Monday, 2016-08-08

*** itisha has quit IRC00:00
*** guoshan has joined #openstack-keystone00:05
*** code-R_ has quit IRC00:18
*** code-R has joined #openstack-keystone00:18
*** markvoelker has joined #openstack-keystone00:28
*** code-R_ has joined #openstack-keystone00:38
*** code-R has quit IRC00:38
*** edmondsw has joined #openstack-keystone00:54
*** guoshan has quit IRC00:57
*** code-R_ has quit IRC01:01
*** code-R has joined #openstack-keystone01:11
*** code-R has quit IRC01:11
*** guoshan has joined #openstack-keystone01:24
*** RA_ has joined #openstack-keystone01:26
*** RA_ is now known as RossKrumbeck01:29
*** RossKrumbeck is now known as rkrum01:35
*** rkrum has quit IRC01:40
*** rkrum has joined #openstack-keystone01:40
*** EinstCrazy has joined #openstack-keystone01:41
*** davechen has joined #openstack-keystone01:59
*** hoonetorg has quit IRC02:20
*** julim has joined #openstack-keystone02:36
*** markvoelker has quit IRC02:36
*** zhugaoxiao has quit IRC02:57
*** chlong has quit IRC03:25
*** julim has quit IRC03:28
*** zhugaoxiao has joined #openstack-keystone03:36
*** ayoung has quit IRC03:39
*** dave-mccowan has quit IRC03:47
*** sdake has joined #openstack-keystone03:58
openstackgerritAnh Tran proposed openstack/keystone: api-ref: Correcting V3 Services APIs  https://review.openstack.org/35159804:03
openstackgerritAnh Tran proposed openstack/keystone: api-ref: Correcting V3 Services APIs  https://review.openstack.org/35159804:06
*** roxanaghe has joined #openstack-keystone04:08
*** dikonoor has joined #openstack-keystone04:14
*** guoshan has quit IRC04:14
*** jaosorior has joined #openstack-keystone04:14
*** guoshan has joined #openstack-keystone04:14
*** guoshan has quit IRC04:19
*** korean101 has quit IRC04:25
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements  https://review.openstack.org/35198804:31
*** markvoelker has joined #openstack-keystone04:37
*** tonytan4ever has quit IRC04:39
*** markvoelker has quit IRC04:42
*** guoshan has joined #openstack-keystone04:50
*** guoshan has quit IRC04:56
*** roxanaghe has quit IRC05:03
*** pcaruana has quit IRC05:03
*** roxanaghe has joined #openstack-keystone05:03
*** roxanaghe has quit IRC05:04
*** roxanaghe has joined #openstack-keystone05:04
*** roxanaghe has quit IRC05:05
*** roxanaghe has joined #openstack-keystone05:05
*** roxanaghe has quit IRC05:06
*** roxanaghe has joined #openstack-keystone05:06
*** roxanaghe has quit IRC05:06
*** guoshan has joined #openstack-keystone05:44
*** guoshan has quit IRC05:49
*** adriant has quit IRC05:57
*** chlong has joined #openstack-keystone05:59
*** roxanaghe has joined #openstack-keystone06:02
*** roxanaghe has quit IRC06:06
*** dkehn_ has quit IRC06:10
*** code-R has joined #openstack-keystone06:12
*** code-R_ has joined #openstack-keystone06:12
*** code-R has quit IRC06:16
*** guoshan has joined #openstack-keystone06:21
openstackgerritAnh Tran proposed openstack/keystone: api-ref: Correcting V3 Endpoints APIs  https://review.openstack.org/35160006:23
*** dkehn_ has joined #openstack-keystone06:29
*** sdake has quit IRC06:38
*** markvoelker has joined #openstack-keystone06:38
*** pcaruana has joined #openstack-keystone06:38
*** rcernin has joined #openstack-keystone06:41
*** markvoelker has quit IRC06:42
*** maestropandy has joined #openstack-keystone06:48
*** tesseract- has joined #openstack-keystone06:53
*** code-R_ has quit IRC07:01
*** code-R has joined #openstack-keystone07:01
*** jpena|off is now known as jpena07:11
*** roxanaghe has joined #openstack-keystone07:12
*** dkehn_ has quit IRC07:14
*** roxanaghe has quit IRC07:17
*** rkrum has quit IRC07:23
*** permalac has joined #openstack-keystone07:24
*** maestropandy has quit IRC07:25
*** zouyapeng has joined #openstack-keystone07:27
*** danpawlik has joined #openstack-keystone07:43
*** code-R has quit IRC07:48
openstackgerritAnh Tran proposed openstack/keystone: api-ref: Correcting V3 Domain config APIs  https://review.openstack.org/35226007:52
*** zzzeek has quit IRC08:00
*** zzzeek has joined #openstack-keystone08:00
openstackgerritAnh Tran proposed openstack/keystone: api-ref: Correcting V3 Domain config APIs  https://review.openstack.org/35226008:05
openstackgerritDavanum Srinivas (dims) proposed openstack/keystone: [WIP] Testing latest u-c  https://review.openstack.org/31843508:10
*** roxanaghe has joined #openstack-keystone08:13
*** roxanaghe has quit IRC08:18
*** amoralej|off is now known as amoralej08:20
-openstackstatus- NOTICE: Gerrit is going to be restarted08:38
*** dikonoor has quit IRC08:45
*** jistr|mtg is now known as jistr08:50
*** eileen has joined #openstack-keystone08:56
eileenhi,all08:56
*** roxanaghe has joined #openstack-keystone09:00
*** roxanaghe has quit IRC09:05
*** daemontool has joined #openstack-keystone09:14
*** pnavarro has joined #openstack-keystone09:22
*** mvk has joined #openstack-keystone09:24
*** mvk_ has joined #openstack-keystone09:27
*** daemontool has quit IRC09:31
openstackgerritAnh Tran proposed openstack/keystone: api-ref: Correcting V3 Authentication APIs  https://review.openstack.org/35229109:32
*** mvk_ has quit IRC09:38
openstackgerritKseniya Tychkova proposed openstack/oslo.policy: Refactoring of Enforcer class  https://review.openstack.org/34600209:39
*** rkrum has joined #openstack-keystone09:46
openstackgerritAnh Tran proposed openstack/keystone: api-ref: Correcting parameters of Policies APIs  https://review.openstack.org/35163610:04
rdoyo - having a problem with Horizon and keystone domains... I can get a domain scoped token from Keystone, and have configured Horizon for v3, but when I try and login it keeps redirecting me to the login page, never proceeds to the dashboard, any ideas? thanks!10:13
*** guoshan has quit IRC10:21
*** EinstCrazy has quit IRC10:24
*** amakarov_away is now known as amakarov10:37
*** rkrum has quit IRC10:38
*** eileen has quit IRC10:39
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements  https://review.openstack.org/35198810:42
openstackgerritOpenStack Proposal Bot proposed openstack/keystonemiddleware: Updated from global requirements  https://review.openstack.org/35232210:42
*** dkehn has joined #openstack-keystone10:48
*** maestropandy has joined #openstack-keystone10:57
*** maestropandy has quit IRC11:01
openstackgerritBoris Bobrov proposed openstack/keystoneauth: Add 308 to the list of redirect statuses  https://review.openstack.org/35234611:02
*** guoshan has joined #openstack-keystone11:02
openstackgerritBoris Bobrov proposed openstack/keystoneauth: Add 308 to the list of redirect statuses  https://review.openstack.org/35234611:02
*** maestropandy has joined #openstack-keystone11:04
*** maestropandy has left #openstack-keystone11:05
*** pcaruana has quit IRC11:06
*** pcaruana has joined #openstack-keystone11:07
*** sdake has joined #openstack-keystone11:08
*** sdake has quit IRC11:08
*** sdake has joined #openstack-keystone11:08
*** permalac has quit IRC11:09
*** thiagolib has joined #openstack-keystone11:17
*** jaosorior has quit IRC11:27
*** jaosorior has joined #openstack-keystone11:28
*** maestropandy1 has joined #openstack-keystone11:28
*** rodrigods has quit IRC11:33
*** rodrigods has joined #openstack-keystone11:33
*** sdake has quit IRC11:36
*** sdake has joined #openstack-keystone11:39
*** pauloewerton has joined #openstack-keystone11:39
*** sdake has quit IRC11:41
*** gordc has joined #openstack-keystone11:43
*** sdake has joined #openstack-keystone11:43
*** markvoelker has joined #openstack-keystone11:45
*** raildo has joined #openstack-keystone11:56
*** jpena is now known as jpena|lunch11:58
*** amoralej is now known as amoralej|off12:02
*** amoralej|off is now known as amoralej|lunch12:03
*** davechen has quit IRC12:04
*** maestropandy1 has quit IRC12:09
*** guoshan has quit IRC12:12
openstackgerrityuyafei proposed openstack/python-keystoneclient: Add __ne__ built-in function  https://review.openstack.org/33743512:12
*** guoshan has joined #openstack-keystone12:28
*** rkrum has joined #openstack-keystone12:31
*** rkrum has left #openstack-keystone12:31
*** maestropandy has joined #openstack-keystone12:33
*** maestropandy has left #openstack-keystone12:34
*** zouyapeng has quit IRC12:42
openstackgerrithenry-nash proposed openstack/keystone: Add contract migrations to keystone-manage  https://review.openstack.org/34993912:51
*** dave-mccowan has joined #openstack-keystone12:52
openstackgerrithenry-nash proposed openstack/keystone: Add the migration phase status table  https://review.openstack.org/34970312:57
openstackgerrithenry-nash proposed openstack/keystone: Add support for rolling upgrades to keystone-manage  https://review.openstack.org/34971613:09
openstackgerrithenry-nash proposed openstack/keystone: Add contract migrations to keystone-manage  https://review.openstack.org/34993913:10
*** dkehn has quit IRC13:11
*** tonytan4ever has joined #openstack-keystone13:12
*** jpena|lunch is now known as jpena13:17
*** maestropandy1 has joined #openstack-keystone13:18
*** dkehn_ has joined #openstack-keystone13:24
*** julim has joined #openstack-keystone13:33
amakarovbknudson, good day! Can you please look at https://review.openstack.org/#/c/352343/13:33
patchbotamakarov: patch 352343 - keystoneauth - add status code 308 to _REDIRECT_STATUSES13:33
amakarovit's a quick fix13:33
*** ayoung has joined #openstack-keystone13:34
*** ChanServ sets mode: +v ayoung13:34
*** ayoung has quit IRC13:37
*** amoralej|lunch is now known as amoralej13:37
*** ayoung has joined #openstack-keystone13:43
*** ChanServ sets mode: +v ayoung13:43
*** guoshan has quit IRC13:50
*** guoshan has joined #openstack-keystone13:55
*** iurygregory has joined #openstack-keystone13:56
*** richm has joined #openstack-keystone13:57
bknudsonamakarov: if it's important then there should be a unit test.14:01
*** roxanaghe has joined #openstack-keystone14:02
amakarovbknudson, ack14:02
*** ezpz has joined #openstack-keystone14:02
*** roxanaghe has quit IRC14:06
*** EinstCrazy has joined #openstack-keystone14:07
openstackgerritAlexander Ignatyev proposed openstack/keystone: Support new osprofiler API  https://review.openstack.org/34140114:08
*** ravelar has joined #openstack-keystone14:09
*** spzala has joined #openstack-keystone14:10
*** woodster_ has joined #openstack-keystone14:11
*** maestropandy1 has quit IRC14:12
*** spzala has quit IRC14:15
*** spzala has joined #openstack-keystone14:15
*** code-R has joined #openstack-keystone14:16
*** spzala has quit IRC14:16
*** spzala has joined #openstack-keystone14:16
*** jaugustine_ is now known as jaugustine14:18
*** maestropandy1 has joined #openstack-keystone14:20
*** maestropandy1 has left #openstack-keystone14:20
*** code-R_ has joined #openstack-keystone14:20
*** maestropandy has joined #openstack-keystone14:21
*** permalac has joined #openstack-keystone14:21
*** maestropandy has left #openstack-keystone14:21
*** code-R has quit IRC14:23
*** slberger has joined #openstack-keystone14:24
*** EinstCrazy has quit IRC14:26
openstackgerritAlexander Makarov proposed openstack/keystoneauth: add status code 308 to _REDIRECT_STATUSES  https://review.openstack.org/35234314:27
amakarovbknudson, ^14:27
*** EinstCrazy has joined #openstack-keystone14:28
*** narengan has joined #openstack-keystone14:29
*** narengan has quit IRC14:30
*** HenryG has joined #openstack-keystone14:33
*** amoralej is now known as amoralej|brb14:34
*** roxanaghe has joined #openstack-keystone14:37
*** markvoelker has quit IRC14:41
*** guoshan has quit IRC14:53
*** markvoelker has joined #openstack-keystone14:54
*** eeiden has left #openstack-keystone14:55
*** jaosorior has quit IRC14:56
*** pnavarro has quit IRC14:57
*** narengan has joined #openstack-keystone14:59
*** kragniz has quit IRC15:00
*** ravelar has quit IRC15:02
*** KevinE has joined #openstack-keystone15:04
*** KevinE has joined #openstack-keystone15:05
*** amoralej|brb is now known as amoralej15:07
openstackgerrithenry-nash proposed openstack/keystone: Add support for rolling upgrades to keystone-manage  https://review.openstack.org/34971615:12
openstackgerrithenry-nash proposed openstack/keystone: Add contract migrations to keystone-manage  https://review.openstack.org/34993915:12
*** ravelar has joined #openstack-keystone15:22
*** EinstCrazy has quit IRC15:34
*** EinstCrazy has joined #openstack-keystone15:35
*** code-R_ has quit IRC15:37
*** pgbridge has joined #openstack-keystone15:38
*** woodburn has joined #openstack-keystone15:43
*** edmondsw has quit IRC15:50
*** michauds has joined #openstack-keystone15:57
*** haplo37__ has joined #openstack-keystone16:00
*** rcernin has quit IRC16:01
*** Nissmed has joined #openstack-keystone16:02
*** narengan1 has joined #openstack-keystone16:02
Nissmedhello, can someone help me! I want to know how I can display the console with php opencloud 'openstack'16:03
*** narengan has quit IRC16:06
*** EinstCrazy has quit IRC16:09
*** dikonoor has joined #openstack-keystone16:11
*** pcaruana has quit IRC16:11
*** permalac has quit IRC16:12
*** adrian_otto has joined #openstack-keystone16:12
openstackgerritDolph Mathews proposed openstack/keystone-specs: Simplify manage-migration spec by introducing read-only mode  https://review.openstack.org/35179816:15
stevemarof course, the one time i book with delta....16:19
*** code-R has joined #openstack-keystone16:22
*** code-R_ has joined #openstack-keystone16:23
*** slberger has quit IRC16:24
lbragstadamakarov ping!16:24
amakarovlbragstad, o/16:24
lbragstadamakarov do you mind if we abandon https://review.openstack.org/#/c/324029/  since https://review.openstack.org/#/c/340074/ merged?16:25
patchbotlbragstad: patch 324029 - keystone - Add failed auth attempts logic to meet PCI-DSS16:25
patchbotlbragstad: patch 340074 - keystone - PCI-DSS Lockout requirements (MERGED)16:25
amakarovlbragstad, do I have a choice? ))16:25
lbragstadamakarov ha - I was just making sure there wasn't something else in there that needed to be done?16:26
lbragstadamakarov I was looking through the last review PCI patches and I saw that one still open16:26
*** code-R has quit IRC16:26
amakarovlbragstad, Ron did that his way and I support that - 1 man doing 1 feature16:26
lbragstadamakarov cool16:27
amakarovlbragstad, of course abandon that16:27
lbragstadamakarov sounds good - thanks for confirming :)16:27
amakarovlbragstad, and since you are here: https://review.openstack.org/#/c/309146/16:27
patchbotamakarov: patch 309146 - keystone - Pre-cache new tokens16:27
amakarovdoes your performance test bot enable caching for tests?16:28
amakarovlbragstad, and where can I find it :)16:28
stevemaramakarov: https://github.com/lbragstad/keystone-performance16:28
*** catintheroof has joined #openstack-keystone16:28
*** doug-fish has joined #openstack-keystone16:29
lbragstadamakarov we use totally upstream openstack-ansible to standup keystone16:29
*** david-lyle_ has joined #openstack-keystone16:29
lbragstadamakarov which is all here - https://github.com/openstack/openstack-ansible-os_keystone16:30
amakarovlbragstad, the thing is: was my patch tested with caching enabled or not? Its value depends on it16:30
lbragstadamakarov token caching?16:31
lbragstadi believe so16:31
*** slberger has joined #openstack-keystone16:31
lbragstadcaching is enabled by default in keystone I think16:32
*** david-lyle has quit IRC16:33
amakarovlbragstad, if I test it on vanilla devstack - will I have the same keystone settings?16:33
lbragstadamakarov nope - probably not16:33
Nissmedhello, can someone help please! I want to know how I can display the console with php opencloud 'openstack'16:33
lbragstaddevstack and openstack-ansible are both opinioned deployment tools for openstack16:33
*** gyee has joined #openstack-keystone16:33
*** tonytan4ever has quit IRC16:34
amakarovlbragstad, so I need an env deployed with openstack-ansible?16:34
lbragstadamakarov yeah - you could16:34
*** tonytan4ever has joined #openstack-keystone16:34
amakarovlbragstad, thank you for directions16:36
lbragstadamakarov i believe the openstack-ansible folks have some good documentation on deploying16:37
prometheanfire:D16:37
*** tonytan_brb has joined #openstack-keystone16:37
lbragstadamakarov absolutely!16:37
lbragstadamakarov my performance stuff setups a local keystone deployment16:37
lbragstadusing the keystone role16:37
lbragstadamakarov speaking of openstack-ansible, meet prometheanfire :)16:37
prometheanfirelol, I mostly do rpc-o but close enough16:38
*** tonytan4ever has quit IRC16:38
*** esp has joined #openstack-keystone16:38
amakarovlbragstad, you mean that smiling man above? )16:38
amakarovprometheanfire, hi!16:38
prometheanfirelaughing man, sure16:38
amakarovcan you please point me to a row that specifies that token caching is enabled?16:39
prometheanfirein master?16:40
*** roxanaghe has quit IRC16:40
*** roxanaghe has joined #openstack-keystone16:41
amakarovprometheanfire, I want to find out why my shiny-brilliant-performance-boosting patch has next to no effect https://review.openstack.org/#/c/309146/ :)16:41
patchbotamakarov: patch 309146 - keystone - Pre-cache new tokens16:41
amakarovprometheanfire, so I try to figure out the setup of performance testing env16:42
prometheanfireyou want to set up a test env to make sure your patch works?16:42
amakarovprometheanfire, yes16:43
*** Nissmed has left #openstack-keystone16:43
prometheanfireeasiest way is to set up an AIO16:43
amakarovprometheanfire, and right now I'm deploying devstack for that16:43
amakarovAIO?16:43
prometheanfireall in one16:44
prometheanfirehttps://developer.rackspace.com/blog/life-without-devstack-openstack-development-with-osa/16:44
amakarovokay... so devstack...16:44
*** jpena is now known as jpena|off16:44
prometheanfirebasically16:44
prometheanfireI don't think anyone has made updated docs for our split out stuff16:44
amakarovprometheanfire, it's sooo slow (16:44
prometheanfireOSA is better in my experience at least16:45
amakarovprometheanfire, is there any "step-by-step OSA for dummies" available?16:46
prometheanfirehttp://docs.openstack.org/developer/openstack-ansible/16:46
prometheanfirethe newton section most likely16:47
*** amoralej is now known as amoralej|off16:47
*** code-R has joined #openstack-keystone16:47
*** code-R_ has quit IRC16:48
*** tesseract- has quit IRC16:57
*** amakarov has quit IRC17:00
*** browne has joined #openstack-keystone17:03
*** amakarov has joined #openstack-keystone17:03
*** sdake_ has joined #openstack-keystone17:13
*** sdake has quit IRC17:15
*** daemontool has joined #openstack-keystone17:16
*** narengan1 has quit IRC17:23
*** diazjf has joined #openstack-keystone17:23
henrynashdolphm: hi...I added your RO upgrade proposal to tomorrow's agenda....so we have a slot if we need one17:24
*** edmondsw has joined #openstack-keystone17:28
*** ezpz has quit IRC17:36
*** nishaYadav has joined #openstack-keystone17:37
* nishaYadav o/17:37
*** dikonoor has quit IRC17:37
openstackgerritMerged openstack/keystonemiddleware: Updated from global requirements  https://review.openstack.org/35232217:39
*** diazjf has quit IRC17:41
*** code-R has quit IRC17:41
*** Nakato has quit IRC17:41
*** david-lyle_ has quit IRC17:42
*** Nakato has joined #openstack-keystone17:42
*** Gorian_ has joined #openstack-keystone17:43
ayoungstevemar, notmorgan, Ever test Federation code behind HA Proxy?17:45
*** david-lyle has joined #openstack-keystone17:45
ayoungjdennis, BTW,  does it make sense that mod_auth_mellon should check the Destination against its copy of the metadata instead of against a host URL it builds?17:47
notmorganayoung: nope.17:48
ayoungnotmorgan, I know you were doing a lot with HA proxy.  We've hit a bit of a speedbump here.17:48
ayoungnotmorgan, it seems that HA proxy likes things that start with https,  but apache is doing things with http.  If they are in headers, HA proxy can translate, but SAML puts things into the body of the messages that also need to be confirmed17:49
ayoungI've got the problems limited down to http vs https17:50
*** dikonoor has joined #openstack-keystone17:50
notmorganayoung: haven't even tried.17:50
ayoungnotmorgan, ok...we'll get it17:50
notmorganthe simplest solution might be to avoid that all together and TLS haproxy->apache17:51
notmorgani know it costs more cpu to do so17:51
jdennisayoung: I'm not sure I understand your question, it has to use the URLs in the metadata, that is the trusted piece of information17:51
ayoungnotmorgan, that is one thing we are considering17:52
ayoungjdennis, but that is not what it is checking17:52
notmorganbut it *is* the simplest.17:52
ayoungit is doing17:52
ayoung   url = am_reconstruct_url(r);17:52
openstackgerritEric Brown proposed openstack/keystone: Removal of deprecated direct driver loading  https://review.openstack.org/35081517:52
ayoungnotmorgan, yes, for us, but might not be a viable solution for everyone.  It means you are encrypting for local traffic, too, which may be more expensive than people want.  But, yeah, that was my first thought, and probably what I will go with.17:53
jdennisayoung: sorry, not being clear, in this case the destination is set from the SP metadata by the IdP, SAML requires the endpoint the message was received on matches that, so am_reconstruct_url should (in theory) be the endpoint the message was received on17:54
notmorganayoung: not always. you could run a VHOST just for ssl for HAproxy and have a non-TLS vhost for everything else.17:54
gyeeayoung, are you hitting the famous 'BindException' with request url mismatch?17:54
ayoungjdennis, so, I am looking to see if, instead of  am_reconstruct_url  we could pull the AssertionConsumerService Location value17:55
ayounggyee, not quite17:55
*** sdake has joined #openstack-keystone17:55
gyeewe hit that one last year, when ssl is terminated at ha proxy17:55
jdennisayoung: no, absolutely not17:55
ayounggyee, we are getting something similar, which is essentially a string mismatch.  The host is OK, it is the https versus http that is messing us up right now17:55
jdennisayoung: that is bypassing the security check17:55
ayoungjdennis, why, if it is the local version of the metadata?17:56
ayoungit is parsed out of the file.17:56
gyeeyeah, problem is request URL is signed as part of relay state17:56
gyeeand signature is being validated at the apache instance17:56
jdennisayoung: no, it's not coming from the local copy on the SP, it's coming from the metadata loaded into the IdP17:56
gyeerequest URL is point to the VIP17:56
ayoungjdennis, so, that is not what I am suggesting17:56
ayoungthere is code that reads and stores it in cfg->sp_metadata_file17:57
ayoungit is read from the file system17:57
*** sdake_ has quit IRC17:57
jdennisayoung: no, that is not implementing the SAML requirement17:57
*** diazjf has joined #openstack-keystone17:57
*** ravelar has quit IRC17:58
ayoungjdennis, I've not read the requirement, but I assume it is along the lines of "verify that the destination value passed in is the one that you expect"17:59
ayoungand the "one that you expect" as defined by mod_auth_mellon today is not the same as what you need if there is a proxy17:59
jdennisayoung: the IdP says "I intend this message to go here (e.g. destination)", the SP must confirm the message was actually received at that endpoint, e.g. what is in the request18:00
*** code-R has joined #openstack-keystone18:00
ayoungjdennis, right, and the sp needs to determine "hey, what is my name" in order to confirm that. mellon is being too Apache based in answering that.18:00
jdennisayoung: there is a difference between "what you expect" and "what it actually is"18:01
ayoungI could see it be a mellon config option "MellonSPUrL"18:01
ayoungWhen I deposit a check to be cashed, I put it in an envelope that is addressed to BofA, not to the Actual name of the Teller behind the window.18:02
jdennisayoung: there isn't one "MellonSPUrl", there are many, all are in the SP metadata18:02
*** julim has quit IRC18:04
jdennisayoung: there is no point in trying to reinvent the SAML specification, it's very clear on the requirements and until proven otherwise I believe Mellon is enforcing the requirement18:04
ayoungjdennis, so why is it a problem if mod_auth_mellon reads those values out of its local config as opposed to regenerating it from what Apache thinks it is?18:05
*** doug-fish has quit IRC18:05
*** dikonoor has quit IRC18:05
ayoungthe spec can't say "you have to call ap_reconstruct_url"  it has to be more generic than that18:05
*** julim has joined #openstack-keystone18:05
jdennisayoung: because it's the difference between what is expected (what is in some copy of the metadata) and what is actually received18:07
jdennisayoung: it's akin to man-in-the-middle checks18:08
*** ravelar has joined #openstack-keystone18:09
ayoungjdennis, but in this case, mod_auth_mellon would be confirming that the value it got back matches what it expects. It just is a different definition of how to determine what it expects.18:09
*** daemontool has quit IRC18:10
ayoung<import namespace="urn:oasis:names:tc:SAML:2.0:assertion"18:10
ayoungschemaLocation="saml-schema-assertion-2.0.xsd"/>18:10
ayoung<import namespace="http://www.w3.org/2000/09/xmldsig#"18:10
ayoungschemaLocation="http://www.w3.org/TR/2002/REC-xmldsig-core-18:10
ayoung20020212/xmldsig-core-schema.xsd"/>18:10
ayoung<annotation>18:10
ayoung<documentation>18:10
ayoungDocument identifier: saml-schema-protocol-2.018:10
ayoungLocation: http://docs.oasis-open.org/security/saml/v2.0/18:10
ayoungRevision history:18:10
ayoungV1.0 (November, 2002):18:10
ayoungInitial Standard Schema.18:10
ayoungV1.1 (September, 2003):18:10
ayoungUpdates within the same V1.0 namespace.18:10
ayoungV2.0 (March, 2005):18:10
ayoungNew protocol schema based in a SAML V2.0 namespace.18:10
ayoung</documentation>18:10
ayoung</annotation>18:10
ayoung...18:10
ayoung</schema>18:10
ayoung3.218:10
ayoungRequests18:10
ayoungand Responses18:11
ayoungThe following secti18:11
ayoungons define the SAML constru18:11
ayoungcts and basic18:11
ayoung require18:11
ayoungments that underlie all of the request18:11
ayoungand respon18:11
ayoungse messages used in SAML protocols.18:11
ayoung3.2.118:11
ayoungComplex T18:11
ayoungype Request18:11
ayoungAbstractT18:11
ayoungype18:11
ayoungAll SAML requests are of types that are derived from the abstract18:11
ayoungRequest18:11
ayoungAbstractType18:11
ayoung complex type.18:11
ayoungThis type defines common attributes and elements that are associated18:11
ayoung with all SAML request18:11
ayoungs:18:11
ayoungNote:18:11
ayoung The18:11
ayoung<18:11
ayoungRespondWith18:11
ayoung>18:11
ayoung element has been removed from18:11
ayoungRequestAbstractType18:11
ayoungfor V2.0 of SAML.18:11
ayoungID18:12
ayoung [Requi18:12
ayoungred]18:12
ayoungAn identifier for the request. It is of type18:12
ayoungxs:18:12
ayoungID18:12
ayoung and MUST follow the requi18:12
ayoungrements specified18:12
ayoung in Section18:12
ayoung1.3.418:12
ayoung for identifier uniqueness. The values of the18:12
ayoungID18:12
ayoung attribute in a request18:12
ayoung and the18:12
ayoungInResponseTo18:12
ayoungattribute in the corresponding18:12
ayoung respon18:12
ayoungse MUST match.18:12
ayoungVersion18:12
ayoung [Requi18:12
ayoungred]18:12
ayoungThe version of this request.18:12
ayoung The identifier for the version of SAML defined in this specification is "2.0".18:12
ayoungSAML versioning is d18:12
ayoungiscussed in Section18:12
ayoung418:12
ayoung.18:12
ayoungIssueInstant18:12
ayoung [Requi18:13
ayoungred]18:13
ayoungThe time instant of issue of the request.18:13
jdennisayoung: what did you paste into chat? It's long and coming through in slow tiny snippets18:13
ayoung The time value is encoded in18:13
ayoungUTC, as described in18:13
ayoung Section18:13
ayoung1.3.318:13
ayoung.18:13
ayoungDestination18:13
ayoung [Optional]18:13
*** doug-fish has joined #openstack-keystone18:13
ayoungA URI reference indicating the add18:13
ayoungress to which this request has been sent.18:13
ayoung This is useful to prevent18:13
ayoungmalicious18:13
ayoung forwarding of request18:13
ayoungs to unintende18:13
ayoungd recipients, a protection that is requi18:13
ayoungred by some18:13
ayoungprotocol18:13
ayoung bindings. If it is present,18:13
ayoung the actual recipient M18:13
ayoungAh  Sorry18:13
ayoungSorry to the whole room for that misclick...was not supposed to be in this window18:13
ayoungjdennis, anyway, I was looking at the spec: https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf18:13
ayoungand what it says can be read if you read up in my crapflood about 10 lines to where it starts Destination18:13
ayoungjdennis, I did not mean to paste that in to chat.  It came from a PDF I was looking at and accidentally highlighted18:13
ayoungjdennis, I was reading https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf18:13
openstackgerritMerged openstack/keystone: remove test utilities related to adding extensions  https://review.openstack.org/35197918:14
jdennisayoung: yes, I know what it says, I've reread over the weekend and again this morning18:14
ayoungjdennis, I'll defer to you, but I do not see how reading the value from a config file could lead to a MITM attack.18:15
ayoungNow, I would agree that if it used the metadata as send in the SAML handshake across the wire, that would be untrustworthy18:15
*** adrian_otto has quit IRC18:16
jdennisayoung: "the Destination XML attribute in the root SAML element of the protocol message MUST contain the URL to which the sender has instructed the user agent to deliver the message. The recipient MUST then verify that the value matches the location at which the message has been received."18:17
jdennisayoung: it's the last 4 words here that are the issue, Mellon is verifying where it was received18:18
SamYaple /kick ayoung spam18:18
jdennisthat is where the reconstruct_url is coming into play based off Apache's request rec18:18
jdennisk18:19
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements  https://review.openstack.org/35198818:20
*** doug-fish has quit IRC18:20
ayoungSamYaple, sorry18:22
ayoungSamYaple, it was a bad combination of clicking in the wrong window and PDF forcing through newlines18:22
ayoungSamYaple, coupled by the fact that I had highlighted more than I really wanted...it ended up very ugly18:23
ayoungjdennis, I see no problem with mod_auth_mellon reading its copy of the metadata file for the url to confirm.  It is a local config file at that point.18:24
ayoungjdennis, anyway, gotta go pick up my son...Summer schedule only for one more week after this...18:25
SamYapleayoung: it gets me too. two paste buffers and i dont always paste the correct one18:26
*** ayoung has quit IRC18:27
*** Ephur has quit IRC18:40
*** ravelar has quit IRC18:43
notmorgani...18:43
notmorganwow18:43
* stevemar waves at notmorgan: 18:45
notmorgani came back to ayoung's misclick :P18:45
18:47 *** narengan has joined #openstack-keystone
18:49 *** tsufiev_ has joined #openstack-keystone
18:49 *** tsufiev has quit IRC
18:50 *** Anticime1 has joined #openstack-keystone
18:50 *** mtreinish_ has joined #openstack-keystone
18:50 *** Kimmo___ has joined #openstack-keystone
18:50 *** rderose_ has joined #openstack-keystone
18:50 *** gsilvis_ has joined #openstack-keystone
18:50 *** sto_ has joined #openstack-keystone
18:50 *** ianw_ has joined #openstack-keystone
18:50 *** dancn` has joined #openstack-keystone
18:50 *** mfisch` has joined #openstack-keystone
18:50 *** ntpttr has quit IRC
18:50 *** mfisch has quit IRC
18:50 *** ianw has quit IRC
18:50 *** mtreinish has quit IRC
18:50 *** Dave has quit IRC
18:50 *** Anticimex has quit IRC
18:50 *** sto has quit IRC
18:50 *** nikhil has quit IRC
18:50 *** rderose has quit IRC
18:50 *** david_cu has quit IRC
18:50 *** dancn has quit IRC
18:50 *** gsilvis has quit IRC
18:50 *** henrynash has quit IRC
18:50 *** Kimmo__ has quit IRC
18:50 *** ntpttr- has joined #openstack-keystone
18:50 *** Dave__ has joined #openstack-keystone
18:50 *** mtreinish_ is now known as mtreinish
18:50 *** ianw_ is now known as ianw
18:50 *** henrynash has joined #openstack-keystone
18:51 *** gsilvis_ is now known as gsilvis
18:52 *** nikhil has joined #openstack-keystone
18:56 *** code-R has quit IRC
18:59 *** code-R has joined #openstack-keystone
19:00 <prometheanfire> stevemar: dolphm said you are doing it wrong
19:00 <prometheanfire> kthnx
19:00 <prometheanfire> s/\./_/
19:04 *** roxanaghe has quit IRC
19:07 *** fifieldt has quit IRC
19:10 *** narengan has quit IRC
19:17 *** fifieldt has joined #openstack-keystone
19:20 <openstackgerrit> Samuel de Medeiros Queiroz proposed openstack/python-keystoneclient: Remove deprecated 'data' credential argument  https://review.openstack.org/352567
19:20 *** narengan has joined #openstack-keystone
19:20 <samueldmq> stevemar: dolphm: this ^ removes something that was supposed to be removed in ksc 2.0.0
19:20 <samueldmq> I created a bug for tracking it, as I was not sure a blueprint or something else was needed
19:22 *** Ephur has joined #openstack-keystone
19:31 *** diazjf1 has joined #openstack-keystone
19:35 *** diazjf has quit IRC
19:42 *** edmondsw has quit IRC
19:44 *** jistr has quit IRC
19:46 <bknudson> why aren't reviews adequate for tracking?
19:47 *** nikhil has quit IRC
19:47 *** nikhil has joined #openstack-keystone
19:47 *** tsufiev_ is now known as tsufiev
19:48 *** jistr has joined #openstack-keystone
19:50 <samueldmq> bknudson: they are. but for release notes we need a bug/bp afaik
19:51 <bknudson> I disagree that a bug is needed for release notes.
19:51 <bknudson> or a blueprint
19:51 <samueldmq> ok I may be wrong then
19:52 <samueldmq> I will remove the bug
19:53 <bknudson> I just don't want to see people wasting their time maintaining bug reports.
19:53 *** jistr has quit IRC
19:53 <bknudson> We need to publicize problems. That's what bugs are for.
19:53 <samueldmq> bknudson: that makes sense
19:56 *** itisha has joined #openstack-keystone
19:56 *** jistr has joined #openstack-keystone
19:57 *** adrian_otto has joined #openstack-keystone
19:58 <openstackgerrit> Samuel de Medeiros Queiroz proposed openstack/python-keystoneclient: Remove deprecated 'data' credential argument  https://review.openstack.org/352567
19:58 <samueldmq> bknudson: ^ thanks
20:06 *** roxanaghe has joined #openstack-keystone
20:09 <bknudson> back to thinking about the caching problem -- what if we put the original key in the value. Then the code could check the original key matched the given key.
20:14 <openstackgerrit> Harini proposed openstack/keystone: EndpointPolicy driver doesn't inherit interface  https://review.openstack.org/352586
20:16 *** narengan1 has joined #openstack-keystone
20:16 *** tonytan_brb has quit IRC
20:19 *** narengan has quit IRC
20:25 *** spzala has quit IRC
20:27 *** spzala has joined #openstack-keystone
20:29 *** tqtran has joined #openstack-keystone
20:31 *** edtubill has joined #openstack-keystone
20:33 *** sdake has quit IRC
20:46 *** gyee has quit IRC
20:47 *** gyee has joined #openstack-keystone
20:51 *** edmondsw has joined #openstack-keystone
20:55 *** diazjf1 has quit IRC
20:55 *** ayoung has joined #openstack-keystone
20:55 *** ChanServ sets mode: +v ayoung
21:03 *** raildo has quit IRC
21:06 *** pauloewerton has quit IRC
21:07 *** ravelar has joined #openstack-keystone
21:08 *** haplo37__ has quit IRC
21:10 *** pnavarro has joined #openstack-keystone
21:12 <openstackgerrit> Dolph Mathews proposed openstack/keystone: Add basic upgrade documentation  https://review.openstack.org/350341
21:17 *** tonytan4ever has joined #openstack-keystone
21:21 *** asettle has joined #openstack-keystone
21:21 *** julim has quit IRC
21:21 <asettle> dstanek lbragstad dolphm - pinging you all in one channel is easier. I'm going through the docs, and I might require config files for certain sections that I cannot find immediately on the federated identity site.
21:21 <asettle> Can you guys help me source?
21:22 <dolphm> asettle: absolutely
21:22 <dolphm> cc- rderose_ ravelar
21:22 *** tonytan4ever has quit IRC
21:23 *** ravelar has quit IRC
21:23 <dstanek> asettle: shore
21:23 <asettle> Cool. So, running through the docs as is. I'm looking at enabling federation within keystone. Step 1: "run keystone under apache" - can I have the command for this. Step 2: "configure apache to use a federation capable authentication method" - configuration file please, and Step 3: "configure federation in keystone" - configuration info for this one too please
21:23 *** haplo37__ has joined #openstack-keystone
21:24 *** adriant has joined #openstack-keystone
21:24 <dolphm> asettle: there's no command - it's referring to configuring apache with a mod_wsgi virtual host(s) for keystone
21:25 <asettle> Ah I see. Makes sense. Cool. As long as "Run keystone under apache" makes sense on its own, happy to move on.
21:25 <dolphm> asettle: so, http://docs.openstack.org/mitaka/install-guide-obs/keystone-install.html.wsgi
21:26 <asettle> That 404'd me
21:26 <dolphm> asettle: whoops http://docs.openstack.org/mitaka/install-guide-obs/keystone-install.html
21:27 <asettle> "Configure the apache HTTP server" ?
21:27 <dolphm> asettle: oh, yes, i meant to link straight to that section
21:27 <asettle> All good :) found it. It'll be easy cause then I can link it up.
21:29 <dolphm> asettle: step 2, that's sort of a big step. it's literally install something like shibboleth (libapache2-mod-shib2), configure your apache virtual host to be protected by shib, and setup shib itself
21:29 <dolphm> asettle: which is mostly covered here http://docs.openstack.org/developer/keystone/federation/shibboleth.html
21:30 <asettle> Okay, cool :)
21:30 <dolphm> asettle: and you'd have to follow all of shib's docs https://wiki.shibboleth.net/confluence/display/SHIB2/Installation
21:31 <dstanek> lbragstad: whoa, no worky worky
21:32 <lbragstad> dstanek did you try set_time_override()?
21:32 <asettle> dolphm: why would I have to follow them all?
21:32 <dolphm> asettle: i just mean the step implies "setup shibboleth itself, and setup apache to utilize shibboleth"
21:32 <asettle> Oh deary. Okay. This is getting web-like. I see :p
21:32 <asettle> Is the wiki the best source of install information here?
21:32 <dolphm> asettle: yeah, and shibboleth is just one example
21:33 <dolphm> asettle: shibboleth's wiki?
21:33 <asettle> dolphm: yis
21:33 <asettle> So this is all for 'configuring apache to use a federation capable authentication method'
21:33 <asettle> Okay, might have to classify it as one example. Could you name some other examples I could list/
21:33 <asettle> ? *
21:34 <dolphm> asettle: it's the best documentation i've found for it
21:34 <asettle> Cool :) thank you.
21:34 <dolphm> asettle: mod_auth_mellon is the other, slightly less popular one in our world https://github.com/UNINETT/mod_auth_mellon
21:35 <asettle> Thank you :)
21:35 <asettle> Would it be fair to say 'we recommend' shibboleth?
21:35 *** tonytan4ever has joined #openstack-keystone
21:36 <asettle> dolphm: ^
21:39 <openstackgerrit> Nisha Yadav proposed openstack/python-keystoneclient: Add credential functional tests  https://review.openstack.org/348557
21:39 <nishaYadav> samueldmq, ^
21:40 <samueldmq> nishaYadav: looking
21:40 <nishaYadav> samueldmq, thanks :)
21:40 <dolphm> asettle: probably, for now? cc- dstanek
21:43 <dstanek> asettle: dolphm: i think so. that's the one most people seem to be using and familiar with
21:43 *** catintheroof has quit IRC
21:43 <dolphm> dstanek: when are we going to be able to recommend pure python?
21:43 <asettle> Cool :) cheers.
21:44 <dstanek> dolphm: would we ever do that?
21:44 <dolphm> dstanek: if it's easier to deploy and operate, why not?
21:44 *** diazjf has joined #openstack-keystone
21:45 *** pnavarro has quit IRC
21:46 *** prometheanfire has left #openstack-keystone
21:47 <asettle> Okay, dolphm and dstanek on that third point, "configure federation in keystone" ?
21:48 *** diazjf has quit IRC
21:48 <openstackgerrit> Dolph Mathews proposed openstack/keystone: Add rolling upgrade documentation  https://review.openstack.org/350793
21:49 *** spzala has quit IRC
21:49 *** diazjf has joined #openstack-keystone
21:56 <dstanek> asettle: ?
21:57 <asettle> Sorry, I'll recontext.
21:58 <asettle> Step 3: "configure federation in keystone" - configuration info for this one. It relates to the enabling federation section
21:58 *** narengan1 has quit IRC
22:00 *** diazjf has quit IRC
22:00 *** slberger has left #openstack-keystone
22:01 *** diazjf has joined #openstack-keystone
22:02 <stevemar> dolphm: did you get prometheanfire all settled?
22:06 *** edtubill has quit IRC
22:07 <asettle> lbragstad: what is this meant to mean? "What do you ean by federation?"
22:07 <asettle> Oh wait, nvm, that is obviously 'mean'
22:08 <dstanek> asettle: if you told me to use federation i would assume you are just being mean
22:08 <asettle> Hhahaha it's not that bad, be nice to old fedo
22:09 <dstanek> asettle: http://docs.openstack.org/developer/keystone/federation/federated_identity.html is almost entirely about configuring keystone federation. the extra apache bits, the new apache plugin, and some other stuff
22:09 <asettle> dstanek: yah that's where I'm basing my information from
22:09 <asettle> But I'm attempting to flesh out some of your steps to ensure that it is applicable for openstack-docs
22:10 <asettle> Hence, asking for the config info
22:12 <dstanek> asettle: i can get something together for you
22:12 <asettle> dstanek: would love it :) thank you.
22:18 *** nisha_ has joined #openstack-keystone
22:19 *** julim has joined #openstack-keystone
22:20 *** nishaYadav has quit IRC
22:21 *** ChanServ sets mode: +v henrynash
22:32 *** haplo37__ has quit IRC
22:34 *** gordc has quit IRC
22:35 *** chlong has quit IRC
22:37 *** michauds has quit IRC
22:38 *** asettle has quit IRC
22:42 *** nisha_ is now known as nishaYadav
22:44 *** code-R has quit IRC
22:44 *** code-R has joined #openstack-keystone
22:46 *** nishaYadav has quit IRC
22:52 *** diazjf has quit IRC
23:12 *** code-R has quit IRC
23:18 *** roxanaghe has quit IRC
23:30 *** roxanaghe has joined #openstack-keystone
23:31 *** roxanaghe has quit IRC
23:32 *** rkrum has joined #openstack-keystone
23:39 *** markvoelker has quit IRC
23:41 *** Gorian_ has quit IRC
23:43 *** richm has quit IRC
23:55 *** code-R has joined #openstack-keystone
23:56 *** sdake has joined #openstack-keystone
23:56 *** esp has quit IRC
23:57 *** code-R_ has joined #openstack-keystone

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!