Tuesday, 2017-01-31

*** lamt has quit IRC		00:01
*** gatuus has joined #openstack-keystone		00:01
*** jrist has quit IRC		00:02
openstackgerrit	Eric Brown proposed openstack/keystone: Use https for docs.openstack.org references https://review.openstack.org/426944	00:05
*** wasmum has joined #openstack-keystone		00:07
*** jose-phillips has quit IRC		00:29
*** jose-phillips has joined #openstack-keystone		00:30
*** jamielennox is now known as jamielennox\|away		00:58
*** catintheroof has quit IRC		01:02
*** lucas_ has joined #openstack-keystone		01:03
*** gatuus has quit IRC		01:07
morgan	dstanek: =/ i think we broke a validation bit in our tests to ensure load_backends is only ever called once.	01:09
*** jamielennox\|away is now known as jamielennox		01:12
morgan	lbragstad: oh man i am down a rabbit hole... but it looks like the fernet token repository isn't being set properly for one of the apps	01:12
morgan	...	01:12
*** thorst_ has joined #openstack-keystone		01:16
morgan	my test is seeing: Either [fernet_tokens] key_repository does not exist or Keystone does not have sufficient permission to access it: /etc/keystone/credential-keys/	01:17
morgan	this should not be the case	01:17
*** jaosorior has quit IRC		01:17
*** tqtran has quit IRC		01:25
*** tqtran has joined #openstack-keystone		01:27
*** lucas_ has quit IRC		01:30
*** tqtran has quit IRC		01:32
*** dims has quit IRC		01:35
*** dims_ has joined #openstack-keystone		01:35
*** lucas_ has joined #openstack-keystone		01:37
*** catintheroof has joined #openstack-keystone		01:37
*** catintheroof has quit IRC		01:37
*** catintheroof has joined #openstack-keystone		01:37
*** dims_ has quit IRC		01:42
*** dims has joined #openstack-keystone		01:42
*** edmondsw has joined #openstack-keystone		01:43
*** edmondsw has quit IRC		01:43
*** edmondsw has joined #openstack-keystone		01:43
*** lucas_ has quit IRC		01:47
*** edmondsw has quit IRC		01:47
*** masber has quit IRC		01:52
*** edmondsw has joined #openstack-keystone		01:52
*** browne has quit IRC		01:59
knikolla	/o\	02:04
*** edmondsw has quit IRC		02:04
*** edmondsw has joined #openstack-keystone		02:05
dstanek	morgan: what do you mean?	02:09
*** edmondsw has quit IRC		02:09
morgan	dstanek: unrelated.	02:10
morgan	dstanek: well ffs i just ran into a hiesenbug	02:11
morgan	looks like i found a race in our unit test framework	02:11
dstanek	what's the race?	02:12
*** chris_hultin is now known as chris_hultin\|AWA		02:13
morgan	oh FFS....	02:13
morgan	now it wont fail at all	02:13
morgan	ugh	02:14
morgan	what the ..............	02:14
morgan	or it wont succeed	02:14
openstackgerrit	Morgan Fainberg proposed openstack/keystone: Add validation that token method isn't needed in MFARules https://review.openstack.org/426959	02:14
morgan	dstanek: ^ this test	02:14
morgan	dstanek: the new one. it succeeds randomly	02:14
morgan	and fails most of the time	02:14
morgan	looks like in gate last round py27 and 35 passed but coverage db didn't	02:15
morgan	i can't for the life of me figure out why	02:15
morgan	dstanek: so... i am insanely confused here. it's like... the wsgi-test app is loading the wrong fernet keys sometimes?	02:16
morgan	because when it fails i always have	02:17
morgan	Failed to validate token	02:17
morgan	Either [fernet_tokens] key_repository does not exist or Keystone does not have sufficient permission to access it: /etc/keystone/credential-keys	02:17
morgan	and it is only this test i can get to fail this way.	02:17
morgan	it fails more than it succeeds	02:17
dstanek	morgan: does it fail locally for you?	02:18
morgan	yep	02:18
morgan	locally i am seeing this	02:18
morgan	now it is failing once, then succeeding once, then failing once, then succeeding once	02:18
morgan	in gate it passed p27,35 but not coverage.	02:18
* morgan is baffled		02:18
stevemar	hehe	02:19
stevemar	morgan: i think your mucking around with the cleanup caused it	02:19
morgan	stevemar: ?	02:19
stevemar	morgan: in the test	02:19
morgan	the totp cleanup?	02:19
morgan	the fact that independant runs, it alternates between success and failure...	02:19
morgan	i moved the cleanup to be more isolated so it should use normal cleanup now	02:20
*** lucas_ has joined #openstack-keystone		02:20
*** phalmos has joined #openstack-keystone		02:20
stevemar	lets see	02:20
morgan	and when i put in an extra line of code...that does nothing in the main run... it always fails.	02:22
morgan	this type of stateful failure is ... annoying	02:24
knikolla	fernet rotating keys maybe?	02:26
morgan	in a single test?	02:26
morgan	and now it is failing every time again.	02:26
morgan	the difference is i removed keystone.db	02:26
morgan	nope that wasn't it	02:27
morgan	it seems to be just rnadome timing	02:27
*** lucas_ has quit IRC		02:28
*** lucas_ has joined #openstack-keystone		02:28
dstanek	morgan: it seems like the KeyRepository isn't overriding the directory or not early enough in the test	02:29
morgan	dstanek: right?	02:29
morgan	dstanek: except it works sometimes... and it is in the same place as other tests (in config_overrides()) which is hit before the apps are started	02:29
morgan	i mean... maybe i should toss a sleep(4) into config_overrides	02:30
*** lucas_ has quit IRC		02:30
morgan	dstanek: interestingly if i add a blank exception line to the end of the test case (so i always see logs) it always fails to validate the token	02:30
morgan	dstanek: and it still claims it is loading keys for fernet from the temp dir.	02:30
*** edmondsw has joined #openstack-keystone		02:33
morgan	ok this is being a schrodinger's bug now	02:35
morgan	dstanek: anyway... any insight here would help	02:36
dstanek	morgan: the test always fails for me	02:36
morgan	sleep in config_overrides doesn't seem to help.	02:36
morgan	dstanek: keep running it. i'm getting a ~20% success rate	02:37
*** phalmos has quit IRC		02:37
morgan	or so	02:37
dstanek	the KeyRepository fixture mocks CONF.fernet.	02:38
morgan	ugh	02:38
morgan	so you think the KeyRepository fixture is to blame?	02:38
morgan	oooh also KeyRepository fixture doesn't cleanup the temp files	02:39
dstanek	i think you need to mock the CONF.credential.key_repository for this right?	02:39
*** thorst_ has quit IRC		02:39
morgan	oh wait... nvm	02:39
morgan	really?	02:39
*** browne has joined #openstack-keystone		02:40
dstanek	just changing that string gives me a new error	02:40
morgan	except that it sometimes succeeds....	02:40
morgan	as is	02:40
*** lucas_ has joined #openstack-keystone		02:40
knikolla	i got 3 out of 3 failures	02:40
dstanek	i can't get it to succeed at all	02:41
morgan	yeah i am getting it to fail a lot	02:41
*** browne has quit IRC		02:42
morgan	dstanek: with the failure you're seeing: Failed to validate token	02:42
morgan	right?	02:42
dstanek	yes	02:42
morgan	it looks like the fernet keys are ... wrong somehow?	02:43
* morgan considers making this a UUID test to see if it works		02:43
morgan	let me try that...	02:43
*** lucas_ has quit IRC		02:44
*** lucas_ has joined #openstack-keystone		02:45
morgan	dstanek: w...h...a...t is going on	02:46
morgan	even if i set the provider to UUID it's loading the fernet stuff?!	02:46
morgan	oh. ...	02:46
morgan	i think we have a bug in the error code(s)	02:46
morgan	but it still wont validate the tokens	02:47
morgan	even as uuid?	02:47
*** lucas_ has quit IRC		02:47
morgan	stevemar: uhh	02:47
morgan	stevemar: yep. someone copy/pasta'd error codes	02:48
stevemar	nice	02:48
morgan	stevemar: no they used Fernet_utils and that has hard-coded strings for [fernet_tokens]	02:49
morgan	rolls eyes	02:49
morgan	annnnyway	02:49
morgan	that aside	02:49
morgan	still cannot validate the token, getting a Schrodinger's bug here, depending on how I look at it... it fails	02:50
morgan	dstanek: ok so... even with UUID providers this isn't working	02:50
*** phalmos has joined #openstack-keystone		02:51
knikolla	it passed once, wow.	02:58
morgan	knikolla: see why this is so frustrating?	02:59
*** lucas_ has joined #openstack-keystone		02:59
knikolla	morgan: creating a scoped token in the first call makes it pass almost always.	03:01
dstanek	morgan: the token isn't being validate for me because it's being revoked	03:01
dstanek	"if revoke_model.is_revoked(self.driver.list_events(token=token),	03:01
dstanek	" always failes	03:01
dstanek	*fails	03:01
*** phalmos has quit IRC		03:03
morgan	why... is it being revoked sometimes?!	03:03
morgan	blink	03:03
dstanek	morgan: not sure yet. trying to dig in	03:04
morgan	stevemar: facepalm someone half-baked the credential bit	03:04
dstanek	morgan: find something?	03:04
morgan	dstanek: different rabbit hole	03:04
dstanek	kk	03:04
morgan	dstanek: trying to squash incorrect error messages i've discovered because of this.	03:05
morgan	since i need a break from the current bug for a moment while you look at it.	03:05
morgan	maybe fresh eyes will help, is my view	03:05
morgan	stevemar: i'll have a fix for FernetUtils shortly	03:06
morgan	stevemar: so it stops giving bogus errors	03:06
*** catintheroof has quit IRC		03:09
openstackgerrit	Morgan Fainberg proposed openstack/keystone: Fix bad error message from FernetUtils https://review.openstack.org/427004	03:11
*** catintheroof has joined #openstack-keystone		03:11
morgan	stevemar: ^ facepalms	03:11
morgan	anyway	03:11
morgan	that is the annoying "wrong" option log error	03:11
openstackgerrit	Morgan Fainberg proposed openstack/keystone: Fix bad error message from FernetUtils https://review.openstack.org/427004	03:11
* morgan gotes back to staring at the weird bug.		03:11
morgan	dstanek: i figure it out	03:13
morgan	figured*	03:13
morgan	dstanek: i know exactly why it is succeeding very limitedly	03:13
*** lucas_ has quit IRC		03:13
*** zzzeek has quit IRC		03:13
morgan	dstanek: it is because revoke is called on update	03:13
morgan	and the test suite is running fast	03:13
morgan	i do an explicit update of the user, which issues a revoke	03:14
morgan	dstanek: sometimes that is on the second barrier	03:14
*** lucas_ has joined #openstack-keystone		03:14
morgan	dstanek: most of the time it is not, the new token is revoked upon issuance	03:14
*** agrebennikov__ has quit IRC		03:14
*** zzzeek has joined #openstack-keystone		03:15
morgan	dstanek: we may need to wedge a small bit of code that says that if a token is issued and revoked on issuance we increment it's issue time by 1s	03:15
morgan	dstanek: facepalm anyyyyyyyyway	03:15
*** catintheroof has quit IRC		03:15
morgan	dstanek: thanks!	03:15
morgan	i just needed a break for a second tot think about it	03:15
knikolla	even if the update is issued before the token is created?	03:15
*** phalmos has joined #openstack-keystone		03:15
morgan	dstanek, knikolla: if you put a time.sleep(1) in right after the update, it'll succeed eveyr time	03:15
stevemar	ahhh	03:15
stevemar	nice one morgan	03:16
morgan	knikolla: yes. because the resolution is 1s	03:16
*** lucas_ has quit IRC		03:16
morgan	stevemar: i'm going to put a wedge in that does a revoke check when we're about to issue a token, if it is revoked on issuance, we will increment the issued_at by 1s	03:16
morgan	stevemar: and that should make user experience better overall	03:16
stevemar	how is it ever revoked on issuance?	03:17
morgan	if an update occurs, revoke is issues	03:17
knikolla	morgan: i see. revocation are a part of the code i've never really touched.	03:17
morgan	revoke has a revocation resoluton of 1s	03:17
morgan	so, if a token is issued in the 1s that the revoke is created, it is revoked on issuance	03:17
morgan	i bet we have some hiesenbugs lurking in keystone because of this	03:18
dstanek	morgan: yeah, the token is created in the same second as it is revoked	03:18
morgan	also bad UX in fast acting servers	03:18
morgan	let me propose a fix to issue token	03:18
* dstanek thinks some time needs frozen		03:18
morgan	dstanek: i think this is a real production issue too	03:18
morgan	in some cases	03:18
morgan	dstanek: it would suck to ask for a token get one back and it's revoked the moment you use it	03:19
morgan	because and update occured within the same second	03:19
morgan	oh wait	03:19
dstanek	what is revoking it?	03:19
knikolla	surprised this wasn't picked up by prior tests	03:19
morgan	the updatE_user	03:19
knikolla	updating mfa rules i assume	03:20
morgan	dstanek: revocations suck. ugh	03:20
dstanek	morgan: yep	03:20
morgan	i think i'm going to just freeze time here. i'll need to circle back on the whole revocation engine now	03:20
*** PramodJ has joined #openstack-keystone		03:20
*** lucas_ has joined #openstack-keystone		03:20
morgan	i think i need to store time in a non-time-y way to make UX better.	03:20
* morgan has been thinking of storing time in a non-datetime column and non-time-specific format for a while (go all string iso8601		03:21
morgan	since comparisons for it work just fine	03:21
morgan	and in code always load it into a datetime object	03:21
morgan	though fernet might need some massaging too to make that work anyway... i'll just freeze time when the update occurs a few seconds earlier then unfreeze it before doing the MFA token checks for now	03:22
*** lucas_ has quit IRC		03:22
knikolla	a bug should be created about this	03:22
knikolla	before we forget	03:22
*** pramodrj07 has quit IRC		03:24
morgan	stevemar: hmmm.	03:30
morgan	i think there is another bug.	03:30
morgan	stevemar: yep.	03:31
morgan	oopse	03:31
stevemar	i'm not sure if i like it that you're finding all these bugs	03:31
morgan	uh... fix incoming	03:31
morgan	i totally made a mistake	03:31
*** stingaci has joined #openstack-keystone		03:32
morgan	stevemar: ok i'll fix it in the next patch, i know what happened (I think)	03:34
morgan	or rderose missed something, but in either case oopse will have it fixed	03:34
*** stingaci has quit IRC		03:37
*** PramodJ has quit IRC		03:37
morgan	stevemar: somehow the pasword expiration is being triggered with a user_update in the past... even if password isn't being specified wtf?	03:48
*** nicolasbock has quit IRC		03:50
morgan	stevemar: oookay anyway... fixed.	03:53
morgan	and not a bug	03:54
openstackgerrit	Morgan Fainberg proposed openstack/keystone: Add validation that token method isn't needed in MFARules https://review.openstack.org/426959	03:57
morgan	lbragstad, stevemar, dstanek: ^ fixed test	03:57
*** phalmos has quit IRC		04:03
openstackgerrit	Merged openstack/keystone: Implement better validation for resource options https://review.openstack.org/426431	04:06
*** jose-phillips has quit IRC		04:19
*** edmondsw has quit IRC		04:19
stevemar	morgan: gahhh bunch of patches failed gate	04:22
*** dave-mccowan has quit IRC		04:26
*** edmondsw has joined #openstack-keystone		04:34
*** thorst_ has joined #openstack-keystone		04:40
morgan	stevemar: =/	04:45
*** thorst_ has quit IRC		04:45
morgan	stevemar: i'll come up with a release note-y thing for the mfa rules	04:46
morgan	stevemar: and user docs, you said you'd do dev docs for the resource options?	04:47
stevemar	morgan: yeah, i'll do them tomorrow-ish	04:47
stevemar	heading to bed soon	04:47
morgan	stevemar: on the plus side... if you can convince someone to +2 the rest of the MFA things...we should be good	04:48
morgan	stevemar: and we will have landed like everything :P	04:49
stevemar	morgan: left comments on https://review.openstack.org/#/c/423548/	04:53
stevemar	morgan: i'm twisting lbragstad's arm as much as i can!	04:54
stevemar	morgan: i love https://review.openstack.org/#/c/426608/	04:58
morgan	stevemar: check the 423548 again	05:04
morgan	and i can address any comments/fix in a new patch as you see fit based upon what I said	05:04
morgan	stevemar: haha, yea move all that common crap where it belongs	05:05
morgan	stevemar: not in "controllers"	05:05
morgan	if someone is extending authinfo or authcontext i might eat my hat	05:05
morgan	it is so unlikely as those are so very specialized	05:05
stevemar	morgan: skipping the parse would be nice, i think; but 99% of the time it's an empty comparison	05:05
morgan	yeah. i think dropping the de-dupe would be the bigger win	05:06
morgan	if parse see it is empty, it is almost a no-op anyway	05:06
stevemar	morgan: i'm happy as-is, it was more of a few questions that i had	05:07
morgan	since parse does a "elif not rules: return rules"	05:07
stevemar	nothing against the code	05:07
morgan	coool. i think the de-dupe bit should be dropped tbh	05:07
stevemar	the parsing is a bit funky	05:07
stevemar	could used more comments	05:07
morgan	we break on the first matching ruleset anyway	05:07
morgan	since that is all we need	05:07
stevemar	yep	05:08
stevemar	i've queued up the entire series	05:08
morgan	an extra few rulesets barring someone like nate burton who might have tons of auth methods we don't know about	05:08
stevemar	i'll leave it to lbragstad and dstanek to kick it through	05:08
morgan	and complex sets of "if these methods to X but y for methods b,c,d"	05:08
morgan	i'll toss a patch to drop the dedupe up	05:08
morgan	and you can approve or not if you choose	05:09
stevemar	++	05:09
* stevemar yawns		05:09
stevemar	bed time	05:09
*** dikonoor has joined #openstack-keystone		05:11
openstackgerrit	Morgan Fainberg proposed openstack/keystone: Remove de-dupe for MFA Rule parsing. https://review.openstack.org/427026	05:16
morgan	stevemar: ^	05:16
*** jrist has joined #openstack-keystone		05:19
*** jose-phillips has joined #openstack-keystone		05:42
*** adriant has quit IRC		05:47
*** Jack_I has joined #openstack-keystone		06:13
openstackgerrit	Merged openstack/keystone: Test cross domain authentication via implied roles https://review.openstack.org/422819	06:26
*** lucas_ has joined #openstack-keystone		06:31
*** edmondsw has quit IRC		06:39
*** thorst_ has joined #openstack-keystone		06:41
*** adrian_otto has joined #openstack-keystone		06:43
*** thorst_ has quit IRC		06:46
*** spotz is now known as spotz_zzz		06:46
*** lucas_ has quit IRC		06:47
*** spotz_zzz is now known as spotz		06:52
*** richm has joined #openstack-keystone		07:01
*** rcernin has joined #openstack-keystone		07:12
*** adrian_otto has quit IRC		07:24
*** stingaci has joined #openstack-keystone		07:33
*** stingaci has quit IRC		07:38
*** phalmos has joined #openstack-keystone		07:53
*** tesseract has joined #openstack-keystone		07:54
*** MasterOfBugs has joined #openstack-keystone		07:58
*** MasterOfBugs has quit IRC		07:58
*** nkinder has joined #openstack-keystone		08:18
*** aloga has quit IRC		08:27
*** thorst_ has joined #openstack-keystone		08:42
*** thorst_ has quit IRC		08:48
*** zzzeek has quit IRC		09:00
*** zzzeek has joined #openstack-keystone		09:01
*** aloga has joined #openstack-keystone		09:04
*** mvk has quit IRC		09:24
*** dikonoor has quit IRC		09:34
*** stingaci has joined #openstack-keystone		09:35
*** stingaci has quit IRC		09:39
*** itsuugo has joined #openstack-keystone		09:51
itsuugo	hi guys, any clue how can I find the offending entry and delete it? My keystone is broken http://pastebin.com/dY2XGiLh	09:52
itsuugo	this happened after I added some users, I guess that some entry got bad populated in the mysql database and is making that all requests are failing with a 503	09:53
*** richm has quit IRC		09:54
*** mvk has joined #openstack-keystone		09:55
*** lalit has joined #openstack-keystone		10:18
*** stingaci has joined #openstack-keystone		10:32
*** stingaci has quit IRC		10:37
*** richm has joined #openstack-keystone		10:38
*** thorst_ has joined #openstack-keystone		10:44
*** thorst_ has quit IRC		10:49
*** nkinder has quit IRC		10:59
*** dmellado has quit IRC		11:00
*** dmellado has joined #openstack-keystone		11:03
*** lalit has quit IRC		11:08
*** mvk has quit IRC		11:10
*** nicolasbock has joined #openstack-keystone		11:16
openstackgerrit	Rodrigo Duarte proposed openstack/keystone: No need to enable infer_roles setting https://review.openstack.org/427109	11:17
*** mvk has joined #openstack-keystone		11:23
*** dave-mccowan has joined #openstack-keystone		12:06
rodrigods	morgan, https://bugs.launchpad.net/keystone/+bug/1660603 so we don't forget about it :)	12:06
openstack	Launchpad bug 1660603 in OpenStack Identity (keystone) "Difference in Implied Roles check API return code" [Undecided,New]	12:06
*** nicolasbock has quit IRC		12:06
*** catintheroof has joined #openstack-keystone		12:22
*** nicolasbock has joined #openstack-keystone		12:23
*** phalmos has quit IRC		12:25
*** nkinder has joined #openstack-keystone		12:30
*** thorst_ has joined #openstack-keystone		12:35
stevemar	itsuugo: have you been modifying the policy.json file? it looks like keystone cannot load it	12:38
*** edmondsw has joined #openstack-keystone		13:12
openstackgerrit	Merged openstack/keystone: Create user option `ignore_lockout_failure_attempts` https://review.openstack.org/424220	13:24
openstackgerrit	Merged openstack/keystone: cleanup release notes from PCI options https://review.openstack.org/426463	13:24
*** nkinder has quit IRC		13:35
*** catinthe_ has joined #openstack-keystone		13:36
*** catintheroof has quit IRC		13:40
*** toddnni has quit IRC		13:45
*** toddnni has joined #openstack-keystone		13:48
*** cburgess has quit IRC		13:48
*** cburgess has joined #openstack-keystone		13:49
samueldmq	morning keystone	13:56
*** lamt has joined #openstack-keystone		13:58
*** nkinder has joined #openstack-keystone		13:58
openstackgerrit	Merged openstack/keystone: Add MFA Rules and Enabled User options https://review.openstack.org/418166	14:03
openstackgerrit	Merged openstack/keystone: Auth Method Handlers now return a response object always https://review.openstack.org/420955	14:04
*** raildo has joined #openstack-keystone		14:07
itsuugo	yeah @stevemar , that was the cause, thx	14:08
*** spzala has joined #openstack-keystone		14:10
*** lucas_ has joined #openstack-keystone		14:12
itsuugo	should be more descriptive the log error? it was very hard to pinpoint the problem	14:13
*** lamt has quit IRC		14:23
*** agrebennikov__ has joined #openstack-keystone		14:27
*** lucas_ has quit IRC		14:36
dstanek	itsuugo: what did the log look like above that stacktrace?	14:43
*** lamt has joined #openstack-keystone		14:47
*** v1k0d3n has quit IRC		14:49
*** v1k0d3n has joined #openstack-keystone		14:50
*** stingaci has joined #openstack-keystone		14:50
lbragstad	morgan were you able to figure out the token rescoping thing?	14:51
*** lucas_ has joined #openstack-keystone		14:57
lbragstad	morgan it looks like https://review.openstack.org/#/c/426959/3/keystone/tests/unit/test_v3_auth.py is passing	14:59
morgan	lbragstad: yep	15:01
morgan	lbragstad: freezegun issue with issues around revocations and fernet tokens being limited in time resolution	15:01
lbragstad	ah	15:01
morgan	lbragstad: all the stuff should be teed up for +2s	15:03
morgan	and today will be docs and release note	15:03
morgan	for the MFA stuff	15:03
lbragstad	morgan yeah - i'm working through the chain now	15:03
morgan	:)	15:03
morgan	and stevemar will be writing the dev docs for resource options	15:03
morgan	ftr: https://review.openstack.org/#/c/427026/ is optional, i offered it up but doesn't have to land	15:04
morgan	it just simplifies some code.	15:04
morgan	and eliminates a not-too-expensive-but-mostly-superfluous dedupe	15:04
*** richm has quit IRC		15:04
lbragstad	ok	15:04
itsuugo	I opened a bug https://bugs.launchpad.net/keystone/+bug/1660596, I put it as invalid, it has part of the stack trace dstanek	15:05
openstack	Launchpad bug 1660596 in OpenStack Identity (keystone) "ValueError: Expecting property name enclosed in double quotes" [Undecided,Invalid]	15:05
morgan	itsuugo: thanks for the update!	15:06
morgan	itsuugo: appreaciate the follow up on the bug / marking as invalid once you had it fixed	15:06
itsuugo	:) you're welcome .	15:07
*** adrian_otto has joined #openstack-keystone		15:07
*** gitudaniel has joined #openstack-keystone		15:08
gitudaniel	o/	15:08
knikolla	o/ morning	15:11
*** nkinder has quit IRC		15:13
*** adrian_otto has quit IRC		15:14
gitudaniel	Hello keystone, yesterday I asked a question that was missed since I asked it at a time when everyone was offline. I've gone through yesterdays logs and todays logs to make sure it wasn't answered in my absence. Do you mind if I ask it again. It deals with fernet_setup. Not sure if it's related to the issue morgan was facing though	15:15
lbragstad	gitudaniel go for it	15:15
morgan	probably different as mine was a test error	15:15
morgan	but please go for it :)	15:16
gitudaniel	knikolla: I have a question for you it's more philosophical. Since its morning for you and evening for me. If I said good morning to you would you consider me to have lied?	15:16
ayoung	SamYaple, hey, looking through the Centos Docker file, I notice that you try to set up Apache etc using the Debian directory style. Don't do that, you'll; mess up SELinux something fierce.	15:16
gitudaniel	lbragstad: morgan: thanks here goes	15:16
ayoung	SamYaple, I'll have a Centos Standard style deploy for you in a little bit	15:16
gitudaniel	on setting up the fernet using keystone-manage fernet_setup I get the error keystone.common.fernet_utils [-] Either [fernet_tokens] key_repository does not exist or kystone does not have sufficient permission to access it: /etc/keystone/fernet-keys/ while looking into it I came to	15:17
gitudaniel	the conclusion that since the development environment is being configured in a virtual environment it has no access to the host system so I tried sudo keystone-manage fernet_setup and got ImportError: No module named oslo_config. At this point I had noticed the etc folder within the repo that contains the keystone.conf file and I assumed that I could point to the config file using the	15:17
gitudaniel	--config-file PATH command. I ran the command keystone-manage –configfile PATH~/openstack/keystone/etc/keystone.conf and got keystone-manage: error: too few arguments. I then tried to specify the directory in which the .conf file is located by running keystone-manage --config-dir DIR~/openstack/keystone/etc it returns oslo_config.cfg.ConfigDirNotFoundError: Failed to read config file	15:17
gitudaniel	directory: DIR~/openstack/keystone/etc/ where did I go wrong?	15:17
lbragstad	gitudaniel looks like you tried several things	15:18
lbragstad	gitudaniel i'd say we start at the top with the original error (keystone.common.fernet_utils [-] Either [fernet_tokens] key_repository does not exist or kystone does not have sufficient permission to access it: /etc/keystone/fernet-keys/)	15:18
lbragstad	gitudaniel this is a development environment, right?	15:19
gitudaniel	yes, I did. I'm still finding my way around programming so I like to make sure I didn't overlook something before asking	15:20
gitudaniel	lbragstad: yes it is	15:20
knikolla	gitudaniel: i would consider that an alternative fact	15:20
*** jaosorior has joined #openstack-keystone		15:20
lbragstad	gitudaniel cool - you have root access I imagine (judging that based on the fact your next attempt included sudo use)	15:20
*** richm has joined #openstack-keystone		15:21
*** nkinder has joined #openstack-keystone		15:21
*** spilla has joined #openstack-keystone		15:21
stevemar	lbragstad: 2 more MFA patches: https://review.openstack.org/#/c/426959/ and https://review.openstack.org/#/c/426608/	15:22
gitudaniel	lbragstad: yes I do	15:22
lbragstad	gitudaniel can you make sure the user you're running `keystone-manage fernet_setup` with has access to `/etc/keystone/fernet-keys`?	15:23
lbragstad	gitudaniel something like 2750 for permissions	15:24
lbragstad	stevemar sweet - looks like I've already reviewed the first one	15:25
gitudaniel	lbragstad: I'm assuming the /etc/keystone/fernet-keys is supposed to be in my host etc directory.	15:25
lbragstad	gitudaniel well - it can be where ever you want it to be	15:26
*** edtubill has joined #openstack-keystone		15:26
lbragstad	gitudaniel it can be in your user directory (~/ubuntu/keystone/fernet-keys/)	15:26
lbragstad	the user running keystone and the user running `keystone-manage fernet_setup` just need to be able to read and write to that directory	15:26
dstanek	stevemar: can we still merge features?	15:26
dstanek	lbragstad: does the keystone user need write too?	15:27
lbragstad	gitudaniel and it needs to be updated in your keystone.conf	15:27
gitudaniel	lbragstad: I can't find it in the etc directory the /etc/keystone/ directory	15:27
*** gatuus has joined #openstack-keystone		15:27
lbragstad	gitudaniel are you specifying a value for key_repository in your keystone.conf?	15:28
lbragstad	dstanek who ever runs `keystone-manage fernet_setup` will need write access to the directory since that will write new keys to disk	15:29
*** chris_hultin\|AWA is now known as chris_hultin		15:29
lbragstad	dstanek same for `keystone-manage fernet_rotate`	15:29
gitudaniel	lbragstad they keystone.conf I'm using is the one generated from best practices using the command cp /etc/keystone.conf.sample etc/keystone.conf	15:29
dstanek	gitudaniel: the directory won't exist before fernet_setup	15:29
lbragstad	gitudaniel ok - so I bet you're using the default, which might not exist	15:29
lbragstad	`sudo mkdir /etc/keystone/fernet-keys/`	15:30
dstanek	lbragstad: right, the secure thing to do would be to not allow the user running the webserver to edit	15:30
dstanek	fernet_setup will create the directory if the user have permission to do so	15:30
*** chris_hultin is now known as chris_hultin\|AWA		15:30
lbragstad	dstanek ++ yeah, that would be more secure	15:30
*** jaugustine has joined #openstack-keystone		15:31
dstanek	so if you don't already have the directory setup the the user running fernet_setup needs permission to create the directory	15:31
lbragstad	aha - yes	15:32
lbragstad	https://github.com/openstack/keystone/blob/d4a1bbda0b29a8011416f83a4a9c5be32669ef2d/keystone/common/fernet_utils.py#L80	15:32
lbragstad	which ever user that is, they will need read and write access to the key_repository directory	15:33
dstanek	lbragstad: yep. so the user gitudaniel is using to run fernet_setup doesn't have permission to create the directory	15:33
*** chris_hultin\|AWA is now known as chris_hultin		15:33
lbragstad	yeah - that makes sense	15:33
lbragstad	if there is a separate user used to run keystone (like apache or something like that) that user should only need read access to that directory	15:34
morgan	++	15:34
gitudaniel	dstanek: lbragstad: how do we ensure that because the LOG.error on line 82 of the fernet_utils.py file is what I'm getting	15:34
lbragstad	(in order to read the values of the keys to encrypt and decrypt things)	15:34
dstanek	gitudaniel: who owns /etc/keystone on your system and what user are you using to run the command?	15:35
morgan	gitudaniel: this is a lot like SSL certificates for apache, you create the directory and give read access to apache even if it is owned by someone else. You don't want some compromise of apache to write bogus certificates- fernet keys are secrets used to encrypt the fernet (and sign) token	15:35
lbragstad	gitudaniel do you still have the environment up? Would you be able to run `keystone-manage fernet_setup` and provide the entire paste (using http://pasteraw.com/ or http://paste.openstack.org/ )?	15:36
dstanek	gitudaniel: for reference, i use root to do the fernet setup and rotation, and allow my apache user to read that directory	15:37
dstanek	gitudaniel: the default permissions won't allow apache to read so i fix that with ansible	15:38
gitudaniel	dstanek: how do I find out who owns it I ran ls -l /etc/keystone and it returned total 0	15:39
*** richm has quit IRC		15:39
dstanek	gitudaniel: ls -l /etc \| grep keystone	15:39
dstanek	gitudaniel: the command you are running shows the detailed listing inside /etc/keystone	15:40
gitudaniel	lbragstad yes the environment is still set up let me do that	15:40
gitudaniel	dstanek: this is what I get drwxr-xr-x 2 root root 4096 Jan 31 18:37 keystone	15:40
*** richm has joined #openstack-keystone		15:41
stevemar	dstanek: yep, we can still merge features as long as they were given an FFE	15:41
dstanek	gitudaniel: what user are you running the command with?	15:41
dstanek	stevemar: k, i'm assumning mfa is one of those things?	15:41
stevemar	dstanek: yes, it was determined to be a priority at the summit, so it was an easy call to make	15:42
dstanek	stevemar: k, i'll look at those after this next meeting	15:43
stevemar	dstanek: it also went through a re-architecture that lines up nicely, so really happy about that	15:43
stevemar	dstanek: it's mostly been approved, but look at the topic	15:43
stevemar	dstanek: it involved a bit of refactoring of the auth handlers, came out nice though	15:43
*** catinthe_ has quit IRC		15:45
gitudaniel	morgan: this I'll have to rad up on a lot more on ssl certificates and apache. But yes I read up on fernet tokens so I can understand what you're saying	15:47
gitudaniel	here is the paste of what I get on running keystone-manage fernet_setup http://paste.openstack.org/show/597047/	15:47
openstackgerrit	Samuel Pilla proposed openstack/keystone: Update endpoint api for optional region_id https://review.openstack.org/420085	15:48
gitudaniel	dstanek: how do I find out which user ran the command I ran grep -e "keystone-manage fernet_setup" /home/*/.bash_history and it gave me a list of the commands I ran here is the paste http://paste.openstack.org/show/597048/	15:53
*** ravelar has joined #openstack-keystone		15:53
morgan	lbragstad: responded to your comments on the new token not in MFA rules test	15:55
morgan	lbragstad: but in short - no that test shouldn't have more validation. it is a token auth and should be only checking that auth occurs, we check rescope explicitly in other tests	15:56
lbragstad	gitudaniel checking	15:56
gitudaniel	lbragstad: thanks	15:56
*** richm has quit IRC		15:58
* stevemar is trying to figure out the new expense tool and is super confused		15:59
lbragstad	gitudaniel from that trace it appears that https://github.com/openstack/keystone/blob/d4a1bbda0b29a8011416f83a4a9c5be32669ef2d/keystone/common/fernet_utils.py#L80 is failing	15:59
lbragstad	gitudaniel so what dstanek was saying would totally fix your issue	16:00
dstanek	gitudaniel: who are you logged in as?	16:00
dstanek	gitudaniel: if you don't know then you can run 'whoami'	16:00
gitudaniel	dstanek: i ran that I'm logged in as the usual user. That is grenouille I don't have multiple users	16:01
dstanek	gitudaniel: are you trying to setup a system to test with? or a prodution like system?	16:02
gitudaniel	dstanek: a system to test with so that I can understand the codebase	16:02
*** rcernin has quit IRC		16:04
*** richm has joined #openstack-keystone		16:10
*** richm has quit IRC		16:10
*** richm has joined #openstack-keystone		16:13
*** richm has quit IRC		16:14
gitudaniel	lbragstad: where dstanek was talking about using root to do fernet setup and rotation and allowing his apache user to read that directory using ansible since default permissions won't allow apache to read	16:15
*** d0ugal has quit IRC		16:16
*** d0ugal has joined #openstack-keystone		16:17
*** d0ugal has quit IRC		16:17
*** d0ugal has joined #openstack-keystone		16:17
*** nkinder has quit IRC		16:19
SamYaple	ayoung: i didnt write the centos piece. that was portdiect. I am happy with whatever is "proper" and "official" in these files	16:19
*** richm has joined #openstack-keystone		16:20
*** adrian_otto has joined #openstack-keystone		16:24
*** nkinder has joined #openstack-keystone		16:25
*** richm has left #openstack-keystone		16:31
*** richm has joined #openstack-keystone		16:31
morgan	lbragstad, stevemar: fixing all the new MFA tests they are subject to the same ... "issue" with update/freeze	16:41
openstackgerrit	Samuel de Medeiros Queiroz proposed openstack/python-keystoneclient: Add support for endpoint group CRUD https://review.openstack.org/417263	16:46
samueldmq	jamielennox: stevemar: ^ now includes functional tests. not really a priority at this points, just a heads up	16:46
*** spzala has quit IRC		16:47
*** spzala has joined #openstack-keystone		16:48
openstackgerrit	Morgan Fainberg proposed openstack/keystone: Process and validate auth methods against MFA rules https://review.openstack.org/423548	16:48
morgan	lbragstad, stevemar: ^ fix	16:49
stevemar	morgan: re-approved	16:50
morgan	stevemar: rebasing now	16:50
morgan	other ones	16:50
stevemar	da	16:50
openstackgerrit	Morgan Fainberg proposed openstack/keystone: Add validation that token method isn't needed in MFARules https://review.openstack.org/426959	16:52
openstackgerrit	Morgan Fainberg proposed openstack/keystone: Add validation for mfa rule validator (storage) https://review.openstack.org/426955	16:52
*** spzala has quit IRC		16:52
openstackgerrit	Morgan Fainberg proposed openstack/keystone: Cleanup TODO about auth.controller code moved to core https://review.openstack.org/426607	16:52
openstackgerrit	Morgan Fainberg proposed openstack/keystone: Cleanup TODO, AuthContext and AuthInfo to auth.core https://review.openstack.org/426608	16:52
openstackgerrit	Steve Martinelli proposed openstack/keystone: Add comment to clarify resource-options jsonschema https://review.openstack.org/426604	16:52
morgan	stevemar: ok there we go	16:53
morgan	should be all rebased	16:53
stevemar	lbragstad: samueldmq two more need approvals: https://review.openstack.org/#/c/426959/ and https://review.openstack.org/#/c/426608/	16:53
openstackgerrit	Richard Avelar proposed openstack/keystone: Extend User API to support federated attributes https://review.openstack.org/426449	16:56
*** mriedem has joined #openstack-keystone		16:56
*** tesseract has quit IRC		16:56
mriedem	stevemar: are you aware of anything still using this OS_NO_CACHE env var? http://git.openstack.org/cgit/openstack-dev/devstack/tree/openrc#n56	16:56
mriedem	looks like dead code on master, lots of things setting it, nothing using it http://codesearch.openstack.org/?q=OS_NO_CACHE&i=nope&files=&repos=	16:57
morgan	mriedem: i hope no one is using that	16:57
morgan	mriedem: it should be dead. it was transitional	16:57
morgan	iirc	16:58
mriedem	ok i'll start the funeral planning	16:58
morgan	:)	16:58
*** itsuugo has quit IRC		17:00
* morgan goes to write a release note and some docs.		17:04
*** lamt has quit IRC		17:08
*** lamt has joined #openstack-keystone		17:11
*** browne has joined #openstack-keystone		17:13
*** lucas_ has quit IRC		17:23
openstackgerrit	Richard Avelar proposed openstack/keystone: Api-refs for extending user api for fed attributes https://review.openstack.org/427320	17:33
samueldmq	stevemar: done with one, looking at the other	17:33
openstackgerrit	Richard Avelar proposed openstack/keystone: Extend User API to support federated attributes https://review.openstack.org/426449	17:36
openstackgerrit	Morgan Fainberg proposed openstack/keystone: Add MFA Rules Release Note https://review.openstack.org/427328	17:37
morgan	stevemar: ^	17:37
* morgan wonders if he can rope someone to translate that release note into real docs too		17:38
openstackgerrit	Richard Avelar proposed openstack/keystone: Api-refs for extending user api for fed attributes https://review.openstack.org/427320	17:38
*** lamt has quit IRC		17:39
ayoung	SamYaple, https://adam.younglogic.com/2017/01/functional-keystone-docker/	17:40
ayoung	SamYaple, I'm still working towards a Kubernetes deploy, though	17:41
*** richm has quit IRC		17:42
SamYaple	ayoung: cool. though, i would encourage you to do this with official images	17:43
*** adrian_otto has quit IRC		17:43
ayoung	SamYaple, when I get there. There is too much noise right now for me to do that. I need to understand what is happening at the DOcker, Network, K8S, Config and Database layers before I can do that	17:44
ayoung	Once I get it, I'll contribute back, if portdiect doesn't grab it first	17:44
SamYaple	i meant official like mariadb images	17:45
SamYaple	rather than rolling your own	17:45
*** nkinder has quit IRC		17:46
*** jaugustine has quit IRC		17:46
ayoung	SamYaple, oh, I used official Mariadb. Just not official HTTPD	17:47
ayoung	SamYaple, longer term it should be Gallera anyway	17:47
SamYaple	oh i see 1127467c0b2b mariadb:latest	17:47
*** ravelar has quit IRC		17:48
*** ravelar has joined #openstack-keystone		17:48
SamYaple	mariadb:10.1 has galera baked in	17:48
SamYaple	thats what i use	17:48
morgan	topol: poke	17:48
morgan	topol: you should read https://review.openstack.org/#/c/427328/1/releasenotes/notes/MFA-Rules-User-Options-Added-feb95fd907be4b40.yaml and let me know if it covers everything	17:49
*** jose-phillips has quit IRC		17:52
*** gatuus has quit IRC		17:53
*** lucas_ has joined #openstack-keystone		17:54
*** mvk has quit IRC		17:54
*** catintheroof has joined #openstack-keystone		17:55
*** richm has joined #openstack-keystone		17:56
*** lamt has joined #openstack-keystone		17:57
openstackgerrit	Morgan Fainberg proposed openstack/keystone: Add MFA Rules Release Note https://review.openstack.org/427328	17:57
morgan	topol: ^ actually... here that one	17:57
*** jamielennox is now known as jamielennox\|away		17:58
*** jaugustine has joined #openstack-keystone		17:58
stevemar	ping agrebennikov, amakarov, annakoppad, antwash, ayoung, bknudson, breton, browne, chrisplo, crinkle, davechen, dolphm, dstanek, edmondsw, edtubill, gagehugo, gyee, henrynash, hrybacki, jamielennox, jaugustine, jgrassler, knikolla, lamt, lbragstad, kbaikov, ktychkova, morgan, nishaYadav, nkinder, notmorgan, raildo, ravelar, rderose, rodrigods, roxanaghe, samueldmq, shaleh, spilla, srwilkers, StefanPaetowJisc	18:00
stevemar	, stevemar, topol, portdirect, SamYaple	18:00
*** jaugustine_ has joined #openstack-keystone		18:02
portdirect	o/	18:02
*** jaugustine_ has quit IRC		18:03
*** jaugustine_ has joined #openstack-keystone		18:04
*** jaugustine_ has quit IRC		18:07
*** jperry has joined #openstack-keystone		18:10
portdirect	ayoung: the reason for bringing in the debian dir style was that a number of deploy tools expect it - happy to dump that if its a blocker for you, though if you get it up to scratch that'd be even better :)	18:10
*** henrynash has joined #openstack-keystone		18:11
*** ChanServ sets mode: +v henrynash		18:11
ayoung	portdirect, I'm working through a deploy myself using docker then k8s. Once I "get it", i can loop back around and help. But, yeah, its not going to fly long term to try and manage RPM based systems with Debian based assumptions. We need to meet in the middle. I can help there	18:12
portdirect	ayoung: sounds great, i knew it was a short-term hack - but if you can help with a solution that gives the best of both world that would be fantastic	18:15
*** browne has quit IRC		18:15
ayoung	portdirect, start is here: https://adam.younglogic.com/2017/01/functional-keystone-docker/	18:15
*** stingaci has quit IRC		18:15
*** richm has quit IRC		18:18
portdirect	ayoung: nice - that looks great - when it comes to getting a k8s workflow I should be able to help there	18:20
ayoung	portdirect, I'm still setting up kubernetes. I'll bug you in a bit, but it won't be long	18:20
*** tqtran has joined #openstack-keystone		18:23
*** jlk has quit IRC		18:26
*** gitudaniel has quit IRC		18:27
*** mvk has joined #openstack-keystone		18:28
*** spzala has joined #openstack-keystone		18:44
*** browne has joined #openstack-keystone		18:54
morgan	ooookay	19:00
stevemar	crinkle: lbragstad morgan o/	19:00
crinkle	o/	19:00
stevemar	so this fix needs to land in ocata	19:00
morgan	so. yeah we should make sure if federated users have a domain we provide it	19:00
lbragstad	wow - that meeting went quick!	19:00
ayoung	lbragstad, was autoprovisioning implemented?	19:00
morgan	if that is fixing the formatter, yay, easy	19:00
lbragstad	ayoung yes	19:00
ayoung	that should let them get into Horizon	19:01
stevemar	crinkle: it blows up because it goes to v2 because of no domain stuff right?	19:01
crinkle	stevemar: there's really a few problems i think	19:01
stevemar	oye	19:01
lbragstad	a user - even a shadow user - should now belong to a domain (and by default that should be the domain of the IdP) thanks to all the work rderose did	19:01
crinkle	one of them is that novaclient is trying to rescope the token even though the user is already logged in	19:02
morgan	that should be a safe thing to do	19:02
morgan	tbh	19:02
morgan	silly in some cases	19:02
stevemar	agreed	19:02
morgan	but safe	19:02
crinkle	the problem isn't just getting the domain into horizon it's how horizon passes it on to the clients and what they do with it	19:02
morgan	so if we provided domain info for you for federated users, always	19:03
morgan	could you fix horizon?	19:03
morgan	then keep chasing down the path of other projects/clients (though it should be "easy-ish" at that point if anything	19:03
crinkle	i'm not really sure right now, my horizon expertise is pretty limited	19:04
morgan	my guess is if domain info is there, it'll work like any v3 user	19:04
morgan	no more v2 fallback	19:04
morgan	but that is a guess at best	19:04
rodrigods	do we still have keystone/horizon meetings?	19:05
lbragstad	rodrigods we do	19:05
lbragstad	rodrigods we didn't last week because r1chardj0n3s was on vacation and we were swamped with last minute keystone things	19:06
stevemar	ughhhh	19:06
*** jaugustine_ has joined #openstack-keystone		19:06
rodrigods	not having websso working is a huge regression :(	19:08
crinkle	morgan: i think my confusion is that horizon should already have the domain info because it used it to log the user in initially, but it's not storing it in the request - here is where we would need it http://paste.openstack.org/show/596933/	19:10
morgan	crinkle: horizon leans on the token info	19:11
morgan	if the token doesn't have domain info in the user data, it might get wonky	19:11
rodrigods	it can fetch the user info anyways?	19:11
rodrigods	with the domain_id?	19:11
morgan	rodrigods: admin. but user info is in the token body	19:11
david-lyle	crinkle: what domain info??	19:12
david-lyle	we store the domain scoped token in the session	19:12
rodrigods	so I think it is just matter of getting the token from the session with the domain_id?	19:13
crinkle	novaclient specifically wants the project domain info and it's getting None for those values http://git.openstack.org/cgit/openstack/python-novaclient/tree/novaclient/client.py#n137	19:14
*** jaugustine_ has quit IRC		19:14
rodrigods	crinkle, hmm	19:15
morgan	yeah i think we just need to pass the data from the token and/or horizon.	19:15
morgan	it also depends on if horizon is set to use v3 or v2	19:16
morgan	if it's set to use v2....	19:16
rodrigods	the project domain_id should also be in the token, right?	19:16
morgan	not a lot we can do	19:16
morgan	rodrigods: yes	19:16
*** stingaci has joined #openstack-keystone		19:16
morgan	rodrigods: iirc	19:16
* morgan checks		19:16
crinkle	morgan: in my setup it's set to use v3	19:17
*** lamt has quit IRC		19:17
rodrigods	morgan, not the domain_id, but the project_id	19:17
morgan	rodrigods: yes.	19:17
rodrigods	which novaclient doesn't need, if the project_id is provided	19:17
morgan	https://www.irccloud.com/pastebin/Ex7unjxz/	19:17
morgan	it should be in the project scope information	19:17
morgan	if it exists	19:17
*** jaosorior has quit IRC		19:18
morgan	and domain name	19:18
morgan	https://www.irccloud.com/pastebin/wkj5vTAe/	19:18
rodrigods	cool	19:18
*** jaosorior has joined #openstack-keystone		19:18
rodrigods	so the token should be enough	19:18
morgan	yep	19:19
*** stingaci has quit IRC		19:20
openstackgerrit	Merged openstack/keystone: Auth Plugins pass data back via AuthHandlerResponse https://review.openstack.org/422912	19:20
stevemar	back in a bit	19:21
*** jaugustine has quit IRC		19:22
*** jaugustine has joined #openstack-keystone		19:23
dstanek	i hate meetings	19:24
ravelar	rodrigods trying to understand comment on https://review.openstack.org/#/c/427018/	19:26
*** jaugustine has quit IRC		19:27
rodrigods	ravelar, replying there	19:27
*** pcaruana has quit IRC		19:31
*** MasterOfBugs has joined #openstack-keystone		19:35
*** jaugustine has joined #openstack-keystone		19:44
*** adrian_otto has joined #openstack-keystone		19:46
*** adrian_otto has quit IRC		19:46
*** jose-phillips has joined #openstack-keystone		19:53
morgan	breton: so.	19:57
morgan	breton: we can talk about trusts now a bit more	19:57
morgan	breton: with SAML2 we cannot assert anything beyond the life of the assertion	19:58
morgan	baffle: but we can create trusts that exist for the life of the assertion	19:58
morgan	breton: (not baffle)	19:58
morgan	breton: with OIDC and other mechanisms it is possible to look at the grant itself and expect communication about a revocation and/or verify the token	19:59
morgan	breton: but likewise the easiest is for the "lifespan" of the authorization.	19:59
morgan	we cannot really do indefinite trusts.	20:00
morgan	we can setup the feedback system for federated auth, but this is not really super well supported	20:00
*** jaugustine has quit IRC		20:02
*** lamt has joined #openstack-keystone		20:02
*** jaugustine has joined #openstack-keystone		20:02
stevemar	o/	20:06
morgan	stevemar: ^ cc	20:07
*** pramodrj07 has joined #openstack-keystone		20:07
stevemar	morgan: seems like the cafe's spotty wifi made me miss things, what are you cc'ing ^ ?	20:09
morgan	stevemar: oh breton trust things	20:09
stevemar	let me read the logs	20:09
morgan	it's not interactive	20:10
morgan	i can just re-type	20:10
morgan	basically saml2, we can only create trusts that last as long as the assertion does (or a fixed session window)	20:10
breton	stevemar: in your private messages	20:10
*** MasterOfBugs has quit IRC		20:10
morgan	with other federation we can use more active validation(s) but it is easiest to construct the same model	20:10
morgan	time-bounded as an active "session"	20:10
morgan	we can re-fresh the session as long as a login occurs	20:11
morgan	but similar to most web-apps we need to set bounds on how long these can last	20:11
breton	that sounds good to me. Add users to groups with expiration?	20:11
morgan	nope, trust itself would have expiration	20:11
morgan	imo	20:11
morgan	since we already have that technology	20:11
stevemar	oh right, trusts can be time-bombed	20:12
morgan	you still want the trustor to actively be granting to the trustee	20:12
breton	ok. How do we pass saml expiration to trust creation?	20:12
breton	or trust usage	20:12
morgan	we will probably need to extract the expiration or we just set an option in keystone.conf	20:12
morgan	that says "federated trusts last for X <period>"	20:12
morgan	(and zero/indefinite is not allowed)	20:12
morgan	and we would need to store the extra trust data since the group etc info is not persisted	20:13
morgan	which would be an expansion of the trust tables.	20:13
morgan	since adding shadowing of the assertion data as not-ocata	20:13
stevemar	i'm assuming this won't happen in ocata - since we're still hashing things out and it's a problem that has existed before ocata	20:13
morgan	if we opt for shadowing assertion-data we can set a "last refreshed time" and make it work like a session that expires without a re-login every-so-often	20:14
morgan	so 2 ways to do this:	20:14
morgan	1) Link into trust expirations	20:14
morgan	2) make federated logins have a "session" like mechanism	20:14
morgan	and trusts can last as long as there is a valid "session"	20:14
morgan	with option 1 we can either extract the data from the assertion/response from the idp. OR we cna make ti a fixed window in keystone.conf	20:15
morgan	anything that makes indefinite trusts on ephemeral data is a no-go (short story)	20:15
breton	i am a federated user, i authenticate and get keystone token	20:15
morgan	breton: if that helps you out. we should build a spec for the preferred model	20:15
morgan	with option 1, trusts would need to be re-created when they expire	20:16
morgan	with option 2, we in theory could just extend the session on successful re-login....	20:16
morgan	FWIW, this all feels like breaking federation horribly	20:16
breton	then i go to trust creation. How does trust_api knows about data from assertion?	20:16
morgan	since in reality keystone is proxying IDP stuffs	20:16
morgan	breton: we'd need to add the assertion expriation to the token datA?	20:16
morgan	or something similar so the trust api could consume it	20:17
morgan	openstack is a bit weird on this front because really keystone is both an IDP, SP, and IDP Proxy	20:17
morgan	with federated logins we're doing that last thing	20:17
*** stingaci has joined #openstack-keystone		20:17
morgan	and then when you add trusts, we're doring another federated like grant on federated supplied data... this is not how federated auth typically works	20:18
morgan	usually in this case keystone would have all local users and the idp would supply only AuthN	20:18
breton	i agree	20:18
morgan	and perhaps hints for some authz (aka admin_allowed) but all authz data would be supplied from keystone	20:19
morgan	all real	20:19
morgan	it would make it a lot easier if we pushed towards where keystone was the authorizing source and the idp was simply an authn provider	20:19
morgan	we could still auto-create users, even with templates (yay resource-specific options)	20:20
morgan	but the authz could be 100% held in keystone	20:20
breton	another issue is trusts usage. On usage keystone checks that the user still has roles in project.	20:20
morgan	then the issue is mitigated in a number of ways. the downside is that deletion from the IDP needs reconcilliation	20:21
morgan	right hence the move towards everything being based on local users and federation just maps AuthN to <user> in keystone	20:21
morgan	would be the most complete/secure/proper setup	20:22
morgan	imo	20:22
morgan	since then keystone is the SP only (ignore the rest of openstack pretending it is the IDP)	20:22
stevemar	dolphm: o/	20:23
*** stingaci has quit IRC		20:23
dolphm	stevemar: o/	20:23
breton	morgan: but how do we solve trusts usage now or in pike?	20:23
breton	*trust usage issue	20:23
stevemar	dolphm: you had volunteered to look at https://bugs.launchpad.net/keystone/+bug/1636495 -- but i'm guessing you haven't yet :)	20:24
openstack	Launchpad bug 1636495 in OpenStack Identity (keystone) "Failures during db_sync --contract during Mitaka to Newton (live) upgrade" [High,Confirmed]	20:24
morgan	in ocata, this is likely not sovable	20:24
morgan	in pike we could implement this.	20:24
*** jaugustine has quit IRC		20:24
morgan	in pike most of this would be doable, even the complex options	20:25
stevemar	dolphm: since the failure is based off of someone running rally to pound keystone during the upgrade i'm inclined to lower the severity...	20:26
dolphm	stevemar: i have & am -- just haven't repro'd anything yet	20:26
dolphm	stevemar: well, that's exactly the kind of failure triggers should be guarding against	20:27
stevemar	dolphm: ah, no news is bad news, dang it	20:27
stevemar	dolphm: right	20:27
stevemar	dolphm: we need tests for this :\|	20:28
dolphm	stevemar: i read through the migrations and they look correct to me (situation should not be possible), so all i've got left is to try to repro	20:28
dolphm	stevemar: yeah, we've got several people working to have grenade exercise multinode zero downtime upgrades for each project	20:29
dolphm	stevemar: and actually test for zero downtime	20:29
*** lucas_ has quit IRC		20:29
* morgan makes hand-wavy remarks about triggers being notoriously hard to debug.		20:29
dolphm	morgan: agree	20:29
morgan	and being inconsistent	20:29
*** lucas_ has joined #openstack-keystone		20:29
morgan	hence why they are not used in MySQL (in Oracle they are rock solid)	20:30
*** lamt has quit IRC		20:30
morgan	and likewise in MSSQL	20:30
morgan	no idea bout pgsql	20:30
*** stingaci has joined #openstack-keystone		20:30
morgan	and in sqlite... uh wut?!	20:30
dolphm	they do work in sqlite, but they're not as fully implemented, of course :P	20:30
morgan	yeah, i view SQLite as "oh looks it's cute, you want something relational...but ... sortof half-assed in most cases"	20:31
morgan	[it's fine for a single user application]	20:31
*** lamt has joined #openstack-keystone		20:31
dolphm	i.e. mobile apps	20:32
morgan	yep	20:32
morgan	or even things like say gertty	20:32
dolphm	maaaybe	20:32
morgan	though i think gertty is pushing the limits	20:32
* morgan likes getting access to SQLite in mobile apps and messing with the data...especially games		20:32
morgan	i am not surprised there are oddities with triggers and upgrades in mysql with load.	20:33
morgan	i also can't offer much help debugging it	20:33
*** jaugustine has joined #openstack-keystone		20:41
*** jaugustine has quit IRC		20:44
stevemar	rodrigods: we will have to fix the implied role status code mis-match in pike	20:45
stevemar	rodrigods: once we implement microversions	20:45
stevemar	which i'll be advocating that we do in pike	20:45
*** jaugustine has joined #openstack-keystone		20:45
*** dave-mccowan has quit IRC		20:46
*** henrynash has quit IRC		20:46
*** adrian_otto has joined #openstack-keystone		20:54
*** lamt has quit IRC		20:56
*** jaugustine has quit IRC		21:00
*** edmondsw has quit IRC		21:05
openstackgerrit	Richard Avelar proposed openstack/keystone: Extend User API to support federated attributes https://review.openstack.org/426449	21:09
*** ravelar has quit IRC		21:16
*** jaugustine has joined #openstack-keystone		21:18
*** adriant has joined #openstack-keystone		21:18
*** lamt has joined #openstack-keystone		21:18
*** jaosorior has quit IRC		21:23
*** henrynash has joined #openstack-keystone		21:29
*** ChanServ sets mode: +v henrynash		21:29
openstackgerrit	Morgan Fainberg proposed openstack/keystone: Add MFA Rules Release Note https://review.openstack.org/427328	21:30
morgan	spilla: ^ answered comments	21:31
morgan	samueldmq: https://review.openstack.org/#/c/426959/ we can add the bug (if one) after the fact, but this comment is replicated in the other tests	21:32
morgan	samueldmq: if you wouldn't mind pushing that through	21:32
morgan	lbragstad: we can expand on comments here https://review.openstack.org/#/c/427026/ any time.	21:32
lbragstad	morgan that patch looks like it needs to be rebased	21:35
openstackgerrit	Morgan Fainberg proposed openstack/keystone: Remove de-dupe for MFA Rule parsing. https://review.openstack.org/427026	21:36
morgan	lbragstad: a +a would have probably still worked since it was clean rebasable.	21:36
*** ravelar has joined #openstack-keystone		21:36
morgan	anyway	21:36
morgan	there	21:36
lbragstad	morgan thanks	21:37
morgan	:)	21:37
morgan	lbragstad: also your eyes on https://review.openstack.org/#/c/426959/ wouldn't hurt.	21:37
morgan	lbragstad: should be straight forward. and that will clear out all hte MFA patches except the release note	21:37
morgan	which stevemar is on the hook to determine if it ineeds to be paired down	21:38
morgan	lbragstad: pared*	21:38
stevemar	morgan: :)	21:38
*** catintheroof has quit IRC		21:38
*** catintheroof has joined #openstack-keystone		21:38
morgan	stevemar: now it's babysitting + release note	21:39
*** catintheroof has quit IRC		21:39
*** Jack_I has quit IRC		21:39
*** ravelar1 has joined #openstack-keystone		21:47
morgan	stevemar: it's a bit late but i realized i should have passed back in the exception for MFA Rules what options are needed so horizon can act on it.	21:47
morgan	stevemar: we can do that in pike easily	21:48
*** martinlopes has quit IRC		21:49
*** martinlopes has joined #openstack-keystone		21:49
*** ravelar1 has quit IRC		21:51
*** jaosorior has joined #openstack-keystone		21:55
*** richm has joined #openstack-keystone		21:55
*** ravelar has quit IRC		21:55
*** thorst_ has quit IRC		22:00
stevemar	morgan: minor cleanup for mfa rel note for consistency please	22:00
*** edmondsw has joined #openstack-keystone		22:02
*** lucas_ has quit IRC		22:04
*** chris_hultin is now known as chris_hultin\|AWA		22:05
stevemar	morgan: nice replies lol	22:05
spilla	agreed :)	22:05
*** catintheroof has joined #openstack-keystone		22:05
*** catintheroof has quit IRC		22:05
*** catintheroof has joined #openstack-keystone		22:06
*** lamt has quit IRC		22:06
openstackgerrit	Morgan Fainberg proposed openstack/keystone: Add MFA Rules Release Note https://review.openstack.org/427328	22:07
stevemar	morgan: time to see if theres a diff needed in our sample config	22:07
*** lucas_ has joined #openstack-keystone		22:08
*** lucas_ has quit IRC		22:09
openstackgerrit	Steve Martinelli proposed openstack/keystone: update keystone.conf.sample for ocata-rc https://review.openstack.org/427483	22:10
*** catintheroof has quit IRC		22:11
stevemar	lbragstad: morgan easy +2/+A ^	22:13
*** edmondsw has quit IRC		22:13
*** lamt has joined #openstack-keystone		22:14
morgan	stevemar: self approve it! dooooo eeeeet!	22:15
*** jamielennox\|away is now known as jamielennox		22:15
stevemar	eh, we have people around	22:15
lbragstad	stevemar checking	22:16
*** edmondsw has joined #openstack-keystone		22:17
lbragstad	stevemar your version has more changes in it than what I have locally	22:18
* lbragstad shrug		22:19
lbragstad	all i did was tox -e genconfig	22:19
* stevemar shrugs back at lbragstad		22:19
*** johndperkins has joined #openstack-keystone		22:19
stevemar	are you using an old .tox env?	22:19
lbragstad	stevemar recreating it now	22:19
*** thorst_ has joined #openstack-keystone		22:20
*** nkinder has joined #openstack-keystone		22:23
*** thorst_ has quit IRC		22:25
*** richm has quit IRC		22:25
morgan	stevemar: did you base it on the MFA patches?	22:26
morgan	:P	22:26
morgan	i mean. it shouldn't matter	22:26
morgan	but... for posterity	22:26
*** jaugustine has quit IRC		22:27
*** edmondsw has quit IRC		22:28
*** edmondsw has joined #openstack-keystone		22:28
*** edmondsw has quit IRC		22:29
*** edmondsw has joined #openstack-keystone		22:29
*** spilla has quit IRC		22:32
*** lamt has quit IRC		22:33
*** lamt has joined #openstack-keystone		22:34
*** edmondsw has quit IRC		22:34
samueldmq	morgan: just got back, just checked and I don't need to look at it again, it's been approved	22:37
morgan	samueldmq: hehe	22:38
*** adrian_otto has quit IRC		22:43
*** phalmos has joined #openstack-keystone		22:44
*** thorst_ has joined #openstack-keystone		22:45
*** henrynash has quit IRC		22:47
*** spzala has quit IRC		22:56
*** phalmos has quit IRC		22:57
*** markvoelker_ has joined #openstack-keystone		22:58
*** markvoelker has quit IRC		22:58
*** phalmos has joined #openstack-keystone		23:00
*** phalmos has quit IRC		23:00
*** edtubill has quit IRC		23:02
stevemar	morgan: shouldn't be required..	23:06
*** jperry has quit IRC		23:10
*** adrian_otto has joined #openstack-keystone		23:18
*** mriedem has left #openstack-keystone		23:20
*** jperry has joined #openstack-keystone		23:21
openstackgerrit	Gage Hugo proposed openstack/keystone: WIP Fix multiple uuid warnings with pycadf https://review.openstack.org/426411	23:23
*** phalmos has joined #openstack-keystone		23:38
*** dave-mccowan has joined #openstack-keystone		23:43
*** lamt has quit IRC		23:49
*** adrian_otto has quit IRC		23:50
*** martinlopes has quit IRC		23:51
*** henrynash has joined #openstack-keystone		23:52
*** ChanServ sets mode: +v henrynash		23:52
*** martinlopes has joined #openstack-keystone		23:53

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!