Friday, 2014-05-09

*** nkinder has joined #openstack-keystone		00:00
*** gokrokve has quit IRC		00:10
*** dstanek_zzz is now known as dstanek		00:11
*** rodrigods has quit IRC		00:12
*** dims has joined #openstack-keystone		00:25
*** gokrokve has joined #openstack-keystone		00:27
openstackgerrit	OpenStack Proposal Bot proposed a change to openstack/keystone: Updated from global requirements https://review.openstack.org/91225	01:01
praneshp	ls	01:01
*** dc has joined #openstack-keystone		01:04
openstackgerrit	OpenStack Proposal Bot proposed a change to openstack/python-keystoneclient: Updated from global requirements https://review.openstack.org/91240	01:07
*** amcrn has quit IRC		01:08
*** dstanek is now known as dstanek_zzz		01:13
dc	What is the best way to make keystone HA?	01:15
*** marcoemorais has quit IRC		01:20
*** bach has quit IRC		01:28
*** gokrokve has quit IRC		01:31
*** praneshp has quit IRC		01:31
*** gokrokve has joined #openstack-keystone		01:31
*** dc has quit IRC		01:31
*** gokrokve has quit IRC		01:36
mfisch	anyone know if keystone can handle client-side certs?	01:49
mfisch	I'm hoping that if I configure the underlying python lib correctly it won't care	01:49
*** gokrokve has joined #openstack-keystone		01:50
*** Chicago has quit IRC		02:04
*** dstanek_zzz is now known as dstanek		02:05
*** xianghui has joined #openstack-keystone		02:08
*** mberlin has joined #openstack-keystone		02:11
*** mberlin1 has quit IRC		02:11
*** dstanek is now known as dstanek_zzz		02:15
*** gyee has quit IRC		02:17
*** dstanek_zzz is now known as dstanek		02:20
openstackgerrit	OpenStack Proposal Bot proposed a change to openstack/keystone: Updated from global requirements https://review.openstack.org/91225	02:23
openstackgerrit	ayoung proposed a change to openstack/python-keystoneclient: Example Initialization scripts https://review.openstack.org/82687	02:36
openstackgerrit	ayoung proposed a change to openstack/python-keystoneclient: revocation_events script https://review.openstack.org/91895	02:36
openstackgerrit	ayoung proposed a change to openstack/python-keystoneclient: Revocation event API https://review.openstack.org/81166	02:36
ayoung	mfisch, pretty sure it can	02:37
mfisch	ayoung: yeah I was thinking I'd just need to setup the ldap.conf correctly	02:38
mfisch	my AD guys say I need a client-side cert to talk to them	02:38
*** richm has quit IRC		02:41
openstackgerrit	ayoung proposed a change to openstack/python-keystoneclient: Compressed Signature and Validation https://review.openstack.org/71181	02:43
ayoung	mfisch, almost positive I saw a param for that poking through the client	02:43
ayoung	ah..you mean for TLS in LDAP?	02:43
mfisch	tls_cacertfile is for the server cert	02:44
mfisch	it should be tls_certfile if it matches ldap.conf	02:44
mfisch	ayoung: and yes to your question	02:44
ayoung	mfisch, https://bugs.launchpad.net/keystone/+bug/1040115	02:44
uvirtbot	Launchpad bug 1040115 in keystone "TLS support for LDAP back end" [High,Fix released]	02:44
*** harlowja is now known as harlowja_away		02:47
mfisch	ayoung: yes, ldaps works great with tls	02:47
mfisch	ayoung: but in addition to a server cert, apparently I need a client-side cert	02:47
ayoung	mfisch, that actually makes sense.	02:48
mfisch	so not TLS_CACERT, TLS_CERT	02:48
mfisch	per: http://linux.die.net/man/5/ldap.conf	02:48
ayoung	mfisch, you good?	02:51
mfisch	ayoung: yeah I'm just going to try it out and see what happens	02:52
mfisch	after atl	02:52
mfisch	thx	02:52
ayoung	morganfainberg, I don't think that was a token you pasted	03:10
ayoung	http://paste.fedoraproject.org/100353/96049841	03:10
ayoung	that is from http://pasteraw.com/4nn8ysxubevs07izfwnty32kpdd9k68	03:10
ayoung	no token body in there, unless it is in that section called PKCS #7 Data	03:11
*** dims has quit IRC		03:18
*** sbfox has joined #openstack-keystone		03:18
*** dstanek is now known as dstanek_zzz		03:26
*** morganfainberg is now known as morganfainberg_Z		03:29
*** sld has joined #openstack-keystone		03:42
sld	is anyone around by chance?	03:43
*** sbfox has quit IRC		03:50
*** amerine has quit IRC		03:54
*** sbfox has joined #openstack-keystone		04:07
*** sbfox has quit IRC		04:07
*** praneshp has joined #openstack-keystone		04:08
*** gokrokve has quit IRC		04:11
*** sbfox has joined #openstack-keystone		04:13
*** sbfox has quit IRC		04:13
*** sbfox has joined #openstack-keystone		04:14
*** sbfox has quit IRC		04:15
*** sbfox has joined #openstack-keystone		04:15
*** sbfox has quit IRC		04:16
*** sbfox has joined #openstack-keystone		04:17
*** sbfox has quit IRC		04:17
*** sbfox has joined #openstack-keystone		04:18
*** sbfox has quit IRC		04:18
*** sbfox has joined #openstack-keystone		04:23
*** sbfox has quit IRC		04:23
openstackgerrit	Steven Deaton proposed a change to openstack/python-keystoneclient: Change get to show https://review.openstack.org/92974	04:45
sld	there.	04:48
sld	if anyone can look at that review and offer feedback, it'd be great. thanks.	04:48
*** gokrokve has joined #openstack-keystone		04:51
*** gokrokve has quit IRC		04:56
*** sbfox has joined #openstack-keystone		04:58
*** sbfox has quit IRC		04:58
*** sbfox has joined #openstack-keystone		05:05
*** sbfox has quit IRC		05:09
openstackgerrit	Matt Fischer proposed a change to openstack/python-keystoneclient: Add support for extensions-list https://review.openstack.org/92978	05:13
*** dstanek_zzz is now known as dstanek		05:25
*** gokrokve has joined #openstack-keystone		05:52
openstackgerrit	OpenStack Proposal Bot proposed a change to openstack/keystone: Imported Translations from Transifex https://review.openstack.org/90288	06:01
*** dstanek is now known as dstanek_zzz		06:08
openstackgerrit	Juan Antonio Osorio Robles proposed a change to openstack/keystone: Refactor tests regarding required attributes https://review.openstack.org/92535	06:19
*** jaosorior has joined #openstack-keystone		06:24
*** amerine has joined #openstack-keystone		06:24
*** kashyap has joined #openstack-keystone		06:27
*** atmark has joined #openstack-keystone		06:29
atmark	hello all, i accidentally deleted the tenant admin and now i'm unable to login and query from the cli	06:34
atmark	how am i suppose to get it back?	06:34
*** zhiyan_ is now known as zhiyan		06:42
sld	never done that before, but the only thing i can think of is trying to use the admin token to connect... admin username and admin token should give you full access to everything, so you should be able to recreate it, in theory.	06:58
jaosorior	:t face	07:00
jaosorior	wrong application	07:00
*** zhiyan is now known as zhiyan_		07:05
*** praneshp has quit IRC		07:07
*** andreaf has joined #openstack-keystone		07:12
*** florentflament has joined #openstack-keystone		07:24
*** d0ugal has joined #openstack-keystone		07:37
*** d0ugal has joined #openstack-keystone		07:37
*** leseb has joined #openstack-keystone		07:48
*** henrynash has joined #openstack-keystone		07:54
*** derek_c has quit IRC		08:30
*** mberlin has quit IRC		08:44
*** d0ugal_ has joined #openstack-keystone		08:49
*** d0ugal has quit IRC		08:51
*** Abhijeet_ has joined #openstack-keystone		08:54
Abhijeet_	Hi all, can anyone help me with keystone identity module in openstack/tempest	08:56
openstackgerrit	Andreas Jaeger proposed a change to openstack/identity-api: Pretty print JSON sample files https://review.openstack.org/93003	08:57
*** mberlin has joined #openstack-keystone		08:58
*** Abhijeet_ has quit IRC		09:09
*** d0ugal_ is now known as d0ugal		09:11
*** Abhijeet_ has joined #openstack-keystone		09:12
*** xianghui has quit IRC		09:23
*** leseb has quit IRC		09:42
*** leseb has joined #openstack-keystone		09:43
*** leseb has quit IRC		09:47
openstackgerrit	Christian Berendt proposed a change to openstack/keystone: debug level logs should not be translated https://review.openstack.org/93013	10:06
*** leseb has joined #openstack-keystone		10:11
*** Abhijeet_ has quit IRC		10:14
*** leseb has quit IRC		10:34
openstackgerrit	Christian Berendt proposed a change to openstack/keystone: debug level logs should not be translated https://review.openstack.org/93013	10:50
*** leseb has joined #openstack-keystone		11:01
*** dims_ has joined #openstack-keystone		11:01
*** IanGovett has joined #openstack-keystone		11:10
*** rodrigods has joined #openstack-keystone		11:23
*** rodrigods has joined #openstack-keystone		11:23
*** leseb has quit IRC		11:26
*** leseb_ has joined #openstack-keystone		11:29
*** leseb_ has quit IRC		11:29
*** d0ugal has quit IRC		11:37
*** joesavak has joined #openstack-keystone		12:01
*** jsavak has joined #openstack-keystone		12:03
*** erecio has joined #openstack-keystone		12:04
*** joesavak has quit IRC		12:05
*** rodrigods has quit IRC		12:06
*** joesavak has joined #openstack-keystone		12:06
*** jsavak has quit IRC		12:07
openstackgerrit	Christian Berendt proposed a change to openstack/keystone: debug level logs should not be translated https://review.openstack.org/93013	12:14
*** rodrigods has joined #openstack-keystone		12:18
*** xianghui has joined #openstack-keystone		12:41
*** jsavak has joined #openstack-keystone		13:28
*** sld has quit IRC		13:29
*** joesavak has quit IRC		13:31
*** bknudson has joined #openstack-keystone		13:36
ayoung	dolphm, bknudson I'm attempting to use next-review. Keep getting "paramiko.PasswordRequiredException: Private key file is encrypted"	13:54
ayoung	1. What is paramiko using for Key/password mgmgt	13:55
ayoung	2. How do I kick it to let me try to use my password again? I got it wrong too many times.	13:55
dolphm	ayoung: ha, hmm...	13:55
dolphm	ayoung: i have no idea what paramiko uses -- and i've never been locked out (?) of an ssh key. so you don't get the SSH Key Passphrase prompt anymore?	13:56
ayoung	dolphm, not anymore, and it was rejecting the one I have been using.	13:57
dolphm	ayoung: is that a red hat thing?	13:57
ayoung	dolphm, possibly.	13:57
ayoung	The password dialog is gnome based, probably	13:57
ayoung	dolphm, I might just need to package that for Fedora.....	13:58
bknudson	I had to set my username since it's not the same as on my box -- username=blk-u in ~/.next_review	13:58
bknudson	if git-review works then next-review should also work... I think it's mostly the same code	13:59
ayoung	bknudson, OK,: pip installl --upgrade and now I got prompted...and now	13:59
ayoung	paramiko.ssh_exception.SSHException: No existing session	13:59
ayoung	is it looking for an ssh-agent?	13:59
bknudson	I always have ssh-agent running	14:00
ayoung	yeah, that was it. Doing an explicit ssh-add made it work	14:01
*** stevemar has joined #openstack-keystone		14:09
*** leseb has joined #openstack-keystone		14:12
* larsks notes that "No existing session" is also paramiko's secret code for "you're using the wrong username"		14:13
*** gokrokve has quit IRC		14:20
*** gokrokve_ has joined #openstack-keystone		14:20
*** gokrokve_ has quit IRC		14:20
*** gokrokve has joined #openstack-keystone		14:21
*** marekd is now known as marekd\|away		14:21
*** jaosorior has quit IRC		14:21
dolphm	larsks: good to know	14:28
*** henrynash has quit IRC		14:29
*** dstanek_zzz is now known as dstanek		14:29
*** gokrokve has quit IRC		14:38
*** sbfox has joined #openstack-keystone		14:39
*** gokrokve has joined #openstack-keystone		14:40
*** gokrokve_ has joined #openstack-keystone		14:41
*** gokrokve has quit IRC		14:45
openstackgerrit	Christian Berendt proposed a change to openstack/keystone: debug level logs should not be translated https://review.openstack.org/93013	14:46
*** rodrigods_ has joined #openstack-keystone		14:49
*** gokrokve_ has quit IRC		14:51
*** rodrigods_ has quit IRC		14:53
*** xianghui has quit IRC		14:54
*** gokrokve has joined #openstack-keystone		14:56
*** andriyk0 has joined #openstack-keystone		15:02
*** daneyon has joined #openstack-keystone		15:02
andriyk0	Hello guys! Could you please help me to understand how the keystone-client tests work? For me it looks like it is kind of "fake everything". What 'ref' and 'req_ref' are?	15:04
*** sbfox has quit IRC		15:22
*** gyee has joined #openstack-keystone		15:29
*** leseb has quit IRC		15:32
dolphm	andriyk0: can you link to a specific test that you're looking at?	15:32
dolphm	andriyk0: happy to talk through one	15:32
*** gokrokve_ has joined #openstack-keystone		15:36
andriyk0	dolphm: /.venv/lib/python2.7/site-packages/keystoneclient/tests/v3/utils.py	15:39
andriyk0	keystoneclient.tests.v3.utils.CrudTests#test_create	15:39
andriyk0	I am interested in ref and req_ref	15:39
*** gokrokve has quit IRC		15:40
*** sbfox has joined #openstack-keystone		15:42
andriyk0	what should be passed to self.stub_entity entity argument? I suspect that is body of request?	15:42
andriyk0	and then self.assertEntityRequestBodyIs(req_ref). Is it not a fake? We set params for body in request and then check it? Of course it will never fail	15:43
*** joesavak has joined #openstack-keystone		15:44
*** jsavak has quit IRC		15:46
ayoung	andriyk0, just dealt with this last night	15:49
ayoung	the refs are assuming that the whole thing is going to be built up into a response. But there are other ways to do it.	15:49
ayoung	andriyk0, https://review.openstack.org/#/c/81166/13/keystoneclient/tests/v3/test_revoke.py,cm line 42	15:52
ayoung	I actually produce the expected result out of the JSON read from the examples directory	15:52
dolphm	andriyk0: https://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/tests/v3/utils.py#L189-L211	15:54
dolphm	andriyk0: this isn't actually a standalone test, though	15:54
*** sbfox has quit IRC		15:55
openstackgerrit	Steve Martinelli proposed a change to openstack/identity-api: Add ``user`` object to the mapping rules examples. https://review.openstack.org/90121	16:01
ayoung	stevemar, do we need a User in each rule? I don't think we do	16:05
stevemar	ayoung, was going to ping you about that, the way the mapping rules are evaluated, there has to be at least one 'user' rule	16:06
andriyk0	ayoung: so 'ref' is what I expect in response and 'req_ref' is reuest's body. correct?	16:06
ayoung	stevemar, right...	16:06
ayoung	stevemar, not really sufficient, though	16:07
ayoung	you need to make sure that everyone is covered. So a rule that only covers, say, ayoung@REDHAT.COM won't cut it	16:07
*** daneyon has quit IRC		16:07
andriyk0	dolphm: yes. I know that it is not a standalone test, but it is inherited by all tests that do crud operations	16:07
*** daneyon has joined #openstack-keystone		16:08
andriyk0	so understanding of https://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/tests/v3/utils.py#L189-L211 is crucial for me	16:08
ayoung	andriyk0, the stub_entity call basically builds the response for HTTPretty. https://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/tests/v3/utils.py#L167	16:08
ayoung	andriyk0, and that calls self.stub_url...	16:09
ayoung	and I can't see where that is defined in that file...one sec	16:09
stevemar	otherwise, we wouldn;t know what to drop into the token	16:10
stevemar	ayoung, ^ the user option can take advantage of the wildcard operation {0}	16:11
stevemar	since it's normally just specifying a SAML attribute, and not SAML attribute+value	16:11
ayoung	stevemar, right...I think what we need to say is that all valid users need to have a rule that maps userids.	16:11
stevemar	ayoung, we're not saying that?	16:12
stevemar	let me look at the patch again	16:12
ayoung	stevemar, is there an ordering of the rules, that ensures the wildcard only applies if no other rule applies?	16:12
stevemar	ayoung, you mean if there were 2 rules that were the same 'remote' value?	16:13
stevemar	either way, i think the answer is no	16:14
ayoung	stevemar, say on that mapped stemevar@ibm.com to Admin and another that was a {0}	16:14
stevemar	ayoung, i see what you mean	16:16
andriyk0	ok. thanks, guys	16:16
*** andreaf has quit IRC		16:16
ayoung	stevemar, Juno feature waiting there, I think	16:17
ayoung	andriyk0, got what you needed? What are you trying to test?	16:17
stevemar	ayoung, i believe we pick the first one, and log the second	16:17
ayoung	stevemar, but how do we define first and second?	16:17
stevemar	ayoung, there is no notion of priority	16:17
ayoung	ordering should be explicit	16:17
andriyk0	actually not :), but I will spend some time to put correct prints for debugging in order to understand where those ref and req_ref are used	16:18
andriyk0	but this is helpful "the stub_entity call basically builds the response for HTTPretty" - now I know the place where the response is built	16:19
*** andriyk0 has quit IRC		16:20
*** sbfox has joined #openstack-keystone		16:24
*** gokrokve_ has quit IRC		16:25
*** marcoemorais has joined #openstack-keystone		16:35
ayoung	dolphm, do we have a mechanism to do away with URL building code like this and instead detect how the object was referecnes/called? return self._create('/users/%s/credentials/OS-EC2' % user_id,	16:36
ayoung	params, "credential", management=False)	16:36
*** dstanek is now known as dstanek_zzz		16:38
*** gokrokve has joined #openstack-keystone		16:41
-openstackstatus- NOTICE: New contributors can't complete enrollment due to https://launchpad.net/bugs/1317957 (Gerrit is having trouble reaching the Foundation Member system)		16:42
*** ChanServ changes topic to "New contributors can't complete enrollment due to https://launchpad.net/bugs/1317957 (Gerrit is having trouble reaching the Foundation Member system)"		16:42
*** harlowja_away is now known as harlowja		16:50
*** florentflament has quit IRC		16:50
*** harlowja is now known as harlowja_away		16:51
*** gabriel-bezerraa has quit IRC		16:52
*** gabriel-bezerra has joined #openstack-keystone		16:54
*** gokrokve has quit IRC		16:55
*** lbragstad has quit IRC		16:55
*** harlowja_away is now known as harlowja		16:56
*** dstanek_zzz is now known as dstanek		17:00
*** sbfox has quit IRC		17:04
openstackgerrit	ayoung proposed a change to openstack/keystone: Basic-Auth middleware https://review.openstack.org/92137	17:06
*** sbfox has joined #openstack-keystone		17:14
*** Amrita has joined #openstack-keystone		17:16
Amrita	http://paste.openstack.org/show/79752/	17:17
Amrita	How can I restore my clustre's mysql service ?	17:17
*** gokrokve has joined #openstack-keystone		17:22
*** Anju_ has joined #openstack-keystone		17:23
*** praneshp has joined #openstack-keystone		17:27
*** dims_ is now known as clueless		17:27
*** clueless is now known as dims		17:27
*** atmark has quit IRC		17:30
ayoung	Amrita, depends on your distro, but probably just service mysqld start on each node	17:37
gabriel-bezerra	ayoung: I figured out that I couldn't authenticate with curl but it worked ok when I used Postman REST Client. Are you still using curl to test keystone api? The command I was issuing was pretty much the same I could find on some post of your blog.	17:41
ayoung	" I couldn't authenticate with curl " what do you mean by that?	17:41
gabriel-bezerra	I mean.. have you had any problems working with curl to test keystone on apache recently?	17:42
ayoung	nope	17:42
ayoung	use it just the other day	17:42
ayoung	with Kerberos	17:42
gabriel-bezerra	it always returns me Unauthorized	17:42
ayoung	it doesn't like you	17:42
*** atmark has joined #openstack-keystone		17:43
ayoung	gabriel-bezerra, grep through the code for if username = "gabriel-bezerra" and you can see where I explicitly lock you out.	17:43
*** atmark is now known as Guest11293		17:43
nkinder	ayoung: that referral backport needs some changes to make the tests work	17:43
ayoung	nkinder, no surprise	17:43
nkinder	ayoung: fakeldap had quite a few changes, so the tests don't work.	17:44
gabriel-bezerra	hehehe.. I take a token with a POST to /v3/auth/tokens and \| awk '/X-Subject-Token/ {print $2}'	17:44
ayoung	the whole FakeLDAP/...yep	17:44
nkinder	I think the actual fix is the easy part, it's just the tests that are difficult (and maybe not worth worrying about)?	17:44
*** marcoemorais has quit IRC		17:44
*** bknudson has left #openstack-keystone		17:45
ayoung	nkinder, hmmm....hate to have it without tests, but the FakeLDAP tests are kindof meaningless	17:45
nkinder	ayoung: I don't see how it is actually testing referral chasing	17:45
ayoung	gabriel-bezerra, can you run keystone in a debugger? Guessing you are not getting the token. Turn on Keystone debugging in the conf file anyway	17:45
*** marcoemorais has joined #openstack-keystone		17:46
ayoung	nkinder, so long as we run something in liveldap that shows Just adding the option doesn't break a normal usage it is safe.	17:46
ayoung	But yeah, chop out the tests, and we can test that by hand as we need to anyway	17:46
gabriel-bezerra	export ADMIN_TOKEN=$(curl -si -d @token-request.json -H "Content-type: application/json" http://10.1.0.48:5000/v3/auth/tokens \| awk '/X-Subject-Token/ {print $2}')	17:47
gabriel-bezerra	curl -si -H "X-Auth-Token: $ADMIN_TOKEN" -H "Content-type: application/json" http://10.1.0.48:5000/v3/services	17:48
gabriel-bezerra	returns Unauthorized	17:48
gabriel-bezerra	but...	17:48
gabriel-bezerra	$ echo $ADMIN_TOKEN \| wc -c	17:48
gabriel-bezerra	8170	17:48
gabriel-bezerra	it does look like a token	17:49
*** daneyon has quit IRC		17:50
*** afaranha has left #openstack-keystone		17:50
gabriel-bezerra	ayoung: I set debug=True on keystone.conf, but I couldn't find usefulh information on the logs.	17:53
*** richm has joined #openstack-keystone		17:53
*** bknudson has joined #openstack-keystone		17:54
ayoung	gabriel-bezerra let me see your code?	17:55
*** derek_c has joined #openstack-keystone		17:55
gabriel-bezerra	ayoung: what part of the code you mean? keystone.conf?	17:56
ayoung	no, the calling code. fpaste your curl call	17:56
gabriel-bezerra	ok	17:57
ayoung	gabriel-bezerra, you are sure you got back a token?	17:57
gabriel-bezerra	yes I am	17:57
ayoung	gabriel-bezerra, then you got authenticated properly	17:57
*** dstanek is now known as dstanek_zzz		17:58
ayoung	the problem is either that you are requesting a resource that you have no permissions on	17:58
ayoung	or that the URL is configured to do Authentication (Kerberos or whatever) and you are not calling curl with the right options to pass through that. Or something	17:58
*** gokrokve has quit IRC		17:59
*** gokrokve_ has joined #openstack-keystone		17:59
gabriel-bezerra	ayoung: https://gist.github.com/gabriel-bezerra/ed61678e7346e599e257	18:02
*** derek_c has quit IRC		18:02
*** sbfox has quit IRC		18:02
ayoung	http://10.1.0.48:5000/v3/services	18:03
ayoung	shouldn't that be 35357?	18:03
gabriel-bezerra	anyway, the result is the same	18:04
*** morganfainberg_Z is now known as morganfainberg		18:04
ayoung	yeah, it would be a 404 otherwise	18:04
gabriel-bezerra	I've just done it to check. Got same result.	18:04
morganfainberg	ayoung, compressed tokens is looking good (trying to get the full review done before hopping on a plane)	18:04
ayoung	morganfainberg, that would be swell	18:05
morganfainberg	gabriel-bezerra, for the mod-shib documentation for apache 2.4, would including at the top that this was done on 12.04 be sufficient (vs just "ubuntu")?	18:05
*** dstanek_zzz is now known as dstanek		18:05
morganfainberg	gabriel-bezerra, 12.04 ships apache 2.2 (not 2.4)	18:05
gabriel-bezerra	ayoung: when I used Postman, I copied and pasted the token and it worked out. With curl, I get that error.	18:06
ayoung	gabriel-bezerra, I've not seen that.	18:07
ayoung	gabriel-bezerra, how long is your token?	18:08
gabriel-bezerra	morganfainberg: Ubuntu 12.04 and Apache 2.2. It would make clear that the apache version is not recent.	18:09
gabriel-bezerra	morganfainberg: does it make sense to you?	18:09
morganfainberg	gabriel-bezerra, would you be opposed to that coming as a followup patch?	18:09
morganfainberg	gabriel-bezerra, i'd like to get that documentation merged, i can propose that change today as a followup if that works.	18:10
gabriel-bezerra	ayoung: you mean the token I got with postman?	18:10
morganfainberg	gabriel-bezerra, and yes, that makes sense.	18:10
ayoung	gabriel-bezerra, ah, you are getting the token via a different mechanism....no clue. You going to be at the Summit next week?	18:10
gabriel-bezerra	morganfainberg: no, I wouldn't. I just got the error and would like that the doc at least warned about that.	18:12
morganfainberg	gabriel-bezerra, great, i'll respond to your comment on that and get a follwup being more specific propsed :)	18:12
gabriel-bezerra	ayoung: When I both got the token and used the api with Postman, it worked. When I both got the token and used the api with curl, I got the error.	18:13
morganfainberg	ayoung, https://review.openstack.org/#/c/71181/39/keystoneclient/common/cms.py line #315, is that meant to be encoding text_types only (unicode) or also convert byte_str to bytearray as well?	18:13
ayoung	morganfainberg, whatever it is, it works for both py3 and py27	18:14
gabriel-bezerra	ayoung: I won't make it to this Summit.	18:14
morganfainberg	ayoung, ok works for me.	18:14
ayoung	gabriel-bezerra, bummer...	18:14
morganfainberg	gabriel-bezerra, :( thats unfortunate!	18:15
ayoung	morganfainberg, txt types only	18:15
morganfainberg	ayoung, in py27, six.string_types will be str() and unicode()	18:15
ayoung	not sure what byte_str means in that case.	18:15
ayoung	morganfainberg, yep	18:15
morganfainberg	byte_str = py27 str()	18:16
morganfainberg	text_type = unicode()	18:16
morganfainberg	in 27 you shouldn't need that conversion, but i don't think it hurts...	18:16
ayoung	morganfainberg, pretty sure that conversion was for 33	18:16
morganfainberg	i'm not sure you'll ever hit the else in py27	18:16
morganfainberg	ayoung, right,	18:16
morganfainberg	ayoung, it's fine, just making sure i understood the intention :)	18:17
ayoung	morganfainberg, we need to make sure that what we pass to popen is a string format	18:17
ayoung	ah	18:18
ayoung	I mean "not" a string format, for py3	18:18
morganfainberg	ayoung, ++	18:18
ayoung	it was that whole universal newline thing	18:18
morganfainberg	ayoung, ahhh ok yeah	18:18
ayoung	that might be the py27 specific code. as py33 is alreay a byte array, no?	18:18
morganfainberg	ayoung, no py33 str() = py27 unicode	18:19
morganfainberg	ayoung, bytes() is the type in py33 you'd want, but bytearray is 27/33 compatible	18:19
morganfainberg	bytes() in 27 = str() in 27	18:19
morganfainberg	it's... stupidly confusing	18:19
ayoung	morganfainberg, my head hurts	18:19
morganfainberg	ayoung, so does mine :P	18:20
ayoung	yeah, and this works, and was done by trial and error over a month ago and I forget	18:20
morganfainberg	ayoung, i'm going to stop worrying about this. it looks good.	18:20
morganfainberg	ayoung, and if it works -- we can make it better in the future	18:20
morganfainberg	if needed	18:20
ayoung	morganfainberg, yep.	18:21
*** diegows has joined #openstack-keystone		18:23
morganfainberg	ayoung, https://review.openstack.org/#/c/71181/39/keystoneclient/tests/client_fixtures.py line 188 is that supposed to be zlib- or PKIZ_ prefixing the token?	18:23
ayoung	morganfainberg, just garbage	18:24
morganfainberg	ayoung, sure, wasn't sure if you were planning on using the real prefix or not	18:24
ayoung	I guess PKIZ_ would go deeper into the test, though	18:24
morganfainberg	ayoung, the ASN1 has the real prefix is all	18:25
ayoung	morganfainberg, can't hurt to change that,	18:25
morganfainberg	ayoung, ok i'll tag it / comment	18:25
ayoung	yreah, should be PKIZ I think. That might be based on an old appraoch.	18:25
morganfainberg	ayoung, cool	18:25
stevemar	marekd\|away, ping?	18:32
morganfainberg	stevemar, https://review.openstack.org/#/c/89220/ add a followup patch that fixes gabriel-bezerra's concern about apache 2.4 (or i can later today)	18:35
morganfainberg	stevemar, just approved that one after the irc convo.	18:35
*** derek_c has joined #openstack-keystone		18:35
stevemar	morganfainberg, doing that now, was hoping to ask marekd\|away what his system was specically	18:35
morganfainberg	stevemar, ++	18:35
stevemar	morganfainberg, i'll just have to call out < 2.4 instead	18:35
morganfainberg	stevemar, sure.	18:36
morganfainberg	stevemar, it's safe to call it 2.2 - my guess	18:36
morganfainberg	stevemar, rather than < 2.4	18:36
stevemar	yeah	18:36
stevemar	morganfainberg, "The following configuration steps were performed on a machine running	18:37
stevemar	Ubuntu 12.04 and Apache 2.2.22."	18:37
morganfainberg	stevemar, ++ works for me.	18:37
stevemar	cool	18:37
openstackgerrit	Steve Martinelli proposed a change to openstack/keystone: Add detailed federation configuration docs https://review.openstack.org/89220	18:38
morganfainberg	stevemar, or.. you could update the patch and punt it out of gate :P	18:38
stevemar	morganfainberg, i wrote a good chunk of this, i feel bad even +2'ing it	18:39
morganfainberg	stevemar, ah ok	18:39
morganfainberg	i see the co-author now.	18:39
morganfainberg	stevemar, works for me	18:39
stevemar	i mean, a lot of it was just moving things around and putting the structure in place, and making it rst friendly	18:39
stevemar	but ya know	18:39
morganfainberg	well +2 then.	18:40
morganfainberg	i'll let you chase soemone else down for the followup +2+A	18:40
stevemar	morganfainberg, ah shoot, i didn't realize you had +A'ed it	18:41
stevemar	lol	18:41
morganfainberg	stevemar, i told you specifically before you revised it :P	18:41
stevemar	morganfainberg, you said patch!	18:41
stevemar	morganfainberg, that means put up another revision	18:42
morganfainberg	stevemar, [20140509 11:35:14] <morganfainberg> stevemar, just approved that one after the irc convo.	18:42
morganfainberg	stevemar, [20140509 11:35:34] <stevemar> morganfainberg, doing that now, was hoping to ask marekd\|away what his system was specically	18:42
morganfainberg	:P	18:42
stevemar	morganfainberg, man, now i went and destroyed the gate	18:42
morganfainberg	stevemar, hehe	18:43
stevemar	morganfainberg, our mail server is too slow, i get the notice a few minutes too late	18:43
morganfainberg	stevemar, aww :(	18:43
* morganfainberg writes a gerritbot to send notices to stevemar on all voting of patches he's watching. (private messages)		18:43
* stevemar apologizes to the magical gate		18:43
morganfainberg	:P	18:44
stevemar	morganfainberg, no worries, i can always get dolphm to take another look at it	18:44
morganfainberg	stevemar, looks like mod_wsgi wont ever work until we get compressed tokens :(	18:45
dolphm	morganfainberg: there's a patch for that	18:45
morganfainberg	stevemar, tempest that is	18:45
morganfainberg	dolphm, lol just reviewed it. minor issue with the client fixture, but ti's close	18:45
dolphm	morganfainberg: upload a patchset!	18:46
morganfainberg	dolphm, planning on it.	18:46
openstackgerrit	Morgan Fainberg proposed a change to openstack/python-keystoneclient: Compressed Signature and Validation https://review.openstack.org/71181	18:48
morganfainberg	dolphm, otherwise keystoneclient change looks good to me.	18:49
morganfainberg	ok gotta head out for a bit. be back... in a few hours i hope.	18:51
*** kfox1111 has joined #openstack-keystone		18:58
kfox1111	ok, so I added a heat domain as described in the release notes, and lots of things just broke.	18:58
kfox1111	are there other things I need to do to enable multiple domains?	18:58
*** sbfox has joined #openstack-keystone		19:01
kfox1111	...	19:04
kfox1111	some of my tenants disapeared...	19:04
*** derek_c has quit IRC		19:04
kfox1111	how can that happen?!?	19:07
openstackgerrit	A change was merged to openstack/keystone: Reduce excess LDAP searches https://review.openstack.org/47441	19:08
*** sbfox has quit IRC		19:08
dolphm	(does heat ever delete tenants/projects?)	19:17
*** openstackgerrit has quit IRC		19:19
*** openstackgerrit has joined #openstack-keystone		19:20
kfox1111	I should think not...	19:23
*** IanGovett1 has joined #openstack-keystone		19:23
kfox1111	whatever the case, this is a serious issue.	19:23
*** IanGovett has quit IRC		19:25
kfox1111	shoudln't keystone.user_group_membership have stuff in it?	19:27
kfox1111	hmm.. assignment table I guess...	19:28
kfox1111	:/	19:29
kfox1111	so...	19:29
kfox1111	keystone user-role-list --user-id f5a3891411f34614b499f53fae5674ad prints nothing	19:29
kfox1111	but if I look in assignments, I see:	19:29
kfox1111	\| UserProject \| f5a3891411f34614b499f53fae5674ad \| 94c1fbbc041f477f9b56275c887ac724 \| 373c8af87f224286810eff872d3ac042 \| 0 \|	19:29
*** erecio_1 has joined #openstack-keystone		19:29
ayoung	nkinder, We can finally forget about "Remember the DN."	19:30
*** dims has quit IRC		19:30
nkinder	ayoung: yay!	19:31
*** Anju_ has quit IRC		19:31
*** erecio has quit IRC		19:32
*** sbfox has joined #openstack-keystone		19:39
stevemar	kfox1111, did you get any farther?	19:43
*** sbfox has quit IRC		19:49
kfox1111	well, I recovered...	19:51
kfox1111	I recreated the tenant manually in the database,	19:51
kfox1111	then readded users to the tenant and things are back to working.	19:51
kfox1111	all the vm's are still there.	19:51
kfox1111	I'm wondering if heat behaves badly if you don't update the keystone endpoing url to be v3.	19:52
ayoung	nkinder, http://junodesignsummit.sched.org/event/811d49302b270670aaa25c06a49ee77b#.U20yFTkjPiU Just realized that was on the schedule.	19:53
ayoung	Signed Images....which means certificate management	19:53
*** rodrigods has quit IRC		19:58
*** derek_c has joined #openstack-keystone		20:03
*** dims has joined #openstack-keystone		20:04
*** dc_ has joined #openstack-keystone		20:06
*** daneyon has joined #openstack-keystone		20:07
ayoung	bknudson, https://review.openstack.org/#/c/92727/4/keystone/service.py,cm You are calling Tokens an extension, but it really is not. We need to have a standard name for the core modules.	20:08
bknudson	ayoung: yes, what should it be called?	20:08
dc_	what is the best way to make keystone HA?	20:08
*** jsavak has joined #openstack-keystone		20:11
*** derek_c has quit IRC		20:11
*** joesavak has quit IRC		20:14
*** derek_c has joined #openstack-keystone		20:14
ayoung	bknudson, I was thinking "modules" but I'm flexible?	20:16
bknudson	ayoung: so you think there should be a v2.0/modules reponse?	20:16
bknudson	and not in v2.0/extensions?	20:16
ayoung	bknudson, I was not sure. I was toying with just doing it all in Links	20:16
bknudson	or v2.0/extensions returns both 'extensions' and 'modules'?	20:17
ayoung	token and other core things should be in sync with the /v2.0 page	20:17
bknudson	this is also something that we could do with v3	20:17
bknudson	actually there is a v3 revocation list	20:17
ayoung	yep	20:17
dolphm	dc_: spread keystone horizontally and focus your HA efforts on keystone's backend	20:17
bknudson	I don't think auth_token will use the v3 revocation list	20:17
ayoung	bknudson, they are both the same format.	20:18
ayoung	At least, I think they were when I did it	20:18
bknudson	y, the code is copy-pasted. it should be easy to change auth_token to use it.	20:18
dolphm	bknudson: there's a patch for it to do so	20:18
dolphm	bknudson: that looked really close	20:18
dolphm	bknudson: the patch actually eliminated any dep on v2	20:19
bknudson	dolphm: I think I saw one for fetching PKI certs, but did that handle revocation list, too?	20:19
dolphm	bknudson: probalby the same patch, yeah	20:19
dc_	@dolphm: so cluster the mysql database? with galera or something?	20:21
bknudson	yep, it does use /v3/auth/tokens/OS-PKI/revoked -- https://review.openstack.org/#/c/88620/9/keystoneclient/middleware/auth_token.py	20:22
bknudson	I should stop working on other stuff and get these things merged	20:22
*** erecio_2 has joined #openstack-keystone		20:28
*** erecio_1 has quit IRC		20:31
*** sbfox has joined #openstack-keystone		20:32
*** sbfox has quit IRC		20:32
*** sbfox has joined #openstack-keystone		20:33
*** sbfox has quit IRC		20:33
*** sbfox has joined #openstack-keystone		20:34
*** erecio_2 has quit IRC		20:34
*** sbfox has quit IRC		20:35
stevemar	ayoung, another doc patch for federation coming up	20:38
stevemar	hot and freshly made to order	20:38
ayoung	stevemar, you see the distinction I'm going for?	20:39
stevemar	yep	20:39
openstackgerrit	Steve Martinelli proposed a change to openstack/keystone: Add detailed federation configuration docs https://review.openstack.org/89220	20:39
dc_	@dolphm: so cluster the mysql database? with galera or something?	20:41
openstackgerrit	Diane Fleming proposed a change to openstack/identity-api: Pretty print JSON sample files https://review.openstack.org/93003	20:53
*** ChanServ changes topic to "Sunday summit meetup @ http://www.parkbaratlanta.com/ (5 min walk from conference) \| Potential mid-cycle hackathon dates: July 9, 10, 11 (Wed-Fri)"		20:55
*** joesavak has joined #openstack-keystone		20:56
*** jsavak has quit IRC		20:59
*** raildo has quit IRC		21:00
openstackgerrit	Diane Fleming proposed a change to openstack/identity-api: Pretty print JSON sample files https://review.openstack.org/93003	21:02
*** derek_c has quit IRC		21:05
*** sbfox has joined #openstack-keystone		21:22
*** sbfox has quit IRC		21:22
*** sbfox has joined #openstack-keystone		21:23
*** sbfox has quit IRC		21:24
gabriel-bezerra	morganfainberg, regarding https://review.openstack.org/90771: I've just seen that a2ensite on ubuntu 14.04 (apache 2.4) ignores .conf in the end of the file...	21:25
*** sbfox has joined #openstack-keystone		21:25
*** sbfox has quit IRC		21:25
*** sbfox has joined #openstack-keystone		21:26
*** sbfox has quit IRC		21:26
gabriel-bezerra	so, it only accepts sites that end with .conf; it shows the message "available sites: keystone, horizon"; but it will recognize as 'keystone' if you put 'keystone.conf' as parameter	21:27
gabriel-bezerra	my idea then is to change ubuntu's enable_apache_site to receive as parameter just the site name and use a2ensite ${site}.conf	21:29
*** harlowja has quit IRC		21:29
*** dstanek is now known as dstanek_zzz		21:33
gabriel-bezerra	the problem is that swift and horizon also use the same function and configuration files in different ways.	21:33
*** daneyon has quit IRC		21:34
*** dc_ has quit IRC		21:35
*** praneshp has quit IRC		21:42
*** praneshp has joined #openstack-keystone		21:43
*** stevemar has quit IRC		21:44
*** dims has quit IRC		21:50
gabriel-bezerra	morganfainberg: I'll put that on gerrit	21:51
*** derek_c has joined #openstack-keystone		21:53
*** daneyon has joined #openstack-keystone		21:53
*** dstanek_zzz is now known as dstanek		21:54
*** jsavak has joined #openstack-keystone		21:58
*** dims has joined #openstack-keystone		21:59
*** joesavak has quit IRC		22:01
*** gokrokve_ has quit IRC		22:01
*** dstanek is now known as dstanek_zzz		22:04
*** openstackgerrit has quit IRC		22:05
*** openstackgerrit has joined #openstack-keystone		22:05
boris-42	ayoung around?	22:10
*** arosen has joined #openstack-keystone		22:10
arosen	I got a quick keystone question. As a normal tenant doing keystone tenant-list you get a 403	22:11
arosen	That cli command makes a request to keystone on :35357 but if i take the same auth token and make the request on 5000 it works fine.	22:11
arosen	I'm curious if this is intended or not and why?	22:11
ayoung	boris-42, yep	22:15
boris-42	ayoung does keystone use ceilometer stuff?	22:15
ayoung	boris-42, nope	22:15
boris-42	ayoung oh at all?	22:15
ayoung	boris-42, not at all. Ceilometer might collect events from Keystone, but Keystone doesn't know about it if it happens.	22:16
boris-42	ayoung I mean I would like to send from keystone notifications	22:16
boris-42	ayoung e.g. using notification.api	22:17
nkinder	ayoung: I have ipsilon and freeipa up and running, and I'm working on setting keystone up to use it.	22:17
ayoung	nkinder, nice!	22:17
nkinder	ayoung: hopefully I have a working setup on my laptop that I can show to others	22:17
ayoung	that would be great	22:17
nkinder	ayoung: ipsilon is pretty nice given that I can use kerberos to login to the idp	22:18
ayoung	nkinder, Oh, yeah, it makes a lot of sense.	22:19
openstackgerrit	Aaron Rosen proposed a change to openstack/python-keystoneclient: Fix Client to use admin_url when querying for tenants https://review.openstack.org/93139	22:28
*** bknudson has quit IRC		22:36
*** jsavak has quit IRC		22:40
*** ayoung is now known as ayoung-out		22:44
*** dstanek_zzz is now known as dstanek		22:51
*** harlowja has joined #openstack-keystone		22:54
*** sbfox has joined #openstack-keystone		22:55
*** sbfox has quit IRC		23:00
gabriel-bezerra	arosen: AFAIK that api on 35357 was a bad idea on history of Keystone and the plan is to make both apis equal.	23:00
gabriel-bezerra	other people in this channel should have a better answer	23:01
*** sbfox has joined #openstack-keystone		23:06
*** sbfox has quit IRC		23:10
*** ericvw has quit IRC		23:12
*** dims has quit IRC		23:12
*** sbfox has joined #openstack-keystone		23:14
*** sbfox has quit IRC		23:14
*** sbfox has joined #openstack-keystone		23:15
*** IanGovett1 has quit IRC		23:24
morganfainberg	gabriel-bezerra, ++ or better yet, deploy behind apache on port 443 (https) behind something akin to /identity for the first part of the URL	23:32
morganfainberg	arosen, ^ (what i said to gabriel-bezerra)	23:32
morganfainberg	gabriel-bezerra, arosen, that claim (same on both ports) would be for v3 not v2 of the API	23:33
openstackgerrit	OpenStack Proposal Bot proposed a change to openstack/identity-api: Updated from global requirements https://review.openstack.org/93153	23:49
openstackgerrit	OpenStack Proposal Bot proposed a change to openstack/keystone: Updated from global requirements https://review.openstack.org/91225	23:50
*** praneshp has quit IRC		23:59

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!