*** ayoung has quit IRC | 00:24 | |
mordred | cmurphy: both look great to me | 00:24 |
---|---|---|
cmurphy | mordred: yay ty | 00:24 |
*** ayoung has joined #openstack-keystone | 00:26 | |
*** yoctozepto has quit IRC | 00:53 | |
*** yoctozepto has joined #openstack-keystone | 00:54 | |
*** yoctozepto has quit IRC | 01:05 | |
*** yoctozepto has joined #openstack-keystone | 01:05 | |
*** lbragstad_ has joined #openstack-keystone | 01:24 | |
*** lbragstad has quit IRC | 01:26 | |
*** ayoung has quit IRC | 02:41 | |
*** ayoung has joined #openstack-keystone | 02:41 | |
*** ayoung has quit IRC | 02:54 | |
*** ayoung has joined #openstack-keystone | 02:54 | |
*** ileixe has joined #openstack-keystone | 02:55 | |
*** rcernin_ has joined #openstack-keystone | 03:00 | |
*** rcernin has quit IRC | 03:03 | |
*** rcernin_ has quit IRC | 03:26 | |
*** rcernin has joined #openstack-keystone | 03:26 | |
*** kumar_biplab has joined #openstack-keystone | 03:46 | |
*** ivve has joined #openstack-keystone | 03:46 | |
*** tkajinam_ has joined #openstack-keystone | 04:29 | |
*** tkajinam has quit IRC | 04:32 | |
*** ayoung has quit IRC | 04:46 | |
*** ayoung has joined #openstack-keystone | 04:47 | |
*** tkajinam_ has quit IRC | 04:58 | |
*** tkajinam has joined #openstack-keystone | 04:59 | |
*** kumar_biplab has quit IRC | 05:18 | |
*** kumar_biplab has joined #openstack-keystone | 05:19 | |
*** shyamb has joined #openstack-keystone | 05:33 | |
*** shyamb has quit IRC | 05:38 | |
*** Luzi has joined #openstack-keystone | 05:42 | |
*** ivve has quit IRC | 05:59 | |
*** shyamb has joined #openstack-keystone | 06:03 | |
*** shyamb has quit IRC | 06:31 | |
*** shyamb has joined #openstack-keystone | 06:31 | |
*** ayoung has quit IRC | 06:58 | |
*** ayoung has joined #openstack-keystone | 06:58 | |
*** ivve has joined #openstack-keystone | 07:03 | |
*** ayoung has quit IRC | 07:07 | |
*** ayoung has joined #openstack-keystone | 07:07 | |
*** rcernin has quit IRC | 07:22 | |
*** trident has quit IRC | 07:37 | |
*** shyamb has quit IRC | 07:40 | |
*** trident has joined #openstack-keystone | 07:48 | |
*** ayoung has quit IRC | 07:55 | |
*** ayoung has joined #openstack-keystone | 07:56 | |
*** adriant has quit IRC | 08:08 | |
*** tesseract has joined #openstack-keystone | 08:11 | |
*** dancn has joined #openstack-keystone | 08:16 | |
*** awalende has joined #openstack-keystone | 08:23 | |
*** tkajinam has quit IRC | 08:37 | |
*** shyamb has joined #openstack-keystone | 08:39 | |
*** ayoung has quit IRC | 08:48 | |
*** ileixe has quit IRC | 08:50 | |
*** ileixe has joined #openstack-keystone | 08:52 | |
*** ayoung has joined #openstack-keystone | 09:00 | |
*** pawan-gupta has joined #openstack-keystone | 09:03 | |
*** Luzi has quit IRC | 09:08 | |
openstackgerrit | pengyuesheng proposed openstack/oslo.policy master: Bump the openstackdocstheme extension to 1.20 https://review.opendev.org/688241 | 09:08 |
*** pawan-gupta has quit IRC | 09:11 | |
*** pawan-gupta has joined #openstack-keystone | 09:14 | |
*** dancn has quit IRC | 09:19 | |
*** Luzi has joined #openstack-keystone | 09:23 | |
*** irclogbot_1 has quit IRC | 09:39 | |
*** irclogbot_2 has joined #openstack-keystone | 09:40 | |
*** rcernin has joined #openstack-keystone | 09:45 | |
*** ileixe has quit IRC | 09:46 | |
*** ayoung has quit IRC | 09:47 | |
*** ileixe has joined #openstack-keystone | 09:49 | |
*** shyamb has quit IRC | 09:49 | |
*** ayoung has joined #openstack-keystone | 09:50 | |
*** jaosorior has joined #openstack-keystone | 09:51 | |
*** awalende has quit IRC | 10:06 | |
*** awalende has joined #openstack-keystone | 10:06 | |
*** awalende has quit IRC | 10:11 | |
*** rcernin has quit IRC | 10:11 | |
*** awalende has joined #openstack-keystone | 10:23 | |
*** shyamb has joined #openstack-keystone | 10:26 | |
*** vesper has quit IRC | 10:30 | |
*** vesper11 has joined #openstack-keystone | 10:31 | |
*** shyamb has quit IRC | 10:46 | |
*** shyam89 has joined #openstack-keystone | 10:46 | |
*** rcernin has joined #openstack-keystone | 10:50 | |
*** awalende has quit IRC | 10:51 | |
*** awalende has joined #openstack-keystone | 10:51 | |
*** awalende has quit IRC | 10:54 | |
*** awalende has joined #openstack-keystone | 10:54 | |
*** kumar_biplab has quit IRC | 10:55 | |
*** dancn has joined #openstack-keystone | 10:59 | |
*** gshippey has joined #openstack-keystone | 11:00 | |
*** awalende has quit IRC | 11:01 | |
*** awalende has joined #openstack-keystone | 11:02 | |
*** shyam89 has quit IRC | 11:03 | |
*** awalende has quit IRC | 11:06 | |
*** awalende has joined #openstack-keystone | 11:08 | |
*** jaosorior has quit IRC | 11:10 | |
*** dancn has quit IRC | 11:14 | |
*** rcernin has quit IRC | 11:26 | |
*** shyamb has joined #openstack-keystone | 11:31 | |
*** dancn has joined #openstack-keystone | 11:32 | |
*** dancn has quit IRC | 11:39 | |
*** dancn has joined #openstack-keystone | 11:39 | |
*** ayoung has quit IRC | 11:53 | |
*** ayoung has joined #openstack-keystone | 11:55 | |
*** ayoung has quit IRC | 12:13 | |
*** ayoung has joined #openstack-keystone | 12:15 | |
*** dave-mccowan has joined #openstack-keystone | 12:20 | |
*** shyamb has quit IRC | 12:26 | |
*** shyamb has joined #openstack-keystone | 12:30 | |
*** awalende has quit IRC | 12:33 | |
*** awalende has joined #openstack-keystone | 12:33 | |
*** awalende has quit IRC | 12:34 | |
*** awalende has joined #openstack-keystone | 12:34 | |
*** baffle has quit IRC | 12:38 | |
*** openstackgerrit has quit IRC | 12:41 | |
*** efried has quit IRC | 12:42 | |
*** raildo has joined #openstack-keystone | 12:47 | |
*** efried has joined #openstack-keystone | 12:49 | |
*** shyam89 has joined #openstack-keystone | 12:56 | |
*** shyamb has quit IRC | 12:56 | |
*** jaosorior has joined #openstack-keystone | 12:57 | |
*** shyam89 has quit IRC | 13:00 | |
*** shyamb has joined #openstack-keystone | 13:00 | |
*** shyamb has quit IRC | 13:05 | |
*** efried has quit IRC | 13:05 | |
*** awalende has quit IRC | 13:06 | |
*** awalende has joined #openstack-keystone | 13:06 | |
*** dancn has quit IRC | 13:09 | |
*** awalende has quit IRC | 13:11 | |
*** starborn has joined #openstack-keystone | 13:17 | |
*** awalende has joined #openstack-keystone | 13:22 | |
*** awalende has quit IRC | 13:24 | |
*** baffle has joined #openstack-keystone | 13:25 | |
*** awalende has joined #openstack-keystone | 13:25 | |
*** awalende has quit IRC | 13:28 | |
*** awalende has joined #openstack-keystone | 13:28 | |
*** starborn has quit IRC | 13:36 | |
*** kumar_biplab has joined #openstack-keystone | 13:42 | |
*** efried has joined #openstack-keystone | 13:50 | |
*** awalende_ has joined #openstack-keystone | 13:59 | |
*** Luzi has quit IRC | 14:00 | |
*** awalende has quit IRC | 14:02 | |
*** kumar_biplab has quit IRC | 14:02 | |
*** efried has quit IRC | 14:07 | |
*** efried has joined #openstack-keystone | 14:11 | |
*** ayoung has quit IRC | 14:21 | |
*** ivve has quit IRC | 14:22 | |
*** ayoung has joined #openstack-keystone | 14:24 | |
*** dancn has joined #openstack-keystone | 14:27 | |
*** ayoung has quit IRC | 14:36 | |
*** efried has quit IRC | 14:43 | |
*** dancn has quit IRC | 14:55 | |
*** efried has joined #openstack-keystone | 15:00 | |
*** dancn has joined #openstack-keystone | 15:08 | |
cmurphy | keystone team meeting in about 45 minutes (remember dst) | 15:18 |
lbragstad_ | awalende_ did you get your policy stuff figured out? | 15:20 |
*** lbragstad_ is now known as lbragstad | 15:20 | |
lbragstad | awalende_ with stable/stein - the admin user is given the admin role on the system and on the admin project | 15:21 |
lbragstad | the admin role implies the member and reader roles, so the user will have the reader role | 15:21 |
*** pcaruana has joined #openstack-keystone | 15:28 | |
awalende_ | Not really, because opting in to the new system_scope rules in my policy.yaml breaks horizon in terms of "Admin" menu points, since everything is now forbidden when not using system scope. Also I get confused maintaining a keystone policy using scopes, while every other service does not | 15:29 |
awalende_ | For instance I have to use a different rc file for keystone stuff with OS_SYSTEM_SCOPE=all and a different one when administrating every other service | 15:30 |
knikolla | o/ | 15:47 |
*** awalende has joined #openstack-keystone | 15:52 | |
*** also_stingrayza is now known as stingrayza | 15:54 | |
*** awalende_ has quit IRC | 15:56 | |
*** awalende has quit IRC | 15:57 | |
*** dancn has quit IRC | 16:03 | |
*** jhesketh has quit IRC | 16:05 | |
*** gyee has joined #openstack-keystone | 16:15 | |
*** jaosorior has quit IRC | 16:18 | |
*** jhesketh has joined #openstack-keystone | 16:21 | |
*** bbobrov has quit IRC | 16:24 | |
*** tesseract has quit IRC | 16:32 | |
lbragstad | cmurphy was this discussed at the summit? http://lists.openstack.org/pipermail/openstack-discuss/2019-November/010706.html | 16:49 |
cmurphy | lbragstad: yes, the nova team's concern was with how to handle deprecations when we already expect the work may take >1 cycle | 16:49 |
lbragstad | sure | 16:50 |
lbragstad | sounds like everything is going to get proposed and then merged at once? | 16:50 |
cmurphy | we talked about some ways we could change oslo.policy to not emit deprecations but the long patch chain and merge everything at once was where we landed | 16:51 |
* bnemec is very curious to see how that works | 16:52 | |
lbragstad | same... i imagine it's going to cause rebase hell, but i'm not sure i have a viable alternative... | 16:52 |
bnemec | But as it is the option that requires nothing from me, I'm +1. :-D | 16:52 |
cmurphy | we'll have to experiment and see, i think if the changes are mostly to the policy modules and less to the api code then there may not be a lot of code churn and it may not be that bad | 16:53 |
bnemec | We discussed the possibility of hiding the deprecations behind a flag and adding a job that set the flag to true for testing. | 16:53 |
bnemec | That way all the deprecations could be easily turned on at once when they were all in place. | 16:54 |
bnemec | But the patch series of doom has the lowest barrier to entry so it's a good place to start. | 16:55 |
*** ivve has joined #openstack-keystone | 16:57 | |
*** pcaruana has quit IRC | 17:03 | |
*** openstackgerrit has joined #openstack-keystone | 17:24 | |
openstackgerrit | Gage Hugo proposed openstack/keystone master: [WIP] Try to recreate 1843464 https://review.opendev.org/684397 | 17:24 |
*** david-lyle is now known as dklyle | 17:41 | |
gshippey | knikolla: o/ ready when you are | 18:02 |
knikolla | gshippey: o/ | 18:10 |
knikolla | let's do this. | 18:10 |
gshippey | Brill, so to the best of my knowledge between keystone, mod_auth_openidc and keycloak I think I've set up everything correctly. I'm having trouble authenticating using the v3oidcpassword flow as the client_id isn't passed into the payload of the curl request sent to keycloak | 18:12 |
gshippey | it seems to be unhappy about that | 18:12 |
gshippey | REQ: curl -g -i --insecure -X POST http://keycloak-ip:8080/auth/realms/Openstack/protocol/openid-connect/token -H "User-Agent: openstacksdk/0.26.0 keystoneauth1/3.13.1 python-requests/2.18.4 CPython/3.6.8" -d '{'username': 'joint-mapping-user', 'password': 'xxx', 'scope': 'openid profile', 'client_id': 'https://x:5000/openid', 'grant_type': 'password'}' | 18:13 |
knikolla | give me a sec, looking at my setup | 18:20 |
gshippey | cheers | 18:21 |
knikolla | gshippey: this seems a good article describing password owners resource credentials | 18:25 |
knikolla | https://auth0.com/docs/api-auth/tutorials/adoption/password | 18:25 |
knikolla | your request looks fine, and client_id is in there | 18:25 |
knikolla | my request looks similar and works. | 18:26 |
gshippey | Sorry i've modified the code to add the client_id in there | 18:26 |
knikolla | right, i see that now. | 18:26 |
gshippey | without the modification only the username, password, scope and grant type are passed | 18:26 |
knikolla | REQ: curl -g -i -X POST https://sso.massopen.cloud/auth/realms/moc/protocol/openid-connect/token -H "User-Agent: openstacksdk/0.36.0 keystoneauth1/3.17.1 python-requests/2.22.0 CPython/3.7.5" -d '{'username': 'username', 'password': 'password', 'scope': 'openid profile', 'grant_type': 'password'}' | 18:27 |
knikolla | https://sso.massopen.cloud:443 "POST /auth/realms/moc/protocol/openid-connect/token HTTP/1.1" 200 3414 | 18:27 |
gshippey | When I remove the client_id I get this error from keycloak: WARN [org.keycloak.events] (default task-6) type=LOGIN_ERROR, realmId=Openstack, clientId=https, userId=null, ipAddress=openstack-id, error=invalid_client_credentials, grant_type=password | 18:30 |
*** dancn has joined #openstack-keystone | 18:30 | |
knikolla | gshippey: the client_id and secret should be sent here https://github.com/openstack/keystoneauth/blob/master/keystoneauth1/identity/v3/oidc.py#L194 | 18:31 |
knikolla | a quick look at the code shows that what requests_auth does is it sets that as the auth of the requests session, so the code seems fine | 18:35 |
knikolla | and that might be why it doesn't appear in my logs | 18:36 |
knikolla | though it seems to not be sent at all in your case | 18:36 |
gshippey | https://github.com/openstack/keystoneauth/blob/5e5185f80f7ecb05b43a1c635d1cdba3cc733660/keystoneauth1/session.py#L869 - this line here? | 18:36 |
knikolla | yup, was just about to send you that | 18:36 |
knikolla | https://requests.kennethreitz.org/en/master/user/authentication/ | 18:36 |
gshippey | I'll try logging out if client_auth actually looks like something goof | 18:37 |
gshippey | good | 18:37 |
knikolla | looking at requests, setting a tuple as auth means httpbasicauth | 18:37 |
knikolla | let me know, cause so far the code looks correct and it's working in my case. | 18:39 |
knikolla | i'm also using keycloak. | 18:39 |
gshippey | yeah requests_auth looks fine, do you know of any settings I should be suspicious of keycloak side? | 18:41 |
gshippey | If that is a bit of a dead end I do have another question | 18:48 |
knikolla | hmmm, did you enable Direct Access Grants which is the Resource Owner Password Credentials grant? | 18:52 |
*** dancn has quit IRC | 18:53 | |
knikolla | everything else seems to be pretty much default for this client's setup on my side | 18:53 |
gshippey | https://www.irccloud.com/pastebin/nBsG7mAb/Redirect%20URI | 19:02 |
gshippey | I'll have to go into the password problem in more detail myself then, maybe start afresh because I don't believe I've set much up outside of the default | 19:03 |
knikolla | this one's an easy fix | 19:16 |
knikolla | you need `AuthType oauth20` in that endpoint, instead of openid-connect | 19:17 |
knikolla | so keep openid-connect in the endpoint that horizon hits, and use oauth20 for the REST one. | 19:18 |
gshippey | That has got me a smidge closer it seems! Thanks for that. I've got to head off for dinner now. Do you mind if I contact you with anything else I need help with in the next couple of days? Do let me know if I'm taking too much of your time | 19:34 |
knikolla | That is fine, feel free to send me a message and i'll reply when i can | 19:34 |
gshippey | Thanks very much :)! | 19:35 |
*** jaosorior has joined #openstack-keystone | 19:39 | |
*** lbragstad has quit IRC | 19:50 | |
*** lbragstad has joined #openstack-keystone | 19:51 | |
*** jaosorior has quit IRC | 20:16 | |
*** lbragstad has quit IRC | 20:19 | |
*** lbragstad has joined #openstack-keystone | 20:20 | |
*** munimeha1 has joined #openstack-keystone | 20:21 | |
openstackgerrit | Merged openstack/keystone master: Drop project.id foreign keys https://review.opendev.org/687753 | 20:42 |
*** raildo has quit IRC | 20:59 | |
*** rcernin has joined #openstack-keystone | 21:17 | |
gagehugo | cmurphy: I might not make the virtual post-ptg next week, I'll be traveling for work | 21:28 |
cmurphy | gagehugo: :( | 21:29 |
cmurphy | gagehugo: is there another day next week that would work better for you? | 21:30 |
gagehugo | nope, I'll be out all week | 21:45 |
gagehugo | If I don't have anything up that morning I'll try to make it though | 21:50 |
cmurphy | okay | 21:51 |
*** dancn has joined #openstack-keystone | 22:19 | |
*** dancn has quit IRC | 22:28 | |
*** adriant has joined #openstack-keystone | 22:41 | |
*** tkajinam has joined #openstack-keystone | 23:08 | |
*** awalende has joined #openstack-keystone | 23:23 | |
*** ivve has quit IRC | 23:25 | |
*** awalende has quit IRC | 23:28 | |
*** munimeha1 has quit IRC | 23:49 |