Thursday, 2017-11-30

ayoungjamielennox, so we need a conversion between when ATM runs and when oslo-context gets the values00:00
jamielennoxwhat i'm saying is that it's not something we made up00:00
jamielennoxayoung: so what i found yesterday is that the header setting is not happening in the thing we subclass00:00
jamielennoxso we can't do the from_environ thing in keystone00:00
ayoungright00:00
ayoungjamielennox, look at my latest on your patch00:01
jamielennoxi'm guessing i expected to pull it from the token model instead because there's more variables for keystone to pull out00:01
ayoungjamielennox, how do you want to work it?00:02
jamielennoxso environ is out and it'd take too long to fix that, is the TokenModel interpreted anywhere here?00:03
*** david-lyle has quit IRC00:03
*** dklyle has joined #openstack-keystone00:03
jamielennoxwhat's putting those other vals in the environ00:03
*** rderose has joined #openstack-keystone00:03
ayoungI added the call in auth.py00:04
ayounghttps://review.openstack.org/#/c/523650/3/keystone/middleware/auth.py00:04
ayoungrequest.set_user_headers(request.token_auth.user)00:04
jamielennoxoh, right00:04
jamielennoxyea, ok that could work00:05
ayoungthe base class doesn't do that, just the ATM subclass00:05
ayoungbut it has them in the pre-processed form, X-  not HTTP_X00:05
jamielennoxayoung: it shouldn't matter00:06
jamielennoxif you set request.header['X-User-Id'] it internally sets environ['HTTP_X_USER_ID']00:06
ayoungthe context code to build from the environment expects it in the other form00:06
jamielennoxit'll transform it00:06
ayounghttp://git.openstack.org/cgit/openstack/oslo.context/tree/oslo_context/context.py#n43300:06
jamielennoxor it should00:06
ayoungnope00:07
ayoungit does a string compare with the values from here http://git.openstack.org/cgit/openstack/oslo.context/tree/oslo_context/context.py#n4500:07
*** thorst has joined #openstack-keystone00:07
*** david-lyle has joined #openstack-keystone00:07
jamielennoxoh, it looks like it converts the whole dict once and caches it00:07
*** dklyle has quit IRC00:08
jamielennoxi guess this is why our context still works like this00:08
ayounghow about a Keystone specific from_environment for now, and we work that fix up into oslo context after?00:08
jamielennoxnope00:09
jamielennoxit's on the fly: https://github.com/Pylons/webob/blob/master/src/webob/headers.py#L11700:09
ayoungare we using that?00:09
jamielennoxyea, request.headers00:10
ayoungbecause that match is not happening. I ran it through the debugger a bunch of times.00:10
ayoungAre you set up for debugging yet?00:10
jamielennoxkindof00:11
*** thorst has quit IRC00:11
jamielennoxin an office today00:12
jamielennoxbut i'm basically debugging packer so no one will know the difference00:12
ayoungheh00:14
ayoungI can keep on this.  Let me ensure we have the right class in place.00:14
*** edmondsw has quit IRC00:15
*** phalmos has quit IRC00:17
*** phalmos has joined #openstack-keystone00:18
ayoungprint request.headers.__class__00:20
ayoung<class 'webob.headers.EnvironHeaders'>00:20
kmallocjamielennox: are you still working on openstack things... or no?00:20
kmallocor just some sparetime stuff?00:20
jamielennoxkmalloc: no, not at all, just saw things coming past that i knew about00:20
kmallocah so sparetime... if/when you feel like it00:20
jamielennoxfor various reasons this week is quiet so i had some time00:20
ayoungprint request.headers['X-User-Id']00:21
ayoungb505a552c9294f4c94aafb71ccb1da3000:21
*** threestrands has quit IRC00:21
ayoungso that is good00:21
ayoungprint request.headers['HTTP_X_USER_ID']00:21
ayoung*** KeyError: 'HTTP_HTTP_X_USER_ID'00:21
ayoung(Pdb) print request.headers.__contains__('HTTP_X_USER_ID')00:23
ayoungprint request.headers.__contains__('HTTP_X_USER_ID')00:23
ayoungwhat am I missing here...00:23
*** thorst has joined #openstack-keystone00:25
*** dklyle has joined #openstack-keystone00:29
*** david-lyle has quit IRC00:30
*** phalmos has quit IRC00:38
*** david-lyle has joined #openstack-keystone00:55
*** dklyle has quit IRC00:55
*** jose-phillips has joined #openstack-keystone01:00
*** david-lyle has quit IRC01:01
*** thorst has quit IRC01:05
*** links has joined #openstack-keystone01:09
ayoungjamielennox, yeah, that is messing things up like nobody's business01:13
ayoungif the key is01:13
ayoungHTTP_X_SERVICE_TOKEN01:13
ayoungit looks for HTTP_HTTP_X_SERVICE_TOKEN01:13
*** panbalag has left #openstack-keystone01:16
*** nicolasbock has quit IRC01:22
*** edmondsw has joined #openstack-keystone01:24
*** edmondsw has quit IRC01:29
*** thorst has joined #openstack-keystone01:34
*** daidv has joined #openstack-keystone01:34
*** thorst has quit IRC01:34
openstackgerritwangxiyuan proposed openstack/keystone master: Deprecate member_role_id and member_role_name  https://review.openstack.org/52246101:36
*** annp has joined #openstack-keystone01:56
*** spzala has joined #openstack-keystone02:01
*** spzala has quit IRC02:01
*** rderose has quit IRC02:06
*** namnh has joined #openstack-keystone02:11
*** dave-mccowan has quit IRC02:18
jamielennoxayoung: it's not headers['HTTP_X..'] it's environ['HTTP_X_']02:23
ayounghmmm.02:23
jamielennoxheaders['X-User-Id'] == environ['HTTP_X_USER_ID']02:23
ayoungdamnit...02:23
jamielennoxand environ is the standard wsgi definition of environ02:24
ayoungyep, that worked...let me try the whole suite02:25
jamielennoxthat's why the oslo.context thing is from_environ() because that's standard across frameworks02:25
ayoungok...lots of tests failing due to  KeyError: 'openstack.request_id' which comes from the tests02:26
ayoungsetup that is02:26
ayoungI added that...ok, not properly defaulting...02:27
ayoungbetter....02:27
ayoungjamielennox, it seems to have Trust issues02:29
jamielennoxayoung: don't we all02:29
ayoung:)02:29
openstackgerritwangxiyuan proposed openstack/keystone master: Add new tables for unified limits  https://review.openstack.org/52304102:29
jamielennoxyea - so trusts are not something that auth_token deals with because the services don't care how the user_id etc is set02:29
jamielennoxso that's what i meant that you can get the standard variables filled, but there are some things that you would need to set on context manually02:30
ayoungexcept that they should.  Or we should come up with a better abstraction02:30
ayoungif they are checking for userid, we're going to be back in the impersonation business02:30
ayoung - Failed: 11902:31
ayoungmuch better02:31
ayoungI'm going to post this revision.02:31
openstackgerritayoung proposed openstack/keystone master: Use oslo-context  https://review.openstack.org/52365002:31
ayoungjamielennox, I think we need to append a couple of the values from http://git.openstack.org/cgit/openstack/keystone/tree/keystone/common/authorization.py#n78  so we get the oauth and trusts values02:33
openstackgerritayoung proposed openstack/keystone master: Use oslo-context  https://review.openstack.org/52365002:36
*** dave-mccowan has joined #openstack-keystone02:46
*** zhurong has joined #openstack-keystone02:46
*** rderose has joined #openstack-keystone02:54
*** threestrands has joined #openstack-keystone02:55
*** thorst has joined #openstack-keystone02:59
*** masber has joined #openstack-keystone03:03
*** masuberu has quit IRC03:07
*** edmondsw has joined #openstack-keystone03:13
*** edmondsw has quit IRC03:17
*** aselius has quit IRC03:21
openstackgerritChangBo Guo(gcb) proposed openstack/oslo.policy master: add bandit to pep8 job  https://review.openstack.org/52405503:30
*** masber has quit IRC03:30
*** masber has joined #openstack-keystone03:34
*** thorst has quit IRC03:46
*** zhurong has quit IRC03:46
*** d0ugal_ has joined #openstack-keystone03:50
*** d0ugal has quit IRC03:52
*** rderose has quit IRC03:58
*** sticker has quit IRC03:58
openstackgerritwangxiyuan proposed openstack/keystone-specs master: Limits API  https://review.openstack.org/45570904:01
*** dave-mccowan has quit IRC04:07
*** AlexeyAbashkin has joined #openstack-keystone04:15
*** thorst has joined #openstack-keystone04:16
openstackgerritwangxiyuan proposed openstack/keystone master: Add new tables for unified limits  https://review.openstack.org/52304104:18
*** AlexeyAbashkin has quit IRC04:20
*** thorst has quit IRC04:22
*** thorst has joined #openstack-keystone04:25
*** thorst has quit IRC04:29
*** thorst has joined #openstack-keystone04:55
*** thorst has quit IRC04:57
*** rderose has joined #openstack-keystone05:27
errrcmurphy: that warning stuff was coming from my newton install. I do not get the warnings in my fresh pip installed OSC virtualenv05:29
errrcmurphy: and as for the missing identity_provider_url that is set in my env but its not being used for some reason.. like its ignored by openstackclient05:30
*** thorst has joined #openstack-keystone05:31
errrcmurphy: you can even do: openstack --help|grep identity   and see that identity-provider-url isnt even listed as being a param you can pass05:32
*** thorst has quit IRC05:35
*** pcaruana has joined #openstack-keystone06:05
*** thorst has joined #openstack-keystone06:07
*** thorst has quit IRC06:12
*** rderose has quit IRC06:14
*** pcaruana has quit IRC06:16
openstackgerritwangxiyuan proposed openstack/keystone-specs master: Limits API  https://review.openstack.org/45570906:21
*** chason has joined #openstack-keystone06:23
*** masuberu has joined #openstack-keystone06:42
*** masber has quit IRC06:46
*** thorst has joined #openstack-keystone06:46
openstackgerritwangxiyuan proposed openstack/keystone-specs master: Limits API  https://review.openstack.org/45570906:47
*** edmondsw has joined #openstack-keystone06:49
*** threestrands has quit IRC06:50
*** thorst has quit IRC06:51
*** edmondsw has quit IRC06:54
*** aojea has joined #openstack-keystone07:07
openstackgerritwangxiyuan proposed openstack/keystone master: Add new tables for unified limits  https://review.openstack.org/52304107:13
openstackgerritwangxiyuan proposed openstack/keystone master: Add db operation for unified limit  https://review.openstack.org/52408207:13
*** aojea has quit IRC07:14
*** david-lyle has joined #openstack-keystone07:19
*** rcernin has quit IRC07:20
*** thorst has joined #openstack-keystone07:20
openstackgerritMerged openstack/oslo.policy master: Updated from global requirements  https://review.openstack.org/52378307:22
*** nsingh has joined #openstack-keystone07:25
*** thorst has quit IRC07:25
nsinghi am facing an issue  Call to Nova to create snapshot failed: NotFound: (http://10.232.48.205/identity/v2.0/tokens): The resource could not be found. (HTTP 404). i enabled SSL in devstack. Any help07:28
*** markvoelker has quit IRC07:37
*** thorst has joined #openstack-keystone07:52
*** pcaruana has joined #openstack-keystone07:55
*** thorst has quit IRC07:57
*** aloga has quit IRC08:03
*** aloga has joined #openstack-keystone08:03
*** AlexeyAbashkin has joined #openstack-keystone08:06
*** rcernin has joined #openstack-keystone08:07
*** hoonetorg has quit IRC08:11
*** jaosorior has quit IRC08:13
*** hoonetorg has joined #openstack-keystone08:25
*** hoonetorg has quit IRC08:26
*** hoonetorg has joined #openstack-keystone08:27
*** thorst has joined #openstack-keystone08:27
*** thorst has quit IRC08:32
*** jaosorior has joined #openstack-keystone08:34
*** edmondsw has joined #openstack-keystone08:38
*** markvoelker has joined #openstack-keystone08:38
*** gmann is now known as gmann_afk08:41
*** AlexeyAbashkin has quit IRC08:41
*** edmondsw has quit IRC08:42
*** AlexeyAbashkin has joined #openstack-keystone08:42
*** thorst has joined #openstack-keystone09:00
openstackgerritwangxiyuan proposed openstack/keystone master: Add new tables for unified limits  https://review.openstack.org/52304109:02
openstackgerritwangxiyuan proposed openstack/keystone master: Add db operation for unified limit  https://review.openstack.org/52408209:02
cmurphyerrr: i'm flummoxed o.0 I have this in my environment: http://paste.openstack.org/show/627806/ I'd also try taking osc out of the mix and just making sure ksa works http://paste.openstack.org/show/627814/09:02
cmurphynsingh: we removed the v2.0 API from keystone so latest devstack won't work with it, where are you seeing that message? whatever is using v2.0/tokens should be moved over to v3/auth/tokens09:03
*** thorst has quit IRC09:05
nsinghcmurphy:i am working with cinder nova interaction. I seen this message while passing request.09:05
cmurphynsingh: i guess make sure cinder is using v3 for auth when it is calling to nova09:08
nsinghcmurphy: in cinder.conf it is auth_url = https://10.232.48.205/identity under [keystone_authtoken]09:09
cmurphynsingh: that should use the right endpoint automatically, do you have user_domain_name/id and project_domain_name/id set in that section?09:11
cmurphynsingh: also won't hurt to set auth_url = https://10.232.48.205/identity/v309:11
nsinghcmurphy: options under  [keystone_authtoken] http://paste.openstack.org/show/627815/09:13
*** belmoreira has joined #openstack-keystone09:13
cmurphynsingh: it looks fine to me09:15
cmurphynsingh: and devstack should be doing the right thing anyway09:15
nsinghcmurphy: i am implementing service token for cinder to nova and using nfs backend. Is there any thing related with this.09:16
*** d0ugal_ has quit IRC09:17
cmurphynsingh: maybe the nfs backend is bypassing the authtoken middleware and has v2.0 hardcoded?09:17
*** d0ugal has joined #openstack-keystone09:18
*** d0ugal has quit IRC09:18
*** d0ugal has joined #openstack-keystone09:18
nsinghcmurphy: ok i will check.09:19
nsinghcmurphy: i have situation while implementing service token for cinder to glance interaction. can you please look into this. http://paste.openstack.org/show/627817/09:21
*** namnh has quit IRC09:21
cmurphynsingh: not sure how i can help there, you could look and see what e.g. nova has done for it09:25
*** ktibi has joined #openstack-keystone09:25
nsinghcmurphy: ok thank you09:26
ktibiHi all, I try to use keystone with LDAP and domain. I use pike version. So my LDAP users and groups works, but sometimes, commands fail. keystone.log have Could not find domain: fakedomain or Could not find group: gDemo2. But If I retry command, which works.09:30
ktibiI don't know why keystone have " DomainNotFound " but I can see domain with "openstack domain list"09:31
cmurphyktibi: the "Could not find domain: domainname" is a normal (annoying) message, it just happens because openstackclient tries to search by id first09:31
cmurphyktibi: so i would look for something else in the logs when it happens09:31
ktibicmurphy e.g http://paste.openstack.org/show/627818/09:32
*** thorst has joined #openstack-keystone09:32
cmurphyktibi: is gDemo1 and ldap group?09:33
ktibiyes09:33
cmurphyan*09:33
cmurphyis it consistent? does it always work the second time?09:34
ktibiyes09:34
ktibisometimes I have "Could not find group: 13e8bcf2-6251-1037-90a3-8b533bec51be. (HTTP 404) (Request-ID: req-db0f452c-3853-48e2-bc3e-fbcf8fd4bda1)"09:34
ktibiit's like keystone try to open ldap connection first time and fail or timeout but after works09:35
cmurphyyeah that is pretty weird09:35
openstackgerritwangxiyuan proposed openstack/keystone master: Add limit provider  https://review.openstack.org/52410909:35
openstackgerritwangxiyuan proposed openstack/keystone master: Expose unified limit APIs  https://review.openstack.org/52411009:35
cmurphyif you turn on debug logging that will show the ldap bind and queries09:36
cmurphywhich could help show what's going on09:36
ktibicmurphy ldap conf  : http://paste.openstack.org/show/627820/09:36
ktibineed to add debug_level = 4095 ?09:37
cmurphyktibi: no, in the [DEFAULT] section in the main keystone.conf set debug = true09:37
*** thorst has quit IRC09:37
ktibiok I'll try09:38
cmurphynot sure if the ldap debug levels will help09:38
*** asettle_ has joined #openstack-keystone09:38
*** EmilienM_ has joined #openstack-keystone09:39
*** asettle has quit IRC09:39
*** EmilienM has quit IRC09:39
*** andymccr has quit IRC09:39
*** pcaruana has quit IRC09:39
*** pcaruana has joined #openstack-keystone09:40
*** EmilienM_ is now known as EmilienM09:40
*** andymccr has joined #openstack-keystone09:40
*** EmilienM has quit IRC09:41
*** EmilienM has joined #openstack-keystone09:41
ktibicmurphy http://paste.openstack.org/show/627821/09:41
*** gagehugo has quit IRC09:42
*** magicboiz has quit IRC09:44
*** gagehugo has joined #openstack-keystone09:44
cmurphyktibi: is there more after that? after it tries GET http://cloud-interne.poc.poc:5000/v3/groups/gDemo1 it should try /v3/groups?name=gDemo1 or something09:44
ktibinop09:44
cmurphyktibi: I don't see any LDAP connection stuff, you should be seeing "LDAP init: url=..." logs there09:44
*** chason has quit IRC09:45
*** chason has joined #openstack-keystone09:45
*** magicboiz has joined #openstack-keystone09:45
*** david-lyle has quit IRC09:46
ktibihum I have but no in keystone.log but in my elasticsearch09:47
ktibiWARNING keystone.common.wsgi [req-95ab2a73-69e8-4576-bf01-5becf328e8fa 40672e3cf2f84d7c9676120ec31367be 941bb14cdb1544ea8c33977d3ec01ad0 - default default] Could not find group: gDemo1.: GroupNotFound: Could no09:49
ktibicmurphy Payload": "ldap.url = ldap://localhost log_opt_values /usr/lib/python2.7/site-packages/oslo_config/cfg.py:2887"09:49
ktibioups wrong copy paste for the WARNING09:49
ktibivery strange, keystone try ldap://localhost09:49
cmurphyktibi: are you using domain specific configs for your ldap backend? https://docs.openstack.org/keystone/pike/admin/identity-domain-specific-config.html09:50
ktibiyes09:51
cmurphyldap://localhost is the default url so maybe something is mismatched, like you have [identity]/driver=ldap in your main config instead of the domain config?09:52
*** magicboiz has quit IRC09:53
ktibicmurphy conf keystone http://paste.openstack.org/show/627824/09:54
cmurphyktibi: is cloud.poc.poc the name of the keystone domain?09:55
ktibibut works 90% of the time09:55
ktibiyes09:55
ktibi| b4929df46fb245c28e0854bb53305c48 | cloud.poc.poc  | True    | Domaine de connexion LDAP09:56
cmurphyktibi: that ldap.url = ldap://localhost in the log might just be from it loading the defaults from the main config, not the value it read from the domain config09:57
cmurphyi think that's probably not the issue09:58
cmurphybut there should be "LDAP init: ..." and "LDAP search: ..." stuff in there after you make a request09:58
ktibithe log LDAP : localhost appears just when command fail09:59
ktibiso fail because keystone try localhost09:59
*** magicboiz has joined #openstack-keystone10:00
cmurphycan you paste the whole thing? or at least more context around that log10:00
ktibiok  I restart keystone and first command fail10:01
ktibiand 3 log ldap10:02
ktibicmurphy http://paste.openstack.org/show/627827/10:03
*** belmoreira has quit IRC10:03
cmurphyktibi: do you have access to the original keystone log? i don't think your kibana logs are showing the whole thing10:04
cmurphythe log_opt_values logs only happen when keystone is starting up and loading its configs10:05
cmurphyso maybe there is a delay10:05
cmurphyit's not a log from a request10:05
*** belmoreira has joined #openstack-keystone10:07
ktibiho when keystone start ==> DEBUG mod_wsgi [-] ldap.url                       = ldap://localhost log_opt_values /usr/lib/python2.7/site-packages/oslo_config/cfg.py:288710:07
ktibiok it's the log in my kibana ><10:08
cmurphyi think that's fine, it's just reporting that the main config is loading the default ldap url but that's not what is loaded for the domain-specific config10:08
ktibiI tried to search log for ldap but nothing else :/10:09
*** ayoung has quit IRC10:09
*** kong has quit IRC10:09
*** dgonzalez has quit IRC10:09
*** lxnch has quit IRC10:09
*** tommylikehu has quit IRC10:09
ktibicmurphy I don't know why keystone doesn't log ldap :/10:13
cmurphyktibi: not sure either :/10:14
*** ayoung has joined #openstack-keystone10:15
*** kong has joined #openstack-keystone10:15
*** dgonzalez has joined #openstack-keystone10:15
*** lxnch has joined #openstack-keystone10:15
*** tommylikehu has joined #openstack-keystone10:15
*** tommylikehu has quit IRC10:15
*** tommylikehu has joined #openstack-keystone10:15
ktibicmurphy do you know if I use '.' in my domain name can be an issue ?10:18
cmurphyktibi: I don't think it should10:18
ktibicmurphy ok I have log, I need to use a ldap user10:23
ktibiIf I use admin in default domain, no log10:23
*** annp has quit IRC10:23
openstackgerritwangxiyuan proposed openstack/keystone master: Add new tables for unified limits  https://review.openstack.org/52304110:28
openstackgerritwangxiyuan proposed openstack/keystone master: Add db operation for unified limit  https://review.openstack.org/52408210:28
openstackgerritwangxiyuan proposed openstack/keystone master: Add limit provider  https://review.openstack.org/52410910:28
openstackgerritwangxiyuan proposed openstack/keystone master: Expose unified limit APIs  https://review.openstack.org/52411010:28
*** daidv has quit IRC10:35
*** thorst has joined #openstack-keystone10:45
*** masuberu has quit IRC10:49
*** thorst has quit IRC10:50
*** raildo has joined #openstack-keystone11:00
*** jmlowe has quit IRC11:01
*** ayoung has quit IRC11:10
*** efried has quit IRC11:10
*** Dave has quit IRC11:12
*** efried has joined #openstack-keystone11:14
*** Dave has joined #openstack-keystone11:15
*** ayoung has joined #openstack-keystone11:15
*** thorst has joined #openstack-keystone11:24
*** mvk has quit IRC11:25
*** thorst has quit IRC11:28
*** Adobeman_ has quit IRC11:29
*** Battousai has joined #openstack-keystone11:29
*** Battousai has left #openstack-keystone11:30
*** baffle has quit IRC11:45
*** rcernin has quit IRC11:52
*** nicolasbock has joined #openstack-keystone11:55
*** thorst has joined #openstack-keystone11:55
*** thorst has quit IRC12:01
*** tbh has joined #openstack-keystone12:02
*** dave-mccowan has joined #openstack-keystone12:07
*** sakth has joined #openstack-keystone12:12
sakthHi, these days with the latest devstack, I am facing lot of errors like the one "Failed to discover available identity versions when contacting http://192.168.10.42/identity. Attempting to parse version from URL.". Couldn't find where to look exact logs12:12
sakthcan anyone point to the exact logs location or any solution for this?12:12
*** edmondsw has joined #openstack-keystone12:14
*** mvk has joined #openstack-keystone12:14
*** edmondsw has quit IRC12:20
openstackgerritColleen Murphy proposed openstack/keystone master: Deprecate member_role_id and member_role_name  https://review.openstack.org/52246112:26
cmurphysakth: where are you seeing those errors? in the devstack output?12:28
sakthyes cmurphy12:29
cmurphysakth: it usually means it couldn't reach keystone, so check that keystone is running and accessible at that url12:29
sakthcmurphy:  but I see the status of apache as active12:32
cmurphysakth: on devstack keystone runs as its own service so check `systemctl status devstack@keystone`12:33
*** belmoreira has quit IRC12:33
*** belmoreira has joined #openstack-keystone12:53
gagehugoo/13:02
*** thorst has joined #openstack-keystone13:05
*** spilla has joined #openstack-keystone13:06
cmurphy\o13:11
gagehugoit's too early still13:13
*** edmondsw has joined #openstack-keystone13:18
*** jmlowe has joined #openstack-keystone13:19
*** markvoelker has quit IRC13:23
*** markvoelker has joined #openstack-keystone13:24
*** magicboiz has quit IRC13:31
*** magicboiz has joined #openstack-keystone13:39
*** tbh has quit IRC13:44
*** panbalag has joined #openstack-keystone13:46
*** sakth has quit IRC13:47
*** panbalag has left #openstack-keystone13:48
*** rderose has joined #openstack-keystone13:54
*** links has quit IRC13:54
*** magicboiz has quit IRC13:56
*** gmann_afk is now known as gmann14:00
*** d0ugal has quit IRC14:03
*** magicboiz has joined #openstack-keystone14:06
*** d0ugal has joined #openstack-keystone14:17
*** jmlowe has quit IRC14:24
*** ktibi has left #openstack-keystone14:34
*** gmann is now known as gmann_afk14:40
mordredefried: oy, I'm so behind ... I still haven't updated https://review.openstack.org/#/c/484341/14:44
efriedmordred If you're looking for ways to catch up, I would really appreciate it if you could finish https://review.openstack.org/#/c/491947/ for me.  It would allow me to clean up a bunch of ugly hacks in nova.14:48
efriedmordred I just have not been able to figure out the unit tests.14:48
mordredefried: will do14:49
efriedmordred Thank you much, sir.  I know you've been super busy, really appreciate it.14:49
mordredefried: I also need to finish this: https://review.openstack.org/#/c/505764/14:49
efriedI don't think I was aware of that one.14:50
mordredso maybe the three of them will make a nice stack14:50
mordredthat one came from me trying to get the right level of logging in a log file and failing :)14:50
*** McClymontS has joined #openstack-keystone14:57
*** panbalag has joined #openstack-keystone15:06
*** jrist has quit IRC15:08
*** panbalag1 has joined #openstack-keystone15:08
*** jrist has joined #openstack-keystone15:09
*** panbalag has quit IRC15:10
*** magicboiz has quit IRC15:16
*** magicboiz has joined #openstack-keystone15:17
*** jmlowe has joined #openstack-keystone15:19
errrcmurphy: will the identity-provider-url be listed in the metadata that the idp provides?15:24
errrcmurphy: Im trying to make sure I have the right url because the ones Im trying arent working, but its at least trying to work just using ksa15:24
cmurphyerrr: yes, it should look something like <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://idp.testshib.org/idp/profile/SAML2/SOAP/ECP"/>15:26
errrcmurphy: ok thats what Im trying. Im getting an error about the response15:26
cmurphyit should be that SOAP binding15:26
cmurphyerrr: what's the error?15:26
errrhttp://paste.openstack.org/show/627879/15:27
errralso ksa seems to need lxml and its not pulled down when installing so I had to add that myself. I guess it must be missing from the requirements.tt?15:28
errrtxt*15:29
cmurphythat might be true15:29
errrhttps://github.com/openstack/keystoneauth/blob/master/keystoneauth1/extras/_saml2/v3/base.py#L1415:30
errrand its not in the requirements.txt I just looked15:30
cmurphyit's in setup.cfg http://git.openstack.org/cgit/openstack/keystoneauth/tree/setup.cfg#n29 so i think you can install it with something like pip install keystoneauth1[saml2]15:31
openstackgerritLance Bragstad proposed openstack/keystone master: Implement controller logic for system group assignments  https://review.openstack.org/52401715:32
cmurphyerrr: anyways that error does look like it's the wrong url but i'm not sure why that is15:33
errrhmm15:33
cmurphyerrr: did you try any of the other SingleSignOnService urls?15:33
errrcmurphy: in my metadata.xml there are only 2 and they are both the same15:34
*** McClymontS has quit IRC15:35
cmurphyerrr: is the other one for HTTP-POST?15:35
errrcmurphy: yes, and one for HTTP-Redirect15:36
errrboth have the same value15:36
cmurphyerrr: it sort of sounds like ECP might not be enabled on your idp15:36
errrok, Ill look into seeing if its possible to enable that15:37
errrthanks!15:37
cmurphyno problem15:37
-openstackstatus- NOTICE: if you received a result of "RETRY_LIMIT" after 14:15 UTC, it was likely due to an error since corrected. please "recheck"15:37
*** jaypipes has joined #openstack-keystone15:43
jaypipeslbragstad: quick ? for you... for the mapping tables in keystone federation, can I use a user *name* instead of a user ID?15:44
lbragstadjaypipes: in the mapping itself?15:44
jaypipeslbragstad: yeah. instead of having to know a bunch of UUIDs, if each Keystone in my deployment of N OpenStacks has a database table of user records where the user name is the same but the user UUID/ID is not, I'm wondering if I can use the user name instead of the user ID in the role mapping thingee15:46
lbragstadjaypipes: yeah - that should be possible, the mapping engine is really there to make sure we map things from SAML to openstack attributes15:47
lbragstadso as long as it is available in the saml assertion and understood by shib/mellon, exposing it to keystone, then you should be able to build off of it15:47
jaypipeslbragstad: danke15:48
lbragstadwe have a bunch of examples in our docs15:48
lbragstadjaypipes: this might be what you're looking for https://docs.openstack.org/keystone/latest/admin/federated-identity.html#mapping-examples15:48
jaypipesok, cool, thanks much Lance15:48
lbragstadanytime15:48
lbragstadand more docs - https://docs.openstack.org/keystone/latest/advanced-topics/federation/federated_identity.html#mapping-rules  because we haven't consolidated them yet15:49
knikollao/16:00
spillaif anyone has the time to check out the kcs project-tags implementation patch, would be much appreciated! :)  https://review.openstack.org/#/c/481223/16:07
*** magicboiz has quit IRC16:09
*** magicboiz has joined #openstack-keystone16:15
*** magicboiz has quit IRC16:19
*** magicboiz has joined #openstack-keystone16:20
openstackgerritGage Hugo proposed openstack/keystone master: Migrate jobs to zuulV3  https://review.openstack.org/52323116:23
lbragstadspilla: i have that on my review list this week16:26
lbragstadspilla: i'll for sure get to it tomorrow if not today16:26
spillalbragstad: thanks! :D16:27
lbragstadthanks for working on it!16:27
spillanp, also shoutout other who did too16:29
*** aselius has joined #openstack-keystone16:30
openstackgerritGage Hugo proposed openstack/keystone master: Migrate jobs to zuulV3  https://review.openstack.org/52323116:31
*** panbalag has joined #openstack-keystone16:33
*** panbalag1 has quit IRC16:34
openstackgerritGage Hugo proposed openstack/keystone master: Migrate jobs to zuulV3  https://review.openstack.org/52323116:37
*** belmoreira has quit IRC16:37
*** McClymontS has joined #openstack-keystone16:38
*** rderose has quit IRC16:39
*** McClymontS has quit IRC16:40
*** aselius has quit IRC16:42
*** thorst has quit IRC16:42
*** aselius has joined #openstack-keystone16:42
*** thorst has joined #openstack-keystone16:42
*** sudodude has joined #openstack-keystone16:43
cmurphysudodude: o/16:43
sudodudehi16:43
sudodudeso, my current error is the following: ERROR keystone.common.wsgi REFERRAL: {'info': 'Referral:\nldap://domain.com/OU=Users,OU=openstack,OU=accounts,DC=domain,DC=com', 'desc': 'Referral'}16:44
*** thorst has quit IRC16:44
cmurphysudodude: can you use paste.openstack.org to paste your [ldap] config in your keystone configs?16:44
sudodudesure, one sec16:45
cmurphysudodude: could you also paste that log with some of the context around it?16:46
sudodudePaste #62789216:47
sudodudewhat do you mean by context?16:47
cmurphysudodude: in your keystone logs the few lines before and after the error appears16:47
sudodudeah16:48
cmurphythe chase_referrals keystone option might be relevant here, trying to find where that's documented16:49
cmurphyhttps://docs.openstack.org/keystone/pike/configuration/config-options.html#ldap16:50
sudodudeIf I understand that correctly, the controller is saying that the account exists in another domain, right?16:52
sudodudewhen I set up the user option as "user = openstackadadmin@example.domain.com", i get the invalid credentials error instead16:53
*** d0ugal has quit IRC16:55
cmurphysudodude: yeah i think that is what it is saying16:55
cmurphysudodude: i don't know a whole lot about AD tbh :/ but i think it's not following the referral for some reason16:56
cmurphysetting chase_referrals to true might help or there might need to be something changed on the AD server16:57
sudodudeok, I'll try that then16:57
cmurphysudodude: you can try using ldapsearch to bind with that user, if that works then it's a keystone problem16:58
*** david-lyle has joined #openstack-keystone16:59
sudodudewell this is what I'm getting: text: 000004DC: LdapErr: DSID-0C09073B, comment: In order to perform this opera  tion a successful bind must be completed on the connection., data 0, v177217:00
*** AlexeyAbashkin has quit IRC17:01
sudodudeif I use the -w to specify the password, I get an invalid credentials error instead...17:01
sudodudelooks like the problem might be with AD then eh17:01
cmurphycould be17:02
sudodudeok, I'll work on it some more see what else I can figure out. Thanks for the help!17:03
cmurphyno problem17:03
*** jmlowe has quit IRC17:06
*** pcaruana has quit IRC17:08
*** d0ugal has joined #openstack-keystone17:08
*** kmalloc has quit IRC17:11
*** d0ugal has quit IRC17:24
*** jlvacation is now known as jlvillal17:25
*** panbalag has left #openstack-keystone17:26
*** jmlowe has joined #openstack-keystone17:31
*** d0ugal has joined #openstack-keystone17:35
*** mvk has quit IRC17:48
*** ricolin_ has joined #openstack-keystone17:56
lbragstadthis is kinda frustrating http://paste.openstack.org/show/627906/18:00
lbragstadespecially when parameters.yaml is ~1500 lines18:00
*** thorst has joined #openstack-keystone18:08
lbragstadthat warning could totally hint at alphabetical ordering18:09
lbragstadgit st18:20
* lbragstad sigh18:20
openstackgerritLance Bragstad proposed openstack/keystone master: Add system role assignment documentation  https://review.openstack.org/52430718:22
ricolin_lbragstad, it seems the default behavior for policy.Enforcer.enforce and authorize when we can't find the rule and default_rule is provided, enforce() will check against default rule, in authorize() we directly raise exception when policy not registered18:22
ricolin_lbragstad, is that right?18:22
lbragstadricolin_: that sounds correct18:24
lbragstadyou also have the ability to tell oslo.policy which exception you want raised if the check fails18:25
ricolin_lbragstad, got it, just have to check18:25
ricolin_lbragstad, thx18:26
lbragstadricolin_: yep!18:31
lbragstadso everything in https://review.openstack.org/#/q/topic:bp/system-scope+(status:open+OR+status:merged) should be all that's needed to implement https://trello.com/c/7Mx8a8sl/30-implement-system-role-assignments18:33
lbragstadmordred: cmurphy fyi =- https://blueprints.launchpad.net/keystone/+spec/application-credentials18:38
cmurphythanks lbragstad18:40
lbragstadcmurphy: no problem18:41
*** openstackgerrit has quit IRC18:48
*** ricolin_ has quit IRC18:49
mordredlbragstad: woot!18:49
mordredthanks cmurphy18:49
*** pcaruana has joined #openstack-keystone18:50
*** amito-infinidat is now known as amito18:59
*** mvk has joined #openstack-keystone18:59
*** avi_ has joined #openstack-keystone19:03
lbragstadweird client/API question for anyone up to it19:40
lbragstadshould it be /role_assignments?scope.system=True&group.id=$GROUP_ID or /role_assignments?scope.system&group.id=$GROUP_ID19:41
lbragstad?19:41
*** baffle has joined #openstack-keystone19:52
*** AlexeyAbashkin has joined #openstack-keystone19:52
*** AlexeyAbashkin has quit IRC19:59
*** kmalloc has joined #openstack-keystone20:07
*** AlexeyAbashkin has joined #openstack-keystone20:12
*** AlexeyAbashkin has quit IRC20:17
*** panbalag has joined #openstack-keystone20:31
*** panbalag has left #openstack-keystone20:36
knikollathe former I think20:46
lbragstadscope.system=True?20:47
knikollayes20:47
lbragstadcool - because that's how it works today :)20:47
knikollabecause then you can make scope.system=False :)20:47
lbragstadyeah20:47
lbragstadgood point20:47
lbragstadalright - i have a couple super hacky client patches coming20:48
ayounglbragstad, where do I look for policy-in-code?20:49
lbragstadayoung: https://www.lbragstad.com/policy-burndown/20:49
ayounghow far down the stack did we decide to push it?20:50
ayounglbragstad, I mean in the code20:50
lbragstadoh20:50
lbragstadnevermind20:50
lbragstadi got excited thinking you wanted to review stuff!20:50
ayounglbragstad, still chasing the "oslo-context" fix first20:50
ayoungI'll def be into reviewing once I have this down20:50
ayoungjamie got me over the hurdle here, and this needs to go in before the is_admin fixes....20:51
lbragstadeverything should be registered at this point https://github.com/openstack/keystone/blob/master/keystone/common/policy.py#L3520:51
ayounglbragstad, I'm seeing this message20:52
ayoung enforce identity:get_auth_projects:20:52
lbragstadwhich pretty much just passes a list of RuleDefault and DocumentedRuleDefault objects to a method in oslo.policy20:52
lbragstadhttps://github.com/openstack/keystone/blob/master/keystone/common/policy.py#L66-L6720:52
ayoungwhat generates the policy line for that20:52
ayoungah...centralized20:52
lbragstadyeah - that's all handled by oslo.policy20:52
ayounghttps://github.com/openstack/keystone/tree/master/keystone/common/policies20:53
lbragstadkeystone just looks for a policy file, parses it if present, and fills in the gaps with the defaults if needed20:53
lbragstadhttps://github.com/openstack/keystone/blob/master/keystone/common/policies/auth.py#L3420:53
lbragstad^ that's the default for that policy20:53
*** pcaruana has quit IRC20:55
ayoung check_str='',  means...what?  Default rule applies?20:55
lbragstadif it is an empty string, it just checks that the token is valid i believe20:55
lbragstadit means the same thing as what was in the old policy.json file20:56
lbragstadit just moved into code20:56
ayounghmmm...what I broke has to be something to do with oslo-context.20:56
ayoung random_project = random.randint(0, len(projects) - 1)20:56
ayoungand this is on federation...20:56
lbragstadrandom_project = random.choice(projects)20:57
ayoung        group_ids = request.auth_context.get('group_ids')21:01
ayoungbet it's that...21:01
lbragstadare those actually there?21:01
lbragstadoh...21:01
lbragstadauth_context isn't oslo.context21:02
lbragstadis it?21:02
ayounglbragstad, not yet it isn't, but it will be soon21:08
ayoungmy guess is the next speed bump will be oauth21:09
ayounga bit of the authorization.py code is going to live on in the one-offs for Keystone specific context values.  I think that is OK21:10
*** raildo has quit IRC21:12
*** threestrands has joined #openstack-keystone21:12
ayoung - Failed: 3321:16
*** McClymontS has joined #openstack-keystone21:19
*** McClymontS has quit IRC21:21
*** pcaruana has joined #openstack-keystone21:24
*** dave-mccowan has quit IRC21:35
*** pcaruana has quit IRC21:39
*** gyee has quit IRC21:54
*** openstackgerrit has joined #openstack-keystone22:03
openstackgerritLance Bragstad proposed openstack/keystone master: Add ability to list all system role assignments  https://review.openstack.org/52440722:03
*** rcernin has joined #openstack-keystone22:18
*** rcernin has quit IRC22:21
*** rcernin has joined #openstack-keystone22:21
*** edmondsw has quit IRC22:24
*** edmondsw has joined #openstack-keystone22:24
*** edmondsw has quit IRC22:25
*** edmondsw_ has joined #openstack-keystone22:27
*** spilla has quit IRC22:27
*** edmondsw_ has quit IRC22:31
bretonwhat22:38
bretonwhat should i write in "classification"?22:38
openstackgerritLance Bragstad proposed openstack/python-keystoneclient master: Add system role functionality  https://review.openstack.org/52441522:45
openstackgerritLance Bragstad proposed openstack/python-keystoneclient master: Add system role functionality  https://review.openstack.org/52441522:49
lbragstadbreton: respond to everyone on the thread and ask? i bet others are wondering the same :)22:54
*** jmlowe has quit IRC22:58
openstackgerritColleen Murphy proposed openstack/keystone master: WIP Add Application Credentials controller  https://review.openstack.org/52442323:01
*** jmlowe has joined #openstack-keystone23:09
*** AlexeyAbashkin has joined #openstack-keystone23:12
*** AlexeyAbashkin has quit IRC23:16
*** itlinux has joined #openstack-keystone23:35
*** thorst has quit IRC23:41
*** itlinux has quit IRC23:56
kmallochm.23:57
