Wednesday, 2017-10-04

« Tuesday, 2017-10-03 Index Thursday, 2017-10-05 »
*** jistr has quit IRC00:00
*** jistr has joined #openstack-keystone00:01
*** lnxnut has joined #openstack-keystone00:11
*** lnxnut has quit IRC00:21
*** tonytan4ever has quit IRC00:27
*** gyee has joined #openstack-keystone00:36
*** itlinux has joined #openstack-keystone00:36
*** itlinux has quit IRC00:58
*** markvoelker has joined #openstack-keystone01:01
*** lnxnut has joined #openstack-keystone01:18
*** tonytan4ever has joined #openstack-keystone01:20
*** nicolasbock_ has quit IRC01:26
*** lnxnut has quit IRC01:29
*** itlinux has joined #openstack-keystone01:35
*** oikiki has joined #openstack-keystone01:37
*** itlinux has quit IRC01:42
*** oikiki has quit IRC01:44
*** gyee has quit IRC01:47
*** catintheroof has joined #openstack-keystone02:03
*** catintheroof has quit IRC02:19
*** lnxnut has joined #openstack-keystone02:26
*** catintheroof has joined #openstack-keystone02:29
*** lnxnut has quit IRC02:36
*** MasterOfBugs has quit IRC02:56
*** erlon has quit IRC03:01
*** catintheroof has quit IRC03:09
*** itlinux has joined #openstack-keystone03:23
*** itlinux has quit IRC03:31
*** itlinux has joined #openstack-keystone03:32
*** lnxnut has joined #openstack-keystone03:34
*** itlinux has quit IRC03:41
*** lnxnut has quit IRC03:44
*** boris_42_ has quit IRC03:44
openstackgerritMerged openstack/oslo.policy master: External Policy hook should support SSL  https://review.openstack.org/49178303:52
openstackgerritMerged openstack/keystone master: Add test GET for member url in the Assignment API  https://review.openstack.org/49997703:54
*** tristanC has quit IRC04:16
*** tristanC has joined #openstack-keystone04:23
*** tbh_ has joined #openstack-keystone04:31
*** prashkre has joined #openstack-keystone04:38
*** lnxnut has joined #openstack-keystone04:40
*** prashkre has quit IRC05:00
*** lnxnut has quit IRC05:06
*** aojea has joined #openstack-keystone05:08
*** tonytan4ever has quit IRC05:12
*** prashkre has joined #openstack-keystone05:17
*** markvoelker has quit IRC05:20
*** prashkre has quit IRC05:22
*** prashkre has joined #openstack-keystone05:26
*** lnxnut has joined #openstack-keystone05:33
*** aojea has quit IRC05:35
*** lnxnut has quit IRC05:37
*** akrzos has quit IRC05:54
*** jmlowe has quit IRC05:55
*** jmlowe has joined #openstack-keystone05:56
*** aojea has joined #openstack-keystone05:57
*** oikiki has joined #openstack-keystone06:03
*** cfriesen has quit IRC06:04
*** prashkre_ has joined #openstack-keystone06:08
*** prashkre has quit IRC06:08
*** prashkre__ has joined #openstack-keystone06:09
*** aojea has quit IRC06:10
*** rm_work has quit IRC06:11
*** prashkre_ has quit IRC06:13
*** rm_work has joined #openstack-keystone06:14
*** akrzos has joined #openstack-keystone06:22
openstackgerritMerged openstack/keystone master: Remove middleware reference to PARAMS_ENV and CONTEXT_ENV  https://review.openstack.org/50841006:23
*** aselius has quit IRC06:28
*** rcernin has joined #openstack-keystone06:30
*** edmondsw has joined #openstack-keystone06:33
*** lnxnut has joined #openstack-keystone06:34
*** edmondsw has quit IRC06:37
*** belmoreira has joined #openstack-keystone06:38
openstackgerritMerged openstack/keystone master: Remove v2.0 token APIs  https://review.openstack.org/49978406:39
openstackgerritMerged openstack/keystone master: Remove v2.0 auth APIs  https://review.openstack.org/50446506:40
openstackgerritMerged openstack/keystone master: Remove v2.0 test plumbing  https://review.openstack.org/50674806:40
*** tonytan4ever has joined #openstack-keystone06:43
*** namnh has joined #openstack-keystone06:44
*** tonytan4ever has quit IRC06:48
*** pcaruana has joined #openstack-keystone06:48
*** ioggstream has joined #openstack-keystone06:51
*** tbh_ has quit IRC06:51
*** ioggstream has quit IRC06:53
*** spectr has quit IRC06:54
*** spectr has joined #openstack-keystone06:55
*** lnxnut has quit IRC06:57
*** tesseract has joined #openstack-keystone07:16
*** sdake_ has joined #openstack-keystone07:16
*** sdake_ is now known as Guest5227907:17
*** Guest52279 has quit IRC07:17
*** markvoelker has joined #openstack-keystone07:21
*** tonytan4ever has joined #openstack-keystone07:21
openstackgerritMerged openstack/keystone master: Refactor removal of duplicate projects/domains  https://review.openstack.org/49157407:23
*** markvoelker has quit IRC07:55
*** prashkre__ has quit IRC08:01
*** tonytan4ever has quit IRC08:02
*** tonytan4ever has joined #openstack-keystone08:02
*** prashkre__ has joined #openstack-keystone08:02
*** tonytan4ever has quit IRC08:03
*** namnh has quit IRC08:14
*** edmondsw has joined #openstack-keystone08:21
*** edmondsw has quit IRC08:26
*** lnxnut has joined #openstack-keystone08:28
openstackgerritColleen Murphy proposed openstack/keystonemiddleware master: Rename auth_uri to www_authenticate_uri  https://review.openstack.org/50852208:36
*** nkinder has quit IRC08:41
*** lnxnut has quit IRC08:47
*** jaosorior has quit IRC08:51
*** markvoelker has joined #openstack-keystone08:52
*** jaosorior has joined #openstack-keystone08:56
*** oikiki has quit IRC09:11
*** nkinder has joined #openstack-keystone09:15
*** markvoelker has quit IRC09:26
*** lnxnut has joined #openstack-keystone09:45
*** Suramya has joined #openstack-keystone09:53
*** lnxnut has quit IRC09:56
*** aojea has joined #openstack-keystone10:06
*** edmondsw has joined #openstack-keystone10:09
*** aojea has quit IRC10:10
*** edmondsw has quit IRC10:13
*** Suramya has quit IRC10:15
*** Suramya has joined #openstack-keystone10:20
*** markvoelker has joined #openstack-keystone10:23
*** tesseract has quit IRC10:40
*** tesseract has joined #openstack-keystone10:44
*** lnxnut has joined #openstack-keystone10:53
*** prashkre_ has joined #openstack-keystone10:54
*** markvoelker has quit IRC10:55
*** prashkre__ has quit IRC10:57
*** spectr-RH has joined #openstack-keystone10:59
*** dave-mccowan has joined #openstack-keystone11:01
*** spectr has quit IRC11:02
*** lnxnut has quit IRC11:03
*** nicolasbock_ has joined #openstack-keystone11:03
*** nicolasbock_ has quit IRC11:08
*** prashkre_ has quit IRC11:09
*** dave-mcc_ has joined #openstack-keystone11:11
*** dave-mccowan has quit IRC11:13
*** Suramya has quit IRC11:15
*** josecastroleon has quit IRC11:21
*** markvoelker has joined #openstack-keystone11:53
*** raildo has joined #openstack-keystone11:57
*** lnxnut has joined #openstack-keystone12:00
samueldmqmorning keystone12:03
samueldmqthis is really good to hear12:04
samueldmq"Keystone updated to Pike release at #CERN #Cloud. Most transparent update ever. Thanks to #OpenStack developers"12:04
samueldmq#link https://twitter.com/josecastroleon/status/91546126619342028812:04
*** lnxnut has quit IRC12:11
*** edmondsw has joined #openstack-keystone12:16
*** edmondsw_ has joined #openstack-keystone12:17
*** edmondsw has quit IRC12:21
*** markvoelker has quit IRC12:26
*** markvoelker has joined #openstack-keystone12:27
*** rodrigods has quit IRC12:54
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone master: Remove unnecessary dependency injection  https://review.openstack.org/50255012:57
*** spectr-RH has quit IRC13:00
*** rmascena has joined #openstack-keystone13:02
*** pcaruana has quit IRC13:02
*** raildo has quit IRC13:05
*** lbragstad has joined #openstack-keystone13:05
*** ChanServ sets mode: +o lbragstad13:05
*** lnxnut has joined #openstack-keystone13:08
*** spectr-RH has joined #openstack-keystone13:12
*** rmascena has quit IRC13:12
*** rmascena has joined #openstack-keystone13:13
*** pcaruana has joined #openstack-keystone13:15
*** spectr-RH has quit IRC13:16
*** rmascena is now known as raildo13:16
*** rodrigods has joined #openstack-keystone13:17
*** lnxnut has quit IRC13:17
*** spectr-RH has joined #openstack-keystone13:17
*** rodrigods has quit IRC13:17
*** rodrigods has joined #openstack-keystone13:17
lbragstadwell - all those patches that removed v2.0 merged last night13:18
*** chlong_ has joined #openstack-keystone13:22
*** lnxnut has joined #openstack-keystone13:23
*** catintheroof has joined #openstack-keystone13:24
raildolbragstad, that's awesome! great job dude13:30
openstackgerritOpenStack Proposal Bot proposed openstack/keystonemiddleware master: Updated from global requirements  https://review.openstack.org/50000513:36
*** Suramya has joined #openstack-keystone13:38
*** rodrigods has quit IRC13:43
openstackgerritOpenStack Proposal Bot proposed openstack/pycadf master: Updated from global requirements  https://review.openstack.org/47013713:43
*** rodrigods has joined #openstack-keystone13:53
*** edmondsw_ is now known as edmondsw14:07
*** rodrigods has quit IRC14:08
*** rodrigods has joined #openstack-keystone14:09
*** d0ugal has quit IRC14:10
*** lkwan_ has joined #openstack-keystone14:10
*** d0ugal has joined #openstack-keystone14:13
*** d0ugal has quit IRC14:13
*** d0ugal has joined #openstack-keystone14:13
*** smcginnis has joined #openstack-keystone14:14
*** panbalag has joined #openstack-keystone14:15
smcginnisHey, looking at a requirements job failure. Has anyone seen this before or know if it's a known issue? http://logs.openstack.org/22/509422/1/check/gate-cross-keystone-python35/cef3298/console.html#_2017-10-04_12_40_37_67435314:15
*** panbalag has left #openstack-keystone14:15
smcginnislbragstad: ^?14:16
lbragstadsmcginnis: let me dig into it quick14:18
smcginnislbragstad: We're running a recheck, so we'll see if it passes next time.14:18
smcginnislbragstad: Just thought I'd check if it was a known issue right now.14:19
cmurphysmcginnis: the line you linked looks like a passing test?14:19
lbragstadi think it's tripping on the domain bits below it14:19
smcginniscmurphy: Oops. Immediately after that line.14:19
lbragstad2017-10-04 12:40:37.676675 | Invalid domain name: d1bb128a948d4ac8a268272d622b51a014:20
smcginnisCould not find directory /etc/keystone/domains14:20
lbragstadthat also seems like something that shouldn't result in a failure?14:20
lbragstadit also shouldn't be causing or related to a timeout14:20
lbragstadwhich seems like the real cause?14:21
cmurphyi would blame zuulv314:21
smcginnisAh, good point it ends up timing out. Maybe just a red herring.14:21
smcginnisPlease ignore for now. If the recheck hits similar issues I'll dig into then.14:22
lbragstadi think it's just unlucky in that it's an informational error right before the timeout14:22
smcginnislbragstad: Yeah, probably right.14:22
lbragstadcool - keep us posted if you find out more14:22
*** pcaruana has quit IRC14:33
*** rodrigods has quit IRC14:34
*** rodrigods has joined #openstack-keystone14:36
*** cfriesen has joined #openstack-keystone14:38
*** spectr-RH has quit IRC14:41
*** spectr has joined #openstack-keystone14:42
*** rodrigods has quit IRC14:45
*** rodrigods has joined #openstack-keystone14:45
*** pcaruana has joined #openstack-keystone14:45
*** lnxnut_ has joined #openstack-keystone14:56
*** lnxnut has quit IRC14:58
knikollao/15:10
*** jamesbenson has joined #openstack-keystone15:10
*** rcernin has quit IRC15:13
*** smcginnis has left #openstack-keystone15:13
gagehugoo/15:14
*** Suramya has quit IRC15:19
*** erlon has joined #openstack-keystone15:24
ayounglbragstad, we're not doing the IAM  walkthrough during policy today, right?15:26
lbragstadayoung: no - not today i don't think15:26
lbragstadayoung: http://lists.openstack.org/pipermail/openstack-dev/2017-October/123069.html15:27
lbragstadi'm hoping we can get some consensus on ^15:27
*** pcaruana has quit IRC15:28
*** tesseract has quit IRC15:29
*** gyee has joined #openstack-keystone15:29
ayounglbragstad, cool, as I have lunch plans.  Won't be there today.  Gone next week for training.  I can follow up when I get back.15:30
lbragstadayoung:  sounds good - that should give us time to get  a solid session planned out15:30
ayoung++15:30
openstackgerritLance Bragstad proposed openstack/keystone master: Remove v2.0 user APIs  https://review.openstack.org/50951015:35
*** belmoreira has quit IRC15:35
openstackgerritLance Bragstad proposed openstack/keystone master: Remove v2.0 identity API documentation  https://review.openstack.org/50951015:36
*** mdavidson has quit IRC15:39
*** jamesbenson has quit IRC15:42
samueldmqlbragstad: cmurphy what are our current plans for keystone-tempest-plugin in terms of what we want to put there?15:44
samueldmqI want to create a tempest test for https://review.openstack.org/#/c/506340/15:45
cmurphysamueldmq: i'm not sure if we have rules but i feel like that would be a candidate to go in the regular tempest suite15:49
cmurphyright now the plugin is just doing ldap and federation stuff i think15:49
*** jamesbenson has joined #openstack-keystone15:49
openstackgerritGage Hugo proposed openstack/keystone master: Remove the v3 to v2 resource test case  https://review.openstack.org/50951915:50
*** jamesbenson has quit IRC15:52
samueldmqcmurphy: like under https://github.com/openstack/tempest/tree/master/tempest/api/identity/v315:52
samueldmq?15:52
*** jamesbenson has joined #openstack-keystone15:53
samueldmqor better ... https://github.com/openstack/tempest/blob/master/tempest/api/identity/admin/v3/test_domains.py15:53
samueldmqcmurphy: anyways, yes I think that makes sense ... thanks15:53
*** jamesbenson has quit IRC15:54
*** jamesbenson has joined #openstack-keystone15:55
openstackgerritMorgan Fainberg proposed openstack/keystone master: Remove deprecated secure_proxy_ssl_header config  https://review.openstack.org/49979815:55
cmurphysamueldmq: yeah maybe15:55
openstackgerritGage Hugo proposed openstack/keystone master: Add database migration for project tags  https://review.openstack.org/48445615:56
openstackgerritGage Hugo proposed openstack/keystone master: Implement backend logic for project tags  https://review.openstack.org/49972615:56
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone master: Remove unnecessary dependency injection  https://review.openstack.org/50255016:00
*** aselius has joined #openstack-keystone16:06
*** jamesbenson has quit IRC16:11
*** jamesbenson has joined #openstack-keystone16:16
*** magicboiz has joined #openstack-keystone16:18
magicboizHi16:18
magicboizIs it possible to configure LDAP backend + 2FA/One Time Password?16:19
magicboizthanks :)16:19
kmallocmagicboiz: in Pike it should be doable, depending on how you want to configure that. if the 2FA is built into your LDAP server auth, it will depend on how that is represented if you're usign keystone's 2FA code... I need to find the docs for you16:21
kmalloc(I think it was pike we landed the support, maybe it was late ocata?)16:21
magicboizkmalloc: thanks16:28
magicboizkmalloc: i thought it was possible to ask for user/pass to LDAP backend, and then TOTP passcode inside keystone....this might has no sense :)16:29
kmallocit should be16:29
kmallocwe implemented a chunk of that in a recent release16:30
magicboizkmalloc: if you find that doc, please let me know16:30
kmalloclooking16:30
kmallochmm. did we fail to write docs?16:32
kmalloclbragstad: ^16:32
kmalloci mean, i know we can support it, but it might require reading code to look into it. Also, I am unsure if we finished the keystoneauth mechanisms to support multiple auth plugins at once16:33
kmallocmagicboiz: basically we have a mechanism to require a combination of authentication methods.16:35
kmallocmagicboiz: but i don't see docs on this, i can point you at the code, but i think horizon and other such tools wont work with it yet, it would only work using the REST API16:36
lbragstadi thought i remember patches to ksa to do that kinda stuff16:36
kmalloclbragstad: yeah, i just don't know and we're missing docs =/16:37
*** jamesbenson has quit IRC16:37
lbragstadsweet...16:37
lbragstadi know we have this - https://docs.openstack.org/keystone/latest/advanced-topics/auth-totp.html16:37
lbragstadbut that's directly through the API16:37
lbragstadthat was around the newton time frame because we needed to implement encryption for the credential backend as a prerequisite16:39
lbragstad(which was done after I think)16:39
magicboizkmalloc, lbragstad : thanks, I thought the "Per user MFA" was related with these, a kind of auth chain....16:43
lbragstadyeah - it is16:43
kmallocyep16:43
lbragstadbut we might need to implement support through ksa so it's consumable via a library16:43
magicboizthen, the path would be something similar to http://bogott.net/unspecified/?p=2344 (he coded a custom Wmtotp(auth.AuthMethodHandler))...16:43
*** oikiki has joined #openstack-keystone16:50
* lbragstad steps away for a lunch quick16:59
*** oikiki has quit IRC17:13
*** efried is now known as efried_nomnom17:25
*** oikiki has joined #openstack-keystone17:28
*** markvoelker has quit IRC17:30
*** markvoelker has joined #openstack-keystone17:30
*** lbragstad has quit IRC17:34
openstackgerritMerged openstack/keystone master: Remove the v2.0 validate path from validate_token  https://review.openstack.org/38937117:40
*** prashkre_ has joined #openstack-keystone17:42
*** itlinux has joined #openstack-keystone17:49
*** jamesbenson has joined #openstack-keystone17:50
*** acormier has joined #openstack-keystone17:50
*** itlinux has quit IRC17:53
*** dulek_ has joined #openstack-keystone17:55
dulek_Hi! Is it normal that kestoneuWSGI worker 1 and 2 constantly use 100% CPU on both of my cores?17:56
dulek_(talking about simple DevStack installation)17:56
*** lbragstad has joined #openstack-keystone17:57
*** ChanServ sets mode: +o lbragstad17:57
*** MasterOfBugs has joined #openstack-keystone18:00
*** itlinux has joined #openstack-keystone18:04
*** dulek_ has quit IRC18:10
*** itlinux has quit IRC18:12
*** jdwidari has joined #openstack-keystone18:15
*** jdwidari has quit IRC18:15
*** jdwidari has joined #openstack-keystone18:18
*** jdwidari has quit IRC18:18
*** edmondsw has quit IRC18:20
*** jdwidari has joined #openstack-keystone18:21
*** edmondsw has joined #openstack-keystone18:23
*** edmondsw has quit IRC18:28
*** efried_nomnom is now known as efried18:32
*** edmondsw has joined #openstack-keystone18:48
*** MasterOfBugs has quit IRC18:59
*** oomichi is now known as oomichi_afk19:05
*** edmondsw has quit IRC19:06
*** edmondsw has joined #openstack-keystone19:06
openstackgerritGage Hugo proposed openstack/keystone master: Remove the v3 to v2 resource test case  https://review.openstack.org/50951919:08
*** prashkre_ has quit IRC19:10
*** chlong_ has quit IRC19:16
EmilienMI think https://github.com/openstack/keystone/commit/087b07bfd4f9e212f9d7b36b707babbf945f374f broke tripleo CI19:26
EmilienMhttps://logs.rdoproject.org/openstack-periodic-4hr/periodic-tripleo-ci-centos-7-multinode-1ctlr-featureset005-master/9155f0e/undercloud/var/log/nova/nova-api.log.txt.gz#_2017-10-04_16_36_27_06919:26
EmilienMbut I'm not sure at all19:26
EmilienMlbragstad: when you have time maybe you can look ^ you're author on the patch19:26
*** lbragstad has quit IRC19:35
*** nicolasbock has joined #openstack-keystone19:52
*** ayoung_ has joined #openstack-keystone20:03
*** ianw is now known as ianw|pto20:04
*** ayoung_ has quit IRC20:05
*** ayoung has quit IRC20:08
openstackgerritGage Hugo proposed openstack/keystone master: Implement backend logic for project tags  https://review.openstack.org/49972620:08
openstackgerritGage Hugo proposed openstack/keystone master: Implement project tags logic into manager  https://review.openstack.org/49972720:08
*** ayoung has joined #openstack-keystone20:08
*** lbragstad has joined #openstack-keystone20:27
*** ChanServ sets mode: +o lbragstad20:27
lbragstadEmilienM: i think this is probably what broke you https://review.openstack.org/#/c/504465/20:28
lbragstadhttps://review.openstack.org/#/c/389371/ is removing code that isn't actually used anymore20:29
EmilienMok20:29
lbragstadyeah (http://192.168.24.1:35357/v2.0/tokens) is removed20:30
lbragstadit looks like keystonemiddleware is looking for v2. 020:31
lbragstadand not using v320:31
openstackgerritGage Hugo proposed openstack/keystone master: Remove the v3 to v2 resource test case  https://review.openstack.org/50951920:31
lbragstadthat error should go away if keystonemiddleware validates tokens using v320:32
lbragstadEmilienM: do you have the keystonemiddleware configuration file handy for that change?20:32
EmilienMlbragstad: I'm not sure20:32
EmilienMlet me check20:32
EmilienMlbragstad: http://logs.openstack.org/17/507917/5/check/gate-tripleo-ci-centos-7-nonha-multinode-oooq/dc9619d/logs/etc/keystone/20:33
EmilienMlbragstad: which file exactly?20:33
lbragstadhttp://logs.openstack.org/17/507917/5/check/gate-tripleo-ci-centos-7-nonha-multinode-oooq/dc9619d/logs/etc/nova/nova.conf.txt.gz20:35
lbragstadthe error is coming from nova20:35
lbragstadvia keystonemiddleware20:35
EmilienMlbragstad: what's the config error?20:35
*** mwhahaha has joined #openstack-keystone20:36
EmilienMauth_uri=http://192.168.24.1:5000/v320:36
EmilienMshould be good no?20:36
lbragstadthat's auth_uri - which might not be the option you want (cmurphy is actually in the process of fixing that)20:36
lbragstadauth_url=http://192.168.24.1:3535720:37
EmilienMauth_url=http://192.168.24.1:3535720:37
EmilienMnot good?20:37
lbragstadEmilienM: it could be defaulting to v2.0 if that's deployed20:37
lbragstadEmilienM: context on what cmurphy is doing20:37
lbragstadhttps://review.openstack.org/#/c/508522/20:37
EmilienMlbragstad: how can we know?20:37
*** zzzeek has quit IRC20:39
lbragstadhttps://github.com/openstack/keystonemiddleware/blob/master/keystonemiddleware/auth_token/_auth.py#L62-L6620:39
EmilienMlbragstad: what should we change in our config?20:40
lbragstadEmilienM: looking for an example20:41
cmurphyyou need both auth_url and auth_uri, that looks fine to me20:41
EmilienMbut we have them no?20:41
openstackgerritGage Hugo proposed openstack/keystone master: Implement project tags API controller and router  https://review.openstack.org/49972820:41
EmilienMauth_url=http://192.168.24.1:35357 and auth_uri=http://192.168.24.1:5000/v320:42
EmilienMit's not good?20:42
cmurphyEmilienM: ya i think that's fine20:42
EmilienMcmurphy: it doesn't work, https://logs.rdoproject.org/openstack-periodic-4hr/periodic-tripleo-ci-centos-7-multinode-1ctlr-featureset005-master/9155f0e/undercloud/var/log/nova/nova-api.log.txt.gz#_2017-10-04_16_36_27_06920:43
EmilienMAuthorization failed for token: NotFound: (http://192.168.24.1:35357/v2.0/tokens): The resource could not be found20:43
EmilienMlike lbragstad said, https://github.com/openstack/keystonemiddleware/blob/master/keystonemiddleware/auth_token/_auth.py#L62-L66 is maybe a reason20:43
EmilienMhow does it work in devstack?20:43
lbragstadthat's what i'm checking - along with osa20:44
EmilienMk20:44
lbragstadhttps://github.com/openstack/openstack-ansible-os_nova/blob/master/templates/nova.conf.j2#L183-L19320:44
lbragstadosa nova keystone_authtoken configs20:44
EmilienMwhich is?20:45
lbragstadthey are pulled from here i think https://github.com/openstack/openstack-ansible-os_keystone/blob/master/defaults/main.yml#L147-L15720:45
mwhahahaEmilienM: make sure we're properly defining the domain and stuff. that was the problem with our neutron bits where it was 'working' because it sliently used v220:46
mwhahahawe aren't explicitly configuring the domain20:48
lbragstadnova also sets https://github.com/openstack/openstack-ansible-os_nova/blob/master/defaults/main.yml#L19620:48
lbragstadactually - it looks like that's set in your config,too20:49
*** oikiki has quit IRC20:49
EmilienMmwhahaha: should we change default in nova::keystone::authtoken or in keystone::resource::authtoken you think?20:50
mwhahahanot sure, the problem in neutron was the cli usage in the provider https://review.openstack.org/#/c/509469/20:50
mwhahahawondering if it's a similar problem here where some code is improperly falling back without a domain defined20:50
EmilienMmwhahaha: I never remember if we want Default or default by default20:52
mwhahahaDefault i think20:52
EmilienMk20:52
*** panbalag has joined #openstack-keystone20:53
EmilienMmwhahaha: I think we should fix it at the highest level as possible and set the right defaults, so it works out of the box for our users without any change20:53
EmilienMmwhahaha: because if we go down to the path of updating nova::keystone::authtoken - we'll have to do it for all modules20:53
EmilienMsince v2 was removed, i think it's safe to set the default for both params20:54
mwhahahayea20:54
mwhahahabut shouldn't the highest level be in the python code itself20:55
EmilienMmwhahaha: that's a question for lbragstad or cmurphy20:55
*** zzzeek has joined #openstack-keystone20:57
cmurphyDefault is the *_domain_name and default is the *_domain_id20:58
EmilienMcmurphy: ok thanks!20:58
cmurphyEmilienM: mwhahaha what do you mean by the highest level?20:59
EmilienMlet me show20:59
EmilienMcmurphy: https://github.com/openstack/puppet-keystone/blob/master/manifests/resource/authtoken.pp#L226-L22720:59
EmilienMI'm about to change the default for these 2 values, and be "Default"21:00
EmilienMso all puppet-* who call this Define (all I think) will have Default domain in their *.conf file21:00
cmurphyEmilienM: gotcha21:00
EmilienMcmurphy: makes sense?21:01
*** oikiki has joined #openstack-keystone21:01
EmilienMcmurphy: the best option would be to fix it in Keystone itself21:01
EmilienMcmurphy: defaulting this param to Default21:01
EmilienMI would love this option but not sure if that would work for you21:01
cmurphyEmilienM: no i'm pretty sure we're always going to require the domain be set explicitly even if it's Default21:02
EmilienMcmurphy: why?21:02
clarkbiirc keystone doesn't actually have a default default21:02
clarkbits created at run time isn't it and oculd be arbitrary?21:03
mwhahahabut if not defined, it shouldn't be falling back to v221:03
mwhahahathat's the problem21:03
clarkboh defintely, I seem to recall having this argument back when devstack added in v3 support and things got weird21:03
cmurphymwhahaha: yeah that is a problem21:04
mwhahahaso it's fine if it needs to be defined, but that should be an error21:04
clarkbthat things should just work by default but iirc the response was there is no default default21:04
mwhahahanot a error cause v2 isn't there21:04
mwhahahaso if there's not a default, default it needs to not be defined in puppet and be a required param21:05
mwhahahain keystone the fix needs to be to properly error if the required bits are not passed21:05
mwhahahaor kestone auth21:05
*** panbalag has left #openstack-keystone21:05
EmilienMmwhahaha: so fix in puppet?21:06
mwhahahano21:06
mwhahahapuppet's fix is to make it required21:06
mwhahahatripleo needs to pass domain21:06
mwhahahakeystone needs to fix handling of requests w/o a domain now that v2 is dead21:07
EmilienMmwhahaha: ok21:07
EmilienMmwhahaha: so I'll change all modules to require the domain params, and tripleo to use them. Ok?21:07
mwhahahayes21:07
mwhahahaedit teh world21:07
EmilienMmwhahaha: ok21:07
clarkbya reading devstack its an explicit create of the Default domain then inisets for services keystone auth middle ware to use that daomin, implying it could be a completely arbitrary base/default domain21:09
clarkbiirc the weirdness was keystone had to be completely configured and running before we could start or configure any other serices as the domain had to be known or maybe it was the domain uuid21:09
mwhahahayea this seems to be an odd interaction in keystoneauth21:10
mwhahahanot necessarily keystone itself21:10
*** zzzeek has quit IRC21:19
*** ayoung has quit IRC21:20
*** zzzeek has joined #openstack-keystone21:20
*** ayoung has joined #openstack-keystone21:23
*** zzzeek has quit IRC21:23
*** zzzeek has joined #openstack-keystone21:25
*** edmondsw has quit IRC21:32
*** edmondsw has joined #openstack-keystone21:32
*** raildo has quit IRC21:35
*** edmondsw has quit IRC21:37
*** catintheroof has quit IRC21:41
*** jamesbenson has quit IRC21:57
*** acormier has quit IRC22:11
*** lbragstad has quit IRC22:38
*** edmondsw has joined #openstack-keystone22:41
*** edmondsw has quit IRC22:46
*** edmondsw has joined #openstack-keystone23:13
*** edmondsw has quit IRC23:35
*** oikiki has quit IRC23:49
*** oikiki has joined #openstack-keystone23:56
« Tuesday, 2017-10-03 Index Thursday, 2017-10-05 »

Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!