Wednesday, 2015-11-04

openstackgerrit: guang-yee proposed openstack/keystone: update mailmap with gyee's new email
jamielennox: so is deprecated in favour of keystone-wsgi-admin and keystone-wsgi-main
jamielennox: where are they exactly? [00:17]
jamielennox: oh, they get generated and installed into /usr/bin [00:19]
jamielennox: that's weird [00:19]
jamielennox: why would i want scripts that can only be executed by mod_wsgi installed into bin? [00:20]
openstackgerrit: Merged openstack/keystoneauth: Make public the base loader classes
openstackgerrit: zouyee proposed openstack/keystone: get_user_roles in RoleAssignmentV2 to resolve KeyError
samueldmq: jamielennox: to make that job pass, did you have some changes in tempest as well ? [01:55]
samueldmq: jamielennox: (I am expecting you did) [01:56]
openstackgerrit: lei zhang proposed openstack/keystone: Update sample catalog templates
jamielennox: samueldmq: there were some changes in tempest but they should all be done now [02:10]
samueldmq: jamielennox: yep, just wanted to check, thanks [02:32]
jamielennox: so best i can tell keystone is broken using an admin_token? [02:32]
jamielennox: that can't be right, devstack must do something there [02:32]
samueldmq: jamielennox: what is that ? [02:33]
samueldmq: jamielennox: admin_token bypass all the checks, using is_admin:1 in the policies, is that , [02:33]
jamielennox: there is a part of the standard path that is trying to fetch the token dictionary from the context and fails if it's not present [02:33]
jamielennox: but in the admin_token case this information is not populated [02:33]
jamielennox: so i see [02:34]
jamielennox: 2015-11-04 02:30:55.386036 2015-11-04 02:30:55.385 4783 WARNING keystone.common.utils [req-9a2e2a03-ee52-4502-b074-4b527086487f - - - - -] Couldn't find the auth context. [02:34]
jamielennox: 2015-11-04 02:30:55.388632 2015-11-04 02:30:55.387 4783 WARNING keystone.common.wsgi [req-9a2e2a03-ee52-4502-b074-4b527086487f - - - - -] Authorization failed. The request you have made requires authentication. [02:34]
samueldmq: jamielennox: yeah, admin_token contains no context, it should simply get authorized all the time [02:34]
samueldmq: jamielennox: that's weird we don't test that anywhere. probably going to be in functional tests [02:36]
samueldmq: maybe tempest was supposed to test that [02:36]
jamielennox: ah, no i found it [02:37]
jamielennox: so if you don't specify domain parameters for certain create calls like openstack user create then it tries to put them in the same domain as your current scope [02:38]
jamielennox: in the ADMIN token case we don't have a scope [02:38]
jamielennox: and it fails out as unauthorized [02:38]
openstackgerrit: zouyee proposed openstack/keystone: get_user_roles in RoleAssignmentV2 to resolve KeyError
openstackgerrit: Tony Wang proposed openstack/keystone: add `type' filter for list_credentials_for_user
openstackgerrit: zouyee proposed openstack/keystone: get_user_roles in RoleAssignmentV2 to resolve KeyError
samueldmq: jamielennox: maybe it'd be better to fail with bad request ? or something more accurate ? [02:46]
openstackgerrit: Merged openstack/keystone: update mailmap with gyee's new email
jamielennox: samueldmq: yea, i mean there could just be a debug helper there that says if is_admin and 'token' not in context['KEYSTONE_AUTH_CONTEXT'] provide a better message [02:50]
jamielennox: i can probably fix that real quick [02:50]
jamielennox: ah there is a bug and an attempted fix [02:52]
samueldmq: jamielennox: BTW, see
samueldmq: jamielennox: for making the jobs non-voting in both devstack and tempest (where they exist as experimental today) [03:00]
jamielennox: samueldmq: looks reasonable, but i'm not very good with the infra reviews [03:01]
samueldmq: jamielennox: me neither, I can do changes by learning with code that is around and behave similarly [03:03]
samueldmq: jamielennox: I added you as reviewer so you can follow that patch :) [03:03]
samueldmq: jamielennox: tomorrow I will try to get mtreinish's opinion on making them non-voting + some reviews from infra experts ( andreaf helped me at the time I created that first gate ) [03:04]
jamielennox: probably better off asking in -infra [03:05]
jamielennox: mtreinish and andreaf might know but they are more on the tempest side of things [03:05]
jamielennox: i doubt they would have any concerns with getting the job voting as i know andreaf has put a lot of work into that [03:06]
samueldmq: having their +1 there will give infra folks confidence to approve that [03:07]
samueldmq: and I will ask -infra folks directly tomorrow too [03:07]
* samueldmq is going to hit the sack [03:07]
samueldmq: jamielennox: see you [03:08]
jamielennox: samueldmq: night [03:08]
openstackgerrit: Merged openstack/keystone: Revert "Added CORS support to Keystone"
openstackgerrit: Jamie Lennox proposed openstack/keystoneauth: Split ADFS and SAML2 plugins
openstackgerrit: Jamie Lennox proposed openstack/keystoneauth: SAML2 authentication plugins in keystoneauth
openstackgerrit: Merged openstack/keystone: Capitalize a Few Words
openstackgerrit: Merged openstack/keystoneauth: Declare an extras directory for plugins
openstackgerrit: Merged openstack/keystoneauth: Correct references in authentication-plugin.rst
openstackgerrit: OpenStack Proposal Bot proposed openstack/keystone: Imported Translations from Zanata
openstackgerrit: zouyee proposed openstack/keystone: get_user_roles in RoleAssignmentV2 to resolve KeyError
openstackgerrit: zouyee proposed openstack/keystone: get_user_roles in RoleAssignmentV2 to resolve KeyError
openstackgerrit: Dave Chen proposed openstack/keystone: Change `region` to `region_id` for endpoint reference
openstackgerrit: ChangBo Guo(gcb) proposed openstack/keystone: Use the oslo.utils.reflection to extract the class name
davechen: henrynash: ping? [07:49]
davechen: henrynash: let me see if i am lucky to catch you at this time. :) [07:50]
kodokuu: Hi, I have issue with keystone when I use ec2 credential. Keystone return me bad signature. Anyone have fix or idea ? [08:08]
kodokuu: Or someone know what is the URI is taken for test signature [08:15]
davechen: kodokuu: what's the URI do you mean here? [08:20]
kodokuu: davechen For generate ec2 credential, we need accesskey, secretkey and an URI no ? [08:27]
davechen: kodokuu: for the easier way, you can just use openstack cli to generate the ec credential [08:29]
kodokuu: davechen I can generate signature ? [08:32]
kodokuu: davechen because my issue is the url generate by heat pour scalinggroup not work because keystone say wrong signature [08:34]
kodokuu: for scalinggroup [08:34]
davechen: kodokuu: so, do you have your ec2 credentials created at the first? all you need is to create ec2 credential is accesskey and secretkey. [08:35]
kodokuu: davechen heat create ec2 for me [08:36]
kodokuu: davechen I check with V3 API, ec2 credential is created. But the issue is when keystone check signature [08:37]
davechen: kodokuu: i guess the url you mentioned is what you want to generate the signature from. [08:37]
davechen: kodokuu: i have no idea how heat did those. [08:38]
davechen: kodokuu: this is where the check logic is given:
kodokuu: davechen I have that Invalid EC2 signature [08:42]
kodokuu: davechen so "signature = signer.generate(credentials)" this is where keystone generate signature [08:43]
kodokuu: and keystone check with utils.auth_str_equal [08:43]
davechen: you probably need dig into the code to see what happened there, it's around the L77 where you will see "Invalid EC2 signature" [08:44]
kodokuu: I need to see signature variable :) [08:44]
kodokuu: I'm not a dev but I need to copy signature variable to a file [08:45]
kodokuu: davechen where can I find ec2_utils for see generate function ? [08:46]
davechen: it's from keystone client. [08:47]
davechen: without debugging in your env, i think it's hard to detect what's going wrong. [08:48]
davechen: it's here:
kodokuu: I find generate
kodokuu: yeah ;) [08:49]
kodokuu: I need to find where keystone call check_signature for see credential params [08:51]
davechen: here are read some testcase i wrote long time ago, hope it will helpful:, you will see how we check_signature, generate signature. [08:52]
kodokuu: ok thx I'll read it [08:52]
kodokuu: davechen For test, I add return True to
kodokuu: For accept all signature [08:56]
kodokuu: but no works^^ [08:57]
davechen: kodokuu: cool! so, all you need is someway to workaround? [08:57]
kodokuu: davechen I have always Invalid EC2 signature. Strange.... [08:57]
kodokuu: If I add return True before If for compare signature, all signature is good no ? [08:58]
davechen: try to restart your keystone service. [08:59]
kodokuu: And if I want to Log a variable without warning or exception do you have a function ? [09:00]
kodokuu: davechen same error after restart service :/ [09:02]
kodokuu: I add return True to first line of function :p [09:02]
davechen: you should import log, if you just want to see the value of the variable you can just print it. [09:03]
kodokuu: where python print ? [09:03]
kodokuu: in log ? [09:03]
davechen: sys lib, so you needn't import anything. [09:03]
kodokuu: I add print now I search the print ;:p [09:09]
kodokuu: davechen I'm on centos, do you know where I can find the result of print command ? [09:12]
kodokuu: ok find /var/log/httpd/keystone_wsgi_main_error.log [09:15]
kodokuu: OMG davechen I found BUG [09:19]
davechen: :-D [09:19]
kodokuu: look the print [09:19]
kodokuu: signer: FTh0hLTk3PnH18YTTBDm88 e1DlnUR4kkiSK rLEDMo= signature: FTh0hLTk3PnH18YTTBDm88+e1DlnUR4kkiSK+rLEDMo= [09:19]
kodokuu: Why I have space ? [09:19]
davechen: i think it's the bug from heat. [09:19]
davechen: they are different signature per my understanding. [09:20]
kodokuu: with new test [09:20]
kodokuu: signer: tEnIPQxhbDlcR1MIuQCyzZ92UtHrDcVITlG/rWfqPQA= signature: FTh0hLTk3PnH18YTTBDm88+e1DlnUR4kkiSK+rLEDMo= [09:20]
kodokuu: So heat send not good signature [09:20]
kodokuu: or keystone generate not a good signature [09:20]
openstackgerrit: ChangBo Guo(gcb) proposed openstack/keystone: Use the oslo.utils.reflection to extract the class name
davechen: i remember you told me heat generate ec2 credentials, if they are treated as equal it will keystone's bug. :) [09:22]
davechen: good catch! [09:22]
kodokuu: davechen I force signature and I have signer: FTh0hLTk3PnH18YTTBDm88+e1DlnUR4kkiSK+rLEDMo= signature: FTh0hLTk3PnH18YTTBDm88+e1DlnUR4kkiSK+rLEDMo= [09:24]
kodokuu: So this is equal [09:24]
kodokuu: but keystone end always User is not authorized to perform action [09:24]
davechen: User is not authorized to perform action is probably another issue. [09:25]
kodokuu: hum sorry it's heat error. I have always Invalid EC2 signature. [09:27]
kodokuu: So I fail here ==> if utils.auth_str_equal(credentials['signature'],signature): [09:28]
kodokuu: But I Print ==> print "signer: %s signature: %s" % (credentials['signature'],signature) [09:28]
kodokuu: and it's same string O_o [09:28]
openstackgerrit: Dave Chen proposed openstack/keystone: Get user role without project id is not implemented
davechen: kodokuu: Good luck! i need back home now. [09:42]
davechen: kodokuu: ask someone beside you who understand python will be helpful :) [09:42]
placeed: Hi all, every 5 minute when i start to interact with keystone, it doesn't answer. When i restart it, everything work fine for few minutes and then he don't answer again [09:47]
placeed: In client side, it look like he wait for a timeout [09:48]
placeed: I see nothing bad in logs, someone can help me please ? [09:48]
placeed: It seem that the problem is on /auth/tokens? [10:04]
openstackgerrit: Dave Chen proposed openstack/keystone: Get user role without project id is not implemented
openstackgerrit: Henrique Truta proposed openstack/keystone: Tests for projects acting as domains
openstackgerrit: Henrique Truta proposed openstack/keystone: Projects acting as domains
marekd: jamielennox|away: so here saml2 plugins are not listed - is it because you are going to do some sort of private stuff ? [13:44]
marekd: _saml2 etc [13:44]
openstackgerrit: Grzegorz Grasza (xek) proposed openstack/keystone: Unit test for checking that migrations don't cause downtime
placeed: Hi all ! I have an issue with keystone ... Someone can help me ? [13:49]
placeed: Sometime the services stop to get token and stay blocked on keystone.common.wsgi [-] POST /auth/tokens? [13:49]
placeed: I tried with apache wsgi or keystone wsgi and i get the same issue [13:50]
placeed: If i restart keystone, the service work again ... but few minutes after, same issue [13:50]
openstackgerrit: Henrique Truta proposed openstack/keystone: Add is_domain in token response
openstackgerrit: Henrique Truta proposed openstack/keystone: Change policy to comply with is_domain in token
placeed: Someone can help me ? [14:00]
marekd: placeed: anything in the logs ? [14:02]
marekd: where does it hang? [14:02]
marekd: response? [14:02]
marekd: what tokens are you using? uuid, pki, fernet? [14:03]
dstanek: placeed: what do you mean blocked? [14:03]
placeed: it seem it hang [14:05]
dstanek: you don't get any response back to the client? [14:05]
placeed: the client "for example openstack endpoint list" wait [14:05]
placeed: it stay waiting [14:05]
placeed: Token = uuid [14:06]
dstanek: does it print a timeout message? [14:06]
dstanek: what happens when you use curl directly? [14:06]
placeed: No, but after few minute the service is available again [14:07]
placeed: It stay blocked with curl too [14:07]
placeed: It look like big hang on keystone services [14:07]
placeed: dstanek : did u already see such issue ? [14:09]
dstanek: placeed: no, I've never seen it [14:13]
dstanek: Did you try curl? I'm interested to know what it sees [14:14]
dstanek: Also, do other requests work when tokens appear to be blocking? [14:14]
placeed: another strange issue now [14:15]
placeed: openstack endpoint list work fine [14:15]
placeed: openstack server list stay blocked [14:15]
dstanek: try using curl on the blocked call [14:17]
placeed: Can't find the url [14:18]
placeed: it seem to work with curl [14:20]
dstanek: placeed: so while the client doesn't return to the shell, a curl worked? [14:25]
dstanek: placeed: I'm on my phone so I'm a little slow [14:25]
placeed: dstanek : No problem ... I m not sure because "openstack endpoint list" work fine while "openstack server list" don't work [14:27]
placeed: Can't understand why ... There is no logic [14:27]
placeed: This is the output when it don't work (server list on this case)
dstanek: When you say that it doesn't work, what exactly are you seeing from the client? [14:28]
dstanek: When you say that it doesn't work, what exactly are you seeing from the client? [14:29]
placeed: it still waiting [14:29]
dstanek: So it doesn't return to the shell? [14:29]
placeed: He wait for /auth/tokens i think [14:30]
marekd: placeed: do you have access to logs in the server? [14:34]
marekd: placeed: anything suspicious? [14:34]
placeed: no ... i only see that he stay blocked on INFO eventlet.wsgi.server [-] - - [04/Nov/2015 15:34:04] "GET /v3/auth/tokens HTTP/1.1" 200 2714 0.057018 [14:34]
placeed: I disabled memcache but same issue [14:35]
dstanek: Sounds like you may need to do a bit of debugging in the client [14:35]
marekd: placeed: i would recommend checking the /auth/tokens with curl [14:35]
marekd: placeed: and see if it behaves that way too [14:35]
marekd: so you can narrow down the problem to either server or as dstanek says client. [14:35]
dstanek: marekd: curling seemed to work while the client was broken [14:36]
marekd: dstanek: placeed so create venv, install client and try with fresh version. [14:37]
placeed: But sometime client work, sometime not [14:37]
placeed: it depends on the client request [14:37]
placeed: "openstack endpoint list" work fine while "openstack server list" don't work [14:37]
dstanek: Do you have caching on? [14:37]
marekd: placeed: i suggest trying with fresh installation within say...venv so you can isolate [14:37]
placeed: caching = memcache ? [14:38]
placeed: I disabled it [14:38]
placeed: driver read directly on sq [14:38]
marekd: dolphm: do you have your profiling results somewhere published? [14:42]
placeed: No idea ? Only fresh install ? [14:42]
marekd: placeed: no fresh install. [14:42]
marekd: placeed: try fresh client. [14:43]
openstackgerrit: Brant Knudson proposed openstack/keystone: More useful message when using direct driver import
openstackgerrit: Brant Knudson proposed openstack/keystone: More useful message when using direct driver import
openstackgerrit: Grzegorz Grasza (xek) proposed openstack/keystone: Unit test for checking that migrations don't cause downtime
openstackgerrit: Grzegorz Grasza (xek) proposed openstack/keystone: Unit test for checking that migrations don't cause downtime
openstackgerrit: Marek Denis proposed openstack/keystone: Adds a base class for functional tests
openstackgerrit: Marek Denis proposed openstack/keystone: Federation Identity Provider functional tests
lbragstad: dolphm fyi, i pushed a new patch set -
bknudson: lbragstad: "Lance Bradstag will be the new Docs liaison"  --  hehe [15:45]
lbragstad: bknudson I don't know who that is... [15:50]
bknudson: he probably hangs out with that Nudson guy. [15:50]
lbragstad: bknudson probably [15:50]
lbragstad: bknudson that must mean the responsibility goes back to stevemar? [15:51]
bknudson: spelling is important for the docs liaison, so might be a bad choice. [15:52]
openstackgerrit: Marek Denis proposed openstack/keystone: Federation Identity Provider functional tests
openstackgerrit: Brian Elliott proposed openstack/keystone: Bump oslo.log to fix startup error
bknudson: were we planning to remove any ldap drivers this release? [16:14]
lbragstad: bknudson I know it came up a lot in the deprecations sessions [16:14]
bknudson: we should do that before we work on switching to ldap3 [16:14]
*** pnavarro has joined #openstack-keystone16:15
*** phalmos has joined #openstack-keystone16:16
openstackgerritBrant Knudson proposed openstack/keystone: Handle fernet payload timestamp differences
openstackgerritBrant Knudson proposed openstack/keystone: Fix fernet padding for python 3
openstackgerritBrant Knudson proposed openstack/keystone: Fix key_repository_signature method for python3
*** roxanaghe has quit IRC16:29
*** roxanaghe has joined #openstack-keystone16:30
openstackgerritBrant Knudson proposed openstack/keystone: Handle fernet payload timestamp differences
openstackgerritBrant Knudson proposed openstack/keystone: Fix fernet padding for python 3
openstackgerritBrant Knudson proposed openstack/keystone: Fix key_repository_signature method for python3
openstackgerritHenrique Truta proposed openstack/keystone: Bye Bye Domain Table
openstackgerritHenrique Truta proposed openstack/keystone: Remove domain table references
andrewbogottayoung: does policy.json only work with the v3 api?  It looks like all the v2 calls just assert_admin right up top.16:36
ayoungandrewbogott, nope.  The file  was written for v2.16:37
ayoungV3  should work with both that one and an edited version of16:37
openstackgerritMarek Denis proposed openstack/keystone: Functional tests for federation mapping CRUD
andrewbogottok, then what’s with the assert_admin calls?  It seems like no matter what I set in my policy file, I’m foiled by the lack of adminship16:38
ayoungwhere you substitute in the value for admin domain idf16:38
ayoungI need an oversized keybaord for these fat fingers16:38
andrewbogottSo, the policy file can change what is meant by ‘admin’ but I can’t actually allow non-admins to do things, is that right?16:39
andrewbogottAn example of my confusion:  I just added a reference to a non-existent rule:  "identity:list_projects": "rule:waffle_required"16:41
*** roxanaghe has quit IRC16:41
andrewbogottWhen I hit that command (‘keystone tenant-list’) it succeeds, and the logs show an attempt to verify admin but no reference to waffle_required16:41
bknudsonkeystone CLI only uses v2 API, and the v2 api only uses the is_admin rule in policy.json16:43
bknudsonit's not going to check identity:list_projects -- that's GET  v3/projects16:43
bknudson(technically, there are a couple of v2 apis that use different policy.json rules)16:44
andrewbogottbknudson: so when ayoung said that was written for v2… he meant just the first line?  Everything else only applies to v3?16:44
bknudsonmaybe he meant that it was written to work like v2?16:45
ayoungandrewbogott, is_admin is a rule, that is called in by the other rules16:45
bknudsonit doesn't take advantage of some v3 features.16:45
*** mylu has quit IRC16:45
bknudson... should be able to point to the code ...16:45
ayoungandrewbogott, so when you call ‘keystone tenant-list’ that calls into the python code and hits:16:46
*** hrou has quit IRC16:46
ayoungor the next line16:46
ayoungdepending on how the client calls it16:46
ayoung"rule:admin_required",  is resolved16:46
ayoung  as you know16:46
ayoungand the other16:46
ayoungis admin_or_owner is resolved16:47
andrewbogottjust to confirm… you and bknudson are disagreeing about how v2 works?16:47
bknudsonHere's the v2 controller:
ayoungwhich is in turn either is_admin as before or16:47
ayoung"owner" : "user_id:%(user_id)s",16:47
ayoungandrewbogott, I am saying how "policy" works16:47
ayoungnot all of the V2 API is calling in to policy16:48
*** phalmos has quit IRC16:48
ayoungdoes not16:48
bknudsonit calls assert_admin which is
bknudsonayoung: get_all_projects calls self.assert_admin(context)16:49
ayoungbknudson, where is the List projects for user call?  I thought that was v2 as well...has to be for the WebUI16:50
andrewbogottright, which I think is what I said before… the only part of policy.json that matters to the v2 api is the definition of admin.16:50
andrewbogottSo — this has me back to being crippled until I upgrade to v3.16:50
bknudsonayoung: that would be in the v2 public controller ... I'll see if I can find it.16:51
*** r-daneel has joined #openstack-keystone16:51
bknudson(I mean router not controller)16:52
*** phalmos has joined #openstack-keystone16:53
bknudsonayoung: here it is:
bknudsonwhich is going to call
bknudsonwhich doesn't do any policy stuff16:54
ayoungandrewbogott, so, yeah, none of those use policy16:54
ayoungthe fact that they were called "project" should have been a give-away16:54
ayoungSorry bout that16:54
bknudsonI can't remember if keystone tenant-list uses the public API or admin?16:54
bknudsonmaybe it depends on which endpoint you tell it to use.16:55
*** daemontool has joined #openstack-keystone16:55
andrewbogottand, do I recall correctly that I can’t use ldap assignment with v3?  (I know I’m going in circles at this point.)16:55
bknudsonI don't think we have a way to do domain role assignments using ldap.16:56
andrewbogottyep, ok16:56
*** roxanaghe has joined #openstack-keystone16:56
bknudsonI think we can do group role assignments ... not sure if it was implemented.16:57
*** gyee has joined #openstack-keystone16:57
*** ChanServ sets mode: +v gyee16:57
bknudsonuser role assignments must work.16:57
*** hrou has joined #openstack-keystone16:57
ayoungandrewbogott, so, if users are in LDAP, but assignments are in SQL, you can assign.  I think actually LDAP assignment will work with V3 as well, so long as everything is in the default domain, but I would not be surprised if we broke that16:57
*** su_zhang has joined #openstack-keystone16:57
bknudsonI should have said group role assignments on projects and user role assignments on projects above.16:58
andrewbogottI think my list of bugs-blocking-other-bugs is about to become a cyclic graph :)16:59
openstackgerritHenrique Truta proposed openstack/keystone: Restricting domain_id update
*** petertr7 is now known as petertr7_away16:59
andrewbogottI definitely only have one domain, so maybe it’s worth a try.17:01
*** rodrigods has left #openstack-keystone17:02
*** rodrigods has joined #openstack-keystone17:02
*** pumaranikar has quit IRC17:03
openstackgerritBrant Knudson proposed openstack/keystone: Merge keystone.config into keystone.common.config
*** pnavarro has quit IRC17:05
*** tellesnobrega_af is now known as tellesnobrega17:06
*** jistr has quit IRC17:08
*** su_zhang has quit IRC17:10
*** urulama has quit IRC17:10
*** ctina has quit IRC17:11
*** urulama has joined #openstack-keystone17:11
*** ctina has joined #openstack-keystone17:11
*** Ephur has quit IRC17:13
*** r-daneel has quit IRC17:26
*** e0ne has quit IRC17:27
*** r-daneel has joined #openstack-keystone17:27
*** doug-fish has joined #openstack-keystone17:33
*** shaleh has joined #openstack-keystone17:33
*** daemontool has quit IRC17:36
*** timcline has quit IRC17:39
openstackgerritMichael Krotscheck proposed openstack/keystone: Added CORS support to Keystone
dstanekhmmmm... so i cut the test runtime down by about 25%, but i'm getting random failures.17:39
shalehwhat steps did you take to reduce the run time?17:40
shalehI was going to start looking into it next week17:40
dstanekshaleh: restructuring lots of stuff17:41
dstanekbasically reduce redundant or useless setup17:41
shalehdstanek: stuff we talked about. Good.17:42
*** jsavak has quit IRC17:42
shalehperhaps some of the setup was masking behavior? Or there is some left over cruft between tests that it covered?17:42
*** jsavak has joined #openstack-keystone17:43
dstaneki think i'm missing a cleanup somewhere17:44
shalehdstanek: sounds likely17:44
*** jsavak has quit IRC17:48
shalehdstanek: if you would like another pair of eyes, you can mail me the patch17:48
*** jsavak has joined #openstack-keystone17:48
*** tonytan4ever has quit IRC17:48
*** hrou has quit IRC17:49
dstaneki'm in the process of breaking it apart now so that i can start putting it up for review17:50
*** fhubik has quit IRC17:52
*** wanghua has quit IRC17:53
*** wanghua has joined #openstack-keystone17:54
*** su_zhang has joined #openstack-keystone17:54
*** petertr7_away is now known as petertr717:56
*** jvarlamova_ has quit IRC17:57
*** jsavak has quit IRC18:00
shalehdstanek: how much refactoring will i need to do in my new_*_ref() cleanup work?18:05
dstanekshaleh: likely none18:05
*** petertr7 is now known as petertr7_away18:05
*** aix has quit IRC18:05
*** browne has joined #openstack-keystone18:08
*** mylu has joined #openstack-keystone18:14
andrewbogottbknudson: ok, with my endpoints switched over to v3, here’s what I get:
andrewbogottCan you tell from the log what’s going on?  Am I just missing an export?18:16
*** e0ne has joined #openstack-keystone18:17
bknudson"ERROR: openstack "18:17
bknudsonthat's pretty useful18:17
andrewbogottyeah, if I turn on —debug there’s more but not a lot more18:18
bknudsonwhat request is failing?18:18
andrewbogottanyway, at least it’s hitting keystone, judging from the log18:18
andrewbogottbknudson: what do you mean?18:18
bknudsonwhat's the REST call that's failing?18:18
andrewbogottI think auth/tokens18:18
andrewbogottbut let me post the —debug output… should’ve done that anyway18:19
bknudsonPOST /v3/auth/tokens HTTP/1.1" 20118:19
*** mylu has quit IRC18:19
*** mylu has joined #openstack-keystone18:19
andrewbogottbknudson: here’s the client-side debug:
*** jerrygb has quit IRC18:21
bknudsonI think the log is showing that there are no roles assigned to the user on the project18:21
bknudsonwhich is why you can't get a token18:21
bknudsonsearch: base=ou=roles,dc=wikimedia,dc=org scope=1 filterstr=(&(cn=48c33cc399984b9e855cfc1636ddaba9)(objectClass=organizationalRole)) attrs=['cn'] attrsonly=018:21
bknudsonthat's the ldapsearch that it's doing18:22
shalehv2 lookup, No OS_IDENTITY_API_VERSION=318:22
andrewbogottbknudson: ok, so that suggests that assignment with ldap isn’t working18:22
andrewbogottwhich is, I guess, what I was trying to learn18:22
bknudsonandrewbogott: what do you think it's doing wrong?18:23
bknudsonis that not the correct search?18:23
andrewbogott‘48c33cc399984b9e855cfc1636ddaba9’ is supposed to be the role id?18:23
*** mylu has quit IRC18:24
bknudsonandrewbogott: I assume so since it's looking under ou=roles,dc=wikimedia,dc=org18:24
bknudsonso what should be in there are roles with objectclass organizationalRole and the cn is the id18:24
bknudson... why would it be looking up the role by ID ...18:25
bknudsonsearch: base=ou=roles,dc=wikimedia,dc=org scope=1 filterstr=(&(cn=admin)(objectClass=organizationalRole)) attrs=['cn'] attrsonly=018:25
andrewbogottI see that role defined in ldap but I’m not sure where it came from.  It doesn’t have anything human readable so I don’t know what it’s supposed to be.18:25
bknudsonit did that just before ^^18:25
andrewbogottBut, let me add myself to the role and see what happens :)18:25
bknudsonand it apparently worked18:25
openstackgerritRamaraja proposed openstack/keystone: Adding Mitaka version oslo.log
bknudsonmaybe it's checking to see if the role is disabled or something?18:26
bknudsonwe could use some better debug logging.18:26
andrewbogottok, the role exists and novaadmin is in that role in project testlabs18:26
andrewbogotthere’s what I see in ldap:
*** pumaranikar has joined #openstack-keystone18:29
*** timcline has joined #openstack-keystone18:30
*** timcline has quit IRC18:31
andrewbogottI wonder where keystone is getting that ID?  I have another role that’s just called ‘admin’ — that seems like the obvious choice18:31
*** timcline has joined #openstack-keystone18:31
andrewbogott(back in 5)18:32
*** akanksha_ has joined #openstack-keystone18:37
andrewbogottback.  bknudson, are you code-digging, or surrendering for now?18:39
*** fangzhou has joined #openstack-keystone18:41
*** hrou has joined #openstack-keystone18:46
bknudsonandrewbogott: I'm continuing to work on what I was doing before... it's open source so anybody can look at it.18:48
andrewbogottthat’s fine, just didn’t want to go to lunch and leave you mid-debug :)18:49
* andrewbogott ponders how to roll back this change, now that the api doesn’t work18:53
*** Ephur has joined #openstack-keystone18:55
*** doug-fis_ has joined #openstack-keystone18:56
*** jbell8 has quit IRC18:57
*** doug-fish has quit IRC18:58
andrewbogottok!  I’m dumb, shaleh had a solution (at least partly) in the backscroll.  Thanks shaleh18:58
bknudsonyou're not going to tell us what the solution was?18:59
shalehevery time i have seen the "error: openstack" message it was due to using the wrong API version19:00
bknudsonif the auth version was incorrect you'd get a 404 error19:00
bknudsonsince it would try to do v3/tokens rather than v3/auth/tokens19:00
*** doug-fis_ has quit IRC19:00
*** jbell8 has joined #openstack-keystone19:02
*** jsavak has joined #openstack-keystone19:02
*** doug-fish has joined #openstack-keystone19:04
andrewbogottit was throwing ‘EndpointNotFound’ which is probably due to a 404, although right before it was trying to hit /v3/auth/tokens19:05
shalehit always annoys me that accessing /v3/blah does not inherently set the API_VERSION=3.19:07
*** jsavak has quit IRC19:07
*** jsavak has joined #openstack-keystone19:07
andrewbogottI also thought that the ‘openstack’ cli (vs the ‘keystone’ cli) was only compatible with v3 anyway.19:08
*** doug-fish has quit IRC19:08
dstanekshaleh: it really shouldn't. the client shouldn't know what the URL means19:08
andrewbogottAt least I couldn’t get it to cooperate with v2, but I didn’t try that hard.19:08
*** doug-fish has joined #openstack-keystone19:08
shalehandrewbogott: it does function with v2, but not well.19:08
shalehat least in my experience19:08
andrewbogottI guess it would be rude to make it default to 3 at this late date.19:09
shalehdstanek: I get the purist viewpoint on that. but it is not great UX19:09
bknudsonopenstack CLI supports both v2 and v319:09
andrewbogottYeah, I got responses but with a bunch of empty columns and such.19:09
bknudsonif you want great UX you should use clouds.yaml19:09
shalehbknudson: I do. Much happier :-)19:09
andrewbogottAnyway, setting OS_IDENTITY_API_VERSION is painless now that I know :)19:09
andrewbogottMaybe we should just change that ‘Error: openstack’ message to say “error: openstack.  Probably you need to set OS_IDENTITY_API_VERSION"19:10
shalehandrewbogott: I am sure it happens for other reasons. But yes, we should be better about it.19:10
bknudsonthe code is here:
bknudsonif you have time go ahead and propose a fix.19:11
dstanekshaleh: i'd prefer not to have version in the URL :-)19:11
andrewbogottOr maybe the client should just check the version before doing anything else.  That adds a roundtrip though.19:11
shalehdstanek: that is how i know about andrewbogott's issue. Trying to get versionless URLs to work :-)19:12
shalehbknudson: fixing that error message has been on my back burner for a bit. Thanks to both andrewbogott and you for reminding me19:12
* andrewbogott lunches19:13
shalehandrewbogott: think you could ensure a bug exists for that behavior?19:14
dstanekshaleh: it's unfortunate that we don't use linking for the client to get around. i'd love to see the version disappear19:14
dstanekbut unfortunately we publish URLs in our API docs19:14
bknudsonwe've got JSON Home support in keystone19:14
bknudsonand the rels are published in the API docs19:15
*** hrou has quit IRC19:15
bknudsonbut it's not supported in the client lib yet19:15
dstanekbknudson: yeah, we are getting closer for sure19:15
*** petertr7_away is now known as petertr719:16
dstanekwe also need rels in our resource representations too19:16
dstanek... or headers19:16
bknudsonwe've got self links19:16
*** LukeHinds has quit IRC19:16
*** c_soukup has joined #openstack-keystone19:18
dstaneki think there are things missing like urls instead of or in addition to things like service_id19:19
dstanekright now the pattern we promote is templating a url19:19
*** jerrygb has joined #openstack-keystone19:20
bknudsonshould we be using os-testr for all the keystone projects?19:20
bknudsonit's used in keystoneauth and I don't see why that needs to be a special snowflake.19:20
dstanekwhat is os-testr?19:21
*** tonytan4ever has joined #openstack-keystone19:21
shalehbknudson: is that different from the testr used for keystone?19:21
bknudsonin order to run a single test on keystoneauth I need to do tox -e py27 -- --regex <whatever>19:21
bknudsonwhereas for keystone I just do tox -e py27 <whatever>19:21
*** csoukup has quit IRC19:22
bknudson"A testr wrapper to provide functionality for OpenStack projects"19:22
shalehbknudson: so maybe keystone is the special snowflake?19:22
*** spandhe has joined #openstack-keystone19:22
bknudsonkeystoneauth is newer than keystone19:22
dstanekbknudson: i don't care if we use it or not. doesn't seem to be anything in there that's useful to me, but also nothing that would hurt19:23
bknudsonthe other option is to change keystoneauth to work like keystone and the rest of the projects19:23
dstanekbknudson: does anyone else use that?19:24
*** hrou has joined #openstack-keystone19:25
bknudsondstanek: ./nova/tox.ini:  ostestr --blacklist_file tests-py3.txt19:25
bknudson./neutron/tox.ini:  ostestr --regex '{posargs}'19:25
bknudson6 projects use it19:25
bknudsonout of 41619:25
*** jbell8 has quit IRC19:26
*** bradjones has quit IRC19:26
*** tellesnobrega is now known as tellesnobrega_af19:26
dstaneki actually like the blacklist in the tox.ini so it's very "in your face"19:26
shalehthat might reflect people not updating to new tools19:26
bknudsonthe list of tests in keystone's tox.ini is pretty in your face19:26
shalehdstanek: maybe once your patch is ready for review you could try it out and give an opinion?19:27
*** tellesnobrega_af is now known as tellesnobrega19:27
*** jsavak has quit IRC19:40
*** NM has joined #openstack-keystone19:44
*** su_zhang has quit IRC19:46
*** su_zhang has joined #openstack-keystone19:46
*** doug-fish has quit IRC19:47
*** doug-fish has joined #openstack-keystone19:49
*** ctina has quit IRC19:49
*** jsavak has joined #openstack-keystone19:58
*** ayoung has quit IRC20:00
*** jbell8 has joined #openstack-keystone20:00
*** tellesnobrega is now known as tellesnobrega_af20:02
*** jsavak has quit IRC20:02
*** su_zhang has quit IRC20:04
*** su_zhang has joined #openstack-keystone20:06
*** su_zhang has quit IRC20:09
*** jsavak has joined #openstack-keystone20:09
*** su_zhang has joined #openstack-keystone20:11
*** timcline has quit IRC20:11
*** tellesnobrega_af is now known as tellesnobrega20:12
openstackgerritHenrique Truta proposed openstack/keystone: Constraint to prevent duplicates endpoints
openstackgerritHenrique Truta proposed openstack/keystone: Change endpoint.url column type to String
*** su_zhang has quit IRC20:25
*** khomkrit has quit IRC20:26
*** fawadkhaliq has joined #openstack-keystone20:31
*** jamielennox|away is now known as jamielennox20:36
*** timcline has joined #openstack-keystone20:37
*** fangzhou has quit IRC20:38
*** flwang has joined #openstack-keystone20:50
*** raildo is now known as raildo-afk20:56
*** ayoung has joined #openstack-keystone21:03
*** ChanServ sets mode: +v ayoung21:03
*** mylu has joined #openstack-keystone21:03
*** petertr7 is now known as petertr7_away21:04
*** e0ne has quit IRC21:06
*** urulama has quit IRC21:08
*** urulama has joined #openstack-keystone21:08
*** timcline has quit IRC21:12
andrewbogottshaleh: I didn’t find an existing bug, although there may be one.  Indeed, I’m not clear on if there is even a bug category for the openstack client?  Anyway, here’s my best attempt:
openstackLaunchpad bug 1513216 in OpenStack Identity (keystone) "Mismatched keystone api version produces cryptic 'Error: Openstack'" [Undecided,New]21:14
*** su_zhang has joined #openstack-keystone21:15
shalehandrewbogott: thank you21:19
shalehsomething for bug friday21:19
bknudsonprobably nobody's working on it since it's reported against keystone for some reason when it's an openstackclient bug.21:20
*** jasonsb has quit IRC21:22
*** phalmos has quit IRC21:23
*** e0ne has joined #openstack-keystone21:26
*** petertr7_away is now known as petertr721:26
*** pece has quit IRC21:27
*** fangzhou has joined #openstack-keystone21:27
*** e0ne has quit IRC21:29
*** jamielennox is now known as jamielennox|away21:30
*** topol has quit IRC21:31
*** jsavak has quit IRC21:35
*** jerrygb has quit IRC21:36
*** jamielennox|away is now known as jamielennox21:37
*** jerrygb has joined #openstack-keystone21:38
*** aix has joined #openstack-keystone21:39
*** e0ne has joined #openstack-keystone21:40
*** e0ne has quit IRC21:41
*** pauloewerton has quit IRC21:43
*** jorge_munoz has joined #openstack-keystone21:44
*** jsavak has joined #openstack-keystone21:51
kfox1111_is there any issues running a liberty keystone with fernet tokens and kilo or other services on different nodes?21:55
kfox1111_we're looking at setting up one keystone to rule over multiple regions.21:55
*** petertr7 is now known as petertr7_away21:56
*** phalmos has joined #openstack-keystone21:57
dolphmkfox1111_: including a race condition that operators at the summit concluded was dwarfed by clock skew, but is summarized here
openstackLaunchpad bug 1473567 in OpenStack Identity (keystone) "Fernet tokens fail tempest runs" [High,In progress] - Assigned to Dolph Mathews (dolph)21:57
*** petertr7_away is now known as petertr721:58
bknudsondolphm: I think kfox1111_ is asking about different levels of services.21:59
bknudsone.g., new keystone old nova21:59
bknudsonwhich I think people have asked before and we said there was no known issue21:59
dolphmbknudson: ah - yeah. no known issues, none expected.21:59
dolphmooh, except you need kilo horizon at minimum for fernet22:00
*** su_zhang has quit IRC22:01
*** gildub has joined #openstack-keystone22:04
openstackgerritTom Cocozzello proposed openstack/keystone: Validate Distinguished Names
openstackgerritTom Cocozzello proposed openstack/keystone: Change tests that are setting incorrect Distinguished Names
*** e0ne has joined #openstack-keystone22:07
*** e0ne has quit IRC22:08
*** petertr7 is now known as petertr7_away22:10
*** jsavak has quit IRC22:11
jorge_munozdolphm: It seems that removing domain revocation events will have a problem if you disable and reenable a domain. Meaning that a token should be revoked if a domain was disabled, and should stay invalid even if the domain gets reenabled.22:11
*** henrynash has joined #openstack-keystone22:11
*** ChanServ sets mode: +v henrynash22:11
*** su_zhang has joined #openstack-keystone22:12
dolphmjorge_munoz: i think that's an expectation we have to break. after all, what's the use case for keeping it disabled?22:13
*** phalmos has quit IRC22:15
jorge_munozdolphm: I don’t see where this would happen very often, but it's a security risk. I just want to make sure this is something we are willing to live with.22:17
dolphmjorge_munoz: what is the security risk? what's the attack vector?22:18
jorge_munozdolphm: Ex: Some accounts got compromised in a domain, and a user wanted to disable the domains to invalidate all tokens and reenabled to allow usage again to user in that domain.22:20
dolphmjorge_munoz: wouldn't you disable the domain, delete the compromised users, and then re-enable the domain without risk?22:23
*** lhcheng has joined #openstack-keystone22:24
*** ChanServ sets mode: +v lhcheng22:24
*** jasonsb has joined #openstack-keystone22:25
*** daemontool has joined #openstack-keystone22:26
*** doug-fish has quit IRC22:26
jorge_munozdolphm: Yes, in that workflow that would work just fine, but what if some tokens were compromised and the domain admin is unsure which are the compromised users.22:28
dolphmjorge_munoz: then you'd leave the domain disabled?22:30
*** pumaranikar has quit IRC22:31
*** pumaranikar has joined #openstack-keystone22:31
dolphmjorge_munoz: the "what if" is missing a surgical fix - you can't safely revert the emergency sledgehammer fix until you have a surgically precise fix in place.22:31
*** ctina has joined #openstack-keystone22:32
*** henrynash has quit IRC22:33
jorge_munozdolphm: It's changing the current functionality, and allowing a token to be valid where it technically shouldn’t.22:36
*** pumaranikar has quit IRC22:36
dolphmjorge_munoz: (you're skipping the "why")22:37
dolphmchange itself is not necessarily bad, and we don't have a use case to say the token should remain invalid22:38
jorge_munozdolphm: but it's an inconsistency on the api, right? I just want to cover my bases..22:41
dolphmjorge_munoz: well it's a matter of documenting expectations, but what's the inconsistency? you disable a project, you can't scope to it, you re-enable the project, they can scope to it. you disable a service, it disappears from the catalog, you re-enable it, it re-appears. right?22:44
*** c_soukup has quit IRC22:44
jorge_munozWell getting a 401 and then getting a 200. That's fine, we can document expectation and explain why a token may be invalid when a domain is disabled and valid when a domain gets re-enabled. Since the token never did get explicitly revoked, it makes sense that it would remain valid.22:47
jorge_munozmay -> is*22:48
*** mylu has quit IRC22:50
*** mylu has joined #openstack-keystone22:51
*** tonytan4ever has quit IRC22:51
openstackgerritTom Cocozzello proposed openstack/keystone: Change tests that are setting incorrect Distinguished Names
*** mylu has quit IRC22:55
notmorganno stevemar22:57
*** ctina has quit IRC22:57
shalehhave not seen him all day22:57
notmorgandolphm, ayoung, jamielennox: so i've been thinking about this22:57
*** ctina has joined #openstack-keystone22:58
notmorgandolphm, ayoung, jamielennox: i think we might need to provide a new indicator in keystone projects that is not disabled...but locked.22:58
notmorganbasically a way to signal to other projects that this project should not be allowed to have more resources allocated to it. locking a project would still invalidate the tokens (so new tokens are needed)22:59
notmorganbut disabled has further reaching effects.22:59
*** ctina has quit IRC23:02
*** fangzhou has quit IRC23:05
*** slberger has left #openstack-keystone23:11
*** su_zhang has quit IRC23:12
jamielennoxnotmorgan: so what do you think you can do with a locked project vs a disabled project, and wouldn't that require keystone having an understanding of how the roles are set up?23:17
jamielennoxguess we can always add it to the token23:17
*** jasonsb has quit IRC23:18
notmorganthat's the thought23:18
notmorganor the validated body at least23:18
*** jasonsb has joined #openstack-keystone23:18
shalehbut why locked v. disabled? What can one do with a locked project?23:19
notmorgandisabled is like deleted outside of keystone23:19
notmorganlocked could let someone tear down resources / act on resources but not allocate more. no new vms. no neutron ports etc23:20
*** jbell8 has quit IRC23:20
notmorganthat is my thought at least.23:20
shalehnotmorgan: so perhaps you want to use a term like "frozen" or some such?23:20
notmorganterminology doesn't matter when we are just talking concept23:21
shalehmy point here is a standard user could still be expected to auth and have a project scoped token for this project, right?23:21
shalehthey could access anything currently working23:21
*** su_zhang has joined #openstack-keystone23:21
jamielennoxmarekd: so works with ecp? i couldn't figure it out with mod_auth_mellon, but probably because it's unsupported23:21
jamielennoxmarekd: (not expecting you to be here)23:22
dolphmnotmorgan: couldn't we achieve that today with disabled? since it doesn't actually disable anything besides auth23:23
dolphmnotmorgan: communicate that to services and handle it in policy?23:24
jamielennoxdolphm: you can't get a token scoped to that disabled project23:25
*** edmondsw has quit IRC23:25
ayoungif we indicated that a project was disabled, but still allowed tokens to be created it would have the same effect.23:26
ayoungLet's not add a new state23:26
shalehjamielennox: has Lasso caught up with ECP support?23:26
jamielennoxshaleh: yes, if you're compiling from source23:27
jamielennoxmaybe fedora 2323:27
jamielennoxprobably fedora 2323:27
jamielennoxdefinitely rhel 7.223:27
shalehjamielennox: good to know23:27
shalehjamielennox: I looked a few months back, it still seemed in flux then23:28
shalehayoung: why disable a project but allow people access to it? What would be the point in disabled then?23:29
ayoungdeleting resources23:29
shalehseems like bad UX to me23:29
shalehayoung: but notmorgan is talking about more than delete. Simply the user cannot allocate more.23:29
ayoungshaleh, locked means the user cannot create more resources.  That is what disabled would mean, too.  If you disable a project in Keystone, it can be re-enabled.  While it is locked you cannot get tokens scoped to that project.23:30
ayoungThe only reason to have another status would be to deal with the gap between when we added it and when the other services wrote a policy role for it.23:31
*** gordc has quit IRC23:31
ayoungSo, instead, let's have a config option that says you can or cannot get a token for a disabled project.  It is the same net effect23:31
shalehayoung: that is not my understanding of notmorgan's request. I will let him talk for himself though.23:32
ayoungshaleh, "no more resources" can be done with quota23:32
*** fangzhou has joined #openstack-keystone23:32
shalehayoung: but I stand by my statement that allowing users to auth and use a project marked 'disabled' is bad UX23:32
shalehthe cleanup case is a special one, I can see a use for that23:33
*** hrou has quit IRC23:34
*** jbell8 has joined #openstack-keystone23:34
*** jbell8 has quit IRC23:37
notmorganayoung: it depends on if we want to change "disabled" state functionality23:42
notmorgani was assuming we didn't want to change things.23:42
*** jerrygb has quit IRC23:56
