Monday, 2019-08-12

*** jamesmcarthur has joined #openstack-keystone		00:45
*** jamesmcarthur has quit IRC		01:13
*** jamesmcarthur has joined #openstack-keystone		01:20
*** cmorpheus is now known as cmurphy		01:24
*** jamesmcarthur has quit IRC		01:30
openstackgerrit	Colleen Murphy proposed openstack/keystone master: [WIP] Add immutable resource option for roles https://review.opendev.org/666739	01:49
openstackgerrit	Colleen Murphy proposed openstack/keystone master: Add --immutable-roles flag to bootstrap command https://review.opendev.org/675228	01:49
openstackgerrit	Colleen Murphy proposed openstack/keystone master: Add immutable roles status check https://review.opendev.org/675509	01:49
*** jamesmcarthur has joined #openstack-keystone		02:12
openstackgerrit	Colleen Murphy proposed openstack/keystone master: Add protection tests for trusts API https://review.opendev.org/675720	02:31
*** jamesmcarthur has quit IRC		02:38
*** jamesmcarthur has joined #openstack-keystone		02:47
*** mordred has quit IRC		02:48
*** mordred has joined #openstack-keystone		02:48
*** jamesmcarthur has quit IRC		02:56
*** jamesmcarthur has joined #openstack-keystone		02:59
*** jamesmcarthur has quit IRC		03:25
openstackgerrit	Colleen Murphy proposed openstack/keystone master: [WIP] Move hardcoded trust enforcement to default policies https://review.opendev.org/675807	04:15
cmurphy	kmalloc: beekneemech interested in your thoughts on ^ on monday	04:15
openstackgerrit	Colleen Murphy proposed openstack/keystone master: [WIP] Add immutable resource option for roles https://review.opendev.org/666739	04:19
openstackgerrit	Colleen Murphy proposed openstack/keystone master: Add --immutable-roles flag to bootstrap command https://review.opendev.org/675228	04:19
openstackgerrit	Colleen Murphy proposed openstack/keystone master: Add immutable roles status check https://review.opendev.org/675509	04:19
openstackgerrit	Merged openstack/keystone master: Add API changes for app cred access rules https://review.opendev.org/628168	04:36
*** pcaruana has joined #openstack-keystone		05:29
*** pcaruana has quit IRC		05:37
*** jamesmcarthur has joined #openstack-keystone		05:47
*** pcaruana has joined #openstack-keystone		05:50
*** dancn has joined #openstack-keystone		05:51
*** jamesmcarthur has quit IRC		06:03
*** jamesmcarthur has joined #openstack-keystone		06:06
*** jamesmcarthur has quit IRC		06:21
*** markvoelker has joined #openstack-keystone		06:31
*** markvoelker has quit IRC		06:36
*** jamesmcarthur has joined #openstack-keystone		06:45
*** jamesmcarthur_ has joined #openstack-keystone		06:51
*** jamesmcarthur_ has quit IRC		06:53
*** jamesmcarthur_ has joined #openstack-keystone		06:53
*** jamesmcarthur_ has quit IRC		06:53
*** jamesmcarthur_ has joined #openstack-keystone		06:54
*** jamesmcarthur has quit IRC		06:54
*** jamesmcarthur_ has quit IRC		07:04
*** jamesmcarthur has joined #openstack-keystone		07:05
*** ivve has joined #openstack-keystone		07:05
*** jamesmcarthur has quit IRC		07:10
*** rcernin has quit IRC		07:13
*** tesseract has joined #openstack-keystone		07:14
openstackgerrit	Merged openstack/keystone master: Update api-ref for revocation list OS-PKI https://review.opendev.org/675296	07:53
*** tesseract has quit IRC		08:42
*** dancn has quit IRC		08:42
*** irclogbot_1 has quit IRC		08:42
*** hogepodge has quit IRC		08:42
*** mordred has quit IRC		08:42
*** dancn has joined #openstack-keystone		08:42
*** mordred has joined #openstack-keystone		08:43
*** tesseract has joined #openstack-keystone		08:43
*** openstackgerrit has quit IRC		08:45
*** irclogbot_1 has joined #openstack-keystone		08:47
*** irclogbot_1 has quit IRC		08:49
*** irclogbot_1 has joined #openstack-keystone		08:52
*** jaosorior has joined #openstack-keystone		09:07
*** mvkr has joined #openstack-keystone		09:47
*** xek has joined #openstack-keystone		09:57
*** markvoelker has joined #openstack-keystone		10:09
*** markvoelker has quit IRC		10:14
*** pcaruana has quit IRC		10:43
*** pcaruana has joined #openstack-keystone		10:43
*** jaosorior has quit IRC		10:54
*** whoami-rajat has joined #openstack-keystone		11:08
*** openstackgerrit has joined #openstack-keystone		11:32
openstackgerrit	Jens Harbott (frickler) proposed openstack/python-keystoneclient master: Stop using an admin endpoint by default https://review.opendev.org/675870	11:32
frickler	cmurphy: kmalloc: ^^ that's what it would take to make heat work in my devstack patch, but the tests blow up awfully and I'm unsure about backwards compatibility, pls let me know what you think	11:34
frickler	see also https://review.opendev.org/675778	11:35
*** raildo has joined #openstack-keystone		11:48
*** jaosorior has joined #openstack-keystone		12:03
*** pas-ha has quit IRC		12:13
*** pas-ha has joined #openstack-keystone		12:14
*** aprice has quit IRC		12:14
*** aprice has joined #openstack-keystone		12:14
*** markvoelker has joined #openstack-keystone		12:28
*** jroll has quit IRC		13:01
*** jroll has joined #openstack-keystone		13:02
*** frickler has quit IRC		13:18
*** mchlumsky has joined #openstack-keystone		13:25
*** mchlumsky has quit IRC		13:52
*** mchlumsky has joined #openstack-keystone		13:53
*** beekneemech is now known as bnemec		13:54
*** atmark has joined #openstack-keystone		14:00
openstackgerrit	Colleen Murphy proposed openstack/keystone master: Add immutable roles status check https://review.opendev.org/675509	14:18
*** dancn has quit IRC		14:26
*** dancn has joined #openstack-keystone		14:32
openstackgerrit	Merged openstack/oslo.policy master: Move doc related modules to doc/requirements.txt https://review.opendev.org/669427	14:42
openstackgerrit	Radosław Piliszek proposed openstack/keystone master: Honor group_members_are_ids for user_enabled_emulation https://review.opendev.org/674782	14:43
yoctozepto	finally found time to dig into keystone's unit tests ^	14:43
*** petitbois has joined #openstack-keystone		14:53
petitbois	hey all -- not sure of the right place to ask this but i am having trouble authenticating my keystone object in python. I'd like to grab a user name from a user ID. Here's what I've got: http://paste.openstack.org/show/756341/	14:53
cmurphy	thanks yoctozepto	15:11
cmurphy	petitbois: answered in -dev	15:11
yoctozepto	cmurphy: yw; you had some doubts on the mailing list iirc - is everything clear now?	15:13
cmurphy	yoctozepto: i still have some doubts, that ldap code is pretty dense and it's not clear to me how we didn't see this problem before, i'll probably be relying on people like raildo and gyee to help verify it	15:16
yoctozepto	cmurphy: yeah, the code could use some cleanup, hence sprinkled TODOs	15:19
yoctozepto	though I have yet to see ldap-facing code that I could describe as 'clean'	15:20
yoctozepto	could be this old technology was not meant to ever be interfaced 'cleanly' :-)	15:20
*** dave-mccowan has joined #openstack-keystone		15:20
raildo	cmurphy, ack, I'll review it util eod	15:21
cmurphy	thanks raildo	15:21
mnaser	so i'm having fun with ldap recently.	15:22
yoctozepto	mnaser: "fun" you mean	15:22
mnaser	right	15:24
mnaser	for some reason keystone is not getting any records back and i'm wondering if its because its requesting users that have "userPassword" attribute	15:24
mnaser	and this LDAP server does not supply it	15:24
yoctozepto	mnaser: run debugging to see the queries, helped me	15:26
mnaser	gah	15:27
mnaser	of course	15:27
mnaser	"dn: CN=XXXX,OU=Users,OU=$LOCATION,DC=$CORP,DC=com"	15:27
mnaser	why would they not do CN=XXX,OU=$LOCATION,OU=USERS,DC=$CORP,DC=com	15:28
* mnaser shrugs		15:28
mnaser	i wonder if that was it the whole time i'm ashamed :<	15:28
yoctozepto	mnaser: change user root dn	15:29
mnaser	yeah, i think that was it, i thought it was like some sort of tagged system	15:29
mnaser	so i had it saying like	15:29
yoctozepto	there is a lot of magic in this ldap code	15:29
mnaser	OU=Users,DC=$CORP,DC=com	15:29
mnaser	i think it might have done it	15:29
yoctozepto	not to mention string interpolation domination	15:29
yoctozepto	which makes it hard to read and search through	15:29
mnaser	great now i dont have access to the server that it gets referred to	15:31
mnaser	`ldap_chase_v3referrals` seems to run	15:31
mnaser	https://bugs.launchpad.net/keystone/+bug/1233365 hrmmm	15:32
openstack	Launchpad bug 1233365 in OpenStack Identity (keystone) "LDAP backend fails when connecting to Active Directory root DN" [High,Fix released] - Assigned to Dolph Mathews (dolph)	15:32
yoctozepto	mnaser: almost 6 years since that	15:36
mnaser	yoctozepto: doing an ldapsearch seems to give me all the users from ldap with same filter that keystone uses, but user list shows 4..	15:37
mnaser	result: 4 Size limit exceeded	15:37
mnaser	oh hm	15:37
mnaser	so i take the exact filterstr and attrs in ldapsearch on the same server	15:45
mnaser	and it returns a result	15:45
mnaser	but keystone ldap debug => "ld 0x38d2aa0 response count 0"	15:45
mnaser	base=DC=<corp>,DC=com scope=1 filterstr=(&(&(sAMAccountName=<user>))(objectClass=organizationalPerson)(employeeID=*)) attrs=['employeeID', 'enabled', 'sAMAccountName', 'mail', 'userPassword', 'cn']	15:46
mnaser	ldapsearch -x -b "dc=<corp>,dc=com" -D "<snip>" -H ldaps://<snip>:636 -W "(&(&(sAMAccountName=<user>))(objectClass=organizationalPerson)(employeeID=*))" employeeID enabled sAMAccountName mail userPassword cn	15:47
mnaser	the manual ldapsearch returns a result :<	15:47
*** petitbois has quit IRC		15:49
yoctozepto	mnaser: scope=1 is single level	15:51
yoctozepto	ldapsearch probably did scope=2	15:51
yoctozepto	for subtree	15:52
yoctozepto	it is configurable in keystone	15:52
*** dancn has quit IRC		15:52
mnaser	yoctozepto: yes indeed, darn ok let me try it out	15:54
*** gyee has joined #openstack-keystone		15:54
*** dave-mccowan has quit IRC		15:56
*** dtruong has quit IRC		15:59
*** problem_v has joined #openstack-keystone		16:00
*** dtruong has joined #openstack-keystone		16:00
kmalloc	yoctozepto, mnaser: you can blame ayoung for most of the LDAP code ;). It's aweful to deal with (not adam's fault, but LDAP in python is gross...wait...strike "python" from that statement)	16:34
*** dklyle_ is now known as dklyle		16:34
yoctozepto	kmalloc: yeah, it's gross anywhere you go, it lacks modern approach in libs	16:36
kmalloc	yoctozepto: well pyldap is actually pretty good, but since we lean on python-ldap and ldappool...it's not so easy to convert	16:38
kmalloc	or wait was it not pyldap, it was ldap3... that was the lib	16:39
kmalloc	pyldap was the fork =/	16:39
kmalloc	ldap3 is pretty darn good	16:39
yoctozepto	kmalloc: never tried anyway, my ldap journey was mostly with ldapjs in node.js and it was clumsy	16:39
kmalloc	yoctozepto: i find a lot of <talk some protocol that isn't HTTP(ish)> in node/javascript is clumsy at best	16:40
openstackgerrit	Colleen Murphy proposed openstack/keystone master: Move list_trusts enforcement to default policies https://review.opendev.org/675807	16:40
yoctozepto	kmalloc: nah, database access is pretty good (think sql/redis/mongodb/other-nosql-but-still-noldap-friends)	16:40
*** ivve has quit IRC		17:27
*** whoami-rajat has quit IRC		17:38
*** jamesmcarthur has joined #openstack-keystone		17:53
*** atmark has quit IRC		17:59
*** atmark has joined #openstack-keystone		18:00
*** markvoelker has quit IRC		18:13
*** markvoelker has joined #openstack-keystone		18:20
*** dancn has joined #openstack-keystone		18:24
*** rafaelweingartne has joined #openstack-keystone		18:27
rafaelweingartne	Hello Guys, I am creating a Keystone python client using: "ks_client_v3.Client(session=session, trust_id=trust_id,....."Is it possible to use this client to generate tokens on the fly? Something similar to "openstack token issue"	18:28
*** jamesmcarthur has quit IRC		18:30
openstackgerrit	Alex Schultz proposed openstack/keystoneauth master: Cleanup session on delete https://review.opendev.org/674139	18:31
*** jamesmcarthur has joined #openstack-keystone		18:32
*** jamesmcarthur has quit IRC		18:34
*** jamesmcarthur has joined #openstack-keystone		18:34
kmalloc	rafaelweingartne: are you trying to generate tokens that are extracted and used by a non-python application or something wrapped around keystoneclient?	18:35
rafaelweingartne	I want to use by a python application	18:36
kmalloc	rafaelweingartne: if you are looking for something wrapped around keystoneclient, I recommend using keystonauth instead (works like requests): https://docs.openstack.org/keystoneauth/latest/using-sessions.html	18:36
rafaelweingartne	it is something I am creating for ceilometer	18:36
kmalloc	rafaelweingartne: keystoneauth offloads a lot of the work for you and works just like requests and handles token creation/renewal/etc	18:36
rafaelweingartne	I do not actually want a wrapper, I would like to execute the raw HTTP request with a token	18:36
kmalloc	right. keystoneauth allows you to work just like requests does and handles openstack specific discovery/catalog parsing if you want	18:38
kmalloc	keystoneauth is what openstack client and most other *-client libraries use.	18:38
kmalloc	and what the SDK uses to implement access to openstack services	18:38
rafaelweingartne	hmm	18:38
rafaelweingartne	I am not sure I follow	18:38
kmalloc	keystoneauth is a library that is based on python requests.	18:38
rafaelweingartne	I mean, I will need to generate an HTTP request programmatically, and for that, I would need a token	18:39
kmalloc	we bake into it's session code authentication (most forms), etc.	18:39
*** markvoelker has quit IRC		18:39
rafaelweingartne	I do have the keystone client, but I am not sure how to use it to issue a token that I can use in the header of my HTTP request	18:39
kmalloc	ok, lets step back.	18:39
rafaelweingartne	Sure	18:40
kmalloc	you're writing a python app that communicates with openstack services (ceilometer)? and what does it use to issue the requests to http?	18:40
kmalloc	httplib? raw socket? curl (popen), python-requests?	18:40
*** markvoelker has joined #openstack-keystone		18:40
rafaelweingartne	httplib	18:41
kmalloc	ok. i highly recommend using python-requests if you can over straight httplib.	18:41
kmalloc	it is, frankly, more feature complete	18:41
kmalloc	and is generally super easy to use in comparison	18:42
rafaelweingartne	is python requests the one you get when importing "requests"?	18:42
kmalloc	yes	18:42
rafaelweingartne	so, I am using the latter	18:42
rafaelweingartne	sorry for the confusion	18:42
kmalloc	no worries :)	18:42
kmalloc	if you're using requests, keystoneauth implements all the auth workflow on top of requests and is a potential drop in replacement	18:42
rafaelweingartne	hmm	18:42
kmalloc	https://docs.openstack.org/keystoneauth/latest/using-sessions.html you create a session (which is really a requests object with extra openstack logic)	18:43
kmalloc	and can either pass it to a current client (e.g. ceilometer-client) or you can make direct http calls via session.get() etc	18:44
kmalloc	see https://docs.openstack.org/keystoneauth/latest/using-sessions.html#service-discovery	18:44
kmalloc	as an example where you say "talk to identity and call /users"	18:44
rafaelweingartne	ok, let me see if I understood	18:44
kmalloc	it parses the catalog returned and allows working with the token (and handles adding the x-auth header) when communicating to the endpoint of your choice	18:45
kmalloc	we created keystoneauth as a low-ish level library to offload the headache of auth in openstack, and we have plugins for most forms of auth (all new auth types end up with a plugin eventually)	18:45
*** frickler has joined #openstack-keystone		18:48
rafaelweingartne	So, I just need to get the session and then issue the command "session_object.get("URL of the service I want to execute an HTTP GET request to")"?	18:49
kmalloc	pretty much. it can either handle /parse from the token's catalog, or you can use it just like requests and pass a complete url.	18:50
kmalloc	though if it's a known endpoint, i recommend using the discovery bits, it helps offload needing to know apriori two bits of data (the auth endpoint and the service endpoint)	18:50
kmalloc	if you look at that link (the sessions one) it's pretty comprehensive on the forms you can use.	18:51
kmalloc	and like i said, it's how openstack client, openstack SDK, and most other tools talk to openstack services.	18:51
rafaelweingartne	that is cool	18:51
rafaelweingartne	thanks!!	18:51
kmalloc	heck yeah :)	18:52
kmalloc	it's why we created the lib. saves lots of re-implemetation	18:52
kmalloc	and it is something we heavily test	18:52
kmalloc	also, note keystoneauth's API contract is extremely strict.	18:52
kmalloc	barring a security reason, we will not break your use, even if it's unintended use of the lib	18:52
kmalloc	basically, if we change out (even across major versions) behavior, we are wrong and i've reverted changes to ensure consistency	18:53
rafaelweingartne	is the response a "response" object?	18:53
rafaelweingartne	or is it just the response body	18:53
kmalloc	yes, it should be a requests response objecty	18:53
kmalloc	object*	18:53
rafaelweingartne	thanks	18:54
kmalloc	sure thing	18:54
*** ivve has joined #openstack-keystone		18:58
rafaelweingartne	Dure, it works!	19:02
rafaelweingartne	dude*	19:02
rafaelweingartne	Awesome	19:02
*** jamesmcarthur has quit IRC		19:08
*** rafaelweingartne has quit IRC		19:09
kmalloc	rafaelweingartne: glad it made your life easier!	19:09
openstackgerrit	Colleen Murphy proposed openstack/keystone master: Move list_trusts enforcement to default policies https://review.opendev.org/675807	19:29
*** tesseract has quit IRC		19:32
*** dave-mccowan has joined #openstack-keystone		19:54
*** raildo has quit IRC		20:52
*** pcaruana has quit IRC		20:56
*** xek has quit IRC		21:02
*** markvoelker has quit IRC		21:24
cmurphy	kmalloc: could i get you to look at https://review.opendev.org/675807 before i keep going on the trust policies	21:51
kmalloc	looking	21:52
kmalloc	cmurphy: i think i see one bug	22:03
*** markvoelker has joined #openstack-keystone		22:03
kmalloc	cmurphy: it mostly looks ok	22:03
cmurphy	kmalloc: good catch	22:05
*** lbragstad has joined #openstack-keystone		22:09
*** vishwanathj has quit IRC		22:10
*** mchlumsky has quit IRC		22:14
*** lbragstad has quit IRC		22:17
*** dancn has quit IRC		22:25
*** dancn has joined #openstack-keystone		22:30
*** ivve has quit IRC		22:33
*** markvoelker has quit IRC		22:35
*** hoonetorg has quit IRC		22:48
*** hoonetorg has joined #openstack-keystone		22:50
*** hoonetorg has quit IRC		22:57
*** vishwanathj has joined #openstack-keystone		22:58
openstackgerrit	Colleen Murphy proposed openstack/keystone master: Add protection tests for trusts API https://review.opendev.org/675720	22:58
openstackgerrit	Colleen Murphy proposed openstack/keystone master: Move list_trusts enforcement to default policies https://review.opendev.org/675807	22:58
*** dancn has quit IRC		23:00
*** markvoelker has joined #openstack-keystone		23:00
*** hoonetorg has joined #openstack-keystone		23:01
*** vishwanathj has quit IRC		23:03
*** markvoelker has quit IRC		23:05
*** rcernin has joined #openstack-keystone		23:11
*** dave-mccowan has quit IRC		23:17
*** markvoelker has joined #openstack-keystone		23:18
*** dave-mccowan has joined #openstack-keystone		23:37

Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!