Wednesday, 2018-03-28

00:04 *** germs has quit IRC
00:07 *** felipemonteiro has joined #openstack-keystone
00:14 *** openstack has joined #openstack-keystone
00:14 *** ChanServ sets mode: +o openstack
00:21 *** Dinesh_Bhor has joined #openstack-keystone
00:21 *** dave-mccowan has joined #openstack-keystone
00:30 *** spilla has joined #openstack-keystone
00:30 *** spilla has quit IRC
00:33 *** gyee has quit IRC
00:42 *** felipemonteiro has quit IRC
00:53 *** odyssey4me has quit IRC
00:53 *** odyssey4me has joined #openstack-keystone
01:07 *** itlinux has joined #openstack-keystone
01:12 *** gyankum has joined #openstack-keystone
01:15 *** itlinux has quit IRC
01:16 *** gongysh has joined #openstack-keystone
01:35 *** oikiki has quit IRC
01:38 *** gongysh has quit IRC
02:00 *** germs has joined #openstack-keystone
02:00 *** germs has quit IRC
02:00 *** germs has joined #openstack-keystone
02:02 *** ykarel|away has joined #openstack-keystone
02:04 *** germs has quit IRC
02:06 *** tmcm has quit IRC
02:09 *** dikonoo has joined #openstack-keystone
02:12 *** AlexeyAbashkin has joined #openstack-keystone
02:14 *** ykarel|away has quit IRC
02:16 *** ykarel|away has joined #openstack-keystone
02:16 *** AlexeyAbashkin has quit IRC
02:33 *** zhurong has joined #openstack-keystone
02:34 *** ykarel|away has quit IRC
02:35 *** gongysh has joined #openstack-keystone
02:52 *** oikiki has joined #openstack-keystone
03:18 *** itlinux has joined #openstack-keystone
03:44 *** oikiki has quit IRC
03:52 <openstackgerrit> wangxiyuan proposed openstack/keystone-specs master: Hierarchical Unified Limits  https://review.openstack.org/540803
03:55 *** dave-mccowan has quit IRC
03:56 *** jaosorior has joined #openstack-keystone
04:01 *** germs has joined #openstack-keystone
04:01 *** germs has quit IRC
04:01 *** germs has joined #openstack-keystone
04:06 *** germs has quit IRC
04:15 *** ykarel|away has joined #openstack-keystone
04:19 *** gongysh has quit IRC
04:27 *** namnh has joined #openstack-keystone
04:46 *** links has joined #openstack-keystone
04:51 *** oikiki has joined #openstack-keystone
05:00 *** Dinesh_Bhor has quit IRC
05:06 *** Dinesh_Bhor has joined #openstack-keystone
05:07 *** oikiki has quit IRC
05:55 *** belmoreira has joined #openstack-keystone
05:57 *** oikiki has joined #openstack-keystone
06:02 *** germs has joined #openstack-keystone
06:02 *** germs has quit IRC
06:02 *** germs has joined #openstack-keystone
06:02 *** gongysh has joined #openstack-keystone
06:06 *** germs has quit IRC
06:18 *** oikiki has quit IRC
06:18 *** voelzmo has joined #openstack-keystone
06:20 *** oikiki has joined #openstack-keystone
06:29 *** jaosorior has quit IRC
06:30 *** ykarel_ has joined #openstack-keystone
06:32 *** ykarel|away has quit IRC
06:38 *** pcaruana has joined #openstack-keystone
06:53 *** martinus__ has joined #openstack-keystone
06:55 *** voelzmo has quit IRC
06:55 *** voelzmo has joined #openstack-keystone
07:03 *** ykarel__ has joined #openstack-keystone
07:04 *** gongysh has quit IRC
07:06 *** ykarel_ has quit IRC
07:08 *** zhurong has quit IRC
07:08 *** voelzmo has quit IRC
07:10 *** jaosorior has joined #openstack-keystone
07:10 *** gongysh has joined #openstack-keystone
07:10 *** voelzmo has joined #openstack-keystone
07:11 *** voelzmo has quit IRC
07:13 *** ykarel__ is now known as ykarel
07:15 *** rcernin has quit IRC
07:15 *** voelzmo has joined #openstack-keystone
07:20 <openstackgerrit> Merged openstack/keystone master: Remove admin interface in sample Apache file  https://review.openstack.org/556022
07:20 <openstackgerrit> Merged openstack/keystone master: Update RDO install guide for v3  https://review.openstack.org/556023
07:25 *** tesseract has joined #openstack-keystone
07:30 *** pcichy has joined #openstack-keystone
07:36 *** voelzmo has quit IRC
07:40 *** oikiki has quit IRC
07:49 *** belmoreira has quit IRC
08:00 *** AlexeyAbashkin has joined #openstack-keystone
08:03 *** germs has joined #openstack-keystone
08:03 *** germs has quit IRC
08:03 *** germs has joined #openstack-keystone
08:04 *** voelzmo has joined #openstack-keystone
08:05 *** belmoreira has joined #openstack-keystone
08:08 *** germs has quit IRC
08:11 *** ilush has joined #openstack-keystone
08:22 *** voelzmo has quit IRC
08:22 *** pcichy has quit IRC
08:22 *** voelzmo has joined #openstack-keystone
08:23 <openstackgerrit> wangxiyuan proposed openstack/keystone master: Delete project limits when deleting project  https://review.openstack.org/538371
08:23 *** voelzmo has quit IRC
08:23 *** gongysh has quit IRC
08:23 *** voelzmo has joined #openstack-keystone
08:24 *** voelzmo has quit IRC
08:24 *** voelzmo has joined #openstack-keystone
08:24 *** rcernin has joined #openstack-keystone
08:24 *** voelzmo has quit IRC
08:25 *** voelzmo has joined #openstack-keystone
08:25 *** voelzmo has quit IRC
08:25 *** voelzmo has joined #openstack-keystone
08:26 *** voelzmo has quit IRC
08:30 *** ilush has quit IRC
08:32 <openstackgerrit> wanghui proposed openstack/keystonemiddleware master: Update links in README  https://review.openstack.org/557189
08:42 *** rcernin has quit IRC
08:55 *** ilush has joined #openstack-keystone
09:36 *** itlinux has quit IRC
09:36 *** Dinesh_Bhor has quit IRC
09:53 *** ykarel is now known as ykarel|afk
10:03 *** germs has joined #openstack-keystone
10:03 *** namnh has quit IRC
10:08 *** germs has quit IRC
10:09 *** ykarel|afk is now known as ykarel
10:23 *** ilush has quit IRC
10:30 *** tmcm has joined #openstack-keystone
10:43 *** tmcm has quit IRC
10:47 <openstackgerrit> Merged openstack/keystone master: Fix user email in federated shadow users  https://review.openstack.org/549723
10:55 *** zhurong has joined #openstack-keystone
10:56 *** gyankum has quit IRC
11:03 *** ykarel_ has joined #openstack-keystone
11:04 *** ykarel has quit IRC
11:04 *** links has quit IRC
11:05 *** links has joined #openstack-keystone
11:05 *** ykarel__ has joined #openstack-keystone
11:08 *** ykarel_ has quit IRC
11:09 *** dave-mccowan has joined #openstack-keystone
11:10 *** ilush has joined #openstack-keystone
11:14 *** ilush has quit IRC
11:34 *** tmcm has joined #openstack-keystone
11:35 *** mvk has quit IRC
11:46 *** dangtrinhnt has quit IRC
11:49 *** ykarel__ is now known as ykarel
11:51 *** raildo has joined #openstack-keystone
12:04 *** germs has joined #openstack-keystone
12:04 *** germs has quit IRC
12:04 *** germs has joined #openstack-keystone
12:04 *** ilush has joined #openstack-keystone
12:06 *** edmondsw has joined #openstack-keystone
12:06 *** sapd__ has joined #openstack-keystone
12:08 *** germs has quit IRC
12:09 *** sapd_ has quit IRC
12:17 *** sapd__ has quit IRC
12:17 *** sapd_ has joined #openstack-keystone
12:22 *** odyssey4me has quit IRC
12:22 *** odyssey4me has joined #openstack-keystone
12:27 *** sapd_ has quit IRC
12:27 *** sapd_ has joined #openstack-keystone
12:32 *** sapd_ has quit IRC
12:32 *** sapd_ has joined #openstack-keystone
12:34 *** zhurong has quit IRC
12:35 *** NM has joined #openstack-keystone
12:44 *** ilush has quit IRC
12:44 *** ilush has joined #openstack-keystone
12:48 *** MarkMielke has joined #openstack-keystone
12:52 *** sapd__ has joined #openstack-keystone
12:52 *** sapd_ has quit IRC
12:58 *** mvk has joined #openstack-keystone
12:59 *** panbalag has joined #openstack-keystone
13:02 <gagehugo> o/
13:04 *** lbragstad has joined #openstack-keystone
13:04 *** ChanServ sets mode: +o lbragstad
13:12 *** ykarel_ has joined #openstack-keystone
13:12 *** ykarel has quit IRC
13:14 *** ykarel__ has joined #openstack-keystone
13:17 *** ykarel_ has quit IRC
13:30 *** spilla has joined #openstack-keystone
13:31 *** ykarel__ is now known as ykarel
13:35 <openstackgerrit> wangxiyuan proposed openstack/keystone master: Delete project limits when deleting project  https://review.openstack.org/538371
13:36 *** NM has quit IRC
13:38 *** NM has joined #openstack-keystone
13:43 *** NM has quit IRC
13:45 *** NM has joined #openstack-keystone
13:53 *** tmcm has quit IRC
13:58 *** tmcm has joined #openstack-keystone
14:05 *** germs has joined #openstack-keystone
14:05 *** germs has quit IRC
14:05 *** germs has joined #openstack-keystone
14:05 *** dklyle has joined #openstack-keystone
14:05 *** david-lyle has quit IRC
14:07 *** jrist has quit IRC
14:07 *** dklyle has quit IRC
14:07 *** dklyle has joined #openstack-keystone
14:09 *** germs has quit IRC
14:13 <knikolla> o/
14:17 *** mchlumsky has joined #openstack-keystone
14:20 *** ykarel has quit IRC
14:28 *** r-daneel has joined #openstack-keystone
14:31 *** NM has quit IRC
14:32 *** r-daneel has quit IRC
14:32 *** NM has joined #openstack-keystone
14:33 *** r-daneel has joined #openstack-keystone
14:33 *** felipemonteiro has joined #openstack-keystone
14:33 *** jrist has joined #openstack-keystone
14:33 *** jrist has quit IRC
14:33 *** jrist has joined #openstack-keystone
14:34 *** NM has quit IRC
14:35 *** NM has joined #openstack-keystone
14:37 *** sapd__ has quit IRC
14:38 *** sapd__ has joined #openstack-keystone
14:40 *** sapd__ has quit IRC
14:41 *** sapd__ has joined #openstack-keystone
14:41 *** sapd__ has quit IRC
14:41 *** sapd__ has joined #openstack-keystone
14:41 *** sapd__ has quit IRC
14:42 *** sapd__ has joined #openstack-keystone
14:43 *** pcichy has joined #openstack-keystone
14:46 *** ykarel has joined #openstack-keystone
14:51 *** NM has quit IRC
14:51 *** NM has joined #openstack-keystone
14:52 *** NM has quit IRC
14:58 *** kevinbenton has quit IRC
14:58 *** NM has joined #openstack-keystone
15:00 *** r-daneel has quit IRC
15:03 *** links has quit IRC
15:03 *** tmcm has quit IRC
15:04 <lbragstad> huh - with jwt we can actually get around the whole subsecond validation thing
15:04 *** felipemonteiro_ has joined #openstack-keystone
15:05 <lbragstad> it's kinda nice that rfc7519 reserves public claims, but doesn't attempt to fill some of them out for you
15:05 <lbragstad> jwt reserves an "iat" claim for issued at times, but doesn't actually populate it I don't think
15:06 *** devx has joined #openstack-keystone
15:06 *** kevinbenton has joined #openstack-keystone
15:06 <lbragstad> well, maybe that is dependent on the library
15:07 *** r-daneel has joined #openstack-keystone
15:07 <lbragstad> it'd be cool if we could just pass values into a library as public claims though
15:07 *** devx is now known as DevX
15:07 *** felipemonteiro has quit IRC
15:07 *** lbragstad changes topic to "Rocky release schedule: https://releases.openstack.org/rocky/schedule.html | Meeting agenda: https://etherpad.openstack.org/p/keystone-weekly-meeting | Bugs that need triaging: http://bit.ly/2iJuN1h | Trello: https://trello.com/b/wmyzbFq5/keystone-rocky-roadmap"
15:08 <knikolla> lbragstad: yeah, it'd be pretty cool.
15:08 <knikolla> lbragstad: a part of me wants to see keystone be a full openid connect
15:08 <knikolla> server
15:09 *** pcaruana has quit IRC
15:10 <lbragstad> this is probably a bad idea... but you could do some interesting stuff with nested jwt
15:11 <knikolla> lbragstad: why would you need nested jwt?
15:11 <lbragstad> i was thinking of the federation case again
15:11 <lbragstad> it's probably not needed
15:11 * lbragstad comes back to earth
15:11 *** gyankum has joined #openstack-keystone
15:12 <knikolla> lbragstad: iss would denote the issuer. if the other keystone has the cert it can verify the signature from that issuer.
15:13 <knikolla> federation made easy.
15:13 <lbragstad> would iss be the issuing keystone or the user?
15:13 <knikolla> yes
15:13 <knikolla> keystone
15:13 <knikolla> technically. it doesn't have to be keystone.
15:13 <lbragstad> right
15:14 <lbragstad> so then "sub" would be the user
15:14 <knikolla> yes
15:14 <lbragstad> then you'd have the other things we'd need for various scopes as private claims
15:14 <lbragstad> but we could reuse "iat" and "exp"
15:15 <knikolla> yes. public ones are enough for most things, like iss, sub, iat, exp
15:15 <knikolla> for scope we need some private claims.
15:16 <lbragstad> right
15:16 <lbragstad> how would you relay information about keystone in "iss"?
15:16 <knikolla> like the entityID in saml.
15:17 <lbragstad> would that be the keystone domain name?
15:17 <knikolla> unique identifier for each keystone.
15:18 <knikolla> https://tools.ietf.org/html/rfc7519#section-4.1.1
15:19 <lbragstad> yep
15:21 <lbragstad> reminder that the policy meeting is going to be next week
15:21 <lbragstad> not today
15:22 <lbragstad> (going to bi-weekly scheduling per discussions prior to the PTG)
15:22 *** pcichy has quit IRC
15:22 <knikolla> we could theoretically make keystone a generic openid connect server.
15:22 <knikolla> with minor modifications after introducing jwt
15:25 <lbragstad> i need to read up on oidc
15:28 <knikolla> lbragstad: it's built on top of oauth 2.0 so you might need to start reading up on that.
15:29 <lbragstad> yeah - i've read up on that a few times
15:30 <knikolla> at a minimum we just need two new api endpoints. /authorize and /token
15:31 <knikolla> for issuing jwt access and id tokens, and validating them
15:32 <knikolla> similar to the endpoint for creating ecp saml assertions for k2k
15:49 <lbragstad> right..
15:49 <lbragstad> that'd be interesting
15:54 *** itlinux has joined #openstack-keystone
15:57 *** belmoreira has quit IRC
16:00 *** felipemonteiro_ has quit IRC
16:06 *** gyee has joined #openstack-keystone
16:14 *** ilush has quit IRC
16:39 <openstackgerrit> Johannes Grassler proposed openstack/keystone-specs master: Add capabilities to application credentials  https://review.openstack.org/396331
16:40 <gyee> kmalloc, lbragstad: how do people normally reconcile their custom policy.json file with the newly generated policy.json from policy-in-code?
16:40 <lbragstad> gyee: i think that's totally up to them
16:40 <gyee> is there a magic CLI?
16:40 <kmalloc> Yep, what lbragstad said
16:40 <lbragstad> there is a munger
16:41 <lbragstad> but it's provided by oslo.policy
16:41 <lbragstad> oslopolicy-policy-generator
16:41 *** NM has quit IRC
16:42 <gyee> does it work like a git rebase
16:42 <gyee> like generate-policy -reconcile customer-file
16:42 <gyee> something like that?
16:42 <lbragstad> it accepts an existing policy file and spits out a complete policy file with the overrides you've provided
16:42 <gyee> nice!
16:42 <lbragstad> it treats anything in the provided policy file as an override
16:42 <lbragstad> and just fills in the holes
16:42 <lbragstad> ideally - this is something you'd only use for horizon
16:43 <lbragstad> (since it requires a copy of policy files in order to provide better ux)
16:43 <gyee> yes, that's for horizon :-)
16:43 *** germs has joined #openstack-keystone
16:43 *** germs has quit IRC
16:43 *** germs has joined #openstack-keystone
16:43 <lbragstad> otherwise, the only thing you need in your policy file are the policies that you've chosen to override for your deployment
16:43 <gyee> thanks for the info guys! let me give it a try
16:43 *** germs has quit IRC
16:43 <lbragstad> oslopolicy-checker will actually tell you if you're maintaining redundant policies
16:44 <lbragstad> (e.g. specifying a policy and its default value in your policy file)
16:44 *** germs has joined #openstack-keystone
16:44 *** germs has quit IRC
16:44 *** germs has joined #openstack-keystone
16:44 <lbragstad> so - a way to see where you can trim fat
16:44 *** NM has joined #openstack-keystone
16:45 <gyee> nice
16:53 *** oikiki has joined #openstack-keystone
16:56 *** mvk has quit IRC
16:57 *** prometheanfire has joined #openstack-keystone
16:57 <openstackgerrit> Matthew Thode proposed openstack/keystone master: test pysaml2-4.5.0  https://review.openstack.org/557440
16:58 <prometheanfire> finally getting around to it
16:59 *** r-daneel_ has joined #openstack-keystone
17:01 *** r-daneel has quit IRC
17:01 *** r-daneel_ is now known as r-daneel
17:03 *** tmcm has joined #openstack-keystone
17:08 *** Mujahid_ has joined #openstack-keystone
17:08 *** AlexeyAbashkin has quit IRC
17:09 <Mujahid_> cmurphy: Thanks for the quick reply. I have verified that openstack_keystone_url has /identity only and I have given the protocol name as oidc only. When I checked the keystone logs, I got the error message: Error: There is either no auth token in the request or the certificate issuer is not trusted. No auth context will be set. /opt/stack/keystone/keystone/middleware/auth.py:203}} INFO keystone.common.wsgi mGET http://test-federationhost.com/identity/v3/auth/OS-FEDERATION/websso/oidc?origin=http://ip-of-host/dashboard/auth/websso
17:19 *** oikiki has quit IRC
17:28 *** mvk has joined #openstack-keystone
17:35 *** tesseract has quit IRC
17:36 *** oikiki has joined #openstack-keystone
17:42 *** panbalag has quit IRC
17:43 *** felipemonteiro has joined #openstack-keystone
17:43 *** felipemonteiro_ has joined #openstack-keystone
17:45 *** ilush has joined #openstack-keystone
17:45 *** panbalag has joined #openstack-keystone
17:45 *** panbalag has left #openstack-keystone
17:47 *** felipemonteiro has quit IRC
17:51 *** r-daneel_ has joined #openstack-keystone
17:53 <lbragstad> bahah!
17:53 <lbragstad> https://paragonie.com/blog/2017/03/jwt-json-web-tokens-is-bad-standard-that-everyone-should-avoid
17:53 *** r-daneel has quit IRC
17:53 *** r-daneel_ is now known as r-daneel
17:53 <lbragstad> see if you catch it
17:58 <cmurphy> found it :)
17:59 *** jmccrory has quit IRC
18:00 *** itlinux has quit IRC
18:03 <lbragstad> my dog looked at me funny when i laughed out loud in an empty room
18:05 <cmurphy> lol
18:06 *** jmccrory has joined #openstack-keystone
18:07 <lbragstad> i'm curious about this paseto thing...
18:07 <lbragstad> it looks like there might be a python library for it
18:08 <cmurphy> Mujahid_: the "there is either no auth token in the request" message is a normal message just meaning a token is being requested, is there anything else in the log?
18:12 <cmurphy> Mujahid_: are the OIDCRedirectURIs correct? pointing to the right identity_provider and protocols?
18:14 <kmalloc> lbragstad: question for you (cc gyee, cmurphy) any insight into the realistic minimum requirements to run a local openstack box?
18:14 <cmurphy> local openstack box?
18:14 <kmalloc> running into serious frustration(s) with virsh directly. [this is for home-lab setups]
18:14 <kmalloc> AIO or even multi-system, but ... need something far more functional than devstack
18:14 <kmalloc> virsh is such a PITA.
18:15 <cmurphy> oh i just virsh with devstack
18:15 <cmurphy> i wrote some helper scripts to make it less painful though https://github.com/cmurphy/gimme-computer
18:15 *** itlinux has joined #openstack-keystone
18:15 <lbragstad> +1 to the repo name
18:15 <kmalloc> i mean, i have a Xeon-D 1518, but only 32GB of ram and limited storage. was considering speccing out a new system and a nas box at the same time.
18:16 <lbragstad> kmalloc: what are you using this for?
18:16 <lbragstad> just devstack
18:16 <lbragstad> ?
18:16 <cmurphy> you can have an openstack for < 8G of ram
18:16 <kmalloc> cmurphy: but i also need 16GB of RAM for my firewall, and another gig for Pi-Hole, and another couple gigs for network controller
18:17 <kmalloc> cmurphy: i could jump and toss 64-128GB of ECC in the little box, but i think the proc is going to be overloaded then
18:17 <kmalloc> lbragstad: testing, local "stay current on tech" home-lab things, openstack instances, "play with new software in a VM" stuff.
18:18 <kmalloc> lbragstad: etc.
18:18 <cmurphy> i do most of my upstream work on my 16gb laptop
18:18 <lbragstad> ^
18:18 <kmalloc> ugh, a fan in my desktop is about to die
18:18 <lbragstad> that's pretty much what i did until recently
18:18 <kmalloc> =/
18:19 <kmalloc> the grinding sound... uggggh
18:25 <gyee> 8G won't get you much
18:26 <kmalloc> gyee: yeah. i only have about 8G of free (non-allocated)
18:26 <gyee> but it all depends on what services you are running and how many VMs
18:26 <gyee> if you enable Magnum, for example, your 8G box is going to work like a snail :-)
18:27 <kmalloc> LOL assume basic services only
18:27 <kmalloc> KS, Nova, Cinder, Neutron (...), Glance, MySQL
18:27 <gyee> yeah, for just Keystone and Nova, 8G should be fine
18:27 <kmalloc> if i could get away w/ neutron i'd do that too, but unlikely
18:28 <kmalloc> thankfully i can just dump everything onto an isolated vlan.
18:28 <kmalloc> i wish i could run more systems but also space constrained, have about 3U to work with
18:28 <kmalloc> (or isolated vlan[s])
18:29 <gyee> make sure to cap the number of processes for the API services too
18:29 <gyee> some API service will spawn off like 20 processes by default :-)
18:29 <kmalloc> meh, i guess i can just keep doing virsh for the moment.
18:30 <kmalloc> it's a little frustrating, i need a new nas regardless.
18:30 <kmalloc> so maybe i'll just spec out a 2u nas and wait until i move for something more powerful for the virt boxes
18:32 <knikolla> lbragstad: just asked, and i can get a 16gb baremetal node long term for the performance testing. that should be enough?
18:33 *** voelzmo has joined #openstack-keystone
18:36 *** gyankum has quit IRC
18:38 <lbragstad> knikolla: nice!
18:38 <lbragstad> i'll be something - and from the discussions in dublin, consistency was the biggest thing
18:38 <lbragstad> curious what other people think of http://cryto.net/~joepie91/blog/2016/06/13/stop-using-jwt-for-sessions/
18:39 <Mujahid_> cmurphy: have a look at my vhost: OIDCRedirectURI http://test-federationhost.com/identity/v3/OS-FEDERATION/identity_providers/myidp/protocols/oidc/auth
18:39 <Mujahid_> OIDCRedirectURI http://test-federationhost.com/identity/v3/auth/OS-FEDERATION/websso
18:39 <Mujahid_> OIDCRedirectURI http://test-federationhost.com/identity/v3/auth/OS-FEDERATION/identity_providers/myidp/protocols/oidc/websso
18:39 <openstackgerrit> Merged openstack/keystoneauth master: Be more helpful when version discovery fails  https://review.openstack.org/554044
18:40 <Mujahid_> apart from keystone.log where else can I find the logs?
18:40 *** gyankum has joined #openstack-keystone
18:41 <knikolla> Mujahid_: so the user goes to horizon, is redirected to keystone, then redirected to the idp, logs in there, comes back to keystone, and that's where it fails?
18:41 <knikolla> lbragstad: i'll read up on that later today, sounds interesting.
18:43 <Mujahid_> is it Authorized redirect URIs
18:43 <Mujahid_> for google
18:43 <Mujahid_> http://test-federationhost.com/identity/v3/auth/OS-FEDERATION/websso/oidc causing the issue?
18:48 *** gyankum has quit IRC
18:48 *** voelzmo has quit IRC
18:49 <knikolla> Mujahid_: did you install and enable mod_auth_openidc?
18:50 <Mujahid_> knikolla: yes. apt-get install libapache2-mod-auth-openidc # a2enmod auth_openidc
18:51 <knikolla> Mujahid_: did you update the apache configuration for keystone to protect the /identity/v3/auth/OS-FEDERATION/websso path with it?
18:52 <Mujahid_> knikolla: <LocationMatch /identity/v3/OS-FEDERATION/identity_providers/.*?/protocols/oidc/auth>
18:52 <Mujahid_>   AuthType openid-connect
18:52 <Mujahid_>   Require valid-user
18:52 <Mujahid_>   LogLevel debug
18:52 <Mujahid_> </LocationMatch>
18:52 <Mujahid_> <Location ~ "/identity/v3/auth/OS-FEDERATION/websso/oidc">
18:52 <Mujahid_>   AuthType openid-connect
18:52 <Mujahid_>   Require valid-user
18:52 <Mujahid_>   LogLevel debug
18:52 <Mujahid_> </Location>
18:52 <Mujahid_> # For horizon
18:52 <Mujahid_> <Location ~ "/identity/v3/auth/OS-FEDERATION/identity_providers/myidp/protocols/oidc/websso">
18:53 <Mujahid_>   AuthType openid-connect
18:53 <Mujahid_>   Require valid-user
18:53 <Mujahid_>   LogLevel debug
18:53 <Mujahid_> </Location>
18:54 *** AlexeyAbashkin has joined #openstack-keystone
18:55 <knikolla> Mujahid_: does opening any of those paths in the browser redirect you to google or whatever your idp is?
18:55 <knikolla> open in a private browser window to make sure you're not logged in.
18:58 <Mujahid_> knikolla: I am getting this error {"error": {"message": "Missing entity ID from environment (Disable insecure_debug mode to suppress these details.)", "code": 401, "title": "Unauthorized"}} for the /identity/v3/auth/OS-FEDERATION/websso/oidc
18:59 *** AlexeyAbashkin has quit IRC
18:59 <Mujahid_> knikolla: it's not at all redirecting me to google login
19:00 <knikolla> Mujahid_: can you paste your apache configuration for keystone in paste.openstack.org? be careful to remove client ids and secrets.
19:01 <Mujahid_> sure
19:04 <gagehugo> knikolla nice
19:05 <Mujahid_> knikolla: http://paste.openstack.org/show/716370/
19:08 <cmurphy> Mujahid_: what is your [auth]/method setting in keystone.conf? it needs to contain the auth protocol name but 'oidc' isn't technically valid
19:09 <knikolla> Mujahid_: that file looks pretty weird. you have uwsgi and wsgi.
19:09 <knikolla> uwsgi on /identity, and wsgi on 5000/35357
19:09 <knikolla> and you're protecting on 5000. so your redirect uri should be :5000/v3/auth... etc
19:10 <cmurphy> ^ yep
19:11 <knikolla> Mujahid_: what are you advertising as your auth_url? :5000/v3 or /identity/v3?
19:12 <Mujahid_> identity/v3
19:13 <Mujahid_> [auth]
19:13 <Mujahid_> methods = external,password,token,oauth1,oidc,mapped,openid
19:13 <Mujahid_> oidc = keystone.auth.plugins.mapped.Mapped
19:14 <knikolla> Mujahid_: why are you running keystone both with uwsgi and through mod_wsgi?
19:16 <knikolla> Mujahid_: anyhow, take all the lines after CustomLog and put them outside of <VirtualHost:5000>
19:17 <Mujahid_> knikolla: I am very new to apache2 config. so, just googled :)
19:17 <knikolla> Mujahid_: is this devstack?
19:18 <Mujahid_> yes
19:19 <knikolla> Mujahid_: http://paste.openstack.org/show/716396/
19:19 *** dikonoo has quit IRC
19:20 <knikolla> give this a try ^^
19:20 <knikolla> also redirect uris need to be valid urls
19:23 <knikolla> also you'll most likely need to register them with your idp.
19:23 <Mujahid_> sure
19:23 <Mujahid_> will retry and let you
19:24 <Mujahid_> knikolla: cmurphy: thank you very much for your help.
19:33 <lbragstad> re: jwt discussion https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/ is a pretty good writeup
19:37 *** MarkMielke has quit IRC
19:40 *** felipemonteiro_ has quit IRC
19:40 *** felipemonteiro_ has joined #openstack-keystone
19:44 <knikolla> lbragstad: that was really interesting.
19:44 <lbragstad> right
19:44 <knikolla> alg: none... here no need to validate me.
19:45 <lbragstad> the part i found interesting was that the usability bits of the specification led to ambiguity in the implementations
19:46 <lbragstad> because the header contains the algorithm to be used to verify the token
19:46 <lbragstad> but "alg" can specify an asymmetric verification method or a symmetric on
19:46 <lbragstad> one*
19:47 <lbragstad> so if you know the public key, you can build your own tokens if the application, or library implementing jwt, doesn't actually perform a check
19:48 <lbragstad> or if the application supports using asymmetric and symmetric encryption for issuing a jwt
19:48 <knikolla> libraries now allow you to specify the algorithm when validating
19:48 <knikolla> pyjwt does at least, cause i've played around with it.
19:48 <lbragstad> yeah..
19:48 <gagehugo> hmm
19:48 <lbragstad> that post specifically called out pyjwt i think
19:49 <knikolla> https://pyjwt.readthedocs.io/en/latest/usage.html
19:49 <lbragstad> "tl;dr If you are using node-jsonwebtoken, pyjwt, namshi/jose, php-jwt or jsjwt with asymmetric keys (RS256, RS384, RS512, ES256, ES384, ES512) please update to the latest version. See jwt.io for more information on the vulnerable libraries. (Updated 2015-04-20)"
19:49 <knikolla> decoded = jwt.decode(encoded, public_key, algorithms='RS256')
19:49 <knikolla> yeah, they got updated to mitigate this issue
19:51 <lbragstad> the paseto stuff is interesting because it implies very specific encryption requirements to a version
19:51 <lbragstad> (kinda like fernet in a way)
19:51 <lbragstad> https://github.com/paragonie/paseto
19:52 <lbragstad> but it also includes the concept of "local" and "public"
19:53 <knikolla> i'm really curious to see if it takes off
19:53 <knikolla> fernet didn't.
19:53 *** felipemonteiro__ has joined #openstack-keystone
19:54 <lbragstad> yeah... it's interesting because ParagonIE apparently recommends fernet over jwt,jws,jwe even though it's apparently unmaintained (at least looking from the outside in)
19:55 <knikolla> i think the main point was, there's less rope to hang yourself with fernet.
19:56 <lbragstad> yeah
19:56 <knikolla> the jwt standard is overly broad, and if you want to comply fully with it you need a lot of rope.
19:56 <knikolla> which arguably you don't need to comply with fully. just pick an algorithm and only use that.
19:57 <lbragstad> the specification for jwt describes more ways to achieve the same thing - but attempts to do that with multiple encryption/signing approaches
19:57 *** tmcm has quit IRC
19:57 *** ykarel is now known as ykarel|away
19:58 <lbragstad> for fernet - if you want a token, it's going to be encrypted with a 128 bit AES encryption key and a 128 bit SHA 256 HMAC signing key
19:58 *** felipemonteiro_ has quit IRC
19:58 <lbragstad> *signed with a 128 bit SHA 256 HMAC key
19:59 *** spilla has quit IRC
20:00 <knikolla> yes, it leaves no room for choice.
20:00 <lbragstad> right
20:00 <lbragstad> there is one choice and it's verified with the HMAC
20:02 <lbragstad> so - i guess if we were to implement jwt
20:03 <lbragstad> we'd need to make sure that type checking happens
20:05 <knikolla> lbragstad: with the current spec, aren't we prescribing a very specific choice of algorithms?
20:06 *** ykarel|away has quit IRC
20:08 <lbragstad> i don't think we did
20:09 <lbragstad> the back logged specification says we plan to use nested jwt
20:09 <lbragstad> so token = jws(jwe(token_payload))
20:10 <knikolla> hmmm... true.
20:12 <lbragstad> if we agreed on using "alg": "HS256" for example, we'd pretty much hard code that when working with the library
20:18 <prometheanfire> lbragstad: lol, guess the new pysaml2 has some method renames http://logs.openstack.org/34/557434/1/check/cross-keystone-py27/4afebd9/testr_results.html.gz
20:19 <lbragstad> those look like version errors?
20:21 <prometheanfire> ya
20:22 <prometheanfire> oh ya, the real test is in https://review.openstack.org/557440
20:22 <prometheanfire> lbragstad: so looks like we can just uncap reqs, when keystone merges that change we can then move UC to it
20:23 <prometheanfire> and probably bump the min version required to 4.5.0 as well
20:25 <Mujahid_> knikolla: cmurphy: Thanks for your help and time. I am logged in now with google. :)
20:27 <lbragstad> prometheanfire: sounds good
20:30 *** sapd__ has quit IRC
20:31 *** sapd__ has joined #openstack-keystone
20:32 *** r-daneel_ has joined #openstack-keystone
20:33 *** r-daneel has quit IRC
20:33 *** r-daneel_ is now known as r-daneel
20:34 <lbragstad> cmurphy: do you happen to remember the reasoning behind the nested jwt bits in the specification?
20:38 *** Mujahid_ has quit IRC
20:39 *** nicolasbock has joined #openstack-keystone
20:44 <lbragstad> do we want to kick this through quick? https://review.openstack.org/#/c/557060/
20:44 <lbragstad> now that the MFA specification has merged
20:51 *** raildo has quit IRC
20:52 *** martinus__ has quit IRC
20:55 <cmurphy> lbragstad: for encryption
20:55 <cmurphy> it's part of the RFC
20:56 <lbragstad> 7516?
20:57 <cmurphy> 7519 i think
20:57 <lbragstad> oh
20:58 <lbragstad> https://tools.ietf.org/html/rfc7519#appendix-A.2
21:01 *** r-daneel_ has joined #openstack-keystone
21:03 *** r-daneel has quit IRC
21:03 *** r-daneel_ is now known as r-daneel
21:14 *** itlinux has quit IRC
21:27 *** oikiki has quit IRC
21:28 *** oikiki has joined #openstack-keystone
21:29 *** panbalag has joined #openstack-keystone
21:30 *** NM has quit IRC
21:32 *** panbalag has left #openstack-keystone
21:40 *** sticker has joined #openstack-keystone
21:43 *** edmondsw has quit IRC
21:52 -openstackstatus- NOTICE: the zuul web dashboard will experience a short downtime as we roll out some changes - no job execution should be affected
21:53 *** harlowja has joined #openstack-keystone
22:23 *** aojea has joined #openstack-keystone
22:28 *** rcernin has joined #openstack-keystone
22:37 *** oikiki has quit IRC
22:37 *** oikiki has joined #openstack-keystone
22:38 *** oikiki has quit IRC
22:43 *** felipemonteiro__ has quit IRC
22:53 *** oikiki has joined #openstack-keystone
22:55 *** oikiki has quit IRC
22:56 *** oikiki has joined #openstack-keystone
22:56 *** prometheanfire has left #openstack-keystone
22:56 *** oikiki has quit IRC
23:02 <openstackgerrit> Lance Bragstad proposed openstack/keystone-specs master: Repropose JWT specification for Rocky  https://review.openstack.org/541903
23:02 <lbragstad> wxy: i pretty much spent all day reading jwt specs.. i planned on getting a bit farther than ^
23:02 <lbragstad> but i documented a few things we'll have to watch out for in the implementation
23:03 <lbragstad> i should be back online in a couple hours
23:32 *** gyee has quit IRC
23:33 *** aojea has quit IRC
23:58 *** tmcm has joined #openstack-keystone
23:58 -openstackstatus- NOTICE: Zuul has been restarted to update to the latest code; existing changes have been re-enqueued, you may need to recheck changes uploaded in the past 10 minutes

Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!