gyee | marekd, let me know if you want to talk https://review.openstack.org/#/c/156870/ | 00:00 |
---|---|---|
*** darrenc is now known as darrenc_afk | 00:12 | |
*** ankita_wagh has joined #openstack-keystone | 00:13 | |
*** ankita_wagh has quit IRC | 00:15 | |
*** dims__ has quit IRC | 00:16 | |
openstackgerrit | Merged openstack/keystoneauth: Update k2k plugin with related code comments https://review.openstack.org/209671 | 00:18 |
*** shoutm has quit IRC | 00:19 | |
*** shadower has quit IRC | 00:23 | |
*** shadower has joined #openstack-keystone | 00:23 | |
*** shoutm has joined #openstack-keystone | 00:23 | |
openstackgerrit | Jamie Lennox proposed openstack/keystoneauth: Add session and auth loading to loading.__init__ https://review.openstack.org/219463 | 00:27 |
openstackgerrit | Jamie Lennox proposed openstack/keystoneauth: Return oslo.config opts from config loading https://review.openstack.org/219467 | 00:27 |
openstackgerrit | Jamie Lennox proposed openstack/keystoneauth: Use auth_type instead of auth_plugin by default https://review.openstack.org/219520 | 00:27 |
openstackgerrit | Jamie Lennox proposed openstack/keystoneauth: Provide combined register and loading functions https://review.openstack.org/219521 | 00:27 |
*** darrenc_afk is now known as darrenc | 00:29 | |
openstackgerrit | Jamie Lennox proposed openstack/keystoneauth: Auth-url is required for identity plugins https://review.openstack.org/219111 | 00:31 |
*** claudiub has quit IRC | 00:39 | |
*** vivekd has quit IRC | 00:40 | |
*** lhcheng has quit IRC | 00:49 | |
*** wwwjfy has joined #openstack-keystone | 00:49 | |
*** dims__ has joined #openstack-keystone | 00:51 | |
*** henrynash has quit IRC | 00:52 | |
*** spandhe has joined #openstack-keystone | 00:52 | |
*** dims__ has quit IRC | 00:56 | |
openstackgerrit | Lin Hua Cheng proposed openstack/keystone: Deprecate LDAP Resource Backend https://review.openstack.org/203748 | 01:02 |
*** r-daneel has quit IRC | 01:04 | |
*** browne has quit IRC | 01:04 | |
*** bknudson has quit IRC | 01:04 | |
*** roxanaghe has joined #openstack-keystone | 01:07 | |
*** roxanaghe has quit IRC | 01:08 | |
openstackgerrit | Merged openstack/keystoneauth: Remove deprecated options from identity base plugin https://review.openstack.org/219087 | 01:08 |
*** roxanaghe has joined #openstack-keystone | 01:11 | |
*** stevemar has joined #openstack-keystone | 01:15 | |
*** ChanServ sets mode: +v stevemar | 01:15 | |
*** vivekd has joined #openstack-keystone | 01:16 | |
*** btully has joined #openstack-keystone | 01:17 | |
openstackgerrit | Merged openstack/keystoneauth: Move admin_token to base _plugins dir https://review.openstack.org/218727 | 01:28 |
*** roxanaghe has quit IRC | 01:29 | |
*** diazjf has quit IRC | 01:35 | |
*** vivekd has quit IRC | 01:39 | |
*** samleon has quit IRC | 01:41 | |
*** roxanagh_ has joined #openstack-keystone | 01:42 | |
morgan | gyee: or we could always just return port 5000 ? Make v3 standardize on that? Will take a second look at that review in a moment | 01:48 |
*** roxanagh_ has quit IRC | 01:49 | |
*** vivekd has joined #openstack-keystone | 01:50 | |
gyee | morgan, let me double check with Haneef, he mentioned always returning public won't work for him | 01:56 |
morgan | Because long term we're killing the need for 5000 and 35357 | 01:57 |
morgan | So you'll only need 5000 | 01:57 |
gyee | well, public URL has extra cost because it may have extra SSL hops, whereas internal services do not need to go through that | 01:58 |
gyee | at least we still want to retain that flexibility | 01:58 |
morgan | So token validation but the rest could use public. | 01:59 |
morgan | ? | 01:59 |
*** spandhe has quit IRC | 02:00 | |
morgan | Which should be fine. | 02:00 |
gyee | not just that, Horizon could use the admin port as well | 02:00 |
morgan | Newer horizon is moving towards javascript | 02:00 |
gyee | since both are behind the firewall | 02:00 |
gyee | oh | 02:00 |
morgan | Which would mean it will be the browser directly | 02:00 |
gyee | I see | 02:01 |
morgan | This is why we're doing the CORS stuff | 02:01 |
gyee | make sense | 02:02 |
morgan | Which reminds | 02:04 |
morgan | Me. I need to review krotscheck's patch | 02:04 |
morgan | By the time we kill 35357 horizon prob. Will be significantly browser based (ish) | 02:06 |
gyee | the angular stuff right? | 02:07 |
morgan | Yah | 02:07 |
gyee | morgan, so for fernet token to work currently, Horizon needs to enable session caching, either in DB or memcached | 02:08 |
gyee | would that change with browser based approach? | 02:08 |
morgan | Why? The token sizes are small enough they *should* fit into cookies | 02:08 |
gyee | I don't know, they're basically hashing the token if it's greater than a certain length, 256 I think | 02:09 |
openstackgerrit | Merged openstack/keystoneauth: Provide has_scope_parameters function on plugins https://review.openstack.org/219089 | 02:09 |
gyee | or was it 64? I'll need to double check the code | 02:09 |
gyee | nevermind, that was old code | 02:11 |
*** davechen has joined #openstack-keystone | 02:11 | |
morgan | I think it is 1k-ish | 02:12 |
morgan | Or so. | 02:12 |
*** hrou has joined #openstack-keystone | 02:17 | |
openstackgerrit | Henrique Truta proposed openstack/keystone: Bye Bye Domain Table https://review.openstack.org/161854 | 02:19 |
openstackgerrit | Henrique Truta proposed openstack/keystone: Remove domain table references https://review.openstack.org/165936 | 02:19 |
openstackgerrit | Henrique Truta proposed openstack/keystone: Add is_domain in token response https://review.openstack.org/197331 | 02:20 |
*** davechen1 has joined #openstack-keystone | 02:23 | |
stevemar | +1 to killing 35357 | 02:25 |
*** davechen has quit IRC | 02:26 | |
gyee | stevemar, unless you don't want deployment flexibility :) | 02:28 |
ayoung | jamielennox, would you expect the keystoneclient py34 tests to run? | 02:28 |
jamielennox | ayoung: i would guess | 02:29 |
jamielennox | ayoung: they seem to in gate | 02:29 |
dstanek | morgan: you hanging around? | 02:31 |
morgan | dstanek: im lurking ;) | 02:31 |
ayoung | morgan, always return relative urls | 02:31 |
*** cloud_zhanglei has joined #openstack-keystone | 02:31 | |
*** cloud_zhanglei is now known as leizhang | 02:31 | |
*** richm has quit IRC | 02:31 | |
ayoung | if the request comes in on 35357, 5000 whatever, it returns the right thing | 02:31 |
dstanek | morgan: Liberty is the 12th release, but will be released as keystone 9.0, right? | 02:32 |
morgan | Yes | 02:32 |
morgan | Erm | 02:32 |
morgan | No | 02:32 |
morgan | 8.0 | 02:32 |
dstanek | should i change my versioned api patches to be v8 then? | 02:33 |
ayoung | jamielennox, Ran 1124 tests in 4.945s | 02:33 |
ayoung | FAILED (id=0, failures=36, skips=4) | 02:33 |
ayoung | that is a clean repo...could it be the deprecation warnings making things fail? | 02:33 |
jamielennox | ayoung: i've no idea | 02:34 |
morgan | Hmm | 02:34 |
morgan | dstanek: sure? I dont care what version we start with | 02:34 |
morgan | If you want it tied to the keystone version, yes | 02:34 |
morgan | I support any version... Even version 1 :P | 02:35 |
dstanek | morgan: it's nice if it matches our release | 02:35 |
jamielennox | dstanek: versioned like the response in / | 02:36 |
jamielennox | ? | 02:36 |
morgan | I expect to not see a version every release. This one probably wouldn't have one for uhmm i'm sure one of the backends | 02:36 |
dstanek | jamielennox: no, versioned drivers | 02:36 |
* morgan will support any of them | 02:36 | |
jamielennox | ok | 02:36 |
dstanek | jamielennox: https://review.openstack.org/#/c/218481/6 | 02:36 |
morgan | dstanek: your choice, i 100% back it ;) | 02:37 |
ayoung | dstanek, you running on fedora now? | 02:37 |
gyee | dstanek, DriverV12.0.0, see morgan still back it :) | 02:38 |
morgan | gyee: you'd probably break python | 02:38 |
morgan | So cant merge it | 02:38 |
gyee | hah | 02:38 |
dstanek | ayoung: yes, on one laptop. once i get around to it and can afford the downtime i'm going to install it on my air | 02:38 |
ayoung | dstanek, f22? Can you tell me if a python-keystoneclient tox -epy34 runs clean for you? | 02:39 |
dstanek | ayoung: if you give me a few i can - i have to fire up a VM. i'm in Texas now and only have my air | 02:39 |
ayoung | dstanek, no problem...just wondering... | 02:40 |
ayoung | mine is failing, and I don't want to move ahead with broken tests | 02:40 |
dstanek | ayoung: do you have a paste of the output already? | 02:41 |
ayoung | dstanek, I can post | 02:41 |
ayoung | dstanek, http://paste.openstack.org/show/439523/ | 02:43 |
ayoung | that is one of the failing tests...keeping the output to a minimum | 02:43 |
*** lhcheng has joined #openstack-keystone | 02:43 | |
*** ChanServ sets mode: +v lhcheng | 02:43 | |
dstanek | morgan: you don't want your stable driver interface spec for this release? | 02:45 |
morgan | Hmm? | 02:45 |
dstanek | didn't see it on the launchpad list | 02:45 |
morgan | Oh it was probably missed. | 02:46 |
morgan | Lets add it. But honestly, we will need a FFE probably *or* finish in mitaka | 02:46 |
morgan | After the basic scaffolding | 02:47 |
morgan | Feature freeze is like 2 days out :( | 02:47 |
*** gyee has quit IRC | 02:47 | |
dstanek | tests are so slooow without this: https://review.openstack.org/#/c/219323/ | 02:48 |
morgan | dstanek: that is an easy +A | 02:49 |
ayoung | damn too slow | 02:49 |
morgan | Hehe | 02:49 |
*** hakimo_ has joined #openstack-keystone | 02:52 | |
*** spandhe has joined #openstack-keystone | 02:52 | |
*** hakimo has quit IRC | 02:54 | |
*** leizhang has quit IRC | 02:55 | |
ayoung | what does tox use to run the tests? I thought it was testr? | 02:55 |
*** fangzhou has quit IRC | 02:57 | |
*** spandhe has quit IRC | 02:59 | |
lifeless | will someone fixup the bad mock import there? | 03:01 |
openstackgerrit | Henrique Truta proposed openstack/keystone: Change policy to comply with is_domain in token https://review.openstack.org/206063 | 03:02 |
lifeless | (it looks to be the same pattern that broke Ironic a couple weeks back) | 03:02 |
lifeless | ayoung: I'd presume so | 03:03 |
htruta | tox is really fast on here: Ran: 5745 tests in 1490.0000 sec | 03:05 |
lifeless | hrou: thats slow | 03:05 |
lifeless | bah | 03:05 |
lifeless | htruta: ^ | 03:05 |
htruta | lifeless: that was sarcasm heh | 03:06 |
htruta | am I the only one who liked run_tests? :/ | 03:06 |
dstanek | htruta: yes | 03:07 |
ayoung | no he's not | 03:07 |
dstanek | ayoung: :-) | 03:08 |
ayoung | We've fucked up testing. Lets not beat around the bush | 03:08 |
dstanek | it just became a bad wrapper around tox | 03:08 |
ayoung | if unit tests take too long to run, the whole development process is busted | 03:08 |
dstanek | ayoung: i've been saying that for a while. that's why i spent so much time cleaning them up | 03:08 |
*** dave-mccowan has quit IRC | 03:08 | |
ayoung | dstanek, ++ | 03:08 |
htruta | dstanek ++ | 03:08 |
lifeless | a few seconds is about right | 03:09 |
htruta | is this patch of yours supposed to make them faster again? | 03:09 |
dstanek | htruta: yes | 03:09 |
dstanek | it's only fair since i made them slower by using entry points | 03:09 |
ayoung | when I had sqlite running on top of a memory based file it was not too bad. | 03:09 |
ayoung | Ran 456 tests in 27.262s | 03:10 |
ayoung | http://adam.younglogic.com/2012/06/sqlite-unit-tests/ | 03:10 |
ayoung | crap was that really 3 years ago? | 03:10 |
htruta | ayoung: long time ago | 03:10 |
ayoung | what am I doing with my life | 03:10 |
htruta | lol | 03:10 |
dstanek | ayoung: ++ | 03:10 |
dstanek | i can't believe it's been 2 years for me | 03:10 |
ayoung | KC is Ran 1124 tests in 15.719s (+10.246s) | 03:10 |
ayoung | how many tests in that run htruta ? | 03:11 |
htruta | 5745 tests in 1490.0000 sec | 03:11 |
dstanek | htruta: my patch should cut your test runtime in half if not more | 03:11 |
htruta | on an i7, 8GB ram | 03:11 |
htruta | dstanek: awesome | 03:11 |
ayoung | it should be about one minute | 03:12 |
ayoung | the two things slowing it down are the web connections and the database accesses | 03:12 |
htruta | sometimes i just run the test_backend stuff... it's taking about 5 minutes | 03:13 |
ayoung | dstanek, jamielennox it is definitely the deprecation warning that is breaking my 3.4 run | 03:21 |
dstanek | ayoung: your traceback is pretty strange | 03:21 |
ayoung | dstanek, I just rpdb set_trace | 03:21 |
dstanek | ayoung: is that in a new tox venv? | 03:22 |
ayoung | dstanek, yep | 03:22 |
ayoung | keystoneclient/v3/client.py line 190 | 03:22 |
dstanek | lifeless: i have patches to clean most of that py3 mocking garbage out of our tests | 03:25 |
lifeless | dstanek: cool | 03:26 |
lifeless | dstanek: if you need an eyeball on them lemme know | 03:26 |
dstanek | lifeless: sure, thx. i've had them on hold until we get through all of this release stuff. so tonight or tomorrow i'll probably push. most of it is really just deleting the code now that the libraries work in py3 | 03:27 |
ayoung | http://git.openstack.org/cgit/openstack/python-keystoneclient/tree/keystoneclient/v3/client.py#n193 | 03:28 |
ayoung | warnings.warn( is acting like raise | 03:28 |
lifeless | dstanek: dunno if you saw your grammatical error in https://review.openstack.org/#/c/219323/ | 03:28 |
lifeless | ayoung: warnings.warn will do that if a raise handler is set | 03:28 |
dstanek | lifeless: yeah, i'll push a follow up. needed to get this in so that our tests speed back up. | 03:29 |
ayoung | lifeless, and how would that have happened? | 03:29 |
dstanek | ayoung: yeah, we do that on purpose | 03:29 |
ayoung | dstanek, then how does anything pass gate? | 03:29 |
lifeless | ayoung: ^^ as dstanek says, but also various test runners do it too | 03:29 |
ayoung | can we not do that? | 03:29 |
dstanek | ayoung: i think we do it in keystone.tests.unit.core... | 03:31 |
ayoung | this is KC | 03:31 |
lifeless | ayoung: why? | 03:31 |
dstanek | ayoung: oh, then i don't know | 03:31 |
ayoung | lifeless, because we have failing unit tests due to warnings | 03:32 |
ayoung | that is wrong | 03:32 |
ayoung | and if it is intentional, we should stop | 03:32 |
lifeless | ayoung: deprecation warnings, or some others?> | 03:32 |
ayoung | deprecation in this case | 03:32 |
lifeless | ayoung: because, 'that is wrong' is far too facile an answer. | 03:32 |
ayoung | lifeless, somehow, I am triggering it on this machine. I suspect that we are not doing this intentionally | 03:33 |
lifeless | ayoung: upstream opinion on deprecation warnings is that they shouldn't be shown to users by default; they should trap errors at test time, and be shown in interactive shells | 03:33 |
ayoung | lifeless, "<dstanek> ayoung: yeah, we do that on purpose" was what I meant was wrong | 03:33 |
lifeless | ayoung: I think dstanek meant 'we convert them to errors on purpose', not 'we trigger the warning on purpose' | 03:33 |
*** fangzhou has joined #openstack-keystone | 03:33 | |
ayoung | lifeless, tox -epy27 runs fine, but 34 does not... I don't think that is intentional, whatever we are planning on doing with deprecations | 03:34 |
ayoung | lifeless, are you suggesting that as soon as we deprecate something we should stop running a unit test on it? | 03:34 |
ayoung | CUz...I know that you are not | 03:34 |
jamielennox | ayoung: ok, did you figure it out? | 03:34 |
ayoung | jamielennox, not really | 03:35 |
lifeless | ayoung: the pattern is that tests of deprecated things would reset the handler themselves | 03:35 |
dstanek | lifeless: right, i think we turn warnings into errors. deprecation warnings for sure | 03:35 |
ayoung | dstanek, only for py34? | 03:35 |
lifeless | ayoung: so yes, we should keep testing deprecated things. We should turn off warning->error for them alone | 03:35 |
dstanek | ayoung: no, should be for everything. running the tests right now in f22 | 03:36 |
ayoung | so..I should be running tox with some magic switch that turns off the "treat warnings as errors"? | 03:36 |
*** btully has quit IRC | 03:36 | |
lifeless | ayoung: what thing that is deprecated is being triggered? | 03:38 |
*** woodster_ has quit IRC | 03:39 | |
ayoung | lifeless, http://git.openstack.org/cgit/openstack/python-keystoneclient/tree/keystoneclient/v3/client.py#n193 | 03:39 |
dstanek | ayoung: in keystone server we only treat sqlalchemy warnings and deprecation warnings as errors; not sure about client yet | 03:39 |
lifeless | ok, so its not something in the stdlib | 03:39 |
dstanek | ayoung: getting crazy gcc errors running tox :-( | 03:40 |
ayoung | dstanek, its only for py3 tests, too | 03:40 |
ayoung | dstanek, you are missing rpms | 03:40 |
ayoung | probably ldap-devel and mysql-devel | 03:40 |
dstanek | this is so not helpful | 03:41 |
dstanek | dnf install all-the-f*ing-rpms! | 03:42 |
dstanek | not sure what netifaces actually is | 03:42 |
ayoung | dstanek, get the list from devstack | 03:42 |
ayoung | http://git.openstack.org/cgit/openstack-dev/devstack/tree/files/rpms/keystone | 03:44 |
ayoung | http://git.openstack.org/cgit/openstack-dev/devstack/tree/files/rpms/devlibs | 03:44 |
ayoung | http://git.openstack.org/cgit/openstack-dev/devstack/tree/files/rpms/general | 03:44 |
dstanek | ayoung: i'm just stacking now so it does the dirty work | 03:44 |
dstanek | installing 131 rpms! | 03:45 |
lifeless | there's a bindep repo you can use | 03:47 |
lifeless | https://rbtcollins.wordpress.com/2015/07/12/bootstrapping-developer-environments-for-openstack/ | 03:47 |
lifeless | http://git.openstack.org/cgit/openstack-infra/project-config/plain/jenkins/data/bindep-fallback.txt | 03:47 |
*** dikonoor has joined #openstack-keystone | 03:48 | |
*** links has joined #openstack-keystone | 03:48 | |
dstanek | lifeless: that's interesting. i'll have to give that a try later. | 03:50 |
openstackgerrit | David Stanek proposed openstack/keystone: Stable Keystone Driver Interfaces https://review.openstack.org/209524 | 03:51 |
openstackgerrit | David Stanek proposed openstack/keystone: Initial support for versioned driver classes https://review.openstack.org/218481 | 03:51 |
dstanek | achievement unlocked: committed, tested and pushed patchsets while eating french toast at cracker barrel! | 03:52 |
*** diazjf has joined #openstack-keystone | 03:53 | |
*** dikonoor has quit IRC | 03:56 | |
*** dikonoor has joined #openstack-keystone | 03:57 | |
*** ankita_wagh has joined #openstack-keystone | 03:58 | |
*** roxanaghe has joined #openstack-keystone | 04:03 | |
*** dims__ has joined #openstack-keystone | 04:03 | |
*** csoukup has joined #openstack-keystone | 04:04 | |
*** csoukup has quit IRC | 04:05 | |
*** fangzhou has quit IRC | 04:06 | |
dstanek | ayoung: yeah, i don't know how these tests work - the fix that is breaking me was committed here: http://git.openstack.org/cgit/openstack/python-keystoneclient/commit/?id=803eb235 | 04:13 |
ayoung | dstanek, looks like it is passing in gate, though | 04:14 |
*** dims__ is now known as dims | 04:17 | |
*** davechen has joined #openstack-keystone | 04:19 | |
*** davechen1 has quit IRC | 04:22 | |
*** spandhe has joined #openstack-keystone | 04:22 | |
*** hrou has quit IRC | 04:22 | |
dstanek | yeah, i don't get it | 04:23 |
*** dims has quit IRC | 04:24 | |
*** spandhe_ has joined #openstack-keystone | 04:25 | |
*** stevemar has quit IRC | 04:25 | |
*** spandhe has quit IRC | 04:26 | |
*** fangzhou has joined #openstack-keystone | 04:27 | |
*** spandhe_ has quit IRC | 04:29 | |
dstanek | lhcheng: you hanging out? | 04:31 |
lhcheng | dstanek: hey | 04:31 |
lhcheng | dstanek: just finishing up some stuff | 04:32 |
lhcheng | dstanek: what's up? | 04:32 |
*** fangzhou has quit IRC | 04:32 | |
*** fangzhou has joined #openstack-keystone | 04:33 | |
dstanek | lhcheng: were you able to test out https://review.openstack.org/#/c/214766 with DOA? | 04:33 |
*** btully has joined #openstack-keystone | 04:33 | |
*** topol has joined #openstack-keystone | 04:34 | |
*** ChanServ sets mode: +v topol | 04:34 | |
*** mylu has joined #openstack-keystone | 04:35 | |
lhcheng | dstanek: still having some problem with my keystone federation env, trying to update it from kilo to L. | 04:37 |
lhcheng | mostly tested it separately | 04:37 |
dstanek | lhcheng: i'll call that a yes then :-) thx | 04:37 |
lhcheng | dstanek: do you know if I can update devstack env in such a way it would not wipe my keystone db? | 04:37 |
*** btully has quit IRC | 04:37 | |
dstanek | lhcheng: i usually unstack, update devstack (and repos) and stack; never noticed the DB being wiped | 04:38 |
dstanek | lhcheng: you could always just take a backup, just in case | 04:39 |
lhcheng | dstanek: I've done some minimal testing, hence adding a fix in PS6. | 04:39 |
lhcheng | dstanek: good idea | 04:39 |
lhcheng | would be easier than just trying to upgrade keystone manually. | 04:40 |
lhcheng | dstanek: that reminds me, I have to bug people to review the DOA change. | 04:42 |
dstanek | every time i see that i think dead on arrival | 04:43 |
*** Nirupama has joined #openstack-keystone | 04:44 | |
lhcheng | lol yeah, it's not the best acronym | 04:44 |
*** mtreinish has quit IRC | 04:57 | |
dstanek | these should be relatively simple https://review.openstack.org/#/c/218481/7 | 04:57 |
*** mtreinish has joined #openstack-keystone | 05:04 | |
dstanek | ayoung: it also fails on my brand new ubuntu vm | 05:05 |
ayoung | dstanek, I wonder how it passes gate? | 05:06 |
*** markvoelker has joined #openstack-keystone | 05:06 | |
lhcheng | dstanek: where does the V8 come from? is that the keystone release #? | 05:08 |
*** ayoung is now known as ayoung_ZZzz | 05:08 | |
lhcheng | dstanek: >> CatalogDriverV8 | 05:08 |
dstanek | lhcheng: yes, that's the keystone release number | 05:08 |
*** markvoelker has quit IRC | 05:11 | |
*** markvoelker has joined #openstack-keystone | 05:12 | |
*** mylu has quit IRC | 05:13 | |
*** diazjf has left #openstack-keystone | 05:21 | |
*** btully has joined #openstack-keystone | 05:45 | |
*** btully has quit IRC | 05:49 | |
*** topol has quit IRC | 05:52 | |
*** topol has joined #openstack-keystone | 05:54 | |
*** ChanServ sets mode: +v topol | 05:54 | |
morgan | We should stop using acronyms | 05:55 |
morgan | Ksc, ksa, ks, doa, etc. all raise the barrier to entry for new contributors. /late night thoughts | 05:55 |
*** topol has quit IRC | 05:57 | |
*** roxanaghe has quit IRC | 06:05 | |
*** lhcheng has quit IRC | 06:08 | |
*** ParsectiX has joined #openstack-keystone | 06:11 | |
openstackgerrit | Vivek Dhayaal proposed openstack/keystone: Stable Keystone Driver Interfaces https://review.openstack.org/209524 | 06:13 |
*** browne has joined #openstack-keystone | 06:23 | |
*** markvoelker has quit IRC | 06:23 | |
*** sdake has joined #openstack-keystone | 06:24 | |
*** lhcheng has joined #openstack-keystone | 06:27 | |
*** ChanServ sets mode: +v lhcheng | 06:27 | |
*** lhcheng has quit IRC | 06:32 | |
*** browne has quit IRC | 06:34 | |
*** stevemar has joined #openstack-keystone | 06:38 | |
*** ChanServ sets mode: +v stevemar | 06:38 | |
*** roxanaghe has joined #openstack-keystone | 06:42 | |
*** stevemar has quit IRC | 06:42 | |
*** roxanaghe has quit IRC | 06:43 | |
*** ankita_wagh has quit IRC | 06:44 | |
*** roxanaghe has joined #openstack-keystone | 06:45 | |
*** ankita_wagh has joined #openstack-keystone | 06:45 | |
*** roxanaghe has quit IRC | 06:49 | |
*** ankita_wagh has quit IRC | 06:49 | |
*** exploreshaifali has joined #openstack-keystone | 06:50 | |
*** dims has joined #openstack-keystone | 06:50 | |
*** ParsectiX has quit IRC | 06:51 | |
*** afazekas__ has joined #openstack-keystone | 06:52 | |
*** dims has quit IRC | 06:54 | |
*** ankita_wagh has joined #openstack-keystone | 07:05 | |
*** ankita_wagh has quit IRC | 07:05 | |
*** ankita_wagh has joined #openstack-keystone | 07:06 | |
*** ParsectiX has joined #openstack-keystone | 07:13 | |
openstackgerrit | Dave Chen proposed openstack/keystonemiddleware: update middlewarearchitecture.rst https://review.openstack.org/219162 | 07:23 |
*** vivekd has quit IRC | 07:28 | |
*** fhubik has joined #openstack-keystone | 07:41 | |
*** henrynash has joined #openstack-keystone | 07:44 | |
*** ChanServ sets mode: +v henrynash | 07:44 | |
*** dims has joined #openstack-keystone | 07:44 | |
*** ankita_wagh has quit IRC | 07:46 | |
*** roxanaghe has joined #openstack-keystone | 07:46 | |
*** dims has quit IRC | 07:49 | |
*** roxanaghe has quit IRC | 07:51 | |
*** fhubik has quit IRC | 07:57 | |
*** e0ne has joined #openstack-keystone | 08:01 | |
*** pnavarro|afk has joined #openstack-keystone | 08:01 | |
*** topol has joined #openstack-keystone | 08:09 | |
*** ChanServ sets mode: +v topol | 08:09 | |
*** jistr has joined #openstack-keystone | 08:11 | |
*** e0ne has quit IRC | 08:13 | |
*** topol has quit IRC | 08:14 | |
*** lhcheng has joined #openstack-keystone | 08:16 | |
*** ChanServ sets mode: +v lhcheng | 08:16 | |
*** pnavarro|afk is now known as pnavarro | 08:19 | |
*** pnavarro has quit IRC | 08:19 | |
*** pnavarro has joined #openstack-keystone | 08:20 | |
*** lhcheng has quit IRC | 08:21 | |
*** vivekd has joined #openstack-keystone | 08:23 | |
*** EinstCrazy has joined #openstack-keystone | 08:25 | |
*** fhubik has joined #openstack-keystone | 08:27 | |
*** shoutm has quit IRC | 08:36 | |
*** ParsectiX has quit IRC | 08:37 | |
*** dims has joined #openstack-keystone | 08:38 | |
*** marzif has joined #openstack-keystone | 08:43 | |
*** dims has quit IRC | 08:43 | |
*** exploreshaifali has quit IRC | 08:48 | |
*** davechen has left #openstack-keystone | 08:56 | |
*** markvoelker has joined #openstack-keystone | 08:57 | |
*** martinus__ has joined #openstack-keystone | 09:01 | |
*** markvoelker has quit IRC | 09:02 | |
martinus__ | Hi there, can someone take a look at my question at http://pastebin.com/njJ6DHDd ? (ask.openstack.org says it's spam...) | 09:03 |
martinus__ | dstanek, henrynash , jamielennox or marekd maybe ? | 09:04 |
*** shoutm has joined #openstack-keystone | 09:11 | |
*** ParsectiX has joined #openstack-keystone | 09:15 | |
*** kiran-r has joined #openstack-keystone | 09:20 | |
*** ParsectiX has quit IRC | 09:20 | |
*** marzif has quit IRC | 09:22 | |
marekd | martinus__: DEBUG (shell:914) Unable to establish connection to http://localhost:5000/v2.0/tokens ? | 09:24 |
martinus__ | yes, | 09:24 |
marekd | make sure you can get through with some nmap, nc or whatever :-) | 09:24 |
martinus__ | marekd the host is not localhost as explained | 09:25 |
martinus__ | the API answers localhost | 09:25 |
marekd | martinus__: also, what version of openstack is that? | 09:25 |
marekd | is it grizzly too ? | 09:25 |
marekd | or it's just openrc | 09:25 |
martinus__ | my openrc client is ubuntu | 09:25 |
martinus__ | 15.04 | 09:25 |
martinus__ | my openstack installation is grizzly | 09:25 |
marekd | and on this 'old debian box' ? | 09:26 |
martinus__ | it is one of the server of the grizzly cluster | 09:26 |
marekd | grizzly seems to be very old, so I'd suspect some troubles here. | 09:26 |
martinus__ | ok maybe I will never know what is the issue. I just can't use my python clients from my ubuntu 15.04 | 09:27 |
martinus__ | not cool :( | 09:27 |
marekd | what's the debug from this 'old box' ? | 09:27 |
martinus__ | I'm going to pastebin it | 09:28 |
marekd | you know, we usually try to be backwards compatible, but we sometimes deprecate some options etc. Usually when something is deprecated it stays for at least 2 cycles. Grizzly is far beyond 2 cycles | 09:28 |
martinus__ | marekd, here it is http://pastebin.com/9ZhwkF20 | 09:31 |
*** e0ne has joined #openstack-keystone | 09:32 | |
martinus__ | it is run from that debian wheezy box | 09:32 |
martinus__ | you see there is a POST curl | 09:32 |
*** dims has joined #openstack-keystone | 09:32 | |
marekd | martinus__: try openstack commandline | 09:33 |
marekd | openstack server list for instance | 09:33 |
marekd | $ openstack --debug server list | 09:33 |
marekd | or maybe you can paste openrc? | 09:34 |
jamielennox | wow - grizzly, there are a whole bunch of things that will have changed since then | 09:35 |
marekd | jamielennox: ++ | 09:35 |
martinus__ | marekd, jamielennox : ahah, it works with openstack command ! | 09:36 |
jamielennox | my first guess though is that it's querying GET / from keystone | 09:36 |
marekd | martinus__: openstack cli is a new way to utilize openstack instead of glance,nova,cinder etc. | 09:36 |
jamielennox | because something is getting back a version list, and you probably want to set like admin_host and public_host in keystone.conf on the server to something real | 09:36 |
marekd | martinus__: i don't know why nova didn't work (and why GET instead of POST), but i'd bother that much - rather upgrade grizzly to something else :-) | 09:36 |
marekd | i wouldn't bother * | 09:37 |
martinus__ | marekd, I'm sorry I was really not aware of that new way | 09:37 |
marekd | martinus__: no problem | 09:37 |
marekd | nova should work i think | 09:37 |
*** dims has quit IRC | 09:37 | |
martinus__ | nova python client doesn't, glance one neither | 09:37 |
marekd | dunno | 09:37 |
marekd | martinus__: just switch to openstack cli | 09:38 |
*** stevemar has joined #openstack-keystone | 09:38 | |
*** ChanServ sets mode: +v stevemar | 09:38 | |
* marekd pokes stevemar | 09:38 | |
*** stevemar has quit IRC | 09:42 | |
*** e0ne has quit IRC | 09:46 | |
*** EinstCrazy has quit IRC | 09:46 | |
martinus__ | marekd, thank you for your help | 09:49 |
martinus__ | jamielennox, the same for you ;) | 09:49 |
marekd | martinus__: you are welcome | 09:49 |
jamielennox | martinus__: np | 09:49 |
*** e0ne has joined #openstack-keystone | 09:55 | |
jamielennox | marekd: so i want to understand the security issue of not having remote_id a bit better | 09:56 |
jamielennox | marekd: to my mind when you set up an apache mod for a url you almost always limit what can be accepted there | 09:57 |
jamielennox | with SAML you provide an idp metadata file, so only relevant assertions are allowed | 09:57 |
sileht | Hi folks, is a new liberty keystonemiddleware release planned? | 09:57 |
jamielennox | with kerberos you provide a keytab | 09:58 |
jamielennox | sileht: not specifically that i know of | 09:58 |
jamielennox | sileht: but i think its been a while so you could probably get one if you're waiting for something | 09:58 |
jamielennox | my understanding is that if you want it to be in liberty g-r it has to be out soon | 09:58 |
*** katkapilatova has joined #openstack-keystone | 09:59 | |
sileht | jamielennox, yes I'm waiting for a fix for aodh | 09:59 |
jamielennox | sileht: did that merge? | 09:59 |
sileht | jamielennox, yes | 09:59 |
jamielennox | ok | 09:59 |
marekd | jamielennox: if you can configure mellon/whatever so only cola IdP is allowed for identity_providers/cola/protocols/saml2/auth and only pepsi idp is allowed for identity_providers/pepsi/protocols/saml2/auth then you are good. You will never end up in a situation where cola guy says he wants to use identity_providers/pepsi/protocols/saml2/auth | 09:59 |
sileht | we currently use a workaround to pass our gate, but we want to release liberty without the workaround | 09:59 |
jamielennox | sileht: so morgan is the person to talk to about a new release - he's based in california | 10:00 |
sileht | jamielennox, ok thanks | 10:00 |
*** fhubik is now known as fhubik_brb | 10:00 | |
*** fhubik_brb is now known as fhubik | 10:00 | |
*** fhubik is now known as fhubik_brb | 10:00 | |
marekd | jamielennox: if you, on the other hand, specify one protected url like identity_providers/*/protocols/saml2/auth then it will be used for both pepsi and cola. Now, shib will trust both of them and will pass the request forward, and keystone, without remote_id, doesn't know who the originating IdP really was. | 10:01 |
marekd | so cola guy can say he is from pepsi and cola manager is surely not a pepsi manager. | 10:01 |
jamielennox | marekd: if there is a conflict like that then keystone will error out won't it? | 10:02 |
jamielennox | oh - no, i guess it won't | 10:02 |
marekd | jamielennox: which conflict? | 10:02 |
marekd | remote_id is a value stored in the assertion (so also accessible for keystone) that identifies issuing IdP. | 10:03 |
jamielennox | so i guess i've never liked the * as part of apache, but i can see why people use it | 10:03 |
marekd | jamielennox: you can leave without remote ids but you should make sure you make such protection in mellon config, so specify which idp will be accepted for which urls. | 10:03 |
marekd | jamielennox: s/leave/live | 10:04 |
marekd | sorry | 10:04 |
jamielennox | yea, i don't know how that works in mellon - if you wanted to do that you'd configure apache the full way | 10:05 |
*** lhcheng has joined #openstack-keystone | 10:05 | |
*** ChanServ sets mode: +v lhcheng | 10:05 | |
marekd | jamielennox: so my point was we should make docs clear that somewhere it must be configured, otherwise admins are exposing themselves to some security risks. | 10:06 |
*** marzif has joined #openstack-keystone | 10:06 | |
jamielennox | marekd: yep, is there a way we can check that case for people? | 10:06 |
jamielennox | a remote_id_required conf or something | 10:06 |
jamielennox | problem with that is if you understand the need for the conf option you know the problem you are trying to avoid | 10:07 |
marekd | what do you mean by 'check the case' ? | 10:08 |
jamielennox | but we could turn it on by default as i think they are currently required | 10:08 |
marekd | you can turn off remote_id validation | 10:08 |
jamielennox | we have that flag? | 10:09 |
marekd | https://github.com/openstack/keystone/blob/master/keystone/contrib/federation/utils.py#L217 | 10:09 |
*** lhcheng has quit IRC | 10:10 | |
marekd | CONF.federation.remote_id_attribute just set this to '' | 10:10 |
jamielennox | hmm | 10:10 |
jamielennox | not sure if that's the default | 10:11 |
marekd | https://github.com/openstack/keystone/blob/master/keystone/common/config.py#L514 | 10:11 |
marekd | yeah, i think it's not | 10:11 |
marekd | i cannot remember why | 10:11 |
marekd | maybe we concluded we should not expose this by default. | 10:11 |
jamielennox | ok, so the default would trigger that | 10:11 |
marekd | but it should be mandatory | 10:11 |
*** ParsectiX has joined #openstack-keystone | 10:13 | |
marekd | ^^ i mean that was the intention beforehand | 10:13 |
openstackgerrit | Merged openstack/keystone: Add support for data-driven backend assignment testing https://review.openstack.org/149178 | 10:14 |
jamielennox | marekd: yea, that's not a good default given the way we tell people to configure federation at the moment | 10:16 |
marekd | default set to '' ? | 10:16 |
jamielennox | yea | 10:16 |
*** kiran-r has quit IRC | 10:19 | |
marekd | jamielennox: i think at the beginning it was also due to backwards compatibility issues | 10:19 |
*** shoutm has quit IRC | 10:19 | |
marekd | jamielennox: or maybe not | 10:19 |
*** dims has joined #openstack-keystone | 10:26 | |
*** lhcheng has joined #openstack-keystone | 10:28 | |
*** ChanServ sets mode: +v lhcheng | 10:28 | |
*** dims has quit IRC | 10:31 | |
*** lhcheng has quit IRC | 10:33 | |
*** chmouel has quit IRC | 10:40 | |
*** chmouel has joined #openstack-keystone | 10:41 | |
*** fhubik_brb is now known as fhubik | 10:46 | |
*** daemontool_ has joined #openstack-keystone | 10:50 | |
openstackgerrit | Merged openstack/python-keystoneclient: Deprecate create HTTPClient without session https://review.openstack.org/205832 | 10:51 |
*** dave-mccowan has joined #openstack-keystone | 10:51 | |
openstackgerrit | Merged openstack/python-keystoneclient: Proper deprecation for httpclient.USER_AGENT https://review.openstack.org/205833 | 10:52 |
openstackgerrit | Merged openstack/python-keystoneclient: Update deprecation text for Session properties https://review.openstack.org/191511 | 10:52 |
*** fhubik is now known as fhubik_brb | 10:56 | |
*** fhubik_brb is now known as fhubik | 10:56 | |
*** claudiub has joined #openstack-keystone | 10:57 | |
*** pnavarro is now known as pnavarro|lunch | 11:06 | |
*** ftco has joined #openstack-keystone | 11:06 | |
ftco | Hi every body... | 11:15 |
ftco | I have two installation of openstack. Is it possible merge them in one dashboard? | 11:19 |
*** fhubik has quit IRC | 11:20 | |
*** fhubik has joined #openstack-keystone | 11:20 | |
*** dims has joined #openstack-keystone | 11:21 | |
*** kiran-r has joined #openstack-keystone | 11:21 | |
*** henrynash has quit IRC | 11:22 | |
*** martinus__ has quit IRC | 11:23 | |
*** dims has quit IRC | 11:26 | |
*** hrou has joined #openstack-keystone | 11:32 | |
*** aix has quit IRC | 11:36 | |
*** gordc has joined #openstack-keystone | 11:38 | |
*** tjcocozz_ has quit IRC | 11:42 | |
*** bapalm has quit IRC | 11:43 | |
openstackgerrit | Marek Denis proposed openstack/keystone: IdP deletion triggers token revocation https://review.openstack.org/210456 | 11:45 |
odyssey4me | ftco see the answer in #openstack | 11:45 |
*** ankita_wagh has joined #openstack-keystone | 11:46 | |
*** samueldmq has joined #openstack-keystone | 11:47 | |
samueldmq | morning | 11:47 |
*** tjcocozz has joined #openstack-keystone | 11:48 | |
*** bapalm has joined #openstack-keystone | 11:49 | |
*** ankita_wagh has quit IRC | 11:51 | |
openstackgerrit | Marek Denis proposed openstack/keystone: IdP deletion triggers token revocation https://review.openstack.org/210456 | 11:52 |
*** amakarov_away is now known as amakarov | 11:54 | |
*** petertr7_away is now known as petertr7 | 12:03 | |
*** stevemar has joined #openstack-keystone | 12:05 | |
*** ChanServ sets mode: +v stevemar | 12:05 | |
*** sigmavirus24_awa is now known as sigmavirus24 | 12:08 | |
*** aix has joined #openstack-keystone | 12:09 | |
*** stevemar has quit IRC | 12:09 | |
*** petertr7 is now known as petertr7_away | 12:17 | |
*** pnavarro|lunch is now known as pnavarro | 12:19 | |
*** ankita_wagh has joined #openstack-keystone | 12:22 | |
*** petertr7_away is now known as petertr7 | 12:23 | |
*** david-lyle has quit IRC | 12:27 | |
*** mordred has quit IRC | 12:27 | |
*** david-lyle has joined #openstack-keystone | 12:28 | |
*** raildo-afk is now known as raildo | 12:29 | |
*** ankita_wagh has quit IRC | 12:29 | |
*** nicodemos has joined #openstack-keystone | 12:38 | |
*** claudiub has quit IRC | 12:38 | |
*** Nirupama has quit IRC | 12:38 | |
*** _kiran_ has joined #openstack-keystone | 12:41 | |
*** kiran-r has quit IRC | 12:42 | |
*** jiaxi has joined #openstack-keystone | 12:43 | |
*** _kiran_ is now known as kiran-r | 12:43 | |
*** sigmavirus24 is now known as sigmavirus24_awa | 12:45 | |
*** jiaxi has quit IRC | 12:47 | |
*** NM has joined #openstack-keystone | 12:48 | |
*** dims has joined #openstack-keystone | 12:48 | |
*** e0ne has quit IRC | 12:53 | |
marekd | ste | 13:01 |
*** kiran-r has quit IRC | 13:02 | |
*** vivekd has quit IRC | 13:04 | |
*** roxanaghe has joined #openstack-keystone | 13:06 | |
*** vivekd has joined #openstack-keystone | 13:06 | |
*** dsirrine has joined #openstack-keystone | 13:08 | |
*** roxanaghe has quit IRC | 13:10 | |
openstackgerrit | Henrique Truta proposed openstack/keystone: Restricting domain_id update https://review.openstack.org/207218 | 13:13 |
*** wwwjfy has quit IRC | 13:16 | |
*** wwwjfy has joined #openstack-keystone | 13:16 | |
*** links has quit IRC | 13:17 | |
*** dims_ has joined #openstack-keystone | 13:17 | |
openstackgerrit | Merged openstack/keystone: Validate Mapped User object. https://review.openstack.org/217049 | 13:20 |
*** dims has quit IRC | 13:21 | |
lbragstad | dstanek: do you know if there was a DOA change for https://review.openstack.org/#/c/214766 ? | 13:22 |
*** A-Morgan has joined #openstack-keystone | 13:23 | |
A-Morgan | Hello there | 13:23 |
A-Morgan | can anyone in advance help me for some issues with keystone over SSL | 13:23 |
*** vivekd_ has joined #openstack-keystone | 13:25 | |
*** vivekd has quit IRC | 13:25 | |
*** vivekd_ is now known as vivekd | 13:26 | |
A-Morgan | is anyone there for help | 13:26 |
A-Morgan | ???? | 13:26 |
*** henrynash has joined #openstack-keystone | 13:29 | |
*** ChanServ sets mode: +v henrynash | 13:29 | |
larsks | A-Morgan: probably more folks around once more of the US is awake and @ work. This channel is mostly for development discussion; try #openstack for help (but same comment there about people being around). | 13:30 |
*** A-Morgan has left #openstack-keystone | 13:31 | |
htruta | ping henrynash, a few minutes to talk about this bug https://review.openstack.org/#/c/213448/11/keystone/tests/unit/test_v3.py that is not a bug? | 13:33 |
*** henrynash has quit IRC | 13:33 | |
*** mordred has joined #openstack-keystone | 13:34 | |
*** richm has joined #openstack-keystone | 13:34 | |
*** henrynash has joined #openstack-keystone | 13:35 | |
*** ChanServ sets mode: +v henrynash | 13:35 | |
henrynash | htuta: hi | 13:35 |
henrynash | htruta: hi | 13:36 |
htruta | hey, I don't think this is a bug... before this patch (Manager support for projects acting as domains), we didn't allow domain_id passed as None in the schema | 13:36 |
htruta | henrynash: now we've made it nullable, so, we should change the None domain_id in this same patch | 13:36 |
henrynash | htruta: ah! | 13:37 |
henrynash | htruta: yep, think you are correct then... we have removed that check, so we should fix it - although I would think in theory we should fix it in the patch we made domain_id nullable | 13:38 |
htruta | henrynash: we made it nullable in the schema in this one... and nullable at sql backend at a follow up | 13:38 |
htruta | henrynash: I think this one is the right place for it | 13:39 |
henrynash | htruta: ok, yep, I agree | 13:39 |
*** fhubik has quit IRC | 13:39 | |
htruta | henrynash: cool. I'll make that change and mark the bug as invalid | 13:40 |
*** fhubik has joined #openstack-keystone | 13:40 | |
henrynash | htruta: ++ | 13:40 |
*** henrynash has quit IRC | 13:40 | |
*** edmondsw has joined #openstack-keystone | 13:41 | |
*** markvoelker has joined #openstack-keystone | 14:01 | |
*** petertr7 is now known as petertr7_away | 14:02 | |
*** petertr7_away is now known as petertr7 | 14:05 | |
*** marzif has quit IRC | 14:05 | |
*** markvoelker has quit IRC | 14:06 | |
*** marzif has joined #openstack-keystone | 14:06 | |
*** kiran-r has joined #openstack-keystone | 14:09 | |
*** vivekd_ has joined #openstack-keystone | 14:09 | |
*** _kiran_ has joined #openstack-keystone | 14:09 | |
*** _kiran_ has quit IRC | 14:10 | |
*** _kiran_ has joined #openstack-keystone | 14:11 | |
*** phalmos has joined #openstack-keystone | 14:11 | |
*** ParsectiX has quit IRC | 14:11 | |
openstackgerrit | Henrique Truta proposed openstack/keystone: Manager support for projects acting as domains https://review.openstack.org/213448 | 14:11 |
*** vivekd has quit IRC | 14:12 | |
*** vivekd_ is now known as vivekd | 14:12 | |
*** rbak has joined #openstack-keystone | 14:13 | |
*** kiran-r has quit IRC | 14:13 | |
breton_ | jamielennox: hey! Do you remember what issues happened with non-thread-safety on https://github.com/openstack/nova/blob/stable/kilo/nova/network/neutronv2/api.py#L195 ? | 14:14 |
*** raildo is now known as raildo-afk | 14:16 | |
*** raildo-afk is now known as raildo | 14:17 | |
*** _kiran_ has quit IRC | 14:18 | |
*** kiran-r has joined #openstack-keystone | 14:18 | |
*** phalmos has quit IRC | 14:20 | |
*** thiagop has joined #openstack-keystone | 14:22 | |
*** sdake has quit IRC | 14:28 | |
*** fhubik has quit IRC | 14:29 | |
*** jsavak has joined #openstack-keystone | 14:30 | |
*** fangzhou_ has joined #openstack-keystone | 14:30 | |
*** kiran-r has quit IRC | 14:30 | |
*** fangzhou has quit IRC | 14:31 | |
*** fangzhou_ is now known as fangzhou | 14:31 | |
*** afazekas__ has quit IRC | 14:31 | |
*** sdake has joined #openstack-keystone | 14:32 | |
*** jsavak has quit IRC | 14:34 | |
*** roxanaghe has joined #openstack-keystone | 14:38 | |
*** phalmos has joined #openstack-keystone | 14:39 | |
*** e0ne has joined #openstack-keystone | 14:39 | |
*** jsavak has joined #openstack-keystone | 14:42 | |
*** markvoelker has joined #openstack-keystone | 14:42 | |
*** markvoelker has quit IRC | 14:42 | |
*** petertr7 is now known as petertr7_away | 14:42 | |
*** markvoelker has joined #openstack-keystone | 14:43 | |
*** browne has joined #openstack-keystone | 14:43 | |
*** roxanaghe has quit IRC | 14:49 | |
*** zzzeek has joined #openstack-keystone | 14:50 | |
*** diazjf has joined #openstack-keystone | 14:53 | |
*** djc_ has joined #openstack-keystone | 14:55 | |
*** krotscheck is now known as kro_afk | 14:59 | |
*** vivekd has quit IRC | 15:00 | |
*** KarthikB has joined #openstack-keystone | 15:01 | |
KarthikB | Good morning all | 15:02 |
*** topol has joined #openstack-keystone | 15:03 | |
*** ChanServ sets mode: +v topol | 15:03 | |
*** dave-mccowan has quit IRC | 15:03 | |
KarthikB | I work for IBM and I'm currently working on using external identity(IBM) with Keystone | 15:04 |
*** kro_afk is now known as krotscheck | 15:04 | |
KarthikB | I've followed this http://docs.openstack.org/developer/keystone/external-auth.html post and created a middleware which sets REMOTE_USER to some user name and the same user name has been created in keystone as well | 15:05 |
KarthikB | but When I make a call I'm still getting the following error | 15:06 |
KarthikB | 2015-09-02 09:41:47.365 7783 DEBUG keystone.token.persistence.backends.kvs [-] <keystone.common.kvs.core.KeyValueStore object at 0x7f1cb2e6fed0> _get_key /usr/lib/python2.7/site-packages/keystone/token/persistence/backends/kvs.py:78 2015-09-02 09:41:47.367 7783 WARNING keystone.common.controller [-] RBAC: Invalid token 2015-09-02 09:41:47.367 7783 WARNING keystone.common.wsgi [-] Authorization failed. The request you have made requires authenti | 15:06 |
KarthikB | Please can someone help me to sort out the issue? | 15:07 |
*** dims_ has quit IRC | 15:12 | |
*** jistr is now known as jistr|call | 15:12 | |
*** phalmos has quit IRC | 15:12 | |
*** richm has quit IRC | 15:14 | |
*** phalmos has joined #openstack-keystone | 15:15 | |
*** slberger has joined #openstack-keystone | 15:15 | |
*** dave-mccowan has joined #openstack-keystone | 15:16 | |
*** Ephur has joined #openstack-keystone | 15:22 | |
KarthikB | Re-posting my query | 15:23 |
KarthikB | KarthikB I work for IBM and I'm currently working on using external identity(IBM) with Keystone 10:04:46 AM kro_afk is now known as krotscheck. I've followed this http://docs.openstack.org/developer/keystone/external-auth.html post and created a middleware which sets REMOTE_USER to some user name and the same user name has been created in keystone as well, but When I make a call I'm still getting the following error 2015-09-02 09:41:47.365 7 | 15:25 |
KarthikB | I work for IBM and I'm currently working on using external identity(IBM) with Keystone | 15:25 |
*** vmbrasseur has left #openstack-keystone | 15:26 | |
*** samueldmq has quit IRC | 15:29 | |
*** yottatsa has joined #openstack-keystone | 15:29 | |
*** richm has joined #openstack-keystone | 15:30 | |
*** yottatsa has quit IRC | 15:30 | |
*** katkapilatova has left #openstack-keystone | 15:33 | |
*** jsavak has quit IRC | 15:36 | |
*** geoffarnold has joined #openstack-keystone | 15:36 | |
*** ayoung_ZZzz is now known as ayoung | 15:36 | |
*** tonytan4ever has joined #openstack-keystone | 15:37 | |
*** geoffarnold has quit IRC | 15:38 | |
*** jistr|call is now known as jistr | 15:38 | |
*** geoffarnold has joined #openstack-keystone | 15:39 | |
*** yottatsa has joined #openstack-keystone | 15:43 | |
*** djc_ has quit IRC | 15:44 | |
*** roxanaghe has joined #openstack-keystone | 15:44 | |
openstackgerrit | Lance Bragstad proposed openstack/keystone: Consolidate the fernet provider validate_v3_token() https://review.openstack.org/196877 | 15:48 |
ayoung | KarthikB, you trying to do Kerberos? | 15:48 |
*** jsavak has joined #openstack-keystone | 15:48 | |
openstackgerrit | Lance Bragstad proposed openstack/keystone: Consolidate the fernet provider issue_v2_token() https://review.openstack.org/197647 | 15:48 |
KarthikB | no @ayoung | 15:49 |
ayoung | KarthikB, what are you trying to do? | 15:49 |
*** yottatsa has quit IRC | 15:51 | |
KarthikB | just a mysql identity backend | 15:51 |
ayoung | KarthikB, password and basic-auth? | 15:51 |
*** dims has joined #openstack-keystone | 15:51 | |
ayoung | KarthikB, what API call are you making that gives you RBAC: Invalid token? | 15:52 |
KarthikB | We are currently working on making bluemix as our external identity and while trying to achieve that we are running into few issues. Here are some of the assumptions made and work done. 1) Every request to Keystone identity will have bluemix token. 2) Developed a middle-ware to receive the token from the request, make a call to UAA to get the detailed user information and assign the user name to REMOTE_USER env variable. 3) Modified the Pip | 15:52 |
*** yottatsa has joined #openstack-keystone | 15:53 | |
ayoung | UAA? Pip? | 15:53 |
KarthikB | @ayoung that is what I'm trying to do | 15:53 |
KarthikB | UAA | 15:53 |
*** kiran-r has joined #openstack-keystone | 15:53 | |
ayoung | KarthikB, I know nothing about bluemix. Define your terms, please. | 15:53 |
*** yottatsa has quit IRC | 15:53 | |
ayoung | KarthikB, and no need for an @ in IRC. This predates twitter :) | 15:54 |
*** browne has quit IRC | 15:55 | |
KarthikB | curl -k -v -H "X-Auth-Token: bearer TOKEN" https://169.55.28.133:5000/v3/users/3bb02a91a3524ddf868ec7c445a40550 | 15:55 |
KarthikB | this is the call I'm making | 15:55 |
KarthikB | ok :-) | 15:56 |
*** gyee has joined #openstack-keystone | 15:57 | |
*** ChanServ sets mode: +v gyee | 15:57 | |
ayoung | bearer TOKEN was something issued by Keystone? | 15:58 |
KarthikB | bluemix is where I have the user info, According to the openstack post that I've mentioned previously. I've created a custom middleware which could make a call to bluemix to get the user information and set the REMOTE_USER variable. | 15:59 |
ayoung | KarthikB, so, unless you've done more magic, Keystone still needs a Keystone Issued token for most operations | 15:59 |
ayoung | to bypass that, look at the Tokenless work gyee and company are working on | 15:59 |
KarthikB | No Young, that was issued by bluemix | 15:59 |
ayoung | REMOTE_USER is only used when creating a keystone token | 16:00 |
*** jsavak has quit IRC | 16:00 | |
*** jsavak has joined #openstack-keystone | 16:00 | |
ayoung | KarthikB, but see https://review.openstack.org/#/c/156870/ for how the other Tokenless work is being done | 16:00 |
KarthikB | I'm assuming the user is already authenticated and having is user token which bluemix can understand, I don't want keystone to perform one more validation. | 16:02 |
*** dims has quit IRC | 16:02 | |
*** kiran-r has quit IRC | 16:02 | |
*** dims has joined #openstack-keystone | 16:03 | |
*** markvoelker has quit IRC | 16:03 | |
*** dims_ has joined #openstack-keystone | 16:04 | |
*** petertr7_away is now known as petertr7 | 16:04 | |
*** browne has joined #openstack-keystone | 16:05 | |
gyee | ayoung, KarthikB, sorry I didn't catch the whole conversation, speaking of that patch, I need to talk to marekd | 16:05 |
*** bknudson has joined #openstack-keystone | 16:06 | |
*** ChanServ sets mode: +v bknudson | 16:06 | |
gyee | marekd, you still awake? | 16:06 |
*** dims has quit IRC | 16:07 | |
ayoung | KarthikB, all of the workflow in OpenStack assumes you are passing around Keystone tokens. All that external does is let you use an external identity provider to get the token. The token provides the openstack relevant access information. So, while it is a little dumb that you need it to do work on Keystone, that is how things are designed | 16:07 |
ayoung | so, try getting a scoped keystone token first, and I think the rest should work for you | 16:07 |
KarthikB | thanks for your input ayoung | 16:08 |
KarthikB | ayoung: there is no other way to pass tokens that aren't provided by keystone? | 16:10 |
ayoung | KarthikB, http://adam.younglogic.com/2015/08/tokenless-keystone/ | 16:10 |
*** stevemar has joined #openstack-keystone | 16:11 | |
*** ChanServ sets mode: +v stevemar | 16:11 | |
morgan | ayoung: we need to approve the last x509 patch today if possible. But it hasn't been updated from the -1s | 16:11 |
morgan | gyee: ^cc | 16:11 |
ayoung | morgan, it ain't gonna happen | 16:11 |
morgan | Because otherwise it isn't landing in liberty | 16:11 |
ayoung | needs too much work | 16:11 |
morgan | Then I'm punting it to mitaka | 16:11 |
gyee | morgan, yes, I'll update the patch if Sam doesn't have time to get to it | 16:12 |
gyee | was hoping I can answer marekd's concern | 16:12 |
ayoung | morgan, I'll stay on it in terms of reviewing | 16:12 |
morgan | gyee: update in the next hour | 16:12 |
gyee | k | 16:12 |
gyee | right away sir | 16:12 |
*** shoutm has joined #openstack-keystone | 16:12 | |
KarthikB | Thanks for your time ayoung, let me go through that | 16:12 |
ayoung | morgan, you know me; the perfect is the enemy of the good. I'm OK with a sub-perfect patch for an experimental feature | 16:12 |
ayoung | so long as it can be turned off, I'd rather have people beating on it | 16:13 |
morgan | gyee: it has to be gating yesterday if we want it without a FFE and I'm going to say i am -1 on FFEs to begin with. Especially with the general unresponsiveness to questions on patches we have had this cycle | 16:13 |
gyee | ayoung, you want perfect, and you want workable software?! :) | 16:13 |
morgan | But at this point im ready to let everything slide to mitaka. | 16:14 |
gyee | morgan, that's fine if no one's going to review it | 16:15 |
morgan | gyee: the issue isn't just reviews. It has been even with reviews no responses | 16:15 |
morgan | So everything has been yet again pushed to the last minute | 16:15 |
gyee | morgan, lemme update it | 16:15 |
morgan | Ok. | 16:15 |
gyee | I was hoping to catch marekd so I can address his concerns here | 16:16 |
*** afazekas__ has joined #openstack-keystone | 16:16 | |
morgan | Those concerns have been there for a week now? | 16:16 |
*** devlaps has joined #openstack-keystone | 16:16 | |
gyee | yesterday | 16:16 |
gyee | Sam's been active in updating it I think | 16:16 |
morgan | Ok so why did it wait until the last week to get work done on it? | 16:16 |
*** pkholkin has joined #openstack-keystone | 16:17 | |
gyee | I think he's been updating it, just the reviews come slowly | 16:17 |
morgan | I've seen these patches sit for a significant amount of time with -1s | 16:17 |
morgan | And no updates. Not just this one of others too | 16:17 |
morgan | I am rather irritated that we are a day before feature freeze and cramming this in. | 16:18 |
*** tdurakov has joined #openstack-keystone | 16:18 | |
tdurakov | jamielennox, hi, are you around? | 16:18 |
gyee | morgan, that patch's been reviewed thoroughly and tested by multiple folks | 16:19 |
gyee | I think we are at the bike shedding land right now | 16:19 |
gyee | anyway, let me update | 16:19 |
tdurakov | jamielennox, got question about your note: https://github.com/openstack/nova/blob/master/nova/network/neutronv2/api.py#L205 | 16:20 |
*** petertr7 is now known as petertr7_away | 16:21 | |
*** jsavak has quit IRC | 16:23 | |
*** jsavak has joined #openstack-keystone | 16:24 | |
stevemar | hmm no lhcheng | 16:25 |
stevemar | dang! | 16:25 |
KarthikB | ayoung quick question: the section "Developing a WSGI middleware for authentication" in the http://docs.openstack.org/developer/keystone/external-auth.html post will not work? | 16:26 |
ayoung | KarthikB, that is just to get a keystone token | 16:26 |
*** afazekas__ has quit IRC | 16:35 | |
*** pnavarro is now known as pnavarro|afk | 16:36 | |
openstackgerrit | Brant Knudson proposed openstack/python-keystoneclient: Deprecate create Discover without session https://review.openstack.org/205829 | 16:39 |
*** marzif has quit IRC | 16:43 | |
*** marzif has joined #openstack-keystone | 16:43 | |
*** samleon has joined #openstack-keystone | 16:44 | |
*** jistr has quit IRC | 16:44 | |
*** fangzhou has quit IRC | 16:45 | |
openstackgerrit | guang-yee proposed openstack/keystone: Tokenless authz with X.509 SSL client certificate https://review.openstack.org/156870 | 16:45 |
*** afazekas__ has joined #openstack-keystone | 16:48 | |
*** hrou has quit IRC | 16:49 | |
*** henrynash has joined #openstack-keystone | 16:54 | |
*** ChanServ sets mode: +v henrynash | 16:54 | |
*** tonytan4ever has quit IRC | 16:57 | |
KarthikB | ayoung Yes, I just want to get the keystone token since I already authenticated the user with third party provider. I'm passing the third party issued token just to get the user information in keystone middleware, and that user name is already created in keystone with appropriate access. | 16:57 |
stevemar | KarthikB: same Karthik that sent me an email two days ago? | 16:57 |
KarthikB | Hi Stevev | 16:58 |
stevemar | i am just looking at it now :) | 16:58 |
KarthikB | Steve* yes, same Karthik | 16:58 |
stevemar | we can chat here, is there any new info that you can add - did you get any further? | 16:58 |
stevemar | i was thinking... i | 16:58 |
stevemar | you may need to enable logging to get more info here, and make sure that the new middleware is being invoked | 16:59 |
stevemar | cause i'm not seeing that in the log you pasted | 16:59 |
openstackgerrit | Merged openstack/keystoneauth: Auth-url is required for identity plugins https://review.openstack.org/219111 | 16:59 |
openstackgerrit | Merged openstack/keystoneauth: Return oslo.config opts from config loading https://review.openstack.org/219467 | 17:00 |
KarthikB | yes, my middleware is getting triggered and it is successfully able to make a call to UAA to get the user information and sets the REMOTE_USER variable as well | 17:00 |
KarthikB | stevemar | 17:00 |
KarthikB | Can I paste the log here stevemar? | 17:01 |
stevemar | you can PM if you want, doesn't much matter to me | 17:03 |
*** woodster_ has joined #openstack-keystone | 17:03 | |
openstackgerrit | henry-nash proposed openstack/keystone: Support project hierarchies in data driver tests https://review.openstack.org/154485 | 17:04 |
*** lhcheng has joined #openstack-keystone | 17:05 | |
*** ChanServ sets mode: +v lhcheng | 17:05 | |
openstackgerrit | henry-nash proposed openstack/keystone: Remove manager-driver assignment metadata construct https://review.openstack.org/148995 | 17:07 |
*** mylu has joined #openstack-keystone | 17:10 | |
*** mylu has quit IRC | 17:10 | |
*** e0ne has quit IRC | 17:12 | |
*** afazekas__ has quit IRC | 17:14 | |
*** phalmos has quit IRC | 17:17 | |
*** wwwjfy has quit IRC | 17:18 | |
*** roxanaghe has quit IRC | 17:19 | |
*** roxanaghe has joined #openstack-keystone | 17:19 | |
*** marzif has quit IRC | 17:20 | |
morgan | gyee: questions on x509. | 17:23 |
*** fangzhou has joined #openstack-keystone | 17:23 | |
morgan | And one thing that needs a followup patch to fix. Log level in one case should not be warn | 17:24 |
gyee | morgan, sure | 17:25 |
gyee | let me check | 17:25 |
*** spandhe has joined #openstack-keystone | 17:31 | |
*** dims_ has quit IRC | 17:33 | |
mordred | morgan: is keystone still a special case in the catalog? | 17:34 |
morgan | mordred: i believe so (sorry) | 17:34 |
mordred | morgan: k. so I need to keep this still https://github.com/openstack-infra/shade/blob/master/shade/__init__.py#L758-L768 | 17:35 |
lhcheng | jamielennox stevemar lbragstad: when you get the chance, this is the patch in django_openstack_auth for the IDP specific websso: https://review.openstack.org/#/c/219041/ | 17:35 |
*** markvoelker has joined #openstack-keystone | 17:35 | |
*** markvoelker has quit IRC | 17:35 | |
*** dims has joined #openstack-keystone | 17:35 | |
morgan | lbragstad: why are we changing responses here? https://review.openstack.org/#/c/196877/21/keystone/tests/unit/test_v3_auth.py 404 should be still returned for invalid tokens? | 17:36 |
*** markvoelker has joined #openstack-keystone | 17:36 | |
morgan | Why is github's mobile site so useless. The line number stuff doesn't work because they don't render line numbers /rage | 17:36 |
morgan | And you have to scroll to the bottom of the page to get the "desktop" site. | 17:37 |
morgan | Stupid design is stupid... | 17:37 |
morgan | mordred: yes likely you need to keep that. | 17:38 |
openstackgerrit | venkatamahesh proposed openstack/keystone: Fix the http link for JSON schema https://review.openstack.org/217319 | 17:38 |
mordred | morgan: okie! | 17:39 |
*** aix has quit IRC | 17:40 | |
*** jsavak has quit IRC | 17:41 | |
lbragstad | morgan: there was a comment on the patch set; specifically pointing to https://review.openstack.org/#/c/205554/ | 17:42 |
lbragstad | it was on PS 12 and it was made by Vladimir | 17:42 |
morgan | lbragstad: but you are changing 404 to 400? | 17:42 |
*** slberger has quit IRC | 17:43 | |
* morgan needs to look more closely on non-mobile device i guess. | 17:43 | |
lbragstad | morgan: I think that is because of https://github.com/openstack/keystone/blob/master/keystone/token/providers/fernet/token_formatters.py#L228 | 17:43 |
morgan | Which is wrong | 17:44 |
morgan | Should be a 404 | 17:44 |
*** dikonoor has quit IRC | 17:44 | |
lbragstad | morgan: the fernet.core:Provider.validate_v3_token method use to except that and return 404 https://review.openstack.org/#/c/196877/21/keystone/token/providers/fernet/core.py | 17:44 |
morgan | We need to be consistent in what invalid tokens do. | 17:44 |
lbragstad | morgan: I can roll that into a new patch | 17:44 |
morgan | Ah | 17:45 |
morgan | Yeah ok. | 17:45 |
morgan | Hard to see that from a mobile device | 17:45 |
morgan | Not sure of the benefit to always rerolling a 400 to a 404 | 17:45 |
morgan | Prob should clean that up in a follow up then. | 17:45 |
lbragstad | morgan: I left a comment, I can respin if you want, or address in the follow up.. | 17:46 |
lbragstad | morgan: up to you | 17:46 |
morgan | Dont respin | 17:46 |
lbragstad | morgan: alright, i'll address in a follow on patch | 17:46 |
morgan | As long as 404 is always emitted (except if auth-token is invalid) to the user it doesn't matter much | 17:46 |
morgan | We can bike shed about internals later. | 17:46 |
morgan | Dont rush on the follow up either ;) | 17:47 |
morgan | It can wait as long as users only see 404 or 401 as expected | 17:47 |
gyee | morgan, I told Sam to keep looking at the patch, he's not allowed to take any schnapps today :) | 17:48 |
mordred | morgan: cool - so, I think I'm not going to land the ksa change to shade until ksa releases 1.0 (so that I can go ahead and make the requirements line ">=1.0.0") - but the change is ready to fly | 17:48 |
morgan | mordred: ++ | 17:48 |
morgan | gyee: good. Please rally some more reviewers. I want that to land if we can. | 17:48 |
morgan | I can hold the rel team a day to land it if it is gating | 17:49 |
gyee | morgan, yeah, lhcheng will review it once more | 17:49 |
gyee | thanks | 17:49 |
morgan | But if it isn't gating by this afternoon, ffe or mitaka | 17:49 |
gyee | stevemar, pleeeease if you have cycle | 17:49 |
morgan | So you have 3-4 hours to get 2x+2 on it | 17:49 |
gyee | ayoung, free beer on me? | 17:49 |
morgan | And it looks good to me, as long as that warning is addressed in a followup | 17:50 |
ayoung | gyee, TANSTAAFB | 17:50 |
*** jsavak has joined #openstack-keystone | 17:50 | |
morgan | So you have 1x+2 if you post that followup | 17:50 |
ayoung | gyee, is it ready for review? | 17:50 |
morgan | ayoung: it should be. | 17:50 |
*** spandhe has quit IRC | 17:50 | |
gyee | ayoung, yes | 17:50 |
gyee | dstanek, if you review it, I'll fixup Manziel | 17:51 |
ayoung | morgan, yes DNs can have spaces | 17:52 |
morgan | mordred: there are ~2 patches to ksa that could use another +2/+A and we need to check with jamielennox as he asked for another day | 17:52 |
ayoung | is that a deal breaker? | 17:52 |
morgan | ayoung: no. But we need to file it as a bug and fix it post L3 | 17:52 |
gyee | ayoung, could be a bug in mod_ssl, seems like it is stripping the spaces | 17:52 |
morgan | Known limitation is fine | 17:52 |
ayoung | hmm | 17:52 |
gyee | we can remove it once mod_ssl is fixed | 17:52 |
gyee | remove that comment from the doc I mean | 17:52 |
morgan | gyee: even in the middle of a dn element? | 17:53 |
ayoung | why no spaces? | 17:53 |
gyee | morgan, that's what Sam's seeing | 17:53 |
morgan | Strip spaces or convert spaces? | 17:53 |
morgan | Hmm so dn=morgan fainberg becomes dn=morganfainberg ? | 17:53 |
morgan | For example? | 17:53 |
gyee | strips the spaces according to Sam | 17:53 |
gyee | right | 17:53 |
morgan | (Fwiw this sounds broken) | 17:53 |
gyee | just the DN | 17:54 |
gyee | individual attributes seem fine | 17:54 |
morgan | Weird | 17:55 |
morgan | Because dn=thing one, ... Should be distinct from dn=thingone, ... | 17:55 |
morgan | Wonder if nginx does the same thing | 17:56 |
gyee | we haven't tried nginx | 17:56 |
ayoung | gyee, https://review.openstack.org/#/c/156870/59/keystone/middleware/core.py,cm how do I turn it off? | 17:57 |
gyee | any case, I'll ask Sam to file a bug for mod_ssl | 17:57 |
gyee | ayoung, it is off by default if you don't specify a trusted_issuer in keystone.conf | 17:57 |
morgan | Maybe the rfc is that spaces are ignored | 17:57 |
* morgan looks. | 17:57 | |
morgan | If that is the case, it makes life easier, we can collapse spaces ourselves. | 17:58 |
ayoung | morgan, why only +1? | 17:59 |
gyee | morgan, yes, I'll push a follow-on patch to make it easier to configure trusted issuer using 'keystone-manage' cli | 17:59 |
morgan | ayoung: the inline questions and followup need for the warning downgrade | 17:59 |
morgan | ayoung: +2 after those things. | 17:59 |
*** yottatsa has joined #openstack-keystone | 18:00 | |
ayoung | morgan, OK...I'll +1 as well. gyee we going to get an update with those in time? | 18:00 |
morgan | gyee: looking at cert dn rfc now. Trying to determine relevance of spaces | 18:00 |
gyee | ayoung, no, I won't be able to do the keystone-manage stuff today | 18:01 |
*** yottatsa has quit IRC | 18:02 | |
openstackgerrit | Sam Leong proposed openstack/keystone: Tokenless authz with X.509 SSL client certificate https://review.openstack.org/156870 | 18:02 |
gyee | Sam can address the minor comments if needed | 18:02 |
*** yottatsa has joined #openstack-keystone | 18:02 | |
morgan | gyee: ayoung https://tools.ietf.org/html/rfc5280#section-4.1.2.4 looking at what the string types are | 18:03 |
*** spandhe has joined #openstack-keystone | 18:03 | |
morgan | This is a seriously dense rfc even compared to most | 18:03 |
gyee | right its printable string so space should be allowed | 18:04 |
*** yottatsa_ has joined #openstack-keystone | 18:04 | |
*** yottatsa has quit IRC | 18:04 | |
*** jsavak has quit IRC | 18:04 | |
lhcheng | gyee: what happened to the "ephemeral_user" config for x509? | 18:05 |
*** jsavak has joined #openstack-keystone | 18:05 | |
*** markvoelker has quit IRC | 18:05 | |
gyee | lhcheng, no need, it is supported by mapping now | 18:06 |
samleon | lhcheng: we changed that in the mapping | 18:06 |
samleon | in the mapping, it supports ephemeral user as marek pointed out | 18:06 |
samleon | so no need in the config option anymore | 18:06 |
samleon | gyee, yeah a patch just up | 18:07 |
morgan | Except apache is assuming issuer is dns compatible as common name is typically so via RFC2818 | 18:08 |
morgan | Euuw | 18:08 |
openstackgerrit | Merged openstack/keystone: Adds caching to paste deploy's egg lookup https://review.openstack.org/219323 | 18:08 |
morgan | Apache might be extracting common name not pure dn | 18:09 |
*** marzif has joined #openstack-keystone | 18:09 | |
morgan | Which case it makes some assumptions. And they are kindof not rfc compliant | 18:09 |
morgan | It looks like | 18:09 |
gyee | samleon, lets file a bug for mod_ssl to see what they think | 18:10 |
*** mylu has joined #openstack-keystone | 18:10 | |
samleon | yeah, will do that | 18:11 |
lhcheng | gyee, samleon: cool, got it. will continue to look at the recent changes. | 18:11 |
morgan | Anyway lets add a minor line that indicates apache strips spaces from the middle of the value of the attribute | 18:12 |
morgan | As to why the no-spaces rule is needed | 18:12 |
morgan | This can be a followup patch | 18:12 |
gyee | samleon, ^^^ | 18:12 |
samleon | lhcheng, be aware that ephemeral user is the default one in the mapping for some reasons, so you will have to define 'local' if you want a regular user | 18:12 |
samleon | morgan, yep | 18:13 |
morgan | That should identify/squash any worries about "whhhyyyy is it like this" | 18:13 |
morgan | It is crappy but no one can complain this way. | 18:13 |
morgan | Well they can but we dont need to justify it further | 18:14 |
*** sdake_ has joined #openstack-keystone | 18:14 | |
*** csoukup has joined #openstack-keystone | 18:16 | |
*** __dstanek__ has joined #openstack-keystone | 18:16 | |
*** sdake has quit IRC | 18:17 | |
*** sdake has joined #openstack-keystone | 18:21 | |
*** marzif has quit IRC | 18:22 | |
*** tonytan4ever has joined #openstack-keystone | 18:22 | |
*** henrynash has quit IRC | 18:22 | |
*** marzif has joined #openstack-keystone | 18:22 | |
*** roxanaghe has quit IRC | 18:22 | |
*** dsirrine has quit IRC | 18:25 | |
*** sdake_ has quit IRC | 18:25 | |
*** marzif has quit IRC | 18:28 | |
openstackgerrit | Monty Taylor proposed openstack/keystoneauth: Add session and auth loading to loading.__init__ https://review.openstack.org/219463 | 18:29 |
openstackgerrit | Monty Taylor proposed openstack/keystoneauth: Use auth_type instead of auth_plugin by default https://review.openstack.org/219520 | 18:29 |
mordred | morgan: ^^ I just fixed those two that jamielennox had outstanding (merge conflict and 2 duplicate lines) | 18:30 |
*** phalmos has joined #openstack-keystone | 18:30 | |
*** jasonsb has quit IRC | 18:32 | |
*** aix has joined #openstack-keystone | 18:34 | |
*** petertr7_away is now known as petertr7 | 18:38 | |
*** dsirrine has joined #openstack-keystone | 18:39 | |
*** phalmos has quit IRC | 18:39 | |
*** phalmos has joined #openstack-keystone | 18:41 | |
*** sdake_ has joined #openstack-keystone | 18:41 | |
*** jsavak has quit IRC | 18:42 | |
*** e0ne has joined #openstack-keystone | 18:42 | |
*** __dstanek__ has quit IRC | 18:42 | |
*** jsavak has joined #openstack-keystone | 18:43 | |
*** slberger has joined #openstack-keystone | 18:44 | |
*** sdake has quit IRC | 18:45 | |
*** amakarov is now known as amakarov_away | 18:46 | |
*** jecarey has joined #openstack-keystone | 18:46 | |
*** btully has joined #openstack-keystone | 18:52 | |
*** yottatsa_ has quit IRC | 18:52 | |
lhcheng | samleon: added some comments on the x509 patch, it can be addressed as follow-up. Not worth re-submitting. | 18:53 |
lhcheng | gyee: ^ | 18:53 |
openstackgerrit | Terry Howe proposed openstack/keystoneauth: Change auth plugin help text to auth type https://review.openstack.org/219838 | 18:54 |
*** harlowja has quit IRC | 18:54 | |
gyee | lhcheng, thanks! | 18:54 |
*** harlowja has joined #openstack-keystone | 18:58 | |
*** markvoelker has joined #openstack-keystone | 19:00 | |
*** yottatsa has joined #openstack-keystone | 19:00 | |
*** Ephur has quit IRC | 19:00 | |
gsilvis | stevemar: hey, I'm here now, if you want to talk | 19:01 |
*** phalmos has quit IRC | 19:01 | |
*** mylu has quit IRC | 19:02 | |
*** mylu has joined #openstack-keystone | 19:02 | |
stevemar | gsilvis: i punted over stuff in an email instead | 19:05 |
stevemar | gsilvis: its something for the two dude in the email to bug you about, i was just playing liaison to get them in the right direction :) | 19:06 |
gsilvis | stevemar: yeah, I noticed that just after I said that | 19:06 |
gsilvis | stevemar: okay, I'll be ready with possible answers :) | 19:06 |
morgan | dstanek: followup patch for stable interfaces +2/+A | 19:07 |
morgan | dstanek: is that bp "implemented" as far as liberty is concerned? | 19:08 |
morgan | now | 19:08 |
gyee | yay! | 19:08 |
stevemar | gsilvis: haha, cool. thanks dude! it sounds very very familiar to what y'all were doing with cinder/nova, just place that with swift/barbican | 19:08 |
gsilvis | stevemar: yup, and there's a lot of the same subtleties too, I bet | 19:08 |
slberger | Has anyone run into trouble making concurrent requests when using fernet_tokens? like any more than 10 and you get unauthorized statuses intermittently | 19:09 |
*** yottatsa has quit IRC | 19:10 | |
lbragstad | slberger: hmmm, what's your client look like/ | 19:10 |
*** yottatsa has joined #openstack-keystone | 19:10 | |
slberger | lbragstad, I don't understand the question | 19:10 |
*** yottatsa has quit IRC | 19:10 | |
lbragstad | slberger: FYI, dolphm and I have used this for bench marking before - https://gist.github.com/dolph/02c6d37f49596b3f4298#file-benchmark-sh | 19:10 |
lbragstad | slberger: you're simulating 10 or more users hitting the keystone server, creating and validating tokens right? | 19:11 |
*** yottatsa has joined #openstack-keystone | 19:12 | |
*** phalmos has joined #openstack-keystone | 19:12 | |
*** e0ne has quit IRC | 19:12 | |
*** hrou has joined #openstack-keystone | 19:13 | |
slberger | lbragstad, yea, this has shown in a few tests our performance team has been running that just tries to boot nova instances | 19:17 |
openstackgerrit | Lance Bragstad proposed openstack/keystone: Allow Fernet to return TokenNotFound https://review.openstack.org/219848 | 19:17 |
lbragstad | morgan: ^ | 19:17 |
lbragstad | slberger: are you able to pin it down to a specific error message? | 19:18 |
slberger | Unauthorized: The request you have made requires authentication. (HTTP 401) | 19:20 |
slberger | it happens very sporadically | 19:20 |
lbragstad | your performance team isn't attempting a key rotation during the tests are they? | 19:21 |
*** yottatsa has quit IRC | 19:22 | |
lbragstad | dolphm: you don't remember anything around that do you? I thought we hit something similar but not towards the end of our testing ^^ | 19:22 |
slberger | lbragstad, I mean they are testing in an environment with rotation in place | 19:22 |
lbragstad | slberger: so rotation is being done automatically? | 19:23 |
slberger | yea | 19:23 |
slberger | every 15 minutes | 19:23 |
lbragstad | but the 401s happen intermittently around that? | 19:23 |
slberger | im not sure | 19:24 |
slberger | lbragstad, they say the tests only last 5 minutes | 19:24 |
lbragstad | ok, I'd probably check and see if there is a correlation there at all | 19:24 |
lbragstad | oh... | 19:24 |
*** yottatsa has joined #openstack-keystone | 19:24 | |
lbragstad | so it shouldn't even hit the first rotation | 19:24 |
slberger | lbragstad, ok I can ask them to check | 19:24 |
lbragstad | slberger: are they able to run the tests with one user? | 19:25 |
lbragstad | slberger: these are the validate token results we got with 100 concurrent users - https://gist.github.com/dolph/02c6d37f49596b3f4298#file-validate_token_concurrent-L15 | 19:26 |
slberger | lbragstad, not sure I think they might be using just one user, they are running tests through rally | 19:26 |
jdennis | I could use some help, I'm debugging an incorrect URL used for ECP in Saml2UnscopedToken._send_idp_saml2_authn_request() | 19:27 |
lbragstad | slberger: hmm, if they are running the test with only one user, it wouldn't be concurrent, would it? | 19:27 |
jdennis | it's sending it to self.identity_provider_url which is set in the Saml2UnscopedToken.__init__(), but for the life of me I can't find where this object is created | 19:28 |
jdennis | and hence who is providing the identity_provider_url | 19:29 |
*** yottatsa has quit IRC | 19:29 | |
slberger | lbragstad, yea I guess you are right. | 19:29 |
*** hideme has quit IRC | 19:30 | |
lbragstad | slberger: is there a load balancer in the equation at all? | 19:30 |
lbragstad | or a cluster of keystone nodes? | 19:30 |
*** Guest16076 has joined #openstack-keystone | 19:30 | |
slberger | yes there is a load balancer | 19:30 |
slberger | lbragstad, ^ | 19:31 |
lbragstad | slberger: can they verify that all the keys on the hosts are consistent? | 19:32 |
*** chris_19 has joined #openstack-keystone | 19:32 | |
slberger | lbragstad, from my testing the keys are being synced across all of the keystone instances, but I'm not sure what kind of latency there is between the rotation and sync | 19:33 |
lbragstad | slberger: ok, that's good | 19:34 |
*** roxanaghe has joined #openstack-keystone | 19:34 | |
mordred | morgan: oh! I may have found a new break | 19:35 |
morgan | ? | 19:35 |
mordred | in ksa | 19:35 |
mordred | interface break - that might break people in the wild using ansible - one sec - lemme see if I can work around it | 19:36 |
lbragstad | latency shouldn't be a real problem as long as the staged key is there | 19:36 |
mordred | (in moving to ksa that is) | 19:36 |
lbragstad | mfisch: you haven't hit anything like what slberger has, have you? | 19:37 |
mfisch | we dont rotate much but no issues so fr | 19:37 |
mfisch | far | 19:37 |
mfisch | we do the rotation with puppet and ansible | 19:38 |
mfisch | and can have up to 6 hours where keys are mixed | 19:38 |
lbragstad | mfisch: have you hit issues with concurrent (or non-concurrent) users getting 401s? | 19:38 |
mfisch | I dont think so | 19:38 |
mfisch | I dont hammer the crap out of keystone during rotations | 19:39 |
mfisch | a rotated key may slow perf? | 19:40 |
mfisch | because the initial decode will fail | 19:40 |
mfisch | right? | 19:40 |
*** jasonsb_ has joined #openstack-keystone | 19:41 | |
lbragstad | why would the initial one fail? | 19:42 |
*** gyee has quit IRC | 19:44 | |
*** mylu has quit IRC | 19:45 | |
mordred | morgan: how do I get the service catalog with ksa? | 19:45 |
morgan | mordred: sec. | 19:45 |
mordred | in ksc, I did this: | 19:45 |
mordred | return self.keystone_session.auth.get_access( | 19:45 |
mordred | self.keystone_session).service_catalog.get_data() | 19:45 |
*** mylu has joined #openstack-keystone | 19:45 | |
morgan | mordred: right and with KSA i think you need to convert to the access info thing: https://github.com/openstack/keystoneauth/blob/master/keystoneauth1/access/access.py#L62 | 19:47 |
morgan | let me 2x check that though. | 19:47 |
* morgan is context switching from a phone call with family :P | 19:47 | |
mordred | morgan: actually - .service_catalog gets it from the AccessInfo - but there doesn't seem to be a way to get the raw catalog | 19:49 |
morgan | ah. | 19:49 |
mordred | from the ServiceCatalog object | 19:49 |
morgan | looking because i know https://github.com/openstack/keystoneauth/blob/master/doc/source/using-sessions.rst#service-discovery also exists.. but you want the complete catalog | 19:49 |
*** mylu has quit IRC | 19:50 | |
mordred | yea - mainly because the task I want to do right now is "print out the catalog" | 19:51 |
mordred | (this is also a feature we have exposed in the os_auth module for ansible) | 19:51 |
morgan | ok we don't have that in KSA | 19:52 |
morgan | afaict | 19:52 |
morgan | we can list all endpoints for a service | 19:52 |
morgan | all urls | 19:52 |
mordred | k. mind if I add an accessor method to ServiceCatalog ? | 19:52 |
morgan | [seems we can't enumerate services] | 19:52 |
morgan | would it make sense to enumerate services and then allow enumeration of the endpoints/urls for the services? | 19:53 |
morgan | or you need <raw_catalog>? | 19:53 |
mordred | yeah - kinda want raw_catalog | 19:53 |
morgan | ok. i'm not opposed to that | 19:53 |
mordred | I mean, that's what we're returning in the catalog field in os_auth | 19:53 |
morgan | just seeing if we can abstract it | 19:53 |
mordred | now - having methods to do the things on it is what I want for real things | 19:54 |
morgan | yeah we can add an accessor method | 19:54 |
morgan | lets just be clear in the docs for that method that it should be avoided where possible. - raw data access opens doors for people to abuse the underlying structure | 19:55 |
morgan | and we are trying to fix that abuse by abstracting the access out to these other methods | 19:56 |
morgan | jamielennox: ^ cc | 19:56 |
slberger | lbragstad, wouldn't the initial one fail after a rotation because it would be using an old token | 19:57 |
*** erhudy has joined #openstack-keystone | 20:00 | |
morgan | samleon: https://review.openstack.org/#/c/156870/ pep8 failure | 20:01 |
morgan | samleon: otherwise looks pretty good. | 20:02 |
mordred | morgan: yea - just me accessing _catalog in shade gets me what I was looking for there | 20:02 |
openstackgerrit | guang-yee proposed openstack/keystone: Return correct endpoint URL in /v3 response https://review.openstack.org/208168 | 20:02 |
morgan | mordred: ok lets add the method you need. | 20:02 |
*** geoffarnold is now known as geoffarnoldX | 20:03 | |
morgan | dstanek: does it make sense to roll all of keystone's routers into a single entry in paste-ini and then just deprecate/stub the current ones prior to flask? it means we can shuffle things around a bit more easily? | 20:05 |
openstackgerrit | Monty Taylor proposed openstack/keystoneauth: Add accessor method for raw catalog content https://review.openstack.org/219862 | 20:05 |
mordred | morgan: ^^ | 20:05 |
mordred | there you go | 20:05 |
morgan | mordred: +2 added terry and jamielennox for review though | 20:06 |
morgan | mordred: in case there is a better way that I missed.. you know :) | 20:06 |
*** gyee has joined #openstack-keystone | 20:06 | |
*** ChanServ sets mode: +v gyee | 20:06 | |
*** roxanaghe has quit IRC | 20:08 | |
*** roxanaghe has joined #openstack-keystone | 20:08 | |
jdennis | whois marekd | 20:10 |
morgan | jdennis: marek dennis - from cern | 20:11 |
morgan | ;) | 20:11 |
morgan | jdennis: sorry couldn't resist. i am sure you meant /whois | 20:11 |
*** petertr7 is now known as petertr7_away | 20:12 | |
jdennis | morgan: thanks, I forgot the / in front of whois, btw there seems to be a conceptual error in the saml2 code, marek doesn't seem to be around, anyone else I should ping? | 20:13 |
morgan | jdennis: stevemar is a great resource | 20:13 |
lbragstad | slberger: as long as the key that the token was encrypted with hasn't been pruned from the key repository, it should be able to decrypt it | 20:13 |
* morgan tosses stevemar under the bus. :P | 20:13 | |
stevemar | o/ | 20:13 |
jdennis | stevemar: ok you're on the hot seat now :-) it looks to me in keystoneclient/contrib/auth/v3/saml2.py there is only one url for the identity provider | 20:15 |
*** sdake_ is now known as sdake | 20:15 | |
jdennis | i.e. the config option identity-provider-url | 20:16 |
jdennis | but in SAML an IdP may have many URL for endpoints which can only be know by fetching the IdP metadata | 20:16 |
*** roxanaghe has quit IRC | 20:17 | |
jdennis | I don't see code to fetch the metadata and find the appropriate endpoint URL, is it there? | 20:17 |
*** roxanaghe has joined #openstack-keystone | 20:17 | |
*** roxanaghe has quit IRC | 20:18 | |
*** roxanaghe has joined #openstack-keystone | 20:18 | |
*** geoffarnoldX is now known as geoffarnold | 20:19 | |
stevemar | looking... 1 sec | 20:19 |
*** roxanaghe has quit IRC | 20:20 | |
*** roxanaghe has joined #openstack-keystone | 20:20 | |
samleon | morgan: got it, fixing it now | 20:21 |
morgan | samleon: cool | 20:21 |
*** markvoelker has quit IRC | 20:21 | |
lhcheng | samleon: maybe you can also incorporate my comments to use _LI() for log.info msg since the pep8 failure is in that area too. :) | 20:23 |
stevemar | jdennis: so its been a while since i've looked at this | 20:25 |
stevemar | what line are you looking at in https://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/contrib/auth/v3/saml2.py | 20:25 |
rodrigods | jdennis, stevemar we setup the identity_provider_url upfront | 20:26 |
*** Ephur has joined #openstack-keystone | 20:26 | |
rodrigods | we don't exchange the IdP metadata | 20:26 |
jdennis | stevemar: now to the nitty gritty details, I'm debugging ECP failures and Saml2UnscopedToken tries to post to self.identity_provider_url | 20:27 |
samleon | lhcheng, that's what's i'm working on now ;-) | 20:28 |
jdennis | but that concept doesn't exist in saml, there isn't a single URL, there are many URLs, potentially one per <service,binding> pair on the IdP, you have to know the service and binding to know the URL | 20:28 |
*** jsavak has quit IRC | 20:29 | |
jdennis | one looks up the <service,binding> pair in the IdP metadata | 20:29 |
openstackgerrit | Terry Howe proposed openstack/keystoneauth: Raise exception for v2 with domain scope https://review.openstack.org/216883 | 20:29 |
*** mpmsimo has joined #openstack-keystone | 20:29 | |
*** jsavak has joined #openstack-keystone | 20:30 | |
lhcheng | samleon: great | 20:30 |
jdennis | rodrigods: why isn't the metadata fetched from the IdP? | 20:30 |
*** hrou has quit IRC | 20:30 | |
rodrigods | jdennis, actually... it is, we just don't look at the URLs there | 20:30 |
jdennis | rodrigods: where is the metadata loaded (in the code) and why isn't it parsed? | 20:32 |
rodrigods | jdennis, we generate the IdP metadata using a keystone cli tool | 20:32 |
*** topol has quit IRC | 20:32 | |
stevemar | which is fetchable through a url | 20:33 |
rodrigods | stevemar, ++ | 20:33 |
rodrigods | we then set this URL in the service provider | 20:33 |
openstackgerrit | Sam Leong proposed openstack/keystone: Tokenless authz with X.509 SSL client certificate https://review.openstack.org/156870 | 20:34 |
*** jsavak has quit IRC | 20:35 | |
*** jdandrea has joined #openstack-keystone | 20:35 | |
*** e0ne has joined #openstack-keystone | 20:35 | |
jdennis | rodrigods: I'm still confused, what service provider? With ECP the SP does not determine the IdP, and in any event there isn't one URL with SAML so how can you set a single URL? | 20:36 |
*** jsavak has joined #openstack-keystone | 20:36 | |
rodrigods | jdennis, we do some stuff over ECP | 20:36 |
rodrigods | we don't strictly follow it | 20:36 |
jdandrea | When I have a Keystone V2 Client, what's the proper way to tell if the session is expired (e.g., token expired)? Do I use client_obj.session.verify or do I do date arithmetic on auth_ref['token']['expires']? (Trying to locate docs for this.) | 20:37 |
*** markvoelker has joined #openstack-keystone | 20:37 | |
rodrigods | for example, in k2k the conversation is started by the IdP by sending an ECP wrapped SAML assertion to the service provider | 20:37 |
stevemar | jdennis: i think the metadata that we configure is only usable for keystone 2 keystone | 20:38 |
openstackgerrit | guang-yee proposed openstack/keystone: Return correct endpoint URL in /v3 response https://review.openstack.org/208168 | 20:39 |
*** roxanaghe has quit IRC | 20:41 | |
*** roxanaghe has joined #openstack-keystone | 20:41 | |
*** raildo is now known as raildo-afk | 20:43 | |
*** raildo-afk is now known as raildo | 20:43 | |
*** spandhe has quit IRC | 20:45 | |
*** harlowja has quit IRC | 20:45 | |
morgan | jdennis: in keystone2keystone it's IDP originated, so you skip the SP -> redirect to IDP -> redirect back to SP dance | 20:46 |
morgan | jdennis: you tell the IDP, "hey i am going to SP, give me an assertion" and then go to the SP | 20:46 |
*** roxanaghe has quit IRC | 20:47 | |
morgan | jdennis: in theory you could go a step further, but we didn't support the full-featured IDP within keystone, we assumed if you wanted a real IDP you'd point at something like FreeIPA or ADFS. It felt odd to make keystone an IDP for something other than another keystone. | 20:48 |
*** markvoelker has quit IRC | 20:48 | |
morgan | jdennis: we also didn't rule out moving to where keystone was a full featured IdP. | 20:48 |
jdennis | morgan: that's all well and good, but how do you know which endpoint at the IdP to post the SOAP Samlp:AuthRequest to? | 20:49 |
morgan | jdennis: this was an intentional choice to start with. | 20:49 |
morgan | it's part of the service catalog | 20:49 |
*** roxanaghe has joined #openstack-keystone | 20:49 | |
morgan | and you are exchanging your token for an assertion with the knowledge of the SPs url you post to | 20:49 |
morgan | you don't have to post to the IdP in keystone2keystone in this case. | 20:50 |
morgan | post SamlP:AuthRequest in the strict SAML sense | 20:50 |
morgan | it's a keystone token. | 20:50 |
morgan | if you are doing keystone as an SP this is very different. | 20:51 |
morgan | and is more like a normal SAML workflow, where based upon your valid IdP selection (There is an enumeration/apriori knowledge depending on sso/non-sso/public/non-public iirc) which does the normal redirect dance | 20:51 |
jdennis | morgan: is ECP ever used to get an Assertion from an external IdP or is the ECP usage in Keystone strictly limited to k2k? | 20:55 |
morgan | I believe we need ECP in the standard federation as well. | 20:56 |
morgan | i *think*? | 20:56 |
morgan | stevemar: ^ | 20:56 |
*** slberger has quit IRC | 20:57 | |
*** slberger has joined #openstack-keystone | 20:59 | |
*** stevemar has quit IRC | 21:00 | |
*** petertr7_away is now known as petertr7 | 21:04 | |
*** btully has quit IRC | 21:04 | |
jdennis | morgan: http://ur1.ca/nnd7f here is what I was asked to debug, is this an example of k2k? | 21:06 |
morgan | jdennis: not sure at a glance | 21:06 |
morgan | of course... stevemar just disconnected | 21:07 |
*** raildo is now known as raildo-afk | 21:07 | |
morgan | jamielennox, marekd: ^ jdennis' question | 21:07 |
jdennis | morgan: yeah, he knew what was coming :-) | 21:07 |
jdennis | morgan: ha, jamie asked me to debug this :-) | 21:07 |
morgan | lol | 21:08 |
morgan | stevemar and marekd are the resources I would need to direct you to | 21:08 |
morgan | but jamielennox can tell you if it's k2k vs non-k2k | 21:08 |
jdennis | morgan: ok, many thanks for your help | 21:08 |
*** stevemar has joined #openstack-keystone | 21:09 | |
*** ChanServ sets mode: +v stevemar | 21:09 | |
jdennis | stevemar: oh good you're back :-) can you answer my question above with the pastebin, is this k2k or not? | 21:10 |
stevemar | jdennis: oy vei, i am getting it from all sides :) | 21:11 |
stevemar | jdennis: paste me brah! | 21:11 |
jdennis | it's hell being the smartest guy in the room | 21:11 |
jdennis | stevemar: http://ur1.ca/nnd7f | 21:12 |
stevemar | jdennis: i tricked everyone | 21:12 |
*** dave-mccowan has quit IRC | 21:14 | |
stevemar | jdennis: what about `openstack list federation projects` | 21:14 |
jdennis | stevemar: is that supposed to be an openstack cli command? If so my openstack cli doesn't know what that means | 21:17 |
stevemar | jdennis: it should be | 21:17 |
marekd | jdennis: hi, i am on a suuuuper slow and unstable internet wire, so if i don't respond or hang - sorry, not my fault :( Yes, we are using ECP in a standard federation as well as for k2k. | 21:18 |
*** chutwig has joined #openstack-keystone | 21:18 | |
stevemar | https://github.com/openstack/python-openstackclient/blob/master/setup.cfg#L263 | 21:18 |
marekd | however, i'd suggest investigating keystoneauth and keystoneauth-saml2 | 21:18 |
*** tonytan4ever has quit IRC | 21:18 | |
*** diazjf has left #openstack-keystone | 21:18 | |
marekd | there are the plugins with the proper shape. | 21:18 |
stevemar | the full command is: `openstack federation_project_list` | 21:19 |
*** petertr7 is now known as petertr7_away | 21:19 | |
stevemar | without the underscores | 21:19 |
*** dims has quit IRC | 21:19 | |
stevemar | i'm not sure token issue will work | 21:19 |
stevemar | it might... | 21:19 |
marekd | stevemar: jdennis make sure you export OS_IDENTITY_API_VERSION=3 and check whether you have this option in $ openstack -h | 21:19 |
stevemar | either way, that url looks awful funny | 21:19 |
*** dims has joined #openstack-keystone | 21:19 | |
stevemar | POST /idp/saml2/SSO/ | 21:20 |
*** petertr7_away is now known as petertr7 | 21:20 | |
stevemar | i dont recall that being in our API http://specs.openstack.org/openstack/keystone-specs/api/v3/identity-api-v3-os-federation-ext.html | 21:20 |
*** spandhe has joined #openstack-keystone | 21:20 | |
*** harlowja has joined #openstack-keystone | 21:21 | |
*** edmondsw has quit IRC | 21:21 | |
*** chutwig is now known as erhudy1 | 21:22 | |
*** fangzhou_ has joined #openstack-keystone | 21:22 | |
*** fangzhou has quit IRC | 21:23 | |
*** fangzhou_ is now known as fangzhou | 21:23 | |
jdennis | marekd: yes, I'm using the v3 API | 21:23 |
gyee | lbragstad, lhcheng, is session caching required in Horizon in order for Fernet token to work? I would think not, but just want to 2x confirm | 21:23 |
*** dims has quit IRC | 21:24 | |
jdennis | marekd: http://ur1.ca/nnd7f can you look this paste please, is this k2k or an example of Keystone trying use ECP to authn the user? | 21:25 |
*** henrynash has joined #openstack-keystone | 21:25 | |
*** ChanServ sets mode: +v henrynash | 21:25 | |
lhcheng | gyee: if you're running on V3. you definitely need a db/memcache session backend. | 21:26 |
marekd | jdennis: given that this is using keystoneclient it cannot be k2k, because there is no k2k plugin in keystoneclient (there is one in keystoneauth). | 21:26 |
*** tonytan4ever has joined #openstack-keystone | 21:26 | |
*** stevemar has quit IRC | 21:26 | |
marekd | jdennis: but as stevemar mentioned - it's kind of strange url. | 21:26 |
gyee | lhcheng, that for /v3 in general, or specific to fernet tokens? | 21:27 |
marekd | jdennis: ah, i think it's IdP's url so i cannot comment on that. | 21:27 |
jdennis | marekd: the url is strange for two reasons, for some reason the scheme and host are omitted, and second is that jamie gave it to me :-) | 21:27 |
marekd | jdennis: and now you are giving it to me...but dennis or denis..doesn't really matter :-) | 21:28 |
jdennis | marekd: it's supposed to go to our IdP, but our IdP has many different endpoints as defined in our metadata, and this is not going to the SingleSignOn SOAP endpoint, it's going to the HTTP-POST endpoint | 21:28 |
lhcheng | gyee: v3 in general.. because horizon stores the catalog in session and the v3 catalog is bigger. I had a proposal to fix that, but folks suggested to just use db/memcache session to workaround the issue :( | 21:29 |
morgan | samleon, gyee: https://review.openstack.org/#/c/156870/ needs to be marked experimental | 21:29 |
marekd | jdennis: i think so too, but i cannot advise on your idp setup as I don't even know what you are even using. | 21:29 |
morgan | samleon, gyee: sorry should have seen that earlier | 21:29 |
jdennis | marekd: so what I don't understand at the moment is why Saml2UnscopedToken is initialized with just one URL instead of being passed the metadata? | 21:30 |
marekd | gyee: you didn't respond to my question regarding x509 - what do i get in response when i present my certificate. Is it a token? | 21:30 |
gyee | morgan, sure | 21:30 |
morgan | marekd: the idea is you can either get a token or directly interact with keystone | 21:30 |
gyee | marekd, you don't need a token when using certs | 21:31 |
morgan | marekd: if you auth as you would expect you'd get a token. if you use the x509 cert you can interact with keystone w/o a token [or at least that was the initial design] | 21:31 |
marekd | morgan: ok, because i couldn't find that exact explanation in the spec or nowhere. | 21:31 |
lhcheng | morgan: how do we mark services as experimental? Is that just a doc thing. | 21:32 |
*** HT_sergio has quit IRC | 21:32 | |
*** e0ne has quit IRC | 21:32 | |
morgan | lhcheng: mostly | 21:32 |
gyee | lhcheng, gotcha | 21:32 |
morgan | if it's an extension that goes into JSON home there is more stuff that happens | 21:32 |
marekd | morgan: and this is why i was asking why doing all this kind of stuff (groups, roles, mapping) sooooo early in the pipeline | 21:32 |
morgan | it is added to the experimental block | 21:32 |
lhcheng | gyee: are you guys testing fernet with v2 or v3 setup? | 21:32 |
lhcheng | morgan: cool, good to know. | 21:33 |
morgan | since this is in the auth pipeline, it is just a doc thing. | 21:33 |
gyee | lhcheng, both | 21:33 |
*** e0ne has joined #openstack-keystone | 21:33 | |
morgan | deployers are warned this is experimental and use / enable at their own risk | 21:33 |
gyee | morgan, samleon may be taking a shnap at the moment | 21:33 |
gyee | let me update | 21:33 |
morgan | we try to not introduce bad code, but it hasn't had a lot of eyes/pounding on it | 21:33 |
marekd | jdennis: whose metadata? idp's metadata? | 21:34 |
lhcheng | morgan: ah so that's the "status=json_home.Status.EXPERIMENTAL" in the router. nice. | 21:34 |
morgan | yep | 21:34 |
morgan | :) | 21:34 |
jdennis | marekd: yes, the IdP's metadata so it can find the URL matching the <SingleSignOn,SOAP> pair, or is it expected whoever configures identity_provider_url has already done that and knows a priori that URL will only ever be used for SingleSignOn,SOAP | 21:35 |
marekd | identity_provider_url should be that link and you should know that a priori. | 21:36 |
*** mpmsimo has quit IRC | 21:36 | |
marekd | jdennis: i don't say it's the best, but .... you want to store all the metadata files locally? or instead of the ECP endpoint store url with the metadata? | 21:37 |
gyee | marekd, you cool with the explanation? your satisfaction is guaranteed | 21:37 |
jdennis | marekd: and identity_provider_url will never ever be used for any other SAML operations? | 21:37 |
marekd | gyee: kind of. | 21:37 |
marekd | jdennis: it's where you send SAML request (coming from the SP) to the IdP for the first time. | 21:38 |
marekd | identity_provider_url ^^ | 21:38 |
openstackgerrit | Morgan Fainberg proposed openstack/keystone: Deprecate LDAP Resource Backend https://review.openstack.org/203748 | 21:39 |
marekd | identity_provider_url is a kind of "ask your admin" parameter. | 21:39 |
jdennis | marekd: what I'm not understanding is that many different SAML requests which could be sent, each may have their own endpoint URL | 21:39 |
marekd | different == because i may want to use different idp ? | 21:40 |
*** jsavak has quit IRC | 21:40 | |
jdennis | marekd: no, because depending on the SAML profile you're using you have to find the endpoint at the IdP | 21:40 |
*** e0ne has quit IRC | 21:41 | |
henrynash | dstanek: hi…there are a couple more of those data driven assignment tests that you looked at before which are now ready to go in….if you have a moment, perhaps you could do the honors….starting at: https://review.openstack.org/#/c/151962/ | 21:41 |
marekd | jdennis: can we have different ECP profiles? | 21:42 |
marekd | because ksc is all constrained to ECP | 21:42 |
*** e0ne has joined #openstack-keystone | 21:43 | |
jdennis | marekd: ksc? | 21:43 |
marekd | jdennis: keystoneclient | 21:44 |
*** marzif has joined #openstack-keystone | 21:44 | |
*** chris_19 has quit IRC | 21:44 | |
*** dave-mccowan has joined #openstack-keystone | 21:45 | |
jdennis | marekd: if it's only ever going to contact the IdP using ECP then there is only one URL, the name of the parameter (identity_provider_url) makes it sound like a generic URL to the IdP, not something specific to ECP exclusively | 21:46 |
*** petertr7 is now known as petertr7_away | 21:46 | |
jdennis | marekd: specifically it's <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="XXX"/> | 21:49 |
marekd | jdennis: https://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/contrib/auth/v3/saml2.py#L113 | 21:49 |
marekd | and above that it says it's a client using ecp | 21:49 |
jamielennox | jdennis: yea, we always provide the POST url upfront - i don't know why this was long before i had a way of testing this stuff and i was under the impression there was no way to get it otherwise | 21:50 |
marekd | i am not saying i am completely clean with that...i am saying i am not completely wrong | 21:50 |
*** lhcheng_ has joined #openstack-keystone | 21:51 | |
marekd | jamielennox: what post? where? | 21:51 |
jdennis | marekd: no problem, just trying to sort this out as somebody not familiar with keystone but very familiar with SAML | 21:51 |
jamielennox | identity_provider_url | 21:51 |
*** lhcheng_ has quit IRC | 21:51 | |
marekd | it's post because you are already sending saml2 request from the SP | 21:51 |
marekd | jdennis: sure | 21:51 |
*** lhcheng_ has joined #openstack-keystone | 21:51 | |
jamielennox | my understanding is that we get the ecp authnrequest from the protected route in keystone - but we don't look at it at all we always POST to a predefined location | 21:52 |
marekd | jamielennox: yes we do | 21:52 |
*** e0ne has quit IRC | 21:52 | |
jamielennox | i was under the impression that was because there wasn't a way to determine the IDP url otherwise - but it means we should never have ambiguous URLs because we provide the URL | 21:53 |
samleon | morgan, hey I'm not sure I understood what needs to be updated in routers.py | 21:53 |
*** lhcheng has quit IRC | 21:54 | |
samleon | morgan, that's for experimental thing | 21:54 |
marekd | jamielennox: there wasn't a way to determine the idp url | 21:55 |
marekd | no service discovery in ecp afaik -> no automatic idp url | 21:55 |
jdennis | marekd: it's in the metadata once you know the IdP | 21:56 |
marekd | i still need to know at least generic idp's url. | 21:56 |
marekd | a priori | 21:56 |
marekd | jdennis: we can put that url in the identity provider object in keystone | 21:56 |
marekd | jdennis: ah, no we cannot. | 21:57 |
*** henrynash has quit IRC | 21:57 | |
jdennis | in saml there is only one generic url for an IdP, the one you can fetch the metadata from | 21:57 |
marekd | how do i know it? | 21:57 |
ayoung | gyee, you handling making the tokenless experimental? | 21:57 |
marekd | i need to know it a priori, right? | 21:57 |
*** pnavarro|afk has quit IRC | 21:57 | |
marekd | like i do have to know identity_provider_url a priori now. | 21:57 |
*** zzzeek has quit IRC | 21:58 | |
marekd | jdennis: see, the problem is also that one url identity_provider/edugain/protocols/saml2/auth can be 'responsible' for whole federations - so you create one identity provider object and tell all 500 folks within your federation "use that link" | 21:58 |
jdennis | that's a great question, I'm not sure this is correct but have you ever noticed the convention that the IdP entityid is the url to its metadata? | 21:59 |
marekd | otherwise, you would have to create 500 objects and make nice names for their idp | 21:59 |
marekd | jdennis: i haven't until now | 22:00 |
marekd | but that may be true. | 22:00 |
marekd | nevertheless, i still need to know a priori what idp i am going to use. | 22:01 |
marekd | jdennis: i connect to identity_providers/edugain/protocols/saml2/auth and i still need to know that my org is CERN | 22:01 |
marekd | not ETH or MIT | 22:01 |
jdennis | marekd: but there isn't one link unless you restrict yourself to exactly one <service,binding> pair | 22:01 |
marekd | jdennis: with keystoneclient i can only use ECP | 22:02 |
marekd | are there many profiles of ECP? If so, which one shall I use? | 22:02 |
marekd | and based on what algo shall I choose the best one? | 22:02 |
marekd | i see what you are trying to say: use Metadata, and choose the right endpoint | 22:02 |
marekd | we could probably work on that | 22:03 |
marekd | but what would be the real added value? | 22:03 |
jdennis | marekd: that you haven't boxed yourself into a corner and prevented any other use of SAML | 22:03 |
jamielennox | mordred: i put a -1 on https://review.openstack.org/#/c/219862/ which would be an easy change if you agree | 22:04 |
marekd | jdennis: can you specify other use of SAML with regard to keystoneclient ? | 22:04 |
marekd | i don't see we can use websso for instance | 22:04 |
*** spandhe has quit IRC | 22:04 | |
marekd | so HTTP/POST profiles are out, right? | 22:05 |
marekd | jdennis: anyway, we could probably add such metadata parsing - i like it :-) | 22:05 |
*** jsavak has joined #openstack-keystone | 22:07 | |
jdennis | marekd: yes, you can't use any of the other profiles the way this is set up, maybe that's ok, but as soon as someone has a need for a different profile then identity_provider_url won't work, it's future proofing | 22:08 |
marekd | jdennis: ok, i understand | 22:09 |
*** btully has joined #openstack-keystone | 22:09 | |
marekd | you are probably right | 22:09 |
*** spandhe has joined #openstack-keystone | 22:09 | |
*** NM has quit IRC | 22:09 | |
*** HT_sergio has joined #openstack-keystone | 22:10 | |
openstackgerrit | Sam Leong proposed openstack/keystone: Tokenless authz with X.509 SSL client certificate https://review.openstack.org/156870 | 22:11 |
*** roxanaghe has quit IRC | 22:11 | |
*** roxanaghe has joined #openstack-keystone | 22:12 | |
*** roxanaghe has quit IRC | 22:12 | |
*** jsavak has quit IRC | 22:13 | |
*** roxanaghe has joined #openstack-keystone | 22:13 | |
*** slberger has left #openstack-keystone | 22:13 | |
*** jsavak has joined #openstack-keystone | 22:13 | |
*** btully has quit IRC | 22:13 | |
*** shoutm has quit IRC | 22:14 | |
*** KarthikB has quit IRC | 22:14 | |
*** roxanaghe has quit IRC | 22:15 | |
*** roxanaghe has joined #openstack-keystone | 22:16 | |
*** roxanaghe has quit IRC | 22:17 | |
*** roxanaghe has joined #openstack-keystone | 22:18 | |
*** marzif has quit IRC | 22:18 | |
*** roxanaghe has quit IRC | 22:18 | |
*** roxanaghe has joined #openstack-keystone | 22:19 | |
*** roxanaghe has quit IRC | 22:19 | |
dstanek | how goes it keystoners? | 22:19 |
*** roxanaghe has joined #openstack-keystone | 22:20 | |
*** roxanaghe has quit IRC | 22:20 | |
*** roxanaghe has joined #openstack-keystone | 22:21 | |
*** roxanaghe has quit IRC | 22:21 | |
*** roxanaghe has joined #openstack-keystone | 22:22 | |
*** roxanaghe has quit IRC | 22:22 | |
*** roxanaghe has joined #openstack-keystone | 22:23 | |
*** sigmavirus24_awa is now known as sigmavirus24 | 22:23 | |
*** roxanaghe has quit IRC | 22:23 | |
dstanek | lbragstad: marekd: anyone working on https://bugs.launchpad.net/keystone/+bug/1482701 ? | 22:24 |
openstack | Launchpad bug 1482701 in Keystone "Federation: user's name in rules not respected" [Medium,In progress] - Assigned to Marek Denis (marek-denis) | 22:24 |
*** roxanaghe has joined #openstack-keystone | 22:24 | |
*** roxanaghe has quit IRC | 22:24 | |
*** tonytan4ever has quit IRC | 22:24 | |
*** roxanaghe has joined #openstack-keystone | 22:25 | |
*** jecarey has quit IRC | 22:25 | |
*** roxanaghe has quit IRC | 22:25 | |
*** jecarey has joined #openstack-keystone | 22:25 | |
*** roxanaghe has joined #openstack-keystone | 22:26 | |
*** roxanaghe has quit IRC | 22:26 | |
*** roxanaghe has joined #openstack-keystone | 22:26 | |
*** jsavak has quit IRC | 22:27 | |
*** roxanaghe has quit IRC | 22:28 | |
gyee | ayoung, samleon just updated it | 22:28 |
*** roxanaghe has joined #openstack-keystone | 22:28 | |
*** roxanaghe has quit IRC | 22:29 | |
*** roxanaghe has joined #openstack-keystone | 22:29 | |
marekd | dstanek: i think there were some nasty things with fernet | 22:30 |
*** btully has joined #openstack-keystone | 22:31 | |
*** thiagop has quit IRC | 22:31 | |
dstanek | marekd: is there already a code review for it? | 22:32 |
marekd | dstanek: there was a code review for this: https://review.openstack.org/#/c/211093/ | 22:34 |
marekd | but it didn't fix fernet | 22:34 |
marekd | scoped fernet* | 22:34 |
*** btully has quit IRC | 22:35 | |
*** phalmos has quit IRC | 22:35 | |
*** gordc has quit IRC | 22:36 | |
dstanek | marekd: thx | 22:37 |
dstanek | so there is still some work to be done for that bug? | 22:38 |
marekd | i think i got on hold with that after some convos with dolph about dropping name entirely | 22:40 |
* marekd should start writing down his thoughts | 22:40 | |
*** dsirrine has quit IRC | 22:42 | |
*** spandhe has quit IRC | 22:43 | |
*** spandhe has joined #openstack-keystone | 22:45 | |
*** HT_sergio has quit IRC | 22:46 | |
*** csoukup has quit IRC | 22:47 | |
openstackgerrit | David Stanek proposed openstack/keystone: Deprecate LDAP Resource Backend https://review.openstack.org/203748 | 22:52 |
*** rbak has quit IRC | 22:53 | |
*** ayoung has quit IRC | 22:53 | |
*** roxanaghe has quit IRC | 22:53 | |
*** roxanaghe has joined #openstack-keystone | 22:54 | |
*** roxanaghe has quit IRC | 22:54 | |
openstackgerrit | David Stanek proposed openstack/keystone: Fixes confusing deprecation message https://review.openstack.org/219906 | 22:55 |
morgan | dstanek: you're here now! | 22:56 |
morgan | dstanek: so... silly question | 22:56 |
dstanek | morgan: yeah, today was a team outing. i'm in SAT this week | 22:56 |
morgan | dstanek: does it make sense to roll up all the routers into a single entry in paste before flask? | 22:56 |
morgan | dstanek: and just stub all the ones we have | 22:56 |
dstanek | morgan: no, because that'll mess up what i'm already doing. is that something you needed to do? | 22:57 |
morgan | and deprecate them too | 22:57 |
morgan | no, just figuring out order of things | 22:57 |
morgan | was pondering if that would make things easier to shuffle things around | 22:57 |
morgan | that's all | 22:58 |
morgan | dstanek: random thoughts | 22:58 |
dstanek | morgan: ah, i see | 22:58 |
*** dsirrine has joined #openstack-keystone | 22:59 | |
openstackgerrit | Merged openstack/keystone: Correct docstrings in resource/core.py https://review.openstack.org/217400 | 22:59 |
dstanek | i'm trying to get some reviews done tonight before i start getting ready for tomorrow's bug day | 22:59 |
openstackgerrit | Merged openstack/keystone: Provide new_xyz_ref functions in tests.core https://review.openstack.org/70520 | 22:59 |
morgan | right | 22:59 |
morgan | wait what bug day? | 22:59 |
openstackgerrit | Merged openstack/keystone: Change JSON Home for OS-FEDERATION to use /auth/projects|domains https://review.openstack.org/219059 | 23:00 |
dstanek | it's a rax initiative for our team | 23:00 |
*** annasort has quit IRC | 23:01 | |
dstanek | morgan: how's the gate been? | 23:02 |
morgan | dstanek: sloooooooow | 23:02 |
morgan | but haven't seen lots of failures | 23:02 |
dstanek | cool, could be worse then | 23:02 |
morgan | yah | 23:03 |
openstackgerrit | David Stanek proposed openstack/keystone: Fixes a typo in a comment https://review.openstack.org/219907 | 23:03 |
*** spandhe has quit IRC | 23:07 | |
*** ayoung has joined #openstack-keystone | 23:09 | |
*** ChanServ sets mode: +v ayoung | 23:09 | |
dstanek | ayoung: did you ever ask bknudson about those client test failures in py34? | 23:12 |
*** sdake has quit IRC | 23:15 | |
*** hrou has joined #openstack-keystone | 23:17 | |
*** spandhe has joined #openstack-keystone | 23:19 | |
*** erhudy has quit IRC | 23:19 | |
bknudson | dstanek: nobody asked me about client test failures in py34. | 23:20 |
*** bknudson has left #openstack-keystone | 23:20 | |
*** bknudson has joined #openstack-keystone | 23:20 | |
*** ChanServ sets mode: +v bknudson | 23:20 | |
dstanek | that was sorta like a mic drop | 23:20 |
dstanek | we were getting failures because of some deprecation warnings | 23:21 |
bknudson | there are a lot of things that were deprecated in ksc but didn't generate warnings... now they generate warnings | 23:23 |
*** roxanaghe has joined #openstack-keystone | 23:23 | |
dstanek | bknudson: here is some sample output http://paste.openstack.org/show/442763/ | 23:27 |
dstanek | bknudson: i haven't looked, just thought you might know | 23:27 |
*** sdake has joined #openstack-keystone | 23:28 | |
bknudson | dstanek: this fails when you run it on your system, but doesn't fail in the gate? | 23:28 |
bknudson | I don't run the py34 tests very often. | 23:28 |
bknudson | dstanek: I get a lot of output but no warnings | 23:30 |
bknudson | sys:1: ResourceWarning: unclosed file <_io.FileIO name=1 mode='wb'> | 23:30 |
bknudson | that looks bad. | 23:30 |
dstanek | bknudson: very odd. yeah, works in the gate, but not on my machine | 23:30 |
dstanek | maybe i have a missing dep | 23:30 |
dstanek | was running it because ayoung said it was failing for him | 23:31 |
*** krotscheck is now known as kro_paternity | 23:34 | |
*** harlowja has quit IRC | 23:42 | |
*** harlowja has joined #openstack-keystone | 23:43 | |
gyee | morgan, ayoung, dstanek, https://review.openstack.org/#/c/156870/ | 23:44 |
gyee | help a brother out please | 23:44 |
*** wwwjfy has joined #openstack-keystone | 23:45 | |
openstackgerrit | OpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements https://review.openstack.org/219493 | 23:45 |
*** markvoelker has joined #openstack-keystone | 23:46 | |
*** shoutm has joined #openstack-keystone | 23:49 | |
*** topol has joined #openstack-keystone | 23:55 | |
*** ChanServ sets mode: +v topol | 23:55 | |
*** markvoelker has quit IRC | 23:58 | |
*** topol has quit IRC | 23:59 |
Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!