Tuesday, 2017-01-31

*** lamt has quit IRC00:01
*** gatuus has joined #openstack-keystone00:01
*** jrist has quit IRC00:02
openstackgerritEric Brown proposed openstack/keystone: Use https for docs.openstack.org references  https://review.openstack.org/42694400:05
*** wasmum has joined #openstack-keystone00:07
*** jose-phillips has quit IRC00:29
*** jose-phillips has joined #openstack-keystone00:30
*** jamielennox is now known as jamielennox|away00:58
*** catintheroof has quit IRC01:02
*** lucas_ has joined #openstack-keystone01:03
*** gatuus has quit IRC01:07
morgandstanek: =/ i think we broke a validation bit in our tests to ensure load_backends is only ever called once.01:09
*** jamielennox|away is now known as jamielennox01:12
morganlbragstad: oh man i am down a rabbit hole... but it looks like the fernet token repository isn't being set properly for one of the apps01:12
*** thorst_ has joined #openstack-keystone01:16
morganmy test is seeing:     Either [fernet_tokens] key_repository does not exist or Keystone does not have sufficient permission to access it: /etc/keystone/credential-keys/01:17
morganthis should not be the case01:17
*** jaosorior has quit IRC01:17
*** tqtran has quit IRC01:25
*** tqtran has joined #openstack-keystone01:27
*** lucas_ has quit IRC01:30
*** tqtran has quit IRC01:32
*** dims has quit IRC01:35
*** dims_ has joined #openstack-keystone01:35
*** lucas_ has joined #openstack-keystone01:37
*** catintheroof has joined #openstack-keystone01:37
*** catintheroof has quit IRC01:37
*** catintheroof has joined #openstack-keystone01:37
*** dims_ has quit IRC01:42
*** dims has joined #openstack-keystone01:42
*** edmondsw has joined #openstack-keystone01:43
*** edmondsw has quit IRC01:43
*** edmondsw has joined #openstack-keystone01:43
*** lucas_ has quit IRC01:47
*** edmondsw has quit IRC01:47
*** masber has quit IRC01:52
*** edmondsw has joined #openstack-keystone01:52
*** browne has quit IRC01:59
knikolla /o\02:04
*** edmondsw has quit IRC02:04
*** edmondsw has joined #openstack-keystone02:05
dstanekmorgan: what do you mean?02:09
*** edmondsw has quit IRC02:09
morgandstanek: unrelated.02:10
morgandstanek: well ffs i just ran into a hiesenbug02:11
morganlooks like i found a race in our unit test framework02:11
dstanekwhat's the race?02:12
*** chris_hultin is now known as chris_hultin|AWA02:13
morganoh FFS....02:13
morgannow it wont fail at all02:13
morganwhat the ..............02:14
morganor it wont succeed02:14
openstackgerritMorgan Fainberg proposed openstack/keystone: Add validation that token method isn't needed in MFARules  https://review.openstack.org/42695902:14
morgandstanek: ^ this test02:14
morgandstanek: the new one. it succeeds randomly02:14
morganand fails most of the time02:14
morganlooks like in gate last round py27 and 35 passed but coverage db didn't02:15
morgani can't for the life of me figure out why02:15
morgandstanek: so... i am insanely confused here. it's like... the wsgi-test app is loading the wrong fernet keys sometimes?02:16
morganbecause when it fails i always have02:17
morganFailed to validate token02:17
morgan    Either [fernet_tokens] key_repository does not exist or Keystone does not have sufficient permission to access it: /etc/keystone/credential-keys02:17
morganand it is *only* this test i can get to fail this way.02:17
morganit fails more than it succeeds02:17
dstanekmorgan: does it fail locally for you?02:18
morganlocally i am seeing this02:18
morgannow it is failing once, then succeeding once, then failing once, then succeeding once02:18
morganin gate it passed p27,35 but not coverage.02:18
* morgan is baffled02:18
stevemarmorgan: i think your mucking around with the cleanup caused it02:19
morganstevemar: ?02:19
stevemarmorgan: in the test02:19
morganthe totp cleanup?02:19
morganthe fact that independant runs, it alternates between success and failure...02:19
morgani moved the cleanup to be more isolated so it should use normal cleanup now02:20
*** lucas_ has joined #openstack-keystone02:20
*** phalmos has joined #openstack-keystone02:20
stevemarlets see02:20
morganand when i put in an extra line of code...that does nothing in the main run... it always fails.02:22
morganthis type of stateful failure is ... annoying02:24
knikollafernet rotating keys maybe?02:26
morganin a single test?02:26
morganand now it is failing every time again.02:26
morganthe difference is i removed keystone.db02:26
morgannope that wasn't it02:27
morganit seems to be just rnadome timing02:27
*** lucas_ has quit IRC02:28
*** lucas_ has joined #openstack-keystone02:28
dstanekmorgan: it seems like the KeyRepository isn't overriding the directory or not early enough in the test02:29
morgandstanek: right?02:29
morgandstanek: except it works sometimes... and it is in the same place as other tests (in config_overrides()) which is hit before the apps are started02:29
morgani mean... maybe i should toss a sleep(4) into config_overrides02:30
*** lucas_ has quit IRC02:30
morgandstanek: interestingly if i add a blank exception line to the end of the test case (so i always see logs) it always fails to validate the token02:30
morgandstanek:  and it still claims it is loading keys for fernet from the temp dir.02:30
*** edmondsw has joined #openstack-keystone02:33
morganok this is being a schrodinger's bug now02:35
morgandstanek: anyway... any insight here would help02:36
dstanekmorgan: the test always fails for me02:36
morgansleep in config_overrides doesn't seem to help.02:36
morgandstanek: keep running it. i'm getting a ~20% success rate02:37
*** phalmos has quit IRC02:37
morganor so02:37
dstanekthe KeyRepository fixture mocks CONF.fernet.02:38
morganso you think the KeyRepository fixture is to blame?02:38
morganoooh also KeyRepository fixture doesn't cleanup the temp files02:39
dstaneki think you need to mock the CONF.credential.key_repository for this right?02:39
*** thorst_ has quit IRC02:39
morganoh wait... nvm02:39
*** browne has joined #openstack-keystone02:40
dstanekjust changing that string gives me a new error02:40
morganexcept that it sometimes succeeds....02:40
morganas is02:40
*** lucas_ has joined #openstack-keystone02:40
knikollai got 3 out of 3 failures02:40
dstaneki can't get it to succeed at all02:41
morganyeah i am getting it to fail a lot02:41
*** browne has quit IRC02:42
morgandstanek: with the failure you're seeing:     Failed to validate token02:42
morganit looks like the fernet keys are ... wrong somehow?02:43
* morgan considers making this a UUID test to see if it works02:43
morganlet me try that...02:43
*** lucas_ has quit IRC02:44
*** lucas_ has joined #openstack-keystone02:45
morgandstanek: w...h...a...t is going on02:46
morganeven if i set the provider to UUID it's loading the fernet stuff?!02:46
morganoh. ...02:46
morgani think we have a bug in the error code(s)02:46
morganbut it still wont validate the tokens02:47
morganeven as uuid?02:47
*** lucas_ has quit IRC02:47
morganstevemar: uhh02:47
morganstevemar: yep. someone copy/pasta'd error codes02:48
morganstevemar: no they used Fernet_utils and that has hard-coded strings for [fernet_tokens]02:49
morgan*rolls eyes*02:49
morganthat aside02:49
morganstill cannot validate the token, getting a Schrodinger's bug here, depending on how I look at it... it fails02:50
morgandstanek: ok so... even with UUID providers this isn't working02:50
*** phalmos has joined #openstack-keystone02:51
knikollait passed once, wow.02:58
morganknikolla: see why this is so frustrating?02:59
*** lucas_ has joined #openstack-keystone02:59
knikollamorgan: creating a scoped token in the first call makes it pass almost always.03:01
dstanekmorgan: the token isn't being validate for me because it's being revoked03:01
dstanek"if revoke_model.is_revoked(self.driver.list_events(token=token),03:01
dstanek" always failes03:01
*** phalmos has quit IRC03:03
morganwhy... is it being revoked sometimes?!03:03
dstanekmorgan: not sure yet. trying to dig in03:04
morganstevemar: *facepalm* someone half-baked the credential bit03:04
dstanekmorgan: find something?03:04
morgandstanek: different rabbit hole03:04
morgandstanek: trying to squash incorrect error messages i've discovered because of this.03:05
morgansince i need a break from the current bug for a moment while you look at it.03:05
morganmaybe fresh eyes will help, is my view03:05
morganstevemar: i'll have a fix for FernetUtils shortly03:06
morganstevemar: so it stops giving bogus errors03:06
*** catintheroof has quit IRC03:09
openstackgerritMorgan Fainberg proposed openstack/keystone: Fix bad error message from FernetUtils  https://review.openstack.org/42700403:11
*** catintheroof has joined #openstack-keystone03:11
morganstevemar: ^ *facepalms*03:11
morganthat is the annoying "wrong" option log error03:11
openstackgerritMorgan Fainberg proposed openstack/keystone: Fix bad error message from FernetUtils  https://review.openstack.org/42700403:11
* morgan gotes back to staring at the weird bug.03:11
morgandstanek: i figure it out03:13
morgandstanek: i know exactly why it is succeeding very limitedly03:13
*** lucas_ has quit IRC03:13
*** zzzeek has quit IRC03:13
morgandstanek: it is because revoke is called on update03:13
morganand the test suite is running fast03:13
morgani do an explicit update of the user, which issues a revoke03:14
morgandstanek: sometimes that is on the second barrier03:14
*** lucas_ has joined #openstack-keystone03:14
morgandstanek: most of the time it is not, the new token is revoked upon issuance03:14
*** agrebennikov__ has quit IRC03:14
*** zzzeek has joined #openstack-keystone03:15
morgandstanek: we may need to wedge a small bit of code that says that if a token is issued and revoked on issuance we increment it's issue time by 1s03:15
morgandstanek: *facepalm* anyyyyyyyyway03:15
*** catintheroof has quit IRC03:15
morgandstanek: thanks!03:15
morgani just needed a break for a second tot think about it03:15
knikollaeven if the update is issued before the token is created?03:15
*** phalmos has joined #openstack-keystone03:15
morgandstanek, knikolla: if you put a time.sleep(1) in right after the update, it'll succeed eveyr time03:15
stevemarnice one morgan03:16
morganknikolla: yes. because the resolution is 1s03:16
*** lucas_ has quit IRC03:16
morganstevemar: i'm going to put a wedge in that does a revoke check when we're about to issue a token, if it is revoked *on* issuance, we will increment the issued_at by 1s03:16
morganstevemar: and that should make user experience better overall03:16
stevemarhow is it ever revoked on issuance?03:17
morganif an update occurs, revoke is issues03:17
knikollamorgan: i see. revocation are a part of the code i've never really touched.03:17
morganrevoke has a revocation resoluton of 1s03:17
morganso, if a token is issued in the 1s that the revoke is created, it is revoked on issuance03:17
morgani bet we have some hiesenbugs lurking in keystone because of this03:18
dstanekmorgan: yeah, the token is created in the same second as it is revoked03:18
morganalso bad UX in fast acting servers03:18
morganlet me propose a fix to issue token03:18
* dstanek thinks some time needs frozen03:18
morgandstanek: i think this is a real production issue too03:18
morganin some cases03:18
morgandstanek: it would suck to ask for a token get one back and it's revoked the moment you use it03:19
morganbecause and update occured within the same second03:19
morganoh wait03:19
dstanekwhat is revoking it?03:19
knikollasurprised this wasn't picked up by prior tests03:19
morganthe updatE_user03:19
knikollaupdating mfa rules i assume03:20
morgandstanek: revocations suck. ugh03:20
dstanekmorgan: yep03:20
morgani think i'm going to just freeze time here. i'll need to circle back on the whole revocation engine now03:20
*** PramodJ has joined #openstack-keystone03:20
*** lucas_ has joined #openstack-keystone03:20
morgani think i need to store time in a non-time-y way to make UX better.03:20
* morgan has been thinking of storing time in a non-datetime column and non-time-specific format for a while (go all string iso860103:21
morgansince comparisons for it work *just fine*03:21
morganand in code always load it into a datetime object03:21
morganthough fernet might need some massaging too to make that work anyway... i'll just freeze time when the update occurs a few seconds earlier then unfreeze it before doing the MFA token checks for now03:22
*** lucas_ has quit IRC03:22
knikollaa bug should be created about this03:22
knikollabefore we forget03:22
*** pramodrj07 has quit IRC03:24
morganstevemar: hmmm.03:30
morgani think there is another bug.03:30
morganstevemar: yep.03:31
stevemari'm not sure if i like it that you're finding all these bugs03:31
morganuh... fix incoming03:31
morgani totally made a mistake03:31
*** stingaci has joined #openstack-keystone03:32
morganstevemar: ok i'll fix it in the next patch, i know what happened (I think)03:34
morganor rderose missed something, but in either case *oopse* will have it fixed03:34
*** stingaci has quit IRC03:37
*** PramodJ has quit IRC03:37
morganstevemar: somehow the pasword expiration is being triggered with a user_update in the past... even if password isn't being specified *wtf*?03:48
*** nicolasbock has quit IRC03:50
morganstevemar: oookay anyway... fixed.03:53
morganand not a bug03:54
openstackgerritMorgan Fainberg proposed openstack/keystone: Add validation that token method isn't needed in MFARules  https://review.openstack.org/42695903:57
morganlbragstad, stevemar, dstanek: ^ fixed test03:57
*** phalmos has quit IRC04:03
openstackgerritMerged openstack/keystone: Implement better validation for resource options  https://review.openstack.org/42643104:06
*** jose-phillips has quit IRC04:19
*** edmondsw has quit IRC04:19
stevemarmorgan: gahhh bunch of patches failed gate04:22
*** dave-mccowan has quit IRC04:26
*** edmondsw has joined #openstack-keystone04:34
*** thorst_ has joined #openstack-keystone04:40
morganstevemar: =/04:45
*** thorst_ has quit IRC04:45
morganstevemar: i'll come up with a release note-y thing for the mfa rules04:46
morganstevemar: and user docs, you said you'd do dev docs for the resource options?04:47
stevemarmorgan: yeah, i'll do them tomorrow-ish04:47
stevemarheading to bed soon04:47
morganstevemar: on the plus side... if you can convince someone to +2 the rest of the MFA things...we should be good04:48
morganstevemar: and we will have landed like everything :P04:49
stevemarmorgan: left comments on https://review.openstack.org/#/c/423548/04:53
stevemarmorgan: i'm twisting lbragstad's arm as much as i can!04:54
stevemarmorgan: i love https://review.openstack.org/#/c/426608/04:58
morganstevemar: check the 423548 again05:04
morganand i can address any comments/fix in a new patch as you see fit based upon what I said05:04
morganstevemar: haha, yea move all that common crap where it belongs05:05
morganstevemar: not in "controllers"05:05
morganif someone is extending authinfo or authcontext i might eat my hat05:05
morganit is so unlikely as those are so very specialized05:05
stevemarmorgan: skipping the parse would be nice, i think; but 99% of the time it's an empty comparison05:05
morganyeah. i think dropping the de-dupe would be the bigger win05:06
morganif parse see it is empty, it is almost a no-op anyway05:06
stevemarmorgan: i'm happy as-is, it was more of a few questions that i had05:07
morgansince parse does a "elif not rules: return rules"05:07
stevemarnothing against the code05:07
morgancoool. i think the de-dupe bit should be dropped tbh05:07
stevemarthe parsing is a bit funky05:07
stevemarcould used more comments05:07
morganwe break on the first matching ruleset anyway05:07
morgansince that is all we need05:07
stevemari've queued up the entire series05:08
morganan extra few rulesets barring someone like nate burton who might have tons of auth methods we don't know about05:08
stevemari'll leave it to lbragstad and dstanek to kick it through05:08
morganand complex sets of "if these methods to X but y for methods b,c,d"05:08
morgani'll toss a patch to drop the dedupe up05:08
morganand you can approve or not if you choose05:09
* stevemar yawns05:09
stevemarbed time05:09
*** dikonoor has joined #openstack-keystone05:11
openstackgerritMorgan Fainberg proposed openstack/keystone: Remove de-dupe for MFA Rule parsing.  https://review.openstack.org/42702605:16
morganstevemar: ^05:16
*** jrist has joined #openstack-keystone05:19
*** jose-phillips has joined #openstack-keystone05:42
*** adriant has quit IRC05:47
*** Jack_I has joined #openstack-keystone06:13
openstackgerritMerged openstack/keystone: Test cross domain authentication via implied roles  https://review.openstack.org/42281906:26
*** lucas_ has joined #openstack-keystone06:31
*** edmondsw has quit IRC06:39
*** thorst_ has joined #openstack-keystone06:41
*** adrian_otto has joined #openstack-keystone06:43
*** thorst_ has quit IRC06:46
*** spotz is now known as spotz_zzz06:46
*** lucas_ has quit IRC06:47
*** spotz_zzz is now known as spotz06:52
*** richm has joined #openstack-keystone07:01
*** rcernin has joined #openstack-keystone07:12
*** adrian_otto has quit IRC07:24
*** stingaci has joined #openstack-keystone07:33
*** stingaci has quit IRC07:38
*** phalmos has joined #openstack-keystone07:53
*** tesseract has joined #openstack-keystone07:54
*** MasterOfBugs has joined #openstack-keystone07:58
*** MasterOfBugs has quit IRC07:58
*** nkinder has joined #openstack-keystone08:18
*** aloga has quit IRC08:27
*** thorst_ has joined #openstack-keystone08:42
*** thorst_ has quit IRC08:48
*** zzzeek has quit IRC09:00
*** zzzeek has joined #openstack-keystone09:01
*** aloga has joined #openstack-keystone09:04
*** mvk has quit IRC09:24
*** dikonoor has quit IRC09:34
*** stingaci has joined #openstack-keystone09:35
*** stingaci has quit IRC09:39
*** itsuugo has joined #openstack-keystone09:51
itsuugohi guys, any clue how can I find the offending entry and delete it? My keystone is broken http://pastebin.com/dY2XGiLh09:52
itsuugothis happened after I added some users, I guess that some entry got bad populated in the mysql database and is making that all requests are failing with a 50309:53
*** richm has quit IRC09:54
*** mvk has joined #openstack-keystone09:55
*** lalit has joined #openstack-keystone10:18
*** stingaci has joined #openstack-keystone10:32
*** stingaci has quit IRC10:37
*** richm has joined #openstack-keystone10:38
*** thorst_ has joined #openstack-keystone10:44
*** thorst_ has quit IRC10:49
*** nkinder has quit IRC10:59
*** dmellado has quit IRC11:00
*** dmellado has joined #openstack-keystone11:03
*** lalit has quit IRC11:08
*** mvk has quit IRC11:10
*** nicolasbock has joined #openstack-keystone11:16
openstackgerritRodrigo Duarte proposed openstack/keystone: No need to enable infer_roles setting  https://review.openstack.org/42710911:17
*** mvk has joined #openstack-keystone11:23
*** dave-mccowan has joined #openstack-keystone12:06
rodrigodsmorgan, https://bugs.launchpad.net/keystone/+bug/1660603 so we don't forget about it :)12:06
openstackLaunchpad bug 1660603 in OpenStack Identity (keystone) "Difference in Implied Roles check API return code" [Undecided,New]12:06
*** nicolasbock has quit IRC12:06
*** catintheroof has joined #openstack-keystone12:22
*** nicolasbock has joined #openstack-keystone12:23
*** phalmos has quit IRC12:25
*** nkinder has joined #openstack-keystone12:30
*** thorst_ has joined #openstack-keystone12:35
stevemaritsuugo: have you been modifying the policy.json file? it looks like keystone cannot load it12:38
*** edmondsw has joined #openstack-keystone13:12
openstackgerritMerged openstack/keystone: Create user option `ignore_lockout_failure_attempts`  https://review.openstack.org/42422013:24
openstackgerritMerged openstack/keystone: cleanup release notes from PCI options  https://review.openstack.org/42646313:24
*** nkinder has quit IRC13:35
*** catinthe_ has joined #openstack-keystone13:36
*** catintheroof has quit IRC13:40
*** toddnni has quit IRC13:45
*** toddnni has joined #openstack-keystone13:48
*** cburgess has quit IRC13:48
*** cburgess has joined #openstack-keystone13:49
samueldmqmorning keystone13:56
*** lamt has joined #openstack-keystone13:58
*** nkinder has joined #openstack-keystone13:58
openstackgerritMerged openstack/keystone: Add MFA Rules and Enabled User options  https://review.openstack.org/41816614:03
openstackgerritMerged openstack/keystone: Auth Method Handlers now return a response object always  https://review.openstack.org/42095514:04
*** raildo has joined #openstack-keystone14:07
itsuugoyeah @stevemar , that was the cause, thx14:08
*** spzala has joined #openstack-keystone14:10
*** lucas_ has joined #openstack-keystone14:12
itsuugoshould be more descriptive the log error? it was very hard to pinpoint the problem14:13
*** lamt has quit IRC14:23
*** agrebennikov__ has joined #openstack-keystone14:27
*** lucas_ has quit IRC14:36
dstanekitsuugo: what did the log look like above that stacktrace?14:43
*** lamt has joined #openstack-keystone14:47
*** v1k0d3n has quit IRC14:49
*** v1k0d3n has joined #openstack-keystone14:50
*** stingaci has joined #openstack-keystone14:50
lbragstadmorgan were you able to figure out the token rescoping thing?14:51
*** lucas_ has joined #openstack-keystone14:57
lbragstadmorgan it looks like https://review.openstack.org/#/c/426959/3/keystone/tests/unit/test_v3_auth.py is passing14:59
morganlbragstad: yep15:01
morganlbragstad: freezegun issue with issues around revocations and fernet tokens being limited in time resolution15:01
morganlbragstad: all the stuff should be teed up for +2s15:03
morganand today will be docs and release note15:03
morganfor the MFA stuff15:03
lbragstadmorgan yeah - i'm working through the chain now15:03
morganand stevemar will be writing the dev docs for resource options15:03
morganftr: https://review.openstack.org/#/c/427026/ is optional, i offered it up but doesn't have to land15:04
morganit just simplifies some code.15:04
morganand eliminates a not-too-expensive-but-mostly-superfluous dedupe15:04
*** richm has quit IRC15:04
itsuugoI opened a bug https://bugs.launchpad.net/keystone/+bug/1660596, I put it as invalid, it has part of the stack trace dstanek15:05
openstackLaunchpad bug 1660596 in OpenStack Identity (keystone) "ValueError: Expecting property name enclosed in double quotes" [Undecided,Invalid]15:05
morganitsuugo: thanks for the update!15:06
morganitsuugo: appreaciate the follow up on the bug / marking as invalid once you had it fixed15:06
itsuugo:) you're welcome .15:07
*** adrian_otto has joined #openstack-keystone15:07
*** gitudaniel has joined #openstack-keystone15:08
knikollao/ morning15:11
*** nkinder has quit IRC15:13
*** adrian_otto has quit IRC15:14
gitudanielHello keystone, yesterday I asked a question that was missed since I asked it at a time when everyone was offline. I've gone through yesterdays logs and todays logs to make sure it wasn't answered in my absence. Do you mind if I ask it again. It deals with fernet_setup. Not sure if it's related to the issue morgan was facing though15:15
lbragstadgitudaniel go for it15:15
morganprobably different as mine was a test error15:15
morganbut please go for it :)15:16
gitudanielknikolla: I have a question for you it's more philosophical. Since its morning for you and evening for me. If I said good morning to you would you consider me to have lied?15:16
ayoungSamYaple, hey, looking through the Centos Docker file, I notice that you try to set up Apache etc using the Debian directory style.  Don't do that, you'll; mess up SELinux something fierce.15:16
gitudaniellbragstad: morgan: thanks here goes15:16
ayoungSamYaple, I'll have a Centos Standard style deploy for you in a little bit15:16
gitudanielon setting up the fernet using keystone-manage fernet_setup I get the error keystone.common.fernet_utils [-] Either [fernet_tokens] key_repository does not exist or kystone does not have sufficient permission to access it: /etc/keystone/fernet-keys/ while looking into it I came to15:17
gitudanielthe conclusion that since the development environment is being configured in a virtual environment it has no access to the host system so I tried sudo keystone-manage fernet_setup and got ImportError: No module named oslo_config. At this point I had noticed the etc folder within the repo that contains the keystone.conf file and I assumed that I could point to the config file using the15:17
gitudaniel--config-file PATH command. I ran the command keystone-manage –configfile PATH~/openstack/keystone/etc/keystone.conf and got keystone-manage: error: too few arguments. I then tried to specify the directory in which the .conf file is located by running keystone-manage --config-dir DIR~/openstack/keystone/etc it returns oslo_config.cfg.ConfigDirNotFoundError: Failed to read config file15:17
gitudanieldirectory: DIR~/openstack/keystone/etc/ where did I go wrong?15:17
lbragstadgitudaniel looks like you tried several things15:18
lbragstadgitudaniel i'd say we start at the top with the original error (keystone.common.fernet_utils [-] Either [fernet_tokens] key_repository does not exist or kystone does not have sufficient permission to access it: /etc/keystone/fernet-keys/)15:18
lbragstadgitudaniel this is a development environment, right?15:19
gitudanielyes, I did. I'm still finding my way around programming so I like to make sure I didn't overlook something before asking15:20
gitudaniellbragstad: yes it is15:20
knikollagitudaniel: i would consider that an alternative fact15:20
*** jaosorior has joined #openstack-keystone15:20
lbragstadgitudaniel cool - you have root access I imagine (judging that based on the fact your next attempt included sudo use)15:20
*** richm has joined #openstack-keystone15:21
*** nkinder has joined #openstack-keystone15:21
*** spilla has joined #openstack-keystone15:21
stevemarlbragstad: 2 more MFA patches: https://review.openstack.org/#/c/426959/ and https://review.openstack.org/#/c/426608/15:22
gitudaniellbragstad: yes I do15:22
lbragstadgitudaniel can you make sure the user you're running `keystone-manage fernet_setup` with has access to `/etc/keystone/fernet-keys`?15:23
lbragstadgitudaniel something like 2750 for permissions15:24
lbragstadstevemar sweet - looks like I've already reviewed the first one15:25
gitudaniellbragstad: I'm assuming the /etc/keystone/fernet-keys is supposed to be in my host etc directory.15:25
lbragstadgitudaniel well - it can be where ever you want it to be15:26
*** edtubill has joined #openstack-keystone15:26
lbragstadgitudaniel it can be in your user directory (~/ubuntu/keystone/fernet-keys/)15:26
lbragstadthe user running keystone and the user running `keystone-manage fernet_setup` just need to be able to read and write to that directory15:26
dstanekstevemar: can we still merge features?15:26
dstaneklbragstad: does the keystone user need write too?15:27
lbragstadgitudaniel and it needs to be updated in your keystone.conf15:27
gitudaniellbragstad: I can't find it in the etc directory the /etc/keystone/ directory15:27
*** gatuus has joined #openstack-keystone15:27
lbragstadgitudaniel are you specifying a value for key_repository in your keystone.conf?15:28
lbragstaddstanek who ever runs `keystone-manage fernet_setup` will need write access to the directory since that will write new keys to disk15:29
*** chris_hultin|AWA is now known as chris_hultin15:29
lbragstaddstanek same for `keystone-manage fernet_rotate`15:29
gitudaniellbragstad they keystone.conf I'm using is the one generated from best practices using the command cp /etc/keystone.conf.sample etc/keystone.conf15:29
dstanekgitudaniel:  the directory won't exist before fernet_setup15:29
lbragstadgitudaniel ok - so I bet you're using the default, which might not exist15:29
lbragstad`sudo mkdir /etc/keystone/fernet-keys/`15:30
dstaneklbragstad: right, the secure thing to do would be to not allow the user running the webserver to edit15:30
dstanekfernet_setup will create the directory if the user have permission to do so15:30
*** chris_hultin is now known as chris_hultin|AWA15:30
lbragstaddstanek ++ yeah, that would be more secure15:30
*** jaugustine has joined #openstack-keystone15:31
dstanekso if you don't already have the directory setup the the user running fernet_setup needs permission to create the directory15:31
lbragstadaha - yes15:32
lbragstadwhich ever user that is, they will need read and write access to the key_repository directory15:33
dstaneklbragstad: yep. so the user gitudaniel is using to run fernet_setup doesn't have permission to create the directory15:33
*** chris_hultin|AWA is now known as chris_hultin15:33
lbragstadyeah - that makes sense15:33
lbragstadif there is a separate user used to run keystone (like apache or something like that) that user should only need read access to that directory15:34
gitudanieldstanek: lbragstad: how do we ensure that because the LOG.error on line 82 of the fernet_utils.py file is what I'm getting15:34
lbragstad(in order to read the values of the keys to encrypt and decrypt things)15:34
dstanekgitudaniel: who owns /etc/keystone on your system and what user are you using to run the command?15:35
morgangitudaniel: this is a lot like SSL certificates for apache, you create the directory and give read access to apache even if it is owned by someone else. You don't want some compromise of apache to write bogus certificates- fernet keys are secrets used to encrypt the fernet (and sign) token15:35
lbragstadgitudaniel do you still have the environment up? Would you be able to run `keystone-manage fernet_setup` and provide the entire paste (using http://pasteraw.com/ or http://paste.openstack.org/ )?15:36
dstanekgitudaniel: for reference, i use root to do the fernet setup and rotation, and allow my apache user to read that directory15:37
dstanekgitudaniel: the default permissions won't allow apache to read so i fix that with ansible15:38
gitudanieldstanek: how do I find out who owns it I ran ls -l /etc/keystone and it returned total 015:39
*** richm has quit IRC15:39
dstanekgitudaniel: ls -l /etc | grep keystone15:39
dstanekgitudaniel: the command you are running shows the detailed listing inside /etc/keystone15:40
gitudaniellbragstad yes the environment is still set up let me do that15:40
gitudanieldstanek: this is what I get drwxr-xr-x  2 root root     4096 Jan 31 18:37 keystone15:40
*** richm has joined #openstack-keystone15:41
stevemardstanek: yep, we can still merge features as long as they were given an FFE15:41
dstanekgitudaniel: what user are you running the command with?15:41
dstanekstevemar: k, i'm assumning mfa is one of those things?15:41
stevemardstanek: yes, it was determined to be a priority at the summit, so it was an easy call to make15:42
dstanekstevemar: k, i'll look at those after this next meeting15:43
stevemardstanek: it also went through a re-architecture that lines up nicely, so really happy about that15:43
stevemardstanek: it's mostly been approved, but look at the topic15:43
stevemardstanek: it involved a bit of refactoring of the auth handlers, came out nice though15:43
*** catinthe_ has quit IRC15:45
gitudanielmorgan: this I'll have to rad up on a lot more on ssl certificates and apache. But yes I read up on fernet tokens so I can understand what you're saying15:47
gitudanielhere is the paste of what I get on running keystone-manage fernet_setup http://paste.openstack.org/show/597047/15:47
openstackgerritSamuel Pilla proposed openstack/keystone: Update endpoint api for optional region_id  https://review.openstack.org/42008515:48
gitudanieldstanek: how do I find out which user ran the command I ran grep -e "keystone-manage fernet_setup" /home/*/.bash_history and it gave me a list of the commands I ran here is the paste http://paste.openstack.org/show/597048/15:53
*** ravelar has joined #openstack-keystone15:53
morganlbragstad: responded to your comments on the new token not in MFA rules test15:55
morganlbragstad: but in short - no that test shouldn't have more validation. it is a token auth and should be only checking that auth occurs, we check rescope explicitly in other tests15:56
lbragstadgitudaniel checking15:56
gitudaniellbragstad: thanks15:56
*** richm has quit IRC15:58
* stevemar is trying to figure out the new expense tool and is super confused15:59
lbragstadgitudaniel from that trace it appears that https://github.com/openstack/keystone/blob/d4a1bbda0b29a8011416f83a4a9c5be32669ef2d/keystone/common/fernet_utils.py#L80 is failing15:59
lbragstadgitudaniel so what dstanek was saying would totally fix your issue16:00
dstanekgitudaniel: who are you logged in as?16:00
dstanekgitudaniel: if you don't know then you can run 'whoami'16:00
gitudanieldstanek: i ran that I'm logged in as the usual user. That is grenouille I don't have multiple users16:01
dstanekgitudaniel: are you trying to setup a system to test with? or a prodution like system?16:02
gitudanieldstanek: a system to test with so that I can understand the codebase16:02
*** rcernin has quit IRC16:04
*** richm has joined #openstack-keystone16:10
*** richm has quit IRC16:10
*** richm has joined #openstack-keystone16:13
*** richm has quit IRC16:14
gitudaniellbragstad: where dstanek was talking about using root to do fernet setup and rotation and allowing his apache user to read that directory using ansible since default permissions won't allow apache to read16:15
*** d0ugal has quit IRC16:16
*** d0ugal has joined #openstack-keystone16:17
*** d0ugal has quit IRC16:17
*** d0ugal has joined #openstack-keystone16:17
*** nkinder has quit IRC16:19
SamYapleayoung: i didnt write the centos piece. that was portdiect. I am happy with whatever is "proper" and "official" in these files16:19
*** richm has joined #openstack-keystone16:20
*** adrian_otto has joined #openstack-keystone16:24
*** nkinder has joined #openstack-keystone16:25
*** richm has left #openstack-keystone16:31
*** richm has joined #openstack-keystone16:31
morganlbragstad, stevemar: fixing all the new MFA tests they are subject to the same ... "issue" with update/freeze16:41
openstackgerritSamuel de Medeiros Queiroz proposed openstack/python-keystoneclient: Add support for endpoint group CRUD  https://review.openstack.org/41726316:46
samueldmqjamielennox: stevemar: ^ now includes functional tests. not really a priority at this points, just a heads up16:46
*** spzala has quit IRC16:47
*** spzala has joined #openstack-keystone16:48
openstackgerritMorgan Fainberg proposed openstack/keystone: Process and validate auth methods against MFA rules  https://review.openstack.org/42354816:48
morganlbragstad, stevemar: ^ fix16:49
stevemarmorgan: re-approved16:50
morganstevemar: rebasing now16:50
morganother ones16:50
openstackgerritMorgan Fainberg proposed openstack/keystone: Add validation that token method isn't needed in MFARules  https://review.openstack.org/42695916:52
openstackgerritMorgan Fainberg proposed openstack/keystone: Add validation for mfa rule validator (storage)  https://review.openstack.org/42695516:52
*** spzala has quit IRC16:52
openstackgerritMorgan Fainberg proposed openstack/keystone: Cleanup TODO about auth.controller code moved to core  https://review.openstack.org/42660716:52
openstackgerritMorgan Fainberg proposed openstack/keystone: Cleanup TODO, AuthContext and AuthInfo to auth.core  https://review.openstack.org/42660816:52
openstackgerritSteve Martinelli proposed openstack/keystone: Add comment to clarify resource-options jsonschema  https://review.openstack.org/42660416:52
morganstevemar: ok there we go16:53
morganshould be all rebased16:53
stevemarlbragstad: samueldmq two more need approvals: https://review.openstack.org/#/c/426959/ and https://review.openstack.org/#/c/426608/16:53
openstackgerritRichard Avelar proposed openstack/keystone: Extend User API to support federated attributes  https://review.openstack.org/42644916:56
*** mriedem has joined #openstack-keystone16:56
*** tesseract has quit IRC16:56
mriedemstevemar: are you aware of anything still using this OS_NO_CACHE env var? http://git.openstack.org/cgit/openstack-dev/devstack/tree/openrc#n5616:56
mriedemlooks like dead code on master, lots of things setting it, nothing using it http://codesearch.openstack.org/?q=OS_NO_CACHE&i=nope&files=&repos=16:57
morganmriedem: i hope no one is using that16:57
morganmriedem: it should be dead. it was transitional16:57
mriedemok i'll start the funeral planning16:58
*** itsuugo has quit IRC17:00
* morgan goes to write a release note and some docs.17:04
*** lamt has quit IRC17:08
*** lamt has joined #openstack-keystone17:11
*** browne has joined #openstack-keystone17:13
*** lucas_ has quit IRC17:23
openstackgerritRichard Avelar proposed openstack/keystone: Api-refs for extending user api for fed attributes  https://review.openstack.org/42732017:33
samueldmqstevemar: done with one, looking at the other17:33
openstackgerritRichard Avelar proposed openstack/keystone: Extend User API to support federated attributes  https://review.openstack.org/42644917:36
openstackgerritMorgan Fainberg proposed openstack/keystone: Add MFA Rules Release Note  https://review.openstack.org/42732817:37
morganstevemar: ^17:37
* morgan wonders if he can rope someone to translate that release note into real docs too17:38
openstackgerritRichard Avelar proposed openstack/keystone: Api-refs for extending user api for fed attributes  https://review.openstack.org/42732017:38
*** lamt has quit IRC17:39
ayoungSamYaple, https://adam.younglogic.com/2017/01/functional-keystone-docker/17:40
ayoungSamYaple, I'm still working towards a Kubernetes deploy, though17:41
*** richm has quit IRC17:42
SamYapleayoung: cool. though, i would encourage you to do this with official images17:43
*** adrian_otto has quit IRC17:43
ayoungSamYaple, when I get there.  There is too much noise right now for me to do that.  I need to understand what is happening at the DOcker, Network, K8S, Config and Database layers before I can do that17:44
ayoungOnce I get it, I'll contribute back, if  portdiect  doesn't grab it first17:44
SamYaplei meant official like mariadb images17:45
SamYaplerather than rolling your own17:45
*** nkinder has quit IRC17:46
*** jaugustine has quit IRC17:46
ayoungSamYaple, oh, I used official Mariadb.  Just not official HTTPD17:47
ayoungSamYaple, longer term it should be Gallera anyway17:47
SamYapleoh i see 1127467c0b2b        mariadb:latest17:47
*** ravelar has quit IRC17:48
*** ravelar has joined #openstack-keystone17:48
SamYaplemariadb:10.1 has galera baked in17:48
SamYaplethats what i use17:48
morgantopol: poke17:48
morgantopol: you should read https://review.openstack.org/#/c/427328/1/releasenotes/notes/MFA-Rules-User-Options-Added-feb95fd907be4b40.yaml and let me know if it covers everything17:49
*** jose-phillips has quit IRC17:52
*** gatuus has quit IRC17:53
*** lucas_ has joined #openstack-keystone17:54
*** mvk has quit IRC17:54
*** catintheroof has joined #openstack-keystone17:55
*** richm has joined #openstack-keystone17:56
*** lamt has joined #openstack-keystone17:57
openstackgerritMorgan Fainberg proposed openstack/keystone: Add MFA Rules Release Note  https://review.openstack.org/42732817:57
morgantopol: ^ actually... here that one17:57
*** jamielennox is now known as jamielennox|away17:58
*** jaugustine has joined #openstack-keystone17:58
stevemarping agrebennikov, amakarov, annakoppad, antwash, ayoung, bknudson, breton, browne, chrisplo, crinkle, davechen, dolphm, dstanek, edmondsw, edtubill, gagehugo, gyee, henrynash, hrybacki, jamielennox, jaugustine, jgrassler, knikolla, lamt, lbragstad, kbaikov, ktychkova, morgan, nishaYadav, nkinder, notmorgan, raildo, ravelar, rderose, rodrigods, roxanaghe, samueldmq, shaleh, spilla, srwilkers, StefanPaetowJisc18:00
stevemar, stevemar, topol, portdirect, SamYaple18:00
*** jaugustine_ has joined #openstack-keystone18:02
*** jaugustine_ has quit IRC18:03
*** jaugustine_ has joined #openstack-keystone18:04
*** jaugustine_ has quit IRC18:07
*** jperry has joined #openstack-keystone18:10
portdirectayoung: the reason for bringing in the debian dir style was that a number of deploy tools expect it - happy to dump that if its a blocker for you, though if you get it up to scratch that'd be even better :)18:10
*** henrynash has joined #openstack-keystone18:11
*** ChanServ sets mode: +v henrynash18:11
ayoungportdirect, I'm working through a deploy myself using docker then k8s.  Once I "get it", i can loop back around and help.  But, yeah, its not going to fly long term to try and manage RPM based systems with Debian based assumptions.  We need to meet in the middle. I can help there18:12
portdirectayoung: sounds great, i knew it was a short-term hack - but if you can help with a solution that gives the best of both world that would be fantastic18:15
*** browne has quit IRC18:15
ayoungportdirect, start is here: https://adam.younglogic.com/2017/01/functional-keystone-docker/18:15
*** stingaci has quit IRC18:15
*** richm has quit IRC18:18
portdirectayoung: nice - that looks great - when it comes to getting a k8s workflow I should be able to help there18:20
ayoungportdirect, I'm still setting up kubernetes.  I'll bug you in a bit, but it won't be long18:20
*** tqtran has joined #openstack-keystone18:23
*** jlk has quit IRC18:26
*** gitudaniel has quit IRC18:27
*** mvk has joined #openstack-keystone18:28
*** spzala has joined #openstack-keystone18:44
*** browne has joined #openstack-keystone18:54
stevemarcrinkle: lbragstad morgan o/19:00
stevemarso this fix needs to land in ocata19:00
morganso. yeah we should make sure if federated users have a domain we provide it19:00
lbragstadwow - that meeting went quick!19:00
ayounglbragstad, was autoprovisioning  implemented?19:00
morganif that is fixing the formatter, yay, easy19:00
lbragstadayoung yes19:00
ayoungthat should let them get into Horizon19:01
stevemarcrinkle: it blows up because it goes to v2 because of no domain stuff right?19:01
crinklestevemar: there's really a few problems i think19:01
lbragstada user - even a shadow user - should now belong to a domain (and by default that should be the domain of the IdP) thanks to all the work rderose did19:01
crinkleone of them is that novaclient is trying to rescope the token even though the user is already logged in19:02
morganthat should be a safe thing to do19:02
morgansilly in some cases19:02
morganbut safe19:02
crinklethe problem isn't just getting the domain into horizon it's how horizon passes it on to the clients and what they do with it19:02
morganso if we provided domain info for you for federated users, always19:03
morgancould you fix horizon?19:03
morganthen keep chasing down the path of other projects/clients (though it should be "easy-ish" at that point if anything19:03
crinklei'm not really sure right now, my horizon expertise is pretty limited19:04
morganmy guess is if domain info is there, it'll work like any v3 user19:04
morganno more v2 fallback19:04
morganbut that is a guess at best19:04
rodrigodsdo we still have keystone/horizon meetings?19:05
lbragstadrodrigods we do19:05
lbragstadrodrigods we didn't last week because r1chardj0n3s was on vacation and we were swamped with last minute keystone things19:06
*** jaugustine_ has joined #openstack-keystone19:06
rodrigodsnot having websso working is a huge regression :(19:08
crinklemorgan: i think my confusion is that horizon should already have the domain info because it used it to log the user in initially, but it's not storing it in the request - here is where we would need it http://paste.openstack.org/show/596933/19:10
morgancrinkle: horizon leans on the token info19:11
morganif the token doesn't have domain info in the user data, it might get wonky19:11
rodrigodsit can fetch the user info anyways?19:11
rodrigodswith the domain_id?19:11
morganrodrigods: admin. but user info is in the token body19:11
david-lylecrinkle: what domain info??19:12
david-lylewe store the domain scoped token in the session19:12
rodrigodsso I think it is just matter of getting the token from the session with the domain_id?19:13
crinklenovaclient specifically wants the project domain info and it's getting None for those values http://git.openstack.org/cgit/openstack/python-novaclient/tree/novaclient/client.py#n13719:14
*** jaugustine_ has quit IRC19:14
rodrigodscrinkle, hmm19:15
morganyeah i think we just need to pass the data from the token and/or horizon.19:15
morganit also depends on if horizon is set to use v3 or v219:16
morganif it's set to use v2....19:16
rodrigodsthe project domain_id should also be in the token, right?19:16
morgannot a lot we can do19:16
morganrodrigods: yes19:16
*** stingaci has joined #openstack-keystone19:16
morganrodrigods: iirc19:16
* morgan checks19:16
crinklemorgan: in my setup it's set to use v319:17
*** lamt has quit IRC19:17
rodrigodsmorgan, not the domain_id, but the project_id19:17
morganrodrigods: yes.19:17
rodrigodswhich novaclient doesn't need, if the project_id is provided19:17
morganit should be in the project scope information19:17
morganif it exists19:17
*** jaosorior has quit IRC19:18
morganand domain name19:18
*** jaosorior has joined #openstack-keystone19:18
rodrigodsso the token should be enough19:18
*** stingaci has quit IRC19:20
openstackgerritMerged openstack/keystone: Auth Plugins pass data back via AuthHandlerResponse  https://review.openstack.org/42291219:20
stevemarback in a bit19:21
*** jaugustine has quit IRC19:22
*** jaugustine has joined #openstack-keystone19:23
dstaneki hate meetings19:24
ravelarrodrigods trying to understand comment on https://review.openstack.org/#/c/427018/19:26
*** jaugustine has quit IRC19:27
rodrigodsravelar, replying there19:27
*** pcaruana has quit IRC19:31
*** MasterOfBugs has joined #openstack-keystone19:35
*** jaugustine has joined #openstack-keystone19:44
*** adrian_otto has joined #openstack-keystone19:46
*** adrian_otto has quit IRC19:46
*** jose-phillips has joined #openstack-keystone19:53
morganbreton: so.19:57
morganbreton: we can talk about trusts now a bit more19:57
morganbreton: with SAML2 we cannot assert anything beyond the life of the assertion19:58
morganbaffle: but we can create trusts that exist for the life of the assertion19:58
morganbreton: (not baffle)19:58
morganbreton: with OIDC and other mechanisms it is possible to look at the grant itself and expect communication about a revocation and/or verify the token19:59
morganbreton: but likewise the easiest is for the "lifespan" of the authorization.19:59
morganwe cannot really do indefinite trusts.20:00
morganwe can setup the feedback system for federated auth, but this is not really super well supported20:00
*** jaugustine has quit IRC20:02
*** lamt has joined #openstack-keystone20:02
*** jaugustine has joined #openstack-keystone20:02
morganstevemar: ^ cc20:07
*** pramodrj07 has joined #openstack-keystone20:07
stevemarmorgan: seems like the cafe's spotty wifi made me miss things, what are you cc'ing ^ ?20:09
morganstevemar: oh breton trust things20:09
stevemarlet me read the logs20:09
morganit's not interactive20:10
morgani can just re-type20:10
morganbasically saml2, we can only create trusts that last as long as the assertion does (or a fixed session window)20:10
bretonstevemar: in your private messages20:10
*** MasterOfBugs has quit IRC20:10
morganwith other federation we can use more active validation(s) but it is easiest to construct the same model20:10
morgantime-bounded as an active "session"20:10
morganwe can re-fresh the session as long as a login occurs20:11
morganbut similar to most web-apps we need to set bounds on how long these can last20:11
bretonthat sounds good to me. Add users to groups with expiration?20:11
morgannope, trust itself would have expiration20:11
morgansince we already have that technology20:11
stevemaroh right, trusts can be time-bombed20:12
morganyou still want the trustor to actively be granting to the trustee20:12
bretonok. How do we pass saml expiration to trust creation?20:12
bretonor trust usage20:12
morganwe will probably need to extract the expiration *or* we just set an option in keystone.conf20:12
morganthat says "federated trusts last for X <period>"20:12
morgan(and zero/indefinite is not allowed)20:12
morganand we would need to store the extra trust data since the group etc info is not persisted20:13
morganwhich would be an expansion of the trust tables.20:13
morgansince adding shadowing of the assertion data as not-ocata20:13
stevemari'm assuming this won't happen in ocata - since we're still hashing things out and it's a problem that has existed before ocata20:13
morganif we opt for shadowing assertion-data we can set a "last refreshed time" and make it work like a session that expires without a re-login every-so-often20:14
morganso 2 ways to do this:20:14
morgan1) Link into trust expirations20:14
morgan2) make federated logins have a "session" like mechanism20:14
morganand trusts can last as long as there is a valid "session"20:14
morganwith option 1 we can either extract the data from the assertion/response from the idp. OR we cna make ti a fixed window in keystone.conf20:15
morgananything that makes indefinite trusts on ephemeral data is a no-go (short story)20:15
bretoni am a federated user, i authenticate and get keystone token20:15
morganbreton: if that helps you out. we should build a spec for the preferred model20:15
morganwith option 1, trusts would need to be re-created when they expire20:16
morganwith option 2, we in theory could just extend the session on successful re-login....20:16
morganFWIW, this all feels like breaking federation horribly20:16
bretonthen i go to trust creation. How does trust_api knows about data from assertion?20:16
morgansince in reality keystone is proxying IDP stuffs20:16
morganbreton: we'd need to add the assertion expriation to the token datA?20:16
morganor something similar so the trust api could consume it20:17
morganopenstack is a bit weird on this front because really keystone is both an IDP, SP, and IDP Proxy20:17
morganwith federated logins we're doing that last thing20:17
*** stingaci has joined #openstack-keystone20:17
morganand then when you add trusts, we're doring another federated like grant on federated supplied data... this is not how federated auth *typically* works20:18
morganusually in this case keystone would have all local users and the idp would supply only AuthN20:18
bretoni agree20:18
morganand perhaps hints for some authz (aka admin_allowed) but all authz data would be supplied from keystone20:19
morganall *real*20:19
morganit would make it a lot easier if we pushed towards where keystone was the authorizing source and the idp was simply an authn provider20:19
morganwe could still auto-create users, even with templates (*yay resource-specific options*)20:20
morganbut the authz could be 100% held in keystone20:20
bretonanother issue is trusts usage. On usage keystone checks that the user still has roles in project.20:20
morganthen the issue is mitigated in a number of ways. the downside is that deletion from the IDP needs reconcilliation20:21
morganright hence the move towards everything being based on local users and federation just maps AuthN to <user> in keystone20:21
morganwould be the most complete/secure/proper setup20:22
morgansince then keystone is the SP only (ignore the rest of openstack pretending it is the IDP)20:22
stevemardolphm: o/20:23
*** stingaci has quit IRC20:23
dolphmstevemar: o/20:23
bretonmorgan: but how do we solve trusts usage now or in pike?20:23
breton*trust usage issue20:23
stevemardolphm: you had volunteered to look at https://bugs.launchpad.net/keystone/+bug/1636495 -- but i'm guessing you haven't yet :)20:24
openstackLaunchpad bug 1636495 in OpenStack Identity (keystone) "Failures during db_sync --contract during Mitaka to Newton (live) upgrade" [High,Confirmed]20:24
morganin ocata, this is likely not sovable20:24
morganin pike we could implement this.20:24
*** jaugustine has quit IRC20:24
morganin pike most of this would be doable, even the complex options20:25
stevemardolphm: since the failure is based off of someone running rally to pound keystone during the upgrade i'm inclined to lower the severity...20:26
dolphmstevemar: i have & am -- just haven't repro'd anything yet20:26
dolphmstevemar: well, that's exactly the kind of failure triggers should be guarding against20:27
stevemardolphm: ah, no news is bad news, dang it20:27
stevemardolphm: right20:27
stevemardolphm: we need tests for this :|20:28
dolphmstevemar: i read through the migrations and they look correct to me (situation should not be possible), so all i've got left is to try to repro20:28
dolphmstevemar: yeah, we've got several people working to have grenade exercise multinode zero downtime upgrades for each project20:29
dolphmstevemar: and actually test for zero downtime20:29
*** lucas_ has quit IRC20:29
* morgan makes hand-wavy remarks about triggers being notoriously hard to debug.20:29
dolphmmorgan: agree20:29
morganand being inconsistent20:29
*** lucas_ has joined #openstack-keystone20:29
morganhence why they are not used in MySQL (in Oracle they are rock solid)20:30
*** lamt has quit IRC20:30
morganand likewise in MSSQL20:30
morganno idea bout pgsql20:30
*** stingaci has joined #openstack-keystone20:30
morganand in sqlite... uh wut?!20:30
dolphmthey do work in sqlite, but they're not as fully implemented, of course :P20:30
morganyeah, i view SQLite as "oh looks it's cute, you want something relational...but ... sortof half-assed in most cases"20:31
morgan[it's fine for a single user application]20:31
*** lamt has joined #openstack-keystone20:31
dolphmi.e. mobile apps20:32
morganor even things like say gertty20:32
morganthough i think gertty is pushing the limits20:32
* morgan likes getting access to SQLite in mobile apps and messing with the data...especially games20:32
morgani am not surprised there are oddities with triggers and upgrades in mysql with load.20:33
morgani also can't offer much help debugging it20:33
*** jaugustine has joined #openstack-keystone20:41
*** jaugustine has quit IRC20:44
stevemarrodrigods: we will have to fix the implied role status code mis-match in pike20:45
stevemarrodrigods: once we implement microversions20:45
stevemarwhich i'll be advocating that we do in pike20:45
*** jaugustine has joined #openstack-keystone20:45
*** dave-mccowan has quit IRC20:46
*** henrynash has quit IRC20:46
*** adrian_otto has joined #openstack-keystone20:54
*** lamt has quit IRC20:56
*** jaugustine has quit IRC21:00
*** edmondsw has quit IRC21:05
openstackgerritRichard Avelar proposed openstack/keystone: Extend User API to support federated attributes  https://review.openstack.org/42644921:09
*** ravelar has quit IRC21:16
*** jaugustine has joined #openstack-keystone21:18
*** adriant has joined #openstack-keystone21:18
*** lamt has joined #openstack-keystone21:18
*** jaosorior has quit IRC21:23
*** henrynash has joined #openstack-keystone21:29
*** ChanServ sets mode: +v henrynash21:29
openstackgerritMorgan Fainberg proposed openstack/keystone: Add MFA Rules Release Note  https://review.openstack.org/42732821:30
morganspilla: ^ answered comments21:31
morgansamueldmq: https://review.openstack.org/#/c/426959/ we can add the bug (if one) after the fact, but this comment is replicated in the other tests21:32
morgansamueldmq: if you wouldn't mind pushing that through21:32
morganlbragstad: we can expand on comments here https://review.openstack.org/#/c/427026/ any time.21:32
lbragstadmorgan that patch looks like it needs to be rebased21:35
openstackgerritMorgan Fainberg proposed openstack/keystone: Remove de-dupe for MFA Rule parsing.  https://review.openstack.org/42702621:36
morganlbragstad: a +a would have probably still worked since it was clean rebasable.21:36
*** ravelar has joined #openstack-keystone21:36
lbragstadmorgan thanks21:37
morganlbragstad: also your eyes on https://review.openstack.org/#/c/426959/ wouldn't hurt.21:37
morganlbragstad: should be straight forward. and that will clear out all hte MFA patches except the release note21:37
morganwhich stevemar is on the hook to determine if it ineeds to be paired down21:38
morganlbragstad: pared*21:38
stevemarmorgan: :)21:38
*** catintheroof has quit IRC21:38
*** catintheroof has joined #openstack-keystone21:38
morganstevemar: now it's babysitting + release note21:39
*** catintheroof has quit IRC21:39
*** Jack_I has quit IRC21:39
*** ravelar1 has joined #openstack-keystone21:47
morganstevemar: it's a bit late but i realized i should have passed back in the exception for MFA Rules what options are needed so horizon can act on it.21:47
morganstevemar: we can do that in pike easily21:48
*** martinlopes has quit IRC21:49
*** martinlopes has joined #openstack-keystone21:49
*** ravelar1 has quit IRC21:51
*** jaosorior has joined #openstack-keystone21:55
*** richm has joined #openstack-keystone21:55
*** ravelar has quit IRC21:55
*** thorst_ has quit IRC22:00
stevemarmorgan: minor cleanup for mfa rel note for consistency please22:00
*** edmondsw has joined #openstack-keystone22:02
*** lucas_ has quit IRC22:04
*** chris_hultin is now known as chris_hultin|AWA22:05
stevemarmorgan: nice replies lol22:05
spillaagreed :)22:05
*** catintheroof has joined #openstack-keystone22:05
*** catintheroof has quit IRC22:05
*** catintheroof has joined #openstack-keystone22:06
*** lamt has quit IRC22:06
openstackgerritMorgan Fainberg proposed openstack/keystone: Add MFA Rules Release Note  https://review.openstack.org/42732822:07
stevemarmorgan: time to see if theres a diff needed in our sample config22:07
*** lucas_ has joined #openstack-keystone22:08
*** lucas_ has quit IRC22:09
openstackgerritSteve Martinelli proposed openstack/keystone: update keystone.conf.sample for ocata-rc  https://review.openstack.org/42748322:10
*** catintheroof has quit IRC22:11
stevemarlbragstad: morgan easy +2/+A ^22:13
*** edmondsw has quit IRC22:13
*** lamt has joined #openstack-keystone22:14
morganstevemar: self approve it! dooooo eeeeet!22:15
*** jamielennox|away is now known as jamielennox22:15
stevemareh, we have people around22:15
lbragstadstevemar checking22:16
*** edmondsw has joined #openstack-keystone22:17
lbragstadstevemar your version has more changes in it than what I have locally22:18
* lbragstad shrug22:19
lbragstadall i did  was tox -e genconfig22:19
* stevemar shrugs back at lbragstad22:19
*** johndperkins has joined #openstack-keystone22:19
stevemarare you using an old .tox env?22:19
lbragstadstevemar recreating it now22:19
*** thorst_ has joined #openstack-keystone22:20
*** nkinder has joined #openstack-keystone22:23
*** thorst_ has quit IRC22:25
*** richm has quit IRC22:25
morganstevemar: did you base it on the MFA patches?22:26
morgani mean. it shouldn't matter22:26
morganbut... for posterity22:26
*** jaugustine has quit IRC22:27
*** edmondsw has quit IRC22:28
*** edmondsw has joined #openstack-keystone22:28
*** edmondsw has quit IRC22:29
*** edmondsw has joined #openstack-keystone22:29
*** spilla has quit IRC22:32
*** lamt has quit IRC22:33
*** lamt has joined #openstack-keystone22:34
*** edmondsw has quit IRC22:34
samueldmqmorgan: just got back, just checked and I don't need to look at it again, it's been approved22:37
morgansamueldmq: hehe22:38
*** adrian_otto has quit IRC22:43
*** phalmos has joined #openstack-keystone22:44
*** thorst_ has joined #openstack-keystone22:45
*** henrynash has quit IRC22:47
*** spzala has quit IRC22:56
*** phalmos has quit IRC22:57
*** markvoelker_ has joined #openstack-keystone22:58
*** markvoelker has quit IRC22:58
*** phalmos has joined #openstack-keystone23:00
*** phalmos has quit IRC23:00
*** edtubill has quit IRC23:02
stevemarmorgan: shouldn't be required..23:06
*** jperry has quit IRC23:10
*** adrian_otto has joined #openstack-keystone23:18
*** mriedem has left #openstack-keystone23:20
*** jperry has joined #openstack-keystone23:21
openstackgerritGage Hugo proposed openstack/keystone: WIP Fix multiple uuid warnings with pycadf  https://review.openstack.org/42641123:23
*** phalmos has joined #openstack-keystone23:38
*** dave-mccowan has joined #openstack-keystone23:43
*** lamt has quit IRC23:49
*** adrian_otto has quit IRC23:50
*** martinlopes has quit IRC23:51
*** henrynash has joined #openstack-keystone23:52
*** ChanServ sets mode: +v henrynash23:52
*** martinlopes has joined #openstack-keystone23:53

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!