Friday, 2019-02-08

00:11 *** markvoelker has quit IRC
00:17 <lbragstad> kmalloc so - about the approach i just tried
00:19 <lbragstad> if each token has a hash of the private key used to sign it - that doesn't really help the keystone node that has to verify the token signature
00:20 <lbragstad> hashes are one-way
00:20 <lbragstad> so if i have a hash of a private key - how do you find the corresponding public key from that hash?
00:20 <lbragstad> without iterating each public key and trying the signatures until you find one that works?
00:21 <lbragstad> and then learning the mapping
00:48 *** ileixe has joined #openstack-keystone
00:50 *** ayoung has joined #openstack-keystone
00:50 <ayoung> https://python-social-auth-docs.readthedocs.io/en/latest/
01:09 *** markvoelker has joined #openstack-keystone
01:24 <lbragstad> huh - interesting
01:24 <lbragstad> i'll have to read that tomorrow
01:41 *** markvoelker has quit IRC
01:43 *** Dinesh_Bhor has joined #openstack-keystone
02:13 <kmalloc> lbragstad: store it in a dict
02:13 <kmalloc> lbragstad: hash -
02:14 <kmalloc> > key_data in memory
02:14 <kmalloc> keystone tracks that data internally and encodes that in the token.
02:14 <kmalloc> in the case of asym crypto, you use the fingerprint method for the keypair
02:15 <kmalloc> hashes are one way, we hash it and store the value in keystone, we then embed that in the token
02:15 <kmalloc> keystone can look up the private data from the hashed value since it's in memory
02:16 <kmalloc> lbragstad: Fingerprints are created by applying a cryptographic hash function to a public key. Since fingerprints are shorter than the keys they refer to, they can be used to simplify certain key management tasks. In Microsoft software, "thumbprint" is used instead of "fingerprint".
02:17 <kmalloc> anyway... we can make this work.
02:17  * kmalloc has to run off to dinner.
02:38 *** markvoelker has joined #openstack-keystone
03:12 *** markvoelker has quit IRC
03:43 *** vishakha has joined #openstack-keystone
04:09 *** markvoelker has joined #openstack-keystone
04:17 <eandersson> lbragstad, is there a change to id_mapping?
04:17 <eandersson> We are seeing id_mapping's happening under the user table instead now
04:24 *** whoami-rajat has joined #openstack-keystone
04:35 *** lbragstad has quit IRC
04:41 *** markvoelker has quit IRC
05:36 *** gyee has quit IRC
05:38 *** markvoelker has joined #openstack-keystone
06:12 *** markvoelker has quit IRC
06:57 *** Dinesh_Bhor has quit IRC
07:03 *** Dinesh_Bhor has joined #openstack-keystone
07:09 *** markvoelker has joined #openstack-keystone
07:23 *** pcaruana has joined #openstack-keystone
07:41 *** markvoelker has quit IRC
08:00 *** takamatsu has joined #openstack-keystone
08:09 *** awalende has joined #openstack-keystone
08:12 *** Emine has joined #openstack-keystone
08:13 *** yan0s has joined #openstack-keystone
08:14 *** tkajinam has quit IRC
08:38 *** markvoelker has joined #openstack-keystone
08:45 *** xek has joined #openstack-keystone
08:51 *** yan0s has quit IRC
09:05 *** Emine has quit IRC
09:12 *** markvoelker has quit IRC
09:14 *** whoami-rajat has quit IRC
09:17 *** yan0s has joined #openstack-keystone
09:28 *** whoami-rajat has joined #openstack-keystone
09:47 *** ygk_12345 has joined #openstack-keystone
09:48 <ygk_12345> hi all
09:54 *** david-lyle has joined #openstack-keystone
09:57 *** dklyle has quit IRC
10:02 *** vishakha has quit IRC
10:10 *** markvoelker has joined #openstack-keystone
10:11 *** vishakha has joined #openstack-keystone
10:16 <ygk_12345> can anyone help me with ldap domains please
10:16 <ygk_12345> i am trying to add users to ldap projects, but it is not working
10:21 *** Dinesh_Bhor has quit IRC
10:42 *** markvoelker has quit IRC
10:42 *** erus1 has quit IRC
10:42 *** erus1 has joined #openstack-keystone
11:02 *** Emine has joined #openstack-keystone
11:05 *** ygk_12345 has quit IRC
11:20 *** takamatsu_ has joined #openstack-keystone
11:20 *** ileixe has quit IRC
11:20 *** takamatsu has quit IRC
11:39 *** markvoelker has joined #openstack-keystone
11:51 *** Emine has quit IRC
12:12 *** markvoelker has quit IRC
12:13 *** raildo has joined #openstack-keystone
12:13 *** erus1 has quit IRC
12:14 *** erus1 has joined #openstack-keystone
12:24 *** whoami-rajat has quit IRC
12:44 *** whoami-rajat has joined #openstack-keystone
12:47 *** Emine has joined #openstack-keystone
13:09 *** markvoelker has joined #openstack-keystone
13:18 *** gary_perkins has quit IRC
13:18 *** obre has quit IRC
13:18 *** obre has joined #openstack-keystone
13:19 *** gary_perkins has joined #openstack-keystone
13:19 *** erus1 has quit IRC
13:21 *** erus1 has joined #openstack-keystone
13:32 *** vishakha has quit IRC
13:42 *** markvoelker has quit IRC
14:24 *** awalende has quit IRC
14:25 *** TheJulia is now known as needssleep
14:25 *** awalende has joined #openstack-keystone
14:29 *** awalende has quit IRC
14:29 *** dave-mccowan has joined #openstack-keystone
14:31 *** lbragstad has joined #openstack-keystone
14:31 *** ChanServ sets mode: +o lbragstad
14:34 <lbragstad> kmalloc ok - so jws would need to rely on fingerprints and fernet would have to rely on hashes
14:39 *** markvoelker has joined #openstack-keystone
14:41 <kmalloc> lbragstad: yes
14:44 *** mchlumsky has joined #openstack-keystone
14:52 *** raildo has quit IRC
14:55 *** gary_perkins has quit IRC
14:56 *** gary_perkins has joined #openstack-keystone
14:56 *** gary_perkins has quit IRC
14:56 *** gary_perkins has joined #openstack-keystone
15:00 *** raildo has joined #openstack-keystone
15:04 *** whoami-rajat has quit IRC
15:05 *** Emine has quit IRC
15:12 *** markvoelker has quit IRC
15:31 *** whoami-rajat has joined #openstack-keystone
15:31 *** pcaruana has quit IRC
15:52 *** Emine has joined #openstack-keystone
16:09 *** markvoelker has joined #openstack-keystone
16:09 *** erus1 has quit IRC
16:10 *** erus1 has joined #openstack-keystone
16:38 *** gyee has joined #openstack-keystone
16:43 *** markvoelker has quit IRC
16:53 *** ileixe has joined #openstack-keystone
17:03 *** Emine has quit IRC
17:09 <lbragstad> ok - i'm playing around with something similar to pyinotify, just because i'm curious
17:09 <lbragstad> i have it set up to reload keys if the repository directories change
17:10 <lbragstad> and i'm not noticing any real performance difference between caching the private key and not caching it
17:10 <lbragstad> but - it's also a single key, and not multiple
17:10 <lbragstad> so it might not be that big of a performance hit to load that key every time in favor of keeping the code simpler
17:11 <lbragstad> but - i'm going to try with a bunch of public keys and see how that affects token validation
17:36 <lbragstad> ok - from what i can tell, key caching isn't making as much of a difference as what i was expecting
17:37 *** yan0s has quit IRC
17:37 <lbragstad> if i put 100+ public keys in the repository and disable all caching (because we want to test exercising the entire validation path for timing)
17:37 <lbragstad> token validation time is about 2.0 - 1.8 seconds
17:37 *** opetrenko has quit IRC
17:38 <lbragstad> if i cache all the keys in process, token validation time goes to about 1.8 seconds, with the fastest being 1.6
17:38 <lbragstad> which is still quite a bit...
17:38 <lbragstad> but, i was expecting a read from disk to take longer?
17:39 <lbragstad> to put this in perspective, if i enable token caching (like we do by default) token validation takes 0.058s
17:40 *** Emine has joined #openstack-keystone
17:40 *** markvoelker has joined #openstack-keystone
17:46 <kmalloc> remember you have file system cache too
17:46 <kmalloc> pynotify and inotify-like is not guaranteed to work.
17:48 <kmalloc> i tend to prefer to not lock us into file-system specific code.
17:49 <kmalloc> i also think the brute-force mechanism of try-every-key is sub-wonderful.
17:51 <kmalloc> read from disk really depends on a lot of things. NFS can be a lot slower, iscsi delays (network), disk-cache, filesystem cache, io pressure on the disk itself.
17:51 <kmalloc> do a throughput test on the disk with the repo and then re-run the test, watch it be a lot slower.
18:02 <lbragstad> i was testing things out with https://pypi.org/project/watchdog/
18:03 <lbragstad> i'm not sure if knikolla could reuse that for the mutable config bits or now
18:03 <lbragstad> not*
18:03 <lbragstad> but i thought the file handler stuff was kind of nice
18:04 <lbragstad> you subclass a FileSystemEventHandler and specify what actions you want to take when certain things happen
18:06 <lbragstad> what i was playing with locally https://pasted.tech/pastes/d7e5363143bf44ddad8313a17beddca1a64907cc.raw
18:07 <lbragstad> i'll work on an implementation using the approach with fingerprints this afternoon
18:11 *** jmlowe has quit IRC
18:12 *** Emine has quit IRC
18:13 *** markvoelker has quit IRC
18:16 *** Emine has joined #openstack-keystone
18:34 *** whoami-rajat has quit IRC
18:38 *** Emine has quit IRC
18:44 <eandersson> Is it intended that the ldap provider now populates users and not id_mapping?
18:44 <eandersson> (or both)
18:55 *** Emine has joined #openstack-keystone
19:06 *** Emine has quit IRC
19:10 *** markvoelker has joined #openstack-keystone
19:35 <lbragstad> eandersson if you have users coming from ldap - they will appear in the non-local user table
19:36 <lbragstad> the local user table is specific to mysql users
19:36 <eandersson> interesting
19:36 <eandersson> I wonder why we are seeing ldap in user as well as non-local user table
19:37 <lbragstad> eandersson are you on master?
19:37 <eandersson> Rocky
19:37 <lbragstad> hm
19:37 <lbragstad> is it causing an issue or just trying to figure it ou?
19:37 <lbragstad> out*?
19:38 <eandersson> Well we have a globally replicated Keystone deployment
19:38 <eandersson> And this makes replication problematic :p
19:39 <eandersson> local_user vs. nonlocal_user is great for us
19:39 <lbragstad> oh - sure
19:39 <lbragstad> that makes sense
19:39 <eandersson> but users combining both not so much
19:39 *** ceryx has joined #openstack-keystone
19:40 <eandersson> the information in users is identical to nonlocal_users
19:40 <eandersson> only difference is that users has created_at date
19:40 <eandersson> (all other variables are NULL)
19:40 <lbragstad> because they're shadowed i assume
19:40 <lbragstad> the created_at date would be the time stamp of when that happened i would think
19:40 <eandersson> Yea
19:44 *** markvoelker has quit IRC
19:47 <eandersson> If we are replicating local_user is it safe to ignore users?
19:47 <eandersson> We obviously don't care about replicating ldap users
19:48 <eandersson> nvm don't think that is safe
19:49 <lbragstad> i want to say there is logic in keystone that factors in both
19:49 <lbragstad> i can take a poke at it once i wrap up a few things i'm working on
19:50 <lbragstad> i'll see if i can get devstack up and running with ldap
19:50 <eandersson> Thanks lbragstad
19:53  * kmalloc reads up
19:53 <kmalloc> eandersson: oh i think we did some weird things in regards to ldap in the past
19:53 <kmalloc> really ldap is a special case when it comes to the shadowing local and non-local
19:54 <eandersson> Yea - it was done in id_mapping before
19:54 <kmalloc> yep.
19:54 <eandersson> (Mitaka)
19:54 <kmalloc> we have been trying to move towards a local user object regardless of identity source
19:55 <kmalloc> i am not sure how far shadow things have gotten, it's on a long to-do to get a deep dive in to see what we need to do to fix all this stuff up
19:55 <kmalloc> it's very haphazard at the moment
20:21 *** trident has quit IRC
20:22 *** trident has joined #openstack-keystone
20:34 *** trident has quit IRC
20:35 *** trident has joined #openstack-keystone
20:40 *** markvoelker has joined #openstack-keystone
20:48 *** whoami-rajat has joined #openstack-keystone
20:50 *** dave-mccowan has quit IRC
20:53 *** dave-mccowan has joined #openstack-keystone
20:57 *** raildo has quit IRC
21:12 *** markvoelker has quit IRC
21:18 *** dave-mccowan has quit IRC
21:29 <lbragstad> well - by not using a for loop over public keys, token validation went from ~1.647363 seconds to ~0.008633 seconds with 100+ public keys (simulating a deployment with over 100 individual API servers)
21:38 <kmalloc> :)
21:38 *** erus1 has quit IRC
21:38 <kmalloc> that is a real improvement
21:38 *** erus1 has joined #openstack-keystone
21:41 <gyee> public keys? are we bringing back PKI token?
21:41 <lbragstad> nope
21:41 <lbragstad> well... jws tokens
21:42 <gyee> oic
21:45 <gyee> interesting, why not go all in on PKI then? we need a system to trust that public key anyway
21:45 <lbragstad> the idea of bringing pki tokens back has been brought up a few times
21:46 <kmalloc> JWS is essentially PKI tokens but we don't need to encode the entire payload still.
21:46 <gyee> not necessarily PKI token, but using a proper X.509 cert to convey that public key
21:46 <lbragstad> having the whole response in the token id was a bit of a deal breaker
21:46 <kmalloc> ^^
21:47 <gyee> no, you just need to have the unique id of the cert there
21:57 <lbragstad> actually - nevermind... my test failed, those numbers might not be accurate
22:00 <kmalloc> gyee: a fingerprint is sufficient as part of the payload.
22:00 <kmalloc> (this is not encrypted, this is signed)
22:06 <lbragstad> nevermind - i'm not seeing much of a performance difference
22:06 <lbragstad> token validation is just slow without caching i thin
22:06 <lbragstad> think*
22:10 *** markvoelker has joined #openstack-keystone
22:10 <lbragstad> i guess i'm just surprised that implementing an in-process cache doesn't have as much of an effect on performance as i was thinking
22:10 <lbragstad> i'm curious to hear if wxy-xiyuan has more details
22:11 <lbragstad> sounds like an internal team hit an issue iterating over all keys downstream
22:32 <kmalloc> lbragstad: do a harddisk performance test while running your test
22:33 <kmalloc> simulate load on the disks while running the validation test
22:34 <kmalloc> and yeah token caching off is slow
22:34 <kmalloc> known
22:41 <lbragstad> yeah
22:42 *** markvoelker has quit IRC
23:08 *** whoami-rajat has quit IRC

Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!