Friday, 2014-08-08

00:00 <jamielennox> dstanek, gyee: thanks
00:03 <jamielennox> gyee, bknudson: going back through some of my older reviews i had marked this one WIP https://review.openstack.org/#/c/90632/
00:04 <jamielennox> the reason being that if nova or something has a tenant_id in the service catalog URL it won't be able to just trim a suffix
00:05 <jamielennox> do we think it matters? does it need to be a regexp or something?
00:08 <gyee> jamielennox, ++ for backward compatibility
00:10 <gyee> wtf? tenant_id in the url?
00:10 <jamielennox> gyee: we definitely need something like that, and i had bknudson's +2 on it already - it just won't work for the compute endpoints
00:11 *** Dafna has joined #openstack-keystone
00:11 *** morganbird has joined #openstack-keystone
00:11 <jamielennox> for nova i see:
00:11 <jamielennox> http://localhost:$(compute_port)s/v1.1/$(tenant_id)
00:11 <jamielennox> also
00:11 <jamielennox> http://localhost:8776/v1/$(tenant_id)s
00:12 <jamielennox> http://localhost:8888/v1/AUTH_$(tenant_id)s
00:12 <jamielennox> who is 8776 and 8888?
00:12 *** xianghui has quit IRC
00:12 <gyee> probably Swift
00:12 <gyee> Swift has this reseller prefix thingy
00:12 *** xianghui has joined #openstack-keystone
00:12 <jamielennox> swift is 8888
00:13 <jamielennox> the other is volume
00:13 *** morganbird has quit IRC
00:13 <gyee> I remember seeing Swift adding reseller prefix in the url
00:14 *** morganbird has joined #openstack-keystone
00:14 <gyee> jamielennox, but for that review, we only care about identity url right?
00:14 <jamielennox> maybe there's nothing i can do for them
00:14 <jamielennox> gyee: not really, everything will go through this point
00:15 <jamielennox> when i say i want a compute (3, 0) endpoint it will get this opportunity to munge the 'compute' endpoint
00:15 <gyee> oh, I see what you mean
00:15 <gyee> bloody
00:16 <jamielennox> this is horrible
00:16 <jamielennox> i can see why nova just added a computev3 service type
00:18 *** tpatil_ has quit IRC
00:19 *** morganbird has quit IRC
00:20 <jamielennox> gyee: i'm not actually sure how it would work for nova anyway
00:21 <jamielennox> if i have to strip back to / and then i do discovery and find i should use the v1 url then i would have to add that stripped part back to the URL before returning it
00:22 <gyee> jamielennox, I would think you do one or the other, both not mix the two
00:22 <gyee> either get it from the SC, or discovery
00:22 <gyee> s/both/but/
00:24 <gyee> perhaps like you said, add a regex_match param to get_endpoint()?
00:26 <jamielennox> so with keystone it's not too hard because if i strip the /v2.0 i get / and then i do discovery to find that i either want /v2.0 or /v3
00:27 <jamielennox> with nova if i strip the /v1/(tenant_id) to / and do discovery i'll get /v1 and /v3 - but that's not enough because the v1 response has to return /v1/(tenant_id) to work
00:35 *** nbarnett has joined #openstack-keystone
00:36 *** nbarnett has quit IRC
00:37 <jamielennox> gyee: lol, but cry - it makes no difference, nova's discovery is broken anyway: http://paste.openstack.org/show/91788/
00:39 <bknudson> I doubt there will ever be a compute v3
00:39 <bknudson> I don't see how anyone's ever going to have a new version
00:39 <bknudson> I think glance might have a v2
00:39 <bknudson> jamielennox: that is funny
00:39 <bknudson> let's just use json home instead.
00:40 <jamielennox> bknudson: it's actually my fault the correct url is /v2 not /v2.0 - but it's still broken
00:40 <jamielennox> json home doesn't solve the initial problem though
00:40 <bknudson> what's the initial problem?
00:40 <jamielennox> we still have these values in the service catalog
00:41 <bknudson> we can return JSON Home for /v2 also
00:41 <jamielennox> i get timeout errors asking for /v2 and /v3 - this will be interesting
00:41 <bknudson> just return the same document for all /v2 whatevers
00:43 <jamielennox> the problem is doing the stripping of the URLs to do discovery on what's available, if i strip /v1/(tenant_id) down to / to do discovery and then decide i want to use v1 then i've lost the (tenant_id) part of the url that needs to be returned
00:44 <bknudson> change nova to return the JSON Home for /v1/(tenant_id)
00:44 <bknudson> just return JSON Home for everything
00:44 <jamielennox> the complete home? v1 and v3?
00:45 <bknudson> good question.. maybe it's just v1? (since v3 is experimental and will be going away)
00:45 *** zzzeek has quit IRC
00:45 <jamielennox> also how will JSON home handle returning URLs with a (tenant_id) in them that changes based on authentication?
00:45 *** marcoemorais has quit IRC
00:45 <jamielennox> i mean i can see that you can do it - it's just horrible
00:46 *** diegows has quit IRC
00:47 <jamielennox> i think it's a shame they are killing off v3 for the sake of precedent it sets. There are good reasons to make a new api version and if they feel they need it they should make it
00:47 <jamielennox> at this rate no-one will ever be able to make a new version
00:48 <bknudson> we really are stuck with what we've got
00:48 <bknudson> you get too much baggage
00:49 <jamielennox> this was part of the goal of all this session and discovery work - make it easier to run multiple APIs side by side
00:49 <jamielennox> make it easier to transition between them
00:50 <gyee> jamielennox, yeah, not much we can do there
00:50 <bknudson> maybe solve it for keystone and we go from there.
00:51 <jamielennox> i think one day we'll want a v4 - that will be fun
00:51 <gyee> jamielennox, I've got a feeling you are going to propose a "lets fix this fucking service catalog" session in Paris
00:51 <jamielennox> gyee: honestly i don't care about the format, i'm at the point i just want it to work
00:51 <jamielennox> i want the services to all be consistent in what they do
00:52 <jamielennox> any 'fix' will take ages to come through and from a client perspective i'm still going to have to be backwards compatible with the broken crap we have now
00:53 <gyee> uh, version the SCs? :)
00:53 <jamielennox> lol
00:53 *** ayoung has joined #openstack-keystone
00:54 <jamielennox> the basics of the data structure we need are there - the problem is coming up with a migration path for the data from what we have now to what should go in the catalog
00:55 <jamielennox> wtf thought that /v1/AUTH_%(tenant_id) was a good idea
00:56 <openstackgerrit> A change was merged to openstack/python-keystoneclient: Remove intersphinx mappings  https://review.openstack.org/112479
00:57 <gyee> not me :)
00:59 <jamielennox> hey novaclient approved the conversion to requests-mock :) some good news for this morning
01:15 *** morganbird has joined #openstack-keystone
01:16 <stevemar> dstanek, thoughts about the notifications for role_assignments?
01:20 *** morganbird has quit IRC
01:21 *** gyee has quit IRC
01:21 <stevemar> ohhh can i get a review of: https://review.openstack.org/#/c/111170/ it's a whopping 3 lines :D
01:32 *** spandhe_ has joined #openstack-keystone
01:51 *** amerine has quit IRC
02:15 *** morganbird has joined #openstack-keystone
02:20 <openstackgerrit> Morgan Fainberg proposed a change to openstack/keystonemiddleware: Add composite authentication support  https://review.openstack.org/108384
02:20 *** morganbird has quit IRC
02:30 *** mitz has joined #openstack-keystone
03:07 <openstackgerrit> Jamie Lennox proposed a change to openstack/python-keystoneclient: Versioned Endpoint hack for Sessions  https://review.openstack.org/90632
03:07 <openstackgerrit> Jamie Lennox proposed a change to openstack/python-keystoneclient: [WIP] Add template hacks to identity plugins  https://review.openstack.org/112752
03:08 <jamielennox> morganfainberg: interesting, i just pushed those two patches behind the one you just approved but it included a rebase to master
03:08 <jamielennox> it seems to have gone ok
03:08 <jamielennox> it's still in the queue
03:09 <openstackgerrit> A change was merged to openstack/identity-api: add name filter on list services  https://review.openstack.org/111818
03:09 <jamielennox> i guess because zuul must do a rebase before trying to put it through the gate?
03:10 <morganfainberg> jamielennox, usually
03:10 <morganfainberg> jamielennox, but git review does magic sometimes
03:11 <jamielennox> morganfainberg: yea, i looked to make sure it was still unapproved before i rebased - then saw it had been approved in the meantime, expected it to be ejected from gate
03:16 *** morganbird has joined #openstack-keystone
03:21 *** morganbird has quit IRC
03:26 <openstackgerrit> A change was merged to openstack/python-keystoneclient: expose the revoke token for V3  https://review.openstack.org/102701
03:32 *** richm has quit IRC
03:48 *** oomichi has quit IRC
04:05 <openstackgerrit> A change was merged to openstack/python-keystoneclient: Isolate get_discovery function  https://review.openstack.org/107569
04:17 *** morganbird has joined #openstack-keystone
04:21 *** morganbird has quit IRC
04:48 *** jaosorior has joined #openstack-keystone
04:48 *** spandhe_ has quit IRC
04:50 <openstackgerrit> Qiu Yu proposed a change to openstack/python-keystoneclient: Ensure using int type for revocation_cache_time  https://review.openstack.org/112756
04:50 *** ncoghlan has joined #openstack-keystone
04:57 *** Muhammad_Efendi has joined #openstack-keystone
05:13 *** Muhamma__ has joined #openstack-keystone
05:16 *** Muhammad_Efendi has quit IRC
05:17 *** morganbird has joined #openstack-keystone
05:22 <openstackgerrit> A change was merged to openstack/keystone: Trust unit tests should target additional threat scenarios  https://review.openstack.org/109120
05:22 *** morganbird has quit IRC
05:23 <openstackgerrit> A change was merged to openstack/python-keystoneclient: Mark the keystoneclient s3_token middleware deprecated  https://review.openstack.org/111847
05:24 *** chandankumar has joined #openstack-keystone
05:24 *** chandankumar_ has joined #openstack-keystone
05:27 *** ukalifon has joined #openstack-keystone
05:27 *** ukalifon has quit IRC
05:32 <stevemar> bump
05:35 *** bknudson has quit IRC
05:39 <openstackgerrit> Jeffrey Zhang proposed a change to openstack/keystone: Redirect stdout and stderr when using subprocess  https://review.openstack.org/51610
05:40 *** ajayaa has joined #openstack-keystone
05:41 *** ukalifon1 has joined #openstack-keystone
05:53 *** ukalifon1 has quit IRC
05:59 *** wanghong has quit IRC
06:02 *** k4n0 has joined #openstack-keystone
06:04 <openstackgerrit> OpenStack Proposal Bot proposed a change to openstack/keystone: Imported Translations from Transifex  https://review.openstack.org/111920
06:05 *** wanghong has joined #openstack-keystone
06:10 *** henrynash has joined #openstack-keystone
06:15 *** henrynash has quit IRC
06:18 *** morganbird has joined #openstack-keystone
06:23 *** morganbird has quit IRC
06:33 *** Muhamma__ has quit IRC
06:39 *** chandankumar_ has quit IRC
06:57 *** tomoiaga has joined #openstack-keystone
06:58 *** bvandenh has joined #openstack-keystone
07:07 *** bvandenh has quit IRC
07:12 <openstackgerrit> A change was merged to openstack/keystone: Update CADF auditing example to show non-payload information  https://review.openstack.org/111657
07:17 *** morganfainberg is now known as morganfainberg_Z
07:19 *** morganbird has joined #openstack-keystone
07:19 *** ncoghlan has quit IRC
07:24 *** morganbird has quit IRC
07:25 <openstackgerrit> Jamie Lennox proposed a change to openstack/keystonemiddleware: Replace httpretty with requests-mock  https://review.openstack.org/112777
07:32 *** henrynash has joined #openstack-keystone
07:33 *** jamielennox is now known as jamielennox|away
07:34 *** morganfainberg_Z is now known as morganfainberg
07:35 *** Dafna has quit IRC
07:37 *** Dafna has joined #openstack-keystone
07:59 *** bvandenh has joined #openstack-keystone
08:03 *** stevemar has quit IRC
08:06 *** henrynash has quit IRC
08:20 *** morganbird has joined #openstack-keystone
08:25 *** morganbird has quit IRC
08:30 <openstackgerrit> Matthieu Huin proposed a change to openstack/keystone: Check for empty string value in REMOTE_USER  https://review.openstack.org/111953
09:04 *** lsmola has joined #openstack-keystone
09:04 <lsmola> does anybody know why Service name is not forced as unique?
09:20 *** morganbird has joined #openstack-keystone
09:25 *** morganbird has quit IRC
09:36 *** amirosh has joined #openstack-keystone
09:48 *** henrynash has joined #openstack-keystone
10:21 *** morganbird has joined #openstack-keystone
10:23 *** bvandenh has quit IRC
10:23 *** rwsu has quit IRC
10:23 *** arunkant has quit IRC
10:25 *** arunkant has joined #openstack-keystone
10:25 *** bvandenh has joined #openstack-keystone
10:26 *** morganbird has quit IRC
10:27 *** rwsu has joined #openstack-keystone
10:36 *** ajayaa has quit IRC
10:42 <openstackgerrit> Abhishek Kekane proposed a change to openstack/keystone: Keystone service throws error on receiving SIGHUP  https://review.openstack.org/107482
10:46 *** henrynash has quit IRC
10:53 *** ajayaa has joined #openstack-keystone
10:54 *** abhishekk has joined #openstack-keystone
11:21 *** henrynash has joined #openstack-keystone
11:22 *** morganbird has joined #openstack-keystone
11:27 *** morganbird has quit IRC
11:31 *** andreaf_ has quit IRC
11:32 *** __afazekas has quit IRC
11:32 *** morganbird has joined #openstack-keystone
11:35 *** ajayaa has quit IRC
11:41 *** diegows has joined #openstack-keystone
11:49 *** andreaf has joined #openstack-keystone
11:52 *** ajayaa has joined #openstack-keystone
12:13 *** ayoung has quit IRC
12:18 *** __afazekas has joined #openstack-keystone
12:19 *** diegows has quit IRC
12:19 <dstanek> jaosorior: you around?
12:20 <jaosorior> yo
12:21 <jaosorior> dstanek, wazzup?
12:21 <dstanek> jaosorior: i was just thinking about your name-based filtering review. do you have a feel for how many service records would be in a large openstack installation?
12:22 <jaosorior> dstanek: You are wondering if a migration script should be written instead of filtering by extra attributes, I guess.
12:23 *** miqui has joined #openstack-keystone
12:24 <dstanek> jaosorior: yeah. i suspect number of records is really low anyway. but i have no idea
12:25 <dstanek> jaosorior: if the table is small then the query optimizer may determine a full table scan is more efficient than and index scan anyway
12:25 <dstanek> s/than and/than an/
12:25 <jaosorior> I don't think theyŕe that many dude, at least not as many as to lose much performance.
12:26 <jaosorior> and not in our deployments at least
12:32 *** bknudson has joined #openstack-keystone
12:32 <jaosorior> *they're
12:35 *** morganbird has quit IRC
12:37 *** bknudson has quit IRC
12:38 *** morganbird has joined #openstack-keystone
12:40 *** david-lyle has joined #openstack-keystone
12:42 *** morganbird has quit IRC
12:44 *** Muhammad_Efendi has joined #openstack-keystone
12:46 *** david-lyle has quit IRC
12:46 *** david-lyle has joined #openstack-keystone
12:47 *** dhellmann_ is now known as dhellmann
12:49 *** Muhamma__ has joined #openstack-keystone
12:50 *** Muhammad_Efendi has quit IRC
12:51 *** david-lyle has quit IRC
12:54 *** bknudson has joined #openstack-keystone
12:56 *** gordc has joined #openstack-keystone
13:07 *** morganbird has joined #openstack-keystone
13:07 *** henrynash has quit IRC
13:09 *** hrybacki has joined #openstack-keystone
13:09 *** henrynash has joined #openstack-keystone
13:10 *** zzzeek has joined #openstack-keystone
13:11 *** henrynash has quit IRC
13:18 *** joesavak has joined #openstack-keystone
13:22 *** richm has joined #openstack-keystone
13:24 *** __afazekas has quit IRC
13:24 *** Muhamma__ has quit IRC
13:41 *** ajayaa has quit IRC
13:46 *** henrynash has joined #openstack-keystone
13:46 *** amirosh has quit IRC
13:47 *** amirosh has joined #openstack-keystone
13:47 *** abhishekk has quit IRC
13:49 *** jorge_munoz has joined #openstack-keystone
13:50 *** russellb is now known as rustlebee
13:51 *** amirosh has quit IRC
13:52 *** jasondotstar has joined #openstack-keystone
13:53 *** ayoung has joined #openstack-keystone
13:53 *** ajayaa has joined #openstack-keystone
13:54 *** jasondotstar has quit IRC
13:54 *** jasondotstar has joined #openstack-keystone
13:57 *** tomoiaga has quit IRC
14:03 *** gabriel-bezerra has joined #openstack-keystone
14:06 *** saipandi has joined #openstack-keystone
14:08 *** ildikov has joined #openstack-keystone
14:15 *** tomoiaga has joined #openstack-keystone
14:18 *** bvandenh has quit IRC
14:20 <ildikov> hi All
14:21 <ildikov> I'm kinda fighting with this bug: https://bugs.launchpad.net/ceilometer/+bug/1350533
14:21 <uvirtbot> Launchpad bug 1350533 in ceilometer "CommandError: Unable to determine the Keystone version to authenticate with using the given auth_url: http://127.0.0.1:35357/v2.0" [High,Confirmed]
14:21 <ildikov> I tried to use ceilometer client in a freshly installed devstack env, and I got the same error message that was reported in the bug report above
14:22 <ildikov> ... the strange thing is that if I change the auth url to use port 5000 instead of 35357, then it works fine
14:23 <ildikov> ... I found the 'Could not find version: v2.0' in Keystone log
14:24 <ildikov> ... what I do not understand is why the port matters in the auth url as it should work with 35357 too according to my knowledge
14:26 <ildikov> ... I would appreciate any hint on this, if it rings a bell for any of you
14:27 <ildikov> ... I also need to drop off soon, but I will read the logs later
14:28 *** saipandi has quit IRC
14:28 *** stevemar has joined #openstack-keystone
14:34 <ayoung> henrynash, so with what you have committed today, can I use LDAP and SQL identity backends together? Service users in SQL, LDAP for humans?
14:35 <henrynash> ayoung: as long as they are in different domains, yes
14:35 *** elmiko has joined #openstack-keystone
14:35 <elmiko> yo
14:35 <ayoung> henrynash, what do I need to do to test that?
14:36 <henrynash> ayoung: thinking
14:36 *** vhoward has joined #openstack-keystone
14:36 <ayoung> elmiko, it was henrynash that wrote the multi-backend stuff. I asked him and I can hear the gears grinding all the way from Jolly Ole England to Boston
14:37 <elmiko> nice
14:37 *** hrybacki has quit IRC
14:38 <ayoung> elmiko, the issue we had to solve was that things need to have a unique identifier, even across all domains. The solution was to hash the User ID/domain combination and stick it into another table
14:38 <ayoung> there are some grandfathered aspects for existing LDAP deployments
14:38 <ayoung> so we don't need to rewrite userids for a working backend...
14:39 *** k4n0 has quit IRC
14:39 <ayoung> at least, in theory
14:39 <elmiko> makes sense
14:39 <henrynash> ayoung: so one way I think would be to have ldap set up in the main conf file
14:39 <elmiko> would you even accept a blueprint for something that would allow refreshing a token in use?
14:39 <elmiko> s/even/ever
14:40 <henrynash> ayoung: and one domain set aside for service users…could be the default, could be a special one - so you create domain specific conf file for that
14:41 <ayoung> elmiko, actually I wrote a spec for one, but now I think it is a mistake and I have a better approach
14:41 <elmiko> ayoung: cool, so it sounds like that idea is at least floating around somewhere
14:42 <ayoung> henrynash, So if I have LDAP as the default domain, but they are stored in SQL, what goes in the domain specific config file?
14:42 <henrynash> ayoung: and specify the sql driver in that domain-specific conf file
14:42 <ayoung> move the LDAP config to it?
14:42 <ayoung> elmiko, no
14:42 <elmiko> :(
14:42 <ayoung> elmiko, tokens are the wrong abstraction for that
14:42 <elmiko> ahh ok
14:42 <ayoung> elmiko, we have other mechanisms that will work for you.
14:43 <elmiko> ayoung: here's another question, is it possible to learn the expiration time of a token given only the token?
14:44 <henrynash> so if you want a specific domain to have the SQL service users in….create a domain specific config file that specifies the sql driver in it
14:44 <elmiko> i'm thinking theoretically, the nodes in our cluster could just gain new tokens from the old ones before they expire
14:44 <ayoung> elmiko, yes.
14:45 <henrynash> ayoung:…have to admit I never tested this way round :-)
14:45 <ayoung> I can work with you on that. The token validation process provides the contents of the token. Assuming you are using a PKI token, you can read all of the data in it.
14:45 <ayoung> henrynash, how did you test it?
14:45 <ayoung> LDAP was in the domain specific config file?
14:46 <henrynash> ayoung: I had multiple separate LDAP domains, with SQL as the default for other domains
14:47 <elmiko> ayoung: we may not be able to control the keystone config, is it possible to gain the PKI token if we had a UUID?
14:47 <ayoung> henrynash, So if I have an LDAP default domain, I move that to a domain specific config file, I can have multiple non-default domains in SQL, just the remote services need to be able to pass domain from Auth-token middleware
14:47 <ayoung> elmiko, authenticating a token against Keystone is a privileged operation
14:47 <ayoung> er validating a token
14:48 <bknudson> ayoung: henrynash: you have +2s on the child reviews of https://review.openstack.org/#/c/109041/ , and that one looks good to me
14:48 <ayoung> which, come to think of it is kind of dumb.
14:48 <ayoung> but validating a token returns information that you would not want to hand out to everyone....
14:49 * ayoung files some notes away on that
14:49 <henrynash> ayoung: yes
14:49 <elmiko> ayoung: ok, but if i start with a token, i can use that token to gain a new one. is that a form of validation, or something else?
14:50 <henrynash> ayoung: if you look in test_backend_ldap.py you'll see the class tests I did to test this
14:50 <ayoung> elmiko, hmmm, good question. I think it could be. When you exchange one token for another, you get back the token data for the new token....this whole thing sucks
14:50 <henrynash> ayoung: MultiLDAPandSQLIdentity
14:51 <elmiko> ayoung: but it might work for our needs. the instances could be seeded with a good token. then they could acquire new ones from that original
14:51 <ayoung> elmiko, that is bad
14:51 <ayoung> let's not go there unless under duress
14:52 <elmiko> ok, why bad?
14:52 <ayoung> focus
14:52 *** Muhammad_Efendi has joined #openstack-keystone
14:52 <elmiko> better to let our controller distribute the tokens?
14:52 <ayoung> we are trying to get to the good solution...the token-for-token approach doesn't get you that
14:52 <elmiko> agreed
14:52 <ayoung> no. better to let the nodes request tokens when they need them
14:52 <ayoung> elmiko, assume a token only lives for 5 minutes
14:52 <henrynash> ayoung: be offline for a while, back on in a bit
14:53 <elmiko> ayoung: good point
14:53 <ayoung> that is where we want to head with this. A token lives for a short lived task.
14:53 <elmiko> right
14:53 <ayoung> trusts are the mechanism for your use case, but they require authentication
14:53 <ayoung> authentication for the trustee, and I think that is the most secure approach
14:54 <ayoung> we have trust re-delegation, so proxy user should be able to redelegate to the nodes for a hadoop job
14:54 <ayoung> that reduces the complexity to the nodes authenticating
14:54 <ayoung> and that is solvable with the multiple domains approach.
14:54 <elmiko> my main concern with the nodes having credentials to acquire tokens as needed is that then our controller needs to store those credentials, which is what we are trying to avoid.
14:55 <ayoung> elmiko, those credentials should be for such a limited user as to be irrelevant
14:55 <openstackgerrit> Steve Martinelli proposed a change to openstack/identity-api: Add OS-FEDERATION section to scoped federation tokens  https://review.openstack.org/111873
14:55 <ayoung> the node users will have no roles on any project
14:55 <ayoung> they exist solely to execute trusts
14:56 <ayoung> then the password gets synced between the node and keystone
14:56 <elmiko> ayoung: they would need to at least have some sort of membership role delegated to gain swift access?
14:56 <ayoung> no
14:56 <ayoung> they are going to use the trust token to gain access to swift
14:56 <elmiko> right, but don't we need a role_names when we create the trust?
14:56 <ayoung> nope
14:56 *** ildikov has quit IRC
14:56 <elmiko> ahh interesting
14:56 <ayoung> the user creates the trust, not the proxy
14:56 *** hrybacki has joined #openstack-keystone
14:57 <elmiko> user = trustor, proxy = trustee, no role needed?
14:57 <mhu> marekd, you got a shibboleth SP config file you could share with me? I am struggling to enable ECP on the Service Provider
14:57 <ayoung> elmiko, what we need is an exchange from the scheduler to the user saying "here are the roles we are going to need. Please submit this trust creation request to let us work on your behalf."
14:57 <marekd> mhu: sure.
14:57 <marekd> mhu: one sec.
14:58 <mhu> marekd, thanks a lot
14:58 <marekd> mhu: you want shibboleth2.xml only?
14:58 <elmiko> ayoung: not sure i'm following
14:58 <mhu> marekd, should be enough
14:58 <marekd> mhu@enovance.com?
14:58 <mhu> marekd, yep
14:59 <mhu> we don't have our redhat addresses yet :)
15:00 <ayoung> elmiko, what system does the user talk to in order to set up the Hadoop job?
15:00 <ayoung> mhu, we got you too? AWESOME!
15:00 <elmiko> ayoung: could be ReST api to sahara, saharaclient, or horizon
15:00 <elmiko> i guess horizon counts as saharaclient
15:00 <ayoung> elmiko, ok, let's start with sahara
15:01 <marekd> ayoung: a long time ago i think :-)
15:01 *** henrynash has quit IRC
15:01 <ayoung> user says "submit hadoop job:"
15:01 <ayoung> response comes back with a bunch of JSON, part of which is "trust_request"
15:02 <ayoung> marekd, so many awesome people from eNovance are now my co-workers. So many more people that know Keystone, I can finally be fired!
15:02 <elmiko> lol
15:02 <marekd> mhu: sent
15:03 <openstackgerrit> Dolph Mathews proposed a change to openstack/keystone: add i18n to lxml error  https://review.openstack.org/112914
15:03 <ayoung> elmiko, any further keystone questions you have should be sent to mhu@redhat.com
15:03 *** chandankumar has quit IRC
15:03 <elmiko> nice
15:03 <mhu> ayoung, lol
15:03 <mhu> marekd, thanks
15:04 <mhu> nice! I was wondering how to configure the SP for a multi-IdP setting, I guess I got this as an extra!
15:04 <openstackgerrit> Dolph Mathews proposed a change to openstack/keystone: swap import order of lxml  https://review.openstack.org/112915
15:04 <marekd> mhu: yeah :-)
15:04 <ayoung> mhu, here is what I am going to try:
15:05 <ayoung> I have a FreeIPA setup in our lab. I'm going to set up a new devstack machine, and then try to link the LDAP from the FreeIPA setup as a second Domain there. let's see what happens
15:10 <elmiko> ayoung: thanks for the help, i think we might have to investigate distributing the proxy user creds to the nodes. i'm not sure it's ideal, but it seems better than a situation where tokens are being updated every five minutes
15:11 <ayoung> elmiko, there are many ways to do it. X509 is probably the best option
15:11 <ayoung> and I have not yet tested that...but soon
15:11 <elmiko> i'm only vaguely familiar with X509 in general
15:12 <ayoung> elmiko, the short of it is that the nodes would generate a private/public keypair, and use the public key to authenticate
15:12 <elmiko> ayoung: that would be ideal
15:12 <ayoung> Working on it
15:13 <elmiko> well, this feature might get pushed until Kilo given the difficulties we are running into
15:13 <ayoung> elmiko, you can do it in Juno.
openstackgerritOpenStack Proposal Bot proposed a change to openstack/keystone: Merge "Update CADF auditing example to show non-payload information"  https://review.openstack.org/11291915:14
ayoungelmiko, I have to do a Camp pickup here in 15 minutes (gumble half day)  and then I'll be back  on line after lunch15:14
mhumarekd, could you check if any other config file mentions ECP in /etc/shibboleth/ ? I feel like I am still missing something15:14
elmikoayoung: ok, we'll talk more later15:14
ayoungmeanwhile, I'm spinning up a VM to try the multi backend approach for identity15:14
ayounglets see what happens15:14
marekdmhu: what are the errors/warns ?15:15
elmikoayoung: ah very cool15:16
marekdmhu: what IdP are you using?15:16
mhumarekd, my very own, so I wouldn't be surprised if things go wrong15:16
*** fish_ has left #openstack-keystone15:17
marekdmhu: mhu you very own which is...?15:17
marekdmhu: what are the errors?15:17
marekdI would try with something that's proven to work - like testshib. However I didn't have any problems with adding extra IdPs.15:17
*** saipandi has joined #openstack-keystone15:17
mhumarekd, it's a shibboleth idp in a lab. From its logs, I think the pb is due to an AttributeConsumingService that is not set, possibly in my SP metadata15:18
marekdmhu: oh, this looks like XML debugging...;/15:19
marekdmhu: well, the Shibboleth IdP should have ECP enabled by default starting from ver 2.415:21
openstackgerritOpenStack Proposal Bot proposed a change to openstack/keystone: Merge "Update CADF auditing example to show non-payload information"  https://review.openstack.org/11292615:21
marekdI guess you have that ver.15:21
*** jorge_munoz has quit IRC15:21
mhumarekd, yes, all I needed to do was add the basic auth on the ECP endpoint15:21
*** ajayaa has quit IRC15:22
mhumarekd, I think the IdP part is working correctly, I've tried it with this payload and it goes well: http://paste.openstack.org/show/92127/15:22
mhubut when I try it with keystoneclient, I get this notification about AttributeConsumingService, and redirected to the IdP login page15:24
marekdmhu: what's exactly in this notification ?15:24
mhumarekd, I'd like to see your SP metadata if possible, I think that might be the key15:24
mhu"AttributeConsumingService candidate list was empty, can not select service"15:25
marekdmhu: you have your keystone on port 443 or 5000 ?15:25
mhu5000, with SSL activated15:25
marekdi dont see  it exposed in the xml you pasted.15:26
marekdhow did you generate your metadata from SP ?15:26
*** ayoung has quit IRC15:26
marekdyou should use URL: host.com:5000/Shibboleth.sso/Metadata15:26
marekd(with port)15:26
mhumarekd, I used shib-metagen and copied it on my IdP15:28
*** henrynash has joined #openstack-keystone15:28
*** david-lyle has joined #openstack-keystone15:29
marekdmhu: https://gist.github.com/zaccone/080c6bd69f13257e50c415:30
marekdmhu: i dont know this script to be honst.15:30
marekdwhat I usually do is use my browser and enter UrL : https://host:5000/Shibboleth.sso/Metadata15:30
marekdand it creates the file for me.15:30
marekdit's important to put the port15:30
marekdand shibboleth will respect that when creating the xml file.15:31
openstackgerritA change was merged to openstack/keystone: Refactor serializer import to XmlBodyMiddleware  https://review.openstack.org/11110815:31
openstackgerritAnne Gentle proposed a change to openstack/identity-api: Removes WADL references from Identity v2.0 API  https://review.openstack.org/11262015:32
mhumarekd, yeah, you can use both to generate metadata. The CLI shib-metagen allows you to configure some additional info in the metadata15:33
marekdmhu: ok15:34
mhumarekd, hmm .... I am definitely missing some AssertionConsumerService definitions in my metadata15:35
mhuand there's one for ECP, so it looks like I got my culprit15:35
mhuthanks again for the help, I should be fine from then on !15:35
marekdmhu: that's a relief the code is not broken (I hope so!) :-)15:36
henrynashayoung: I’ve been thinking about adding some more tests for domain-specific backends…happy to add on that matches a real use case that you have...15:36
stevemarmarekd, mhu not sure if you guys covered this, but i found you need to manually put the port # :5000 in the md:AssertionConsumerService Locations15:36
marekdmhu: anyway, let me know whether you succedded15:36
marekdstevemar: if you generate the metadata and specify the port shib should take care of that...15:37
marekdat least I never had co edit metadata15:37
mhumarekd, stevemar yeah I had to tinker my metadata manually, since at first I had set shib for use on SSL (keystone wasn't installed yet)15:37
stevemarmhu, ah, i wasn't using shib as my idp15:37
mhuso I had to add the ports manually15:37
marekdstevemar: he talks about shib sp.15:37
stevemaroh15:37
mhumarekd, stevemar : correct, shib sp15:38
stevemarthen i guess i just didn't specify the port correctly15:38
stevemarweird15:38
marekdstevemar: there are many ways to achieve the goal :-)15:39
stevemartrue enough15:39
stevemarbknudson, another revision of the control exchange patch coming up15:41
openstackgerritSteve Martinelli proposed a change to openstack/keystone: Add notifications for role assignment created and deleted events  https://review.openstack.org/11220415:41
*** bknudson has left #openstack-keystone15:44
*** comstud is now known as bearhands15:45
openstackgerritA change was merged to openstack/python-keystoneclient: move attributes of v3.client.Client into alphabetical order  https://review.openstack.org/11193915:47
openstackgerritSteve Martinelli proposed a change to openstack/keystone: Update control_exchange value in keystone.conf  https://review.openstack.org/11117015:47
*** elmiko is now known as _elmiko15:52
*** Raildo has joined #openstack-keystone15:53
*** bknudson has joined #openstack-keystone15:54
*** Raildo_ has joined #openstack-keystone15:56
*** amerine has joined #openstack-keystone15:57
*** Raildo has quit IRC15:59
openstackgerrithenry-nash proposed a change to openstack/identity-api: Make API specification match our token format for role list.  https://review.openstack.org/11295916:00
openstackgerrithenry-nash proposed a change to openstack/identity-api: Make API specification match our token format for role list.  https://review.openstack.org/11295916:01
*** gyee has joined #openstack-keystone16:01
openstackgerritMarek Denis proposed a change to openstack/python-keystoneclient: SAML2 federated authentication for ADFS.  https://review.openstack.org/11177116:01
*** marekd is now known as marekd|weekend16:02
henrynashis there somewhere that lists the latest commit message cmds in terms of closes-bug/partial-closes/implements etc….I can never seem to get them right…16:05
morganfainberghenrynash, i always go with related-bug, partial-bug, closes-bug (the last one the only one that *really* acts differently) and "bp: <bp>"16:06
henrynashmorganfainberg: ok..thanks..and is the “:” significant?  e.g. closes_bug vs closes-bug: ?16:07
openstackgerritA change was merged to openstack/keystone: Check for empty string value in REMOTE_USER  https://review.openstack.org/11195316:07
morganfainberghenrynash, i've never tried closes_bug16:07
morganfainbergonly closes-bug16:07
henrynashoops, I meant closes-bug16:07
morganfainbergah, uh, i always use the ':' but dunno16:08
henrynashok, thx!16:08
dstanekhenrynash: i use this as a reference16:08
dstanekhttps://wiki.openstack.org/wiki/GitCommitMessages16:08
morganfainberghm.16:08
morganfainberghttps://review.openstack.org/#/c/110575/5/keystone/common/config.py i think we need a default cache time for this.16:08
morganfainbergnot "indefinite" but... i might be wrong16:08
henrynashdstanek: thx…yes, have used that…thx16:09
dstanekanyone know why these methods weren't implemented for LDAP? https://review.openstack.org/#/c/102244/5/keystone/assignment/backends/ldap.py16:11
*** david-lyle has quit IRC16:19
*** david-lyle has joined #openstack-keystone16:19
openstackgerrithenry-nash proposed a change to openstack/keystone: Ensure roles created by unit tests have correct attributes.  https://review.openstack.org/11296516:19
*** henrynash has quit IRC16:22
*** david-lyle has quit IRC16:23
morganfainbergdstanek, because ldap assignment has been kind of a hack/languishing compared to sql assignment?16:24
morganfainbergdstanek, also might have been related to some of the domain-specific logic that doesn't work with ldap assignment (initially)16:24
openstackgerritA change was merged to openstack/python-keystoneclient: Mark auth plugin options as secret  https://review.openstack.org/11246216:25
dstanekmorganfainberg: ok, so there's no reason to hold up that patch once they fix it up?16:34
morganfainbergdstanek, none that *i* can think of16:34
dstanekmorganfainberg: what sucks about the patch is that it has to do lots of queries like get_role(id) instead of get_roles([ids])16:35
morganfainbergdstanek, i'd 2x check with ayoung maybe nkinder_away in case i'm missing something16:35
morganfainbergdstanek, that might have been part of it as well16:35
morganfainbergdstanek, the ldap assignment isn't exactly *efficient*16:35
nkinder_awaydstanek, morganfainberg: I think the general assumption was that using LDAP for assignment isn't common (and doesn't offer much/any benefit over SQL).16:39
nkinder_awayThis has caused it to be ignored for some things that were implemented to the identity LDAP driver.16:40
nkinder_awayIt certainly has room for improvement, but it's unclear how important it is.16:40
dstaneknkinder_away: that makes sense; looks like there is at least one interested party16:41
*** hrybacki has quit IRC16:42
morganfainbergnkinder_away, thanks!16:44
*** spandhe has joined #openstack-keystone16:45
*** marcoemorais has joined #openstack-keystone16:48
*** diegows has joined #openstack-keystone16:52
*** bknudson has quit IRC17:03
stevemargate has been super flaky lately17:06
*** zzzeek has quit IRC17:09
*** dvorak has quit IRC17:09
*** zzzeek has joined #openstack-keystone17:09
*** traz__ has quit IRC17:10
*** dvorak has joined #openstack-keystone17:13
*** _elmiko is now known as elmiko17:14
*** tomoiaga has quit IRC17:20
*** henrynash has joined #openstack-keystone17:20
*** Raildo_ has quit IRC17:22
*** jaosorior has quit IRC17:22
openstackgerritA change was merged to openstack/identity-api: Add OS-FEDERATION section to scoped federation tokens  https://review.openstack.org/11187317:22
*** cray\ejp has joined #openstack-keystone17:26
*** david-lyle has joined #openstack-keystone17:28
*** marcoemorais has quit IRC17:31
*** marcoemorais has joined #openstack-keystone17:31
openstackgerrithenry-nash proposed a change to openstack/identity-api: Make API specification match our token format.  https://review.openstack.org/11295917:38
dstaneklooks like we're on a +A roll today17:39
*** saipandi has quit IRC17:40
henrynashmorganfainberg: fyi, the “:” is significant in commit comments….17:40
openstackgerrithenry-nash proposed a change to openstack/identity-api: Make API specification match our token format.  https://review.openstack.org/11295917:50
*** saipandi has joined #openstack-keystone17:53
*** hrybacki has joined #openstack-keystone17:53
*** Muhammad_Efendi has quit IRC17:53
*** ayoung has joined #openstack-keystone17:54
*** amirosh has joined #openstack-keystone17:56
openstackgerritA change was merged to openstack/keystone: Delete intersphinx mappings  https://review.openstack.org/11248518:01
morganbirdHey all, is there documentation somewhere with examples of adding a saml idp to keystone? The one example I've found doesn't seem to match what's in the v3 identity APIs.18:02
*** Muhammad_Efendi has joined #openstack-keystone18:03
*** Muhammad_Efendi has quit IRC18:08
marekd|weekendmorganbird: what about https://github.com/openstack/identity-api/blob/master/v3/src/markdown/identity-api-v3-os-federation-ext.md#identity-provider-api ?18:09
morganbirdWhere would I put the cert from the idp in that case?18:11
marekd|weekendyou need to conigure mod_shib18:12
marekd|weekendconfigure18:12
morganbirdOkay, gotcha. The docs were a little vague on that and shib is complicated. Thanks.18:13
marekd|weekendi suggest reading: http://docs.openstack.org/developer/keystone/extensions/federation.html and http://docs.openstack.org/developer/keystone/configure_federation.html18:14
*** browne has joined #openstack-keystone18:14
marekd|weekendshib is not the easiest, but not super complicated, unless you want to do something really non standard18:14
morganbirdYeah, those are what I've been working from.18:15
marekd|weekendmorganbird: allrigthy.18:15
marekd|weekendgood luck then.18:15
*** jasondotstar has quit IRC18:15
dstanekstevemar: wha? http://logs.openstack.org/70/111170/5/check/gate-keystone-python26/1153c20/console.html  i don't think the gate is very happy with you18:15
stevemardstanek, seems that way18:16
morganbirdOh, fyi, the links under "Add Identity Provider(s), Mapping(s), and Protocol(s)" are all broken.18:16
morganbirdOn the configure federation doc.18:16
openstackgerritA change was merged to openstack/keystonemiddleware: Use oslosphinx in keystonemiddlware for documentation  https://review.openstack.org/11190918:17
stevemardstanek, rpm: command not found18:17
stevemarinteresting18:17
dstanekmorganbird: this is our version of where's waldo18:17
stevemarjeez, abt time that one merged, it only took 4 rechecks18:17
stevemarlots of pip related errors lately, either sporadic timeout, or rax mirror failed18:18
*** amirosh has quit IRC18:18
stevemarmorganbird, whaaa18:18
*** henrynash_ has joined #openstack-keystone18:19
stevemarmorganfainberg, sigh, this is why we don't link to github18:19
*** andreaf has quit IRC18:20
*** henrynash has quit IRC18:20
*** henrynash_ is now known as henrynash18:20
*** morganbird has quit IRC18:23
*** morganbird has joined #openstack-keystone18:23
*** browne has quit IRC18:24
*** jaosorior has joined #openstack-keystone18:26
*** jsavak has joined #openstack-keystone18:30
*** miqui has quit IRC18:32
*** joesavak has quit IRC18:33
*** stevemar has quit IRC18:43
*** stevemar has joined #openstack-keystone18:44
*** jorge_munoz has joined #openstack-keystone18:49
jorge_munoz Hi all, how are endpoint in version 3 of keystone associated to a user’s project? What links them together?18:49
openstackgerritSteve Martinelli proposed a change to openstack/keystone: Add notifications for role assignment created and deleted events  https://review.openstack.org/11220418:52
openstackgerritSteve Martinelli proposed a change to openstack/keystone: Add an OS-FEDERATION section to scoped federation tokens  https://review.openstack.org/11107018:58
*** huats has quit IRC18:59
*** henrynash_ has joined #openstack-keystone19:01
*** henrynash has quit IRC19:01
*** henrynash_ is now known as henrynash19:01
*** david-lyle has quit IRC19:06
*** david-lyle has joined #openstack-keystone19:06
*** amirosh has joined #openstack-keystone19:07
*** jdennis has quit IRC19:07
*** jorge_munoz has quit IRC19:11
*** morganbird has quit IRC19:19
*** gabriel-bezerra has quit IRC19:21
*** gabriel-bezerra has joined #openstack-keystone19:22
*** jorge_munoz has joined #openstack-keystone19:27
*** gabriel-bezerra has quit IRC19:27
*** gabriel-bezerra has joined #openstack-keystone19:29
*** jdennis has joined #openstack-keystone19:31
*** ukalifon has joined #openstack-keystone19:35
*** ukalifon has quit IRC19:36
*** jorge_munoz has quit IRC19:36
*** jorge_munoz has joined #openstack-keystone19:41
*** morganfainberg has quit IRC19:43
*** morganfainberg has joined #openstack-keystone19:43
*** dickson.freenode.net sets mode: +o morganfainberg19:43
*** miqui has joined #openstack-keystone19:46
*** amirosh has quit IRC19:46
*** amirosh has joined #openstack-keystone19:47
*** amirosh has quit IRC19:51
*** ukalifon has joined #openstack-keystone19:56
*** spandhe has quit IRC19:59
*** hrybacki has quit IRC20:03
stevemartwo merges in a row!20:05
*** saipandi has quit IRC20:09
*** hrybacki has joined #openstack-keystone20:14
*** openstackgerrit has quit IRC20:20
jorge_munoz:qa20:21
*** cray\ejp has left #openstack-keystone20:31
dstanekstevemar: now you've done it...don't anger the gate20:31
stevemardstanek, sorry sorry!20:32
dstanekdolphm: Alan didn't like https://review.openstack.org/#/c/111519/20:32
*** ukalifon has quit IRC20:38
henrynashstevemar: if you’ve got the gate in a good mood….let’s sneak this tiddler in: https://review.openstack.org/#/c/112965/120:38
*** david-lyle has quit IRC20:38
stevemarhenrynash, now i'm scared, i don't know what a tiddler is, or how the gate's going to like it :)20:39
stevemardone :)20:39
henrynashstevemar: be brave, mon veux, be brace20:39
henrynash(brave, even)20:39
henrynashstevemar: http://www.oxforddictionaries.com/definition/english/tiddler20:41
dstanekwhat in the world is this: https://review.openstack.org/#/c/112926/20:43
dstanekand this https://review.openstack.org/#/c/112919/20:44
henrynashdstanek: well at least jenkins didn’t fail it :-)20:44
henrynashdstanek: i saw this - I have no idea20:44
dstanekhenrynash: i think the infra tools are just biased toward the other infra tools20:44
stevemardstanek, i have no idea20:45
henrynashdstanek: ahh, infratoolswars20:45
stevemarhenrynash, ahh a small fish20:46
stevemaror a small person20:46
stevemaranything small20:46
henrynashstevemar: yes, no slight on your manhood intended…20:46
stevemarhenrynash, lol20:47
stevemarhenrynash, dstanek not quite a tiddler, but it was already +2'ed, just needed a rebase: https://review.openstack.org/#/c/111070/20:47
stevemarand since you both have already reviewed this one... i'd appreciate another go at: https://review.openstack.org/#/c/112204/20:47
*** hrybacki has quit IRC20:49
dstanekstevemar: you need to get your pep8s in order20:53
henrynashstevemar: that’s the trouble with non-tiddlers….20:54
henrynashwilll be back on later20:54
*** stevemar has quit IRC20:55
*** saipandi has joined #openstack-keystone21:01
*** jorge_munoz has left #openstack-keystone21:03
*** gordc has quit IRC21:07
*** saipandi has quit IRC21:08
ayoungthis is how you get a certificate with certmonger.  sudo ipa-getcert request -d /etc/httpd/alias -n Server-Cert -K HTTP/keystone.younglogic.net@YOUNGLOGIC.NET -N 'CN=keystone.younglogic.net,O=YOUNGLOGIC.NET'21:30
elmikoayoung: hey, i kinda lost track of the time. could we catch up on monday?21:37
*** gabriel-bezerra has quit IRC21:37
ayoungelmiko, yes.  I was sucked into a bug hunt21:37
elmikoayoung: no worries :)21:37
ayoungthe devstack setup just finished21:37
elmikolol wow21:37
ayoungnah, I had not kicked it off until recently21:38
elmikoahh ok21:38
ayoungI got the vm started, then had to shift gears...21:38
elmikotocha21:38
elmikogotcha even...21:38
ayoungelmiko, so the next step is to figure out how to add an LDAP config on top of it, but I think henrynash is doing family stuff at the moment21:38
ayoungmeans I have to think for myself21:38
ayoungdammit21:39
elmikosounds dangerous ;)21:39
ayoungBe thankful I'm not on your hardware21:39
elmikolol21:39
*** gabriel-bezerra has joined #openstack-keystone21:39
ayoungelmiko, you have a public key you can send me, I'll get you into the VM where I set up devstack21:40
elmikosure, email ok?21:40
*** jsavak has quit IRC21:41
ayoungelmiko, works fine, or PM21:41
*** spandhe_ has joined #openstack-keystone21:42
elmikoayoung: mail sent21:42
elmikoi'm remote, will i need to use the vpn to access the machine?21:42
*** marzif_ has joined #openstack-keystone21:43
*** david-lyle has joined #openstack-keystone21:48
*** miqui has quit IRC21:48
elmikoayoung: gotta run, i might be back later. if not, have a good weekend :)21:52
*** elmiko is now known as _elmiko21:52
*** Raildo_ has joined #openstack-keystone21:53
*** spandhe_ has quit IRC21:57
*** spandhe_ has joined #openstack-keystone21:58
*** Raildo has joined #openstack-keystone22:01
*** spandhe_ has quit IRC22:03
*** spandhe_ has joined #openstack-keystone22:03
*** Raildo_ has quit IRC22:04
*** spandhe_ has joined #openstack-keystone22:05
*** spandhe_ has quit IRC22:09
*** henrynash has quit IRC22:11
*** spandhe_ has joined #openstack-keystone22:11
*** Raildo has quit IRC22:11
*** stevemar has joined #openstack-keystone22:25
stevemardstanek, apparently when i'm offline everything gets merged22:26
dstanekstevemar: that may be the universe trying to tell you to go grab a beer22:29
stevemardstanek, and a burger22:30
*** david-lyle has quit IRC22:37
*** david-lyle has joined #openstack-keystone22:37
*** david-lyle has quit IRC22:37
*** david-lyle has joined #openstack-keystone22:38
*** openstackgerrit has joined #openstack-keystone22:38
*** spandhe_ has quit IRC22:39
*** david-lyle has quit IRC22:42
*** gabriel-bezerra has quit IRC22:59
*** gabriel-bezerra has joined #openstack-keystone23:03
*** stevemar has quit IRC23:40
*** jaosorior has quit IRC23:42
*** richm has left #openstack-keystone23:58