Monday, 2017-01-30

00:00 *** thorst_ has joined #openstack-keystone
00:04 *** thorst_ has quit IRC
00:08 *** spotz_zzz is now known as spotz
00:13 *** thorst_ has joined #openstack-keystone
00:18 *** spotz is now known as spotz_zzz
00:50 *** martinlopes has quit IRC
00:52 *** martinlopes has joined #openstack-keystone
01:37 *** martinlopes has quit IRC
01:40 *** martinlopes has joined #openstack-keystone
01:43 *** martinlopes has quit IRC
01:44 *** thorst_ has joined #openstack-keystone
01:49 *** thorst_ has quit IRC
02:00 *** v1k0d3n has quit IRC
02:02 *** v1k0d3n has joined #openstack-keystone
02:09 *** thorst_ has joined #openstack-keystone
02:09 *** spotz_zzz is now known as spotz
02:12 *** thorst_ has quit IRC
02:20 *** spotz is now known as spotz_zzz
02:57 *** thorst_ has joined #openstack-keystone
02:57 *** thorst_ has quit IRC
03:07 *** thorst_ has joined #openstack-keystone
03:07 *** thorst_ has quit IRC
03:11 *** rcernin has joined #openstack-keystone
03:13 *** rcernin has quit IRC
03:14 *** rcernin has joined #openstack-keystone
03:22 *** martinlopes has joined #openstack-keystone
03:25 *** rcernin has quit IRC
03:29 *** martinlopes has quit IRC
03:31 *** martinlopes has joined #openstack-keystone
03:34 *** nicolasbock has quit IRC
03:56 *** links has joined #openstack-keystone
03:57 <morgan> yeah that would be the way to do it adriant
03:57 *** links has quit IRC
04:01 <morgan> adriant: FYI, v2 auth is not affected by the MFA rules
04:01 <morgan> sooooo if you want to enforce use of MFA, you have to force the use of V3 auth
04:04 <adriant> morgan: yep, although... you can hack the V2 code if you want. Which is what I'm doing for our deployment unless we can phase out v2.
04:04 <adriant> but yes, v3 is needed for MFA
04:04 <adriant> I'm simply disabling users with MFA like features if they try to use V2
04:04 <adriant> well, failing their auth and telling them to use V3
04:06 <adriant> So to whatever docs you write, I would loudly specify that V2 has to be disabled for MFA to actually make sense.
04:09 <morgan> right.
04:09 <morgan> that is the plan
04:10 <morgan> the main reason i'm not touching v2 is because of the long-standing policy of providing zero updates to v2 unless it is a security flaw (CVE/OSSA level) not intentional design like this
04:10 <morgan> it's the main carrot to get people to V3 and to disable v2 auth
04:12 *** spotz_zzz is now known as spotz
04:16 *** lamt has joined #openstack-keystone
04:21 *** spotz is now known as spotz_zzz
04:22 <stevemar> morgan: code looks good
04:31 *** maestropandy has joined #openstack-keystone
04:31 <morgan> stevemar: test patch incoming shortly
04:32 <morgan> oops... heh, i found a bug already :P
04:37 <openstackgerrit> Gage Hugo proposed openstack/keystone: WIP Fix multiple uuid warnings with pycadf  https://review.openstack.org/426411
04:38 *** lamt has quit IRC
04:41 *** adrian_otto has joined #openstack-keystone
04:41 *** lamt has joined #openstack-keystone
04:42 <gagehugo> morgan knikolla ^ I will be out (probably all day) tomorrow but I am slowly working on that
04:43 <gagehugo> if there is anything that you want to do with that, go ahead, otherwise I will resume when I get back
04:51 *** adrian_otto has quit IRC
04:51 *** dikonoo has joined #openstack-keystone
04:53 *** martinlopes has quit IRC
04:53 <morgan> stevemar: gonna need to rebase in a few the two cleanups... but should be relatively easy
05:00 *** lamt has quit IRC
05:02 *** martinlopes has joined #openstack-keystone
05:03 *** lamt has joined #openstack-keystone
05:05 *** dikonoor has joined #openstack-keystone
05:05 *** dikonoo has quit IRC
05:12 *** spotz_zzz is now known as spotz
05:22 *** spotz is now known as spotz_zzz
05:27 *** dikonoor has quit IRC
05:33 *** maestropandy has left #openstack-keystone
05:38 *** dikonoor has joined #openstack-keystone
05:47 *** Dinesh_Bhor has joined #openstack-keystone
05:49 *** thorst_ has joined #openstack-keystone
05:54 *** adriant has quit IRC
05:55 *** thorst_ has quit IRC
06:01 *** jvarlamova_ has joined #openstack-keystone
06:02 *** Jack_I has joined #openstack-keystone
06:13 *** spotz_zzz is now known as spotz
06:15 *** lamt has quit IRC
06:17 *** adrian_otto has joined #openstack-keystone
06:23 *** martinlopes_ has joined #openstack-keystone
06:23 *** spotz is now known as spotz_zzz
06:26 *** martinlopes has quit IRC
06:45 *** adrian_otto has quit IRC
07:11 *** rcernin has joined #openstack-keystone
07:12 *** rcernin has quit IRC
07:12 *** rcernin has joined #openstack-keystone
07:14 *** spotz_zzz is now known as spotz
07:24 *** spotz is now known as spotz_zzz
07:50 *** tesseract has joined #openstack-keystone
07:51 *** thorst_ has joined #openstack-keystone
07:56 *** thorst_ has quit IRC
08:15 *** spotz_zzz is now known as spotz
08:15 *** pcaruana has joined #openstack-keystone
08:25 *** spotz is now known as spotz_zzz
09:00 *** zzzeek has quit IRC
09:00 *** zzzeek has joined #openstack-keystone
09:31 *** rcernin has quit IRC
09:33 *** rcernin has joined #openstack-keystone
09:49 *** jistr has quit IRC
09:51 *** jistr has joined #openstack-keystone
09:52 *** thorst_ has joined #openstack-keystone
09:56 *** maestropandy has joined #openstack-keystone
09:57 *** thorst_ has quit IRC
10:00 *** maestropandy has quit IRC
10:02 *** gitudaniel has joined #openstack-keystone
10:02 <gitudaniel> o/
10:05 *** maestropandy has joined #openstack-keystone
10:05 *** maestropandy has left #openstack-keystone
10:07 *** thiagolib has joined #openstack-keystone
10:16 *** spotz_zzz is now known as spotz
10:18 *** dikonoor has quit IRC
10:26 *** spotz is now known as spotz_zzz
10:28 *** mvk has quit IRC
10:33 *** dikonoor has joined #openstack-keystone
10:40 *** gitudaniel has quit IRC
10:57 *** mvk has joined #openstack-keystone
10:59 *** gitudaniel has joined #openstack-keystone
11:08 *** dikonoor has quit IRC
11:17 <gitudaniel> on setting up the fernet using keystone-manage fernet_setup I get the error keystone.common.fernet_utils [-] Either [fernet_tokens] key_repository does not exist or kystone does not have sufficient permission to access it: /etc/keystone/fernet-keys/ while looking into it I came to the conclusion that since the development environment is being configured in a virtual environment it has no
11:17 <gitudaniel> access to the host system so I tried sudo keystone-manage fernet_setup and got ImportError: No module named oslo_config. At this point I had noticed the etc folder within the repo that contains the keystone.conf file and I assumed that I could point to the config file using the --config-file PATH command. I ran the command keystone-manage --config-file
11:17 <gitudaniel> PATH~/openstack/keystone/etc/keystone.conf and got keystone-manage: error: too few arguments. I then tried to specify the directory in which the .conf file is located by running keystone-manage --config-dir DIR~/openstack/keystone/etc it returns oslo_config.cfg.ConfigDirNotFoundError: Failed to read config file directory: DIR~/openstack/keystone/etc/ where did I go wrong?
11:17 *** spotz_zzz is now known as spotz
11:18 *** richm has joined #openstack-keystone
11:18 *** lamt has joined #openstack-keystone
11:19 *** lamt has quit IRC
11:21 *** dikonoor has joined #openstack-keystone
11:26 *** dims has joined #openstack-keystone
11:27 *** spotz is now known as spotz_zzz
11:27 *** richm has quit IRC
11:27 *** richm has joined #openstack-keystone
11:35 *** richm has quit IRC
11:37 *** richm has joined #openstack-keystone
11:52 *** nicolasbock has joined #openstack-keystone
11:53 *** thorst_ has joined #openstack-keystone
11:57 *** thorst_ has quit IRC
12:18 *** spotz_zzz is now known as spotz
12:20 *** richm has quit IRC
12:22 *** richm has joined #openstack-keystone
12:25 *** catintheroof has joined #openstack-keystone
12:28 *** spotz is now known as spotz_zzz
12:28 *** raildo has joined #openstack-keystone
12:41 *** thorst_ has joined #openstack-keystone
13:00 *** jaugustine has joined #openstack-keystone
13:00 *** dave-mccowan has joined #openstack-keystone
13:01 *** raildo has quit IRC
13:03 *** wasmum has quit IRC
13:07 *** edmondsw has joined #openstack-keystone
13:19 *** gitudaniel has quit IRC
13:19 *** spotz_zzz is now known as spotz
13:29 *** spotz is now known as spotz_zzz
13:54 *** gitudaniel has joined #openstack-keystone
14:12 *** clenimar has quit IRC
14:13 *** gitudaniel has quit IRC
14:16 *** clenimar has joined #openstack-keystone
14:17 *** dikonoor has quit IRC
14:20 *** gitudaniel has joined #openstack-keystone
14:25 *** lamt has joined #openstack-keystone
14:26 *** jperry has joined #openstack-keystone
14:30 <openstackgerrit> Ken Johnston proposed openstack/keystone: Readability enhancements to architecture doc  https://review.openstack.org/422375
14:31 *** agrebennikov__ has joined #openstack-keystone
14:36 *** jperry has quit IRC
14:36 *** lamt has quit IRC
14:37 <samueldmq> morning keystone
14:38 *** jperry has joined #openstack-keystone
14:38 <lbragstad> o/
14:38 *** edtubill has joined #openstack-keystone
14:38 <samueldmq> lbragstad: howdy
14:40 <dstanek> morning samueldmq
14:40 <samueldmq> dstanek: o/
14:45 <lbragstad> dstanek morgan are we allowed to add new strings during StringFreeze?
14:46 <dstanek> lbragstad: i don't think we're supposed to add or change any
14:46 <lbragstad> dstanek morgan or does that only apply to changing strings?
14:48 *** rcernin has quit IRC
14:51 <dstanek> lbragstad: in the soft string freeze they can be added and not changed
14:51 <lbragstad> dstanek aha - ok that makes sense
14:52 <dstanek> http://docs.openstack.org/project-team-guide/release-management.html
14:52 <lbragstad> dstanek yeah - i was just reading that, too
14:57 *** lamt has joined #openstack-keystone
15:00 *** rcernin has joined #openstack-keystone
15:01 <knikolla> o/ morning
15:02 *** mvk has quit IRC
15:06 *** chris_hultin|AWA is now known as chris_hultin
15:10 *** spotz_zzz is now known as spotz
15:12 <kencjohnston> o/ good morning keystone team.
15:12 <kencjohnston> Can someone help me resolve a bit of confusion in this review - https://review.openstack.org/#/c/422375
15:12 <kencjohnston> ?
15:12 <dstanek> kencjohnston: good morning
15:13 <kencjohnston> The original sentence I was trying to clarify was - "While the general data model allows a many-to-many relationship between users
15:13 <kencjohnston> and groups to projects and domains; the actual backend ..."
15:13 <kencjohnston> I'm starting to wonder if the first part of that sentence isn't correct, there is no many-to-many relationship between users and groups to projects.
15:14 <dstanek> i'm not sure what rodrigods is saying there
15:14 *** adrian_otto has joined #openstack-keystone
15:15 <Adobeman> uhm... so I was digging around a bit more, there is a possibility that keystone will not talk to ldap properly without TLS enabled.  Is this true?
15:15 <dstanek> kencjohnston: it's not really clear to me what the original text was trying to say. was it talking about assignment as the association?
15:16 <dstanek> Adobeman: why do you say that? (i have no idea, but TLS is generally the way to go)
15:16 <lbragstad> dstanek kencjohnston i think what rodrigods meant was that he didn't want to make it sound like projects own users and groups
15:16 <Adobeman> was reading some blog about it.. matt fisher..
15:16 *** nkinder has joined #openstack-keystone
15:16 <lbragstad> dstanek kencjohnston right now - we create users and groups within a domain
15:16 <kencjohnston> dstanek: I took the original text to mean that there could be the relationships stated, but that often times backends might limit it.
15:17 <dstanek> lbragstad: to me that whole thing (the older version too) sounds like ownership and that isn't true
15:17 <lbragstad> Adobeman he is usually hanging around here
15:17 <Adobeman> I didn't think it was a big deal not to have TLS enabled, but I may be mistaken about not enabling TLS.  Yes, I didn't enable TLS out of the box cuz this is still in staging
15:17 <lbragstad> mfisch ^
15:17 <kencjohnston> lbragstad: dstanek - So perhaps take out the word "Projects" and just leave it as users and groups to domains?
15:17 <Adobeman> hrm? he is??
15:18 <Adobeman> not sure I ever seen him talk...?
15:18 *** mvk has joined #openstack-keystone
15:18 <Adobeman> now he's going to run away haha
15:18 <lbragstad> kencjohnston dstanek well - domains technically *own* projects, users, and groups but users and groups can also have assignments to both projects and domains
15:19 <knikolla> kencjohnston: I think the entire paragraph should be rephrased.
15:19 <dstanek> a user can only be in 1 domain, but have assignments across domains. the original text reads to me like users can be in multiple domains
15:19 <kencjohnston> knikolla: I'm fishing for suggestions :)
15:19 <dstanek> maybe it's the word associated that's somewhat ambiguous
15:19 <lbragstad> kencjohnston dstanek would it make more sense to clarify that users and groups must reside within a domain, but they have multiple role assignments across domains (this is where the many to many relationship comes in)
15:19 <knikolla> there is no many to many relation between user and domain like dstanek said
15:20 <kencjohnston> I read the whole point of that paragraph to just be a warning, essentially - "What we said is true, but your mileage may vary depending on backend."
15:20 *** adrian_otto has quit IRC
15:20 <kencjohnston> If we aren't happy with the definition of
15:21 <kencjohnston> "what we said is true" that is in the bulleted list above.
15:21 <knikolla> kencjohnston: actually i'm not sure the mileage may vary is even true
15:21 <dstanek> kencjohnston: if that's the point of that paragraph, then i'd just change it to be a softer version of that and leave out the g/u & p/d details
15:21 <knikolla> i think every backend supports that stuff?
15:22 <kencjohnston> knikolla: dstanek - So just delete it?
15:22 <knikolla> dstanek lbragstad correct me if i'm wrong
15:22 <lbragstad> knikolla not every backend might support assignments across domains though, right?
15:22 <dstanek> knikolla: the ones we supply do i believe, but others may not
15:22 <knikolla> then we say:
15:23 *** jaosorior has joined #openstack-keystone
15:24 <knikolla> "In this model, users and groups are contained within domains and have a many to many relationship to projects. While most backends allow this relation to be in different domain, some may not."
15:25 *** adrian_otto has joined #openstack-keystone
15:25 *** gitudaniel has quit IRC
15:25 <kencjohnston> knikolla: Cool, new patch coming. Thanks!
15:26 <dstanek> that data model section seems wrong in general
15:26 <knikolla> dstanek: yes
15:26 <knikolla> **User**: has account credentials, is associated with one or more projects or domains
15:26 <dstanek> Extras should be deleted
15:26 <knikolla> ^^ domain part is wrong
15:26 <knikolla> one domain only
15:26 <dstanek> knikolla: it depends on is associated mean assigned or owned
15:26 <dstanek> s/is/if/
15:27 <dstanek> it's very imprecise language
15:27 <knikolla> dstanek: i don't agree on describing the data model with ambiguous terms
15:27 <dstanek> Projects don't contain users
15:27 *** jaosorior has quit IRC
15:28 <dstanek> this is why i hate reading docs. i feel compelled to fix them
15:28 <openstackgerrit> Ken Johnston proposed openstack/keystone: Readability enhancements to architecture doc  https://review.openstack.org/422375
15:28 <dstanek> i think i'm going to finish up my mapping doc changes right now actually
15:29 <knikolla> dstanek: i'd be happy to review
15:32 *** jaosorior has joined #openstack-keystone
15:35 *** lucas_ has joined #openstack-keystone
15:37 *** adrian_otto has quit IRC
15:39 *** adrian_otto has joined #openstack-keystone
15:40 *** mvk has quit IRC
15:51 *** spzala has joined #openstack-keystone
15:53 *** mvk has joined #openstack-keystone
15:56 *** jperry has quit IRC
16:02 *** richm has quit IRC
16:08 *** richm has joined #openstack-keystone
16:09 <openstackgerrit> Ron De Rose proposed openstack/keystone: Update PCI documenation  https://review.openstack.org/426823
16:10 *** ravelar has joined #openstack-keystone
16:13 <openstackgerrit> Ron De Rose proposed openstack/keystone: Update PCI documenation  https://review.openstack.org/426823
16:23 *** ayoung has quit IRC
16:24 *** rcernin has quit IRC
16:25 <lbragstad> dstanek jamielennox curious if either of you have a follow up on this? https://review.openstack.org/#/c/285757/21
16:33 *** ayoung has joined #openstack-keystone
16:33 *** ChanServ sets mode: +v ayoung
16:34 *** nkinder has quit IRC
16:34 *** spzala has quit IRC
16:34 <dstanek> lbragstad: i didn't +2 because i fixed and pushed a patchset. i think stevemar wanted jamielennox to take a final look
16:35 <lbragstad> dstanek sounds good
16:35 *** spzala has joined #openstack-keystone
16:40 *** spzala has quit IRC
16:51 <morgan> adding strings is not the end of the world
16:51 <morgan> changing strings is
16:51 <stevemar> morgan: dstanek lbragstad sure, do it up
16:51 <morgan> At the same time as Feature Freeze, is Soft String Freeze. Translators start to translate the strings after $SERIES-3. To aid their work, it is important to avoid changing existing strings, as this will invalidate some of their translation work. New strings are allowed for things like new log messages, as in many cases leaving those strings untranslated is
16:51 <morgan> better than not having any message at all.
16:52 <morgan> (from the guidelines)
16:52 <lbragstad> yeah - i read that
16:52 <morgan> stevemar, dstanek, lbragstad: i'm still debugging an issue with the tests for MFA
16:52 <morgan> i can't figure out how password is always sneaking in even when i only sent totp
16:53 *** adrian_otto has quit IRC
16:53 <openstackgerrit> Morgan Fainberg proposed openstack/keystone: Process and validate auth methods against MFA rules  https://review.openstack.org/423548
16:53 <morgan> ^
16:53 <morgan> with tests
16:53 <morgan> it should fail.
16:53 <morgan> at least one
16:53 <openstackgerrit> Morgan Fainberg proposed openstack/keystone: Cleanup TODO about auth.controller code moved to core  https://review.openstack.org/426607
16:53 <openstackgerrit> Morgan Fainberg proposed openstack/keystone: Cleanup TODO, AuthContext and AuthInfo to auth.core  https://review.openstack.org/426608
16:55 <morgan>     User 574b10a0291a4ca99b8157994a2ec73e auth methods set([u'password']) did not match a MFA rule in [[u'password', u'totp']].
16:55 <morgan>     Insufficient auth methods received for 574b10a0291a4ca99b8157994a2ec73e. Auth Methods Provided: [u'password'].
16:55 <morgan>
16:55 <morgan> is what i'm getting
16:55 <morgan> i sent password + totp
16:55 <morgan> so i know where the issue is.
16:55 <morgan> i'll dig through in a moment
16:58 *** tesseract has quit IRC
17:00 *** slberger has joined #openstack-keystone
17:01 *** adrian_otto has joined #openstack-keystone
17:07 *** nkinder has joined #openstack-keystone
17:14 <morgan> ahahaha it's a bug in the test suite...
17:14 <morgan> doh
17:17 *** nkinder has quit IRC
17:19 *** jose-phillips has joined #openstack-keystone
17:21 <knikolla> #success openstackclient supports k2k
17:21 <openstackstatus> knikolla: Added success to Success page
17:22 *** jsavak has joined #openstack-keystone
17:24 *** mvk has quit IRC
17:29 <openstackgerrit> Morgan Fainberg proposed openstack/keystone: Process and validate auth methods against MFA rules  https://review.openstack.org/423548
17:30 <openstackgerrit> Morgan Fainberg proposed openstack/keystone: Process and validate auth methods against MFA rules  https://review.openstack.org/423548
17:30 <openstackgerrit> Morgan Fainberg proposed openstack/keystone: Cleanup TODO about auth.controller code moved to core  https://review.openstack.org/426607
17:30 <openstackgerrit> Morgan Fainberg proposed openstack/keystone: Cleanup TODO, AuthContext and AuthInfo to auth.core  https://review.openstack.org/426608
17:30 <morgan> stevemar, dstanek, lbragstad, knikolla, rderose: ^ whole stack for MFA ready for review.
17:31 <morgan> tests included.
17:31 <morgan> needs docs but i'll work on that once the code is looking right
17:32 <lbragstad> morgan sweet
17:34 <Jack_I> Hi Folks! any workarounds https://bugs.launchpad.net/heat/+bug/1660395 ?
17:34 <openstack> Launchpad bug 1660395 in heat "You are not authorized to perform the requested action: identity:list_endpoints" [Undecided,New]
17:35 <morgan> lbragstad: i def want to get your feedback today on that code if you don't mind. looking to get the view on landing it (since the user options code) landed already
17:35 <morgan> lbragstad: :)
17:35 <morgan> s/)landed already/landed already)
17:36 <lbragstad> morgan yep - i'll review it today for sure
17:36 <morgan> lbragstad: the lockout option stuff should be easy to +2/+A. the MFA stuff needs the more in depth eyes.
17:37 <stevemar> morgan: rderose already approved that
17:39 <morgan> stevemar: ah nice
17:39 <morgan> stevemar: i updated my comment on the config validator
17:40 <morgan> said i'd rescind my -2 if it was installed like keystone-manage is
17:40 <morgan> *and* has unit tests
17:40 <morgan> but it def. does not belong in /tools
17:40 <morgan> and a helper script makes sense since the command is beastly
17:42 <morgan> stevemar: but the patch the lockout depends on hasn't been approved yet
17:42 *** adrian_otto has quit IRC
17:42 <morgan> stevemar: sooooo :P statement stands, prob easy to +2/+A.
17:44 <morgan> lbragstad: also replied to the comment about the TypeError "list of lists of strings"
17:44 <morgan> lbragstad: in short, dev error (suspenders and a belt) in the case that someone is submitting things not validated by jsonschema
17:45 <morgan> lbragstad: jsonschema does validate the MFA Rules to be a list of lists of strings
17:45 <lbragstad> morgan ok - checking
17:52 <morgan> knikolla: yay MFA things are all done and proposed.
17:52 <rodrigods> anyone already at -qa channel? we are discussing something really strange there (related to keystone)
17:52 <morgan> lbragstad, stevemar, dstanek: NOTE- MFA rules are only processed on V3 auth
17:52 <morgan> rderose: ^
17:57 *** jsavak has quit IRC
17:59 *** adrian_otto has joined #openstack-keystone
18:02 *** adrian_otto has quit IRC
18:02 *** harlowja has joined #openstack-keystone
18:07 *** mvk has joined #openstack-keystone
18:09 <dstanek> morgan: cool, i'll start looking at those today then
18:22 *** raildo has joined #openstack-keystone
18:23 *** htruta` is now known as htruta
18:24 *** spzala has joined #openstack-keystone
18:26 * morgan is about to be very irritated at a lot of code that landed that custom constructs responses without a call to wsgi.render_response
18:26 <morgan> basically we've broken HTTP spec
18:26 <morgan> again
18:27 <morgan> and we circumvented the tests to prevent us from doing it
18:27 <morgan> and now it is an API incompatible change to fix
18:27 * morgan is very annoyed
18:28 * morgan goes to cook bagels for an hour before coming back and trying to be less annoyed
18:28 <morgan> rodrigods: ^ cc
18:28 * rodrigods has nothing to do with it :)
18:29 <rodrigods> kidding
18:29 *** tqtran has joined #openstack-keystone
18:37 <Adobeman> ok, at least the tls stuff was confirmed working.. finally got that sorted out, except openstack is still throwing a fit at me about peer certificate issuer has been marked as not trusted by user..
18:38 <stevemar> rodrigods morgan what's up now? more head/get 204/200 trouble?
18:38 <rodrigods> stevemar, yeah, basically
18:38 <stevemar> which API calls?
18:38 <morgan> stevemar: yep
18:39 <rodrigods> stevemar, the discussion started because keystone returns 200 in ubuntu trusty and 204 in xenial for the same API
18:39 <morgan> looks like a fair amount of them
18:39 <morgan> anything that doesn't call render_response in wsgi
18:39 <morgan> is probably "wrong"
18:40 <morgan> also anything that mucks with response codes for HEAD and says 204 is just flat wrong
18:51 <dstanek> rodrigods: whoa, really?
18:52 <rodrigods> dstanek, yep heh
18:52 <rodrigods> dstanek, https://review.openstack.org/#/c/426882/
18:52 <rodrigods> wait for jenkins
18:53 <dstanek> rodrigods: why is it different?
18:53 <rodrigods> dstanek, we didn't dig in too much, but the guess is some lib fault
18:54 *** browne has joined #openstack-keystone
18:55 <Adobeman> so..
18:55 <Adobeman> is keystone going to have a fit with self signed cert..?
18:56 <Adobeman> or is it not a keystone issue...
18:58 <dstanek> Adobeman: i'm guessing that it's a library question. i would hope that we are as strict as possible by default though
19:00 <rodrigods> lbragstad, samueldmq, ayoung any of you want to +A https://review.openstack.org/#/c/422819/ ?
19:01 <dstanek> rodrigods: well, i don't :-P
19:01 <Adobeman> ok, all these keystone/ldap/tls are really fun, I am just really at a point I've had enough of it... :P I just like it to all play nice and work :P
19:02 <dstanek> Adobeman: are you still having issues?
19:02 <Adobeman> Peer's certificate issuer has been marked as not trusted by the user.", 'desc': "Can't contact LDAP server"}
19:02 <Adobeman> yes, different issue
19:03 <Adobeman> I read up matt's blog that TLS absolutely needs to work for ldap to work..
19:03 <Adobeman> so I tested my ldap server, make sure tls is working.  tested via ldapsearch even ssh...
19:03 <Adobeman> now keystone is throwing a fit at me about cert
19:04 <dstanek> Adobeman: does ldapsearch work over TLS?
19:04 <Adobeman> yes
19:04 <Adobeman> STARTTLS all work properly
19:05 <Adobeman> openssl direct query also works, it just says its self signed cert
19:05 <dstanek> Adobeman: not sure then. when i had that same error message it happened for both the cli and keystone on that box
dstanekit was because i was not trusting the cA19:05
Adobemanright.. so I actually use system's CQ-Bundle..19:05
AdobemanCA*-Bundle.crt19:05
Adobemanwhich what keystone is pointing at19:06
dstanekAdobeman: but you're not getting signed by a proper CA right?19:06
Adobemanwhat is this..? LDAPTLS_CACERT19:06
AdobemanI thought was TLS_CACERT19:07
Adobeman(i'm still reading stuff..)19:07
* Adobeman falls over19:09
Adobemankeystone.common.wsgi AssertionError: Invalid TLS / LDAPS combination19:09
Adobemanok.. what did I take out lol19:09
dstanekAdobeman: i thought with self signed certs you can use specify the CA file as an option (although i'm not sure that you can do that in keystone directly)19:10
morganAdobeman: the ldap python modules kindof suck in this regard19:10
morganand for that, i'm sorry.19:10
AdobemanI'm specifying it now, I have taken it off it didnt appear to make a difference19:11
Adobemanmorgan that's so over my head I'm not following19:11
Adobeman:(19:11
dstanekAdobeman: what did you take off?19:11
lbragstadmorgan we had existing tests in place for https://review.openstack.org/#/c/426431/3 ?19:12
AdobemanTLS_CACERT19:12
Adobemanin keystone.conf19:12
Adobemanhoping it will take system default and go with it19:12
dstanekAdobeman: oh, weird. looking at that i would think it would work. and you are getting that error message in your log after restarting?19:13
Adobemanyep19:13
AdobemanERROR keystone.common.wsgi BackendError: {'info': "TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user.", 'desc': 'Connect error'}19:13
Adobemanno real difference with that line enable or not19:14
dstanekAdobeman: you're using the tls_cacertfile option in the config?19:15
Adobemanyou mean this ? TLS_CACERT = /etc/pki/tls/certs/ca-bundle.crt19:15
Adobemanyes19:15
morganlbragstad: what do you mean? existing tests?19:15
dstaneki'm not sure what that is19:15
morganlbragstad: some of that is just hooking into json-schema and is tested by the schema validator tests19:16
morganlbragstad: so ... yes?19:16
Adobemanthat's the only TLS_cacertfile config parameter I'm aware of in keystone.conf? am I wrong?19:16
lbragstadmorgan that patch doesn't have any tests for adding the jsonschema attributes - but it is tested in the schema validator19:16
lbragstader - keystone/tests/unit/test_validation.py19:16
dstanekAdobeman: i've never seen that before - http://git.openstack.org/cgit/openstack/keystone/tree/etc/keystone.conf.sample#n141219:16
morganlbragstad: correct19:17
morganlbragstad: no new tests for the schema properties, but it is tested by the validator test(s)19:17
Adobemandstanek: :O19:17
lbragstadmorgan don't we have to deprecate configuration options/19:17
morganlbragstad: if it built bad schemas the validator tests already exist(s)19:17
morganlbragstad: stevemar says no, that option was added in ocata19:17
morganlbragstad: the password_expiry one was deprecated because it was added in newton19:18
AdobemanI think you're right ...19:18
Adobemanwhere the heck did I get this..19:18
openstackgerritRon De Rose proposed openstack/keystone: Update PCI documenation  https://review.openstack.org/42682319:18
Adobemanhttp://www.mattfischer.com/blog/?p=54519:18
Adobemanoh.. there..19:18
Adobemanconfig file is tls_cacertfile19:18
AdobemanBLAAAAAAAAAAAAH19:18
Adobemanpull it from wrong file19:18
Adobeman)#&%)#!&%)#!&%!19:19
Adobemanthanks for pointing that out..19:20
lbragstadmorgan ah - right19:20
lbragstadmorgan looks like it was introduced in https://review.openstack.org/#/c/398571/19:20
lbragstadmorgan which merged 10 days ago19:20
lbragstadmorgan s/days/weeks/19:20
* Adobeman falls over19:20
*** richm has quit IRC19:21
stevemarlbragstad: yeah, only went into ocata19:21
lbragstadstevemar ok - cool19:21
morganlbragstad: yep19:22
*** richm has joined #openstack-keystone19:22
AdobemanI swapped out that line with tls_cacertfile, still didnt change the outcome when I do a "openstack user list"19:23
*** jaosorior is now known as jaosorior_lunch19:28
Adobemanso I'm guessing it was ignoring the entry19:28
*** richm has quit IRC19:30
*** richm has joined #openstack-keystone19:31
*** richm has quit IRC19:31
dstanekAdobeman: you may have to debug it and make sure the option is being set properly19:31
Adobemanlets see19:32
Adobemanopenstack user list is a valid way of testing, right?19:32
Adobemaninstead of doing it over the web19:32
*** diazjf has joined #openstack-keystone19:35
*** stingaci has joined #openstack-keystone19:36
dstanekAdobeman: yeah, that would be fine. i'm surprised that you are still getting that error in your keystone log19:37
*** ravelar has quit IRC19:37
*** spzala has quit IRC19:37
Adobemanwell, I was not using ldap-tls last week19:39
AdobemanI still havent get to that point after I try to enable tls19:40
dstanekAdobeman: gotten to what point?19:40
Adobemanthe point ldap is telling me user is disabled19:41
Adobemanok, now let me confirm another thing...19:49
Adobemanputting keystone in debug is by doing this.. under [ldap]   debug_level = 409519:50
Adobemanthat's what you meant, right?19:50
ayoungrodrigods, -2.  I mean +2A19:51
*** MasterOfBugs has joined #openstack-keystone19:52
dstanekAdobeman: no i mean actually debug the code either using PDB or extra logging20:01
stevemarlbragstad: around?20:03
lbragstadstevemar i think so (in a meeting too)20:04
stevemarlbragstad: wanted to talk about https://review.openstack.org/#/c/418166/20:05
stevemarlbragstad: i think its safe to merge, even if we don't land the other bits of MFA we just have extra user attributes, meh20:05
lbragstadstevemar sure - but they won't really be doing anything even if they are set, right?20:06
stevemarlbragstad: righto20:06
lbragstad(if that's the case and what ends up in ocata - we'll have to be explicit about saying that *loudly*)20:06
stevemareh20:08
stevemarits underlying implementation anyway20:08
stevemarbut lets look at the whole chain20:08
lbragstadstevemar agreed - I'm still reviewing that chain20:10
*** ravelar has joined #openstack-keystone20:19
morganlbragstad: i will get some docs generated, but i wanted to be sure the code was up to snuff first. and stevemar is going to write docs for the resource options (dev docs)20:19
lbragstadmorgan sweet20:20
morganbecause docs are much easier to land than code20:20
stevemarmorgan: and they can land in master :)20:22
stevemaror after we tag rc120:22
morganyah20:23
morganstevemar: and we're going to land the minus-kvs patch once RC opens20:23
*** jose-phillips has quit IRC20:23
stevemaryup20:24
stevemaronce we cut stable/ocat20:24
stevemara20:24
morgancause woot minus over 2000 lines20:24
morganstevemar: well an RC branch if we do that20:24
morganwhatever the actuall "no more master code goes here" time20:24
*** ravelar1 has joined #openstack-keystone20:26
stevemarmorgan: as soon as we tag rc1 we create stable/ocata at the same time now :) the release team is awesome :)20:26
stevemarmorgan: so theres less of a need to go around -2'ing everything these days20:27
morganhaha20:27
morganstevemar: but... i wanted to -2 all the things20:27
morgan:P20:27
*** jose-phillips has joined #openstack-keystone20:29
*** diazjf has left #openstack-keystone20:35
stevemarmorgan: it is fun to do20:36
Adobemandstanek: 4095 is ... as high as I can go..?20:36
dstanekAdobeman: no idea, the only ldap i've done is with devstack20:37
*** ravelar1 has quit IRC20:38
Adobemanoh I'm not using anything fancier compared to you20:38
Adobemanthis is rdo openstack :P20:38
Adobemaneverything in single box20:38
dstanekAdobeman: yeah, i don't use ldap at all on a regular basis20:38
Adobemanapart from.. fischer, I currently do not know anyone who uses ldap with openstack.20:40
Adobemannot devstack, not rdo openstack, not standard full openstack deployment..20:41
Adobemanin fact, I don't know of anyone using newton with openldap..20:41
*** adriant has joined #openstack-keystone20:43
morganAdobeman: Cern does (Active Directory), mostly federation, but they extensively used LDAP connector as well20:44
morganAdobeman: i know a few other orgs do, but they aren't super vocal about it. HPE used to (dunno if Suse is doing so/ HPE still does or not)20:45
morganAdobeman: IBM has deployments that use LDAP20:45
morganAdobeman: like i said, they're just not super vocal about it20:45
Adobemanoh yes, that's why I'm having hard time finding information..20:47
AdobemanI was reading some IBM documentation other day..20:47
Adobemanmajority of people just go with AD since they already exist20:47
AdobemanI don't have an AD to tie this into, almost tempting to set one up at this point..20:47
morganstevemar: *poke* maybe henry-nash has info for Adobeman if we can chase down henry20:48
morganAdobeman: ayoung (if you can catch him) is a great resource for openldap stuff.20:48
ayounglies20:48
stevemarmorgan: henry is a hard man to find these days :(20:48
morganAdobeman: are you just looking for "what the schema" should be?20:48
AdobemanI'm currently not even at the point I can even ask that question20:48
morganAdobeman: because the default schema in FreeIPA is pretty darn good once you map the attributes20:48
ayoung++20:48
AdobemanI heard about FreeIPA..20:49
ayoungGo FreeIPA20:49
morganand FreeIPA makes it a lot easier (you just need to configure some minor things in keystone to point at the right place and use the smarter "enabled" flag)20:49
AdobemanI have a cert issue right now..20:49
stevemarAdobeman: i blogged about it earlier ...20:49
stevemarbut never ended up using certs20:49
morganah, TLS stuff.20:49
Adobemanyes20:49
morganit should work with self-signed certs fwiw20:49
morganbut it probably requires a single file with the whole chain in it20:50
Adobemanmfisch supposedly has cert stuff working, he blogged about it.20:50
morgani can't remember the best format off the top of my head.20:50
Adobemanaccording to him, TLS is a requirement for this to work properly..20:50
morganTLS is a requirement for this to work with any level of security20:50
Adobemanit just flat out breaks .. only if I can get this cert issue out of the way..20:50
morganwhich i take as "not usable otherwise"20:50
Adobemanof course, not disagreeing20:50
morganiirc i think you need the whole chain in the supplied Cert file and specify the proper CA-Cert as well20:51
morganit has been a while since I did a FreeIPA keystone deploy20:51
morgani assume you're not trying to use LDAP as the main identity backend, but as a specific domain backend20:51
morganif you're trying to do the whole identity backend as LDAP, you're going to be in for a rough ride as a lot of features will not work correctly within keystone20:52
morganLDAP is really (at this point) designed to back specific domains for identity information20:52
morganso we can lean on the more flexible SQL stuff for things like service users (or even so service users can be isolated to a separate DN in LDAP trees)20:52
morganbut in short, FreeIPA is damn good and makes the whole "getting LDAP stood up right" a lot easier20:53
morganalso nkinder is a good resource if he's ever online.20:53
Adobemanmorgan: I am trying to use it as main identity backend...20:53
AdobemanI have not drifted off to multiple domain setup yet20:53
morganah, that is going to be a lot more rough to setup20:54
Adobemanokay20:54
morganIMO it is much much better to setup a keystone running SQL backend, setup a new domain and back it with LDAP20:54
AdobemanI thought it would be easier..?20:54
morganit used to be20:54
ayoungFreeIPA is a CA20:54
ayounguse it to sign your certs20:54
morganbut with all the more advanced features it is much easier to drop in LDAP behind a specific domain20:55
Adobemanso I can stop staring at this error? Peer's certificate issuer has been marked as not trusted by the user20:55
morganit does mean you have to use V3 keystone20:55
AdobemanI am using v3..20:55
Adobemanwell, I see some v2 fly by..20:55
morganAdobeman: that is likely to be an issue you'll still see, that tells me that either the chain or the ca cert files is wrong20:55
morganand i think OpenLDAP needs to have the same CA cert in its config20:56
morganso it can know the issuer is sane20:56
morganyou *might* be able to get it to work by adding the CA to the system CA20:57
morganCA trust20:57
Adobemanthe bundle file I have got at least..167 certs20:57
Adobemancame with the system ..20:57
morganlikely the issue is OpenLDAP not trusting the CA then.20:57
ayoungUse FreeIPA please and make this all go away20:58
morgani *think* again... i haven't done this in a looong time20:58
morganFreeIPA likely will make this much easier20:58
dstanekmorgan: the tls_cacertfile should have fixed the issue though20:58
morgandstanek: maybe.20:58
morgansadly, we don't test this stuff20:58
morgansooooo it might be broken20:58
morgans/might/has a higher than average chance/20:58
morganif we can drop in a FreeIPA on a devstack... we could make this work.20:59
morganand be tested20:59
ayoungcan't21:00
ayoungIPA needs a stand alone machine21:00
ayoungdoes not play nice with others21:00
*** lucas_ has quit IRC21:01
morganit needs a standalone ip/vhost21:01
ayoungmaybe if we did a container based deploy AKA Kolla21:01
morganit doesn't need a standalone machine.21:01
dstanekayoung: same machine with a different container?21:01
morgancontainer would work too21:01
morganwe also have multi- node gating possible now21:01
ayoungI was able to get container based to work21:01
morganit wouldn't be impossible to setup IPA21:01
morganon the multi-node21:01
ayoungdo multi-nodes get a known resolvable hostname and IP address?21:01
morganshould21:02
morganwell hostnames... probably not21:02
morganIPs yes.21:02
morganyou need to be able to reference the IPs from another host21:02
ayoungIP should be enough21:02
morganaka, compute on host A, rest of openstack on B21:02
ayounggetting the initial nameserver resolution set up tends to be the pain point21:02
ayoungI usually just hack /etc/hosts21:02
ayounghttps://adam.younglogic.com/2015/06/install-freeipa-ansible/21:03
Adobemanthis question is most likely beyond this channel... getting openldap to use the same CA?21:04
ayoungAdobeman, do you have an openldap setup already?21:04
Adobemanyes21:04
Adobemanopenldap is up and running, authenticates users for ssh/linux setup..21:05
Adobemantalks tls too, tested that's working..21:05
ayoungAdobeman, what are you using for a CA?21:05
Adobemanwhatever came with the OS..21:06
AdobemanI just generated a self-signed cert and went with it21:06
AdobemanI threw cert files into ldap directory already21:07
*** lucas_ has joined #openstack-keystone21:08
Adobemangenerated this morning :P21:08
Adobeman-rw-r--r-- 1 ldap ldap   1363 Jan 30 06:42 /etc/openldap/certs/server.crt21:08
Adobeman /etc/openldap/certs/ca-bundle.crt  /etc/openldap/certs/server.key ..etc21:09
Adobemanthey are all defined in olcTLSCACertificateFile olcTLSCertificateFile olcTLSCertificateKeyFile21:09
*** raildo has quit IRC21:11
ayoungAdobeman, yeah...if this is going to be any form of production run, you'll want a real CA21:18
ayoungAdobeman, just IPA it...unless you are solidly vested in the OpenLDAP approach, it is not worth the effort to set all the things you need up manually21:19
*** jaosorior_lunch is now known as jaosorior21:21
*** ravelar has quit IRC21:22
morganayoung: thanks for jumping in here21:24
ayoungmorgan, just don't let it happen again21:24
morganayoung: appreciate the added commentary (helps me because it's been a while since i poked at this stuff)21:24
Adobemanok, let me look into IPA21:25
* morgan makes note ayoung is the person who'll respond for all LDAP questions >.>21:25
morgan<.<21:25
morgan^_^21:25
ayoungmorgan, I lie21:25
lbragstadmorgan looking at https://review.openstack.org/#/c/418166/14/keystone/identity/backends/resource_options.py21:28
morganlbragstad:  yep.21:28
lbragstadwe have a json schema definition at line 75 - but we also have the _mfa_rules_validator_list_of_lists_of_strings_no_duplicates method21:29
morganyes. this validator is used when storing data to the db21:29
morganbefore being written to the option.21:29
morganthe json-schema is used at the edge21:29
lbragstadmorgan you mean at the controller/api layer21:29
Adobemanmorgan: haha...21:29
morganyeah schema is at the controller level21:29
lbragstadright21:30
morganand this is used to protect against code that manipulates options21:30
morganit is suspenders and a belt21:30
lbragstadif we validate things there - what's the purpose of having the homegrown method?21:30
morganif code (not API calls) touches mfa options21:30
stevemarlbragstad: validation is for stuff we can't check with json schema21:30
morganwe want it to be proper form21:30
lbragstadoh21:31
morganif the MFA Rules are not list-of-lists comprised of strings (aka [["thing", "thing"], ["other", "thing2"]]21:31
lbragstadso something in one of the managers21:31
morganwe throw out the rules (possibly all of them) to ensure auth is possible21:31
morganauth > MFA rules. period21:31
lbragstador if there was business logic somewhere that did stuff with the mfa options21:31
morganright we add business logic that changed the user option(s)21:32
morganwe want to ensure the values are sane21:32
morganthis is in the .from_dict bits21:32
morganon the model21:32
lbragstadright21:32
stevemarlbragstad: something like this: https://github.com/openstack/keystone/blob/master/keystone/common/controller.py#L66221:32
lbragstadok21:32
morganbefore we build the _resource_options dict that the SQL driver writes to the attribute_mapper21:32
morganwe run the validator over the data21:32
morganthe key is the validator always allows None, no matter how much you try and code around it21:33
morgansince we don't run the validator on None values21:33
morganotherwise the validator runs and raises an exception all the way back out21:33
morganif an end user sees that exception, it's a programming error21:33
morganjson-schema should prevent API users from ever seeing a type error/value error from that method21:33
morganbut json schema can't protect us (e.g.) in all of our unit tests or new business logic down the line21:34
lbragstadyeah - i see it now21:34
lbragstadhmm21:34
morganaka if we actually do totp-secret generation and more directed APIs to ensure the auth methods pass before setting MFA rules21:34
morganalso, the validator was written before the json schema bits were21:35
morganjson schema was an addon to make end user API requests better/more consistent21:35
morganseparation of concerns. data to the data-store vs validation of RESTful request21:35
morganbody21:35
morganlbragstad: also, that is changed slightly when i added the test(s)21:36
morganlbragstad: https://review.openstack.org/#/c/423548/11/keystone/identity/backends/resource_options.py21:36
morgantest showed a few bugs.21:36
morgandidn't ratchet the fixes down the stack because if we're not landing 423548, we shouldn't land 41816621:37
lbragstadmorgan so all the tests here actually just test the api validation at the controller layer https://review.openstack.org/#/c/418166/14/keystone/tests/unit/test_validation.py,unified21:37
morgancorrect21:37
*** ravelar has joined #openstack-keystone21:37
morganthat JUSTvalidates the json-schema bits21:37
morgan423548 implements full data flow logic tests21:38
lbragstaddo we have anything that tests _mfa_rules_validator_list_of_lists_of_strings_no_duplicates does the same thing as the jsonschema bits?21:38
morganno, but should be easy to do so.21:38
morganwe could add a test in a followup.21:38
lbragstad(because they should be enforcing the same contract if I'm understanding that correctly)21:38
morganyes they should21:38
lbragstadok - cool21:38
morganwould be easy to just run the _mfa..........too-long-function-name validator21:39
morganagainst the same mfa_rules data the validator is run against21:39
*** catintheroof has quit IRC21:40
lbragstadyeah - that would work21:40
*** jose-phillips has quit IRC21:41
lbragstadi'd hate for either of those validation approaches to get out of sync with each other21:41
*** catintheroof has joined #openstack-keystone21:42
morgani'll spin up another patch for that21:42
morganat the end of the chain21:42
lbragstadmorgan works for me21:42
morganlbragstad: responded to your comment on the patch as well21:45
*** ravelar has quit IRC21:45
lbragstadmorgan sweet21:45
*** jose-phillips has joined #openstack-keystone21:48
lbragstadmorgan are we expecting folks who maintain their own auth plugins to return a `base.AuthHandlerResponse()` object?21:51
morganlbragstad: yep21:51
lbragstadok21:51
morganif they don't, it won't work now ;)21:51
*** catinthe_ has joined #openstack-keystone21:52
*** catintheroof has quit IRC21:53
stevemarcrinkle: does the federated auth problem only happen if you have v2 enabled in horizon?21:54
stevemarcrinkle: or is it always happening?21:54
stevemarcrinkle: lbragstad https://bugs.launchpad.net/keystoneauth/+bug/166043621:55
openstackLaunchpad bug 1660436 in python-novaclient "Federated users cannot log into horizon" [Undecided,New]21:55
openstackgerritEric Brown proposed openstack/keystone: Use https for docs.openstack.org references  https://review.openstack.org/42694421:55
crinklestevemar: I don't think I have v2 enabled in horizon, I have OPENSTACK_API_VERSIONS={"identity":3} and OPENSTACK_KEYSTONE_URL="http://192.168.122.105/identity/v3"21:57
stevemarcrinkle: gah!21:58
stevemarcrinkle: using master right?21:59
lbragstadmorgan what's the difference between response_body and response_data?21:59
crinklestevemar: yep21:59
lbragstadmorgan i see that response_data holds stuff formerly in auth_context21:59
lbragstadmorgan so far I don't think I see response_body set or used anywhere(?)22:00
stevemarcrinkle: shouldn't the federated user have domain information now? that stuff merged a few days ago22:00
*** catintheroof has joined #openstack-keystone22:04
*** jaugustine has quit IRC22:04
jamielennoxso ideally horizon should never be hitting that section of novaclient22:04
jamielennoxhorizon would create the session having already done auth with domain information and then just pass that on through to novaclient22:04
jamielennoxanything that hits that code is doing (at least one) additional round trip to keystone that shouldn't be necessary22:05
crinklestevemar: I think if we'd continued on patchset 5 of https://review.openstack.org/#/c/389337 it might have the domain info but that was too big of a scope, so the final result only partially implemented it and i think that only gets us as far as the the user being able to log in, and this problem happens after that when novaclient is trying to reauthenticate22:05
crinklejamielennox: right22:05
jamielennoxpassing token in with project_X information is asking for a rescope22:05
*** catinthe_ has quit IRC22:07
morganlbragstad: it is used when a challenge-response like plugin is done22:10
morganlbragstad: it's mostly just for purposes of compat with previous behavior... we never implemented something that worked like that outside of tests22:10
robcresswellstevemar, crinkle: Assigned myself to that bug22:12
crinklethanks robcresswell22:13
openstackgerritMorgan Fainberg proposed openstack/keystone: Add validation for mfa rule validator (storage)  https://review.openstack.org/42695522:17
morganlbragstad: ^22:17
lbragstadmorgan sweet - thanks22:17
*** jose-phillips has quit IRC22:17
morgangonna have a pep8 issue22:17
morgangotta fix22:17
*** catinthe_ has joined #openstack-keystone22:17
openstackgerritMorgan Fainberg proposed openstack/keystone: Add validation for mfa rule validator (storage)  https://review.openstack.org/42695522:18
morganlbragstad: there ^22:18
*** catinth__ has joined #openstack-keystone22:18
*** catintheroof has quit IRC22:18
*** jose-phillips has joined #openstack-keystone22:19
stevemarcrinkle: jamielennox robcresswell won't this possibly happen with other clients, like glance or cinder?22:19
jamielennoxstevemar: what exactly?22:20
jamielennoxthe rescope?22:20
stevemaryeah22:20
morganlbragstad:  just thought of another test i need to add for MFA22:21
robcresswellI'm gonna crash for the night, I'll catch up tomorrow22:21
jamielennoxstevemar: gah, probably - it's super hard to say exactly what behaviour you get with the clients when you pass through that information directly22:21
jamielennoxbut yea, most likely it'll rescope22:21
*** catinthe_ has quit IRC22:22
morganlbragstad: dealing with rescope and ensuring a token maintains the methods and passes MFA22:22
morganlbragstad: without explicitly needing to specify token22:23
stevemarjamielennox: yeah, we probably can assume clients will do silly things22:23
jamielennoxi know i once looked at fixing all this for horizon, but they have a fairly complex login process and there is a separation between DOA and horizon itself that I'm not sure how to bridge22:28
jamielennoxi'm sure it could be figured out22:28
*** catinth__ has quit IRC22:29
*** Jack_I has quit IRC22:30
*** stingaci has quit IRC22:31
*** edmondsw has quit IRC22:34
*** thorst_ has quit IRC22:36
stevemarjamielennox: i'll mull it over, do the same. not really sure where the fix for this should go22:40
jamielennoxstevemar: i came into this quite late so i'm not aware of all the details, but really we should teach DOA/horizon to start using sessions22:40
stevemarjamielennox: i found out about it when i wrote stuff in irc :)22:40
morganlbragstad: huh. something is wonky again22:41
morgani can't seem to validate a token when trying to re-scope here.22:41
jamielennoxin theory it's an easy switch over, in practice there is a lot of support stuff there that horizon has done in the past they would need to remove22:41
morganlbragstad: let me post this and you can take a look.22:41
lbragstadmorgan ok22:41
david-lylerequests to horizon are not even guaranteed to hit the same server, how big is the keystone session object?22:44
openstackgerritMorgan Fainberg proposed openstack/keystone: Add validation that token method isn't needed in MFARules  https://review.openstack.org/42695922:44
morganlbragstad: ^ that should add the test22:45
lbragstadmorgan  is that going to fail?22:45
morgandstanek: the token_id, and some metadata.22:45
morganlbragstad: it should fail22:45
morganlbragstad: i can't get the second auth_req to work22:45
morganthe token rescope says "failed to validate token"22:45
morganwill dig further.22:45
morganbut....22:45
morganaroooo?22:45
morganlbragstad: it's an addon test only patch to make sure the rest of the chain can land.22:46
morganlbragstad: :) and easy to review comparative to lumping it in the big changes22:46
*** adrian_otto has joined #openstack-keystone22:47
*** pramodrj07 has joined #openstack-keystone22:49
jamielennoxdavid-lyle: it's not so much that it's big as that it's not serializable22:50
jamielennoxand actually thinking about it that might be why i failed last time22:50
lbragstadmorgan i'm having a hard time not mixing rule_lists with methods22:50
david-lylethat would be problematic22:51
jamielennoxsince then there is an inbuilt way to serialize most plugins, but i'm assuming horizon would want more control than that22:51
*** MasterOfBugs has quit IRC22:51
david-lylejamielennox: the issue for Horizon is we don't maintain session state for users on the Horizon server, we pass the information with the request, or it's stored in a user session backend22:52
jamielennoxi think we could mostly get around that but we would need to make a horizon specific auth plugin that is serializable in a way they can control22:52
jamielennoxyea22:52
morganlbragstad: explain?22:52
david-lyleagree22:52
jamielennoxso session can be shared, i think you could have a single object for all of horizon, and then just reconstitute the auth plugin from session backend on every request22:53
david-lylenot sure I follow about single object for all of horizon. All users share the same object??22:56
jamielennoxso session without auth is basically just pass through support for connection pooling and such23:00
jamielennoxwithout auth it basically just provides a few tweaks on requests.Session23:00
jamielennoxauth state is maintained in the plugin and you can pass Client(session, auth) to most clients instead of Session(auth)23:01
*** edtubill has quit IRC23:01
*** thorst_ has joined #openstack-keystone23:06
lbragstadmorgan i just automatically associate lists like ['password', 'totp'] or ['password', 'token'] to be method lists,23:06
*** slberger has left #openstack-keystone23:09
*** thorst_ has quit IRC23:10
morganlbragstad: haha okie23:12
*** adrian_otto has quit IRC23:13
morgantopol: ... no love ... no love at all23:13
*** jrist has quit IRC23:13
topolmorgan, bahahaha.  I have high standards on bagels :-)23:14
morgantopol: so do i... it's why i'm trying to make my own vs the doughy-gross west-coast things23:17
morgantopol: to be fair, i know what went wrong and mostly it was the dough being too sticky, so was hard to make nice and round23:17
topolmorgan, with a little time I'm sure yours will be incredible, I would expect nothing less from you23:18
morgantopol: but the taste was almost perfectly spot on for nice east-coast style23:18
*** martinlopes_ has quit IRC23:19
morganlbragstad: i can't figure out why that token isn't validating correctly23:19
morganlbragstad: getting a 404 tokennotfound =/23:19
lbragstadmorgan nothing is jumping out at me either23:19
topolmorgan, NICE!23:20
morganlbragstad: gAAAAABYj8BmZiQeG-Au1gPbqDBGFgBH9YZwZJHs15ljq0yF6fiQTQt3D-WWOnVT8yV_awWTHx1hUw9sgQ6BlmI9rmpIa0pCQFYoy26Nxk1IF6Kql4kpQxzx2BM1C74ZcPJuDfAGHrCTiYF9YAHRc39zlz9OF6Y31g looks correct23:20
lbragstadmorgan i gotta run quick - but I'm going to poke at it tonight23:20
morganlbragstad: anyway, the rest of the stuff should still be good to land. and clearly we didn't break token rescoping, just that specific mechanism of testing rescope seems off somehow23:20
lbragstadmorgan yeah - i was going to check to make sure https://github.com/openstack/keystone/blob/781db8e67a08674ad27310be2aa21d73868f8a3b/keystone/auth/plugins/core.py#L44-L58 wasn't doing anything strange - but that's a wild guess23:21
morgani was digging into the provider now23:27
morganthe plugin seems sane23:27
morgansomething is weird.23:27
*** jrist has joined #openstack-keystone23:29
*** martinlopes has joined #openstack-keystone23:34
*** lucas_ has quit IRC23:35
*** sileht has quit IRC23:37
openstackgerritRichard Avelar proposed openstack/keystone: Extend User API to support federated attributes  https://review.openstack.org/42644923:38
*** martinlopes has quit IRC23:39
*** sileht has joined #openstack-keystone23:41
*** martinlopes has joined #openstack-keystone23:45
*** catintheroof has joined #openstack-keystone23:50
*** jamielennox is now known as jamielennox|away23:58
*** jamielennox|away is now known as jamielennox23:59

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!