Tuesday, 2017-02-07

morganstevemar, lbragstad: can I move "email" into a user-option?00:00
morganit would be nice if it could be dropped from extras00:00
morganwe should drop anything we support/legacy support from extras00:00
lbragstadmorgan yeah - i wouldn't mind seeing a patch for that. I can't think of a reason not to do that off the top of my head00:01
*** spzala has joined #openstack-keystone00:01
*** lucas_ has joined #openstack-keystone00:01
morganit'll need a bit of compat code, to move it from <extras> -> options00:01
morganbut that should be easy00:01
morganalso, we can then do actual RFC validation on the email ;)00:02
lbragstadmorgan using JSONschema?00:02
morganlbragstad: and the storage validator00:03
lbragstadoh - sure00:03
morganemail RFC is amazingly complex for what qualifies as an email address00:03
morganbut would ultimately be doable00:03
lbragstadyeah - i think i remember seeing the jsonschema library for python rely on an RFC implementation somewhere for it - but i've never looked at that code00:04
morganit's ugggggly00:05
lbragstadit kinda sounds like a can of worms00:05
lbragstadso long as the validation is consistent at the storage and API layers - i'm happy00:06
*** spzala has quit IRC00:06
lbragstadand bonus points if we can rely on a separate library for it00:06
*** agrebennikov has quit IRC00:06
*** lamt has quit IRC00:10
*** Mr_Smurf has quit IRC00:11
morganoh man...00:12
morganlbragstad: we can somewhat.00:12
* morgan is trying to do some restification in shade...00:12
morganwow. keystoneclient does all sorts of behind the scenes magic00:12
morganis keystoneclient still leaning on ksc.session?00:16
morganor did we convert that to KSA?00:16
* morgan slams head into desk.00:17
*** Mr_Smurf has joined #openstack-keystone00:18
*** thorst_ has joined #openstack-keystone00:19
jamielennoxmorgan: it's still ksc.session i think00:19
jamielennoxthere were just enough incompatibilities to make it annoying00:19
morganjamielennox: i'm looking at codesearch... so many things lean on ksc.session00:20
morganjamielennox: i just want to break them all to force people to change with a major bump to ksc00:20
jamielennoxmorgan: i'm still more concerned about the things that use ksc directly00:20
jamielennoxmorgan: i had reviews for that00:20
morganjamielennox: http://codesearch.openstack.org/?q=keystoneclient(%5C.%7C%20import%20)session&i=nope&files=&repos=00:20
morganclearly no-one-cares about deprecation warnings etc00:21
*** spzala has joined #openstack-keystone00:21
* morgan wants to throw hands up at OpenStack community some days00:21
morganclearly no one cares about maintained code00:21
jamielennoxif you want to dive down a rabbit hole00:21
jamielennoxthat's just getting people to actually use a session00:22
morganjamielennox: because FEATURE WORK IS MORE IMPORTANT /grump00:22
morganjamielennox: tbh i'm less worried now about direct use of KSC.00:22
morganmore worried about ksc.session00:22
morganbecause it is basically non-maintained00:22
morganat this point i'd rather get everyone off ksc.session00:23
morganthen delete it.00:23
morganthen get people who don't use session on ksa directly00:23
morganand i'd be more ok with another compat method to cover the case that you're deleting there.00:24
morganjamielennox: maybe we should just deprecate python-keystoneclient and roll a new package that is maintained that is just called "keystoneclient" that drops all the baggage at once.00:28
morganjamielennox: anyone who is using just KSC code would be seemless (aka OSC)00:28
morgananyone else would be about as much work but we don't carry legacy cruft.00:28
jamielennoxmorgan: i certainly understand the do it now attitude but at this point we've almost served the deprecation periods that we can just do it as a major version bump00:29
morgandhellmann, stevemar, dtroyer, mordred: how annoyed would you be if we rolled a new package called "keystoneclient" that dropped all the cruft to the side and we just stopped maintaining ksc itself.00:29
morganjamielennox: except i don't think we can. because how many things break00:29
morganjamielennox: basically... it wont be landable in requirements.00:30
jamielennoxonly core stuff is tested in requirements00:30
morgandhellmann, stevemar, dtroyer, mordred: note the dropping of "python-" prefix00:30
jamielennoxif anything in that list fails we do need to fix it00:30
jamielennoxwe jsut need people on board with the idea so it doesn't get reverted by the first person to come along complaining00:31
morganjamielennox: right but the volume of yelling and screaming and gnashing of teeth will probbbly result in a revert00:31
jamielennoxala devstack and v300:31
morgani don't think it's doable (call be pessimistic) in openstack land00:31
morganto do what you're saying at this point00:31
morgancall me*00:31
morganjamielennox: i'm looking at V3... even with buy-in, we're still fighting reverts most every time. Even with TC setting a deadline and gates coming... people complain when things are changed and they break00:33
* morgan thinks we should have spun off the CRUD stuff into a new lib back when we spun ksa off, we'd probably had gotten more traction that way00:34
morganand kept KSC as CLI-bits only.00:34
morganand legacy things like "make me a client"00:34
*** chris_hultin|AWA is now known as chris_hultin00:34
*** briancurtin has joined #openstack-keystone00:35
*** adriant has joined #openstack-keystone00:36
*** chris_hultin is now known as chris_hultin|AWA00:44
*** electrichead is now known as rerobot00:45
*** Mr_Smurf has quit IRC00:47
*** hoangcx has joined #openstack-keystone00:49
*** Mr_Smurf has joined #openstack-keystone00:54
*** spzala has quit IRC00:57
*** lucas_ has quit IRC01:01
openstackgerritAnthony Washington proposed openstack/keystone master: Clear the project ID from user information  https://review.openstack.org/42904701:02
*** david-lyle has quit IRC01:06
dtroyermorgan, jamielennox: I'm all for stepping tot he side on legacy bits and starting fresh when the compat story isn't tenable, after all, look at OSc itself :)01:08
*** spzala has joined #openstack-keystone01:09
*** thorst_ has quit IRC01:09
*** gyee has quit IRC01:10
*** zhangjl has joined #openstack-keystone01:21
*** jose-phillips has quit IRC01:31
Adobemanwhat is following in "keystone user-role-add" in neweton?01:31
*** stingaci has quit IRC01:32
AdobemanI know keystone command itself was removed from newton..01:33
*** spzala has quit IRC01:41
*** spzala has joined #openstack-keystone01:42
*** guoshan has joined #openstack-keystone01:44
morganAdobeman: openstack ... let me find the OSC command01:46
*** spzala has quit IRC01:46
morgandtroyer: yeah not sure how it'll fall out, but i'm looking at something a lot more basic for CRUD things since KSA does most of the work we needed keystoneclient for01:47
*** adrian_otto has quit IRC01:49
morganAdobeman: openstack role add01:50
morganAdobeman:   role add       Adds a role assignment to a user or group on a domain or project01:50
morganAdobeman: ^01:51
*** tqtran has quit IRC01:53
*** spzala has joined #openstack-keystone01:53
Adobemanoh ok...01:55
AdobemanI'm trying to get freeipa <-> openstack :)01:56
*** lucas_ has joined #openstack-keystone01:57
morganpssst dstanek, jamielennox, ayoung, stevemar: a quick +2/+A on this would go along way https://review.openstack.org/#/c/424862/ so we don't get into rebase hell since it removes a bunch of stuff01:59
morgansamueldmq, rderose ^01:59
Adobemanumm ok, why is this taking forever...02:00
samueldmqmorgan: done02:02
Adobemanis this command supposed to take like 10 minutes to kick in?02:02
morgansamueldmq: woot02:02
samueldmqmorgan: we can remove anything else left later, if any02:02
morganAdobeman: uhm. unlikely02:02
AdobemanI'm doing "openstack role add --user-id ospadmin --role admin --tenant admin"02:03
samueldmqnicely done02:03
morganAdobeman: it should be pretty quick, can you do a openstack user show for that user?02:04
morganAdobeman: check to make sure keystone is talking correctly to the LDAP backend.02:04
morganno errors in the log, this sounds like an issues with Keystone->IPA (at first glance)02:04
*** liujiong has joined #openstack-keystone02:04
Adobemanlemme see, maybe that's wrong..02:04
morganAdobeman: with per-domain backends, you will need to use V3 (including the domain) in most cases02:04
morgan--tenant looks like a V2-ism02:05
morganyou might need to pass --os-identity-api-version=302:05
morganto openstack client02:05
* morgan admits is a little rusty with CLI tools.02:05
Adobemanok, I was scratching head about that..02:07
*** masterjcool has quit IRC02:07
morganAdobeman: but, it should still have been relatively quick to say "this is not valid"02:09
morganAdobeman: so it sounds like some ocmmunication issues between keystone and FreeIPA (timeouts in sockets, etc)02:09
Adobemanok, I made a typo on the... ldap host.. now its responding much faster02:10
*** masterjcool has joined #openstack-keystone02:12
Adobemanso I swapped --tenant with "--os-identity-api-version=3" like you said, and I get this error02:12
AdobemanCannot use v2 authentication with domain scope02:12
*** MasterOfBugs has quit IRC02:30
*** masterjcool has quit IRC02:34
*** masterjcool has joined #openstack-keystone02:36
openstackgerritvegezcj proposed openstack/keystone master: Keystone ldap tree_dn does not support Chinese,moditfy defaultcoding is utf-8  https://review.openstack.org/42999302:39
Adobemanwhat's that02:41
*** spzala has quit IRC02:41
*** thorst_ has joined #openstack-keystone02:48
*** thorst_ has quit IRC02:48
morganAdobeman: so, lets backup. is your IPA a specific domain identity backend?02:52
morganAdobeman: or are you setting [identity] driver=ldap02:52
morganand configuring it explicitly in the main keystone.conf for all identity lookups?02:52
morganAdobeman: the error you received is that you are trying to get a domain-scoped token (not a project scoped token) and V2 authentication.02:53
*** stingaci has joined #openstack-keystone02:53
morganideally you should ensure you're not setting up V2 keystone authentication anywhere, my guess is your service catalog specifies v2 in it02:53
*** spzala has joined #openstack-keystone02:55
*** spzala has quit IRC03:00
*** thorst_ has joined #openstack-keystone03:04
*** thorst_ has quit IRC03:04
openstackgerritAnthony Washington proposed openstack/keystone master: Clear the project ID from user information  https://review.openstack.org/42904703:11
*** david-lyle has joined #openstack-keystone03:13
openstackgerritMorgan Fainberg proposed openstack/keystone master: Make use of Dict-base including extras explicit  https://review.openstack.org/42847203:16
openstackgerritMorgan Fainberg proposed openstack/keystone master: Deprecate (and emit message) AdminTokenAuthMiddleware  https://review.openstack.org/42787803:17
*** agrebennikov has joined #openstack-keystone03:19
*** adrian_otto has joined #openstack-keystone03:25
*** Mr_Smurf has quit IRC03:26
*** Mr_Smurf has joined #openstack-keystone03:33
*** spzala has joined #openstack-keystone03:36
*** edmondsw has joined #openstack-keystone03:37
*** links has joined #openstack-keystone03:41
*** spzala has quit IRC03:41
*** edmondsw has quit IRC03:41
*** lucas_ has quit IRC03:44
*** adrian_otto has quit IRC03:53
*** spzala has joined #openstack-keystone03:53
*** spzala has quit IRC03:58
*** thorst_ has joined #openstack-keystone03:59
*** thorst_ has quit IRC04:00
*** nicolasbock has quit IRC04:01
*** guoshan has quit IRC04:02
*** dave-mccowan has quit IRC04:14
*** jose-phillips has joined #openstack-keystone04:15
*** Nakato_ is now known as Nakato04:18
*** thorst_ has joined #openstack-keystone04:19
*** adrian_otto has joined #openstack-keystone04:21
*** jose-phillips has quit IRC04:25
*** adrian_otto has quit IRC04:30
*** lucas_ has joined #openstack-keystone04:31
*** lucas_ has quit IRC04:34
*** jose-phillips has joined #openstack-keystone04:40
openstackgerritMerged openstack/keystone master: Remove KVS code  https://review.openstack.org/42486204:41
*** adrian_otto has joined #openstack-keystone04:45
*** adrian_otto has quit IRC04:47
*** dikonoor has joined #openstack-keystone04:49
*** adrian_otto has joined #openstack-keystone04:51
*** adu has joined #openstack-keystone04:55
*** adu has quit IRC05:03
*** agrebennikov has quit IRC05:06
*** lucas_ has joined #openstack-keystone05:08
*** adu has joined #openstack-keystone05:11
*** Daviey has quit IRC05:11
*** spzala has joined #openstack-keystone05:15
*** adrian_otto has quit IRC05:17
*** spzala has quit IRC05:20
*** markvoelker_ has quit IRC05:28
*** markvoelker has joined #openstack-keystone05:28
*** markvoelker has quit IRC05:33
*** adu has left #openstack-keystone05:36
*** david-lyle has quit IRC05:40
*** lucas_ has quit IRC05:42
*** tqtran has joined #openstack-keystone05:51
*** links has quit IRC05:51
*** adrian_otto has joined #openstack-keystone05:53
*** tqtran has quit IRC05:55
*** ravelar has quit IRC05:57
*** rcernin has joined #openstack-keystone06:00
*** rcernin has quit IRC06:03
*** rcernin has joined #openstack-keystone06:04
*** links has joined #openstack-keystone06:07
*** thorst_ has joined #openstack-keystone06:20
*** links has quit IRC06:22
*** jose-phillips has quit IRC06:23
*** thorst_ has quit IRC06:25
*** adriant has quit IRC06:28
*** markvoelker has joined #openstack-keystone06:28
*** markvoelker has quit IRC06:33
*** ktychkova has quit IRC06:36
*** links has joined #openstack-keystone06:38
*** martinlopes has joined #openstack-keystone06:41
*** martinlopes has quit IRC06:46
*** stingaci has quit IRC06:56
*** adrian_otto has quit IRC06:58
*** links has quit IRC07:07
*** prashkre has joined #openstack-keystone07:09
*** edmondsw has joined #openstack-keystone07:15
*** edmondsw has quit IRC07:19
*** links has joined #openstack-keystone07:20
*** markvoelker has joined #openstack-keystone07:29
*** links has quit IRC07:30
*** tesseract has joined #openstack-keystone07:31
*** markvoelker has quit IRC07:35
*** guoshan has joined #openstack-keystone07:37
*** links has joined #openstack-keystone07:43
*** pcaruana has joined #openstack-keystone07:46
*** narasimha_SV_ has joined #openstack-keystone07:48
*** pcaruana has quit IRC07:48
narasimha_SV_how to configure cors with keystone ?07:49
*** pcaruana has joined #openstack-keystone07:55
*** jamielennox is now known as jamielennox|away07:59
*** jamielennox|away is now known as jamielennox08:06
*** thorst_ has joined #openstack-keystone08:21
*** thorst_ has quit IRC08:26
*** markvoelker has joined #openstack-keystone08:32
*** markvoelker has quit IRC08:38
*** tqtran has joined #openstack-keystone08:52
*** tqtran has quit IRC08:56
*** zzzeek has quit IRC09:00
*** zzzeek has joined #openstack-keystone09:00
*** aloga_ has joined #openstack-keystone09:19
*** Daviey has joined #openstack-keystone09:21
*** jose-phillips has joined #openstack-keystone09:29
*** markvoelker has joined #openstack-keystone09:34
openstackgerritvegezcj proposed openstack/keystone master: Keystone ldap tree_dn does not support Chinese,moditfy defaultcoding is utf-8  https://review.openstack.org/43015309:36
*** markvoelker has quit IRC09:40
*** jose-phillips has quit IRC09:46
*** zhangjl1 has joined #openstack-keystone09:47
*** zhangjl has quit IRC09:48
*** Dave___ is now known as Dave09:52
*** tovin07 has quit IRC09:56
*** hoangcx has quit IRC10:08
*** thorst_ has joined #openstack-keystone10:22
robcresswellnarasimha_SV_: Same as every service. Modify the [cors] section in your keystone.conf (probably /etc/keystone/keystone.conf if you're using devstack) and then restart keystone.10:24
robcresswellnarasimha_SV_: Its a common oslo middleware, so its the same for most openstack services.10:24
*** thorst_ has quit IRC10:26
*** liujiong has quit IRC10:32
*** guoshan has quit IRC10:34
*** markvoelker has joined #openstack-keystone10:37
*** zhangjl1 has quit IRC10:42
*** markvoelker has quit IRC10:43
*** nicolasbock has joined #openstack-keystone11:01
narasimha_SV_robcresswell: thanks :)11:06
*** narasimha_SV_ has quit IRC11:06
*** prashkre_ has joined #openstack-keystone11:25
*** prashkre has quit IRC11:25
*** prashkre__ has joined #openstack-keystone11:26
*** prashkre_ has quit IRC11:26
*** mvk has quit IRC11:27
*** prashkre_ has joined #openstack-keystone11:28
*** prashkre__ has quit IRC11:28
*** prashkre has joined #openstack-keystone11:32
*** prashkre_ has quit IRC11:32
*** edmondsw has joined #openstack-keystone11:33
*** prashkre has quit IRC11:33
*** prashkre has joined #openstack-keystone11:33
*** edmondsw has quit IRC11:37
*** jmccarthy has joined #openstack-keystone11:38
*** markvoelker has joined #openstack-keystone11:39
jmccarthyHiya, is this the correct channel for general keystone questions ?11:41
jmccarthyShould Keystoneclient v3 work in Mitaka, I mean should the "grant()" method which is defined in /usr/lib/python2.7/site-packages/keystoneclient/v3/roles.py be usable ?11:41
*** markvoelker has quit IRC11:46
samueldmqmorning keystone!11:51
jmccarthyMorning :) ! Is this the correct channel for general keystone questions ? Should Keystoneclient v3 work in Mitaka, I mean should the "grant()" method which is defined in /usr/lib/python2.7/site-packages/keystoneclient/v3/roles.py be usable ?11:59
*** mvk has joined #openstack-keystone12:07
openstackgerritMerged openstack/oslo.policy master: Add optional exception for check_rules  https://review.openstack.org/37425112:31
*** thorst_ has joined #openstack-keystone12:39
*** markvoelker has joined #openstack-keystone12:41
*** markvoelker has quit IRC12:48
*** links has quit IRC12:48
*** aloga_ has quit IRC12:49
*** catintheroof has joined #openstack-keystone12:50
samueldmqjmccarthy: I'd expect that call to work12:53
*** tqtran has joined #openstack-keystone12:53
samueldmqjmccarthy: what error are you getting ?12:53
*** dave-mccowan has joined #openstack-keystone12:55
jmccarthysamueldmq: I'll have to check - with mitaka ? I mean was it a recent change maybe ?12:56
samueldmqjmccarthy: it should work in mitaka, granting roles for users has been there for ages12:57
samueldmqjmccarthy: if you're using openstackclient the --debug option may help.12:58
*** tqtran has quit IRC12:58
jmccarthyOk, with the python sdk though ? Ok yes with client it works alright12:59
dstanekjmccarthy: are you getting an error?12:59
jmccarthyI have to go back and see, I'm working from a sparse bug report :)13:00
jmccarthyHow would I do this with python sdk if I want to see it in action ?13:01
samueldmqjmccarthy: http://docs.openstack.org/developer/python-keystoneclient/using-api-v3.html may be helpful13:06
samueldmqthere are examples on how to instantiate the v3 client13:07
samueldmqand then http://docs.openstack.org/developer/python-keystoneclient/api/keystoneclient.v3.html#keystoneclient.v3.roles.RoleManager.grant13:07
samueldmqthis is the docs for the operation you're talking about ^13:07
samueldmqlet us know if you get an error13:07
jmccarthysamueldmq: Thanks ! I'm reading up some more now - appreciated ! :)13:09
*** chlong has joined #openstack-keystone13:14
*** edmondsw has joined #openstack-keystone13:23
*** markvoelker has joined #openstack-keystone13:44
*** markvoelker has quit IRC13:50
dikonoormorgan: Hi.This is about https://blueprints.launchpad.net/keystone/+spec/per-user-auth-plugin-reqs14:01
dikonoormorgan:stevemar: I have an environment that uses ldap and we use only password plugin for authentication.14:06
*** spilla has joined #openstack-keystone14:08
dikonoormorgan: https://github.com/openstack/keystone/blob/master/keystone/auth/core.py#L377 >> My user_ref does not have 'options'. due to which authentication fails14:08
*** lamt has joined #openstack-keystone14:09
dstanekdikonoor: what version of keystone are you using?14:10
dikonoorERROR keystone.common.wsgi KeyError: 'options'14:10
dstanekdikonoor: not the api version... the code version. are you running master?14:11
dikonoordstanek: yes14:12
dikonoordstanek:I am trying to understand if 'options' is a mandatory attribute in user_ref.14:15
dikonoordstanek: and how it gets populated14:15
dstanekdikonoor: it appears that it is mandatory and that we only added it to the SQL model14:17
*** lucas_ has joined #openstack-keystone14:17
dstaneki think maybe the LDAP model should always have an empty options dictionary as an attribute14:18
dstanekmorgan: ^ does that sound correct?14:18
dikonoordstanek:morgan: either an empty options attribute should be added or the MFA rule check code above must be modified to make it user_ref.get('options') ..Let me go ahead and open a defect for this14:20
dstanekdikonoor: i prefer empty to the models look the same14:21
*** jperry has joined #openstack-keystone14:22
*** lamt has quit IRC14:23
ayoungHey, look what port they chose!  No possible conflict there, right?  https://docs.docker.com/registry/deploying/14:26
dstanekayoung: lol14:26
* lbragstad shakes head14:27
ayoung$ getent services commplex-main14:28
ayoungcommplex-main         5000/tcp14:28
ayoungAnyone have any clue what that was originally?14:28
ayoungWow, it looks like Google has not a clue what commplex was originally.  Someone has a Sourceforge project, but since it is from 2013, I'm a guess thats not it14:32
*** lucas_ has quit IRC14:35
*** aloga_ has joined #openstack-keystone14:35
*** lucas_ has joined #openstack-keystone14:36
ayounghttp://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml?&page=87  nothing associated with port 5000 in the registry14:37
*** lamt has joined #openstack-keystone14:40
*** stingaci has joined #openstack-keystone14:42
*** markvoelker has joined #openstack-keystone14:46
*** markvoelker has quit IRC14:52
*** dikonoor has quit IRC14:55
*** tqtran has joined #openstack-keystone15:04
*** david-lyle has joined #openstack-keystone15:08
*** lucas_ has quit IRC15:08
*** david-lyle has quit IRC15:10
*** david-lyle has joined #openstack-keystone15:11
*** lucas_ has joined #openstack-keystone15:11
*** ravelar has joined #openstack-keystone15:13
*** david-lyle has quit IRC15:16
*** aloga_ has quit IRC15:18
*** adrian_otto has joined #openstack-keystone15:20
stevemarmorgan: lbragstad samueldmq dstanek thanks for holding down the fort, i was super sick yesterday, finally feeling human again15:22
lbragstadstevemar ++ good to hear15:22
samueldmqstevemar: nice, good you're feeling better15:23
openstackgerritRon De Rose proposed openstack/keystone master: WIP - Ensure migration file names are unique by requiring a prefix  https://review.openstack.org/42991215:24
*** dave-mccowan has quit IRC15:24
lbragstadantwash ping?15:28
lbragstadantwash i'm running https://review.openstack.org/#/c/429047/4 locally now, too15:28
*** zhurong has joined #openstack-keystone15:28
*** chris_hultin|AWA is now known as chris_hultin15:29
openstackgerritRon De Rose proposed openstack/keystone master: Ensure migration file names are unique to avoid caching errors  https://review.openstack.org/42991215:30
*** adrian_otto has quit IRC15:30
lbragstadantwash looks like all the failures in the current patch set are due to the same key error we saw originally - https://github.com/openstack/keystone/blob/66d3c3493c001528cd4e08c1acd078365feab9bd/keystone/tests/unit/resource/test_backends.py#L151715:30
lbragstadantwash ^ that assertion is failing before we even delete the project in the test15:30
antwashlbragstad: yeah I noticed that as well, I'm going to have to just rewrite the entire test -- it's failing the LDAP test specifically because it's readonly and the 'project_id' never exist from the start15:31
zhuronghello, anyone can help me, http://docs.openstack.org/developer/keystone/configuration.html#install-external-signing-certificate, follow this guide, I generated the signing_cert.pem and signing_key.pem, I want to know, where is the cacert.pem can I find? thanks15:32
lbragstadantwash i got the same results locally - i'm curious to see what that user reference is in the sql test!15:32
openstackgerritRichard Avelar proposed openstack/keystone master: Add --check to keystone-manage db_sync command  https://review.openstack.org/41638315:36
*** abqkawi1000 has joined #openstack-keystone15:37
abqkawi1000joined hoping for some guidance on where I should be looking to fix an auth problem.  Logs in my swift proxy box show "Identity server rejected authorization" "Unable to validate token: Identity server rejected auth necessary to fetch token data.15:42
abqkawi1000swift user added to admin project as admin role15:42
*** jaugustine has joined #openstack-keystone15:43
*** dave-mccowan has joined #openstack-keystone15:43
openstackgerritSamuel Pilla proposed openstack/keystone master: Remove unused api parameters  https://review.openstack.org/42979015:45
dstanekzhurong: if you are self signing you can create that using openssl15:48
dstanekzhurong: i think 'keystone-manage pki_setup' also did that, but it's deprecated (IIRC)15:48
dstanekzhurong: are you trying to setup a test machine?15:48
*** markvoelker has joined #openstack-keystone15:49
*** jaugustine has quit IRC15:49
dstanekabqkawi1000: have you looked in the keystone logs to see why the token is being rejected?15:49
zhurong+dstanek thanks, but we want multiple names on one certificate, so we need create ourself15:49
*** richm has joined #openstack-keystone15:50
abqkawi1000I am having a difficult time finding anything in Keystone logs that point to a rejection.  Do I need to enable a verbose logging to see these?15:50
abqkawi1000ran ito some15:51
dstanekzhurong: you pretty much always have to bring your own certs to keystone. you either get them from a CA or sign them yourself15:52
dstanekabqkawi1000: maybe. do don't see anything during that time?15:52
abqkawi1000looks like a cert issue.  2017-02-07 15:51:11.462 1632 WARNING keystone.common.wsgi [req-a26c63f1-73fb-46d5-9f10-a767d44300f1 - - - - -] Authorization failed. The request you have made requires authentication. from 2017-02-07 15:51:11.465 1632 INFO eventlet.wsgi.server [req-a26c63f1-73fb-46d5-9f10-a767d44300f1 - - - - -], - - [07/Feb/2017 15:51:11] "POST /v3/auth/tokens HTTP/1.1" 4015:52
*** david-lyle has joined #openstack-keystone15:53
abqkawi10002017-02-07 15:51:11.442 1632 DEBUG keystone.middleware.auth [req-a26c63f1-73fb-46d5-9f10-a767d44300f1 - - - - -] There is either no auth token in the request or the certificate issuer is not trusted. No auth context will be set. _build_auth_context /usr/lib/python2.7/dist-packages/keystone/middleware/auth.py:7115:53
zhurong+dstanek just using `openssl genrsa -des3 -out my-ca.key 2048` and `openssl req -new -x509 -days 3650 -key my-ca.key -out my-ca.crt` for sign them self right? and using my-ca.crt  for the ca_certs config? is it right?15:54
dstanekabqkawi1000: i would expect to also see some info messages saying something about why the cert was an issue if it was a cert thing15:55
*** markvoelker has quit IRC15:55
dstanekzhurong: no idea. i have to google it every time :-)15:55
abqkawi1000dstanek - entire error is just repeated "2017-02-07 15:55:02.783 1627 INFO keystone.common.wsgi [req-8633d364-1887-4fba-9217-2632c61d5b16 - - - - -] POST 2017-02-07 15:55:02.798 1627 WARNING keystone.common.wsgi [req-8633d364-1887-4fba-9217-2632c61d5b16 - - - - -] Authorization failed. The request you have made requires authentication. from 2017-02-07 15:55:02.802 1615:56
zhurongdstanek thanks anyway15:56
abqkawi1000dstanek 2017-02-07 15:55:18.071 1627 DEBUG keystone.middleware.auth [req-2caed38c-b2e5-4df7-af67-2df6b649e452 - - - - -] There is either no auth token in the request or the certificate issuer is not trusted. No auth context will be set. _build_auth_context /usr/lib/python2.7/dist-packages/keystone/middleware/auth.py:7115:56
abqkawi1000Doing a swift --insecure stat --debug shows I get a 200 from the identity endpoint and get a token.  Then I hit the swift proxy and get a 50315:59
dstanekabqkawi1000: can you use that token directly against keystone just to check it?16:00
abqkawi1000cee-infra037:Z[~] > swift --insecure stat --debug DEBUG:keystoneclient.auth.identity.v2:Making authentication request to https://destructo.domain:5000/v2.0/tokens DEBUG:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): destructo.domain DEBUG:requests.packages.urllib3.connectionpool:https://destructo.domain:5000 "POST /v2.0/tokens HTTP/1.1" 200 3842 DEBUG:requests.packages.urllib3.connection16:00
abqkawi1000DEBUG:requests.packages.urllib3.connectionpool: "HEAD /v1/AUTH_e3bc5c043ba245a0b7518e33676d36f7 HTTP/1.1" 503 0 INFO:swiftclient:REQ: curl -i -I -H "X-Auth-Token: gAAAAABYme6Ey-_u8eJTxxaMMok295PPauXfklBrgUBtZmkSlQILRmBIHVNZBnfAyd72thsaE-1fptlWJzcB1xhpPCIhnM2x-Xw5coOC3WsfP57-O2_70Yz3ROGiWfN8iL8XabCpj6dueFX_YkJKdPVNG9DwakA0pg" IN16:02
dstanekabqkawi1000: try to validate that token16:02
*** adrian_otto has joined #openstack-keystone16:02
abqkawi1000dstanek  sure....umm I am a keystone rookie.  How do I do that  :/16:03
abqkawi1000looking up curl examples16:05
*** markvoelker has joined #openstack-keystone16:13
*** markvoelker has quit IRC16:14
*** markvoelker has joined #openstack-keystone16:14
*** rcernin has quit IRC16:16
*** pcaruana has quit IRC16:17
*** zhurong has quit IRC16:17
*** jaosorior has joined #openstack-keystone16:18
*** prashkre has quit IRC16:19
*** tqtran has quit IRC16:20
*** prashkre has joined #openstack-keystone16:21
*** MasterOfBugs has joined #openstack-keystone16:30
*** openstackgerrit has quit IRC16:35
*** aloga_ has joined #openstack-keystone16:38
abqkawi1000dstanek If you are still around.  Yup I can use that token against keystone without issue16:39
dstanekabqkawi1000: get it figured out?16:39
dstanekabqkawi1000: so i would guess that it's a swift proxy issue of some sort16:39
dstanekabqkawi1000: i just got out of a meeting :-)16:39
abqkawi1000yeah feels like swift-proxy.  logs in keystone confuse me " Unable to validate token: Identity server rejected authorization necessary to fetch token data"16:42
abqkawi1000this feels like Keystone is telling the swift-proxy service to go pound sand16:42
dstanekand you do see keystone logs that seem to happen at the same time as the request right?16:43
abqkawi1000yes right away when the curl, or horizon request is made16:43
dstanekabqkawi1000: then is has to be something that the proxy is doing. maybe it's not using the correct token?16:44
abqkawi1000dstanek:  I will dig through some more logs and see if anything sticks out.  Clearly the keystone portion works, and I am authenticating correctly.16:47
abqkawi1000dstanek:  Thanks a ton for your suggestions16:48
dstanekabqkawi1000: yw16:53
kfox1111so, just saw this on one of our clouds:16:53
kfox1111INFO keystone.token.providers.fernet.token_formatters [req-32ccac17-bdd6-48e5-b567-009a81ce9770 - - - - -] Fernet token created with length of 268 characters, which exceeds 255 characters16:53
kfox1111any idea's what badness that might cause?16:53
lbragstadkfox1111 it shouldn't cause any *badness*, it's more or less just a warning to advertise against token bloat16:54
kfox1111ah. ok. thanks.16:54
kfox1111sould we be trying to do something on our end to shrink it,16:55
kfox1111or is it more a message for keystone devs, not operators?16:55
lbragstadkfox1111 are your user id/project ids not uuid format?16:55
kfox1111oh. yeah, probbably. we had ldap pre-exist the option to map them.16:56
kfox1111thanks. :)16:57
lbragstadkfox1111 one of the things that we do to keep size maintainable (under 255 characters) is to convert uuid like strings to their byte representation16:57
kfox1111makes sense.16:57
*** lucas_ has quit IRC17:04
*** tqtran has joined #openstack-keystone17:11
*** jgrassler has quit IRC17:22
*** jaosorior has quit IRC17:22
*** jgr has joined #openstack-keystone17:23
*** jaosorior has joined #openstack-keystone17:23
*** jaosorior has quit IRC17:24
*** jaosorior has joined #openstack-keystone17:24
*** mvk has quit IRC17:37
*** lucas_ has joined #openstack-keystone17:43
*** adrian_otto has quit IRC17:53
*** adrian_otto has joined #openstack-keystone17:54
*** adrian_otto has quit IRC17:54
lbragstadstevemar just a heads up - but i have a conflict with the keystone meeting today. i'll be reading scroll back afterwords though - i just won't be available during it17:57
*** browne has joined #openstack-keystone17:57
*** jaugustine has joined #openstack-keystone17:58
stevemarlbragstad: ack17:59
stevemarmeeting time :)17:59
*** tesseract has quit IRC18:01
*** aloga_ has quit IRC18:03
dstanekstevemar: i am in the same meeting...18:03
*** prashkre has quit IRC18:20
*** prashkre has joined #openstack-keystone18:20
*** stingaci has quit IRC18:22
*** MasterOfBugs has quit IRC18:24
*** MasterOfBugs has joined #openstack-keystone18:25
*** ngupta has joined #openstack-keystone18:29
*** aloga_ has joined #openstack-keystone18:33
*** MasterOfBugs has quit IRC18:34
*** hrybacki is now known as hrybacki____18:42
*** aloga_ has quit IRC18:44
lbragstadrodrigods o/18:50
lbragstadrodrigods i missed the first part of the meeting and i'm reading scroll back now18:50
rodrigodslbragstad, hey18:50
lbragstadrodrigods sounds like we're going to start by adding documentation around functional tests?18:51
rodrigodslbragstad, right!18:51
rodrigodsgiving some guidelines on writing new tests18:51
lbragstadrodrigods sweet - are you going to write them? someone else didn't commit to writing them did they?18:51
rodrigodslbragstad, i'll start, improvements are welcome!18:52
rodrigodscreated this bug to not forget: https://bugs.launchpad.net/keystone/+bug/166262318:52
openstackLaunchpad bug 1662623 in OpenStack Identity (keystone) "Testing keystone docs are outdated" [Wishlist,Confirmed] - Assigned to Rodrigo Duarte (rodrigodsousa)18:52
lbragstadrodrigods i was just going to say that when you get a patch up for the docs, let me know18:52
rodrigodslbragstad, ++18:53
lbragstadrodrigods i'd be happy to be the guinea pig for that18:53
rodrigodsawesome! :)18:54
*** ngupta has quit IRC19:13
*** ngupta has joined #openstack-keystone19:14
*** lucas_ has quit IRC19:20
*** lucas_ has joined #openstack-keystone19:20
*** MasterOfBugs has joined #openstack-keystone19:22
*** stradling has joined #openstack-keystone19:34
*** adrian_otto has joined #openstack-keystone19:38
stradlingHi, folks. I am trying to get SSL configured for client interactions with keystone. All of the documentation I have seen so far refers to the [ssl] section of keystone.conf (seems to no longer be a thing) and to the keystone-manage command line tool (likewise gone). Any suggestions for a current doc that will discuss the config (endpoints, configs, default_catalog.templates)? Thanks in advance. :)19:40
dstanekstradling: you mean running keystone under SSL?19:51
dstanekstradling: if you are signing with a well-known CA the client should just work. if you self sign then you may have to somehow tell the client about the cert.19:52
dstaneknot sure where OSC hides that19:52
stradlingThanks, dstanek. What I'm understanding is that the endpoints, configs and default_catalog.templates should be fine with all of their references to http://controller:5000/v3 (no need for https) and that all of the SSL stuff will be handled by Apache in the standard ssl.conf. Correct?19:54
stradlingThe problem is that when I try to use an OS_AUTH_URL with https://, I routinely get something like19:55
stradlingSSL exception connecting to https://controller:5000/v3.0/auth/tokens: [SSL: UNKNOWN_PROTOCOL] unknown protocol (_ssl.c:765)19:55
dstanekstradling: what is service port 5000? i bet that it is not actually serving HTTPS19:55
dstanekstradling: the URL in the catalog should be what you expect the client to use. if you want them to use HTTPS you have to have an HTTPS link in there19:57
stradlingdstanek: Indeed. And this is where you start to see my newbie issues. :) Should I be declaring a port 443 endpoint in open stack? Should I be declaring a port 5000 VirtualHost in SSL? These are issues I don't yet grok, and was hoping there's new documentation. The old stuff is not getting me anywhere.19:57
stradlingOK, excellent. Now, when I added https://controller:5000/v2.0  endpoints  (per documentation) to the defaults and the catalog, I got no joy. I can continue combinatorially...19:59
stradlingIs 2.0 even a thing anymore?19:59
dstanekstradling: it is, but we're trying to make it go away20:00
stradlingOK -- I'll steer clear. What I'm trying now is20:00
stradlingopenstack endpoint create --region RegionOne keystone public https://controller:5000/v320:00
stradlingopenstack endpoint create --region RegionOne keystone internal https://controller:5000/v320:00
stradlingopenstack endpoint create --region RegionOne keystone admin https://controller:35357/v320:00
dstanekstradling: i would use an apache vhost running on 443 to serve up keystone. i'm pretty sure that's what devstack does now20:01
stradlingOK -- here's what I have in place there:20:01
stradlingLoadModule ssl_module modules/mod_ssl.so20:01
stradlingListen 44320:01
stradling<VirtualHost *:443>20:01
stradling    ServerName cdc-k14-41.storage.virginia.edu20:01
stradling    SSLEngine on20:01
stradling    SSLCertificateFile /etc/pki/tls/certs/cdc-k14-41_storage_virginia_edu_cert.cer20:01
stradling    SSLCertificateKeyFile /etc/pki/tls/private/uva_openstack.key20:01
stradlingShall I just create a 443 endpoint with https?20:01
stradlingAlso -- if I work through all of this successfully, is there an appropriate place to contribute documentation of the process?20:02
dstanekstradling: i'm surprised that this isn't in one of the install guides or the admin guide20:05
stradlingAnd that worked, to an extent! Now on to [SSL: CERTIFICATE_VERIFY_FAILED]. Much appreciated.20:05
stradlingstank -- Yeah, I think it just hasn't come along with the changes. I'd be happy to be shown otherwise... but will be documenting as I go.20:06
stradling(Dang it -- sorry. Autocorrect changed the dstanek reference!)20:06
*** lucas_ has quit IRC20:10
dstanekstradling: np. i think we don't have anything in keystone docs because it's an apache (or other webserver) problem20:10
*** lucas_ has joined #openstack-keystone20:11
stradlingdstanek Yeah, the cert verification is certainly Apache. To get a new admin up to the point of using and validating SSL in that context, however, will require an update.20:12
dstanekstradling: beyond configuring apache is there anything you had to do?20:13
stradlingFor example, http://docs.openstack.org/admin-guide/identity-troubleshoot.html still mentions keystone-manage (last mod 2017-02-07)20:13
stradlingSo far -- defining a correct endpoint. Not much of a change, but still a source of flailing. (At least for me. :)20:14
dstanekstradling: hmm....that actually hasn't been the recommended way to manage certs for as long as i can remember20:15
stradlingdstanek Indeed. It's causing me headaches as we speak.20:15
*** dave-mccowan has quit IRC20:19
dstanekstradling: the pki_setup is actually deprecated and has a nice warning about not using it20:20
dstaneki'm not sure if the docs is references are updated though20:20
stradlingYeah, I agree. I'm guessing this is a bit of documentation rot. I got to this one through the main documentation links via the admin docs.20:21
stradlingHere's another that discusses keystone-manage pki_setup20:23
dstanekstradling: just took a look at this keystone docs and they seem to be correct for pki_setup20:24
stradlingOK. Then I'll start trusting it. Thanks!20:25
stradlingdstanek Thanks -- for that and all of the patient explanation. :)20:29
dstanekstradling: np20:34
* morgan summons termie via twitter and braces for impact :P20:36
*** dave-mccowan has joined #openstack-keystone20:37
*** jaosorior has quit IRC20:40
*** openstackgerrit has joined #openstack-keystone20:44
openstackgerritAnthony Washington proposed openstack/keystone master: WIP: Clear the project ID from user information  https://review.openstack.org/43043420:44
* dolphm expects nothing less from termie https://www.youtube.com/watch?v=EwUilIo036g&t=8s20:48
*** iurygregory has quit IRC20:50
morgandolphm: ping need your help with something20:50
morgandstanek: if you have a moment20:50
morgandolphm: no rush though, wanted to check something in gerrit. (functionality) [actually any core would work]20:52
dolphmmorgan: i have about 15 minutes20:52
morgandolphm: ok sec20:52
lbragstaddolphm "you know that's really hard on your knees" lol20:52
openstackgerritMorgan Fainberg proposed openstack/keystone master: DNM: Testing  https://review.openstack.org/43043620:52
morgandolphm: can you -1 workflow that ^20:52
morganfor me20:52
dolphmmorgan: done20:52
openstackgerritMorgan Fainberg proposed openstack/keystone master: DNM: Testin  https://review.openstack.org/43043620:53
morgandolphm: thanks20:53
morganadrian_otto: ^20:53
morganadrian_otto: just to confirm for you, new patch cleared it20:53
morgandolphm: much appreciated! (i saw you typing, or i would have poked another core)20:54
morgandolphm: hehe20:54
dolphmmorgan: i didn't have time to -120:54
stevemarmorgan: wat20:54
dolphmmorgan: fixed20:54
morgandolphm: LOL20:54
dstanekmorgan: rackers are not just interchangeable cogs20:54
morgandstanek: prove it20:54
morgandolphm: hehe was confirming that workflow -1 wasnb't sticky20:55
dolphmmorgan: it shouldn't be, but it could be a project-specific setting?20:55
morgandstanek: it's the same trap as mor<tab> in lots of channels20:55
morgandolphm: nah it looked like in the project in question it was either a rebase (simple) or no subsequent patch posted20:55
dstanekmorgan: :P20:56
morgandolphm: but this was just a 2x check, because i was sure it wasn't sticky... but you know, i have occasionally been wrong20:56
lbragstadantwash i like the approach to add cascade for default_project_id20:57
antwashlbragstad : ++ rderose20:57
dolphmlbragstad: cascade delete users with a default project iD?20:57
morganlbragstad:  i want default_project_id to die... i really do =/20:57
*** adu has joined #openstack-keystone20:57
morgandolphm: hahahahah oh that would be awesome20:57
rderosemorgan: me too20:57
morganlbragstad: warning that change in LARGE users will lock up keystone for a while btw20:58
morganlbragstad: it has potential to be ugly.20:58
lbragstaddolphm cascade set default project id to none when a project is deleted20:58
lbragstadmorgan dolphm yeah - antwash is currently pealing back all the layers of the onion20:58
morganlbragstad: default_project_id is *not* indexed20:59
antwashmorgan : i was honored to hear a rant about default_project_id this morning haha20:59
morganlbragstad: that must be indexed before we accept the code20:59
morganantwash: ^ cc20:59
lbragstadmorgan it must be indexed before we can add a constraint you mean?21:00
dolphmlbragstad: yeah, that'd be a good idea21:00
antwashindex.. meaning?21:00
dolphmlbragstad: add the index in an expand?21:00
morganyu cannot use FKs21:01
morganresource and user are not guaranteed to be in the same DB.. backend, or anything21:01
morganthe earlier option with the listener that did an iterative update of users was the correct form21:01
lbragstaddolphm morgan antwash just proposed this https://review.openstack.org/#/c/430434/1/keystone/common/sql/expand_repo/versions/022_expand_add_user_project_fk_constraint.py,unified21:01
morganlbragstad: ^ sorry21:01
morgani saw21:01
morgan-1, actually -2 (because we can't FK that)21:02
morganno FKs across subsystems21:02
morgani didn't -2 since antwash is here :)21:02
morganand active.21:02
morganbut we can't add that FK.21:02
dolphmwhile morgan is right, i'd like him to be wrong21:02
stevemarmorgan: why is magnum creating their own governance doc?21:03
*** raildo has quit IRC21:03
morganit would require that you can never ever use a resource backend that isnt' the same DB/backend as the user table21:03
dolphmstevemar: what21:03
morganstevemar: because they want to outline the principles for the team21:03
morganand how the team itself / project runs.21:03
morganinstead of relying on tribal knowledge21:03
lbragstadmorgan would you be so kind to document that in the latest review?21:03
morgani did, but i can expand if needed21:04
morgandolphm: yes i wish i was wrong on this front too.21:04
lbragstadmorgan antwash has another proposal that registers a notification callback to pass the project id to the backend21:04
*** nicolasbock has quit IRC21:04
morganlbragstad: yes, that was the one i was referring to when i said we need to index default_project_id column21:04
lbragstadantwash sorry for the bum advice earlier :(21:05
antwashmorgan : thanks for the feedback, I'll continue working on the other approach :)21:06
antwashlbragstad: it's no biggie -- all learning over here lol21:06
*** ianw has quit IRC21:07
*** ianw has joined #openstack-keystone21:08
morganantwash: :) hey, just know i prefer the automatic cascade stuff... i wish we could take it, but design of keystone prevents it21:08
stevemarmorgan: i just dont want every project doing their own governance doc21:08
morganstevemar: i actually would encourage it.21:08
morganstevemar: if they project has specifics, it is worth having21:08
morganstevemar: the TC does not dictate specifics of what a -2 must include when issuing it.21:09
morganthe TC does not dictate how cores are selected, if the PTL wishes to delegate that to a vote, they may21:09
openstackgerritAnthony Washington proposed openstack/keystone master: Clear the project ID from user information  https://review.openstack.org/42904721:09
morganthose types of things make a lot of sense to have encoded outside of tribal knowledge21:09
*** harlowja has quit IRC21:09
stevemarmorgan: i agree that it may make sense for kolla/magnum/cinder/neutron to have additional docs, but i can see other projects abusing this21:10
*** dave-mccowan has quit IRC21:10
morganstevemar: ok, so stop that. do not attribute malice pre-emptively here21:11
morganstevemar: it is a trap openstack falls into a lot. Trust until you have a reason not to.21:11
morganhave the projects given you reason to distrust them writing an open doc like magnum has?21:11
* morgan has not seen anything to that point21:11
*** nicolasbock has joined #openstack-keystone21:11
morganif you want to block these things, lets have a TC proposal and a stronger involvement of the TC outlining how thse things work21:12
morganotherwise this is the right direction for projects to avoid "oh how are cores selected"21:12
dolphmif every project documented their culture, maybe we'd have a better way to spot differences, spread better ideas, and conform with consensus when & where it makes sense?21:12
morganand needing to get an answer (or similar)21:13
morgandolphm: ++21:13
morgani think keystone should very much do exactly the same thing21:13
morganand document the culture in a clear way21:13
stevemarguess we'll see how the magnum one shakes out21:14
dolphmstevemar: just curious, how did you hear about the magnum one?21:15
dstanekdolphm: ++21:15
stevemardolphm: tc was added to review21:17
stevemardolphm: just interested in the 'why' this became to be21:19
*** prashkre has quit IRC21:28
*** harlowja has joined #openstack-keystone21:35
*** jamielennox is now known as jamielennox|away21:42
*** catintheroof has quit IRC21:48
*** catintheroof has joined #openstack-keystone21:49
*** catintheroof has quit IRC21:54
*** adrian_otto has quit IRC21:59
*** tesseract has joined #openstack-keystone21:59
*** tesseract- has joined #openstack-keystone22:00
*** thorst_ has quit IRC22:01
*** thorst_ has joined #openstack-keystone22:03
*** tesseract has quit IRC22:07
*** tesseract- has quit IRC22:07
*** thorst_ has quit IRC22:08
*** tesseract has joined #openstack-keystone22:08
lbragstadantwash the latest revision of your patch is much cleaner!22:12
*** lucas_ has quit IRC22:13
antwashlbragstad: gracias, thanks for the review, I forgot to make that read/write change22:13
*** chris_hultin is now known as chris_hultin|AWA22:16
*** spilla has quit IRC22:18
*** martinlopes has joined #openstack-keystone22:20
*** thorst_ has joined #openstack-keystone22:20
*** thorst_ has quit IRC22:25
*** tesseract is now known as tesseract-RH22:26
*** adriant has joined #openstack-keystone22:27
*** edmondsw has quit IRC22:29
*** tesseract-RH is now known as tesseract22:31
*** stradling has quit IRC22:36
*** jamielennox|away is now known as jamielennox22:42
rodrigodsstevemar, hey... we removed "saml2" from auth methods only in ocata, right?22:51
*** gyee has joined #openstack-keystone22:57
stevemarrodrigods: i believe so22:58
*** edmondsw has joined #openstack-keystone22:59
*** chris_hultin|AWA is now known as chris_hultin23:00
*** tesseract has quit IRC23:00
*** tesseract has joined #openstack-keystone23:00
*** tesseract-RH has joined #openstack-keystone23:01
*** tesseract has quit IRC23:01
*** tesseract-RH has quit IRC23:01
*** jperry has quit IRC23:03
*** edmondsw has quit IRC23:04
*** gyee has quit IRC23:11
*** ngupta has quit IRC23:11
*** lamt has quit IRC23:25
*** zhurong has joined #openstack-keystone23:26
*** zhurong has quit IRC23:28
adriantis there any API method to reparent a project or do I have to do some SQL?23:32
adriantbecause trying to do it with the cli I get: "Update of `parent_id` is not allowed. (HTTP 403)"23:32
*** stradling has joined #openstack-keystone23:33
morganadriant: reparent?23:35
morganadriant: that is a massive security flaw.23:35
morganerm issue23:35
morganwe explicitly do not allow it23:35
adriantblast :(23:35
morganand it can't be added. Due to the way roles work, inheritance, etc on projects, you suddenly have users / groups with access to things they shouldn't (possibly)23:36
morgansame reason domain_id is imutable23:36
morganadriant: what are you trying to solve?23:36
adriantIt's because I want to try and clean up an awful single layer domain and reparent top level projects under a new one.23:36
*** adu has quit IRC23:36
morganunfortunately the answer is create new projects and migrate to the new project spaces23:37
morganit's not smooth but it's the best (secure) way to do it23:37
morganyou could write direct SQL to updat eparent_ids23:37
adriantSecure isn't a problem here23:37
morganas an operator i can't say "don't do that"23:37
adriantI'm doing this as admin to known projects23:37
morganbut from a "secure API that is consistent" implementing what you're asking for would be bad (tm) for us.23:38
morganas the upstream project23:38
morganthe best answer is probably to do some direct SQL updates to the parent_id columns (not recommended but since it's known, it is the work-around)23:38
morganbut you can see why we don't support that functionality23:38
morganfrom a security standpoint23:39
adriantIt doesn't really seem very much of a security flaw if done knowingly.23:39
adriantThis would be a stupid user feature23:39
adriantbut hugely useful for admins23:39
morgannot really a good one though23:39
morganso, i have roles on project X, and they are inherited23:39
morganan admin moves a prohject under X, not realizing it23:40
morganor x under a project with other inherited roles23:40
morganthat a domain admin set23:40
morganit opens all sorts of wonky security concerns23:40
adriantI'd assume anyone doing that would be aware of the inheritance if not, why do they have admin?23:40
morgannot guaranteed23:41
morganso user B has the ability to grant roles on Y23:41
morganadmin moves X under Y, user B shouldn't have access, but now grants himself a role inherited23:41
morganit's just a ton of moving parts to consider23:41
morganand it is specifically a security hardening thing to start.23:42
adriantbut he already had admin so has access to X anyway if he wants it?23:42
morganno that is not a guarantee23:42
morganthe user may not be an admin23:42
morgananyway, my answer stands, we don't suppor shuffling hierarchy for the same reason we don't allow shuffling domain_ids23:43
adriantyes, but we're not talking about cloud_admins rather true superuser admins23:43
morganthat is not something i want to encode in APIs23:43
morgansuper user admin = access to SQL, might as well just update the rows23:43
morgannothing i can do to stop that23:43
adriantyeah... I guess23:44
adriantupdating the parent_id field won't break anything right?23:44
morgani don't think it'd be an issue23:44
morganbut... honestly we don't test that23:44
adriantThe links should all still work the same23:44
adriantI'll play with it and see.23:44
morganit isn't a FK or anyting magic23:44
morganit's just a reference to another ID23:44
morganso it should be fine(ish) to move. but if you have heirarchical quotas in other projects23:45
morganthose would be broken23:45
morgan(cinder/nova) [ not sure of the state of impl on that front ]23:45
adriantThis would only be a one-time thing to allow me to start transitioning everyone to and HMT like structure23:45
morganseriously the best case is create new projects and have people migrate to them.23:45
adrianttoo hard23:45
adrianttoo many projects, too many resources23:46
* morgan shrugs.23:46
morganit's what I would insist on if i was the cloud operator. but i'd help folks do it.23:46
adriantheirarchical quotas don't exist yet that I'm aware of...23:46
morganbut thats me.23:46
samueldmqwe have a new PTL23:46
samueldmqcongrats lbragstad :D23:46
morganoh we do?23:46
samueldmqwell deserved23:46
morganoh goodie, time to make lbragstad's life hard instead of stevemar's ;)23:46
morganlbragstad: congrats man23:47
lbragstadsamueldmq morgan thanks!23:47
* morgan quickly -2s all of lbragstad's patches23:47
samueldmqI can see the results in the link from the email I received to vote23:47
adriantlbragstad, congrats!23:47
lbragstadayoung thanks!23:47
lbragstadmorgan i don't have any patches muahahaha23:47
morganlbragstad: there is a bunch of launchpad things that will need updates23:47
morganlbragstad: it's gonna be "fun"(tm)23:48
* lbragstad so it begins23:48
*** jaugustine has quit IRC23:48
morganadriant: i like that your real-name in irc is set to "realname" :P23:48
adriantmorgan: I'll play with the sql in a few dev deploys, but since we can't live migrate between projects I think sql will be the only option for some of them. :(23:48
adriantthat's me being lazy and forgetting to remove a default23:48
*** chris_hultin is now known as chris_hultin|AWA23:48
morganadriant: well the way I'd do it is i'd make new projects and as you spin down resources i'd spin them up in the new place. legacy things would be a planned migration down the line. but thats me.23:49
morganadriant: but i am also very picky about things when i run a system like a cloud23:49
morgani don't muck with the SQL23:49
morganrelated: damn i knew we should have made the db schema obscured and all binary blobs :P23:49
adriantmorgan: we try to avoid it as well, that's why I was hoping for an API23:49
* morgan proposes a change to obfuscate the keystone schema, data, all via ROT26 :P23:50
morgani mean...23:50
adriantI've been trying to migrate us to a sort of HMT like structure for ages, but everyone keeps creating top level projects and it is such a huge mess23:50
morganadriant: remove their ability to do so23:50
morganno new project creation at the top23:50
morganonly in the new location(s) :P23:50
morganpolicy.json and RBAC updates ;)23:51
adriantI'm working on it... My goal is that all new project creation comes through my management/task service23:51
adriantsince project creation for us means linking to details in the ERP system as well...23:51
adriantwhich people forget to do23:51
adriantAutomate all the things! Get rid of pesky human error.23:52
morganadriant: so can i rely on you to do the KSA auth plugin stuff?23:52
morganor should i plan to start making the changes23:52
adriantYes, I'll play with that for Pike23:52
morgansince that and some changes for ksc to support "options" need to land23:52
adriantAnd I'll see about how the hell to make it work in horizon as well.23:54
adriantI have a feeling that will end up a mess, but we'll see.23:54
morgani have a feeling we need to improve data sent back in the 401 exception23:56
morganbut that should be doable23:56
morganbut that isn't a huge hurdle23:56
adriantoh, morgan, something that might terrify you a little. Our ops team had a tally on the whiteboard: "SQL is my API" because of how often we'd need to do some SQL to clean up things the API didn't do right.23:57
morgansince the type of exception wont even be changed.23:57
morgandepends on for which db23:57
morgani'm not surprised23:57
adriantnova, neutron quite often23:58
adriantfor hung instances or routers23:58
morganhaving run openstack clouds from grizzly -> icehouse, i am really not surprised23:58
adriantyeah, we started with havana23:58
morganactually... folsom->icehouse23:58
adriantback before we switched to UUID tokens for keystone, we had to table truncate since a token clean-up command would stall and kill keystone.23:58
adriantIt's been an interesting journey23:59
morganyep we have a general fix for that because of that issue23:59

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!