Tuesday, 2019-11-12

mordred: cmurphy: both look great to me [00:24]
cmurphy: mordred: yay ty [00:24]
openstackgerrit: pengyuesheng proposed openstack/oslo.policy master: Bump the openstackdocstheme extension to 1.20  https://review.opendev.org/688241 [09:08]
cmurphy: keystone team meeting in about 45 minutes (remember dst) [15:18]
lbragstad_: awalende_ did you get your policy stuff figured out? [15:20]
*** lbragstad_ is now known as lbragstad [15:20]
lbragstad: awalende_ with stable/stein - the admin user is given the admin role on the system and on the admin project [15:21]
lbragstad: the admin role implies the member and reader roles, so the user will have the reader role [15:21]
awalende_: Not really, because opt'ing in to the new system_scope rules in my policy.yaml breaks horizon in terms of "Admin" menu points, since everything is now forbidden when not using system scope. Also I get confused maintaining a keystone policy using scopes, while every other service does not [15:29]
awalende_: For instance I have to use a different rc file for keystone stuff with OS_SYSTEM_SCOPE=all and a different one when administrating every other service [15:30]
knikolla: o/ [15:47]
lbragstad: cmurphy was this discussed at the summit? http://lists.openstack.org/pipermail/openstack-discuss/2019-November/010706.html [16:49]
cmurphy: lbragstad: yes, the nova team's concern was with how to handle deprecations when we already expect the work may take >1 cycle [16:49]
lbragstad: sure [16:50]
lbragstad: sounds like everything is going to get proposed and then merged at once? [16:50]
cmurphy: we talked about some ways we could change oslo.policy to not emit deprecations but the long patch chain and merge everything at once was where we landed [16:51]
* bnemec is very curious to see how that works [16:52]
lbragstad: same... i imagine it's going to cause rebase hell, but i'm not sure i have a viable alternative... [16:52]
bnemec: But as it is the option that requires nothing from me, I'm +1. :-D [16:52]
cmurphy: we'll have to experiment and see, i think if the changes are mostly to the policy modules and less to the api code then there may not be a lot of code churn and it may not be that bad [16:53]
bnemec: We discussed the possibility of hiding the deprecations behind a flag and adding a job that set the flag to true for testing. [16:53]
bnemec: That way all the deprecations could be easily turned on at once when they were all in place. [16:54]
bnemec: But the patch series of doom has the lowest barrier to entry so it's a good place to start. [16:55]
openstackgerrit: Gage Hugo proposed openstack/keystone master: [WIP] Try to recreate 1843464  https://review.opendev.org/684397 [17:24]
gshippey: knikolla:  o/ ready when you are [18:02]
knikolla: gshippey: o/ [18:10]
knikolla: let's do this. [18:10]
gshippey: Brill, so to the best of my knowledge between keystone, mod_auth_openidc and keycloak I think I've set up everything correctly. I'm having trouble authenticating using the v3oidcpassword flow as the client_id isn't passed into the payload of the curl request sent to keycloak [18:12]
gshippey: it seems to be unhappy about that [18:12]
gshippey: REQ: curl -g -i --insecure -X POST http://keycloak-ip:8080/auth/realms/Openstack/protocol/openid-connect/token -H "User-Agent: openstacksdk/0.26.0 keystoneauth1/3.13.1 python-requests/2.18.4 CPython/3.6.8" -d '{'username': 'joint-mapping-user', 'password': 'xxx', 'scope': 'openid profile', 'client_id': 'https://x:5000/openid', 'grant_type': 'password'}' [18:13]
knikolla: give me a sec, looking at my setup [18:20]
gshippey: cheers [18:21]
knikolla: gshippey: this seems a good article describing password owners resource credentials [18:25]
knikolla: https://auth0.com/docs/api-auth/tutorials/adoption/password [18:25]
knikolla: your request looks fine, and client_id is in there [18:25]
knikolla: my request looks similar and works. [18:26]
gshippey: Sorry i've modified the code to add the client_id in there [18:26]
knikolla: right, i see that now. [18:26]
gshippey: without the modification only the username, password, scope and grant type are passed [18:26]
knikolla: REQ: curl -g -i -X POST https://sso.massopen.cloud/auth/realms/moc/protocol/openid-connect/token -H "User-Agent: openstacksdk/0.36.0 keystoneauth1/3.17.1 python-requests/2.22.0 CPython/3.7.5" -d '{'username': 'username', 'password': 'password', 'scope': 'openid profile', 'grant_type': 'password'}' [18:27]
knikolla: https://sso.massopen.cloud:443 "POST /auth/realms/moc/protocol/openid-connect/token HTTP/1.1" 200 3414 [18:27]
gshippey: When I remove the client_id I get this error from keycloak: WARN  [org.keycloak.events] (default task-6) type=LOGIN_ERROR, realmId=Openstack, clientId=https, userId=null, ipAddress=openstack-id, error=invalid_client_credentials, grant_type=password [18:30]
knikolla: gshippey: the client_id and secret should be sent here https://github.com/openstack/keystoneauth/blob/master/keystoneauth1/identity/v3/oidc.py#L194 [18:31]
knikolla: a quick look at the code shows that what requests_auth does is it sets that as the auth of the requests session, so the code seems fine [18:35]
knikolla: and that might be why it doesn't appear in my logs [18:36]
knikolla: though it seems to not be sent at all in your case [18:36]
gshippey: https://github.com/openstack/keystoneauth/blob/5e5185f80f7ecb05b43a1c635d1cdba3cc733660/keystoneauth1/session.py#L869 - this line here? [18:36]
knikolla: yup, was just about to send you that [18:36]
knikolla: https://requests.kennethreitz.org/en/master/user/authentication/ [18:36]
gshippey: I'll try logging out if client_auth actually looks like something goof [18:37]
gshippey: good [18:37]
knikolla: looking at requests, setting a tuple as auth means httpbasicauth [18:37]
knikolla: let me know, cause so far the code looks correct and it's working in my case. [18:39]
knikolla: i'm also using keycloak. [18:39]
gshippey: yeah requests_auth looks fine, do you know of any settings I should be suspicious of keycloak side? [18:41]
gshippey: If that is a bit of a dead end I do have another question [18:48]
knikolla: hmmm, did you enable Direct Access Grants which is the Resource Owner Password Credentials grant? [18:52]
knikolla: everything else seems to be pretty much default for this client's setup on my side [18:53]
gshippey: https://www.irccloud.com/pastebin/nBsG7mAb/Redirect%20URI [19:02]
gshippey: I'll have to go into the password problem in more detail myself then, maybe start afresh because I don't believe I've set much up outside of the default [19:03]
knikolla: this one's an easy fix [19:16]
knikolla: you need `AuthType oauth20` in that endpoint, instead of openid-connect [19:17]
knikolla: so keep openid-connect in the endpoint that horizon hits, and use oauth20 for the REST one. [19:18]
gshippey: That has got me a smidge closer it seems! Thanks for that. I've got to head off for dinner now. Do you mind if I contact you with anything else I need help with in the next couple of days? Do let me know if I'm taking too much of your time [19:34]
knikolla: That is fine, feel free to send me a message and i'll reply when i can [19:34]
gshippey: Thanks very much :)! [19:35]
openstackgerrit: Merged openstack/keystone master: Drop project.id foreign keys  https://review.opendev.org/687753 [20:42]
gagehugo: cmurphy: I might not make the virtual post-ptg next week, I'll be traveling for work [21:28]
cmurphy: gagehugo: :( [21:29]
cmurphy: gagehugo: is there another day next week that would work better for you? [21:30]
gagehugo: nope, I'll be out all week [21:45]
gagehugo: If I don't have anything up that morning I'll try to make it though [21:50]
cmurphy: okay [21:51]