*** gyee has quit IRC | 00:00 | |
*** r-daneel has quit IRC | 00:10 | |
*** zhurong has joined #openstack-keystone | 00:13 | |
*** elibrokeit has quit IRC | 00:17 | |
*** elibrokeit has joined #openstack-keystone | 00:32 | |
*** gagehugo_ has quit IRC | 01:07 | |
*** gagehugo has joined #openstack-keystone | 01:22 | |
*** zhurong has quit IRC | 01:47 | |
*** zhurong has joined #openstack-keystone | 02:34 | |
*** dklyle has joined #openstack-keystone | 02:46 | |
*** dklyle has quit IRC | 03:42 | |
*** zhurong has quit IRC | 03:53 | |
*** _ix has quit IRC | 03:54 | |
openstackgerrit | Vishakha Agarwal proposed openstack/keystone master: Implement Trust Flush via keystone-manage. https://review.openstack.org/589378 | 04:37 |
*** markvoelker has joined #openstack-keystone | 04:41 | |
*** shyambiradar has joined #openstack-keystone | 05:21 | |
*** nicolasbock has joined #openstack-keystone | 05:34 | |
*** shyambiradar has quit IRC | 05:53 | |
openstackgerrit | OpenStack Proposal Bot proposed openstack/keystone master: Imported Translations from Zanata https://review.openstack.org/590111 | 06:07 |
*** Emine has joined #openstack-keystone | 06:28 | |
*** nicolasbock has quit IRC | 06:35 | |
*** pcaruana has joined #openstack-keystone | 06:38 | |
*** nicolasbock has joined #openstack-keystone | 06:41 | |
*** evrardjp has joined #openstack-keystone | 06:55 | |
mbuil | lbragstad, cmurphy: what tool do you use to generate a PKI key pair? | 06:56 |
cmurphy | mbuil: for the saml metadata? I just use the openssl CLI | 07:00 |
*** ispp has joined #openstack-keystone | 07:06 | |
openstackgerrit | zhengliuyang proposed openstack/keystone master: More accurate explanation in api-ref:application credentials https://review.openstack.org/589135 | 07:07 |
*** shyambiradar has joined #openstack-keystone | 07:11 | |
mbuil | cmurphy: yes. I am not familiar with key generation. I used "openssl genpkey -algorithm RSA -out private_key.pem -pkeyopt rsa_keygen_bits:2048" to generate the private key and "openssl rsa -pubout -in private_key.pem -out public_key.pem" to generate the public key. Is certfile the public key and keyfile the private key? | 07:12 |
cmurphy | mbuil: yep | 07:12 |
mbuil | cmurphy: thanks | 07:13 |
cmurphy | also i like to use this oneliner https://stackoverflow.com/a/10176685 | 07:13 |
cmurphy | with -nodes | 07:14 |
*** rcernin has quit IRC | 07:16 | |
mbuil | cmurphy: this generates a certificate which I should add as certfile? | 07:16 |
cmurphy | mbuil: it generates the certfile and keyfile in one go | 07:17 |
mbuil | oh that's good! If I remember well, a certificate was a public key signed by a private key. I was wondering if the commands I wrote you were enough, because I did not generate any certificate, only a public and a private key | 07:18 |
openstackgerrit | OpenStack Proposal Bot proposed openstack/oslo.policy master: Imported Translations from Zanata https://review.openstack.org/590145 | 07:19 |
mbuil | cmurphy: keystone-manage does not exist. What pip package should I install? I have keystoneauth1==3.4.0 and python-keystoneclient==3.15.0 | 07:24 |
mbuil | oh wait | 07:25 |
cmurphy | mbuil: keystone-manage comes from the server package, you'll need to install keystone itself | 07:25 |
mbuil | cmurphy: I forgot things are installed in venvs, sorry | 07:25 |
mbuil | I see it now :) | 07:25 |
*** shyambiradar has quit IRC | 07:38 | |
*** shyambiradar has joined #openstack-keystone | 07:39 | |
mbuil | cmurphy: I need a bit of help. In my deployment, I had Keystone working under nginx. I have been following this guide to change to Apache ==> https://docs.openstack.org/keystone/latest/install/keystone-install-obs.html#configure-the-apache-http-server but I guess it assumes that there is a clean environment. I stopped nginx and started apache successfully but when using the openstack cli I get problems | 07:57 |
mbuil | this is what I get ==> Failed to discover available identity versions when contacting http://192.168.122.3:5000/v3. Attempting to parse version from URL. Service Unavailable (HTTP 503). I guess I am missing some config in the apache part | 07:58 |
cmurphy | mbuil: is there anything in the apache logs or the keystone logs that would indicate why it's returning a 503? | 07:59 |
mbuil | cmurphy: in apache2 logs ==> client denied by server configuration:.... let me investigate this. thanks | 08:07 |
*** _ix has joined #openstack-keystone | 08:11 | |
*** shyambiradar has quit IRC | 08:11 | |
*** aojea has joined #openstack-keystone | 08:22 | |
*** shyambiradar has joined #openstack-keystone | 08:26 | |
*** dtantsur|afk is now known as dtantsur | 08:33 | |
mbuil | cmurphy: I am stuck again and still in the nginx -> apache step :(. When trying 'openstack network list' things are ok, until it does a GET call to .../v2.0/networks, where it gets a HttpException. These are the logs in the client: https://hastebin.com/efalosiseg.sql | 08:48 |
mbuil | cmurphy: and this is the error I see in neutron logs ==> https://hastebin.com/suvivaxobi.rb "DiscoveryFailure: Could not determine a suitable URL for the plugin" | 08:49 |
mbuil | I am using the same openrc as before... do I need to change anything there? | 08:49 |
cmurphy | mbuil: that looks like an issue with neutron to me, you can see on the lines before the failure that it was successful in talking to keystone | 08:52 |
cmurphy | so the openrc should be fine, seems like a server error with neutron | 08:53 |
cmurphy | oh sorry | 08:53 |
cmurphy | you are looking at the neutron logs | 08:53 |
cmurphy | so i'd check the keystone_authtoken section in neutron.conf | 08:54 |
*** aojea has quit IRC | 08:54 | |
cmurphy | and make sure it is pointing to the right keystone endpoint and also make sure it has a user_domain_name and project_domain_name set to 'Default' | 08:54 |
mbuil | cmurphy: I also get problems when listing images and glance logs give a bit more info ==> https://hastebin.com/jowigoxica.js | 08:56 |
mbuil | let me check that | 08:57 |
cmurphy | mbuil: is your keystone listening on port 35357? we changed most of our docs to stop using that port and only use port 5000 | 08:57 |
mbuil | cmurphy: good point. I have just realized that nginx was listening to 5000, 80 and 35357 and apache is listening to 5000 and 80 | 09:04 |
*** shyambiradar has quit IRC | 09:06 | |
*** ispp has quit IRC | 09:10 | |
mbuil | cmurphy: when using nginx I had a .../conf.d/keystone-wsgi-public.conf and a .../conf.d/keystone-wsgi-admin.conf. Now I only have .../conf.d/wsgi-keystone.conf and the content points to keystone-wsgi-public. Is that enough or should there be a config for keystone-wsgi-admin too? | 09:12 |
*** josecastroleon has quit IRC | 09:14 | |
*** shyambiradar has joined #openstack-keystone | 09:15 | |
cmurphy | mbuil: that's enough, the two different endpoints are legacy from the keystone v2 API which used different access control for each endpoint, for keystone v3 all of the access control is done in code with policy and it can all go through the one endpoint | 09:17 |
*** josecastroleon has joined #openstack-keystone | 09:20 | |
*** shyambiradar has quit IRC | 09:38 | |
mbuil | cmurphy: I am at the step "Configure Apache to use a federation capable authentication method". Any preference between Shibboleth and Mellon? Remember I am planning to do Keystone to Keystone (perhaps that limits the option to one) | 09:50 |
cmurphy | mbuil: the last time I tried, mellon didn't work properly in the keystone to keystone scenario, there is some bug either in mellon or in keystone that made it unable to parse the saml response properly and i never got to the bottom of it | 09:52 |
cmurphy | shibboleth is a safe bet even though it's annoying to configure | 09:52 |
mbuil | cmurphy all right! thanks | 09:53 |
*** Emine has quit IRC | 10:04 | |
*** Emine has joined #openstack-keystone | 10:04 | |
mbuil | cmurphy: regarding shibboleth config, I am following: https://docs.openstack.org/keystone/latest/advanced-topics/federation/shibboleth.html. I am about to add the "<Location " config but I am not sure what I should write there | 10:20 |
mbuil | cmurphy: first question, should I install and configure Shibboleth in both deployments or only in the one acting as SP? | 10:21 |
*** shyambiradar has joined #openstack-keystone | 10:28 | |
cmurphy | mbuil: only on the SP | 10:34 |
cmurphy | mbuil: the <Location /Shibboleth.sso> you can copy verbatim, for the <Location /v3/OS-FEDERATION/...> you can also copy it verbatim, but the name of the identity provider and protocol, which is 'myidp' and 'saml2' in the example, is important and will come up later in the documentation | 10:36 |
cmurphy | you should probably keep the name of the protocol as 'saml2' but you might want to change the name of the identity provider | 10:36 |
mbuil | cmurphy: ah! ok, I was wondering whether I should change myidp with what I wrote in the IdP as "idp_entity_id". Let me read further then | 10:37 |
mbuil | cmurphy: BTW, there was a shib.conf that appeared in the conf.d/ directory right after installing Shibboleth. Should I leave it there? | 10:50 |
cmurphy | mbuil: yes | 10:50 |
mbuil | cmurphy: ok. I need to stop here and focus on something different. I'll try to progress tomorrow. Thanks for the help! :) | 10:51 |
cmurphy | no problem :) | 10:52 |
*** neiljerram has joined #openstack-keystone | 10:54 | |
*** shyambiradar has quit IRC | 11:07 | |
*** shyambiradar has joined #openstack-keystone | 11:10 | |
*** aojea has joined #openstack-keystone | 11:20 | |
*** shyambiradar has quit IRC | 11:24 | |
*** shyambiradar has joined #openstack-keystone | 11:25 | |
*** shyambiradar has quit IRC | 11:32 | |
*** aojea has quit IRC | 11:33 | |
*** aojea has joined #openstack-keystone | 11:45 | |
*** s10 has joined #openstack-keystone | 11:52 | |
*** shyambiradar has joined #openstack-keystone | 11:56 | |
*** aojea has quit IRC | 11:58 | |
*** raildo has joined #openstack-keystone | 12:19 | |
*** edmondsw has joined #openstack-keystone | 12:45 | |
*** lbragstad has joined #openstack-keystone | 12:45 | |
*** ChanServ sets mode: +o lbragstad | 12:45 | |
*** _ix has quit IRC | 12:52 | |
lbragstad | ildikov: is there a specific zoom link floating around? or should we use the same one as before? | 12:53 |
ildikov | lbragstad: https://zoom.us/j/671236148 | 12:53 |
ildikov | lbragstad: all the relevant info is here: https://wiki.openstack.org/wiki/Edge_Computing_Group#Keystone | 12:54 |
*** shyambiradar has quit IRC | 12:55 | |
*** josecastroleon has quit IRC | 12:57 | |
*** josecastroleon has joined #openstack-keystone | 12:57 | |
*** _ix has joined #openstack-keystone | 13:00 | |
*** josecastroleon has quit IRC | 13:03 | |
*** josecastroleon has joined #openstack-keystone | 13:04 | |
knikolla | joining, now, sorry i'm late. | 13:12 |
lbragstad | zzzeek: about your galera work, do you know if there was ever a spec pushed for that? i remember you brought it to a meeting once and the next steps were to document the approach a bit | 13:28 |
zzzeek | lbragstad: the spec I was working on is at https://review.openstack.org/#/c/566448/ | 13:28 |
lbragstad | oh - great | 13:29 |
lbragstad | thanks! | 13:29 |
*** edmondsw has quit IRC | 13:29 | |
zzzeek | lbragstad: current POC is at https://github.com/zzzeek/stretch_cluster | 13:29 |
*** _ix has quit IRC | 13:29 | |
*** edmondsw has joined #openstack-keystone | 13:37 | |
*** jistr is now known as jistr|call | 13:39 | |
ildikov | knikolla: no worries, Tnx for joining | 13:41 |
*** edmondsw has quit IRC | 13:41 | |
*** edmondsw has joined #openstack-keystone | 13:44 | |
*** jistr|call is now known as jistr | 13:59 | |
*** _ix has joined #openstack-keystone | 14:03 | |
*** josecastroleon has quit IRC | 14:08 | |
*** josecastroleon has joined #openstack-keystone | 14:19 | |
kmalloc | o/ | 14:24 |
lbragstad | mornin' | 14:26 |
gagehugo | o/ | 14:41 |
*** dtantsur is now known as dtantsur|brb | 14:43 | |
*** aojea has joined #openstack-keystone | 14:55 | |
lbragstad | FYI - https://review.openstack.org/589950 | 15:02 |
lbragstad | i've proposed rc1 | 15:02 |
lbragstad | depending on the state of porting various APIs we can assess if we want an RC2 next week | 15:02 |
*** aojea has quit IRC | 15:06 | |
*** aojea has joined #openstack-keystone | 15:07 | |
lbragstad | also - i'll be traveling tomorrow and unavailable | 15:07 |
lbragstad | if anything urgent comes up i should be available saturday-ish? | 15:08 |
lbragstad | but at that point i'll be on opposite timezones | 15:08 |
*** s10 has quit IRC | 15:18 | |
*** dtantsur|brb is now known as dtantsur | 15:29 | |
*** dklyle has joined #openstack-keystone | 15:39 | |
openstackgerrit | OpenStack Release Bot proposed openstack/keystone master: Update reno for stable/rocky https://review.openstack.org/590405 | 15:49 |
*** dtantsur has left #openstack-keystone | 15:56 | |
*** dklyle has quit IRC | 15:59 | |
*** dklyle has joined #openstack-keystone | 16:01 | |
kmalloc | weird, i am getting a failure on policy for "get_domain_role" and i don't see why | 16:12 |
kmalloc | oh... i see what is happening. | 16:14 |
kmalloc | missing target data because of magic stuff. | 16:14 |
kmalloc | got it | 16:14 |
lbragstad | i added cycle-highlights for keystone https://review.openstack.org/#/c/590411/ | 16:15 |
lbragstad | would love feedback there if anyone has any | 16:15 |
gagehugo | lbragstad: done | 16:24 |
gagehugo | my main concern is the whole case-insensitive issue we had with "Member" vs "member" when we merged the default roles | 16:24 |
gagehugo | that may affect people | 16:24 |
lbragstad | gagehugo: done | 16:27 |
lbragstad | gagehugo: where did we put that case-sensitivity statement in docs? | 16:28 |
gagehugo | https://review.openstack.org/#/c/576640/ | 16:29 |
lbragstad | https://docs.openstack.org/keystone/latest/admin/identity-case-insensitive.html ah | 16:29 |
gagehugo | yeah | 16:29 |
*** s10 has joined #openstack-keystone | 16:38 | |
*** aojea has quit IRC | 16:51 | |
*** s10 has quit IRC | 16:57 | |
*** itlinux has joined #openstack-keystone | 16:58 | |
*** raildo has quit IRC | 17:07 | |
*** raildo has joined #openstack-keystone | 17:31 | |
*** raildo_ has joined #openstack-keystone | 17:35 | |
*** raildo has quit IRC | 17:36 | |
*** gyee has joined #openstack-keystone | 17:47 | |
*** felipemonteiro has joined #openstack-keystone | 17:52 | |
*** felipemonteiro has quit IRC | 18:30 | |
kmalloc | lbragstad: interesting, role api and role_implication api is the first place i had to convert an enforcement callback. it went super easily | 18:32 |
kmalloc | lbragstad: fwiw, enforce_call made it almost painless. | 18:32 |
*** spilla has joined #openstack-keystone | 18:33 | |
openstackgerrit | Gage Hugo proposed openstack/keystone master: WIP - Add details and clarify examples on casing https://review.openstack.org/590477 | 18:35 |
*** ayoung has joined #openstack-keystone | 18:41 | |
ayoung | orange_julius, ever solve your problem? Sounds like HA proxy is sending one request to each Keystone server for some reason. | 18:43 |
kmalloc | lbragstad: hm. | 19:01 |
kmalloc | lbragstad: we broke HTTP spec again in implied roles *sigh* | 19:01 |
kmalloc | lbragstad: we issue a NO_CONTENT for HEAD. | 19:01 |
kmalloc | *eyeroll* | 19:01 |
kmalloc | checking our docks. | 19:01 |
kmalloc | docs* | 19:01 |
kmalloc | yep, we messed that one up =/ | 19:21 |
openstackgerrit | Morgan Fainberg proposed openstack/keystone master: Convert Roles API to flask native dispatching https://review.openstack.org/590494 | 19:23 |
openstackgerrit | Morgan Fainberg proposed openstack/keystone master: Convert Roles API to flask native dispatching https://review.openstack.org/590495 | 19:23 |
openstackgerrit | Morgan Fainberg proposed openstack/keystone master: Convert Roles API to flask native dispatching https://review.openstack.org/590494 | 19:24 |
*** rmascena__ has joined #openstack-keystone | 19:29 | |
*** raildo_ has quit IRC | 19:33 | |
*** pcaruana has quit IRC | 19:33 | |
*** aojea has joined #openstack-keystone | 19:47 | |
openstackgerrit | Morgan Fainberg proposed openstack/keystone master: Convert role_inferences API to flask native dispatching https://review.openstack.org/590502 | 19:59 |
*** rmascena__ has quit IRC | 20:09 | |
*** rmascena__ has joined #openstack-keystone | 20:09 | |
*** nicolasbock has quit IRC | 20:11 | |
*** rmascena__ has quit IRC | 20:16 | |
openstackgerrit | Gage Hugo proposed openstack/keystone master: Set initiator id as user_id for auth events https://review.openstack.org/588086 | 20:19 |
orange_julius | ayoung: no I have not yet. Trying to replicate the issue. I can lock out a user by sending a POST with curl to a backend keystone node though.. so I don't think it's haproxy | 20:28 |
orange_julius | since the curl never hits haproxy | 20:28 |
openstackgerrit | Merged openstack/keystone master: Imported Translations from Zanata https://review.openstack.org/590111 | 20:39 |
kmalloc | lbragstad: almost have role_assignments converted. the assignment subsystem is getting there. | 20:50 |
*** lbragstad has quit IRC | 20:51 | |
ayoung | orange_julius, so we do one bind as the user to authenticate, and the rest of the work is done as an admin user. If there are multiple simple-bind calls from Keystone to LDAP, it should show up in the Keystone log. | 20:53 |
ayoung | Need to turn on tracing | 20:53 |
orange_julius | I can't turn that on in prod. Trying to replicate in test. Hopefully I'll have something soon | 20:57 |
ayoung | orange_julius, I wonder if it is something fun like: pooling mechanism treats a failure as a reason to retry. | 20:59 |
kmalloc | ayoung: hm. that would be odd, but i could see ldappool having such an issue | 21:00 |
orange_julius | Yup that's what the theory is. I have a bug report opened with ldappool | 21:00 |
orange_julius | Just need verification | 21:00 |
kmalloc | ayoung: wonder if we're setting a RETRY value on the connection as well | 21:00 |
orange_julius | ldappool catches ldap.LDAPError which is the superclass for all ldap errors. I'm pretty sure it's happening there... lines 251-268 of ldappool | 21:00 |
ayoung | simple-bind is dumb | 21:01 |
ayoung | it really is an anti-pattern. Share your password with every app.... | 21:01 |
kmalloc | hmm.. this looks suspect | 21:01 |
kmalloc | https://github.com/openstack/ldappool/blob/master/ldappool/__init__.py#L99 | 21:01 |
kmalloc | ayoung, orange_julius: https://github.com/python-ldap/python-ldap/blob/f3ff4a320a21a3ac42bc7587eaed09c4f9b2f9f5/Lib/ldap/ldapobject.py#L1193-L1203 | 21:05 |
kmalloc | looks to me like what is happening is the failure is being re-tried | 21:06 |
ayoung | except ldap.SERVER_DOWN: | 21:06 |
kmalloc | looks like LDAPpool needs a bunch more logic and we need to do connect independent of simple_bind, and ensure we don't retry on a legit simple bind error | 21:06 |
ayoung | you should not get that on an auth failure, tho | 21:06 |
kmalloc | unless the simple_bind failure to AD maybe drops the connections? | 21:07 |
kmalloc | in this case | 21:07 |
kmalloc | we can't discount that as a possibility | 21:07 |
orange_julius | This is what we had been taking a look at: https://git.openstack.org/cgit/openstack/ldappool/tree/ldappool/__init__.py#n255 Is this only to establish the pool then? | 21:07 |
ayoung | ldap.TIMEOUT maybe? | 21:07 |
kmalloc | ayoung: maybe as well | 21:07 |
kmalloc | i am guessing it is an interaction with the reconnect object and ldappool's use | 21:08 |
ayoung | oh, that last one looks like a suspect | 21:08 |
kmalloc | ah yeah that might do it | 21:08 |
ayoung | that is so not my code | 21:08 |
ayoung | who wrote that... | 21:09 |
kmalloc | that is mostly inherited from mozilla | 21:09 |
orange_julius | Are you guys looking at ldappool stuff? | 21:09 |
kmalloc | when we took over ldappool | 21:09 |
kmalloc | orange_julius: yeah. | 21:09 |
kmalloc | ayoung: so, we own ldappool but it was originally a mozilla project. | 21:09 |
kmalloc | ayoung: my guess is that is historical. | 21:09 |
ayoung | I still wanna know who wrote dat | 21:10 |
kmalloc | ayoung: git blame? | 21:10 |
ayoung | 5f674821 (Steve Martinelli 2016-05-12 12:16:34 -0700 255) except ldap.LDAPError as error: | 21:11 |
ayoung | 5f674821 (Steve Martinelli 2016-05-12 12:16:34 -0700 256) exc = error | 21:11 |
ayoung | Dun dun DUN! | 21:11 |
ayoung | not really | 21:11 |
ayoung | - except ldap.LDAPError as exc: | 21:12 |
ayoung | + except ldap.LDAPError as error: | 21:12 |
kmalloc | ayoung: how about https://github.com/openstack/ldappool/blame/6350323b7f6ecbb54f70fd2e847190c99b826d94/ldappool/__init__.py#L217 | 21:12 |
ayoung | predates this repo.... | 21:13 |
kmalloc | yep | 21:13 |
ayoung | initial-import.... | 21:14 |
kmalloc | so long long ago | 21:14 |
kmalloc | in a galaxy far away | 21:14 |
ayoung | so, I wonder if an auth failure is not supposed to raise an exception | 21:15 |
ayoung | exception ldap.INSUFFICIENT_ACCESS | 21:16 |
ayoung | https://www.python-ldap.org/en/latest/reference/ldap.html | 21:16 |
ayoung | I wonder if we were not using that code before to authenticate | 21:17 |
*** dave-mccowan has quit IRC | 21:17 | |
kmalloc | we might have been | 21:17 |
ayoung | conn = self.user.get_connection(user_ref['dn'], | 21:19 |
ayoung | password, end_user_auth=True) | 21:19 |
ayoung | I was young. I needed the money. | 21:19 |
ayoung | I'd like to state for the record that I did not do the pool thing. | 21:20 |
ayoung | commit 22b114f64724a551df5d32075b6a2d93c394b0d3 | 21:21 |
ayoung | Author: Dolph Mathews <dolph.mathews@gmail.com> | 21:21 |
ayoung | Date: Fri Feb 26 01:22:22 2016 +0000 | 21:21 |
ayoung | Enable LDAP connection pooling by default | 21:21 |
ayoung | https://review.openstack.org/#/c/285008/ | 21:21 |
ayoung | I +2ed it | 21:21 |
kmalloc | LOL | 21:22 |
ayoung | course, that was not the initial pool commit | 21:22 |
ayoung | commit ea689ff78f47ca762a4c46a726917b290c52cfef | 21:22 |
ayoung | Author: Arun Kant <arun.kant@hp.com> | 21:22 |
ayoung | Date: Fri May 23 15:25:38 2014 -0700 | 21:22 |
ayoung | https://review.openstack.org/#/c/95300/ | 21:23 |
ayoung | I +2ed that one, too | 21:23 |
*** spilla has quit IRC | 21:23 | |
ayoung | orange_julius, you can blame me | 21:23 |
orange_julius | fire and brimstone upon you!!! | 21:24 |
ayoung | It would cool things off right now. Heat wave in New England | 21:24 |
openstackgerrit | Morgan Fainberg proposed openstack/keystone master: Convert role_assignments API to flask native dispatching https://review.openstack.org/590518 | 21:24 |
ayoung | I don't think that is fixable | 21:25 |
ayoung | you'd have to turn off pooling | 21:25 |
orange_julius | So is this issue indeed with https://bugs.launchpad.net/ldappool/+bug/1785898 ? | 21:25 |
openstack | Launchpad bug 1785898 in ldappool "Connection Pooling Retries Failed Passwords" [Undecided,New] | 21:25 |
ayoung | it sure is | 21:26 |
ayoung | Switch to Kerberos | 21:26 |
ayoung | Do we still support kerberos with LDAP? Seems to me Dolph wanted to kill that | 21:26 |
orange_julius | =( What effect does turning off connection pooling have? | 21:27 |
ayoung | slower connection to the LDAP server. | 21:27 |
ayoung | but you would not be turning it off | 21:27 |
ayoung | just stopping retries | 21:27 |
ayoung | which means poor failover semantics, I think | 21:28 |
ayoung | the hack would be to change ldappool to not retry on auth failure | 21:28 |
ayoung | you have the power to change Python code in production? | 21:28 |
orange_julius | Yes but we won't be doing that =P. I think disabling retries would be fine. Does that involve just setting the retry number to 0 in the ldap options? | 21:29 |
*** lbragstad has joined #openstack-keystone | 21:55 | |
*** ChanServ sets mode: +o lbragstad | 21:55 | |
orange_julius | might've replicated the issue. I can't unlock my own account though so I gotta wait =( | 21:56 |
*** mchlumsky has quit IRC | 21:58 | |
*** neiljerram has quit IRC | 22:08 | |
*** rcernin has joined #openstack-keystone | 22:09 | |
kmalloc | Turning off the pool is much slower, but this legitimately is an icky bug | 22:14 |
kmalloc | I'd go with slower over lockout :P | 22:14 |
*** itlinux has quit IRC | 22:23 | |
*** _ix has quit IRC | 22:29 | |
*** aojea has quit IRC | 22:46 | |
*** evrardjp has quit IRC | 22:55 | |
*** gyee has quit IRC | 23:06 | |
openstackgerrit | Merged openstack/oslo.policy master: Imported Translations from Zanata https://review.openstack.org/590145 | 23:11 |
openstackgerrit | Morgan Fainberg proposed openstack/keystone master: Convert role_assignments API to flask native dispatching https://review.openstack.org/590518 | 23:31 |
openstackgerrit | Morgan Fainberg proposed openstack/keystone master: Convert role_assignments API to flask native dispatching https://review.openstack.org/590518 | 23:32 |
openstackgerrit | Morgan Fainberg proposed openstack/keystone master: Convert role_assignments API to flask native dispatching https://review.openstack.org/590518 | 23:32 |
Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!