Tuesday, 2017-02-07

morgan	stevemar, lbragstad: can I move "email" into a user-option?	00:00
morgan	it would be nice if it could be dropped from extras	00:00
morgan	we should drop anything we support/legacy support from extras	00:00
lbragstad	morgan yeah - i wouldn't mind seeing a patch for that. I can't think of a reason not to do that off the top of my head	00:01
morgan	cool	00:01
*** spzala has joined #openstack-keystone		00:01
*** lucas_ has joined #openstack-keystone		00:01
morgan	it'll need a bit of compat code, to move it from <extras> -> options	00:01
morgan	but that should be easy	00:01
morgan	also, we can then do actual RFC validation on the email ;)	00:02
lbragstad	morgan using JSONschema?	00:02
morgan	lbragstad: and the storage validator	00:03
lbragstad	oh - sure	00:03
morgan	email RFC is amazingly complex for what qualifies as an email address	00:03
morgan	but would ultimately be doable	00:03
lbragstad	yeah - i think i remember seeing the jsonschema library for python rely on an RFC implementation somewhere for it - but i've never looked at that code	00:04
morgan	it's ugggggly	00:05
lbragstad	it kinda sounds like a can of worms	00:05
lbragstad	so long as the validation is consistent at the storage and API layers - i'm happy	00:06
*** spzala has quit IRC		00:06
lbragstad	and bonus points if we can rely on a separate library for it	00:06
*** agrebennikov has quit IRC		00:06
*** lamt has quit IRC		00:10
*** Mr_Smurf has quit IRC		00:11
morgan	oh man...	00:12
morgan	lbragstad: we can somewhat.	00:12
* morgan is trying to do some restification in shade...		00:12
morgan	wow. keystoneclient does all sorts of behind the scenes magic	00:12
morgan	uhhh...	00:16
morgan	is keystoneclient still leaning on ksc.session?	00:16
morgan	or did we convert that to KSA?	00:16
* morgan slams head into desk.		00:17
*** Mr_Smurf has joined #openstack-keystone		00:18
*** thorst_ has joined #openstack-keystone		00:19
jamielennox	morgan: it's still ksc.session i think	00:19
jamielennox	there were just enough incompatibilities to make it annoying	00:19
morgan	jamielennox: i'm looking at codesearch... so many things lean on ksc.session	00:20
morgan	jamielennox: i just want to break them all to force people to change with a major bump to ksc	00:20
jamielennox	morgan: i'm still more concerned about the things that use ksc directly	00:20
jamielennox	morgan: i had reviews for that	00:20
morgan	jamielennox: http://codesearch.openstack.org/?q=keystoneclient(%5C.%7C%20import%20)session&i=nope&files=&repos=	00:20
morgan	clearly no-one-cares about deprecation warnings etc	00:21
*** spzala has joined #openstack-keystone		00:21
* morgan wants to throw hands up at OpenStack community some days		00:21
morgan	clearly no one cares about maintained code	00:21
jamielennox	https://review.openstack.org/#/c/359707/2	00:21
jamielennox	if you want to dive down a rabbit hole	00:21
jamielennox	that's just getting people to actually use a session	00:22
morgan	jamielennox: because FEATURE WORK IS MORE IMPORTANT /grump	00:22
morgan	jamielennox: tbh i'm less worried now about direct use of KSC.	00:22
morgan	more worried about ksc.session	00:22
morgan	because it is basically non-maintained	00:22
morgan	at this point i'd rather get everyone off ksc.session	00:23
morgan	then delete it.	00:23
morgan	then get people who don't use session on ksa directly	00:23
morgan	and i'd be more ok with another compat method to cover the case that you're deleting there.	00:24
morgan	jamielennox: maybe we should just deprecate python-keystoneclient and roll a new package that is maintained that is just called "keystoneclient" that drops all the baggage at once.	00:28
morgan	jamielennox: anyone who is using just KSC code would be seemless (aka OSC)	00:28
morgan	seamless*	00:28
morgan	anyone else would be about as much work but we don't carry legacy cruft.	00:28
jamielennox	morgan: i certainly understand the do it now attitude but at this point we've almost served the deprecation periods that we can just do it as a major version bump	00:29
morgan	dhellmann, stevemar, dtroyer, mordred: how annoyed would you be if we rolled a new package called "keystoneclient" that dropped all the cruft to the side and we just stopped maintaining ksc itself.	00:29
morgan	jamielennox: except i don't think we can. because how many things break	00:29
morgan	jamielennox: basically... it wont be landable in requirements.	00:30
jamielennox	only core stuff is tested in requirements	00:30
morgan	dhellmann, stevemar, dtroyer, mordred: note the dropping of "python-" prefix	00:30
jamielennox	if anything in that list fails we do need to fix it	00:30
jamielennox	we jsut need people on board with the idea so it doesn't get reverted by the first person to come along complaining	00:31
morgan	jamielennox: right but the volume of yelling and screaming and gnashing of teeth will probbbly result in a revert	00:31
jamielennox	ala devstack and v3	00:31
morgan	i don't think it's doable (call be pessimistic) in openstack land	00:31
morgan	to do what you're saying at this point	00:31
morgan	call me*	00:31
morgan	jamielennox: i'm looking at V3... even with buy-in, we're still fighting reverts most every time. Even with TC setting a deadline and gates coming... people complain when things are changed and they break	00:33
* morgan thinks we should have spun off the CRUD stuff into a new lib back when we spun ksa off, we'd probably had gotten more traction that way		00:34
morgan	and kept KSC as CLI-bits only.	00:34
morgan	and legacy things like "make me a client"	00:34
*** chris_hultin\|AWA is now known as chris_hultin		00:34
*** briancurtin has joined #openstack-keystone		00:35
*** adriant has joined #openstack-keystone		00:36
*** chris_hultin is now known as chris_hultin\|AWA		00:44
*** electrichead is now known as rerobot		00:45
*** Mr_Smurf has quit IRC		00:47
*** hoangcx has joined #openstack-keystone		00:49
*** Mr_Smurf has joined #openstack-keystone		00:54
*** spzala has quit IRC		00:57
*** lucas_ has quit IRC		01:01
openstackgerrit	Anthony Washington proposed openstack/keystone master: Clear the project ID from user information https://review.openstack.org/429047	01:02
*** david-lyle has quit IRC		01:06
dtroyer	morgan, jamielennox: I'm all for stepping tot he side on legacy bits and starting fresh when the compat story isn't tenable, after all, look at OSc itself :)	01:08
*** spzala has joined #openstack-keystone		01:09
*** thorst_ has quit IRC		01:09
*** gyee has quit IRC		01:10
*** zhangjl has joined #openstack-keystone		01:21
*** jose-phillips has quit IRC		01:31
Adobeman	what is following in "keystone user-role-add" in neweton?	01:31
*** stingaci has quit IRC		01:32
Adobeman	I know keystone command itself was removed from newton..	01:33
*** spzala has quit IRC		01:41
*** spzala has joined #openstack-keystone		01:42
*** guoshan has joined #openstack-keystone		01:44
morgan	Adobeman: openstack ... let me find the OSC command	01:46
*** spzala has quit IRC		01:46
morgan	dtroyer: yeah not sure how it'll fall out, but i'm looking at something a lot more basic for CRUD things since KSA does most of the work we needed keystoneclient for	01:47
*** adrian_otto has quit IRC		01:49
morgan	Adobeman: openstack role add	01:50
morgan	Adobeman: role add Adds a role assignment to a user or group on a domain or project	01:50
morgan	https://www.irccloud.com/pastebin/0M3l0L8Y/	01:51
morgan	Adobeman: ^	01:51
*** tqtran has quit IRC		01:53
*** spzala has joined #openstack-keystone		01:53
Adobeman	oh ok...	01:55
Adobeman	thanks	01:55
Adobeman	I'm trying to get freeipa <-> openstack :)	01:56
*** lucas_ has joined #openstack-keystone		01:57
morgan	pssst dstanek, jamielennox, ayoung, stevemar: a quick +2/+A on this would go along way https://review.openstack.org/#/c/424862/ so we don't get into rebase hell since it removes a bunch of stuff	01:59
morgan	samueldmq, rderose ^	01:59
Adobeman	umm ok, why is this taking forever...	02:00
samueldmq	morgan: done	02:02
Adobeman	is this command supposed to take like 10 minutes to kick in?	02:02
morgan	samueldmq: woot	02:02
samueldmq	morgan: we can remove anything else left later, if any	02:02
morgan	Adobeman: uhm. unlikely	02:02
Adobeman	I'm doing "openstack role add --user-id ospadmin --role admin --tenant admin"	02:03
samueldmq	nicely done	02:03
morgan	Adobeman: it should be pretty quick, can you do a openstack user show for that user?	02:04
morgan	Adobeman: check to make sure keystone is talking correctly to the LDAP backend.	02:04
morgan	no errors in the log, this sounds like an issues with Keystone->IPA (at first glance)	02:04
*** liujiong has joined #openstack-keystone		02:04
Adobeman	lemme see, maybe that's wrong..	02:04
morgan	Adobeman: with per-domain backends, you will need to use V3 (including the domain) in most cases	02:04
morgan	--tenant looks like a V2-ism	02:05
morgan	you might need to pass --os-identity-api-version=3	02:05
morgan	to openstack client	02:05
* morgan admits is a little rusty with CLI tools.		02:05
Adobeman	ok, I was scratching head about that..	02:07
*** masterjcool has quit IRC		02:07
morgan	:)	02:07
morgan	Adobeman: but, it should still have been relatively quick to say "this is not valid"	02:09
morgan	Adobeman: so it sounds like some ocmmunication issues between keystone and FreeIPA (timeouts in sockets, etc)	02:09
Adobeman	ok, I made a typo on the... ldap host.. now its responding much faster	02:10
morgan	woot	02:11
morgan	:)	02:11
Adobeman	ummm	02:11
*** masterjcool has joined #openstack-keystone		02:12
Adobeman	so I swapped --tenant with "--os-identity-api-version=3" like you said, and I get this error	02:12
Adobeman	Cannot use v2 authentication with domain scope	02:12
*** MasterOfBugs has quit IRC		02:30
*** masterjcool has quit IRC		02:34
*** masterjcool has joined #openstack-keystone		02:36
openstackgerrit	vegezcj proposed openstack/keystone master: Keystone ldap tree_dn does not support Chinese,moditfy defaultcoding is utf-8 https://review.openstack.org/429993	02:39
Adobeman	what's that	02:41
*** spzala has quit IRC		02:41
*** thorst_ has joined #openstack-keystone		02:48
*** thorst_ has quit IRC		02:48
morgan	Adobeman: so, lets backup. is your IPA a specific domain identity backend?	02:52
morgan	Adobeman: or are you setting [identity] driver=ldap	02:52
morgan	and configuring it explicitly in the main keystone.conf for all identity lookups?	02:52
morgan	Adobeman: the error you received is that you are trying to get a domain-scoped token (not a project scoped token) and V2 authentication.	02:53
morgan	somehow.	02:53
*** stingaci has joined #openstack-keystone		02:53
morgan	ideally you should ensure you're not setting up V2 keystone authentication anywhere, my guess is your service catalog specifies v2 in it	02:53
*** spzala has joined #openstack-keystone		02:55
*** spzala has quit IRC		03:00
*** thorst_ has joined #openstack-keystone		03:04
*** thorst_ has quit IRC		03:04
openstackgerrit	Anthony Washington proposed openstack/keystone master: Clear the project ID from user information https://review.openstack.org/429047	03:11
*** david-lyle has joined #openstack-keystone		03:13
openstackgerrit	Morgan Fainberg proposed openstack/keystone master: Make use of Dict-base including extras explicit https://review.openstack.org/428472	03:16
openstackgerrit	Morgan Fainberg proposed openstack/keystone master: Deprecate (and emit message) AdminTokenAuthMiddleware https://review.openstack.org/427878	03:17
*** agrebennikov has joined #openstack-keystone		03:19
*** adrian_otto has joined #openstack-keystone		03:25
*** Mr_Smurf has quit IRC		03:26
*** Mr_Smurf has joined #openstack-keystone		03:33
*** spzala has joined #openstack-keystone		03:36
*** edmondsw has joined #openstack-keystone		03:37
*** links has joined #openstack-keystone		03:41
*** spzala has quit IRC		03:41
*** edmondsw has quit IRC		03:41
*** lucas_ has quit IRC		03:44
*** adrian_otto has quit IRC		03:53
*** spzala has joined #openstack-keystone		03:53
*** spzala has quit IRC		03:58
*** thorst_ has joined #openstack-keystone		03:59
*** thorst_ has quit IRC		04:00
*** nicolasbock has quit IRC		04:01
*** guoshan has quit IRC		04:02
*** dave-mccowan has quit IRC		04:14
*** jose-phillips has joined #openstack-keystone		04:15
*** Nakato_ is now known as Nakato		04:18
*** thorst_ has joined #openstack-keystone		04:19
*** adrian_otto has joined #openstack-keystone		04:21
*** jose-phillips has quit IRC		04:25
*** adrian_otto has quit IRC		04:30
*** lucas_ has joined #openstack-keystone		04:31
*** lucas_ has quit IRC		04:34
*** jose-phillips has joined #openstack-keystone		04:40
openstackgerrit	Merged openstack/keystone master: Remove KVS code https://review.openstack.org/424862	04:41
*** adrian_otto has joined #openstack-keystone		04:45
*** adrian_otto has quit IRC		04:47
*** dikonoor has joined #openstack-keystone		04:49
*** adrian_otto has joined #openstack-keystone		04:51
*** adu has joined #openstack-keystone		04:55
*** adu has quit IRC		05:03
*** agrebennikov has quit IRC		05:06
*** lucas_ has joined #openstack-keystone		05:08
*** adu has joined #openstack-keystone		05:11
*** Daviey has quit IRC		05:11
*** spzala has joined #openstack-keystone		05:15
*** adrian_otto has quit IRC		05:17
*** spzala has quit IRC		05:20
*** markvoelker_ has quit IRC		05:28
*** markvoelker has joined #openstack-keystone		05:28
*** markvoelker has quit IRC		05:33
*** adu has left #openstack-keystone		05:36
*** david-lyle has quit IRC		05:40
*** lucas_ has quit IRC		05:42
*** tqtran has joined #openstack-keystone		05:51
*** links has quit IRC		05:51
*** adrian_otto has joined #openstack-keystone		05:53
*** tqtran has quit IRC		05:55
*** ravelar has quit IRC		05:57
*** rcernin has joined #openstack-keystone		06:00
*** rcernin has quit IRC		06:03
*** rcernin has joined #openstack-keystone		06:04
*** links has joined #openstack-keystone		06:07
*** thorst_ has joined #openstack-keystone		06:20
*** links has quit IRC		06:22
*** jose-phillips has quit IRC		06:23
*** thorst_ has quit IRC		06:25
*** adriant has quit IRC		06:28
*** markvoelker has joined #openstack-keystone		06:28
*** markvoelker has quit IRC		06:33
*** ktychkova has quit IRC		06:36
*** links has joined #openstack-keystone		06:38
*** martinlopes has joined #openstack-keystone		06:41
*** martinlopes has quit IRC		06:46
*** stingaci has quit IRC		06:56
*** adrian_otto has quit IRC		06:58
*** links has quit IRC		07:07
*** prashkre has joined #openstack-keystone		07:09
*** edmondsw has joined #openstack-keystone		07:15
*** edmondsw has quit IRC		07:19
*** links has joined #openstack-keystone		07:20
*** markvoelker has joined #openstack-keystone		07:29
*** links has quit IRC		07:30
*** tesseract has joined #openstack-keystone		07:31
*** markvoelker has quit IRC		07:35
*** guoshan has joined #openstack-keystone		07:37
*** links has joined #openstack-keystone		07:43
*** pcaruana has joined #openstack-keystone		07:46
*** narasimha_SV_ has joined #openstack-keystone		07:48
*** pcaruana has quit IRC		07:48
narasimha_SV_	how to configure cors with keystone ?	07:49
*** pcaruana has joined #openstack-keystone		07:55
*** jamielennox is now known as jamielennox\|away		07:59
*** jamielennox\|away is now known as jamielennox		08:06
*** thorst_ has joined #openstack-keystone		08:21
*** thorst_ has quit IRC		08:26
*** markvoelker has joined #openstack-keystone		08:32
*** markvoelker has quit IRC		08:38
*** tqtran has joined #openstack-keystone		08:52
*** tqtran has quit IRC		08:56
*** zzzeek has quit IRC		09:00
*** zzzeek has joined #openstack-keystone		09:00
*** aloga_ has joined #openstack-keystone		09:19
*** Daviey has joined #openstack-keystone		09:21
*** jose-phillips has joined #openstack-keystone		09:29
*** markvoelker has joined #openstack-keystone		09:34
openstackgerrit	vegezcj proposed openstack/keystone master: Keystone ldap tree_dn does not support Chinese,moditfy defaultcoding is utf-8 https://review.openstack.org/430153	09:36
*** markvoelker has quit IRC		09:40
*** jose-phillips has quit IRC		09:46
*** zhangjl1 has joined #openstack-keystone		09:47
*** zhangjl has quit IRC		09:48
*** Dave___ is now known as Dave		09:52
*** tovin07 has quit IRC		09:56
*** hoangcx has quit IRC		10:08
*** thorst_ has joined #openstack-keystone		10:22
robcresswell	narasimha_SV_: Same as every service. Modify the [cors] section in your keystone.conf (probably /etc/keystone/keystone.conf if you're using devstack) and then restart keystone.	10:24
robcresswell	narasimha_SV_: Its a common oslo middleware, so its the same for most openstack services.	10:24
*** thorst_ has quit IRC		10:26
*** liujiong has quit IRC		10:32
*** guoshan has quit IRC		10:34
*** markvoelker has joined #openstack-keystone		10:37
*** zhangjl1 has quit IRC		10:42
*** markvoelker has quit IRC		10:43
*** nicolasbock has joined #openstack-keystone		11:01
narasimha_SV_	robcresswell: thanks :)	11:06
*** narasimha_SV_ has quit IRC		11:06
*** prashkre_ has joined #openstack-keystone		11:25
*** prashkre has quit IRC		11:25
*** prashkre__ has joined #openstack-keystone		11:26
*** prashkre_ has quit IRC		11:26
*** mvk has quit IRC		11:27
*** prashkre_ has joined #openstack-keystone		11:28
*** prashkre__ has quit IRC		11:28
*** prashkre has joined #openstack-keystone		11:32
*** prashkre_ has quit IRC		11:32
*** edmondsw has joined #openstack-keystone		11:33
*** prashkre has quit IRC		11:33
*** prashkre has joined #openstack-keystone		11:33
*** edmondsw has quit IRC		11:37
*** jmccarthy has joined #openstack-keystone		11:38
*** markvoelker has joined #openstack-keystone		11:39
jmccarthy	Hiya, is this the correct channel for general keystone questions ?	11:41
jmccarthy	Should Keystoneclient v3 work in Mitaka, I mean should the "grant()" method which is defined in /usr/lib/python2.7/site-packages/keystoneclient/v3/roles.py be usable ?	11:41
*** markvoelker has quit IRC		11:46
samueldmq	morning keystone!	11:51
jmccarthy	Morning :) ! Is this the correct channel for general keystone questions ? Should Keystoneclient v3 work in Mitaka, I mean should the "grant()" method which is defined in /usr/lib/python2.7/site-packages/keystoneclient/v3/roles.py be usable ?	11:59
*** mvk has joined #openstack-keystone		12:07
openstackgerrit	Merged openstack/oslo.policy master: Add optional exception for check_rules https://review.openstack.org/374251	12:31
*** thorst_ has joined #openstack-keystone		12:39
*** markvoelker has joined #openstack-keystone		12:41
*** markvoelker has quit IRC		12:48
*** links has quit IRC		12:48
*** aloga_ has quit IRC		12:49
*** catintheroof has joined #openstack-keystone		12:50
samueldmq	jmccarthy: I'd expect that call to work	12:53
*** tqtran has joined #openstack-keystone		12:53
samueldmq	jmccarthy: what error are you getting ?	12:53
*** dave-mccowan has joined #openstack-keystone		12:55
jmccarthy	samueldmq: I'll have to check - with mitaka ? I mean was it a recent change maybe ?	12:56
samueldmq	jmccarthy: it should work in mitaka, granting roles for users has been there for ages	12:57
samueldmq	jmccarthy: if you're using openstackclient the --debug option may help.	12:58
*** tqtran has quit IRC		12:58
jmccarthy	Ok, with the python sdk though ? Ok yes with client it works alright	12:59
dstanek	jmccarthy: are you getting an error?	12:59
jmccarthy	I have to go back and see, I'm working from a sparse bug report :)	13:00
jmccarthy	How would I do this with python sdk if I want to see it in action ?	13:01
samueldmq	jmccarthy: http://docs.openstack.org/developer/python-keystoneclient/using-api-v3.html may be helpful	13:06
samueldmq	there are examples on how to instantiate the v3 client	13:07
samueldmq	and then http://docs.openstack.org/developer/python-keystoneclient/api/keystoneclient.v3.html#keystoneclient.v3.roles.RoleManager.grant	13:07
samueldmq	this is the docs for the operation you're talking about ^	13:07
samueldmq	let us know if you get an error	13:07
jmccarthy	samueldmq: Thanks ! I'm reading up some more now - appreciated ! :)	13:09
samueldmq	anytime	13:09
*** chlong has joined #openstack-keystone		13:14
*** edmondsw has joined #openstack-keystone		13:23
*** markvoelker has joined #openstack-keystone		13:44
*** markvoelker has quit IRC		13:50
dikonoor	morgan: Hi.This is about https://blueprints.launchpad.net/keystone/+spec/per-user-auth-plugin-reqs	14:01
dikonoor	morgan:stevemar: I have an environment that uses ldap and we use only password plugin for authentication.	14:06
*** spilla has joined #openstack-keystone		14:08
dikonoor	morgan: https://github.com/openstack/keystone/blob/master/keystone/auth/core.py#L377 >> My user_ref does not have 'options'. due to which authentication fails	14:08
*** lamt has joined #openstack-keystone		14:09
dstanek	dikonoor: what version of keystone are you using?	14:10
dikonoor	ERROR keystone.common.wsgi KeyError: 'options'	14:10
dikonoor	v3	14:11
dstanek	dikonoor: not the api version... the code version. are you running master?	14:11
dikonoor	dstanek: yes	14:12
dikonoor	dstanek:I am trying to understand if 'options' is a mandatory attribute in user_ref.	14:15
dikonoor	dstanek: and how it gets populated	14:15
dstanek	dikonoor: it appears that it is mandatory and that we only added it to the SQL model	14:17
*** lucas_ has joined #openstack-keystone		14:17
dstanek	i think maybe the LDAP model should always have an empty options dictionary as an attribute	14:18
dstanek	morgan: ^ does that sound correct?	14:18
dikonoor	dstanek:morgan: either an empty options attribute should be added or the MFA rule check code above must be modified to make it user_ref.get('options') ..Let me go ahead and open a defect for this	14:20
dstanek	dikonoor: i prefer empty to the models look the same	14:21
dikonoor	ok	14:22
*** jperry has joined #openstack-keystone		14:22
*** lamt has quit IRC		14:23
ayoung	Hey, look what port they chose! No possible conflict there, right? https://docs.docker.com/registry/deploying/	14:26
dstanek	ayoung: lol	14:26
* lbragstad shakes head		14:27
ayoung	$ getent services commplex-main	14:28
ayoung	commplex-main 5000/tcp	14:28
ayoung	Anyone have any clue what that was originally?	14:28
ayoung	Wow, it looks like Google has not a clue what commplex was originally. Someone has a Sourceforge project, but since it is from 2013, I'm a guess thats not it	14:32
*** lucas_ has quit IRC		14:35
*** aloga_ has joined #openstack-keystone		14:35
*** lucas_ has joined #openstack-keystone		14:36
ayoung	http://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml?&page=87 nothing associated with port 5000 in the registry	14:37
*** lamt has joined #openstack-keystone		14:40
*** stingaci has joined #openstack-keystone		14:42
*** markvoelker has joined #openstack-keystone		14:46
*** markvoelker has quit IRC		14:52
*** dikonoor has quit IRC		14:55
*** tqtran has joined #openstack-keystone		15:04
*** david-lyle has joined #openstack-keystone		15:08
*** lucas_ has quit IRC		15:08
*** david-lyle has quit IRC		15:10
*** david-lyle has joined #openstack-keystone		15:11
*** lucas_ has joined #openstack-keystone		15:11
*** ravelar has joined #openstack-keystone		15:13
*** david-lyle has quit IRC		15:16
*** aloga_ has quit IRC		15:18
knikolla	o/.	15:18
*** adrian_otto has joined #openstack-keystone		15:20
stevemar	morgan: lbragstad samueldmq dstanek thanks for holding down the fort, i was super sick yesterday, finally feeling human again	15:22
lbragstad	stevemar ++ good to hear	15:22
samueldmq	stevemar: nice, good you're feeling better	15:23
openstackgerrit	Ron De Rose proposed openstack/keystone master: WIP - Ensure migration file names are unique by requiring a prefix https://review.openstack.org/429912	15:24
*** dave-mccowan has quit IRC		15:24
lbragstad	antwash ping?	15:28
lbragstad	antwash i'm running https://review.openstack.org/#/c/429047/4 locally now, too	15:28
*** zhurong has joined #openstack-keystone		15:28
*** chris_hultin\|AWA is now known as chris_hultin		15:29
openstackgerrit	Ron De Rose proposed openstack/keystone master: Ensure migration file names are unique to avoid caching errors https://review.openstack.org/429912	15:30
*** adrian_otto has quit IRC		15:30
lbragstad	antwash looks like all the failures in the current patch set are due to the same key error we saw originally - https://github.com/openstack/keystone/blob/66d3c3493c001528cd4e08c1acd078365feab9bd/keystone/tests/unit/resource/test_backends.py#L1517	15:30
lbragstad	antwash ^ that assertion is failing before we even delete the project in the test	15:30
antwash	lbragstad: yeah I noticed that as well, I'm going to have to just rewrite the entire test -- it's failing the LDAP test specifically because it's readonly and the 'project_id' never exist from the start	15:31
zhurong	hello, anyone can help me, http://docs.openstack.org/developer/keystone/configuration.html#install-external-signing-certificate, follow this guide, I generated the signing_cert.pem and signing_key.pem, I want to know, where is the cacert.pem can I find? thanks	15:32
lbragstad	antwash i got the same results locally - i'm curious to see what that user reference is in the sql test!	15:32
openstackgerrit	Richard Avelar proposed openstack/keystone master: Add --check to keystone-manage db_sync command https://review.openstack.org/416383	15:36
*** abqkawi1000 has joined #openstack-keystone		15:37
abqkawi1000	joined hoping for some guidance on where I should be looking to fix an auth problem. Logs in my swift proxy box show "Identity server rejected authorization" "Unable to validate token: Identity server rejected auth necessary to fetch token data.	15:42
abqkawi1000	swift user added to admin project as admin role	15:42
*** jaugustine has joined #openstack-keystone		15:43
*** dave-mccowan has joined #openstack-keystone		15:43
openstackgerrit	Samuel Pilla proposed openstack/keystone master: Remove unused api parameters https://review.openstack.org/429790	15:45
dstanek	zhurong: if you are self signing you can create that using openssl	15:48
dstanek	zhurong: i think 'keystone-manage pki_setup' also did that, but it's deprecated (IIRC)	15:48
dstanek	zhurong: are you trying to setup a test machine?	15:48
*** markvoelker has joined #openstack-keystone		15:49
*** jaugustine has quit IRC		15:49
dstanek	abqkawi1000: have you looked in the keystone logs to see why the token is being rejected?	15:49
zhurong	+dstanek thanks, but we want multiple names on one certificate, so we need create ourself	15:49
*** richm has joined #openstack-keystone		15:50
abqkawi1000	I am having a difficult time finding anything in Keystone logs that point to a rejection. Do I need to enable a verbose logging to see these?	15:50
abqkawi1000	nm	15:51
abqkawi1000	ran ito some	15:51
dstanek	zhurong: you pretty much always have to bring your own certs to keystone. you either get them from a CA or sign them yourself	15:52
dstanek	abqkawi1000: maybe. do don't see anything during that time?	15:52
abqkawi1000	looks like a cert issue. 2017-02-07 15:51:11.462 1632 WARNING keystone.common.wsgi [req-a26c63f1-73fb-46d5-9f10-a767d44300f1 - - - - -] Authorization failed. The request you have made requires authentication. from 10.203.2.9 2017-02-07 15:51:11.465 1632 INFO eventlet.wsgi.server [req-a26c63f1-73fb-46d5-9f10-a767d44300f1 - - - - -] 10.203.0.101,10.203.2.9 - - [07/Feb/2017 15:51:11] "POST /v3/auth/tokens HTTP/1.1" 40	15:52
*** david-lyle has joined #openstack-keystone		15:53
abqkawi1000	2017-02-07 15:51:11.442 1632 DEBUG keystone.middleware.auth [req-a26c63f1-73fb-46d5-9f10-a767d44300f1 - - - - -] There is either no auth token in the request or the certificate issuer is not trusted. No auth context will be set. _build_auth_context /usr/lib/python2.7/dist-packages/keystone/middleware/auth.py:71	15:53
zhurong	+dstanek just using `openssl genrsa -des3 -out my-ca.key 2048` and `openssl req -new -x509 -days 3650 -key my-ca.key -out my-ca.crt` for sign them self right? and using my-ca.crt for the ca_certs config? is it right?	15:54
dstanek	abqkawi1000: i would expect to also see some info messages saying something about why the cert was an issue if it was a cert thing	15:55
*** markvoelker has quit IRC		15:55
dstanek	zhurong: no idea. i have to google it every time :-)	15:55
abqkawi1000	dstanek - entire error is just repeated "2017-02-07 15:55:02.783 1627 INFO keystone.common.wsgi [req-8633d364-1887-4fba-9217-2632c61d5b16 - - - - -] POST http://10.203.2.1:35357/v3/auth/tokens 2017-02-07 15:55:02.798 1627 WARNING keystone.common.wsgi [req-8633d364-1887-4fba-9217-2632c61d5b16 - - - - -] Authorization failed. The request you have made requires authentication. from 10.203.2.9 2017-02-07 15:55:02.802 16	15:56
zhurong	dstanek thanks anyway	15:56
abqkawi1000	dstanek 2017-02-07 15:55:18.071 1627 DEBUG keystone.middleware.auth [req-2caed38c-b2e5-4df7-af67-2df6b649e452 - - - - -] There is either no auth token in the request or the certificate issuer is not trusted. No auth context will be set. _build_auth_context /usr/lib/python2.7/dist-packages/keystone/middleware/auth.py:71	15:56
abqkawi1000	Doing a swift --insecure stat --debug shows I get a 200 from the identity endpoint and get a token. Then I hit the swift proxy and get a 503	15:59
dstanek	abqkawi1000: can you use that token directly against keystone just to check it?	16:00
abqkawi1000	cee-infra037:Z[~] > swift --insecure stat --debug DEBUG:keystoneclient.auth.identity.v2:Making authentication request to https://destructo.domain:5000/v2.0/tokens DEBUG:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): destructo.domain DEBUG:requests.packages.urllib3.connectionpool:https://destructo.domain:5000 "POST /v2.0/tokens HTTP/1.1" 200 3842 DEBUG:requests.packages.urllib3.connection	16:00
abqkawi1000	DEBUG:requests.packages.urllib3.connectionpool:http://10.203.0.101:8080 "HEAD /v1/AUTH_e3bc5c043ba245a0b7518e33676d36f7 HTTP/1.1" 503 0 INFO:swiftclient:REQ: curl -i http://10.203.0.101:8080/v1/AUTH_e3bc5c043ba245a0b7518e33676d36f7 -I -H "X-Auth-Token: gAAAAABYme6Ey-_u8eJTxxaMMok295PPauXfklBrgUBtZmkSlQILRmBIHVNZBnfAyd72thsaE-1fptlWJzcB1xhpPCIhnM2x-Xw5coOC3WsfP57-O2_70Yz3ROGiWfN8iL8XabCpj6dueFX_YkJKdPVNG9DwakA0pg" IN	16:02
dstanek	abqkawi1000: try to validate that token	16:02
*** adrian_otto has joined #openstack-keystone		16:02
abqkawi1000	dstanek sure....umm I am a keystone rookie. How do I do that :/	16:03
abqkawi1000	looking up curl examples	16:05
*** markvoelker has joined #openstack-keystone		16:13
*** markvoelker has quit IRC		16:14
*** markvoelker has joined #openstack-keystone		16:14
*** rcernin has quit IRC		16:16
*** pcaruana has quit IRC		16:17
*** zhurong has quit IRC		16:17
*** jaosorior has joined #openstack-keystone		16:18
*** prashkre has quit IRC		16:19
*** tqtran has quit IRC		16:20
*** prashkre has joined #openstack-keystone		16:21
*** MasterOfBugs has joined #openstack-keystone		16:30
*** openstackgerrit has quit IRC		16:35
*** aloga_ has joined #openstack-keystone		16:38
abqkawi1000	dstanek If you are still around. Yup I can use that token against keystone without issue	16:39
dstanek	abqkawi1000: get it figured out?	16:39
abqkawi1000	lol	16:39
dstanek	abqkawi1000: so i would guess that it's a swift proxy issue of some sort	16:39
dstanek	abqkawi1000: i just got out of a meeting :-)	16:39
abqkawi1000	yeah feels like swift-proxy. logs in keystone confuse me " Unable to validate token: Identity server rejected authorization necessary to fetch token data"	16:42
abqkawi1000	this feels like Keystone is telling the swift-proxy service to go pound sand	16:42
dstanek	and you do see keystone logs that seem to happen at the same time as the request right?	16:43
abqkawi1000	yes right away when the curl, or horizon request is made	16:43
dstanek	abqkawi1000: then is has to be something that the proxy is doing. maybe it's not using the correct token?	16:44
abqkawi1000	dstanek: I will dig through some more logs and see if anything sticks out. Clearly the keystone portion works, and I am authenticating correctly.	16:47
abqkawi1000	dstanek: Thanks a ton for your suggestions	16:48
dstanek	abqkawi1000: yw	16:53
kfox1111	so, just saw this on one of our clouds:	16:53
kfox1111	INFO keystone.token.providers.fernet.token_formatters [req-32ccac17-bdd6-48e5-b567-009a81ce9770 - - - - -] Fernet token created with length of 268 characters, which exceeds 255 characters	16:53
kfox1111	any idea's what badness that might cause?	16:53
lbragstad	kfox1111 it shouldn't cause any badness, it's more or less just a warning to advertise against token bloat	16:54
kfox1111	ah. ok. thanks.	16:54
kfox1111	sould we be trying to do something on our end to shrink it,	16:55
kfox1111	or is it more a message for keystone devs, not operators?	16:55
lbragstad	kfox1111 are your user id/project ids not uuid format?	16:55
kfox1111	oh. yeah, probbably. we had ldap pre-exist the option to map them.	16:56
kfox1111	thanks. :)	16:57
lbragstad	kfox1111 one of the things that we do to keep size maintainable (under 255 characters) is to convert uuid like strings to their byte representation	16:57
kfox1111	makes sense.	16:57
*** lucas_ has quit IRC		17:04
*** tqtran has joined #openstack-keystone		17:11
*** jgrassler has quit IRC		17:22
*** jaosorior has quit IRC		17:22
*** jgr has joined #openstack-keystone		17:23
*** jaosorior has joined #openstack-keystone		17:23
*** jaosorior has quit IRC		17:24
*** jaosorior has joined #openstack-keystone		17:24
*** mvk has quit IRC		17:37
*** lucas_ has joined #openstack-keystone		17:43
*** adrian_otto has quit IRC		17:53
*** adrian_otto has joined #openstack-keystone		17:54
*** adrian_otto has quit IRC		17:54
lbragstad	stevemar just a heads up - but i have a conflict with the keystone meeting today. i'll be reading scroll back afterwords though - i just won't be available during it	17:57
*** browne has joined #openstack-keystone		17:57
*** jaugustine has joined #openstack-keystone		17:58
stevemar	lbragstad: ack	17:59
stevemar	meeting time :)	17:59
*** tesseract has quit IRC		18:01
*** aloga_ has quit IRC		18:03
dstanek	stevemar: i am in the same meeting...	18:03
*** prashkre has quit IRC		18:20
*** prashkre has joined #openstack-keystone		18:20
*** stingaci has quit IRC		18:22
*** MasterOfBugs has quit IRC		18:24
*** MasterOfBugs has joined #openstack-keystone		18:25
*** ngupta has joined #openstack-keystone		18:29
*** aloga_ has joined #openstack-keystone		18:33
*** MasterOfBugs has quit IRC		18:34
*** hrybacki is now known as hrybacki____		18:42
*** aloga_ has quit IRC		18:44
lbragstad	rodrigods o/	18:50
lbragstad	rodrigods i missed the first part of the meeting and i'm reading scroll back now	18:50
rodrigods	lbragstad, hey	18:50
lbragstad	rodrigods sounds like we're going to start by adding documentation around functional tests?	18:51
rodrigods	lbragstad, right!	18:51
rodrigods	giving some guidelines on writing new tests	18:51
lbragstad	rodrigods sweet - are you going to write them? someone else didn't commit to writing them did they?	18:51
rodrigods	lbragstad, i'll start, improvements are welcome!	18:52
rodrigods	created this bug to not forget: https://bugs.launchpad.net/keystone/+bug/1662623	18:52
openstack	Launchpad bug 1662623 in OpenStack Identity (keystone) "Testing keystone docs are outdated" [Wishlist,Confirmed] - Assigned to Rodrigo Duarte (rodrigodsousa)	18:52
lbragstad	rodrigods i was just going to say that when you get a patch up for the docs, let me know	18:52
rodrigods	lbragstad, ++	18:53
rodrigods	thanks	18:53
lbragstad	rodrigods i'd be happy to be the guinea pig for that	18:53
rodrigods	awesome! :)	18:54
*** ngupta has quit IRC		19:13
*** ngupta has joined #openstack-keystone		19:14
*** lucas_ has quit IRC		19:20
*** lucas_ has joined #openstack-keystone		19:20
*** MasterOfBugs has joined #openstack-keystone		19:22
*** stradling has joined #openstack-keystone		19:34
*** adrian_otto has joined #openstack-keystone		19:38
stradling	Hi, folks. I am trying to get SSL configured for client interactions with keystone. All of the documentation I have seen so far refers to the [ssl] section of keystone.conf (seems to no longer be a thing) and to the keystone-manage command line tool (likewise gone). Any suggestions for a current doc that will discuss the config (endpoints, configs, default_catalog.templates)? Thanks in advance. :)	19:40
dstanek	stradling: you mean running keystone under SSL?	19:51
stradling	Yes.	19:51
dstanek	stradling: if you are signing with a well-known CA the client should just work. if you self sign then you may have to somehow tell the client about the cert.	19:52
dstanek	not sure where OSC hides that	19:52
stradling	Thanks, dstanek. What I'm understanding is that the endpoints, configs and default_catalog.templates should be fine with all of their references to http://controller:5000/v3 (no need for https) and that all of the SSL stuff will be handled by Apache in the standard ssl.conf. Correct?	19:54
stradling	The problem is that when I try to use an OS_AUTH_URL with https://, I routinely get something like	19:55
stradling	SSL exception connecting to https://controller:5000/v3.0/auth/tokens: [SSL: UNKNOWN_PROTOCOL] unknown protocol (_ssl.c:765)	19:55
dstanek	stradling: what is service port 5000? i bet that it is not actually serving HTTPS	19:55
dstanek	stradling: the URL in the catalog should be what you expect the client to use. if you want them to use HTTPS you have to have an HTTPS link in there	19:57
stradling	dstanek: Indeed. And this is where you start to see my newbie issues. :) Should I be declaring a port 443 endpoint in open stack? Should I be declaring a port 5000 VirtualHost in SSL? These are issues I don't yet grok, and was hoping there's new documentation. The old stuff is not getting me anywhere.	19:57
stradling	OK, excellent. Now, when I added https://controller:5000/v2.0 endpoints (per documentation) to the defaults and the catalog, I got no joy. I can continue combinatorially...	19:59
stradling	Is 2.0 even a thing anymore?	19:59
dstanek	stradling: it is, but we're trying to make it go away	20:00
stradling	OK -- I'll steer clear. What I'm trying now is	20:00
stradling	openstack endpoint create --region RegionOne keystone public https://controller:5000/v3	20:00
stradling	openstack endpoint create --region RegionOne keystone internal https://controller:5000/v3	20:00
stradling	openstack endpoint create --region RegionOne keystone admin https://controller:35357/v3	20:00
dstanek	stradling: i would use an apache vhost running on 443 to serve up keystone. i'm pretty sure that's what devstack does now	20:01
stradling	OK -- here's what I have in place there:	20:01
stradling	LoadModule ssl_module modules/mod_ssl.so	20:01
stradling	Listen 443	20:01
stradling	<VirtualHost *:443>	20:01
stradling	ServerName cdc-k14-41.storage.virginia.edu	20:01
stradling	SSLEngine on	20:01
stradling	SSLCertificateFile /etc/pki/tls/certs/cdc-k14-41_storage_virginia_edu_cert.cer	20:01
stradling	SSLCertificateKeyFile /etc/pki/tls/private/uva_openstack.key	20:01
stradling	</VirtualHost>	20:01
stradling	Shall I just create a 443 endpoint with https?	20:01
stradling	Also -- if I work through all of this successfully, is there an appropriate place to contribute documentation of the process?	20:02
dstanek	stradling: i'm surprised that this isn't in one of the install guides or the admin guide	20:05
stradling	And that worked, to an extent! Now on to [SSL: CERTIFICATE_VERIFY_FAILED]. Much appreciated.	20:05
stradling	stank -- Yeah, I think it just hasn't come along with the changes. I'd be happy to be shown otherwise... but will be documenting as I go.	20:06
stradling	(Dang it -- sorry. Autocorrect changed the dstanek reference!)	20:06
*** lucas_ has quit IRC		20:10
dstanek	stradling: np. i think we don't have anything in keystone docs because it's an apache (or other webserver) problem	20:10
*** lucas_ has joined #openstack-keystone		20:11
stradling	dstanek Yeah, the cert verification is certainly Apache. To get a new admin up to the point of using and validating SSL in that context, however, will require an update.	20:12
dstanek	stradling: beyond configuring apache is there anything you had to do?	20:13
stradling	For example, http://docs.openstack.org/admin-guide/identity-troubleshoot.html still mentions keystone-manage (last mod 2017-02-07)	20:13
stradling	So far -- defining a correct endpoint. Not much of a change, but still a source of flailing. (At least for me. :)	20:14
dstanek	stradling: hmm....that actually hasn't been the recommended way to manage certs for as long as i can remember	20:15
stradling	dstanek Indeed. It's causing me headaches as we speak.	20:15
*** dave-mccowan has quit IRC		20:19
dstanek	stradling: the pki_setup is actually deprecated and has a nice warning about not using it	20:20
dstanek	i'm not sure if the docs is references are updated though	20:20
stradling	Yeah, I agree. I'm guessing this is a bit of documentation rot. I got to this one through the main documentation links via the admin docs.	20:21
stradling	Here's another that discusses keystone-manage pki_setup	20:23
stradling	http://docs.openstack.org/admin-guide/identity-certificates-for-pki.html	20:23
dstanek	stradling: just took a look at this keystone docs and they seem to be correct for pki_setup	20:24
stradling	OK. Then I'll start trusting it. Thanks!	20:25
dstanek	http://docs.openstack.org/developer/keystone/configuration.html#generating-a-signing-certificate-using-pki-setup	20:26
stradling	dstanek Thanks -- for that and all of the patient explanation. :)	20:29
dstanek	stradling: np	20:34
* morgan summons termie via twitter and braces for impact :P		20:36
*** dave-mccowan has joined #openstack-keystone		20:37
*** jaosorior has quit IRC		20:40
*** openstackgerrit has joined #openstack-keystone		20:44
openstackgerrit	Anthony Washington proposed openstack/keystone master: WIP: Clear the project ID from user information https://review.openstack.org/430434	20:44
* dolphm expects nothing less from termie https://www.youtube.com/watch?v=EwUilIo036g&t=8s		20:48
*** iurygregory has quit IRC		20:50
morgan	dolphm: ping need your help with something	20:50
morgan	dstanek: if you have a moment	20:50
morgan	s/dstanek/dolphm	20:51
morgan	dolphm: no rush though, wanted to check something in gerrit. (functionality) [actually any core would work]	20:52
dolphm	morgan: i have about 15 minutes	20:52
morgan	dolphm: ok sec	20:52
lbragstad	dolphm "you know that's really hard on your knees" lol	20:52
openstackgerrit	Morgan Fainberg proposed openstack/keystone master: DNM: Testing https://review.openstack.org/430436	20:52
morgan	dolphm: can you -1 workflow that ^	20:52
morgan	for me	20:52
dolphm	morgan: done	20:52
openstackgerrit	Morgan Fainberg proposed openstack/keystone master: DNM: Testin https://review.openstack.org/430436	20:53
morgan	dolphm: thanks	20:53
morgan	adrian_otto: ^	20:53
morgan	adrian_otto: just to confirm for you, new patch cleared it	20:53
morgan	dolphm: much appreciated! (i saw you typing, or i would have poked another core)	20:54
morgan	dolphm: hehe	20:54
dolphm	morgan: i didn't have time to -1	20:54
stevemar	morgan: wat	20:54
dolphm	morgan: fixed	20:54
morgan	dolphm: LOL	20:54
dstanek	morgan: rackers are not just interchangeable cogs	20:54
morgan	dstanek: prove it	20:54
morgan	dolphm: hehe was confirming that workflow -1 wasnb't sticky	20:55
dolphm	morgan: it shouldn't be, but it could be a project-specific setting?	20:55
morgan	dstanek: it's the same trap as mor<tab> in lots of channels	20:55
morgan	dolphm: nah it looked like in the project in question it was either a rebase (simple) or no subsequent patch posted	20:55
dstanek	morgan: :P	20:56
morgan	dolphm: but this was just a 2x check, because i was sure it wasn't sticky... but you know, i have occasionally been wrong	20:56
lbragstad	antwash i like the approach to add cascade for default_project_id	20:57
antwash	lbragstad : ++ rderose	20:57
dolphm	lbragstad: cascade delete users with a default project iD?	20:57
morgan	lbragstad: i want default_project_id to die... i really do =/	20:57
*** adu has joined #openstack-keystone		20:57
morgan	dolphm: hahahahah oh that would be awesome	20:57
rderose	morgan: me too	20:57
morgan	lbragstad: warning that change in LARGE users will lock up keystone for a while btw	20:58
morgan	lbragstad: it has potential to be ugly.	20:58
lbragstad	dolphm cascade set default project id to none when a project is deleted	20:58
lbragstad	morgan dolphm yeah - antwash is currently pealing back all the layers of the onion	20:58
morgan	lbragstad: default_project_id is not indexed	20:59
antwash	morgan : i was honored to hear a rant about default_project_id this morning haha	20:59
morgan	lbragstad: that must be indexed before we accept the code	20:59
morgan	antwash: ^ cc	20:59
lbragstad	morgan it must be indexed before we can add a constraint you mean?	21:00
dolphm	lbragstad: yeah, that'd be a good idea	21:00
antwash	index.. meaning?	21:00
dolphm	lbragstad: add the index in an expand?	21:00
morgan	yu cannot use FKs	21:01
morgan	resource and user are not guaranteed to be in the same DB.. backend, or anything	21:01
morgan	the earlier option with the listener that did an iterative update of users was the correct form	21:01
lbragstad	dolphm morgan antwash just proposed this https://review.openstack.org/#/c/430434/1/keystone/common/sql/expand_repo/versions/022_expand_add_user_project_fk_constraint.py,unified	21:01
morgan	lbragstad: ^ sorry	21:01
morgan	yeah	21:01
morgan	i saw	21:01
morgan	-1, actually -2 (because we can't FK that)	21:02
morgan	no FKs across subsystems	21:02
morgan	i didn't -2 since antwash is here :)	21:02
morgan	and active.	21:02
morgan	but we can't add that FK.	21:02
dolphm	while morgan is right, i'd like him to be wrong	21:02
stevemar	morgan: why is magnum creating their own governance doc?	21:03
*** raildo has quit IRC		21:03
morgan	it would require that you can never ever use a resource backend that isnt' the same DB/backend as the user table	21:03
dolphm	stevemar: what	21:03
morgan	stevemar: because they want to outline the principles for the team	21:03
morgan	and how the team itself / project runs.	21:03
morgan	instead of relying on tribal knowledge	21:03
lbragstad	morgan would you be so kind to document that in the latest review?	21:03
morgan	i did, but i can expand if needed	21:04
morgan	dolphm: yes i wish i was wrong on this front too.	21:04
lbragstad	morgan antwash has another proposal that registers a notification callback to pass the project id to the backend	21:04
*** nicolasbock has quit IRC		21:04
morgan	lbragstad: yes, that was the one i was referring to when i said we need to index default_project_id column	21:04
lbragstad	antwash sorry for the bum advice earlier :(	21:05
antwash	morgan : thanks for the feedback, I'll continue working on the other approach :)	21:06
antwash	lbragstad: it's no biggie -- all learning over here lol	21:06
*** ianw has quit IRC		21:07
*** ianw has joined #openstack-keystone		21:08
morgan	antwash: :) hey, just know i prefer the automatic cascade stuff... i wish we could take it, but design of keystone prevents it	21:08
stevemar	morgan: i just dont want every project doing their own governance doc	21:08
morgan	stevemar: i actually would encourage it.	21:08
morgan	stevemar: if they project has specifics, it is worth having	21:08
morgan	stevemar: the TC does not dictate specifics of what a -2 must include when issuing it.	21:09
morgan	the TC does not dictate how cores are selected, if the PTL wishes to delegate that to a vote, they may	21:09
openstackgerrit	Anthony Washington proposed openstack/keystone master: Clear the project ID from user information https://review.openstack.org/429047	21:09
morgan	those types of things make a lot of sense to have encoded outside of tribal knowledge	21:09
*** harlowja has quit IRC		21:09
stevemar	morgan: i agree that it may make sense for kolla/magnum/cinder/neutron to have additional docs, but i can see other projects abusing this	21:10
*** dave-mccowan has quit IRC		21:10
morgan	stevemar: ok, so stop that. do not attribute malice pre-emptively here	21:11
morgan	stevemar: it is a trap openstack falls into a lot. Trust until you have a reason not to.	21:11
morgan	have the projects given you reason to distrust them writing an open doc like magnum has?	21:11
* morgan has not seen anything to that point		21:11
*** nicolasbock has joined #openstack-keystone		21:11
morgan	if you want to block these things, lets have a TC proposal and a stronger involvement of the TC outlining how thse things work	21:12
morgan	otherwise this is the right direction for projects to avoid "oh how are cores selected"	21:12
dolphm	if every project documented their culture, maybe we'd have a better way to spot differences, spread better ideas, and conform with consensus when & where it makes sense?	21:12
morgan	and needing to get an answer (or similar)	21:13
morgan	dolphm: ++	21:13
morgan	i think keystone should very much do exactly the same thing	21:13
morgan	and document the culture in a clear way	21:13
stevemar	guess we'll see how the magnum one shakes out	21:14
dolphm	stevemar: just curious, how did you hear about the magnum one?	21:15
dstanek	dolphm: ++	21:15
stevemar	dolphm: tc was added to review	21:17
dolphm	ha	21:17
stevemar	dolphm: just interested in the 'why' this became to be	21:19
*** prashkre has quit IRC		21:28
*** harlowja has joined #openstack-keystone		21:35
*** jamielennox is now known as jamielennox\|away		21:42
*** catintheroof has quit IRC		21:48
*** catintheroof has joined #openstack-keystone		21:49
*** catintheroof has quit IRC		21:54
*** adrian_otto has quit IRC		21:59
*** tesseract has joined #openstack-keystone		21:59
*** tesseract- has joined #openstack-keystone		22:00
*** thorst_ has quit IRC		22:01
*** thorst_ has joined #openstack-keystone		22:03
*** tesseract has quit IRC		22:07
*** tesseract- has quit IRC		22:07
*** thorst_ has quit IRC		22:08
*** tesseract has joined #openstack-keystone		22:08
lbragstad	antwash the latest revision of your patch is much cleaner!	22:12
*** lucas_ has quit IRC		22:13
antwash	lbragstad: gracias, thanks for the review, I forgot to make that read/write change	22:13
*** chris_hultin is now known as chris_hultin\|AWA		22:16
*** spilla has quit IRC		22:18
*** martinlopes has joined #openstack-keystone		22:20
*** thorst_ has joined #openstack-keystone		22:20
*** thorst_ has quit IRC		22:25
*** tesseract is now known as tesseract-RH		22:26
*** adriant has joined #openstack-keystone		22:27
*** edmondsw has quit IRC		22:29
*** tesseract-RH is now known as tesseract		22:31
*** stradling has quit IRC		22:36
*** jamielennox\|away is now known as jamielennox		22:42
rodrigods	stevemar, hey... we removed "saml2" from auth methods only in ocata, right?	22:51
*** gyee has joined #openstack-keystone		22:57
stevemar	rodrigods: i believe so	22:58
*** edmondsw has joined #openstack-keystone		22:59
*** chris_hultin\|AWA is now known as chris_hultin		23:00
*** tesseract has quit IRC		23:00
*** tesseract has joined #openstack-keystone		23:00
*** tesseract-RH has joined #openstack-keystone		23:01
*** tesseract has quit IRC		23:01
*** tesseract-RH has quit IRC		23:01
*** jperry has quit IRC		23:03
*** edmondsw has quit IRC		23:04
*** gyee has quit IRC		23:11
*** ngupta has quit IRC		23:11
*** lamt has quit IRC		23:25
*** zhurong has joined #openstack-keystone		23:26
*** zhurong has quit IRC		23:28
adriant	is there any API method to reparent a project or do I have to do some SQL?	23:32
adriant	because trying to do it with the cli I get: "Update of `parent_id` is not allowed. (HTTP 403)"	23:32
*** stradling has joined #openstack-keystone		23:33
morgan	adriant: reparent?	23:35
morgan	adriant: that is a massive security flaw.	23:35
morgan	erm issue	23:35
morgan	we explicitly do not allow it	23:35
adriant	blast :(	23:35
morgan	and it can't be added. Due to the way roles work, inheritance, etc on projects, you suddenly have users / groups with access to things they shouldn't (possibly)	23:36
morgan	same reason domain_id is imutable	23:36
morgan	adriant: what are you trying to solve?	23:36
adriant	It's because I want to try and clean up an awful single layer domain and reparent top level projects under a new one.	23:36
*** adu has quit IRC		23:36
morgan	unfortunately the answer is create new projects and migrate to the new project spaces	23:37
morgan	it's not smooth but it's the best (secure) way to do it	23:37
morgan	you could write direct SQL to updat eparent_ids	23:37
adriant	Secure isn't a problem here	23:37
morgan	as an operator i can't say "don't do that"	23:37
adriant	I'm doing this as admin to known projects	23:37
morgan	but from a "secure API that is consistent" implementing what you're asking for would be bad (tm) for us.	23:38
morgan	as the upstream project	23:38
morgan	the best answer is probably to do some direct SQL updates to the parent_id columns (not recommended but since it's known, it is the work-around)	23:38
morgan	but you can see why we don't support that functionality	23:38
morgan	from a security standpoint	23:39
adriant	It doesn't really seem very much of a security flaw if done knowingly.	23:39
adriant	This would be a stupid user feature	23:39
adriant	but hugely useful for admins	23:39
morgan	not really a good one though	23:39
morgan	so, i have roles on project X, and they are inherited	23:39
morgan	an admin moves a prohject under X, not realizing it	23:40
morgan	or x under a project with other inherited roles	23:40
morgan	that a domain admin set	23:40
morgan	it opens all sorts of wonky security concerns	23:40
adriant	I'd assume anyone doing that would be aware of the inheritance if not, why do they have admin?	23:40
morgan	not guaranteed	23:41
morgan	so user B has the ability to grant roles on Y	23:41
morgan	admin moves X under Y, user B shouldn't have access, but now grants himself a role inherited	23:41
morgan	it's just a ton of moving parts to consider	23:41
morgan	and it is specifically a security hardening thing to start.	23:42
adriant	but he already had admin so has access to X anyway if he wants it?	23:42
morgan	no that is not a guarantee	23:42
morgan	the user may not be an admin	23:42
morgan	anyway, my answer stands, we don't suppor shuffling hierarchy for the same reason we don't allow shuffling domain_ids	23:43
adriant	yes, but we're not talking about cloud_admins rather true superuser admins	23:43
morgan	that is not something i want to encode in APIs	23:43
morgan	super user admin = access to SQL, might as well just update the rows	23:43
morgan	nothing i can do to stop that	23:43
adriant	yeah... I guess	23:44
adriant	updating the parent_id field won't break anything right?	23:44
morgan	i don't think it'd be an issue	23:44
morgan	but... honestly we don't test that	23:44
adriant	The links should all still work the same	23:44
adriant	I'll play with it and see.	23:44
morgan	it isn't a FK or anyting magic	23:44
morgan	it's just a reference to another ID	23:44
morgan	so it should be fine(ish) to move. but if you have heirarchical quotas in other projects	23:45
morgan	those would be broken	23:45
morgan	(cinder/nova) [ not sure of the state of impl on that front ]	23:45
adriant	This would only be a one-time thing to allow me to start transitioning everyone to and HMT like structure	23:45
morgan	seriously the best case is create new projects and have people migrate to them.	23:45
adriant	too hard	23:45
adriant	too many projects, too many resources	23:46
* morgan shrugs.		23:46
morgan	it's what I would insist on if i was the cloud operator. but i'd help folks do it.	23:46
adriant	heirarchical quotas don't exist yet that I'm aware of...	23:46
morgan	scripting.	23:46
morgan	but thats me.	23:46
samueldmq	we have a new PTL	23:46
samueldmq	congrats lbragstad :D	23:46
morgan	oh we do?	23:46
samueldmq	well deserved	23:46
morgan	oh goodie, time to make lbragstad's life hard instead of stevemar's ;)	23:46
morgan	lbragstad: congrats man	23:47
lbragstad	samueldmq morgan thanks!	23:47
* morgan quickly -2s all of lbragstad's patches		23:47
samueldmq	I can see the results in the link from the email I received to vote	23:47
adriant	lbragstad, congrats!	23:47
lbragstad	ayoung thanks!	23:47
lbragstad	morgan i don't have any patches muahahaha	23:47
morgan	lbragstad: there is a bunch of launchpad things that will need updates	23:47
morgan	lbragstad: it's gonna be "fun"(tm)	23:48
* lbragstad so it begins		23:48
*** jaugustine has quit IRC		23:48
morgan	adriant: i like that your real-name in irc is set to "realname" :P	23:48
adriant	morgan: I'll play with the sql in a few dev deploys, but since we can't live migrate between projects I think sql will be the only option for some of them. :(	23:48
adriant	hahah	23:48
adriant	that's me being lazy and forgetting to remove a default	23:48
*** chris_hultin is now known as chris_hultin\|AWA		23:48
morgan	adriant: well the way I'd do it is i'd make new projects and as you spin down resources i'd spin them up in the new place. legacy things would be a planned migration down the line. but thats me.	23:49
morgan	adriant: but i am also very picky about things when i run a system like a cloud	23:49
morgan	i don't muck with the SQL	23:49
morgan	related: damn i knew we should have made the db schema obscured and all binary blobs :P	23:49
adriant	morgan: we try to avoid it as well, that's why I was hoping for an API	23:49
* morgan proposes a change to obfuscate the keystone schema, data, all via ROT26 :P		23:50
morgan	i mean...	23:50
morgan	>>	23:50
morgan	<<	23:50
adriant	I've been trying to migrate us to a sort of HMT like structure for ages, but everyone keeps creating top level projects and it is such a huge mess	23:50
morgan	adriant: remove their ability to do so	23:50
morgan	no new project creation at the top	23:50
morgan	only in the new location(s) :P	23:50
morgan	policy.json and RBAC updates ;)	23:51
adriant	I'm working on it... My goal is that all new project creation comes through my management/task service	23:51
adriant	since project creation for us means linking to details in the ERP system as well...	23:51
adriant	which people forget to do	23:51
morgan	ayup	23:51
adriant	Automate all the things! Get rid of pesky human error.	23:52
morgan	adriant: so can i rely on you to do the KSA auth plugin stuff?	23:52
morgan	or should i plan to start making the changes	23:52
adriant	Yes, I'll play with that for Pike	23:52
morgan	since that and some changes for ksc to support "options" need to land	23:52
adriant	And I'll see about how the hell to make it work in horizon as well.	23:54
adriant	I have a feeling that will end up a mess, but we'll see.	23:54
morgan	i have a feeling we need to improve data sent back in the 401 exception	23:56
morgan	but that should be doable	23:56
morgan	but that isn't a huge hurdle	23:56
adriant	oh, morgan, something that might terrify you a little. Our ops team had a tally on the whiteboard: "SQL is my API" because of how often we'd need to do some SQL to clean up things the API didn't do right.	23:57
morgan	since the type of exception wont even be changed.	23:57
morgan	depends on for which db	23:57
morgan	i'm not surprised	23:57
adriant	nova, neutron quite often	23:58
adriant	for hung instances or routers	23:58
morgan	having run openstack clouds from grizzly -> icehouse, i am really not surprised	23:58
adriant	yeah, we started with havana	23:58
morgan	actually... folsom->icehouse	23:58
adriant	back before we switched to UUID tokens for keystone, we had to table truncate since a token clean-up command would stall and kill keystone.	23:58
adriant	It's been an interesting journey	23:59
morgan	yep we have a general fix for that because of that issue	23:59

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!