Thursday, 2016-06-16

*** orwell.freenode.net changes topic to "Newton Deadlines: http://releases.openstack.org/newton/schedule.html | Midcycle (July 20-22, San Jose, CA) wiki https://wiki.openstack.org/wiki/Sprints/KeystoneNewtonSprint | Meeting Etherpad https://etherpad.openstack.org/p/keystone-weekly-meeting" 05:57
*** alex_xu has quit IRC 06:03
*** alex_xu has joined #openstack-keystone 06:06
<openstackgerrit> Jamie Lennox proposed openstack/keystone-specs: Reservations (a working title)  https://review.openstack.org/330329 06:12
*** yolanda has joined #openstack-keystone 06:18
<jamielennox> stevemar: still here? 06:19
*** yolanda has quit IRC 06:21
*** yolanda has joined #openstack-keystone 06:24
*** rcernin has joined #openstack-keystone 06:24
*** EinstCrazy has quit IRC 06:28
*** EinstCrazy has joined #openstack-keystone 06:29
*** EinstCrazy has quit IRC 06:30
*** EinstCrazy has joined #openstack-keystone 06:30
*** EinstCrazy has quit IRC 06:41
*** EinstCrazy has joined #openstack-keystone 06:45
*** afazekas is now known as afazekas|dentist 06:52
<openstackgerrit> Jamie Lennox proposed openstack/keystone-specs: Reservations (a working title)  https://review.openstack.org/330329 06:58
<jamielennox> @channel: please read ^ 06:58
*** markvoelker_ has quit IRC 07:01
*** markvoelker has joined #openstack-keystone 07:01
*** amoralej|off is now known as amoralej 07:05
*** tesseract has joined #openstack-keystone 07:09
*** jamielennox is now known as jamielennox|away 07:12
*** jed56 has joined #openstack-keystone 07:16
*** pcaruana has joined #openstack-keystone 07:17
*** permalac has quit IRC 07:19
*** zengchen has joined #openstack-keystone 07:23
*** roxanaghe has joined #openstack-keystone 07:27
<zengchen> Hi guys, please give me a help. how to get the nova or cinder's endpoint in my service if the catalog in the token is empty? i see the policy for 'list_endpoints' is admin, but i am not the admin. thanks. 07:28
*** GB21 has quit IRC 07:31
*** roxanaghe has quit IRC 07:32
*** nisha_ has joined #openstack-keystone 07:37
*** ebarrera has joined #openstack-keystone 07:42
*** henrynash_ has joined #openstack-keystone 07:44
*** ChanServ sets mode: +v henrynash_ 07:44
<notmorgan> jamielennox|away: interesting 07:52
*** jinquan has joined #openstack-keystone 07:59
*** zzzeek has quit IRC 08:00
*** zzzeek has joined #openstack-keystone 08:00
*** pnavarro has joined #openstack-keystone 08:07
*** jaosorior has quit IRC 08:07
*** jaosorior has joined #openstack-keystone 08:08
*** permalac has joined #openstack-keystone 08:09
<openstackgerrit> Davanum Srinivas (dims) proposed openstack/keystone: [WIP] Testing latest u-c  https://review.openstack.org/318435 08:10
<openstackgerrit> Davanum Srinivas (dims) proposed openstack/keystone: [WIP] Testing latest u-c  https://review.openstack.org/318435 08:10
<openstackgerrit> Ron De Rose proposed openstack/keystone: PCI-DSS Disable inactive users requirements  https://review.openstack.org/328447 08:20
*** GB21 has joined #openstack-keystone 08:32
<openstackgerrit> Ron De Rose proposed openstack/keystone: PCI-DSS Disable inactive users requirements  https://review.openstack.org/328447 08:39
*** jamie_h has joined #openstack-keystone 08:43
*** nisha_ has quit IRC 08:53
*** nisha_ has joined #openstack-keystone 08:53
*** roxanaghe has joined #openstack-keystone 09:00
*** dmk0202 has joined #openstack-keystone 09:02
*** roxanaghe has quit IRC 09:06
<openstackgerrit> Merged openstack/keystone: Move TestAuth unscoped token tests to TokenAPITests  https://review.openstack.org/329589 09:10
*** mkoderer__ has quit IRC 09:28
*** TxGVNN has joined #openstack-keystone 09:32
*** TxGVNN has quit IRC 09:37
<openstackgerrit> Davanum Srinivas (dims) proposed openstack/keystone: [WIP] Testing latest u-c  https://review.openstack.org/318435 10:10
*** zqfan has joined #openstack-keystone 10:10
*** jamielennox|away is now known as jamielennox 10:15
*** mvk_ has quit IRC 10:26
*** sdake has joined #openstack-keystone 10:40
*** sdake_ has joined #openstack-keystone 10:42
*** rakhmerov has joined #openstack-keystone 10:44
*** sdake has quit IRC 10:45
*** gnuoy has joined #openstack-keystone 10:46
*** mvk_ has joined #openstack-keystone 10:53
*** GB21 has quit IRC 10:53
*** nisha__ has joined #openstack-keystone 10:54
*** nisha_ has quit IRC 10:57
<openstackgerrit> Alvaro Lopez Garcia proposed openstack/keystoneauth: WIP - oidc: fix OpenID Connect authorization code grant_type  https://review.openstack.org/330006 10:58
<openstackgerrit> Alvaro Lopez Garcia proposed openstack/keystoneauth: oidc: move scope into _OidcBase  https://review.openstack.org/330463 10:58
<openstackgerrit> Alvaro Lopez Garcia proposed openstack/keystoneauth: WIP - oidc: add discovery document support  https://review.openstack.org/330464 10:58
<openstackgerrit> Alvaro Lopez Garcia proposed openstack/keystoneauth: oidc: remove grant_type argument  https://review.openstack.org/330465 10:58
*** roxanaghe has joined #openstack-keystone 11:02
*** roxanaghe has quit IRC 11:07
*** sdake_ has quit IRC 11:10
<openstackgerrit> Mikhail Nikolaenko proposed openstack/keystone: Validate impersonation in trust redelegation  https://review.openstack.org/330045 11:26
*** jed56 has quit IRC 11:34
*** jed56 has joined #openstack-keystone 11:34
*** ddieterly has joined #openstack-keystone 11:47
*** GB21 has joined #openstack-keystone 11:48
*** amoralej is now known as amoralej|lunch 11:58
*** roxanaghe has joined #openstack-keystone 12:03
*** sdake has joined #openstack-keystone 12:05
<samueldmq> jamielennox: auth_token.__init__ imported opts, and opts needed auth_token._opts. when evaluating auth_token._opts, it passes by auth_token.__init__ again 12:05
*** ddieterly is now known as ddieterly[away] 12:05
*** henrynash_ has quit IRC 12:06
*** nisha__ is now known as nisha_ 12:07
*** roxanaghe has quit IRC 12:08
*** GB21 has quit IRC 12:15
*** GB21 has joined #openstack-keystone 12:17
*** rcernin has quit IRC 12:24
*** nisha_ has quit IRC 12:25
*** nisha_ has joined #openstack-keystone 12:25
*** lamt has joined #openstack-keystone 12:31
*** ddieterly has joined #openstack-keystone 12:32
<stevemar> o/ 12:33
<stevemar> morning folks 12:33
*** pauloewerton has joined #openstack-keystone 12:35
*** rcernin has joined #openstack-keystone 12:39
<samueldmq> stevemar: o/ 12:39
*** julim has joined #openstack-keystone 12:39
*** mwheckmann has joined #openstack-keystone 12:40
*** ddieterly is now known as ddieterly[away] 12:41
*** ddieterly[away] has quit IRC 12:41
*** edmondsw has joined #openstack-keystone 12:45
*** rodrigods has quit IRC 12:46
*** rodrigods has joined #openstack-keystone 12:46
*** elmiko has left #openstack-keystone 12:52
*** GB21 has quit IRC 12:53
*** rcernin has quit IRC 12:54
*** nisha__ has joined #openstack-keystone 12:55
*** jsavak has joined #openstack-keystone 12:55
*** nisha_ has quit IRC 12:57
<aloga> stevemar: hi there 13:02
*** roxanaghe has joined #openstack-keystone 13:04
*** amoralej|lunch is now known as amoralej 13:05
<openstackgerrit> Nisha Yadav proposed openstack/python-keystoneclient: Add domain functional tests  https://review.openstack.org/329598 13:06
*** rcernin has joined #openstack-keystone 13:07
<openstackgerrit> Merged openstack/keystone: Update driver versioning documentation  https://review.openstack.org/330118 13:08
*** roxanaghe has quit IRC 13:08
*** pnavarro has quit IRC 13:09
*** nisha_ has joined #openstack-keystone 13:14
*** nisha_ has quit IRC 13:14
<openstackgerrit> Rodrigo Duarte proposed openstack/keystone: Fix some nits in integration tests  https://review.openstack.org/330537 13:16
*** EinstCrazy has quit IRC 13:20
*** EinstCrazy has joined #openstack-keystone 13:21
*** EinstCrazy has quit IRC 13:26
*** raildo-a` is now known as raildo 13:27
*** frontrunner has joined #openstack-keystone 13:30
*** roxanaghe has joined #openstack-keystone 13:32
*** roxanaghe has quit IRC 13:32
*** roxanaghe has joined #openstack-keystone 13:33
*** roxanaghe has quit IRC 13:33
*** ddieterly has joined #openstack-keystone 13:40
<stevemar> aloga: good morning (or good evening for you) 13:41
*** ddieterly is now known as ddieterly[away] 13:44
*** _sigmavirus24 is now known as sigmavirus24 13:46
*** sigmavirus24 has joined #openstack-keystone 13:46
*** rderose has joined #openstack-keystone 13:47
<rderose> henrynash: are you there? 13:48
*** ddieterly[away] is now known as ddieterly 13:49
<shewless> Hi. Does anyone here know if there is an easy way to query an Identity provider for a list of attributes that it provides?  I have a working SP connected to testshib but I'm having trouble determining what attributes are available to me. 13:50
*** adrian_otto has joined #openstack-keystone 13:52
*** adrian_otto has quit IRC 13:54
<rodrigods> shewless, as a Service Provider: https://www.testshib.org/test.html 13:55
<shewless> rodrigods: thanks! I've been there.. and I've tried accessing https://yourhost.org/Shibboleth.sso/Session but I think it only shows me the attributes I've already requested (not all available). 13:56
*** richm has joined #openstack-keystone 13:58
*** jaugustine has joined #openstack-keystone 14:00
*** jaugustine has quit IRC 14:00
*** jaugustine has joined #openstack-keystone 14:01
<openstackgerrit> Alexander Makarov proposed openstack/keystone: WIP/DNM Unified delegation assignment driver  https://review.openstack.org/291318 14:01
<openstackgerrit> Alexander Makarov proposed openstack/keystone: Delegation parent discovery function  https://review.openstack.org/330573 14:01
*** woodster_ has joined #openstack-keystone 14:01
*** rderose_ has joined #openstack-keystone 14:05
*** sheel has quit IRC 14:05
<shewless> rodrigods: I confirmed that the Session page only shows me what I ask for in /etc/shibboleth/attribute-map.xml. I'd like to find a "username" of such field (without the email part) but I don't know what's available on the IDP side 14:06
*** nisha__ is now known as nisha_ 14:08
*** rderose has quit IRC 14:08
*** jaugustine has quit IRC 14:16
*** daemontool has joined #openstack-keystone 14:19
*** lucas___ has joined #openstack-keystone 14:23
<stevemar> biab, dental app 14:23
*** jistr is now known as jistr|mtg 14:28
*** ayoung has joined #openstack-keystone 14:30
*** ChanServ sets mode: +v ayoung 14:30
*** sheel has joined #openstack-keystone 14:30
*** jorge_munoz has joined #openstack-keystone 14:31
*** edtubill has joined #openstack-keystone 14:32
<openstackgerrit> Ron De Rose proposed openstack/keystone: PCI-DSS Password SQL model changes  https://review.openstack.org/314284 14:33
*** adrian_otto has joined #openstack-keystone 14:34
<openstackgerrit> Ron De Rose proposed openstack/keystone: PCI-DSS Password SQL model changes  https://review.openstack.org/314284 14:35
<openstackgerrit> Ron De Rose proposed openstack/keystone: PCI-DSS Password SQL model changes  https://review.openstack.org/314284 14:36
*** jaugustine has joined #openstack-keystone 14:37
*** adrian_otto has quit IRC 14:38
<openstackgerrit> Ron De Rose proposed openstack/keystone: PCI-DSS Password SQL model changes  https://review.openstack.org/314284 14:40
*** pcaruana has quit IRC 14:41
*** henrynash_ has joined #openstack-keystone 14:42
*** ChanServ sets mode: +v henrynash_ 14:42
<henrynash> redrose: hi 14:42
<henrynash> rderose: hi 14:43
*** gordc has joined #openstack-keystone 14:45
*** adrian_otto has joined #openstack-keystone 14:46
*** timcline has joined #openstack-keystone 14:46
*** timcline has quit IRC 14:46
<notmorgan> o/ 14:46
*** timcline has joined #openstack-keystone 14:47
*** roxanaghe has joined #openstack-keystone 14:47
*** jaosorior has quit IRC 14:49
*** roxanaghe has quit IRC 14:52
*** sdake has quit IRC 14:54
*** nisha__ has joined #openstack-keystone 14:54
<lbragstad> rderose_ ^ 14:54
<rderose_> lbragstad: yes 14:55
<lbragstad> rderose_ henrynash was looking for you 14:55
<rderose_> ah, thx 14:55
<henrynash> lbragstad:….only ‘cause he was looking for me :-) 14:55
<lbragstad> rderose_ also, it doesn't look like much changed with https://review.openstack.org/#/c/314284/84 except addressing henrynash's comment on patchset 80? 14:55
<patchbot> lbragstad: patch 314284 - keystone - PCI-DSS Password SQL model changes 14:55
<rderose_> henrynash: hi, had a question regarding your comment on disable active users 14:56
<rderose_> henrynash: but see you've responded, let me read your latest comment 14:57
*** nisha_ has quit IRC 14:57
<henrynash> rederose_: sure…Ok, yes - I should have explained my concern in more detail….I may just be misunderstanding what you intended 14:57
*** EinstCrazy has joined #openstack-keystone 14:58
<notmorgan> lbragstad: patchset 80... and not because of back/forth/bikeshedding 14:58
<notmorgan> lbragstad: rderose_ is trying to get the alltime-patchset-count-for-a-review-in-keystone award 14:58
<lbragstad> notmorgan he's getting close :) 14:59
*** sdake has joined #openstack-keystone 14:59
<rderose_> henrynash: no, I think you are understanding my intent. hmm... 14:59
<rderose_> henrynash: maybe migrated_at would be better...  not sure I like that, but see your point regarding created_at 15:00
*** david-lyle_ is now known as david-lyle 15:00
<rderose_> henrynash: thx 15:00
<rderose_> notmorgan: hahah, yeah 15:01
<henrynash> rederose_: ok 15:01
<rderose_> notmorgan: what's the record? 15:01
<notmorgan> rderose_: 80-something... but like 120 if you include the followup patch for trusts :P 15:02
<notmorgan> rderose_: since it landed: code, tests in two patches 15:02
<notmorgan> otherwise i think stevemar holds the record 15:02
<rderose_> notmorgan: cool, I'll aim for that :) 15:02
<henrynash> rderose_: I guess I would also say, that the result of this approach, however, would be you have this field in the DB that is effectively only used for a temporary period….seems wasteful (although downright terrible) 15:02
*** walharthi has joined #openstack-keystone 15:03
*** pushkaru has joined #openstack-keystone 15:03
<rderose_> henrynash: yeah, maybe... 15:03
<henrynash> rderose_: your objection to setting last_auth_at to now() on migration is, I assume, that it is a little misleading? (Even through the audit even on auth is the notification that gets sent….people shouldn’t really be using these DB fields for audit purposes) 15:04
<henrynash> redrose_: (typo in my early message… I meant to say “although not downright terrible”..freudian slip! 15:05
*** ebarrera has quit IRC 15:06
<rderose_> henrynash: well, my intent is to only set last_auth_at to now when authentication happens 15:06
<henrynash> rderose_: which in general is exactly right, of course, it’s all about how we handle this period between migration and next auth 15:07
<rderose_> henrynash: exactly 15:07
<henrynash> rderose_: however, we know last_auth_at can only tend towards correctness for the user population as a whole (i.e. a value of None just means “I don’t know when/if this person last authenticated, but I know it is not since you migrated to Newton”) 15:11
*** jistr|mtg is now known as jistr 15:19
*** aratus has joined #openstack-keystone 15:24
<shewless> okay I see I was missing in the log it mentions which oids are available but skipped. 15:33
<shewless> but my problem now is I'm trying to ask for an attribute specifically and it's still being "skipped".  <Attribute name="urn:mace:dir:attribute-def:manager" id="manager"/>.  I know this isn't a "SP/IDP" board but I'm hoping you can help me. 15:34
*** openstackgerrit has quit IRC 15:34
*** openstackgerrit has joined #openstack-keystone 15:34
*** adrian_otto has quit IRC 15:34
*** raddaoui has joined #openstack-keystone 15:36
*** jaugustine has quit IRC 15:37
*** adrian_otto has joined #openstack-keystone 15:44
*** nkinder has quit IRC 15:47
*** aratus has quit IRC 15:47
*** roxanaghe has joined #openstack-keystone 15:48
*** ddieterly is now known as ddieterly[away] 15:51
*** ddieterly[away] is now known as ddieterly 15:51
*** aratus has joined #openstack-keystone 15:52
*** roxanaghe has quit IRC 15:53
*** EinstCrazy has quit IRC 15:53
*** belmoreira has joined #openstack-keystone 15:56
<shewless> I couldn't get the manager one to work but I was able to get all of the other skipped ones to work.  Now I've mapped the "name" field to "sn" - but I still get a 404 error 15:58
<shewless> here is my mapping file: http://paste.ubuntu.com/17400397/ 15:58
*** nkinder has joined #openstack-keystone 15:58
*** tesseract has quit IRC 16:00
*** lucas___ has quit IRC 16:00
*** lucas___ has joined #openstack-keystone 16:01
<openstackgerrit> Alexander Makarov proposed openstack/keystone: WIP/DNM Unified delegation assignment driver  https://review.openstack.org/291318 16:03
*** gyee has joined #openstack-keystone 16:06
*** ChanServ sets mode: +v gyee 16:06
*** lucas___ has quit IRC 16:06
*** BjoernT has joined #openstack-keystone 16:06
<shewless> If I only have 1 identity provider do I need to set the remote id using a command like this:  openstack identity provider set --remote-id <remote-id>  <idp-id> 16:08
<shewless> or is it enough to specify it in my metadata only? 16:09
<shewless> dstanek: any chance you are around? I'm close to getting federation to work but I'm stuck. I get a "page not found" error for v3/auth/OS-FEDERATION/websso/saml2 16:10
<shewless> I see that I'm getting attributes from the IDP (testshib) but I'm not sure why the page not found error is occurring 16:10
*** roxanaghe has joined #openstack-keystone 16:10
*** roxanaghe has quit IRC 16:10
<shewless> what is responsible for ensuring that v3/auth/OS-FEDERATION/websso/saml2 is available? 16:11
<openstackgerrit> Alexander Makarov proposed openstack/keystone: Delegation parent discovery function  https://review.openstack.org/330573 16:11
<openstackgerrit> Alexander Makarov proposed openstack/keystone: WIP/DNM Unified delegation assignment driver  https://review.openstack.org/291318 16:13
*** permalac has quit IRC 16:15
*** timcline_ has joined #openstack-keystone 16:15
<stevemar> notmorgan: rderose_ the record is held by ayoung for revoke events :) 16:17
<stevemar> i come in second 16:17
<openstackgerrit> henry-nash proposed openstack/keystone: WIP - Add framework for supporting microversions  https://review.openstack.org/330674 16:17
*** timcline has quit IRC 16:19
*** sdake has quit IRC 16:20
*** timcline_ has quit IRC 16:21
*** bunting has joined #openstack-keystone 16:21
*** timcline has joined #openstack-keystone 16:21
*** bunting has left #openstack-keystone 16:22
<gyee> henrynash, a question for ya on DSR 16:23
<henrynash> gyee: shot 16:23
<henrynash> shoot even 16:23
<gyee> can both prior and implied role be in the same domain? 16:24
*** jsavak has quit IRC 16:24
<shewless> anyone? I'm really stuck on this part 16:24
<gyee> I am guessing yes 16:24
<henrynash> gyee: you mean can one dsr imply another drs? 16:24
<henrynash> (dsr) 16:25
<gyee> henrynash, yes 16:25
<henrynash> gyee: yes, as far as I know 16:25
<gyee> with the vanilla policy.json this is allowed, but not policy.v3 16:25
<gyee> so this is a bug then 16:26
*** bunting has joined #openstack-keystone 16:26
<gyee> henrynash, I will file a bug to earn more karma points :-) 16:26
<henrynash> gyee: you be rackin’ up, bro 16:27
*** jsavak has joined #openstack-keystone 16:27
<gyee> shewless, you are trying to setup WebSSO? 16:28
<dstanek> shewless: is that url configured to go to keystone and is the 404 an apache error or keystone one? 16:28
*** sdake has joined #openstack-keystone 16:28
*** ddieterly is now known as ddieterly[away] 16:29
<shewless> gyee: yes, dstanek: I have configured that URL in apache but I'm not sure what you mean about keystone. The 404 is an apache error 16:29
<henrynash> jamielennox: hi 16:29
<bunting> Hi, would someone be able to tell me the current state of service tokens? I heard they were being deprecated? 16:30
<shewless> dstanek: here is what I have in my apache config: http://paste.ubuntu.com/17402076 16:32
*** lucas___ has joined #openstack-keystone 16:33
<gyee> shewless, what does your /etc/apache2/sites-enabled/keystone.conf looks like? 16:34
*** david-lyle has quit IRC 16:35
<shewless> gyee: I'm on Mitaka and have wsgi-keystone-public.conf.. is that what you're after? 16:35
<gyee> shewless, yes 16:35
<gyee> can you pastebin it? 16:35
*** dan_nguyen has joined #openstack-keystone 16:35
<shewless> gyee, dstanek: the whole file: http://paste.ubuntu.com/17402290 16:36
*** lucas___ has quit IRC 16:38
<gyee> shewless, you have /v3/auth/FEDERATION there, but you are trying to access /v3/FEDERATION 16:38
<gyee> so there's a mismatch somewhere 16:38
<gyee> may want to check your horizon local_settings.py 16:39
<gyee> bunting, I haven't heard of that rumor 16:40
<openstackgerrit> henry-nash proposed openstack/keystone: WIP - Add framework for supporting microversions  https://review.openstack.org/330674 16:40
<openstackgerrit> Brant Knudson proposed openstack/keystone: Use upper-constraints for cover job  https://review.openstack.org/330691 16:41
*** lucas___ has joined #openstack-keystone 16:41
<shewless> gyee: not sure what you mean. The error I'm getting is: Not found: /v3/auth/OS-FEDERATION/websso/saml2 and in apache I have <Location ~ "/v3/auth/OS-FEDERATION/websso/saml2"> 16:42
*** dmk0202 has quit IRC 16:42
*** lucas___ has quit IRC 16:44
*** lucas___ has joined #openstack-keystone 16:44
<shewless> gyee: what would I check in local_settings.py? OPENSTACK_KEYSTONE_URL? or something else? 16:47
<gyee> shewless, you see the request in apache access log? 16:47
shewlessgyee: in the apache2/error.log I see this: [Thu Jun 16 16:48:51.944406 2016] [wsgi:error] [pid 17849:tid 140076990158592] Not Found: /v3/auth/OS-FEDERATION/websso/saml216:49
*** david-lyle has joined #openstack-keystone16:50
*** ebarrera has joined #openstack-keystone16:50
shewlessgyee: in the apache2/access.log I see this: 192.168.216.117 - "" [16/Jun/2016:16:48:51 +0000] "GET /v3/auth/OS-FEDERATION/websso/saml2?origin=https://mycloud.foo.com/auth/websso/ HTTP/1.1" 404 5616 "https://idp.testshib.org/idp/profile/SAML2/Redirect/SSO" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.84 Safari/537.36"16:51
*** jdennis has quit IRC16:51
gyeeshewless, arrrg16:52
gyeethe <location> should be inside <VirtualHost>16:52
shewlessgyee: Just that one locatoin? (not the other LocationMatch stuff)?16:52
gyeeall of them16:53
shewlessgyee: I will try that. I was using dstanek's example.. maybe I misread it: http://paste.openstack.org/show/508990/16:53
*** nisha__ has quit IRC16:54
gyeeI think that example is incorrect16:54
*** ddieterly[away] is now known as ddieterly16:54
*** nisha__ has joined #openstack-keystone16:54
*** amakarov has quit IRC16:55
shewlessgyee: I'm getting an error now about not finding this page: https://mycloud.foo.com/Shibboleth.sso/SAML2/POST. I wonder if I have to re-upload my metadata?16:56
ayoungstevemar, I actually claim it for Trusts.  You have to include the dolphm patch for the tests there, and the two together were well over 120 revisions16:56
*** amakarov has joined #openstack-keystone16:57
gyeeshewless, which IdP are you testing with? ADFS?17:00
*** belmoreira has quit IRC17:00
shewlessgyee: testshib right now.. adfs in the future.  So... this section has to be outside the virtualhost block: <Location /Shibboleth.sso>     SetHandler shib </Location>17:01
shewlessgyee: If I put everything inside the virtualhost EXCEPT the <Location /Shibboleth.sso> stuff I end up with the same error (Not Found: /v3/auth/OS-FEDERATION/websso/saml2)17:05
shewlessgyee: If I put the /Shiboleth.sso inside the virtualhost I can't even generate metadata..17:05
*** mvk_ has quit IRC17:06
ayounggyee, I took your Anchor Certmonger helper and started a repo.  is this OK? https://github.com/admiyo/anchor-certmonger-helper17:06
ayoungAdded a readme, and put in an Apache license header17:07
*** daemontool has quit IRC17:08
shewlessgyee: Is there any other place that I need to "enable" or specify /v3/auth/OS-FEDERATION/websso/saml2 for that page to be available?17:08
gyeeayoung, go for it, thanks man17:08
ayounggyee, cool17:09
shewlessgyee: my trusted_dashboard is trusted_dashboard = https://mycloud.foo.com/auth/websso - is that correct?17:09
gyeeshewless, that's fine, if you are using devstack, I think it should be /dashboard/auth/websso17:11
ayoungshewless, no17:11
gyeebut we haven't gotten to that step yet17:11
ayoung https://mycloud.foo.com/auth/websso  not necess17:11
ayoungshould be your Horizon server17:11
*** roxanaghe has joined #openstack-keystone17:11
ayoungshewless, I think /websso is Keystone17:12
gyeeayoung, that's the Horizon callback url17:12
gyees/callback/redirect back/17:12
ayounggyee, trusted desktop is the one that initially started to convo,17:12
ayoungI used...17:12
* ayoung still looking17:14
ayounggyee, can't find it.  Anyway, I think that is too low17:15
ayoungI think it can be just the Horizon server, and Horizon should be  https://mycloud.foo.com/  or  https://mycloud.foo.com/desktop  or maybe even  https://mycloud.foo.com/auth17:15
ayoungthe websso might mess things up17:15
shewlessgyee, ayoung: not using devstack.. so so what is responsible for providing the /v3/auth/OS-FEDERATION/websso/saml2 page? Aside from apache I don't have that config anywhere17:15
gyeeshewless, /v3/auth/OS-FEDERATION/websso/saml2 is a Keystone endpoint17:16
*** roxanaghe has quit IRC17:16
gyeeprotected by Shibboleth17:16
ayoungI totally lied17:16
ayoungtrusted_dashboard = https://openstack.ayoung.rhsso.oslab.test/dashboard/auth/websso/17:16
shewlessgyee: is it possible a mapping problem could cause this?17:17
ayoungshewless, so when you set up Federation, you have to make 3 keystone calls17:17
ayoungthose create the Sub URL:17:17
gyeeshewless <Location /Shiboleth.sso> should also be inside <VirtualHost>17:17
ayoung /v3/auth/OS-FEDERATION/<idp>17:17
ayoungand17:17
ayoung /v3/auth/OS-FEDERATION/<idp>/protocol17:17
ayounger /v3/auth/OS-FEDERATION/<idp>/<protocol>17:17
ayoungshewless, You can test it by hitting it with curl17:18
ayoung404 means it does not exist, 401 means it works OK17:18
shewlessgyee: If I do that I cannot access https://mycloud.foo.com/Shibboleth.sso/Metadata.  I should be able to right?17:18
*** roxanaghe has joined #openstack-keystone17:18
shewlessayoung what's the curl line?17:18
gyeehttps://mycloud.foo.com:5000/Shibboleth.sso/Metadata17:19
*** javis has joined #openstack-keystone17:19
ayoungshewless so for me it was curl https://ipa.ayoung.rhsso.oslab.test/auth/realms/openstack/protocol/saml17:19
ayoungnope17:19
ayoung curl -g -i -X GET https://openstack.ayoung.rhsso.oslab.test:5000/v3/OS-FEDERATION/identity_providers/rhsso/protocols/saml2/auth17:19
ayoungthat is for ECP17:20
ayoungtry variations on that17:20
ayoung https://openstack.ayoung.rhsso.oslab.test:5000/v3/OS-FEDERATION/identity_providers/rhsso  is my IdP.  so for you...17:21
*** rcernin has quit IRC17:21
shewlessgyee: in that case I guess I should upload my new metadata then17:23
*** browne has joined #openstack-keystone17:23
shewlessgyee: if I do that https doesn't work anymore.. should I add SSL stuff to my virtualhost *.5000?17:23
*** ddieterly is now known as ddieterly[away]17:24
gyeeshewless, sorry, you can leave that one outside17:24
gyeenow back to the 40417:24
javiscan someone point me in the direction of the required binary dependencies when install keystone from source?17:25
shewlessgyee: okay back to the 40417:25
ayoungjavis, look in packstack17:26
gyeeshewless, lets start with your Horizon local_settings.py17:26
ayoungjavis, let me try that again17:26
ayoungjavis, look in devstack17:26
gyeeshewless, what is your OPENSTACK_KEYSTONE_URL set to?17:27
*** boltR_ has quit IRC17:27
shewlessgyee: http://paste.ubuntu.com/1740451417:28
ayoungjavis, for debs http://git.openstack.org/cgit/openstack-dev/devstack/tree/files/debs17:28
ayounghttp://git.openstack.org/cgit/openstack-dev/devstack/tree/files/debs/keystone17:28
ayoungfor RPMs17:28
shewlessgyee: OPENSTACK_KEYSTONE_URL = "http://%s:5000/v3" % OPENSTACK_HOST17:28
javisayoung: yea I saw that, oh thanks. debs are fine17:28
ayounghttp://git.openstack.org/cgit/openstack-dev/devstack/tree/files/rpms/keystone17:28
ayoungjavis, another approach is to install the keystone debs, get the dependencies installed, then uninstall keystone17:29
gyeeshewless, and your <location> block is inside <VirtualHost *:5000>?17:30
gyeeshewless, <Location ~ "/v3/auth/OS-FEDERATION/websso/saml2"> I mean17:31
*** tqtran has joined #openstack-keystone17:31
shewlessgyee: here is what I did.. I moved everything inside except the shiboleth.sso part: http://paste.ubuntu.com/1740464517:31
openstackgerrithenry-nash proposed openstack/keystone: Pass request back into wsgi render_reponse  https://review.openstack.org/33072017:32
gyeeshewless, and what error are you getting now?17:33
javisayoung, ahh I see. I will try using bindep with an other-requirements.txt file.17:33
ayoungjavis, what are you trying to do?17:33
shewlessgyee: same as before [Thu Jun 16 17:36:10.407472 2016] [wsgi:error] [pid 28789:tid 139944201254656] Not Found: /v3/auth/OS-FEDERATION/websso/saml217:36
*** nisha_ has joined #openstack-keystone17:36
openstackgerrithenry-nash proposed openstack/keystone: WIP - Add framework for supporting microversions  https://review.openstack.org/33067417:36
gyeeshewless, did you restart Apache?17:38
javisayoung, setting up keystone on a docker container. I know there is kolla but was going the manual route for kicks17:38
*** nisha__ has quit IRC17:38
shewlessgyee: many times. along with shibd.  but hmm.. I changed the OPENSTACK_HOST line.. because it was my "internal hostname" and not the name I'm hitting.. I think that got me a different error (401)17:39
*** mvk_ has joined #openstack-keystone17:39
shewlessgyee: yup.. now I get: {"error": {"message": "The request you have made requires authentication.", "code": 401, "title": "Unauthorized"}}17:39
lbragstadgetting a run in over lunch quick - biab17:39
shewlessgyee: is that better or worse?17:39
gyeeshewless, that's better17:40
shewlessgyee: hurray! looking at keystone logs now17:40
gyeenow Keystone should send you to the IdP to authenticate17:40
openstackgerritMerged openstack/keystone: Move project scoped tests to TokenAPITests  https://review.openstack.org/33011617:40
shewlessgyee: http://foo.sandvine.com/auth/websso/ is not a trusted dashboard host17:41
shewlessgyee: I notice that there is no https for some reason.. do you know why that would be?17:42
shewlessgyee: Just FYI even before I was already authenticating against the IdP17:42
shewlessgyee: and I was able to get attributes17:42
gyeeshewless, change it to /dashboard/auth/websso17:42
openstackgerritMerged openstack/keystone: Move project scoped catalog tests to TokenAPITests  https://review.openstack.org/33016117:42
shewlessgyee: I think it's because I put in https:// instead of http://17:43
gyeeshewless, yes, it must match the original Horizon URL17:43
shewlessgyee: but the original horizon URL is https:17:43
openstackgerritAlvaro Lopez Garcia proposed openstack/keystoneauth: WIP - oidc: fix OpenID Connect authorization code grant_type  https://review.openstack.org/33000617:44
gyeeshewless, I think you miss /dashboard in the path17:44
openstackgerritAlvaro Lopez Garcia proposed openstack/keystoneauth: WIP - oidc: add discovery document support  https://review.openstack.org/33046417:44
openstackgerritAlvaro Lopez Garcia proposed openstack/keystoneauth: oidc: remove grant_type argument  https://review.openstack.org/33046517:44
shewlessgyee: I don't see anything referencing the dashboard part.. I'll try it though17:44
gyeeshewless, if in doubt, 2x check your /etc/apache2/sites-enabled/horizon17:45
shewlessgyee: would that be 000-default in Mitaka (there is no horizon file)17:46
shewlessgyee: I changed it to https://mycloud.foo.com/dashboard/auth/websso17:47
openstackgerritMerged openstack/keystone: Move more project scoped behavior tests to TokenAPITests  https://review.openstack.org/33016217:48
shewlessgyee: but I get the same error: https://mycloud.foo.com/auth/websso/ is not a trusted dashboard host17:48
openstackgerritMerged openstack/keystone: Consolidate domain token tests into TokenAPITests  https://review.openstack.org/33016317:48
shewlessgyee: I think the problem is that the port 5000 stuff is http and the other stuff is https..17:49
gyeethis has nothing to do with port 500017:50
gyeethis is horizon url17:50
gyeeis your Horizon HTTP or HTTPS?17:51
gyeeshewless, what's in your /etc/apache2/sites-enabled/17:51
openstackgerritAlvaro Lopez Garcia proposed openstack/keystoneauth: WIP - oidc: remove grant_type argument  https://review.openstack.org/33046517:52
shewlessgyee: My horizon that I'm accessing is https (https://mycloud.foo.com).  Here is what's in sites-enabled: 000-default.conf  wsgi-keystone-internal.conf  wsgi-keystone-public.conf17:52
openstackgerritMerged openstack/keystone: Move negative domain scope test to TokenAPITests  https://review.openstack.org/33021517:54
shewlessgyee: does it make sense that I need a trailing slash on this line? trusted_dashboard = https://mycloud.foo.com/auth/websso/17:54
gyeeshewless, grep 'origin=' keystone.log17:54
openstackgerritMerged openstack/keystone: Move unscoped token test to TokenAPITests  https://review.openstack.org/33021617:55
shewlessgyee: that seems to get rid of my trusted dashboard problem17:55
openstackgerritMerged openstack/keystone: Move negative token tests to TokenAPITests  https://review.openstack.org/33021717:55
gyeeyes,, the trailing slash matters17:55
gyeeshewless, it has to match exactly what's in the 'origin' query param17:55
gyeeshewless, can you do a 'grep 'origin=' keystone.log'?17:56
gyeeI want to see what's coming in17:56
shewlessgyee: GET http://mycloud.foo.com:5000/v3/auth/OS-FEDERATION/websso/saml2?origin=https://mycloud.foo.com/auth/websso/17:56
shewlessgyee: so I think that trailing '/' is what was missing.. now I get this error:17:57
shewless{"error": {"message": "Could not find Identity Provider: https://idp.testshib.org/idp/shibboleth", "code": 404, "title": "Not Found"}}17:57
shewlessgyee: that's after I login to the idp17:58
*** rderose_ has quit IRC17:59
gyeeshewless, now it's getting into your IdP meta file17:59
shewlessgyee: that's cool. Why the 404 error? That page exists if I browse to it18:00
*** jsavak has quit IRC18:03
*** amoralej is now known as amoralej|off18:04
*** ebalduf has joined #openstack-keystone18:06
*** jsavak has joined #openstack-keystone18:06
gyeeshewless, that error coming from Keystone or Horizon?18:07
*** rcernin has joined #openstack-keystone18:07
shewlessgyee: that message is in /var/log/apache2/keystone-public.log... so I guess keystone18:08
shewlessgyee: the weird part to me is that I can view this: https://mycloud.foo.com/Shibboleth.sso/Session and it'll tell me all the attributes of the user I've logged in as..18:08
shewlessgyee: I've been able to do that for a while though18:08
gyeeshewless, in your keystone.conf, what is remote_id_attribute set to?18:10
gyeethat attribute in your saml2 should map to the IdP you created in Keystone18:10
shewlessgyee: remote_id_attribute = Shib-Identity-Provider18:10
gyeeKeystone uses that to look up the IdP18:11
shewlessgyee: hmm. where do I put that in keystone?18:11
shewlessgyee: like openstack identity provider show "provider_name"18:12
shewlessgyee: the --remote_ids field? I've left that blank up until now.. that's bad isn't it?18:12
gyeeyes --remote_ids field18:13
*** jaugustine has joined #openstack-keystone18:13
shewlessgyee: so should it be https://idp.testshib.org/idp/shibboleth or Shib-Identity-Provider18:14
gyeeset your remote_ids to "https://idp.testshib.org/idp/shibboleth"18:14
shewlessgyee: SUCCESS!!!!!!!!18:15
gyeenice18:15
gyeeshewless, I have to dash to a meeting, good luck the rest of the way18:16
shewlessgyee, dstanek, ayoung: thank you so much! that was a battle18:16
shewlessgyee: thanks.. still have a lot to do..18:16
*** aratus has quit IRC18:17
ayoungshewless, working on making it less painful in the future, albeit not for Shib, but other18:19
shewlessayoung: I would choose other to avoid that pain :)18:19
shewlessso.. my user name is some crazy hash string.. I'm guessing I need to update my mapping file to make that clearer?18:20
ayoungshewless, I have ansible playbooks I am working on for Red Hat SSO, based on Keycloak, and an older one for Ipsilon18:21
shewlessayoung: that's cool. I'll actually be putting my stuff into a playbook as well18:22
*** aratus has joined #openstack-keystone18:22
ayoungthey are not perfect.  I just realized that they assume mod_auth_mellon has already been installed18:22
ayoungcuz, we do that early on18:22
ayoungbut that should be in the playbook.18:22
ayounger, the role18:22
ayounghttps://github.com/admiyo/rippowam/tree/master/roles/rhsso18:22
ayoungfor rhsso18:23
shewlessayoung: I'll have a look. thanks18:23
ayounghttps://github.com/admiyo/rippowam/tree/master/roles/keycloak-saml-idp  is the Keystone side of it for Keycloak18:23
shewlessayoung: do you know how I would get the top right login name to be the "Name" and not the "ID" ?18:23
ayounghttps://github.com/admiyo/rippowam/tree/master/roles/rhsso-saml-idp18:23
ayoungshewless, fix the bug assigned to me?18:23
shewlessayoung: lol..18:23
ayoungshewless, https://bugs.launchpad.net/keystone/+bug/159042618:24
openstackLaunchpad bug 1590426 in OpenStack Identity (keystone) "Keystone Federated Identity assertion name not included in token" [Undecided,New] - Assigned to Adam Young (ayoung)18:24
shewlessayoung: so no workaround?18:24
*** mkoderer__ has joined #openstack-keystone18:24
ayoungshewless, workaround involves editing python files...18:24
ayoungdoes that count?18:24
*** ddieterly[away] has quit IRC18:24
shewlessayoung: yes if there isn't too much to modify!18:24
ayoungheh18:24
ayoungI have not yet looked at it18:24
ayoungit's in the token, and that is as far as I got18:25
shewlessayoung: lol okay I'll put up with what it is for now18:25
*** gyee has quit IRC18:25
shewlessayoung: I want each user to have their own project assigned to them. Do you know if there is a "project" field in the mapping file?18:26
ayoungshewless, heh18:26
*** dan_nguyen has quit IRC18:26
ayoungdolphm, is working on an autoprovisioning spec even as we speak18:26
shewlessayoung: cool. for now I'm okay if I create the project ahead of time.. I just need to map it correctly18:26
ayoungshewless, nah, you still need a role assignment18:27
shewlessayoung: that's okay. It's the same for ldap.  When we have new users join the company I can run 2 command to assign their role and create a project18:27
*** ddieterly has joined #openstack-keystone18:30
shewlessayoung: I bet I'd have to create a unique group for every user and have a role associated with each group with a default project. Is that right?18:34
ayoungshewless, today?  Yep18:34
ayoungyou can use the "empty blacklist" approach though so you don't need to have each in the mapping18:34
shewlessayoung: oh? that sounds interesting.  How do I do that?18:35
ayounghave each user be their own group, create the group in the SQL backend18:35
ayoungshewless, so instead of https://github.com/admiyo/rippowam/blob/master/roles/keyfed/files/mapping_ipsilon_saml2.json#L3018:36
shewlessayoung: right.. then the mapping would be group "name" : {1}18:36
ayoungdo  "blacklist": []18:36
shewlessayoung: okay. .can I just remove the whitelist/blacklist completely from the mapping?18:37
ayoungyou can map the remote  "type": "MELLON_NAME_ID" to "local": [{18:37
ayoung                "groups": "{0}",18:37
ayoungnah, you need one or the other18:37
*** aratus has quit IRC18:39
*** rderose has joined #openstack-keystone18:39
*** pushkaru has quit IRC18:40
*** tonytan4ever has joined #openstack-keystone18:43
*** dmk0202 has joined #openstack-keystone18:44
*** dmk0202 has quit IRC18:45
*** ebarrera has quit IRC18:46
*** amit213 has joined #openstack-keystone18:51
mwheckmannhello. Wondering if anyone saw the thread I started in openstack-operators ML: http://lists.openstack.org/pipermail/openstack-operators/2016-June/010694.html18:53
mwheckmannactually, ayoung noticed it, but the Operator community doesn't really have much to say about it, so I'm turning to the dev community.18:54
*** nisha__ has joined #openstack-keystone18:54
mwheckmannIs there any way to do what I'm trying to achieve? Or do I have to wait for https://review.openstack.org/#/c/324055/2/specs/keystone/newton/shadow-mapping.rst ?18:55
patchbotmwheckmann: patch 324055 - keystone-specs - Mapping shadow users into projects and roles18:55
*** nisha_ has quit IRC18:57
mwheckmannThe main blocker for me is that all users who come in from federation are thrown into the special "Federated" domain18:58
*** yolanda has quit IRC19:00
*** rderose_ has joined #openstack-keystone19:01
*** rderose has quit IRC19:05
*** jsavak has quit IRC19:05
lbragstadhere is a refactor review if anyone is interested - https://review.openstack.org/#/c/330218/119:08
patchbotlbragstad: patch 330218 - keystone - Move cross domain/group/project auth tests19:08
lbragstadonce that lands i'm going to rebase and fix all the merge conflicts on the dependent patches19:08
*** ebalduf has quit IRC19:09
*** jdennis has joined #openstack-keystone19:12
*** roxanagh_ has joined #openstack-keystone19:13
*** roxanagh_ has quit IRC19:17
*** aratus has joined #openstack-keystone19:25
lbragstadi'm going to perform some updates to the performance job19:27
*** rderose_ has quit IRC19:27
lbragstadpatches in review with 'check performance' will be logged and the jobs will be run later19:27
*** nisha__ is now known as nisha_19:32
*** rderose has joined #openstack-keystone19:32
*** aratus has quit IRC19:38
*** jdennis has quit IRC19:39
*** dmk0202 has joined #openstack-keystone19:40
*** dmk0202 has quit IRC19:43
*** aratus has joined #openstack-keystone19:47
*** djc_ has joined #openstack-keystone19:49
djc_why is the default keystone token expiration set to 24 hours? what are the ramifications of increasing beyond 24 hours?19:49
*** jsavak has joined #openstack-keystone19:55
*** ebalduf has joined #openstack-keystone20:01
*** rderose has quit IRC20:02
*** rderose_ has joined #openstack-keystone20:02
*** dan_nguyen has joined #openstack-keystone20:02
*** lucas___ has quit IRC20:04
*** sheel has quit IRC20:05
brownedjc_:  default token timeout is 1 hour (3600 seconds)20:08
djc_browne: is the default 1 hour for security purposes?20:10
browneyes, because the tokens are bearer tokens.  the longer the expiration, the more time someone can use the token if stolen20:11
djc_browne: we are using swift and keystone. does the 1 hour expiration time pose a problem for transfers longer than 1 hour?20:12
notmynameno20:12
* notmyname lurks in here too20:12
brownedjc_:  not if swift properly acquires a new token when its expired20:12
*** djc_ has quit IRC20:13
brownei think most projects use keystonemiddleware which handles this20:13
notmynamethe token is validated near the start of the request. so if it's validated and then data is transferred for the next 2 hours, that's ok. no need to re-auth in the middle, because that's the same request20:14
*** ddieterly is now known as ddieterly[away]20:14
browneoh ok20:14
*** ayoung has quit IRC20:18
*** openstackstatus has joined #openstack-keystone20:19
*** ChanServ sets mode: +v openstackstatus20:19
*** tonytan4ever has quit IRC20:19
*** dmk0202 has joined #openstack-keystone20:23
*** gyee has joined #openstack-keystone20:24
*** ChanServ sets mode: +v gyee20:24
*** henrynash_ has quit IRC20:29
*** jsavak has quit IRC20:31
*** jsavak has joined #openstack-keystone20:32
shewlesshey guys. I think I'm hitting a weird bug with my federation setup.  When I first try and "connect" via horizon I see an apache error: Not Found: /v3/auth/OS-FEDERATION/websso/saml2.  But when I try and connect subsequently it works as expected.20:32
shewlessI can reproduce this on all browsers or after I restart apache220:32
*** mwheckmann has quit IRC20:32
*** nisha_ has quit IRC20:32
shewlessIE when I restart apache I will always get a "page not found" error the first time I try to connect with each browser.. and then subsequent attempts to connect work perfectly20:33
*** ddieterly[away] is now known as ddieterly20:44
*** dan_nguyen has quit IRC20:48
*** aratus has quit IRC20:49
*** aratus has joined #openstack-keystone20:50
*** jaugustine has quit IRC20:52
*** jamie_h has quit IRC20:57
*** aratus has quit IRC21:03
*** aratus has joined #openstack-keystone21:10
*** roxanagh_ has joined #openstack-keystone21:14
*** pauloewerton has quit IRC21:15
openstackgerritMerged openstack/keystone: Move cross domain/group/project auth tests  https://review.openstack.org/33021821:16
openstackgerritMerged openstack/keystone: Use request object in auth plugins  https://review.openstack.org/33029021:17
*** roxanagh_ has quit IRC21:18
adrian_ottoI'm trying to debug a trust configuration issue, and I'm not able to figure out how to list identity domains.  I don't see them in Horizon, and I can't find them in the "openstack" client either.21:23
adrian_ottowhere should I be looking for that?21:23
lbragstadadrian_otto it looks like osc has domains as its own subcommand - http://docs.openstack.org/developer/python-openstackclient/command-objects/domain.html21:30
jamielennoxo/21:31
lbragstadjamielennox o/21:31
adrian_ottothanks lbragstad. Looks like my osc client is older, because it's not in there.21:32
adrian_otto2.6.021:32
lbragstadadrian_otto ah ha - that could be why21:33
*** aratus has quit IRC21:34
*** rcernin has quit IRC21:36
*** dmk0202 has quit IRC21:38
*** aratus has joined #openstack-keystone21:41
jamielennoxnotmorgan: interesting like good?21:43
*** woodster_ has quit IRC21:48
*** adrian_otto has quit IRC21:50
*** dan_nguyen has joined #openstack-keystone21:53
*** jsavak has quit IRC21:53
*** jsavak has joined #openstack-keystone21:53
tqtranhello, i have a question regarding sso_callback_template.html: how is keystone hosting this file?21:57
tqtranstevemar: ^-- since i know you did some work on this way back21:58
jamielennoxtqtran: from memory it's not hosted by default, you need to stick it in your apache conf in the appropriate place22:00
jamielennoxbut it has been a little while22:00
*** dmk0202 has joined #openstack-keystone22:04
*** browne has quit IRC22:04
*** BjoernT has quit IRC22:04
*** sigmavirus24 is now known as sigmavirus24_22:05
*** timcline has quit IRC22:07
*** ayoung has joined #openstack-keystone22:07
*** ChanServ sets mode: +v ayoung22:07
*** timcline has joined #openstack-keystone22:08
*** edtubill has quit IRC22:09
dstanektqtran: jamielennox: actually keystone serves this from the federation controller22:10
jamielennoxdstanek: oh? then i will shut back up again :p22:11
dstanekjamielennox: http://git.openstack.org/cgit/openstack/keystone/tree/keystone/federation/controllers.py#n33822:11
*** timcline has quit IRC22:12
dstaneki've been looking at federation waaaaay too much22:13
dstanekbknudson_: so what do you think of the response object approach to request_id in keystone client?22:16
bknudson_dstanek: I don't know what that means22:16
dstanekhttps://review.openstack.org/#/c/329913 - you mentioned it in a review22:17
dstanektqtran: does that answer your question22:17
*** javis has quit IRC22:18
bknudson_dstanek: so you have to use .data to get the data?22:18
bknudson_not a fan just because I don't think that's how any other client library implemented this.22:19
dstanekbknudson_: yes22:19
dstanekbknudson_: i just don't want to jump off the bridge because everyone else is doing it22:19
dstanekclient libs are harder to change22:19
*** walharthi has quit IRC22:21
dstanekbknudson_: what do you think would be the right way to do this if we were doing greenfield development22:22
bknudson_just think of osc - it has to work with all these libraries and keystone is going to be totally different22:22
bknudson_I believe the session object has a way to register a callback so I'd have applications do that so they can opt in to getting the request ID22:23
bknudson_also it would be totally async22:23
*** ebalduf has quit IRC22:23
bknudson_and generated dynamically22:23
bknudson_and unicorns would dance22:24
dstanek:-) so magic22:24
bknudson_so it would be similar to your proposal but be a callback instead of changing the return value22:25
*** jsavak has quit IRC22:26
bknudson_the callback would provide more info like the URL that was requested... maybe some timing info?22:26
dstaneki think that would be much better than what was proposed22:26
dstanekbknudson_: right, that's the kind of stuff that i would put in the response object22:27
openstackgerritJamie Lennox proposed openstack/keystone: Use http_proxy_to_wsgi from oslo.middleware  https://review.openstack.org/32741822:27
bknudson_dstanek: http://docs.python-requests.org/en/master/user/advanced/#event-hooks22:28
bknudson_might not need any changes to keystoneclient to use this22:29
*** ddieterly is now known as ddieterly[away]22:32
dstanekbknudson_: you wouldn't with that22:32
*** ddieterly[away] has quit IRC22:32
*** darrenc is now known as darren_afk22:34
lbragstadkeystone performance review if anyone has feedback https://github.com/lbragstad/keystone-performance/pull/1122:36
tqtrandstanek: yep, thanks for the lead. zaqar is trying to do something similar for their subscription confirmation page22:36
bknudson_lbragstad: just put it in gerrit already!22:36
lbragstadbknudson_ soon!22:37
jamielennoxayoung: so your ipa.younglogic.net - what's an ECP protected target i can test it with?22:37
bknudson_lbragstad: doesn't need to clean up?22:38
lbragstadbknudson_ nope - it's in a container that gets deleted when the performance results are done22:39
*** dmk0202 has quit IRC22:39
dstaneklbragstad: does that do a run before and a run after the commit it's testing?22:43
lbragstadnope it does it only in the set up22:43
lbragstadso it stands up keystone, populates it with garbage,22:43
lbragstadrun benchmarks on master22:44
lbragstadthen runs benchmarks on the patch22:44
*** darren_afk is now known as darrenc22:55
*** gordc has quit IRC22:55
*** browne has joined #openstack-keystone22:57
*** ayoung has quit IRC23:07
*** edmondsw has quit IRC23:07
*** browne has quit IRC23:10
*** rderose has joined #openstack-keystone23:13
*** rderose_ has quit IRC23:15
*** roxanagh_ has joined #openstack-keystone23:15
*** raddaoui has quit IRC23:17
*** adrian_otto has joined #openstack-keystone23:19
*** roxanagh_ has quit IRC23:20
*** rderose has quit IRC23:22
*** roxanaghe has quit IRC23:23
*** aratus has quit IRC23:26
dstaneklbragstad: i was thinking that in addition to those two links it puts in there that it could show the before/after in a single txt file23:29
*** aratus has joined #openstack-keystone23:30
dstaneksorry shewless; got busy on a call and didn't realize that you responded. were you able to get what you needed from the others?23:32
*** iurygregory_ has joined #openstack-keystone23:34
*** aratus has quit IRC23:35
*** aratus has joined #openstack-keystone23:38
*** chlong has quit IRC23:42
openstackgerritJamie Lennox proposed openstack/keystone: Use request.params instead of context['query_string']  https://review.openstack.org/33082223:42
*** sshen_ has quit IRC23:43
openstackgerritJamie Lennox proposed openstack/keystone: Use http_proxy_to_wsgi from oslo.middleware  https://review.openstack.org/32741823:44
*** ayoung has joined #openstack-keystone23:44
*** ChanServ sets mode: +v ayoung23:44
*** rderose has joined #openstack-keystone23:45
*** sshen has joined #openstack-keystone23:48
*** jdennis has joined #openstack-keystone23:51
lbragstaddstanek yeah - I have an issue open to simplify all of that23:53
lbragstaddstanek https://github.com/lbragstad/keystone-performance/issues/523:53
*** rderose has quit IRC23:54
ayoungjamielennox, there is a good chance that the Rippowam deploy will fail on upgrade.  if it does, I'll reinstall the IPA server23:54
jamielennoxayoung: i won't need it for long, if you've got something that i can test against for the next few hours that will be enough23:55
jamielennoxayoung: also did you see my reservations spec?23:55
ayoungjamielennox, everything else is inside the RH firewall23:55
ayoungjamielennox, packstack is broken right now23:57
*** sdake has quit IRC23:57
ayoungwait...but this should not be23:57
ayoungbut no, I don't have anything set up.  jamielennox want to throw some app up to hit?  Can even do a Keystone instance if you have an easy way to set it up23:58
jamielennoxayoung: i regret to say i'd need to read all the docs again - but the app is as simple as pretty print the environ23:58
ayoungwe had one of those, I thought.23:59
jamielennoxi had a test script that rippowam used to deploy and comment out23:59
jamielennoxi don't know how you've deployed your public instance23:59
