*** mvkr has quit IRC | 00:05 | |
*** hoonetorg has quit IRC | 00:56 | |
*** hoonetorg has joined #openstack-keystone | 01:10 | |
*** Dinesh_Bhor has joined #openstack-keystone | 01:23 | |
*** threestrands has quit IRC | 01:33 | |
*** Dinesh_Bhor has quit IRC | 01:45 | |
*** Dinesh_Bhor has joined #openstack-keystone | 01:48 | |
*** hoonetorg has quit IRC | 01:49 | |
*** Dinesh_Bhor has quit IRC | 01:53 | |
*** hoonetorg has joined #openstack-keystone | 02:01 | |
*** Dinesh_Bhor has joined #openstack-keystone | 03:00 | |
*** dave-mccowan has quit IRC | 03:07 | |
*** cfriesen has quit IRC | 03:15 | |
*** mvkr has joined #openstack-keystone | 03:29 | |
*** Dinesh_Bhor has quit IRC | 03:54 | |
*** Dinesh_Bhor has joined #openstack-keystone | 04:34 | |
*** pcaruana has joined #openstack-keystone | 04:36 | |
*** pcaruana has quit IRC | 04:43 | |
openstackgerrit | Vishakha Agarwal proposed openstack/keystone master: Purge soft-deleted trusts https://review.openstack.org/604970 | 04:54 |
*** Dinesh_Bhor has quit IRC | 05:48 | |
*** Dinesh_Bhor has joined #openstack-keystone | 05:54 | |
*** Dinesh_Bhor has quit IRC | 05:58 | |
*** Dinesh_Bhor has joined #openstack-keystone | 06:03 | |
*** Krenair has quit IRC | 06:04 | |
*** Krenair has joined #openstack-keystone | 06:24 | |
*** d0ugal has joined #openstack-keystone | 06:32 | |
*** Emine has quit IRC | 06:36 | |
*** hoonetorg has quit IRC | 06:36 | |
*** dims has quit IRC | 06:38 | |
*** Krenair has quit IRC | 06:39 | |
*** dims has joined #openstack-keystone | 06:44 | |
*** dims has quit IRC | 06:48 | |
*** dims has joined #openstack-keystone | 06:51 | |
*** Krenair has joined #openstack-keystone | 06:55 | |
*** Dinesh_Bhor has quit IRC | 06:55 | |
*** rcernin has quit IRC | 07:01 | |
*** pcaruana has joined #openstack-keystone | 07:01 | |
*** aloga has quit IRC | 07:15 | |
*** aloga has joined #openstack-keystone | 07:15 | |
*** Dinesh_Bhor has joined #openstack-keystone | 07:31 | |
*** d0ugal has quit IRC | 07:53 | |
*** Dinesh_Bhor has quit IRC | 08:57 | |
*** Dinesh_Bhor has joined #openstack-keystone | 09:43 | |
*** mvkr has quit IRC | 09:57 | |
*** mvkr has joined #openstack-keystone | 10:26 | |
*** Dinesh_Bhor has quit IRC | 10:27 | |
*** Dinesh_Bhor has joined #openstack-keystone | 10:29 | |
*** Dinesh_Bhor has quit IRC | 10:31 | |
*** d0ugal has joined #openstack-keystone | 11:01 | |
*** dave-mccowan has joined #openstack-keystone | 11:02 | |
*** mvkr has quit IRC | 11:16 | |
*** jaosorior has joined #openstack-keystone | 11:16 | |
*** mvkr has joined #openstack-keystone | 11:17 | |
*** aojea_ has joined #openstack-keystone | 11:55 | |
*** aojea_ has quit IRC | 12:05 | |
*** aojea_ has joined #openstack-keystone | 12:06 | |
*** aojea_ has quit IRC | 12:10 | |
*** Emine has joined #openstack-keystone | 12:23 | |
*** aojea_ has joined #openstack-keystone | 12:29 | |
*** raildo has joined #openstack-keystone | 12:32 | |
*** markvoelker has joined #openstack-keystone | 12:32 | |
*** raildo_ has joined #openstack-keystone | 12:34 | |
*** raildo has quit IRC | 12:37 | |
knikolla | o/ | 12:47 |
cmurphy | \o | 12:48 |
ayoung | o/\o | 12:53 |
*** pcaruana has quit IRC | 12:57 | |
*** d0ugal has quit IRC | 13:00 | |
*** aojea_ has quit IRC | 13:09 | |
knikolla | anything that needs my eyes today? (i'll be off again wed-fri) | 13:09 |
*** leeuwenrjj has joined #openstack-keystone | 13:20 | |
*** d0ugal has joined #openstack-keystone | 13:21 | |
leeuwenrjj | Hi, I am currently using an app in the pipeline to authenticate users by setting REMOTE_USER. The Rocky release notes suggest "It is no longer possible to, via the paste.ini file to inject middleware into the running keystone application." | 13:21 |
leeuwenrjj | At the same time the documentation suggests it is still possible "https://docs.openstack.org/keystone/latest/advanced-topics/external-auth.html" | 13:22 |
leeuwenrjj | So I was wondering if it is still possible, for us it would be a major headache if this breaks. | 13:23 |
cmurphy | leeuwenrjj: the documentation is out of date, the release notes are correct | 13:23 |
cmurphy | kmalloc: can you give leeuwenrjj advice on how to proceed ^ | 13:23 |
leeuwenrjj | Yeah, this is a major pain. e.g. we also track request times and status codes with some middleware. It is *REALLY* painful that was just removed | 13:24 |
cmurphy | i was afraid of that :( | 13:25 |
leeuwenrjj | Any specific reason this is not just an option/toggle instead of just removing it altogether? | 13:25 |
cmurphy | leeuwenrjj: there was a major refactor of our wsgi backend | 13:26 |
*** pcaruana has joined #openstack-keystone | 13:27 | |
leeuwenrjj | Would there be any way to re-enable this without too much hackery? Removing such a Major feature as a small security note in the release is not something we can plan for. | 13:30 |
openstackgerrit | Merged openstack/ldappool master: Removed older version of python added 3.5 https://review.openstack.org/606337 | 13:34 |
*** d0ugal has quit IRC | 13:36 | |
*** raildo_ is now known as raildo | 13:39 | |
cmurphy | leeuwenrjj: I do not think it will be easy, but when kmalloc wakes up on the west coast he can hopefully help | 13:40 |
kmalloc | Just woke up. | 13:50 |
kmalloc | Like, seconds ago. Forgot to turn off phone notifications :P | 13:50 |
cmurphy | heh sorry | 13:51 |
kmalloc | No worries | 13:51 |
kmalloc | Toty my fault ;) | 13:51 |
kmalloc | Totally | 13:51 |
*** cfriesen has joined #openstack-keystone | 13:52 | |
kmalloc | leeuwenrjj: so the easiest bit is to wrap the whole keystone app with a proxy or turn on the debug middleware | 13:53 |
kmalloc | leeuwenrjj: the reason we don't allow injection of middleware anymore is due to security. It was just too easy for something to totally muck up the application itself. | 13:53 |
*** d0ugal has joined #openstack-keystone | 13:54 | |
kmalloc | In general it also was because paste deploy was unmaintained | 13:55 |
kmalloc | Think of keystone as a whole application, not as a modular pluggable thing | 13:56 |
kmalloc | It is us being more opinionated and trying to ensure keystone is as consistent across all deployments as possible | 13:57 |
kmalloc | Now, the debug middleware does emit a lot about timing and such to logs | 13:57 |
leeuwenrjj | Thx for the info, I still think that the security aspect of it is a bit over-rated. The moment someone has enough permissions to modify the pipeline config this won't stop them. | 13:57 |
leeuwenrjj | And for us this will create a lot of headaches without much up front warnings. (Or I have missed it) | 13:58 |
kmalloc | leeuwenrjj: sure, so the concern is almost no one (you are literally the exception in the entire time I've run and developed OpenStack) that changed paste ini | 14:00 |
kmalloc | So the file was usually untracked by cfg management | 14:00 |
kmalloc | So it is another vector of change that was easier to drop in / muck up keystone's operation and it allowed loading in any code in-line that could be a security issue. It isn't major, but it is a vector we considered. | 14:01 |
kmalloc | For what it is worth, if your code has entry points in a python package you can add a line or two in keystone.server.flask.application where we load other middleware | 14:02 |
leeuwenrjj | Also parsing debug logs for getting API timings is pretty expensive. We just put timings directly from the pipeline into graphite which scales a lot better. Also we have seen major performance degradation when enabling debug in keystone in the past. | 14:03 |
kmalloc | Debug middleware is different than debug logging. | 14:03 |
kmalloc | You can still wrap all of keystone in a middleware as well, it is just a wsgi app | 14:04 |
kmalloc | You just can't inject a middleware into keystone's pipeline (which, fwiw, is going to be almost all collapsed into a singular flask entry this cycle) | 14:05 |
kmalloc | This is more like how java apps work. Middleware wraps the whole app, but you typically cannot inject middleware into the middle of the java app. | 14:06 |
kmalloc | So, if you load all of keystone and wrap it in your middleware under the wsgi container, it works the same as before. | 14:07 |
leeuwenrjj | So I assume REMOTE_USER to set authenticated users still works? | 14:07 |
kmalloc | Yes it does. | 14:08 |
leeuwenrjj | Ok thanks for the pointers. Will have a shot at it. | 14:08 |
kmalloc | All normal auth and env. data keystone used before still works as expected | 14:08 |
kmalloc | If you are still really hard up, I can roll a patch that allows wrapping middleware around keystone (it would be the outer-most layer). At least as an example until we considered the feature | 14:10 |
kmalloc | But the request / use of injecting custom middleware into keystone is very limited. Most deployment tools don't even support it. | 14:10 |
kmalloc | (none?) | 14:10 |
kmalloc | cmurphy: it's 7am here, I need to feed/walk puppers. Brie is at a work event for the next 2 days. | 14:12 |
kmalloc | So it was about when I needed to wake up anyway. | 14:12 |
cmurphy | kmalloc: since you're awake, what do you think of backporting https://review.openstack.org/607056 to queens and pike? | 14:12 |
kmalloc | I would +2 that change | 14:13 |
kmalloc | It seems like a legit bug that could cause issues with ldap deployments | 14:13 |
cmurphy | yeah it caused an issue with one of our customers | 14:13 |
kmalloc | And it fixes a bug without otherwise changing behavior. | 14:14 |
leeuwenrjj | We just added the template to the config management. Such a thing is so trivial that assuming ansible/puppet etc does not support it no-one is using it seems a bit | 14:14 |
leeuwenrjj | of a short-cut | 14:14 |
cmurphy | kmalloc: https://review.openstack.org/#/q/816b472a9d20e4e7cfe33f2f40ef5daae590795e | 14:14 |
kmalloc | leeuwenrjj: a lot of tools relocate it out of etc, for the most part paste-ini is code not config | 14:14 |
kmalloc | cmurphy: +2 across the board, will +a the last two after zuul weighs in. | 14:16 |
kmalloc | leeuwenrjj: and that is the crux of it. If we reintroduce the capability it will be more restrictive and managed via the keystone config. | 14:18 |
kmalloc | Let me know if you can wrap the whole app or need help doing so, and I can write up a quick example. | 14:18 |
kmalloc | S/can/succeed in | 14:19 |
leeuwenrjj | A quick example would be great would help not really my daily cup of tea these things | 14:19 |
kmalloc | Sure. I'll roll up an example once I get done with morning things like dog food/walks and my coffee. | 14:23 |
kmalloc | You caught me about 2 minutes after I woke up ;) so I don't think I can roll that example yet (also on mobile), need to sit down at my desk. | 14:24 |
kmalloc | Will def. Have something for you in a few hours | 14:24 |
kmalloc | cmurphy: mmm pumpkin roasted coffee makes me happy. | 14:25 |
ayoung | leeuwenrjj, I am totally with you on this one | 14:25 |
ayoung | I wanted to be able to do the same kind of thing. Paste made it impossible to do some of the things I wanted, though | 14:25 |
kmalloc | cmurphy: down to ~7 unit tests and a couple federated functional tests for auth port. It ... Makes me cry, pushing 3k lines of change. | 14:26 |
*** leeuwenrjj has quit IRC | 14:26 | |
ayoung | GAH | 14:26 |
cmurphy | kmalloc: that makes me cry too | 14:26 |
kmalloc | ayoung: just for auth. | 14:26 |
kmalloc | But there is only so much that can be isolated there. | 14:26 |
ayoung | kmalloc, yeah, I wanted to be able to slip in a Basic-Auth middleware | 14:26 |
kmalloc | ayoung: should still be doable, like java, wrap the whole app, use remote_user | 14:27 |
ayoung | feh | 14:27 |
ayoung | I'll come up with something better, but not right now | 14:27 |
knikolla | kmalloc: send me a ping when you want some eyes on that | 14:28 |
kmalloc | Paste removal doesn't break normal middleware usages. It breaks "insert middleware anywhere" | 14:28 |
ayoung | once you get the Flaskification done, let's sit and talk it through | 14:28 |
kmalloc | ayoung: ++ | 14:28 |
ayoung | yeah, and I don't want "anywhere" | 14:28 |
kmalloc | Totally, and ultimately, doc update to show an example | 14:28 |
kmalloc | We can convert what I'll spin up for leeuwenrjj to real docs. | 14:29 |
ayoung | ++ | 14:29 |
kmalloc | And replace the paste bits from our docs with that. | 14:29 |
ayoung | sitting in an OSP14 features meeting | 14:30 |
ayoung | Basically, what RH is promoting from current release...interesting | 14:30 |
knikolla | ayoung: are you wearing an 869686 tshirt? | 14:30 |
ayoung | You have the number wrong | 14:30 |
kmalloc | cmurphy, ayoung, knikolla: this conversion has a lot of test changes too. We fundamentally do things differently now. I couldn't easily decouple a lot of it. :(. But the rest of the flaskification has been good. | 14:30 |
ayoung | and no I am not | 14:30 |
knikolla | i have terrible number memory :/ | 14:31 |
kmalloc | Auth just touches ... Everything. | 14:31 |
ayoung | kmalloc, that is actually a good thing. If it is not used for auth, it should not really be part of Keystone, right? | 14:32 |
ayoung | but... | 14:32 |
ayoung | should we make it more isolated? | 14:32 |
ayoung | like, what if auth was a separate web app from all the other backends, and had to make REST calls to get the data it needed? | 14:32 |
ayoung | I'm guessing that would not really alleviate your pain | 14:33 |
kmalloc | I've considered that. | 14:34 |
kmalloc | But for now, it doesn't fix anything and would make things just as painful :P | 14:34 |
kmalloc | Anyway back in a bit, dog walking, pumpkin (not that chemical crap from the main-stream coffee shops) coffee, drugs, and breakfast is in order | 14:35 |
kmalloc | ayoung: https://www.deathwishcoffee.com/products/cauldron-aged-pumpkin-spice | 14:35 |
kmalloc | Mmmm | 14:35 |
kmalloc | It's so good. | 14:35 |
ayoung | Basin now Security stuff | 14:46 |
ayoung | App Creds FTW! | 14:46 |
ayoung | kmalloc, probably need to point someone at making the policy changed for glance, huh? | 14:47 |
kmalloc | Yeah. | 14:48 |
kmalloc | Probably | 14:48 |
ayoung | kmalloc, would flaskification help or hurt that? | 14:48 |
kmalloc | Indifferent | 14:48 |
ayoung | I mean, we could just hack the policy.json file | 14:49 |
ayoung | I don't think glance has policy-in-code yet | 14:49 |
ayoung | W00t...low Footprint Deployment for Sales/Demo use cases! | 14:53 |
ayoung | All-in-one | 14:53 |
ayoung | "Potential Replacement of Packstack" | 14:53 |
*** Emine has quit IRC | 14:55 | |
*** nicolasbock has joined #openstack-keystone | 15:07 | |
*** d0ugal has quit IRC | 15:12 | |
*** d0ugal has joined #openstack-keystone | 15:12 | |
*** leeuwenrjj has joined #openstack-keystone | 15:13 | |
*** dave-mccowan has quit IRC | 15:27 | |
*** dave-mccowan has joined #openstack-keystone | 15:29 | |
hrybacki | kmalloc: o/ are you still working on that caching best practices guide by chance? | 15:39 |
*** felipemonteiro has joined #openstack-keystone | 15:43 | |
*** gyee has joined #openstack-keystone | 15:49 | |
cmurphy | meeting in #openstack-meeting-alt | 16:02 |
kmalloc | hrybacki: i need to write something up, but i sent an email out to the folks on that chain last week | 17:00 |
kmalloc | highlighting the best way forward | 17:00 |
kmalloc | got a nice thank you from... alexy? was that the name? | 17:01 |
kmalloc | ayoung: if you didn't see earlier, app-creds should 100% work in ksm. | 17:01 |
kmalloc | ayoung: just need to say "use app cred auth plugin" | 17:01 |
kmalloc | ayoung: so changes in deployment (if it doesn't work... uhm, let me know) | 17:02 |
kmalloc | ayoung: and i think we need to backlog a "use app-creds" as a default setup for devstack in ksm. | 17:02 |
ayoung | ++ | 17:02 |
* gagehugo runs to get lunch | 17:02 | |
kmalloc | gagehugo: LUNCH! bring me some! | 17:02 |
* kmalloc looks at the time. | 17:02 | |
* knikolla goes to lunch as well. | 17:02 | |
kmalloc | i should eat breakfast. | 17:02 |
kmalloc | knikolla: hey... no fair, making me hungry | 17:03 |
kmalloc | #startmeeting keystone-office-hours | 17:04 |
openstack | Meeting started Tue Oct 2 17:04:37 2018 UTC and is due to finish in 60 minutes. The chair is kmalloc. Information about MeetBot at http://wiki.debian.org/MeetBot. | 17:04 |
openstack | Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. | 17:04 |
*** openstack changes topic to " (Meeting topic: keystone-office-hours)" | 17:04 | |
*** ChanServ changes topic to "Stein release schedule: https://releases.openstack.org/stein/schedule.html | Meeting agenda: https://etherpad.openstack.org/p/keystone-weekly-meeting | Bugs that need triaging: http://bit.ly/2iJuN1h | Trello: https://trello.com/b/rj0ECz2c/keystone-stein-roadmap !!NOTE!! This Channel is Logged ( https://tinyurl.com/OpenStackKeystone )" | 17:04 | |
openstack | The meeting name has been set to 'keystone_office_hours' | 17:04 |
*** leeuwenrjj has quit IRC | 17:13 | |
*** leeuwenrjj has joined #openstack-keystone | 17:19 | |
kmalloc | ayoung: -1 on the explicit domain id for a few reasons, but mostly because the validation is insufficient. | 17:29 |
ayoung | WFM | 17:29 |
ayoung | I assume you expand on that in the review? | 17:29 |
*** mvkr has quit IRC | 17:31 | |
kmalloc | ayoung: yeah i've highlighted my concerns | 17:36 |
kmalloc | ayoung: mostly things like the uuid you generated isn't what keystone would store internally, it has '-' in it. does shorter hex-only strings work | 17:36 |
kmalloc | etc | 17:36 |
kmalloc | you're probably going to need to implement json-schema or explicit cast of id to a uuid.hex | 17:37 |
kmalloc | default and domain-root (whatever the id is) are the only exceptions for "uuid-is-the-form-of-the-id" for domains | 17:37 |
kmalloc | and specifically uuid.hex | 17:37 |
*** Emine has joined #openstack-keystone | 17:43 | |
hrybacki | kmalloc: ack. I'm getting pushed for something more formal or I wouldn't ask :) | 17:44 |
*** openstackgerrit has quit IRC | 17:51 | |
*** leeuwenrjj has quit IRC | 17:51 | |
kmalloc | on my long list of todo | 18:00 |
kmalloc | formal docs. but really "enable caching. enable service-ksm caching sharing a pool" | 18:00 |
kmalloc | that is the best practices. | 18:00 |
*** pcaruana has quit IRC | 18:02 | |
knikolla | any opinion/preference on the term refreshable vs renewable for app creds? | 18:04 |
*** mvkr has joined #openstack-keystone | 18:05 | |
kmalloc | flip a coin | 18:11 |
kmalloc | i think renewable is a better term. | 18:12 |
kmalloc | but i have no qualms with either name | 18:12 |
*** aojea has joined #openstack-keystone | 18:12 | |
*** Emine has quit IRC | 18:15 | |
kmalloc | knikolla: https://review.openstack.org/#/c/606195/ that needs your +2 | 18:18 |
knikolla | kmalloc: i think i'll go for renewable. | 18:18 |
knikolla | looking now | 18:18 |
*** openstackgerrit has joined #openstack-keystone | 18:19 | |
openstackgerrit | Morgan Fainberg proposed openstack/keystone master: WIP: Convert auth to flask native dispatching https://review.openstack.org/603461 | 18:19 |
kmalloc | and now... time to chase the last bugs with the auth conversion so we can land it and be much closer to being done with flaskification | 18:19 |
*** imacdonn has quit IRC | 18:21 | |
*** imacdonn has joined #openstack-keystone | 18:21 | |
kmalloc | cmurphy: are you ok with me breaking the json_home a little more. basically eliminating the OS-FEDERATION entries in lieu of the /v3/auth/ entries only? | 18:22 |
kmalloc | knikolla, ayoung, gagehugo: ^ | 18:22 |
kmalloc | basically: just dropping OS-FEDERATION entries from json_home where there is a mirrored bit in the /v3/auth locations | 18:23 |
knikolla | kmalloc: would that break someone who is using json_home to discover the url? | 18:24 |
kmalloc | only if they are trying to discover /OS-FEDERATION bits we deprecated | 18:24 |
kmalloc | also... i don't know of a single person using jsonhome | 18:24 |
kmalloc | it's... not a great document for discovery | 18:25 |
kmalloc | i think it's easier to just use the openstack docs and look up the URL :P | 18:25 |
*** mogindi has joined #openstack-keystone | 18:25 | |
mogindi | have a question regarding keystone token issuing, anyone know who the best person to help me? | 18:26 |
knikolla | IIRC ayoung has a blog post on how to consume json_home | 18:26 |
knikolla | but I'm cautiously okay with removing deprecated bits from it | 18:26 |
kmalloc | mogindi: lots of folks here, ask away | 18:26 |
kmalloc | knikolla: if it's important i can add a way to add in "extra" REL data | 18:27 |
kmalloc | but basically with auth conversion, i didn't assume we'd have entries in two locations for the same data (conversion for that one bug fix) | 18:28 |
knikolla | i tremble upon hearing the word "extra" | 18:28 |
kmalloc | knikolla: e.g. i am missing the entry now for OS-FEDERATION/1.0/rel/projects because i have it as /auth/projects | 18:28 |
mogindi | kmalloc: I'm issuing a token using `openstack token issue`, plug the token id generated in an rc file and export along with OS_ env vars. I'm able to run commands as that user normally, but some commands are failing giving a 401. Ever seen that? | 18:29 |
kmalloc | we used to have it listed in both locations. but with the move to use the same code, i don't have a mechanism to add both json_home rel data bits. | 18:29 |
kmalloc | knikolla: ^ | 18:29 |
kmalloc | knikolla: i could split the code back out, but now in flask we really do map the URLs to both locations (direct route) so no code duplication or even a "call other controller" | 18:29 |
kmalloc | it is the same exact controller/resource | 18:30 |
knikolla | kmalloc: understood. in that case i think it's fine to remove it. | 18:30 |
kmalloc | mogindi: i'd need to know more about what is failing. is it failing after a period of time? | 18:30 |
kmalloc | mogindi: tokens expire | 18:30 |
kmalloc | knikolla: i'm going to just drop the OS-FEDERATION entries and add them back in if folks complain | 18:32 |
mogindi | kmalloc: it's not the expiration. it's right after generating the token. The command `openstack volume list` works, but for example `openstack volume type list` returns a 401 | 18:32 |
kmalloc | knikolla: that is i think 2-4 of the failing tests :P | 18:32 |
kmalloc | mogindi: do you have the correct roles to list that? | 18:33 |
kmalloc | mogindi: odd that you're getting a 401 vs a 403. | 18:33 |
kmalloc | i would expect that to be a 403 without the roles. but i haven't looked at how cinder does enforcement | 18:34 |
mogindi | kmalloc: yeah if it's a policy issue, normally would get a 403. Tried setting identical policies to make sure, didn't work | 18:34 |
kmalloc | so if you do: openstack volume list, openstack volume type list, openstack volume list | 18:34 |
kmalloc | the middle of the two commands would fail | 18:34 |
mogindi | yes | 18:34 |
kmalloc | but the other two would work (assuming in short order use) | 18:35 |
kmalloc | weird | 18:35 |
mogindi | yes exactly | 18:35 |
*** openstackgerrit has quit IRC | 18:35 | |
kmalloc | you might need to get some debug output for us. this might also be something we need to loop in #openstack-cinder folks on | 18:35 |
kmalloc | is cinder the only place you're seeing this? | 18:35 |
kmalloc | or other commands. | 18:35 |
kmalloc | e.g. is it super wide spread or just some things, which might be some odd enforcement thing | 18:36 |
mogindi | nope. `openstack router create` doesn't work either | 18:36 |
kmalloc | with a 401. | 18:36 |
mogindi | there could be others, but these are the 2 i know of right now | 18:36 |
kmalloc | are you an admin or a normal user? | 18:36 |
kmalloc | [or is this a public cloud somewhere]? | 18:36 |
mogindi | tried with both. It's our cloud. | 18:37 |
kmalloc | and finally, what version of openstack? | 18:38 |
kmalloc | just in case i need to check if there is something specific to a release. | 18:38 |
mogindi | pike | 18:39 |
kmalloc | [ideally, i'd like to get some info, [debug] sanitized logs from cinder for example if things are possible], and i'd like to see the debug output of the osc run too | 18:39 |
mogindi | okay. where should i paste these logs? | 18:40 |
knikolla | mogindi: paste.openstack.org usually works well | 18:50 |
ayoung | knikolla, kmalloc my blog post does not really cover that use case | 18:50 |
ayoung | Just really how to fetch the data. The real question is whether OS-FEDERATION would be the path people look for based on old docs | 18:51 |
ayoung | https://docs.openstack.org/security-guide/identity/federated-keystone.html | 18:52 |
ayoung | HMMM | 18:52 |
ayoung | I think we might have an issue with just removing that, as all of the docs state that you need to have those there in order to set up Federation | 18:53 |
ayoung | https://docs.openstack.org/security-guide/identity/federated-keystone.html For example | 18:53 |
ayoung | is that what is going to move, or just things like /auth/projects? | 18:54 |
knikolla | ayoung: if i understand correctly, those paths will still work (ex. /OS-FEDERATION/projects) they just won't be advertised on json_home | 18:54 |
ayoung | Do we get any form of documentation? Can we put a comment in there? | 18:55 |
*** openstackgerrit has joined #openstack-keystone | 19:06 | |
openstackgerrit | ayoung proposed openstack/keystone-specs master: Unscoped Token Catalog https://review.openstack.org/607346 | 19:06 |
kmalloc | i'll just add a mechanism for the additional rel entries | 19:12 |
kmalloc | bleh. | 19:12 |
mogindi | kmalloc: http://paste.openstack.org/show/731291/ | 19:15 |
mogindi | let me know if there's something specific u need | 19:15 |
* kmalloc drinks more coffee and pokes at paste | 19:26 | |
kmalloc | ok.. i want to loop in some cinder folks. | 19:27 |
kmalloc | mogindi: you might want to join #openstack-cinder as well. I don't know how some things are failing with 401 vs 403. might ask you to post your cinder config (with passwords/sensitive data stripped out) | 19:32 |
*** dave-mccowan has quit IRC | 19:41 | |
kmalloc | mogindi: can you do this with cinderclient as well? | 19:43 |
kmalloc | mogindi: want to see if there is an issue with OSC / different response for volume list and type list | 19:43 |
mogindi | okay just joined #openstack-cinder | 19:43 |
mogindi | okay gonna try | 19:43 |
mogindi | kmalloc: cinder commands not working with token, getting "ERROR: argument --os-token: conflicting option string(s): --os-token" - troubleshooting | 19:47 |
kmalloc | blink | 19:51 |
*** jdennis has quit IRC | 19:51 | |
*** dave-mccowan has joined #openstack-keystone | 20:30 | |
*** dave-mccowan has quit IRC | 20:36 | |
*** raildo has quit IRC | 20:58 | |
*** jdennis has joined #openstack-keystone | 21:04 | |
*** Emine has joined #openstack-keystone | 21:16 | |
openstackgerrit | ayoung proposed openstack/keystone master: Allow an explicit_domain_id parameter when creating a domain https://review.openstack.org/605235 | 21:28 |
*** felipemonteiro has quit IRC | 21:33 | |
kmalloc | knikolla: ok so... | 21:40 |
kmalloc | knikolla: i don't have a good way to maintain json home things. it also looks like there is an issue with using the alternate_url bits i implemented :( | 21:41 |
kmalloc | any "prefix" on the API will apply to the mapping as well | 21:42 |
kmalloc | grrrr. | 21:42 |
knikolla | :/ | 21:42 |
kmalloc | i'll have a whole bunch of "fixes" down the road. | 21:43 |
kmalloc | i'm just debating what to do next... i guess alternate_urls preclude using an API prefix | 21:46 |
kmalloc | i'm going to add that logic in as well | 21:46 |
kmalloc | bleh | 21:46 |
*** mogindi has quit IRC | 21:51 | |
*** Emine has quit IRC | 21:53 | |
openstackgerrit | Merged openstack/keystone master: Properly replace flask view args in links https://review.openstack.org/606195 | 22:16 |
*** aojea has quit IRC | 23:11 | |
*** rcernin has joined #openstack-keystone | 23:59 |