Friday, 2016-09-09

[01:16] <ayoung> dagnabit, kerberos plugin has bit rotted
[01:41] <stevemar> ayoung: no functional tests :(
[01:41] <ayoung> stevemar, hard to set them up.
[01:42] <ayoung> stevemar, but I think I was using the wrong "name" anyway
[01:42] <ayoung> nah, wait,
[01:42] <ayoung> it is v3fedkerb
[01:43] <ayoung> stevemar, OSC should not be tripping over any keystoneclient auth plugin stuff anymore, should it?
[01:44] <stevemar> ayoung: definitely not, it should use all the ksa plugins as of 3.x.y
[01:44] <ayoung> stevemar, I was seeing a deprecation warning, but buried in the debugger.  I wonder if our packaging is somehow getting the wrong version
[01:44] <ayoung> let me see what we have
[01:45] <ayoung> 2.6.0  is that right?  let's check pip
[01:47] <ayoung> python-openstackclient 3.2.0
[01:48] <ayoung> stevemar, I is confooosed
[01:48] <ayoung> why does PyPI have such a high number?
[01:48] <ayoung> git tag shows 2.6, which is what the RPM is built from
[01:53] <stevemar> ayoung: we released 3.0.0, 3.0.1, 3.1.0 and 3.2.0 since 2.6.0 :)
[01:53] <stevemar> ayoung: yell at whoever packages osc!
[01:53] <stevemar> ayoung: to be fair, we released all those 3.x.x releases in the last 2-3 weeks
[01:54] <stevemar> could just be some lag in packaging the new one
[01:54] <stevemar> ayoung: maybe install 3.2.0 in a fresh virtualenv so it doesn't conflict with what you have installed from package
[01:54] <ayoung> stevemar, we are not tagging them in git?
[01:55] <stevemar> they should be...
[01:55] <ayoung> ah...was stale
[01:55] <ayoung> ok yep, that is way out of date
<stevemar> ayoung: i'm seeing the tags here
[01:55] <ayoung> stevemar, nah, my repo was stale.
[01:55] <ayoung> thought I had synced more recently than that
[01:56] <ayoung> so 2.6.0 was June
[01:57] <ayoung> tag 3.0.0
[01:57] <ayoung> Tagger: Doug Hellmann <>
[01:57] <ayoung> Date:   Mon Aug 22 08:21:22 2016 -0400
[01:57] <ayoung> ah, so recent.  2.6 should be doing KSA too, then
[01:58] <stevemar> ayoung: nope, 2.6.0 was released, but we hadn't integrated with KSA yet
[01:58] <stevemar> ayoung: integrating with KSA was a huge PITA
[01:58] <ayoung> ah...let me see if we even have KSA in our repo
[01:58] <stevemar> that's why we actually did a 3.0.0, we know we would screw up somewhere, and we did have some minor regressions...
[01:59] <ayoung> let me try and trigger a 3 series build
<openstackgerrit> Merged openstack/python-keystoneclient: standardize release note page ordering
<openstackgerrit> JiWei proposed openstack/keystoneauth: Raise NotImplementedError instead of NotImplemented
<openstackgerrit> Qiming Teng proposed openstack/keystone: Tweak api-ref doc for projects
<ukesh> I am having query on,
[05:57] <openstack> Launchpad bug 1614069 in OpenStack Identity (keystone) "API v2.0 responds with HTTP 200 when trying to add a non-existent user to a project" [Medium,In progress] - Assigned to Ukesh (ukeshkumar)
<openstackgerrit> Qiming Teng proposed openstack/keystone: Tweak api-ref doc for services/endpoints
<openstackgerrit> Qiming Teng proposed openstack/keystone: Tweak api-ref doc for v3 users
<openstackgerrit> Merged openstack/keystone-specs: clean up the spec repo for newton
<openstackgerrit> Qiming Teng proposed openstack/keystone: Tweak api-ref for v3 groups
<openstackgerrit> Qiming Teng proposed openstack/keystone: Tweak api-ref doc for v3 roles
<openstackgerrit> JiWei proposed openstack/keystone: Fix order of arguments in assertIs
<openstackgerrit> Ha Van Tu proposed openstack/keystone: [api-ref] Refactor code for Keystone v2 - part 1
<openstackgerrit> Ha Van Tu proposed openstack/keystone: [api-ref] Refactor Keystone API reference v2 - part 1
<openstackgerrit> Antoni Segura Puimedon proposed openstack/keystoneauth: doc: remove unused import
<openstackgerrit> Alexander Makarov proposed openstack/keystone: Unified delegation model
<openstackgerrit> Alexander Makarov proposed openstack/keystone: Unified delegation assignment driver
<openstackgerrit> Alexander Makarov proposed openstack/keystone: Move dependency-related trust logic to manager
<openstackgerrit> Alexander Makarov proposed openstack/keystone: Unified delegation trust driver
<openstackgerrit> Ron De Rose proposed openstack/keystone: Fixes password created_at errors due to the server_default
<openstackgerrit> Mikhail Nikolaenko proposed openstack/keystone: [WIP] Add sql backend for fernet keys
<openstackgerrit> Ron De Rose proposed openstack/keystone: Fixes password created_at errors due to the server_default
<openstackgerrit> Ron De Rose proposed openstack/keystone: Fixes password created_at errors due to the server_default
<openstackgerrit> Mikhail Nikolaenko proposed openstack/keystone: [WIP] Add sql backend for fernet keys
[12:57] <stevemar> dstanek: i'll update the commit message in the assertIs patch
[12:58] <dstanek> stevemar: ok
<openstackgerrit> Steve Martinelli proposed openstack/keystone: Fix order of arguments in assertIs
[12:58] <stevemar> dstanek: ^
[12:59] <stevemar> dstanek: yeah, i doubt it adds much value, but i'd rather have it not in our queue
[13:00] <dstanek> stevemar: i was thinking of taking that api-doc one breaking it up and listing the original author as a co-author, but want to give a little more time
[13:00] <stevemar> dstanek: these ones: ?
[13:01] <stevemar> ugh, doubt we need that much detail for response codes
[13:01] <stevemar> i'd rather see the parameters in a table with nice definitions
[13:01] <stevemar> i also doubt many of the error codes have been verified in a long ass time
[13:02] <dstanek> stevemar: ++ i doubt it's correct.
[13:03] <dstanek> stevemar: i'd like to see a whitespace patch and a patch for each subsystem of things "fix tenant parameters in v2 api-doc" and stuff like that
[13:03] <dstanek> this stuff isn't fun to look through because of all of the time it takes to cross reference things
[13:07] <stevemar> yeah, not the easiest to compare
[13:07] <admin0> hi all .. how do I upgrade keystone few versions up ?
[13:08] <admin0> i have a keystone db on icehouse .. i want to upgrade ( only keystone ) to mitaka
[13:08] <admin0> what is the best approach to do it ?
[13:08] <stevemar> admin0: that's a rather loaded question :)
[13:08] <stevemar> admin0: you still have to upgrade one version at a time
[13:08] <admin0> my thought was ..  setup a venv , git clone and then checkout each tag and run the db_migrate
[13:08] <stevemar> at least, you have to upgrade your databases one version at a time
[13:09] <admin0> my db shows version as 55
[13:09] <admin0> select * from migrate_version;
[13:09] <admin0> keystone 55, revoke 2
[13:09] <stevemar> yeah, so you can't checkout the mitaka version, you'll get toasted
[13:10] <admin0> here is the case .. old openstack in icehouse,  new openstack = mitaka ..    want to share the auth details, so wondering if an upgraded keystone is still backward compatible with icehouse .. such that old is region1,  new is region2
[13:10] <admin0> if the upgrade works, i can then re-use this same keystone
<stevemar> admin0: there are some notes here:
[13:14] <admin0> how to find out what version my keystone is ?
[13:14] <admin0> like number 55 = icehouse type
[13:18] <admin0> for example, apt-get install keystone python-keystoneclient — if i do this now, this gets me from mitaka right .. how to get this from juno
[13:18] <admin0> i downloaded git of openstack-keystone and then did a checkout of juno-eol
[13:19] <admin0> and struggling there :)
[13:25] <ayoung> dstanek, stevemar, lbragstad what do we need to do with 'extras' in keystone auth to get them to load when they are auth plugins?
<openstackgerrit> Mikhail Nikolaenko proposed openstack/keystone: [WIP] Move fernet utils to backend
[13:26] <ayoung> I'm getting a "not found" error due to them being in a different namespace
[13:26] <dstanek> ayoung: you mean to install the packages?
[13:27] <ayoung> dstanek, no, to load the entrypoints when running OSC
[13:27] <ayoung> export OS_AUTH_TYPE=v3fedkerb
[13:27] <ayoung> leads to
[13:27] <ayoung> NoMatchingPlugin: The plugin v3fedkerb could not be found
[13:27] <dstanek> if the code is installed and on the python path it should be loaded
[13:27] <dstanek> unless you are creating your own entry points
[13:27] <dstanek> is that one of ours?
[13:29] <dstanek> admin0: do you need the older keystoneclient?
[13:33] <ayoung> dstanek, it is a standard entrypoint, but tracing through the debugger it does not get found in the stevedore code
[13:34] <ayoung> epi group show  keystoneauth1.plugin  shows it
[13:34] <ayoung> v3fedkerb               | keystoneauth1.extras.kerberos._loading          | MappedKerberos                 | keystoneauth1 2.12.1
<ayoung> dstanek, I can load it as a python class
[13:43] <ayoung> is Colleen Murphy on here?
[13:43] <ayoung> she did a bunch of auth work...
[13:49] <admin0> dstanek: older keystoneclient = for old region/existing openstack
<openstackgerrit> ayoung proposed openstack/keystoneauth: Test that fedkerb plugin loads
[13:54] <stevemar> ayoung: she'll be on later
[13:54] <stevemar> ayoung: how did you install keystoneauth?
[13:54] <stevemar> with the repo?
[13:54] <ayoung> stevemar, rpm
<lbragstad> samueldmq well - it looks like it passed my rechecks -
[13:56] <ayoung> export OS_AUTH_TYPE=v3kerberos
[13:56] <ayoung> it is similar
[13:56] <ayoung> not quite the same plugin
[13:57] <ayoung> I have requests-kerberos
[13:57] <admin0> how do I translate 'apt-get install keystone python-keystoneclient'   to   installation of keystone from git checkout keystone
[13:57] <admin0> pip install . (setup requirements ) are done
[13:58] <stevemar> ayoung: cause keystoneauth will only make plugins discoverable if you have the necessary libraries, so for saml2 auth to be discovered, you need to have lxml installed, same with v3fedkerb and requests-kerberos, and v3oauth1 and oauthlib
[13:58] <dstanek> ayoung: do you know if the python libs that are required for the auth type are installed?
[13:58] <stevemar> ayoung: that is as designed by jamielennox
[13:58] <ayoung> stevemar, I was able to load the entrypoint from the python interpreter
[13:59] <dstanek> admin0: admin0 so you want to install from source?
[13:59] <ayoung> >>> for ep in pkg_resources.iter_entry_points(group='keystoneauth1.plugin'):
[13:59] <ayoung> ...     named_objects.update({ ep.load()})
[13:59] <ayoung> print (named_objects)  shows 'v3fedkerb': <class 'keystoneauth1.extras.kerberos._loading.MappedKerberos'
[13:59] <admin0> because db is in icehouse, i want to db-migrate to mitaka
[13:59] <admin0> and then install mitaka and connect to this db and see if i can get the tokens and perform auth
[13:59] <dstanek> admin0: from icehouse directly to mitaka?
[14:00] <ayoung> admin0, python ....
[14:00] <stevemar> ayoung: you can verify you are passing in --v3fedkerb into OSC using --debug, again double check that you're using osc 3.x
[14:00] <stevemar> pre 3.x it's flakey and depends on keystoneclient-kerberos or something silly
[14:00] <ayoung> openstack --version
[14:00] <ayoung> WARNING: openstackclient.common.utils is deprecated and will be removed after Jun 2017. Please use osc_lib.utils
[14:00] <ayoung> openstack 3.2.0
[14:01] <dstanek> admin0: i think you'll have to install each version after icehouse and apply their migrations in sequence. i don't think you can jump ahead like that
[14:01] <admin0> dstanek: context .. i have one openstack region on icehouse,  new one will be in mitaka .. so checking if i can re-use the same keystone db by upgrading the db to mitaka ..  and see if it still works for the icehouse as region1 and also for mitaka as region2
[14:01] <ayoung> stevemar, I'm running pdb.  I see
[14:01] <admin0> dstanek: exactly which i was asking .. how to do step wise version migrations to save time as well
[14:01] <dstanek> admin0: no, sharing a DB won't work
[14:02] <ayoung>  print PLUGIN_NAMESPACE
[14:02] <ayoung> print name
[14:02] <ayoung> mgr = stevedore.DriverManager(namespace=PLUGIN_NAMESPACE,
[14:02] <ayoung>  90                                           name=name,
[14:02] <ayoung>  91                                           invoke_on_load=False)
[14:02] <stevemar> that's weird
[14:02] <ayoung> and when I call that I get
[14:02] <admin0> dstanek: so an upgraded keystone cannot serve older client ?
[14:02] <ayoung> No 'keystoneclient.auth.plugin' driver found, looking for 'v3fedkerb'
[14:03] <ayoung> yeah, it is a bazaar
[14:03] <dstanek> admin0: what do you mean by client? if you have one icehouse server and one mitaka server they cannot share a database
[14:04] <admin0> dstanek: then let me rephrase .. if there are 2 openstack clusters, one in icehouse and one in mitaka, can a single keystone be used for both of them,  icehouse as region1 and mitaka as region2 ?
[14:04] <dstanek> admin0: by keystone you mean client there?
[14:05] <ayoung> admin0, only if you use keystone mitaka for both
[14:05] <dstanek> admin0: i doubt it. your versions are too far apart
[14:06] <dstanek> admin0: i would expect that you'll need an older version of keystoneclient to talk to icehouse (unless you are doing just auth and then maybe?)
[14:06] <admin0> just to understand .. keystone needs to provide the api and validate tokens .. i thought those basic functions are the same .. what might have changed is the v2 and v3 .. so new ones can point to v3 and older one still to v2
[14:06] <admin0> problem is that i cannot upgrade the current environment
[14:07] <dstanek> admin0: your use of the word keystone keeps throwing me off
[14:08] <dstanek> admin0: so you have an icehouse cluster and a mitaka cluster. you also have some application that uses keystoneclient to talk to them. you want to know if the same instance of the application can talk to both right?
[14:09] <ayoung> admin0, why can't you upgrade?  Need 0 downtime?
[14:10] <ayoung> can't afford to reboot the apps?
[14:13] <admin0> i have one existing icehouse cluster — complete set .. Now we want to build a new openstack platform .. however the backend.billing.invoice are all tied to existing uuid and stuff ..  and we cannot upgrade the current openstack platform, because the old team hacked it to death  for all customizations
[14:14] <admin0> so i am trying to check if i can upgrade just keystone to mitaka in a new copy of database and server, so that for the new cluster, i will use this as the keystone database ( as region2 — so that all apis are different) and also hope that it works from the existing cluster — given there are no db/field changes
[14:15] <dstanek> admin0: no db/field changes between icehouse and mitaka?
[14:16] <admin0> no clue .. that is what i am trying to find out
[14:16] <admin0> and here, because you guys know this best
[14:16] <dstanek> admin0: there are tons
[14:17] <dstanek> in the last cycle alone the way the user records are handled were split from 1 table into (i think) 4
[14:17] <admin0> then in another question, can neutron, nova etc (on icehouse release ) point to and still work with a single keystone that is on mitaka ?
[14:18] <dstanek> admin0: i suspect yes, but i don't know. if they are just doing auth/token validation i think it would be OK as long as you are not using new token formats
[14:19] <dstanek> admin0: someone else here may know a more detailed answer
[14:19] <admin0> the current is on icehouse with 4 patches from juno — token_reuse, tenant_name_to_id and otp
[14:20] <samueldmq> lbragstad: that's odd
[14:20] <admin0> apart from user/pass i do not think we are using it for anything fancy
[14:20] <lbragstad> samueldmq ++
[14:20] <dstanek> admin0: also i don't think you can upgrade directly from icehouse to mitaka.
[14:20] <lbragstad> samueldmq so we definitely have a race condition
[14:20] <samueldmq> lbragstad: I just left another recheck
[14:20] <samueldmq> lbragstad: let's retest a few times
[14:20] <lbragstad> samueldmq i'm standing up a devstack
[14:20] <admin0> dstanek:  i am not trying to upgrade directly
[14:20] <dstanek> i've heard of people having issues why they skipped releases
[14:20] <admin0> i am trying to upgrade  step by step
[14:20] <dstanek> admin0: k
[14:20] <admin0> and asking for the best /quick way to do that
[14:20] <lbragstad> samueldmq i hope i can recreate it locally
[14:20] <nicolasbock> I am running mitaka, keystone identity with domain_specific_drivers enabled.
[14:20] <nicolasbock> I created a new domain called 'ldap'
[14:21] <samueldmq> lbragstad: cool, hopefully
[14:21] <nicolasbock> copied all LDAP relevant settings into keystone.ldap.conf
[14:21] <nicolasbock> what I can't figure out is how to do anything with the ldap domain
[14:21] <admin0> from setup, i did python  install  and it installed inside the virtualenv
[14:21] <admin0> now need to run db_migrate i guess
[14:21] <nicolasbock> how do I run 'openstack user list' on that domain?
[14:21] <admin0> and then do the same for each version
[14:23] <nicolasbock> If I run 'openstack --os-user-domain-name ldap --os-username $USER --os-password $PASS user list' I get 'The request you have made requires authentication.'
[14:23] <nicolasbock> I am sure though that the username/password combo is correct
[14:24] <nicolasbock> what am I missing?
[14:27] <admin0> from inside the virtualenv, i did python install .. created the keystone.conf and logging.conf ..when i run the db_sync says ImportError: No module named openstack
[14:30] <stevemar> nicolasbock: you're not providing a project to authenticate with
[14:30] <nicolasbock> stevemar, you mean I need a user that lives in LDAP and is associated to a project?
<stevemar> nicolasbock: i've blogged about domain specific drivers, others have found it useful, want to take a look?
[14:31] <nicolasbock> stevemar, thanks for the link!
[14:31] <stevemar> nicolasbock: the os-* variables are for authentication
[14:31] <stevemar> nicolasbock: take a look and read, i'll be here to answer questions for a few hours ;)
[14:32] <nicolasbock> stevemar, thanks, I will!
[14:32] * nicolasbock goes reading...
<stevemar> dstanek: if you're around;
[14:35] <admin0> ImportError: No module named openstack -guys , know what i need to install that is beyond pip ?
<openstackgerrit> Ron De Rose proposed openstack/keystone: Fixes password created_at errors due to the server_default
[14:35] <stevemar> admin0: i think that comes from the sdk, what did you do in order to invoke that? :)
[14:38] <dstanek> stevemar: yep, i'm around. just tracing through upgrade code
[14:39] <dstanek> stevemar: tsk, tsk. an extra newline :-P
[14:41] <stevemar> dstanek: :)
[14:41] <stevemar> rderose: one day you'll have to teach me the secret to creating as many patch sets as you do
[14:41] <stevemar> rderose: you must like typing --amend a lot
[14:42] <dstanek> rderose: one amend per character changed?
<openstackgerrit> Merged openstack/keystone-specs: prime the ocata release
[14:47] <nicolasbock> stevemar, that's an awesome post!
[14:47] <nicolasbock> stevemar, ok, so I got things almost working
[14:48] <ayoung> stevemar, it gets more fun.  I get different values from pkg_resources.iter_entry_points(group=PLUGIN_NAMESPACE)  in the debugger than when I run it in the python command line
[14:48] <nicolasbock> stevemar, what's not working right now is doing anything as an LDAP user
[14:48] <stevemar> nicolasbock: ah
[14:48] <stevemar> nicolasbock: does an ldap user (via a group or individual assignment) have a role on a project?
[14:49] <stevemar> and is using that project to auth?
[14:49] <nicolasbock> stevemar, well, now that's a good question
[14:49] <nicolasbock> stevemar, I created a project as you advised in your post
[14:50] <nicolasbock> stevemar, and exported the OS_PROJECT_DOMAIN_NAME appropriately
[14:51] <nicolasbock> stevemar, is it important that LDAP provides group information on a user?
[14:51] <nicolasbock> stevemar, we don't have that in our LDAP
[15:11] <nicolasbock> stevemar, I got it to work~
[15:12] <nicolasbock> stevemar, the missing piece was the role assignment
[15:12] <nicolasbock> stevemar, I had to do that manually. Presumably, groups in LDAP would make that step unnecessary, right?
[15:13] <mfisch> does Keystone itself use authtoken middleware?
[15:20] <ayoung> mfisch, maybe now it does?
[15:20] <ayoung> mfisch, we were headed that way, but not sure the state
[15:21] <stevemar> mfisch: it does now, yes
[15:21] <stevemar> nicolasbock: not entirely, keystone knows about the ldap groups, but the role you can assign to the group (and on what project) could vary greatly, so it's not something we can assume
[15:22] <nicolasbock> stevemar, is there a way then to default assign an LDAP user to a project?
[15:22] <nicolasbock> stevemar, or do I have to add each individual one by hand?
[15:23] <stevemar> nicolasbock: you can give a group a role assignment and all the users in that group will get that relationship automagically
[15:24] <nicolasbock> stevemar, but in my situation this would only work if LDAP knew about groups, right?
[15:24] <stevemar> nicolasbock: righto
[15:24] <stevemar> nicolasbock: i assumed you had a setup where all users were part of a group "employees" or something
[15:24] <nicolasbock> stevemar, oh, wait, maybe you are right
[15:24] <stevemar> i think typically there exists such a group in most ldaps
[15:24] <nicolasbock> stevemar, let me check that
[15:25] * nicolasbock wrestles with LDAP...
[15:26] <stevemar> nicolasbock: give that ldap a full nelson
[15:26] <nicolasbock> nicolasbock, :) at least!
[15:27] <breton> mfisch: it partially does
[15:32] <samueldmq> lbragstad: jenkins keeps passing
[15:32] <samueldmq> lbragstad: just left another recheck
[15:33] <lbragstad> i'm still fighting with devstack
[15:37] <rderose> stevemar: haha I know
[15:48] * lbragstad gives up and drop kicks his current devstack box
[15:53] -openstackstatus- NOTICE: New setuptools release appears to have a circular import which is breaking many jobs - check for ImportError: cannot import name monkey.
[15:57] <ayoung> print self.namespace | LOG.debug('found extension %r', ep)
[16:01] <lbragstad> huh - yep... i *just* hit that ^
<ayoung> stevemar, lookie here
[16:01] <lbragstad> samueldmq i can reproduce locally
[16:01] <ayoung> keystoneclient.auth.plugin  not
[16:01] <stevemar> lbragstad: why u do dis
[16:01] <lbragstad> stevemar do what?
[16:02] <stevemar> lbragstad: dropkick stuff
[16:02] <lbragstad> stevemar because it fixed the problem :)
[16:02] <stevemar> ayoung: for some reason you are loading the keystoneclient plugins :P
[16:02] <ayoung> stevemar, that reason is that is what we still tell keystoneclient to search for
[16:02] <ayoung> see my link?
[16:07] <lbragstad> samueldmq ugh...
[16:07] <lbragstad> samueldmq so i can recreate, but only when there aren't many revocation events in the revocation table
[16:08] <lbragstad> samueldmq if the revocation event table has more than like 500 rows in it, the test will pass....
[16:09] <lbragstad> samueldmq so something about how long it takes to get the list of revocation events is playing into this somehow
*** chrisshattuck has joined #openstack-keystone16:11
samueldmqlbragstad: lol16:15
samueldmqlbragstad: what is that then?16:15
samueldmqlbragstad: hmm, yes16:15
samueldmqlbragstad: but the test sleeps for 1 second16:15
lbragstadsamueldmq yep16:15
samueldmqlbragstad: and I don't assume it's taking more than a few ms to get the table16:15
lbragstadsamueldmq this is blowing my mind...16:15
samueldmqlbragstad: even if it's more than 500 items16:15
lbragstadi don't really understand how this is possible16:16
samueldmqlbragstad: yeah, can you try to reproduce it again? and see if the same pattern applies (500+ items in the revoke table)16:18
samueldmqlbragstad: that doesn't really make sense16:18
samueldmqlbragstad: should be worth it to try to reproduce with other token format too16:19
samueldmqbecause it doesn't make sense to be a fernet only thing16:19
lbragstadsamueldmq the only thing that should be different between the two formats is the subsecond thing16:20
samueldmqlbragstad: yeah but doesn't make sense to me as the test has a sleep in it16:20
*** lmiccini has quit IRC16:21
lbragstadsamueldmq right16:21
*** spzala has quit IRC16:21
lbragstadi don't get that either16:21
ayoungstevemar, I think we have been running KSC with the keystoneclient auth plugs, not the keystoneauth plugins16:21
*** spzala has joined #openstack-keystone16:22
stevemarayoung: ohhh16:22
stevemaryou've been using ksc for all this16:22
*** jistr|biab is now known as jistr16:25
*** sdake has quit IRC16:28
*** su_zhang has quit IRC16:29
*** su_zhang has joined #openstack-keystone16:30
*** su_zhang_ has joined #openstack-keystone16:32
*** chrisshattuck has quit IRC16:32
*** su_zhang has quit IRC16:32
*** raildo has joined #openstack-keystone16:35
*** su_zhang_ has quit IRC16:37
*** su_zhang has joined #openstack-keystone16:38
*** su_zhang has quit IRC16:42
ayoungstevemar, what is our plan for the plugins inside of keystoneclient?  Right now there is a slew of tests that assume they load via entrypoints etc16:43
ayoungif we yank them, we are going to break some people16:44
ayoungand we need to change this, or KSC will not be using KSA plugins16:44
*** chrisshattuck has joined #openstack-keystone16:44
*** lmiccini has joined #openstack-keystone16:47
stevemarayoung: make them call the ksa ones16:48
ayoungstevemar, so we have at least one missing16:48
stevemarwhats that?16:48
*** Michaellaneous has joined #openstack-keystone16:49
ayoungv3unscopedsaml = keystoneclient.contrib.auth.v3.saml2:Saml2UnscopedToken16:49
ayoungno entrypoint for that16:49
MichaellaneousGot an LDAP question. When I used groupOfUniqueNames Openstack could list my groups16:49
MichaellaneousBut I switched to groupOfNames16:49
MichaellaneousAnd suddenly none are displayed.16:49
MichaellaneousAny idea why?16:49
ayoungMichaellaneous, try using ldapsearch16:50
browneMichaellaneous: depends on the schema of your ldap server16:50
ayoungwhen you turn on ldap debugging in the keystone server, it spits out the ldap filters it uses.  Try those, see what your server gives you16:50
stevemarayoung: yeah, hmm, in keystoneauth jamie set it up to automatically get scope16:50
brownei also use Apache Directory Studio as a nice ldap browser16:50
Michaellaneoushow can I turn ldap debugging on?16:51
MichaellaneousOh debug_level16:52
ayoungstevemar, so if someone is using the old entrypoint, it will get an error if we change it.  We could set that entrypoint in KSA to be an existing plugin16:53
*** markd_ has quit IRC16:53
*** ChanServ changes topic to "Newton Deadlines: | Meeting Agenda"16:56
-openstackstatus- NOTICE: setuptools 27.1.2 addresses the circular import16:56
Michaellaneousdoesn't matter, it works16:57
MichaellaneousHad to restart apache216:57
MichaellaneousI forgot keystone is not the right server to restart16:57
MichaellaneousQuick question, how can I list members of a group?16:57
raildoMichaellaneous,  openstack user list --group <group_id>16:59
MichaellaneousI dont get it16:59
ayoungMichaellaneous, v3 api only17:00
Michaellaneousi mean i cant list users of a group17:00
Michaellaneousbut the other way it works17:00
ayoungMichaellaneous, v3 Keystone API for all group options17:00
ayoungotherwise, maybe old KSC?17:00
Michaellaneousnah I think it's an LDAP problem17:01
*** rodrigods has quit IRC17:03
*** rodrigods has joined #openstack-keystone17:03
*** tqtran has joined #openstack-keystone17:05
*** markd_ has joined #openstack-keystone17:05
mfischI think there's a bug or bad assumption in puppet-keystone17:08
mfischthe bootstrap command is resetting the admin password17:09
mfischwhen admin_password != admin_token17:09
stevemarbrowne: did you end up backporting that memcache fix?17:09
mfischdang it sorry guys17:09
mfischwrong room17:09
stevemarmfisch: :]17:09
stevemarmfisch: it's all good, you reminded me about the cache backport17:09
brownestevemar: i started a cherry-pick, but there are issues since it requires dogpile.cache 0.6.217:10
brownemitaka upper-constraints is currently at 0.5.817:10
stevemarbrowne: hmm, i thought breton had an idea on how to get around that17:11
*** jpena is now known as jpena|off17:11
stevemarmonkeypatching something17:11
*** ddieterly is now known as ddieterly[away]17:11
*** Michaellaneous has quit IRC17:12
mfischstevemar: can you join #puppet-openstack and weigh in on something17:12
stevemarmfisch: sure17:13
*** tonytan4ever has quit IRC17:16
lbragstadsamueldmq so - this is weird17:18
lbragstadhere is what i've done to keystone17:18
lbragstadwhich is just adding some logging17:18
lbragstadsamueldmq make sense?17:18
lbragstadsamueldmq here is what i've done to tempest -
lbragstadsamueldmq here is the tempest failure - which makes sense -
lbragstadsamueldmq but the token isn't even seen by keystone?!
*** su_zhang has joined #openstack-keystone17:24
*** Michaellaneous has joined #openstack-keystone17:25
*** fangxu has joined #openstack-keystone17:29
*** amakarov is now known as amakarov_away17:30
samueldmqlbragstad: that's odd17:32
samueldmqlbragstad: where is the keystone log ? should be in /var/log/apache2/ right?17:32
dstaneksamueldmq: yep17:32
samueldmqthat should at least be logged, we're missing something in there17:32
lbragstadsamueldmq yep - /var/log/apache2/keystone.log17:32
lbragstadwhen the test is successful the token is actually logged by my print statements17:33
dstanekbrowne: stevemar: yes, if nobody else been able to do it i can work on it this weekend17:33
stevemardstanek: ha, i was actually just gonna ask you to take a look at the auth plugin loader has you written all over it ;)17:34
dstanekstevemar: sure17:34
brownedstanek: thanks, that would help.  you can take over my cherry-pick if you like17:34
stevemarthis one should be quicker than the cache beast17:34
lbragstadsamueldmq added some more stuff to tempest -
samueldmqlbragstad: in that case there is something else wrong17:35
samueldmqlbragstad: as we're not seeing the keystone logs at all17:35
lbragstadsamueldmq tempest doesn't look like its sending a request to keystone17:35
samueldmqlbragstad: and the test fails after that ^17:36
*** tonytan4ever has joined #openstack-keystone17:37
lbragstadsamueldmq thats what tempest is logging when the test fails17:37
lbragstadsamueldmq there is no request to /auth/tokens17:37
samueldmqlbragstad: so it either is not logging that call, or isn't calling at all17:37
samueldmqlbragstad: can you try the whole module : ./ tempest.api.identity.admin.v3.test_users.UsersV3TestJSON17:38
*** tonytan_brb has joined #openstack-keystone17:38
openstackgerritRichard Avelar proposed openstack/keystone: POC sql query revoked tokens
lbragstadsamueldmq successful run -
lbragstadwith logs17:40
*** admin0 has joined #openstack-keystone17:40
samueldmqlbragstad: and this time it called /users/<id>/password17:41
lbragstadlogging of a failed run -
samueldmqlbragstad: and it called v3/users/ac48b78cda32450ba143011b718dddf6/password17:42
*** tonytan4ever has quit IRC17:42
*** pnavarro has joined #openstack-keystone17:42
openstackgerritRichard Avelar proposed openstack/keystone: POC sql query revoked tokens
*** gyee has joined #openstack-keystone17:43
lbragstadsamueldmq weird... i think it's failing to validate the admin token17:44
lbragstadcheckout the captured standard output of
lbragstadx auth token = gAAAAABX0vNu6_AXGaXY-FZIGCDd_5o3vEh4xb5HG07HRdjPeSf069HSGrC7DJ_zqdMUxGh_y1yO7waauGxsHQ3cnePvwoPmduKLfnhdw95GjAIo5qYQU3evOznwuIWjPKZmxfdlfpbWUWAwvmVBbcsJGfABKSzIxA17:44
lbragstadthe new subject token is = gAAAAABX0vNv1lHx2Y0yLl7SXXHjmar61Gf3pgZiKRmCiQzwwM0smwtE89Rf5D2Mo3xrng2cyVdt96Rfg4SiZOPq8XTo4Z_fHjbN92dNW997MOCXPkpod9Q5j-jYmq1gZVPv2SJf6WhV3msVleEBdPWWnvYCQs8vNw17:44
samueldmqlbragstad: yeah the token looks to be correct17:56
samueldmqlbragstad: the same x-auth is used all the time17:56
lbragstadsamueldmq yeah17:56
lbragstadnew ones with the request times logged17:56
samueldmqlbragstad: even after to delete the test user17:56
lbragstadsuccess -
* lbragstad failure -
*** pnavarro has quit IRC18:00
*** chrisshattuck has quit IRC18:05
samueldmqlbragstad: keystone doesn't stdout anything when it fails18:05
lbragstadsamueldmq right - it's like it doesn't even see token18:06
samueldmqlbragstad: or does it ?18:06
lbragstadsamueldmq this is what i've added to keystone18:06
lbragstadsamueldmq when the test is successful - I can see the token in keystone's logs18:06
lbragstadwhich means keystone is getting it and actually validating it properly - meaning it compares it and it is revoked18:07
samueldmqlbragstad: but when it fails you can't even see the "checking ,, at "18:07
lbragstadfor example18:07
lbragstadin this failure18:07
lbragstadgAAAAABX0vdIJ4ND-r2WDnQtHc9EZodeYn12B6ecABg-EPQKvfUd82vFEPPIJzZdkpGu41lYAZrmKbPm9X7qyZbhyx3qvAa2P5YgKnb4R7wTNjD-DKLMt0ZT3wALZRtDJ_KVHxDuAogPg_4Oyg3DpymF5GS5XQ5J9w should be revoked18:07
lbragstadsamueldmq agree?18:07
samueldmqlbragstad: why?18:08
lbragstadsamueldmq  oh wait - it should be valid18:08
lbragstadsince it was obtained after the password was changed18:08
samueldmqthe issue is that it's getting 404 when it shouldn't18:09
lbragstadbut - if i check keystone for that token18:09
lbragstador the logs - it doesn't even see it18:10
lbragstad grep -R "4Oyg3DpymF5GS5XQ5J9w" /var/log/apache2/keystone.log18:10
lbragstaddoesn't return anything18:10
lbragstadbut - let's look at a successful run18:10
lbragstadsamueldmq for example -
lbragstadsamueldmq gAAAAABX0vc6WLGDxQ0uNL2DvnGKHWgCuJU10wlMNtwgwbHcyjCc7HJ9MxF2Hemmpz_PVQZnrTibyBdzfB9uX4ZB2lMCNGdQ-D0qnqGYAmc12FXn3brhoLjj-1iWfaVbXgRQGHpQcpZe1gq1vLGbPg018gGt8K8_1w is the token to be validated after the password change18:11
lbragstadsamueldmq and this is what keystone sees -
lbragstadsamueldmq strange - right?18:15
lbragstadsamueldmq it's like the failure cases  the token isn't even reaching the token_provider api18:16
samueldmqbut it's reaching keystone18:16
samueldmqright ?18:16
lbragstadsamueldmq in the failure cases?18:16
lbragstadwhere we get a 404?18:16
samueldmqlbragstad: the token is considered invalid18:18
samueldmqlbragstad: so keystone returns 40418:18
lbragstadsamueldmq i'd believe that if it was actually being validated18:18
samueldmqlbragstad: that's what the test sees, I am trying to see if keystone receives the request in the case of a failure18:18
lbragstadsamueldmq it's not even entering the validation methods18:18
samueldmqlbragstad: entering validate_v3_token18:19
samueldmqlbragstad: leaving validate_v3_token18:19
lbragstadsamueldmq yes - but that's when the test passes18:19
*** admin0 has quit IRC18:19
lbragstadsamueldmq when the test fails with a 404 (expecting a 200) those statements don't even exist in the logs18:20
samueldmqlbragstad: and the token in the subject-token18:20
samueldmqlbragstad: doesn't show up in the logs18:21
lbragstadsamueldmq right18:21
lbragstadsamueldmq in here we should be validating gAAAAABX0vdIJ4ND-r2WDnQtHc9EZodeYn12B6ecABg-EPQKvfUd82vFEPPIJzZdkpGu41lYAZrmKbPm9X7qyZbhyx3qvAa2P5YgKnb4R7wTNjD-DKLMt0ZT3wALZRtDJ_KVHxDuAogPg_4Oyg3DpymF5GS5XQ5J9w18:22
lbragstadbut we don't18:22
lbragstadthat token *never* enters validate_v3_token()18:22
samueldmqlbragstad: can you put a print in the router entry ? and controller?18:22
samueldmqlbragstad: just to make sure the request never hits keystone18:23
lbragstadsamueldmq where is the first entry point in keystone?18:23
samueldmqlbragstad: perhaps
samueldmqlbragstad: I think that __call__ is also called18:27
samueldmqfor any request18:27
lbragstadsamueldmq ah - yeah18:27
*** su_zhang has quit IRC18:28
samueldmqlbragstad: if that never hits keystone, it will be an error with the test18:28
lbragstadsamueldmq success -
openstackgerritMerged openstack/keystone: Updated from global requirements
lbragstadsamueldmq failure -
*** slberger has quit IRC18:30
*** slberger1 has joined #openstack-keystone18:30
samueldmqlbragstad: and what keystone logs say18:30
*** su_zhang has joined #openstack-keystone18:31
lbragstadsamueldmq ah - rerunning18:31
*** chrisshattuck has joined #openstack-keystone18:35
*** jed56 has quit IRC18:35
bretonstevemar: browne: i will heavily work on that next week. Sorry, this week i had to work on other things.18:35
*** BjoernT has quit IRC18:36
brownebreton:  np thanks!18:36
lbragstadsamueldmq weird18:37
lbragstadsamueldmq here another one -
lbragstad^ that's a failure18:37
lbragstadand it is logged in keystone.log
lbragstadbut it never makes it to the validate methods...18:38
samueldmqoh wow18:38
samueldmqthat's odd!18:38
lbragstadso - i guess it's time to trace what happens between keystone.common.wsgi and keystone.auth.controller18:39
samueldmqlbragstad: ++18:39
samueldmqlbragstad: narrow it down18:39
samueldmqlbragstad: and see where it disappears18:39
samueldmqlbragstad: and we will be able to find out what's going on18:39
*** Guest_95843 has joined #openstack-keystone18:40
lbragstadsamueldmq fyi - method: <bound method Auth.validate_token of <keystone.auth.controllers.Auth object at 0x7fde8bc47990>>18:42
lbragstadso it is getting routed properly - but it never makes it there18:42
*** Guest_95843 has left #openstack-keystone18:43
samueldmqlbragstad: odd and why happens only for passwd reset?18:43
lbragstadsamueldmq apparently18:45
lbragstadsamueldmq that i know of so far18:45
samueldmqwhat does it say before and after calling method(kwargs...) there in the app code18:47
lbragstadI bet it's in the controller.protected() code18:48
samueldmqlbragstad: hmm so you might be right18:49
samueldmqlbragstad: the x-auth-token is the one invalid18:49
samueldmqlbragstad: ++18:49
lbragstadthat's the only thing in between keystone.common.wsgi and keystone.auth.controller18:50
*** Michaellaneous has quit IRC18:50
*** chrisshattuck has quit IRC18:51
samueldmqlbragstad: ++18:52
samueldmqit's pretty likely to be that18:52
lbragstadsamueldmq fresh failure with more logging - test output and logs
openstackgerritMerged openstack/keystone: Use freezegun for change password tests
*** su_zhang has quit IRC18:56
*** ddieterly[away] is now known as ddieterly18:57
*** gagehugo has joined #openstack-keystone18:58
*** chrisshattuck has joined #openstack-keystone18:58
*** admin0 has joined #openstack-keystone18:59
ayoungstevemar, bknudson  this is probably a jamielennox question, but, why does the KSC Password plugin have a class level get_options but the KSA one does not? Did we change a pattern?  This is one thing breaking the tests moving KSC to use the KSA plugins19:00
*** chrissha_ has joined #openstack-keystone19:02
samueldmqlbragstad: if the x-auth-token is invalid, it should return 401 I think, not 40419:02
samueldmqlbragstad: can you dig in the protected wrapper?19:02
*** chrisshattuck has quit IRC19:03
*** chrisshattuck has joined #openstack-keystone19:04
*** chrissha_ has quit IRC19:04
stevemarbreton: it's all good :]19:07
lbragstadsamueldmq for some reason the admin user that changes the password has a revocation event19:10
lbragstadthat matches when it goes to validate the user's new token19:10
nicolasbockOMG, LDAP is a tough one...19:14
nicolasbockI can't get groups to map to LDAP19:14
samueldmqlbragstad: kk, gotta figure out why19:14
nicolasbock'openstack group list --domain ldap' is not returning anything19:14
nicolasbockand I can't see anything obviously wrong in the logs19:15
lbragstadsamueldmq adding more debugging19:15
nicolasbockthe base DN and the filter string look good (as far as I can tell)19:15
nicolasbockand when I run 'ldapsearch' manually I get a whole list of records19:15
nicolasbockAnyone any suggestions how I could debug this?19:16
samueldmqlbragstad: nice19:16
*** spzala has quit IRC19:17
*** lmiccini has quit IRC19:22
samueldmqlbragstad: it'd be nice if stored the origin of a revocation19:22
*** ddieterly is now known as ddieterly[away]19:24
*** lamt has joined #openstack-keystone19:26
openstackgerritayoung proposed openstack/python-keystoneclient: Use KeystoneAuth1 Plugins
*** chrissha_ has joined #openstack-keystone19:27
*** chrisshattuck has quit IRC19:29
*** ddieterly[away] is now known as ddieterly19:29
*** roxanagh_ has quit IRC19:31
*** sdake has joined #openstack-keystone19:38
stevemarnicolasbock: you can enable debug logging in keystone and see what keystone is actually running when you do the command19:41
nicolasbockI did19:41
stevemarit'll spit out some ldapsearch19:41
nicolasbockstevemar, and using that ldapsearch I get lots of items from ldap19:42
nicolasbockI tried to trace back where things go wrong19:42
*** sdake has quit IRC19:42
nicolasbockbut at some point I can't find where a `search_s` call goes19:42
*** BjoernT has joined #openstack-keystone19:43
*** admin0 has quit IRC19:43
nicolasbockstevemar, looking at the code, I don't understand why the call is not returning.19:44
*** sdake has joined #openstack-keystone19:44
nicolasbockstevemar, I am using my old school debugging tricks and peppered the code with LOG.debug() calls :)19:44
nicolasbockstevemar, but for some reason I can't trace where the call is going.19:45
nicolasbockstevemar, last known position: /usr/lib/python2.7/site-packages/keystone/common/ldap/
nicolasbockstevemar, then, next line: LDAP unbind unbind_s /usr/lib/python2.7/site-packages/keystone/common/ldap/
nicolasbockVery odd19:45
nicolasbockLDAP search: base=ou=accounts,cn=suse,cn=de scope=2 filterstr=(&(objectClass=account)(gidNumber=*)) attrs=['', 'gidNumber', 'ou'] attrsonly=0 search_s /usr/lib/python2.7/site-packages/keystone/common/ldap/
nicolasbockis the search it's performing19:46
nicolasbockldapsearch -x  -b ou=accounts,dc=suse,dc=de -h "(objectClass=account)"19:47
nicolasbockreturns a ton of stuff19:47
*** admin0 has joined #openstack-keystone19:48
*** jaugustine_ has joined #openstack-keystone19:50
*** chrissha_ has quit IRC19:50
*** jaugustine has quit IRC19:50
*** jaugustine_ is now known as jaugustine19:50
*** jaugustine_ has joined #openstack-keystone19:52
*** chrisshattuck has joined #openstack-keystone19:54
*** fangxu has quit IRC19:54
*** ddieterly is now known as ddieterly[away]19:54
*** chrisshattuck has quit IRC19:57
*** chrisshattuck has joined #openstack-keystone19:58
*** slberger1 has quit IRC20:00
*** chrisshattuck has quit IRC20:00
*** chrisshattuck has joined #openstack-keystone20:01
*** gyee has quit IRC20:02
lbragstadsamueldmq i think i figured it out...20:03
*** slberger has joined #openstack-keystone20:06
*** michauds has quit IRC20:08
*** chrisshattuck has quit IRC20:08
lbragstadsamueldmq for some reason mysql is rounding up when storing the revocation event here -
*** chrisshattuck has joined #openstack-keystone20:12
openstackgerritGage Hugo proposed openstack/keystone: doctor check for domain specific configs
*** jlopezgu has joined #openstack-keystone20:16
jlopezguhi o/20:16
jlopezguexcuse me one question, when is the keystone.conf file created?20:17
jlopezguthat is created by the, right?20:17
stevemarjlopezgu: nope20:17
dstanekjlopezgu: most likely at installation by whatever you use to install20:17
dstanekjlopezgu: i don't even know what that is :-)20:17
samueldmqlbragstad: looking20:17
stevemarjlopezgu: you can auto create the .conf file yourself using $ tox -e genconfig  (you have to pull down the source)20:18
*** tonytan_brb has quit IRC20:18
*** ddieterly[away] is now known as ddieterly20:18
stevemarjlopezgu: orrrr more likely, whatever package you installed, created it for you20:18
dstanekstevemar: ++20:18
dstanekjlopezgu: how did you install keystone?20:18
stevemarnicolasbock: i'm actually wrapping up for the week, i can help you out on monday again with ldap20:19
jlopezgudstanek: in devstack and ./stack.sh20:19
stevemarthere's been a bunch of ldap questions these days20:19
nicolasbockstevemar, no problem, you already helped me out a lot today!20:19
nicolasbockstevemar, have a nice weekend!20:19
stevemarnicolasbock: you too!20:19
samueldmqlbragstad: what's going on there?20:19
lbragstadsamueldmq i'm pretty sure it's a rounding issue20:20
jlopezgudstanek: I'm working in an horizon's feature. I updated my code and I got updated a feature that I need for the feature but the keystone.conf was not updated20:20
lbragstadsamueldmq when the password is changed we store this20:21
lbragstadpersisting revocation event: {'revoked_at': '2016-09-09T19:54:49.664802Z', 'user_id': u'6878562382b6411baafd9c67c5879da6', 'issued_before': '2016-09-09T19:54:49.664802Z'}20:21
dstanekjlopezgu: i believe this is where the magic happens in devstack
lbragstadsamueldmq this is the event when we go to pull it out event: {'revoked_at': '2016-09-09T19:54:50.000000Z', 'user_id': u'6878562382b6411baafd9c67c5879da6', 'issued_before': '2016-09-09T19:54:50.000000Z'}20:21
samueldmqlbragstad: aah it's rounding rather than truncating20:22
lbragstadsamueldmq yep20:22
stevemarjlopezgu: we just pushed a patch to update keystone.conf20:22
samueldmqlbragstad: so even the sleep isn't enough20:22
samueldmqNeeded 2 seconds20:22
lbragstadsamueldmq right20:22
lbragstadsamueldmq or - we get rid of datetime completely20:23
lbragstadand give sql a float to store20:23
stevemarjlopezgu: it merged 21 hours ago20:23
lbragstadthat is exactly precise to what we need20:23
samueldmqlbragstad: agreed20:23
lbragstadsamueldmq this is the comparison20:23
lbragstad93828 event: {'revoked_at': '2016-09-09T19:54:50.000000Z', 'user_id': u'6878562382b6411baafd9c67c5879da6', 'issued_before': '2016-09-09T19:54:50.000000Z'}20:23
lbragstad93829 token_values: {'access_token_id': None, 'project_id': None, 'user_id': u'f0e706e9d8c74974bfdc802fc9edf0b0', 'roles': [u'd7ee7e440f7d4761b487940642b2391b'], 'audit_id': u'DUR8QCTRRqiiw0JWr1_FxA', 'trustee_id': None, 'trustor_id': None, 'expires_at': datetime.datetime(2016, 9, 9, 20, 54, 49), 'consumer_id': None, 'assignment_domain_id': u'default', 'issued_at': datetime.datetime(2016, 9, 9, 19, 54, 49), 'identity_domain_id':20:23
lbragstad u'default', 'audit_chain_id': u'DUR8QCTRRqiiw0JWr1_FxA', 'trust_id': None}20:23
lbragstadsorry for the spam20:23
lbragstadso the revocation logic is doing exactly what it should be doing20:24
samueldmqlbragstad: well debugged sir20:24
lbragstadsamueldmq completely frustrating... ;)20:24
*** fangxu has joined #openstack-keystone20:24
samueldmqlbragstad: so at the end the token validation was calling everything properly20:25
jlopezgudstanek, stevemar: Thank you very much! :)20:25
lbragstadsamueldmq yeah - not sure how i missed that before20:25
samueldmqIt was just the Event's timestamp20:25
lbragstadsamueldmq i believe so20:25
samueldmqAnyways you figured it out20:25
lbragstadat least according to the last few rounds of recreating it20:25
dstanekjlopezgu: yw20:26
*** ddieterly is now known as ddieterly[away]20:29
*** ddieterly[away] is now known as ddieterly20:31
*** javis has quit IRC20:31
*** ddieterly has quit IRC20:31
*** roxanagh_ has joined #openstack-keystone20:35
samueldmqlbragstad: add a 2 second sleep to tempest20:38
samueldmqlbragstad: and you will see you won't be able to reproduce it anymore20:39
lbragstadsamueldmq stevemar dolphm dstanek
openstackLaunchpad bug 1622010 in OpenStack Identity (keystone) "MySQL rounds timestamps" [Undecided,New]20:39
*** lmiccini has joined #openstack-keystone20:39
bknudsonlbragstad: did you see this?
dolphmlbragstad: what version of mysql?20:41
*** gyee has joined #openstack-keystone20:41
*** su_zhang has joined #openstack-keystone20:41
lbragstaddolphm Server version: 5.7.13-0ubuntu0.16.04.2 (Ubuntu)20:41
lbragstadbknudson that looks familiar20:42
lbragstadupdated the bug report20:42
samueldmqlbragstad: "This naturally works against the Fernet implementation because the Fernet implementation will *always* truncate it's issued_at time."20:42
samueldmqlbragstad: not sure I got that right20:42
*** javis has joined #openstack-keystone20:43
samueldmqlbragstad: you're testing against fernet20:43
samueldmqlbragstad: and it's failing20:43
lbragstadsamueldmq yep20:43
samueldmqlbragstad: so why "This naturally works against the Fernet implementation "20:43
samueldmqshouldn't be the opposite20:43
stevemarbknudson: increasing your twitter game20:44
bknudsonstevemar: it's a useful source of openstack info20:44
stevemarbknudson: it sure is20:44
stevemarbknudson: did you read that py3.6 has dicts ordered by default20:44
bknudsonI should "re-tweet" that one because it's useful20:45
lbragstadsamueldmq because if we generate a token at 2016-09-09T19:54:49.664802Z its issued at time will always be 2016-09-09T19:54:49.000000Z20:45
bknudsonstevemar: ordered by what?20:45
lbragstadsamueldmq if we store a revocation event at 2016-09-09T19:54:49.664802Z it will be rounded to 2016-09-09T19:54:50.000000Z in some versions of sql20:46
lbragstadsamueldmq so for example20:46
lbragstadif we change our password at 2016-09-09T19:54:49.664802Z and get a token at 2016-09-09T19:54:49.674802Z it will fail20:46
stevemarbknudson: sorted*20:46
stevemari assume alphabetically20:46
lbragstadeven though it's considered a valid situation20:46
lbragstadsamueldmq does that make sense?20:47
*** javis has quit IRC20:49
*** tonytan4ever has joined #openstack-keystone20:50
bknudsoninsertion order. weird.20:50
*** raildo has quit IRC20:53
mtreinishstevemar: ooh, now I don't have to use OrderedDict. Well if I ever write any py3.6 only code20:53
*** openstackstatus has quit IRC20:57
stevemarmtreinish: we'll eventually drop py2.x in a decade or so20:58
bknudsonaren't we (keystone) waiting on memcache?20:59
*** openstackstatus has joined #openstack-keystone20:59
*** ChanServ sets mode: +v openstackstatus20:59
*** jaugustine has quit IRC20:59
*** pauloewerton has quit IRC20:59
stevemarbknudson: don't draw back the curtain!20:59
*** gagehugo has quit IRC21:00
*** javis has joined #openstack-keystone21:00
lbragstadsamueldmq actually - you know how it happens?21:00
lbragstadsamueldmq let's say we change the password at 2016-09-09T19:54:49.500001Z and it gets rounded to 2016-09-09T19:54:50.000000Z21:01
lbragstadwe wait one second in tempest21:01
mtreinishstevemar: heh, sure. But how long until we won't have to support running on 3.5 anymore21:01
lbragstadso at 2016-09-09T19:54:50.500001Z we go to get a new token21:01
lbragstadand its issued at time is 2016-09-09T19:54:50.000000Z (because it's truncated)... so it's a weird problem comprised of truncation and rounding issues21:02
*** slberger has quit IRC21:08
*** gyee has quit IRC21:12
*** haplo37__ has joined #openstack-keystone21:12
*** su_zhang has quit IRC21:13
*** slberger has joined #openstack-keystone21:13
ayoungstevemar, pretty sure that the OSC/KSA  contract is not being met yet21:13
*** gyee has joined #openstack-keystone21:15
lbragstadsamueldmq dolphm one way i think we can fix is by rounding down the datetime before we store it in mysql21:16
openstackLaunchpad bug 1622010 in OpenStack Identity (keystone) "MySQL rounds timestamps" [Undecided,New]21:16
lbragstadbut what would also require us to round down the issued_at times of uuid tokens21:16
lbragstador other alternatives?21:16
samueldmqlbragstad: ++21:18
samueldmqlbragstad: I think that works well21:18
samueldmqlbragstad: hmm.. the complete solution would be to store precision in a separate field21:18
samueldmqwhile we implement that21:18
samueldmqI think we could increase the sleep by 1 second21:18
*** ddieterly has joined #openstack-keystone21:21
*** fangxu has quit IRC21:21
*** fangxu has joined #openstack-keystone21:22
openstackgerritayoung proposed openstack/python-keystoneclient: use KSA plugins to fulfill entrypoints
stevemarayoung: gorram reavers21:24
stevemarayoung: i'm hoping you are wrong21:24
ayoungstevemar, TA MA DA!21:25
stevemarlbragstad: can you determine if that bug is rc potential ?21:25
*** lamt has quit IRC21:25
*** admin0 has quit IRC21:28
lbragstadstevemar well - it only happens with fernet21:28
lbragstadi think...21:29
*** ddieterly has quit IRC21:29
samueldmqlbragstad: why wouldn't it happen with other formats ?21:29
lbragstadtesting it now21:30
samueldmqlbragstad: ah because the others have subsecond precision ?21:30
samueldmqlbragstad: +=21:30
lbragstadyeah - it wouldn't happen with uuid21:30
samueldmqstevemar: I classified as high priority21:30
samueldmqlbragstad: so for fernet drop the subsecond precision too21:32
openstackgerritayoung proposed openstack/python-keystoneclient: Update to working python version
*** haplo37__ has quit IRC21:32
samueldmqlbragstad: when storing revocation events21:32
samueldmqlbragstad: when storing a revocation event and the token format is fernet, take the floor of the timestamp (rounding down) ?21:32
samueldmqlbragstad: should be a quick fix21:33
lbragstadwell - we have to round down the revocation events issued_before and revoked_at21:33
lbragstadand we have to do the same with uuid's issued_at21:33
lbragstadthen we have to make sure we patch tempest with time.sleep(1) like we had to with fernet21:34
samueldmqlbragstad: why ? if we make the revoke timestamp to be rounded down, I think that's all?21:34
samueldmq2016-09-09T19:54:49.500001Z gets rounded to 2016-09-09T19:54:50.000000Z21:35
lbragstadbecause if we get a uuid token at 2016-09-09T19:54:49.500001Z then change passwords at 2016-09-09T19:54:49.550001Z21:35
samueldmq2016-09-09T19:54:49.500001Z would get rounded to 2016-09-09T19:54:49.000000Z21:35
lbragstadthen that token is now valid again21:35
lbragstadwhen it shouldn't be21:36
samueldmqlbragstad: we would only round down the revoke timestamp *if* the token format is fernet21:36
samueldmqlbragstad: for others we just leave as it is, because there is no bug for them21:36
lbragstadi feel like we should make it consistent regardless of the configuration21:37
samueldmqlbragstad: but different configurations offer a different level of precision already21:38
samueldmqso it's not consistent from there21:38
lbragstadsamueldmq i'm wondering if we should fix that entire problem21:38
*** wasmum has joined #openstack-keystone21:39
stevemarayoung: opening all the bugs!21:39
samueldmqlbragstad: the ideal solution is to store in a separate field21:39
samueldmqlbragstad: because for uuid, if the revoke event gets rounded up21:39
samueldmqlbragstad: a token issued right after (some ms) will be invalid21:39
samueldmqlbragstad: agree?21:39
lbragstadsamueldmq true - but i think we get around that with the waits in tempest now/21:40
samueldmqlbragstad: yeah, but it's still wrong, even if tempest passes21:40
samueldmqlbragstad: imo the best solution would be to store precision in a separate field21:40
lbragstadyeah - or a migration and a patch to keystone that would always handle precision outside for the data later21:41
lbragstadlike storing everything as a long int 1473457302.08392721:41
samueldmqlbragstad: how ? if the timestamps are retrieved rounded already21:42
samueldmqfrom the backend21:42
lbragstadsamueldmq we can override our sqlalchemy type to handle that for us21:42
lbragstadand make a SafeDateTime object21:42
samueldmqlbragstad: can we tell it to just NOT round anything ?21:43
lbragstadsamueldmq i don't think we can do that if we use datetime in sql21:43
lbragstadbecause we've seen it operate differently across different versions21:43
samueldmqlbragstad: ok so you wanted to have a plain long int21:43
samueldmqlbragstad: and restore that as a datetime in python21:43
lbragstadwe would have complete control21:44
samueldmqafter retrieving the number from backend21:44
samueldmqlbragstad: that works too21:44
samueldmqlbragstad: hehe21:44
lbragstadyes - that would be one solution21:44
samueldmqlbragstad: so we have 221:44
lbragstadthen we wouldn't have to care what the backend does, so long as it supports a long int21:44
*** rakhmerov has quit IRC21:44
samueldmqif it doesn't support21:45
samueldmqplease drop that backend and write to a file21:45
lbragstadsamueldmq i contemplated doing this awhile ago -
samueldmqlbragstad: hmm might want to restore that and update21:45
*** rakhmerov has joined #openstack-keystone21:47
*** spedione|AWAY is now known as spedione21:47
*** spedione is now known as spedione|AWAY21:48
lbragstadsamueldmq yep21:48
*** fangxu has quit IRC22:00
*** chrisshattuck has quit IRC22:05
*** tonytan_brb has joined #openstack-keystone22:06
*** tonytan4ever has quit IRC22:07
openstackgerritLance Bragstad proposed openstack/keystone: Consistently round down timestamps
lbragstadsamueldmq ^22:13
openstackgerritLance Bragstad proposed openstack/keystone: WIP: Switch fernet to be the default token provider.
lbragstadsamueldmq running everything locally and all tempest.api.identity tests seem to pass22:16
samueldmqlbragstad: hmmm all that quick?22:17
samueldmqlbragstad: I will review it now then22:17
lbragstadwe'll see22:17
samueldmqlbragstad: with ?22:17
lbragstadsamueldmq nope22:17
lbragstadsamueldmq this one
*** slberger has left #openstack-keystone22:18
samueldmqlbragstad: yeah but that removes subsecond precision for every token format22:18
lbragstadall that does is round everything down before passing it to whichever backend is being used22:18
lbragstadsamueldmq it does22:19
samueldmqlbragstad: remove the expiry_at change22:19
samueldmqlbragstad: and that will still pass22:19
samueldmqonly thing is that token revocations will take effect in the next second22:19
samueldmqand it currently does, but with a shorter window (ms)22:20
lbragstadyeah - but they will be truncated before writing to sql22:20
*** ddieterly has joined #openstack-keystone22:25
*** ddieterly has quit IRC22:27
*** javis has quit IRC22:31
*** ddieterly has joined #openstack-keystone22:31
*** ravelar has quit IRC22:37
*** sdake has quit IRC22:40
openstackgerritEric Brown proposed openstack/keystone: Remove the dead link in schema migration doc
*** ddieterly has quit IRC22:57
*** ddieterly has joined #openstack-keystone22:59
*** ddieterly has quit IRC23:06
*** ddieterly has joined #openstack-keystone23:13
*** sdake has joined #openstack-keystone23:22
*** BjoernT has quit IRC23:30
*** ravelar has joined #openstack-keystone23:32
*** roxanagh_ has quit IRC23:35
*** nicolasbock has quit IRC23:37
*** ravelar has quit IRC23:37
*** fangxu has joined #openstack-keystone23:37
*** ddieterly has quit IRC23:54
*** gyee_ has joined #openstack-keystone23:58
*** ddieterly has joined #openstack-keystone23:59
*** ddieterly has quit IRC23:59