Sunday, 2014-05-04

*** leseb has joined #openstack-keystone		00:02
*** rodrigods has quit IRC		00:08
*** rodrigods has joined #openstack-keystone		00:17
*** leseb has quit IRC		00:20
*** Chicago has quit IRC		00:33
*** rodrigods has quit IRC		00:36
*** rodrigods has joined #openstack-keystone		00:43
*** Chicago has joined #openstack-keystone		00:45
*** key1 has joined #openstack-keystone		00:54
key1	Any keystone gurus who can help with question on LDAP integration ?	00:54
*** rodrigods has quit IRC		00:55
key1	after integrating with LDAP i get this error on starting keystone : 2014-05-03 19:49:16.252 TRACE keystone.common.wsgi AttributeError: 'Identity' object has no attribute 'get_domain'	00:55
key1	anythoughts ?	00:55
*** derek_c has joined #openstack-keystone		00:57
key1	Can any one help me please	00:57
morganfainberg	key1, 2 things, 1) it's saturday (weekend) for a lot of people so might be a bit limited responses, 2) let me see if i can help you out :)	00:58
morganfainberg	key1, what version of keystone?	00:58
key1	sure morgan thank you so much	00:58
morganfainberg	key1, happy to try and help.	00:59
key1	i have the trunk version of devstack	00:59
morganfainberg	key1, ok so latest master	00:59
key1	Yeah	00:59
morganfainberg	key1, can you provide (via paste.openstack.org or similar) your keystone config?	01:00
key1	sure i will paste it	01:00
morganfainberg	key1, and out of curiosity what are tyou trying to do that is generarting the error.	01:01
key1	https://gist.github.com/rkatti/43b53d1d01b03b764e16	01:05
morganfainberg	ah	01:06
morganfainberg	i think i see your issue	01:06
morganfainberg	you're using the Identity driver for assignment	01:07
key1	i am trying to start keystone and it is generating that error	01:07
key1	ohh is t	01:07
morganfainberg	key1, assignment and identity are two very different systems	01:08
morganfainberg	key1, are you trying to use LDAP for both identity and assignment or just identity (users/groups)	01:08
key1	I want LDAP just for identity	01:08
morganfainberg	ok	01:08
morganfainberg	so in the [assigment] block use "driver = keystone.assignment.backends.sql.Assignment"	01:09
morganfainberg	and in the [identity] section put the "identty" one you have at the top of your file	01:09
key1	yea just doing that	01:10
key1	server started successfully	01:10
morganfainberg	key1, :)	01:10
key1	so if i create an entry under OU=Users and login with that inside horizon it should work you think ?	01:10
morganfainberg	key1, let me look at the config a bit more closely.	01:11
key1	sure let me paste	01:11
morganfainberg	key1, nah i'm just looking at the one you pasted	01:11
morganfainberg	key1, i'm assuming it's close to what you have.	01:11
key1	yea ... i changed assignment to identity and matched to these instructions http://docs.openstack.org/admin-guide-cloud/content/configuring-keystone-for-ldap-backend.html	01:12
morganfainberg	yeah	01:12
morganfainberg	it looks like if you create a proper user object in OU=Users it should work	01:12
key1	Is it let me try	01:13
key1	this is what i got : userid=keystone,ou=Users,dc=xyz,dc=com will this work	01:14
morganfainberg	key1, you'd need to have the expected attributes.	01:14
morganfainberg	key1, but yeah that sounds right	01:15
morganfainberg	it's been a while since i've worked with the LDAP stuff.	01:15
key1	its failing	01:17
morganfainberg	key1, you might be missing needed attributes	01:18
key1	here is error log	01:18
key1	https://gist.github.com/rkatti/80dce477a31b33397b82	01:18
key1	i see this when trying to login to horizon with username password : keystone/admin	01:19
morganfainberg	key1, what object type did you use for the user?	01:19
key1	i am using that LDAP PHP admin tool ... i used simpleSecurityObject	01:20
morganfainberg	key1, user_objectclass = inetOrgPerson	01:21
morganfainberg	needs to be inetOrgPerson	01:21
key1	ok let me try again	01:21
key1	so this what I got	01:22
key1	https://gist.github.com/rkatti/aff6ce87880da059120b	01:24
key1	does this look goog	01:24
key1	good	01:24
morganfainberg	key1, that might work	01:28
morganfainberg	key1, not suire if you have all the attributes you need tbh, i would need to figure out what the object needs to look like.	01:28
key1	ohh ok	01:29
morganfainberg	key1, but you're on the right path	01:29
key1	i will give this a try	01:29
*** diegows has quit IRC		01:31
key1	hey morgan... sweet its gone one step ahead	01:34
morganfainberg	key1, cool!	01:34
key1	I am still not able to get inside because horizon says : You are not authorized for any projects.	01:34
key1	i had to play with cn sn values to get there	01:34
morganfainberg	key1, you need to create an assignment in the assignment backend for the user	01:35
key1	ahh	01:35
key1	i gotcha	01:35
key1	Well in the logs i see this another query :	01:41
key1	2014-05-03 20:37:27.579 DEBUG keystone.common.ldap.core [-] LDAP search: base=ou=UserGroups,dc=xyz,dc=com scope=1 filterstr=(&(&(objectClass=groupOfNames)(member=cn=admin,ou=Users,dc=xyz,dc=com))(objectClass=groupOfNames)) attrs=['ou', 'description'] attrsonly=0 from (pid=29303) search_s /opt/stack/keystone/keystone/common/ldap/core.py:503	01:41
key1	so do i need an entry in ou=UserGroups	01:41
key1	how do i create assignment backend	01:52
key1	i mean that user admin was already there before ldap integration	01:52
key1	and i am assuming was there within MYSQL	01:52
morganfainberg	key1, yes, this goes in the SQL assignment backend	01:58
key1	but its already there right	01:58
key1	i mean when i setup devstack it already created admin and i was able to login to horizon then	01:58
morganfainberg	key1, you would need to make sure the assignment matches the correct id for the user in ldap	01:59
key1	ok do you think there is an entry needed for base=ou=UserGroups,dc=xyz,dc=com ?	01:59
morganfainberg	key1. we use a method on the ldap module to convert the DN to an id	02:00
key1	ok how do i match assignment	02:01
morganfainberg	key1, usually that is done via the REST api.	02:01
morganfainberg	key1, you need to update the sql in the assignment table so the admin user's id would be utf8_decode(ldap.dn.str2dn(utf8_encode(dn))[0][0][1])	02:02
morganfainberg	key1, though it would be easier to use the rest api (and the basic admin token for bootstrapping)	02:03
key1	umm ok	02:03
key1	looking at it now	02:03
key1	from LDAP side i am all good ... correct ? I dont need to add or change anything there	02:04
morganfainberg	key1, i think you're good.	02:04
key1	ok let me see MYSQL	02:05
morganfainberg	key1, unfortunately i need to go. hope this has set you on the right track.	02:05
key1	ok no problem morgan ... are you from mirantis if i may ask :)	02:06
key1	thanks for the help	02:06
morganfainberg	key1, nope, i work for a small startup called Metacloud	02:06
key1	ohh cool is it in US ?	02:06
morganfainberg	key1, yeah	02:06
morganfainberg	key1, Southern California	02:07
key1	cool cool I am in Minneapolis	02:07
morganfainberg	key1, nice! hows the weather out there?	02:07
key1	we can talk if you are around tommorow ...	02:07
morganfainberg	key1, it's a bit toasty here in Pasadena today :P	02:07
morganfainberg	key1, i'll be around on monday for sure, not sure if i'll be on irc tomorrow.	02:07
key1	ohh it was 60 here this morning but still cold	02:07
morganfainberg	key1, but if i am, i'm happy to chat then	02:08
key1	Sure morgan appreciate so much i am on GIThub rkatti	02:08
morganfainberg	cheers	02:08
key1	but i will be here tommorow .... so you said i need to tweak mysql right	02:08
key1	is there a guide ?	02:08
key1	i mean documentation of what to tweak or what rest apis to call	02:08
key1	i dont see that	02:08
morganfainberg	key1, well you'll need to adust the grant in the assignment table. not sure if there is a good example of directly injecting the rows	02:09
key1	ohh ok i will give it a try tommorow i will be here afternoon CST	02:09
key1	have a good evening in sunny Pasadena	02:09
morganfainberg	key1, ok.	02:10
morganfainberg	key1, cheers	02:10
*** key1 has quit IRC		02:16
*** mberlin has joined #openstack-keystone		02:17
*** mberlin1 has quit IRC		02:17
*** stevemar has joined #openstack-keystone		02:25
*** derek_c has quit IRC		02:50
*** dims has joined #openstack-keystone		03:03
*** stevemar has quit IRC		03:03
*** dims has quit IRC		04:28
openstackgerrit	Fernando Ribeiro proposed a change to openstack/python-keystoneclient: Closes-Bug: #1315798 https://review.openstack.org/91990	05:52
openstackgerrit	OpenStack Proposal Bot proposed a change to openstack/keystone: Imported Translations from Transifex https://review.openstack.org/90288	06:01
*** fribeiro has joined #openstack-keystone		06:12
*** fribeiro has left #openstack-keystone		06:13
*** ukalifon1 has joined #openstack-keystone		06:31
*** morganfainberg is now known as morganfainberg_Z		06:49
*** Chicago has quit IRC		08:00
*** Chicago has joined #openstack-keystone		08:01
*** Chicago has joined #openstack-keystone		08:01
*** wendle has quit IRC		08:03
openstackgerrit	Li Ma proposed a change to openstack/keystone: Password trunction makes password insecure https://review.openstack.org/77325	08:21
*** zhiyan_ is now known as zhiyan		09:05
*** RockKuo_iPad has joined #openstack-keystone		11:28
boris-42	morganfainberg_Z ping	11:33
*** RockKuo_iPad has quit IRC		11:35
*** zhiyan has quit IRC		11:45
*** zhiyan has joined #openstack-keystone		11:47
*** RockKuo_iPad has joined #openstack-keystone		11:57
*** RockKuo_iPad has quit IRC		11:59
*** praneshp has joined #openstack-keystone		12:05
*** dims has joined #openstack-keystone		12:08
marekd	boris-42: i think it's around 5 am in California right now :-)	12:09
boris-42	marekd it's ok=)	12:09
boris-42	sunday 5.a.m. the best time to work=) nobody distribute=)	12:09
*** dims has quit IRC		12:09
marekd	boris-42: hah, right.	12:10
*** Chicago has quit IRC		13:14
openstackgerrit	Fernando Ribeiro proposed a change to openstack/python-keystoneclient: Fix listing of endpoints for a token https://review.openstack.org/92009	13:25
*** praneshp_ has joined #openstack-keystone		13:42
*** praneshp has quit IRC		13:45
*** praneshp_ is now known as praneshp		13:45
openstackgerrit	Fernando Ribeiro proposed a change to openstack/python-keystoneclient: Fix listing of endpoints for a token https://review.openstack.org/91990	13:53
openstackgerrit	Fernando Ribeiro proposed a change to openstack/python-keystoneclient: Fix listing of endpoints for a token https://review.openstack.org/91990	14:05
openstackgerrit	Fernando Ribeiro proposed a change to openstack/python-keystoneclient: Fix listing of endpoints for a token https://review.openstack.org/91990	14:05
*** leseb has joined #openstack-keystone		14:38
*** ukalifon1 has quit IRC		14:50
*** rodrigods has joined #openstack-keystone		14:57
*** rodrigods has quit IRC		15:26
boris-42	bknudson ping	15:31
bknudson	boris-42: what's up?	15:32
boris-42	bknudson hm why we need infra patch at all?	15:32
boris-42	bknudson I mean this one https://review.openstack.org/#/c/91690	15:32
boris-42	bknudson if everything works here https://review.openstack.org/#/c/91677/ ?	15:32
bknudson	boris-42: we only need the py33 part if we're going to run rally on stable/icehouse	15:33
bknudson	and stable/havana	15:33
bknudson	I haven't seen a rally run on stable/havana yet...	15:33
bknudson	could backport the patch to add rally config	15:33
boris-42	bknudson actually I am not sure that we need to run it	15:33
boris-42	bknudson against stable branches	15:34
boris-42	bknudson so probably we can just remove it	15:34
bknudson	boris-42: the only reason might be if we have some performance fix to backport.	15:34
*** leseb has quit IRC		15:34
boris-42	bknudson hmm yep probably	15:35
boris-42	bknudson but in such rare cases probably we can just test by hand?	15:35
bknudson	boris-42: I think it makes sense to test it yourself for stable backports.	15:35
boris-42	bknudson yep	15:35
bknudson	or maybe have an experimental option.	15:35
boris-42	bknudson yep but not for every patch	15:36
bknudson	boris-42: so go ahead with the -infra patch?	15:36
bknudson	boris-42: and abandon the stable/icehouse patch? Or should we take that one anyways?	15:36
boris-42	bknudson let's just remove rally work from stable branches	15:37
boris-42	bknudson so +1 infra patch	15:38
boris-42	rally job*	15:38
bknudson	boris-42: that works for me. it's easy enough to add it back again if we want it	15:38
boris-42	bknudson not sure that we will need =)	15:38
boris-42	bknudson performance bugs are often related to work with DB/RPC and so on	15:39
boris-42	that couldn't be backported	15:39
boris-42	can not*	15:39
*** bvandenh has quit IRC		15:40
boris-42	bknudson btw I bump timeout of keystone client in rally	15:40
boris-42	bknudson http://logs.openstack.org/63/91463/1/check/check-rally-dsvm-rally/30e0b0c/rally-plot/results.html.gz	15:40
bknudson	boris-42: it looked like some of the POST /v2.0/tokens were taking about 60 sec	15:41
bknudson	boris-42: is rally supposed to fail if any of the operations fail?	15:42
*** dstanek is now known as dstanek_zzz		15:42
boris-42	bknudson nope	15:43
boris-42	bknudson rally shouldn't fail	15:43
boris-42	bknudson even if you are benchmarking dead cloud	15:44
boris-42	bknudson we are catching all exceptions and storing info about them for future analyze	15:44
bknudson	looks like now we need to figure out how to speed up creating and deleting users	15:44
boris-42	bknudson seems like that it's more about configuration	15:44
boris-42	bknudson cause my colleague tried to benchmark opnestack deployed by fuel and seems like it works well	15:45
boris-42	bknudson btw I will add way to setup rally.conf file from other projects tree	15:46
*** ukalifon1 has joined #openstack-keystone		15:46
bknudson	seems like the keystone benchmark scripts should be in keystone.	15:46
boris-42	bknudson it's another thing	15:48
boris-42	bknudson I mean there will be as well support of plugins	15:49
boris-42	bknudson so you guys will be able to write own benchmarks inside keystone tree and run in gates	15:49
boris-42	bknudson but it's not related to the configuration of rally	15:49
boris-42	bknudson I mean you are not able to specify anything from this file https://github.com/stackforge/rally/blob/master/etc/rally/rally.conf.sample inside keystone	15:50
bknudson	boris-42: so we'll be able to have our own keystone.rally.conf that gets loaded to override rally.conf options?	15:51
boris-42	bknudson exactly	15:51
boris-42	bknudson for example if you would like to bump keystone clients timeouts	15:51
boris-42	bknudson or run in debug mode	15:52
bknudson	boris-42: the timeout is in rally.conf somewhere?	15:52
boris-42	bknudson oh we should regenerate sample conf	15:53
boris-42	bknudson yep it's in CONF https://github.com/stackforge/rally/blob/master/rally/osclients.py#L32-L32	15:53
*** zhiyan is now known as zhiyan_		15:56
bknudson	boris-42: how does fuel configure keystone differently? memcache backend?	15:57
*** diegows has joined #openstack-keystone		15:57
boris-42	bknudson not sure that it uses memcached at the moment	15:57
boris-42	bknudson I'll ask=)	15:57
*** leseb has joined #openstack-keystone		16:26
*** rodrigods has joined #openstack-keystone		17:02
*** rodrigods has joined #openstack-keystone		17:02
*** leseb has quit IRC		17:04
*** diegows has quit IRC		18:24
*** dstanek_zzz is now known as dstanek		18:34
*** daneyon_ has joined #openstack-keystone		19:09
*** daneyon has quit IRC		19:09
*** rodrigods has quit IRC		19:31
*** rodrigods has joined #openstack-keystone		19:43
*** stevemar has joined #openstack-keystone		19:49
openstackgerrit	Brant Knudson proposed a change to openstack/python-keystoneclient: auth_token middleware hashes tokens with configurable algorithm https://review.openstack.org/80398	19:49
*** rodrigods has quit IRC		19:53
openstackgerrit	Brant Knudson proposed a change to openstack/python-keystoneclient: auth_token middleware hashes tokens with configurable algorithm https://review.openstack.org/80398	19:56
openstackgerrit	Brant Knudson proposed a change to openstack/python-keystoneclient: Fix client fixtures https://review.openstack.org/92021	19:56
openstackgerrit	Brant Knudson proposed a change to openstack/python-keystoneclient: auth_token middleware hashes tokens with configurable algorithm https://review.openstack.org/80398	20:05
*** stevemar has quit IRC		20:06
openstackgerrit	Fernando Ribeiro proposed a change to openstack/python-keystoneclient: Fix listing of endpoints for a token https://review.openstack.org/91990	20:13
*** rodrigods has joined #openstack-keystone		20:55
*** key1 has joined #openstack-keystone		21:22
key1	Any keystone gurus here have question with this error : You are not authorized for any projects.	21:22
key1	hi morgan	21:22
key1	i think you are talking about this yesterday : http://mirandazhangq.wordpress.com/2014/02/10/wish-list-common-misunderstanding-undocumented-openstack-identity-api-authentication-add-user/	21:25
key1	Hey morgan ... another awesome doc : http://adam.younglogic.com/2013/09/keystone-v3-api-examples/	21:59
*** jamielennox\|away is now known as jamielennox		22:08
openstackgerrit	Jamie Lennox proposed a change to openstack/python-keystoneclient: Make auth_token return a V2 Catalog https://review.openstack.org/89458	22:09
*** rodrigods has quit IRC		22:10
*** leseb has joined #openstack-keystone		22:35
*** leseb has quit IRC		22:49
*** daneyon_ has quit IRC		22:50
*** daneyon has joined #openstack-keystone		22:50
*** jamielennox is now known as jamielennox\|away		23:10
*** stevemar has joined #openstack-keystone		23:23
*** diegows has joined #openstack-keystone		23:24
*** dstanek is now known as dstanek_zzz		23:51

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!