Wednesday, 2016-10-05

*** haplo37_ has joined #openstack-keystone00:00
*** phalmos has quit IRC00:09
*** sdake_ has quit IRC00:16
openstackgerritJamie Lennox proposed openstack/keystone: Move audit initiator creation to request
*** browne has quit IRC00:52
*** david-lyle has quit IRC00:52
*** sdake has joined #openstack-keystone00:53
*** tqtran has quit IRC00:56
*** spzala has joined #openstack-keystone00:59
*** samueldmq has quit IRC01:01
*** spzala has quit IRC01:03
*** spzala has joined #openstack-keystone01:03
*** agireud has quit IRC01:10
*** samueldmq has joined #openstack-keystone01:14
*** ChanServ sets mode: +v samueldmq01:14
*** iurygregory_ has quit IRC01:26
*** phalmos has joined #openstack-keystone01:29
*** hoangcx has joined #openstack-keystone01:30
*** gyee has quit IRC01:46
*** woodster_ has quit IRC01:50
*** prometheanfire has joined #openstack-keystone02:06
prometheanfireis keystone going to warn be about this every time it starts now?02:06
prometheanfire2016-10-04 21:00:06.240 7140 WARNING keystone.assignment.core [-] Deprecated: Use of the identity driver config to automatically configure the same assignment driver has been deprecated, in the "O" release, the assignment driver will need to be expicitly configured if different than the default (SQL).02:06
*** browne has joined #openstack-keystone02:17
*** sdake has quit IRC02:18
*** sdake has joined #openstack-keystone02:20
trananhkmalbragstad, o/02:57
trananhkmalbragstad, in your comment at: -- what token provider (`CONF [token] provider`)02:59
openstackLaunchpad bug 1630259 in OpenStack Identity (keystone) "KeyError: 'is_domain' during mitaka -> newton rolling upgrade" [High,Triaged] - Assigned to Lance Bragstad (lbragstad)02:59
trananhkmalbragstad, in my nova.conf file, under [token], there is only one option: driver = sql03:00
trananhkmalbragstad, Is that what's you want?03:01
trananhkmalbragstad, 's/nova.conf/keystone.conf/g'03:03
*** agireud has joined #openstack-keystone03:14
*** spzala has quit IRC03:20
*** browne has quit IRC03:27
dolphmtrananhkma: token provider is a different option than the driver; if you haven't set it, then it'll default to uuid03:28
trananhkmadolphm, yes, I haven't set it03:29
dolphmtrananhkma: can you leave a comment in the bug that you haven't set [token] provider, so it should be the default value (uuid)?03:30
trananhkmadolphm, yes, sure :)03:31
dolphmtrananhkma: thank you!03:31
* prometheanfire wishes the other services would switch to wsgi...03:40
*** sdake has quit IRC03:43
*** sdake has joined #openstack-keystone03:43
*** links has joined #openstack-keystone03:45
*** markvoelker has quit IRC03:48
stevemarjays win!!03:54
*** dikonoor has joined #openstack-keystone03:55
*** tqtran has joined #openstack-keystone03:55
stevemarprometheanfire: file a bug, i'll take a look at it03:55
stevemarprometheanfire: if it's happening by default we should get rid of the warning or not make it the default03:55
prometheanfirestevemar: sure03:55
stevemarprometheanfire: i think i know what it is03:56
stevemarprometheanfire: has no default03:56
stevemarit should be sql03:56
stevemarsince thats the only backend we provide (we removed ldap)03:56
stevemarprometheanfire: i'll file a bug03:57
prometheanfirestevemar: thanks03:57
stevemarit's a bit intertwined03:57
*** tqtran has quit IRC03:59
openstackLaunchpad bug 1630435 in OpenStack Identity (keystone) "make the assignment backend default to sql" [High,Confirmed]04:05
*** nicolasbock has quit IRC04:05
stevemardolphm: sounds like we should consider getting lbragstad's fix in, maybe rc304:06
prometheanfirestevemar: I have updated keystone though04:06
dolphmstevemar: ++04:06
prometheanfireno problem this release :P04:06
stevemardolphm: have you (or lbragstad) reviewed and tested the fix?04:07
dolphmstevemar: i have not04:07
*** spzala has joined #openstack-keystone04:07
*** spzala has quit IRC04:07
stevemardolphm: lbragstad's comment in the bug report is very good, i think the fix is fine too04:13
stevemarnot sure if unit testing it is possible (easily anyway)04:13
dolphmwas trananhkma able to test it?04:13
*** code-R has joined #openstack-keystone04:14
dolphmstevemar: ^04:17
stevemardolphm: not AFAIK, trananhkma?04:18
trananhkmadolphm, I will test it04:18
trananhkmastevemar, sorry?04:19
stevemartrananhkma: oh i was just wondering if you had a chance to test the lbragstad's fix  :)04:19
trananhkmastevemar, ah, ok04:21
openstackgerritDolph Mathews proposed openstack/keystone: Make returning is_domain conditional
dolphmtrananhkma: stevemar: ^04:23
stevemardolphm: y, i saw04:24
stevemardolphm: i feel like this is safe to merge as it04:24
stevemarits a simple check before accessing a key04:24
dolphmstevemar: i just revised the message04:25
*** sdake has quit IRC04:25
dolphmtrananhkma: stevemar: lbragstad: clean backport
stevemardolphm: jumping the gun :P04:26
dolphmstevemar: it's time :)04:26
stevemardolphm: if we get it merged in newton i can tag rc3 soon and only get a minor whooping from the release team04:27
*** adriant has quit IRC04:28
dolphmstevemar: this bug should be reproducible without a rolling upgrade scenario04:28
stevemardolphm: we could also merge
dolphmstevemar: i think i'd be down for that04:29
stevemardolphm: removed my -W04:29
*** adriant has joined #openstack-keystone04:30
dolphmstevemar: went ahead and +2'd the backport, but i'd rather know that it's been tested by trananhkma04:34
dolphmworst case, i'd expect that backtrace to be fixed, only to be replaced by another similar backtrace elsewhere04:35
*** phalmos has quit IRC04:37
*** annp has joined #openstack-keystone04:39
stevemardolphm: right04:43
*** GB21 has joined #openstack-keystone04:46
*** markvoelker has joined #openstack-keystone04:49
*** sdake has joined #openstack-keystone04:51
stevemardolphm: i'd prefer knowing it actually fixes the issue04:51
stevemari'll try and recreate the problem (and test with the fix)04:51
*** HenryG has quit IRC04:51
*** HenryG has joined #openstack-keystone04:52
*** markvoelker has quit IRC04:54
*** bjolo_ has joined #openstack-keystone04:58
trananhkmadolphm, stevemar, lbragstad, the fix worked very well, thank you so much!04:59
stevemartrananhkma: ++04:59
stevemartrananhkma: i'll approve it04:59
stevemartrananhkma: thanks for finding the bug and testing the fix so quickly05:04
*** jaosorior has joined #openstack-keystone05:07
prometheanfirestevemar: guess what05:11
prometheanfirestevemar: it's not keystone that fails migrations on postgres this release but nova :D05:12
prometheanfireI kinda wonder if it's just because I never used aggregates05:12
stevemarprometheanfire: you scared me for a sec05:14
prometheanfirenow it's another team member I get to scare05:14
openstackgerritMerged openstack/keystone: Add tests for validating expired tokens
*** adriant has quit IRC05:19
*** agireud has quit IRC05:19
*** code-R has quit IRC05:22
*** denismakogon has joined #openstack-keystone05:24
*** jaosorior has quit IRC05:35
*** amoralej|off has quit IRC05:35
*** akrzos has quit IRC05:35
*** jaosorior has joined #openstack-keystone05:35
*** akrzos has joined #openstack-keystone05:35
*** agireud has joined #openstack-keystone05:38
*** GB21 has quit IRC05:38
*** richm has quit IRC05:40
*** amoralej has joined #openstack-keystone05:41
*** markvoelker has joined #openstack-keystone05:50
*** GB21 has joined #openstack-keystone05:50
*** denismakogon has quit IRC05:52
*** prometheanfire has left #openstack-keystone05:53
*** denismakogon has joined #openstack-keystone05:54
*** markvoelker has quit IRC05:55
bretonmorning, keystoneers06:01
*** david-lyle has joined #openstack-keystone06:08
*** bjolo_ has quit IRC06:24
*** pnavarro has joined #openstack-keystone06:41
*** pcaruana has joined #openstack-keystone06:46
*** markvoelker has joined #openstack-keystone06:51
*** rcernin has joined #openstack-keystone06:53
*** code-R has joined #openstack-keystone06:54
*** code-R_ has joined #openstack-keystone06:56
*** markvoelker has quit IRC06:56
*** code-R has quit IRC06:59
*** tqtran has joined #openstack-keystone07:00
*** david-lyle has quit IRC07:02
*** tqtran has quit IRC07:05
*** AlexeyAbashkin has quit IRC07:07
*** tesseract- has joined #openstack-keystone07:07
*** rcernin has quit IRC07:12
*** rcernin has joined #openstack-keystone07:12
*** hogepodge has quit IRC07:21
*** AlexeyAbashkin has joined #openstack-keystone07:46
*** GB21 has quit IRC07:49
*** markvoelker has joined #openstack-keystone07:51
*** asettle has joined #openstack-keystone07:54
*** markvoelker has quit IRC07:56
*** zzzeek has quit IRC08:00
*** zzzeek has joined #openstack-keystone08:00
openstackgerritMerged openstack/keystone: Make returning is_domain conditional
*** hogepodge has joined #openstack-keystone08:11
*** EinstCrazy has joined #openstack-keystone08:16
*** GB21 has joined #openstack-keystone08:36
bjolostevemar, still up?08:47
*** denismakogon has quit IRC08:49
*** jaosorior is now known as jaosorior_lunch08:50
*** markvoelker has joined #openstack-keystone08:52
*** markvoelker has quit IRC08:57
*** sdake has quit IRC08:59
*** josecastroleon has joined #openstack-keystone09:16
*** TonyXu has joined #openstack-keystone09:18
*** EinstCrazy has quit IRC09:23
*** EinstCrazy has joined #openstack-keystone09:32
*** EinstCrazy has quit IRC09:34
*** jaosorior_lunch is now known as jaosorior09:46
*** code-R_ has quit IRC09:46
*** markvoelker has joined #openstack-keystone09:53
*** code-R has joined #openstack-keystone09:57
*** markvoelker has quit IRC09:58
*** annp has quit IRC10:01
*** denismakogon_ has joined #openstack-keystone10:01
*** tqtran has joined #openstack-keystone10:02
*** code-R has quit IRC10:02
*** code-R has joined #openstack-keystone10:03
*** tqtran has quit IRC10:06
*** mvk has quit IRC10:09
*** richm has joined #openstack-keystone10:10
bjolosilly question perhaps. working with setting up a ldap domain config. Are all the config options for [ldap] applicable for a domain config file as well?10:10
*** code-R has quit IRC10:13
*** code-R has joined #openstack-keystone10:18
*** dikonoor has quit IRC10:23
*** code-R has quit IRC10:28
*** GB21 has quit IRC10:30
*** hoangcx has quit IRC10:31
*** code-R has joined #openstack-keystone10:31
*** code-R has quit IRC10:33
*** vkramskikh has joined #openstack-keystone10:34
vkramskikhhey folks, where can I see the change list between API v3.6 and v3.7?10:35
*** denismakogon_ has quit IRC10:35
*** GB21 has joined #openstack-keystone10:39
*** pnavarro has quit IRC10:40
*** code-R has joined #openstack-keystone10:40
*** nicolasbock has joined #openstack-keystone10:40
*** mvk has joined #openstack-keystone10:41
*** code-R has quit IRC10:52
*** markvoelker has joined #openstack-keystone10:54
*** code-R has joined #openstack-keystone10:58
*** markvoelker has quit IRC10:59
*** code-R has quit IRC11:01
*** code-R has joined #openstack-keystone11:28
*** code-R_ has joined #openstack-keystone11:30
*** code-R has quit IRC11:33
*** msno has joined #openstack-keystone11:51
*** pnavarro has joined #openstack-keystone11:51
msnohi guyz.. i am using a curl command to fetch some details .. but its giving me " Token validation experienced an error communicating with Keystone  "11:53
msnoi am using "openstack token issue"then11:53
msnorunning the following comand with that token11:53
msno curl -X GET -H "Content-Type: application/json" -H "X-Auth-Token: e741c5135a0646b49c8eb1c6be10d7d5"; echo11:54
*** markvoelker has joined #openstack-keystone11:54
bretonmsno: what is the service you are trying to send the request to?11:59
*** markvoelker has quit IRC11:59
bretonmsno: there are no errors like this in keystonemiddleware, so you probably should talk to the authors of the service you are trying to use12:00
bretonmsno: is that openvim?12:00
msnobreton, haproxy12:00
msno9085 is haproxy service .. novamon12:00
*** pjm6_ has joined #openstack-keystone12:01
bretonmsno: i have no idea what novamon is :) but you should talk to the guys who wrote it.12:01
msnobreton, ok.. but its not the issue with service or the curl command.. in another setup .. its working12:02
msnobreton, the token fetched in this setup is the culprit12:02
msnoany pointers on that area\12:02
bretoni can't think of any.12:03
*** pjm6 has quit IRC12:04
*** amoralej is now known as amoralej|lunch12:06
*** beddari has joined #openstack-keystone12:09
*** code-R_ has quit IRC12:11
beddarisimple question I think, but I'm coming up short: how can I allow my normal, non-admin, local v3 user, created in a domain, list what projects it has access to?12:12
beddarikeystone of course does this already, but I wasn't able to comprehend how to do what it does, api or command line wise12:12
*** code-R has joined #openstack-keystone12:14
beddariargh. _horizon_ as a keystone client can already list projects for a user, was my point.12:16
bretonGet available project scopes12:17
beddaribreton: how did I not find that, will try ... thanks!12:17
mahHi all, How to let openstack use Nova access API v2.0 instead of v2.1 ?12:19
*** sdake has joined #openstack-keystone12:19
bretonmah: have you tried asking in #openstack-nova or #openstack-dev?12:20
* breton doesn't know12:20
mahI asked in #openstack-dev but did not got answers12:20
mahwill try #openstack-nova12:21
*** raildo has joined #openstack-keystone12:22
beddarimah: I think perhaps the question is too generic, having 3-4 years experience with operating I don't understand it :P12:29
mahNow there is microversions introduced by openstack12:31
mahso Nova API may have v212:32
mahor v2.112:32
mahWhen I open the API access in the dashboard, I found the Compute Service is using this endpoint :
mahI need it to use v2 not v2.112:33
bretonmah: you need to change endpoint in the catalog12:35
mahwill that mess up anything ?12:38
*** markvoelker has joined #openstack-keystone12:44
beddarinot likely12:45
beddarimah: the easiest would probably be to just update it in the db :)12:48
beddarimah: but you might have to find out how that enpoint url was created in the first place ...12:49
mahok thanks /beddari12:52
*** raildo has quit IRC12:55
*** GB21 has quit IRC12:56
*** josecastroleon has quit IRC12:57
*** raildo has joined #openstack-keystone12:57
*** edmondsw has joined #openstack-keystone12:59
*** ash__ has joined #openstack-keystone13:13
*** EinstCrazy has joined #openstack-keystone13:15
*** EinstCrazy has quit IRC13:15
ash__Hello. I want to contribute to OpenStack for Outreachy. I want to work on the Keystone/Infra - Improving Keystone jobs for new scenarios project. Can anyone give me any pointers on where/how to get started? Thanks.13:16
*** amoralej|lunch is now known as amoralej13:21
dimsrodrigods : raildo : i see your names on as possible mentors, can one of you please help with ash__ 's query?13:29
dimsrodrigods : raildo : (see above :)13:29
raildodims, thanks for the ping :)13:30
raildohey ash__ :) It's one idea to improve some functional tests related to Keystone, and maybe create new jobs for this scenarios, for any doubts related to the outreachy process I suggest go to #openstack-opw, and we can clarify any doubts about it13:32
raildoash__, besides that you have to submit an application for the outreachy program: and the deadline for apply is October 17, 2016.13:33
raildoash__, since you get the approval, the internship will be made in the period of December 2016 until March 201713:33
lbragstaddolphm thanks for the backport and the commit message clean up13:34
lbragstadstevemar thanks for the reviews13:34
lbragstadtrananhkma thanks for testing :)13:34
raildolbragstad, ++ it was a quickly fix  :) thanks sir!13:35
lbragstadraildo no problem - thanks for reviewing!13:35
*** jaosorior has quit IRC13:36
ash__I asked about the keystone project there and they directed me to this channel13:36
*** jaosorior has joined #openstack-keystone13:36
ash__"there" being #openstack-opw13:36
raildoash__, great :) so, do you have any experience with openstack?13:39
*** jed56 has left #openstack-keystone13:42
*** ayoung has quit IRC13:47
*** TonyXu has quit IRC13:49
*** dave-mccowan has joined #openstack-keystone13:50
*** alex_xu has quit IRC13:55
stevemarlbragstad: we are spinning up rc3 for the upgrade fix13:57
openstackgerritLance Bragstad proposed openstack/keystone: Default the assignment backend to SQL
lbragstadstevemar sweet13:57
stevemarlbragstad: oh nice, i was just going to pick that up13:57
lbragstadstevemar totally missed that part when I was mucking with that bug and i opened it for Newton13:57
stevemarlbragstad: there's one more thing we can remove ^13:57
lbragstadstevemar what's that?13:58
stevemartrying to find i13:58
knikollao/ morning!13:58
lbragstadknikolla o/13:58
stevemarlbragstad: this stuff
stevemarlbragstad: also it'll be great to get this merged:
lbragstadstevemar ooof - that's a beast14:00
stevemarlbragstad: yeah, sizeable, but nothing complicated14:00
openstackgerritLance Bragstad proposed openstack/keystone: Default the assignment backend to SQL
*** alex_xu has joined #openstack-keystone14:02
*** chris_hultin|AWA is now known as chris_hultin14:03
lbragstadstevemar so every driver is just going to have a base class - right?14:04
stevemarlbragstad: right, no more Vx classes14:04
*** TonyXu has joined #openstack-keystone14:04
stevemarand the base class should have the same functions that the driver has14:05
stevemarrather, backend14:05
lbragstadthe base class is the driver interface - right?14:05
lbragstadand then the specific backends implement that interface?14:05
bretonyey, finally14:06
bretonthe Vx thing was messy :(14:06
lbragstadstevemar I'm reviewing it now - but it probably wouldn't be a bad idea to have dstanek give it a once over, too14:06
lbragstadsince he did quite a bit of work initially on it14:07
stevemarbreton: bad experiment :)14:08
lbragstadoh - nice...14:09
stevemarerrr :(14:09
lbragstadthis breaks the core -> driver thing14:09
dstaneklbragstad: stevemar: which one?14:09
dstanekcool, i'll take a look14:09
*** LamT__ has joined #openstack-keystone14:10
stevemarlbragstad: can you add to abt the assignment driver stuff14:10
stevemarlbragstad: theres also
*** dims has quit IRC14:11
stevemarlbragstad: same issue for resource driver:
lbragstadstevemar do you want a separate release note in my patch for the assignment config default?14:12
lbragstadstevemar do we have a bug open for the resource driver?14:12
stevemarlbragstad: add it to mine, i'll keep a running tally14:12
*** links has quit IRC14:14
*** jaosorior has quit IRC14:16
openstackgerritLance Bragstad proposed openstack/keystone: create release notes for removed functionality
*** dims has joined #openstack-keystone14:17
bretonsome time ago we had a page where we wrote "what's new in 3.x API". Do we have such page now?14:18
*** lamt has joined #openstack-keystone14:20
openstackgerritLance Bragstad proposed openstack/keystone: Default the assignment backend to SQL
openstackgerritLance Bragstad proposed openstack/keystone: Default the resource backend to SQL
*** phalmos has joined #openstack-keystone14:22
*** gagehugo has joined #openstack-keystone14:22
*** phalmos has quit IRC14:23
*** alee has joined #openstack-keystone14:23
stevemarbreton: we kind of added that to some parts in the API reg14:24
bknudsonbreton: used to be at the top of the api ref14:28
bknudsonthere must be some way to add a section to the new v3 api ref with this info14:28
*** ash__ has quit IRC14:28
stevemarbknudson: for sure there is14:30
dstaneklbragstad: stevemar: i only had a few minor comments that could be fixed in a follow up review14:30
stevemarbreton: you can add a "" file here and add it to the top of index.rst of course14:31
lbragstaddstanek cool - i'll let you kick it through the door14:31
bretonstevemar: i'll probably do that a little later, after finishing working on a patch14:31
dstaneklbragstad: kicked14:31
*** rodrigods has quit IRC14:32
stevemarbreton: cool, the old APIs are still around in for reference14:32
*** rodrigods has joined #openstack-keystone14:32
lbragstaddstanek sweet!14:32
*** jorge_munoz has joined #openstack-keystone14:32
*** spzala has joined #openstack-keystone14:35
dstanekso i created a domain domain1, a group domain1_admins and gave the group the admin role on the domain - but i can't login to horizon with a user from that group14:37
dstanekdo i actually need a member role too?14:37
*** jorge_munoz has quit IRC14:37
*** LamT__ has quit IRC14:38
*** edmondsw has quit IRC14:38
*** pjm6_ has quit IRC14:38
*** richm has quit IRC14:38
*** hogepodge has quit IRC14:38
*** tesseract- has quit IRC14:38
*** akrzos has quit IRC14:38
*** samueldmq has quit IRC14:38
*** alee has quit IRC14:38
*** clenimar has quit IRC14:38
*** mugsie has quit IRC14:38
*** mugsie has joined #openstack-keystone14:39
*** pjm6 has joined #openstack-keystone14:39
*** edmondsw has joined #openstack-keystone14:39
*** clenimar has joined #openstack-keystone14:39
*** alee has joined #openstack-keystone14:39
*** hogepodge has joined #openstack-keystone14:39
*** akrzos has joined #openstack-keystone14:39
*** jorge_munoz has joined #openstack-keystone14:39
*** richm has joined #openstack-keystone14:39
*** tesseract- has joined #openstack-keystone14:39
*** DuncanT has quit IRC14:41
*** LamT__ has joined #openstack-keystone14:43
*** samueldmq has joined #openstack-keystone14:44
*** ChanServ sets mode: +v samueldmq14:44
*** david-lyle has joined #openstack-keystone14:45
*** DuncanT has joined #openstack-keystone14:47
*** david-lyle has quit IRC14:54
bretondstanek: have you tried mocking dogpile.cache in ? Or you just left a comment?14:56
bretoni am trying to replace it with mock and it is pita with weird isinstance() calls14:57
dstanekbreton: i actually think that comment can just be removed14:58
*** woodburn has quit IRC14:59
openstackgerritSteve Martinelli proposed openstack/keystone: re-add valid comment about None domain ID
stevemardstanek: so, i made the one change, but i don't think the other suggestion makes sense15:00
*** david-lyle has joined #openstack-keystone15:00
dstanekstevemar: the name one doesn't make sense?15:00
stevemardstanek: right, the token provider needs a base class15:00
dstanekstevemar: is it actually a base class to something else?15:00
stevemardstanek: the other base classes are called FooDriverBase15:00
*** jistr is now known as jistr|call15:01
*** ravelar has joined #openstack-keystone15:04
*** ddieterly has joined #openstack-keystone15:05
openstackgerritLance Bragstad proposed openstack/keystone: Simplify the KeystoneToken model
*** rcernin has quit IRC15:12
openstackgerritLance Bragstad proposed openstack/keystone: Use validate_v3_token instead of validate_token
openstackgerritLance Bragstad proposed openstack/keystone: Ensure all v2.0 tokens are validated the same way
openstackgerritLance Bragstad proposed openstack/keystone: One validate method to rule them all...
openstackgerritLance Bragstad proposed openstack/keystone: Remove validate_v2_token() method
openstackgerritLance Bragstad proposed openstack/keystone: Make sure all v3 tokens are validated the same way
*** pcaruana has quit IRC15:13
*** jistr|call is now known as jistr15:13
openstackgerritSteve Martinelli proposed openstack/keystone: remove legacy driver tox target
stevemardstanek: ^ and if you're interested15:18
*** phalmos has joined #openstack-keystone15:19
*** ddieterly is now known as ddieterly[away]15:22
*** tesseract- has quit IRC15:24
*** code-R has quit IRC15:25
*** code-R has joined #openstack-keystone15:25
*** david-lyle has quit IRC15:26
*** ddieterly[away] is now known as ddieterly15:26
openstackgerritMerged openstack/keystone: Remove stable driver interfaces
*** adrian_otto has joined #openstack-keystone15:31
stevemar+50, -291715:31
*** david-lyle has joined #openstack-keystone15:32
dstanekstevemar: shore15:34
*** jaosorior has joined #openstack-keystone15:37
openstackgerritRichard Avelar proposed openstack/keystone: Improve check_token validation performance
*** david-lyle has quit IRC15:53
*** code-R_ has joined #openstack-keystone15:57
*** code-R has quit IRC16:00
*** gyee has joined #openstack-keystone16:00
*** adrian_otto has quit IRC16:00
*** cnf has joined #openstack-keystone16:01
*** adrian_otto has joined #openstack-keystone16:02
cnfanyone know of a good resource to learn about keystone? I can't figure out what combination of roles profiles domains etc you need to do something16:02
*** phalmos has quit IRC16:02
*** code-R_ has quit IRC16:09
*** phalmos has joined #openstack-keystone16:10
*** mvk has quit IRC16:11
knikollacnf: what are you trying to accomplish?16:12
cnfI have users that can't do a damn thing16:13
cnfand I don't understand what needs to be done to make it work16:14
*** pnavarro has quit IRC16:15
openstackgerritRon De Rose proposed openstack/keystone: Add revocation event indexes
cnfI though I had made an admin user16:17
cnfbut it can't see any resources in horizon, and can't edit most things16:17
openstackgerritRon De Rose proposed openstack/keystone: Improve check_token validation performance
cnfI don't get the Project tab in horizon, either16:18
*** haplo37_ has quit IRC16:18
*** haplo37_ has joined #openstack-keystone16:21
cnfugh, i though I had assigned the user to a project, but in horizon i can't see it belonging to a project16:21
cnfi think16:21
*** woodster_ has joined #openstack-keystone16:26
*** ddieterly is now known as ddieterly[away]16:27
*** ayoung has joined #openstack-keystone16:28
*** ChanServ sets mode: +v ayoung16:28
*** ddieterly[away] is now known as ddieterly16:30
ayoungrodrigods, trying to think through what it would mean to do Key rotations in a Tripleo environment.  I do not want to be putting tarballs into swift with keys in them.16:30
ayoungThe best I can come up with is this:16:30
ayounguser the keystone_manage pki_setup to generate a keypair and a cert.  Send that cert to the undercloud.  Undercloud encrypts the fernet key with the public key in the cert, and puts that in the tarball.  Tarball goes to the Keystone server and gets unpacked.  Keystone decrypts the fernet key and sticks it into rotation.16:32
ayoungFor people with a real CA, the pki_setup can be replaced with something that gets a certificate signed for real16:33
*** msno has quit IRC16:33
cnfwhat would enable a service on a domain?16:33
*** gus_ is now known as gus16:33
ayoungactually, I wouldnot mind getting pki_setup talking to certmonger if it is going to stay arounnd, but I think it is one the chopping block16:33
ayoungcnf  can you clarify what you are asking?16:34
* ayoung might have missed the context...looks in evesdrop16:34
cnfI have services (nova and swift) that are not showing on one domain, and are on another16:34
cnfwhile glance and neutron show in both16:35
ayoungcnf, you mean that when you get a token scoped to one domain, it is missing elements of the service catalog?16:35
cnfwhen I get a what now?16:35
cnfi'm just looking in horizon16:35
ayoungAre you sure the tokens are scoped to the domain, or are you just using users that are managed by a differnt domain16:35
ayoungcnf, we really made Keystone confusing when we introduced the term domain16:35
ayounglet me see if i can explain16:36
ayoungno, is too much,  let me sum up16:36
ayoungwhen a user tries to get a token from Keystone, there are 2 different domains that come into play16:36
ayoungthe first is the domain where the user is managed.  The second is the domain where the project is managed16:36
ayoungWhen a user requests a token, you want it scoped to a project16:37
ayoungotherwise, you don't geta service catalog.16:37
ayoungand, since I wrote that, I've learned that we really want to clear out all old env vars that start with OS_16:38
ayoungI'd recommend adding something like this16:38
cnfI'm not sure I understand what you are trying to tell me16:39
ayoungunset `env | awk -F= ‘/OS_/ {print $1}’ | xargs`16:40
ayoungcnf, My work here is done.16:40
cnfalso for myenv in `env|grep OS_|awk -F= '{print $1}'`; do unset $myenv; done16:40
cnfor that16:40
ayoungyep, that works16:40
ayoungpiping grep into awk makes awk sad16:40
ayoung"I COULD HAVE DONE THAT FOR YOU!"  awk cries16:41
jlkthat's like catting and piping into grep16:41
cnfI still have no idea what I am supposed to do16:41
ayounganyway, can you restart your question now that I've made the water nice and muddy>16:41
cnfI don't understand anything at all about how permissions etc work, it seems16:41
cnfI have 2 domains16:42
cnfdefault, and USers16:42
*** jaosorior has quit IRC16:42
cnfif I log in with a user under the Users domain on horizon16:42
cnfhalf the options are missing, and what I have a lot of the functions don't work16:43
ayoungOK, let's start with that16:43
cnfI can't select a project at the top16:43
cnfeven though I added the user to the project16:43
ayoungHorizon hides a lot from you.  I'd recommend using the Command line to understand what is going on.  OK?16:43
cnfi think, I have no idea how to check anything with the cli16:43
openstackgerritRon De Rose proposed openstack/keystone: Add revocation event indexes
*** phalmos has quit IRC16:43
ayoungcnf, so start with the template I gave you, and create a keystone.rc file16:44
ayoung. ./keystone.rc ;  openstack token issue16:44
cnfwith what credentials?16:45
cnfmy current one uses the super admin token16:45
ayoungcnf, I know, a CLI.  How barbaric.  You come to #openstack-keystone, its like going back through time....16:45
cnfI live on a CLI16:45
cnfI just do NOT understand the openstack one, at all16:45
cnfso what credentials are you wanting me to enter?16:46
cnfso far, I have done everything with OS_TOKEN=16:47
cnfassuming that would always show me everything16:47
openstackgerritRon De Rose proposed openstack/keystone: Add revocation event indexes
cnfayoung: ?16:47
jlkTokens are... special16:48
ayoungcnf, No not OS_TOKEN16:48
openstackgerritRichard Avelar proposed openstack/keystone: Improve check_token validation performance
ayoungcnf, the template in the first link I set shows the env vars you want to set16:48
cnfwith what login...16:49
cnfwhat username and password am I using with that16:49
ayoungcnf, whatever you use in Horizon16:49
ayoungcnf, when you log in to horizon, here is, roughly what happens16:50
ayoungyou pass in userid and password.  THose get sent to Keystone to fetch atoken for you.16:50
ayoungthat token might be scoped to a project by default, or it might be unscoped.16:50
ayoungTHe reasons why vary based on your server set up16:50
cnfI have an admin user that can _ONLY_ see the default domain16:51
cnfand I have a Users domain where NO user works right16:51
ayoungOK,  let's use the Admin user to start16:51
ayoungWhen you log in to horizon, the Admin user gets a token scoped to some project, probably called"Admin" as well16:51
ayoungso OS_USERNAME=Admin  OS_USER_DOMAIN_NAME=Default16:52
*** david-lyle has joined #openstack-keystone16:52
ayoungusually the domain is set up with and ID of default and a Domain Name of Default, note the capitalization difference16:53
cnf# openstack token issue16:53
cnfThe request you have made requires authentication. (HTTP 401) (Request-ID: req-89110583-d7ce-4c3c-be6a-b6997c694317)16:53
ayoungcnf did you createa keystone.rc and source it?  If so, then one of more of the env vars are wrong16:54
cnfyes, I did16:54
cnfok, default is not Default16:55
ayoungthat is one reason I'd recommend clearing the environment at the start, to make sure there is no bleed over from earlier attempts16:55
cnfall my files clear all OS_ on source16:55
jlkjust to be sure, you've got a password too, right?16:56
cnfwhat do you mean, a password too?16:57
jlkWhen you auth to Keystone, as a user (not the OS_TOKEN), you need to provide a user name, a password, a project, and a domain16:57
cnfayoung:  so I have sourced that one, with the admin user on the default domain16:57
cnfjlk:  yes, that's what I am using now16:57
*** spilla has joined #openstack-keystone16:58
jlkThe username and password are specific to the user.  The project and domain are specific to the _session_. Your user could have roles in multiple projects and domains. You generally have to pick one for the session.16:58
*** ddieterly is now known as ddieterly[away]16:58
ayoungso whate jlk is asking is do you have a valid valud for OS_PASSWORD set16:59
* ayoung can't type16:59
cnfwell, yes...16:59
cnfas I have said it works16:59
cnfwell, the token issue bit, anyway17:00
ayoungoke, what about openstack user list?17:00
cnfso now what?17:00
cnfI see the service users, and demo17:00
cnfyou know, nova, neutron, glance etc17:00
ayoungright, they are all in the default domain, too.  Are you seeing the users in the other domain?17:01
cnfI see them with # openstack user list --domain Users though17:01
ayoungthere are some conifg options which would affect that.  But that is good17:02
ayoungok,  so now you want to look at the roles assigned to a user in the Users domain17:02
cnfyeah, no idea how to do that17:02
ayoungopenstack role assignment list17:02
cnfany way to have that show names instead of Ds?17:03
*** ddieterly[away] is now known as ddieterly17:03
cnfright, --names17:04
ayoungcnf, to answer that requires more time and more alcohol than I currently have available.17:04
ayoungsuffice to say, I don't actually have a working openstack server where I have admin on it right now17:05
*** adrian_otto has quit IRC17:05
jlkI have the sads for that17:05
ayoungcnf, so, you need to get to the point where one of the users in the Users domain has a role assignment on a project, and have them request a token for that project17:05
jlkI should do a session at summit on using Ursula so you can point at any openStack you have some access to boot VMs so you can get a solid 3 node openstack built17:06
ayoungjlk, its cuz Iwork on Tripleo, and am resource constrained...had just taken down my system for a reinstall17:06
cnfI have a NUC with ESXi to test17:06
openstackgerritAlexander Makarov proposed openstack/keystone: Redis cache backend using hash as a native region
cnfso a role has to be assigned to a project?17:07
ayoungcnf, yep17:07
jlkcnf: what he's trying to say is that if you want to be able to see the catalog from the Users domain, the user you are logging in as will need to have at least a _member_ role in a project that exists in the Users domain.17:07
ayoungcnf a role assignment is a tuple: user, project,  role17:07
ayoungjlk I was thinking of trying to get a Null role defined.  It can't do anything in the project expect show you that you can't do anything.17:08
jlkcnf: Access to things is driven by roles. Roles link together a user and a project17:08
ayoungjlk that is the way my mind has been warped by being on Keystone this long.17:08
jlkand when you add Domains to the mix, a project may be specific to a single domain17:08
*** adrian_otto has joined #openstack-keystone17:09
ayoungHaving a Null role defined would show us how 90% of policy is way too permissive17:09
ayoungjlk I wish we never introduced domains.  I wish we had made projects hierarchical from the get go and left it at that17:09
cnfwow, this stuff is confusing17:10
* ayoung gets the sads from Keystone history17:10
*** tqtran has joined #openstack-keystone17:10
jlkit does make things awkward, even before talking about projects that span domains, or having domain level roles17:10
ayoungjlk, yep.  Yuck.17:10
*** phalmos has joined #openstack-keystone17:10
* ayoung needs food. 17:10
cnfand all I need domains for is to have LDAP auth17:10
ayoungcnf making a lunchrun.  Back in a bit.17:10
jlkcnf: sadly, yes. This is a thing that has grown "organically" over time.17:10
cnfthanks so far17:11
cnfstill confused as fuck, but I did learn some things17:11
jlkBottom line, there should be some projects that exist in the Users domain17:11
*** adrian_otto has quit IRC17:11
jlkand within those projects, you can assign some roles (such as _member_) to your LDAP users17:11
cnfyeah, I _think_ I have something working17:11
jlkso that when they log in, they log in with the magic combo of domain, user, and project.17:11
cnfwhat is _member_ ? I have seen it, but I have no idea what is special about it17:12
jlkit's a defacto standard for the base level of rights17:12
cnfhmm, ok17:12
cnfI just have admin and user roles, i think17:12
jlkI hesitate to say that it's not hardcoded anywhere in the actual code, other than policy17:12
jlkcnf: it's quite likely then that your policy files have been modified.17:12
cnfidno, I just followed the install docs on openstack.org17:13
cnfwhich has led me up weird places before, admitedly17:13
jlkdid you edit any policy.json files?17:13
cnfuhm, I don't think so17:14
jlkthose are the files that enforce the access levels.17:14
jlkHow did the "user" role get created?17:14
jlkI'm assuming you have access, so check out your keystone's policy.json file17:14
*** ddieterly is now known as ddieterly[away]17:15
cnfmember_role_name is not set anywhere, so it's still default17:15
cnfI have no idea what policy.json does, or what I am looking for17:15
jlkPolicy.json is what is used to check specific API actions against a user's role(s) to decide whether the action should be allowed or not17:16
jlkit's how the difference between admin and non-admin is handled17:16
cnfit has neither user, nor _member_ as a specifit string in it, though17:16
jlkyeah, because I think it relies on the "member_role_name" configuration option17:17
jlkactually no17:17
jlkthat's something different (even more confusing)17:17
jlkso keystone is fairly permissive17:18
openstackgerritRichard Avelar proposed openstack/keystone: Improve check_token validation performance
jlkI think ht mostly concerns itself with admin level actions, and then it allows any user to do the rest. I may be wrong, but that's what I'm seeing.17:18
*** adrian_otto has joined #openstack-keystone17:18
jlkmaybe stevemar can lend a brain here.17:18
jlkcnf: other services are more explicit about _member_17:18
*** adrian_otto has quit IRC17:19
jlkAnyway, your getting of the catalog may very well work with just the "user" role17:20
*** ash__ has joined #openstack-keystone17:21
stevemarjlk: ha, i'm stepping out to lunch (for reals, not trying to squirm out of a convo)17:22
*** mvk has joined #openstack-keystone17:25
cnfwell, my brain hurts17:27
cnfi'm going to take a shower17:27
cnfand then try figure out why swift won't work with keystone17:27
*** browne has joined #openstack-keystone17:30
jlkoh that's another pile of fun!17:30
cnfswift works, with SWauth17:31
cnfcan;t get it to do anything with keystone17:31
cnfopenstack is great when it works17:32
cnfbut boy, getting it there...17:32
stevemarcnf: the folks in #openstack-swift are a good source for integrating the two17:32
cnfstevemar:  they sent me here for the keystone questions :P17:32
stevemarcnf timezone are you?17:32
stevemarcnf: im lunching, ill help when i get back17:33
cnfthat's cool, thanks17:33
cnfenjoy your lunch first, it's important :P17:33
cnfi'm off for a bit anyway17:33
*** dikonoor has joined #openstack-keystone17:37
*** bjolo_ has joined #openstack-keystone17:41
jlkso yeah, there's specific swift configuration entries to have it talk to Keystone17:41
jlkswift-proxy in particular17:41
jlkYou'l have to have a "keystoneauth" in your pipeline, and have two [filter:<something>] sections. One is [filter:keystoneauth] where details about roles go, and a "use = egg:swift#keystoneauth" line17:43
jlkthen in [filter:authtoken] details about keystone go in, such as the URIs, an admin_password, an admin_tenant_name, an admin_user, and a few other details17:44
jlk(those admin_whatever details are usually a service account created for swift, like in our case it's a "swift" user)17:44
cnfjlk:  i have authtoken keystoneauth17:48
cnfand both those sections17:48
cnfswift user exists, the urls are set17:48
*** gagehugo has quit IRC17:48
jlkMaybe this will help:17:48
cnfyeah, gone over that a few douzen times17:49
jlkwell, this one is the template we use in production17:49
jlkIf you turn up swift proxy debugging, you might be able to catch it attempt to talk to keystone to sort out the auth17:49
jlkclient software (like openstack client) will first get a token from keystone, then hit swift-proxy and provide that token17:50
*** phalmos has quit IRC17:50
jlkswift-proxy will use the keystone details to attempt to validate the token17:50
*** amoralej is now known as amoralej|off17:50
cnfI also don't have any decent client to talk to swift, really17:52
jlkthe openstack client17:52
jlkopenstack object list17:52
jlkopenstack container list17:53
cnfhmm, that doesn't like a hostname I set, and I don't get where it gets it from17:54
cnfSSL error hostname A doesn't match hostname B17:54
jlkit gets the name for swift from the catalog17:54
jlkopenstack catalog list17:55
jlkor openstack catalog show object-store17:55
cnfyeah, that shows the right hostname17:56
jlkso try "openstack --debug container list" and you will see more details about where it tries to connect to17:56
*** spzala has quit IRC17:56
cnfyeah, I did that17:56
openstackgerritRodrigo Duarte proposed openstack/python-keystoneclient: DO NOT MERGE: test revocation search to sql
cnfwth is it doing?17:58
cnfoh, hmz17:58
cnfdamn urrlib doesn't know SNI17:58
jlkIs it the client throwing the error, or is it swift-proxy reporting the error back when it can't talk to keystone?18:02
cnfother clients also don't work, so that's not my only problem by far18:03
*** SamYaple_ has joined #openstack-keystone18:04
*** SamYaple_ has quit IRC18:04
*** SamYaple has quit IRC18:04
*** SamYaple has joined #openstack-keystone18:04
cnfugh, it seems I have no hosts where this works18:05
*** gyee has quit IRC18:05
cnfSL: TLSV1_ALERT_PROTOCOL_VERSION] tlsv1 alert protocol version great18:05
cnfright, and if I run with --insecure, I get a 50018:08
jlkwell, that sounds like then the swift-proxy threw an error18:10
jlkand should be discoverable in the log18:10
jlkinteresting that TLS works enough to get the token from keystone, but not to talk to swift. Are you using that different of a TLS setup between the two?18:10
cnfraise exceptions.DiscoveryFailure('Could not determine a suitable URL '#012DiscoveryFailure: Could not determine a suitable URL for the plugin (txn: tx5e5579fae6ad4a67bb7df-0057f541ef)18:10
jlkhrm, what's the URL you're providing? versioned, unversioned?18:11
cnfuhm, where?18:11
*** LamT__ has quit IRC18:11
cnfin proxy-server ?18:12
*** gyee has joined #openstack-keystone18:13
cnfit's just http://ip:5000/18:13
*** tqtran has quit IRC18:13
jlkokay, so that means the keystone client code in swift's python environment is going to attempt to determine an API version to connect to18:14
jlkv2.0 or v318:15
*** ddieterly[away] has quit IRC18:15
jlkbut yes, this is indicating swift-proxy is having difficulty talking to keystone. Crank up that debugging18:16
*** ash__ has quit IRC18:18
cnfit's already on18:20
cnfthe debug18:20
*** spzala has joined #openstack-keystone18:24
*** david-lyle has quit IRC18:25
cnfjlk:  it was a dns issue18:30
cnfso i'm at 401 Unauthorized now18:30
cnfat least that's something18:30
*** gagehugo has joined #openstack-keystone18:30
jlkit's a step in a direction18:32
jlkin swift at least there is configuration for what user roles are allowed to do things18:32
jlksuch as operator_roles18:33
jlkthose need to line up with keystone roles18:33
jlkso if your keystone role is "user", then "user" needs to be listed for operator_roles18:33
openstackgerritMerged openstack/keystonemiddleware: Use the mocking fixture in notifier tests
*** ddieterly has joined #openstack-keystone18:34
*** dikonoor has quit IRC18:34
*** code-R has joined #openstack-keystone18:35
cnfok, that wasn't it18:36
cnfanyway, I need a break ^^;18:36
cnfoff to play some warframe, i'll be back after that18:36
cnfjlk:  thanks for the help so far18:38
jlkNo problem, cheers18:38
*** code-R_ has joined #openstack-keystone18:38
*** code-R has quit IRC18:41
*** haplo37_ has quit IRC18:53
openstackgerritMerged openstack/keystonemiddleware: Extract oslo_messaging specific audit tests
*** haplo37_ has joined #openstack-keystone18:56
*** code-R_ has quit IRC18:56
*** code-R has joined #openstack-keystone18:56
openstackgerritRichard Avelar proposed openstack/keystone: Improve check_token validation performance
*** gyee has quit IRC19:03
*** lamt has quit IRC19:08
*** phalmos has joined #openstack-keystone19:09
*** tqtran has joined #openstack-keystone19:09
openstackgerritMerged openstack/keystone: re-add valid comment about None domain ID
openstackgerritRichard Avelar proposed openstack/keystone: Improve check_token validation performance
*** ddieterly is now known as ddieterly[away]19:23
*** david-lyle has joined #openstack-keystone19:23
*** ddieterly[away] is now known as ddieterly19:26
*** code-R has quit IRC19:29
*** bjolo_ has quit IRC19:33
*** alee is now known as alee_afk19:43
*** sdake has quit IRC19:45
*** sdake has joined #openstack-keystone19:46
*** knikolla_ has joined #openstack-keystone19:53
*** knikolla_ has quit IRC19:58
*** ddieterly is now known as ddieterly[away]19:58
*** knikolla_ has joined #openstack-keystone19:58
*** ddieterly[away] is now known as ddieterly19:59
*** knikolla_ has quit IRC20:00
cnfhmm, now keystone is giving me tracebacks saying it can't find domain default20:05
cnf2016-10-05 20:05:20.744 24 ERROR keystone.auth.controllers     raise exception.DomainNotFound(domain_id=domain_id)20:05
cnf2016-10-05 20:05:20.744 24 ERROR keystone.auth.controllers DomainNotFound: Could not find domain: default20:05
cnfdomain list shows it, though20:06
*** adrian_otto has joined #openstack-keystone20:06
*** adrian_otto has quit IRC20:06
*** asettle has quit IRC20:09
cnfany one have an idea why I would get that?20:13
*** adrian_otto has joined #openstack-keystone20:14
*** adrian_otto has quit IRC20:16
*** adrian_otto has joined #openstack-keystone20:16
*** adrian_otto has quit IRC20:18
*** adrian_otto has joined #openstack-keystone20:18
*** adrian_otto has quit IRC20:20
dstanekcnf: put the full stack track on paste.openstack.org20:20
*** adrian_otto has joined #openstack-keystone20:21
dstanekcnf: what's the different between my.domain and the ip address?20:24
cnfmy.domain is a dns entry20:24
cnfwhich points to that ip20:24
*** phalmos has quit IRC20:24
cnfdstanek:  that's what I get when I do openstack container list --insecure20:26
cnfand openstack domain list does show an entry default20:26
dstanekcnf: also if looks like you are auth-ing on both 5000 and 35357 - is that intentional?20:27
*** phalmos has joined #openstack-keystone20:28
cnfuhm, idno? one is user and one is admin, isn't it?20:29
cnf5000 is public and internal, and 35357 is admin20:31
*** ddieterly is now known as ddieterly[away]20:34
dstanekcnf: that true for the v2 api, but not the v3 api20:34
cnfI just followed the online docs20:34
dstaneki mentioned it because auths seemed to work on the 5000 port just fine20:34
dstanekcnf: which docs?20:35
cnfat the bottom20:35
openstackgerritMerged openstack/keystonemiddleware: Use oslo_messaging conf fixture
cnfalso, it only fails for swift, everything else seems to work just fine20:37
dstanekcnf: is swift what's using that different url?20:37
cnfthe url is set as an endpoint as well20:38
dstanekwhat happens when you do a 'domain show default' using the openstackclient?20:39
dstanekwith v3 it shouldn't matter what port you go to as long as they both point to the same keystone instance20:39
cnfit shows me the domain entry20:40
dstanekdo you know what url it's hitting?20:40
cnf btw20:42
cnfI found the reference to the IP20:42
*** ddieterly[away] is now known as ddieterly20:42
cnfand changed it to use the domain entry20:42
dstaneki think you are still using different ports20:43
cnfand this is domain show default:
*** adrian_otto has quit IRC20:44
*** adrian_otto1 has joined #openstack-keystone20:44
dstanekcnf: it looks like the GET returned a 404. did you get an error?20:45
cnf  404?20:46
dstanekcnf: that's what it shows in the paste20:46
cnfI don't see a 404?20:46
*** mriedem has joined #openstack-keystone20:46
cnfI see 200 and 201?20:46
mriedemstevemar: ayoung: fyi
dstanek2016-10-05 20:44:14.720 24 INFO eventlet.wsgi.server [req-2fb804a3-cced-4ccf-a512-0ddf0c3189b5 71327a7c1a4e4484b1a45bdfe10fc647 314e7e971f3a49129406c148cb7dd9d4 - 04d7c2fcba9e436096f789360a8cf14e 04d7c2fcba9e436096f789360a8cf14e] - - [05/Oct/2016 20:44:14] "GET /v3/domains/default HTTP/1.1" 404 340 0.03200120:47
cnfso /v3/domains/default doesn't work, but /v3/domains?name=default does20:48
ayoungmriedem, looks good20:48
*** adrian_otto1 has quit IRC20:49
cnfdstanek:  I have no idea what causes that :(20:50
mriedemstevemar: yeah, just pointing out the session, i put it at a time that doesn't conflict with keystone sessions20:51
stevemarmriedem: danke20:51
stevemarmriedem: hopefully we can have something you can test out by the summit20:51
dstanekcnf: is 'default' the name or id?20:51
cnfdstanek:  uhm, name, can an id be "default"? o,O20:52
dstanekcnf: usually for default domain id=default and name=Default20:52
cnfuhm, I just followed the docs...20:53
cnfI have no idea how to get a domain with id=default20:53
dstanekthe 404 is because it was checking to see if you have 'domain show' the id and the name= query was seeing if it could find it by name20:53
dstanekcnf: so maybe use the actual id in your swift configuration20:53
cnfdstanek:  same error20:55
*** lamt has joined #openstack-keystone20:55
cnfassuming i did it right20:55
cnfstill get "ERROR keystone.auth.controllers DomainNotFound: Could not find domain: default"20:55
*** raildo has quit IRC20:55
*** ddieterly is now known as ddieterly[away]20:56
cnfalso, it is configured the same way in nova and glance etc20:56
cnfand it works there20:56
cnfso swift is stupid20:57
cnfdstanek:  so that seems to have worked20:57
cnfI kid you not, it is set by name in nova and glance etc20:57
cnfdstanek:  thanks, that actually seems to do it21:00
cnf why do all the docs put the word "default" there?21:00
cnfif you can't actually make a domain with ID "default"?21:00
*** phalmos has quit IRC21:01
*** phalmos has joined #openstack-keystone21:01
*** adrian_otto has joined #openstack-keystone21:02
jamielennoxstevemar: can you remove W-1 from
cnfdstanek:  project_domain_ID vs project_domain_NAME21:06
stevemarjamielennox: done21:07
openstackgerritRichard Avelar proposed openstack/keystone: Improve check_token validation performance
cnfdstanek:  so I have something that mostly works now, thanks for the help21:10
cnftomorrow, i need to learn more on how keystone works21:10
dstanekcnf: yw...that i can help you with...i know almost nothing about how swift works21:10
cnfthat's ok, I need lots of keystone help, as well :P21:11
*** ayoung has quit IRC21:12
cnflike the difference between internal, public and admin endpoints21:12
cnfthat still confuses me21:12
stevemarcnf: internal is meant to hit if you dont want to go external and use up bandwidth21:15
stevemarpublic and admin may as well be the same, it's only different for keystone for historical reasons, but if you're using v3 then it doesn't matter21:15
cnfstevemar:  so... who decides that?21:15
cnfinternal vs public?21:15
stevemarcnf: you can decide the "interface" you want to use upon creating a connection to keystone21:16
dstanekcnf: public is what you give customers, internal is unmetered (like you'd want between services) and admin is for special admin functionaltiy21:16
cnfso uhm21:17
cnfif a client connects to say swift21:17
cnfit needs to then get a url for keystone21:17
cnfwhich one does that client get?21:17
dstanekcnf: so what url does swift use to talk to keystone?21:18
dstaneki would guess it uses the public url21:18
cnfI thought that the endpoints in keystone where used for service discovery?21:19
dstanekyes, keystone's own URL is often the exception... how do you get the catalog if you don't know how to connect to keystone?21:20
dstanek(unless you used an alternative discovery mechanism for keystone, like DNS)21:20
cnfright, but then you connect to keystone21:21
cnfhow does a component pick a public or internal endpoint?21:21
dstanekcnf: i'm guessing each one picks what they want based on what they are doing. you can specify the interface using the client21:23
dstanekcnf: for example, in OSC i think the param is --os-interface21:23
cnfwhat client?21:23
openstackgerritRichard Avelar proposed openstack/keystone: Improve check_token validation performance
*** haplo37_ has quit IRC21:24
openstackgerritRichard Avelar proposed openstack/keystone: Improve check_token validation performance
*** ddieterly[away] is now known as ddieterly21:25
dstanekcnf: if you are talking to a service you are likly using a client to do it21:25
cnfwell, say nova, or glance etc21:25
cnfor horizon, it discovers all available services through keystone, from what I get21:26
*** haplo37_ has joined #openstack-keystone21:26
*** spilla has quit IRC21:26
cnfhow does horizon decide what interface to use?21:26
dstanekcnf: for nova look at for a list of client it requires21:26
dstanekwhen it talks to cinder it uses the cinderclient, glance the glanceclient, etc21:26
cnfyeah, so how does it decide what endpoint to use?21:27
dstaneki'm assuming nova specifies the one it wants. maybe it's configurable, but i have no idea21:28
cnfi'll play with defining silly ones21:28
cnfand see when it breaks21:28
jamielennoxas a tip most services call interface endpoint_type - they're exactly the same21:30
stevemarjamielennox: rebase that ksm patch21:30
jamielennoxstevemar: i just rechecked it, i don't see any reason it'd only fail on py3521:30
stevemarjamielennox: yes i see that now21:31
dstanekcnf: i don't think anything will break if you add unused ones21:31
stevemarjamielennox: i approved it, zuul is happy about it21:31
cnfno, i mean replace exisitng ones21:31
cnflike change the public one for nova21:31
cnfand see if everything still works21:31
dstanekcnf: ah, i see.21:32
cnfdstanek:  I have a weird way of learning, I guess21:32
cnfI break shit, then I get frustrated trying to fix it21:33
cnfbut learning how to fix things you broke makes it stick, you know21:33
*** adrian_otto has quit IRC21:33
jamielennoxstevemar: oh, that ksm patch21:33
*** adrian_otto has joined #openstack-keystone21:34
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Specify that unknown arguments can be passed to fetch_token
*** mriedem has quit IRC21:38
openstackgerritRichard Avelar proposed openstack/keystone: Improve check_token validation performance
stevemarjamielennox: generic client was never deprecated
jamielennoxstevemar: gah, really? i think most people just forgot about it, it hasn't worked in v321:43
*** knikolla_ has joined #openstack-keystone21:44
*** knikolla_ has quit IRC21:44
*** ravelar has quit IRC21:45
jamielennoxas noticed by the fact that i completely removed it and nothing complained21:45
*** knikolla_ has joined #openstack-keystone21:45
stevemarjamielennox: actually, bknudson may have saved your bacon21:45
bknudsonstill a long ways to go with removing that stuff21:46
bknudsonsince there's tests that use a lot of stuff that's deprecated21:46
jamielennoxstevemar: nope, it looks like it was moved to avoid the deprecation warning21:46
jamielennoxstevemar, bknudson: i'm not so concerned about not removing it now, basically rechecking that chain shows up places that are still using client incorrectly so we can go off and fix them21:47
*** ddieterly is now known as ddieterly[away]21:47
jamielennoxthough it's been a few weeks since i dived into that rabbit hole21:47
openstackgerritMerged openstack/python-keystoneclient: Use fixtures from keystoneauth
stevemarjamielennox: frustrating21:49
*** iurygregory_ has joined #openstack-keystone21:49
openstackgerritMerged openstack/python-keystoneclient: Use AUTH_INTERFACE object from keystoneauth
stevemarjamielennox: lots of places using "access" too:
*** phalmos has quit IRC21:50
stevemarwhich is deprecated21:50
jamielennoxstevemar, lbragstad: can you have another look at
jamielennoxi need to do more codesearch.o.o21:50
stevemarjamielennox: jah21:50
jamielennoxactually horizon is a big one i really need to get back into21:51
dstanekjamielennox: ++ i'm trying to get into it as we speak21:53
*** edmondsw has quit IRC21:53
dstaneki don't get how horizon's is_domain_admin can possibly work21:54
jamielennoxi've never understood how much of what horizon does it can possibly do21:56
jamielennoxthe token juggling and number of requests it does is impressive in a weird sort of way21:57
*** spzala has quit IRC21:57
*** knikolla_ has quit IRC21:57
*** ddieterly[away] is now known as ddieterly21:58
*** lamt has quit IRC21:59
jamielennoxstevemar, dstanek: this is one of the other "features" i want to get into ksa:
*** adrian_otto has quit IRC22:02
*** adrian_otto has joined #openstack-keystone22:03
*** adriant has joined #openstack-keystone22:03
*** alee_afk is now known as alee22:04
*** lamt has joined #openstack-keystone22:04
*** adrian_otto has quit IRC22:19
*** chris_hultin is now known as chris_hultin|AWA22:23
*** spzala has joined #openstack-keystone22:27
*** adrian_otto has joined #openstack-keystone22:28
*** adrian_otto has quit IRC22:29
*** ddieterly has quit IRC22:29
*** spzala has quit IRC22:32
*** gyee has joined #openstack-keystone22:33
*** thebloggu has joined #openstack-keystone22:36
*** lamt has quit IRC22:44
*** knikolla_ has joined #openstack-keystone22:46
bigjoolsIs it possible to delete a project that is defined as another project's parent? Or is that disallowed?22:52
*** knikolla_ has quit IRC22:53
*** jamielennox is now known as jamielennox|away23:09
*** nicolasbock has quit IRC23:09
*** ddieterly has joined #openstack-keystone23:09
*** ddieterly has quit IRC23:09
*** asettle has joined #openstack-keystone23:15
*** asettle has quit IRC23:20
*** markvoelker has quit IRC23:22
openstackgerritMerged openstack/keystonemiddleware: Refactor audit tests to use create_middleware
*** lamt has joined #openstack-keystone23:24
rodrigodsbigjools, nope, only leafs23:25
bigjoolsthank you rodrigods23:25
*** gyee has quit IRC23:31
*** knikolla_ has joined #openstack-keystone23:42
*** phalmos has joined #openstack-keystone23:45
*** knikolla_ has quit IRC23:45
*** knikolla_ has joined #openstack-keystone23:46
*** david-lyle has quit IRC23:47
*** sdake has quit IRC23:48
*** arunkant__ has quit IRC23:53
*** phalmos has quit IRC23:57

Generated by 2.14.0 by Marius Gedminas - find it at!