Tuesday, 2016-12-20

[00:00] <Zer0Byte__> and question stevemar: is it possible to send an os_user_domain_id and os_user_domain_name
[00:01] <stevemar> Zer0Byte__: no, one or the other
[00:04] <Zer0Byte__> another question stevemar
[00:04] <Zer0Byte__> i can use user_domain_id and project_domain_id
[00:04] <Zer0Byte__> or is it the same?
[00:05] <Zer0Byte__> sorry, can i mix both on keystone?
[00:07] *** chris_hultin is now known as chris_hultin|AWA
[00:09] *** ravelar has quit IRC
[00:17] <ayoung> breton, nope.
[00:18] <ayoung> breton, pulling up the archives now
[00:19] *** Zer0Byte__ has quit IRC
[00:19] <ayoung> breton, and....wonderful short-sightedness on the crypto folks' part.
[00:24] *** tqtran has quit IRC
[00:27] *** guoshan has joined #openstack-keystone
[00:29] *** catintheroof has quit IRC
[00:54] *** lamt has joined #openstack-keystone
[00:58] *** hoangcx has joined #openstack-keystone
[00:59] *** chlong has quit IRC
[01:05] *** guoshan has quit IRC
[01:08] <openstackgerrit> Ron De Rose proposed openstack/keystone: WIP - Add domain_id to the user table  https://review.openstack.org/409874
[01:13] *** edmondsw has joined #openstack-keystone
[01:18] *** edmondsw has quit IRC
[01:22] *** zhangjl has joined #openstack-keystone
[01:23] *** adrian_otto has joined #openstack-keystone
[01:25] *** liujiong has joined #openstack-keystone
[01:26] <openstackgerrit> Samuel de Medeiros Queiroz proposed openstack/keystone: Delete Python optimized bytecode before test runs  https://review.openstack.org/371335
[01:26] *** guoshan has joined #openstack-keystone
[01:39] <openstackgerrit> Gage Hugo proposed openstack/keystone: Add reason to notifications for PCI-DSS  https://review.openstack.org/396752
[01:46] *** adrian_otto has quit IRC
[01:59] *** browne has quit IRC
[02:09] *** adrian_otto has joined #openstack-keystone
[02:16] *** liujiong_66 has joined #openstack-keystone
[02:16] *** liujiong has quit IRC
[02:17] *** agrebennikov has joined #openstack-keystone
[02:17] *** liujiong_66 is now known as liujiong
[02:22] *** trananhkma has joined #openstack-keystone
[02:29] *** adrian_otto has quit IRC
[02:38] *** davechen has joined #openstack-keystone
[02:39] *** browne has joined #openstack-keystone
[02:44] *** adrian_otto has joined #openstack-keystone
[02:53] *** adrian_otto has quit IRC
[02:55] *** liyuenan has joined #openstack-keystone
[02:59] *** browne has quit IRC
[03:01] *** liyuenan has quit IRC
[03:08] *** jamielennox is now known as jamielennox|away
[03:10] *** chrisplo_ has joined #openstack-keystone
[03:22] *** jamielennox|away is now known as jamielennox
[03:23] *** chrisplo_ has quit IRC
[03:25] *** agrebennikov has quit IRC
[03:27] *** liyuenan has joined #openstack-keystone
[03:29] <liyuenan> hi team! I have a problem with keystone. When I initialize Fernet key repositories, I run "keystone-manage credential_setup --keystone-user keystone --keystone-group keystone"
[03:30] <liyuenan> but there is an error. It seems that keystone-manage doesn't have credential_setup
[03:30] *** udesale has joined #openstack-keystone
[03:34] <openstackgerrit> Tony Breeds proposed openstack/oslo.policy: Add Constraints support  https://review.openstack.org/410024
[03:35] <openstackgerrit> Tony Breeds proposed openstack/pycadf: Add Constraints support  https://review.openstack.org/410036
[03:36] <stevemar> liyuenan: the "credential_setup" was only added in newton i believe
[03:39] <tonyb> stevemar: thanks again for the quick reviews
[03:40] <stevemar> tonyb: diff ps1:ps3 = added "
[03:40] <stevemar> and the tab fix :)
[03:40] <stevemar> err, indent
[03:40] <stevemar> i just think it's funny you had to redo for all the patches out there lol
[03:43] *** liyuenan has quit IRC
[04:03] *** chrisplo_ has joined #openstack-keystone
[04:05] *** namnh has joined #openstack-keystone
[04:15] *** chrisplo_ has quit IRC
[04:26] *** liyuenan has joined #openstack-keystone
[04:30] *** liyuenan has quit IRC
[04:39] *** trananhkma has quit IRC
[04:41] *** liyuenan has joined #openstack-keystone
[04:43] <openstackgerrit> Steve Martinelli proposed openstack/keystone: Change DevStack plugin to setup multi-Keystone  https://review.openstack.org/399472
[04:45] *** liyuenan has quit IRC
[04:46] *** guoshan has quit IRC
[04:46] *** r1chardj0n3s is now known as r1chardj0n3s_afk
[04:52] *** links has joined #openstack-keystone
[05:04] <tonyb> stevemar: Yeah real funny ;P
[05:04] <stevemar> tonyb: well, maybe not for you :)
[05:04] <tonyb> stevemar: still I wrote a bunch of one-off (at least I hope they're one-off) tools to help with it
[05:05] <tonyb> stevemar: I hummed and hawed about leaving them alone as they had some +2's, but if the aim is to make them all the same and they're open, I decided to just do it
[05:06] <stevemar> tonyb: the linter gods will happy with you
[05:06] <stevemar> will be*
[05:06] <tonyb> stevemar: also once they land I'll be ATC in $all_the_projects :)
[05:07] *** adrian_otto has joined #openstack-keystone
[05:07] <openstackgerrit> Ron De Rose proposed openstack/keystone: WIP - Add domain_id to the user table  https://review.openstack.org/409874
[05:13] <stevemar> tonyb: your grand plan is finally revealed
[05:26] *** Zer0Byte__ has joined #openstack-keystone
[05:28] *** adrian_otto has quit IRC
[05:39] *** adrian_otto has joined #openstack-keystone
[05:46] *** guoshan has joined #openstack-keystone
[05:47] *** adrian_otto has quit IRC
[05:51] *** guoshan has quit IRC
[05:53] *** adriant has quit IRC
[05:57] *** jaosorior has joined #openstack-keystone
[06:08] *** phalmos has joined #openstack-keystone
[06:12] *** shuquan_ has joined #openstack-keystone
[06:14] *** phalmos has quit IRC
[06:15] *** guoshan has joined #openstack-keystone
[06:41] *** jaosorior has quit IRC
[06:42] *** jaosorior has joined #openstack-keystone
[06:59] *** rcernin has quit IRC
[07:01] *** tobberydberg has joined #openstack-keystone
[07:08] *** shuquan_ has quit IRC
[07:10] *** rcernin has joined #openstack-keystone
[07:11] *** tesseract has joined #openstack-keystone
[07:11] *** tesseract is now known as Guest14972
[07:26] *** rcernin has quit IRC
[07:28] *** jamielennox is now known as jamielennox|away
[07:42] *** rcernin has joined #openstack-keystone
[07:43] *** Zer0Byte__ has quit IRC
[08:15] <openstackgerrit> yunfeng zhou proposed openstack/keystone-specs: add CONTRIBUTING.rst  https://review.openstack.org/412861
[08:19] *** pcaruana has joined #openstack-keystone
[08:22] *** shoutm has joined #openstack-keystone
[08:23] *** liyuenan has joined #openstack-keystone
[08:35] *** amoralej|off is now known as amoralej
[08:36] *** rcernin has quit IRC
[08:38] *** shoutm has quit IRC
[08:41] *** jaosorior has quit IRC
[08:43] *** jaosorior has joined #openstack-keystone
[08:58] *** rcernin has joined #openstack-keystone
[09:00] *** zzzeek has quit IRC
[09:00] *** zzzeek has joined #openstack-keystone
[09:46] *** ktychkova_ has joined #openstack-keystone
[09:47] *** ktychkova has quit IRC
[10:02] *** ktychkova_ has quit IRC
[10:02] *** ktychkova has joined #openstack-keystone
[10:03] *** namnh has quit IRC
[10:04] <openstackgerrit> yunfeng zhou proposed openstack/keystone-specs: add CONTRIBUTING.rst  https://review.openstack.org/412861
[10:11] *** GB21 has joined #openstack-keystone
[10:22] *** hoangcx has quit IRC
[10:24] *** guoshan has quit IRC
[10:24] *** liujiong has quit IRC
[10:40] *** GB21 has quit IRC
[10:40] *** zhangjl has quit IRC
[10:41] <breton> ayoung: what do you think, should we work on a new project, try to convince crypto folks or do it in keystone?
[10:44] <openstackgerrit> Julia Varlamova proposed openstack/keystone: Change DevStack plugin to setup multi-Keystone  https://review.openstack.org/399472
[10:53] *** mvk has quit IRC
[10:53] *** asettle has quit IRC
[10:58] *** udesale has quit IRC
[10:58] *** asettle has joined #openstack-keystone
[11:07] *** GB21 has joined #openstack-keystone
[11:17] *** amac has quit IRC
[11:23] *** adriant has joined #openstack-keystone
[11:25] *** guoshan has joined #openstack-keystone
[11:26] *** mvk has joined #openstack-keystone
[11:28] *** thiagolib has joined #openstack-keystone
[11:29] *** guoshan has quit IRC
[11:37] <samueldmq> morning keystone
[11:55] <stevemar> samueldmq: morning sir
[11:55] <stevemar> breton: sounds like the fernet backend stuff may not make it in O?
[11:57] <samueldmq> stevemar: o/
[12:01] *** adriant has quit IRC
[12:06] *** nicolasbock has joined #openstack-keystone
[12:08] *** iurygregory has joined #openstack-keystone
[12:09] *** GB21 has quit IRC
[12:10] <breton> stevemar: yes. But it depends on what we decide with ayoung. If we do it outside of keystone, it won't make it. If in keystone, the code is there and i will just rebase it.
[12:13] <stevemar> breton: ack
[12:18] <openstackgerrit> Rodrigo Duarte proposed openstack/keystone: Federated authentication via ECP functional tests  https://review.openstack.org/324769
[12:18] <openstackgerrit> Rodrigo Duarte proposed openstack/keystone: Settings for test cases  https://review.openstack.org/410205
[12:26] *** guoshan has joined #openstack-keystone
[12:27] *** GB21 has joined #openstack-keystone
[12:30] *** guoshan has quit IRC
[12:37] *** catintheroof has joined #openstack-keystone
[12:38] *** edmondsw has joined #openstack-keystone
[12:38] *** GB21 has quit IRC
[12:50] *** GB21 has joined #openstack-keystone
[12:53] *** chlong has joined #openstack-keystone
[12:59] *** asettle has quit IRC
[13:01] *** pcaruana has quit IRC
[13:06] <samueldmq> stevemar: lbragstad: should https://review.openstack.org/#/c/389364 have closed https://bugs.launchpad.net/keystone/+bug/1634568 ?
[13:06] <openstack> Launchpad bug 1634568 in OpenStack Identity (keystone) "[api] Inconsistency between v3 API and keystone token timestamps" [Low,New]
[13:06] *** pcaruana has joined #openstack-keystone
[13:07] *** dave-mccowan has joined #openstack-keystone
[13:13] <openstackgerrit> Merged openstack/keystone-specs: add CONTRIBUTING.rst  https://review.openstack.org/412861
[13:13] <stevemar> samueldmq: nope, see Brant's last comment
[13:13] <samueldmq> stevemar: docs
[13:14] *** lamt has quit IRC
[13:16] *** pooja_j has quit IRC
[13:16] <stevemar> samueldmq: well specifically the api-ref docs
[13:17] <samueldmq> stevemar: gotcha
[13:21] <openstackgerrit> Julia Varlamova proposed openstack/keystone: Change DevStack plugin to setup multi-Keystone  https://review.openstack.org/399472
[13:26] *** guoshan has joined #openstack-keystone
[13:28] *** pooja_j has joined #openstack-keystone
[13:28] <ayoung> breton, so we went crazy down this path before.  https://github.com/openstack/kite
[13:29] <ayoung> that was for the distribution, not storage of keys, but the twain are entwined
[13:30] <samueldmq> stevemar: regarding bug 1634568
[13:30] <openstack> bug 1634568 in OpenStack Identity (keystone) "[api] Inconsistency between v3 API and keystone token timestamps" [Low,New] https://launchpad.net/bugs/1634568
[13:31] *** nishaYadav has joined #openstack-keystone
[13:31] <samueldmq> stevemar: if it's only a matter of docs update, timestamps are not being returned with Z anymore?
[13:31] *** guoshan has quit IRC
[13:31] <samueldmq> stevemar: but with +-hh:mm instead? (to be in conformance with CCYY-MM-DDThh:mm:ss±hh:mm)
[13:31] <nishaYadav> hey, samueldmq stevemar
[13:32] <samueldmq> nishaYadav: hi, how are you?
[13:32] <stevemar> nishaYadav: o/
[13:33] <nishaYadav> samueldmq, thanks I am good
[13:34] <stevemar> samueldmq: gotta update https://github.com/openstack/keystone/blob/master/api-ref/source/v3/samples/admin/auth-token-scoped-response.json#L12 and https://github.com/openstack/keystone/blob/master/api-ref/source/v3/samples/admin/auth-token-scoped-response.json#L401 for that bug
[13:35] <stevemar> and https://github.com/openstack/keystone/blob/b4aa883bcbb259f54225bb69f8105026f6fade3c/api-ref/source/v3/parameters.yaml#L1088
[13:35] <samueldmq> stevemar: I got it, but about the update
[13:36] <samueldmq> stevemar: is it, for example, replace 2015-11-05T22:00:11.000000Z with 2015-11-05T22:00:11+0000
[13:37] <ayoung> breton, I'm going to back off and let you go ahead with it.  It belongs in python-cryptography, but we don't have time for the fight
[13:37] <stevemar> samueldmq: i think so, you can make a token create call for v2 and v3 and see what it comes back with
[13:37] <stevemar> samueldmq: check the expires_at and issued_at times
[13:38] <samueldmq> stevemar: kk thanks
[13:40] <stevemar> ayoung & breton thanks for working out a compromise
[13:43] *** amoralej is now known as amoralej|lunch
[13:45] *** amac has joined #openstack-keystone
[13:59] *** GB21 has quit IRC
[13:59] <breton> ayoung: thank you. I am going to talk to Barbican folks about it at the ptg, maybe we come up with something.
[14:00] *** GB21 has joined #openstack-keystone
[14:06] *** catinthe_ has joined #openstack-keystone
[14:08] *** catintheroof has quit IRC
[14:12] *** lamt has joined #openstack-keystone
[14:16] *** chlong has quit IRC
[14:23] *** pcaruana has quit IRC
[14:27] *** guoshan has joined #openstack-keystone
[14:30] *** nishaYadav has quit IRC
[14:31] *** nishaYadav has joined #openstack-keystone
[14:31] *** guoshan has quit IRC
[14:32] *** links has quit IRC
[14:37] *** pcaruana has joined #openstack-keystone
[14:38] *** clayton has quit IRC
[14:39] <rderose> lbragstad: around?
[14:40] <lbragstad> rderose yep!
[14:40] *** clayton has joined #openstack-keystone
[14:40] <rderose> lbragstad: how do I run a patch through the performance bot?
[14:41] <rderose> lbragstad: also, need to run it while a config option is set
[14:41] <lbragstad> rderose leave a comment in the review with 'check performance'
[14:41] <lbragstad> the performance bot currently uses osa to set all configuration options
[14:42] <rderose> sorry, what's osa?
[14:42] <lbragstad> rderose openstack-ansible
[14:42] <rderose> lbragstad: oh great ;)
[14:42] <lbragstad> rderose it's the thing that the OSIC performance bot uses to deploy and setup keystone
[14:42] <lbragstad> before running any of the performance tests
[14:46] <rderose> lbragstad: if I set the default config option in the patch, it should be set during performance bot testing, right?
[14:46] <lbragstad> rderose correct - it should
[14:46] <rderose> lbragstad: thx
[14:46] <lbragstad> rderose unless openstack-ansible overrides it
[14:46] <lbragstad> rderose which patch?
[14:47] <rderose> lbragstad: https://review.openstack.org/#/c/403916/
[14:48] <lbragstad> rderose i assume you want to test performance when setting change_password_required_after_reset to True?
[14:48] <rderose> lbragstad: yes
[14:48] *** Guest67717 is now known as med_
[14:48] *** med_ has quit IRC
[14:48] *** med_ has joined #openstack-keystone
[14:48] *** jaosorior has quit IRC
[14:49] <lbragstad> rderose yeah - that should work if you do it in the patch because I don't think openstack-ansible will know about it yet, so they can't override the value
[14:49] *** GB21 has quit IRC
[14:49] <rderose> lbragstad: okay, I'll create a dummy patch with it set
[14:49] <lbragstad> rderose awesome
[14:51] <openstackgerrit> Ron De Rose proposed openstack/keystone: WIP - PCI-DSS 8.2.6 Performance test  https://review.openstack.org/413126
[14:53] <openstackgerrit> Merged openstack/keystone: Settings for test cases  https://review.openstack.org/410205
[15:00] *** udesale has joined #openstack-keystone
[15:02] <openstackgerrit> Rodrigo Duarte proposed openstack/keystone: Federated authentication via ECP functional tests  https://review.openstack.org/324769
[15:02] *** amoralej|lunch is now known as amoralej
[15:04] <openstackgerrit> Ron De Rose proposed openstack/keystone: WIP - Add domain_id to the user table  https://review.openstack.org/409874
[15:04] <openstackgerrit> Steve Martinelli proposed openstack/keystone: test perf for last auth write  https://review.openstack.org/413128
[15:09] *** raildo has joined #openstack-keystone
[15:10] <lbragstad> whew - performance bot's getting a workout today!
[15:11] <rderose> lbragstad: ++
[15:17] *** jaugustine has joined #openstack-keystone
[15:20] <openstackgerrit> Ron De Rose proposed openstack/keystone: Require domain_id when registering Identity Providers  https://review.openstack.org/399684
[15:22] *** ravelar has joined #openstack-keystone
[15:28] *** tobberyd_ has joined #openstack-keystone
[15:28] *** guoshan has joined #openstack-keystone
[15:28] <openstackgerrit> Ron De Rose proposed openstack/keystone: Require domain_id when registering Identity Providers  https://review.openstack.org/399684
[15:30] <lbragstad> rderose stevemar having a bit of a hiccup with the performance bot, running tests manually now
[15:30] *** ayoung has quit IRC
[15:30] <lbragstad> rderose stevemar i should have it squared away shortly
[15:30] *** ayoung has joined #openstack-keystone
[15:30] *** ChanServ sets mode: +v ayoung
[15:31] *** tobberydberg has quit IRC
[15:32] *** tobberyd_ has quit IRC
[15:32] *** guoshan has quit IRC
[15:33] *** nklenke has joined #openstack-keystone
[15:34] *** ayoung has quit IRC
[15:34] *** ayoung has joined #openstack-keystone
[15:34] *** ChanServ sets mode: +v ayoung
[15:36] <openstackgerrit> Steve Martinelli proposed openstack/keystone: [doc] point release note docs to project team guide  https://review.openstack.org/413142
[15:37] <stevemar> hmm, where in the world is henrynash at :)
[15:39] <stevemar> ayoung: btw, i proposed https://review.openstack.org/#/c/412236/ over the weekend
[15:39] <ayoung> stevemar, thanks
[15:39] <stevemar> ayoung: it should be backwards compatible
[15:40] <ayoung> stevemar, It was the Green M&M
[15:40] <rderose> lbragstad: cool
[15:40] * stevemar is confused
[15:43] <ayoung> sorry, Brown M&M
[15:43] *** chris_hultin|AWA is now known as chris_hultin
[15:44] *** dave-mccowan has quit IRC
[15:45] <ayoung> stevemar, the fact that bugs are now being reported means that it is actually being tried.
[15:46] <stevemar> ayoung: you reported both bugs :)
[15:46] <ayoung> I know, but you fixed it
[15:47] <ayoung> stevemar, was that just diligence, or due to people bugging you about them?
[15:47] <stevemar> ayoung: diligence / OCD on my part
[15:48] <stevemar> ayoung: i wanted to fix the OSC review, but then i saw the bug, and i went down the rabbit hole
[15:48] <ayoung> stevemar, fair enough, but this is a powerful tool.  Glad that you know the internals now
[15:48] <stevemar> ayoung: i just wanted a simple bug to shake off some rust
[15:48] <ayoung> I was trying to get an end-to-end proof of concept working, but then got "redirected" onto other things
[15:48] *** udesale has quit IRC
[15:49] <ayoung> was just coming back to close the loop with the implied roles CLI piece, as that is needed for the RBAC stuff, and delegation, and all that
[15:49] *** harlowja has joined #openstack-keystone
[15:49] <stevemar> yeah, i assumed something like that must have happened
[15:49] <ayoung> I'm looking for someone to help out on this, someone looking for a way to make a name and get involved
[15:50] <stevemar> ayoung: i heard there's a fella named dolphm that is looking to get involved in keystone
[15:50] <ayoung> stevemar, heh
[15:51] <ayoung> stevemar, I'm trying to get another RHer in here, since you guys poached my last one
[15:51] <ayoung> course, he didn't stop working on Keystone, so that was actually a good thing
[15:52] <lbragstad> stevemar rderose so - i'm running https://review.openstack.org/#/c/403916/ locally and it appears the change is what is breaking in the performance test (digging to get some logs now)
[15:53] <stevemar> lbragstad: yay?
[15:53] <stevemar> ayoung: get jdennis working on keystone! :D
[15:53] *** chlong has joined #openstack-keystone
[15:54] <stevemar> i could review jdennis patches all day <3
[15:54] <stevemar> patch = 10 lines, commit message = 50 lines
[15:55] <ayoung> stevemar, he is diligent.  And no one understands the Federation protocols' internals as well.
[15:55] <ayoung> stevemar, he'll be working on the Federation stuff, but I think it is mostly going to be Puppet and Tripleo-heat-template work
[15:56] *** adrian_otto has joined #openstack-keystone
[15:56] <ayoung> stevemar, my reaction, too
[15:56] <ayoung> but if we can't actually use a feature in our product, that feature does not exist
[15:59] <stevemar> too true
[15:59] <jdennis> aww, you guys are my Christmas present :-)
[16:00] <ayoung> jdennis, and Tripleo is the lump of coal in your stocking
[16:01] *** chlong has quit IRC
[16:01] *** markvoelker_ has joined #openstack-keystone
[16:02] <lbragstad> rderose hmm - after I install your change and try to authenticate, i get this error http://cdn.pasteraw.com/dxmt8qwxybqs8j27fteii7hysz98nno
[16:02] <lbragstad> which doesn't seem related to your change at all...
[16:03] *** dave-mccowan has joined #openstack-keystone
[16:03] *** markvoelker has quit IRC
[16:04] *** markvoelker has joined #openstack-keystone
[16:07] *** markvoelker_ has quit IRC
[16:17] *** chlong has joined #openstack-keystone
[16:18] <amac> ayoung lbragstad Thanks for the help yesterday. After throwing things at the wall, I think my major issue came from having a bad clock in my Keystone test VM. With NTP in and working, I can issue a token using LDAP.
[16:18] <ayoung> amac, ++
[16:21] *** clayton has quit IRC
[16:22] *** mvk has quit IRC
[16:22] *** clayton has joined #openstack-keystone
[16:28] *** chlong has quit IRC
[16:29] *** guoshan has joined #openstack-keystone
[16:30] <lbragstad> amac awesome - glad you were able to make some progress!
[16:33] *** guoshan has quit IRC
[16:39] *** catintheroof has joined #openstack-keystone
[16:42] *** catinthe_ has quit IRC
[16:42] *** harlowja has quit IRC
[16:42] *** chlong has joined #openstack-keystone
[16:43] *** amac has quit IRC
[16:48] *** amac has joined #openstack-keystone
[17:03] *** Guest14972 has quit IRC
[17:10] <stevemar> amac: ahhaha
[17:11] <stevemar> amac: great to hear you've progressed
[17:13] <rderose> lbragstad: yeah, that doesn't seem to be related
[17:14] <rderose> lbragstad: were you able to figure it out?
[17:16] *** Zer0Byte__ has joined #openstack-keystone
[17:19] <lbragstad> rderose not yet
[17:19] <lbragstad> rderose still working on it
[17:20] <rderose> lbragstad: okay, thanks
[17:28] *** aloga has quit IRC
[17:28] *** aloga has joined #openstack-keystone
[17:29] *** guoshan has joined #openstack-keystone
[17:30] *** tqtran has joined #openstack-keystone
[17:33] <openstackgerrit> Ron De Rose proposed openstack/keystone: Require domain_id when registering Identity Providers  https://review.openstack.org/399684
[17:34] *** guoshan has quit IRC
[17:39] <stevemar> dstanek: lbragstad i think this patch is ready: https://review.openstack.org/#/c/316991/6
[17:40] <stevemar> gagehugo: what's up with https://review.openstack.org/#/c/404022/ -- seems like it's perpetually in WIP, do you need help? :)
[17:43] *** adrian_otto has quit IRC
[17:53] *** harlowja has joined #openstack-keystone
[17:55] <morgan> erm... o/
[17:55] <gagehugo> stevemar: sure!  I was hoping to get more work done on it last week but I ended up being sick half the week.  I do have some questions about where to proceed on that though
[17:55] <stevemar> morgan: o/
[17:55] <stevemar> gagehugo: ah alright, i'll actually review it
[17:56] <gagehugo> stevemar: I'll leave a comment on what I'm considering about it
[17:56] <stevemar> sounds good
[17:59] *** pcaruana has quit IRC
[18:00] <samueldmq> ping agrebennikov, amakarov, annakoppad, ayoung, bknudson, breton, browne, chrisplo, crinkle, davechen, dolphm, dstanek, edmondsw, edtubill, gagehugo, gyee, henrynash, hrybacki, jamielennox, jaugustine, jgrassler, knikolla, lbragstad, kbaikov, ktychkova, morgan, nisha, nkinder, notmorgan, raildo, ravelar, rderose, rodrigods, roxanaghe, samueldmq, shaleh,
[18:00] <samueldmq> spilla, srwilkers, StefanPaetowJisc, stevemar, topol
[18:00] <samueldmq> it's that time again - #openstack-meeting
[18:03] *** catinthe_ has joined #openstack-keystone
[18:06] *** catintheroof has quit IRC
[18:29] *** rcernin has quit IRC
[18:30] *** guoshan has joined #openstack-keystone
[18:33] *** nishaYadav_ has joined #openstack-keystone
[18:34] *** nishaYadav has quit IRC
[18:35] *** guoshan has quit IRC
[18:40] *** amoralej is now known as amoralej|off
[18:54] *** mvk has joined #openstack-keystone
[18:56] *** chlong has quit IRC
[19:02] <lbragstad> rderose ok - i think i finally got it to work locally
[19:02] <lbragstad> rderose so i need to do this to re-enable my user? http://developer.openstack.org/api-ref/identity/v3/index.html?expanded=change-password-for-user-detail
[19:04] <rderose> lbragstad: yes
[19:04] <rderose> so that they're not forced to change their password (password expires next auth)
[19:05] <lbragstad> rderose do I need to pass a valid token?
[19:06] <lbragstad> rderose I'm assuming I do
[19:06] <rderose> lbragstad: yes
[19:06] <rderose> you do
[19:07] <lbragstad> but - after the password has been changed, i can't get a new token, can i?
[19:08] <lbragstad> ah ha -
[19:08] <lbragstad> my testing doesn't take into consideration the database migration :(
[19:08] <rderose> lbragstad: oh, I see
[19:09] *** nishaYadav_ has quit IRC
[19:10] <lbragstad> rderose this migration doesn't force password updates does it? I just did a `keystone-manage db_sync` from the new code, verified the new columns exist, and i went to authenticate more than once and I get unauthorized
[19:11] <rderose> lbragstad: doesn't force password updates?
<lbragstad> WARNING keystone.common.wsgi [req-59f34019-2b79-42bd-869c-e94883b38897 - - - - -] Authorization failed. The password is expired and needs to be reset by an administrator for user: 02bd433f50274a179a4321fce2b43d3c from
[19:11] <lbragstad> i went to authenticate after I did the `keystone-manage db_sync` and I was able to get a token
[19:11] <lbragstad> then i went to authenticate again and I get ^
[19:12] <rderose> lbragstad: the migration only adds a new column; the code will set the password expired after first auth
[19:12] <lbragstad> rderose so in the upgrade scenario, if I'm a deployer, will I be requiring all my users to update passwords after I roll out a new release?
[19:13] *** chlong has joined #openstack-keystone
[19:13] <rderose> lbragstad: yeah, if not self-service password change, then all users would be required to change their password after they auth
[19:14] <rderose> lbragstad: so operators add this feature, any users that didn't change their password would be allowed to authenticate and then be required to change their password
[19:14] <lbragstad> ah - i'm only seeing this because i'm testing a change that made it default to true
[19:14] <rderose> lbragstad: right
[19:15] <stevemar> rderose: eh? shouldn't the requirement only be enforced if they fail to auth?
[19:15] <stevemar> not upon a successful auth?
[19:15] <rderose> stevemar: no, because they are allowed to auth the first time
[19:16] <rderose> so after that, they should be required to change their password
[19:16] *** adrian_otto has joined #openstack-keystone
[19:17] <lbragstad> rderose hmm - so I have an admin user, and I'm using the self-service password api to change their password and I get this:
[19:18] <rderose> lbragstad: hmm
[19:19] <stevemar> rderose: how is that backwards compatible?
[19:19] <stevemar> rderose: as an admin you flip that switch and you just locked out service accounts and a 1000 users
[19:19] <stevemar> you took down your cloud
[19:19] <rderose> stevemar: no
[19:19] <rderose> stevemar: you flip the switch, users are still able to auth, but now required to change their password
[19:20] <stevemar> right, so auth once and then you're done?
[19:20] <stevemar> service accounts will be screwed
[19:20] <rderose> lbragstad: 1) admin user creates user 2) admin user changes their password via api 3) and the user tries to auth?
[19:20] <stevemar> they send 100s of requests per minute
[19:20] <stevemar> you just failed 99 requests
[19:20] *** adrian_otto has quit IRC
[19:21] <lbragstad> rderose my steps to reproduce were the following:
[19:21] <lbragstad> 1.) upgrade with your patch
[19:21] <rderose> stevemar: so once you auth, and if you don't change your password, then it's expired
[19:21] *** adrian_otto has joined #openstack-keystone
[19:21] <rderose> stevemar: we may need to ignore service accounts
[19:22] <lbragstad> 2.) enable change_password_required_after_reset = True using https://review.openstack.org/#/c/413126/1
[19:22] <rderose> stevemar: but that is the gist of the PCI requirement, users must change their password after first auth
[19:22] <lbragstad> 3.) authenticate for a new token
[19:23] <stevemar> first auth != any successful auth
[19:23] <lbragstad> 4.) use new token to change admin's password http://cdn.pasteraw.com/5p6is40jk2028e54zg2va6pdirg5dqz
[19:23] <rderose> stevemar: huh? first auth implies next successful auth, right?
[19:24] <lbragstad> for me step 4 fails but I'm also unable to get another token because I've already authed
[19:25] *** adrian_otto has quit IRC
[19:26] <rderose> lbragstad: can you change the password at step 3?
lbragstadi'm not sure - that's a good question19:27
rderoselbragstad: step 3 you get a token (1st auth) and step 4 you get another new token (too late)19:27
lbragstadrderose oh - no19:28
lbragstadrderose sorry - i'm using the token from step 3 *in* step 419:28
rderoselbragstad: hmm...19:29
lbragstadalso - i'm not sure how likely this is... but i just tried to set change_password_required_after_reset=False to try and easily recover my admin account, but the state of the database seems to be preventing my admin user from authenticating19:30
rderoselbragstad: the state of the database?19:30
rderoselbragstad: no migration, but it probably set your admin's password to expired after you authenticated19:31
lbragstadrderose right19:31
*** guoshan has joined #openstack-keystone19:31
lbragstadso at this point - i don't think i'd be able to get back to the previous state19:31
rderoselbragstad: you could do an admin password reset for that user, but still trying to figure out why you couldn't use the token to change your password19:32
lbragstadrderose yeah - that part is confusing me, too19:33
rderoselbragstad: it's like you authenticated twice or something, but it doesn't sound like it19:33
lbragstadbecause it shouldn't matter if that account is the admin account, I'm passing it the token I just got in order to change my password19:33
rderoselbragstad: yeah, there is nothing about admin19:34
rderoselbragstad: change_password API would make it a self-service password change19:34
*** tobberydberg has joined #openstack-keystone19:35
rderoselbragstad: and when you change your password, it creates a revocation event19:35
*** harlowja has quit IRC19:35
rderoselbragstad: but you're not getting that far19:35
*** guoshan has quit IRC19:35
lbragstadrderose right - i seem to be stumbling on the mandatory password change19:36
rderoselbragstad: let me see if I can recreate the issue manually19:36
*** catintheroof has joined #openstack-keystone19:37
lbragstadrderose this is what my database is telling me - http://cdn.pasteraw.com/48qmmzj9ef6c1k4u5ibqxwnirbkwlid19:39
*** catinthe_ has quit IRC19:40
rderoselbragstad: ah, so that's the issue, self_service == 019:40
rderoselbragstad: wait, keep forgetting, you're not getting that far19:41
lbragstadrderose in step 4, i should be coming in through https://github.com/openstack/keystone/blob/91167ad58a7b6cfdf74c101f7c9861d5ad0f3eaa/keystone/identity/routers.py#L41-L4819:42
lbragstadand then moving along to the manager - https://github.com/openstack/keystone/blob/91167ad58a7b6cfdf74c101f7c9861d5ad0f3eaa/keystone/identity/core.py#L128419:42
rderoselbragstad: right19:43
lbragstadrderose and then into authenticate - https://github.com/openstack/keystone/blob/91167ad58a7b6cfdf74c101f7c9861d5ad0f3eaa/keystone/identity/core.py#L88019:44
lbragstadbut - that's the *old* password, right?19:44
lbragstadwhich means the driver implementation of authenticate would be here - https://github.com/openstack/keystone/blob/91167ad58a7b6cfdf74c101f7c9861d5ad0f3eaa/keystone/identity/backends/sql.py#L55-L7319:46
rderoselbragstad: looking...19:46
lbragstadand it would be authenticating the old_password19:46
lbragstadwhich would be tripping this check? https://github.com/openstack/keystone/blob/91167ad58a7b6cfdf74c101f7c9861d5ad0f3eaa/keystone/identity/backends/sql.py#L68-L6919:47
rderoselbragstad: yep, I thought I was accounting for that and ignoring if the password was expired19:47
lbragstadok - cool19:47
rderoselbragstad: so change_password authenticates again for the old password19:47
lbragstadrderose yes - it appears it will check the "old_password"19:48
lbragstadwhich is passed in the request body19:48
rderoselbragstad: could swear that I accounted for that19:48
lbragstadrderose :)19:48
lbragstadrderose i'm surprised the tests didn't fail for that case19:48
rderoselbragstad: totally19:49
lbragstadso - the problem is that the self service password API will validate the old password, but that validation fails because the identity driver's authenticate implementation will consider the old password expired since it was marked as expired on the last successful authenticate call (thus forcing the password to be updated)19:49
rderoseyeah, I'll do a try/except there and allow expired password19:50
lbragstadrderose cool - i'll clean up my testing environment19:51
rderoselbragstad: alright19:51
lbragstadrderose and do another manual test for performance numbers when you get a new patch up19:51
rderoselbragstad: and thanks for your work on this, can't believe I missed that19:51
lbragstadrderose no problem - I probably should have tested that sooner ;)19:51
lbragstadrderose i'm also going to remove those patch sets from the performance test queue19:52
rderoselbragstad: cool19:52
*** amac is now known as stradling20:01
*** stradling has quit IRC20:02
*** clenimar has quit IRC20:12
*** chlong has quit IRC20:15
*** raildo has quit IRC20:20
*** chlong has joined #openstack-keystone20:27
*** guoshan has joined #openstack-keystone20:32
*** guoshan has quit IRC20:37
*** jamielennox|away is now known as jamielennox20:44
*** catintheroof has quit IRC20:47
*** ayoung has quit IRC21:01
*** ayoung has joined #openstack-keystone21:01
*** ChanServ sets mode: +v ayoung21:01
*** stingaci has joined #openstack-keystone21:04
*** ravelar1 has joined #openstack-keystone21:12
Zer0Byte__hey guys21:16
Zer0Byte__i just want to confirm something21:16
*** ravelar1 has quit IRC21:17
Zer0Byte__os_project_domain_id and os_project_domain_name   is for older versions of keystone?21:17
Zer0Byte__newest version use os_user_domain_id and os_user_domain_name21:17
knikollaZer0Byte__: Both are needed if you use keystone v321:23
Zer0Byte__and os_user_domain_id?21:23
knikollaZer0Byte__: yes. project_domain_id is for the domain of the project you are scoping to, and user_domain_id is for the user domain.21:24
Zer0Byte__for connecting the client it is not on the template21:26
stevemarrderose: Why not update the user record when an administrators sets the password (with a boolean (needs_new_password)) -- and if it's set when they auth, then do not allow the auth to go through?21:26
*** dave-mccowan has quit IRC21:26
rderosestevemar: if needs_new_password, allow them to auth, right?21:27
knikollaZer0Byte__: are you using keystone v2 or v3?21:27
rderosestevemar: because first time, they should be able to21:28
Zer0Byte__knikolla check the template of rc21:28
knikollaZer0Byte__: can you link me to it?21:28
knikollaZer0Byte__: you don't need to provide the domain for a user or a project, if you are using user_id or project_id instead of username or project_name respectively.21:29
openstackgerritMerged openstack/keystone: Invalidate token cache after token delete  https://review.openstack.org/31699121:29
stevemarrderose: so theres two cases: 1) admin just created a new user and emailed the person with a temp password, and 2) admin reset a password and emailed the person with a new password21:30
knikollaZer0Byte__: as I said, if you use project_id, you don't need project_domain_id.21:31
stevemarrderose: we may need to handle the two a bit differently21:31
stevemarlemme think on it21:31
rderosestevemar: why?21:31
rderosestevemar: it's the same thing, right21:31
rderosestevemar: but yeah, think on it21:32
stevemarrderose: not really, one has never authed before, the other has21:32
Zer0Byte__knikolla i guess i asked the question wrong21:32
Zer0Byte__the variable is os_project_domain_id21:32
rderosestevemar: but from a PCI perspective, they need to change their password21:32
knikollaZer0Byte__: and you can use *_domain_name instead of *_domain_id.21:32
rderosestevemar: see your point though21:32
*** guoshan has joined #openstack-keystone21:32
Zer0Byte__i can use project_domain_id ?21:33
rderosestevemar: the other thing to consider here is how to let horizon know the user needs to change their password21:33
Zer0Byte__or is old variable21:33
stevemarZer0Byte__: all 4 have worked for a long time, just don't use name and ID together21:34
stevemarone option is for projects, the other is for users21:34
*** guoshan has quit IRC21:37
knikollastevemar: i always get confused looks when i explain names and IDs to someone.21:38
stevemarrderose: we need to prevent access to APIs that aren't related to `change_password`21:39
rderosestevemar: you mean only allow change_password?21:40
rderoseand don't allow any other API calls?21:41
rderosestevemar: hmm...21:42
rderosestevemar: I think that would be the strictest interpretation of the rule21:42
rderosestevemar: but I tend to agree21:43
rderosestevemar: let me give it some thought21:44
stevemarrderose: yeah, i'm mulling it over now21:44
stevemarrderose: we can't do anything backwards incompatible, if a user is able to auth now, a switch is flipped, they should continue to be able to auth21:45
stevemarthey're not "new users"21:45
stevemarrderose: is this an OSIC initiative? or did you just want to be a PCI completionist?21:45
rderosestevemar: but it's not a backwards compatible issue, I mean an operator should be able to change their security rules21:46
*** chlong has quit IRC21:46
rderoseand require users to change their passwords by flipping a switch21:46
rderosestevemar: both21:46
stevemarthat would be a terrible UX, i have no idea why anyone would want to do that to their users21:47
rderosestevemar: user authenticates and is required to change their password21:47
rderosestevemar: that doesn't seem so bad21:47
rderosestevemar: or, what you are suggesting, a user password never expires?21:48
rderoseif they are an existing user21:48
stevemarthey should expire when the config option says so21:48
rderosestevemar: so you are thinking that this is just forward looking feature21:49
rderosethat any user created after flipping the switch would be impacted?21:49
stevemarrderose: your solution to backwards incompatibility is either: 1) service interruption (service users get owned), 2) tuning a bunch of knobs (adding service users to blacklist), or 3) terrible UX21:50
stevemarall of which i think are no-go's21:50
stevemari'm thinking this is not worth the effort21:50
stevemaror we restrict users to just the self-service password API if they are newly created OR admin reset their password21:51
rderosestevemar: I just don't think if your users are using the same password that you gave them a year ago, why that would be such a big deal to make them change it.21:51
rderoseyeah, we definitely would need to do something with service users.21:51
rderosestevemar: I just want us to be PCI compliant; without this patch, we are not21:52
stevemarokay, i think i know what you're getting at now21:52
stevemaryou added 30/60/90 days to the PCI compliant option, but all the users are still able to auth with their old passwords, this new option would force them to change21:53
rderosestevemar: yes21:53
stevemarin which case I would say that is a very loose interpretation of the PCI rule -- those users are not "new"21:54
rderosestevemar: well, if you flip the switch at 90 days, going forward, you will PCI compliant21:54
stevemari think this needs more thought, the patch was representing one idea, but in essence trying to solve something else21:55
stevemaryou're looking for a migration strategy for users21:55
stevemarand trying to leverage this option to do that21:55
rderosestevemar: so you send your users a notice to change their password within 30 days and 30 days later you flip the switch21:55
stevemarrderose: but we have no way of controlling that an admin does step 121:56
stevemarif they do step 2, they are toast21:56
stevemar(without step 1)21:56
rderosestevemar: hmm...21:56
rderosestevemar: if we have an ignore list or domain configurable, they are not toast21:57
stevemarrderose: shit, if i wanted to, as an admin i could list all users, loop over each entry, call update user with the ID, generate a new password, make the API call and send an email21:57
rderosebecause service users wouldn't be impacted21:57
rderosestevemar: haha21:57
rderosestevemar: that's true21:57
stevemarwe have to be able to say "this is an operator issue" at some point21:58
stevemarlets take some time to think it over21:58
rderosestevemar: sounds good21:58
openstackgerritLance Bragstad proposed openstack/keystone: Fix import ordering in tempest plugins  https://review.openstack.org/41324422:03
*** edmondsw has quit IRC22:04
*** chris_hultin is now known as chris_hultin|AWA22:05
lbragstaddstanek for when you're back from vacation - this would be a good one for you to look at https://review.openstack.org/#/c/32476922:06
gagehugorderose stevemar: I feel like https://review.openstack.org/#/c/404022/ will also affect users required to change their passwords22:13
*** tobberydberg has quit IRC22:14
rderosegagehugo: true22:15
rderosegagehugo: mulling this over now22:15
lbragstadstevemar configuration error - no? https://bugs.launchpad.net/keystone/+bug/164875322:21
openstackLaunchpad bug 1648753 in OpenStack Identity (keystone) "Tempest test ServicesTestJSON.test_create_update_get_service fails for HA Keystone" [Undecided,New]22:21
lbragstadstevemar also - i think we can make https://bugs.launchpad.net/keystone/+bug/1648798 a dup of https://bugs.launchpad.net/keystone/+bug/1557238 and reopen it if what sylvain says is true22:25
openstackLaunchpad bug 1648798 in OpenStack Identity (keystone) "mapping yield no valid identity result in HTTP 500 error" [Undecided,New]22:25
openstackLaunchpad bug 1557238 in OpenStack Identity (keystone) "mapping yield no valid identity result in HTTP 500 error" [High,Fix released] - Assigned to Guang Yee (guang-yee)22:25
*** guoshan has joined #openstack-keystone22:33
*** guoshan has quit IRC22:38
*** chlong has joined #openstack-keystone22:57
*** adriant has joined #openstack-keystone23:00
*** chris_hultin|AWA is now known as chris_hultin23:01
stevemarlbragstad: for 1648753, let's let julya run with that one, she seems to have a plan for testing HA / rolling upgrade23:14
stevemaroops, julia, my bad23:14
stevemarlbragstad: oh shes online as jvarlamova -- i'll ping her tomorrow about it23:14
stevemarlbragstad: i wouldn't mark https://bugs.launchpad.net/keystone/+bug/1648798 as a dupe, the creator explicitly called out the dupe and said the fix is insufficient23:15
openstackLaunchpad bug 1648798 in OpenStack Identity (keystone) "mapping yield no valid identity result in HTTP 500 error" [Undecided,New]23:15
*** stingaci has quit IRC23:23
*** stingaci has joined #openstack-keystone23:24
stevemarayoung: just a heads up about https://review.openstack.org/#/c/363065/ -- i replied to your comment. I was just re-targeting the spec, it was already approved and backlogged.23:25
ayoungstevemar, its still wrong23:25
ayoungstevemar, honestly, you call that a spec?23:25
ayoungits like a placeholder.23:25
ayoungwhy did that one go through without any details?23:26
ayoungPlus, that was what is linked to from the Blueprint, need to figure out which is the original23:26
stevemarayoung: i think folks thought it was just meant to be like an abstraction layer23:26
*** stingaci_ has joined #openstack-keystone23:26
ayoungstevemar, at an absolute minimum it needs to cover credentials as well as Fernet23:27
ayoungit really should do the passwords for the databases as well, but that might be competing with oslo.policy.  Then again, the fernet keys could be handled via oslo.policy the same way23:27
ayoungneeds perspective23:28
ayoungjust compare that with the drubbing I got on both implied roles and now RBAC and you can see why we are not being consistent in the standard we expect.23:28
stevemarthe way i remember this was: the file system approach to managing fernet keys wasn't nice -- create an abstraction layer, set file system as the default driver, and folks can implement their own custom driver23:28
ayoungAnd, I am not saying that as bitter...the high standard for RBAC is where we should be23:29
ayoungNot sufficient23:29
ayoungwhat we have baked in is rotation for a single machine23:29
ayoungbut makes no effort to export or import23:29
ayoungand that is as important as the storage...or more23:29
*** stingaci has quit IRC23:29
ayoungand I have to go pick up my kid now...23:29
stevemarayoung: ttyl23:30
stevemarayoung: it was up for a while, chalk its approval up to hindsight?  neither I nor you reviewed it :\23:31
stevemarayoung: this is why I've wanted a roll-call feature for the specs23:31
stevemarthe implied roles stuff was a fast merge, that was merged in 2 days :P -- and the RBAC stuff, well like you said, we want a high standard there23:32
*** guoshan has joined #openstack-keystone23:34
stevemarayoung: i think there are two things at play for the fernet backend thing. 1) oversimplification, the idea presented an easy way to appease operators without enough due diligence, and 2) the proposed work is diverting from the spec.23:35
* rodrigods is going through old in progress tempest bugs23:35
rodrigods90% are invalid23:35
rodrigodsi guess we have the same in keystone*?23:35
stevemarrodrigods: for bugs?23:36
stevemarrodrigods: doubtful, lbragstad and I have been keeping a pretty tight lid on the bugs23:36
rodrigodsstevemar, ++23:36
stevemarrodrigods: you're more than welcome to go through them and triage ;)23:36
rodrigodsi know heh23:37
rodrigodstempest has a huge pile of staled bugs23:37
rodrigodshelping out them right now23:37
stevemarayoung: anyway, cooking time, we can chat later -- sorry if you are feeling bitter23:37
*** guoshan has quit IRC23:39
*** stingaci_ has quit IRC23:40
*** stingaci has joined #openstack-keystone23:41
*** lamt has quit IRC23:45
*** chris_hultin is now known as chris_hultin|AWA23:46
*** lamt has joined #openstack-keystone23:46
*** lamt has quit IRC23:51
ayoungNot bitter.  This one is important, I just want it done right, and it seems like it is not thought through23:55