17:01:45 <lbragstad> #startmeeting keystone-office-hours
17:01:46 <openstack> Meeting started Tue Apr 10 17:01:45 2018 UTC and is due to finish in 60 minutes. The chair is lbragstad. Information about MeetBot at http://wiki.debian.org/MeetBot.
17:01:47 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
17:01:50 <openstack> The meeting name has been set to 'keystone_office_hours'
17:02:23 <lbragstad> well - sorry about that
17:02:32 <lbragstad> i apparently forgot to end the meeting last week
17:02:51 <lbragstad> despite my efforts - http://eavesdrop.openstack.org/meetings/keystone_office_hours/2018/keystone_office_hours.2018-04-03-17.01.log.html#l-41
17:03:03 <lbragstad> must have been issues it the openstack bot
17:03:08 <lbragstad> with*
17:03:36 <lbragstad> i'll be back in about 15 to 20 minutes
17:03:39 <wxy|> lbragstad: https://review.openstack.org/#/c/558489/ replied the question for the test code. I'll address other comments tomorrow.
17:03:50 <lbragstad> wxy|: awesome
17:03:59 <lbragstad> i'll review the hierarchical limits specs
17:04:15 <wxy|> thanks
17:11:49 <mugsie> so, random question - I know in the past project IDs could be basically any string ... has that changed? or are project IDs being UUIDs just the default so that is all anyone sees?
17:14:19 <SamYaple> mugsie: my ldap projects are much longer than uuid4s still
17:14:57 <mugsie> SamYaple: that is what I thought :) just wanted to confirm before blocking a patch :)
17:15:00 <mugsie> thanks!
17:38:16 <kmalloc> lbragstad: back
17:38:50 <kmalloc> mugsie: Keystone is very opinionated
17:39:03 <kmalloc> mugsie: project_ids are intended to be uuid4
17:39:49 <kmalloc> mugsie: legacy stuff that included ldap may not have been limited to uuid4
17:40:12 <mugsie> I knew it was the long term plan, but if there are still people out there using non-uuid IDs, I can't allow a patch that enforces it on people
17:40:28 <kmalloc> hold on, let me give you our specific table sizes
17:40:36 <mugsie> i.e. I know the hp public cloud had ints back in the day
17:40:44 <mugsie> it's a string(64) afaik
17:40:45 <kmalloc> that will break keystone.
17:40:52 <kmalloc> so you can give that guidance.
17:41:26 <kmalloc> mugsie: id = sql.Column(sql.String(64), primary_key=True)
17:42:50 <mugsie> kmalloc: thanks
17:43:05 <kmalloc> mugsie: we allow for 64bytes, so a sha256 (we use that in some cases) for ids
17:43:21 <kmalloc> it may not be a uuid4, it might be a sha256 hexdigest
17:44:03 <kmalloc> if someone proposes a patch that enforces uuid or less than 64bytes, we cannot guarantee we won't break you
17:44:13 <mugsie> yeah - the patch is for uuidutils.is_uuid_like(project_id)
17:44:19 <kmalloc> yeah i'd -2 that
17:44:22 * mugsie wang
17:44:23 <kmalloc> and never let it land
17:44:24 <kmalloc> :)
17:44:27 <mugsie> damn
17:44:42 <kmalloc> we may go to 64bytes for ids.
17:44:43 * mugsie *wants* to wait for the keystone unified limits
17:44:58 <kmalloc> we may not, we future planned
17:45:08 <kmalloc> but we will be opinionated we should generate the ids
17:45:09 <kmalloc> :)
17:45:21 <kmalloc> if that helps ya
17:45:56 <mugsie> the problem is people are setting quotas on non-existent projects, and want a way to validate the input - but this helps a lot :) I wanted to make sure I was right in my suspicions
17:46:02 <kmalloc> :)
17:46:07 <kmalloc> we're working on the limit things
17:46:16 <kmalloc> but it is slow =/
17:47:46 <kmalloc> mugsie: man, i need to get my openstack control plane up and running
17:49:54 <lbragstad> kmalloc: we wrapped up the meeting talking about the domain to idp mappings
17:50:04 <kmalloc> lbragstad: cool.
17:50:16 <lbragstad> and if there is a use case to have more than one domain per idp
17:50:48 <kmalloc> there could be.
17:51:10 <kmalloc> but that said, you could make it work with a 1-per restriction
17:56:28 <lbragstad> we had someone in boston ask for multiple domains per identity provider
17:56:33 <lbragstad> i specifically remember that
18:00:48 <lbragstad> kmalloc: how would you do it with a workaround?
18:01:11 <kmalloc> assignments cross domains
18:02:13 <lbragstad> oh - from the shadow user across domains you mean?
18:02:38 <kmalloc> yeah, just assign the role for the <user> to <domain1> <domain2> whatever
18:02:39 <lbragstad> i suppose
18:02:42 <lbragstad> that would work
18:03:35 <lbragstad> since that's an option, i don't really see a reason to not have a one to one mapping
18:03:42 <kmalloc> yeh
18:03:44 <lbragstad> between identity providers and domains
18:04:08 <kmalloc> you can also register another idp in the system if you need clear isolation
18:04:15 <kmalloc> e.g. some users in domain x and some in y
18:04:27 <kmalloc> the same idp could be used multiple times.
18:05:23 <kmalloc> a flat 1-to-1 mapping is not really needed. but also explicitly multiple domains per idp isn't needed afaict
18:05:30 <kmalloc> without knowing more use-case specifics
18:06:02 <Pete_> hello
18:06:17 <lbragstad> kmalloc: sure
18:07:02 <lbragstad> Pete_: hi
18:27:00 <openstackgerrit> Gage Hugo proposed openstack/keystone master: Move fernet doctor checks into tokens checks https://review.openstack.org/527527
18:46:11 <lbragstad> gagehugo: with https://review.openstack.org/#/c/555196/
18:46:25 <lbragstad> when you generate the api-ref, where are you seeing the changes?
18:46:54 <lbragstad> i've tried generating the API reference with and without the change, but i don't notice a difference
19:18:51 <openstackgerrit> Gage Hugo proposed openstack/keystone master: Update keystone functional tests https://review.openstack.org/560129
19:26:23 <gagehugo> lbragstad I looked at that locally vs the latest page
19:26:38 <gagehugo> under "code documentation" it's a bit different
19:26:59 <gagehugo> oh
19:27:01 <gagehugo> not the api-ref
19:27:12 <gagehugo> the docs that are auto-generated via sphinx-apidocs
19:27:25 <lbragstad> oh
19:27:29 <lbragstad> checking that quick
19:28:24 <lbragstad> gagehugo: you compared them to https://docs.openstack.org/keystone/latest/ ?
19:30:43 <gagehugo> ye
19:31:13 <gagehugo> the toctree is a bit different here: https://docs.openstack.org/keystone/latest/api/modules.html
19:31:17 <gagehugo> vs change
19:31:51 <gagehugo> it looks like it's nesting differently, but the info ends up being there
19:31:56 <lbragstad> some of the configuration options look different too
19:31:57 <Pete_> need help
19:32:01 <Pete_> Error: Could not prefetch keystone_role provider 'openstack': Execution of '/bin/openstack role list --quiet --format csv' returned 1: SSL exception connecting to https://127.0.0.1:35357/v3/roles: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:579) (tried 47, for a total of 170 seconds) Error: Not managing Keystone_role[_member_] due to earlier Keystone API failures. Error: /Stage[main]/Pra_openstack::Ke
19:32:13 <Pete_> What is this and how to fix
19:32:54 <Pete_> we config the admin_url/public_url as "https://<fqdn>:35357"
19:33:21 <Pete_> but why "/bin/openstack role list" talks to 127.0.0.1 instead?
19:33:22 <gagehugo> hmm
19:34:11 <Pete_> the scenario is like this, in an existing env which keystone/and other components run w/o SSL
19:34:26 <Pete_> we are putting change through puppet to set up SSL for keystone
19:34:48 <Pete_> change admin/public_url from "http" to "https" using the same port "5000/35357"
19:35:19 <Pete_> and provide "ssl_cert, ssl_key, ssl_cacert, use_ssl=true" to start keystone
19:36:00 <lbragstad> openstack cli should look for an auth url to authenticate against
19:36:28 <lbragstad> are you sure openstack client is finding that?
19:37:01 <Pete_> when you say "openstack client" you mean "/bin/openstack"?
19:37:40 <lbragstad> yeah - is that python-openstackclient?
19:37:58 <lbragstad> https://pypi.python.org/pypi/python-openstackclient
19:38:09 <Pete_> I can't tell
19:38:35 <Pete_> from where does the openstack client get the auth_url?
19:38:52 <Pete_> from the "table keystone" or from env vars?
19:38:57 <lbragstad> openstackclient can get the auth url a couple different ways
19:39:08 <lbragstad> one of the most common is it use environment variables
19:39:09 <lbragstad> https://docs.openstack.org/python-openstackclient/latest/cli/man/openstack.html#authentication-methods
19:39:15 <lbragstad> is to use*
19:40:10 <Pete_> export OS_AUTH_URL="http://piab1-praccn1-1-piab.eng.sfdc.net:35357/v3" export OS_IDENTITY_API_VERSION="3" export OS_IMAGE_API_VERSION="2"
19:40:24 <Pete_> export OS_PROJECT_DOMAIN_NAME="Default" export OS_PROJECT_NAME="admin" export OS_USERNAME="admin" export OS_USER_DOMAIN_NAME="Default"
19:40:42 <Pete_> export OS_PASSWORD="blabla"
19:40:52 <Pete_> that is the env vars setting
19:41:51 <lbragstad> ok - are you able to get a token?
19:42:06 <lbragstad> using `openstack token issue` for example?
19:42:07 <Pete_> how?
19:43:10 <Pete_> declare -x OS_AUTH_URL="https://piab1-praccn1-1-piab.eng.sfdc.net:35357/v3"
19:43:16 <Pete_> i changed this
19:43:22 <Pete_> run "openstack user list"
19:43:34 <Pete_> [centos@piab1-praccn1-1-piab ~]$ openstack user list Discovering versions from the identity service failed when creating the password plugin. Attempting to determine version from URL. SSL exception connecting to https://piab1-praccn1-1-piab.eng.sfdc.net:35357/v3/auth/tokens: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:579)
19:44:05 <lbragstad> that still looks like a certificate error
19:44:35 <Pete_> but I ran "openssl" to verify the cert/key are fine
19:45:07 <lbragstad> did you use the upstream openstack puppet modules to setup SSL
19:45:20 <lbragstad> if so, the puppet team might be able to help
19:46:28 <Pete_> we use github/puppet-keystone
19:47:06 <Pete_> https://github.com/openstack/puppet-keystone/
19:48:22 <lbragstad> yeah - the folks in #puppet-openstack might be able to help
19:48:48 <lbragstad> from what i can tell, it looks like an issue with the certificates
19:49:14 <lbragstad> which means the request likely isn't even getting to the keystone application yet
19:50:39 <Pete_> '/bin/openstack role list --quiet --format csv' returned 1: SSL exception connecting to https://127.0.0.1:35357/v3/roles:
19:50:43 <Pete_> any idea
19:50:59 <Pete_> why "/bin/openstack role list" talks to 127.0.0.1
19:54:37 <lbragstad> how is your service catalog setup/
19:54:40 <lbragstad> ?
19:55:17 <Pete_> what command to run?
19:55:57 <Pete_> whatever "openstack" command I ran, all hit
19:56:06 <Pete_> Discovering versions from the identity service failed when creating the password plugin. Attempting to determine version from URL. SSL exception connecting to https://piab1-praccn1-1-piab.eng.sfdc.net:35357/v3/auth/tokens: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:579)
19:56:59 <lbragstad> yeah - that's an ssl error
19:57:15 <Pete_> any idea how to troubleshoot it?
19:57:31 <lbragstad> when you setup the service catalog, how did you do it?
20:00:00 <Pete_> this is an existing env which was setup before
20:00:31 <lbragstad> do you know what was used to set it up? was it setup using puppet?
20:01:26 <Pete_> yes
20:02:35 <Pete_> class { '::keystone': admin_token => $::pra_openstack::constant::keystone_admin_token, admin_password => $::pra_openstack::config::keystone_admin_pwd, database_connection => "mysql+pymysql://keystone_admin:${keystone_cfg_ks_db_pw}@${keystone_cfg_mariadb_host}/keystone", token_provider => 'fernet', enable_fernet_setup => true, debug => $::pra_openstack::constant::debu
20:02:53 <Pete_> we just add enable_ssl => true
20:03:05 <Pete_> ssl_certfile=>
20:03:10 <Pete_> ssl_keyfile=>
20:03:14 <Pete_> ssl_ca_certs
20:03:26 <Pete_> validate_insecure=> true
20:03:41 <Pete_> to config keystone with SSL
20:03:50 <lbragstad> just a heads up, but http://paste.openstack.org/ helps if you have a bunch of information
20:04:16 <lbragstad> often times pastes don't turn out well in IRC due to formatting
20:05:17 <Pete_> http://paste.openstack.org/show/718860/
20:05:26 <lbragstad> awesome - thanks
20:05:59 <lbragstad> public_bind_host and admin_bind_host are commented out
20:06:22 <Pete_> first we didn't comment them out, but the same failure
20:07:18 <lbragstad> i'm not very familiar with how openstack puppet does their orchestration, but someone in #puppet-openstack might
20:07:23 <openstackgerrit> Gage Hugo proposed openstack/keystone master: Have project get domain_id from parent https://review.openstack.org/489655
20:10:00 <Pete_> ok, i will try that channel, thx
21:08:26 <lbragstad> #endmeeting