ayoung, morganfainberg: ugh, so i've got a situation in auth_token where the current behaviour means that if you specify an admin_token in the CONF as well as a user/pass and the admin_token is wrong | 01:49 |
*** bknudson has joined #openstack-keystone | 01:49 | |
*** amerine has joined #openstack-keystone | 01:49 | |
*** dolphm has joined #openstack-keystone | 01:49 | |
*** zigo has joined #openstack-keystone | 01:49 | |
*** sudorandom has joined #openstack-keystone | 01:49 | |
*** marekd|away has joined #openstack-keystone | 01:49 | |
*** dickson.freenode.net sets mode: +o dolphm | 01:49 | |
jamielennox | then it will erase the admin_token and re-attempt with the user/pass | 01:49 |
ayoung | HA! | 01:49 |
jamielennox | is this behaviour i need to maintain? | 01:49 |
ayoung | jamielennox, why not? | 01:49 |
jamielennox | ayoung: because it works easily enough now when you are dealing with tokens directly | 01:50 |
jamielennox | but when you go to auth plugins there isn't exactly a fallback | 01:50 |
ayoung | jamielennox, maybe admin_token should be a different method | 01:50 |
ayoung | or different auth_plugin | 01:50 |
jamielennox | ayoung: it is a different auth_plugin | 01:50 |
ayoung | So, yeah, no fall back required | 01:51 |
jamielennox | but that's the problem | 01:51 |
ayoung | you can break the existing behavior | 01:51 |
jamielennox | because it is a different plugin there is no real way to do a fallback | 01:51 |
ayoung | is this going to break the CLI? | 01:51 |
jamielennox | what i *could* do is create a new plugin that straddles both methods - but i'm just not sure it's worth it | 01:52 |
jamielennox | ayoung: no this is auth_token | 01:52 |
ayoung | ah...my guess is that in auth_token, we should not even bother with admin token. | 01:52 |
ayoung | that should be honored only by Keystone | 01:52 |
jamielennox | ayoung: you can use admin tokens in auth_token - you've always been able to | 01:53 |
jamielennox | that's a much bigger change | 01:53 |
ayoung | but don't you need to choose which to use? Or, just that you need to pick one based on what comes in the token? If the token has admin_token, use it and only it, I would say is proper | 01:54 |
ayoung | admin_token masks userid/pass when using the CLI anyway | 01:54 |
jamielennox | ayoung: token? | 01:55 |
*** derek_c has joined #openstack-keystone | 01:56 | |
jamielennox | ayoung: this is all based on the CONF file and the paste file when other services configure keystoneclient middleware | 01:56 |
jamielennox | you build auth mechanisms based on what is available | 01:56 |
jamielennox | you can either do an admin token or v2 user/pass | 01:56 |
ayoung | jamielennox, this is for getting the revocation list from keystone? | 01:56 |
ayoung | and certs etc? | 01:56 |
jamielennox | ayoung: that and UUID tokens | 01:57 |
ayoung | admin_token trumps. | 01:57 |
jamielennox | that's what i thought | 01:57 |
ayoung | if admin_token is wrong, error out is fine | 01:57 |
jamielennox | but if you specify both then it will fallback to user/pass if the admin token is wrong | 01:57 |
*** esmute has joined #openstack-keystone | 02:02 | |
openstackgerrit | A change was merged to openstack/keystone: code hygiene; use six.text_type, escape regexp's, use key function https://review.openstack.org/82396 | 02:08 |
openstackgerrit | A change was merged to openstack/keystone: Add placeholders for reserved migrations https://review.openstack.org/70153 | 02:08 |
openstackgerrit | A change was merged to openstack/keystone: Add a space after the hash for block comments https://review.openstack.org/78116 | 02:16 |
*** stevemar has joined #openstack-keystone | 02:16 | |
*** harlowja is now known as harlowja_away | 02:19 | |
*** david-lyle has joined #openstack-keystone | 02:28 | |
Mario_ | somebody helps what's wrong with this " Authorization failed. Invalid user / password from 192.x.x.x" | 02:28 |
Mario_ | in the ldap but I used to display in the keystone command all the users | 02:29 |
ayoung | Mario_, you probably used the Keystone admin_token to list users. | 02:32 |
ayoung | Mario_, Authorization failed. Invalid user / password from 192.x.x.x is probably using userid and password. There is also a special "admin_token" field at the start of the keystone conf that can be used to talk to keystone. But also, there is an admin user for talking to LDAP | 02:33 |
ayoung | to authenticate an end user, it does a Simple Bind against the server. | 02:34 |
*** harlowja_away is now known as harlowja | 02:37 | |
*** gyee has quit IRC | 02:37 | |
*** devlaps has quit IRC | 02:46 | |
*** zhiyan_ is now known as zhiyan | 02:48 | |
*** mberlin has quit IRC | 02:48 | |
*** ayoung has quit IRC | 02:51 | |
*** mberlin has joined #openstack-keystone | 03:04 | |
Mario_ | ayoung, i already configured to use the admin_token and the ldap... they are able to communicate as I can list all the users of the ldap | 03:06 |
*** derek_c has quit IRC | 03:06 | |
Mario_ | ayoung, but seems the problem is on the keystone, extraction of the password from the ldap. Coz if i use non-existing user, i got this "Authorization failed. Could not find user, user1" | 03:14 |
Mario_ | as observed the password in mysql is started with "$6$rounds=40000$" while on the ldap is different using standard algorithm | 03:16 |
Mario_ | mine is using ssha on the ldap, and I am able to list all users using this command -> "keystone --os-token mytokenpass --os-endpoint http://localhost:35357/v2.0/ user-list" or using tenant-list, role-list | 03:18 |
Mario_ | referring to the ldap user | 03:19 |
*** derek_c has joined #openstack-keystone | 03:25 | |
*** derek_c has quit IRC | 03:39 | |
*** devlaps has joined #openstack-keystone | 03:40 | |
*** harlowja is now known as harlowja_away | 03:47 | |
*** chandan_kumar has joined #openstack-keystone | 03:52 | |
*** derek_c has joined #openstack-keystone | 04:02 | |
*** topol has joined #openstack-keystone | 04:32 | |
*** chandan_kumar has quit IRC | 04:34 | |
*** saju_m has joined #openstack-keystone | 04:39 | |
*** amerine has quit IRC | 05:21 | |
*** amerine has joined #openstack-keystone | 05:23 | |
*** chandan_kumar has joined #openstack-keystone | 05:30 | |
*** kun_huang has joined #openstack-keystone | 05:44 | |
kun_huang | hi guys, which is the simplest way to verify admin endpoint (5000 or 35357) | 05:46 |
*** devlaps has quit IRC | 05:55 | |
*** devlaps has joined #openstack-keystone | 06:00 | |
openstackgerrit | Jenkins proposed a change to openstack/keystone: Imported Translations from Transifex https://review.openstack.org/83297 | 06:00 |
*** saju_m has quit IRC | 06:07 | |
*** amcrn has quit IRC | 06:13 | |
*** derek_c has quit IRC | 06:27 | |
*** gokrokve has joined #openstack-keystone | 06:35 | |
*** derek_c has joined #openstack-keystone | 06:50 | |
*** saju_m has joined #openstack-keystone | 06:51 | |
openstackgerrit | Steve Martinelli proposed a change to openstack/python-keystoneclient: Example Initialization scripts https://review.openstack.org/82687 | 07:10 |
*** derek_ has joined #openstack-keystone | 07:11 | |
*** derek_ has quit IRC | 07:13 | |
*** devlaps has quit IRC | 07:16 | |
openstackgerrit | Steve Martinelli proposed a change to openstack/python-keystoneclient: Add request/access token and consumer support for keystoneclient https://review.openstack.org/81980 | 07:17 |
openstackgerrit | Steve Martinelli proposed a change to openstack/python-keystoneclient: Authenticate via oauth https://review.openstack.org/81981 | 07:18 |
openstackgerrit | Steve Martinelli proposed a change to openstack/python-keystoneclient: Add example script for oauth1 functions https://review.openstack.org/80193 | 07:18 |
*** jaosorior has joined #openstack-keystone | 07:22 | |
openstackgerrit | Steve Martinelli proposed a change to openstack/python-keystoneclient: Add example script for oauth1 functions https://review.openstack.org/80193 | 07:26 |
*** topol has quit IRC | 07:29 | |
*** stevemar has quit IRC | 07:35 | |
*** derek_c has quit IRC | 07:39 | |
*** kun_huang has quit IRC | 07:43 | |
*** flaper87|afk is now known as flaper87 | 07:53 | |
*** gokrokve has quit IRC | 07:56 | |
*** gokrokve has joined #openstack-keystone | 07:56 | |
*** gokrokve has quit IRC | 08:01 | |
*** gokrokve has joined #openstack-keystone | 08:27 | |
*** andreaf has joined #openstack-keystone | 08:28 | |
*** gokrokve_ has joined #openstack-keystone | 08:29 | |
*** gokrokv__ has joined #openstack-keystone | 08:31 | |
*** jamielennox is now known as jamielennox|away | 08:32 | |
*** gokrokve has quit IRC | 08:32 | |
*** gokrokve_ has quit IRC | 08:34 | |
*** gokrokv__ has quit IRC | 08:36 | |
*** saju_m has quit IRC | 08:43 | |
*** saju_m has joined #openstack-keystone | 08:56 | |
*** amcrn has joined #openstack-keystone | 09:01 | |
*** leseb has joined #openstack-keystone | 09:13 | |
*** saju_m has quit IRC | 09:16 | |
*** saju_m has joined #openstack-keystone | 09:28 | |
*** gokrokve has joined #openstack-keystone | 09:32 | |
*** gokrokve has quit IRC | 09:36 | |
*** bvandenh has joined #openstack-keystone | 09:37 | |
*** kun_huang has joined #openstack-keystone | 09:41 | |
*** leseb has quit IRC | 09:43 | |
*** amcrn has quit IRC | 09:44 | |
*** leseb has joined #openstack-keystone | 10:12 | |
*** saju_m has quit IRC | 10:24 | |
openstackgerrit | Marek Denis proposed a change to openstack/python-keystoneclient: Add CRUD operations for Identity Providers. https://review.openstack.org/83337 | 10:24 |
*** YorikSar has quit IRC | 10:25 | |
*** YorikSar has joined #openstack-keystone | 10:28 | |
*** gokrokve has joined #openstack-keystone | 10:29 | |
openstackgerrit | Marek Denis proposed a change to openstack/python-keystoneclient: Add CRUD operations for Identity Providers. https://review.openstack.org/83337 | 10:30 |
*** gokrokve has quit IRC | 10:34 | |
*** marekd|away is now known as marekd | 10:35 | |
*** bvandenh has quit IRC | 10:40 | |
*** kun_huang has quit IRC | 10:43 | |
marekd | jamielennox|away: ^^ would you take a look at it? | 10:46 |
*** flaper87 is now known as flaper87|afk | 10:48 | |
*** bvandenh has joined #openstack-keystone | 10:53 | |
openstackgerrit | Marek Denis proposed a change to openstack/python-keystoneclient: Add CRUD operations for Identity Providers. https://review.openstack.org/83337 | 10:55 |
*** kun_huang has joined #openstack-keystone | 10:59 | |
*** david-lyle has quit IRC | 11:03 | |
marekd | Any git master available here and now? | 11:11 |
*** saju_m has joined #openstack-keystone | 11:14 | |
*** leseb has quit IRC | 11:19 | |
*** morganfainberg is now known as morganfainberg_Z | 11:19 | |
*** leseb has joined #openstack-keystone | 11:19 | |
*** kun_huang has quit IRC | 11:21 | |
*** leseb has quit IRC | 11:24 | |
*** YorikSar has quit IRC | 11:31 | |
*** YorikSar has joined #openstack-keystone | 11:33 | |
*** saju_m has quit IRC | 11:33 | |
*** saju_m has joined #openstack-keystone | 11:36 | |
*** kun_huang has joined #openstack-keystone | 11:49 | |
*** kun_huang has quit IRC | 11:55 | |
*** gokrokve has joined #openstack-keystone | 12:09 | |
*** jaosorior has quit IRC | 12:10 | |
*** gokrokve has quit IRC | 12:14 | |
*** leseb has joined #openstack-keystone | 12:14 | |
*** leseb has quit IRC | 12:19 | |
*** topol has joined #openstack-keystone | 12:20 | |
*** browne has joined #openstack-keystone | 12:26 | |
*** gokrokve has joined #openstack-keystone | 12:29 | |
*** gokrokve has quit IRC | 12:34 | |
dstanek | hey marekd | 12:44 |
dstanek | marekd: i'm no master, but i can try to help if you are still having an issue | 12:44 |
openstackgerrit | Dolph Mathews proposed a change to openstack/keystone: Remove extraenous instantiations of managers https://review.openstack.org/81720 | 12:46 |
openstackgerrit | Dolph Mathews proposed a change to openstack/keystone: Use in-memory SQLite for testing https://review.openstack.org/82917 | 12:46 |
openstackgerrit | Dolph Mathews proposed a change to openstack/keystone: Use in-memory SQLite for sql migration tests https://review.openstack.org/82918 | 12:46 |
dolphm | marekd: more importantly, if you don't actually ask a question, *no one* can help :P | 12:46 |
*** leseb has joined #openstack-keystone | 12:47 | |
marekd | dstanek: Hi! So I am adding 3 parts to the keystoneclient - IdP CRUD, mapping CRUD, protocols CRUD. Already added IdP CRUD code, and by that I also created 'base structure' for all the parts, e.g. v3/contrib/federation, files like __init__.py, core.py etc. Now, as I want to add, say mapping, and make the IdPs as a dependency I shall just fetch patch with IdPs, checkout to new branch, add mapping related stuff and commit with new commit me | 12:48 |
marekd | dolphm: right, but already learned that asking the question without pinging somebody doesn't really work :P | 12:49 |
dolphm | marekd: sure it does - that's the beauty of IRC! there's more than just one person in the channel! | 12:51 |
dolphm | marekd: keep your patches small! you can use `git review -d ######` to checkout a specific review, make commits on top of it, and then `git review` again to propose a series of commits back to gerrit | 12:52 |
*** dims_ has quit IRC | 12:52 | |
*** andrew_______ has joined #openstack-keystone | 12:53 | |
marekd | dolphm: that's what i am trying to do, so there is already: https://review.openstack.org/#/c/83337/ | 12:53 |
marekd | now i want to create another patch for mappings, but make the 1st one as a dependency, so I don't need to create structure again (directories, __init__.py etc) | 12:53 |
dolphm | marekd: looks good, so you'd have a review that's dependent on that one to add mapping | 12:53 |
dolphm | marekd: git review -d 83337; vi keystoneclient/v3/contrib/federation/mapping.py; git commit; git review | 12:54 |
*** wchrisj has joined #openstack-keystone | 12:56 | |
dolphm | marekd: which checks out a local branch based on what's in gerrit, creates a commit in that branch, and then submits both reviews back to gerrit (rebased onto the latest master) | 12:56 |
*** bknudson has quit IRC | 12:58 | |
andrew_______ | i'm doing an initial install of keystone and in my first tenant-create, i am getting "Invalid OpenStack Identity credentials". is there a logfile somewhere that would give me more details? | 12:58 |
marekd | dolphm: but it will then update the first patchset, right? | 12:58 |
dolphm | marekd: only by rebasing it | 12:59 |
dolphm | marekd: if you want to avoid that (and there's no reason not to, unless it's already gating), just use --no-rebase at the end | 12:59 |
dstanek | marekd: had to quickly drive the kids to school, but i see dolphm's got it covered | 12:59 |
marekd | dolphm: no, i want to get another Change-Id... | 12:59 |
dolphm | andrew_______: if debug is enabled in keystone, the error message might change, and keystone's log should have some details | 12:59 |
marekd | dolphm: so i have two patchsets: one for IdPs, one for mappings... | 13:00 |
dolphm | marekd: you'll get a second Change-Id before you upload to gerrit (when you git commit) | 13:00 |
marekd | dolphm: a, ok then :-) | 13:00 |
dolphm | marekd: in other words, don't git commit --amend, just git commit | 13:00 |
marekd | dolphm: OK~ | 13:00 |
dolphm | you can verify with git log -n 2 before you git review | 13:00 |
marekd | dolphm:uhm | 13:00 |
andrew_______ | how would i enable debug? (i installed the regular binaries via yum install.) | 13:00 |
andrew_______ | and where is the log? | 13:01 |
dolphm | andrew_______: set debug=true in /etc/keystone/keystone.conf | 13:01 |
dolphm | andrew_______: the path to the log would be configured there as well | 13:01 |
dolphm | andrew_______: i'm not sure where the yum packages put it | 13:01 |
marekd | dolphm: ok, thanks for your help! | 13:02 |
* dolphm wanders off to produce release notes for icehouse :( #paperwork | 13:03 | |
marekd | dstanek: no worries :-) | 13:03 |
*** dims_ has joined #openstack-keystone | 13:05 | |
andrew_______ | dolphm: thanks | 13:05 |
*** flaper87|afk is now known as flaper87 | 13:11 | |
andrew_______ | in my initial tenant-create, it fails because my request "requires authentication". what is it asking for, exactly? | 13:14 |
*** bknudson has joined #openstack-keystone | 13:18 | |
*** joesavak has joined #openstack-keystone | 13:28 | |
*** wchrisj has quit IRC | 13:28 | |
*** gokrokve has joined #openstack-keystone | 13:29 | |
*** gokrokve has quit IRC | 13:34 | |
*** chandankumar_ has joined #openstack-keystone | 13:35 | |
*** ayoung has joined #openstack-keystone | 13:36 | |
*** nkinder has quit IRC | 13:47 | |
*** thedodd has joined #openstack-keystone | 13:48 | |
*** jaosorior has joined #openstack-keystone | 13:55 | |
*** zigo has quit IRC | 14:01 | |
*** zigo has joined #openstack-keystone | 14:03 | |
*** topol has quit IRC | 14:09 | |
dolphm | just pushed keystoneclient 0.7.1 to pypi with the v2.0 -> v3 hack | 14:13 |
dolphm | https://pypi.python.org/pypi/python-keystoneclient/ | 14:13 |
*** stevemar has joined #openstack-keystone | 14:13 | |
openstackgerrit | John Dennis proposed a change to openstack/keystone: Expand the use of non-ascii values in ldap test https://review.openstack.org/82399 | 14:24 |
openstackgerrit | John Dennis proposed a change to openstack/keystone: Properly handle unicode & utf-8 in LDAP https://review.openstack.org/82398 | 14:24 |
openstackgerrit | John Dennis proposed a change to openstack/keystone: Refactor LDAP API https://review.openstack.org/82397 | 14:24 |
*** david-lyle has joined #openstack-keystone | 14:28 | |
*** dims_ is now known as dims | 14:28 | |
*** dims is now known as Guest68499 | 14:28 | |
*** Guest68499 has quit IRC | 14:29 | |
*** gokrokve has joined #openstack-keystone | 14:29 | |
*** dims_ has joined #openstack-keystone | 14:29 | |
*** gokrokve has quit IRC | 14:34 | |
*** nkinder has joined #openstack-keystone | 14:38 | |
*** leseb_ has joined #openstack-keystone | 14:38 | |
openstackgerrit | John Dennis proposed a change to openstack/keystone: Expand the use of non-ascii values in ldap test https://review.openstack.org/82399 | 14:40 |
openstackgerrit | John Dennis proposed a change to openstack/keystone: Properly handle unicode & utf-8 in LDAP https://review.openstack.org/82398 | 14:40 |
openstackgerrit | John Dennis proposed a change to openstack/keystone: Refactor LDAP API https://review.openstack.org/82397 | 14:40 |
*** leseb has quit IRC | 14:42 | |
*** andreaf has quit IRC | 14:45 | |
*** chandankumar_ has quit IRC | 14:46 | |
*** topol has joined #openstack-keystone | 14:48 | |
*** devlaps has joined #openstack-keystone | 14:51 | |
*** gokrokve has joined #openstack-keystone | 14:52 | |
*** gokrokve_ has joined #openstack-keystone | 14:52 | |
*** chandankumar_ has joined #openstack-keystone | 14:53 | |
openstackgerrit | A change was merged to openstack/keystone: Remove extraenous instantiations of managers https://review.openstack.org/81720 | 14:53 |
*** gokrokve has quit IRC | 14:56 | |
*** packet has quit IRC | 14:57 | |
*** jagee has joined #openstack-keystone | 15:01 | |
bknudson | I want to propose for Juno that we don't sync modules from oslo-incubator | 15:10 |
bknudson | all or nothing. | 15:10 |
bknudson | I think morganfainberg_Z had a patch up to sync all of oslo-incubator... | 15:10 |
dolphm | everyone should read http://lists.openstack.org/pipermail/openstack/2014-March/006238.html | 15:14 |
dolphm | i also just realized i capitalized PyPI wrong, twice | 15:16 |
dolphm | meh | 15:16 |
bknudson | this could be the most anticipated release of python-keystoneclient yet. | 15:24 |
*** chandankumar_ has quit IRC | 15:24 | |
dstanek | so we have this blueprint for py3kcompat which the drafter really says it's about using six - should i make a new one or update that one to be more general? | 15:25 |
dstanek | i was thinking first-class-python3-support | 15:25 |
bknudson | dstanek: in keystone or keystoneclient? | 15:26 |
dstanek | bknudson: keystone | 15:27 |
bknudson | six is a part of the work, and the libs are another part... I'd say a new blueprint could be used for the libs. | 15:28 |
*** kun_huang has joined #openstack-keystone | 15:30 | |
dolphm | bknudson: ++ it's a bigger relief to me to get that out the door than icehouse itself! | 15:34 |
*** kun_huang has quit IRC | 15:38 | |
*** gyee has joined #openstack-keystone | 15:41 | |
*** david_lyle_ has joined #openstack-keystone | 15:43 | |
*** saju_m has quit IRC | 15:44 | |
*** david-lyle has quit IRC | 15:46 | |
*** gokrokve_ has quit IRC | 16:00 | |
*** gokrokve has joined #openstack-keystone | 16:00 | |
dstanek | just created https://blueprints.launchpad.net/keystone/+spec/python3 to track the fun! | 16:02 |
*** gokrokve_ has joined #openstack-keystone | 16:03 | |
*** andreaf has joined #openstack-keystone | 16:04 | |
*** gokrokve has quit IRC | 16:05 | |
*** dims_ has quit IRC | 16:10 | |
*** zhiyan is now known as zhiyan_ | 16:16 | |
*** marcoemorais has joined #openstack-keystone | 16:16 | |
*** zhiyan_ is now known as zhiyan | 16:16 | |
*** dims_ has joined #openstack-keystone | 16:25 | |
openstackgerrit | Jenkins proposed a change to openstack/keystone: Updated from global requirements https://review.openstack.org/82231 | 16:33 |
*** zigo has quit IRC | 16:41 | |
*** amcrn has joined #openstack-keystone | 16:43 | |
dolphm | ayoung: http://www.meetup.com/Alamo-City-Python-Group/events/173759942/?a=ea1_grp&rv=ea1 | 16:49 |
*** leseb_ has quit IRC | 16:49 | |
*** leseb has joined #openstack-keystone | 16:50 | |
*** wchrisj has joined #openstack-keystone | 16:52 | |
*** leseb has quit IRC | 16:54 | |
marekd | stevemar: jamielennox|away: some initial comments very much appreciated: https://review.openstack.org/#/c/83337/3 :-) | 16:58 |
*** marekd is now known as marekd|away | 16:58 | |
stevemar | marekd|away, i'm actually reviewing it now | 16:58 |
dstanek | dolphm: if that were only a little closer | 16:59 |
dolphm | dstanek: it'll be a bit closer to you when it's at pycon :P | 16:59 |
dstanek | dolphm: nah, no pycon for me this year; too much going on | 16:59 |
*** harlowja_away is now known as harlowja | 17:08 | |
*** leseb has joined #openstack-keystone | 17:09 | |
ayoung | dolphm, can you please attend? | 17:09 |
*** thedodd has quit IRC | 17:09 | |
ayoung | dolphm, I'm kind of astounded that no one has started a M2-py33 port | 17:12 |
*** amcrn has quit IRC | 17:13 | |
*** bvandenh has quit IRC | 17:20 | |
dolphm | ayoung: i'm planning on it | 17:24 |
dolphm | ayoung: it's not great timing for me, though :-/ | 17:25 |
dolphm | ayoung: superficially, the cryptography package appears to be fairly well done | 17:25 |
ayoung | dolphm, I forwarded it to edewata, the Dogtag dev that lives in Austin. He's going to try to make it, too. | 17:26 |
dolphm | ayoung: cool! | 17:26 |
*** leseb has quit IRC | 17:26 | |
*** morganfainberg_Z is now known as morganfainberg | 17:26 | |
*** bada has quit IRC | 17:28 | |
*** arborism has joined #openstack-keystone | 17:30 | |
*** david_lyle_ is now known as david_lyle | 17:31 | |
*** dims_ has quit IRC | 17:32 | |
*** zigo has joined #openstack-keystone | 17:39 | |
*** zhiyan is now known as zhiyan_ | 17:40 | |
morganfainberg | ayoung, dolphm, when is pycon? | 17:41 |
ayoung | next week? | 17:41 |
morganfainberg | ayoung, ah | 17:41 |
bknudson | https://us.pycon.org/2014/ | 17:42 |
morganfainberg | i knew i was forgetting a conference this year >.< | 17:42 |
ayoung | 9-17 | 17:42 |
bknudson | PyCon 2014 is sold out! | 17:42 |
bknudson | back on Feb 17 | 17:42 |
bknudson | looks like you need to sign up early | 17:42 |
morganfainberg | like i said. knew i was missing a conf :( | 17:42 |
morganfainberg | i was planning on going. | 17:42 |
ayoung | It's like Burning Man, noly for programmers | 17:42 |
ayoung | only | 17:42 |
morganfainberg | ah well, budget wasn't going to play nice with it. | 17:43 |
morganfainberg | as in, i didn't want to jump through hoops for approvals | 17:43 |
morganfainberg | bknudson, ++ on only syncing the whole oslo-incubator! | 17:43 |
morganfainberg | bknudson, that would make me happier than trying to resolve individual modules | 17:43 |
morganfainberg | unless we have an explicit need for a specific bug fix | 17:44 |
bknudson | morganfainberg: I thought you had a patch to do that ... wasn't too much change? | 17:44 |
morganfainberg | bknudson, it was a while back, we should do it from scratch instead i think. | 17:45 |
morganfainberg | bknudson, it was when i was resolving sample_config automation things | 17:45 |
bknudson | ok, if I get a chance I'll take a look at it. | 17:45 |
morganfainberg | bknudson, if not i'll try and get something up this weekend / early next week | 17:45 |
*** gokrokve has joined #openstack-keystone | 17:46 | |
*** dims_ has joined #openstack-keystone | 17:47 | |
openstackgerrit | Morgan Fainberg proposed a change to openstack/keystone: Fix assertEqual arguments order(auth_plugin, backend, backend_sql, etc) https://review.openstack.org/75851 | 17:50 |
*** gokrokve_ has quit IRC | 17:50 | |
openstackgerrit | Morgan Fainberg proposed a change to openstack/keystone: Fix assertEqual arguments order(auth_plugin, backend, backend_sql, etc) https://review.openstack.org/75851 | 17:52 |
*** dims_ has quit IRC | 17:57 | |
*** arborism has quit IRC | 18:04 | |
*** gokrokve has quit IRC | 18:05 | |
*** gokrokve has joined #openstack-keystone | 18:06 | |
*** gokrokve_ has joined #openstack-keystone | 18:09 | |
*** thedodd has joined #openstack-keystone | 18:09 | |
*** gokrokve has quit IRC | 18:11 | |
*** dims has joined #openstack-keystone | 18:11 | |
*** gokrokve_ has quit IRC | 18:13 | |
*** flaper87 is now known as flaper87|afk | 18:13 | |
*** gokrokve has joined #openstack-keystone | 18:14 | |
*** nachi has joined #openstack-keystone | 18:29 | |
*** gokrokve has quit IRC | 18:33 | |
*** gokrokve has joined #openstack-keystone | 18:34 | |
*** gokrokve has quit IRC | 18:38 | |
bknudson | Ever seen this when running the tests? "Your configuration specifies to merge with the ref 'master'" | 18:46 |
*** vhoward- has left #openstack-keystone | 18:48 | |
*** nachi has quit IRC | 18:50 | |
*** jaosorior has quit IRC | 18:50 | |
openstackgerrit | Brant Knudson proposed a change to openstack/keystone: Templated v3 catalog https://review.openstack.org/70630 | 18:56 |
*** derek_c has joined #openstack-keystone | 19:04 | |
openstackgerrit | Brant Knudson proposed a change to openstack/keystone: Templated v3 catalog https://review.openstack.org/70630 | 19:06 |
*** ayoung has quit IRC | 19:23 | |
dolphm | just finished the icehouse release notes if anyone wants to provide feedback https://wiki.openstack.org/wiki/ReleaseNotes/Icehouse#OpenStack_Identity_.28Keystone.29 | 19:25 |
dolphm | i put it on the meeting agenda for next week as well | 19:25 |
openstackgerrit | Brant Knudson proposed a change to openstack/keystone: Add localized response test https://review.openstack.org/70610 | 19:36 |
openstackgerrit | Brant Knudson proposed a change to openstack/keystone: Add localized response test https://review.openstack.org/70610 | 19:38 |
openstackgerrit | Brant Knudson proposed a change to openstack/keystone: Remove noqa form import _s https://review.openstack.org/83551 | 19:43 |
*** derek_c has quit IRC | 19:45 | |
*** derek_c has joined #openstack-keystone | 20:03 | |
*** harlowja is now known as harlowja_away | 20:03 | |
dstanek | morganfainberg: i am so sad, py3 is tragic | 20:06 |
openstackgerrit | Brant Knudson proposed a change to openstack/keystone: Safer noqa handling https://review.openstack.org/83563 | 20:09 |
*** amcrn has joined #openstack-keystone | 20:11 | |
*** wwriverrat has joined #openstack-keystone | 20:11 | |
openstackgerrit | David Stanek proposed a change to openstack/keystone: Make the py33 Jenkins job happy https://review.openstack.org/83565 | 20:12 |
bknudson | v3 of anything never works out... py3, identity v3, nova v3. | 20:12 |
bknudson | should just jump to v4 | 20:13 |
dstanek | bknudson: for reals? that makes the whole file unchecked? | 20:13 |
bknudson | dstanek: that's what happened for me... https://review.openstack.org/#/c/83551/1/keystone/common/dependency.py | 20:14 |
bknudson | dstanek: removed the `# flake8: noqa` and then it noticed that there was only 1 line between functions | 20:14 |
dstanek | bknudson: wow, that makes me want to rip out 'flake8: ' entirely | 20:15 |
bknudson | dstanek: that seems reasonable... the only places it's used now are on the __init__.py that import and don't use... | 20:16 |
dstanek | bknudson: https://pypi.python.org/pypi/flake8 | 20:16 |
bknudson | we'd have to #noqa all the lines. | 20:16 |
bknudson | dstanek: I thought that doc meant that if # flake8: noqa was on a line by itself then the file is ignored. | 20:16 |
bknudson | but apparently it's anywhere on a line | 20:17 |
bknudson | dstanek: also, `# noqa` doesn't work with everything. | 20:17 |
bknudson | dstanek: https://review.openstack.org/#/c/83563/1/keystone/catalog/backends/sql.py | 20:17 |
bknudson | the flake8 test has to explicitly check for `# noqa` and not all of them do | 20:18 |
dstanek | bknudson: for that one it may need to be on 254 where the statement begins | 20:18 |
dstanek | bknudson: ah, good to know | 20:18 |
*** ayoung has joined #openstack-keystone | 20:19 | |
dstanek | bknudson: i would have expected the flake8 framework to deal with that instead of each check | 20:19 |
bknudson | I didn't try putting it on a different line... | 20:20 |
*** leseb has joined #openstack-keystone | 20:21 | |
*** packet has joined #openstack-keystone | 20:21 | |
bknudson | dstanek: enabled_is_true = Endpoint.enabled == True # noqa | 20:24 |
bknudson | still fails... not sure what the deal is. | 20:24 |
bknudson | dstanek: https://github.com/jcrocholl/pep8/blob/master/pep8.py#L958 | 20:24 |
bknudson | dstanek: but my version is like "match = COMPARE_SINGLETON_REGEX.search(logical_line)" | 20:25 |
bknudson | so fixed in a newer version, maybe. | 20:25 |
*** leseb has quit IRC | 20:34 | |
*** wwriverrat has quit IRC | 20:34 | |
*** harlowja_away is now known as harlowja | 20:35 | |
morganfainberg | bknudson, doesn't it need to be flake8: noqa? i thought noqa was a global file tag? | 20:35 |
bknudson | morganfainberg: "flake8: noqa" is the global file tag. | 20:36 |
bknudson | pep8 is busted. | 20:36 |
bknudson | if noqa or nrows == 1: | 20:36 |
bknudson | noqa is a function | 20:36 |
morganfainberg | bknudson, oh joy | 20:36 |
ayoung | is it possible to source a bash file from python and get the env vars available? | 20:39 |
ayoung | cuz I would really like to have a python script that starts with . ./keystone.rc | 20:39 |
dolphm | ayoung: http://docs.python.org/2/library/os.html#os.environ | 20:40 |
ayoung | dolphm, but is there an equivalent to the bash call . ./keystone.rc? | 20:41 |
ayoung | that library gives access to the vars afterwards | 20:41 |
ayoung | http://stackoverflow.com/questions/3503719/emulating-bash-source-in-python | 20:42 |
*** mspreitz has joined #openstack-keystone | 20:45 | |
mspreitz | anybody having trouble with dbus? | 20:47 |
*** leseb has joined #openstack-keystone | 20:49 | |
dstanek | ayoung: you want to source a python file and have it set variables in your shell? | 20:50 |
openstackgerrit | Morgan Fainberg proposed a change to openstack/keystone: Cleanup ldap tests (mox and reset values) https://review.openstack.org/83235 | 20:50 |
*** amrita has joined #openstack-keystone | 20:51 | |
amrita | Hi folks | 20:51 |
openstackgerrit | Morgan Fainberg proposed a change to openstack/keystone: Cleanup ldap tests (mox and reset values) https://review.openstack.org/83235 | 20:51 |
amrita | my keystone mssql db somehow got washed off y'day | 20:52 |
amrita | and I am trying to recover the cluster back up | 20:52 |
amrita | for now the horizon UI gets an error "unable to retrieve the authorized projects" every time a user tries to log in | 20:53 |
openstackgerrit | Morgan Fainberg proposed a change to openstack/keystone: Enable concurrent testing by default https://review.openstack.org/83584 | 20:53 |
amrita | can you guys - suggest a way to recover the data ? | 20:54 |
amrita | [root@node-23 log]# keystone user-role-list --user amande --tenant admin WARNING: Bypassing authentication using a token & endpoint (authentication credentials are being ignored). An unexpected error prevented the server from fulfilling your request. (ProgrammingError) (1146, "Table 'keystone.user_project_metadata' doesn't exist") 'SELECT user_project_metadata.user_id AS user_project_metadata_user_id, user_project_metadat | 20:54 |
amrita | here is the error i get on the keystone cmdline | 20:54 |
ayoung | dstanek, I got it | 20:55 |
ayoung | http://stackoverflow.com/questions/3503719/emulating-bash-source-in-python dstanek | 20:55 |
Mario_ | hi | 20:56 |
ayoung | I wanted to source keystone.rc | 20:56 |
morganfainberg | amrita, this looks like a case where you'd want to restore from a backup if possible. what happened to get you in this state? | 20:56 |
ayoung | Mario_, did you get it to work | 20:56 |
*** jagee has quit IRC | 20:56 | |
Mario_ | ayoung still having issues | 20:56 |
dstanek | ayoung: ok, looks like you were doing the opposite of what i was thinking | 20:56 |
ayoung | dstanek, yep. I want to reuse the same env var file for a script that is used elsewhere | 20:57 |
amrita | morganfainberg, unfortunately the mssql backup wasn't configured correctly - and hence in this state of mine - i have no way to restore the data from a point | 20:57 |
Mario_ | i think my probs is on the password linking to other services of openstack ayoung | 20:57 |
morganfainberg | amrita, what occurred that caused this? | 20:58 |
amrita | morganfainberg, is there any way that i can manually recreate the tables missing? | 20:58 |
morganfainberg | amrita, did it just disappear? | 20:58 |
ayoung | Mario_, http://adam.younglogic.com/2013/07/troubleshooting-pki-middleware/ | 20:58 |
dstanek | ayoung: i usually just use a wrapper shell script for that | 20:58 |
ayoung | dstanek, how unpythonic | 20:58 |
amrita | morganfainberg, I don't quite know, a reason for sure. Looks like it just disappeared | 20:58 |
morganfainberg | amrita, because that could indicate a larger issue. sure you could recreate the table, but the data would be missing | 20:58 |
dstanek | ayoung: reusable! | 20:59 |
*** derek_c has quit IRC | 20:59 | |
amrita | I did do keystone-manage db_sync - and it didn't create me all the tables | 20:59 |
dstanek | ./script_to_set_env python doit.py | 20:59 |
ayoung | dstanek, I'm actually trying to move away from bash and toward python for my day-to-day scripting for Openstack stuff: make more use of client apis | 20:59 |
Mario_ | ayoung got this on my logs "An unexpected error prevented the server from fulfilling your request. {'info': 'Password: attribute type undefined', 'desc': 'Undefined attribute type'} (HTTP 500)" supposedly to create user in keystone in the ldap | 20:59 |
ayoung | plus token reuse | 20:59 |
morganfainberg | amrita, so you had a running OpenStack deployment, the table disappeared and you tried to recover with db_sync? | 20:59 |
morganfainberg | amrita, since the actual backup is/was broken | 21:00 |
amrita | Yepp | 21:00 |
ayoung | Mario_, are you trying to use an existing LDAP set up, or are you going to have an LDAP server dedicated to Open Stack? | 21:00 |
bknudson | ayoung: http://docs.python.org/2/library/configparser.html ? it parses INI files. | 21:00 |
ayoung | bknudson, yeah, but this bash | 21:00 |
ayoung | export OS_AUTH_URL=http://10.16.17.4:5000/v2.0/ | 21:00 |
amrita | ===================>>> credential.frm domain.frm group_domain_metadata.frm group_project_metadata.frm policy.frm role.frm token.frm db.opt endpoint.frm group.frm migrate_version.frm project.frm service.frm <<<<<<<<<<<<<<<<<<<<<------- these are the only tables it created | 21:00 |
bknudson | ok, it wouldn't like the export | 21:00 |
Mario_ | ayoung, yes an existing LDAP but my assignments are on the mysql, local. | 21:01 |
morganfainberg | amrita, you could look at the model for the table and recreate from that, but like i said, you wont have the data. if tables are randomly disappearing from your db server, I'd go look into that before going any further. perhaps you could do some recovery on that front. unfortunately recreating the live data isn't easy | 21:01 |
ayoung | Mario_, OK, so you don't use keystone to add users, just to do role assignments | 21:01 |
morganfainberg | amrita, if you don't care about the previous data (at all, in the keystone db) you could recreate the db w/ a clean db_sync. | 21:02 |
amrita | it didn't create the following ------->>>>>>>>>>>>>>>>>>>>>>>>>>> trsut_role.frm users*.frm <<<<<<<<<<<<<<<<<,,=========================== | 21:02 |
morganfainberg | amrita, but that involves destroying the whole db first. | 21:02 |
ayoung | Mario_, so create the project and roles using the ADMIN_TOKEN and assign a role on that project to a user, then , as that user, to token-get... | 21:02 |
*** marcoemorais has quit IRC | 21:02 | |
*** marcoemorais has joined #openstack-keystone | 21:03 | |
ayoung | Mario_, you can either set env vars, or pass the values you want on the command line. | 21:03 |
ayoung | so | 21:03 |
*** marcoemorais has quit IRC | 21:03 | |
*** marcoemorais has joined #openstack-keystone | 21:03 | |
amrita | no other way of selectively recreating / restoring the data (somehow) from ...... ? without being destructive ? | 21:04 |
Mario_ | ayoung, I bit little confused as of linking with ldap... it's working fine using mysql.. | 21:04 |
*** YorikSar has quit IRC | 21:04 | |
ayoung | keystone --os-endpoint=http://10.16.17.4:35357/v2.0/ --os-token=<match admin_token in your config file> | 21:04 |
ayoung | Mario_, yeah...switching over is tricky | 21:04 |
morganfainberg | amrita, from what i'm hearing the DB is suspect to begin with, tables don't go missing arbitrarily in my experience | 21:04 |
morganfainberg | amrita, if you solve that issue you might be able to find the data / restore | 21:04 |
ayoung | Mario_, are you comfortable with the LDAP search tools? Its often useful to confirm all of your assumptions via direct LDAP queries | 21:04 |
ayoung | Make sure that the user you want to auth as is alive, etc | 21:05 |
morganfainberg | amrita, but unfortunately while the tables could be recreated, i don't have magic to recreate the data in those tables. | 21:05 |
Mario_ | ayoung, yes i can do it using ldapsearch. | 21:05 |
ayoung | Good | 21:05 |
amrita | any specific logs that I can begin digging ? | 21:05 |
morganfainberg | amrita, so i'd stop trying to restore the table structure first and make sure your db server wont do this again | 21:05 |
ayoung | Mario_, so assuming you have a user named admin in LDAP, it would look like this | 21:05 |
Mario_ | ayoung, how do i able to link my existing ldap users to the tenant or role | 21:06 |
amrita | true! ... anything you would do - to steer me in the right direction ? | 21:06 |
mspreitz | Anybody having trouble with keystone tripping over dbus while installing with DevStack? | 21:06 |
amrita | coz right now I am clueless | 21:06 |
ayoung | Mario_, the normal approach is that the last segment of the DN becomes the user_id | 21:06 |
amrita | as to what caused this | 21:06 |
ayoung | so for example if mine were CN=ayoung,CN=redhat.CN=com my userid is ayoung | 21:06 |
morganfainberg | amrita, hmm. unfortunately I don't have much direction to give on recovering dbs in a case like this. it's been a while since i've had to look at it. but you could start with dmesg / mysql (this is mysql right?) logs. | 21:06 |
Mario_ | ayoung, yes i will follow your message | 21:07 |
ayoung | you would create a role assignment where user_id=ayoung | 21:07 |
amrita | yeah mssql. | 21:07 |
ayoung | Mario_, so you can do | 21:07 |
morganfainberg | amrita, mssql? (microsoft sql server?) or MySQL? | 21:07 |
ayoung | keystone --os-endpoint=http://10.16.17.4:35357/v2.0/ --os-token=<match admin_token in your config file> user_list | 21:07 |
ayoung | and you get back everyone in your LDAP... | 21:08 |
ayoung | (not something you want to do a lot, but a good test) | 21:08 |
ayoung | or, say | 21:08 |
ayoung | that should be user-list | 21:08 |
ayoung | not user_list | 21:08 |
ayoung | keystone user-get ayoung | 21:09 |
*** thedodd has quit IRC | 21:09 | |
morganfainberg | amrita, in either case i am not sure where to direct you besides perhaps the documentation on recovery / tables disappearing. if it's MySQL, the percona/maria-db folks are usually pretty helpful (but honestly not sure where to find them) | 21:09 |
Mario_ | ayoung, yes I got it I able to list all the users | 21:09 |
ayoung | Mario_, I was working on a sample script for populating a Keystone server https://review.openstack.org/#/c/82687/6/examples/scripts/initialize_keystone.py | 21:09 |
*** YorikSar has joined #openstack-keystone | 21:09 | |
Mario_ | of the ldap using that command | 21:09 |
ayoung | you don't want to do all of that, but | 21:10 |
morganfainberg | amrita, if it's microsoft, i really have even less advice to give. i really don't want to give you bad advice on data recovery. it isn't my area of expertise. | 21:10 |
*** YorikSar has quit IRC | 21:10 | |
ayoung | 51 project = admin_client.projects.list(name='admin', domain='default')[0] | 21:10 |
ayoung | 52 user = admin_client.users.list(name='admin', domain='default')[0] | 21:10 |
ayoung | 53 role = admin_client.roles.list(name='admin')[0] | 21:10 |
ayoung | 54 | 21:10 |
ayoung | 55 try: | 21:10 |
ayoung | 56 admin_client.roles.grant(role=role, user=user, domain=domain) | 21:10 |
* ayoung apologized for the flood | 21:10 | |
morganfainberg | ayoung, OMG so flood. | 21:11 |
morganfainberg | ayoung, :P | 21:11 |
*** YorikSar has joined #openstack-keystone | 21:11 | |
Mario_ | ayoung, thanks for the link, I will try to use it | 21:11 |
ayoung | morganfainberg, being the root cause of floods goes with the name Adam | 21:11 |
ayoung | Mario_, nah, just understand it | 21:12 |
morganfainberg | ayoung, lol nice | 21:12 |
ayoung | note that it uses the ADMIN_TOKEN to set things up, and then you should be able to log on as the user | 21:12 |
*** joesavak has quit IRC | 21:12 | |
ayoung | Mario_, if you poke around in the mysql instance, you need to see: a Role, a Project, and a Role Assignment....which version of Keystone are you running? | 21:13 |
Mario_ | ayoung, I am using 0.4.1 | 21:13 |
Mario_ | i got a probs on using keystone user-get 'user' | 21:13 |
*** florentflament has joined #openstack-keystone | 21:13 | |
ayoung | Mario_, OK, so that is Havana....the table with the various role assignments got consolidated in Icehouse.. | 21:14 |
ayoung | Mario_, turn on logging and see what LDAP query the server is running, probably a problem with mapping the DN to the ID | 21:14 |
ayoung | what do your DNs look like? | 21:14 |
*** YorikSar has quit IRC | 21:14 | |
ayoung | Mario_, also, are your users all in one node, or do you need subtree queries? | 21:15 |
openstackgerrit | A change was merged to openstack/keystone: Use in-memory SQLite for testing https://review.openstack.org/82917 | 21:15 |
morganfainberg | ayoung, ^ woooooooooot!! | 21:15 |
Mario_ | yes i used the subtree | 21:15 |
ayoung | morganfainberg, ^^^^^^^^^^^^^^^ \m_ (>.<) _\m/ | 21:15 |
morganfainberg | ayoung, the second one is about to merge too | 21:16 |
*** derek_c has joined #openstack-keystone | 21:16 | |
Mario_ | my DN is ou=users,dc=example,dc=com | 21:16 |
ayoung | Mario_, ok...so it is going to do a subtree search, find the entry, then chop off the first segment of the DN | 21:16 |
ayoung | Mario_, is it cn=Mario,ou=users....? | 21:16 |
dstanek | morganfainberg: nice! | 21:16 |
dstanek | morganfainberg: https://review.openstack.org/#/c/83565/ | 21:17 |
morganfainberg | dstanek oh that isn't a bad patchset... | 21:17 |
Mario_ | ayoung, it is uid=Mario,ou=users... as I am using openldap | 21:17 |
*** YorikSar has joined #openstack-keystone | 21:17 | |
Mario_ | but cn also same as UID | 21:17 |
ayoung | ok, so you need to say that the DN field is uid, in the config file | 21:17 |
morganfainberg | dstanek, is this WIP? | 21:18 |
*** YorikSar has quit IRC | 21:18 | |
openstackgerrit | A change was merged to openstack/keystone: Use in-memory SQLite for sql migration tests https://review.openstack.org/82918 | 21:18 |
morganfainberg | dstanek, oh i see you're overriding the commands. | 21:18 |
morganfainberg | dstanek, just so that it passes. | 21:18 |
Mario_ | ayoung, my config I put there as user_name_attribute = cn | 21:19 |
morganfainberg | dstanek, i uhm. almost think we should probably make this an experimental job instead of a non-voting one | 21:19 |
ayoung | '(&(%(id_attr)s=%(id)s)' | 21:19 |
morganfainberg | dstanek, rather than have a dummy command run. | 21:19 |
ayoung | Mario_, you also need to set the user_id_attr | 21:19 |
Mario_ | and user_pass_attribute = Password | 21:19 |
morganfainberg | dstanek, i think infra would likely agree on that front. | 21:19 |
Mario_ | ayoung, you mean user_id_attr = '(&(%(id_attr)s=%(id)s)' | 21:20 |
Mario_ | am I right? | 21:20 |
ayoung | Mario_, can you post the LDAP section of your config on http://paste.openstack.org/ and post the link? Drop the password, of course, and any other sensitive data | 21:20 |
ayoung | Mario_, heh, I didn't give you the context http://git.openstack.org/cgit/openstack/keystone/tree/keystone/common/ldap/core.py#n363 | 21:21 |
*** leseb has quit IRC | 21:21 | |
openstackgerrit | Morgan Fainberg proposed a change to openstack/keystone: Enable concurrent testing by default https://review.openstack.org/83584 | 21:21 |
openstackgerrit | Morgan Fainberg proposed a change to openstack/keystone: Cleanup ldap tests (mox and reset values) https://review.openstack.org/83235 | 21:21 |
ayoung | self.id_attr, for user is user_id_attr in the conf file | 21:21 |
dstanek | morganfainberg: the patch i'm working on right now runs a handful of the tests | 21:22 |
ayoung | http://git.openstack.org/cgit/openstack/keystone/tree/keystone/common/config.py#n441 Mario_ | 21:22 |
dstanek | morganfainberg: that was just the first step | 21:22 |
ayoung | default is cn, so you might be OK | 21:22 |
morganfainberg | dstanek, i still think this is a case where moving to experimental until it's ready (unless it'll be ready soon) makes sense | 21:22 |
dstanek | morganfainberg: today i'll have another patch that runs at least a few test modules | 21:23 |
morganfainberg | dstanek, and by ready i mean something we'd legitimately want to gate on | 21:23 |
morganfainberg | dstanek, partial test runs i'm not sure if there is a huge win for. i'll go with your gut feeling though | 21:23 |
morganfainberg | dstanek, i just think even a non-voting test if it's running a very partial test suite is misleading. | 21:23 |
dstanek | morganfainberg: that's what oslo is currently doing - partial test runs | 21:24 |
Mario_ | ayoung, I paste the logs on the link | 21:24 |
morganfainberg | dstanek, ah ok then prior art, i'm fine with it | 21:24 |
Mario_ | ayoung, not logs you mean the configs | 21:24 |
ayoung | Mario_, yeah, config | 21:24 |
dstanek | if you start with that then you can gradually start making everything py3 friendly - and that'll stop regressions in things that are already working | 21:25 |
morganfainberg | dstanek, mind if i hold off on +2 until the next patchset? | 21:25 |
*** jamielennox|away is now known as jamielennox | 21:25 | |
morganfainberg | dstanek, the one that enables some tests | 21:25 |
morganfainberg | that is | 21:25 |
dstanek | morganfainberg: because our test suite is currently so top heavy i'm struggling with exactly how to get things to run without being evil | 21:25 |
dstanek | morganfainberg: sure | 21:26 |
morganfainberg | dstanek, be evil :P i mean... sounds good to me (you've convinced me i was incorrect, my mind is changed) | 21:26 |
*** mspreitz has left #openstack-keystone | 21:26 | |
dstanek | morganfainberg: this is the kinds of crap i started with http://paste.openstack.org/show/74496/ | 21:27 |
morganfainberg | dstanek, LOL | 21:27 |
dstanek | i've since been able to remove the need for some of that - i want it all gone before the next patch | 21:27 |
*** dims has quit IRC | 21:28 | |
dstanek | morganfainberg: there are many more problematic libraries than i realized - they install ok, but paste and mox don't actually work in py3 | 21:28 |
morganfainberg | dstanek, i would like to see mox go away | 21:30 |
morganfainberg | dstanek, i don't particularly like it | 21:30 |
morganfainberg | dstanek, but not sure if there is another good option atm. | 21:31 |
morganfainberg | well, mock.patch.object is my new favorite, but thats personal pref. | 21:31 |
dstanek | morganfainberg: i thought that was on my blueprint. it wasn't so i just added it | 21:31 |
morganfainberg | and the patchobject fixture is pretty cool | 21:31 |
morganfainberg | dstanek, :) | 21:31 |
dstanek | the general openstack trend is toward mock anyway | 21:32 |
morganfainberg | dstanek, i'm not opposed to this. | 21:32 |
Mario_ | ayoung, done pasting the ldap section | 21:32 |
ayoung | topol, Mario_ post the link it gave you | 21:32 |
Mario_ | http://paste.openstack.org/show/74498/ | 21:32 |
ayoung | Mario_, you see how dstanek posted http://paste.openstack.org/show/74496/ ? same kind of thing | 21:32 |
ayoung | Mario_, good | 21:33 |
topol | ayoung, whats up | 21:33 |
ayoung | topol, heh | 21:33 |
ayoung | meant to yell at you about this | 21:33 |
ayoung | http://www.ibm.com/developerworks/cloud/library/cl-openstack-pythonapis/index.html?ca=drs- | 21:33 |
topol | ayoung, oh no | 21:34 |
ayoung | topol, look at his examples: | 21:34 |
ayoung | topol he has from credentials import get_nova_creds | 21:34 |
ayoung | what is that? | 21:34 |
*** amrita has quit IRC | 21:34 | |
ayoung | since you are responsible for all thing IBM, of course. | 21:34 |
ayoung | ah...I see | 21:34 |
*** nachi has joined #openstack-keystone | 21:34 | |
ayoung | its earlier in his doc... | 21:34 |
topol | whats wrong with the paper. I havent read it | 21:34 |
topol | is it wrong? | 21:35 |
ayoung | nah, its fine...just points to the need for a unified approach to the API auth | 21:35 |
topol | does it need revised? | 21:35 |
topol | ayoung? | 21:35 |
ayoung | Listing 5 | 21:35 |
*** nachi has quit IRC | 21:35 | |
ayoung | topol, actually, I was wondering if you had seen the doc, and if you were in some way involved | 21:36 |
topol | ayoung, so I dont have much experience on the client side. I assume its totally wrong? | 21:36 |
topol | I did not write that article. Not listed as an author. ayoung, but if something is in error I can get it fixed | 21:37 |
ayoung | topol, nah...I've been drinking the AuthPlugin Kool-Aid for so long...I never tried to do straight python to nova before | 21:37 |
topol | :-) | 21:37 |
ayoung | topol, instead, i think we should target a follow up article once: AuthPlugins are done and we have a unified CLI | 21:37 |
ayoung | but...that code is ugly | 21:37 |
topol | ayoung agreed | 21:37 |
ayoung | not his fault...its ours | 21:38 |
ayoung | topol, its actually a very good intro article | 21:38 |
topol | Let's write a new article and fix it that way. I may be able to then get the old one revised to point to the new one. ayoung, sound ok? | 21:38 |
ayoung | yeah.... | 21:38 |
morganfainberg | dstanek, any reason not to +A https://review.openstack.org/#/c/78117 | 21:39 |
morganfainberg | dstanek, ? | 21:39 |
topol | ayoung the developerworks manager is right down the hall. Should be easy to get fixed. | 21:39 |
dstanek | morganfainberg: no it should be fine | 21:40 |
ayoung | topol, I don't think there is anything to fix, yet....I just missed the module he wrote. But I can see why he did, to make it easier for auth in future subsections | 21:40 |
topol | :-) | 21:40 |
ayoung | its the keystone client that needs to be fixed, and then we need to get Nova client to consume the Auth Plugin from the keystone client | 21:40 |
*** leseb has joined #openstack-keystone | 21:41 | |
ayoung | topol, jamielennox did a nice write up of how it should look: http://www.jamielennox.net/blog/2014/02/24/client-session-objects/ | 21:41 |
Mario_ | ayoung, just a recap do I need to create a user cinder,glance,nova,neutron on my ldap.. as it does not exist | 21:41 |
ayoung | Mario_, yes you do | 21:41 |
ayoung | those service users will attempt to contact Keystone to fetch certificates and the revocation list | 21:41 |
Mario_ | ayoung, it seems the problem is there | 21:41 |
ayoung | and they need to be admin users | 21:41 |
Mario_ | ayoung, you mean admin users in the ldap? | 21:42 |
ayoung | Mario_, ...thanks, you just reminded me of something I need to add to a presentation I am putting together | 21:42 |
ayoung | Mario_, yes | 21:42 |
ayoung | its a shortcoming of our current deployment that service users must be in the same backend as everything else | 21:42 |
Mario_ | ayoung, I see.. where is your presentation? so we can take a look hehe | 21:43 |
jamielennox | topol: what's wrong? | 21:43 |
*** dims has joined #openstack-keystone | 21:43 | |
ayoung | Mario_, internal, for now...but I will post it once its done. Nothing proprietary, just need to polish it. | 21:43 |
ayoung | I can post though | 21:43 |
topol | ayoung, jamielennox nothing wrong. sounds like you wrote the better mouse trap. | 21:44 |
ayoung | jamielennox, see this and you will understand http://www.ibm.com/developerworks/cloud/library/cl-openstack-pythonapis/index.html?ca=drs- | 21:44 |
ayoung | jamielennox, the way we need to auth to Nova is just...antiplugin | 21:44 |
Mario_ | ayoung, no worries | 21:45 |
ayoung | Mario_, one sec | 21:45 |
jamielennox | ayoung, topol: whoa - that doesn't work | 21:45 |
ayoung | Mario_, http://admiyo.fedorapeople.org/openstack/keystone/keystone-hij.pdf that is still under development. Take a look, but don't share it around until I finish it up | 21:45 |
ayoung | jamielennox, it does, it just sucks | 21:45 |
Mario_ | ayoung, yes I do.. | 21:46 |
topol | ayoung, tell him the plan so he feels better | 21:46 |
jamielennox | ayoung: oh - misread | 21:46 |
ayoung | jamielennox, once we get auth plugins together, we are going to write up a follow up article and have this one point to it | 21:46 |
ayoung | Mario_, ah...I had it in there...see the LDAP slide "Service users must be in LDAP" | 21:47 |
ayoung | page 10 | 21:47 |
jamielennox | ayoung: ++ | 21:47 |
openstackgerrit | Brant Knudson proposed a change to openstack/keystone: Safer noqa handling https://review.openstack.org/83563 | 21:47 |
Mario_ | ayoung, I see it's cool | 21:47 |
ayoung | Mario_, thanks. | 21:48 |
jamielennox | ayoung: a review for you when you have a minute: https://review.openstack.org/#/c/74956/ | 21:49 |
Mario_ | I see it added also selinux, as on my configs I disable it | 21:49 |
ayoung | Mario_, don't disable SELinux. | 21:49 |
ayoung | its like taking off your seat belts in a road race | 21:49 |
Mario_ | don't much of the selinux, ok but need to refine my settings | 21:50 |
jamielennox | dolphm: can you unblock: https://review.openstack.org/#/c/78127/ | 21:50 |
Mario_ | what do you mean by this trust? a two-way trust to different keystones | 21:50 |
ayoung | keystone/common/ldap/core.py+488, -211 with most of the additions comments? Must be a jdennis review. | 21:52 |
Mario_ | ayoung, as I also concern this, can we have a multiple domains/ldaps on keystone? | 21:52 |
ayoung | Mario_, not yet | 21:52 |
ayoung | Mario_, its on the schedule for the Juno summit. Was supposed to be in Icehouse, but we couldn't quite agree on the approach. I think we have a path forward, though. | 21:53 |
Mario_ | I see, something to be wait hehe | 21:54 |
Mario_ | but I see on the config in the dashboard, that you can setup multiple domains, is it not working? then | 21:54 |
Mario_ | referring to the OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT = True | 21:56 |
ayoung | Only in SQL Mario_ | 21:58 |
ayoung | Multi LDAP didn't quite make the cut, nor having multiple domain in a single directory | 21:58 |
Mario_ | ayoung, in my existing setup, it is on a one-way trust.. | 22:00 |
ayoung | Mario_, so you have a local LDAP server, and then you pull users over from Active Directory? | 22:00 |
ayoung | or some other central LDAP? | 22:00 |
Mario_ | ayoung, yes that's the setup | 22:01 |
ayoung | Mario_, can you add local users? | 22:01 |
ayoung | they can go in a different subtree | 22:01 |
Mario_ | ayoung, no because of the trust but yes can add local users | 22:02 |
ayoung | Mario_, will that work for you, then, to put the nova, etc users in your local LDAP, and get the rest via trust? | 22:02 |
*** derek_c has quit IRC | 22:03 | |
Mario_ | ayoung, that's will be my next task, I just need the local LDAP work first, as got the probs but I'm modifying my configs to what you said earlier and test if gonna work | 22:04 |
ayoung | Good luck | 22:04 |
Mario_ | ayoung, thanks | 22:04 |
Mario_ | give you feedback later on | 22:04 |
*** amcrn has quit IRC | 22:05 | |
*** ayoung is now known as ayoung-afk | 22:06 | |
*** topol has quit IRC | 22:06 | |
*** nkinder has quit IRC | 22:06 | |
*** derek_c has joined #openstack-keystone | 22:23 | |
*** leseb has quit IRC | 22:23 | |
*** bknudson has quit IRC | 22:30 | |
*** gokrokve has joined #openstack-keystone | 22:32 | |
*** gokrokve_ has joined #openstack-keystone | 22:32 | |
openstackgerrit | A change was merged to openstack/keystone: Remove noqa form import _s https://review.openstack.org/83551 | 22:32 |
mfisch | is there a way to make all users show as enabled with the LDAP backend WITHOUT using the enabled emulation (which is horrifyingly slow) | 22:33 |
mfisch | ? | 22:33 |
mfisch | I'd rather have everyone show enabled rather than a blank field | 22:33 |
*** marcoemorais has quit IRC | 22:33 | |
mfisch | or maybe it doesn't matter that Enabled shows blank?? | 22:33 |
*** marcoemorais has joined #openstack-keystone | 22:34 | |
*** gokrokve has quit IRC | 22:36 | |
*** marcoemorais has quit IRC | 22:36 | |
*** marcoemorais has joined #openstack-keystone | 22:37 | |
mfisch | looks like setting enabled_default and enabled_mask and not setting enabled_attribute does what I want | 22:38 |
*** derek_c has quit IRC | 22:43 | |
*** browne has left #openstack-keystone | 22:44 | |
*** marcoemorais has quit IRC | 22:48 | |
*** marcoemorais has joined #openstack-keystone | 22:48 | |
*** finite has joined #openstack-keystone | 23:01 | |
finite | Anyone have time to help me troubleshoot apache throwing 503s when using wsgi to front keystone? | 23:02 |
*** gokrokve_ has quit IRC | 23:04 | |
*** topol has joined #openstack-keystone | 23:13 | |
*** david_lyle has quit IRC | 23:19 | |
*** finite has quit IRC | 23:27 | |
*** amcrn has joined #openstack-keystone | 23:29 | |
*** packet has quit IRC | 23:29 | |
*** dstanek has quit IRC | 23:44 | |
*** topol has quit IRC | 23:48 | |
*** wwriverrat has joined #openstack-keystone | 23:51 | |
openstackgerrit | Brant Knudson proposed a change to openstack/keystone: Safer noqa handling https://review.openstack.org/83563 | 23:52 |
*** wwriverrat1 has joined #openstack-keystone | 23:53 | |
*** wwriverrat has quit IRC | 23:59 |