Monday, 2019-01-14

« Sunday, 2019-01-13 Index Tuesday, 2019-01-15 »
*** dave-mccowan has joined #openstack-keystone00:08
*** dave-mccowan has quit IRC00:13
*** markvoelker has joined #openstack-keystone00:19
*** markvoelker has quit IRC00:31
*** ileixe has joined #openstack-keystone00:51
*** markvoelker has joined #openstack-keystone01:09
openstackgerritwangxiyuan proposed openstack/keystone master: Clean up the create_arguments_apply methods  https://review.openstack.org/62761701:38
*** markvoelker has quit IRC01:45
*** erus_ has joined #openstack-keystone01:59
*** mhen has quit IRC02:52
*** mhen has joined #openstack-keystone03:00
openstackgerritwangxiyuan proposed openstack/keystone master: Expose receipt_setup and receipt_rotate command  https://review.openstack.org/63057403:08
*** markvoelker has joined #openstack-keystone03:18
*** whoami-rajat has joined #openstack-keystone03:30
*** markvoelker has quit IRC03:34
*** markvoelker has joined #openstack-keystone03:34
*** markvoelker has quit IRC03:39
*** markvoelker has joined #openstack-keystone03:48
*** markvoelker has quit IRC03:54
*** markvoelker has joined #openstack-keystone03:55
openstackgerritMerged openstack/keystone master: Do not use self in classmethod  https://review.openstack.org/62941503:59
openstackgerritMerged openstack/keystone master: Update doc for token_setup and token_rotate  https://review.openstack.org/62916804:00
*** shyamb has joined #openstack-keystone04:19
*** shyamb has quit IRC04:22
*** erus_ has quit IRC05:36
*** markvoelker has quit IRC05:39
*** erus has quit IRC06:02
*** erus has joined #openstack-keystone06:07
*** markvoelker has joined #openstack-keystone06:12
openstackgerritwangxiyuan proposed openstack/keystone master: Expose receipt_setup and receipt_rotate command  https://review.openstack.org/63057406:36
*** ileixe has quit IRC07:09
*** pcaruana has joined #openstack-keystone07:11
*** sapd1 has quit IRC07:29
*** sapd1 has joined #openstack-keystone07:29
*** markvoelker has quit IRC07:58
*** markvoelker has joined #openstack-keystone08:03
*** markvoelker has quit IRC08:10
*** sapd1 has quit IRC08:15
*** sapd1 has joined #openstack-keystone08:16
*** markvoelker has joined #openstack-keystone08:29
*** markvoelker has quit IRC08:30
*** markvoelker has joined #openstack-keystone08:32
*** markvoelker has quit IRC08:33
*** markvoelker has joined #openstack-keystone08:35
*** usr2033 has joined #openstack-keystone08:39
usr2033hi, does keystone triggers other services when a project is deleted? If so when/in which version it is started? I have an orphened resource problem08:41
wxy-xiyuanusr2033: no, keystone doesn't support it yet.09:00
wxy-xiyuanusr2033: It's under discussion. https://etherpad.openstack.org/p/community-goal-project-deletion  Perhaps it'll be landed in T IMO.09:02
*** markvoelker has quit IRC09:52
*** awalende has joined #openstack-keystone10:20
*** yan0s has joined #openstack-keystone10:35
usr2033wxy-xiyuan: thank you.10:58
*** erus has quit IRC10:58
*** erus has joined #openstack-keystone11:00
*** Dinesh_Bhor has joined #openstack-keystone11:08
*** mvkr has quit IRC11:26
*** raildo has joined #openstack-keystone11:53
*** mvkr has joined #openstack-keystone11:56
*** awalende has quit IRC12:00
*** markvoelker has joined #openstack-keystone12:01
*** awalende has joined #openstack-keystone12:03
*** awalende has quit IRC12:08
*** mvkr has quit IRC12:10
*** mvkr has joined #openstack-keystone12:10
*** awalende has joined #openstack-keystone12:27
*** Dinesh_Bhor has quit IRC12:45
*** awalende has quit IRC12:55
*** needssleep is now known as TheJulia13:02
*** awalende has joined #openstack-keystone13:03
*** dave-mccowan has joined #openstack-keystone13:14
*** erus_ has joined #openstack-keystone13:54
*** mchlumsky has joined #openstack-keystone14:16
*** beekneemech is now known as bnemec14:19
*** lbragstad has joined #openstack-keystone14:19
*** ChanServ sets mode: +o lbragstad14:19
*** aojea has joined #openstack-keystone14:19
*** awalende has quit IRC14:20
*** markvoelker has quit IRC14:31
*** markvoelker has joined #openstack-keystone14:34
lbragstado/14:36
*** aojea has quit IRC14:41
*** usr2033 has quit IRC14:55
*** erus_ has quit IRC15:08
openstackgerritCorey Bryant proposed openstack/keystone master: PY3: switch to using unicode text values  https://review.openstack.org/61119015:10
*** xek has joined #openstack-keystone15:15
*** markvoelker has quit IRC15:20
*** markvoelker has joined #openstack-keystone15:20
*** markvoelker has quit IRC15:20
knikollao/15:38
lbragstadhow goes it knikolla?15:39
gagehugoo/15:58
yan0sHi all,15:59
yan0sis it possible to create a resource in openstack cli as admin15:59
yan0sbut for a different user as owner?15:59
yan0seq. a private network16:00
yan0sis it just a matter of creating the private network on a project in which the other user has rights to access?16:02
lbragstadyan0s, you could try doing it with a trust scoped tokne16:05
lbragstador building a trust between the user and the admin with impersonation on16:05
knikollalbragstad: good, how're you?16:08
lbragstadhalfway through my first coffee - so i can't complain ;)16:11
knikollai'm trying to cut down on those, or switching to decaf.16:14
lbragstadthat's not a bad idea...16:15
lbragstadi might have to do that, eventually16:16
*** pcaruana has quit IRC16:20
yan0slbragstad: thanks, I will read more about that16:26
*** yan0s has quit IRC17:11
*** pcaruana has joined #openstack-keystone17:15
*** itlinux has joined #openstack-keystone17:33
*** mvkr has quit IRC17:41
*** erus_ has joined #openstack-keystone17:59
erus_hi!18:23
*** itlinux_ has joined #openstack-keystone18:26
*** dave-mccowan has quit IRC18:26
*** itlinux_ has quit IRC18:28
*** itlinux has quit IRC18:29
*** dave-mccowan has joined #openstack-keystone18:33
*** mvkr has joined #openstack-keystone18:56
*** pcaruana has quit IRC19:08
*** erus_ has quit IRC19:34
*** erus has quit IRC19:43
*** erus has joined #openstack-keystone19:44
*** itlinux has joined #openstack-keystone19:51
*** erus_ has joined #openstack-keystone19:53
*** itlinux has quit IRC20:04
openstackgerritCorey Bryant proposed openstack/keystone master: PY3: switch to using unicode text values  https://review.openstack.org/61119020:24
*** whoami-rajat has quit IRC20:40
erus_hello, are someone available? :) knikolla? o/20:43
knikollaerus_: o/ i'm here21:00
*** bzhao__ has quit IRC21:11
*** jroll has quit IRC21:11
*** jroll has joined #openstack-keystone21:12
*** trident has quit IRC21:13
*** trident has joined #openstack-keystone21:16
erus_hi knikolla how are you?21:17
erus_I broke everything with the authentication :D21:18
erus_so good!21:18
erus_the last thing that I had was duplicate PVs :P21:18
erus_don't know how I got there21:20
erus_I set up everything from scratch and now I am trying mellon21:21
erus_we'll see21:21
*** xek has quit IRC21:28
*** _KaszpiR_ has left #openstack-keystone21:48
*** imacdonn has quit IRC22:06
*** imacdonn has joined #openstack-keystone22:06
erus_well I got stuck haha let me know if you are available :D22:09
erus_I'm having 2 differents errors when trying to run openstack token issue22:11
erus_the first one: __init__() got an unexpected keyword argument 'user_domain_id'22:11
erus_the second: SSL exception connecting to https://sp.keystone.test.org/idendity/v3/OS-FEDERATION/identity_providers/samlidp/protocols/saml2/auth: HTTPSConnectionPool(host='sp.keystone.test.org', port=443): Max retries exceeded with url: /idendity/v3/OS-FEDERATION/identity_providers/samlidp/protocols/saml2/auth (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', 'ssl3_get_record',22:11
erus_'wrong version number')],)",),))22:12
erus_knikolla don't remember your timezone :)22:12
erus_I'll be here for maybe 3-4 hours22:12
knikollaerus: walking home now, give me about 20 minutes and I’ll be back to help. I’m on EST.22:13
erus_knikolla ok thanks :D22:14
knikollaerus_: alright, let’s look into this :)22:27
erus_hi hi22:27
erus_:D22:27
erus_well22:27
erus_with shibboleth as I said I broke everything22:28
erus_so I started from scratch22:28
erus_and tried to set up mellon22:28
erus_and did everything following the docs, but when doing the env variable export and then tring to run openstack token issue I got that errors22:29
erus_trying*22:29
knikollaYou’re trying keystone to keystone federation?22:30
knikollaOr federating with samltest22:30
erus_with samltest22:30
erus_using mellon instead of shib22:31
erus_because with shib I had to downgrade libcurl :/22:31
*** rcernin has joined #openstack-keystone22:31
erus_have*22:31
knikollaerus_: can you paste the environment variables that you exported into paste.openstack.org and send me a link22:32
knikollaClear out anything sensitive22:33
knikollaAs that link will be public.22:33
erus_ok, do you have a pad?22:33
erus_maybe could work too22:33
knikollaYou mean etherpad?22:35
erus_http://paste.openstack.org/show/742360/22:36
erus_yes etherpad or another one that you use22:37
knikollaSo, you have a devstack installation, right?22:37
erus_yes22:39
knikollaWhere is it running on?22:39
erus_ubuntu 18.0422:39
knikollaIs it a vm on your machine, a vm on a cloud?22:39
erus_a vm on my machine22:39
knikollaDoes it have a desktop environment?22:40
erus_no22:40
knikollaYou’re running the commands from your machine or the vm?22:40
erus_I access through ssh to the vm22:40
knikollaOk, cool.22:41
knikollaSo in that case, change auth_url to be localhost22:41
knikollaBecause it’s not really sp.keystone.test.org22:41
erus_yes I have doubt with it, do you want to see my configs?22:42
erus_well I'll try localhost first22:42
erus_export OS_AUTH_URL = localhost/identity/v3 or just localhost?22:43
knikollahttp://localhost/identity/v322:43
erus_ok thanks I'll try that22:43
erus_Internal Server Error (HTTP 500)22:44
knikollaDo it with `--debug`22:44
knikollaTo see at which step it fails22:44
knikollaThere’s going to be a loooot of text22:44
knikollaIf you can’t make sense of it just do another paste.openstack.org and I’ll look into it.22:45
erus_yes it's a lot of text haha22:47
*** itlinux has joined #openstack-keystone22:47
erus_http://paste.openstack.org/show/742362/22:47
knikollaCan you look into the keystone logs?22:49
erus_there is nothing22:50
erus_the last log was22:50
erus_Jan 14 19:20:49 u-stack devstack@keystone.service[9084]: [pid: 9087|app: 0|req: 19/38] 192.168.122.141 () {60 vars in 1301 bytes} [Mon Jan 14 19:20:49 2019] GET /identity/v3/users/c227eb56457644d0a781f2ff06414f8e/projects => generated 1027 bytes in 52 msecs (HTTP/1.1 200) 5 headers in 178 bytes (1 switches on core 0)22:50
erus_30 minutes ago22:50
knikollaBut we just got a 500, there must be a 500 error in there.22:51
erus_but it's not22:53
erus_I'm running journalctl -f -a --unit devstack@keystone22:53
knikollaTry the call again while you have a separate tab on journalctl22:58
*** mchlumsky has quit IRC23:03
erus_I already did that23:04
knikollaHmm... then look in the apache logs23:04
erus_The request you have made requires authentication. (HTTP 401) (Request-ID: req-e28abffd-3adb-4181-8719-65dab2df5945)23:06
erus_I change some settings and now says that23:06
knikollaLeave the settings how they were23:07
knikollaAnd look at the apache logs23:07
knikollaThere might be some misconfiguration with apache mellon23:07
knikollaAnd the call not going to keystone at all, hence there being nothing in the keystone logs23:07
erus_Jan 14 19:20:17 u-stack apachectl[11382]: AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message that was the last log when I run openstack token issue23:08
knikollaThat wouldn’t cause it.23:08
erus_I had apache and keystone logso open at the same time23:08
erus_the change that I made was that I wasn't declared <VirtualHost> tag in keyston.conf vhost23:09
erus_keystone*23:10
knikollaShow me the keystone.conf23:10
knikollaJust put it in another paste23:10
erus_http://paste.openstack.org/show/742365/23:11
erus_yep23:11
erus_the only new there is the VirtualHost tag23:11
erus_that config is inside keystone-wsgi-public.conf in sites-available23:13
knikollaDid you create the files referenced there? Privatekeyfile, certfile, etc?23:14
erus_yes23:14
erus_I actually create the mellon dir23:14
erus_and run the script and then rename the files23:14
knikollaWhat is the ip of the vm?23:14
erus_192.168.122.14123:15
erus_and the endpoint is 192.168.122.141/identity23:15
knikollaCan you try to open http://192.168.122.141/identity from your browser in your machine23:15
knikollaYou should get the version information23:16
erus_yes it give a json23:16
knikollaCool23:16
erus_http://paste.openstack.org/show/742366/23:16
knikollaNow try to access from the browser, http://192.168.122.141/identity/v3/OS-FEDERATION/identity_providers/samlidp/protocols/saml2/auth23:16
knikollaIdeally, this should redirect you to samlidp23:17
knikollaWhat we’re encountering is that it’s giving you a 50023:17
erus_error23:17
erus_code 40123:17
erus_message "The request you have made requires authentication."23:17
erus_title "Unauthorized"23:17
knikollaRemove the virtualhost part, I guess.23:17
erus_yes without the virtualhost it give me a 50023:18
knikollaWhat is happening is that mellon is not being triggered, hence you’re going to keystone without doing being authenticated through samlidp23:18
erus_I removed the virtualhost part23:19
knikollaThat is what the <Location> tag does, it Require(s) a valid-user and the AuthType is Mellon23:19
knikollaTherefore when you hit that path, Mellon is triggered23:19
knikollaRedirecting you to samlidp23:20
knikollaWhere you authenticate, and then come back23:20
knikollaAnd then keystone lets you in23:20
erus_ok ok23:20
knikolla:)23:20
knikollaSo we need to hunt down what is throwing a 500, and fix that23:21
knikollaRestarting apache works?23:22
erus_yep :D23:23
knikollaPlease remind me what timezone are you in23:25
erus_UTC-323:25
erus_xD23:25
knikollaWhat time will you be available tomorrow to continue debugging?23:26
knikollaI gotta log off now23:26
*** raildo has quit IRC23:28
erus_maybe 9?23:30
erus_I have to go too23:30
knikollaam? pm?23:30
erus_am23:30
knikolla9am what timezone?23:31
erus_UTC-3? haha23:31
erus_it's 12 UTC23:31
knikollaThat makes it 7am here, sure, that works.23:32
erus_ohh haha right, it's ok for you?23:32
erus_I could later if you want :)23:32
erus_if you prefer that23:33
knikollaYeah, I generally try to be awake by that time.23:33
knikollaNot always successful, lol23:33
erus_haha I can't awake at that time23:34
*** erus_ has quit IRC23:41
*** markvoelker has joined #openstack-keystone23:58
« Sunday, 2019-01-13 Index Tuesday, 2019-01-15 »

Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!