19:04:19 #startmeeting keystone-office-hours
19:04:20 Meeting started Tue Oct 17 19:04:19 2017 UTC and is due to finish in 60 minutes. The chair is lbragstad. Information about MeetBot at http://wiki.debian.org/MeetBot.
19:04:21 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
19:04:24 The meeting name has been set to 'keystone_office_hours'
19:04:36 alrighty - who's around?
19:04:41 o/
19:04:47 o/
19:05:11 awesome - preferences on what you want to do?
19:05:25 spec review, an implementation review, something focused, bugs?
19:06:01 hmmm.. any priorities?
19:06:04 did my office hours dashboard break or are there no bug related patches in gerrit right now?
19:06:09 or we can divide and conquer
19:06:24 cmurphy: there aren't many patches that close bugs
19:06:32 we worked through most of them, or they need fixing
19:06:43 knikolla: anything from the meeting :)
19:07:04 * lbragstad fetches his new favorite link
19:07:08 #link https://trello.com/b/5F0h9Hoe/keystone?menu=filter&filter=due:week
19:07:43 * cmurphy will go look at project tag things
19:08:00 awesome - that'd be good
19:09:22 knikolla: kmalloc would be good to get your opinions on https://review.openstack.org/#/c/505345/1
19:09:42 looking
19:10:30 o/
19:10:38 * knikolla will review specs then. if there's any implementation patches that need more eyes give me a ping.
19:10:40 sorry was reading jwt
19:11:26 gagehugo: by all means - keep reading JWT
19:11:59 the spec looks good
19:16:44 jamielennox: i assume this can be abandoned now - https://review.openstack.org/#/c/248524/ ?
19:18:26 lamt: you had an interest in the ksm+oslo.cache work didn't you?
19:18:32 lamt: i just stumbled across https://review.openstack.org/#/c/268664/
19:20:00 lbragstad: In https://review.openstack.org/#/c/505345/1/specs/keystone/queens/auth-response-restrict-catalog.rs you talk about "getting Morgan's take on this". I don't know who that is. :)
19:20:12 cfriesen: oh - i'm sorry
19:20:16 Morgan == kmalloc
19:20:31 thanks
19:20:42 cfriesen: yep! spec looks good
19:22:07 I'll try and respin shortly
19:22:26 hopefully by tomorrow.
19:33:47 lbragstad: hehe
19:34:23 cfriesen: yeah, I had to change my nic to hide ;)
20:06:25 lbragstad cfriesen: commented
20:06:38 basically i want some metrics showing the benefit(s) of this filtering being server side.
20:09:19 and be clear this is *not* to provide added security
20:09:58 yeah - didn't mean to imply security in my comment
20:10:20 right, but it highlights that people might think it does
20:10:25 though - in hindsight, it probably came across that way
20:10:30 we need to be very explicit it provides no added security
20:12:29 updated my comment
20:17:11 Hi. I was wondering if I could ask a question about endpoints in keystone?
20:17:30 Merged openstack/python-keystoneclient master: Use generic user for both zuul v2 and v3 https://review.openstack.org/512509
20:24:07 mike92: go for it
20:24:46 Thanks. In my deployment, the endpoint url has a dynamic hostname in it. Like https://dyndns.com... At some points in my keystone config processing, the dns may not be running. In these cases, I want to specify a uri with an explicit ip to the server I know is running the keystone server, like http://127.0.0.1.
20:25:03 Previously, I did this with OS_URL and admin_token. I could use OS_URL and it didn't matter what the endpoint in keystone was. Is there something similar I can do in Ocata or Pike?
20:26:05 This would be for the openstack command. Previously I set OS_URL and openstack worked fine. Now I have problems because openstack is trying to contact the dyndns address and it's not connecting
20:34:08 mike92: have you tried using OS_AUTH_URL?
20:34:10 https://docs.openstack.org/python-openstackclient/latest/cli/authentication.html
20:38:50 I do have OS_URL_SET, but openstack tries to use the endpoint in keystone during the communication
20:38:53 # echo $OS_AUTH_URL
20:38:53 http://127.0.0.1:35357/v3
20:38:53 [root@localhost httpd]# openstack --debug endpoint list
20:38:53 ...
20:38:53 "POST /v3/auth/tokens HTTP/1.1" 201 1044
20:38:54 {"token": {"is_domain": false, "methods": ["password"], "roles": [{"id": "03de69ec878843caa16d57c934ede47d", "name": "admin"}], "expires_at": "2017-11-16T20:36:50.000000Z", "project": {"domain": {"id": "default", "name": "Default"}, "id": "2a763d4465b346e4997eb305d3fc87c1", "name": "admin"}, "catalog": [{"endpoints": [{"url": "http://dyndns:35357/", "interface": "admin", "region": null, "region_id": null, "id": "e09499e3203e40198fa42f4f444f599d"}
20:39:00 , {"url": "http://dyndns:35357/", "interface": "internal", "region": null, "region_id": null, "id": "dfbd1a6519ab4c658c1d913d2b025379"}, {"url": "http://dyndns:5000/", "interface": "public", "region": null, "region_id": null, "id": "c99f89d7f0a84364868bb12f4570570a"}], "type": "identity", "id": "295eaf6ea94547b4ae770f0bee7c4504", "name": "keystone"}], "user": {"domain": {"id": "default", "name": "Default"}, "password_expires_at": null, "name": "a
20:39:04 dmin", "id": "395f1f23859245fe84dd1b056935de87"}, "audit_ids": ["V7RQCtHYRpuJj_y8RXDHBA"], "issued_at": "2017-10-17T20:36:50.000000Z"}}
20:39:07 REQ: curl -g -i -X GET http://dyndns:35357/ -H "Accept: application/json" -H "User-Agent: osc-lib/1.7.0 keystoneauth1/3.1.0 python-requests/2.11.1 CPython/2.7.5"
20:39:12 Starting new HTTP connection (1): dyndns
20:39:15 It tries to contact the dyndns address
20:39:28 sorry. I meant I have OS_AUTH_URL set
20:51:59 oh - that seems openstack-client specific
20:52:15 ping dtroyer ^
20:59:23 OS_URL should only be used if OS_TOKEN is also set, in which case the service catalog is bypassed and OS_URL is used directly to contact the service being used by the command. This breaks down for any command that talks to multiple services (such as looking up names/ID on another API).
21:00:25 Otherwise we use the Service Catalog to locate the services.
21:01:12 You may have an option to configure different interfaces (public/admin/internal) and select between those in the service catalog, say setting internal to the IP address then forcing that when you need it
21:01:52 Merged openstack/keystone master: Add JSON schema validation for project tags https://review.openstack.org/484483
21:03:38 that's an interesting idea. I'll see if I can get something like that to work in my deployment.
21:11:42 cmurphy it's been awhile since I've looked at that OSC patch
21:13:27 :)
21:14:43 it definitely needs some fixing up
21:15:59 Thanks for the help!
21:16:23 Gage Hugo proposed openstack/keystone master: Add project tags api-ref documentation and reno https://review.openstack.org/472396
21:16:33 gagehugo: i didn't look at much besides the docs, i was just using it to start validating the server code
21:16:55 cmurphy I think it kinda works if I remember right
21:18:01 lbragstad https://review.openstack.org/#/c/506751/
21:19:05 hmm - those look like legit failures
21:19:37 yeah
21:20:14 idk why jenkins/zuul never ran after you last pushed
21:20:32 that might have been the previous zuul3 attempt
21:43:03 Lance Bragstad proposed openstack/keystone master: Deleting an identity provider doesn't invalidate tokens https://review.openstack.org/512872
21:43:05 partial fix for a bug ^
22:00:06 #endmeeting