Tuesday, 2016-10-18

*** lamt has quit IRC		00:00
*** markvoelker has joined #openstack-keystone		00:01
jamielennox	stevemar, ayoung: easy +A https://review.openstack.org/#/c/387415/	00:01
ayoung	jamielennox, so...what if we wanted to push for enforcing policy on the URLs instead of on the function names	00:02
jamielennox	ayoung: right - so agree and it depends	00:02
ayoung	jamielennox, would love to have it in two parts	00:02
*** hogepodge has quit IRC		00:02
jamielennox	ayoung: doing it properly from middleware is basically impossible when we have target dicts	00:02
ayoung	one pre and one post	00:02
ayoung	pre happens in middleware	00:02
ayoung	post (target dicts) will be done this way, or in code	00:03
ayoung	like Nova	00:03
ayoung	+2a on that	00:03
jamielennox	doing pre the problem is going to be url->name but i'm sure we can figure that out	00:03
jamielennox	whatever we push for is going to need a transition period	00:04
ayoung	jamielennox, I was thinkg we could probably autogenerate the policy for those from the routers	00:04
jamielennox	ayoung: nova did a whole bunch of stuff around autogenerating this stuff - i don't think we get to do that again	00:04
ayoung	we take what they did, move it to oslo-something and reuse it	00:05
jamielennox	well it'll be oslo.policy but ya	00:05
jamielennox	i don't really know how to use their new syntax	00:06
ayoung	most of their rules do not care about the actual role. THe URL based stuff should say the role	00:06
ayoung	theirs is all admin_or_owner or admin_api	00:06
*** markvoelker has quit IRC		00:06
ayoung	so at the router level, we just get to default to cloud_admin, project_admin, or Member. And then the deployers would go more specific	00:07
*** hogepodge has joined #openstack-keystone		00:08
*** david-lyle has quit IRC		00:09
jamielennox	so yea, i guess that's longer term than what i'm thinking but working in that direction, for now it'd be nice to at least be able to change a function name	00:15
jamielennox	or prevent that pattern of "if flag: call one protected function else: call another protected function	00:15
openstackgerrit	Eric Brown proposed openstack/keystone: Follow-on of memcache token persistence removal https://review.openstack.org/387730	00:20
*** hogepodge has quit IRC		00:20
openstackgerrit	Jesse Keating proposed openstack/keystone: Add healthcheck middleware to pipelines https://review.openstack.org/387731	00:21
*** hogepodge has joined #openstack-keystone		00:21
*** david-lyle has joined #openstack-keystone		00:21
*** gyee has quit IRC		00:25
openstackgerrit	Jamie Lennox proposed openstack/keystoneauth: Show deprecation warning and limit features for KSC session https://review.openstack.org/387733	00:28
openstackgerrit	Jamie Lennox proposed openstack/keystoneauth: Allow setting client_name, client_version on adapter https://review.openstack.org/387734	00:28
*** david-lyle has quit IRC		00:29
openstackgerrit	Jamie Lennox proposed openstack/keystoneauth: Allow setting client_name, client_version on adapter https://review.openstack.org/387734	00:30
*** david-lyle has joined #openstack-keystone		00:31
openstackgerrit	Jesse Keating proposed openstack/keystone: Add healthcheck middleware to pipelines https://review.openstack.org/387731	00:33
jlk	jamielennox: as I was comparing upstream paste to what we've got downstream, I realized I had meant to submit this a while ago, and forgot: https://review.openstack.org/387731	00:34
*** david-lyle has quit IRC		00:34
jamielennox	jlk: yea, i had noticed that one as well	00:35
jlk	I didn't write a spec, is that okay, or should I do a spec first?	00:35
*** david-lyle has joined #openstack-keystone		00:35
morgan	jlk: eh...	00:36
morgan	Spec is nice but might be ok do to after the fact if needed.	00:36
jlk	There's a spec that was done for glance, I could copy it pretty easily for keystone	00:36
morgan	You can always ask for a no spec exemption.	00:36
jlk	I plan to do the same for Nova, Heat, Neutron, etc...	00:36
*** haplo37_ has quit IRC		00:36
morgan	Then do that if it is easy	00:37
morgan	Spec never hurts short of slowing things down a bit.	00:37
jamielennox	jlk: meh, if there was a cross project one it'd be useful, but not just for us	00:37
jamielennox	probably more a bug than a spec	00:37
jamielennox	jlk: my -1 on that would be for config in the paste.ini which is not something we really do	00:38
morgan	Yes don't out config in paste.ini	00:38
jlk	I could take that config line out, and leave it up to operators, but that's how the middleware is configured :/	00:38
morgan	I would -2 that.	00:38
morgan	Fwiw	00:38
jamielennox	most middleware can also be configured via oslo.config and we would just need to make sure that the group is included in the sample config	00:38
*** haplo37_ has joined #openstack-keystone		00:39
morgan	Config in paste is bad.	00:39
jlk	http://docs.openstack.org/developer/oslo.middleware/healthcheck_plugins.html	00:39
morgan	jamielennox: ++	00:39
morgan	jlk: I'd argue Oslo is broken then.	00:39
morgan	Like really broken. If you can't configure it in the main config it is wrong.	00:39
jamielennox	jlk: it's one of https://github.com/openstack/oslo.middleware/blob/master/oslo_middleware/base.py#L36 horrible things	00:39
morgan	Wedging config unto paste.ini is -2 worthy in my book	00:40
jamielennox	so docs advocate one thing, but you can do it the other way	00:40
morgan	jamielennox: we should fix those doc's.	00:40
jamielennox	although looking at that paste.ini would be the only way to modify per path	00:40
morgan	They are wrong on so many levels.	00:41
jamielennox	i don't know how you'd configure different disable_by_file_path per filter with oslo.config	00:41
*** maticue has quit IRC		00:42
jamielennox	lol - of course they never added healthcheck to the oslo.config opts that are exposed	00:42
*** gagehugo has joined #openstack-keystone		00:43
jlk	so... I could take out the config line in my change request, and point out in the doc that configuration _could_ be added downstream	00:44
jlk	would that still get -2?	00:44
jamielennox	jlk: it's fine to include the middleware in the pipeline (assuming that's a standard thing now), we just don't want to ship config in upstream paste.ini	00:45
jamielennox	how downstream actually configures it is up to them	00:45
jlk	kk	00:45
morgan	jlk: what jamielennox said. Shipping config in paste ini is the issue.	00:45
jlk	I'll adjust	00:45
jamielennox	jlk: assuming healtcheck in paste is pretty standard now? i would think it'd only be useful in fairly specific deploy scenarios?	00:45
jlk	Well, it's useful for anybody putting services behind a load balancer	00:46
jlk	haproxy in our case	00:46
jlk	or an f5 or whatever	00:46
openstackgerrit	Merged openstack/keystoneauth: Prevent changing content type in request https://review.openstack.org/387415	00:46
jlk	for keystone, it's also useful for like mod_status or whathaveyou	00:46
jamielennox	being basically that you'd use it for some internal monitoring and load balancing, but you'd want config to limit that to internal requests some how?	00:46
*** david-lyle has quit IRC		00:47
jlk	I see it as an alternative to just hitting the versions url (/)	00:47
jlk	something that could be consistent across the services	00:47
jlk	We also use it for our monitoring (sensu) of the service	00:48
*** david-lyle has joined #openstack-keystone		00:48
jamielennox	yep, just wondering if it's a) a problem to let the world readable, b) appropriate for the default install	00:48
jlk	I can't see how it would be a problem to be world readable	00:48
jamielennox	morgan: also, joy of joys, you actually can't configure healthcheck via oslo.config, they seem to be explicitly grabbing options from paste	00:49
*** guoshan has quit IRC		00:49
jamielennox	jlk: ok, cool	00:49
morgan	jamielennox: well then my view is that should never be allowed in keystone.	00:49
morgan	jamielennox: but seeing as I spend less time on OpenStack today... I won't fight too hard.	00:50
*** david-lyle has quit IRC		00:51
openstackgerrit	Jesse Keating proposed openstack/keystone: Add healthcheck middleware to pipelines https://review.openstack.org/387731	00:52
*** david-lyle has joined #openstack-keystone		00:52
*** hoangcx has joined #openstack-keystone		00:54
*** david-lyle has quit IRC		00:59
*** david-lyle has joined #openstack-keystone		01:00
*** jamielennox is now known as jamielennox\|away		01:01
*** lifeless has quit IRC		01:02
*** lifeless has joined #openstack-keystone		01:02
*** david-lyle has quit IRC		01:05
*** tqtran has quit IRC		01:05
*** asettle has joined #openstack-keystone		01:06
*** david-lyle has joined #openstack-keystone		01:06
*** Zer0Byte__ has quit IRC		01:07
*** david-lyle has quit IRC		01:07
*** jamielennox\|away is now known as jamielennox		01:08
*** asettle has quit IRC		01:10
*** david-lyle has joined #openstack-keystone		01:13
*** david-lyle has quit IRC		01:14
*** david-lyle has joined #openstack-keystone		01:15
*** hogepodge has quit IRC		01:16
openstackgerrit	Eric Brown proposed openstack/keystone: More configuration doc edits https://review.openstack.org/387742	01:16
*** david-lyle has quit IRC		01:19
*** LiYuenan has joined #openstack-keystone		01:19
*** david-lyle has joined #openstack-keystone		01:20
*** browne has quit IRC		01:21
*** david-lyle has quit IRC		01:21
*** guoshan has joined #openstack-keystone		01:21
*** david-lyle has joined #openstack-keystone		01:23
*** david-lyle has quit IRC		01:24
openstackgerrit	Merged openstack/keystone: Enable release notes translation https://review.openstack.org/383223	01:25
*** david-lyle has joined #openstack-keystone		01:25
*** davechen has joined #openstack-keystone		01:26
*** trananhkma has joined #openstack-keystone		01:30
*** david-lyle has quit IRC		01:32
*** david-lyle has joined #openstack-keystone		01:34
*** wangqun has joined #openstack-keystone		01:35
*** hogepodge has joined #openstack-keystone		01:35
*** david-lyle has quit IRC		01:37
*** david-lyle has joined #openstack-keystone		01:38
*** david-lyle has quit IRC		01:38
*** trananhkma_ has joined #openstack-keystone		01:41
*** trananhkma has quit IRC		01:41
*** stack_ has quit IRC		01:41
*** trananhkma_ is now known as trananhkma		01:42
*** david-lyle has joined #openstack-keystone		01:44
*** david-lyle has quit IRC		01:44
*** david-lyle has joined #openstack-keystone		01:45
*** david-lyle has quit IRC		01:46
*** david-lyle has joined #openstack-keystone		01:46
*** david-lyle has quit IRC		01:47
*** trananhkma has quit IRC		01:50
*** trananhkma has joined #openstack-keystone		01:50
*** trananhkma has quit IRC		01:50
*** trananhkma has joined #openstack-keystone		01:51
*** david-lyle has joined #openstack-keystone		01:56
*** david-lyle has quit IRC		01:57
*** david-lyle has joined #openstack-keystone		01:58
*** david-lyle has quit IRC		02:00
*** david-lyle has joined #openstack-keystone		02:01
*** david-lyle has quit IRC		02:02
*** david-lyle has joined #openstack-keystone		02:02
*** markvoelker has joined #openstack-keystone		02:03
*** david-lyle has quit IRC		02:03
*** david-lyle has joined #openstack-keystone		02:04
*** david-lyle has quit IRC		02:04
*** david-lyle has joined #openstack-keystone		02:05
*** david-lyle has quit IRC		02:05
*** david-lyle has joined #openstack-keystone		02:07
*** markvoelker has quit IRC		02:08
*** david-lyle has quit IRC		02:08
*** david-lyle has joined #openstack-keystone		02:10
*** david-lyle has quit IRC		02:11
*** david-lyle has joined #openstack-keystone		02:12
*** namnh has joined #openstack-keystone		02:12
*** david-lyle has quit IRC		02:14
trananhkma	Hi fork, I am going to test rolling upgrade for keystone.	02:16
trananhkma	In last 2 weeks, after upgrade keystone from mitaka to neuton, I just tested Keystone with some commands, but I think that it's not ennough (not cover all cases) to ensure OpenStack worked well after upgraded.	02:17
*** david-lyle has joined #openstack-keystone		02:17
stevemar	trananhkma: cool, let us know if we can help	02:17
*** david-lyle has quit IRC		02:18
trananhkma	So, I tried to find a tool to help me cover all cases, I found Grenade.	02:18
trananhkma	But, When I looking to the source code of Grenade, I saw that it just be scripts to do Rolling-upgrade and create some resources.	02:18
*** david-lyle has joined #openstack-keystone		02:18
trananhkma	Is it ennough to ensure OpenStack worked well?	02:19
*** david-lyle has quit IRC		02:19
trananhkma	BTW, do you have any suggestion for me to test Rolling-upgrade? Somethings like functionals test or unit test, which I can cover all the cases.	02:19
*** AndyWojo has quit IRC		02:19
trananhkma	stevemar, hello :) could you give me any suggestion?	02:20
*** david-lyle has joined #openstack-keystone		02:20
stevemar	trananhkma: when testing he upgrade, how did you do it?	02:20
stevemar	trananhkma: did you follow the steps here: http://docs.openstack.org/developer/keystone/upgrading.html#upgrading-without-downtime ?	02:21
stevemar	specifically... keystone-manage db_sync --expand ; keystone-manage db_sync --migrate; keystone-manage db_sync --contract ?	02:21
*** david-lyle has quit IRC		02:21
trananhkma	stevemar, yes, I did	02:21
trananhkma	stevemar, but I want to makesure OpenStack worked well	02:22
stevemar	trananhkma: did you have any credentials created? the ones created with /v3/credentials?	02:22
trananhkma	yes I tried	02:22
*** AndyWojo has joined #openstack-keystone		02:23
stevemar	i think a good test would be creating credentials while the ``keystone-manage db_sync --migrate`` step is running	02:23
stevemar	the only tricky part about the rolling upgrade for M->N is that we encrypted existing credentials	02:24
stevemar	so it would be good to see what happens if new credentials are created while we're going through the encryption process	02:24
stevemar	the encryption process occurs when you do the --migrate command	02:25
*** david-lyle has joined #openstack-keystone		02:26
*** dave-mccowan has quit IRC		02:26
trananhkma	stevemar, yes, I see, but do we have any test tool - like unit test, which we can cover all cases? include other projects	02:27
stevemar	trananhkma: not that i know of :(	02:28
jamielennox	jlk, morgan: because i'm a sucker: https://review.openstack.org/#/c/387752/	02:32
trananhkma	stevemar, I already tried like your suggestion, but I afraid that we can missed something, so I want to find an official tool which can do that. thank you :)	02:32
stevemar	jamielennox: hehe	02:32
stevemar	jamielennox: i think you mean "because I'm awesome"	02:32
jamielennox	stevemar: depends on your point of view i gues	02:32
jamielennox	stevemar: awesome could be getting some sucker to deal with problems	02:33
jamielennox	stevemar: you've already +2ed it, but https://review.openstack.org/#/c/387733/ sunk my user_agent plans	02:34
*** hogepodge has quit IRC		02:40
openstackgerrit	Dave Chen proposed openstack/keystone: [api-ref]Remove the duplicated sample https://review.openstack.org/387758	02:40
openstackgerrit	Dave Chen proposed openstack/keystone: [api-ref] Remove the duplicated sample https://review.openstack.org/387758	02:41
stevemar	jamielennox: we can release another version soon	02:55
*** sheel has joined #openstack-keystone		02:55
*** jamielennox is now known as jamielennox\|away		03:01
*** phalmos has joined #openstack-keystone		03:03
*** hogepodge has joined #openstack-keystone		03:04
*** gagehugo has quit IRC		03:22
*** david-lyle has quit IRC		03:23
*** david-lyle has joined #openstack-keystone		03:24
*** david-lyle has quit IRC		03:25
*** david-lyle has joined #openstack-keystone		03:26
*** david-lyle has quit IRC		03:27
*** david-lyle has joined #openstack-keystone		03:28
*** david-lyle has quit IRC		03:29
*** david-lyle has joined #openstack-keystone		03:30
openstackgerrit	Ron De Rose proposed openstack/keystone: Validate mapping exists when creating/updating a protocol https://review.openstack.org/362397	03:31
*** david-lyle has quit IRC		03:33
*** jamielennox\|away is now known as jamielennox		03:33
openstackgerrit	Ron De Rose proposed openstack/keystone: Validate mapping exists when creating/updating a protocol https://review.openstack.org/362397	03:34
*** david-lyle has joined #openstack-keystone		03:34
*** links has joined #openstack-keystone		03:35
*** david-lyle has quit IRC		03:36
*** phalmos has quit IRC		03:44
*** browne has joined #openstack-keystone		03:45
openstackgerrit	Praveen N proposed openstack/keystone: changed domain id to name in JSON request https://review.openstack.org/387162	03:45
*** david-lyle has joined #openstack-keystone		03:46
*** david-lyle has quit IRC		03:46
*** browne has quit IRC		03:48
*** david-lyle has joined #openstack-keystone		03:50
*** david-lyle has quit IRC		03:51
*** code-R has joined #openstack-keystone		03:52
*** david-lyle has joined #openstack-keystone		03:53
*** david-lyle has quit IRC		03:54
*** code-R_ has joined #openstack-keystone		03:54
*** david-lyle has joined #openstack-keystone		03:55
*** david-lyle has quit IRC		03:55
*** tqtran has joined #openstack-keystone		03:57
*** david-lyle has joined #openstack-keystone		03:57
*** code-R has quit IRC		03:57
*** david-lyle has quit IRC		03:57
*** guoshan has quit IRC		03:58
*** david-lyle has joined #openstack-keystone		03:58
*** david-lyle has quit IRC		03:59
*** david-lyle has joined #openstack-keystone		04:00
*** david-lyle has quit IRC		04:01
*** david-lyle has joined #openstack-keystone		04:01
*** phalmos has joined #openstack-keystone		04:03
*** david-lyle has quit IRC		04:04
*** david-lyle has joined #openstack-keystone		04:04
*** markvoelker has joined #openstack-keystone		04:04
*** david-lyle has quit IRC		04:05
*** david-lyle has joined #openstack-keystone		04:06
openstackgerrit	Merged openstack/keystone: More configuration doc edits https://review.openstack.org/387742	04:08
*** david-lyle has quit IRC		04:08
*** markvoelker has quit IRC		04:09
*** david-lyle has joined #openstack-keystone		04:10
*** david-lyle has quit IRC		04:11
*** haplo37_ has quit IRC		04:11
*** david-lyle has joined #openstack-keystone		04:12
*** david-lyle has quit IRC		04:13
*** haplo37_ has joined #openstack-keystone		04:13
*** david-lyle has joined #openstack-keystone		04:14
*** david-lyle has quit IRC		04:15
*** david-lyle has joined #openstack-keystone		04:15
*** david-lyle has quit IRC		04:16
*** david-lyle has joined #openstack-keystone		04:17
*** phalmos has quit IRC		04:18
*** david-lyle has quit IRC		04:18
*** david-lyle has joined #openstack-keystone		04:19
*** david-lyle has quit IRC		04:20
*** flwang1 has quit IRC		04:20
*** david-lyle has joined #openstack-keystone		04:21
*** code-R_ has quit IRC		04:30
*** GB21 has joined #openstack-keystone		04:34
*** markvoelker has joined #openstack-keystone		04:41
*** markvoelker_ has joined #openstack-keystone		04:42
*** markvoelker has quit IRC		04:45
*** flwang1 has joined #openstack-keystone		04:56
*** markvoelker_ has quit IRC		04:58
*** dancn has quit IRC		05:04
openstackgerrit	Eric Brown proposed openstack/keystone: Follow-on of memcache token persistence removal https://review.openstack.org/387730	05:05
*** sc68cal has quit IRC		05:07
*** markvoelker has joined #openstack-keystone		05:13
*** adriant has quit IRC		05:14
*** markvoelker_ has joined #openstack-keystone		05:14
*** code-R has joined #openstack-keystone		05:17
*** agireud has quit IRC		05:17
*** markvoelker has quit IRC		05:18
*** jaosorior has joined #openstack-keystone		05:18
*** agireud has joined #openstack-keystone		05:26
*** code-R has quit IRC		05:27
*** tqtran has quit IRC		05:32
*** code-R has joined #openstack-keystone		05:33
*** namnh has quit IRC		05:35
*** richm has quit IRC		05:41
*** markvoelker_ has quit IRC		05:45
*** chlong has quit IRC		05:47
breton	morning, keystone	05:55
*** rcernin has joined #openstack-keystone		06:01
*** links has quit IRC		06:01
*** chlong has joined #openstack-keystone		06:01
openstackgerrit	Merged openstack/keystone: changed domain id to name in JSON request https://review.openstack.org/387162	06:04
*** sc68cal has joined #openstack-keystone		06:06
*** pcaruana has joined #openstack-keystone		06:18
*** code-R has quit IRC		06:18
*** kiran-r has joined #openstack-keystone		06:20
*** voelzmo has joined #openstack-keystone		06:21
*** hogepodge has quit IRC		06:30
*** jdennis has quit IRC		06:38
*** jdennis has joined #openstack-keystone		06:43
*** code-R has joined #openstack-keystone		06:45
*** belmoreira has joined #openstack-keystone		06:47
*** tesseract has joined #openstack-keystone		07:03
*** tesseract is now known as Guest85855		07:03
*** odyssey4me has quit IRC		07:16
*** kiran-r has quit IRC		07:16
*** amoralej\|off is now known as amoralej		07:16
*** jlwhite has quit IRC		07:16
*** clayton has quit IRC		07:16
*** pnavarro has joined #openstack-keystone		07:16
*** evrardjp has quit IRC		07:17
*** antwash has quit IRC		07:17
*** nkinder has quit IRC		07:18
*** jlwhite has joined #openstack-keystone		07:18
*** odyssey4me has joined #openstack-keystone		07:18
*** antwash has joined #openstack-keystone		07:19
*** clayton has joined #openstack-keystone		07:19
*** nkinder has joined #openstack-keystone		07:20
*** evrardjp has joined #openstack-keystone		07:20
*** belmoreira has quit IRC		07:34
*** hogepodge has joined #openstack-keystone		07:40
*** code-R has quit IRC		07:43
*** belmoreira has joined #openstack-keystone		07:52
*** haplo37_ has quit IRC		07:56
*** haplo37_ has joined #openstack-keystone		07:58
*** zzzeek has quit IRC		08:00
*** zzzeek has joined #openstack-keystone		08:01
*** openstackgerrit has quit IRC		08:04
*** openstackgerrit has joined #openstack-keystone		08:04
openstackgerrit	Roman Bogorodskiy proposed openstack/python-keystoneclient: Allow send null value in extra properties https://review.openstack.org/375239	08:05
openstackgerrit	Roman Bogorodskiy proposed openstack/python-keystoneclient: Allow send null value in extra properties https://review.openstack.org/375239	08:20
openstackgerrit	Dave Chen proposed openstack/keystone: [api-ref] Remove the duplicated sample https://review.openstack.org/387758	08:40
*** asettle has joined #openstack-keystone		08:55
*** markvoelker has joined #openstack-keystone		08:57
*** dancn has joined #openstack-keystone		09:02
*** GB21 has quit IRC		09:03
*** openstackgerrit has quit IRC		09:04
*** openstackgerrit has joined #openstack-keystone		09:04
*** voelzmo has quit IRC		09:10
*** GB21 has joined #openstack-keystone		09:14
*** code-R has joined #openstack-keystone		09:17
*** asettle has quit IRC		09:20
*** asettle has joined #openstack-keystone		09:21
*** voelzmo has joined #openstack-keystone		09:31
*** code-R has quit IRC		09:32
*** markvoelker has quit IRC		09:38
*** markvoelker has joined #openstack-keystone		09:38
*** markvoelker has quit IRC		09:40
*** beddari1 is now known as beddari		09:41
*** jaosorior has quit IRC		09:42
*** jaosorior has joined #openstack-keystone		09:42
*** asettle has quit IRC		09:49
*** code-R has joined #openstack-keystone		09:53
*** asettle has joined #openstack-keystone		09:54
*** code-R_ has joined #openstack-keystone		09:55
*** thebloggu has joined #openstack-keystone		09:56
*** asettle has quit IRC		09:57
*** asettle has joined #openstack-keystone		09:57
*** asettle has quit IRC		09:58
*** code-R has quit IRC		09:58
*** davechen has left #openstack-keystone		09:59
*** asettle has joined #openstack-keystone		10:00
*** mvk has quit IRC		10:01
openstackgerrit	Roman Bogorodskiy proposed openstack/python-keystoneclient: Allow send null value in extra properties https://review.openstack.org/375239	10:06
openstackgerrit	Roman Bogorodskiy proposed openstack/python-keystoneclient: Allow send null value in extra properties https://review.openstack.org/375239	10:07
*** richm has joined #openstack-keystone		10:09
*** belmoreira has quit IRC		10:23
*** trananhkma has quit IRC		10:32
*** hoangcx has quit IRC		10:33
*** nicolasbock has joined #openstack-keystone		10:34
*** phalmos has joined #openstack-keystone		10:34
*** code-R_ has quit IRC		10:35
openstackgerrit	ChangBo Guo(gcb) proposed openstack/oslo.policy: Add missing parameter description in module _cache_handler https://review.openstack.org/387917	10:35
*** code-R has joined #openstack-keystone		10:35
*** wangqun has quit IRC		10:36
openstackgerrit	Merged openstack/keystone: [api-ref] Remove the duplicated sample https://review.openstack.org/387758	10:37
*** phalmos has quit IRC		10:42
*** chlong has quit IRC		10:46
*** guoshan has joined #openstack-keystone		10:46
*** code-R has quit IRC		10:50
*** aswadr_ has joined #openstack-keystone		11:03
*** mvk has joined #openstack-keystone		11:04
*** haplo37_ has quit IRC		11:10
*** markvoelker has joined #openstack-keystone		11:10
*** haplo37_ has joined #openstack-keystone		11:12
*** code-R has joined #openstack-keystone		11:15
*** asettle has quit IRC		11:21
*** belmoreira has joined #openstack-keystone		11:27
*** guoshan has quit IRC		11:28
*** code-R has quit IRC		11:30
*** ayoung has quit IRC		11:34
*** code-R has joined #openstack-keystone		11:37
*** guoshan has joined #openstack-keystone		11:37
*** code-R_ has joined #openstack-keystone		11:39
*** code-R has quit IRC		11:42
*** alex_xu_ has quit IRC		11:50
*** alex_xu has joined #openstack-keystone		11:51
*** markvoelker has quit IRC		11:56
*** qwertyco has joined #openstack-keystone		12:04
*** dave-mccowan has joined #openstack-keystone		12:10
*** markvoelker has joined #openstack-keystone		12:12
*** edmondsw has joined #openstack-keystone		12:16
*** maticue has joined #openstack-keystone		12:20
*** asettle has joined #openstack-keystone		12:25
*** code-R_ has quit IRC		12:30
*** raildo has joined #openstack-keystone		12:30
*** code-R has joined #openstack-keystone		12:31
*** GB21 has quit IRC		12:41
*** amoralej is now known as amoralej\|lunch		12:43
*** code-R has quit IRC		12:51
*** markvoelker has quit IRC		12:53
*** code-R has joined #openstack-keystone		12:53
*** guoshan has quit IRC		12:56
*** ayoung has joined #openstack-keystone		13:01
*** ChanServ sets mode: +v ayoung		13:01
*** jaosorior is now known as jaosorior_mtg		13:04
*** guoshan has joined #openstack-keystone		13:12
*** jperry has joined #openstack-keystone		13:17
*** markvoelker has joined #openstack-keystone		13:19
*** dikonoor has joined #openstack-keystone		13:20
*** jrist has quit IRC		13:22
*** dikonoor has quit IRC		13:22
*** dikonoor has joined #openstack-keystone		13:22
*** jrist has joined #openstack-keystone		13:22
*** guoshan has quit IRC		13:23
*** code-R has quit IRC		13:23
*** code-R has joined #openstack-keystone		13:23
*** jrist has quit IRC		13:24
lbragstad	o/	13:29
*** jrist has joined #openstack-keystone		13:30
dstanek	morning	13:32
*** LamT__ has joined #openstack-keystone		13:34
*** jaugustine has joined #openstack-keystone		13:38
*** amoralej\|lunch is now known as amoralej		13:44
*** jaosorior_mtg is now known as jaosorior		13:46
*** code-R_ has joined #openstack-keystone		13:57
*** mvk has quit IRC		13:58
*** code-R has quit IRC		14:00
*** Guest62846 is now known as med_		14:00
*** med_ has quit IRC		14:00
*** med_ has joined #openstack-keystone		14:00
*** gagehugo has joined #openstack-keystone		14:00
*** asettle has quit IRC		14:00
*** asettle has joined #openstack-keystone		14:02
-openstackstatus- NOTICE: We are away of pycparser failures in the gate and working to address the issue.		14:05
*** haplo37_ has quit IRC		14:12
*** ravelar has joined #openstack-keystone		14:13
openstackgerrit	Gage Hugo proposed openstack/keystone: Doctor check for LDAP domain specific configs https://review.openstack.org/361435	14:14
*** haplo37_ has joined #openstack-keystone		14:15
*** jaosorior has quit IRC		14:16
*** qwertyco has quit IRC		14:17
*** hoonetorg has quit IRC		14:28
*** dikonoor has quit IRC		14:30
*** markvoelker has quit IRC		14:34
*** michauds has joined #openstack-keystone		14:40
knikolla	morning	14:40
knikolla	anyone got any resources on how to setup k2k with mod_auth_mellon?	14:41
*** gagehugo_ has joined #openstack-keystone		14:41
*** asettle has quit IRC		14:42
*** gagehugo has quit IRC		14:43
*** chris_hultin\|AWA is now known as chris_hultin		14:43
ayoung	stevemar, so, everyone went and added "[resource]/n admin_project_name = admin/n admin_project_domain_name = Default/n" to their tempest setups, but we didn't enforce on it. Now that I am trying to actually get changes in that use it, it turns out they all did it wrong. Bass Ackwards	14:46
ayoung	Is that devstack...	14:46
ayoung	or tempest?	14:46
ayoung	https://review.openstack.org/#/c/257636/	14:46
*** gagehugo has joined #openstack-keystone		14:50
*** agrebennikov has joined #openstack-keystone		14:52
*** gagehugo_ has quit IRC		14:52
*** gagehugo has quit IRC		14:54
knikolla	rodrigods, hi	14:56
*** bjolo has quit IRC		14:57
*** bjolo has joined #openstack-keystone		14:59
ayoung	knikolla, he's travelling, might not actually be on	15:01
ayoung	knikolla, no one I know of has tried K2k with mod_auth_mellon	15:01
gsilvis	ayoung: it's awkward, because centos/redhat don't really support shibboleth, and that's all people have done K2K with, it seems	15:02
knikolla	ayoung, thanks. thought so.	15:02
ayoung	gsilvis, the Keystone side should be the same as regular Federation, though, right?	15:02
ayoung	er	15:02
ayoung	the keystone-as-service-provider	15:02
gsilvis	My understanding is that it's similar, but ECP causes problems	15:03
ayoung	gsilvis, we have ECP working with mellon	15:03
ayoung	do you have a test setup?	15:03
knikolla	ayoung, i keep getting gsilvis, this is the error i'm getting: Could not find a supported SingleSignOnService endpoint for the IdP "http://192.168.0.13:5000/v3/OS-FEDERATION/saml2/idp"	15:03
knikolla	i keep getting:	15:03
knikolla	^^	15:03
ayoung	"http://192.168.0.13:5000/v3/OS-FEDERATION/saml2/idp looks ,like a strange url	15:04
ayoung	shouldn't it be like	15:04
ayoung	http://192.168.0.13:5000/v3/OS-FEDERATION/idp/keystone/protocol/saml2	15:05
*** mvk has joined #openstack-keystone		15:06
knikolla	ayoung, thats the IdP remote_id. as specified here http://docs.openstack.org/developer/keystone/federation/federated_identity.html?highlight=federation#configuration-options	15:07
knikolla	er, entity_id	15:08
ayoung	knikolla, is that covered by a config option in the httpd.c/*conf file you are using? Can you paste that conf file?	15:08
*** BrAsS_mOnKeY is now known as g2`		15:09
knikolla	ayoung, http://paste.openstack.org/show/nUlAQh8YRYPoHPExiZTl/ i tried both IdP as dsvm-idp and as the url specified above.	15:09
ayoung	knikolla, I don't see one that matches	15:11
ayoung	WSGIScriptAliasMatch ^(/v3/OS-FEDERATION/identity_providers/.?/protocols/.?/auth)$ /var/www/keystone/main/$1	15:11
ayoung	knikolla, to debug, add in a stanza like the one under that, but with the AliasMatch like your full URL	15:11
ayoung	actually...I don't like that	15:12
ayoung	<VirtualHost *:5000> is too specific	15:12
ayoung	make it a Location one	15:12
ayoung	although <Location /v3> should match it, I think	15:13
gsilvis	we have both horizon and keystone running on this apache---don't we need to make sure it only matches on the keystone ports?	15:14
ayoung	gsilvis, meh	15:14
knikolla	ayoung, it does match, as i see mellon loading the correct idp metadata (it complains when it doesn't saying)	15:14
knikolla	* couldn't find IdP)	15:15
*** adrian_otto has joined #openstack-keystone		15:16
*** nicolasbock has quit IRC		15:16
knikolla	ayoung, if they're helpful. sp metadata http://paste.openstack.org/show/AHfm1DZ2AVS2dim4CeCu/ and idp metadata http://paste.openstack.org/show/mJM76lc9R06jVVY2ifpG/	15:19
*** sheel has quit IRC		15:20
*** nicolasbock has joined #openstack-keystone		15:21
ayoung	knikolla, I don;t see a SingleSignOnService entry in there, but it is hard to read	15:22
ayoung	<ns0:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:URI" Location="http://192.168.0.13:5000/v3/OS-FEDERATION/saml2/sso" />	15:22
ayoung	ah, maybe IP address versus FQDN?	15:22
ayoung	sso	15:22
ayoung	saml2/sso	15:22
*** edtubill has joined #openstack-keystone		15:23
knikolla	ayoung, i don't think it matters. but i don't have any other ideas. worth a try.	15:24
ayoung	knikolla, so change the keystone config for the endpoint to be that URL	15:25
ayoung	or change the metadata to generate the URL that you are using	15:25
ayoung	its a string match, and it is not matching	15:25
knikolla	ayoung, roger. i'll try that. thanks for the support.	15:28
ayoung	Who is this roger guy and why does he get all my credit?	15:34
gsilvis	do we have clearance, clarence?	15:35
ayoung	What's your vector, Victor?	15:35
* knikolla shrugs		15:36
ayoung	knikolla, shared cultural references http://www.imdb.com/title/tt0080339/quotes	15:36
gsilvis	I still can't believe they managed to make that movie in 1980	15:37
knikolla	I still can't believe i haven't seen that movie	15:39
*** asettle has joined #openstack-keystone		15:39
ayoung	I was 9. You were -9	15:39
ayoung	https://www.youtube.com/watch?v=NfDUkR3DOFw	15:41
*** Zer0Byte__ has joined #openstack-keystone		15:42
gsilvis	I was -12!	15:43
*** belmoreira has quit IRC		15:44
ayoung	I'm sure I didn't get to see until I was at least 12.	15:44
knikolla	never too late to watch classic movies.	15:47
knikolla	ayoung, when are you flying to barcelona?	15:47
ayoung	knikolla, Friday night	15:47
*** adrian_otto has quit IRC		15:48
knikolla	ayoung, cool, that's quite early. we're flying sunday afternoon.	15:48
*** mugsie has quit IRC		15:50
*** scarlisle has joined #openstack-keystone		15:52
scarlisle	o/	15:53
scarlisle	Anyone in here familiar with Keystone federation and CORS?	15:57
*** adrian_otto has joined #openstack-keystone		15:59
*** gagehugo has joined #openstack-keystone		16:01
*** voelzmo has quit IRC		16:05
*** gagehugo has quit IRC		16:06
*** gagehugo has joined #openstack-keystone		16:06
-openstackstatus- NOTICE: pycparser 2.16 released to fix assertion error from today.		16:11
*** clenimar has joined #openstack-keystone		16:13
knikolla	ayoung, what should be the sp_url and auth_url when registering the service provider?	16:17
ayoung	knikolla, auth_url is the /v3 Keystone	16:17
*** browne has joined #openstack-keystone		16:17
ayoung	knikolla, er, and for k2k it is the keystone as the sp	16:17
ayoung	fo sp_url...duh....	16:18
ayoung	not sure	16:18
ayoung	what does the K2k doc say?	16:18
*** markvoelker has joined #openstack-keystone		16:19
knikolla	ayoung, http://docs.openstack.org/developer/keystone/federation/federated_identity.html?highlight=federation#create-a-service-provider-sp	16:21
knikolla	quoting: In this example we are creating a new Service Provider with an ID of mysp, a sp_url of http://mysp.example.com/Shibboleth.sso/SAML2/ECP and a auth_url of http://mysp.example.com:5000/v3/OS-FEDERATION/identity_providers/myidp/protocols/mapped/auth .	16:21
*** gagehugo has quit IRC		16:21
ayoung	knikolla, I've never done K2K. gsilvis would know better than I	16:22
gsilvis	uh-oh	16:23
knikolla	ayoung, logs from the client http://paste.openstack.org/show/NyijxOIliO3kfivrOmoR/	16:24
knikolla	ayoung, mod_auth_mellon does a 303, and then 500	16:24
gsilvis	I'm pretty sure knikolla has more experience than me by now... which is why I was really hoping rodrigods would be available	16:25
ayoung	knikolla, I take it you need this for a demo next week, too	16:25
*** Guest85855 has quit IRC		16:25
*** gagehugo has joined #openstack-keystone		16:25
gsilvis	ayoung: ideally, yeah	16:25
gsilvis	I'm working on throwing together some shibboleth packages that work on centos, but I'm ont sure how well it'll go	16:25
gsilvis	/hopefully/ just rebuilding the opensuse packages should work	16:26
ayoung	SOK, so there are 2 Keystone, one is the IdP, the other is the SP	16:26
ayoung	the call you are making is on the IDP Keystone, to create the SP entry in its database	16:26
ayoung	and the path should be where the /ECP URL will be in the final location.	16:27
ayoung	Judging by the Doc, that URL should be something in the SP KEystone path like	16:27
*** dikonoor has joined #openstack-keystone		16:28
ayoung	God that doc is confusing	16:28
*** ganesh_ has joined #openstack-keystone		16:31
ganesh_	join #openstack	16:31
ayoung	Ok, so I don't know how the ECP URL is created. I don;t think that is SHib or Mellon, but rather something done in Python code	16:31
ayoung	ganesh_, need a slash...	16:32
*** code-R_ has quit IRC		16:32
ayoung	knikolla, I have to be honest. I don't know this.;	16:34
ganesh_	ayoung I am facing some problem while installing kilo versioned keystone component on Ubuntu 14.04 from this http://docs.openstack.org/kilo/install-guide/install/apt/content/keystone-services.html	16:39
ayoung	ganesh_, I'm not an Ubuntu guy	16:40
ayoung	suspect you have library versioning issues, as Kilo is kindof old.	16:40
ganesh_	ayoung: But, it is not failing while running this `$ openstack service create --name keystone --description "OpenStack Identity" identity`	16:40
ganesh_	with an error HTTP 500	16:41
ayoung	ganesh_, looking the keystone log to find the stack trace	16:42
ayoung	gotta run	16:42
*** ayoung has quit IRC		16:42
*** tqtran has joined #openstack-keystone		16:42
knikolla	ayoung, no worries. thanks for the help. docs are terrible, and there is mostly nothing on mod_auth_mellon with ECP.	16:43
*** ganesh_ has quit IRC		16:43
openstackgerrit	Gage Hugo proposed openstack/keystone-specs: PCI-DSS Expired Password Users https://review.openstack.org/383832	16:47
openstackgerrit	Ron De Rose proposed openstack/keystone: Validate mapping exists when creating/updating a protocol https://review.openstack.org/362397	16:49
*** gagehugo has quit IRC		16:50
*** scarlisle has quit IRC		16:50
*** rcernin has quit IRC		16:51
*** sheel has joined #openstack-keystone		16:53
openstackgerrit	Kristi Nikolla proposed openstack/keystone: Devstack plugin for Federation https://review.openstack.org/320623	17:02
openstackgerrit	Kristi Nikolla proposed openstack/keystone: Devstack plugin for Federation https://review.openstack.org/320623	17:05
*** code-R has joined #openstack-keystone		17:08
openstackgerrit	Kristi Nikolla proposed openstack/keystone: Devstack plugin for Federation https://review.openstack.org/320623	17:10
*** code-R has quit IRC		17:10
*** code-R has joined #openstack-keystone		17:10
*** edtubill has quit IRC		17:11
openstackgerrit	Richard Avelar proposed openstack/keystone: Remove unused statements in matches https://review.openstack.org/387548	17:11
*** ravelar has quit IRC		17:14
*** code-R_ has joined #openstack-keystone		17:14
*** code-R has quit IRC		17:17
*** xenogear_ has quit IRC		17:33
*** auggy has quit IRC		17:33
*** jistr has quit IRC		17:33
*** lbragstad has quit IRC		17:33
*** beddari has quit IRC		17:33
*** topol has quit IRC		17:33
*** dolphm has quit IRC		17:33
*** nikhil has quit IRC		17:33
*** raddaoui has quit IRC		17:33
*** cargonza has quit IRC		17:33
*** flaper87 has quit IRC		17:33
*** Anticimex has quit IRC		17:33
*** DuncanT has quit IRC		17:33
*** vern has quit IRC		17:33
*** basilAB has quit IRC		17:33
*** Guest66666 has quit IRC		17:33
*** redrobot has quit IRC		17:33
*** AlexOughton has quit IRC		17:33
*** dobson has quit IRC		17:33
*** EmilienM has quit IRC		17:33
*** timburke has quit IRC		17:33
*** SpamapS has quit IRC		17:33
*** jgrassler has quit IRC		17:33
*** kevinbenton has quit IRC		17:33
*** boris-42 has quit IRC		17:33
*** madorn has quit IRC		17:33
*** dims has quit IRC		17:33
*** sigmavirus has quit IRC		17:33
*** mancdaz has quit IRC		17:33
*** pkoraca has quit IRC		17:33
*** briancline has quit IRC		17:33
*** johnthetubaguy has quit IRC		17:33
*** cburgess has quit IRC		17:33
*** tonyb has quit IRC		17:33
*** breton has quit IRC		17:33
*** jgrassle1 has joined #openstack-keystone		17:33
*** briancli1e has joined #openstack-keystone		17:33
*** Alex_Oughton has joined #openstack-keystone		17:33
*** dolphm_ has joined #openstack-keystone		17:33
*** ChanServ sets mode: +o dolphm_		17:33
*** Guest66666 has joined #openstack-keystone		17:33
*** Anticimex has joined #openstack-keystone		17:33
*** breton has joined #openstack-keystone		17:33
*** dims has joined #openstack-keystone		17:33
*** tonyb has joined #openstack-keystone		17:33
*** cburgess has joined #openstack-keystone		17:33
*** mancdaz_ has joined #openstack-keystone		17:33
*** redrobot has joined #openstack-keystone		17:33
*** mancdaz_ is now known as mancdaz		17:33
*** johnthetubaguy_ has joined #openstack-keystone		17:33
*** topol_ has joined #openstack-keystone		17:33
*** timburke has joined #openstack-keystone		17:34
*** dolphm_ is now known as dolphm		17:34
*** vern has joined #openstack-keystone		17:34
*** redrobot is now known as Guest41366		17:34
*** beddari has joined #openstack-keystone		17:34
*** johnthetubaguy_ is now known as johnthetubaguy		17:34
*** basilAB has joined #openstack-keystone		17:34
*** SpamapS has joined #openstack-keystone		17:34
*** jistr has joined #openstack-keystone		17:34
*** EmilienM has joined #openstack-keystone		17:34
*** dobson has joined #openstack-keystone		17:34
*** _sigmavirus24 has joined #openstack-keystone		17:34
*** madorn has joined #openstack-keystone		17:35
*** michauds has quit IRC		17:35
*** EmilienM has quit IRC		17:35
*** EmilienM has joined #openstack-keystone		17:35
*** jperry has quit IRC		17:36
*** kevinbenton has joined #openstack-keystone		17:36
*** _sigmavirus24 is now known as sigmavirus		17:36
*** sigmavirus has quit IRC		17:37
*** sigmavirus has joined #openstack-keystone		17:37
*** lbragstad has joined #openstack-keystone		17:37
*** nikhil has joined #openstack-keystone		17:38
*** xenogear has joined #openstack-keystone		17:38
*** SpamapS has quit IRC		17:39
*** SpamapS has joined #openstack-keystone		17:39
*** asettle has quit IRC		17:39
*** Zer0Byte__ has quit IRC		17:39
*** boris-42 has joined #openstack-keystone		17:40
*** gagehugo has joined #openstack-keystone		17:40
*** raddaoui has joined #openstack-keystone		17:40
*** haplo37_ has quit IRC		17:41
*** DuncanT has joined #openstack-keystone		17:41
*** auggy has joined #openstack-keystone		17:43
*** haplo37_ has joined #openstack-keystone		17:43
stevemar	short agenda this week	17:43
*** cargonza has joined #openstack-keystone		17:44
*** pkoraca has joined #openstack-keystone		17:44
*** mvk has quit IRC		17:44
*** gagehugo has quit IRC		17:48
knikolla	stevemar, it's been pretty packed for the last weeks.	17:48
stevemar	knikolla: yep	17:48
stevemar	i'm totally OK with a short agenda this week :)	17:49
knikolla	:)	17:49
*** Zer0Byte__ has joined #openstack-keystone		17:50
*** adrian_otto1 has joined #openstack-keystone		17:50
*** jperry has joined #openstack-keystone		17:51
*** gagehugo has joined #openstack-keystone		17:51
*** lbragstad__ has joined #openstack-keystone		17:51
*** asettle has joined #openstack-keystone		17:52
*** adrian_otto has quit IRC		17:52
*** pnavarro has quit IRC		17:56
*** gyee has joined #openstack-keystone		17:57
*** lbragstad__ has quit IRC		17:57
*** lbragstad__ has joined #openstack-keystone		17:59
stevemar	ping for meeting: ajayaa, amakarov, ayoung, breton, browne, crinkle, claudiub, davechen, david8hu, dolphm, dstanek, edmondsw, gagehugo, gyee, henrynash, hogepodge, htruta, jamielennox, jaugustine, joesavak, jorge_munoz, knikolla, lbragstad, MaxPC, morgan, nishaYadav, nkinder, notmorgan, raildo, ravelar, rodrigods, rderose, roxanaghe, samleon, samueldmq, shaleh, stevemar, tsymanczyk, topol, vivekd, wanghong, xek	17:59
*** nk2527 has joined #openstack-keystone		18:03
*** asettle has quit IRC		18:07
*** dikonoor has quit IRC		18:10
*** ganesh has joined #openstack-keystone		18:12
*** ganesh is now known as Guest96232		18:12
Guest96232	Kilo keystone installation process is failing	18:12
Guest96232	while running the command "openstack service create \ --name keystone --description "OpenStack Identity" identity" with the following message "ERROR: openstack Internal Server Error (HTTP 500)"	18:13
breton	Guest96232: kilo was a very long time ago :(	18:14
Guest96232	This is with OpenStack kilo version	18:14
breton	Guest96232: could you please post the error in your keystone log?	18:14
dstanek	Guest96232: what's the error?	18:14
Guest96232	But, for some purpose I was compelled to use this.	18:14
Guest96232	I have followed the instructions as mentioned in the document	18:15
*** mserngawy_ has joined #openstack-keystone		18:15
*** kiran-r has joined #openstack-keystone		18:15
Guest96232	Check this http://paste.openstack.org/show/586251/	18:16
dstanek	Guest96232: you'll need to provide the relevant error from the server log	18:17
Guest96232	You mean, keystone.log	18:17
dstanek	yes	18:17
dstanek	that should have a traceback	18:17
Guest96232	http://paste.openstack.org/show/586253/	18:18
Guest96232	keystone.log	18:18
breton	Guest96232: try finding there word "Traceback" and post everything from it to the end of the traceback	18:19
Guest96232	Ok	18:20
dstanek	althought seeing children killed like that is odd	18:20
Guest96232	http://paste.openstack.org/show/586254/	18:21
openstackgerrit	Jesse Keating proposed openstack/keystone: Add healthcheck middleware to pipelines https://review.openstack.org/387731	18:21
Guest96232	Actually, if I start keystone service, apache2 service is getting stopped	18:22
jlk	stevemar: gagehugo I've updated the healthcheck review based on your feedback. Thanks!	18:22
dstanek	Guest96232: are you running keystone in apache?	18:22
stevemar	jlk: you see what jamielennox spun up?	18:22
Guest96232	Yes	18:22
jlk	stevemar: I did see that. If/when that lands we can update docs	18:23
stevemar	jlk: https://review.openstack.org/#/c/387752/2	18:23
dstanek	those errors look more like you are running keystone-all	18:23
Guest96232	I was following this link http://docs.openstack.org/kilo/install-guide/install/apt/content/keystone-services.html	18:23
stevemar	jlk: yep :)	18:23
breton	Guest96232: what is the ip you are running keystone on? Is it localhost? Try running `curl localhost:5000` and post the output	18:24
dstanek	Guest96232: what keystone service are you starting?	18:24
Guest96232	http://paste.openstack.org/show/586257/	18:25
Guest96232	About keystone service, clearly I have no idea.	18:26
dstanek	Guest96232: you said 'if i start keystone service' - what does that mean?	18:26
Guest96232	I am really very about that	18:26
Guest96232	If I do "sudo service keystone restart", then If I start "sudo service apache2 restart"	18:28
Guest96232	it is not working	18:28
Guest96232	Looks, keystone is taking that 5000 or 35357	18:28
dstanek	you can't do both. either you run keystone as a service (i'm assuming that is using keystone-all) or you use apache	18:28
*** adrian_otto1 has quit IRC		18:28
Guest96232	Ok	18:28
*** Zer0Byte__ has quit IRC		18:28
Guest96232	That is fair	18:29
Guest96232	Now, I am using only apache2 service	18:30
dstanek	Guest96232: assuming you have one running do you have a traceback?	18:30
jlk	Well.	18:30
jlk	to be fair, You can run keystone as a wsgi process that binds to a socket, and then use Apache to listen for connections on a port, that then uses the socket.	18:31
jlk	so in my setup, I have both apache service running _and_ keystone wsgi service running, but only one binds to network ports.	18:31
dstanek	jlk: that is completely different from the guide Guest96232 is using	18:32
jlk	correct	18:32
jlk	sorry for confusing things :(	18:32
Guest96232	Ok. Do you suggest any changes in this http://docs.openstack.org/kilo/install-guide/install/apt/content/keystone-install.html	18:32
breton	Guest96232: no. The manual doesn't say anything about running "service keystone start"	18:34
Guest96232	Yup.	18:34
Guest96232	Now, I am running apache2 alone	18:34
Guest96232	But, I am getting this error	18:34
Guest96232	ERROR: openstack Internal Server Error (HTTP 500)	18:35
*** lbragstad__ has quit IRC		18:35
*** amoralej is now known as amoralej\|off		18:36
*** code-R_ has quit IRC		18:38
*** aswadr_ has quit IRC		18:39
dstanek	Guest96232: can you find the error in the log	18:42
openstackgerrit	Merged openstack/keystone: Remove backend dependencies from token provider https://review.openstack.org/386136	18:44
*** edtubill has joined #openstack-keystone		18:45
Guest96232	Which log	18:45
Guest96232	apache2.log	18:45
Guest96232	dstanek: Mean, apache2 logs	18:46
*** flaper87 has joined #openstack-keystone		18:46
*** flaper87 has quit IRC		18:46
*** flaper87 has joined #openstack-keystone		18:46
*** thebloggu has quit IRC		18:46
*** thiagolib has quit IRC		18:48
*** thebloggu has joined #openstack-keystone		18:50
*** rvba has joined #openstack-keystone		18:50
*** rvba has quit IRC		18:50
*** rvba has joined #openstack-keystone		18:50
*** thebloggu has quit IRC		18:50
Guest96232	dstanek: keystone-error.log http://paste.openstack.org/show/586258/	18:50
dstanek	Guest96232: it looks like your python scripts are actually html	18:53
dstanek	Guest96232: can you confirm that /var/www/cgi-bin/keystone/admin is python code?	18:53
Guest96232	dstanek: http://paste.openstack.org/show/586259/	18:53
Guest96232	html	18:54
breton	<div class='content'><div class='error'>Invalid branch: stable/kilo</div>	18:54
breton	there is no more stable/kilo i guess	18:55
Guest96232	breton: But, I want to install kilo version keytone	18:58
Guest96232	breton: Is there any alternative?	18:59
*** thebloggu has joined #openstack-keystone		19:01
Guest96232	dstanek: http://heavenkong.blogspot.in/2015/08/openstack-kilo-error-openstack-internal.html	19:07
dstanek	Guest96232: you can get a really old version from git at about that time	19:07
Guest96232	dstanek: Do you suggest any other way to install keystone?	19:08
bknudson	breton: there should be a tag for kilo-eol	19:09
dstanek	Guest96232: for kilo? no. it's unsupported now. i don't think you'd have better luck anywhere else	19:09
bknudson	Guest96232: http://git.openstack.org/cgit/openstack/keystone/tree/?h=kilo-eol	19:10
dstanek	Guest96232: i think this is the file you wanthttp://git.openstack.org/cgit/openstack/keystone/tree/httpd/keystone.py?h=kilo-eol	19:10
*** thebloggu has quit IRC		19:20
Guest96232	dstanek: Looks, Issue is different.	19:21
Guest96232	I have replaced the stable/kilo url with the one you gave	19:21
*** gagehugo has quit IRC		19:23
dstanek	Guest96232: different issue?	19:23
Guest96232	Even I changed the url, error is common	19:24
Guest96232	ERROR: openstack Internal Server Error (HTTP 500)	19:24
dstanek	Guest96232: what is the error?	19:25
Guest96232	http://paste.openstack.org/show/586266/	19:26
*** voelzmo has joined #openstack-keystone		19:26
dstanek	Guest96232: same issue. did you get the HTML verison of that file or the raw version?	19:28
Guest96232	html version	19:28
dstanek	you have to get the raw Python code	19:28
Guest96232	Yes. I got python now	19:30
dstanek	Guest96232: working now?	19:31
Guest96232	ERROR: openstack The request you have made requires authentication. (HTTP 401) (Request-ID: req-e7d7c91f-0100-40b7-af19-553efd9e7fc9)	19:33
Guest96232	Error changed http 500 to 401	19:33
breton	Guest96232: well, keystone is working now, congratulations.	19:34
*** Zer0Byte__ has joined #openstack-keystone		19:34
Guest96232	Thanks. But, openstack service create \ > --name keystone --description "OpenStack Identity" identity	19:35
Guest96232	is not successful	19:35
dstanek	Guest96232: are you using valid credentials?	19:35
Guest96232	According to document, initially I have used OS_TOKEN and OS_URL	19:36
*** phalmos has joined #openstack-keystone		19:36
dstanek	Guest96232: is the token an admin token? meaning the one that's in your keystone config?	19:37
Guest96232	yes	19:37
*** scarab_ has joined #openstack-keystone		19:38
*** kiran-r has quit IRC		19:39
*** scarab_ has quit IRC		19:39
breton	Guest96232: could you please post output of `curl localhost:5000`?	19:41
Guest96232	http://paste.openstack.org/show/586268/	19:42
*** kiran-r has joined #openstack-keystone		19:46
*** Zer0Byte__ has quit IRC		19:53
*** gyee has quit IRC		19:56
*** gyee has joined #openstack-keystone		19:56
breton	that's indeed looks like kilo	19:58
* breton shrugs		19:58
breton	you should double-check your credentials	19:58
*** kiran-r has quit IRC		19:59
*** flwang1 has quit IRC		19:59
*** Zer0Byte__ has joined #openstack-keystone		19:59
*** asettle has joined #openstack-keystone		20:00
Guest96232	I am very sure that I am using the matchi OS_TOKEN env and admin_token in /etc/keystone/keystone.conf	20:01
Guest96232	breton	20:02
Guest96232	dstanek	20:02
breton	Guest96232: try sending a request to keystone with curl	20:02
breton	compose it manually	20:03
Guest96232	breton: I didn't understand	20:03
*** asettle has quit IRC		20:03
*** ChanServ sets mode: +v topol_		20:06
*** topol_ is now known as topol		20:06
dstanek	Guest96232: is your environment var properly exported?	20:07
Guest96232	breton: Can you suggest one url post or get with curl	20:07
Guest96232	Yes	20:07
dstanek	Guest96232: do you have the admin token middleware enabled?	20:07
dstanek	Guest96232: http://docs.openstack.org/developer/keystone/api_curl_examples.html#get-v3-projects	20:08
Guest96232	I dont have any idea about admin token middleware ?	20:08
*** dave-mccowan has quit IRC		20:09
*** phalmos has quit IRC		20:11
Guest96232	dstanek: curl command also responds with unauthorized	20:12
Guest96232	http://paste.openstack.org/show/586272/	20:13
dstanek	Guest96232: you would have admin_token_auth in you paste.ini pipelines like http://git.openstack.org/cgit/openstack/keystone/tree/etc/keystone-paste.ini?h=stable/mitaka#n54	20:14
dstanek	Guest96232: my guess is that if you haven't edited that file then it's fine	20:14
dstanek	Guest96232: does 'echo $OS_TOKEN' come back as you expect?	20:15
Guest96232	Yes	20:16
Guest96232	Ok	20:16
Guest96232	Let me check whether I have edited or not?	20:16
dstanek	Guest96232: did you restart keystone after you set the admin_token in the keystone.conf?	20:16
Guest96232	I am not running keystone	20:17
breton	did you restart apache2 after you set the admin_token in the keystone.conf?	20:19
Guest96232	Yes	20:19
Guest96232	I did changes to keystone-paste.ini	20:20
Guest96232	I revert back those changes	20:20
Guest96232	Thanks a lot dstanek	20:21
Guest96232	It worked	20:21
*** phalmos has joined #openstack-keystone		20:25
*** browne has quit IRC		20:26
dstanek	Guest96232: was it changes you made to the pipeline that broke it?	20:30
Guest96232	Yes.	20:30
Guest96232	dstanek: vedams@controller:~$ nova service-list ERROR (EndpointNotFound): publicURL endpoint for compute service not found vedams@controller:~$ neutron agent-list publicURL endpoint for network service not found	20:31
dstanek	Guest96232: that means you don't have entries in the catalog for nova	20:34
Guest96232	So, I have to do all agian	20:34
dstanek	you have to add the correct catalog entries. i don't know where in that install guide it does that	20:35
dstanek	also after you bootstrap keystone you would disable the admin token	20:35
*** gagehugo has joined #openstack-keystone		20:38
*** akrzos has quit IRC		20:40
*** sheel has quit IRC		20:40
*** akrzos has joined #openstack-keystone		20:42
*** voelzmo has quit IRC		20:45
*** browne has joined #openstack-keystone		20:51
*** ayoung has joined #openstack-keystone		20:51
*** ChanServ sets mode: +v ayoung		20:51
*** asettle has joined #openstack-keystone		20:59
*** raildo has quit IRC		20:59
*** flwang1 has joined #openstack-keystone		21:01
*** chris_hultin is now known as chris_hultin\|AWA		21:03
openstackgerrit	Samuel Pilla proposed openstack/keystone: Document OS-SIMPLE-CERT Routes https://review.openstack.org/385028	21:05
*** Guest96232 has quit IRC		21:08
stevemar	Guest41366: i'd really recommend using a newer version (mitaka/newton) and following the install guide	21:08
*** gyee has quit IRC		21:08
stevemar	http://docs.openstack.org/mitaka/install-guide-ubuntu/	21:09
stevemar	Guest41366: or even newton: http://docs.openstack.org/newton/install-guide-ubuntu/	21:09
dstanek	newton++	21:10
openstackgerrit	Samuel Pilla proposed openstack/keystone: Document OS-SIMPLE-CERT Routes https://review.openstack.org/385028	21:12
*** adriant has joined #openstack-keystone		21:12
*** lbragstad has quit IRC		21:15
*** AndyWojo has quit IRC		21:15
*** LamT__ has quit IRC		21:15
*** AndyWojo has joined #openstack-keystone		21:16
*** LamT__ has joined #openstack-keystone		21:16
*** dolphm has quit IRC		21:17
*** knikolla has quit IRC		21:17
*** wasmum has quit IRC		21:17
*** jmccrory has quit IRC		21:17
*** dolphm has joined #openstack-keystone		21:19
*** ChanServ sets mode: +o dolphm		21:19
*** jmccrory has joined #openstack-keystone		21:20
*** lbragstad has joined #openstack-keystone		21:20
*** mvk has joined #openstack-keystone		21:23
*** wasmum has joined #openstack-keystone		21:23
*** maticue has quit IRC		21:24
openstackgerrit	Samuel Pilla proposed openstack/keystone: Document OS-SIMPLE-CERT Routes https://review.openstack.org/385028	21:28
openstackgerrit	Richard Avelar proposed openstack/keystone: Remove unused statements in matches https://review.openstack.org/387548	21:30
*** haplo37_ has quit IRC		21:34
*** haplo37_ has joined #openstack-keystone		21:37
*** hoonetorg has joined #openstack-keystone		21:40
*** edtubill has quit IRC		21:46
*** flwang1 has quit IRC		21:52
*** flwang1 has joined #openstack-keystone		21:52
*** gagehugo has quit IRC		21:56
*** jperry has quit IRC		22:01
*** nk2527 has quit IRC		22:12
openstackgerrit	Lance Bragstad proposed openstack/keystone: Use issue_v3_token instead of issue_v2_token https://review.openstack.org/386665	22:21
*** dave-mccowan has joined #openstack-keystone		22:24
*** dave-mccowan has quit IRC		22:34
openstackgerrit	Lance Bragstad proposed openstack/keystone: refactor the token controller https://review.openstack.org/386726	22:37
*** markvoelker has quit IRC		22:41
*** edmondsw has quit IRC		22:42
*** asettle has quit IRC		22:43
*** jaugustine has quit IRC		23:03
*** kiran-r has joined #openstack-keystone		23:08
*** gagehugo has joined #openstack-keystone		23:17
*** dave-mccowan has joined #openstack-keystone		23:19
*** markvoelker has joined #openstack-keystone		23:41
*** markvoelker has quit IRC		23:46
*** iurygregory_ has joined #openstack-keystone		23:51
*** guoshan has joined #openstack-keystone		23:53

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!