Monday, 2019-11-25

*** rcernin has quit IRC		00:17
*** rcernin has joined #openstack-keystone		00:17
*** jamesmcarthur has joined #openstack-keystone		02:07
*** jamesmcarthur has quit IRC		02:11
*** jamesmcarthur has joined #openstack-keystone		02:38
*** jamesmcarthur has quit IRC		02:44
*** jamesmcarthur has joined #openstack-keystone		03:07
*** jamesmcarthur has quit IRC		03:11
*** jamesmcarthur has joined #openstack-keystone		03:21
*** jamesmcarthur has quit IRC		03:34
*** cp has quit IRC		03:35
*** vesper11 has quit IRC		03:45
*** vesper11 has joined #openstack-keystone		03:47
*** Ben78 has joined #openstack-keystone		03:52
*** cp has joined #openstack-keystone		04:20
*** jistr has quit IRC		05:51
*** Abhishek has joined #openstack-keystone		05:51
Abhishek	vishakha: Hi.. reg MFA.. http://paste.openstack.org/show/786480/.. I am getting 403 unauthorized error (in keystone's policy.json admin has access to identity:update_user).. I am running the call as an admin.. the user_id is of different user to whom I want to configure MFA..	05:55
Abhishek	any idea what more permission is needed!	05:55
*** jistr has joined #openstack-keystone		05:56
*** jistr has quit IRC		06:06
*** jistr has joined #openstack-keystone		06:06
*** cp has quit IRC		06:21
*** cp has joined #openstack-keystone		06:34
*** cp has quit IRC		06:42
*** cp- has joined #openstack-keystone		06:49
*** rcernin has quit IRC		07:09
*** awalende has joined #openstack-keystone		07:16
*** awalende has quit IRC		07:21
*** tkajinam has quit IRC		08:06
Blinkiz	Hi. What is the different between the role "_member_" and "member"?	08:10
openstackgerrit	Merged openstack/keystone master: Start README.rst with a better title https://review.opendev.org/695029	08:11
*** tesseract has joined #openstack-keystone		08:16
*** awalende has joined #openstack-keystone		08:30
*** awalende has quit IRC		08:34
*** awalende has joined #openstack-keystone		08:43
*** amoralej\|off is now known as amoralej		08:43
*** brinzhang has joined #openstack-keystone		09:06
brinzhang	Hi folks, while run stack.sh, raised:/home/devstack/lib/keystone: line 447: /usr/local/bin/keystone-manage: No such file or directory	09:07
brinzhang	how to resolve? On master branch	09:07
vishakha	@brinzhang : Can you try to locate keystone-manage in your openstack environment?	09:16
brinzhang	How to do ?	09:18
brinzhang	vishakha: This is the generate keystone.conf http://paste.openstack.org/show/786646/	09:20
vishakha	brinzhang: Could you share the error logs?	09:24
brinzhang	vishakha: few error info: http://paste.openstack.org/show/786647/	09:26
vishakha	brinzhang: Let me take a look	09:27
brinzhang	vishakha: Thank you	09:27
vishakha	Abhishek: An admin has the permission to update the user. But as per the error the user trying to update isn't the admin. Could you please cross verify that the update call API is called by admin only?	09:30
Abhishek	vishakha: I am using ldap backend. The user running the api & the user for whom we are setting mfa are both admins. I confirm that.	09:39
Abhishek	the error i am getting is 403 forbidden: You are not authorized to perform the requested action. It doesn't say which policy fails. In the logs also, there is not much info other than warning message.	09:40
*** jistr is now known as jistr\|afk		09:58
*** takamatsu has quit IRC		10:05
*** takamatsu has joined #openstack-keystone		10:06
*** Abhishek has quit IRC		10:13
openstackgerrit	John Garbutt proposed openstack/oslo.limit master: Fetch limits from keystone https://review.opendev.org/695724	10:14
*** jistr\|afk is now known as jistr		10:22
*** brinzhang_ has joined #openstack-keystone		10:44
vishakha	Blinkiz: Keystone used to set default_role as _member_ in old releases. Now we have the new default roles reader, member admin specific to API's.	10:44
*** brinzhang has quit IRC		10:47
*** brinzhang has joined #openstack-keystone		10:49
*** brinzhang_ has quit IRC		10:53
openstackgerrit	John Garbutt proposed openstack/oslo.limit master: Add flat enforcer https://review.opendev.org/695310	10:55
*** awalende_ has joined #openstack-keystone		10:59
*** awalende has quit IRC		11:02
*** awalende_ has quit IRC		11:03
*** awalende has joined #openstack-keystone		11:04
vishakha	brinzhang: Could you try command locate keystone-manage under your stack user and share the output?	11:07
brinzhang	vishakha: Maybe the master branch cannot support on centos7, and the master already removed the Cetnos7's job. you can see the talk on #openstack-qa channel http://paste.openstack.org/show/786655/	11:09
vishakha	brinzhang: Ohh I wasnt aware of the OS you was using.	11:09
brinzhang	vishakha: thanks. I will use ubuntu18.04, and than try again to deploy the openstack	11:10
vishakha	brinzhang: sure.	11:10
*** awalende has quit IRC		11:11
vishakha	Abhishek: let me look if there is any change for user in external identity provider.	11:12
*** brinzhang_ has joined #openstack-keystone		11:13
*** pcaruana has joined #openstack-keystone		11:14
*** brinzhang has quit IRC		11:16
openstackgerrit	John Garbutt proposed openstack/oslo.limit master: Add flat enforcer https://review.opendev.org/695310	11:29
*** openstack has joined #openstack-keystone		11:40
*** ChanServ sets mode: +o openstack		11:40
*** openstack has joined #openstack-keystone		11:52
*** ChanServ sets mode: +o openstack		11:52
*** irclogbot_2 has joined #openstack-keystone		11:53
*** awalende has joined #openstack-keystone		11:56
openstackgerrit	John Garbutt proposed openstack/oslo.limit master: WIP: Two level limit enforcer https://review.opendev.org/695527	11:57
*** amoralej is now known as amoralej\|lunch		12:06
*** brinzhang has joined #openstack-keystone		12:14
*** raildo has joined #openstack-keystone		12:15
*** brinzhang_ has quit IRC		12:17
openstackgerrit	John Garbutt proposed openstack/oslo.limit master: Add flat enforcer https://review.opendev.org/695310	12:23
openstackgerrit	John Garbutt proposed openstack/oslo.limit master: WIP: Two level limit enforcer https://review.opendev.org/695527	12:23
*** brinzhang_ has joined #openstack-keystone		12:29
*** dave-mccowan has joined #openstack-keystone		12:30
*** brinzhang has quit IRC		12:32
*** dave-mccowan has quit IRC		12:35
*** brinzhang has joined #openstack-keystone		12:43
*** brinzhang_ has quit IRC		12:46
*** brinzhang_ has joined #openstack-keystone		12:47
*** brinzhang has quit IRC		12:48
*** brinzhang has joined #openstack-keystone		13:14
*** brinzhang_ has quit IRC		13:16
*** mvkr has quit IRC		13:19
*** amoralej\|lunch is now known as amoralej		13:24
*** jaosorior has joined #openstack-keystone		13:47
*** brinzhang_ has joined #openstack-keystone		14:02
*** brinzhang has quit IRC		14:04
*** brinzhang_ has quit IRC		14:07
*** redrobot has joined #openstack-keystone		14:35
*** jamesmcarthur has joined #openstack-keystone		14:43
*** jamesmcarthur has quit IRC		14:44
*** jamesmcarthur has joined #openstack-keystone		14:44
*** vishakha has quit IRC		14:59
*** mvkr has joined #openstack-keystone		15:06
*** awalende has quit IRC		15:11
*** awalende has joined #openstack-keystone		15:16
*** awalende has quit IRC		15:17
*** spatel has joined #openstack-keystone		15:35
spatel	Good morning	15:35
spatel	I am using Keystone with LDAP and to hide my password i have create application creds but that token also not working, am i missing something here?	15:36
*** jaosorior has quit IRC		15:45
spatel	methods = password,token	15:47
spatel	oh wait i need to enable app_creds in keystone.conf file i think	15:47
*** jaosorior has joined #openstack-keystone		16:04
*** jamesmcarthur has quit IRC		16:07
*** openstackstatus has joined #openstack-keystone		16:15
*** ChanServ sets mode: +v openstackstatus		16:15
*** jamesmcarthur has joined #openstack-keystone		16:21
lbragstad	spatel yep	16:27
knikolla	o/	16:28
spatel	knikolla: i did add in keystone.conf and restarted keystone services and then i have created creds from GUI horizon and download RC sh script and load on bash but getting error	16:30
-spatel- # openstack token issue		16:30
-spatel- Error authenticating with application credential: Application credentials cannot request a scope. (HTTP 401) (Request-ID: req-bfa30e00-28bb-4294-a63d-ef76461f325d)		16:30
spatel	knikolla: lbragstad any idea ?	16:31
lbragstad	that's an issue in the RC file i think...	16:32
lbragstad	which is probably a documentation bug or a bug in horizon?	16:32
lbragstad	you should be able to make a copy of the rc file and debug it by removing any envs that are attempting to set scope (e.g., project)	16:33
lbragstad	application credentials currently require a project, so the scope is implied	16:33
-spatel- #!/usr/bin/env bash		16:33
-spatel- export OS_AUTH_TYPE=v3applicationcredential		16:33
-spatel- export OS_AUTH_URL=https://openstack.example.com:5000/v3		16:33
-spatel- export OS_IDENTITY_API_VERSION=3		16:33
-spatel- export OS_REGION_NAME="RegionOne"		16:33
-spatel- export OS_INTERFACE=public		16:33
-spatel- export OS_APPLICATION_CREDENTIAL_ID=fee1a39148234d139ce9782fa9f3d426		16:33
-spatel- export OS_APPLICATION_CREDENTIAL_SECRET=jJfEMQ6cuJW9VY5U^Ehb^E%$E		16:33
*** aloga has quit IRC		16:33
spatel	This is the file i downloaded	16:33
*** aloga has joined #openstack-keystone		16:33
spatel	I took these variables and added in my original openrc file and adjust	16:35
spatel	Like project, domain etc..	16:35
lbragstad	do you have OS_PROJECT* set already?	16:35
lbragstad	from a left over rc file or something?	16:35
spatel	Yes i did	16:36
knikolla	hmmm, i haven't played around much with application credentials	16:36
spatel	let me post full RC file.. hang on	16:36
knikolla	try unsetting OS_PROJECT* variables	16:36
knikolla	because AFAIK the scope is implied by the app cred	16:36
knikolla	oh, lbragstad already mentioned that :)	16:37
spatel	here is the full rc file which include app creds - http://paste.openstack.org/show/786678/	16:38
lbragstad	for key in $( set \| awk -F= '/^OS_/ {print $1}' ); do unset "${key}" ; done	16:38
lbragstad	# Clear any old environment that may conflict.	16:38
lbragstad	line 28 might be throwing you off	16:38
spatel	if i removed "export OS_PROJECT_NAME=eng"	16:40
-spatel- # openstack token issue		16:40
-spatel- The request you have made requires authentication. (HTTP 401) (Request-ID: req-c6e13a87-ba47-48aa-9fed-b408f766a103)		16:40
spatel	still no luck	16:40
lbragstad	spatel but is it still set?	16:41
lbragstad	env \| grep OS_PRO*	16:41
spatel	OS_PROJECT_DOMAIN_NAME=eng	16:41
spatel	let me remove that if you think that could be problem	16:42
spatel	lbragstad: still getting same error - The request you have made requires authentication. (HTTP 401)	16:42
lbragstad	are you using openstack client?	16:43
lbragstad	can you --debug the request?	16:43
spatel	yes openstack client from command line	16:43
lbragstad	and look at the request and response?	16:43
*** jamesmcarthur has quit IRC		16:43
spatel	lbragstad: here you go - http://paste.openstack.org/show/786679/	16:45
lbragstad	does your user have access to the project you created the application credential for?	16:46
spatel	is this the same username which i am login using Horizon GUI? in my case its LDAP account	16:46
lbragstad	so 'spatel' is your ldap user name?	16:48
spatel	This is what i am trying to do, we are using LDAP for identity and now i want to hide my ldap password so i need token to do all cli stuff	16:48
lbragstad	sure	16:48
spatel	lbragstad: yes "spatel" is my LDAP account which i am using to login in GUI	16:49
lbragstad	your application credentials references a project, right?	16:49
lbragstad	fee1a39148234d139ce9782fa9f3d426	16:49
lbragstad	^ that's your application credential ID	16:49
spatel	all i did in GUI create application creds and it gave me project_ID and ID both	16:50
spatel	let me give you screenshot	16:50
lbragstad	what release are you using?	16:50
spatel	https://imgur.com/a/HcpVgjS	16:51
spatel	stein release	16:51
lbragstad	if you're using ldap - you probably need this... https://review.opendev.org/#/c/676200/	16:51
spatel	That is what i get in GUI	16:51
spatel	lbragstad: i am using ldap for identity and all role assignment are still in SQL	16:52
lbragstad	yep - that makes sense	16:52
*** jamesmcarthur has joined #openstack-keystone		16:52
lbragstad	if you use `openstack role assignment list --names`	16:52
lbragstad	does your spatel user have a role assignment on project 286b	16:52
spatel	I create users in LDAP and then come to openstack and add that user in X project with _member_ role	16:52
*** dklyle has quit IRC		16:53
spatel	spatel already has access of eng project ( so you are saying i need to add spatel in 286b project ? )	16:54
*** dklyle has joined #openstack-keystone		16:54
lbragstad	is 286b your engineering project?	16:54
spatel	Yes yes..	16:55
lbragstad	ok	16:55
lbragstad	is there anything useful in keystone.og?	16:55
lbragstad	keystone.log?	16:55
spatel	i thought its very simple to setup so didn't look at logs.. look like time to go deeper now..	16:56
spatel	I thought i am doing something stupid but as you also verify look like something else going on	16:56
lbragstad	spatel yeah - it seems straight forward	16:56
lbragstad	cmorpheus or knikolla might catch something i may have missed though..	16:56
spatel	I was following this doc and looks simple - http://daybydaylinux.blogspot.com/2019/01/how-to-create-and-use-application.html	16:57
spatel	lbragstad: let me dig into looks meantime and i will get back to you..	16:57
lbragstad	requests should look like this https://docs.openstack.org/api-ref/identity/v3/index.html?expanded=authenticating-with-an-application-credential-detail#authenticating-with-an-application-credential	16:58
lbragstad	we have upstream documentation here, too https://docs.openstack.org/keystone/latest/user/application_credentials.html	16:59
knikolla	spatel: did you add application_credential to methods in keystone.conf?	17:03
spatel	knikolla: yes i have added application_credential in keystone.conf under [auth]	17:06
spatel	keystone_auth_methods: "password,token,application_credential"	17:06
knikolla	I can't see anything that points to a possible culprit. Maybe debug logs from keystone might be more descriptive about the issue here.	17:10
*** awalende has joined #openstack-keystone		17:12
*** jaosorior has quit IRC		17:16
*** awalende has quit IRC		17:17
*** amoralej is now known as amoralej\|off		17:20
*** takamatsu has quit IRC		17:27
*** FlorianFa has quit IRC		17:29
*** takamatsu has joined #openstack-keystone		17:32
johnthetubaguy	gmann is doing some great policy work over in Nova, if someone could take a look at these first two patches for admin api changes, that would be awesome: https://review.opendev.org/#/c/645427	17:50
*** tesseract has quit IRC		17:57
*** jaosorior has joined #openstack-keystone		17:59
spatel	knikolla: & lbragstad ^^	18:04
spatel	if i add this in terraform then its letting me create machine - http://paste.openstack.org/show/786680/	18:04
spatel	so applicate creds working but not working in command line :(	18:04
spatel	but terrafrom understand it..	18:05
spatel	what do you think of that?	18:05
lbragstad	so you still can't get things to work with the RC file	18:07
lbragstad	maybe you should try removing the username and user_domain_name	18:07
johnthetubaguy	FWIW, I had issues with a stale environment, in the end I just logged out, and everything worked	18:08
lbragstad	johnthetubaguy those changes look good	18:17
lbragstad	johnthetubaguy i'm not sure if you're going to be around next week	18:17
lbragstad	but we plan to discuss testing during keystone office hours on december 3rd	18:17
spatel	lbragstad: yes RC command line doesn't work.. but terraform works	18:18
lbragstad	spatel try removing the user information from the RC file, i don't think you need it	18:19
spatel	ok	18:19
lbragstad	because you're using the application credential ID	18:19
lbragstad	so it's globally unique	18:19
lbragstad	you shouldn't need to namespace it with the user	18:19
spatel	I have removed username/domain and still getting same error	18:20
-spatel- # openstack token issue		18:20
-spatel- The request you have made requires authentication. (HTTP 401) (Request-ID: req-818ec56e-6030-4e1a-a8a9-2f0c4b45088b)		18:20
lbragstad	did you unset it, too?	18:21
*** rafaelweingartne has joined #openstack-keystone		18:21
spatel	i kill terminal and re-login	18:21
rafaelweingartne	Hey guys, we have implemented a fix for ephemeral users in Keystone (a.k.a federated users). The fix is proposed via https://review.opendev.org/#/c/687990/	18:21
rafaelweingartne	could somebody provide us some feedback there? Do we need to change something else?	18:22
lbragstad	rafaelweingartne i added it to our review requests for next meeting	18:23
lbragstad	https://etherpad.openstack.org/p/keystone-weekly-meeting	18:23
rafaelweingartne	Awesome	18:23
rafaelweingartne	thanks!	18:23
rafaelweingartne	There is also something quite important, which is a documentation issue: https://review.opendev.org/#/c/693838/	18:25
rafaelweingartne	it is a part of the documentation that address the federated configurations in Keystone that were a bit misleading, and that would not support CLI	18:26
openstackgerrit	John Garbutt proposed openstack/oslo.limit master: Fetch unified limits from keystone https://review.opendev.org/695724	18:31
openstackgerrit	John Garbutt proposed openstack/oslo.limit master: Add flat enforcer https://review.opendev.org/695310	18:31
openstackgerrit	John Garbutt proposed openstack/oslo.limit master: WIP: Two level limit enforcer https://review.opendev.org/695527	18:31
*** rafaelweingartne has quit IRC		18:35
johnthetubaguy	lbragstad: actually, its my wedding anniversary, I must go book that day off actually :)	18:38
lbragstad	johnthetubaguy nice! congrats :)	18:39
*** cmorpheus is now known as cmurphy		18:50
spatel	lbragstad: now i understand why app creds wan't working with command line	18:56
spatel	when you create application credential on horizon it gives you two option, download RC file or download cloud.yml file.. this time i have download cloud.yml and copy it inside	18:57
spatel	~/.config/openstack/clouds.yaml	18:57
spatel	and ran this command "openstack --os-cloud openstack token issue" and it works	18:57
spatel	still don't know why RC env variable doesn't work but anyway cloud.yml works so i am good to go	18:58
spatel	cmurphy: hey :)	18:58
spatel	i was just watching your youtube video about "application credential" and got hit from there :)	18:59
*** jamesmcarthur has quit IRC		19:26
*** jamesmcarthur has joined #openstack-keystone		19:27
*** jamesmcarthur has quit IRC		19:32
knikolla	i really like the clouds.yaml approach. i have "alias kaizen=openstack --os-cloud kaizen", so I can talk to multiple clouds just by using their names.	19:37
*** jamesmcarthur has joined #openstack-keystone		19:48
spatel	knikolla: true..	19:54
*** spatel has quit IRC		20:14
*** jamesmcarthur has quit IRC		20:15
*** jamesmcarthur has joined #openstack-keystone		20:15
*** jamesmcarthur has quit IRC		20:20
*** cmart has joined #openstack-keystone		20:25
*** jamesmcarthur has joined #openstack-keystone		20:28
*** cmart has quit IRC		20:45
*** jamesmcarthur has quit IRC		20:51
*** jamesmcarthur has joined #openstack-keystone		20:52
*** jamesmcarthur has quit IRC		20:57
*** spatel has joined #openstack-keystone		21:15
*** jamesmcarthur has joined #openstack-keystone		21:23
*** spatel has quit IRC		21:26
*** rcernin has joined #openstack-keystone		21:31
*** pcaruana has quit IRC		21:38
*** raildo has quit IRC		21:59
*** jamesmcarthur has quit IRC		22:02
openstackgerrit	Pedro Henrique Pereira Martins proposed openstack/keystone master: Update OIDC documentation to handle bearer access token flow https://review.opendev.org/693838	22:22
*** cmart has joined #openstack-keystone		22:45
*** jamesmcarthur has joined #openstack-keystone		23:01
*** jamesmcarthur has quit IRC		23:07
*** tkajinam has joined #openstack-keystone		23:09
*** jaosorior has quit IRC		23:33

Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!