Tuesday, 2016-09-06

*** roxanaghe has joined #openstack-keystone00:22
*** roxanaghe has quit IRC00:27
*** markvoelker has joined #openstack-keystone00:53
*** davechen has joined #openstack-keystone01:23
*** roxanaghe has joined #openstack-keystone01:38
*** roxanaghe has quit IRC01:43
*** wangqun has joined #openstack-keystone01:43
*** raddaoui has quit IRC01:43
*** raddaoui has joined #openstack-keystone01:44
*** marekd2 has joined #openstack-keystone01:47
*** marekd2 has quit IRC01:52
*** code-R has joined #openstack-keystone02:00
*** EinstCrazy has joined #openstack-keystone02:01
*** code-R_ has joined #openstack-keystone02:03
*** wangqun has quit IRC02:03
*** wangqun_ has joined #openstack-keystone02:03
*** code-R has quit IRC02:06
openstackgerritHa Van Tu proposed openstack/keystone: Correct link type  https://review.openstack.org/36581602:10
*** code-R_ has quit IRC02:17
*** agireud has quit IRC02:18
*** agireud has joined #openstack-keystone02:25
openstackgerritNguyen Phuong An proposed openstack/keystone: [api-ref] Correcting parameter's type  https://review.openstack.org/36554902:26
*** agireud has quit IRC02:30
*** annp has joined #openstack-keystone02:35
*** agireud has joined #openstack-keystone02:40
*** markvoelker has quit IRC02:53
*** chrisshattuck has joined #openstack-keystone03:07
*** roxanaghe has joined #openstack-keystone03:09
*** roxanaghe has quit IRC03:13
*** zhugaoxiao has quit IRC03:14
*** zhugaoxiao has joined #openstack-keystone03:14
hugokuoanyone knows what situation will Keystone response " HTTP Error: 429: 429 Too Many Requests" like this ?03:17
hugokuoany auth request rate limit could be configured in the keystone server ?03:18
dstanekhugokuo: i don't think keystone itself ever returns a 42903:18
stevemardstanek: hugokuo doesn't look like it: https://github.com/openstack/keystone/blob/master/keystone/exception.py03:19
hugokuok. Perpas the front end http server does it03:19
stevemarhugokuo: likely03:19
dstanekhugokuo: you may be able to tell via the server header03:19
dstanekhowdy stevemar!03:19
stevemardstanek: o/03:19
hugokuothx. I'll try to get the response headers for checking. Appreciate03:20
stevemardstanek: whats up on your end?03:21
stevemardstanek: you've been online all day, on and off03:21
dstanekstevemar: :-) i took off Friday and Tuesday as vacation days and today is a US holiday. i'm just hanging around03:22
stevemardstanek: this thursday and friday?03:22
stevemardstanek: we have the same holiday :P03:22
dstanekno, this past friday and tomorrow03:23
stevemari can't read03:24
dstanekyou may just be ready for your vacation already :-)03:25
stevemardstanek: so ready for it03:25
dstanekgot plans?03:26
stevemardstanek: survive03:26
stevemardstanek: my usual vacation plans don't really gel with a 3.5 month old :)03:26
dstaneklol, been there03:27
*** chrisshattuck has quit IRC03:48
*** sdake has joined #openstack-keystone04:05
*** marekd2 has joined #openstack-keystone04:07
*** marekd2 has quit IRC04:12
openstackgerritNguyen Phuong An proposed openstack/keystone: [api-ref] Correcting parameter's type  https://review.openstack.org/36554904:19
*** roxanaghe has joined #openstack-keystone04:25
*** sdake has quit IRC04:25
*** roxanaghe has quit IRC04:30
*** links has joined #openstack-keystone04:39
*** sdake has joined #openstack-keystone04:50
*** dikonoor has joined #openstack-keystone04:55
*** su_zhang has joined #openstack-keystone04:57
*** adriant has quit IRC04:59
*** sdake has quit IRC05:01
*** dikonoor has quit IRC05:06
*** sdake has joined #openstack-keystone05:10
*** itisha has quit IRC05:11
*** wangqun_ has quit IRC05:11
*** wangqun_ has joined #openstack-keystone05:11
*** sdake has quit IRC05:17
*** su_zhang has quit IRC05:21
*** jaosorior has joined #openstack-keystone05:21
*** su_zhang has joined #openstack-keystone05:22
*** su_zhang has quit IRC05:26
*** zzzeek has quit IRC05:30
*** EinstCrazy has quit IRC05:40
*** hoonetorg has quit IRC05:48
*** EinstCrazy has joined #openstack-keystone05:52
*** hoonetorg has joined #openstack-keystone06:12
*** roxanaghe has joined #openstack-keystone06:13
*** roxanaghe has quit IRC06:18
*** EinstCrazy has quit IRC06:21
*** EinstCrazy has joined #openstack-keystone06:23
openstackgerritCao ShuFeng proposed openstack/python-keystoneclient: Add wrapper classes for return-request-id-to-caller  https://review.openstack.org/26118806:41
openstackgerritCao ShuFeng proposed openstack/python-keystoneclient: Add return-request-id-to-caller function(v2_0)  https://review.openstack.org/26744906:41
*** pcaruana has joined #openstack-keystone06:48
*** markvoelker has joined #openstack-keystone06:54
*** markvoelker has quit IRC06:59
*** namnh has joined #openstack-keystone06:59
*** tesseract- has joined #openstack-keystone07:00
*** EinstCra_ has joined #openstack-keystone07:00
*** EinstCrazy has quit IRC07:00
*** wangqun has joined #openstack-keystone07:05
*** wangqun_ has quit IRC07:06
*** jpena|off is now known as jpena07:08
*** EinstCra_ has quit IRC07:09
*** rvba has joined #openstack-keystone07:14
*** rvba has quit IRC07:14
*** rvba has joined #openstack-keystone07:14
*** EinstCrazy has joined #openstack-keystone07:17
*** jdennis1 has joined #openstack-keystone07:24
*** chrichip has quit IRC07:25
*** jdennis has quit IRC07:25
*** joerch has joined #openstack-keystone07:32
*** daemontool has joined #openstack-keystone07:54
*** roxanaghe has joined #openstack-keystone08:01
*** roxanaghe has quit IRC08:05
*** jistr is now known as jistr|dentist08:07
openstackgerritDavanum Srinivas (dims) proposed openstack/keystone: [WIP] Testing latest u-c  https://review.openstack.org/31843508:10
*** asettle has joined #openstack-keystone08:11
*** EinstCrazy has quit IRC08:11
openstackgerritCao ShuFeng proposed openstack/python-keystoneclient: Add return-request-id-to-caller function(v2_0)  https://review.openstack.org/26744908:12
*** tsufiev_ is now known as tsufiev08:13
*** markvoelker has joined #openstack-keystone08:19
*** code-R has joined #openstack-keystone08:20
*** mvk has quit IRC08:22
*** code-R_ has joined #openstack-keystone08:22
*** markvoelker has quit IRC08:24
*** code-R has quit IRC08:25
*** EinstCrazy has joined #openstack-keystone08:27
*** EinstCrazy has quit IRC08:28
*** EinstCrazy has joined #openstack-keystone08:28
*** pnavarro has joined #openstack-keystone08:40
*** evrardjp has quit IRC08:42
*** evrardjp has joined #openstack-keystone08:42
openstackgerritNguyen Phuong An proposed openstack/keystone: [api-ref] Remove parameters unused in keystone v2  https://review.openstack.org/36594708:44
*** mvk has joined #openstack-keystone08:51
*** EinstCrazy has quit IRC08:59
*** EinstCrazy has joined #openstack-keystone09:01
*** jistr|dentist is now known as jistr09:23
*** daemontool has quit IRC09:29
openstackgerritNguyen Phuong An proposed openstack/keystone: [api-ref] Remove parameters unused in keystone v3  https://review.openstack.org/36600609:29
*** mvk has quit IRC09:38
*** sdake has joined #openstack-keystone09:45
*** roxanaghe has joined #openstack-keystone09:49
*** roxanaghe has quit IRC09:54
*** namnh has quit IRC09:54
*** annp has quit IRC09:57
*** mvk has joined #openstack-keystone09:58
*** amrith has joined #openstack-keystone10:03
amrithyowza! anybody home? stevemar topol ayoung g'morning10:04
*** asettle has quit IRC10:26
*** ntpttr has quit IRC10:30
*** ntpttr has joined #openstack-keystone10:31
*** sdake has quit IRC10:33
*** wangqun has quit IRC10:38
*** code-R_ has quit IRC10:39
*** davechen has left #openstack-keystone10:42
*** HenryG_ is now known as HenryG10:46
*** zzzeek has joined #openstack-keystone10:51
*** EinstCrazy has quit IRC10:54
samueldmqmorning keystone10:56
*** zzzeek has quit IRC10:56
*** zzzeek has joined #openstack-keystone10:57
*** marekd2 has joined #openstack-keystone11:16
*** amrith has left #openstack-keystone11:17
*** amakarov_away is now known as amakarov11:34
amakarovrderose_, hi! Do you plan to backport PCI-DSS patches?11:35
*** asettle has joined #openstack-keystone11:37
*** roxanaghe has joined #openstack-keystone11:37
rodrigodsamakarov, afaik we don't backport features11:39
amakarovrodrigods, point taken, thank you11:39
*** roxanaghe has quit IRC11:42
*** jpena is now known as jpena|lunch11:48
*** asettle has quit IRC11:52
*** code-R has joined #openstack-keystone11:54
*** asettle has joined #openstack-keystone11:58
*** code-R_ has joined #openstack-keystone11:58
*** code-R has quit IRC12:01
*** daemontool has joined #openstack-keystone12:04
*** daemontool_ has joined #openstack-keystone12:10
*** daemontool has quit IRC12:12
*** edmondsw has joined #openstack-keystone12:13
*** __zouyee has joined #openstack-keystone12:17
*** __zouyee has quit IRC12:17
*** woodster_ has joined #openstack-keystone12:26
*** clenimar has quit IRC12:26
*** clenimar has joined #openstack-keystone12:31
*** jdennis1 has quit IRC12:37
*** EinstCrazy has joined #openstack-keystone12:43
*** jpena|lunch is now known as jpena12:48
*** jaosorior has quit IRC12:48
*** jaosorior has joined #openstack-keystone12:49
*** jaosorior has quit IRC12:49
*** pcaruana has quit IRC12:50
*** jaosorior has joined #openstack-keystone12:51
*** Marcellin__ has joined #openstack-keystone12:59
*** javis has quit IRC13:02
rderose_amakarov: hi13:05
rderose_amakarov: yeah, wasn't planning to backport13:05
amakarovrderose_, thank you for update - I'm doing some paperwork right now and since I've worked on the matter I need to understand the status )13:07
rderose_amakarov: got it13:12
*** Guest36215 has quit IRC13:15
*** jpena is now known as jpena|off13:19
*** roxanaghe has joined #openstack-keystone13:25
*** ddieterly has joined #openstack-keystone13:27
*** roxanaghe has quit IRC13:30
*** jpena|off is now known as jpena13:36
*** markvoelker has joined #openstack-keystone13:36
*** woodburn has joined #openstack-keystone13:37
*** browne has joined #openstack-keystone13:57
*** javis has joined #openstack-keystone13:58
*** ashyoung has joined #openstack-keystone14:02
*** ametts has joined #openstack-keystone14:06
*** ravelar has joined #openstack-keystone14:15
stevemaramakarov: howdy14:17
amakarovstevemar, hi!14:17
stevemaramakarov: howdy14:17
*** michauds has joined #openstack-keystone14:17
openstackgerritAlexander Makarov proposed openstack/keystone: Unified delegation model  https://review.openstack.org/20848814:20
*** links has quit IRC14:21
openstackgerrithenry-nash proposed openstack/keystone-specs: Revert spec change for Microversions  https://review.openstack.org/36616314:23
*** ametts has quit IRC14:24
*** BjoernT has joined #openstack-keystone14:25
*** zigo has quit IRC14:25
*** roxanaghe has joined #openstack-keystone14:26
*** ametts has joined #openstack-keystone14:29
bretonstevemar: what is attic in keystone-specs for?14:31
*** roxanaghe has quit IRC14:31
henrynashbreton: it is where old specs go to die14:31
bretongot it, thanks14:31
stevemarbreton: when we were moving the APIs from specs.o.org to the new place14:32
*** zigo has joined #openstack-keystone14:32
stevemarbreton: i wanted to move them to a spot for people to stop updating, rather than delete, just move for now, we can delete later (or never)14:32
*** zigo is now known as Guest3914714:33
*** gagehugo_ has joined #openstack-keystone14:33
*** gagehugo has quit IRC14:33
*** gagehugo_ has quit IRC14:33
*** gagehugo has joined #openstack-keystone14:33
*** jaugustine_ is now known as jaugustine14:37
*** Guest39147 has quit IRC14:39
*** zigo_ has joined #openstack-keystone14:42
*** sdake has joined #openstack-keystone14:44
*** joerch has quit IRC14:45
*** richm has joined #openstack-keystone14:46
*** daemontool_ has quit IRC14:47
*** zigo_ has quit IRC14:47
*** daemontool has joined #openstack-keystone14:48
*** zigo_ has joined #openstack-keystone14:48
lbragstadstevemar do you know the original reason for use making all federated users a part of the Federated domain?14:50
stevemarlbragstad: they needed a domain in their token, but they didn't live anywhere14:50
*** gagehugo has quit IRC14:51
stevemarif they didn't have one, they would be living in nowheresville14:51
stevemarlbragstad: but as ayoung says, we should have made idps domains a long time ago14:52
dolphmstevemar: ++14:52
lbragstadstevemar ah - so it was simply a way to get a domain in their token since all we really cared about was what group they mapped into...14:52
ayoungand a way to not put them in the default domain14:52
stevemarlbragstad: righto14:52
lbragstadah - ha14:52
dolphmi think our original thought was that it would be a 1:1 relationship -- a domain *may* be federated, in which case it would have an IdP14:52
lbragstadstevemar and I suppose there is no was to work around that now?14:52
stevemarlbragstad: not really14:53
dolphmlbragstad: i think we should introduce a domain_id attribute to idps14:53
*** scarlisle has joined #openstack-keystone14:53
stevemarlbragstad: that's why i'm really pumped for that mapping spec we approved, where you can specify a domain in the mapping14:53
lbragstador at least until the smarter mapping tool comes along14:53
lbragstadscarlisle o/14:53
*** gagehugo has joined #openstack-keystone14:54
lbragstadstevemar do you remember if we merged that spec?14:54
stevemarlbragstad: https://review.openstack.org/#/c/324055/14:54
EmilienMstevemar: hey, I need a reminder about credential-keys14:54
stevemarlbragstad: we did not14:54
stevemarEmilienM: certainly sir14:54
lbragstadcc scarlisle ^14:54
EmilienMstevemar: I need to run the keystone credential setup on one node right?14:54
EmilienMstevemar: in a cluster environment14:55
EmilienMstevemar: and then, scp credentials on other keystone nodes?14:55
lbragstadscarlisle that spec (written by dolphm) will help you a lot once it is merged14:55
lbragstadand implemented14:55
lbragstadscarlisle you were kind of describing it earlier - it was a discussion we had in Austin14:56
dolphmlbragstad: are you going to implement it? :D14:56
stevemardolphm & lbragstad can you answer EmilienM's question about the cluster environment for credential setup?14:56
lbragstaddolphm lol you tell me :)14:56
dolphmlbragstad: i would +114:57
EmilienMor is it a problem if I run it on all keystone nodes?14:57
lbragstadEmilienM you should only run keystone-manage credential_setup on a single node and then scp your credential keys to the other nodes in the deployment (it's a very similar flow to the fernet key rotation)14:57
EmilienMlbragstad: ok I see14:57
EmilienMlbragstad: thanks14:58
lbragstadEmilienM yep14:58
ayoungdolphm, what was that you were saying about the approach to defaulting Credentials?14:58
*** diltram_ is now known as diltram14:58
lbragstadEmilienM i documented a rolling upgrade from Mitaka to Newton that migrates credentials here - https://gist.github.com/lbragstad/ddfb10f9f9048414d1f781ba006e95d1#file-migration-md14:58
dolphmayoung: defaulting credentials?14:58
ayoung"that is what the staged key handles for you"14:59
EmilienMlbragstad: thanks14:59
lbragstadEmilienM no problem14:59
ayoungdolphm, your response ^^ to my griping14:59
lbragstadscarlisle so it sounds like there currently isn't a way to have multiple domains for federation15:00
dolphmayoung: in IRC?15:00
ayoungdolphm, Twitter, actually15:00
*** ashyoung has quit IRC15:01
dolphmayoung: ah, the staged key negates the need to keep fernet repositories in a multi-node deployment exactly in sync15:01
dolphmayoung: the staged key does not have to exist everywhere at once; it just has to exist everywhere eventually15:02
*** rodrigods has quit IRC15:02
scarlislelbragstad that's what I was afraid of. Thank you very much for your help!15:02
*** rodrigods has joined #openstack-keystone15:02
*** jpena is now known as jpena|away15:03
ayoungdolphm, OK, so this does not, I think, help us out.  On Friday, the Keystone change broke Tripleo, which runs Tempest.  Tempest assumes that Credentials are encryptable, due to having a Key...I just realize that this is   not the same as the Fernet key repo, just using the same mechanism?15:03
dolphmayoung: correct15:03
lbragstadscarlisle anytime - i'll keep you posted if we end up moving forward with that spec or going with a different approach15:04
stevemarlbragstad: scarlisle oh i hope we go forward with that spec :O15:04
*** spedione|AWAY is now known as spedione15:05
ayoungdolphm, so we have to have some way to do the "eventually" with credentials, and I think that needs to be done up front.15:05
ayoungdolphm, I wrote this in haste:15:05
ayoungdolphm, that would at least keep from breaking people, and give an approach to work around forcing a key sync15:06
ayoungdolphm, I would even be OK with not making it the default, as asking people to set a config option is probabl OK at this point15:07
dolphmayoung: we had a similar discussion in code review; my opinion is that we shouldn't support insecure defaults, and we certainly shouldn't default keystone.conf to be non-production friendly. i understand the need to develop a bit of new orchestration, but it shouldn't be a huge burden. you don't need a fancy rotation strategy for this or anything15:08
dolphmayoung: literally just drop a couple keys on disk and you're done15:09
ayoungdolphm, hehehehehehehehehehe15:09
ayoungdolphm, there is LITERALY niothing simple about Tripleo15:10
*** spzala has joined #openstack-keystone15:13
dolphmayoung: does it support fernet tokens?15:13
ayoungdolphm, not yet. No key distribution and rotation15:15
*** zigo_ is now known as zigo15:20
openstackgerritBoris Bobrov proposed openstack/keystone-specs: [wip] Quota limits  https://review.openstack.org/36376515:21
openstackgerritBoris Bobrov proposed openstack/keystone: Docs for quota limits in keystone  https://review.openstack.org/36620215:22
*** spzala has quit IRC15:26
*** EinstCrazy has quit IRC15:26
*** gokrokve has joined #openstack-keystone15:27
openstackgerritRichard Avelar proposed openstack/keystone: POC sql query revoked tokens  https://review.openstack.org/35937115:31
*** spzala has joined #openstack-keystone15:35
stevemardolphm: some token formats have microsecond precision and some don't?15:36
*** tonytan4ever has joined #openstack-keystone15:38
*** tonytan_brb has joined #openstack-keystone15:39
*** pcaruana has joined #openstack-keystone15:42
*** roxanaghe has joined #openstack-keystone15:42
*** tonytan4ever has quit IRC15:42
*** sdake has quit IRC15:44
lbragstadayoung you're noop patch might need to modify the data migration for credential encryption15:47
lbragstadcc dolphm15:47
*** roxanaghe has quit IRC15:47
lbragstadayoung right now the data migration for encrypted credentials will expect a credential key repository15:48
lbragstadin order to do a proper migration from the `blob` column to the `encrypted_blob` column15:48
ayounglbragstad, that should be done, I think.15:48
lbragstadonce that is done - the noop driver won't be able to return whatever is passed into it because i think it would be returning the cipher text from the backend (assuming the database upgrade was complete15:49
*** tonytan_brb has quit IRC15:51
*** tonytan4ever has joined #openstack-keystone15:53
*** gyee has joined #openstack-keystone15:55
*** spzala has quit IRC15:57
*** adrian_otto has joined #openstack-keystone16:00
*** spzala has joined #openstack-keystone16:03
*** javis has quit IRC16:04
*** gokrokve has quit IRC16:05
*** david-lyle_ has joined #openstack-keystone16:05
*** david-lyle_ has quit IRC16:05
*** spzala has quit IRC16:08
*** daemontool has quit IRC16:21
*** daemontool has joined #openstack-keystone16:25
*** ninag has joined #openstack-keystone16:26
*** spedione is now known as chris_hultin16:26
*** tonytan_brb has joined #openstack-keystone16:29
*** daemontool has quit IRC16:29
*** SamYaple has quit IRC16:29
*** SamYaple has joined #openstack-keystone16:30
*** sto has quit IRC16:31
*** stevemar has quit IRC16:31
*** tonytan4ever has quit IRC16:32
*** NishaYadav has joined #openstack-keystone16:33
*** topol has quit IRC16:34
*** tonytan_brb is now known as tonytan4ever16:37
*** sto has joined #openstack-keystone16:38
openstackgerritLance Bragstad proposed openstack/keystone: Only cache callables in the base manager  https://review.openstack.org/36456216:42
*** roxanaghe has joined #openstack-keystone16:43
*** roxanaghe has quit IRC16:47
*** javis has joined #openstack-keystone16:51
NishaYadavsamueldmq, hey!16:56
*** chrisshattuck has joined #openstack-keystone16:57
*** sdake has joined #openstack-keystone16:57
*** asettle has quit IRC16:57
*** hogepodge has quit IRC16:58
*** hogepodge has joined #openstack-keystone17:03
*** evrardjp has quit IRC17:05
*** bradjones has quit IRC17:06
*** code-R_ has quit IRC17:07
*** Gorian has joined #openstack-keystone17:08
*** su_zhang has joined #openstack-keystone17:09
*** henrynash has quit IRC17:10
*** evrardjp has joined #openstack-keystone17:11
*** bradjones has joined #openstack-keystone17:11
*** bradjones has quit IRC17:11
*** bradjones has joined #openstack-keystone17:11
*** sdake_ has joined #openstack-keystone17:12
*** chrisshattuck has quit IRC17:12
*** chrisshattuck has joined #openstack-keystone17:14
*** sdake has quit IRC17:15
*** ddieterly is now known as ddieterly[away]17:19
*** chrisshattuck has quit IRC17:20
*** stevemar has joined #openstack-keystone17:26
*** ChanServ sets mode: +o stevemar17:26
*** michauds has quit IRC17:28
*** sdake_ has quit IRC17:28
*** sdake has joined #openstack-keystone17:29
*** su_zhang has quit IRC17:30
*** su_zhang has joined #openstack-keystone17:30
*** tqtran has joined #openstack-keystone17:31
*** tonytan4ever has quit IRC17:33
*** jaosorior has quit IRC17:36
*** LamT_ has joined #openstack-keystone17:37
openstackgerritSteve Martinelli proposed openstack/keystone-specs: clean up the spec repo for newton  https://review.openstack.org/36626817:38
*** harlowja has joined #openstack-keystone17:38
*** thiagolib has joined #openstack-keystone17:40
*** esp has joined #openstack-keystone17:41
*** richm has quit IRC17:43
*** spzala has joined #openstack-keystone17:43
openstackgerritSteve Martinelli proposed openstack/keystone-specs: prime the ocata release  https://review.openstack.org/36627017:43
*** tonytan4ever has joined #openstack-keystone17:44
*** roxanaghe has joined #openstack-keystone17:45
*** michauds has joined #openstack-keystone17:45
*** lamt has joined #openstack-keystone17:45
*** marekd2 has quit IRC17:46
*** marekd2 has joined #openstack-keystone17:46
*** sdake has quit IRC17:49
*** fangxu has joined #openstack-keystone17:53
*** fangxu has quit IRC17:54
*** marekd2 has quit IRC17:55
*** shaleh has joined #openstack-keystone17:56
*** sdake has joined #openstack-keystone17:56
*** rderose_ is now known as rderose17:56
*** spzala has quit IRC17:57
stevemarmeeting time!17:58
stevemarping for meeting ajayaa, amakarov, ayoung, breton, browne, crinkle, claudiub, davechen, david8hu, dolphm, dstanek, edmondsw, gagehugo, gyee, henrynash, hogepodge, htruta, jamielennox, jaugustine, joesavak, jorge_munoz, knikolla, lbragstad, MaxPC, morgan, nkinder, notmorgan, raildo, rodrigods, rderose, roxanaghe, samleon, samueldmq, shaleh, stevemar, tsymanczyk, topol, vivekd, wanghong, xek, nishaYadav17:58
samueldmqNishaYadav: hi18:00
NishaYadavsamueldmq, o/18:00
*** bknudson has joined #openstack-keystone18:00
*** ChanServ sets mode: +v bknudson18:00
stevemar#agenda: https://etherpad.openstack.org/p/keystone-weekly-meeting18:00
*** spzala has joined #openstack-keystone18:00
*** thiagolib has quit IRC18:00
*** thiagolib has joined #openstack-keystone18:01
*** henrynash has joined #openstack-keystone18:01
*** ChanServ sets mode: +v henrynash18:01
openstackgerritayoung proposed openstack/keystone: No Op provider for credential encryption  https://review.openstack.org/36508718:01
*** topol has joined #openstack-keystone18:01
*** ChanServ sets mode: +v topol18:01
*** spzala has quit IRC18:04
*** chrisshattuck has joined #openstack-keystone18:06
*** crinkle_ is now known as crinkle18:07
*** ddieterly[away] has quit IRC18:19
Anticimexis keystone still sort of in ownership of openstackclient?18:24
Anticimexoh meeting ongoing18:24
*** antipsychiatry has joined #openstack-keystone18:25
*** spzala has joined #openstack-keystone18:25
antipsychiatryDestroy " Israel" !!!!!!! They are antichrist !!!!!!!!!!!!!!!!!!! They are synagogue of Satan!!!!!!!!!!18:25
*** antipsychiatry has quit IRC18:27
stevemarAnticimex: nope, OSC is its own project18:27
stevemarAnticimex: check openstack-sdks18:27
Anticimexit grew up, cool18:27
Anticimexack will do18:27
*** spzala has quit IRC18:28
*** spzala has joined #openstack-keystone18:28
*** roxanagh_ has joined #openstack-keystone18:31
*** roxanagh_ has quit IRC18:35
*** chrisshattuck has quit IRC18:36
*** asettle has joined #openstack-keystone18:37
*** chrisshattuck has joined #openstack-keystone18:37
*** lamt has quit IRC18:40
*** asettle has quit IRC18:42
*** lamt has joined #openstack-keystone18:44
*** asettle has joined #openstack-keystone18:45
*** chrisshattuck has quit IRC18:46
*** asettle has quit IRC18:46
*** chrisshattuck has joined #openstack-keystone18:46
*** michauds has quit IRC18:56
*** ddieterly has joined #openstack-keystone18:58
ayoungI don't have a solution.  We canFix things in Tripleo, and point others at our fixes, but we've caused a firedrill in the other projects, and that is not the way we should do things19:00
dolphmbreton: you were asking about the null key -- the AAA...= thing is the result of: base64.urlsafe_b64encode(chr(0)* 32)19:01
shalehstevemar: hey, I just replied to your -1 on my review 365177. When you have a moment I would like to clear it up.19:01
dolphmbreton: where chr(0)*32 is a known value instead of the usual os.urandom(32) that fernet uses19:01
ayoungAnticimex, the way things work is that a feature goes into keystone server ,then keystone  client, then we enable a plugin for it in OSC19:01
Anticimexi may have overloaded stevemars history of releasing openstackclient with him also chairing keystone, or something changed19:02
Anticimexanyway, irssi room 341 (#openstack-sdks) appeared tonight in my client19:02
stevemarAnticimex: i wear many hats, OSC and keystone are 2 of them :)19:03
Anticimexi see :)19:03
bretondolphm: yep. Implementation detail-ish19:04
*** amakarov is now known as amakarov_away19:05
*** javis has quit IRC19:07
scarlisleIs anyone around who can speak to henry-nash's comments here? https://github.com/openstack/keystone/blob/b47f10290ed83415149f3d2ab6b0dc64646e578a/keystone/tests/unit/test_v3_federation.py#L2008-L202519:07
*** michauds has joined #openstack-keystone19:08
bknudsoninherited roles only apply to the projects in the domain not to the domain itself.19:08
lbragstadhenrynash ^19:11
*** pcaruana has quit IRC19:11
*** fangxu has joined #openstack-keystone19:12
scarlislebknudson If you need a user to have a role for both the projects as well as the domain, do you need to define the role assignment twice (once with inherited=true and once with inherited=false)?19:13
bknudsonscarlisle: yes, that's my understanding19:14
*** Guest78236 is now known as melwitt19:14
scarlisleInteresting. Alright, thanks for clarifying. I may have follow-up questions once I do some more poking.19:18
mfischbknudson: were you asking me before about running keystone under wsgi?19:18
stevemarmfisch: we have all sorts of questions for you19:19
bknudsonmfisch: probably related to the caching issue(s)? I think we figured it out.19:19
mfischbknudson: was wondering if you had someone else running it that way, I had a question on the config19:19
bknudsonwe figured it out for the uwsgi case, not sure what apache wsgi does.19:20
*** fangxu has quit IRC19:20
lbragstadstevemar so - what about the FFE19:20
lbragstadstevemar are we holding off on that discussion?19:20
bknudsonmfisch: we're running keystone under uwsgi.19:20
mfischbknudson: do you change the buffer-size setting in your config?19:21
bknudsonmfisch: yes.19:21
*** shaleh is now known as shaleh|away19:21
mfischbknudson: can you share your uwsgi config with me19:21
bknudsonmfisch: sure, gimme a sec19:22
* mfisch tries to remember where bknudson works19:22
mfischsomewhere cold I remember that ;)19:22
bknudsonmfisch: IBM19:22
mfischah yes they have a prescense there19:22
bknudsonmfisch: http://paste.openstack.org/show/567258/ -- there's been no tuning of any of this.19:23
*** lamt has quit IRC19:24
mfischbknudson: what made you tune buffer-size?19:24
bknudsonthe important ones are lazy-apps , and you were asking about buffer-size19:24
bknudsonwell, you're going to need it for PKI tokens, and maybe this was set when PKI tokens were all the rage19:24
*** tesseract- has quit IRC19:25
bknudsonhttp://uwsgi-docs.readthedocs.io/en/latest/ThingsToKnow.html says to adjust buffer-size19:25
bknudsonprobably set it to the max just to avoid failures due to not big enough19:25
*** pnavarro has quit IRC19:26
mfischI'm occassionally getting connection reset by peer that I thought might be relaed19:26
mfischsince I'm out of other things to tweak19:26
mfischdo you see those?19:26
bknudsonwe've seen that error in another deployment but haven't had a chance to look into it much19:27
bknudsonwould have to figure out where it's coming from since there's a few different connections involved (HAProxy -> Apache -> UWSGI)19:27
mfischits pretty rarte19:28
stevemarlbragstad: can we have that discussion in 30 minutes? :)19:28
mfischrare enough that I can't use tracing in haproxy to figure it out19:28
lbragstadstevemar sure19:28
mfischbknudson: we see it in every service running uwsgi19:28
stevemarlbragstad: it's pretty much a formality at this point, since it's umm... merged :)19:29
stevemarlbragstad: it's just whether or not we pull it out19:29
bknudsonmfisch: any way you could do some profiling to set the # connections allowed through haproxy to the different servers?19:29
bknudsonthis is something on our to-do list19:29
lbragstadstevemar right19:30
mfischbknudson: not sure what you mean?19:30
bknudsonmfisch: you can tell haproxy how many connections to allow to each backend.19:31
bknudsonto ensure that a server doesn't get overloaded19:31
*** roxanagh_ has joined #openstack-keystone19:32
mfischbknudson: I dont think its load related, it might be keep alive related19:32
bknudsonwe use uwsgi protocol to go from apache -> uwsgi19:32
mfischor it might be excessively large requests, although I can't repro it that way19:32
mfischwe're just haproxy -> uwsgi19:33
bknudsonnot sure if there's any keep-alive on that19:33
mfischbknudson: lets stay in touch about this since you see it too, I spoke briefly to jlk about it19:33
bknudsonFor devstack I had "Connection-Close" since it didn't seem to work with persistent connections at all19:34
mfischI have somethnig like that set in haproxy19:34
bknudsonthat's a backend config and not front-end?19:34
mfischyeah thats on haproxy19:36
mfischI'll look at this stuff that devstack does19:36
*** roxanagh_ has quit IRC19:36
bknudsonthere's a few options related to http-server-close: http://www.haproxy.org/download/1.4/doc/configuration.txt19:37
bknudsonit's not obvious what they all do.19:38
*** rcernin has joined #openstack-keystone19:41
*** sdake has quit IRC19:46
*** rcernin has quit IRC19:48
*** chrisshattuck has quit IRC19:51
*** LamT_ has quit IRC19:51
*** chrisshattuck has joined #openstack-keystone19:54
*** tqtran has quit IRC19:55
*** NishaYadav has quit IRC19:57
*** asettle has joined #openstack-keystone19:58
*** mvk has quit IRC20:01
*** gyee has quit IRC20:01
*** fangxu has joined #openstack-keystone20:02
*** sdake has joined #openstack-keystone20:03
dolphmayoung: if we hard code an encryption key into keystone https://etherpad.openstack.org/p/keystone-credential-encryption-null-key20:11
ayoungdolphm, disable with a config option, too?20:12
ayoungdeprecate it right out the gate?20:12
dolphmayoung: i don't *think* we would need to... by simply populating the credential repository and performing a credential migration (credential_setup + credential_migrate), the null key would never be used again20:12
dolphmayoung: but we'd always have to load it: if there are no keys on disk, then we need the null key to encrypt credentials. if there are keys on disk, then we need the null key in case any credentials are encrypted with it.20:13
*** edmondsw has quit IRC20:13
dolphmayoung: so, it would just need to be last in the list of fernet keys that we load for credentials20:14
ayoungdolphm, ah, right20:14
ayoungdolphm, so only the first is used to encrypt, but any could be useed to decryp, right?20:15
*** jpena|away is now known as jpena|off20:15
dolphmayoung: yes20:15
jlkmfisch: bknudson: you rang?20:21
SamYaplemfisch: can haproxy talk uwsgi? or are you using http mode?20:22
ayoungdolphm, you OK with this approach?20:27
openstackgerritMerged openstack/keystone: Only cache callables in the base manager  https://review.openstack.org/36456220:29
mfischSamYaple: yep20:29
dolphmayoung: it sucks that we have to support something with scary security implications for a long time (forever?), but i see the need20:29
ayoungdolphm, with a credentials rotate, we don't reencrypt the existing credentials?20:30
dolphmayoung: you call credential_rotate first, sync up the keys across all your nodes, then run credential_migrate to use the latest key20:30
bknudsonayoung: see https://gist.github.com/lbragstad/ddfb10f9f9048414d1f781ba006e95d1#encrypted-credential-key-management20:30
bknudsonapparently credential_rotate will fail if your credentials would become unusable.20:31
bknudsonso whereas I could do fernet_rotate on a non-keystone system I'd have to do credential_rotate on a keystone system??20:32
SamYaplemfisch: heh. i asked two questions. youre saying haproxy can talk uwsgi directly right?20:33
dolphmbknudson: not sure i understand what you're distinguishing20:33
SamYaplemfisch: ok thanks :)20:33
dolphmbknudson: it's part of keystone-manage, yes20:34
bknudsondolphm: fernet_rotate doesn't need access to the database20:34
dolphmbknudson: right, because we don't persist tokens20:34
bknudsonso I could install the keystone code somewhere and just run it20:34
SamYaplemfisch: im thinking about doing that for a new deploy. any tips/config things I should be aware of?20:34
*** tqtran has joined #openstack-keystone20:34
mfischSamYaple: let me finish this call im on and get back to you20:35
SamYaplemfisch: cool thanks20:35
dolphmbknudson: "somewhere" being somewhere in your deployment, with access to your current credential keys, but without access to read the database?20:35
*** akscram has quit IRC20:36
*** ddieterly is now known as ddieterly[away]20:37
bknudsondolphm: right, before if I had a system that I was using for rotating keys it didn't need access to the database20:37
*** akscram has joined #openstack-keystone20:37
dolphmbknudson: didn't need or didn't have?20:38
bknudsondolphm: I probably wouldn't have bothered setting up the system to access the db given it didn't need it.20:39
dolphmbknudson: why did you bother using keystone at all?20:39
*** javis has joined #openstack-keystone20:40
bknudsondolphm: for the service catalog and the tokens.20:40
*** ayoung has quit IRC20:41
bknudsonrole assignments, that kind of stuff20:41
dolphmbknudson: you need access to the database for the service catalog, no?20:41
bknudsonkeystone needs access to the db, but rotating the fernet keys doesn't.20:42
dolphmbknudson: okay, then i'm not sure what point you're trying to make20:42
bknudsonwhen rotating token keys I don't need access to the db whereas when rotating credential keys I need access to the db20:43
dolphmbknudson: your system has access to the database, and credential rotate uses the database to ensure that you don't shoot yourself in the foot. is there a problem, or are you just making an observation?20:43
bknudsonthat's the only point20:43
mfischSamYaple: nothing major really to report, we do set http-server-close20:43
SamYapleit does seem the way to go when the plan would just be haproxy -> apache2/nginx -> uwsgi anyway20:44
SamYaplecut out the middleman20:44
*** roxanagh_ has joined #openstack-keystone20:47
jlksadly I can't cut out the middle of apache2, due to federation.20:50
SamYaplejlk: oh right.20:50
SamYapleright :(20:50
bknudsonjlk: dstanek is working on that20:51
*** agireud has quit IRC20:52
*** roxanagh_ has quit IRC20:52
*** ddieterly[away] is now known as ddieterly20:59
*** agireud has joined #openstack-keystone20:59
*** raildo has quit IRC21:01
*** chrisshattuck has quit IRC21:01
*** sdake has quit IRC21:02
*** chris_hultin is now known as spedione|AWAY21:07
*** pauloewerton has quit IRC21:10
*** mvk has joined #openstack-keystone21:13
*** tonytan_brb has joined #openstack-keystone21:17
*** topol has quit IRC21:19
*** tonytan4ever has quit IRC21:19
*** ametts has quit IRC21:30
*** ddieterly is now known as ddieterly[away]21:30
*** ddieterly[away] is now known as ddieterly21:36
*** gagehugo has quit IRC21:38
*** adrian_otto has quit IRC21:38
*** chrisshattuck has joined #openstack-keystone21:39
*** adriant has joined #openstack-keystone21:44
*** stevemar has quit IRC21:52
*** spedione|AWAY is now known as spedione21:53
lbragstaddolphm sweet - so our plan forward is essentially just implementing the proposed solution in the etherpad21:59
*** ddieterly is now known as ddieterly[away]22:00
*** asettle has joined #openstack-keystone22:05
*** gyee has joined #openstack-keystone22:05
*** ChanServ sets mode: +v gyee22:05
dolphmlbragstad: i'd say that up to ayoung22:05
*** BjoernT has quit IRC22:05
*** asettle has quit IRC22:06
*** asettle has joined #openstack-keystone22:07
lbragstadawww - he left22:07
dolphmlbragstad: last thing he said on the topic: <ayoung> dolphm, you OK with this approach?22:08
*** swatson has joined #openstack-keystone22:08
*** swatson has left #openstack-keystone22:08
lbragstaddolphm and he was referring to the proposed solution in the etherpad?22:09
dolphmlbragstad: yes22:09
lbragstaddolphm cool22:09
lbragstadi'll get started on it22:09
dolphmlbragstad: sweet22:09
*** ddieterly[away] is now known as ddieterly22:12
*** su_zhang has quit IRC22:14
dolphmlbragstad: left a -1 on https://review.openstack.org/#/c/365087/ with an explanation of the upgrade problem22:14
*** ravelar has quit IRC22:15
*** topol has joined #openstack-keystone22:17
*** ChanServ sets mode: +v topol22:17
*** ddieterly is now known as ddieterly[away]22:17
*** ninag has quit IRC22:18
*** javis has quit IRC22:18
*** topol has quit IRC22:21
lbragstaddolphm awesome22:22
*** stevemar has joined #openstack-keystone22:24
*** ChanServ sets mode: +o stevemar22:24
*** ddieterly[away] is now known as ddieterly22:24
*** stevemar has quit IRC22:26
*** stevemar has joined #openstack-keystone22:26
*** ChanServ sets mode: +o stevemar22:26
*** ravelar has joined #openstack-keystone22:28
*** stevemar has quit IRC22:31
*** roxanagh_ has joined #openstack-keystone22:35
*** roxanagh_ has quit IRC22:40
*** michauds has quit IRC22:42
*** ddieterly has quit IRC22:43
*** asettle has quit IRC22:54
*** asettle has joined #openstack-keystone22:57
*** asettle has quit IRC22:57
*** thiagolib has quit IRC22:58
*** spzala has quit IRC23:05
*** chrisshattuck has quit IRC23:05
*** stevemar has joined #openstack-keystone23:07
*** ChanServ sets mode: +o stevemar23:07
*** asettle has joined #openstack-keystone23:09
*** ayoung has joined #openstack-keystone23:10
*** ChanServ sets mode: +v ayoung23:10
*** sdake has joined #openstack-keystone23:10
*** spedione is now known as spedione|AWAY23:13
*** adrian_otto has joined #openstack-keystone23:15
*** markvoelker has quit IRC23:19
*** ravelar has quit IRC23:19
*** fangxu has quit IRC23:20
*** javis has joined #openstack-keystone23:22
*** ravelar has joined #openstack-keystone23:30
EmilienMayoung: fyi https://review.openstack.org/#/q/topic:keystone/credentials23:30
*** bapalm has quit IRC23:35
*** fangxu has joined #openstack-keystone23:38
*** bapalm has joined #openstack-keystone23:41
*** ravelar has quit IRC23:41
*** roxanaghe has quit IRC23:52
*** ddieterly has joined #openstack-keystone23:56
*** markvoelker has joined #openstack-keystone23:57

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!