Monday, 2015-04-13

*** lhcheng has quit IRC		00:03
*** jamielennox\|away is now known as jamielennox		00:06
*** gabriel-bezerra has joined #openstack-keystone		00:14
*** lhcheng has joined #openstack-keystone		00:16
*** ChanServ sets mode: +v lhcheng		00:16
*** sdake has joined #openstack-keystone		00:30
*** sdake_ has quit IRC		00:34
*** sdake_ has joined #openstack-keystone		00:46
*** sdake has quit IRC		00:49
*** sdake has joined #openstack-keystone		00:52
*** sdake_ has quit IRC		00:56
bknudson	jamielennox: y, that is weird that all it cares about is that there's a cookie and not that the cookie is valid...	01:10
bknudson	since there could be a cookie for some other reason.	01:10
jamielennox	bknudson: right, we don't set any of our own currently but there's a bunch of reasons one might be added	01:12
jamielennox	but your review still improves on what's there so +2	01:12
*** dimsum_ has quit IRC		01:19
openstackgerrit	Jamie Lennox proposed openstack/keystone: Move endpoint_policy migrations into keystone core https://review.openstack.org/171916	01:22
*** iurygregory has quit IRC		01:26
*** ericksonsantos has quit IRC		01:26
*** dimsum_ has joined #openstack-keystone		01:28
*** ericksonsantos has joined #openstack-keystone		01:29
*** iurygregory has joined #openstack-keystone		01:30
*** dimsum_ has quit IRC		01:35
jamielennox	morganfainberg: have you had any luck with keystoneauth package - if you're busy i'll do it, i know what needs to come out	01:50
*** erkules_ has quit IRC		01:53
*** Ephur has joined #openstack-keystone		01:55
*** sdake_ has joined #openstack-keystone		02:11
*** sdake has quit IRC		02:14
*** dimsum_ has joined #openstack-keystone		02:35
*** dimsum_ has quit IRC		02:41
openstackgerrit	Jamie Lennox proposed openstack/python-keystoneclient: Add Proxy plugins https://review.openstack.org/137864	02:49
openstackgerrit	Jamie Lennox proposed openstack/keystone: Don't autodoc the test suite https://review.openstack.org/172778	03:01
*** sdake_ has quit IRC		03:25
*** erkules_ has joined #openstack-keystone		03:49
openstackgerrit	Merged openstack/keystone: Removes discover from test-reqs https://review.openstack.org/171542	03:53
*** Ephur has quit IRC		03:59
openstackgerrit	Jamie Lennox proposed openstack/keystone: Move endpoint_policy migrations into keystone core https://review.openstack.org/171916	04:14
openstackgerrit	Jamie Lennox proposed openstack/keystone: Move endpoint policy into keystone core https://review.openstack.org/171448	04:14
openstackgerrit	Jamie Lennox proposed openstack/keystone: Don't autodoc the test suite https://review.openstack.org/172778	04:14
openstackgerrit	Jamie Lennox proposed openstack/keystone: Don't provide backends from __all__ in persistence https://review.openstack.org/172783	04:14
*** rm_work\|away is now known as rm_work		04:17
*** ishant has joined #openstack-keystone		04:53
*** rushiagr_away is now known as rushiagr		05:04
*** rushiagr is now known as rushiagr_away		05:34
*** topol has quit IRC		05:48
*** tobberydberg has joined #openstack-keystone		05:49
*** ajayaa has joined #openstack-keystone		05:49
*** rushiagr_away is now known as rushiagr		06:03
openstackgerrit	OpenStack Proposal Bot proposed openstack/keystone: Imported Translations from Transifex https://review.openstack.org/172624	06:03
*** afazekas has joined #openstack-keystone		06:08
*** rwsu has joined #openstack-keystone		06:34
*** jaosorior has joined #openstack-keystone		07:02
*** amakarov_away has quit IRC		07:06
*** tsufiev has quit IRC		07:06
*** amakarov_away has joined #openstack-keystone		07:06
*** tsufiev has joined #openstack-keystone		07:07
*** jamielennox is now known as jamielennox\|away		07:11
*** ihrachyshka has joined #openstack-keystone		07:22
*** tobberyd_ has joined #openstack-keystone		07:22
*** jistr has joined #openstack-keystone		07:24
*** tobberydberg has quit IRC		07:25
*** chlong has quit IRC		07:25
*** ihrachyshka has quit IRC		07:28
*** fhubik has joined #openstack-keystone		07:40
*** tobberydberg has joined #openstack-keystone		07:47
*** bdossant has joined #openstack-keystone		07:48
*** krykowski has joined #openstack-keystone		07:49
*** tobberyd_ has quit IRC		07:51
*** lhcheng has quit IRC		08:16
*** lsmola_ has joined #openstack-keystone		08:16
*** fhubik is now known as fhubik_afk		08:16
*** fhubik_afk is now known as fhubik		08:19
*** fhubik is now known as fhubik_afk		08:28
*** fhubik_afk is now known as fhubik		08:42
*** jamielennox\|away is now known as jamielennox		09:02
*** pnavarro has joined #openstack-keystone		09:23
*** aix has joined #openstack-keystone		09:23
*** fhubik is now known as fhubik_afk		09:46
*** fhubik_afk is now known as fhubik		09:48
*** markvoelker has joined #openstack-keystone		09:59
*** sdake has joined #openstack-keystone		10:09
*** markvoelker has quit IRC		10:16
*** markvoelker has joined #openstack-keystone		10:18
*** fhubik has quit IRC		10:19
*** fhubik has joined #openstack-keystone		10:20
*** fhubik_afk has joined #openstack-keystone		10:27
*** fhubik_afk has quit IRC		10:27
*** fhubik_afk has joined #openstack-keystone		10:27
*** fhubik_afk is now known as fhubik_		10:27
*** sdake_ has joined #openstack-keystone		10:28
*** fhubik has quit IRC		10:28
*** markvoelker has quit IRC		10:29
*** sdake has quit IRC		10:31
*** fhubik_ is now known as fhubik		10:38
*** dimsum_ has joined #openstack-keystone		10:39
*** aix has quit IRC		10:45
*** sdake_ has quit IRC		10:53
*** amakarov_away is now known as amakarov		11:01
*** ishant has quit IRC		11:01
*** ajayaa has quit IRC		11:11
openstackgerrit	Rodrigo Duarte proposed openstack/keystone: Fix signed_saml2_assertion.xml tests fixture https://review.openstack.org/172535	11:15
openstackgerrit	Rodrigo Duarte proposed openstack/keystone: Add openstack_project_domain to assertion https://review.openstack.org/172536	11:15
openstackgerrit	Rodrigo Duarte proposed openstack/keystone: Refactor _create_attribute_statement IdP method https://review.openstack.org/172647	11:15
openstackgerrit	Rodrigo Duarte proposed openstack/keystone: Add openstack_user_domain to assertion https://review.openstack.org/172562	11:15
*** fhubik is now known as fhubik_afk		11:25
*** ajayaa has joined #openstack-keystone		11:25
*** erkules has joined #openstack-keystone		11:37
*** erkules_ has quit IRC		11:38
*** samueldmq has joined #openstack-keystone		11:39
samueldmq	morning	11:44
*** samueldmq has quit IRC		11:44
*** samueldmq has joined #openstack-keystone		11:45
*** ajayaa has quit IRC		11:49
*** rushiagr is now known as rushiagr_away		11:52
*** dimsum_ has quit IRC		11:52
*** fhubik_afk is now known as fhubik		11:57
*** sdake has joined #openstack-keystone		12:00
*** sdake_ has joined #openstack-keystone		12:01
*** sdake has quit IRC		12:04
*** jamielennox is now known as jamielennox\|away		12:12
*** EmilienM\|afk is now known as EmilienM		12:19
*** sdake_ has quit IRC		12:25
*** sdake has joined #openstack-keystone		12:25
*** henrynash has joined #openstack-keystone		12:26
*** ChanServ sets mode: +v henrynash		12:26
*** rushiagr_away is now known as rushiagr		12:27
*** sdake_ has joined #openstack-keystone		12:27
*** samueldmq_ has joined #openstack-keystone		12:29
*** sdake has quit IRC		12:31
*** Ephur has joined #openstack-keystone		12:33
*** fhubik is now known as fhubik_afk		12:35
*** davechen has joined #openstack-keystone		12:37
*** Ephur has quit IRC		12:37
openstackgerrit	Rodrigo Duarte proposed openstack/python-keystoneclient: Add Keystone2KeystoneAuthPlugin for K2K federation https://review.openstack.org/172155	12:38
*** Ephur has joined #openstack-keystone		12:39
*** fhubik_afk is now known as fhubik		12:43
*** rdo has quit IRC		12:45
*** rdo has joined #openstack-keystone		12:46
*** bknudson has quit IRC		12:51
*** gordc has joined #openstack-keystone		12:51
*** markvoelker has joined #openstack-keystone		12:52
*** dimsum_ has joined #openstack-keystone		12:53
*** ajayaa has joined #openstack-keystone		12:53
*** markvoelker_ has joined #openstack-keystone		12:54
*** raildo has joined #openstack-keystone		12:57
*** markvoelker has quit IRC		12:58
*** dimsum_ has quit IRC		12:58
*** openstackgerrit has quit IRC		13:00
*** adrian_otto has joined #openstack-keystone		13:01
*** henrynash has quit IRC		13:02
*** openstackgerrit has joined #openstack-keystone		13:03
*** krtaylor has quit IRC		13:03
*** kiran-r has joined #openstack-keystone		13:04
*** richm has joined #openstack-keystone		13:09
kiran-r	Hello! What is the project_domains and user_domain all about?	13:09
*** bknudson has joined #openstack-keystone		13:14
*** ChanServ sets mode: +v bknudson		13:14
*** ayoung has joined #openstack-keystone		13:15
*** ChanServ sets mode: +v ayoung		13:15
samueldmq	kiran-r, hi, where are you finding these?	13:16
*** ozialien has joined #openstack-keystone		13:16
kiran-r	https://github.com/stackforge/rally/blob/a4532557cdd5b085cc2fceab8399c7898af70ed4/rally/benchmark/context/users.py#L41-L46 https://github.com/stackforge/rally/blob/cd62844e46136b2470cb7c0b5a0a082518f49702/etc/rally/rally.conf.sample#L538-L542	13:18
samueldmq	kiran-r, from what I can see, this is how rally calls the project domain, and the user domain, respectively	13:19
samueldmq	kiran-r, if you want to know what is a domain, here is the right place	13:19
samueldmq	kiran-r, if you want to know more about rally, try #openstack-rally	13:20
samueldmq	kiran-r, k, so you want to know what a domain is, right?	13:22
samueldmq	kiran-r, domain is a container for users and projects, so users and projects are in a domain (only one)	13:23
samueldmq	kiran-r, project_domains is where they are putting the project domain (similar to users)	13:23
*** aix has joined #openstack-keystone		13:24
*** henrynash has joined #openstack-keystone		13:29
*** ChanServ sets mode: +v henrynash		13:29
*** bdossant has quit IRC		13:30
samueldmq	henrynash, hi	13:32
*** samueldmq_ has quit IRC		13:32
henrynash	hi	13:32
samueldmq	henrynash, I replied your comment at 'Exposes bug on role assignments creation'	13:33
henrynash	ok, let me check….what’s teh link?	13:33
samueldmq	henrynash, https://review.openstack.org/#/c/171596/	13:33
samueldmq	henrynash, thanks a lot :)	13:35
henrynash	samueldmq: sorry. must haev been having a caffine shortage at the time…	13:35
samueldmq	henrynash, haha np	13:36
*** ajayaa has quit IRC		13:38
*** adrian_otto has quit IRC		13:39
openstackgerrit	Brant Knudson proposed openstack/keystone: Update sample config file https://review.openstack.org/171860	13:42
openstackgerrit	Brant Knudson proposed openstack/keystone: Use short names for drivers https://review.openstack.org/166622	13:42
openstackgerrit	rajiv proposed openstack/python-keystoneclient: Now keystone enables listing of user by name https://review.openstack.org/167543	13:42
openstackgerrit	Brant Knudson proposed openstack/keystone: Update sample config file https://review.openstack.org/171860	13:42
*** rushiagr is now known as rushiagr_away		13:42
openstackgerrit	rajiv proposed openstack/python-keystoneclient: Now keystone enables listing of user by name https://review.openstack.org/167543	13:44
*** henrynash has quit IRC		13:44
*** rushiagr_away is now known as rushiagr		13:45
*** markvoelker_ has quit IRC		13:46
*** ajayaa has joined #openstack-keystone		13:50
*** sdake has joined #openstack-keystone		13:59
openstackgerrit	Rodrigo Duarte proposed openstack/keystone-specs: Add parent_id to GET /projects https://review.openstack.org/166326	13:59
openstackgerrit	Rodrigo Duarte proposed openstack/keystone-specs: API changes for Reseller https://review.openstack.org/153007	13:59
openstackgerrit	Rodrigo Duarte proposed openstack/keystone-specs: Recursive deletion and project disabling https://review.openstack.org/148730	13:59
*** fhubik is now known as fhubik_afk		13:59
*** sdake_ has quit IRC		14:02
*** topol has joined #openstack-keystone		14:03
*** ChanServ sets mode: +v topol		14:03
*** nkinder has joined #openstack-keystone		14:04
openstackgerrit	Dave Chen proposed openstack/keystone: Let 'region' field be effective both in the testcase and API https://review.openstack.org/167534	14:09
*** dimsum_ has joined #openstack-keystone		14:10
openstackgerrit	Rodrigo Duarte proposed openstack/python-keystoneclient: Add Keystone2KeystoneAuthPlugin for K2K federation https://review.openstack.org/172155	14:11
*** rushiagr is now known as rushiagr_away		14:12
*** tellesnobrega has quit IRC		14:17
*** carlosmarin has joined #openstack-keystone		14:17
*** sdake_ has joined #openstack-keystone		14:18
*** tellesnobrega has joined #openstack-keystone		14:19
*** mattfarina has joined #openstack-keystone		14:19
*** krtaylor has joined #openstack-keystone		14:20
*** fhubik_afk is now known as fhubik		14:20
*** sdake has quit IRC		14:21
*** henrynash has joined #openstack-keystone		14:22
*** ChanServ sets mode: +v henrynash		14:22
*** jistr is now known as jistr\|mtg		14:29
*** davechen has left #openstack-keystone		14:30
*** rushiagr_away is now known as rushiagr		14:35
*** dimsum_ is now known as dims		14:39
*** mattamizer has joined #openstack-keystone		14:43
*** markvoelker has joined #openstack-keystone		14:47
*** sdake has joined #openstack-keystone		14:47
*** markvoelker_ has joined #openstack-keystone		14:48
raildo	henrynash, ping, Did you saw my comment here? https://review.openstack.org/#/c/158398/17/keystone/resource/controllers.py What do you think?	14:48
henrynash	looking	14:48
*** sdake_ has quit IRC		14:50
*** markvoelker has quit IRC		14:52
*** markvoelker has joined #openstack-keystone		14:52
*** markvoelker_ has quit IRC		14:52
*** fhubik has quit IRC		14:54
*** rwsu has quit IRC		14:54
*** rwsu has joined #openstack-keystone		14:54
*** fhubik has joined #openstack-keystone		14:55
*** fhubik_afk has joined #openstack-keystone		14:55
*** markvoelker has quit IRC		14:58
*** kiran-r has quit IRC		14:58
openstackgerrit	Henrique Truta proposed openstack/keystone: Remove domain table references https://review.openstack.org/165936	14:58
*** stevemar has joined #openstack-keystone		15:07
*** ChanServ sets mode: +v stevemar		15:07
*** jistr\|mtg is now known as jistr		15:07
*** sdake_ has joined #openstack-keystone		15:07
*** zzzeek has joined #openstack-keystone		15:08
*** trey has quit IRC		15:11
*** sdake has quit IRC		15:13
*** trey has joined #openstack-keystone		15:16
*** afazekas has quit IRC		15:18
*** pnavarro has quit IRC		15:20
*** stevemar has quit IRC		15:30
*** stevemar has joined #openstack-keystone		15:30
*** ChanServ sets mode: +v stevemar		15:30
*** gyee has joined #openstack-keystone		15:41
*** ChanServ sets mode: +v gyee		15:41
*** jistr has quit IRC		15:45
*** rushil has joined #openstack-keystone		15:46
*** mattamizer has quit IRC		15:46
rushil	Hey. I'm seeing this keystone error when trying to update from stable/juno to RC1 when I do a cinder list or nova list -> ERROR: An unexpected error prevented the server from fulfilling your request: Can't load plugin: sqlalchemy.dialects:mysql (Disable debug mode to suppress these details.) (HTTP 500)> Any ideas how to fix this?	15:47
*** _cjones_ has joined #openstack-keystone		15:47
openstackgerrit	hongxiaolong proposed openstack/keystone: Allowed owners to delete token with v2 API https://review.openstack.org/172968	15:50
*** rushil has quit IRC		15:51
*** markvoelker_ has joined #openstack-keystone		15:53
*** henrynash has quit IRC		15:53
openstackgerrit	Raildo Mascena de Sousa Filho proposed openstack/keystone: Bye Bye Domain Table https://review.openstack.org/161854	15:54
ayoung	rushiagr, that looks like a sql alchemy packaging problem.	15:56
ayoung	rushiagr, how did you deploy?	15:56
rushiagr	ayoung: er.. that's not me :)	15:56
ayoung	sorry...nicknamed matched to the 5th character. Can't be expected to type names that long	15:57
ayoung	and he quit	15:57
*** markvoelker_ has quit IRC		15:59
*** stevemar has quit IRC		16:03
*** stevemar has joined #openstack-keystone		16:04
*** ChanServ sets mode: +v stevemar		16:04
*** alexsyip has joined #openstack-keystone		16:04
*** fhubik_afk has quit IRC		16:06
*** tobberydberg has quit IRC		16:09
*** afazekas has joined #openstack-keystone		16:10
ccard	I'm trying to understand setting up keystone to use SSL. I can see all the options in the [ssl] and [signing] sections of keystone.conf. I understand that a key is needed for signing and a certificate is needed for validating the signature, but I'm not clear on the role of the ca key. Any pointers?	16:12
bknudson	[signing] is for PKI tokens, not SSL.	16:13
ccard	bknudson: yes, but I can sign without a ca key surely?	16:14
bknudson	keystone-manage can be used to generate some test certs, in which case it needs ca key. it's not used on normal running.	16:14
bknudson	you could ask your ca for their private key and see what they say.	16:14
bknudson	if they hand it to you it's probably time for a new ca.	16:14
ayoung	ccard, run Keystone in HTTPD, not eventlet	16:15
ccard	bknudson: so if I have my own CA to sign certs, and provide a key and certificate (signed by my ca) and a ca cert, can I leave ca_key undef?	16:15
ayoung	"The rest is commentary. Go and study"	16:15
ccard	ayoung: I'm trying to follow the OpenStack Security Guide recommendations.	16:16
bknudson	ccard: y, and as ayoung said you're better off running keystone under apache, in which case apache handles the connections	16:16
bknudson	if the security guide doesn't say to run keystone under apache then it's wrong.	16:17
ccard	bknudson: it's one of the options	16:17
*** kiran has joined #openstack-keystone		16:17
ccard	http://docs.openstack.org/security-guide/content/tls-proxies-and-http-services.html	16:18
bknudson	for keystone you don't need httpd as a proxy, you can run keystone right in httpd	16:18
ayoung	ccard, "Keystone should be run in HTTPD, Princess. Anyone who says differently is selling something" --The Dread Admin Roberts.	16:19
*** tqtran has joined #openstack-keystone		16:19
*** ayoung is now known as dreadadminrobert		16:19
stevemar	hehe	16:19
*** dreadadminrobert is now known as ayoung		16:19
ccard	ayoung: Inconceivable	16:19
bknudson	we need that in the deprecation message.	16:19
ayoung	actually, anyone who says differently has not updated their Puppet scripts...	16:20
ccard	ayoung: we're using quickstack puppet manifests to set up OpenStack	16:20
ayoung	ccard, which inherit from upstream puppet modules, I assume?	16:21
*** ozialien has quit IRC		16:22
ccard	ayoung: yes, the keystone module from stackforge	16:23
*** kiran is now known as kiran-r		16:24
ayoung	can you just fix that for me? That would be great....	16:24
* ayoung shakes his head		16:24
ayoung	ccard, I see that rushiagr has updated the HTTPD portion of it, so there must be some support	16:25
ayoung	let me guess, though, that quickstack is coded to set up eventlet	16:25
*** lsmola_ has quit IRC		16:25
ccard	ayoung: what should I look for in the Apache configuration?	16:26
*** vhoward has left #openstack-keystone		16:26
ayoung	ccard, presense, first of all	16:26
ayoung	if there is no apache config, it can't run in apache	16:26
ayoung	ah.	16:27
ayoung	I mean of the keystone.conf file, ccard	16:27
ayoung	/etc/httpd/conf.d/keystone.conf or something similar	16:27
ayoung	maybe with a number in front of it	16:27
ccard	ayoung: we are using Apache, but I don't see anything about keystone under /etc/httpd/*. keystone itself is being run as a pacemaker resource (via /usr/bin/keystone-all)	16:29
ccard	configuration from /etc/keystone/keystone.conf	16:30
*** adrian_otto has joined #openstack-keystone		16:30
*** afazekas has quit IRC		16:30
ayoung	ccard, that means keystone is run in Eventlet. You have 3 minutes to leave the building before it releases a ...sorry wrong movie..	16:30
ayoung	ccard, so pretty sure the puppet modules can be called either way.	16:31
ayoung	I should know this stuff.	16:31
ayoung	I don't	16:31
ccard	ayoung: ok, but I'm not planning to change that (or anything, actually) at the moment. I'm just trying to understand what the ca_key is used for, and if I need it.	16:33
bknudson	ccard: unless you're using keystone-manage pki_setup, you don't need ca_key	16:33
ccard	bknudson: that's what I thought, but I couldn't find it stated anywhere. What about the ca cert? Is that still needed?	16:34
ayoung	ccard, you should plan on changing it	16:35
*** hogepodge has quit IRC		16:35
ayoung	instead of spending time understanding Eventlet, use your time more wisely	16:35
ayoung	Eventlet SSL is the path to the dark side.	16:35
ayoung	And by that, I mean your Openstack deployment going dark	16:35
morganfainberg	Eventlet running SSL is not secure. You cannot select ciphers or limit SSL versions.	16:36
morganfainberg	Do not terminate SSL in event let.	16:36
*** krykowski has quit IRC		16:36
morganfainberg	At the very least terminate with Apache. But as ayoung said, running keystone in mod_wsgi is way better.	16:37
ccard	so I should ignore the [ssl] section in keystone.conf?	16:38
ayoung	morganfainberg, no. Don't even tell people that there are still eventlet based options out there. Eventlet is not pining, its passed on Bereft of life, it rests in pieces. Its run down the curtain, shuffled off its mortal coil, and gone join the bleeding choir invisibule. It is an ex-project!	16:38
morganfainberg	ccard: best bet	16:39
ccard	and what about [signing] Is token signing a good idea?	16:39
*** bknudson has quit IRC		16:40
morganfainberg	ccard: so pki tokens are a mixed bag. Some people have a lot of success with them, some don't. I prefer UUID tokens for simplicity (pre kilo). Less general headaches and you don't potentially have 4k-40k (yes someone had a 40k+ sized token) due to the catalog needing to be in the token itself.	16:42
morganfainberg	kilo and later , in going to recommend fernet tokens to eliminate the token table. But that it needs some drive time to prove out.	16:43
morganfainberg	But fernet tokens is largely taking what we learned about UUID and pki tokens and an attempt to improve everything significantly.	16:44
morganfainberg	Annnnd to avoid needing to store the token in a db.	16:44
*** henrynash has joined #openstack-keystone		16:44
*** ChanServ sets mode: +v henrynash		16:44
dolphm	morganfainberg: +10	16:46
dolphm	ccard: fernet tokens are signed too, but they don't require any options from the [signing] section	16:47
ccard	morganfainberg: our current configuration is for pki tokens and using keystone-manage pki_setup, which I think has created some signing keys and certs. But we're still developing our OpenStack (juno) configuration, so this could change. If I wanted to use our own CA to sign a signing cert, do I need to supply the signing ca_key?	16:47
ccard	i.e. can I leave the signing ca_key undef?	16:47
dolphm	ccard: no, that's just to issue self-signed signing cert	16:48
dolphm	ccard: most of those options are primarily there to run pki_setup rather than to actually make pki work	16:48
morganfainberg	What dolphm said. That is only if keystone is managing the self-signed ca	16:48
ccard	dolphm: that's what I thought, but it's not very clear from the docs	16:48
dolphm	ccard: if you're doing your own setup, you can skip several options	16:48
dolphm	ccard: that's true	16:48
ccard	thanks for your help everyone, now I'll have to go and find out how to run keystone under mod_wsgi, using quickstack.	16:49
ccard	no idea how that fits with pacemaker :(	16:50
morganfainberg	ccard: keystone is subordinate to apache	16:50
morganfainberg	ccard: so you'd work with Apache under pacemaker	16:50
morganfainberg	You can either: use a separate instance of Apache that just runs keystone, or you can share via extra listeners on the appropriate ports. You can also do crazy vhost things, but that tends to add a lot of complexity.	16:52
*** afazekas has joined #openstack-keystone		16:52
*** vhoward has joined #openstack-keystone		16:57
ccard	we have haproxy sitting on the keystone endpoint talking to the actual keystone servers (this is an ha OpenStack setup with 3 machines running keystone etc.)	16:57
*** lhcheng has joined #openstack-keystone		16:57
*** ChanServ sets mode: +v lhcheng		16:57
ccard	I suppose the haproxy setup will remain the same if we move keystone to run under mod_wsgi	16:58
morganfainberg	Yep totally can haproxy Apache instances (which in this case just happen to run keystone)	16:59
ccard	thanks	17:02
*** afazekas has quit IRC		17:09
*** tobberydberg has joined #openstack-keystone		17:09
*** ozialien has joined #openstack-keystone		17:12
*** kiran-r has quit IRC		17:14
*** tobberydberg has quit IRC		17:14
openstackgerrit	Henrique Truta proposed openstack/keystone: Remove domain table references https://review.openstack.org/165936	17:14
*** rushil has joined #openstack-keystone		17:16
*** ajayaa has quit IRC		17:19
*** kiran has joined #openstack-keystone		17:19
*** hogepodge has joined #openstack-keystone		17:23
openstackgerrit	Alexander Makarov proposed openstack/keystone: Redis token backend https://review.openstack.org/150844	17:25
openstackgerrit	Alexander Makarov proposed openstack/keystone: Redis cache backend https://review.openstack.org/173000	17:25
*** ozialien has quit IRC		17:31
*** aix has quit IRC		17:32
openstackgerrit	Raildo Mascena de Sousa Filho proposed openstack/keystone: Prohibit invalid ids in subtree and parents list https://review.openstack.org/158720	17:34
*** afazekas has joined #openstack-keystone		17:34
*** browne has joined #openstack-keystone		17:36
*** harlowja_away is now known as harlowja		17:37
*** aix has joined #openstack-keystone		17:37
openstackgerrit	Raildo Mascena de Sousa Filho proposed openstack/keystone: Prohibit invalid ids in subtree and parents list https://review.openstack.org/158720	17:40
*** tobberydberg has joined #openstack-keystone		17:41
openstackgerrit	Alexander Makarov proposed openstack/keystone: Redis cache backend https://review.openstack.org/173000	17:45
*** joesavak has joined #openstack-keystone		17:48
*** bknudson has joined #openstack-keystone		17:48
*** ChanServ sets mode: +v bknudson		17:48
*** aix has quit IRC		17:49
openstackgerrit	Alexander Makarov proposed openstack/keystone: Redis token backend https://review.openstack.org/150844	17:51
*** r-daneel has joined #openstack-keystone		17:51
*** ozialien has joined #openstack-keystone		17:52
*** tobberydberg has quit IRC		17:53
openstackgerrit	Alexander Makarov proposed openstack/keystone: Redis token backend https://review.openstack.org/150844	17:56
*** kiran has quit IRC		17:56
*** markvoelker has joined #openstack-keystone		17:56
*** afazekas has quit IRC		17:57
*** mgagne_ is now known as mgagne		17:58
*** afazekas has joined #openstack-keystone		18:01
*** markvoelker has quit IRC		18:01
amakarov	browne, hi!	18:03
ayoung	amakarov, WHY? Why you do this to mEE!	18:03
ayoung	We come to bury the token backend, not to praise it!	18:04
amakarov	ayoung, mwahahaha!! [evil necromancer laughter] I'm raising it as a possible alternative cache/storage	18:05
*** afazekas has quit IRC		18:05
amakarov	Actually I've split it in two for that	18:05
ayoung	amakarov, Dogpile can already cache to reddis, and we run dogpile in front of the TOken backend.	18:06
amakarov	ayoung, correct, but if connection requires password it'll be exposed. So I made a sort of wrapper with url and password marked as secret	18:07
ayoung	amakarov, dang it...you are now exposing the fact that I was supposed to work on getting passwords out of our config file	18:08
ayoung	amakarov, that really is an oslo config problem	18:08
*** edmondsw has joined #openstack-keystone		18:09
ayoung	if oslo had the power to read a password from a file instead of from the key-value of the config file, we'd all be happier	18:09
bknudson	how would having the password in a different file be better?	18:10
amakarov	ayoung, agreed, alas it cannot read passwords from a file so it's a workaround	18:10
bknudson	seems like the security is the same for that file vs the keystone.conf file	18:10
ayoung	bknudson, not really. Most of the config file values should be world readable	18:11
amakarov	bknudson, the idea is to prevent leaking password to the log	18:11
ayoung	so, if anything needs to read the values, it needs to have access to the whole file	18:11
ayoung	bknudson, which means that readers get way too much power,	18:11
bknudson	who's reading keystone.conf?	18:12
ayoung	bknudson, No, Whoo's on First	18:12
bknudson	if you're using puppet then puppet knows your keystone config values.	18:12
bknudson	I don't know how puppet works, though... we use chef for whatever reason	18:13
ayoung	bknudson, they are comparable in this regard	18:13
ayoung	bknudson, its just a good practice to keep your secrets apart from the rest of the config values,	18:13
bknudson	you can actually split up your keystone.conf file, since oslo.conf can read from multiple config files	18:14
ayoung	it might be puppet, might be something else, but if you lump them together, you need to keep data private that really doesn't have to be, which leads to scripes requireing elevated privs to perform operations	18:14
bknudson	so you could have your secret stuff in a separate file already	18:14
ayoung	bknudson, could we do that with, say, just the mysql url?	18:14
bknudson	y, you could have a file keystone.conf and a keystone2.conf that has the mysql url	18:14
ayoung	bknudson, in a live deployment, what would it take to make that happen?	18:15
bknudson	might want to ask on -oslo, but I think that works.	18:15
ayoung	bknudson, I kindof figured, as henrynash used something along those lines for the domain-specific backend code.	18:15
openstackgerrit	Henrique Truta proposed openstack/keystone: Remove domain table references https://review.openstack.org/165936	18:16
bknudson	I'll try it on my devstack setup.	18:17
bknudson	/usr/local/bin/keystone-all --config-file /etc/keystone/keystone.conf --config-file /etc/keystone/keystone-db.conf	18:19
bknudson	ayoung: that worked ^	18:19
bknudson	there's also a config directory option, too	18:19
samueldmq	henrynash, just to let you know, I am making a demo of the domain-specific database config (which is amazing)	18:19
ayoung	bknudson, so for httpd, we'd update the config option to add that to the list...	18:20
ayoung	let me see.	18:20
samueldmq	henrynash, I am switching the user_tree_dn and listing users dynamically :-)	18:20
bknudson	now I wonder how the httpd server finds its config file(s)?	18:20
*** tobberydberg has joined #openstack-keystone		18:20
*** drjones has joined #openstack-keystone		18:25
*** _cjones_ has quit IRC		18:25
openstackgerrit	Alexander Makarov proposed openstack/keystone-specs: Revocation events for keystonemiddleware https://review.openstack.org/169399	18:25
bknudson	how does someone normally pass options from httpd to the wsgi app?	18:26
*** tobberydberg has quit IRC		18:32
amakarov	bknudson, depends on http server. For ex. nginx + uwsgi use UWSGI_XXXX style options	18:32
openstackgerrit	Merged openstack/python-keystoneclient: Fix tests to work with requests<2.3 https://review.openstack.org/172655	18:32
*** ozialien has quit IRC		18:33
browne	amakarov: hi	18:33
amakarov	browne, it was interesting chat here related to Redis patches :)	18:34
amakarov	Addressing your comment: https://review.openstack.org/#/c/173000/	18:35
browne	i see. yes, i like the idea of putting some options into another file	18:35
browne	for sql connection , i remember someone said a cert could be used instead of password. is that true?	18:35
browne	for mysql anyway	18:35
amakarov	browne, can't say for sure	18:36
*** tqtran has quit IRC		18:38
*** tqtran has joined #openstack-keystone		18:38
openstackgerrit	Eric Brown proposed openstack/keystone: backend_argument should be marked secret https://review.openstack.org/173034	18:39
*** ashleighfarnham has joined #openstack-keystone		18:42
amakarov	browne, why not to make them all secret then? ))	18:43
openstackgerrit	Eric Brown proposed openstack/keystone: backend_argument should be marked secret https://review.openstack.org/173034	18:51
browne	amakarov: all of them? which do you mean?	18:51
amakarov	browne, I try to understand, what advantage have non-secret options	18:53
browne	as a deployer its useful to know what configuration values were set by examining the logs. i've done this multiple times	18:54
amakarov	browne, thanks - plain and simple ))	18:54
browne	np	18:55
*** hockeynut_ has quit IRC		18:57
*** hockeynut has joined #openstack-keystone		18:58
*** amakarov is now known as amakarov_away		19:02
openstackgerrit	Steve Martinelli proposed openstack/keystone: Update openid connect docs to include release info for other distros https://review.openstack.org/173043	19:04
openstackgerrit	Steve Martinelli proposed openstack/keystone: Update openid connect docs to include other distros https://review.openstack.org/173043	19:05
* bknudson wonders how many pull requests there are for keystone.		19:07
* bknudson also not sure how legal it is to accept them.		19:07
stevemar	bknudson, thats a good point	19:10
bknudson	stevemar: I asked on -infra in case they had run into this already... can see the response there.	19:11
stevemar	bknudson, was a 2 line doc change	19:13
stevemar	not really derivative	19:13
bknudson	stevemar: y, I don't think that's the major issue... the icla probably has a clause that requires any work proposed to not be derivative already.	19:14
stevemar	y	19:14
*** joesavak has quit IRC		19:18
*** carlosmarin has quit IRC		19:20
*** _cjones_ has joined #openstack-keystone		19:30
*** drjones has quit IRC		19:31
*** joesavak has joined #openstack-keystone		19:33
*** rushiagr is now known as rushiagr_away		19:36
openstackgerrit	Henrique Truta proposed openstack/keystone: Bye Bye Domain Table https://review.openstack.org/161854	19:38
*** rushiagr_away is now known as rushiagr		19:45
*** _cjones_ has quit IRC		19:46
*** _cjones_ has joined #openstack-keystone		19:46
*** sdake has joined #openstack-keystone		19:53
openstackgerrit	Merged openstack/keystone: Fix signed_saml2_assertion.xml tests fixture https://review.openstack.org/172535	19:56
*** sdake_ has quit IRC		19:56
dtroyer_zz	morganfainberg: hey, have you spent any cycles on the 'splitting out Session from keystoneclient' stuff?	20:01
gordc	does anyone know why if when PKI and ceilometer is enabled, everything breaks. but if i skip 'create_ceilometer_account' and use PKI, only ceilometer services are broken (as expected)	20:13
morganfainberg	dtroyer_zz: and yes I have it is pretty much canned and I just need the down and do it	20:20
dtroyer_zz	morganfainberg: by any chance will that be able to be done without using any oslo libs?	20:21
morganfainberg	Tests etc are what is needed.	20:21
morganfainberg	Should be doable w/o Oslo libs	20:21
morganfainberg	Will need to look.	20:21
morganfainberg	But I think so.	20:22
dtroyer_zz	that would be awesome. oslo.serialization recently grew a dependency on msgpack-python and that has C components. bad bad bad for clients	20:22
morganfainberg	I will try w/o serialization.	20:23
morganfainberg	Etc	20:23
bknudson	maybe keystoneclient doesn't need oslo.serialization?	20:23
dtroyer_zz	I'd love to see oslo.config go away too, but more on principle than anything else (so far)	20:23
*** pnavarro has joined #openstack-keystone		20:33
*** HenryG has quit IRC		20:33
*** HenryG has joined #openstack-keystone		20:37
stevemar	dtroyer_zz, bknudson we could probably just use import json	20:42
*** diegows has joined #openstack-keystone		20:42
*** nbernard has joined #openstack-keystone		20:43
*** lhcheng has quit IRC		20:43
bknudson	I think the oslo.serialization stuff was there for some kind of performance problem in 2.6?	20:43
*** tobberydberg has joined #openstack-keystone		20:47
*** ashleighfarnham has quit IRC		20:50
*** tobberydberg has quit IRC		20:52
*** sdake_ has joined #openstack-keystone		20:53
*** sdake has quit IRC		20:57
*** markvoelker has joined #openstack-keystone		20:59
*** adrian_otto has left #openstack-keystone		20:59
*** markvoelker has quit IRC		21:03
*** ozialien has joined #openstack-keystone		21:04
*** joesavak has quit IRC		21:08
*** rushiagr is now known as rushiagr_away		21:10
*** lhcheng has joined #openstack-keystone		21:11
*** ChanServ sets mode: +v lhcheng		21:11
*** stevemar has quit IRC		21:13
*** aix has joined #openstack-keystone		21:21
*** mattfarina has quit IRC		21:23
*** carlosmarin has joined #openstack-keystone		21:27
*** pnavarro has quit IRC		21:28
*** gyee has quit IRC		21:32
*** topol has quit IRC		21:41
*** gordc has quit IRC		21:45
*** ozialien has quit IRC		21:59
*** markvoelker_ has joined #openstack-keystone		22:00
*** nkinder has quit IRC		22:05
bigjools	how do I get idp_remote_ids populated?	22:17
bigjools	I'm using trunk	22:17
*** henrynash has quit IRC		22:22
openstackgerrit	Lin Hua Cheng proposed openstack/keystone: Make get_trust a protected method https://review.openstack.org/172620	22:26
*** rushil has quit IRC		22:30
*** rushil has joined #openstack-keystone		22:31
*** gyee has joined #openstack-keystone		22:36
*** ChanServ sets mode: +v gyee		22:36
*** rm_work is now known as rm_work\|away		22:37
openstackgerrit	Lin Hua Cheng proposed openstack/keystone: Make get_trust a protected method https://review.openstack.org/172620	22:39
*** Ephur has quit IRC		22:43
*** rushil has quit IRC		22:44
openstackgerrit	Rodrigo Duarte proposed openstack/keystone: Add openstack_project_domain to assertion https://review.openstack.org/172536	22:50
openstackgerrit	Rodrigo Duarte proposed openstack/keystone: Refactor _create_attribute_statement IdP method https://review.openstack.org/172647	22:50
openstackgerrit	Rodrigo Duarte proposed openstack/keystone: Add openstack_user_domain to assertion https://review.openstack.org/172562	22:50
*** henrynash has joined #openstack-keystone		22:52
*** ChanServ sets mode: +v henrynash		22:52
rodrigods	henrynash, addressed your comments in https://review.openstack.org/#/c/172536/	22:55
rodrigods	dolphm, replied your comment in bug #1442787	22:56
openstack	bug 1442787 in Keystone "Mapping openstack_user attribute in k2k assertions with different domains" [Wishlist,In progress] https://launchpad.net/bugs/1442787 - Assigned to Rodrigo Duarte (rodrigodsousa)	22:56
henrynash	ok, wthx, will look in a bit	22:56
*** bknudson has quit IRC		23:02
*** dims_ has joined #openstack-keystone		23:03
*** dims has quit IRC		23:04
bigjools	the openstack shell tool won't let me set remote-ids (the option doesn't exist) using latest devstack, how should I do this now?	23:11
*** chlong has joined #openstack-keystone		23:15
*** Raildo_ has joined #openstack-keystone		23:15
*** jamielennox\|away is now known as jamielennox		23:22
openstackgerrit	Merged openstack/keystone: backend_argument should be marked secret https://review.openstack.org/173034	23:24
*** Raildo_ has quit IRC		23:26
*** Raildo_ has joined #openstack-keystone		23:27
*** Raildo_ has quit IRC		23:27
jamielennox	morganfainberg, dtroyer_zz: why does oslo.serialization depend on msgpack? we use it for the jsonutils for encoding objects to json. We don't have to use it, but i think there are requirements in there for datetime and such	23:27
*** Raildo__ has joined #openstack-keystone		23:27
*** jaosorior has quit IRC		23:32
dtroyer_zz	jamielennox: it's an install req, gets pulled in my pip	23:35
jamielennox	that's dumb, but can't we raise that with oslo?	23:36
jamielennox	i agree, i want keystoneauth to come out with minimal dependencies	23:36
dtroyer_zz	I'm going on a mad run trying to dump as many dependencies as possible	23:36
jamielennox	and particularly nothing C	23:36
dtroyer_zz	and I don't think I want any oslo code in a client, it isn't developed with that in mind	23:36
jamielennox	i don't know where morganfainberg is at	23:37
*** tobberydberg has joined #openstack-keystone		23:37
jamielennox	dtroyer_zz: when i initially did plugins i didn't use oslo.config - i got overruled because we already had one option abstraction format and i should use cfg rather than invent my own	23:37
jamielennox	"everyone already uses it anyway"	23:37
dtroyer_zz	they're wrong, that's a fine argument server-side	23:38
dtroyer_zz	but then I don't think the plugins should be doing cli stuff anyway ;)	23:38
jamielennox	yea, i know that now	23:38
dtroyer_zz	tomorrow Im going to start looking at how bad it would be to stuff the SDK session/transport into the existing client libs for the gaps they still have	23:38
jamielennox	dtroyer_zz: i see your point but disagree, i want this to be more useful than just OSC and others who know what the options are	23:39
jamielennox	for example, everytime i write a test script now i do a .register_argparse_arguments and .load_from so that i can inherit auth options from env without rewriting it all again	23:39
*** nbernard has quit IRC		23:39
dtroyer_zz	sure, that's fine. but just like I want a low-level api, I also want to control the option handling. this also get into the os-client-config bits too	23:40
jamielennox	i was looking at os-c-c the other day	23:40
jamielennox	i think the abstraction is off there	23:40
dtroyer_zz	if the cli stuff can be spit into a subclass, that'd be great, but we've always talked sdk anyway so maby now is the time to start	23:40
jamielennox	i would like to see os-c-c depend on keystoneauth and return a session object and/or a plugin object. I get that OSC wants to handle options, but no-one else does	23:41
*** tobberydberg has quit IRC		23:41
jamielennox	i don't know if the option stuff could live in another class...	23:42
dtroyer_zz	I really haven't thought that through yet	23:42
*** r-daneel has quit IRC		23:43
jamielennox	waiting for morganfainberg to finish up the split so we can start ripping things out	23:43
*** zzzeek has quit IRC		23:43
dtroyer_zz	he said earlier in scrollback that it was basically needing tests	23:43
jamielennox	dtroyer_zz: i'll have a think about what we can do about removing oslo.config, it might be tricky	23:46
*** markvoelker has joined #openstack-keystone		23:49
*** markvoelker_ has quit IRC		23:51
*** markvoelker_ has joined #openstack-keystone		23:53
*** markvoelker_ has quit IRC		23:54
*** markvoelker has quit IRC		23:56

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!