Thursday, 2020-02-27

*** jamesmcarthur has joined #openstack-keystone [00:35]
*** gyee has quit IRC [00:44]
*** jamesmcarthur has quit IRC [00:51]
*** jamesmcarthur has joined #openstack-keystone [00:52]
*** jamesmcarthur has quit IRC [00:57]
*** gagehugo has joined #openstack-keystone [01:19]
*** jamesmcarthur has joined #openstack-keystone [01:22]
*** jamesmcarthur has quit IRC [01:23]
*** jamesmcarthur has joined #openstack-keystone [01:23]
*** jamesmcarthur has quit IRC [01:55]
*** jamesmcarthur has joined #openstack-keystone [02:00]
*** jamesmcarthur has quit IRC [02:31]
*** jamesmcarthur has joined #openstack-keystone [02:43]
*** jamesmcarthur has quit IRC [02:49]
*** jamesmcarthur has joined #openstack-keystone [02:53]
*** jamesmcarthur has quit IRC [03:07]
*** jamesmcarthur has joined #openstack-keystone [03:31]
*** jamesmcarthur has quit IRC [03:58]
*** gagehugo has quit IRC [05:03]
*** gagehugo has joined #openstack-keystone [05:03]
*** vishakha has joined #openstack-keystone [05:20]
*** Abhishek has joined #openstack-keystone [05:24]
<Abhishek> Hi.. reg MFA functionality in keystone.. once a user is MFA enabled, 'openstack token issue' command returns a 401, which is as expected.. i was wondering what if the MFA enabled user wants to generate a token from this command instead of REST API.. there is no optional argument in this command to pass the totp & no environment variable which I can set in openrc for totp.. this means 'openstack token issue' command is not designed to work [05:28]
<Abhishek> with MFA users.. [05:28]
<Abhishek> is my above understanding right or there is a way 'openstack token issue' command can be used to generate token for MFA users? [05:29]
*** rcernin has quit IRC [05:33]
*** rcernin has joined #openstack-keystone [05:33]
*** evrardjp has quit IRC [05:34]
*** evrardjp has joined #openstack-keystone [05:35]
<vishakha> Abhishek: I have updated a patch https://review.opendev.org/#/c/697444/ so that you can create user with the options. Also you can update the MFA user with the other arguments [05:57]
*** abdysn has joined #openstack-keystone [06:03]
*** kozhukalov has joined #openstack-keystone [06:07]
<Abhishek> vishakha: my query was something else.. no matter how the user options are set (api, cli etc), can a user who is mfa enabled (generate token by say password & totp) get his token by running 'openstack token issue' command? [06:10]
<Abhishek> there is no option provided in 'openstack token issue' command to enter the totp [06:10]
<vishakha> Abhishek: You can set the password and totp while creating a user only. we don't pass anything to openstack token issue [06:12]
<Abhishek> vishakha: password can be set while creating a user.. not totp as it changes every 30 seconds.. so, as far as i understand, openstack doesn't support generation of token for a mfa user using 'openstack token issue' [06:16]
*** rcernin has quit IRC [06:24]
*** lbragstad has quit IRC [06:26]
<vishakha> Abhishek: yes not from openstack token issue. You can make an API request https://docs.openstack.org/keystone/latest/admin/auth-totp.html#tokens [06:39]
<Abhishek> vishakha: yes.. isn't this some sort of bug/enhancement that can be done.. coz 'openstack token issue' command should provide token no matter what the auth mechanism be.. can an option be added to this command, something like --totp <passcode> after which token is generated for mfa enabled users also [06:42]
<vishakha> Abhishek: You can add this as bug. I can bring this topic in weekly meeting and will update over the bug. or team can have a look at it [06:49]
<vishakha> cmurphy gagehugo knikolla ^^ [06:50]
<Abhishek> vishakha: sure [06:52]
*** jawad_axd has joined #openstack-keystone [07:47]
*** tesseract has joined #openstack-keystone [07:53]
*** dancn has joined #openstack-keystone [07:57]
*** tkajinam has quit IRC [08:02]
*** Abhishek has quit IRC [08:09]
*** stingrayza has quit IRC [08:53]
*** xek__ has joined #openstack-keystone [09:43]
*** dmellado has quit IRC [09:59]
*** stingrayza has joined #openstack-keystone [10:43]
*** shyamb has joined #openstack-keystone [10:56]
*** kozhukalov has quit IRC [11:17]
*** kozhukalov has joined #openstack-keystone [11:21]
*** kozhukalov has quit IRC [11:35]
*** kozhukalov has joined #openstack-keystone [11:35]
*** kozhukalov has quit IRC [11:43]
*** ivve has joined #openstack-keystone [11:53]
*** gagehugo has quit IRC [12:19]
*** gagehugo has joined #openstack-keystone [12:20]
*** shyamb has quit IRC [12:33]
*** jamesmcarthur has joined #openstack-keystone [12:36]
*** kozhukalov has joined #openstack-keystone [12:39]
*** shyamb has joined #openstack-keystone [12:40]
*** kplant has joined #openstack-keystone [12:54]
*** shyamb has quit IRC [12:56]
*** jamesmcarthur has quit IRC [13:00]
*** jamesmcarthur has joined #openstack-keystone [13:00]
*** dmellado has joined #openstack-keystone [13:05]
*** shyamb has joined #openstack-keystone [13:05]
*** jamesmcarthur has quit IRC [13:06]
*** jamesmcarthur has joined #openstack-keystone [13:10]
*** shyamb has quit IRC [13:16]
<kplant> would anyone mind giving me a hand with the openstack cli authenticating via openid-connect? i've got some of my config and outputs here: http://paste.openstack.org/show/Ok1chRmNxjBj5i8vKh5H/ [13:22]
<kplant> websso is working, just having some trouble with the cli [13:22]
*** jamesmcarthur has quit IRC [13:32]
*** jamesmcarthur has joined #openstack-keystone [13:32]
*** gshippey has joined #openstack-keystone [13:43]
*** waverider has joined #openstack-keystone [13:44]
*** jamesmcarthur has quit IRC [13:47]
*** jamesmcarthur_ has joined #openstack-keystone [13:47]
<cmurphy> Abhishek: vishakha please see https://docs.openstack.org/keystoneauth/latest/authentication-plugins.html#multi-factor-with-v3-identity-plugins for MFA with the CLI - at least with keystoneauth it should be possible to use the v3multifactor auth method and pass all the auth credentials at once, if it doesn't already work with openstackclient it should only need minor tweaking (cc adriant) [13:51]
<cmurphy> kplant: using the cli with oidc is tricky, the best example is https://osticket.massopen.cloud/kb/faq.php?id=16 but a lot depends on how your idp is configured, knikolla may be able to help more [13:53]
*** lbragstad has joined #openstack-keystone [13:59]
<kplant> thanks. i'll try to make my rc look more like the example [14:03]
<kplant> did you see anything blatantly wrong with the keystone side of my config? [14:03]
*** jawad_axd has quit IRC [14:04]
*** dancn has quit IRC [14:09]
*** dancn has joined #openstack-keystone [14:10]
<cmurphy> kplant: i don't see anything wrong but i'm not the best person to ask [14:26]
*** jamesmcarthur_ has quit IRC [14:35]
*** jamesmcarthur has joined #openstack-keystone [14:40]
*** jamesmcarthur has quit IRC [14:48]
*** abdysn has quit IRC [14:54]
*** gyee has joined #openstack-keystone [15:21]
*** dancn has quit IRC [15:22]
*** jamesmcarthur has joined #openstack-keystone [15:38]
<vishakha> cmurphy: I added a test case for openstack_groups https://review.opendev.org/#/c/704271/. I can see that openstack_groups is added to the assertion https://review.opendev.org/#/c/588211/45/keystone/federation/idp.py L245 which we can see in [16:21]
<vishakha> https://21b1134b494fcbb80a11-30f2d4bfe90ac8b488e5b54b3e170d95.ssl.cf1.rackcdn.com/704271/11/check/keystone-dsvm-py3-functional-federation-opensuse15-k2k/06630d0/controller/logs/screen-keystone.txt [16:21]
<vishakha> 4:09 [16:21]
<vishakha> Feb 21 13:38:27.532996 opensuse-15-ovh-gra1-0014732249 [16:21]
<vishakha> But the Environment Variables fetched from flask params doesn't contain openstack groups https://github.com/openstack/keystone/blob/04316beecc0d20290fb36e7791eb3050953c1011/keystone/federation/utils.py#L430 [16:21]
<vishakha> Due to which assertion_data passed to SP doesn't have openstack_groups in it. [16:22]
<cmurphy> vishakha: did you add openstack_groups to attribute-map.xml in the devstack plugin? [16:24]
<cmurphy> https://opendev.org/openstack/keystone/src/branch/master/devstack/files/federation/attribute-map.xml#L10-L14 [16:25]
*** tesseract has quit IRC [16:27]
<vishakha> cmurphy: I think I missed it. Thanks a lot [16:29]
<vishakha> cmurphy: Also if you can take a look at https://review.opendev.org/#/c/697444/. I think it's good to go [16:37]
*** dancn has joined #openstack-keystone [16:38]
<cmurphy> vishakha: will do [16:38]
<vishakha> cmurphy: :) [16:38]
*** waverider has quit IRC [16:40]
<openstackgerrit> Vishakha Agarwal proposed openstack/keystone master: Add openstack_groups to assertion  https://review.opendev.org/588211 [16:45]
*** jamesmcarthur has quit IRC [16:45]
*** renich has joined #openstack-keystone [16:46]
*** jamesmcarthur has joined #openstack-keystone [16:46]
*** jmlowe has quit IRC [16:54]
*** renich_ has joined #openstack-keystone [16:58]
*** renich has quit IRC [16:59]
*** shyamb has joined #openstack-keystone [17:17]
*** shyamb has quit IRC [17:17]
*** evrardjp has quit IRC [17:35]
*** evrardjp has joined #openstack-keystone [17:35]
*** jmlowe has joined #openstack-keystone [18:01]
*** jmlowe has quit IRC [18:05]
*** jmlowe has joined #openstack-keystone [18:05]
*** kplant has quit IRC [18:24]
*** jmlowe has quit IRC [18:27]
*** jmlowe has joined #openstack-keystone [18:30]
*** dancn has quit IRC [18:32]
*** jamesmcarthur has quit IRC [18:33]
*** jamesmcarthur has joined #openstack-keystone [18:33]
*** jmlowe has quit IRC [18:34]
*** jmlowe has joined #openstack-keystone [18:35]
*** jmlowe has quit IRC [18:36]
*** jmlowe has joined #openstack-keystone [18:56]
*** jmlowe has quit IRC [18:59]
*** kplant has joined #openstack-keystone [19:06]
-openstackstatus- NOTICE: Memory pressure on zuul.opendev.org is causing connection timeouts resulting in POST_FAILURE and RETRY_LIMIT results for some jobs since around 06:00 UTC today; we will be restarting the scheduler shortly to relieve the problem, and will follow up with another notice once running changes are reenqueued. [19:11]
*** jamesmcarthur has quit IRC [19:12]
*** jmlowe has joined #openstack-keystone [19:31]
*** jamesmcarthur has joined #openstack-keystone [19:40]
-openstackstatus- NOTICE: The scheduler for zuul.opendev.org has been restarted; any changes which were in queues at the time of the restart have been reenqueued automatically, but any changes whose jobs failed with a RETRY_LIMIT, POST_FAILURE or NODE_FAILURE build result in the past 14 hours should be manually rechecked for fresh results [19:44]
*** gyee has quit IRC [19:49]
*** gyee has joined #openstack-keystone [19:49]
*** jmlowe has quit IRC [20:07]
*** kozhukalov has quit IRC [20:27]
*** kozhukalov has joined #openstack-keystone [20:28]
*** jmlowe has joined #openstack-keystone [20:30]
<kplant> ~. [20:46]
*** kplant has quit IRC [20:46]
*** jamesmcarthur has quit IRC [20:54]
*** joshualyle has joined #openstack-keystone [21:03]
*** joshualyle has quit IRC [21:05]
*** kozhukalov has quit IRC [21:08]
*** kozhukalov has joined #openstack-keystone [21:40]
*** rcernin has joined #openstack-keystone [21:44]
*** xek__ has quit IRC [21:53]
*** jamesmcarthur has joined #openstack-keystone [21:54]
*** jamesmcarthur has quit IRC [22:08]
*** jamesmcarthur has joined #openstack-keystone [22:11]
*** joshualyle has joined #openstack-keystone [22:20]
*** joshualyle has quit IRC [22:25]
*** jawad_axd has joined #openstack-keystone [22:38]
*** jawad_axd has quit IRC [22:43]
<adriant> vishakha, cmurphy: yeah the work to get MFA support into the openstackclient never happened. I think I talked briefly with mordred about it, but I didn't have the time to chase after it. [22:45]
<adriant> I'm going to try and get the horizon part done potentially this cycle but the horizon auth code is a weird nightmare [22:45]
<mordred> adriant: I keep meaning to dig in to horizon and start replacing stuff with sdk/ksa [22:46]
<mordred> adriant: ENOTIME [22:46]
*** jamesmcarthur has quit IRC [22:49]
*** tkajinam has joined #openstack-keystone [22:51]
*** tkajinam has quit IRC [22:51]
*** tkajinam has joined #openstack-keystone [22:51]
*** ivve has quit IRC [22:57]
*** jamesmcarthur has joined #openstack-keystone [23:25]
*** kozhukalov has quit IRC [23:35]
*** jawad_axd has joined #openstack-keystone [23:40]
*** jawad_axd has quit IRC [23:45]
