Wednesday, 2016-06-08

*** dan_nguyen has quit IRC00:16
*** clenimar has quit IRC00:17
openstackgerritRyosuke Mizuno proposed openstack/keystone: Add validation rules for create token using a JSON schema
*** roxanaghe has quit IRC00:25
dstanek#success I was able to perform a roundtrip between keystone and using my new SAML2 middleware!00:26
openstackstatusdstanek: Added success to Success page00:26
dstanekopenstackstatus: thanks!00:28
*** clenimar has joined #openstack-keystone00:30
gyeedstanek, what does success smell like?00:30
openstackgerritMerged openstack/keystone: Return 404 instead of 401 for tokens w/o roles
*** raddaoui has quit IRC00:37
dstanekgyee: beer!00:46
*** lucas has joined #openstack-keystone00:55
*** lucas has quit IRC00:59
*** lucas has joined #openstack-keystone01:03
*** BjoernT has joined #openstack-keystone01:08
ayoungdstanek, the real test would be talking to ADFWS01:10
ayoungI think that is the most Common SAML IdP we have to work with.01:10
ayoungdstanek, have you looked at Ipsilon?01:11
*** markvoelker has joined #openstack-keystone01:13
*** tqtran has quit IRC01:16
*** markvoelker has quit IRC01:18
*** BjoernT has quit IRC01:27
*** frontrunner has quit IRC01:31
*** EinstCrazy has joined #openstack-keystone01:35
*** toddnni_ has joined #openstack-keystone01:39
*** toddnni has quit IRC01:40
*** toddnni_ is now known as toddnni01:40
*** EinstCra_ has joined #openstack-keystone01:41
*** EinstCr__ has joined #openstack-keystone01:44
*** EinstCrazy has quit IRC01:44
*** EinstCra_ has quit IRC01:46
*** lucas has quit IRC01:53
*** tonytan4ever has joined #openstack-keystone02:11
jamielennoxwhats the thing that provides the deprecated in version N+1 functions02:15
jamielennoxit's debtcollector underneath, but i thought there was something in oslo to handle the version naming02:16
jamielennoxoh, nvm - it's in oslo_log and not oslo.utils02:19
*** lucas has joined #openstack-keystone02:26
*** TxGVNN has joined #openstack-keystone02:29
*** sdake has joined #openstack-keystone02:32
*** sdake has quit IRC02:34
*** woodster_ has quit IRC02:38
*** richm has quit IRC02:45
*** openstackgerrit has quit IRC02:47
*** openstackgerrit has joined #openstack-keystone02:47
*** sheel has joined #openstack-keystone02:49
*** dan_nguyen has joined #openstack-keystone02:49
*** gyee has quit IRC02:50
*** dave-mccowan has quit IRC02:54
*** dan_nguyen has quit IRC02:59
stevemardstanek: nice :)02:59
stevemardstanek: got something for viewing? :)02:59
*** rderose has joined #openstack-keystone03:02
*** rderose has quit IRC03:03
jamielennoxnotmorgan, dstanek:
*** dan_nguyen has joined #openstack-keystone03:04
*** dan_nguyen has quit IRC03:06
*** jorge_munoz has quit IRC03:08
*** jorge_munoz has joined #openstack-keystone03:10
*** EinstCr__ has quit IRC03:13
*** sdake has joined #openstack-keystone03:28
*** spandhe has quit IRC03:32
*** links has joined #openstack-keystone03:35
*** lucas has quit IRC03:42
*** EinstCrazy has joined #openstack-keystone03:44
*** julim has quit IRC03:45
*** TxGVNN has quit IRC03:45
*** EinstCrazy has quit IRC03:47
stevemarjamielennox: so, what i miss? :)03:47
jamielennoxstevemar: are you back now?03:47
*** clenimar has quit IRC03:51
stevemarjamielennox: monday i'll be back03:51
*** TxGVNN has joined #openstack-keystone03:51
jamielennoxstevemar: and just can't wait till then?03:51
stevemarjamielennox: just got some free time now and looking to chat :)03:51
*** raddaoui has joined #openstack-keystone03:52
jamielennoxso really not much has happened03:52
stevemara few more specs i noticed03:52
jamielennoxi'm assuming you saw the meeting transcripts03:52
stevemarnot really03:52
stevemari suppose i should do that >.>03:52
*** sdake has quit IRC03:53
jamielennoxstevemar: probably easier than relating them seeing they're logged03:53
jamielennoxi think dolph's spec might have missed cut off but it will be good to have and easy to approve03:53
*** ebalduf_ has joined #openstack-keystone03:53
jamielennoxumm, henry's and my spec are both kind of blocked on ML discussions03:54
jamielennoxno problems with the release03:54
jamielennoxand you were around when we were discussing the ksa release - no fallout i've seen03:54
stevemarjamielennox: ah right, nice job on that, you fixed it up so kerb and saml have a path forward03:55
jamielennoxoh, yea that didn't make release03:55
*** TxGVNN has quit IRC03:55
jamielennoxand i got something wrong in py3 so the tests are failing, but the mechanism seems to work03:55
stevemari like dolph's spec, that'll be easy to approve, but i think there are a few comments around it03:56
stevemarthe whole project name constraint thing is ugh03:56
stevemarjust not something i wanted to deal with :)03:56
*** iurygregory_ has quit IRC03:57
jamielennoxstevemar: yea, i've written a draft reply or two to that - i just don't know what to say03:59
jamielennoxstevemar: hey ever seen/used [extras] on entrypoints?
stevemarjamielennox: want to take a gander at and it's related change?04:01
patchbotstevemar: patch 274400 - keystonemiddleware - Use extras for oslo.messaging dependency04:01
stevemarjamielennox: nope :\04:02
jamielennoxhaven't played with it yet, but maybe that would let us declare that the kerberos entrypoint required the kerberos extras installed?04:03
jamielennoxstevemar: auditing middleware shouldn't have lived in that repo :(04:03
stevemarjamielennox: :(04:04
openstackgerritEric Brown proposed openstack/keystone: Update the keystone-manage man page options
stevemarit's not the worst place for it04:04
jamielennoxstevemar: i'm inclined to just make it a direct dependency04:04
stevemarthe dependency on oslo.messaging is messy04:05
jamielennoxaudit is used much less than auth_token but it's likely to be installed anywhere auth_token is anyway04:05
stevemarthe audit bits will re-use the context04:06
*** tonytan_brb has joined #openstack-keystone04:07
*** tonytan4ever has quit IRC04:08
*** devananda has quit IRC04:11
stevemar(i'm confused as to what the question was)04:11
jamielennoxstevemar: why can't we just have a direct dependency on oslo.messaging04:13
*** browne has quit IRC04:13
stevemarjamielennox: good point... most services that use ksm will have oslo.messaging04:14
jamielennoxit shouldn't be that big a dependency and it's not a client side thing so i think just depend on it directly04:15
*** EinstCrazy has joined #openstack-keystone04:22
*** devananda has joined #openstack-keystone04:23
stevemarjamielennox: let me take a tally of projects that are using keystonemiddleware and *not* oslo.messaging04:25
jamielennoxstevemar: oslo.messaging needs to do some [extras] work04:26
*** shoutm has joined #openstack-keystone04:26
stevemarjamielennox: pretty short list of projects that don't use both ksm and oslo.messaging04:31
jamielennoxzaqar doesn't use oslo.messaging?04:31
stevemar12 out of 53 projects04:32
jamielennoxguess that makes sense04:32
stevemarjamielennox: yeah, that surprised me too04:32
jamielennoxstevemar: i think we just do it, it's a well known dependency, all the distros have it packaged already, everyone else won't notice04:32
jamielennoxas is audit middleware is unusable04:33
stevemarjamielennox: i doubt most both of those projects would even notice04:33
stevemarjamielennox: want me to post something on the ML?04:33
jamielennoxstevemar: your call, but i don't think it's necessary04:33
stevemarat least tag the bigger projects, like fuel and zaqar04:33
jamielennoxthey can't exactly opt out anyway04:34
jamielennoxwe should get audit more widely used, it seems weird as is04:34
stevemarjamielennox: why do you say it's unusable as is?04:34
jamielennoxoh, i guess not, everyone has the oslo.messaging dependency separately so doesn't notice the addition04:35
*** tonytan_brb has quit IRC04:36
*** browne has joined #openstack-keystone04:36
*** edtubill has joined #openstack-keystone04:38
*** lhcheng has joined #openstack-keystone04:42
*** ChanServ sets mode: +v lhcheng04:42
*** jaosorior has joined #openstack-keystone04:50
*** browne has quit IRC04:53
*** spandhe has joined #openstack-keystone04:53
*** spandhe_ has joined #openstack-keystone04:54
openstackgerritJamie Lennox proposed openstack/keystone: Pass a request to controllers instead of a context
*** spandhe has quit IRC04:58
*** spandhe_ is now known as spandhe04:58
*** sdake has joined #openstack-keystone05:01
*** tonytan4ever has joined #openstack-keystone05:03
*** ebalduf_ has quit IRC05:05
*** tonytan4ever has quit IRC05:09
*** GB21 has joined #openstack-keystone05:09
stevemarjamielennox: meh
openstackLaunchpad bug 1590254 in keystonemiddleware "depend directly on oslo.messaging" [Undecided,New]05:11
*** edtubill has quit IRC05:15
openstackgerritMerged openstack/keystone: clean up test_resource_uuid
*** sdake has quit IRC05:32
*** fawadkhaliq has joined #openstack-keystone05:33
*** tonytan4ever has joined #openstack-keystone05:33
*** spandhe has quit IRC05:37
*** tonytan4ever has quit IRC05:38
*** GB21 has quit IRC05:44
*** EinstCrazy has quit IRC05:59
*** EinstCrazy has joined #openstack-keystone05:59
*** EinstCrazy has quit IRC05:59
*** EinstCrazy has joined #openstack-keystone06:05
*** GB21 has joined #openstack-keystone06:06
*** lifeless has quit IRC06:13
*** rcernin has joined #openstack-keystone06:13
*** shoutm_ has joined #openstack-keystone06:36
*** henrynash_ has joined #openstack-keystone06:37
*** ChanServ sets mode: +v henrynash_06:37
*** shoutm has quit IRC06:38
*** lhcheng has quit IRC06:47
*** openstackgerrit has quit IRC06:48
*** openstackgerrit has joined #openstack-keystone06:48
*** belmoreira has joined #openstack-keystone06:49
*** sdake has joined #openstack-keystone06:54
*** martinus__ has joined #openstack-keystone06:58
*** EinstCra_ has joined #openstack-keystone06:59
*** tesseract has joined #openstack-keystone07:00
*** EinstCrazy has quit IRC07:02
*** EinstCra_ has quit IRC07:05
*** EinstCrazy has joined #openstack-keystone07:05
openstackgerrithenry-nash proposed openstack/keystone: WIP - Cache fernet tokens the same way we do UUID
*** henrynash_ has quit IRC07:10
*** sdake has quit IRC07:10
*** fawadkhaliq has quit IRC07:23
*** henrynash_ has joined #openstack-keystone07:42
*** ChanServ sets mode: +v henrynash_07:42
*** openstackgerrit has quit IRC07:48
*** openstackgerrit has joined #openstack-keystone07:48
*** henrynash_ has quit IRC07:54
*** zzzeek has quit IRC08:00
*** zqfan has joined #openstack-keystone08:00
*** zzzeek has joined #openstack-keystone08:02
*** shoutm_ has quit IRC08:05
*** shoutm has joined #openstack-keystone08:05
*** fawadkhaliq has joined #openstack-keystone08:09
openstackgerritDavanum Srinivas (dims) proposed openstack/keystone: [WIP] Testing latest u-c
*** fhubik has joined #openstack-keystone08:15
*** EinstCrazy has quit IRC08:15
*** EinstCrazy has joined #openstack-keystone08:18
*** jaosorior has quit IRC08:25
*** jaosorior has joined #openstack-keystone08:25
*** dmk0202 has joined #openstack-keystone08:37
*** raddaoui has quit IRC08:37
*** shoutm has quit IRC08:37
openstackgerritRon De Rose proposed openstack/keystone: PCI-DSS disable inactive users requirements
*** nisha_ has joined #openstack-keystone08:40
openstackgerritRon De Rose proposed openstack/keystone: PCI-DSS disable inactive users requirements
*** EinstCrazy has quit IRC08:43
*** EinstCrazy has joined #openstack-keystone08:43
*** EinstCrazy has quit IRC08:45
*** fawadkhaliq has quit IRC08:45
nisha_hey all!08:46
*** EinstCrazy has joined #openstack-keystone08:47
*** openstackgerrit has quit IRC08:48
*** openstackgerrit has joined #openstack-keystone08:48
openstackgerritRon De Rose proposed openstack/keystone: PCI-DSS disable inactive users requirements
*** arunkant has quit IRC08:52
*** arunkant has joined #openstack-keystone08:52
*** GB21 has quit IRC08:53
*** mvk has quit IRC09:03
openstackgerritRon De Rose proposed openstack/keystone: PCI-DSS disable inactive users requirements
nisha_I want to remove a downloaded patch from python-keystoneclient, so that I can download an updated version of the same patch, can anyone please help me?09:06
nisha_I just tried this, $ git review -R <patch_number> but it didn't work as expected09:07
*** GB21 has joined #openstack-keystone09:09
nisha_and btw I typed that command after going inside python-keystoneclient directory09:10
jamielennoxnisha_: normally just running git review -d <number> again should fetch the latest one09:14
nisha_jamielennox, when i use the -d command again, it says Downloading refs/changes/06/289306/20 from gerrit09:16
nisha_Branch already exists - reusing09:16
nisha_jamielennox, does that mean, i already have the latest updated patch09:16
*** sdake has joined #openstack-keystone09:16
jamielennoxnisha_: it should09:17
jamielennoxdo git log -1 and see the commit hash, it should match the latest review09:17
*** EinstCrazy has quit IRC09:18
*** GB21 has quit IRC09:18
*** nisha__ has joined #openstack-keystone09:19
*** belmoreira has quit IRC09:19
openstackgerritRon De Rose proposed openstack/keystone: PCI-DSS disable inactive users requirements
*** nisha_ has quit IRC09:21
*** EinstCrazy has joined #openstack-keystone09:21
openstackgerritRon De Rose proposed openstack/keystone: PCI-DSS Password history requirements
openstackgerritRon De Rose proposed openstack/keystone: PCI-DSS Disable inactive users requirements
*** nisha__ is now known as nisha_09:26
nisha_jamielennox, thanks09:29
*** fawadkhaliq has joined #openstack-keystone09:32
*** fawadkhaliq has quit IRC09:33
*** fawadkhaliq has joined #openstack-keystone09:33
*** fawadkhaliq has quit IRC09:33
*** mvk has joined #openstack-keystone09:34
*** GB21 has joined #openstack-keystone09:42
*** fawadkhaliq has joined #openstack-keystone09:42
*** belmoreira has joined #openstack-keystone09:48
*** sdake has quit IRC09:49
openstackgerritRon De Rose proposed openstack/keystone: PCI-DSS Disable inactive users requirements
openstackgerritRon De Rose proposed openstack/keystone: PCI-DSS Disable inactive users requirements
*** nisha__ has joined #openstack-keystone09:49
*** nisha_ has quit IRC09:52
*** markvoelker has joined #openstack-keystone09:53
*** henrynash_ has joined #openstack-keystone09:55
*** ChanServ sets mode: +v henrynash_09:55
*** nisha__ is now known as nisha_10:01
openstackgerritRon De Rose proposed openstack/keystone: PCI-DSS Disable inactive users requirements
samueldmqmorning keystone10:09
*** rk4n has joined #openstack-keystone10:12
*** jamie_h has joined #openstack-keystone10:12
*** lifeless has joined #openstack-keystone10:35
openstackgerrithenry-nash proposed openstack/keystone: WIP - Cache fernet tokens the same way we do UUID
openstackgerrithenry-nash proposed openstack/keystone: Revert to caching fernet tokens the same way we do UUID
*** rk4n_ has joined #openstack-keystone10:43
*** rk4n__ has joined #openstack-keystone10:45
*** rk4n_ has quit IRC10:45
*** rk4n has quit IRC10:46
openstackgerrithenry-nash proposed openstack/keystone: Revert to caching fernet tokens the same way we do UUID
*** lifeless has quit IRC10:47
*** lifeless_ has joined #openstack-keystone10:47
*** tesseract has quit IRC10:50
*** tesseract has joined #openstack-keystone10:51
*** d0ugal has quit IRC10:59
*** yolanda has quit IRC10:59
*** d0ugal has joined #openstack-keystone11:00
openstackgerrithenry-nash proposed openstack/keystone-specs: Fix incorrect query example
*** afazekas is now known as __afazekas11:05
*** d0ugal has quit IRC11:09
*** doug-fish has joined #openstack-keystone11:09
*** fawadkhaliq has quit IRC11:12
*** fawadkhaliq has joined #openstack-keystone11:19
*** fawadkhaliq has quit IRC11:25
samueldmqhenrynash_: hi11:27
henrynash_samueldmq: hi11:28
*** henrynash_ has quit IRC11:29
*** d0ugal has joined #openstack-keystone11:32
*** henrynash_ has joined #openstack-keystone11:34
*** ChanServ sets mode: +v henrynash_11:34
henrynash_smaueldmq: hi11:34
*** fawadkhaliq has joined #openstack-keystone11:38
*** henrynash_ has quit IRC11:39
*** fawadkhaliq has quit IRC11:40
*** fawadkhaliq has joined #openstack-keystone11:40
samueldmqhenrynash: sorry went afk for a bit11:40
samueldmqhenrynash: about patch 32623411:41
patchbotsamueldmq: - keystone - Revert to caching fernet tokens the same way we do...11:41
*** doug-fish has quit IRC11:41
*** gordc has joined #openstack-keystone11:43
*** fawadk has joined #openstack-keystone11:43
*** sdake has joined #openstack-keystone11:44
*** fawadkhaliq has quit IRC11:44
*** fawadkhaliq has joined #openstack-keystone11:44
openstackgerritMerged openstack/keystone: Update the keystone-manage man page options
*** fawadk has quit IRC11:48
*** yolanda has joined #openstack-keystone11:49
*** nisha_ has quit IRC11:49
*** nisha_ has joined #openstack-keystone11:49
*** __afazekas is now known as afazekas11:49
*** jbell8 has quit IRC11:50
*** jbell8 has joined #openstack-keystone11:51
openstackgerritMerged openstack/keystone-specs: Fix incorrect query example
*** jbell8 has quit IRC11:55
*** markvoelker has quit IRC11:56
*** jbell8 has joined #openstack-keystone11:56
*** amrith is now known as _amrith_11:58
openstackgerritMikhail Nikolaenko proposed openstack/keystone-specs: WIP -Alternative policy enforcement
*** fawadkhaliq has quit IRC12:03
*** pnavarro has joined #openstack-keystone12:06
*** ayoung has quit IRC12:07
*** clenimar has joined #openstack-keystone12:11
*** markvoelker has joined #openstack-keystone12:12
*** zqfan has quit IRC12:13
*** sdake has quit IRC12:13
*** EinstCrazy has quit IRC12:14
*** EinstCrazy has joined #openstack-keystone12:14
*** frontrunner has joined #openstack-keystone12:14
*** henrynash_ has joined #openstack-keystone12:15
*** ChanServ sets mode: +v henrynash_12:15
henrynash_samueldmq: hi12:15
samueldmqhenrynash_: hey12:16
samueldmqhenrynash_: so, I was talking to henrynash :) (fyi there is henrynash and henrynash_ logged in the channel)12:16
henrynash_samueldmq: and they're both me ;-)12:17
samueldmqhenrynash_: hehe12:17
samueldmqhenrynash_: so, about patch 32623412:18
patchbotsamueldmq: - keystone - Revert to caching fernet tokens the same way we do...12:18
henrynash_samueldmq: I’m still an IRCbouncer virgin…12:18
samueldmqhenrynash_: lol hehe12:18
henrynash_samueldmq: so yes, on the patch12:18
samueldmqhenrynash_: I ended up leaving a review12:19
*** EinstCrazy has quit IRC12:19
henrynash_samuedlmq: yes, was just replying12:19
samueldmqhenrynash_: basically I am confused why that never gets invalidated12:19
henrynash_samueldmq: so it's true, the cache itself is never invalidated, but token validation will fail if there is a relevant revoke event12:19
henrynash_samueldmq: this was the same in Liberty12:20
samueldmqhenrynash_: gotcha12:20
*** aurelien__ has joined #openstack-keystone12:20
samueldmqhenrynash_: I have a patch for invalidating the token cache when the token is deleted 31699112:21
henrynash_samueldmq: cool...12:21
samueldmqhenrynash_: so I was wondering if it wasn't good to make your dependent and add an invalidate to that method when the token is revoked (at least)12:21
*** aurelien__ has quit IRC12:21
*** fawadkhaliq has joined #openstack-keystone12:22
*** pnavarro has quit IRC12:22
*** GB21 has quit IRC12:23
henrynash_samueldmq: so was also thinking about at least invalidating it in the explicit revoke() case12:23
henrynashsamueldmq: I'd like to keep the two separate, since we are first just re-instating the old functionality… and then we can enhance it for things like that12:24
henrynashlet me have another look, however12:24
samueldmqhenrynash or henrynash_  ?12:25
* samueldmq is confused12:25
henrynash_no idea why it keeps changing!!!!12:25
henrynash_damn, it did it again!12:25
samueldmqhenrynash[_]: yes take a look at that, I am just pulling the revocation logic to the provider, since fernet does not reach persistence code12:26
henrynash_yep, understand12:26
*** fawadkhaliq has quit IRC12:26
*** fawadkhaliq has joined #openstack-keystone12:33
openstackgerrithenry-nash proposed openstack/keystone: Revert to caching fernet tokens the same way we do UUID
openstackgerrithenry-nash proposed openstack/keystone: Revert to caching fernet tokens the same way we do UUID
*** rderose has joined #openstack-keystone12:44
openstackgerritRon De Rose proposed openstack/keystone: PCI-DSS Disable inactive users requirements
shewlessHi there. Is there anyone who can help me get federation working with keystone? I've tried following the steps here: but I'm stuck. I'm trying to get an unscoped token (at the bottom of the instructions) but I keep getting an error. (Attempted to authenticate with an unsupported method).12:54
shewlessI'm using Shibboleth as my service provider and right now I'm trying to use testshib as my IDP12:55
*** julim has joined #openstack-keystone12:55
*** rodrigods has quit IRC12:56
*** rodrigods has joined #openstack-keystone12:56
*** edmondsw has joined #openstack-keystone13:00
*** links has quit IRC13:03
*** pnavarro has joined #openstack-keystone13:03
*** ebalduf_ has joined #openstack-keystone13:03
*** fawadkhaliq has quit IRC13:04
openstackgerritRon De Rose proposed openstack/keystone: PCI-DSS Disable inactive users requirements
openstackgerritRon De Rose proposed openstack/keystone: PCI-DSS Disable inactive users requirements
openstackgerritMerged openstack/keystone-specs: Add spec for fernet key store backends
*** links has joined #openstack-keystone13:18
*** richm has joined #openstack-keystone13:20
*** sheel has quit IRC13:25
*** ayoung has joined #openstack-keystone13:26
*** ChanServ sets mode: +v ayoung13:26
*** nisha__ has joined #openstack-keystone13:29
*** nisha_ has quit IRC13:32
dstanekshewless: are you seeing any errors in your log?13:36
dstanekshewless: one common mistake is to have a broken mapping13:36
*** _amrith_ is now known as amrith13:40
*** fhubik has quit IRC13:42
*** edtubill has joined #openstack-keystone13:43
*** edtubill has quit IRC13:43
*** diazjf has joined #openstack-keystone13:44
shewless+dstanek: not seeing any errors in the log. but I think I found the problem. my apache config defines this location: <Location /v3/OS-FEDERATION/identity_providers/idp_1/protocols/saml2/auth>13:45
shewless+dstanek: but I think idp_1 and saml2 are just placeholders for the identity provider and protocol that I created - is that right?13:46
samueldmqrderose: hi!13:47
rderosesamueldmq: hi13:48
samueldmqrderose: I am willing to review PCI-DSS things13:48
openstackgerritRon De Rose proposed openstack/keystone: PCI-DSS Disable inactive users requirements
samueldmqrderose: where should I start ?13:48
*** nisha__ has quit IRC13:49
*** nisha__ has joined #openstack-keystone13:50
rderosesamueldmq: start with
patchbotrderose: patch 314284 - keystone - Add password table columns to meet PCI-DSS change ...13:51
rderosesamueldmq: and then:
patchbotrderose: patch 320156 - keystone - PCI-DSS Change password requirements13:51
samueldmqrderose: cool, i got that chain13:52
samueldmqrderose: commit messages are pretty descriptive13:52
*** TxGVNN has joined #openstack-keystone13:52
shewlessfor the "protocol" in federation: is it freeform or does it "have" to be something specific? # openstack federation protocol create protocol-name --identity-provider provider-name --mapping mapping-name13:53
shewlessis "protocol-name" saml2 or can it be anything?13:53
rderosesamueldmq: thx13:57
*** clenimar has quit IRC13:59
shewless+dstanek: I'm now seeing this.. broken mapping?  Could not map any federated user properties to identity values. Check debug logs or the mapping used for additional details14:01
*** ametts has joined #openstack-keystone14:02
*** clenimar has joined #openstack-keystone14:04
*** ebalduf_ has quit IRC14:04
*** fhubik has joined #openstack-keystone14:05
*** yolanda_ has joined #openstack-keystone14:08
*** yolanda has quit IRC14:09
*** yolanda_ has quit IRC14:09
*** yolanda has joined #openstack-keystone14:09
openstackgerritRon De Rose proposed openstack/keystone: Refactor shadow users and deprecate driver backend
*** TxGVNN has quit IRC14:16
*** TxGVNN has joined #openstack-keystone14:16
*** diazjf has quit IRC14:17
*** diazjf has joined #openstack-keystone14:19
*** dave-mccowan has joined #openstack-keystone14:26
*** jaosorior has quit IRC14:26
*** raddaoui has joined #openstack-keystone14:26
*** spzala has joined #openstack-keystone14:28
lbragstadhenrynash_ samueldmq I see your fernet patches - I just have a few more things to straighten up with the performance testing CI and we should be able to test those14:29
*** links has quit IRC14:29
*** diazjf has quit IRC14:30
openstackgerritRon De Rose proposed openstack/keystone-specs: Drop Support for Driver Versioning
openstackgerritPaulo Ewerton Gomes Fragoso proposed openstack/python-keystoneclient: Handle EmptyCatalog exception in list federated projects
lbragstaddolphm here is what I came up with last night for the gerrit event stream listener
*** tonytan4ever has joined #openstack-keystone14:34
lbragstadusing pygerrit ^14:35
*** dan_nguyen has joined #openstack-keystone14:36
openstackgerritPaulo Ewerton Gomes Fragoso proposed openstack/python-keystoneclient: Handle EmptyCatalog exception in list federated projects
*** julim has quit IRC14:37
bknudsonlbragstad: were you going to use the rest api or is this the ssh client?14:38
lbragstadbknudson i'm using the event stream -
lbragstadspecifically using pygerrit.client14:39
*** julim has joined #openstack-keystone14:40
*** julim has quit IRC14:40
*** clenimar has quit IRC14:41
lbragstadI've never played with pygerrit but figured I'd tinker with it14:42
*** pauloewerton has joined #openstack-keystone14:42
bknudsonI assume it's what 3rd party ci typically uses14:42
bknudsonyou'll need special access to use the ssh stream14:43
bknudsonanyone can use the rest api14:43
*** woodburn has quit IRC14:44
*** clenimar has joined #openstack-keystone14:45
lbragstadbknudson i had to supply some stuff to pygerrit in order to get it to work14:45
bknudsonoh, I thought you'd need another ID for the gerrit stream14:46
dolphmnonameentername: i said monday, but i think that was just when i came across the failure. this log was from the periodic stable mitaka build from last thursday:
lbragstadbknudson the only thing I need to supply was my gerrit id14:48
lbragstadbknudson and it used an ssh key from the box i was developing on (that was already uploaded to gerrit)14:49
bknudsonlbragstad: watch out if infra decides to disable your id14:49
dolphmbknudson: reading the stream should be no big deal14:49
dolphmunless they've changed that recently14:49
lbragstadwell - it seemed to be really easy to do - it was only a few lines of code14:49
*** timcline has joined #openstack-keystone14:49
dolphmlbragstad: but before you start posting review feedback, you should get a 3rd party CI account14:50
*** diazjf has joined #openstack-keystone14:50
lbragstadand all the events come back as nice little objects14:50
lbragstaddolphm yeah - that's on my list of things to do today14:50
samueldmqlbragstad: those are henrynash_'s patches, but yes, great you will be able to do the performance testing :D14:53
*** diazjf has quit IRC14:56
*** clenimar has quit IRC14:56
*** links has joined #openstack-keystone14:57
*** fhubik_brb has joined #openstack-keystone14:58
*** fhubik has quit IRC14:58
*** fhubik_brb has quit IRC14:58
*** clenimar has joined #openstack-keystone15:00
*** fawadkhaliq has joined #openstack-keystone15:00
*** clenimar has quit IRC15:01
*** tonytan4ever has quit IRC15:03
*** lucas___ has joined #openstack-keystone15:05
*** frickler has quit IRC15:06
*** frickler has joined #openstack-keystone15:06
*** sheel has joined #openstack-keystone15:07
*** tonytan4ever has joined #openstack-keystone15:09
*** KevinE has joined #openstack-keystone15:10
lbragstaddoes anyone have a preference on what the user id of the keystone performance service user should be?15:10
lbragstadalso - we will need a dedicated email address for the service user account because gerrit assumes user email addresses are  unique across the system15:13
*** browne has joined #openstack-keystone15:14
lbragstadI could create a 'keystone-performance' user in gerrit and hook it up to a dummy email address?15:15
bknudsonI think infra wants a prefix on the name15:15
lbragstadthis is what i'm reading
*** nisha__ has quit IRC15:17
*** nisha__ has joined #openstack-keystone15:17
openstackgerritRon De Rose proposed openstack/keystone: PCI-DSS Disable inactive users requirements
*** julim has joined #openstack-keystone15:20
*** julim has quit IRC15:20
*** julim has joined #openstack-keystone15:21
*** david-lyle has joined #openstack-keystone15:21
*** julim has quit IRC15:22
*** julim has joined #openstack-keystone15:22
*** woodster_ has joined #openstack-keystone15:24
*** diazjf has joined #openstack-keystone15:26
*** lucas___ has quit IRC15:26
*** dmk0202 has quit IRC15:29
*** diazjf has quit IRC15:30
*** lucas____ has joined #openstack-keystone15:32
*** julim has quit IRC15:32
*** julim has joined #openstack-keystone15:42
*** julim has quit IRC15:43
*** julim has joined #openstack-keystone15:44
*** julim has quit IRC15:44
*** belmoreira has quit IRC15:46
*** julim has joined #openstack-keystone15:46
*** julim has quit IRC15:46
*** julim has joined #openstack-keystone15:47
*** diazjf has joined #openstack-keystone15:47
*** nisha_ has joined #openstack-keystone15:50
*** nisha__ has quit IRC15:51
*** julim has quit IRC15:57
*** chlong has quit IRC15:58
*** fawadkhaliq has quit IRC16:07
*** edtubill has joined #openstack-keystone16:07
*** julim has joined #openstack-keystone16:12
*** julim has quit IRC16:12
*** julim has joined #openstack-keystone16:13
*** gyee has joined #openstack-keystone16:15
*** ChanServ sets mode: +v gyee16:15
*** links has quit IRC16:15
shewlessI'm getting further in my keystone federation with testshib. I'm hitting a new error "Missing entity ID from environment" in the keystone log.  I have a --remote-id set for my identity provider.. I'm not sure what else I need. Any hints?16:16
dstanekshewless: sounds like your remote_id_attribute is incorrect16:19
dstanekshewless: for it should be 'Shib-Identity-Provider'16:20
*** rk4n has joined #openstack-keystone16:20
*** pushkaru has joined #openstack-keystone16:21
shewless+dstanek: that's what I thought but I have it set to that exact string.  Do I have to set up my protocol or identity provider with that same 'Shib-Identity-Provider'?16:22
*** rk4n__ has quit IRC16:23
dstanekshewless: you shouldn't have to do anything else with that string. the error is because that key is not in the environment provided by mod_shib16:25
dstanekshewless: can you paste.o.o the environment from your log?16:25
shewless+dstanek: how do I paste the environment?16:25
dstanekshewless: grab it from the keystone.log and paste to paste.openstack.org16:26
*** daemontool has joined #openstack-keystone16:27
*** lucas____ has quit IRC16:28
*** browne has quit IRC16:30
shewless+dstanek: this is my apache2/keystone-public.log.. I doubt it's what you need but it's a start
dstanekshewless: try turning on debug logging16:31
*** lucas___ has joined #openstack-keystone16:31
*** tesseract has quit IRC16:31
shewless+dstanek: in keystone? I'm not sure how16:32
*** lucas____ has joined #openstack-keystone16:32
shewlesslike: debug=true in keystone.conf I guess16:32
dstanekshewless: look for the 'debug' settings in keystone.conf. there are a couple there16:33
*** d0ugal has quit IRC16:33
*** luca_____ has joined #openstack-keystone16:33
*** diazjf has quit IRC16:34
*** diazjf has joined #openstack-keystone16:34
*** luca_____ has quit IRC16:34
*** luc______ has joined #openstack-keystone16:34
dstanekshewless: also to step back for a second16:35
*** lucas___ has quit IRC16:35
dstanekyou are using as your IdP right? and you are using Horizon to login?16:35
*** frontrunner has quit IRC16:36
shewless+dstanek: any better:
shewless+dstanek: yes you are correct.16:36
*** lucas____ has quit IRC16:36
*** yolanda has quit IRC16:37
dstanekshewless: can you also paste your config?16:38
*** luc______ has quit IRC16:39
*** diazjf has quit IRC16:40
*** yolanda has joined #openstack-keystone16:40
*** Guest47242 is now known as med_16:41
*** med_ has joined #openstack-keystone16:41
*** lucas___ has joined #openstack-keystone16:41
*** rcernin has quit IRC16:42
*** fawadkhaliq has joined #openstack-keystone16:42
*** fawadkhaliq has quit IRC16:42
*** fawadkhaliq has joined #openstack-keystone16:42
*** lhcheng has joined #openstack-keystone16:45
*** ChanServ sets mode: +v lhcheng16:45
*** lucas___ has quit IRC16:46
*** frontrunner has joined #openstack-keystone16:47
*** d0ugal has joined #openstack-keystone16:49
*** mvk has quit IRC16:50
*** diazjf has joined #openstack-keystone16:55
dstanekshewless: so you are successfully getting redirected to to login, but on the redirect back you are getting the 500?16:56
*** rderose has quit IRC16:56
*** daemontool has quit IRC16:57
shewless+dstanek: I'm not even sure if that's happening.. I can do a tcpdump.. in my browser I see this: {"error": {"message": "Missing entity ID from environment (Disable insecure_debug mode to suppress these details.)", "code": 401, "title": "Unauthorized"}}16:58
shewlessand the address bar is: http://...:5000/v3/auth/OS-FEDERATION/websso/testshib?origin=https://.../auth/websso/16:59
shewlessI can't figure out where OS_FEDERATION/websso/testshib? is coming from..16:59
*** rderose has joined #openstack-keystone17:00
*** ayoung has quit IRC17:01
shewless+dstanek: If I tcpdump the management interface where horizon/keystone is running I don't see any information going to testshib.. so maybe it's not getting that far?17:02
shewless+dstanek: or is my browser supposed to be doing that part?17:04
*** tonytan4ever has quit IRC17:04
dstanekshewless: tcp dumping isn't going to help. the redirect back to keystone is handled by the metadata (i think). i don't think you will ever see keystone<->testshib traffic17:09
dstanekbut you are logging in and getting redirected back to keystone and then getting the 500?17:10
*** browne has joined #openstack-keystone17:10
*** sdake has joined #openstack-keystone17:10
shewless+dstanek: I get to the horizon login screen. It says "Authenticate using" and I have an entry in there called "Testshib SAML". I click connect and then I see this error: {"error": {"message": "Missing entity ID from environment (Disable insecure_debug mode to suppress these details.)", "code": 401, "title": "Unauthorized"}}17:11
*** lucas___ has joined #openstack-keystone17:11
shewlessI don't have a chance to log in anywhere17:12
dstanekshewless: sounds like maybe mod_shib isn't correctly configured in apache? can you paste your keystone apache config?17:12
dstanekshewless: so i think the flow (in the browser) is something like horizon->keystone->testshib->keystone->horizon - the url on keystone's side should be protected with mod_shib to force it to redirect to the IdP if the user hasn't authed17:14
*** jsifantu has joined #openstack-keystone17:15
shewless+dstanek: here you go:
*** lucas___ has quit IRC17:17
dstanekshewless: are you using the saml2 protocol? an earlier error message led me to believe you created a testshib protocol17:18
dstanekshewless: also for websso i was using LocationMatch "/v3/auth/OS-FEDERATION/identity_providers/.*?/protocols/saml2/websso"> in my config17:20
shewlessI created both.. but right now I'm using the saml2 protocol17:20
dstanekshewless: can you do a request now that you are using the saml2 protocol and paste the keystone log?17:22
*** tonytan4ever has joined #openstack-keystone17:23
shewless+dstanek: I think in I put the wrong value.. I put testshib and I think I should have put saml2. I'm trying again..17:23
*** TxGVNN has quit IRC17:23
dstanekshewless: that should change the URL to hopefully the protected one17:23
openstackgerritMatthew Edmonds proposed openstack/keystone: Honor ldap_filter on filtered group list
shewless+dstanek: darn still not working.. same problem.. I'll check the logs to see if they changed17:24
*** jorge_munoz_ has joined #openstack-keystone17:25
shewless+dstanek: the URL does look different but the end result is the same (same error about missing entity ID)17:25
*** jsifantu has quit IRC17:26
*** itisha has joined #openstack-keystone17:26
samueldmqrderose: so, patch 323596 changes the structure of the code, because now it acts as any other backend that can have a custom driver17:27
patchbotsamueldmq: - keystone - Refactor shadow users and deprecate driver backend17:27
samueldmqrderose: but it doesn't make that sense to shadow users17:27
*** jorge_munoz has quit IRC17:28
*** jorge_munoz_ is now known as jorge_munoz17:28
dstanekshewless: when you go directly to http://...:5000/v3/auth/OS-FEDERATION/websso/testshib?origin=https://.../auth/websso/ what happens?17:28
rderoseto me the backend is the data access layer if you will17:28
samueldmqrderose: yes?17:29
rderosesamueldmq: and I certainly don't think we should allow every backend to be customized17:29
rderosesamueldmq: it creates technical debt17:29
rderosesamueldmq: so core -> backend is okay, so core -> backend/ should be acceptable17:30
dstanekrderose: i don't know that i agree with that change. will 'shadow' be used as an identity backend?17:30
shewless+dstanek: I get this error17:30
shewless{"error": {"message": "Missing entity ID from environment (Disable insecure_debug mode to suppress these details.)", "code": 401, "title": "Unauthorized"}}17:30
*** BjoernT has joined #openstack-keystone17:31
rderosesamueldmq: so is just another backend data access object, that is not customizable17:31
rderosedstanek: no, shadow will not be used as an identity backend17:31
dstanekrderose: i don't think it belongs in keystone.identity.backends then17:32
rderosedstanek: but it is identity backend code :)17:32
samueldmqrderose: why not just keep it as identity/shadow_backends/sql.py17:32
samueldmqrderose: the only difference is that there won't be a public generic driver that can be customized17:32
rderosedstanek: where do we put backend code that is not a driver then?17:32
samueldmqrderose: and plugged17:32
*** pushkaru has quit IRC17:33
rderosesamueldmq: because, so for every backend object, we're going to create these folders and structure?17:33
dstanekrderose: i think where it was17:33
rderosesamueldmq: to me that only makes sense if it is pluggable17:33
samueldmqrderose: isn't it a driver ? it does sql queries on entities to db17:33
rderosedstanek: so every backend should be pluggable; thus customizable?17:34
dstanekrderose: it's not for every backend object. the architecture is that when we have a driver interface that we put implementations in a separate package17:34
rderosesamueldmq: I think of it more as a database access object, then a driver17:34
dstanekrderose: what does it hurt?17:34
samueldmqdstanek: ++ and just remove the config option to plug drivers that implement that interface17:34
samueldmqeven the driver interface can be maintained, and used internally17:35
dstanekrderose: how will it be injected in the future?17:35
rderosedstanek: if everything is customizable, it makes changes slow, but we always have to be concerned about that.  and it makes referential integrity impossible.  let's stop the insanity :)17:35
rderose* changes slow, because we always have to be concerned with the custom implementation (sorry)17:36
dstanekrderose: we only have to be concerned with the interface and semantics17:36
dstanekif someone writes a mongo version then who cares?17:36
dstanekmaybe this just need to be in the actual identity backends17:37
rderosedstanek: what about referential integrity?17:37
dstanekrderose: it's not needed17:37
*** thumpba has joined #openstack-keystone17:37
samueldmqrderose: my view is that every keystone subsystem has that structure with core owning the manager and driver signature and backends/ containing the drivers17:37
shewless+dstanek: in my shibboleth xml my entity is https://../shibboleth. But in my address bar the origin is https://../auth/websso - does that matter?17:37
rderosedstanek: it could improve performance17:37
samueldmqrderose: if the issue is to not allow custom drivers for shadow users, just deprecate the config option17:37
dstanekrderose: how would there be an improvement in performance?17:38
rderosesamueldmq: what's the point of the interface then17:38
samueldmqrderose: make sure the drivers we implement are in agreement with it17:38
rderosedstanek: if we have referential integrity between user table and other tables, faster queries17:39
samueldmqrderose: if we implemented an LDAP driver, it would need to follow the interface17:39
*** rk4n has quit IRC17:39
samueldmqrderose: and the only thing the manager needs to know is the interface17:39
openstackgerrithenry-nash proposed openstack/keystone: Revert to caching fernet tokens the same way we do UUID
samueldmqrderose: it's like a java interface (or an interface everywhere) :)17:39
rderosesamueldmq: :)17:39
dstanekrderose: doesn't your shadow users backend already use RI?17:39
dstanekisn't that why it needed to share tables?17:40
rderosedstanek: part of the goal of shadow users is to have RI.  My point is, if we always allow for custom drivers, then we can never really have referential integrity.  And not everything should be customizable, to me it creates technical debt.17:41
*** rk4n has joined #openstack-keystone17:42
dstanekwhat about in this case? do we have RI?17:42
rderosedstanek: between the different user objects, yes17:42
dstaneki actually think it makes a cleaner architecture. not technical debt.17:42
rderosesamueldmq dstanek: if you want to keep structure, but eliminate the config option, I suppose I could live with that for now17:43
*** jsifantu has joined #openstack-keystone17:43
rderosesamueldmq dstanek: but I do think we need to come up with a better design pattern17:43
dstaneki guess i just don't see the deficiency17:44
rderosedstanek: I do see some value; just don't like that every time I need a database object, I've got to do this whole driver thing17:44
dstanekrderose: that's probably a constant in most of our subsystems that won't go away17:45
dstanekat least not anytime soon17:45
dstanekwhat we have started to do is support less and less implementations17:45
dstanekbut we still need to declare interface17:46
rderosedstanek: okay, I can live with that17:46
rderosesamueldmq dstanek: I'll create a new refactor patch for shadows users :)17:46
bknudsonwe've had requests / ideas about switching to objects rather than passing around dicts before.17:46
rderosesamueldmq dstanek: adding it to my list17:46
rderosebknudson: ++17:46
dstanekbknudson: ++17:46
samueldmqand having an interface rather than a single implementation (sql) won't let us do RI17:46
samueldmqbknudson: I think there was a spec from ayoung17:47
rderosesamueldmq: but not allowing everything to be customizable will17:47
samueldmqbknudson: that's a nice thing17:47
samueldmqrderose: you can only do RI if everything is sql right?17:48
dstaneksamueldmq: i think RI is a red herring here as there isn't any RI impact based on this change17:48
*** diazjf has quit IRC17:48
rderosesamueldmq: not everything, I'd settle for some :)  I mean we currently have a ton of island tables17:48
*** lucas___ has joined #openstack-keystone17:48
*** diazjf has joined #openstack-keystone17:49
samueldmqdstanek: yes, I was just thinking if there was a way to do opportunistic RI in the future, if we really needed it :)17:49
samueldmqbut we can't really do it right in databases if the objects are not in databases all the time (depends on the driver, maybe it's ldap)17:50
samueldmqso I think we're doing it right, because RI would be something driver specific, when we support multiple17:50
*** diazjf has quit IRC17:50
*** nisha_ has quit IRC17:50
henrynash_notmorgan, ayoung: I'm kind of at the point that I think I will have to abandon the specs for both project hierarchical naming and naming relaxation - neither can provide the guarantee that an auth request before the upgrade will work after the upgrade without modification17:50
*** nisha__ has joined #openstack-keystone17:50
rderosesamueldmq: that's my point, not all drivers need a custom implementation17:50
*** pushkaru has joined #openstack-keystone17:51
dstanekrderose: which ones don't?17:51
notmorganhenrynash_: yeah, sorry :(17:51
notmorganhenrynash_: but you see my concern.17:51
notmorganwe *cant* break current auth requests.17:51
*** sdake has quit IRC17:51
samueldmqrderose: so you want to propose removing their driver config options? and do RI in sql?17:51
henrynash_notmorgan: yep, which was kind of why I was a bit cool on the hierarchical naming version... not sure it bought us THAT much... they both break the auth17:52
dstanekhenrynash_: that's unfortunate17:52
rderosedstanek: well, shadow users for one, mapping_id probably not...17:52
samueldmqrderose: is it worth it to do half-RI?17:52
rderosedstanek: catalog, credential...17:52
samueldmqwe also don't control whether people have custom driver or not17:52
dstanekrderose: catalog and credential definitely need to be backends17:53
rderosesamueldmq: yeah, definitely17:53
samueldmqrderose: so yeah, that's one point :)17:53
dstanekthere should be RI within a subsystem and if we are not doing that then we are wrong17:53
samueldmqdstanek: ++ so RI inside identity is okay, and expected, right ?17:54
samueldmqdstanek: between the shadow tables and the others17:54
dstaneksamueldmq: i would expect it17:54
rderosedstanek samueldmq: alright guys, new patch coming17:55
dstaneki'm actually used to not having RI between subsystems. on high volume websites i worked on we dropped RI on certain tables because it slows down inserts17:55
*** jsifantu has quit IRC17:55
samueldmqdstanek: and then you make sure things are as expected in the business logic (you narrow things there)17:57
samueldmqdstanek: I am also used to it, it makes sense to me at the point you think you may have different actual backends for the data (and drivers), so you just can't do it17:58
dstaneksamueldmq: right. enforce the RI in code.17:58
*** browne has quit IRC17:58
dstanekshewless: it sounds like mod_shib isn't picking up your request17:58
shewless+dstanek:  I have this in apache config: WSGIScriptAliasMatch ^(/v3/OS-FEDERATION/identity_providers/.*?/protocols/.*?/auth)$17:59
samueldmqrderose: nice, looking forward to review it17:59
shewless+dstanek: but the URL is :5000/v3/auth/OS-FEDERATION/websso/saml2?17:59
samueldmqrderose: I left a review just to register our conversation/decision17:59
shewless+dstanek: I think that might be the problem... I'm not sure why the URL is showing like that..17:59
rderosesamueldmq: cool :)17:59
rderosesamueldmq dstanek: PCI patches are ready when you have time18:00
dstanekshewless: here is my current config on the code where i'm writing my saml2 middleware
*** adrian_otto has joined #openstack-keystone18:02
shewless+dstanek: thanks. do you think I would need the keystone.conf or any other conf as well?18:03
shewless+dstanek: do I need that alias /identity stuff?18:03
dstanekshewless: not sure, but this should get your apache in the right state18:03
dstanekthe /identity is just what devstack currently does18:03
*** browne has joined #openstack-keystone18:03
shewless+dstanek.. you have a location for sso and a location for non sso18:04
*** chris_hultin has joined #openstack-keystone18:04
adrian_ottohey everyone. I am having a little trouble getting v3 to work with my OSAD setup. It seems to work just fine for generating v2 tokens. This is what happens when a client tries to get a v3 token: Any guidance?18:04
adrian_ottoit's definitely using a self-signed certificate. Does that matter?18:05
openstackgerrithenry-nash proposed openstack/keystone: Revert to caching fernet tokens the same way we do UUID
dstanekadrian_otto: is that the entire log? after the POST it really doesn't show what the error was18:06
dstanekare you getting 500s?18:06
adrian_ottothe client gets a 500 back, yeah18:06
adrian_ottothat's just the part of the log that was written at the time of the request18:07
lbragstadI don't think anything from that paste is issuing the 50018:07
*** jamie_h has quit IRC18:07
adrian_ottooh, interesting18:07
lbragstadthat's pretty normal output when using self-signed certs18:07
adrian_ottogood to know18:07
odyssey4meadrian_otto if the v2 endpoint is working then it's most likely that the request isn't providing a domain/project18:07
odyssey4mea v3 request needs a bit more info18:08
dstanekadrian_otto: do you have a detailed error message in the 500 response?18:08
adrian_ottohere is the trace from the client side:
bknudson"GET /mservices HTTP/1.1" 500 5918:08
*** henrynash_ has quit IRC18:09
dstanekadrian_otto: you are getting a token and then /mservices is failing18:09
adrian_ottothat's how the client gets the catalog of services from keystone, right?18:09
bknudsonno, keystone doesn't have an /mservices18:09
dstaneki'm assuming that's a magnum URL18:10
*** frontrunner has quit IRC18:10
bknudsonnot sure why that would cause a 500 error... should be 404 not found18:10
adrian_ottoyes, I did a magnum service-list18:10
-openstackstatus- NOTICE: Zuul has been restarted to correct an error condition. Events since 17:30 may have been missed; please 'recheck' your changes if they were uploaded since then, or have "NOT_REGISTERED" errors.18:10
dstanekadrian_otto: is there any info in the magnum log?18:10
adrian_ottobut I did not see an error come up in the magnum log file.18:11
adrian_ottolet me try it again18:11
odyssey4meis magnum configured to communicate using Keystone v3 on a service-service level?18:11
bknudsonif keystone and magnum are separate log files then /mservices should not show up in keystone log file18:11
bknudsonthat would indicate that the client is talking to keystone when it should be talking to magnum18:11
adrian_ottoyeah, magnum is in a different service container on this host, and has its own log18:12
dstanekbknudson: it wasn't. that was the client log18:12
adrian_ottomaybe I'm crashing magnum or something. I'll look there18:12
*** jsifantu has joined #openstack-keystone18:12
bknudsondstanek: makes sense. The log doesn't show the port.18:13
dstanekbased on the keystone log you have it doesn't look like magnum ever gets around to calling back to keystone. not sure if it needs to or not18:13
adrian_ottothanks for the help, I'll chime in a bit later and let you know what I found. The cert error was throwing me off the scent here, sorry.18:13
dstanekadrian_otto: happy bug hunting18:13
bknudsonis the connectionpool logging from session?18:14
bknudsonmaybe we could improve that.18:14
bknudson"Starting new HTTP connection (1)" -- what does the (1) mean?  We need better logging18:15
dstaneki would guess that's a requests thing18:15
shewless+dstanek: praise the Lord I'm one step further!!!! Now I see a testshib page... but more work is needed. it's an ERROR.. in fact it says "Something horrible happened".. lol18:15
dstanekshewless: what does it say the error is?18:15
dstanekthere should be a one line message at the bottom of that paragraph18:16
zigonotmorgan: FYI, I gave up using uwsgi, and now the Debian package uses Apache directly. The reasoning is that it's what Ubuntu does, and I don't want to break puppet-openstack, so I prefer my packages behave the same way as the one in Ubuntu.18:16
dstanekit's likely that your metadata isn't correct18:16
*** BjoernT has quit IRC18:16
shewlessError Message: SAML 2 SSO profile is not configured for relying party
dstanekshewless: did you upload the metadata?18:17
shewless+dstanek: I did. and I downloaded the corresponding shibboleth2.xml file and put it in /etc/shibboleth/18:18
shewless+dstanek: and the entityID of that file says: entityID="
shewless+dstanek: maybe I'll retry the upload.. I did it yesterday morning18:18
dstanekshewless: the metadata you uploaded was incorrect18:20
dstanekit says entity id is
dstanekbad paste...18:21
dstanekwith an uppercase s18:21
dstanekshewless: you can search for the entities here:
*** lucas___ has quit IRC18:22
shewless+dstanek: that link doesn't work: The page you were looking for doesn't exist18:22
dstanekthat's what your entity id is set to.18:23
shewless+dstanek: interesting.. let me try and upload a new one and see if that works18:25
*** welldannit has joined #openstack-keystone18:25
welldannithello. if anyone has a few minutes im having some troubles getting keystone/ldap working on liberty18:25
dstanekwelldannit: go ahead and just ask your questions. hopefully someone is around to answer them18:26
welldanniti did this a long time ago and back then i defined roles/project and users in ldap18:26
shewless+dstanek: well it worked... I just re-uploaded the metadata... I'm not sure how I went wrong the first time.. maybe it's because the apache config was screwed up18:26
welldannitnow it looks like the "right" way to do things is to use a domain and only define users/groups in ldap18:27
shewless+dstanek: next: Error Message: No peer endpoint available to which to send SAML response18:27
welldannitunfortunately i can't figure out how to get the user set up to have access to any projects18:27
*** pushkaru has quit IRC18:28
*** ayoung has joined #openstack-keystone18:28
*** ChanServ sets mode: +v ayoung18:28
*** jsifantu has quit IRC18:28
dstanekshewless: can you paste your metadata? for some reason it can't find the HTTP-POST url18:29
shewless+dstanek: does the identity provider need to POST to the service provider? My server is not publicly accessible..18:31
*** nisha_ has joined #openstack-keystone18:31
dstanekshewless: yes i think the IdP makes a metadata request from the service provider18:32
*** links has joined #openstack-keystone18:32
dstanekbut it may just be your metadata18:33
dstanekthat log is not just your stuff, but anyone running against testshib18:33
shewless+dstanek: hmm looks like that might be the case.. I thought it would all happen in a session initiated by my server..18:33
*** BjoernT has joined #openstack-keystone18:33
shewless+dstanek: maybe it's time to switch to my IT department's internal IDP and see if I can get that to work. I just wanted to work out the kinks first18:34
shewless+dstanek: thanks for all of your help. we'll see18:34
samueldmqrderose: you still around ?18:35
dstanekshewless: you could always fire up a cloud server and experiment with testshib18:35
samueldmqrderose: I am on the first patch on the chain ( patch 314284 )18:35
patchbotsamueldmq: - keystone - Add password table columns to meet PCI-DSS change ...18:35
*** nisha__ has quit IRC18:35
*** rk4n has quit IRC18:35
shewless+dstanek: good idea. I'm concerned about the mapping file and how the roles are setup.  Do you know if it's possible for each user to have their own project when logging in via federation?18:36
*** frontrunner has joined #openstack-keystone18:36
shewless+dstanek: I know when I used ldap I had to manually create the project ahead of time, but I could map the project id to the user id in keystone.conf (there is some option for that)18:36
dstanekshewless: if the projects already exist then you should be able to map to them. right now there is no mechanism to create them...yet. there is a spec for that18:37
*** sdake has joined #openstack-keystone18:37
shewless+dstanek: okay. Do I map them with shibboleth/attribute-map.xml or the mapping in openstack itself?18:37
rodrigodsdstanek, ^ interesting... the timing of shewless question and the spec proposal :)18:37
shewless+rodrigods: it's a good idea :P18:38
rodrigodsshewless, yes it is!18:38
dstanekshewless: attribute-map.xml will tell mod_shib what attributes to pull out of the assertion and what you want them called for keystone18:38
*** BjoernT has quit IRC18:38
dstanekthen you have to create a json mapping in keystone to match those things that do other things18:39
*** woodburn has joined #openstack-keystone18:39
dstaneki'm assuming you've at least seen the json with local and remote blocks...18:39
shewless+dstanek: yes I have. I took a crack at adding one.. I just don't really know what it all means18:40
shewless+dstanek: or how to relate it18:40
rodrigodsshewless, this might help:
dstanekshewless: basically when you login to an IdP it will provide the service providers some attributes about you like name/group/etc. the attribute-map.xml is just telling mod_shib which ones you care about.18:41
dstanekthe link rodrigods posted shows how to take those and do something useful18:41
*** pushkaru has joined #openstack-keystone18:42
*** jsifantu has joined #openstack-keystone18:43
dstaneksetting up federation is an exercise in pain18:43
shewless+dstanek: thanks.. I'm feeling the pain. what's the local vs remote stuff?18:43
dstanekremote does the matching for example the IdP says the user is in a particular group18:44
dstanekif that matches the local declares who keystone thinks the user is. gives them a keystone group/etc18:44
rderosesamuelmq: hi, back now18:44
samueldmqrderose: left a review there :)18:45
dstanekshewless: for example keystone may have a group called 'developer' and IdP1 calls it 'Devs' - you create a mapping18:45
samueldmqrderose: in ""18:45
rderosesamuelmq: responding now18:45
samueldmqrderose: nice18:46
dstanekthat way when IdP2 calls it 'Engineers' you can just create a new mapping and keystone is IdP agnostic18:46
shewless+dstanek: okay I'll try and federate with my internal IDP and then I'll see about this mapping!!18:46
dstanekshewless: word of warning. even after a successful auth through an IdP you'll get a 401 if the mappings don't match18:47
*** yolanda has quit IRC18:48
*** nisha_ has quit IRC18:49
*** pgbridge has joined #openstack-keystone18:49
rderosesamueldmq: let me know if that makes sense18:50
*** nisha_ has joined #openstack-keystone18:51
samueldmqrderose: sure, looking in a bit, just finishing another review18:54
rderosesamueldmq: cool18:55
samueldmqhenrynash: you still around ?19:02
*** alex_xu has quit IRC19:02
samueldmqhenrynash: had a question around ldap things ... nevermind I figured it out :)19:05
samueldmqhenrynash: something related to options_name and ldap_filter19:05
*** alex_xu has joined #openstack-keystone19:06
*** harlowja has quit IRC19:12
openstackgerritAndrew Laski proposed openstack/oslo.policy: Add helper scripts for generating policy info
samueldmqrderose: replied19:15
*** harlowja has joined #openstack-keystone19:15
rderosesamueldmq: yes, I added a default value utcnow() and doesn't work with sqlplus19:17
dolphmnonameentername: (in case you don't have scrollback) i said monday, but i think that was just when i came across the failure. this log was from the periodic stable mitaka build from last thursday:
rderosesamueldmq: I tried to get a default date value to work, spent a lot of time on this19:20
samueldmqgyee: patch 325939 waiting for you to get approved19:20
patchbotsamueldmq: - keystone - Honor ldap_filter on filtered group list19:20
*** frontrunner has quit IRC19:21
samueldmqrderose: how are you testing against the different rdbms ? manually ?19:21
rderosetempest tests19:21
*** gagehugo has joined #openstack-keystone19:21
samueldmqrderose: ( I am asking because I don't know if we have a gate for sqlplus)19:21
rderosegates test postgres as well, right?19:22
rderosesamueldmq ^19:23
samueldmqrderose: I think so19:24
samueldmqrderose: did you see my other comment about not having expired column at all ?19:25
*** rcernin has joined #openstack-keystone19:25
rderosesamueldmq: it's a good point.  I think it's still convenient to have the flag.  Can you live with changing the name to enabled?19:26
samueldmqrderose: yes I can, but that's something very easy to identify (only latest is valid)19:27
samueldmqrderose: instead of querying enabled=True, query the latest, doesn't seem that complex19:27
rderosesamueldmq: what if all password are expired?19:27
samueldmqrderose: we may get other's view on it too, I am not too hard on that19:27
samueldmqrderose: hmm, only last password is valid, and only if it has not expired (comparing with password_expires_days)19:28
samueldmqrderose: that can be done, but sure with enabled flag the logic seems much simpler, especially when querying19:29
rderosesamueldmq: yeah, I'll give it some thought though19:29
rderosesamueldmq: thx19:29
samueldmqrderose: sure19:30
*** links has quit IRC19:31
openstackgerritAndrew Laski proposed openstack/oslo.policy: Improve policy sample generation testing
gyeesamueldmq, yeah, 325939 looks good19:35
*** gyee has quit IRC19:40
*** chris_hultin has left #openstack-keystone19:40
*** spzala has quit IRC19:46
*** sdake_ has joined #openstack-keystone19:47
*** sdake has quit IRC19:48
rcerninayoung, hi! Is it possible to use domain functionality to segment users, projects and rights assigned to each others. In keystone v3, is it possible to activate multi-identity ldap backend based on each domain created.19:49
ayoungrcernin, yes and yes19:49
rcerninayoung, Keystone with APIv319:49
ayoungrcernin, the devil is in the details, but yes19:50
*** yolanda has joined #openstack-keystone19:50
rcerninayoung, yes and yes but we have an issue with configuring it, we think the issue lays in the policy.json, we get ERROR: openstack You are not authorized to perform the requested action: identity:list_domains (Disable debug mode to suppress these details.) (HTTP 403)19:51
ayoungrcernin, Deja vu.  I was just looking at that this morning19:51
rcerninayoung, do you have time with me or are you going to sleep soon :)19:51
ayoungrcernin, I'm too drunk to sleep.19:51
rcerninayoung, yeah it's most likely it19:51
ayoungJust kidding19:51
ayoungits the middle of the afternoon here19:51
rcerninIts almost 10pm here, was waiting for you :-)19:52
ayoungstill on Coffee, have not switched to alcohol yet19:52
ayoungrcernin, I'm on US East Coast time19:52
rcerninWe are in Brno.19:52
ayoungand going to make more coffee19:52
rcerninCaffeine levels dropped?19:52
*** nisha_ has quit IRC19:54
ayoungrcernin, was talking about this with ebarrera this morning19:54
openstackgerritRon De Rose proposed openstack/keystone: Refactor shadow users and deprecate driver backend
rcerninayoung, yes! thats him, I am his colleague. And I am trying to help him as he is not online during night and I am and I know you are here.19:55
ayoungrcernin, so,  what policy file are you using19:55
ayoungcloud sample?  OSP7  which is Kilo, right?19:55
rcerninayoung, /usr/share/keystone/policy.v3cloudsample.json19:55
rcerninayoung, yes19:56
ayoungrcernin, Horizon lacked support for Domain scoped tokens  in Kilo19:56
rcerninayoung, in the beginning we got a Newton since they downloaded the master branch but it's same with Kilo too.19:56
ayoungin Newton, I think Horizon has support for Domain scoped tokens19:57
ayoungwhich is what the cloud sample requires19:57
ayoungI think you want default policy for Kilo19:57
rcerninayoung, well they have Kilo, but first they used github to download the policy.json but they got master branch, we told them to get it for kilo or /usr/share.. folder19:57
ayoungrcernin, this is for an internal deploy, I think it is OK to let any user do "list domains"19:57
rcerninayoung, it doesn't work for them in CLI either19:58
rcerninayoung, not just Horizon19:58
rcerninayoung, we understand that Horizon lacked the support, maybe you told us already. But at least could we get it working in CLI?19:58
samueldmqrodrigods: do you have integration tests for federation mapping ?20:00
ayoungrcernin, the CLI with the policy you have right now needs a domain scoped token, not project.  To do that, edit your RC file like this:20:00
ayoungunset OS_PROJECT_DOMAIN_NAME20:00
ayoungunset OS_PROJECT_NAME20:00
ayoungunset OS_PROJECT_DOMAIN_ID20:00
ayoungunset OS_PROJECT_ID20:00
*** fawadkhaliq has quit IRC20:01
ayoungand do openstack token issue20:01
*** fawadkhaliq has joined #openstack-keystone20:01
ayoungrcernin, of course, if the user does not have a role on the Default domain, they will not get a token20:01
ayoungso you might need to do20:01
ayoungopenstack --os-cacert ~/.ossipee/deployments/ayoungosp8.oslab/ca.crt   role add --user admin --domain Default admin20:02
openstackgerritRon De Rose proposed openstack/keystone: Shadow LDAP and custom driver users
openstackgerritRon De Rose proposed openstack/keystone: Shadow LDAP and custom driver users
ayoungrcernin, make sense?20:05
rcerninayoung, whats difference between OS_USER_DOMAIN_NAME and OS_DOMAIN_NAME ?20:05
rcerninayoung, I am checking the RC we have now.20:05
*** fawadkhaliq has quit IRC20:05
rcerninso I will have
ayoungrcernin,  OS_USER_DOMAIN_NAME  is the namespace for the user lookup.  OS_DOMAIN_NAME  says "scope this token to a domain named=X"20:06
ayoungrcernin, looks right, assuming the name is 'default' and not 'Default'20:07
samueldmqrodrigods: change 307508 is the one addressing both protocols and mappings right ?20:08
rcerninayoung, could you look at
openstackgerritRon De Rose proposed openstack/keystone: Refactor shadow users and deprecate driver backend
samueldmqpatch 30750820:08
patchbotsamueldmq: - keystone - Add protocols integration tests20:08
rcerninayoung, there is what we did.20:08
openstackgerritRon De Rose proposed openstack/keystone: Shadow LDAP and custom driver users
*** amrith is now known as _amrith_20:09
ayoungrcernin, not fair to the other room users to post something that needs a RH login20:09
rcerninI am sorry guys. can I pm you ?20:10
ayoungrcernin, nah, its ok20:11
rcerninJust ignore that :-)20:11
ayoungnothing private in that link but the paywall20:11
rcerninlet's say I am drunk too.20:11
rcerninyeah :_(20:11
ayoungI seee lots of CURL.  Someone was reading my blog20:11
*** pnavarro has quit IRC20:12
rcernin10% skill 20 percent curl :D20:12
samueldmqbknudson: rderose: dstanek: this is ayoung's patch I mentioned earlier about using python objects within keystone
patchbotsamueldmq: patch 184651 - keystone - IAM Models20:12
ayoungrcernin, so,  try what I suggested.  To do Domain operations using the v3cloud sample policy file needs a domain scoped token.20:12
ayoungsamueldmq, I miss that code.20:13
rcerninayoung, will do thank you for you time.20:13
ayoungrcernin, anytime20:13
rderosesamueldmq: cool, will look at later. thx for sharing this.20:14
openstackgerritayoung proposed openstack/keystone: IAM Models
ayoungsamueldmq, running pep on that shows everything that is wrong with our dev process. We are pedantic about code comments, but blasé about proper object oriented code20:16
ayoungMissing docstring in magic method20:16
ayoungFeh you should not need a docstring THERE!20:16
ayoungFirst line should be in imperative mood ('Determine', not 'Determines')20:16
ayounghow about "thou shalt not use dictionaries for thy domain model!"20:16
openstackgerritRon De Rose proposed openstack/keystone: Shadow LDAP and custom driver users
notmorganayoung: pep is a code style guide/linter20:18
notmorganayoung: it is NOT meant to address OO design20:18
notmorganayoung: show me static analysis that addresses OO design.20:18
ayoungnotmorgan, the fact that we place more emphasis on pep8 messages than on the code itself.20:19
*** mvk has joined #openstack-keystone20:19
notmorganwe can't automate oo design principles20:19
ayoungnotmorgan, the rules of pep8 are, for the most part busy work20:19
notmorganwe automate the pieces we do so that we have a consistent style20:20
ayoungthey are random and I give less than the gum I scraped off my shoe for them20:20
notmorganhave you ever stepped into a code base with no linting/style guides? it's awful20:20
notmorganso block code that isn't formatted right, this is so you, the reviewer, does not need to worry about it20:20
notmorganif the style is wrong but not caught by the linters - fix the linters or roll with it20:20
ayoungnotmorgan, forcing comments into code or even that a comment has to be imperative?20:21
ayoungYeah. yeah...20:21
ayoungbut WE don't care about it20:21
notmorganso propose disabling that specific check:P20:21
openstackgerritRon De Rose proposed openstack/keystone: Refactor shadow users and deprecate driver backend
ayoungthat is what bothers me20:21
ayoungas a team.  Hell, blame termie20:21
openstackgerritRon De Rose proposed openstack/keystone: Refactor shadow users and deprecate driver backend
openstackgerritRon De Rose proposed openstack/keystone: Shadow LDAP and custom driver users
notmorgan*I* care about it. i care that the low bandwidth part of our dev process now (reviewers) is already overloaded20:21
ayoungblame me for not rewriting it back when I could get changes through on this project without an act of congress20:21
notmorganso if i don't need to look at style of code -- with a couple minor exceptions (i'll complain about for/else)20:22
notmorgani am happy. i know the style is conforming to our accepted practices.20:22
notmorganso i can focus on OO design bits when needed20:22
ayoungI think the latter is the true statement. I am mad at myself for the places I "went along" instead of holding true to my principles WRT coding20:22
ayoungand now things are way too set to make the change easily20:22
ayoungI'm annoyed about Domains still20:23
ayoungI'm annoyed that bug 968696 is still open20:23
openstackbug 968696 in Glance ""admin"-ness not properly scoped" [High,In progress] - Assigned to Sharat Sharma (sharat-sharma)20:23
ayoungand I'm annoyed that we are working on a system built around bearer tokens20:23
bknudsonwe need to do a reset and redesign20:24
notmorganayoung: i have been trying to lay framework for getting us out from under that, and you have too.20:24
notmorganbknudson: keystone v4! and split auth!20:24
bknudsonset priorities that get us where we want to be20:24
ayoungnotmorgan, so..let me start by bringing that code back to life...20:24
bknudsonseems like something we should be able to do as a core team20:24
*** spzala has joined #openstack-keystone20:25
bknudsonrather than being at the whim of whatever specs are proposed20:25
notmorganbknudson: agreed. i honestly think it's not too far out to get done. unfortunately.....20:25
*** spzala has quit IRC20:26
*** spzala has joined #openstack-keystone20:26
notmorganit's still a lot of work.20:26
*** thumpba has quit IRC20:27
bknudsonthere's also a lot of overhead in the way we're working now, since there's a lack of focus.20:30
*** henrynash_ has joined #openstack-keystone20:31
*** ChanServ sets mode: +v henrynash_20:31
*** jbell8 has quit IRC20:31
dolphmlbragstad: i just approved this, but i'd be eager to see a performance delta with your benchmarking work
patchbotdolphm: patch 326234 - keystone - Revert to caching fernet tokens the same way we do...20:33
lbragstaddolphm sounds good - i'm getting there... working on the performance scheduler now (hoping to have something done by the end of the day)20:33
notmorganbknudson: truth20:35
*** devananda has quit IRC20:35
*** sheel has quit IRC20:35
ayoungdstanek, so...I was trying to verbalize why I was so opposed to your middleware approach. I think if we do SAML in middleware, and you develop against Shib, it will elevate Shib to a higher degree of support than other Federation providers.  I can't support that.20:36
ayoungAnd I don't want to provide preferential treatment for *any* specific Federation implementation if we can help it20:37
openstackgerritRon De Rose proposed openstack/keystone: Shadow LDAP and custom driver users
ayoungI'm already annoyed that DefCore defines shib compliance as a requirement20:37
dolphmayoung: it does?20:39
ayoungdolphm, yes....the registration step would20:39
dolphmayoung: in 2016.01?20:39
ayoungdolphm, defcore?20:39
dolphmayoung: ?20:39
ayoungdolphm, hmmmm, maybe it is compliance?20:40
ayoungdolphm, I'll get the letter of the law20:40
*** pushkaru has quit IRC20:40
dolphmayoung: i haven't gone deeper than that line20:40
ayoungmaybe it is not defcore, but some agreement enforced by the Federation20:40
*** chris_hultin has joined #openstack-keystone20:40
openstackgerritRon De Rose proposed openstack/keystone: Shadow LDAP and custom driver users
openstackgerritRon De Rose proposed openstack/keystone: Refactor shadow users
openstackgerritRon De Rose proposed openstack/keystone: Shadow LDAP and custom driver users
*** dave-mccowan has quit IRC20:44
*** spzala has quit IRC20:45
*** openstackgerrit has quit IRC20:48
*** openstackgerrit has joined #openstack-keystone20:48
dstanekFTR, i hate shib20:49
ayoungdstanek, I have to admit, I've not touched it.  I am not overly fond of SAML in general20:50
bknudsonayoung: what's wrong with saml?20:50
dstanekbknudson: mostly the ml part20:50
ayoungbknudson, ask the Swift team if we could make them support SAML20:50
ayoungthe amount of traffic required to do a simple auth is simply too high20:51
bknudsonI imagine that would be a tough sell due to overhead20:51
ayoungand yet we have to support it.20:51
bknudsonwhat would be swift's perfect system?20:52
ayoungso the end users still pay the price, just only when they talk to Keystone...and in doing so, we've broken the web20:52
ayoungwe now support tokens, which are not HTTP20:52
ayoungI mean, they look like it, but you can't just hit a website, your browser can't do it20:52
dstanekwhen i read the saml spec i get the feeling that they kept saying "this isn't complicated enough. how do we add more features so that things are not interoperable?"20:52
ayoungdstanek, its because they are doing at the HTTP layer stuff that really should be done at the network layer20:53
ayounghttps client cert is really the only way I can see Web AuthN making any sort of sense in an efficient manner20:53
ayoungSAML is like a short term certificate that you get via redirects20:53
notmynameayoung: bknudson: /me doesn't know anything about SAML, so couldn't tell you what swift's view on it is20:54
ayounghold SAML and X509 side by side, and squint, and you can see the family resemblance20:54
dstanekayoung: oauth is http and still simple20:54
ayoungnotmyname, I know based on how they threw a fit over PKI tokens20:54
ayoungdstanek, and still broken20:54
notmynameayoung: yeah, and those were terrible ;-)20:54
dstanek"once everyone hates the protocol we can consider it feature complete"20:55
*** gyee has joined #openstack-keystone20:55
*** ChanServ sets mode: +v gyee20:55
ayoungnotmyname, again, because I was trying to work within the restrictions set by using Keystone20:55
ayoungReally, there are two secure ways to authenticate over the network.  Kerberos and X509 Client cert.  And Kerberos requires HTTPS.  So, if you want a single authZ mechanism, use X50920:56
*** roxanaghe has joined #openstack-keystone20:56
ayoungBut, the world has decided it is too complicated20:56
bknudsonso we're stuck with web forms20:56
ayoungbknudson, so SAML is better than handing your password direct to some random application20:57
ayoungBut, again, there are many better ways to do that, too.20:57
, lets deal with dstanek 's real issue.  Lets assume you got the middleware to work, and then the time came to write an API for adding a new IdP20:58
ayoungthat is the point that we have a nightmare on our hands20:58
'd i get dragged into this :-)20:59
ayoungdstanek, you are writing the SAML middleware20:59
*** dave-mccowan has joined #openstack-keystone21:00
ayoungdstanek, the Kent folks had that in their POC 4 years ago.21:00
*** lhcheng has quit IRC21:00
dstanekayoung: saml outside of shib?21:00
*** gagehugo has quit IRC21:00
ayoungdstanek, I don't know what they used for an IdP, but the SAML processing was done inside Keystone, not via an Apache module21:01
ayoungI'm assuming they used whatever the University of Kent had as an IdP21:01
dstanekayoung: do you have any links? i know that they often didn't use our tooling21:01
*** sdake_ has quit IRC21:01
ayoungdstanek, its irrelevant.  The code is so different from what they proposed,21:02
dstanekthe work they did that i am familiar with is using mod_shib and that IdP federation that consists of many universities21:02
samueldmqdstanek: fyi: added you as a reviwer to patch 323596 (what we were discussing with rderose earlier)21:02
patchbotsamueldmq: - keystone - Refactor shadow users21:02
dstaneksamueldmq: yay!21:02
ayoung it is the registration of Keystone as a SP that is the hard problem to solve21:02
ayoungdstanek, prior to that21:02
*** julim has quit IRC21:04
*** lhcheng has joined #openstack-keystone21:05
*** ChanServ sets mode: +v lhcheng21:05
rodrigodssamueldmq, ^ right21:05
dstanekayoung: oh my, the abc talks to the cs backed by the cdc and watched by the fbi21:05
dstaneki don't think i'd be smart enough to go to kent21:05
rodrigodssamueldmq, mappings: protocols:
patchbotrodrigods: patch 305444 - keystone - Add mapping rules integration tests21:05
patchbotrodrigods: patch 307508 - keystone - Add protocols integration tests21:05
*** chlong has joined #openstack-keystone21:06
*** edtubill has quit IRC21:06
dstaneklol, did they leave off steps to make it harder?21:06
*** jbell8 has joined #openstack-keystone21:07
dstanekayoung: it's been a while since i have seen that movie21:07
ayoungdstanek, so are you going to go ahead with writing the SAML middleware piece?21:07
dstanekayoung: yeah, i have the acs flow working. i don't see a better option right now.21:08
ayoungdstanek, so, I know you can make that part work.  Its the follow on that worries me.21:09
samueldmqrodrigods: thanks21:09
dstanekayoung: me too21:09
ayoungdstanek, I'm a little worried about doing the crypto in python inside mod_wsgi, but I can see ways to mitigate that.  Its the registration of the Identity provider that we need to focus on.21:10
ayoungdstanek, lets say you were in my position, where the apache config was pretty much a requirement.21:10
dstanekayoung: yeah the default implementation actually shells out which isn't great21:10
ayoungwe can take the  tool that talks to Ipsilon, merge it with the Keycloak one to have a generic SAML IDP registration tool.  It would still be a configuration piece, though21:11
ayoungand calling that from an API would be tricky21:11
ayoungespecially once you consider HA etc21:11
ayoungOTOH, we need something that also does OpenIDC.21:12
dstanekayoung: i need to take some time to install and understand Ipsilon21:12
ayoungSo...the question is, are we going to turn Keystone into ADFS21:12
ayoungdstanek, I have an ansible role I can share with you for that21:13
dstanekayoung: that would be great21:13
ayoungdstanek, credit goes to jamielennox for writing it... link in a sec21:13
ayoungso, we used FreeIPA and supported Kerberos (GSSAPI)21:14
*** diazjf has joined #openstack-keystone21:14
ayoungdstanek, it has a UI for registering a new remote SP, too, I think21:14
*** ametts has quit IRC21:14
ayoungHave not run it in a while...might still have one somewhere...21:15
ayoungdstanek, nah, disabled it in Rippowam as I was working on Keycloak.21:16
dstanekthat's a good start though21:16
ayounghmmm. I wonder if I can just in stall that role...let me try21:16
ayoungdstanek, I might be able to set one up on Dreamhost21:19
ayoungOK, let me see if I have passwords21:19
bknudsonayoung: you mean your client cert, right?21:20
ayoungbknudson, I mean Kerberos passwords, actually21:23
ayoungdstanek, let me see if I can grant you access...21:23
*** mvk_ has joined #openstack-keystone21:25
*** jsifantu has quit IRC21:27
*** diazjf has quit IRC21:28
*** mvk has quit IRC21:28
notmorganlbragstad: found a bug in our token provider. also untested code path(s)21:29
lbragstadnotmorgan sweet21:29
notmorganlbragstad: "providers.common" is not exported via __all__ or in __init__ in keystone.token.providers21:30
openstackgerritRon De Rose proposed openstack/keystone: Add password table columns to meet PCI-DSS change password requirements
notmorganyou must explicitly import common *or* expose it via __init__ and __all__21:30
*** lifeless_ is now known as lifeless21:30
openstackgerritRon De Rose proposed openstack/keystone: PCI-DSS Change password requirements
openstackgerritRon De Rose proposed openstack/keystone: PCI-DSS Password strength requirements
notmorganlbragstad: so we're either randomly erroring and it hasn't been reported or we're not ever hitting that21:31
openstackgerritRon De Rose proposed openstack/keystone: PCI-DSS Password history requirements
notmorganlbragstad: which means... we should ditch it21:31
openstackgerritRon De Rose proposed openstack/keystone: PCI-DSS Disable inactive users requirements
*** tonytan4ever has quit IRC21:31
notmorganlbragstad: would you mind poking at that and/or fixing it?21:32
lbragstadnotmorgan when i'm done with the performance work i will21:32
* notmorgan is looking at how hard it will be to fix the awfulness of multiple token paths.21:32
notmorgani think i have another possibility to fix the things with some minor restructuring.21:33
*** diazjf has joined #openstack-keystone21:35
*** rk4n has joined #openstack-keystone21:37
*** jbell8 has quit IRC21:41
notmorganlbragstad: found another bug =/21:45
notmorganlbragstad: it's again, mostly "correctness" but this is in the fernet formatter selector21:45
notmorganlbragstad: basically a fall through case that is possibly wrong21:46
notmorganin a for loop.21:46
*** pauloewerton has quit IRC21:48
lbragstadnotmorgan i think that stuff is based on order?21:49
openstackgerritMatthew Edmonds proposed openstack/keystone: fix ldap delete_user group member cleanup
*** sdake has joined #openstack-keystone21:49
notmorganright, so if nothing happens with create_arguments_apply you fall through to the last payload thing always21:50
notmorganlbragstad: in the list21:50
*** diazjf has quit IRC21:51
notmorganbecause of the way the for-loop works. ideally we should assert a correct version vs. just relying that the order "makes sense" and falls through correctly21:51
lbragstadthat makes sense21:52
notmorganso whatever is last in PAYLOAD_CLASSES is the "default" - it would be better to set an explicit default, and if create_arguments_apply matches, we override/break21:52
notmorganor if we don't set one that matches, raise a proper error vs an opaque (potentially) 500 error21:52
notmorganlbragstad: having some space from the token subsystem makes this a lot easier to identify errors :P21:53
openstackgerritMerged openstack/python-keystoneclient: Handle EmptyCatalog exception in list federated projects
*** rcernin is now known as rcernin|off21:54
*** sdake has quit IRC21:54
notmorganlbragstad: so a quick way to align validation - move unpack/pack into the main provider's ._get_token_id passthrough/.get_token_data, and then "store" the fernet payload adjacent to the body of the uuid so we can just call the reconstruction code paths, and strip that extra data if the "pull from db body" uuid provider is used.21:55
*** r-daneel has joined #openstack-keystone21:55
*** sdake has joined #openstack-keystone21:55
notmorganlbragstad: so simply do token_body = { _body: {<today's body>}, 'fernet_payload': <payload> } in the db.21:56
lbragstadis that going to break on upgrade?21:56
notmorganlbragstad: nah. it would break on downgrade21:56
lbragstadyou're talking about storing uuid tokens like that?21:56
notmorganlbragstad: basically we'd just switch/case if sql_result.has_key('fernet_payload') or ('_body')21:57
notmorganwe can validate either way: reconstruct/pull from the db directly21:57
notmorganand not pass the other data around.21:57
notmorganit means you wont be able to use <new> keystone [newton] issuing tokens for pre-newton keystones21:58
notmorganbut if the SQL result doesn't have either value in the db column, we just take the serialized version as-is21:58
notmorganso it looks like:21:58
notmorgansql-query => body21:58
notmorganif '<new key>' not in loaded_json: validate(loaded_json).21:59
lbragstadbut if you get a token from newton keystone and try to validate it against a pre-newton keystone it will break, right?21:59
notmorganin uuid yes.21:59
notmorganin fernet no22:00
notmorganfernet stays the same22:00
notmorganyou need the new simple switch/case thing to know what part of the token stored in the db to take.22:00
notmorganthe other alternative would be to extend the schema to have a fernet_payload22:01
notmorgan*shrug* it's just brutal to migrate the token table22:02
* notmorgan doesn't really care.22:02
lbragstadnotmorgan true22:02
openstackgerritMatthew Edmonds proposed openstack/keystone: fix ldap delete_user group member cleanup
notmorganlbragstad: i'd be fine with simply doing another token table column22:03
notmorgani was looking for a no-sql-migrate options22:03
lbragstadnotmorgan yeah - i'm fine with that22:04
*** jorge_munoz has quit IRC22:04
notmorganlbragstad: so the patch sets i'm going to propose: pass the unpack/pack through the main provider interface22:05
notmorganlbragstad: make "validate_non-persistent_token" something more like "validate_reconstruct_token"22:05
notmorganlbragstad: and then rework so we can switch on "reconstruct" from uuid or not with the same fernet formatters.22:06
notmorganlbragstad: i'll decide if i want to migrate a column in or not.22:06
lbragstadnotmorgan i wanted to start working on a patch to pull all token token formatter logic in to the controllers22:06
notmorganlbragstad: controller?22:07
lbragstader - out of the token provider22:07
notmorganyou mean v2 vs v3 format?22:07
notmorganah ok.22:07
notmorganyeah lets not do that until we validate tokens the same way [most of the time]22:07
lbragstadthe if statements for all the stuff makes my head spin22:08
notmorganif we simply finish the "always a v3 token" then v3->v222:08
notmorganfor "body" transformation22:08
notmorgani think we're good.22:08
notmorganbut lets fix the way we validate first.22:08
*** henrynash_ has quit IRC22:11
*** rcernin|off has quit IRC22:21
*** edmondsw has quit IRC22:37
*** fawadkhaliq has joined #openstack-keystone22:44
*** gordc has quit IRC22:44
samueldmqrderose: I like 'Drop Support for Driver Versioning'22:46
*** woodburn1 has joined #openstack-keystone22:46
samueldmqrderose: I always thought it was something hard to maintain; let's see what feedback we get from operators, and if we can drop it, deprecate and remove later :)22:47
*** lhcheng has quit IRC22:48
*** woodburn has quit IRC22:48
*** yolanda has quit IRC22:55
*** lhcheng has joined #openstack-keystone22:55
*** ChanServ sets mode: +v lhcheng22:55
*** KevinE has quit IRC22:59
*** markvoelker has quit IRC23:13
*** lhcheng has quit IRC23:14
*** lhcheng has joined #openstack-keystone23:15
*** ChanServ sets mode: +v lhcheng23:15
*** rk4n has quit IRC23:15
*** dan_nguyen has quit IRC23:16
*** fawadkhaliq has quit IRC23:17
*** fawadkhaliq has joined #openstack-keystone23:18
*** fawadkhaliq has quit IRC23:21
*** pgbridge has quit IRC23:26
*** timcline has quit IRC23:28
rderosesamueldmq: thanks, appreciate that. yeah, curious to see what feedback we'll get. I have a hard time believing that folks would actually upgrade with changing and testing their custom drivers.23:28
*** timcline has joined #openstack-keystone23:28
*** lhcheng has quit IRC23:31
*** dan_nguyen has joined #openstack-keystone23:31
*** lhcheng has joined #openstack-keystone23:31
*** ChanServ sets mode: +v lhcheng23:31
*** timcline has quit IRC23:33
openstackgerritRon De Rose proposed openstack/keystone: PCI-DSS Change password requirements
openstackgerritRon De Rose proposed openstack/keystone: PCI-DSS Password strength requirements
openstackgerritRon De Rose proposed openstack/keystone: PCI-DSS Password history requirements
openstackgerritRon De Rose proposed openstack/keystone: PCI-DSS Disable inactive users requirements
*** lhcheng has quit IRC23:40
*** markvoelker has joined #openstack-keystone23:44
openstackgerritJamie Lennox proposed openstack/keystone: Use http_proxy_to_wsgi from oslo.middleware
*** markvoelker has quit IRC23:49
rderosesamueldmq: * without changing and testing their custom drivers23:49
*** iurygregory_ has joined #openstack-keystone23:50
openstackgerritJamie Lennox proposed openstack/keystone: Use http_proxy_to_wsgi from oslo.middleware

Generated by 2.14.0 by Marius Gedminas - find it at!