19:04:19 <lbragstad> #startmeeting keystone-office-hours
19:04:20 <openstack> Meeting started Tue Oct 17 19:04:19 2017 UTC and is due to finish in 60 minutes.  The chair is lbragstad. Information about MeetBot at http://wiki.debian.org/MeetBot.
19:04:21 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
19:04:24 <openstack> The meeting name has been set to 'keystone_office_hours'
19:04:36 <lbragstad> alrighty - who's around?
19:04:41 <cmurphy> o/
19:04:47 <knikolla> o/
19:05:11 <lbragstad> awesome - preferences on what you want to do?
19:05:25 <lbragstad> spec review, an implementation review, something focused, bugs?
19:06:01 <knikolla> hmmm.. any priorities?
19:06:04 <cmurphy> did my office hours dashboard break or are there no bug related patches in gerrit right now?
19:06:09 <lbragstad> or we can divide and conquer
19:06:24 <lbragstad> cmurphy: there aren't many patches that close bugs
19:06:32 <lbragstad> we worked through most of them, or they need fixing
19:06:43 <lbragstad> knikolla: anything from the meeting :)
19:07:04 * lbragstad fetches his new favorite link
19:07:08 <lbragstad> #link https://trello.com/b/5F0h9Hoe/keystone?menu=filter&filter=due:week
19:07:43 * cmurphy will go look at project tag things
19:08:00 <lbragstad> awesome - that'd be good
19:09:22 <lbragstad> knikolla: kmalloc would be good to get your opinions on https://review.openstack.org/#/c/505345/1
19:09:42 <knikolla> looking
19:10:30 <gagehugo> o/
19:10:38 * knikolla will review specs then. if there's any implementation patches that need more eyes give me a ping.
19:10:40 <gagehugo> sorry was reading jwt
19:11:26 <lbragstad> gagehugo: by all means - keep reading JWT
19:11:59 <gagehugo> the spec looks good
19:16:44 <lbragstad> jamielennox: i assume this can be abandoned now - https://review.openstack.org/#/c/248524/ ?
19:18:26 <lbragstad> lamt: you had an interest in the ksm+oslo.cache work didn't you?
19:18:32 <lbragstad> lamt: i just stumbled across https://review.openstack.org/#/c/268664/
19:20:00 <cfriesen> lbragstad:  In https://review.openstack.org/#/c/505345/1/specs/keystone/queens/auth-response-restrict-catalog.rs you talk about "getting Morgan's take on this".  I don't know who that is. :)
19:20:12 <lbragstad> cfriesen: oh - i'm sorry
19:20:16 <lbragstad> Morgan == kmalloc
19:20:31 <cfriesen> thanks
19:20:42 <lbragstad> cfriesen: yep! spec looks good
19:22:07 <cfriesen> I'll try and respin shortly
19:22:26 <cfriesen> hopefully by tomorrow.
19:33:47 <kmalloc> lbragstad: hehe
19:34:23 <kmalloc> cfriesen: yeah, I had to change my nick to hide ;)
20:06:25 <kmalloc> lbragstad cfriesen: commented
20:06:38 <kmalloc> basically i want some metrics showing the benefit(s) of this filtering being server side.
20:09:19 <kmalloc> and be clear this is *not* to provide added security
20:09:58 <lbragstad> yeah - didn't mean to imply security in my comment
20:10:20 <kmalloc> right, but it highlights that people might think it does
20:10:25 <lbragstad> though - in hindsight, it probably came across that way
20:10:30 <kmalloc> we need to be very explicit it provides no added security
20:12:29 <lbragstad> updated my comment
20:17:11 <mike92> Hi. I was wondering if I could ask a question about endpoints in keystone?
20:17:30 <openstackgerrit> Merged openstack/python-keystoneclient master: Use generic user for both zuul v2 and v3  https://review.openstack.org/512509
20:24:07 <lbragstad> mike92: go for it
20:24:46 <mike92> Thanks. In my deployment, the endpoint url has a dynamic hostname in it. Like https://dyndns.com...  At some points in my keystone config processing, the dns may not be running.  In these cases, I want to specify a uri with an explicit ip to the server I know is running the keystone server, like
20:25:03 <mike92> Previously, I did this with OS_URL and admin_token.  I could use OS_URL and it didn't matter what the endpoint in keystone was.  Is there something similar I can do in Ocata or Pike?
20:26:05 <mike92> This would be for the openstack command.  Previously I set OS_URL and openstack worked fine.  Now I have problems because openstack is trying to contact the dyndns address and it's not connecting
20:34:08 <lbragstad> mike92: have you tried using OS_AUTH_URL?
20:34:10 <lbragstad> https://docs.openstack.org/python-openstackclient/latest/cli/authentication.html
20:38:50 <mike92> I do have OS_URL_SET, but openstack tries to use the endpoint in keystone during the communication
20:38:53 <mike92> # echo $OS_AUTH_URL
20:38:53 <mike92>
20:38:53 <mike92> [root@localhost httpd]# openstack --debug  endpoint list
20:38:53 <mike92> ...
20:38:53 <mike92> "POST /v3/auth/tokens HTTP/1.1" 201 1044
20:38:54 <mike92> {"token": {"is_domain": false, "methods": ["password"], "roles": [{"id": "03de69ec878843caa16d57c934ede47d", "name": "admin"}], "expires_at": "2017-11-16T20:36:50.000000Z", "project": {"domain": {"id": "default", "name": "Default"}, "id": "2a763d4465b346e4997eb305d3fc87c1", "name": "admin"}, "catalog": [{"endpoints": [{"url": "http://dyndns:35357/", "interface": "admin", "region": null, "region_id": null, "id": "e09499e3203e40198fa42f4f444f599d"}
20:39:00 <mike92> , {"url": "http://dyndns:35357/", "interface": "internal", "region": null, "region_id": null, "id": "dfbd1a6519ab4c658c1d913d2b025379"}, {"url": "http://dyndns:5000/", "interface": "public", "region": null, "region_id": null, "id": "c99f89d7f0a84364868bb12f4570570a"}], "type": "identity", "id": "295eaf6ea94547b4ae770f0bee7c4504", "name": "keystone"}], "user": {"domain": {"id": "default", "name": "Default"}, "password_expires_at": null, "name": "a
20:39:04 <mike92> dmin", "id": "395f1f23859245fe84dd1b056935de87"}, "audit_ids": ["V7RQCtHYRpuJj_y8RXDHBA"], "issued_at": "2017-10-17T20:36:50.000000Z"}}
20:39:07 <mike92> REQ: curl -g -i -X GET http://dyndns:35357/ -H "Accept: application/json" -H "User-Agent: osc-lib/1.7.0 keystoneauth1/3.1.0 python-requests/2.11.1 CPython/2.7.5"
20:39:12 <mike92> Starting new HTTP connection (1): dyndns
20:39:15 <mike92> It tries to contact the dyndns address
20:39:28 <mike92> sorry. I meant I have OS_AUTH_URL set
20:51:59 <lbragstad> oh - that seems openstack-client specific
20:52:15 <lbragstad> ping dtroyer ^
20:59:23 <dtroyer> OS_URL should only be used if OS_TOKEN is also set, in which case the service catalog is bypassed and OS_URL is used directly to contact the service being used by the command.  This breaks down for any command that talks to multiple services (such as looking up  names/ID on another API).
21:00:25 <dtroyer> Otherwise we use the Service Catalog to locate the services.
21:01:12 <dtroyer> You may have an option to configure different interfaces (public/admin/internal) and select between those in the service catalog, say setting internal to the IP address then forcing that when you need it
21:01:52 <openstackgerrit> Merged openstack/keystone master: Add JSON schema validation for project tags  https://review.openstack.org/484483
21:03:38 <mike92> that's an interesting idea.  I'll see if I can get something like that to work in my deployment.
21:11:42 <gagehugo> cmurphy it's been awhile since I've looked at that OSC patch
21:13:27 <cmurphy> :)
21:14:43 <gagehugo> it definitely needs some fixing up
21:15:59 <mike92> Thanks for the help!
21:16:23 <openstackgerrit> Gage Hugo proposed openstack/keystone master: Add project tags api-ref documentation and reno  https://review.openstack.org/472396
21:16:33 <cmurphy> gagehugo: i didn't look at much besides the docs, i was just using it to start validating the server code
21:16:55 <gagehugo> cmurphy I think it kinda works if I remember right
21:18:01 <gagehugo> lbragstad https://review.openstack.org/#/c/506751/
21:19:05 <lbragstad> hmm - those look like legit failures
21:19:37 <gagehugo> yeah
21:20:14 <gagehugo> idk why jenkins/zuul never ran after you last pushed
21:20:32 <gagehugo> that might have been the previous zuul3 attempt
21:43:03 <openstackgerrit> Lance Bragstad proposed openstack/keystone master: Deleting an identity provider doesn't invalidate tokens  https://review.openstack.org/512872
21:43:05 <lbragstad> partial fix for a bug ^
22:00:06 <lbragstad> #endmeeting